Cisco IOS XR XML API Guide
Cisco IOS XR Software Release 4.1
April 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24657-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED
WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL
FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are
shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2011 Cisco Systems, Inc. All rights reserved.

Contents
Preface ix
Changes to This Document ix
Obtaining Documentation and Submitting a Service Request ix
Chapter 1 Cisco XML API Overview 1-1
Introduction 1-1
Definition of Terms 1-1
Cisco Management XML Interface 1-2
Cisco XML API and Router System Features 1-3
Cisco XML API Tags 1-3
Basic XML Request Content 1-4
Top-Level Structure 1-4
XML Declaration Tag 1-5
Request and Response Tags 1-5
ResultSummary Tag 1-5
Maximum Request Size 1-6
Minimum Response Content 1-6
Operation Type Tags 1-8
Native Data Operation Tags 1-8
Configuration Services Operation Tags 1-9
CLI Operation Tag 1-9
GetNext Operation Tag 1-9
Alarm Operation Tags 1-10
XML Request Batching 1-10
Chapter 2 Cisco XML Router Configuration and Management 2-13
Target Configuration Overview 2-13
Configuration Operations 2-14
Additional Configuration Options Using XML 2-14
Locking the Running Configuration 2-15
Browsing the Target or Running Configuration 2-15
Getting Configuration Data 2-16
Browsing the Changed Configuration 2-17
Loading the Target Configuration 2-19
Setting the Target Configuration Explicitly 2-20
Saving the Target Configuration 2-21
Committing the Target Configuration 2-22
Commit Operation 2-22
Commit Errors 2-25
Loading a Failed Configuration 2-27
Unlocking the Running Configuration 2-28
Additional Router Configuration and Management Options Using XML 2-28
Getting Commit Changes 2-29
Loading Commit Changes 2-30
Clearing a Target Session 2-32
Rolling Back Configuration Changes to a Specified Commit Identifier 2-33
Rolling Back the Trial Configuration Changes Before the Trial Time Expires 2-33
Rolling Back Configuration Changes to a Specified Number of Commits 2-34
Getting Rollback Changes 2-35
Loading Rollback Changes 2-36
Getting Configuration History 2-38
Getting Configuration Commit List 2-41
Getting Configuration Session Information 2-43
Clear Configuration Session 2-44
Replacing the Current Running Configuration 2-45
Clear Configuration Inconsistency Alarm 2-46
Chapter 3 Cisco XML Operational Requests and Fault Management 3-49
Operational Get Requests 3-49
Action Requests 3-50
Cisco XML and Fault Management 3-51
Configuration Change Notification 3-51
Chapter 4 Cisco XML and Native Data Operations 4-53
Native Data Operation Content 4-53
Request Type Tag and Namespaces 4-54
Object Hierarchy 4-54
Main Hierarchy Structure 4-55
Dependencies Between Configuration Items 4-58
Null Value Representations 4-58
Operation Triggering 4-58
Native Data Operation Examples 4-59
Set Configuration Data Request: Example 4-60
Get Request: Example 4-62
Get Request of Nonexistent Data: Example 4-63
Delete Request: Example 4-65
GetDataSpaceInfo Request Example 4-66
Chapter 5 Cisco XML and Native Data Access Techniques 5-67
Available Set of Native Data Access Techniques 5-67
XML Request for All Configuration Data 5-68
XML Request for All Configuration Data per Component 5-68
XML Request for All Data Within a Container 5-69
XML Request for Specific Data Items 5-71
XML Request with Combined Object Class Hierarchies 5-72
XML Request Using Wildcarding (Match Attribute) 5-75
XML Request for Specific Object Instances (Repeated Naming Information) 5-79
XML Request Using Operation Scope (Content Attribute) 5-82
Limiting the Number of Table Entries Returned (Count Attribute) 5-83
Custom Filtering (Filter Element) 5-85
XML Request Using the Mode Attribute 5-86
Chapter 6 Cisco XML and Encapsulated CLI Operations 6-91
XML CLI Command Tags 6-91
CLI Command Limitations 6-92
Chapter 7 Cisco XML and Large Data Retrieval 7-93
Iterators 7-93
Usage Guidelines 7-93
Examples Using Iterators to Retrieve Data 7-94
Large Response Division 7-97
Terminating an Iterator 7-97
Throttling 7-98
CPU Throttle Mechanism 7-99
Memory Throttle Mechanism 7-99
Streaming 7-99
Usage Guidelines 7-99
Chapter 8 Cisco XML Security 8-101
Authentication 8-101
Authorization 8-101
Retrieving Task Permissions 8-102
Task Privileges 8-102
Task Names 8-103
Authorization Failure 8-104
Management Plane Protection 8-104
Inband Traffic 8-104
Out-of-Band Traffic 8-104
VRF 8-105
Access Control List 8-105
Chapter 9 Cisco XML Schema Versioning 9-107
Major and Minor Version Numbers 9-107
Run-Time Use of Version Information 9-108
Placement of Version Information 9-109
Version Lag with the AllowVersionMisMatch Attribute Set as TRUE 9-110
Version Lag with the AllowVersionMismatch Attribute Set as FALSE 9-111
Version Creep with the AllowVersionMisMatch Attribute Set as TRUE 9-112
Version Creep with the AllowVersionMisMatch Attribute Set as FALSE 9-113
Retrieving Version Information 9-113
Retrieving Schema Detail 9-115
Chapter 10 Alarms 10-117
Alarm Registration 10-117
Alarm Deregistration 10-118
Alarm Notification 10-119
Chapter 11 Error Reporting in Cisco XML Responses 11-121
Types of Reported Errors 11-121
Error Attributes 11-122
Transport Errors 11-122
XML Parse Errors 11-122
XML Schema Errors 11-123
Operation Processing Errors 11-125
Error Codes and Messages 11-126
Chapter 12 Summary of Cisco XML API Configuration Tags 12-127
Chapter 13 XML Transport and Event Notifications 13-129
TTY-Based Transports 13-129
Enabling the TTY XML Agent 13-129
Enabling a Session from a Client 13-129
Sending XML Requests and Receiving Responses 13-130
Configuring Idle Session Timeout 13-130
Ending a Session 13-130
Errors That Result in No XML Response Being Produced 13-130
Dedicated Connection Based Transports 13-131
Enabling the Dedicated XML Agent 13-131
Enabling a Session from a Client 13-131
Sending XML Requests and Receiving Responses 13-132
Configuring Idle Session Timeout 13-132
Ending a Session 13-132
Errors That Result in No XML Response Being Produced 13-132
SSL Dedicated Connection based Transports 13-132
Enabling the SSL Dedicated XML Agent 13-133
Enabling a Session from a Client 13-133
Sending XML Requests and Receiving Responses 13-133
Configuring Idle Session Timeout 13-133
Ending a Session 13-134
Errors That Result in No XML Response Being Produced 13-134
Chapter 14 Cisco XML Schemas 14-135
XML Schema Retrieval 14-135
Common XML Schemas 14-136
Component XML Schemas 14-136
Schema File Organization 14-136
Schema File Upgrades 14-137
Chapter 15 Network Configuration Protocol 15-139
Starting a NETCONF Session 15-139
Ending a NETCONF Agent Session 15-140
Starting an SSH NETCONF Session 15-140
Ending an SSH NETCONF Agent Session 15-141
Configuring a NETCONF Agent 15-141
Limitations of NETCONF in Cisco IOS XR 15-142
Configuration Datastores 15-142
Configuration Capabilities 15-142
Transport (RFC4741 and RFC4742) 15-142
Subtree Filtering (RFC4741) 15-142
Protocol Operations (RFC4741) 15-144
Event Notifications (RFC5277) 15-145
Chapter 16 Cisco IOS XR Perl Scripting Toolkit 16-147
Cisco IOS XR Perl Scripting Toolkit Concepts 16-148
Security Implications for the Cisco IOS XR Perl Scripting Toolkit 16-148
Prerequisites for Installing the Cisco IOS XR Perl Scripting Toolkit 16-148
Installing the Cisco IOS XR Perl Scripting Toolkit 16-149
Using the Cisco IOS XR Perl XML API in a Perl Script 16-150
Handling Types of Errors for the Cisco IOS XR Perl XML API 16-150
Starting a Management Session on a Router 16-150
Closing a Management Session on a Router 16-152
Sending an XML Request to the Router 16-152
Using Response Objects 16-153
Using the Error Objects 16-154
Using the Configuration Services Methods 16-154
Using the Cisco IOS XR Perl Data Object Interface 16-157
Understanding the Perl Data Object Documentation 16-158
Generating the Perl Data Object Documentation 16-158
Creating Data Objects 16-159
Specifying the Schema Version to Use When Creating a Data Object 16-161
Using the Data Operation Methods on a Data Object 16-161
get_data Method 16-161
find_data Method 16-162
get_keys Method 16-162
get_entries Method 16-163
set_data Method 16-163
delete_data Method 16-164
Using the Batching API 16-164
batch_start Method 16-164
batch_send Method 16-165
Displaying Data and Keys Returned by the Data Operation Methods 16-165
Specifying the Session to Use for the Data Operation Methods 16-166
Cisco IOS XR Perl Notification and Alarm API 16-166
Registering for Alarms 16-166
Deregistering an Existing Alarm Registration 16-167
Deregistering All Registration on a Particular Session 16-167
Receiving an Alarm on a Management Session 16-167
Using the Debug and Logging Facilities 16-168
Debug Facility Overview 16-168
Logging Facility Overview 16-169
Examples of Using the Cisco IOS XR Perl XML API 16-170
Configuration Examples 16-171
Setting the IP Address of an Interface 16-171
Configuring a Simple BGP Neighbor 16-172
Adding a List of Neighbors to a BGP Neighbor Group 16-172
Displaying the Members of Each BGP Neighbor Group 16-173
Setting Up ISIS on an Interface 16-173
Finding the Circuit Type That is Currently Configured for an Interface for ISIS 16-173
Configuring a New Instance, Area, and Interface for OSPF 16-175
Getting a List of the Usernames That are Configured on the Router 16-175
Finding the IP Address of All Interfaces That Have IP Configured 16-175
Adding an Entry to the Access Control List 16-176
Denying Access to a Set of Interfaces from a Particular IP Address 16-176
Configuring a New Static Route Entry 16-177
Operational Examples 16-177
Retrieving the Operational Information for All Interfaces on the Router 16-178
Retrieving the Link State Database for a Particular Level for ISIS 16-178
Getting a List of All Interfaces on the System 16-179
Retrieving the Combined Interface and IP Information for Each Interface 16-179
Listing the Hostname and Interface for Each ISIS Neighbor 16-180
Recreating the Output of the show ip interfaces CLI Command 16-180
Producing a Textual Output Similar to the show bgp neighbors CLI Command 16-180
Displaying Tabular XML Data in a Generic HTML Table Using XSLT 16-181
Displaying the Interface State in a Customized HTML Table 16-182
Displaying the BGP Neighbor Operational Data in a Complex HTML Format 16-182
Performing Actions Whenever Certain Events Occur 16-183
Sample BGP Configuration 17-185
Glossary
Index
Preface
The XML application programming interface (API) is available for use on any Cisco platform running
Cisco IOS XR software. This document describes the XML API provided to developers of external
management applications. The XML interface provides a mechanism for router configuration and
monitoring using XML formatted request and response streams.
The XML schemas referenced in this guide are used by the management application developer to
integrate client applications with the router programmable interface.
The preface contains these sections:
• Changes to This Document, page ix
• Obtaining Documentation and Submitting a Service Request, page ix
Changes to This Document
Table 1 lists the technical changes made to this document since it was first published.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
Table 1 Changes to This Document
Revision Date Change Summary
OL-24657-01 April 2011 Initial release of this document.

Chapter 1 Cisco XML API Overview
This chapter contains these sections:
• Introduction, page 1-1
• Cisco Management XML Interface, page 1-2
• Cisco XML API and Router System Features, page 1-3
• Cisco XML API Tags, page 1-3
Introduction
This Cisco IOS XR XML API Guide explains how to use the Cisco XML API to configure routers or
request information about configuration, management, or operation of the routers. The goal of this guide
is to help management application developers write client applications to interact with the Cisco XML
infrastructure on the router, and to use the Management XML API to build custom end-user interfaces
for configuration and information retrieval and display.
The XML application programming interface (API) provided by the router is used to develop client
applications and Perl scripts that manage and monitor the router. The XML interface is specified by XML
schemas. The XML API configures and monitors the router by exchanging XML-formatted request and
response streams.
Client applications can be used to configure the router or to request status information from the router,
by encoding a request in XML API tags and sending it to the router. The router processes the request
and sends the response to the client by again encoding the response in XML API tags. This guide
describes the XML requests that can be sent by external client applications to access router management
data, and also details the responses to the client by the router.
Customers use a variety of vendor-specific CLI scripts to manage their routers because no alternative
programmatic mechanism is available. In addition, a common framework has not been available to
develop CLI scripts. In response to this need, the XML API provides the necessary common framework
for development, deployment, and maintenance of router management.
Note The XML API code is available for use on any Cisco platform that runs Cisco IOS XR software.
Definition of Terms
Table 1-1 defines the words, acronyms, and actions used throughout this guide.
Table 1-1 Definition of Terms
Term Description
AAA Authentication, authorization, and accounting.
CLI Command-line interface.
SSH Secure Shell.
SSL Secure Sockets Layer.
XML Extensible markup language.
XML agent Process on the router that receives XML requests from XML clients, carries out the actions
contained in the request, and returns an XML response to the client.
XML client External application that sends XML requests to the router and receives XML responses to
those requests.
XML operation Portion of an XML request that specifies an operation that the XML client wants the XML
agent to perform.
XML operation provider Code that carries out a particular XML operation, including parsing the operation
XML, performing the operation, and assembling the operation XML response.
XML request XML document sent to the router containing a number of requested operations to be carried
out.
XML response Response to an XML request.
XML schema XML document specifying the structure and possible contents of XML elements that can be
contained in an XML document.
Cisco Management XML Interface
These topics, which are covered in detail in the sections that follow, outline information about the Cisco
Management XML interface:
• High-level structure of the XML request and response streams
• Operation tag types and usage, including their XML format and content
• Configuring the router using:
– the two-stage “target configuration” mechanism provided by the configuration manager
– features such as locking, loading, browsing, modifying, saving, and committing the configuration
• Accessing the operational data of the router with XML
• Working with native management data object class hierarchies to:
– represent native data objects in XML
– use techniques, including the use of wildcards and filters, for structuring XML requests that access
the management data of interest
• Encapsulating CLI commands in XML
• Error reporting to the client application
• Using iterators for large-scale data retrieval
• Handling event notifications with XML
• Enforcing authorization of client requests
• Versioning of XML schemas
• Generation and packaging of XML schemas
• Transport options that enable the corresponding XML agents on the router
• Using the Cisco IOS XR Perl Scripting Toolkit to manage a Cisco IOS XR router
Cisco XML API and Router System Features
Using the XML API, an external client application sends XML encoded management requests to an
XML agent running on the router. The XML API readily supports available transport layers including
terminal-based protocols such as Telnet, Secure Shell (SSH), dedicated-TCP connection, and Secure
Sockets Layer (SSL) dedicated TCP connection.
Before an XML session is established, the XML transport and XML agent must be enabled on the router.
For more information, see Chapter 13, “XML Transport and Event Notifications.”
A client request sent to the router must specify the different types of operations that are to be carried out.
Three general types of management operations supported through XML are:
• Native data access (get, set, delete, and so on) using the native management data model.
• Configuration services for advanced configuration management through the Configuration
Manager.
• Traditional CLI access where CLI commands and command responses are encapsulated in XML.
When a client request is received by an XML agent on the router, the request is routed to the appropriate
XML operation provider in the internal Cisco XML API library for processing. After all the requested
operations are processed, the XML agent receives the result and sends the XML encoded response
stream on to the client.
Cisco XML API Tags
An external client application can access management data on the router through an exchange of
well-structured XML-tagged request and response streams. The XML tagged request and response
streams are described in these sections:
• Basic XML Request Content, page 1-4
• XML Declaration Tag, page 1-5
• Operation Type Tags, page 1-8
• XML Request Batching, page 1-10
Basic XML Request Content
This section describes the specific content and format of XML data exchanged between the client and
the router for the purpose of router configuration and monitoring.
Top-Level Structure
The top level of every request sent by a client application to the router must begin with an XML
declaration tag, followed by a request tag and one or more operation type tags. Similarly, every response
returned by the router begins with an XML declaration tag followed by a response tag, one or more
operation type tags, and a result summary tag with an error count. Each request contains operation tags
of the supported operation types; these operation type tags can be repeated. The operation type tags
contained in the response correspond to those contained in the client request.
Sample XML Request from Client Application
<?xml version="1.0" encoding="UTF-8"?>
<Request MajorVersion="1" MinorVersion="0">
  .
  .
  .
  Operation-specific content goes here
  .
  .
  .
</Request>
Sample XML Response from Router
<?xml version="1.0" encoding="UTF-8"?>
<Response MajorVersion="1" MinorVersion="0">
  .
  .
  .
  Operation-specific response data returned here
  .
  .
  .
  <ResultSummary ErrorCount="0"/>
</Response>
Note All examples in this document are formatted with line breaks and white space to aid readability. Actual
XML request and response streams exchanged with the router do not include such line breaks and white
space characters, because they would add significantly to the size of the XML data and affect the overall
performance of the XML API.
XML Declaration Tag
Each request and response exchanged between a client application and the router must begin with an
XML declaration tag indicating which version of XML and (optionally) which character set is being
used:
<?xml version="1.0" encoding="UTF-8"?>
Table 1-2 defines the attributes of the XML declaration that are defined by the XML specification.
Table 1-2 Attributes for XML Declaration
Name Description
Version Specifies the version of XML to be used. Only Version “1.0” is supported by the router.
Note The version attribute is required.
Encoding Specifies the standardized character set to be used. Only “UTF-8” is supported by the
router. The router includes the encoding attribute in a response only if it is specified in
the corresponding request.
Note The encoding attribute is optional.
Request and Response Tags
Following the XML declaration tag, the client application must enclose each request stream within a pair
of <Request> start and end tags. Likewise, the system encloses each XML response within a pair of
<Response> start and end tags. Major and minor version numbers are carried on the <Request> and
<Response> elements to indicate the overall XML API version in use by the client application and router
respectively.
The XML API presents a synchronous interface to client applications. The <Request> and <Response>
tags are used by the client to correlate request and response streams. A client application issues a request,
after which the router returns a response. The client then issues another request, and so on. Therefore, the
XML session between a client and the router consists of a series of alternating request and response
streams.
The client application optionally includes a ClientID attribute within the <Request> tag. The value of
the ClientID attribute must be an unsigned 32-bit integer. If the <Request> tag contains a ClientID
attribute, the router includes the same ClientID value in the corresponding <Response> tag. The
ClientID value is treated as opaque data and ignored by the router.
ResultSummary Tag
The system adds a <ResultSummary> tag immediately before the </Response> end tag to indicate the
overall result of the operations performed. This tag contains the attribute ErrorCount, which gives the total
number of errors encountered; a value of 0 indicates no errors. If applicable, the ItemNotFound or
ItemNotFoundBelow attributes are also included. See Table 1-3 for explanations of these attributes.
Sample XML Response with ResultSummary Tag
<?xml version="1.0" encoding="UTF-8"?>
<Response MajorVersion="1" MinorVersion="0">
  .
  .
  <ResultSummary ErrorCount="0"/>
</Response>
Maximum Request Size
The maximum size of an XML request or response is determined by the restrictions of the underlying
transports. For more information on transport-specific limitations of request and response sizes, see
Chapter 13, “XML Transport and Event Notifications.”
Minimum Response Content
If a request has nothing to return, the router returns the original request and an appropriate empty
operation type tag. The minimum response returned by the router for a single operation with no result
data is shown in these examples:
Sample XML Request from Client Application
<?xml version="1.0" encoding="UTF-8"?>
<Request MajorVersion="1" MinorVersion="0">
  .
  .
  .
  Operation-specific content goes here
  .
  .
  .
</Request>
Sample XML Minimum Response from a Router
[Sample markup not recoverable in this copy.]
If a request has nothing to return, the router returns the original request with an ItemNotFound
attribute at the operation level.
If a request has some ‘not found’ elements to return, the router returns the original request with
an ItemNotFoundBelow attribute at the operation level. For each requested element that is not found, the
router returns a NotFound attribute at the element level. For each requested element that is present, it
returns the corresponding data.
Table 1-3 defines the attributes used when the request does not have any elements to return.
Table 1-3 Attributes for Elements Not Found
Attribute Description
ItemNotFound Empty response at the operation level.
ItemNotFoundBelow Response at the operation level in which some requested elements are not found.
NotFound Requested element is not found at the element level.
Sample XML Request from Client Application (ItemNotFound)
[Sample markup not recoverable in this copy; the request names interface Loopback1 (values: act, Loopback1).]
Sample XML Minimum Response from a Router (ItemNotFound)
[Sample markup not recoverable in this copy; the response echoes the request for Loopback1 (values: act, Loopback1).]
Sample XML Request from Client Application (ItemNotFoundBelow)
[Sample markup not recoverable in this copy; the request names interface Loopback0 (values: act, Loopback0).]
Sample XML Minimum Response from a Router (ItemNotFoundBelow)
[Sample markup not recoverable in this copy; the response returns Loopback0 with values act, Loopback0, desc-loop0, 1.1.1.1, and 255.255.0.0.]
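The request and response envelope, ClientID correlation, and ResultSummary and not-found handling described in the Request and Response Tags, ResultSummary Tag and Minimum Response Content sections above, as an added Python example that is not code from the Cisco guide. It uses only the tag and attribute names those sections document; the attribute value "true", the make_get helper, the <Configuration>, <Hostname> and <Banner> element names, and the three sample replies are constructed for illustration, not router output.

```python
"""Client-side handling of the Cisco XML API request/response envelope.

Added example, not code from the Cisco guide. Names used: <Request> and
<Response> with MajorVersion, MinorVersion and ClientID, <ResultSummary> with
ErrorCount, and the ItemNotFound, ItemNotFoundBelow and NotFound attributes.
The value "true", the <Configuration>/<Hostname>/<Banner> elements and the
sample replies below are constructed assumptions, not router output.
"""
import re
import xml.etree.ElementTree as ET

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>'
# The router supports only XML 1.0 and, when an encoding is given, only UTF-8.
DECLARATION_RE = re.compile(r'^\s*<\?xml\s+version="1\.0"(?:\s+encoding="UTF-8")?\s*\?>')


def make_get(*path):
    """Build a <Get> operation element around a nested element path (helper)."""
    get = ET.Element("Get")
    parent = get
    for name in path:
        parent = ET.SubElement(parent, name)
    return get


def build_request(operations, client_id=None, major=1, minor=0):
    """Wrap operation elements in a <Request> envelope on one line.

    ClientID is optional; when present it must be an unsigned 32-bit integer.
    The router echoes it in <Response> and otherwise treats it as opaque data.
    """
    req = ET.Element("Request", MajorVersion=str(major), MinorVersion=str(minor))
    if client_id is not None:
        if not isinstance(client_id, int) or not 0 <= client_id <= 0xFFFFFFFF:
            raise ValueError("ClientID must be an unsigned 32-bit integer")
        req.set("ClientID", str(client_id))
    for op in operations:
        req.append(op)
    # No line breaks or indentation: they only inflate the stream sent to the router.
    return XML_DECLARATION + ET.tostring(req, encoding="unicode")


def check_declaration(text):
    """True if the stream starts with a declaration the router supports."""
    return DECLARATION_RE.match(text) is not None


def parse_response(text, expected_client_id=None):
    """Validate the <Response> envelope and summarise the result.

    Returns the operation tags in order, ErrorCount, and not_found, which is
    None, "ItemNotFound" or "ItemNotFoundBelow". A reply that is not the one
    expected (wrong root, wrong ClientID, no summary) raises instead of being
    silently accepted as a success.
    """
    if not check_declaration(text):
        raise ValueError("unsupported or missing XML declaration")
    root = ET.fromstring(text)
    if root.tag != "Response":
        raise ValueError(f"expected <Response>, got <{root.tag}>")
    if expected_client_id is not None and root.get("ClientID") != str(expected_client_id):
        raise ValueError("ClientID in response does not match the request")
    summary = root.find("ResultSummary")
    if summary is None:
        raise ValueError("response is missing <ResultSummary>")
    if summary.get("ItemNotFound") == "true":
        not_found = "ItemNotFound"
    elif summary.get("ItemNotFoundBelow") == "true":
        not_found = "ItemNotFoundBelow"
    else:
        not_found = None
    return {
        "operations": [child.tag for child in root if child.tag != "ResultSummary"],
        "error_count": int(summary.get("ErrorCount", "0")),
        "not_found": not_found,
    }


def missing_elements(text):
    """Paths of the elements the router marked NotFound="true"."""
    paths = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.get("NotFound") == "true":
            paths.append(here)
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(text), "")
    return paths


# Constructed replies for the three outcomes the text describes (not router output).
_HEAD = XML_DECLARATION + '<Response MajorVersion="1" MinorVersion="0" ClientID="42">'
SAMPLE_OK = (_HEAD + '<Get><Configuration><Hostname>router1</Hostname></Configuration></Get>'
             '<ResultSummary ErrorCount="0"/></Response>')
SAMPLE_NOT_FOUND = (_HEAD + '<Get ItemNotFound="true"><Configuration/></Get>'
                    '<ResultSummary ErrorCount="0" ItemNotFound="true"/></Response>')
SAMPLE_BELOW = (_HEAD + '<Get ItemNotFoundBelow="true"><Configuration>'
                '<Hostname>router1</Hostname><Banner NotFound="true"/>'
                '</Configuration></Get>'
                '<ResultSummary ErrorCount="0" ItemNotFoundBelow="true"/></Response>')

if __name__ == "__main__":
    print(build_request([make_get("Configuration", "Hostname")], client_id=42))
    for sample in (SAMPLE_OK, SAMPLE_NOT_FOUND, SAMPLE_BELOW):
        print(parse_response(sample, expected_client_id=42), missing_elements(sample))
```

Rejecting a reply whose ClientID does not match, rather than ignoring the attribute as the router does, is the client-side check that keeps a stale or misrouted response on a long-lived session from being read as the answer to the current request; treating a missing ResultSummary as an error closes the same gap for truncated streams.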
Operation Type Tags
Following the <Request> tag, the client application must specify the operations to be carried out by the
router. Three general types of operations are supported, along with the <GetNext> operation for large
responses.
Native Data Operation Tags
Native data operations provide basic access to the native management data model. Table 1-4 describes
the native data operation tags.
The XML schema definitions for the native data operation type tags are contained in the schema file
native_data_operations.xsd. The native data operations are described further in Chapter 5, “Cisco XML
and Native Data Access Techniques.”
Table 1-4 Native Data Operation Tags
Native Data Tag Description
<Get> Gets the value of one or more configuration, operational, or action data items.
<Set> Creates or modifies one or more configuration or action data items.
<Delete> Deletes one or more configuration data items.
<GetVersionInfo> Gets the major and minor version numbers of one or more components.
<GetDataSpaceInfo> Retrieves native data branch names.
Configuration Services Operation Tags
Configuration services operations provide more advanced configuration management functions through
the Configuration Manager. Table 1-5 describes the configuration services operation tags.
The XML schema definitions for the configuration services operation type tags are contained in the
schema file config_services_operations.xsd (see Chapter 14, “Cisco XML Schemas”).
The configuration services operations are described further in Chapter 2, “Cisco XML Router
Configuration and Management.”
Table 1-5 Configuration Services Operation Tags
Tag Description
<Lock> Locks the running configuration.
<Unlock> Unlocks the running configuration.
<Load> Loads the target configuration from a binary file previously saved using the <Save> tag.
<Save> Saves the target configuration to a binary file.
<Commit> Promotes the target configuration to the running configuration.
<Clear> Aborts or clears the current target configuration session.
<Rollback> Rolls back the running configuration to a previous configuration state.
<GetConfigurationHistory> Gets a list of configuration events.
<GetConfigurationSessions> Gets a list of the user sessions currently configuring the box.
<GetConfigurationCommitList> Gets a list of commits that were made to the running configuration and
can be rolled back.
<ClearConfigurationSession> Clears a particular configuration session.
<ClearConfigurationInconsistencyAlarm> Clears a configuration inconsistency alarm.
CLI Operation Tag
CLI access provides support for XML-encapsulated CLI commands and responses. For CLI access, a
single <CLI> tag is provided. The <CLI> operation tag issues the request as a CLI command.
The XML schema definitions for the <CLI> tag are contained in the schema file cli_operations.xsd (see
Chapter 14, “Cisco XML Schemas”).
The CLI operations are described further in Chapter 6, “Cisco XML and Encapsulated CLI Operations.”
GetNext Operation Tag
The <GetNext> tag is used to retrieve the next portion of a large response. It can be used as required to
retrieve an oversize response following a request using one of the other operation types. The <GetNext>
operation tag gets the next portion of a response. Iterators are supported for large requests.
The XML schema definition for the <GetNext> operation type tag is contained in the schema file
xml_api_protocol.xsd (see Chapter 14, “Cisco XML Schemas”). For more information about the
<GetNext> operation, see Chapter 7, “Cisco XML and Large Data Retrieval.”
Alarm Operation Tags
The operation tag registers, unregisters, and receives alarm notifications. Table 1-6 lists the
alarm operation tags.
The XML schema definitions for the alarm operation tags are contained in the schema file
alarm_operations.xsd (see Chapter 14, “Cisco XML Schemas”).
XML Request Batching
The XML interface supports the combining of several requests or operations into a single request. When
multiple operations are specified in a single request, the response contains the same operation tags and
in the same order as they appeared in the request.
Batched requests are performed as a “best effort.” For example, in a case where operations 1 through 3
are in the request, even if operation 2 fails, operation 3 is attempted.
If you want to perform two or more operations, and if the first one might return a large amount
of data that is potentially larger than the size of one iterator chunk, you must place the subsequent
operations within a separate XML request. If the operations are placed in the same request within the
same tags, for example, potentially sharing part of the hierarchies with the first request, an error
attribute that informs you that the operations cannot be serviced is returned on the relevant tags.
For more information, see Chapter 5, “Cisco XML and Native Data Access Techniques.”
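As an added illustration of the batching rule above (not code from the guide), the following Python builds a multi-operation request and then checks each operation in the router's response on its own, so a best-effort batch in which operation 2 failed but operation 3 ran is reported as exactly that. Tag names (Request, Response, Get, Set, Configuration) follow the Cisco IOS XR XML API schema and are assumptions where this page shows no markup; the response is constructed.

```python
"""Build a batched Cisco XML API request and check each operation in the
response individually.  Added example, not from the guide.  Tag names
(Request, Response, Get, Set, Configuration) and the ErrorCode/ErrorMsg
attributes follow the Cisco IOS XR XML API schema and are assumptions
where the page shows no markup; the response below is constructed."""
import xml.etree.ElementTree as ET


def build_batched_request(operations):
    """operations: (operation_tag, payload_element_or_None) pairs in the
    order the client wants them serviced.  Returns the serialized <Request>."""
    req = ET.Element("Request", MajorVersion="1", MinorVersion="0")
    for op_tag, payload in operations:
        op = ET.SubElement(req, op_tag)
        if payload is not None:
            op.append(payload)
    return ET.tostring(req, encoding="unicode")


def _first_error(op):
    """(ErrorCode, ErrorMsg, tag) of the first element under `op` (itself
    included) that reports an error, or (None, None, None)."""
    for node in op.iter():
        if "ErrorCode" in node.attrib or "ErrorMsg" in node.attrib:
            return node.get("ErrorCode"), node.get("ErrorMsg"), node.tag
    return None, None, None


def check_batched_response(request_xml, response_xml):
    """Pair every operation in the <Response> with the one sent, in order,
    and report each separately: batches are serviced best effort, so a
    failure in one operation says nothing about the ones after it."""
    sent = [op.tag for op in ET.fromstring(request_xml)]
    resp = ET.fromstring(response_xml)  # use defusedxml for untrusted input
    if resp.tag != "Response":
        raise ValueError("expected <Response>, got <%s>" % resp.tag)
    results = []
    for i, op in enumerate(resp):
        code, msg, where = _first_error(op)
        results.append({
            "index": i + 1,
            "operation": op.tag,
            # Same tags in the same order as the request, per the guide.
            "matches_request": i < len(sent) and sent[i] == op.tag,
            "ok": code is None and msg is None,
            "error_code": code, "error_msg": msg, "failed_element": where,
        })
    if len(results) != len(sent):
        raise ValueError("response has %d operations, request had %d"
                         % (len(results), len(sent)))
    return results


def failed_operations(results):
    """Indexes (1-based, as in the text) of the operations that failed."""
    return [r["index"] for r in results if not r["ok"]]


# Constructed request: three operations in one <Request>.
SAMPLE_REQUEST = build_batched_request([
    ("Get", ET.fromstring('<Configuration Source="CurrentConfig"/>')),
    ("Set", ET.fromstring("<Configuration><BGP/></Configuration>")),
    ("Get", ET.fromstring('<Configuration Source="ChangedConfig"/>')),
])

# Constructed response: operation 2 fails, operation 3 is still serviced.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Response MajorVersion="1" MinorVersion="0">
  <Get><Configuration Source="CurrentConfig"/></Get>
  <Set><Configuration>
    <BGP ErrorCode="0x00000001" ErrorMsg="constructed: operation 2 rejected"/>
  </Configuration></Set>
  <Get><Configuration Source="ChangedConfig"/></Get>
</Response>"""
```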
This example shows a simple request containing six different operations:
Sample XML Client Batched Requests
Sample XML Response from the Router
Table 1-6 List of Alarm Operation Tags
Tag Description
Registers to receive alarm notifications.
Cancels a previous alarm notification registration.
Chapter 2 Cisco XML Router Configuration and Management
This chapter reviews the basic XML requests and responses used to configure and manage the router.
The use of XML to configure the router is essentially an abstraction of a configuration editor in which
client applications can load, browse, and modify configuration data without affecting the current running
(that is, active) configuration on the router. This configuration that is being modified is called the “target
configuration” and is not the running configuration on the router. The router’s running configuration can
never be modified directly. All changes to the running configuration must go through the target
configuration.
Note Each client application session has its own target configuration, which is not visible to other client
sessions.
This chapter contains these sections:
• Target Configuration Overview, page 2-13
• Configuration Operations, page 2-14
• Additional Router Configuration and Management Options Using XML, page 2-27
Target Configuration Overview
The target configuration is effectively the current running configuration overlaid with the client-entered
configuration. In other words, the target configuration is the client-intended configuration if the client
were to commit changes. In terms of implementation, the target configuration is an operating system
buffer that contains just the changes (set and delete) that are performed within the configuration session.
A “client session” is synonymous with a dedicated TCP, Telnet, Secure Shell (SSH), or SSL connection
together with an authentication, authorization, and accounting (AAA) login. The target
configuration is created implicitly at the beginning of a client application session and must be promoted
(that is, committed) to the running configuration explicitly by the client application in order to replace
or become the running configuration. If the client session breaks, the current target configuration is
aborted and any outstanding locks are released.
Note Only the syntax of the target configuration is checked and verified to be compatible with the installed
software image on the router. The semantics of the target configuration are checked only when the target
configuration is promoted to the running configuration.
Configuration Operations
Note Only the tasks in the “Committing the Target Configuration” section are required to change the
configuration on the router (that is, modifying and committing the target configuration).
Use these configuration options from the client application to configure or modify the router with XML:
• Locking the Running Configuration, page 2-14
• Browsing the Target or Running Configuration, page 2-15
– Getting Configuration Data, page 2-15
• Browsing the Changed Configuration, page 2-16
• Loading the Target Configuration, page 2-19
• Setting the Target Configuration Explicitly, page 2-20
• Saving the Target Configuration, page 2-21
• Committing the Target Configuration, page 2-22
– Loading a Failed Configuration, page 2-26
• Unlocking the Running Configuration, page 2-27
Locking the Running Configuration
The client application uses the operation to obtain an exclusive lock on the running
configuration in order to prevent modification by other users or applications.
If the lock operation is successful, the response contains only the tag. If the lock operation fails,
the response also contains ErrorCode and ErrorMsg attributes that indicate the cause of the lock failure.
This example shows a request to lock the running configuration. This request corresponds to the
command-line interface (CLI) command configure exclusive.
Sample XML Request from the Client Application
Sample XML Response from the Router
These conditions apply when the running configuration is locked:
• The scope of the lock is the entire configuration “namespace.”
• Only one client application can hold the lock on the running configuration at a time. If a client
application attempts to lock the configuration while another application holds the lock, an error is
returned.
• If a client application has locked the running configuration, all other client applications can only
read the running configuration, but cannot modify it (that is, they cannot commit changes to it).
• No mechanism is provided to allow a client application to break the lock of another user.
• If a client session is terminated, any outstanding locks are automatically released.
• The XML API does not support timeouts for locks.
• The operation is used to identify the user session holding the lock.
Browsing the Target or Running Configuration
The client application browses the target or current running configuration using the operation
along with the request type tags. The client application optionally uses CLI commands
encoded within XML tags to browse the configuration.
The tag supports the optional Source attribute, which is used to specify the source of
the configuration information returned from a operation.
Getting Configuration Data
Table 2-1 describes the Source options.
Table 2-1 Source Options
Option Description
ChangedConfig Reads only from the changes made to the target configuration for the current session. This option effectively gets the configuration changes made from the current session since the last configuration commit.
This option corresponds to the CLI command show configuration.
CurrentConfig Reads from the current active running configuration.
This option corresponds to the CLI command show configuration running.
MergedConfig Reads from the target configuration for this session. This option should provide a view of the resultant running configuration if the current target configuration is committed without errors. For example, in the case of the “best effort” commit, some portions of the commit could fail, while others could succeed.
MergedConfig is the default when the Source attribute is not specified on the operation.
This option corresponds to the CLI command show configuration merge.
CommitChanges Reads from the commit database for the specified commit ID.
This operation corresponds to the CLI command show configuration commit changes.
RollbackChanges Reads from a set of rollback changes.
This operation corresponds to the CLI command show configuration rollback-changes.
If the operation fails, the response contains one or more ErrorCode and ErrorMsg attributes
indicating the cause of the failure.
This example shows a request used to browse the current Border Gateway Protocol (BGP)
configuration:
Sample XML Client Request to Browse the Current BGP Configuration
Sample XML Response from the Router
Browsing the Changed Configuration
When a client application issues a request with a Source type of ChangedConfig, the response
contains the OperationType attribute to indicate whether the returned changes to the target configuration
were a result of or operations.
Use to browse uncommitted target configuration changes.
This example shows and operations that modify the BGP configuration followed by a
request to browse the uncommitted BGP configuration changes. These requests correspond to
these CLI commands:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# router bgp 3
RP/0/RP0/CPU0:router(config-bgp)# default-metric 10
RP/0/RP0/CPU0:router(config-bgp)# no neighbor 10.0.101.8
RP/0/RP0/CPU0:router(config-bgp)# exit
RP/0/RP0/CPU0:router# show configuration
Sample XML to Modify the BGP Configuration
Sample XML Response from the Router
Sample XML Client Request to Browse Uncommitted Target Configuration Changes
Sample Secondary XML Response from the Router
Loading the Target Configuration
The client application uses the operation along with the tag to populate the target
configuration with the contents of a binary configuration file previously saved on the router using the
operation.
Note At the current time, a configuration file saved using the CLI is not loadable with XML. The
configuration should have been saved using the XML operation. Using the operation is
strictly optional. It can be used alone or with the and operations, as described in the
“Setting the Target Configuration Explicitly” section on page 2-20.
Use the tag to name the file from which the configuration is to be loaded, specifying the complete
path of the file.
If the load operation is successful, the response contains both the and tags. If the load
operation fails, the response contains the ErrorCode and ErrorMsg attributes that indicate the cause of
the load failure.
This example shows a request to load the target configuration from the contents of the file my_bgp.cfg:
Sample XML Client Request to Load the Target Configuration from a Named File
disk0:/my_bgp.cfg
Sample XML Response from the Router
disk0:/my_bgp.cfg
See also the “Setting the Target Configuration Explicitly” section on page 2-20.
Setting the Target Configuration Explicitly
The client application modifies the target configuration as required using the and
operations.
Note There are no separate “Create” and “Modify” operations, because a operation for an item can
result in the creation of the item if it does not already exist in the configuration, and can result in the
modification of the item if it does already exist.
The client application can optionally use CLI commands encoded within XML tags to modify the target
configuration.
If the operation to modify the target configuration is successful, the response contains only the
or tag. If the operation fails, the response includes the element or object hierarchy passed in the
request along with one or more ErrorCode and ErrorMsg attributes indicating the cause of the failure.
A syntax check is performed whenever the client application writes to the target configuration. A
successful write to the target configuration, however, does not guarantee that the configuration change
can succeed when a subsequent commit of the target configuration is attempted. For example, errors
resulting from failed verifications may be returned from the commit.
This example shows how to use a request to set the default metric and routing timers and disable
neighbor change logging for a particular BGP autonomous system. This request corresponds to these
CLI commands:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# router bgp 3
RP/0/RP0/CPU0:router(config-bgp)# default-metric 10
RP/0/RP0/CPU0:router(config-bgp)# timers bgp 60 180
RP/0/RP0/CPU0:router(config-bgp)# exit
Sample XML Client Request to Set Timers and Disable Neighbor Change Logging for a BGP Configuration
Sample XML Response from the Router
To replace a portion of the configuration, the client application should use a operation to
remove the unwanted portion of the configuration followed by a operation to add the new
configuration. An explicit “replace” option is not supported.
For more information on replacing the configuration, see the “Replacing the Current Running
Configuration” section on page 2-44.
Saving the Target Configuration
The client application uses the operation along with the tag to save the contents of the
target configuration to a binary file on the router.
Use the tag to name the file to which the configuration is to be saved. You must specify the
complete path of the file to be saved when you use the tag. If the file already exists on the router,
then an error is returned, unless the optional Boolean attribute Overwrite is included on the tag
with a value of “true”.
Note No mechanism is provided by the XML interface for “browsing” through the file directory structure.
If the save operation is successful, the response contains both the and tags. If the save
operation fails, the response also contains the ErrorCode and ErrorMsg attributes that indicate the cause
of the failure.
This example shows a request to save the contents of the target configuration to the file named
my_bgp.cfg on the router:
Sample XML Client Request to Save the Target Configuration to a File
disk0:/my_bgp.cfg
Sample XML Response from the Router
disk0:/my_bgp.cfg
Committing the Target Configuration
In order for the configuration in the target area to become part of the running configuration, the target
configuration must be explicitly committed by the client application using the operation.
Commit Operation
Table 2-2 describes the six optional attributes that are specified with the operation.
Table 2-2 Commit Operation Attributes
Attribute Description
Mode Use the Mode attribute to specify whether the target configuration should be committed on an Atomic or a BestEffort basis. In the case of a commit with the Atomic option, the entire configuration in the target area is committed only if the application of all of the configuration in the target area to the running configuration succeeds. If any errors occur, the commit operation is rolled back and the errors are returned to the client application. In the case of commit with the BestEffort option, the configuration is committed even if some configuration items fail during the commit operation. In this case too, the errors are returned to the client application. By default, the commit operation is performed on an Atomic basis.
KeepFailedConfig Use this Boolean attribute to specify whether any configuration that fails during the commit operation should remain in the target configuration buffer. The default value for KeepFailedConfig is false. That is, by default the target configuration buffer is cleared after each commit. If a commit operation is performed with a KeepFailedConfig value of false, the user can then use the operation to load the failed configuration back into the target configuration buffer. The use of the KeepFailedConfig attribute makes sense only for the BestEffort commit mode. In the case of an Atomic commit, if something fails, the entire target configuration is kept intact (because nothing is committed).
Label Use the Label attribute instead of the commit identifier wherever a commit identifier is expected, such as in the operation. The Label attribute is a unique user-specified label that is associated with the commit in the commit database. If specified, the label must begin with an alphabetic character and cannot match any existing label in the commit database.
Comment Use the Comment attribute as a user-specified comment to be associated with the commit in the router commit database.
Confirmed Use the Confirmed attribute as a commit request, which sends the target configuration to a trial commit. The confirmed request has a value of 30 to 300 seconds. If the user sends a commit request without the Confirmed attribute within the specified period, the changes are committed; otherwise, the changes are rolled back after the specified period is over. If the user sends a commit request again with the Confirmed attribute, the target configuration is sent to the trial commit.
Replace Use this Boolean attribute to specify whether the commit operation should replace the entire configuration running on the router with the contents of the target configuration buffer. The default value for Replace is false. The Replace attribute should be used with caution.
Caution The new configuration must contain the necessary configuration to maintain the XML session, for example, “xml agent” or “xml agent tty” along with the configuration for the management interface. Otherwise, the XML session is terminated.
IgnoreOtherSessions Use this Boolean attribute to specify whether the commit operation should be allowed to go through without an error when one or more commits have occurred from other configuration sessions since the current session started or since the last commit was made from this session. The default value for IgnoreOtherSessions is false.
If the commit operation is successful, the response contains only the tag, along with a unique
CommitID and any other attributes specified in the request. If the commit operation fails, the failed
configuration is returned in the response.
This example shows a request to commit the target configuration using the Atomic option. The request
corresponds to the commit label BGPUpdate1 comment BGP config update CLI command.
Sample XML Client Request to Commit the Target Configuration Using the Atomic Option
Sample XML Response from the Router
This example shows a request to commit for a 50-second period. The request corresponds to the commit
confirmed 50 CLI command.
Sample XML Client Request to Commit for a 50-second Period
Sample XML Response from the Router
These points should be noted with regard to committing the target configuration:
• After each successful commit operation, a commit record is created in the router commit database.
The router maintains up to 100 entries in the commit database corresponding to the last 100
commits. Each commit is assigned a unique identifier, such as “1000000075,” which is saved with
the commit information in the database. The commit identifier is used in subsequent operations such
as commit changes or to a previous commit (using the tag).
• Configuration changes in the target configuration are merged with the running configuration when
committed. If a client application is to perform a replace of the configuration, the client must first
remove the unwanted configuration using a operation and then add the new configuration
using a operation. An explicit replace option is not supported. For more information on
replacing the configuration, see the “Replacing the Current Running Configuration” section on
page 2-44.
• Applying the configuration for a trial period (“try-and-apply”) is not supported for this release.
• If the client application never commits, the target configuration is automatically destroyed when the
client session is terminated. No other timeouts are supported.
• To confirm the commit with the Confirmed attribute, the user has to send an explicit
without the Confirmed attribute or send a without the “Confirmed” attribute along with
any other configurations.
Commit Errors
If any configuration entered into the target configuration fails to make its way to the running
configuration as the result of a operation (for example, the configuration contains a semantic
error and is therefore rejected by a back-end application’s verifier function), all of the failed
configuration is returned in the response along with the appropriate ErrorCode and
ErrorMsg attributes indicating the cause of each failure.
The OperationType attribute is used to indicate whether the failure was a result of a requested or
operation. In the case of a operation failure, the value to be set is included in the commit
response.
This example shows and operations to modify the BGP configuration followed by a
request resulting in failures for both requested operations. This request corresponds to these
CLI commands:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# router bgp 4
RP/0/RP0/CPU0:router(config-bgp)# default-metric 10
RP/0/RP0/CPU0:router(config-bgp)# exit
RP/0/RP0/CPU0:router(config)# commit best-effort
Sample XML Client Request to Modify the Target Configuration
Sample XML Response from the Router
Sample Request to Commit the Target Configuration
Sample XML Response from the Router Showing Failures for Both Requested Operations
For more information, see the “Loading a Failed Configuration” section on page 2-26.
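The attribute constraints of Table 2-2 and the failure reporting described under “Commit Errors”, worked in Python as an added example (not code from the guide): the builder refuses commits whose attributes the table rules out, and the reader separates a clean commit (CommitID) from a best-effort commit that returned failed configuration with OperationType, ErrorCode and ErrorMsg. Tag names and the BGP hierarchy follow the Cisco IOS XR XML API schema and are assumptions where this page shows no markup; both responses are constructed.

```python
"""Commit request builder and response reader for the Cisco XML API.
Added example, not from the guide.  Tag names (Request, Response, Commit,
Configuration and the BGP hierarchy) follow the Cisco IOS XR XML API schema
and are assumptions where the page shows no markup; attribute names and
limits are those of Table 2-2.  Both responses below are constructed."""
import xml.etree.ElementTree as ET

CONFIRMED_MIN, CONFIRMED_MAX = 30, 300  # seconds, from the Confirmed row


def build_commit_request(mode="Atomic", label=None, comment=None, confirmed=None,
                         keep_failed_config=False, replace=False,
                         ignore_other_sessions=False):
    """Serialize a <Request> holding one <Commit>, rejecting attribute
    combinations that Table 2-2 rules out before they reach the router."""
    if mode not in ("Atomic", "BestEffort"):
        raise ValueError("Mode must be Atomic or BestEffort")
    if keep_failed_config and mode != "BestEffort":
        # A failed Atomic commit keeps the whole target buffer anyway.
        raise ValueError("KeepFailedConfig only makes sense with BestEffort")
    if confirmed is not None and not CONFIRMED_MIN <= confirmed <= CONFIRMED_MAX:
        raise ValueError("Confirmed must be %d..%d seconds" % (CONFIRMED_MIN, CONFIRMED_MAX))
    if label is not None and not label[:1].isalpha():
        # Uniqueness against the commit database can only be checked by the router.
        raise ValueError("Label must begin with an alphabetic character")
    attrs = {"Mode": mode}
    for name, value in (("Label", label), ("Comment", comment), ("Confirmed", confirmed)):
        if value is not None:
            attrs[name] = str(value)
    # Replace discards the running configuration: the target must still carry
    # the XML agent and management-interface configuration or the session dies.
    for name, on in (("KeepFailedConfig", keep_failed_config), ("Replace", replace),
                     ("IgnoreOtherSessions", ignore_other_sessions)):
        if on:
            attrs[name] = "true"
    req = ET.Element("Request", MajorVersion="1", MinorVersion="0")
    ET.SubElement(req, "Commit", attrs)
    return ET.tostring(req, encoding="unicode")


def _path(node, parents, stop):
    """Slash-joined element path from just below `stop` down to `node`."""
    parts = []
    while node is not None and node is not stop:
        parts.append(node.tag)
        node = parents.get(node)
    return "/".join(reversed(parts))


def parse_commit_response(response_xml):
    """Return {'ok': True, 'commit_id': ...} for a clean commit; otherwise
    {'ok': False, 'error_code', 'error_msg', 'failures': [...]} where each
    failure carries the element path, its OperationType (Set or Delete, taken
    from the element or its nearest ancestor) and, for a Set, the value."""
    resp = ET.fromstring(response_xml)
    commit = resp.find("Commit")
    if resp.tag != "Response" or commit is None:
        raise ValueError("not a <Response> carrying a <Commit>")
    parents = {child: parent for parent in commit.iter() for child in parent}
    failures = []
    for node in commit.iter():
        if node is commit or not ("ErrorCode" in node.attrib or "ErrorMsg" in node.attrib):
            continue
        op_type, cur = None, node
        while cur is not None and op_type is None:
            op_type, cur = cur.get("OperationType"), parents.get(cur)
        failures.append({"path": _path(node, parents, commit), "operation_type": op_type,
                         "error_code": node.get("ErrorCode"), "error_msg": node.get("ErrorMsg"),
                         "value": (node.text or "").strip() or None})
    if failures or "ErrorCode" in commit.attrib:
        return {"ok": False, "error_code": commit.get("ErrorCode"),
                "error_msg": commit.get("ErrorMsg"), "failures": failures}
    return {"ok": True, "commit_id": commit.get("CommitID")}


# Constructed: an Atomic commit that succeeded (label and comment from the guide).
SUCCESS_RESPONSE = ('<Response MajorVersion="1" MinorVersion="0"><Commit Mode="Atomic" '
                    'Label="BGPUpdate1" Comment="BGP config update" CommitID="1000000075"/>'
                    '</Response>')

# Constructed: a BestEffort commit in which one Set and one Delete failed.
FAILED_RESPONSE = """<Response MajorVersion="1" MinorVersion="0">
  <Commit Mode="BestEffort" ErrorCode="0x00000001"
          ErrorMsg="constructed: one or more sub-configurations failed during commit">
    <Configuration><BGP><AS><Naming><AS>0</AS></Naming>
      <FourByteAS><Naming><AS>4</AS></Naming>
        <DefaultMetric OperationType="Set" ErrorCode="0x00000002"
                       ErrorMsg="constructed: verifier rejected default-metric">10</DefaultMetric>
        <Neighbor OperationType="Delete" ErrorCode="0x00000003"
                  ErrorMsg="constructed: neighbor does not exist">
          <Naming><Address>10.0.101.8</Address></Naming>
        </Neighbor>
      </FourByteAS>
    </AS></BGP></Configuration>
  </Commit>
</Response>"""
```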
Loading a Failed Configuration
The client application uses the operation along with the tag to populate the
target configuration with the failed configuration from the most recent operation. Loading
the failed configuration in this way is equivalent to specifying a “true” value for the KeepFailedConfig
attribute in the operation.
If the load operation is successful, the response contains both the and tags. If
the load fails, the response can also contain the ErrorCode and ErrorMsg attributes that indicate the
cause of the load failure.
This example shows a request to load and display the failed configuration from the last
operation. This request corresponds to the show configuration failed CLI command.
Sample XML Client Request to Load the Failed Configuration from the Last Operation
Sample XML Response from the Router
Unlocking the Running Configuration
The client application must use the operation to release the exclusive lock on the running
configuration for the current session prior to terminating the session.
If the unlock operation is successful, the response contains only the tag. If the unlock
operation fails, the response can also contain the ErrorCode and ErrorMsg attributes that indicate the
cause of the unlock failure.
This example shows a request to unlock the running configuration. This request corresponds to the exit
CLI command when it is used after the configuration mode is entered through the configure exclusive
CLI command.
Sample XML Client Request to Unlock the Running Configuration
Sample XML Response from the Router
Additional Router Configuration and Management Options Using XML
These sections describe the optional configuration and router management tasks available to the client
application:
• Getting Commit Changes, page 2-28
• Loading Commit Changes, page 2-29
• Clearing a Target Session, page 2-31
• Rolling Back Configuration Changes to a Specified Commit Identifier, page 2-32
• Rolling Back the Trial Configuration Changes Before the Trial Time Expires, page 2-32
• Rolling Back Configuration Changes to a Specified Number of Commits, page 2-33
• Getting Rollback Changes, page 2-34
• Loading Rollback Changes, page 2-35
• Getting Configuration History, page 2-37
• Getting Configuration Commit List, page 2-40
• Getting Configuration Session Information, page 2-42
• Clear Configuration Session, page 2-43
• Replacing the Current Running Configuration, page 2-44
• Clear Configuration Inconsistency Alarm, page 2-45
Getting Commit Changes
When a client application successfully commits the target configuration to the running configuration,
the configuration manager writes a single configuration change event to the system message logging
(syslog). As a result, an event notification is written to the Alarm Channel and subsequently forwarded
to any registered configuration agents.
Table 2-3 describes the event notification.
Table 2-3 Event Notification
Notification Description
userid Name of the user who performed the commit operation.
timestamp Date and time of the commit.
commit Unique ID associated with the commit.
This example shows a configuration change notification:
RP/0/1/CPU0:Jul 25 18:23:21.810 : config[65725]: %MGBL-CONFIG-6-DB_COMMIT :
Configuration committed by user 'lab'. Use 'show configuration commit changes
1000000001' to view the changes
Upon receiving the configuration change notification, a client application can then use the
operation to load and browse the changed configuration.
The client application can read a set of commit changes using the operation along with the
request type tag when it includes the Source attribute option CommitChanges. One of
the additional attributes, either ForCommitID or SinceCommitID, must also be used to specify the
commit identifier or commit label for which the commit changes should be retrieved.
This example shows the use of the ForCommitID attribute to show the commit changes for a specific
commit. This request corresponds to the show configuration commit changes 1000000075 CLI
command.
Sample XML Request to Show Specified Commit Changes Using the ForCommitID Attribute
Sample XML Response from the Router
This example shows the use of the SinceCommitID attribute to show the commit changes made since a
specific commit. This request corresponds to the show configuration commit changes since
1000000072 CLI command.
Sample XML Request to Show Specified Commit Changes Using the SinceCommitID Attribute
Sample XML Response from the Router
Loading Commit Changes
The client application can load a set of commit changes into the target configuration buffer using the
Load operation and CommitChanges tag along with one of the additional tags ForCommitID,
SinceCommitID, or Previous. After the completion of the Load operation, the client application can then
modify and commit the commit changes like any other configuration.
If the load succeeds, the response contains both the Load and CommitChanges tags. If the load fails, the
response also contains the ErrorCode and ErrorMsg attributes indicating the cause of the load failure.
This example shows the use of the Load operation and CommitChanges tag along with the ForCommitID
tag to load the commit changes for a specific commit into the target configuration buffer. This request
corresponds to the load commit changes 1000000072 CLI command.
Sample XML Request to Load Commit Changes with the ForCommitID tag
1000000072
Sample XML Response from the Router
1000000072
This example shows the use of the Load operation and CommitChanges tag along with the
SinceCommitID tag to load the commit changes since (and including) a specific commit into the target
configuration buffer. This request corresponds to the load commit changes since 1000000072 CLI
command.
Sample XML Request to Load Commit Changes with the SinceCommitID tag
1000000072
Sample XML Response from the Router
1000000072
This example shows the use of the Load operation and CommitChanges tag along with the Previous tag
to load the commit changes for the most recent four commits into the target configuration buffer. This
request corresponds to the load commit changes last 4 CLI command.
Sample XML Request to Load Commit Changes with the Previous tag
4
Sample XML Response from the Router
4
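An added example (not from the guide) tying the notification in “Getting Commit Changes” to the requests in “Loading Commit Changes”: it parses the %MGBL-CONFIG-6-DB_COMMIT syslog message for the fields of Table 2-3 and builds the Get request (ForCommitID or SinceCommitID as attributes) and the Load request (ForCommitID, SinceCommitID or Previous as a child tag), so a monitoring pipeline can fetch exactly what a reported commit changed. Tag names follow the Cisco IOS XR XML API schema and are assumptions where this page shows no markup; the syslog lines are constructed from the guide's sample.

```python
"""Turn the %MGBL-CONFIG-6-DB_COMMIT syslog notification into the follow-up
XML API requests.  Added example, not from the guide.  The notification
format is the one quoted in the text; tag names (Request, Get, Load,
Configuration, CommitChanges, ForCommitID, SinceCommitID, Previous) follow
the Cisco IOS XR XML API schema and are assumptions where the page shows
no markup.  The sample lines are constructed from the guide's example."""
import re
import xml.etree.ElementTree as ET

# The commit ID travels inside "Use 'show configuration commit changes <id>'".
_DB_COMMIT = re.compile(
    r"^(?P<node>[^:\s]+):(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) : "
    r"config\[(?P<pid>\d+)\]: %MGBL-CONFIG-6-DB_COMMIT : "
    r"Configuration committed by user '(?P<user>[^']*)'\. "
    r"Use 'show configuration commit changes (?P<commit_id>\d+)' to view the changes"
)


def parse_commit_notification(line):
    """Return the userid, timestamp and commit id of a DB_COMMIT message
    (the three fields of Table 2-3), or None if the line is something else."""
    m = _DB_COMMIT.match(line.strip())
    return m.groupdict() if m else None


def _request(*children):
    req = ET.Element("Request", MajorVersion="1", MinorVersion="0")
    req.extend(children)
    return ET.tostring(req, encoding="unicode")


def build_get_commit_changes(for_commit_id=None, since_commit_id=None):
    """<Get> of the commit changes with Source="CommitChanges", selecting
    exactly one of ForCommitID or SinceCommitID as the guide requires."""
    if (for_commit_id is None) == (since_commit_id is None):
        raise ValueError("give exactly one of for_commit_id, since_commit_id")
    attrs = {"Source": "CommitChanges"}
    if for_commit_id is not None:
        attrs["ForCommitID"] = str(for_commit_id)
    else:
        attrs["SinceCommitID"] = str(since_commit_id)
    get = ET.Element("Get")
    ET.SubElement(get, "Configuration", attrs)
    return _request(get)


def build_load_commit_changes(for_commit_id=None, since_commit_id=None, previous=None):
    """<Load> of commit changes into the target buffer; exactly one selector,
    carried as a child element (load commit changes ... / last N)."""
    selectors = [(k, v) for k, v in (("ForCommitID", for_commit_id),
                                     ("SinceCommitID", since_commit_id),
                                     ("Previous", previous)) if v is not None]
    if len(selectors) != 1:
        raise ValueError("give exactly one of for_commit_id, since_commit_id, previous")
    tag, value = selectors[0]
    load = ET.Element("Load")
    ET.SubElement(ET.SubElement(load, "CommitChanges"), tag).text = str(value)
    return _request(load)


# Constructed from the notification quoted in the guide (each is one syslog line).
SAMPLE_LINES = [
    "RP/0/1/CPU0:Jul 25 18:23:21.810 : config[65725]: %MGBL-CONFIG-6-DB_COMMIT : "
    "Configuration committed by user 'lab'. Use 'show configuration commit changes "
    "1000000001' to view the changes",
    "RP/0/1/CPU0:Jul 25 18:24:02.115 : config[65725]: %MGBL-CONFIG-6-DB_COMMIT : "
    "Configuration committed by user 'admin'. Use 'show configuration commit changes "
    "1000000002' to view the changes",
    "RP/0/1/CPU0:Jul 25 18:25:00.000 : ifmgr[188]: %PKT_INFRA-LINK-3-UPDOWN : "
    "Interface GigabitEthernet0/0/0/0, changed state to Down",  # constructed non-commit line
]


def commits_from_syslog(lines):
    """Pick the commit events out of a syslog stream and pair each with the
    <Get> request that retrieves exactly what that commit changed."""
    events = []
    for line in lines:
        n = parse_commit_notification(line)
        if n:
            events.append((n["user"], n["commit_id"],
                           build_get_commit_changes(for_commit_id=n["commit_id"])))
    return events
```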
Clearing a Target Session
Prior to committing the target configuration to the active running configuration, the client application
can use the operation to clear the target configuration session. This operation has the effect of
clearing the contents of the target configuration, thus removing any changes made to the target
configuration since the last commit. The clear operation does not end the target configuration session,
but results in the discarding of any uncommitted changes from the target configuration.
If the clear operation is successful, the response contains just the tag. If the clear operation
fails, the response can also contain the ErrorCode and ErrorMsg attributes that indicate the cause of the
clear failure.
This example shows a request to clear the current target configuration session. This request corresponds
to the clear CLI command.
Sample XML Request to Clear the Current Target Configuration Session
Sample XML Response from a Router
Rolling Back Configuration Changes to a Specified Commit Identifier
The client application uses the operation with the tag to roll back the
configuration changes made since (and including) the commit by specifying a commit identifier or
commit label.
If the roll back operation is successful, the response contains both the and
tags. If the roll back operation fails, the response can also contain the ErrorCode and ErrorMsg attributes
that indicate the cause of the roll back failure.
Table 2-4 describes the optional attributes that are specified with the operation by the client
application when rolling back to a commit identifier.
This example shows a request to roll back the configuration changes to a specified commit identifier.
This request corresponds to the rollback configuration to 1000000072 CLI command.
Sample XML Request to Roll Back the Configuration Changes to a Specified Commit Identifier
1000000072
Sample XML Response from the Router
1000000072
Note The commit identifier can also be obtained by using the operation described in the “Getting Configuration History” section on page 2-37.
Table 2-4 Optional Attributes for Rollback Operation (Commit Identifier)
Attribute Description
Label Unique user-specified label to be associated with the rollback in the router commit database. If specified, the label must begin with an alphabetic character and cannot match any existing label in the router commit database.
Comment User-specified comment to be associated with the rollback in the router commit database.
Rolling Back the Trial Configuration Changes Before the Trial Time Expires
When the user sends a commit request with the Confirmed attribute, a trial configuration session is created. If the user then sends a second commit request within the trial time, the trial configuration changes are confirmed and become permanent. If the user wants to roll back the trial configuration changes before the trial time expires, the user can use the operation. If the trial changes are neither confirmed nor rolled back, the router reverts them itself when the trial time expires.
Note No optional attributes can be used when is specified.
This example shows a request to roll back the trial configuration changes:
Sample XML Request to Roll Back the Trial Configuration Before the Trial Time Expires
Sample XML Response from the Router
Rolling Back Configuration Changes to a Specified Number of Commits
The client application uses the operation with the tag to roll back the
configuration changes made during the most recent [x] commits, where [x] is a number ranging from 0
to the number of saved commits in the commit database. If the value is specified as “0”,
nothing is rolled back. The target configuration must be unlocked at the time the operation
is requested.
If the roll back operation is successful, the response contains both the and tags.
If the roll back operation fails, the response can also contain the ErrorCode and ErrorMsg attributes that
indicate the cause of the rollback failure.
Table 2-5 describes the optional attributes that are specified with the operation by the client application when rolling back a specified number of commits.
Table 2-5 Optional Attributes for Rollback Operation (Number of Commits)
Attribute Description
Label Unique user-specified label to be associated with the rollback in the router commit database. If specified, the label must begin with an alphabetic character and cannot match any existing label in the router commit database.
Comment User-specified comment to be associated with the rollback in the router commit database.
This example shows a request to roll back the configuration changes made during the previous three commits. This request corresponds to the rollback configuration last 3 CLI command.
Sample XML Request to Roll Back Configuration Changes to a Specified Number of Commits
3
Sample XML Response from the Router
3
Getting Rollback Changes
The client application can read a set of rollback changes using the operation along with the request type tag when it includes both the Source attribute option RollbackChanges and one of the additional attributes ToCommitID or PreviousCommits.
The set of rollback changes is exactly the set of changes that the operation applies when it is performed with the same parameters. Read and verify this set before performing the rollback: a rollback is applied like any other commit, so it removes whatever was configured after the target commit, including security-relevant items such as access lists or AAA settings.
This example shows the use of the ToCommitID attribute to get the rollback changes for rolling back to
a specific commit. This request corresponds to the show configuration rollback-changes to
1000000072 CLI command.
Sample XML Client Request to Get Rollback Changes Using the ToCommitID Attribute
Sample XML Response from the Router
OperationType=”....>
.
.
rollback changes returned here
.
.
.
This example shows the use of the PreviousCommits attribute to get the roll back changes for rolling
back a specified number of commits. This request corresponds to the show configuration
rollback-changes last 4 CLI command.
Sample XML Client Request to Get Roll Back Changes Using the PreviousCommits Attribute
Sample XML Response from the Router
OperationType=”....>
.
.
rollback changes returned here
.
.
.
<ResultSummary ErrorCount="0"/>
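The review-before-rollback step recommended above, worked through as an added example (this is not code from the Cisco guide or from Cisco): the client fetches the rollback changes with Source="RollbackChanges" and ToCommitID, refuses to proceed if the preview reports errors or touches a forbidden branch, and only then sends the rollback with a label that satisfies the Table 2-4 rule. The envelope Request MajorVersion="1" MinorVersion="0", the Get, Configuration, Rollback and CommitID element names, and the response layout are assumptions for the example; the transport is a callable send(xml) -> xml, with a fake router that returns constructed responses so that the code runs offline.

```python
import re
import xml.etree.ElementTree as ET

# Assumed request envelope (not shown in the guide text above).
REQUEST_ATTRS = {"MajorVersion": "1", "MinorVersion": "0"}
# Table 2-4: a label must begin with an alphabetic character. The rest of the
# character class is a conservative choice for this example, not a guide rule.
LABEL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def label_is_valid(label):
    return bool(LABEL_RE.match(label))


def build_get_rollback_changes(commit_id):
    """Request the changes a rollback *to* commit_id would apply (Source and
    ToCommitID attributes as in the guide; Get/Configuration names assumed)."""
    req = ET.Element("Request", REQUEST_ATTRS)
    get = ET.SubElement(req, "Get")
    ET.SubElement(get, "Configuration",
                  {"Source": "RollbackChanges", "ToCommitID": commit_id})
    return ET.tostring(req, encoding="unicode")


def build_rollback(commit_id, label=None, comment=None):
    """Rollback to a commit identifier with the optional Label/Comment
    attributes. The Rollback and CommitID element names are assumed."""
    if label is not None and not label_is_valid(label):
        raise ValueError("rollback label must begin with an alphabetic character")
    attrs = {}
    if label is not None:
        attrs["Label"] = label
    if comment is not None:
        attrs["Comment"] = comment
    req = ET.Element("Request", REQUEST_ATTRS)
    rb = ET.SubElement(req, "Rollback")
    ET.SubElement(rb, "CommitID", attrs).text = commit_id
    return ET.tostring(req, encoding="unicode")


def error_count(response):
    """ErrorCount from the ResultSummary trailer (0 if the trailer is absent)."""
    summary = ET.fromstring(response).find(".//ResultSummary")
    return int(summary.get("ErrorCount", "0")) if summary is not None else 0


def rollback_changes_leaves(response):
    """Flatten the returned Configuration hierarchy into (path, value) pairs."""
    leaves = []

    def walk(node, path):
        children = list(node)
        if not children:
            leaves.append((path, (node.text or "").strip()))
        for child in children:
            walk(child, path + "/" + child.tag)

    cfg = ET.fromstring(response).find(".//Configuration")
    for child in ([] if cfg is None else list(cfg)):
        walk(child, child.tag)
    return leaves


def safe_rollback(send, commit_id, label, forbidden_paths=()):
    """Preview, policy-check, then roll back. Returns a short status string."""
    preview = send(build_get_rollback_changes(commit_id))
    if error_count(preview):
        return "aborted: preview returned errors"
    changes = rollback_changes_leaves(preview)
    hits = [p for p, _ in changes if p.startswith(tuple(forbidden_paths))]
    if hits:
        return "aborted: rollback would touch " + ", ".join(hits)
    result = send(build_rollback(commit_id, label=label,
                                 comment="reviewed %d leaves" % len(changes)))
    return "ok" if error_count(result) == 0 else "failed: rollback returned errors"


# Constructed sample responses; element names under Configuration are illustrative.
PREVIEW_RESPONSE = """<Response MajorVersion="1" MinorVersion="0">
  <Get><Configuration Source="RollbackChanges" ToCommitID="1000000072">
    <BGP><AS><Naming><AS>3</AS></Naming>
      <Global><DefaultMetric>10</DefaultMetric></Global></AS></BGP>
  </Configuration></Get>
  <ResultSummary ErrorCount="0"/>
</Response>"""
ROLLBACK_RESPONSE = """<Response MajorVersion="1" MinorVersion="0">
  <Rollback><CommitID>1000000072</CommitID></Rollback>
  <ResultSummary ErrorCount="0"/>
</Response>"""


def fake_send(xml):
    """Offline stand-in for the XML agent transport."""
    return PREVIEW_RESPONSE if "RollbackChanges" in xml else ROLLBACK_RESPONSE


if __name__ == "__main__":
    print(safe_rollback(fake_send, "1000000072", "before_maint",
                        forbidden_paths=("AAA", "IPV4_ACL")))
```

The forbidden-path list is the policy hook: branches such as AAA or the management access lists are the ones an operator least wants silently removed by a rollback, so the client aborts if the preview shows a change there rather than relying on the router, which applies whatever the rollback set contains.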
Loading Rollback Changes
The client application can load a set of rollback changes into the target configuration buffer using the Load operation and RollbackChanges tag along with one of the additional tags ForCommitID, ToCommitID, or Previous. After the Load operation completes, the client application can modify and commit the rollback changes as with any other configuration.
If the load succeeds, the response contains both the Load and RollbackChanges tags. If the load fails,
the response also contains the ErrorCode and ErrorMsg attributes indicating the cause of the load failure.
This example shows the use of the Load operation and RollbackChanges tag along with the
ForCommitID tag to load the rollback changes for a specific commit into the target configuration buffer.
This request corresponds to the load rollback changes 1000000072 CLI command.
Sample XML Client to Load Rollback Changes with the ForCommitID tag
1000000072
Sample XML Response from the Router
1000000072
This example shows the use of the Load operation and RollbackChanges tag along with the ToCommitID
tag to load the rollback changes up to (and including) a specific commit into the target configuration
buffer. This request corresponds to the load rollback changes to 1000000072 CLI command.
Sample XML Client to Load Rollback Changes with the ToCommitID tag
1000000072
Sample XML Response from the Router
1000000072
This example shows the use of the Load operation and RollbackChanges tag along with the Previous tag
to load the rollback changes for the most recent four commits into the target configuration buffer. This
request corresponds to the load rollback changes last 4 CLI command.
Sample XML Client to Load Rollback Changes with the Previous tag
4
Sample XML Response from the Router
4
Getting Configuration History
The client application uses the operation to get information regarding these
configuration events:
• Commit
• Online insertion and removal (OIR) events, also known as remove and replace
• Router shutdown synchronization
• cfs check rebuild of persistent configuration from running configuration
• Startup application of admin and SDR configuration, noting alternate configuration fallback
specification
• Configuration inconsistency including failed configuration or other similar reasons
Table 2-6 describes the optional attributes available with the operation.
The operation corresponds to the show configuration history CLI command.
Table 2-6 Optional Attributes to Get Configuration History
Attribute Description
Maximum Maximum number of entries to be returned from the commit history file. The range is 0 to 1500. If the Maximum attribute is not included in the request, or if its value is greater than the actual number of entries in the commit history file, all entries in the commit history file are returned. The commit entries are returned with the most recent commit history information appearing first in the list.
EventType Type of event records to be returned from the configuration history file. If this attribute is not included in the request, all types of event records are returned. The EventType attribute expects one of these values: All, Alarm, CFS-Check, Commit, OIR, Shutdown, or Startup.
Reverse Boolean attribute. If it is specified with a value of true, the most recent records are returned first; otherwise, the oldest records are returned first.
Detail Boolean attribute that requests detailed information for each record. The default is false.
This example shows a request to list, with details, the first six entries of the configuration history (the response below contains one CFS-Check record and five commit records). This request corresponds to the show configuration commit history first 6 detail CLI command.
Sample XML Request to List Configuration History Information for the First Six Entries
Sample XML Response from the Router
CFS-Check
1300262221
lab
vty2
Commit
1300262224
1000000627
lab
vty2
CLI
Commit
1300262231
1000000628
lab
vty0
CLI
Commit
1300262239
1000000629
lab
vty0
CLI
Commit
1300262246
1000000630
lab
vty0
CLI
Commit
1300262255
1000000631
lab
vty0
CLI
Getting Configuration Commit List
The client application can use the operation to get information
regarding the most recent commits to the running configuration.
Table 2-7 describes the information that is returned for each configuration commit session.
Table 2-7 Returned Session Information
Name Description
Unique ID associated with the commit.
Getting Configuration Session Information
The client application uses the operation to get the list of all users
configuring the router. In the case where the configuration is locked, the list identifies the user holding
the lock.
Table 2-8 describes the information that is returned for each configuration session.
The Detail attribute can be specified with . This attribute specifies whether detailed information is required; false is the default value.
Table 2-9 describes the additional information that is returned when the Detail attribute is used.
Table 2-8 Returned Session Information
Returned Session Information Session Information Description
Unique autogenerated ID for the configuration session.
Name of the user who created the configuration session.
Line used to connect to the router.
User-friendly name of the client application that created the configuration session.
Date and time of the creation of the configuration session.
Boolean value indicating whether the session has an exclusive lock on the running configuration.
Table 2-9 Returned Session Information with the Detail Attribute
Returned Session Information Session Information Description
Process name
Process ID
Node ID
Session time elapsed, in seconds.
This example shows a request to get the list of users currently configuring the router. This request corresponds to the show configuration sessions detail CLI command.
Sample XML Request to Get List of Users Configuring the Router
Sample XML Response from the Router
00000000-0005f109-00000000
lab
con0_0_CPU0
1303317929
false
false
CLI
389385
config
0
0
CPU0
2183
Clear Configuration Session
The client application can use the operation to clear a particular
configuration session. The SessionID attribute specifies the session to be cleared.
This example shows a request to clear a configuration session. This request corresponds to the clear configuration sessions 00000000-000a00c9-00000000 CLI command.
Sample XML Request to Clear a Configuration Session
Sample XML Response from the Router
Replacing the Current Running Configuration
A client application can replace the entire running configuration on the router with a configuration supplied by the user. Perform these operations in sequence:
1. Lock the configuration.
2. Load the desired off-the-box configuration into the target configuration using one or more operations (assuming that the entire desired configuration is available in XML format, perhaps from a previous of the entire configuration). As an alternative, use an appropriate copy command enclosed within tags.
3. Commit the target configuration specifying the Replace attribute with a value of true.
Because a commit with Replace set to true discards every part of the running configuration that is not present in the target configuration, including management access, AAA, and access-list settings, verify the loaded configuration before committing, and release the lock if any step fails.
These examples illustrate these steps:
Sample XML Request to Lock the Current Running Configuration
Sample XML Response from the Router
Sample XML Request to Set the Current Running Configuration
.
.
.
configuration data goes here
.
.
.
Sample XML Response from the Router
Sample XML Request to Commit the Target Configuration
Sample XML Response from the Router
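The three-step sequence above, as an added example (not code from the guide or from Cisco) that also handles the failure paths the steps do not spell out: the client locks, loads, commits with Replace="true", and on any failure clears the half-loaded target buffer and releases the lock, so that a failed load cannot leave partial configuration waiting for somebody's next commit or a stale lock blocking other operators. Lock, Unlock, Load, Clear and Commit are assumed operation element names, the envelope is assumed, and the Label attribute on the commit is assumed to behave as it does for rollback; the Replace attribute, the target configuration buffer and the ResultSummary ErrorCount trailer are as the guide describes. Transport is a callable send(xml) -> xml, here a fake router that can be told to fail a chosen step.

```python
import xml.etree.ElementTree as ET

REQUEST_ATTRS = {"MajorVersion": "1", "MinorVersion": "0"}  # assumed envelope


def envelope(op_tag, attrs=None, body=None):
    """Wrap one operation element (name assumed) in the request envelope."""
    req = ET.Element("Request", REQUEST_ATTRS)
    op = ET.SubElement(req, op_tag, attrs or {})
    if body is not None:
        op.append(body)
    return ET.tostring(req, encoding="unicode")


def error_count(response):
    summary = ET.fromstring(response).find(".//ResultSummary")
    return int(summary.get("ErrorCount", "0")) if summary is not None else 0


def replace_running_config(send, configuration, label):
    """Lock, Load the full configuration, Commit with Replace="true".
    Returns (status, steps) where steps records what was actually done."""
    steps = []
    if error_count(send(envelope("Lock"))):
        return ("lock failed", steps)     # another session holds the lock; nothing to undo
    steps.append("lock")
    try:
        if error_count(send(envelope("Load", body=configuration))):
            return ("load failed", steps)
        steps.append("load")
        # Replace="true": the running configuration becomes exactly the target buffer.
        if error_count(send(envelope("Commit", {"Replace": "true", "Label": label}))):
            return ("commit failed", steps)
        steps.append("commit")
        return ("ok", steps)
    finally:
        if "commit" not in steps:
            send(envelope("Clear"))       # discard the uncommitted target buffer
            steps.append("clear")
        send(envelope("Unlock"))
        steps.append("unlock")


class FakeRouter:
    """Offline stand-in for the XML agent: answers every operation, failing one on request."""

    def __init__(self, fail_on=None):
        self.fail_on = fail_on
        self.log = []

    def send(self, xml):
        op = ET.fromstring(xml)[0].tag
        self.log.append(op)
        errors = "1" if op == self.fail_on else "0"
        return '<Response><%s/><ResultSummary ErrorCount="%s"/></Response>' % (op, errors)


# Constructed off-box configuration; the element names are illustrative.
GOLDEN = ET.fromstring("<Configuration><Hostname>edge1</Hostname></Configuration>")

if __name__ == "__main__":
    router = FakeRouter(fail_on="Load")
    print(replace_running_config(router.send, GOLDEN, "golden_v1"), router.log)
```

If the lock itself fails, nothing is cleared or unlocked: the session that holds the lock can be identified with the configuration session listing described earlier, and clearing another operator's target buffer is never the right response to a lock conflict.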
Clear Configuration Inconsistency Alarm
The client application uses the operation to clear a bi-state
configuration inconsistency alarm.
If the clear operation is successful, the response contains only the
tag. If the clear operation fails, the response also contains the ErrorCode and ErrorMsg attributes,
indicating the cause of the clear failure.
This example shows a request to clear the configuration inconsistency alarm in user mode. This request
corresponds to the clear configuration inconsistency CLI command.
Sample XML Request to Clear the Configuration Inconsistency Alarm
Sample XML Response from the Router
Chapter 3 Cisco XML Operational Requests and Fault Management
A client application can send an XML request to get router operational information using either a native
data request along with the tag, or the equivalent CLI command. Although the CLI
is more familiar to users, the advantage of using the request is that the response data is encoded
in XML format instead of being only uninterpreted text enclosed within tags.
This chapter contains these sections:
• Operational Get Requests, page 3-49
• Action Requests, page 3-50
Operational Get Requests
The content and format of operational requests are described in additional detail in Chapter 4,
“Cisco XML and Native Data Operations.”
This example shows a request to retrieve the global Border Gateway Protocol (BGP) process
information. This request returns BGP process information similar to that displayed by the show ip bgp
process detail CLI command.
Sample XML Client Request to Get BGP Information
Sample XML Response from the Router
Action Requests
0
0
....
more response content here
...
Action Requests
A client application can send a request along with the tag to trigger unique actions on
the router. For example, an object may be set with an action request to inform the router to clear a
particular counter or reset some functionality. Most often this operation involves setting the value of a
Boolean object to “true”.
This example shows an action request to clear the BGP performance statistics information. This request
is equivalent to the clear bgp performance-statistics CLI command.
Sample XML Request to Clear BGP Performance Statistics Information
true
Sample XML Response from the Router
In addition, this example shows an action request to clear the peer drop information for all BGP
neighbors. This request is equivalent to the clear bgp peer-drops * CLI command.
Sample XML Request to Clear Peer Drop Information for All BGP Neighbors
true
Sample XML Response from the Router
Cisco XML and Fault Management
When a client application successfully commits the target configuration to the router’s running
configuration, the configuration manager writes a single configuration change event to system message
logging (syslog). As a result, a fault management event notification is written to the Alarm Channel and
subsequently forwarded to any registered configuration agents.
Configuration Change Notification
Table 3-1 describes the information carried by the event notification for a configuration change.
Table 3-1 Event Notifications for Configuration Changes
Event Notification Description
userid Name of the user who performed the commit operation.
timestamp Date and time of the commit.
commit Unique ID associated with the commit.
This example shows a configuration change notification:
RP/0/RP0/CPU0:Sep 18 09:43:42.747 : %CLIENTLIBCFGMGR-6-CONFIG_CHANGE : A configuration commit by user root occurred at 'Wed Sep 18 09:43:42 2004 '. The configuration changes are saved on the router in file: 010208180943.0
Upon receiving the configuration change notification, a client application can then use the and operations to load and browse the changed configuration.
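As an added example (not from the guide), detection logic a security operations team could run over syslog: it parses the %CLIENTLIBCFGMGR-6-CONFIG_CHANGE message shown in this section into the userid, timestamp and saved-file fields of Table 3-1, then flags commits by users outside an allow-list or outside a maintenance window. The log lines are constructed for the example (the first is the one quoted above); the allow-list and the window are illustrative policy, and the hour check assumes the router clock and the window share a timezone.

```python
import re
from datetime import datetime

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<node>RP/\d+/RP\d+/CPU\d+):(?P<logged>[A-Za-z]{3} +\d+ [\d:.]+) : "
    r"%CLIENTLIBCFGMGR-6-CONFIG_CHANGE : A configuration commit by user "
    r"(?P<userid>\S+) occurred at ['\u2019](?P<when>[^'\u2019]*)['\u2019]\. "
    r"The configuration changes are saved on the router in file: (?P<file>\S+)$"
)

# Constructed sample log; the first line is the notification quoted in the text.
SAMPLE_LOG = [
    "RP/0/RP0/CPU0:Sep 18 09:43:42.747 : %CLIENTLIBCFGMGR-6-CONFIG_CHANGE : "
    "A configuration commit by user root occurred at 'Wed Sep 18 09:43:42 2004 '. "
    "The configuration changes are saved on the router in file: 010208180943.0",
    "RP/0/RP0/CPU0:Sep 19 03:10:02.110 : %CLIENTLIBCFGMGR-6-CONFIG_CHANGE : "
    "A configuration commit by user netops occurred at 'Sun Sep 19 03:10:02 2004'. "
    "The configuration changes are saved on the router in file: 010209190310.0",
    "RP/0/RP0/CPU0:Sep 19 03:11:00.000 : %PKT_INFRA-LINK-3-UPDOWN : "
    "Interface GigabitEthernet0/0/0/0, changed state to Down",
]


def parse_config_change(line):
    """Return the notification fields (Table 3-1) as a dict, or None for other messages."""
    m = CONFIG_CHANGE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["when"] = datetime.strptime(event["when"].strip(), "%a %b %d %H:%M:%S %Y")
    return event


def audit_commits(lines, allowed_users, window_hours=(2, 5)):
    """Flag commits by users not in allowed_users or outside the [start, end) hours."""
    start, end = window_hours
    alerts = []
    for line in lines:
        event = parse_config_change(line)
        if event is None:
            continue
        reasons = []
        if event["userid"] not in allowed_users:
            reasons.append("user not in allow-list")
        if not start <= event["when"].hour < end:
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append((event["userid"], event["file"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in audit_commits(SAMPLE_LOG, {"netops"}):
        print(alert)
```

The saved-file name in the alert is what an analyst needs next: it identifies the commit whose changes can be loaded and browsed with the operations the text describes, so the alert carries it rather than just the user name.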
Chapter 4 Cisco XML and Native Data Operations
Native data operations , , and provide basic access to configuration and
operational data residing on the router.
This chapter describes the content of native data operations and provides an example of each operation
type.
Native Data Operation Content
The content of native data operations includes the request type and relevant object class hierarchy as
described in these sections:
• Request Type Tag and Namespaces, page 4-54
• Object Hierarchy, page 4-54
• Dependencies Between Configuration Items, page 4-58
• Null Value Representations, page 4-58
• Operation Triggering, page 4-58
• Native Data Operation Examples, page 4-59
This example shows a native data operation request:
Sample XML Client Native Data Operation Request
.
.
.
object hierarchy goes here
.
.
.
Sample XML Response from the Router
.
.
.
response content returned here
.
.
.
Request Type Tag and Namespaces
The request type tag must follow the operation type tag within a native data operation request.
Table 4-1 describes the type of request that must be specified as applying to one of the namespaces.
Object Hierarchy
A hierarchy of elements is included to specify the items to get, set, or delete, and so on, after the request
type tag is specified. The precise hierarchy is defined by the XML component schemas.
Note You should use only the supported XML schema objects; therefore, do not attempt to write a request for
other objects.
The XML schema information is mapped to the XML instance.
Table 4-1 Namespace Descriptions
Namespace Description
Provides access to the router configuration data analogous to CLI
configuration commands. The allowed operations on configuration data are
, , and .
Provides access to the router operational data and is analogous to CLI show
commands. The only operation allowed on operational data is .
Provides access to the action data, for example, the clear commands. The
only allowed operation on action data is .
Provides access to the router administration operational data. The only
operation allowed on administration operational data is .
Provides access to the router administration action data; for example, the clear commands. The only allowed operation on administration action data is .
Main Hierarchy Structure
The main structure of the hierarchy consists of the native data model organized as a tree of nodes, where
related data items appear in the same branch of the tree. At each level of the tree, a node is a container
of further, more specific, sets of related data, or a leaf that holds an actual value.
For example, the first element in the configuration data model is , which contains all
possible configuration items. The children of this element are more specific groups of configuration,
such as for Border Gateway Protocol (BGP) configuration and for Intermediate
System-to-Intermediate System (ISIS) configuration. Beneath the element, data is further
compartmentalized with the element for global BGP configuration and element
for per-entity BGP configuration. This compartmentalization continues down to the elements that hold
the values, the values being the character data of the element.
This example shows the main hierarchy structure:
.
.
.
.
.
.
10
.
.
.
.
.
.
.
.
.
.
.
.
Data can be retrieved at any level in the hierarchy. One particular data item can be examined, or all of
the data items in a branch of the tree can be returned in one request.
Similarly, configuration data can be deleted at any granularity—one item can be deleted, or a whole
branch of related configuration can be deleted. So, for example, all BGP configuration can be deleted in
one request, or just the value of the default metric.
Hierarchy Tables
One special type of container element is a table. Tables can hold any number of keyed entries, and are
used when there can be multiple instances of an entity. For example, BGP has a table of multiple
neighbors, each of which has a unique IP address “key” to identify it. In this case, the table element is , and its child element signifying a particular neighbor is . To specify the
key, an extension to the basic parent-child hierarchy is used, where a element appears under
the child element, containing the key to the table entry.
This example shows hierarchy tables:
.
.
.
10.0.101.6
0
6
10.0.101.7
0
6
.
.
.
.
.
.
Use tables to access a specific data item for an entry (for example, getting the remote autonomous system number for neighbor 10.0.101.6), all data for an entry, or even all data for all entries.
Tables also allow the list of entries in the table to be returned without their data; for example, to show all configured neighbors without showing everything configured under each one.
Tables in the operational data model often have a further feature when retrieving their entries. The tables
can be filtered on particular criteria to return just the set of entries that fulfill those criteria. For instance,
the table of BGP neighbors can be filtered on address family or autonomous system number or update
group, or all three. To apply a filter to a table, use another extension to the basic parent-child hierarchy,
where a element appears under the table element, containing the criteria to filter on.
This example shows table filtering:
one
IPv4Unicast
Leaf Nodes
The leaf nodes hold values and are generally simple one-value items where the element representing the leaf node uses character data to specify the value (as in 10 in the example in the “Main Hierarchy Structure” section on page 4-55). In some cases there may be more than one value to specify; for example, when you configure the administrative distance for an address family (the element), three values must be given together. Specifying more than one value is achieved by adding further child elements to the leaf, each of which indicates the particular value being configured.
This example shows leaf nodes:
.
.
.
20
250
200
.
.
.
Sometimes there is even more structure to the values (with additional levels in the hierarchy beneath the tag as a means of grouping the related parts of the data together), although they are still only settable or gettable as one entity. The extreme case is that, in some of the information returned from the operational data model, all the values pertaining to the status of a particular object may be grouped as one leaf. For example, a request to retrieve a particular BGP path status returns all the values associated with that path.
Dependencies Between Configuration Items
Dependencies between configuration items (for example, a rule that if item A has one value, then item B must have one of a given set of values) are not expressed in the XML schema, nor are they enforced by the XML infrastructure. A request can therefore be valid against the schema and still describe an inconsistent configuration. The back-end for the Cisco IOS XR applications is responsible for preventing inconsistent configuration from being set, and the management agents are responsible for carrying out the appropriate operations on dependent configuration items through the XML interface.
Null Value Representations
The standard attribute “xsi:nil” is used with a value of “true” when a null value is specified for an element in an XML request or response document.
This example shows how to specify a null value for the element :
60
Any element that can be set to “nil” in an XML instance has the attribute “nillable” set to “true” in the XML schema definition for that element. For example:
Any XML instance document that uses the nil mechanism must declare the “XML Schema for Instance Documents” namespace (http://www.w3.org/2001/XMLSchema-instance), which contains the “xsi:nil” definition. Responses to native data operations returned from the router declare the namespace in the operation tag. For example:
Operation Triggering
When structuring an XML request, the user should remember the general rule regarding what to specify
in the XML for an operation to take place: As a client XML request is parsed by the router, the specified
operation takes place whenever a closing tag is encountered after a series of one or more opening tags
(but only when the closing tag is not the tag).
This example shows a request to get the confederation peer information for a particular BGP autonomous
system. In this example, the operation is triggered when the tag
is encountered.
Sample XML Client Request to Trigger a Operation for BGP Timer Values
0
3
Sample XML Response from the Router
0
3
0
10
true
Native Data Operation Examples
These sections provide examples of the basic , , and operations:
• Set Configuration Data Request: Example, page 4-60
• Get Request: Example, page 4-62
• Get Request of Nonexistent Data: Example, page 4-63
• Delete Request: Example, page 4-65
• GetDataSpaceInfo Request Example, page 4-66
Set Configuration Data Request: Example
This example shows a native data request to set several configuration values for a particular BGP
neighbor. Because the operation in this example is successful, the response contains only the
operation and request type tags.
This request is equivalent to these CLI commands:
router bgp 3
 address-family ipv4 unicast
 !
 address-family ipv4 multicast
 !
 neighbor 10.0.101.6
  remote-as 6
  ebgp-multihop 255
  address-family ipv4 unicast
   orf route-policy BGP_pass_all
   capability orf prefix both
  !
  address-family ipv4 multicast
   orf route-policy BGP_pass_all
  !
 !
!
Sample XML Client Request to Configuration Values for a BGP Neighbor
0
3
true
IPv4Unicast
true
IPv4Multicast
true
10.0.101.6
0
6
255
false
IPv4Unicast
true
BGP_pass_all
Both
IPv4Multicast
true
BGP_pass_all
Sample XML Response from the Router
Get Request: Example
This example shows a native data request to get the address independent configuration values for a
specified BGP neighbor (using the same values set in the previous example).
Sample XML Client Request to Configuration Values for a BGP Neighbor
0
3
10.0.101.6
Sample XML Response from the Router
0
3
10.0.101.6
0
6
255
false
IPv4Unicast
true
BGP_pass_all
Both
IPv4Multicast
true
BGP_pass_all
Get Request of Nonexistent Data: Example
This example shows a native data request to get the configuration values for a particular BGP neighbor;
this is similar to the previous example. However, in this example the client application is requesting the
configuration for a nonexistent neighbor. Instead of returning an error, the router returns the requested
object class hierarchy, but without any data.
Note Whenever an application attempts to get nonexistent data, the router does not treat this as an error and
returns the empty object hierarchy in the response.
Sample XML Client Request to Configuration Data for a Nonexistent BGP Neighbor
0
3
10.0.101.99
Sample XML Response from the Router
0
3
10.0.101.99
Delete Request: Example
This example shows a native data request to delete the address-independent configuration for a particular BGP neighbor. Note that if a request is made to delete an item that does not exist in the current configuration, an error is not returned to the client application. So in this example the returned result is the same, the empty tag, whether or not the specified BGP neighbor exists. A client that needs to know that the item was actually removed should follow the delete with a get of the same hierarchy and check that only the naming information comes back.
This request is equivalent to these CLI commands:
router bgp 3
 no neighbor 10.0.101.6
 exit
Sample XML Client Request to the Address-Independent Configuration Data for a BGP Neighbor
0
3
10.0.101.6
Sample XML Response from the Router
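An added example (not from the guide or from Cisco) that ties together the points of this chapter: building a Set for a BGP neighbor keyed by a Naming element, using xsi:nil="true" to null a leaf, and checking a Get response for the empty-hierarchy case so that a client does not mistake a nonexistent neighbor for an existing one, or a no-op delete for a successful one. The element names Request, Set, Get, Delete, Configuration, BGP, AS, Naming, NeighborTable, Neighbor, IPAddress, RemoteAS, EBGPMultihop and Description are assumptions for the example (the guide's own element names are missing from this copy), as is the request envelope; the xsi namespace URI is the W3C one. The fake router holds one neighbor so the code runs offline.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"   # namespace that defines xsi:nil
ET.register_namespace("xsi", XSI)
REQUEST_ATTRS = {"MajorVersion": "1", "MinorVersion": "0"}  # assumed envelope


def neighbor_request(operation, asn, ip):
    """Build Request/<operation>/Configuration/BGP/AS[Naming]/NeighborTable/Neighbor[Naming].
    Returns (request_element, neighbor_element) so callers can add leaves."""
    req = ET.Element("Request", REQUEST_ATTRS)
    cfg = ET.SubElement(ET.SubElement(req, operation), "Configuration")
    as_el = ET.SubElement(ET.SubElement(cfg, "BGP"), "AS")
    ET.SubElement(ET.SubElement(as_el, "Naming"), "AS").text = str(asn)   # table key
    nbr = ET.SubElement(ET.SubElement(as_el, "NeighborTable"), "Neighbor")
    ET.SubElement(ET.SubElement(nbr, "Naming"), "IPAddress").text = ip     # table key
    return req, nbr


def build_set_neighbor(asn, ip, remote_as, multihop=None, description=None):
    req, nbr = neighbor_request("Set", asn, ip)
    ET.SubElement(nbr, "RemoteAS").text = str(remote_as)
    if multihop is not None:
        ET.SubElement(nbr, "EBGPMultihop").text = str(multihop)
    if description is None:
        # Null value: xsi:nil="true" on the leaf and no character data.
        ET.SubElement(nbr, "Description", {"{%s}nil" % XSI: "true"})
    else:
        ET.SubElement(nbr, "Description").text = description
    return ET.tostring(req, encoding="unicode")


def build_get_neighbor(asn, ip):
    return ET.tostring(neighbor_request("Get", asn, ip)[0], encoding="unicode")


def build_delete_neighbor(asn, ip):
    return ET.tostring(neighbor_request("Delete", asn, ip)[0], encoding="unicode")


def neighbor_data(get_response):
    """Leaves of the returned Neighbor other than its Naming key. An empty dict
    means the router echoed only the hierarchy: the neighbor does not exist."""
    nbr = ET.fromstring(get_response).find(".//Neighbor")
    if nbr is None:
        return {}
    return {c.tag: (c.text or "").strip() for c in nbr if c.tag != "Naming"}


def delete_and_verify(send, asn, ip):
    """Delete never errors for a missing item, so confirm removal with a Get."""
    send(build_delete_neighbor(asn, ip))
    return neighbor_data(send(build_get_neighbor(asn, ip))) == {}


# Constructed responses modelled on the examples in this section.
GET_EXISTING = """<Response MajorVersion="1" MinorVersion="0"><Get><Configuration>
<BGP><AS><Naming><AS>3</AS></Naming><NeighborTable><Neighbor>
<Naming><IPAddress>10.0.101.6</IPAddress></Naming>
<RemoteAS>6</RemoteAS><EBGPMultihop>255</EBGPMultihop>
</Neighbor></NeighborTable></AS></BGP>
</Configuration></Get><ResultSummary ErrorCount="0"/></Response>"""
GET_MISSING = """<Response MajorVersion="1" MinorVersion="0"><Get><Configuration>
<BGP><AS><Naming><AS>3</AS></Naming><NeighborTable><Neighbor>
<Naming><IPAddress>%s</IPAddress></Naming>
</Neighbor></NeighborTable></AS></BGP>
</Configuration></Get><ResultSummary ErrorCount="0"/></Response>"""


class FakeRouter:
    """Offline stand-in for the XML agent: one configured neighbor, Get/Delete only."""

    def __init__(self):
        self.neighbors = {"10.0.101.6": GET_EXISTING}

    def send(self, xml):
        root = ET.fromstring(xml)
        ip = root.findtext(".//Neighbor/Naming/IPAddress")
        if root[0].tag == "Delete":
            self.neighbors.pop(ip, None)      # succeeds silently even if absent
            return '<Response><Delete/><ResultSummary ErrorCount="0"/></Response>'
        return self.neighbors.get(ip, GET_MISSING % ip)


if __name__ == "__main__":
    router = FakeRouter()
    print(build_set_neighbor(3, "10.0.101.6", 6, multihop=255))
    print(neighbor_data(router.send(build_get_neighbor(3, "10.0.101.6"))))
    print(delete_and_verify(router.send, 3, "10.0.101.6"))
```

neighbor_data deliberately ignores the Naming child: the router returns that key for a nonexistent entry too, so counting it would make a missing neighbor look present.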
GetDataSpaceInfo Request Example
This example shows a operation used to retrieve the native data branch names
dynamically. This is useful, for example, for writing a client application that can issue a
operation without having to hardcode the branch names. The
operation can be invoked instead to retrieve the branch names. The returned branch names can then be
included in a subsequent request.
Sample XML Client Request to Retrieve Native Data
Sample XML Response from the Router
Chapter 5 Cisco XML and Native Data Access Techniques
This chapter describes the various techniques or strategies you can use to structure native data operation
requests to access the information needed within the XML schema object class hierarchy.
Available Set of Native Data Access Techniques
The available native data access techniques are:
• Request all data in the configuration hierarchy. See the “XML Request for All Configuration Data”
section on page 5-68.
• Request all configuration data for a component. See the “XML Request for All Configuration Data
per Component” section on page 5-68.
• Request all data within a container. See the “XML Request for All Data Within a Container” section
on page 5-69.
• Request specific data items. See the “XML Request for Specific Data Items” section on page 5-71.
• Combine object class hierarchies within a request. See the “XML Request with Combined Object
Class Hierarchies” section on page 5-72.
• Use wildcards in order to apply an operation to a set of entries within a table (Match attribute). See
the “XML Request Using Wildcarding (Match Attribute)” section on page 5-75.
• Repeat naming information in order to apply an operation to multiple instances of an object. See the
“XML Request for Specific Object Instances (Repeated Naming Information)” section on
page 5-80.
• Perform a one-level get in order to “list” the naming information for each entry within a table
(Content attribute). See the “XML Request Using Operation Scope (Content Attribute)” section on
page 5-82.
• Specify the maximum number of table entries to be returned in a response (Count attribute). See the
“Limiting the Number of Table Entries Returned (Count Attribute)” section on page 5-83.
• Use custom filters to filter table entries (Filter element). See the “Custom Filtering (Filter Element)”
section on page 5-85.
• Use the Mode attribute. See the “XML Request Using the Mode Attribute” section on page 5-86.
The actual data returned in a request depends on the value of the Source attribute.
Note The term “container” is used in this document as a general reference to any grouping of related data, for
example, all of the configuration data for a particular Border Gateway Protocol (BGP) neighbor. The
term “table” is used more specifically to denote a type of container that holds a list of named
homogeneous objects. For example, the BGP neighbor address table contains a list of neighbor
addresses, each of which is identified by its IP address. All table entries in the XML API are identified
by the unique value of their Naming element.
XML Request for All Configuration Data
Use the empty tag to retrieve the entire configuration object class hierarchy.
This example shows how to get the entire configuration hierarchy by specifying the empty
tag:
Sample XML Client Request to the Entire Configuration Object Class Hierarchy
Sample XML Response from the Router
.
.
.
response data goes here
.
.
.
XML Request for All Configuration Data per Component
All the configuration data for a component is retrieved by specifying the highest level tag for the
component.
In this example, all the configuration data for BGP is retrieved by specifying the empty tag:
Sample XML Client Request for All BGP Configuration Data
Sample XML Response from the Router
.
.
.
response data goes here
.
.
.
XML Request for All Data Within a Container
All data within a container is retrieved by specifying the configuration or operational object class
hierarchy down to the containers of interest, including any naming information as appropriate.
This example shows how to retrieve the configuration for the BGP neighbor with address 10.0.101.6:
Sample XML Client Request to Get All Address Family-Independent Configuration Data Within a BGP Neighbor
Container
0
3
10.0.101.6
Sample XML Response from the Router
0
3
10.0.101.6
0
6
255
false
IPv4Unicast
true
oBGP_pass_all
Both
IPv4Multicast
true
BGP_pass_all
XML Request for Specific Data Items
The value of a specific data item (leaf object) can be retrieved by specifying the configuration or
operational object class hierarchy down to the item of interest, including any naming information as
appropriate.
This example shows how to retrieve the values of the two data items RemoteAS and EBGPMultihop
for the BGP neighbor with address 10.0.101.6:
Sample XML Client Request for Two Specific Data Items: RemoteAS and EBGPMultihop
0
3
10.0.101.6
Sample XML Response from the Router
0
3
10.0.101.6
255
XML Request with Combined Object Class Hierarchies
Multiple object class hierarchies can be specified in a request. For example, a portion of the hierarchy
can be repeated, and multiple instances of a child object class can be included under a parent.
The object class hierarchy may also be compressed into the most “efficient” XML. In other words, it is
not necessary to repeat hierarchies within a request.
Before combining multiple operations inside one tag, these limitations should be noted for
Release 3.0. Any operations that request multiple items of data must be sent in a separate XML request.
They include:
• An operation to retrieve all data beneath a container. For more information, see the “XML Request
for All Data Within a Container” section on page 5-69.
• An operation to retrieve the list of entries in a table. For more information, see the “XML Request
Using Operation Scope (Content Attribute)” section on page 5-82.
• An operation which includes a wildcard. For more information, see the “XML Request Using
Wildcarding (Match Attribute)” section on page 5-75.
If an attempt is made to make such an operation followed by another operation within the same request,
this error is returned:
XML Service Library detected the ‘fatal’ condition. The XML document which led to this
response contained a request for a potentially large amount of data, which could return a
set of iterators. The document also contained further requests for data, but these must be
sent in a separate XML document, in order to ensure that they are serviced.
The error indicates that the operations must be separated out into separate XML requests.
These two examples illustrate two different object class hierarchies that retrieve the same data: the value
of the leaf object and for the BGP neighbor with the address 10.0.101.6
and all of the configuration data for the BGP neighbor with the address 10.0.101.7:
Example 1: Verbose Form of a Request Using Duplicated Object Class Hierarchies
Sample XML Client Request for Specific Configuration Data Values
0
3
10.0.101.6
0
3
10.0.101.7
Sample XML Response from the Router
.
.
.
response data returned here for
neighbor 10.0.101.6
.
.
.
.
.
.
response data returned here
neighbor 10.0.101.7
.
.
.
Example 2: Compact Form of a Request Using Compressed Object Class Hierarchies
Sample XML Client Request
0
3
10.0.101.6
10.0.101.7
Sample XML Response from the Router
.
.
.
response data returned here for both
neighbors
.
.
.
XML Request Using Wildcarding (Match Attribute)
Wildcarding of naming information is provided by means of the Match attribute. Match="*" can be used
on any Naming attribute within a or operation to effectively specify a wildcarded value
for that attribute. The operation applies to all instances of the requested objects.
If no match is found, the response message contains MatchFoundBelow="false" in the class, and
MatchFound="false" in the class that specified Match="*" and for which no match was found. These
attributes are not added (with a value of true) in the response if a match is found.
Note Partial wildcarding of NodeIDs is not available in XML: each element of the NodeID has to be
wildcarded, as on the CLI, where */*/* is the only wildcard supported for locations.
This example shows how to use the Match attribute to get the value for all configured BGP
neighbors:
Sample XML Client Request Using the Match Attribute Wildcarding
0
3
Sample XML Response from the Router
0
3
10.0.101.1
1
10.0.101.2
2
10.0.101.3
3
...
data for more neighbors
returned here
...
This example shows the response message when there is no match found for the request with
wildcarding:
Sample XML Client Request for No Match Found with Wildcarding
3
3
Sample XML Response from the Router
3
3
Regular expression matching of naming information is also provided by means of the Match attribute.
A regular expression in the Match attribute can be used on any Naming attribute within a get operation
to specify a filtering criterion for table entries.
These rules apply to the filtering criterion:
• The character ‘*’ is treated the same as ‘.*’ (it matches anything).
• The metacharacters ‘^’ (beginning of line) and ‘$’ (end of line) are always attached to the regular
expression string specified by the Match attribute, so the expression must match the whole naming value.
• A regular expression string without any metacharacters is treated as an exact match.
Sample Request of the Configured ACL Entries That End With ‘SAA’:
ACL entries that match this request: TCLSAA, 100SAA, SAA
ACL entries that do NOT match this request: TCLSAA1
Sample Request That Returns all of the Configured GigabitEthernet Ports in Slot 5:
act
Interface names that match this request: GigabitEthernet0/5/0/0, GigabitEthernet0/5/0/1, and so
forth.
Interface names that do not match this request: GigabitEthernet0/4/0/0
Sample Request That Returns the Configured Loopback Interfaces Between Loopback100 and Loopback199:
act
Interface names that match this request: Loopback100,…,Loopback199
Interface names that do not match this request: Loopback1000, Loopback1990
Sample Request That Returns Only Loopback1 (if it is configured):
act
Interface names that match this request: Loopback1
Interface names that do not match this request: Loopback10, Loopback100, and so forth
The request above, thus, is equivalent to this request:
act
Loopback1
Limitation: Regular expression matching can only be specified in the first table of an XML request.
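The three rules above can be tried against a table locally before a request is sent. The following Python is an added example written for this page, not code from the Cisco guide or from the IOS XR XML agent: it turns a Match value into the anchored pattern the rules describe and filters a constructed table with it. The Match values used in the demo ("*SAA", "GigabitEthernet0/5/*", "Loopback1[0-9][0-9]", "Loopback1") are my reconstruction of the ones the guide's requests used, chosen to reproduce the match and no-match lists quoted above; the metacharacter set is an assumption, since the guide does not enumerate it.

```python
import re

# Characters that make a Match value a regular expression rather than a plain
# string (third rule above). Assumption: the usual regex metacharacter set;
# the guide does not enumerate it.
_METACHARS = set(r".^$*+?{}[]\|()")


def match_to_pattern(match_value: str) -> "re.Pattern[str]":
    """Build the anchored pattern the agent applies for Match="<value>".

    Rules taken from the section above:
      1. a '*' is treated as '.*' (matches anything);
      2. '^' and '$' are always attached, so the whole name must match;
      3. a value with no metacharacters is an exact match.
    """
    if not (_METACHARS & set(match_value)):
        body = re.escape(match_value)                    # rule 3
    else:
        body = re.sub(r"(?<!\.)\*", ".*", match_value)   # rule 1 ('.*' stays '.*')
    return re.compile("^" + body + "$")                  # rule 2


def filter_entries(match_value: str, names):
    """Return the entries of a table whose naming value satisfies Match="<value>",
    in table order. An empty result is the MatchFound="false" case."""
    pattern = match_to_pattern(match_value)
    return [name for name in names if pattern.match(name)]


# Constructed sample tables. The Match values in demo() are my reconstruction
# of the ones the guide's (stripped) requests used.
ACL_NAMES = ["TCLSAA", "100SAA", "SAA", "TCLSAA1"]
INTERFACES = [
    "GigabitEthernet0/5/0/0", "GigabitEthernet0/5/0/1", "GigabitEthernet0/4/0/0",
    "Loopback1", "Loopback10", "Loopback100", "Loopback199",
    "Loopback1000", "Loopback1990",
]
BGP_NEIGHBORS = ["10.0.101.6", "10x0x101x6"]   # second entry is deliberately odd


def demo():
    cases = [
        ("*SAA", ACL_NAMES),                   # names ending in SAA
        ("GigabitEthernet0/5/*", INTERFACES),  # all GigabitEthernet ports in slot 5
        ("Loopback1[0-9][0-9]", INTERFACES),   # Loopback100 .. Loopback199
        ("Loopback1", INTERFACES),             # exact match only
        ("10.0.101.6", BGP_NEIGHBORS),         # '.' is a metacharacter: not exact
        (r"10\.0\.101\.6", BGP_NEIGHBORS),     # escaped dots: exact
    ]
    return {value: filter_entries(value, table) for value, table in cases}


if __name__ == "__main__":
    for value, hits in demo().items():
        print(f'Match="{value}" -> {hits}')
```

The last two cases are the caveat a practitioner should keep in mind: a dotted value such as a neighbor address contains the '.' metacharacter, so under the stated rules it is treated as a regular expression and matches any character in those positions. Escape the dots, or put the address in the Naming element itself, when an exact entry is meant.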
XML Request for Specific Object Instances (Repeated Naming Information)
Wildcarding allows the client application to effectively specify all instances of a particular object.
Similarly, the client application might have a need to specify only a limited set of instances of an object.
Specifying object instances can be done by simply repeating the naming information in the request.
This example shows how to retrieve the address independent configuration for three different BGP
neighbors; that is, the neighbors with addresses 10.0.101.1, 10.0.101.6, and 10.0.101.8, by repeating the
naming information, once for each desired instance:
Sample XML Client Request Using Repeated Naming Information for BGP Instances
0
3
10.0.101.1
10.0.101.6
10.0.101.8
Sample XML Response from the Router
0
3
10.0.101.1
...
data returned for 1st neighbor
...
10.0.101.6
...
data returned for 2nd neighbor
...
10.0.101.8
...
data returned for 3rd neighbor
...
XML Request Using Operation Scope (Content Attribute)
The Content attribute is used on any table element in order to specify the scope of a get operation.
Table 5-1 describes the Content attribute values that are supported.
If the Content attribute is specified on a nontable element, it is ignored. Also, note that the Content and
Count attributes can be used together on the same table element.
Table 5-1 Content Attributes
Content Attribute: Description
All: Used to get all leaf items and their values. All is the default when the Content attribute is not
specified on a table element.
Entries: Used to get the Naming information for each entry within a specified table object class.
Entries provides a one-level get capability.
This example displays the Content attribute that is used to list all configured BGP neighbors:
Sample XML Client Request Using the All Content Attribute
0
3
Sample XML Response from the Router
0
3
10.0.101.1
10.0.101.2
10.0.101.3
10.0.101.4
...
more neighbors returned here
...
Limiting the Number of Table Entries Returned (Count Attribute)
The Count attribute is used on any table element within a get operation to specify the maximum
number of table entries to be returned in a response. When the Count attribute is specified, the naming
information within the request is used to identify the starting point within the table, that is, the first table
entry of interest. If no naming information is specified, the response starts at the beginning of the table.
For a table whose entries are containers, the Count attribute can be used only if the Content attribute is
also specified with a value of Entries. This restriction does not apply to a table whose children are leaf
nodes.
As an alternative to the use of the Count attribute, the XML interface supports the retrieval of large XML
responses in blocks through iterators.
This example shows how to use the Count attribute to retrieve the configuration information for the first
five BGP neighbors starting with the address 10.0.101.1:
Sample XML Client Request Using the Count Attribute
0
3
10.0.101.1
Sample XML Response from the Router
0
3
10.0.101.1
10.0.101.2
...
data returned for remaining
neighbors here
...
Custom Filtering (Filter Element)
Some of the tables from the operational namespace support the selection of rows of interest based on
predefined filtering criteria. Filters can be applied to such tables in order to reduce the number of table
entries retrieved in a request.
Client applications specify filtering criteria for such tables by using the Filter tag and including the
filter-specific parameters as defined in the XML schema definition for that table. If no table entries
match the specified filter criteria, the response contains the object class hierarchy down to the specified
table, but does not include any table entries. The Content attribute can be used with a filter to specify
the scope of a request.
In this example, the filter is used to retrieve operational information for all neighbors
in autonomous system 6:
Sample XML Client Request Using Filtering
one
6
Sample Filtered XML Response from the Router
one
6
...
data for 1st neighbor returned here
...
...
data for 2nd neighbor returned here
...
...
data for remaining neighbors
returned here
...
XML Request Using the Mode Attribute
The client application modifies the target configuration as needed using the configuring operations (Set
and Delete). The XML interface supports the combining of several operations into a single request. When
multiple configuring operations are specified in a single request, they are performed on a “best effort”
basis by default. For example, if configuring operations 1 through 3 are in the request and operation 2
fails, operation 3 is still attempted and the result of operation 1 remains in the target configuration.
To perform the request on an atomic basis, use the Mode attribute with the value Atomic in the
request. If any errors occur, the target configuration is cleared and the errors are returned to the client
application.
Sample XML Client Request with the Attribute Mode=”Atomic”
20
Sample XML Response from the Router
Sample XML Client Request with an Invalid Set Operation (Best-Effort)
20
<--- This is an invalid XML set operation
Sample XML Response from the Router
Note This request is performed on a best effort basis. The SNMP timeout configuration has no error and is
committed.
Sample XML Request and Response of Commit Change for ForCommitID="1000000443"
20
Sample XML Client Request with the Attribute Mode=”Atomic” and with an Invalid Set Operation
20
<--- This is an invalid XML set operation
Sample XML Response from the Router
Note The target configuration buffer is cleared and no configuration is committed.
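The difference between the two modes is easiest to see on a small model. The Python below is an added example written for this page, not code from the Cisco guide: it applies a list of configuring operations to a simulated target buffer under the default best-effort mode and under Mode="Atomic", and shows where the Mode attribute is placed when the request is serialised. The operation paths (SNMP/Timeouts/Threshold and so on), the Request/Set/Configuration element names, and putting Mode on the Request element are assumptions made for illustration; the router side is simulated, nothing here talks to a real XML agent.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class ConfigOp:
    path: str            # hypothetical leaf path, e.g. "SNMP/Timeouts/Threshold"
    value: str
    valid: bool = True   # False stands in for a set operation the router rejects


@dataclass
class Outcome:
    target: dict = field(default_factory=dict)   # the target configuration buffer
    errors: list = field(default_factory=list)


def apply_request(ops, mode="BestEffort"):
    """Apply configuring operations in order, as the section above describes.

    Best effort (the default): a failing operation is reported, the operations
    before it stay in the target buffer and the ones after it are still attempted.
    Atomic: the first error clears the target buffer and nothing is kept.
    """
    out = Outcome()
    for n, op in enumerate(ops, start=1):
        if not op.valid:
            out.errors.append(f"operation {n} ({op.path}): invalid set operation")
            if mode == "Atomic":
                out.target.clear()    # whole buffer discarded, errors returned
                break
            continue                  # best effort: keep going
        out.target[op.path] = op.value
    return out


def build_request(ops, mode=None):
    """Serialise the operations as one request document.

    The Request/Set/Configuration element names, and putting Mode on Request,
    are assumptions about the schema; the guide only says 'in the request'.
    """
    req = ET.Element("Request", {"Mode": mode} if mode else {})
    cfg = ET.SubElement(ET.SubElement(req, "Set"), "Configuration")
    for op in ops:
        node = cfg
        for part in op.path.split("/"):
            node = ET.SubElement(node, part)
        node.text = op.value
    return ET.tostring(req, encoding="unicode")


# Constructed request: the SNMP timeout of 20 from the guide's example, a
# deliberately invalid operation, and a third (hypothetical) valid one.
OPS = [
    ConfigOp("SNMP/Timeouts/Threshold", "20"),
    ConfigOp("BGP/NoSuchLeaf", "1", valid=False),
    ConfigOp("SNMP/Community", "ro-monitor"),
]


def demo():
    return {
        "BestEffort": apply_request(OPS),
        "Atomic": apply_request(OPS, mode="Atomic"),
    }


if __name__ == "__main__":
    print(build_request(OPS, mode="Atomic"))
    for mode, out in demo().items():
        print(mode, "kept:", out.target, "errors:", out.errors)
```

Under best effort the buffer ends up holding operations 1 and 3 with one error reported; under Atomic the same request leaves the buffer empty. A client that sends several dependent operations at once (a policy and the neighbor that references it, for instance) should use Atomic so that a half-applied set never reaches a commit.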

Chapter 6 Cisco XML and Encapsulated CLI Operations
XML interface for the router provides support for XML encapsulated CLI commands and responses.
This chapter provides information on XML CLI command tags.
XML CLI Command Tags
A client application can request a CLI command by encoding the text for the command within a pair of
start and end tags, tags, and tags. The router responds with
the uninterpreted CLI text result.
Note XML encapsulated CLI commands use the same target configuration as the corresponding XML
operations , , and .
When used for CLI operations, the tag supports the optional Operation attribute, which
can take one of the values listed in Table 6-1.
Table 6-1 Operation Attribute Values
Apply: Specifies that the commands should be executed or applied (default).
Help: Gets help on the last command in the list of commands sent in the request. There must not be any
empty lines after the last command (because the last command is considered to be the one on the last line).
CommandCompletion: Completes the last keyword of the last command. Apart from not allowing empty lines
at the end of the list of commands sent in the request, when this option is used, there must not be any
white space after the partial keyword to be completed.
This example uses the operation tag:
Sample XML Client Request for CLI Command Using CLI Tags
router bgp 3
default-metric 10
timers bgp 80 160
exit
commit
sh config commit changes last 1
Sample XML Response from the Router
Building configuration...
router bgp 3
timers bgp 80 160
default-metric 10
end
CLI Command Limitations
The CLI commands supported through XML are limited to configuration commands and EXEC mode
show commands (and their responses) wrapped in the CLI tags.
These commands and conditions are not supported:
• The do configuration mode command.
• EXEC mode commands other than show commands except for these items:
– show history
– show user
– show users
– show terminal
• Administration EXEC mode commands
• Iterators for responses to commands issued through XML. For example, iterators are not
supported for the output of the show run and show configuration commands.
• Sending a request in format and getting back an XML encoded response.
• Sending an XML encoded request and getting back a response in format.
• Only one XML request can be issued at a time across all client sessions on the router.

Chapter 7 Cisco XML and Large Data Retrieval
XML for the router supports the retrieval of large XML responses in blocks (for example, chunks or
sections).
These sections provide information about large data retrieval:
• Iterators, page 7-93
• Throttling, page 7-98
• Streaming, page 7-99
Iterators
When a client application makes a request, the resulting response data size is checked to determine
whether it is larger than a predetermined block size.
If the response data is not larger than the predetermined block size, the complete data is returned in a
normal response.
If the response data is larger than the block size, the first set of data is returned according to the block
size along with a decremented iterator ID included as the value of the IteratorID attribute. The client
must then send requests including the iterator ID until all data is retrieved. The client
application knows that all data is retrieved when it receives a response that does not contain an IteratorID
attribute.
Usage Guidelines
These points should be noted by the client application when iterators are used:
• The block size is a configurable value specific to each transport mechanism on the router; that is,
the XML agent for the dedicated TCP connection and Secure Shell (SSH), Telnet, or Secure Sockets
Layer (SSL) dedicated TCP connection.
Use this command to configure the iteration size:
xml agent [tty | ssl] iteration on size <1-100000>
Specify the iteration size in KB. The default is 48 KB.
Note The iteration command includes the option to turn off the XML response iterator. However,
we do not recommend turning off the iterator because of the large memory usage that occurs
temporarily.
• The block size refers to the entire XML response, not just the payload portion of the response.
• Large responses are divided based on the requested block size, not the contents. However, each
response is always a complete XML document.
• Requests containing multiple operations are treated as a single entity when the block size and
IteratorID are applied. As a result, the IteratorID is an attribute of the tag, never of an
individual operation.
• If the client application sends a request that includes an operation resulting in the need for an iterator
to return all the response data, any further operations contained within that request are rejected. The
rejected operations must be resent in another request.
• The IteratorID is an unsigned 32-bit value that should be treated as opaque data by the client
application. Furthermore, the client application should not assume that the IteratorID is constant
between operations.
To reduce memory overhead and avoid memory starvation of the router, these limitations are placed on
the number of allowed iterators:
• The maximum number of iterators allowed at any one time on a given client session is 10.
• The maximum number of iterators allowed at any one time for all client sessions is 100.
If a request is issued that results in an iterated response, it is counted as one iterator,
regardless of the number of operations required to retrieve all of the response data.
For example, a request may require 10, 100, or more operations to retrieve all the
associated data, but during this process only one iterator is being used.
Also, an iterator is considered to be in use until all of the response data associated with that iterator
(the original request) is retrieved or the iterator is terminated with the Abort attribute.
Examples Using Iterators to Retrieve Data
This example shows a client request that utilizes an iterator to retrieve all global Border Gateway
Protocol (BGP) configuration data for a specified autonomous system:
Sample XML Client Request to Retrieve All BGP Configuration Data
0
3
Sample XML Response from the Router Containing the First Block of Retrieved Data
0
3
...
1st block of data returned here
...
Second XML Client Request Using the Iterator to Retrieve the Next Block of BGP Configuration Data
Sample XML Response from the Router Containing the Second Block of Retrieved Data
0
3
Third XML Client Request Using the Iterator to Retrieve the Next Block of BGP Configuration Data
Sample XML Response from the Router Containing Third Block of Retrieved Data
0
3
...
3rd block of data returned here
...
Final XML Client Request Using the Iterator to Retrieve the Last Block of BGP Configuration Data
Final XML Response from the Router Containing the Final Block of Retrieved Data
0
3
...
Final block of data returned here
...
Large Response Division
The default behavior for large response division is that large responses are divided based on the
requested block size.
To specify a different basis for the division, use the IterateAtFirstTableGet attribute in the tag.
Sample XML Request with attribute IterateAtFirstTable
Terminating an Iterator
A client application may terminate an iterator without retrieving all of the response data by including an
Abort attribute with a value of “true” on the operation. A client application that does not
complete or terminate its requests risks running out of iterators.
This example shows a client request using the Abort attribute to terminate an iterator:
Sample XML Request
0
3
Sample XML Response from the Router
0
3
...
1st block of data returned here
...
Sample XML Request Using the Abort Attribute to Terminate an Iterator
Sample XML Response from the Router
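A client that follows the usage guidelines above needs a loop that drains IteratorID responses and releases any iterator it does not intend to finish. The Python below is an added example written for this page, not code from the Cisco guide: it pairs such a client with a simulated XML agent that splits a constructed response on block size regardless of content, attaches IteratorID to the response document, honours GetNext and Abort, and enforces the ten-iterators-per-session limit. The Response element name, the numeric IteratorID values and the neighbor text are assumptions, and the agent class is a stand-in that models only what the text states, not the router's actual behaviour.

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed 'large' response: a few hundred neighbor entries, well over the
# block size used below, so the simulated agent must iterate.
RESPONSES = {
    "bgp-config": "".join(f"neighbor 10.0.{i // 256}.{i % 256};" for i in range(300)),
}


class SimulatedXmlAgent:
    """Stand-in for the router's XML agent. It only models what the guidelines
    above state: splitting on block size regardless of content, IteratorID on
    the response, GetNext with Abort, and the per-session iterator limit."""

    MAX_ITERATORS_PER_SESSION = 10

    def __init__(self, block_size, responses=RESPONSES):
        self.block_size = block_size
        self.responses = responses
        self._pending = {}                 # IteratorID -> data not yet sent
        self._ids = itertools.count(3000)  # opaque; a fresh ID for every block

    def _block(self, data):
        """Return one complete XML document carrying the next block of data."""
        doc = ET.Element("Response")       # element name is an assumption
        doc.text = data[: self.block_size]
        rest = data[self.block_size:]
        if rest:
            if len(self._pending) >= self.MAX_ITERATORS_PER_SESSION:
                raise RuntimeError("iterator limit reached for this session")
            iterator_id = next(self._ids)
            self._pending[iterator_id] = rest
            doc.set("IteratorID", str(iterator_id))
        return ET.tostring(doc, encoding="unicode")

    def request(self, name):
        return self._block(self.responses[name])

    def get_next(self, iterator_id, abort=False):
        rest = self._pending.pop(iterator_id)  # KeyError if unknown or finished
        if abort:
            return ET.tostring(ET.Element("Response"), encoding="unicode")
        return self._block(rest)

    def active_iterators(self):
        return len(self._pending)


def fetch_all(agent, name, max_blocks=10_000):
    """Issue the request, then follow IteratorID with GetNext until a response
    arrives without the attribute. max_blocks bounds a misbehaving agent."""
    parts = []
    doc = ET.fromstring(agent.request(name))
    for _ in range(max_blocks):
        parts.append(doc.text or "")
        iterator_id = doc.get("IteratorID")
        if iterator_id is None:
            return "".join(parts)
        doc = ET.fromstring(agent.get_next(int(iterator_id)))
    raise RuntimeError("gave up: the agent kept returning an IteratorID")


def first_block_then_abort(agent, name):
    """Take one block and release the iterator with Abort="true" so the
    session does not run out of iterators."""
    doc = ET.fromstring(agent.request(name))
    iterator_id = doc.get("IteratorID")
    if iterator_id is not None:
        agent.get_next(int(iterator_id), abort=True)
    return doc.text or ""


if __name__ == "__main__":
    agent = SimulatedXmlAgent(block_size=256)
    data = fetch_all(agent, "bgp-config")
    print(len(data), "bytes reassembled,", agent.active_iterators(), "iterators left open")
```

Two design points carry over to a real client: the loop treats the IteratorID as opaque and reads it fresh from every response rather than reusing the first one, and every code path that stops early sends Abort, because an iterator left open counts against the session limit of 10 until it is drained or aborted.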
Throttling
XML response data could be large resulting in high CPU utilization or high memory usage when
constructing the XML response. Throttling mechanisms in the XML agent provide a means for external
users or an NMS to control the impact to the system.
CPU Throttle Mechanism
The CPU throttle mechanism in the XML agent controls the number of tags to process per second. The
higher the number of tags specified, the higher the CPU utilization and the faster the response; a lower
number of tags means less CPU utilization and a slower response.
To configure the number of tags, use this command:
xml agent [tty | ssl] throttle process-rate <1000-30000>
Memory Throttle Mechanism
The memory throttle mechanism in the XML agent controls the maximum XML response size in MB. If
this size is exceeded, an error message is returned in the XML response.
To configure the size of the memory usage per session, use this command:
xml agent [tty | ssl] throttle memory <100-600>
The default is 300 MB.
Streaming
As the XML agent retrieves the data from the source, the output of a response is streamed. This process
is similar to iterators, but the XML client does not have to issue GetNext requests with an IteratorID to
handle a large response.
Usage Guidelines
Use these guidelines when streaming is used by the client application:
• Iteration must be off.
xml agent [tty | ssl] iteration off
• The sub-response block size is a configurable value specific to each transport mechanism on the
router: the XML agent for the dedicated TCP connection and Secure Shell (SSH), Telnet, or Secure
Sockets Layer (SSL) dedicated TCP connection.
Use this command to configure the streaming size. Specify the streaming size in KB. The default is
48 KB.
xml agent [tty | ssl] streaming on size <1-100000>

Chapter 8 Cisco XML Security
Specific security privileges are required for a client application requesting information from the router.
This chapter contains these sections:
• Authentication, page 8-101
• Authorization, page 8-101
• Retrieving Task Permissions, page 8-102
• Task Privileges, page 8-102
• Task Names, page 8-103
• Authorization Failure, page 8-104
• Management Plane Protection, page 8-104
• VRF, page 8-105
• Access Control List, page 8-105
Authentication
User authentication through authentication, authorization, and accounting (AAA) is handled on the
router by the transport-specific XML agent and is not exposed through the XML interface.
Authorization
Every operation request by a client application is authorized. If the client is not authorized to perform an
operation, the operation is not performed by the router and an error is returned.
Authorization of client requests is handled through the standard AAA “task permissions” mechanism.
The XML agent caches the AAA user credentials obtained from the user authentication process, and then
each client provides these to the XML infrastructure on the router. As a result, no AAA information
needs to be passed in the XML request from the client application.
Each object class in the schema has a task ID associated with it. A client application’s capabilities and
privileges in terms of task IDs are exposed by AAA through a show command. A client application can
use the XML interface to retrieve the capabilities prior to sending configuration requests to the router.
A client application requesting an operation through the XML interface must have the appropriate task
privileges enabled or assigned for any objects accessed in the operation:
• operations require AAA “read” privileges.
• and operations require AAA “write” privileges.
The “configuration services” operations through configuration manager can also require the appropriate
predefined task privileges.
If an operation requested by a client application fails authorization, an appropriate element is
returned in the response sent to the client. For “native data” operations, the element is associated
with the specific element or object classes where the authorization error occurred.
Retrieving Task Permissions
A client application’s capabilities and privileges in terms of task permissions are exposed by AAA
through CLI show commands. A client application can also use the XML interface to programmatically
retrieve the current AAA capabilities from the router. This retrieval can be done by issuing the
appropriate request to the AAA component.
This example shows a request to retrieve all of the AAA configuration from the router:
Sample XML Request to Retrieve AAA Configuration Information
Sample XML Response from the Router
.
.
.
AAA configuration returned here
.
.
.
Task Privileges
A client application requesting a native data operation through the XML interface must have the
appropriate task privileges enabled or assigned for any items accessed in the operation:
• , , and operations require AAA “read” privileges.
• and operations require AAA “write” privileges.
The “configuration services” operations through the configuration manager can also require the
appropriate predefined task privileges.
Task Names
Each object (that is, data item or table) exposed through the XML interface and accessible to the client
application has one or more task names associated with it. The task names are published in the XML
schema documents as annotations.
For example, the complex type definition for the top-level element in the Border Gateway Protocol
(BGP) configuration schema contains this annotation:
Container
18
0
bgp
native_data_operations
Configuration
Here is another example from a different component schema. This annotation includes a list of task
names.
1
0
ouni
mpls-te
Task names indicate what permissions are required to access the data below the object. In the example,
the task names ouni and mpls-te are specified for the object. The task names apply to the object and are
inherited by all the descendants of the object in the schema. In other words, the task names that apply to
a particular object are the task names specified for the object and the task names of all ancestors for
which there is a task name specified in the schema.
The TaskGrouping attribute specifies the logical relationship among the task names when multiple task
names are specified for a particular object. For example, for a client application to issue a request
for the object containing the preceding annotation, the corresponding AAA user credentials must have
read permissions set for both the ouni and mpls-te tasks (and any tasks inherited by the object). The
possible values for the TaskGrouping attribute are And, Or, and Single. The value Single is used when
there is only a single task name specified for the object.
Authorization Failure
If an operation requested by a client application fails authorization, an appropriate element is
returned in the response sent to the client. For “native data” operations, the element is associated
with the specific element or object where the authorization error occurred.
If a client application issues a request to retrieve all data below a container object, and if any
subsections of that data require permissions that the user does not have, then an error is not returned.
Instead, the subsection of data is not included in the response.
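As an added example (not code from this guide or from Cisco), the following Python models how task names, TaskGrouping and inheritance from ancestors combine to authorize a request, and how a retrieval below a container silently leaves out subsections the user cannot read; the operation names Get, GetNext, Set and Delete and the schema fragment are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SchemaObject:
    """One object (data item or table) with the task-name annotation the guide
    describes: zero or more task names plus a TaskGrouping of And, Or or Single."""
    name: str
    task_names: List[str] = field(default_factory=list)
    task_grouping: str = "Single"
    children: Dict[str, "SchemaObject"] = field(default_factory=dict)

    def add(self, child: "SchemaObject") -> "SchemaObject":
        self.children[child.name] = child
        return child


# Privilege each operation needs: retrieval operations need AAA "read",
# modification operations need AAA "write". The operation names are assumed.
PRIVILEGE_FOR_OPERATION = {"Get": "read", "GetNext": "read",
                           "Set": "write", "Delete": "write"}


def grouping_satisfied(obj: SchemaObject, granted: Set[str]) -> bool:
    """Evaluate one object's own annotation against the granted task names.
    An object without an annotation imposes nothing of its own."""
    if not obj.task_names:
        return True
    if obj.task_grouping == "Or":
        return any(t in granted for t in obj.task_names)
    if obj.task_grouping in ("And", "Single"):
        return all(t in granted for t in obj.task_names)
    raise ValueError(f"unknown TaskGrouping {obj.task_grouping!r}")


def objects_on_path(root: SchemaObject, path: List[str]) -> List[SchemaObject]:
    """Root plus every object down to the target; a KeyError here means the
    request names an object that does not exist in the schema."""
    objs = [root]
    for name in path:
        objs.append(objs[-1].children[name])
    return objs


def authorized(root: SchemaObject, path: List[str], operation: str,
               perms: Dict[str, Set[str]]) -> bool:
    """True when the permissions for the privilege the operation needs satisfy
    the annotation of the target and of every ancestor (task names are inherited)."""
    granted = perms.get(PRIVILEGE_FOR_OPERATION[operation], set())
    return all(grouping_satisfied(o, granted) for o in objects_on_path(root, path))


def visible_subtree(root: SchemaObject, perms: Dict[str, Set[str]]) -> Optional[dict]:
    """Model of retrieving everything below a container: subsections the user
    may not read are left out of the result rather than reported as errors."""
    granted = perms.get("read", set())

    def walk(obj: SchemaObject) -> Optional[dict]:
        if not grouping_satisfied(obj, granted):
            return None
        kept = {}
        for name, child in obj.children.items():
            sub = walk(child)
            if sub is not None:
                kept[name] = sub
        return kept

    return walk(root)


def build_sample_schema() -> SchemaObject:
    """Constructed schema fragment modelled on the guide's annotations."""
    root = SchemaObject("Configuration")
    bgp = root.add(SchemaObject("BGP", ["bgp"], "Single"))
    bgp.add(SchemaObject("Global"))                        # inherits "bgp"
    ouni = root.add(SchemaObject("OUNI", ["ouni", "mpls-te"], "And"))
    ouni.add(SchemaObject("Controllers"))                  # inherits both names
    root.add(SchemaObject("Monitoring", ["ouni", "monitor"], "Or"))
    return root


if __name__ == "__main__":
    schema = build_sample_schema()
    user = {"read": {"bgp", "ouni"}, "write": {"bgp"}}
    print(authorized(schema, ["OUNI", "Controllers"], "Get", user))  # False
    print(visible_subtree(schema, user))  # {'BGP': {'Global': {}}, 'Monitoring': {}}
```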
Management Plane Protection
Management Plane Protection (MPP) provides a mechanism for securing management traffic on the
router. Without MPP, a management service’s traffic can come through any interface with a network
address, which could be a security risk.
MPP is effective when XML is configured.
Inband Traffic
To configure the MPP for inband traffic, use the command in this example:
RP/0/0/CPU0:router(config)#control-plane management-plane inband interface [interface
type] allow [protocol|all]
where the protocol is XML.
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$Ethernet 0/0/0/0 allow XML ?
peer Configure peer address on this interface
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$Ethernet 0/0/0/0 allow XML peer ?
address Configure peer address on this interface
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$Ethernet 0/0/0/0 allow XML peer address ?
ipv4 Configure peer IPv4 address on this interface
ipv6 Configure peer IPv6 address on this interface
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$Ethernet 0/0/0/0 allow XML peer address
Out-of-Band Traffic
To configure the MPP for out-of-band traffic, use the command in this example:
RP/0/0/CPU0:router(config)#control-plane management-plane out-of-band interface
[interface type] allow [protocol|all]
where the protocol is XML.
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$gabitEthernet 0/0/0/1 allow XML ?
peer Configure peer address on this interface
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$gabitEthernet 0/0/0/1 allow XML peer ?
address Configure peer address on this interface
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$ XML peer address ?
ipv4 Configure peer IPv4 address on this interface
ipv6 Configure peer IPv6 address on this interface
RP/0/RSP0/CPU0:PE44_ASR-9010(config)#$ XML peer address
VRF
XML agents can be configured to be virtual route forwarding (VRF) aware.
• To configure the dedicated agent [ssl] to receive or send messages through VRF, use this command:
RP/0/0/CPU0:router(config)#xml agent [ssl] vrf
• To configure the dedicated [ssl] agent NOT to receive or send messages through the default VRF,
use this command:
RP/0/0/CPU0:Router(config)#xml agent [ssl] vrf default shutdown
Access Control List
To configure an access control list (ACL) for XML agents, use this command:
RP/0/0/CPU0:router(config)#xml agent [ssl] vrf access-list
IPv6 Access List Example
xml agent [ssl]
vrf
ipv6 access-list
IPv4 and IPv6 Access Lists Example
xml agent [ssl]
vrf
ipv4 access-list
ipv6 access-list
!
!
Note This method to configure an IPv4 access-list is still supported (for backward compatibility) but
hidden from CLI help.
xml agent [ssl]
vrf
access-list
!
!
Chapter 9 Cisco XML Schema Versioning
Before the router can carry out a client application request, it must verify version compatibility between
the client request and router component versions.
Major and minor version numbers are included on the and elements to indicate
the overall XML application programming interface (API) version in use by the client application and
router. In addition, each component XML schema exposed through the XML API has a major and minor
version number associated with it.
This chapter describes the format of the version information exchanged between the client application
and the router, and how the router uses this information at run time to check version compatibility.
This chapter contains these sections:
• Major and Minor Version Numbers
• Run-Time Use of Version Information
• Retrieving Version Information
• Retrieving Schema Detail
Major and Minor Version Numbers
The top-level or root object (that is, element) in each component XML schema carries the major and
minor version numbers for that schema. A minor version change is defined as an addition to the XML
schema. All other changes, including deletions and semantic changes, are considered major version
changes.
The version numbers are documented in the header comment contained in the XML schema file. They
are also available as annotations included as part of the complex type definition for the
top-level schema element. This enables you to programmatically extract the version numbers from the
XML schema file to include in XML request instances sent to the router. The version numbers are carried
in the XML instances using the MajorVersion and MinorVersion attributes.
This example shows the relevant portion of the complex type definition for an element that carries
version information:
BGP Configuration Commands
Container
24
0
bgp
native_data_operations
Configuration
...
The attribute group VersionAttributeGroup is defined as:
Common version information attributes
Run-Time Use of Version Information
Each XML request must contain the major and minor version numbers of the client at the appropriate
locations in the XML. These version numbers are compared to the version numbers running on the
router.
The behavior of the router, whether the request is accepted or rejected, depends on the value set for the
AllowVersionMismatch attribute.
All requests are accepted when the AllowVersionMismatch attribute is set as TRUE. The request is then
accepted or rejected based on these rules when the AllowVersionMismatch attribute is set as FALSE:
• If there is a major version discrepancy, then the request fails.
• If there is a minor version lag, that is, the client minor version is behind that of the router, then the
request is attempted.
• If there is a minor version creep, that is, the client minor version is ahead of that of the router, then
the request fails.
• If the version information has not been included in the request, then the request fails.
• The default value is used when the request does not specify the AllowVersionMismatch attribute.
The default value is currently set as TRUE.
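An added example (not Cisco's code) that applies the rules above to a constructed request, reading the MajorVersion, MinorVersion and AllowVersionMismatch attributes with the standard library; the element layout (Request/Get/Configuration/BGP), the placement of AllowVersionMismatch on the component element and the version numbers are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int]  # (MajorVersion, MinorVersion)


@dataclass(frozen=True)
class Verdict:
    attempted: bool            # True: the router attempts the request; False: it fails
    reason: str
    mismatch_attribute: bool   # True: VersionMismatchExists is returned in the response


def check_version(client: Optional[Version], router: Version,
                  allow_mismatch: Optional[bool] = None) -> Verdict:
    """Run-time rules from the guide. AllowVersionMismatch defaults to TRUE, under
    which every request is attempted; under FALSE only a minor lag is attempted,
    while a major discrepancy, a minor creep or absent version information fails."""
    if allow_mismatch is None:
        allow_mismatch = True
    if client is None:
        reason = "version information not included"
    elif client[0] != router[0]:
        reason = "major version discrepancy"
    elif client[1] < router[1]:
        reason = "minor version lag"
    elif client[1] > router[1]:
        reason = "minor version creep"
    else:
        return Verdict(True, "versions match", False)
    if allow_mismatch:
        # Attempted; VersionMismatchExists is reported when versions were supplied.
        return Verdict(True, reason + " (attempted)", client is not None)
    if reason == "minor version lag":
        # Lag is tolerated even when mismatches are disallowed; no mismatch attribute is returned.
        return Verdict(True, reason + " (attempted, no mismatch attribute)", False)
    return Verdict(False, reason + " (request fails)", False)


def parse_bool(value: Optional[str]) -> Optional[bool]:
    """XML boolean attribute: absent -> None, otherwise case-insensitive 'true'."""
    if value is None:
        return None
    return value.strip().lower() == "true"


def version_of(element: ET.Element) -> Optional[Version]:
    major, minor = element.get("MajorVersion"), element.get("MinorVersion")
    if major is None or minor is None:
        return None
    return int(major), int(minor)


def check_request(xml_text: str, component_tag: str, router: Version) -> Verdict:
    """Locate the component element in a request, read its version attributes and
    AllowVersionMismatch, and judge it against the version the router runs."""
    root = ET.fromstring(xml_text)
    component = root.find(f".//{component_tag}")
    if component is None:
        raise ValueError(f"{component_tag} not present in request")
    return check_version(version_of(component), router,
                         parse_bool(component.get("AllowVersionMismatch")))


# Constructed request: client schema version 1.2 for BGP, mismatches disallowed.
SAMPLE_REQUEST = """<Request MajorVersion="1" MinorVersion="0">
  <Get>
    <Configuration>
      <BGP MajorVersion="1" MinorVersion="2" AllowVersionMismatch="false"/>
    </Configuration>
  </Get>
</Request>"""

if __name__ == "__main__":
    # Router runs hypothetical BGP schema version 1.3: a minor lag, so attempted.
    print(check_request(SAMPLE_REQUEST, "BGP", (1, 3)))
```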
Each XML response can also contain the version numbers at the appropriate locations in the XML.
Note If the client minor version is behind that of the router, then the response may contain elements that are
not recognized by the client application. The client application must be able to handle these additional
elements.
Placement of Version Information
This example shows the placement of the MajorVersion and MinorVersion attributes within a client
request to retrieve the global BGP configuration data for a specified autonomous system:
Sample Client Request Showing Placement of Version Information
0
3
Sample XML Response from the Router
0
3
...
data returned here
...
Version Lag with the AllowVersionMismatch Attribute Set as TRUE
The example shows a request and response with a version mismatch. In this case, because the
AllowVersionMismatch attribute is set as TRUE, the request is attempted. This is also the default
behavior when AllowVersionMismatch attribute is not specified in the request. The router attempts the
request and if the request is successful returns a VersionMismatchExists attribute at the appropriate
point within the response along with a VersionMismatchExistsBelow attribute on the operation
tag.
Note The version number, which is returned in the response, is the version running on the router. The versions
in this example are hypothetical.
Sample XML Client Request with a Version Mismatch
0
3
Sample XML Response from the Router
VersionMismatchExists="true">
0
3
...
data returned here
...
Version Lag with the AllowVersionMismatch Attribute Set as FALSE
The example shows a request and response with a version mismatch, but the request specifies the
AllowVersionMismatch attribute as FALSE.
In this case, the client minor version is behind the router, so the request is still attempted, but
VersionMismatchExists and VersionMismatchExistsBelow attributes are not returned in the response.
Note The version number returned in the response is the version number running on the router. The versions
in this example are hypothetical.
Sample XML Client Request with the AllowVersionMismatch Attribute Set as False
0
3
Sample XML Response from the Router
0
3
...
data returned here
...
Version Creep with the AllowVersionMismatch Attribute Set as TRUE
The example shows a request and response with a version mismatch. In this case, the client specifies the
AllowVersionMismatch attribute set as TRUE, so the request is attempted.
Note The version number returned in the response is the version number running on the router. The versions
in this example are hypothetical.
Sample XML Request with an AllowVersion Mismatch Attribute Set as TRUE
0
3
Sample XML Response from the Router
VersionMismatchExists="true">
0
3
...
data returned here
...
Version Creep with the AllowVersionMismatch Attribute Set as FALSE
The example shows a request and response with a version mismatch. In this case, the client minor
version is ahead of the router minor version, which results in an error response.
Sample XML Request with an AllowVersion Mismatch Attribute Set as FALSE
Sample XML Response from the Router
ErrorMsg="'XML Service Library' detected the 'warning'
condition 'An error was encountered in the XML beneath this operation
tag'" >
Retrieving Version Information
The version of the XML schemas running on the router can be retrieved using the tag
followed by the appropriate tags identifying the names of the desired components.
In this example, the tag is used to retrieve the major and minor version numbers for
the BGP component configuration schema:
Sample XML Request to Retrieve Major and Minor Version Numbers
Sample XML Response from the Router
This example shows how to retrieve the version information for all configuration schemas available on
the router:
Sample XML Request to Retrieve Version Information for All Configuration Schemas
Sample XML Response from the Router
...
Retrieving Schema Detail
The SchemaDetail boolean attribute can now be specified on the operation to instruct
the router to return additional schema detail in the response. If the SchemaDetail attribute is specified
in the request, each schema entity in the response contains three additional boolean
attributes listed in Table 9-1.
This example shows a request and response with the SchemaDetail attribute:
Sample XML Client Request for Schema Detail
Sample XML Response from the Router
...
Table 9-1 Content Attributes
Content Attribute   Description
ContainsNaming      Indicates whether or not the schema entity contains naming information.
Getable             Indicates whether or not operations are supported for this schema.
Setable             Indicates whether or not operations are supported for this schema.
Chapter 10 Alarms
The Cisco IOS XR XML API supports the registration and receipt of notifications; for example,
asynchronous responses such as alarms, over any transport. The system supports alarms and event
notifications over XML/SSH.
An asynchronous registration request is followed by a synchronous response and any number of
asynchronous responses. If a client wants to stop receiving a particular set of asynchronous responses at
a later stage, the client sends a deregistration request.
One type of notification that is supported by the Cisco IOS XR XML API is alarms; for example, syslog
messages. The alarms that are received are restricted by a filter, which is specified in the registration
request. An alarm registration request is followed by a synchronous response. If successful, the
synchronous response contains a RegistrationID, which is used by the client to uniquely identify the
applicable registration. A client can make many alarm registrations. If a client wants to stop receiving a
particular set of alarms at a later stage, the client can send a deregistration request for the relevant
RegistrationID or all Registration IDs for the session.
When an asynchronous response is received that contains an alarm, the registration that resulted in the
alarm is determined from the RegistrationID.
These sections describe the XML used for every operation:
• Alarm Registration
• Alarm Deregistration
• Alarm Notification
Alarm Registration
Alarm registration and deregistration requests and responses and alarm notifications use the
operation tag to distinguish them from other types of XML operations. A registration request contains
the tag, which is followed by several tags that specify the filter requirement. If registration
for all alarms is required, no filter is specified. These filter criteria are listed:
• SourceID
• Category
• Group
• Context
• Code
• Severity
• BiStateOnly
If it succeeds, the response contains a tag with a RegistrationID attribute. If it fails, the filter
tag that caused the error appears with an error message attribute. This example shows a registration
request to receive all alarms for configuration change; for example, commit notifications:
Sample XML Request from the Client Application
CONFIG
DB_COMMIT
Sample XML Response from the Router
Response MajorVersion="1" MinorVersion="0">
Note If a second registration is made with the same filter, or if the filters with two registrations overlap, these
alarms that match both registrations are received twice. In general, each alarm is received once for each
registration that it matches.
If a session ends (for example, the connection is dropped), all registrations are automatically canceled.
Alarm Deregistration
An alarm deregistration request consists of the operation tag followed by the tag,
with the optional attribute RegistrationID. If RegistrationID is specified, the value must be that returned
from a previous registration request. The registration with that ID must not have already been
deregistered or an error is returned. If it is not specified, the request results in all alarm registrations for
that session being deregistered.
This example shows a deregistration request for the RegistrationID returned from the registration
request example:
Sample XML Request from the Client Application
Sample XML Response from the Router
Alarm Notification
Alarm notifications are contained within a pair of tags to distinguish them from normal
responses. Each notification contains one or more alarms, each of which is contained within a pair of
tags. The tags have an attribute RegistrationID, where the value is the RegistrationID returned
in the registration that resulted in the alarm.
The tags contain these fields for the alarm:
• SourceID
• EventID
• Timestamp
• Category
• Group
• Code
• Severity
• State
• CorrelationID
• AdditionalText
This example shows the configuration commit alarm notification:
RP/0/0/CPU0
84
1077270612
MGBL
CONFIG
DB_COMMIT
Informational
NotAvailable
0
config[65704]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed
by user 'admin'. Use 'show commit changes 1000000490' to view
the changes.
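An added example (not Cisco's code) that parses a constructed alarm notification carrying the commit alarm above, matches it against the filters of several registrations so that it is delivered once per matching registration, and models deregistration by RegistrationID; the Notification and Alarm element names and the RegistrationID values are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Registration filter criteria listed in the guide (BiStateOnly is not modelled here).
FILTER_FIELDS = ("SourceID", "Category", "Group", "Context", "Code", "Severity")


def parse_notification(xml_text: str) -> List[Dict[str, str]]:
    """Return one dict per alarm: the RegistrationID attribute plus each child
    field (SourceID, EventID, Timestamp, ..., AdditionalText) as text."""
    root = ET.fromstring(xml_text)
    alarms = []
    for alarm in root.iter("Alarm"):
        record = {"RegistrationID": alarm.get("RegistrationID", "")}
        for child in alarm:
            # AdditionalText may wrap over several lines; normalise the whitespace.
            record[child.tag] = " ".join((child.text or "").split())
        alarms.append(record)
    return alarms


def matches(filter_: Dict[str, str], alarm: Dict[str, str]) -> bool:
    """An empty filter registers for all alarms; otherwise every criterion
    given must equal the corresponding alarm field."""
    unknown = set(filter_) - set(FILTER_FIELDS)
    if unknown:
        raise ValueError(f"unsupported filter criteria: {sorted(unknown)}")
    return all(alarm.get(key) == value for key, value in filter_.items())


def deliveries(registrations: Dict[str, Dict[str, str]], alarm: Dict[str, str]) -> List[str]:
    """RegistrationIDs that each receive this alarm once; overlapping filters
    therefore deliver the same alarm more than once, as the guide notes."""
    return [rid for rid, flt in registrations.items() if matches(flt, alarm)]


def deregister(registrations: Dict[str, Dict[str, str]],
               registration_id: Optional[str] = None) -> None:
    """Model of the deregistration request: a given ID must still be registered
    (error otherwise); no ID clears every registration for the session."""
    if registration_id is None:
        registrations.clear()
        return
    if registration_id not in registrations:
        raise KeyError(f"RegistrationID {registration_id} is not registered")
    del registrations[registration_id]


# Constructed notification using the field values of the commit alarm in the guide.
SAMPLE_NOTIFICATION = """<Notification>
  <Alarm RegistrationID="1">
    <SourceID>RP/0/0/CPU0</SourceID>
    <EventID>84</EventID>
    <Timestamp>1077270612</Timestamp>
    <Category>MGBL</Category>
    <Group>CONFIG</Group>
    <Code>DB_COMMIT</Code>
    <Severity>Informational</Severity>
    <State>NotAvailable</State>
    <CorrelationID>0</CorrelationID>
    <AdditionalText>config[65704]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed
    by user 'admin'. Use 'show commit changes 1000000490' to view the changes.</AdditionalText>
  </Alarm>
</Notification>"""

if __name__ == "__main__":
    alarm = parse_notification(SAMPLE_NOTIFICATION)[0]
    regs = {"1": {"Group": "CONFIG", "Code": "DB_COMMIT"}, "2": {"Category": "MGBL"},
            "3": {"Severity": "Critical"}, "4": {}}
    print(deliveries(regs, alarm))  # ['1', '2', '4']
```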
Chapter 11 Error Reporting in Cisco XML Responses
The XML responses returned by the router contain error information as appropriate, including the
operation, object, and cause of the error when possible. The error codes and messages returned from the
router may originate in the XML agent or in one of the other infrastructure layers; for example, the XML
Service Library, XML Parser Library, or Configuration Manager.
Types of Reported Errors
Table 11-1 lists the types of potential errors in XML Responses.
These error categories are described in these sections:
• Error Attributes
• Transport Errors
• XML Parse Errors
• XML Schema Errors
• Operation Processing Errors
• Error Codes and Messages
Table 11-1 Reported Error Types
Error Type                   Description
Transport errors             Transport-specific errors are detected within the XML agent (and include failed authentication attempts).
XML parse errors             XML format or syntax errors are detected by the XML Parser Library (and include errors resulting from malformed XML, mismatched XML tags, and so on).
XML schema errors            XML schema errors are detected by the XML operation provider within the infrastructure (and include errors resulting from invalid operation types, invalid object hierarchies, values out of range, and so on).
Operation processing errors  Operation processing errors are errors encountered during the processing of an operation, typically as a result of committing the target configuration (and include errors returned from Configuration Manager and the infrastructure such as failed authorization attempts, and “invalid configuration errors” returned from the back-end Cisco IOS XR applications).
Error Attributes
If one or more errors occur during the processing of a requested operation, the corresponding XML
response includes error information for each element or object class in error. The error information is
included in the form of ErrorCode and ErrorMsg attributes providing a relevant error code and error
message respectively.
If one or more errors occur during the processing of an operation, error information is included for each
error at the appropriate point in the response. In addition, error attributes are added at the operation
element level. As a result, the client application does not have to search through the entire response to
determine if an error has occurred. However, the client can still search through the response to identify
each of the specific error conditions.
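An added example, not from this guide, showing the two ways a client can use the error attributes described above: a quick check on the operation element alone, and a full walk that reports every element carrying ErrorCode and ErrorMsg with its path. The response layout below BGP and the ErrorCode values in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class XmlError:
    path: str      # slash-separated element path from the Response root
    code: int      # ErrorCode as a 32-bit integer (cerrno)
    message: str   # ErrorMsg text


def parse_error_code(text: str) -> int:
    """ErrorCode values are 32-bit integers, normally written in hex; reject
    anything outside that range so a malformed attribute is not misread."""
    code = int(text, 0)
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"ErrorCode {text!r} is not a 32-bit value")
    return code


def _error_at(element: ET.Element, path: str) -> Optional[XmlError]:
    code = element.get("ErrorCode")
    if code is None:
        return None
    return XmlError(path, parse_error_code(code), element.get("ErrorMsg", ""))


def operation_error(xml_text: str) -> Optional[XmlError]:
    """Quick check: inspect only the operation element (the direct child of the
    Response). Error attributes are added there as well, so a client can tell
    whether anything failed without walking the whole response."""
    root = ET.fromstring(xml_text)
    for operation in root:
        err = _error_at(operation, f"{root.tag}/{operation.tag}")
        if err is not None:
            return err
    return None


def all_errors(xml_text: str) -> List[XmlError]:
    """Full walk: every element carrying ErrorCode/ErrorMsg, in document order,
    so the specific elements or object classes in error can be identified."""
    root = ET.fromstring(xml_text)
    found: List[XmlError] = []

    def walk(element: ET.Element, path: str) -> None:
        err = _error_at(element, path)
        if err is not None:
            found.append(err)
        for child in element:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return found


# Constructed response: one error on the operation element and one deeper down.
# The ErrorCode values are placeholders, not codes taken from a router.
SAMPLE_RESPONSE = """<Response MajorVersion="1" MinorVersion="0">
  <Get ErrorCode="0x12345678"
       ErrorMsg="An error was encountered in the XML beneath this operation tag">
    <Configuration>
      <BGP MajorVersion="1" MinorVersion="3">
        <AS>
          <Naming><AS>0</AS></Naming>
          <FourByteAS ErrorCode="0x12345679" ErrorMsg="invalid object hierarchy (constructed)"/>
        </AS>
      </BGP>
    </Configuration>
  </Get>
</Response>"""

if __name__ == "__main__":
    print(operation_error(SAMPLE_RESPONSE))
    for err in all_errors(SAMPLE_RESPONSE):
        print(f"{err.path}: 0x{err.code:08x} {err.message}")
```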
Transport Errors
Transport-specific errors, including failed authentication attempts, are handled by the appropriate XML
agent.
XML Parse Errors
This general category of errors includes those resulting from malformed XML and mismatched XML
tags.
The router checks each XML request, but does not validate the request against an XML schema. If the
XML contains invalid syntax and thus fails the well-formedness check, the error indication is returned
in the form of error attributes placed at the appropriate point in the response. In such cases, the response
may not contain the same XML as was received in the request, but just the portions to the point where
the syntax error was encountered.
In this example, the client application sends a request to the router that contains mismatched tags, that
is, the opening tag is not paired with a closing tag. This example illustrates
the format and placement of the error attributes.
Note The actual error codes and messages might be different than what is shown in this example. Also, the
actual error attributes do not contain new-line characters.
Sample XML Client Request Containing Mismatched Tags
0
3
Sample XML Response from the Router
XML Schema Errors
XML schema errors are detected by the XML operation providers. This general category of errors
includes those resulting from invalid operation types, invalid object hierarchies, and invalid naming or
value elements. However, some schema errors may go undetected because, as previously noted, the
router does not validate the request against an XML schema.
In this example, the client application has requested a operation specifying an object
that does not exist at this location in the Border Gateway Protocol (BGP) component
hierarchy. This example illustrates the format and placement of the error attributes.
Note The actual error codes and messages may be different than those shown in the example.
Sample XML Client Request Specifying an Invalid Object Hierarchy
0
3
10
Sample XML Response from the Router
0
3
This example also illustrates a schema error. In this case, the client application has requested a
operation specifying a value for the object that is not within the range of valid
values for this item.
Sample XML Request Specifying an Invalid Object Value Range
0
3
6000
Sample XML Response from the Router
0
3
Operation Processing Errors
Operation processing errors include errors encountered during the processing of an operation, typically
as a result of committing the target configuration after previous or operations. While
processing an operation, errors are returned from Configuration Manager and the infrastructure, failed
authorization attempts occur, and “invalid configuration errors” are returned from the back-end Cisco
IOS XR applications.
This example illustrates an operation processing error resulting from a request specifying an
unrecognized iterator ID:
Sample XML Client Request and Processing Error
Sample XML Response from the Router
Error Codes and Messages
The error codes and messages returned from the router may originate in any one of several components.
The error codes (cerrnos) returned from these layers are 32-bit integer values. In general, for a given
error condition, the error message returned in the XML is the same as the error message displayed on
the CLI.
Chapter 12 Summary of Cisco XML API Configuration Tags
Table 12-1 provides the CLI to XML application programming interface (API) tag mapping for the
router target configuration.
Table 12-1 CLI Command or Operation to XML Tag Mapping
CLI Command or Operation XML Tag
To end, abort, or exit
1
(from top
config mode)
2
clear
show config with
show config running with
show config merge with
show config failed with followed by with
configure exclusive
3
4
To change the selected config with
To delete the selected config with
commit best-effort
commit
show config failed with
show commit changes commitid with
show commit changes since commitid with
rollback configuration to commitid with
rollback configuration last number with
show rollback changes to commitid with
show rollback changes last number with
show rollback points
show configuration sessions
1. These CLI operations end the configuration session and unlock the running configuration session if it is locked.
2. This XML tag releases the lock on a running configuration but does not end the configuration session.
3. This CLI command starts a new configuration session and locks the running configuration.
4. This XML tag locks the running configuration from a configuration session that is already in progress.
Chapter 13 XML Transport and Event Notifications
This chapter contains these sections:
• TTY-Based Transports
• Dedicated Connection Based Transports
• SSL Dedicated Connection Based Transports
TTY-Based Transports
These sections describe how to use the TTY-based transports:
• Enabling the TTY XML Agent
• Enabling a Session from a Client
• Sending XML Requests and Receiving Responses
• Configuring Idle Session Timeout
• Ending a Session
• Errors That Result in No XML Response Being Produced
Enabling the TTY XML Agent
To enable the TTY agent on the router, which is ready to handle incoming XML sessions over Telnet
and Secure Shell (SSH), enter the xml agent tty command, as shown in this example:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# xml agent tty
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# exit
For more information about the xml agent tty command, see Cisco IOS XR System Management
Configuration Guide.
TTY (SSH) agent is telnet based, so IPv6 addressing is supported.
Enabling a Session from a Client
To enable a session from a remote client, invoke SSH or Telnet to establish a connection with the
management port on the router. When prompted by the transport protocol, enter a valid username and
password. After you have successfully logged on, enter xml at the router prompt to be in XML mode.
A maximum of 50 XML sessions total can be started over a dedicated port, TTY, SSH, and Secure
Sockets Layer (SSL) dedicated port.
Note You should use, if configured, either the management port or any of the external interfaces rather than
a connection to the console or auxiliary port. The management port can have a significantly higher
bandwidth and offer better performance.
Sending XML Requests and Receiving Responses
To send an XML request, write the request to the Telnet/SSH session. The session can be used
interactively; for example, typing or pasting the XML at the XML> prompt from a window.
Note The XML request must be followed by a new-line character; that is, press Return before the
request is processed.
Any responses, either synchronous or asynchronous, are also displayed in the session window. The end
of a synchronous response is always represented with , and asynchronous responses (for
example, notifications) end with .
The client application is single threaded in the context of one session and sends requests synchronously;
that is, requests must not be sent until the response to the previous request is received.
Configuring Idle Session Timeout
When a session times out, the resource from that session is reclaimed. By default, XML agents do not
have an idle session timeout.
To configure the idle session timeout in minutes for the XML agents, use this command:
xml agent [tty | ssl] session timeout <1-1440>
Ending a Session
If you are using a session interactively from a terminal window, you can close the window. To manually
exit the session, at the prompt:
1. Enter the exit command to end XML mode.
2. Enter the exit command to end the Telnet/SSH session.
Errors That Result in No XML Response Being Produced
If the XML infrastructure is unable to return an XML response, the TTY agent returns an error code and
message in this format:
ERROR: 0x%x %s\n
Dedicated Connection Based Transports
These sections describe how to use the dedicated connection-based transports:
• Enabling the Dedicated XML Agent
• Enabling a Session from a Client
• Sending XML Requests and Receiving Responses
• Configuring Idle Session Timeout
• Ending a Session
• Errors That Result in No XML Response Being Produced
Enabling the Dedicated XML Agent
To enable the dedicated agent on the router, which is ready to handle incoming XML sessions over a
dedicated TCP port (38751), enter the xml agent command, as shown in the following example:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# xml agent
RP/0/RP0/CPU0:router(config)# aaa authorization exec default local
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# exit
For more information about the xml agent command, see Cisco IOS XR System Management
Configuration Guide.
The default addressing protocol for the XML dedicated agent is
• IPv4 enabled
• IPv6 disabled
To configure a dedicated agent to receive and send messages through IPv6 protocol:
xml agent ipv6 enable
To configure the dedicated agent to disable the IPv4 protocol:
xml agent ipv4 disable
To receive and send messages only through IPv6 protocol:
xml agent ipv4 disable
xml agent ipv6 enable13-132
Cisco IOS XR XML API Guide
OL-24657-01
Chapter 13 XML Transport and Event Notifications
Dedicated Connection Based Transports
Enabling a Session from a Client
To enable a session from a remote client, establish a TCP connection with the dedicated port (38751) on
the router. When prompted, enter a valid username and password. After you have successfully logged
on, the session is in XML mode and is ready to receive XML requests.
A maximum of 50 XML sessions in total can be started across the dedicated port, TTY, SSH, and the SSL
dedicated port.
Sending XML Requests and Receiving Responses
To send an XML request, write the request to the established session. The session can be used
interactively; for example, typing or pasting the XML at the XML> prompt from a window.
Note The XML request must be followed by a new-line character (for example, press Return) before the
request is processed.
Any responses, either synchronous or asynchronous, are also displayed in the session window. The end
of a synchronous response is always marked by the closing </Response> tag, and asynchronous responses
(for example, notifications) end with the closing </Notification> tag.
The client application is single threaded in the context of one session and sends requests synchronously;
that is, a request must not be sent until the response to the previous request has been received.
Configuring Idle Session Timeout
When a session times out, the resources held by that session are reclaimed. By default, XML agents have
no idle session timeout, so an abandoned session is never reclaimed and keeps counting against the
session limit until it is closed.
To configure the idle session timeout in minutes for the XML agents, use this command:
xml agent [tty | ssl] session timeout <1-1440>
Ending a Session
If you are using a session interactively from a terminal window, you can close the window. To manually
exit the session, at the prompt:
1. Enter the exit command to end XML mode.
2. Enter the exit command to end the Telnet/SSH session.
Errors That Result in No XML Response Being Produced
If the XML infrastructure is unable to return an XML response, the TTY agent returns an error code and
message in this format:
ERROR: 0x%x %s\n
SSL Dedicated Connection based Transports
These sections describe how to use the SSL dedicated connection-based transports:
• Enabling the SSL Dedicated XML Agent, page 13-133
• Enabling a Session from a Client, page 13-133
• Sending XML Requests and Receiving Responses, page 13-133
• Configuring Idle Session Timeout, page 13-134
• Ending a Session, page 13-134
• Errors That Result in No XML Response Being Produced, page 13-134
Enabling the SSL Dedicated XML Agent
To enable the SSL dedicated agent on the router, which then listens for incoming XML sessions on the
dedicated TCP port (38752), enter the xml agent ssl command, as shown in this example:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# xml agent ssl
RP/0/RP0/CPU0:router(config)# aaa authorization exec default local
RP/0/RP0/CPU0:router(config)# commit
RP/0/RP0/CPU0:router(config)# exit
Note The k9sec package is required to use the SSL agent. The configuration is rejected during a commit when
the k9sec package is not active on the system. When the k9sec package is deactivated after configuring
the SSL agent, the agent is not available.
The SSL dedicated agent uses IPSec, so IPv6 addressing is supported.
Enabling a Session from a Client
To enable a session from a remote client, establish a TCP connection with the dedicated port (38752) on
the router. When prompted, enter a valid username and password. After you have successfully logged
on, the session is in XML mode and is ready to receive XML requests.
A maximum of 50 XML sessions in total can be started across the dedicated port, TTY, SSH, and the SSL
dedicated port.
Sending XML Requests and Receiving Responses
To send an XML request, write the request to the established session. The session can be used
interactively; for example, typing or pasting the XML at the XML> prompt from a window.
The XML request must be followed by a new-line character (for example, press Return) before the
request is processed.
Any responses, either synchronous or asynchronous, are also displayed in the session window. The end
of a synchronous response is always marked by the closing </Response> tag. Asynchronous responses end
with the closing </Notification> tag.
The client application is single threaded in the context of one session and sends requests synchronously.
Requests must not be sent until the response to the previous request is received.
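The client side of the exchange described in the two dedicated-agent sections above (plaintext port 38751 and SSL port 38752), as an added example that is not part of this guide or of Cisco's software. It assumes the prompts are the literal strings Username:, Password: and XML>, that a synchronous reply ends with </Response> and an asynchronous one with </Notification>, and that the fake agent, the credentials and the request and response bodies are constructed for the demo. The connect() class method, the XmlAgentSession class and run_demo() are names chosen here, not toolkit APIs.

```python
"""Client handling of one Cisco IOS XR XML agent session (added example, not Cisco code)."""
import socket
import ssl
import threading

RESPONSE_END = b"</Response>"            # end of a synchronous reply (assumed from the text)
NOTIFICATION_END = b"</Notification>"    # end of an asynchronous message (assumed from the text)
XML_DEDICATED_PORT = 38751               # plaintext dedicated agent
XML_SSL_PORT = 38752                     # SSL dedicated agent (needs the k9sec package)


class XmlAgentSession:
    """One session: log in, then keep strictly one request in flight."""

    def __init__(self, sock, timeout=10.0):
        self.sock = sock
        self.sock.settimeout(timeout)   # a silent agent must not hang the client forever
        self.buf = b""
        self.notifications = []         # asynchronous messages received while waiting

    @classmethod
    def connect(cls, host, port=XML_DEDICATED_PORT, tls=False, cafile=None):
        """Open a TCP session; with tls=True wrap it for the SSL agent on 38752."""
        raw = socket.create_connection((host, port), timeout=10.0)
        if tls:
            # Verify the router certificate against a CA file instead of trusting blindly.
            ctx = ssl.create_default_context(cafile=cafile)
            raw = ctx.wrap_socket(raw, server_hostname=host)
        return cls(raw)

    def _fill(self):
        chunk = self.sock.recv(4096)
        if not chunk:
            raise ConnectionError("agent closed the session")
        self.buf += chunk

    def _read_until(self, marker):
        """Consume and return buffered data up to and including `marker`."""
        while marker not in self.buf:
            self._fill()
        end = self.buf.index(marker) + len(marker)
        data, self.buf = self.buf[:end], self.buf[end:]
        return data

    def _read_message(self):
        """Return (end_marker, message) for the next complete message of either kind."""
        while True:
            hits = [(self.buf.find(m), m) for m in (RESPONSE_END, NOTIFICATION_END)]
            hits = [h for h in hits if h[0] >= 0]
            if hits:
                start, marker = min(hits)          # the earliest marker delimits the message
                end = start + len(marker)
                data, self.buf = self.buf[:end], self.buf[end:]
                data = data.lstrip()
                if data.startswith(b"XML>"):       # prompt printed ahead of the message
                    data = data[len(b"XML>"):].lstrip()
                return marker, data
            self._fill()

    def login(self, username, password):
        self._read_until(b"Username:")
        self.sock.sendall(username.encode() + b"\n")
        self._read_until(b"Password:")
        self.sock.sendall(password.encode() + b"\n")
        self._read_until(b"XML>")                 # the prompt means the session is in XML mode

    def send_request(self, xml_request):
        """Send one request and return its <Response>; queue any interleaved notifications."""
        self.sock.sendall(xml_request.encode() + b"\n")   # the newline triggers processing
        while True:
            marker, message = self._read_message()
            if marker == NOTIFICATION_END:
                self.notifications.append(message)   # asynchronous: keep waiting for the reply
                continue
            return message


def _fake_agent(conn):
    """Constructed stand-in for the router side so the example runs offline."""
    lines = conn.makefile("rb")
    conn.sendall(b"Username: ")
    lines.readline()
    conn.sendall(b"Password: ")
    lines.readline()
    conn.sendall(b"XML> ")
    lines.readline()                              # the one-line request
    conn.sendall(b"<Notification><Alarm>constructed</Alarm></Notification>\n"
                 b'<Response MajorVersion="1" MinorVersion="0"><Get><Configuration/>'
                 b"</Get></Response>\nXML> ")
    conn.close()


def run_demo(username="operator", password="s3cret"):
    """Log in and send one request over a socketpair; return (response, notifications)."""
    client_end, agent_end = socket.socketpair()
    agent = threading.Thread(target=_fake_agent, args=(agent_end,), daemon=True)
    agent.start()
    session = XmlAgentSession(client_end)
    session.login(username, password)            # constructed credentials
    response = session.send_request(
        '<?xml version="1.0"?><Request MajorVersion="1" MinorVersion="0">'
        "<Get><Configuration/></Get></Request>")
    agent.join(timeout=2)
    return response, session.notifications


if __name__ == "__main__":
    resp, notes = run_demo()
    print(resp.decode())
    print(f"{len(notes)} notification(s) received while waiting")
```

Against a real router, replace the socketpair with XmlAgentSession.connect(host) for port 38751 or XmlAgentSession.connect(host, XML_SSL_PORT, tls=True, cafile=...) for the SSL agent; the framing and the one-outstanding-request rule are the same on both ports.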
Configuring Idle Session Timeout
When a session times out, the resources held by that session are reclaimed. By default, XML agents have
no idle session timeout, so an abandoned session is never reclaimed and keeps counting against the
session limit until it is closed.
To configure the idle session timeout in minutes for the XML agents, use this command:
xml agent [tty | ssl] session timeout <1-1440>
Ending a Session
If you are using a session interactively from a terminal window, you can close the window. To manually
exit the session, at the prompt:
1. Enter the exit command to end XML mode.
2. Enter the exit command to end the Telnet/SSH session.
Errors That Result in No XML Response Being Produced
If the XML infrastructure is unable to return an XML response, the SSL dedicated agent returns an error
code and message in this format:
ERROR: 0x%x %s\n

Chapter 14 Cisco XML Schemas
This chapter contains information about common XML schemas. The structure and allowable content of
the XML request and response instances supported by the Cisco IOS XR XML application programming
interface (API) are documented by means of XML schemas (.xsd files).
The XML schemas are documented using the standard World Wide Web Consortium (W3C) XML
schema language, which provides a much more powerful and flexible mechanism for describing schemas
than can be achieved using Document Type Definitions (DTDs). The set of XML schemas consists of a
small set of common high-level schemas and a larger number of component-specific schemas as
described in this chapter.
For more information on the W3C XML Schema standard, see this URL:
http://www.w3.org/XML/Schema
This chapter contains these sections:
• XML Schema Retrieval, page 14-135
• Common XML Schemas, page 14-136
• Component XML Schemas, page 14-136
XML Schema Retrieval
The XML schemas that belong to the features in a particular package are obtained as a .tar file from
cisco.com. To retrieve the XML schemas, you must:
1. Click this URL to display the Downloads page:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268437899
Note Select Downloads. Only customer or partner viewers can access the Download Software page.
Guest users will get an error.
2. Select Cisco IOS XR Software.
3. Select IOS XR XML Schemas.
4. Select the XML schema for your platform.
Once untarred, all the XML schema files appear as a flat directory of .xsd files and can be opened with
any XML schema viewing application, such as XMLSpy.
Common XML Schemas
Among the .xsd files that belong to a BASE package are the common Cisco IOS XR XML schemas that
include definitions of the high-level XML request and response instances, operations, and common
datatypes. These common XML schemas are listed:
• alarm_operations.xsd
• config_services_operations.xsd
• cli_operations.xsd
• common_datatypes.xsd
• xml_api_common.xsd
• xml_api_protocol.xsd
• native_data_common.xsd
• native_data_operations.xsd
Component XML Schemas
In addition to the common XML schemas, component XML schemas (such as native data) are provided
and contain the data model for each feature. There is typically one component XML schema for each
major type of data supported by the component—configuration, operational, action, administration
operational, and administration action data—plus any complex data type definitions in the operational
space.
Note Sometimes common schema files exist for a component that contain resources used by the component’s
other schema files (for example, the data types to be used by both configuration data and operational
data).
You should use only the XML objects that are defined in the XML schema files. You should not use any
unpublished objects that may be shown in the XML returned from the router.
Schema File Organization
There is no hard link between the high-level XML request schemas (namespace_types.xsd) and the
component schemas. Instead, links appear in the component schemas in the form of include elements
that specify the file in which the parent element exists. The name of the component .xsd file also
indicates where in the hierarchy the file’s contents reside. If the file ends with _cfg.xsd, it appears as a
child of “Configuration”; if it ends with _if_cfg.xsd, it appears as a child of “InterfaceConfiguration”,
and so on. In addition, the comment header in each .xsd file names the parent object of each top level
object in the schema.
Schema File Upgrades
If a new version of a schema file becomes available (or has to be uploaded to the router as part of an
upgrade), the new version of the file can replace the old version of the file in a straight swap. All other
files are unaffected. Therefore, if a component is replaced, only the .xsd files pertaining to that
component are replaced.

Chapter 15 Network Configuration Protocol
Network Configuration Protocol (NETCONF) defines an XML-based interface between a network
device and a network management system to provide a mechanism to manage, configure, and monitor a
network device.
In Cisco IOS XR, NMS applications use defined XML schemas to manage network devices from
multiple vendors. These capabilities are supported from a Cisco IOS XR agent to a client:
• TTY NETCONF session—Log on through Telnet and then enter the netconf command.
• SSH NETCONF session—Log on through SSH and then enter the netconf command.
This example shows the <hello> message that the agent sends to a client:
<hello xmlns="urn:ietf:params:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
</capabilities>
<session-id>4</session-id>
</hello>
These sections about NETCONF are covered:
• Starting a NETCONF Session, page 15-139
• Ending a NETCONF Agent Session, page 15-140
• Starting an SSH NETCONF Session, page 15-140
• Ending an SSH NETCONF Agent Session, page 15-141
• Configuring a NETCONF agent, page 15-141
• Limitations of NETCONF in Cisco IOS XR, page 15-142
Starting a NETCONF Session
To start a NETCONF session, enter the netconf command from the exec prompt (through telnet or SSH).
This example shows how to start a TTY NETCONF agent session:
client(/users/ore)> telnet 1.66.32.82
Trying 1.66.32.82...
Connected to 1.66.32.82.
Escape character is '^]'.
User Access Verification
Username:
Password:
RP/0/1/CPU0:Router# netconf echo format
<hello xmlns="urn:ietf:params:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
</capabilities>
<session-id>4</session-id>
</hello>
]]>]]>
When a new session is created, the NETCONF agent immediately sends out a <hello> message with its
capabilities. At the end of each message transmission, the NETCONF agent sends the end-of-message
marker ']]>]]>'.
The NETCONF agent does not display a prompt like the XML agent does (XML>).
The NETCONF TTY agent does not echo back the received messages and does not format returning
messages by default. These capabilities can be added by using the 'echo' and 'format' options.
The client is also required to send a <hello> message with its capabilities.
Ending a NETCONF Agent Session
Unlike the XML agent, the client ends the session by sending a <close-session/> request:
<rpc message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">
<close-session/>
</rpc>
]]>]]>
The agent replies with an <ok/> tag and then closes the session:
<rpc-reply message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">
<ok/>
</rpc-reply>
]]>]]>
Starting an SSH NETCONF Session
This example shows how to start an SSH NETCONF agent session:
client(/users/ore)> ssh lab@1.66.32.82
lab@1.66.32.82's password:
RP/0/1/CPU0:gsrb#netconf echo format
<hello xmlns="urn:ietf:params:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
</capabilities>
<session-id>4</session-id>
</hello>
]]>]]>
The client can also directly start a NETCONF session by specifying the netconf command on the ssh
command line:
client(/users/ore)> ssh lab@1.66.32.82 netconf echo format
lab@1.66.32.82's password:
<hello xmlns="urn:ietf:params:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
</capabilities>
<session-id>4</session-id>
</hello>
]]>]]>
Ending an SSH NETCONF Agent Session
This example shows how to end an SSH NETCONF agent session:
<rpc message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">
<close-session/>
</rpc>
]]>]]>
The agent replies with an <ok/> tag and then closes the session:
<rpc-reply message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">
<ok/>
</rpc-reply>
]]>]]>
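The client side of the session lifecycle described in this chapter (agent <hello>, ']]>]]>' end-of-message framing, client <hello>, <close-session/> answered by <ok/>), as an added example that is not part of this guide or of Cisco's software. The agent bytes are constructed from the <hello> shown above and split across two arbitrary segments to show that the marker can straddle a read; the message-id value 101, the client's capability list and the names NetconfFramer, parse_hello, edit_target and run_session are choices made here. The datastore selection also uses the capability facts from the limitations section later in this chapter (candidate advertised, writable-running not).

```python
"""NETCONF 1.0 framing and hello handling for the IOS XR TTY/SSH NETCONF agent (added example)."""
import xml.etree.ElementTree as ET   # fine for a trusted router; use defusedxml for untrusted peers

EOM = b"]]>]]>"                      # RFC 4742 end-of-message marker sent after every message
BASE_NS = "urn:ietf:params:netconf:base:1.0"
CANDIDATE_CAP = "urn:ietf:params:netconf:capability:candidate:1.0"
WRITABLE_RUNNING_CAP = "urn:ietf:params:netconf:capability:writable-running:1.0"


class NetconfFramer:
    """Split an incoming byte stream into complete NETCONF messages."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        """Append received bytes; return every complete message (marker removed)."""
        self.buf += data
        messages = []
        while EOM in self.buf:
            msg, self.buf = self.buf.split(EOM, 1)
            messages.append(msg.strip())
        return messages


def parse_hello(xml_bytes):
    """Return (capabilities, session_id) from the agent's <hello>."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{BASE_NS}}}hello":
        raise ValueError(f"expected hello, got {root.tag}")
    caps = [c.text.strip() for c in root.iter(f"{{{BASE_NS}}}capability")]
    sid = root.findtext(f"{{{BASE_NS}}}session-id")
    return caps, (int(sid) if sid else None)


def client_hello():
    """The <hello> the client must send back; it advertises only base:1.0."""
    return (f'<hello xmlns="{BASE_NS}"><capabilities>'
            f"<capability>{BASE_NS}</capability></capabilities></hello>").encode() + EOM


def rpc(message_id, body_xml):
    """Wrap an operation in <rpc>; message-id lets the reply be matched to it."""
    return f'<rpc message-id="{message_id}" xmlns="{BASE_NS}">{body_xml}</rpc>'.encode() + EOM


def edit_target(caps):
    """Pick the datastore to edit: IOS XR advertises candidate, not writable-running."""
    if WRITABLE_RUNNING_CAP in caps:
        return "running"
    if CANDIDATE_CAP in caps:
        return "candidate"          # edit-config on candidate, then commit
    raise RuntimeError("agent offers no writable datastore")


def reply_is_ok(xml_bytes, message_id):
    """True when the reply carries our message-id and an <ok/> element."""
    root = ET.fromstring(xml_bytes)
    return (root.tag == f"{{{BASE_NS}}}rpc-reply"
            and root.get("message-id") == str(message_id)
            and root.find(f"{{{BASE_NS}}}ok") is not None)


# Constructed agent output: the hello from this chapter, then the <ok/> reply to a
# close-session, delivered in two segments with the first marker split between them.
AGENT_SEGMENTS = [
    b'<?xml version="1.0" encoding="UTF-8"?>\n<hello xmlns="urn:ietf:params:netconf:base:1.0">\n'
    b"<capabilities>\n<capability>urn:ietf:params:netconf:base:1.0</capability>\n"
    b"<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>\n"
    b"</capabilities>\n<session-id>4</session-id>\n</hello>\n]]",
    b'>]]>\n<rpc-reply message-id="101" xmlns="urn:ietf:params:netconf:base:1.0">'
    b"<ok/></rpc-reply>\n]]>]]>",
]


def run_session(agent_segments=AGENT_SEGMENTS):
    """Drive the exchange over the constructed bytes; return a summary of what happened."""
    framer = NetconfFramer()
    received = []
    for segment in agent_segments:
        received.extend(framer.feed(segment))
    caps, session_id = parse_hello(received[0])
    sent = [client_hello(), rpc(101, "<close-session/>")]   # what the client writes, in order
    return {
        "session_id": session_id,
        "edit_target": edit_target(caps),
        "messages": len(received),
        "closed_ok": reply_is_ok(received[1], 101),
        "sent": sent,
    }


if __name__ == "__main__":
    summary = run_session()
    print(f"session {summary['session_id']}: edit {summary['edit_target']}, "
          f"closed ok={summary['closed_ok']}")
```

Over a real session the framer is fed from the Telnet or SSH channel and the entries in sent are written to it; because the agent does not print a prompt, the ']]>]]>' marker is the only reliable message boundary.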
Configuring a NETCONF agent
To configure a NETCONF TTY agent, use the netconf agent tty command.
Use the throttle and session timeout parameters as you would with the XML TTY agent.
netconf agent tty
throttle (memory | process-rate)
session timeout
To enable the NETCONF SSH agent, use this command:
ssh server v2
netconf agent tty
Limitations of NETCONF in Cisco IOS XR
This section identifies the limitations of NETCONF in Cisco IOS XR Software.
Configuration Datastores
Cisco IOS XR supports these configuration datastores:
• <running>
• <candidate>
Cisco IOS XR does not support the <startup> configuration datastore.
Configuration Capabilities
Cisco IOS XR supports these configuration capabilities:
• Candidate Configuration Capability
urn:ietf:params:netconf:capability:candidate:1.0
Cisco IOS XR does not support these configuration capabilities:
• Writable-Running Capability
urn:ietf:params:netconf:capability:writable-running:1.0
• Confirmed Commit Capability
urn:ietf:params:netconf:capability:confirmed-commit:1.0
Transport (RFC4741 and RFC4742)
These transport operations are supported:
• Connection-oriented operation
• Authentication
• SSH Transport—Shell-based SSH: the netconf command is run from the SSH login shell. The
IANA-assigned TCP port 830 for NETCONF over SSH is not supported.
• Other transport
Subtree Filtering (RFC4741)
NETCONF has these subtree filtering limitations in Cisco IOS XR:
• Namespace Selection—Filtering based on specified namespace. This is not supported because Cisco
IOS XR does not publish schema name spaces.
• Attribute Match Expressions—Filtering is done by matching a specified attribute value. This
filtering with the “Match” attribute can be specified only in Table classes. See this example:
act
• Containment Nodes—Filtering is done by specifying nodes (classes) that have child nodes (classes).
This filtering is by specifying container classes. See this example:
• Selection Nodes—Filtering is done by specifying leaf nodes. This filtering specifies leaf classes.
See this example:
act
GigabitEthernet0/3/0/1
• Content Match Nodes—Filtering is done by exactly matching the content of a leaf node. This
filtering is done by specifying naming the class value for table classes. See this example:
act
Loopback0
According to the RFC, a request using an empty content match node should return all
elements of all entries of the table.
For example, for this request, the response should return elements of all the entries of
:
In Cisco IOS XR, this request is not supported and returns an error.
Protocol Operations (RFC4741)
These protocol operations are supported in Cisco IOS XR:
• get (a root-level query that returns the entire configuration together with all state data is not supported)
• get-config
• edit-config
• lock
• unlock
• close-session
• commit (by the Candidate Configuration Capability)
• discard-changes (by the Candidate Configuration Capability)
Event Notifications (RFC5277)
Event notifications are not supported in Cisco IOS XR.

Chapter 16 Cisco IOS XR Perl Scripting Toolkit
This chapter describes the Cisco IOS XR Perl Scripting Toolkit as an alternative method to existing
router management methods. This method enables the router to be managed by a Perl script running on
a separate machine. Management commands and data are sent to, and from, the router in the form of
XML over either a Telnet or an SSH connection. The well-defined and consistent structure of XML,
which is used for both commands and data, makes it easy to write scripts that can interactively manage
the router, display information returned from the router in the format required, or manage multiple
routers at once.
These sections describe how to use the Cisco IOS XR Perl Scripting Toolkit:
• Cisco IOS XR Perl Scripting Toolkit Concepts, page 16-148
• Security Implications for the Cisco IOS XR Perl Scripting Toolkit, page 16-148
• Prerequisites for Installing the Cisco IOS XR Perl Scripting Toolkit, page 16-148
• Installing the Cisco IOS XR Perl Scripting Toolkit, page 16-149
• Using the Cisco IOS XR Perl XML API in a Perl Script, page 16-150
• Handling Types of Errors for the Cisco IOS XR Perl XML API, page 16-150
• Starting a Management Session on a Router, page 16-150
• Closing a Management Session on a Router, page 16-152
• Sending an XML Request to the Router, page 16-152
• Using Response Objects, page 16-153
• Using the Error Objects, page 16-154
• Using the Configuration Services Methods, page 16-154
• Using the Cisco IOS XR Perl Data Object Interface, page 16-157
• Cisco IOS XR Perl Notification and Alarm API, page 16-166
• Examples of Using the Cisco IOS XR Perl XML API, page 16-170
Cisco IOS XR Perl Scripting Toolkit Concepts
Table 16-1 describes the toolkit concepts. The toolkit also includes sample scripts that show how to use
the API and that you can modify for your own scripts.
Security Implications for the Cisco IOS XR Perl Scripting Toolkit
Similar to using the CLI over a Telnet or Secure Shell (SSH) connection, all authentication and
authorization are handled by authentication, authorization, and accounting (AAA) on the router. When
run in interactive mode, a script prompts you for the password at run time, so the password is never
stored on the client machine. Therefore, the security implications of using the toolkit are identical to
those of the CLI over the same transport: Telnet sends the username, password, and every request and
response in cleartext, so use the SSH transport wherever possible, and treat a profile file that contains a
password line as a credential store that needs restrictive file permissions.
Prerequisites for Installing the Cisco IOS XR Perl Scripting
Toolkit
To use the toolkit, you must have Perl version 5.6 installed on a client machine that runs UNIX or
Linux. To use the SSH transport option, you must have the SSH client executable installed on the
machine and in your path.
You need to install these specific standard Perl modules to use various functions:
• XML::LibXML—This module is essential for using the Perl XML API and requires that the libxml2
library be installed on the system first. This must be the version that is compatible with the version
of XML::LibXML. The toolkit is tested to work with XML::LibXML version 1.58 and libxml2
version 2.6.6. If you are installing libxml2 from source, you must apply the included patch file
before compiling.
• Term::ReadKey (optional but recommended)—This module reads passwords without displaying
them on the screen.
• Net::Telnet—This module is needed if you are using the Telnet or SSH transport modules.
If one of the modules is not available in the current version, you are warned during the installation
process. Before installing the toolkit, you should install the current versions of the modules. You can
obtain all modules from this location: http://www.cpan.org/
Table 16-1 List of Concepts for the IOS XR Perl Scripting Toolkit
Concept Definition
Cisco IOS XR Perl XML API Consists of the core of the toolkit and provides the ability to create
management sessions, send management requests, and receive responses by using Perl objects and
methods.
Cisco IOS XR Perl Data Object API Allows management requests to be sent and responses received
entirely using Perl objects and data structures without any knowledge of the underlying XML.
Cisco IOS XR Perl Notification/Alarm API Allows a script to register for notifications (for example,
alarms) on a management session and receive the notifications asynchronously as Perl objects.
These modules are not necessary for using the API, but are required to run some sample scripts:
• XML::LibXSLT—This module is needed for the sample scripts that use XSLT to produce HTML
pages. The module also requires that the libxslt library be installed on the system first. The toolkit
is tested to work with XML::LibXSLT version 1.57 and libxslt version 1.1.3.
• Mail::Send—This module is needed only for the notifications sample script.
Installing the Cisco IOS XR Perl Scripting Toolkit
The Cisco IOS XR Perl Scripting Toolkit is distributed in a file named:
Cisco-IOS_XR-Perl-Scripting-Toolkit-<version>.tar.gz
To install the Cisco IOS XR Perl Scripting Toolkit, perform these steps:
Step 1 Extract the contents from the directory in which the file resides by entering this command:
tar -f Cisco-IOS_XR-Perl-Scripting-Toolkit-<version>.tar.gz -xzC <directory>
Table 16-2 defines the parameters.
Step 2 Use the cd command to change to the toolkit installation directory and enter this command:
perl Makefile.PL
If the command gives a warning that one of the prerequisite modules is not found, download and install
the applicable module from the Comprehensive Perl Archive Network (CPAN) before using the API.
Step 3 Build the modules with the make command:
make
Step 4 Use the make install command, as shown in this example:
make install
Ensure that you have the applicable permission requirements for the installation. You may need to have
root privileges.
If you do not encounter any errors, the toolkit is installed successfully. The Perl modules are copied into
the appropriate directory, and you can use your own Perl scripts.
Table 16-2 Toolkit Installation Directory Parameters
Parameter Description
<version> Defines the version of the toolkit to install, for example, version 1.0.
<directory> Specifies the existing directory in which to create the toolkit installation directory. A
directory called Cisco-IOS_XR-Perl-Scripting-Toolkit-<version> is created within the <directory>
directory along with the extracted contents.
Using the Cisco IOS XR Perl XML API in a Perl Script
To use the Cisco IOS XR Perl XML API in a Perl application, import the module by including this
statement at the top of the script:
use Cisco::IOS_XR;
If you are using the Data Object interface, you can specify extra import options in the statement. For
more information about the objects, see the “Creating Data Objects” section on page 16-159.
Handling Types of Errors for the Cisco IOS XR Perl XML API
These types of errors can occur when using the Cisco IOS XR Perl XML API:
• Errors returned from the router—Produced while the router processes an XML request and returned
to you inside the XML response document. For more information about how these errors are handled,
see the “Using the Error Objects” section on page 16-154.
• Errors produced within the Perl XML API modules—Fatal to the script: the module terminates the
script with an appropriate error message (via die). If the script writer wants the script to handle these
errors, the call to the API function must be enclosed in an eval{} block and $@ checked afterwards.
Starting a Management Session on a Router
Before any requests are sent, a management session must be started on the router, which is done by
creating a new object of type named Cisco::IOS_XR. The new object is used for all further requests
during the session, and the session is ended when the object is destroyed. A Cisco::IOS_XR object is
created by calling Cisco::IOS_XR::new.
Table 16-3 lists the optional parameters specified as arguments.
Table 16-3 Argument Definitions
Name Description
use_command_line Controls whether the new() method parses the command-line options given when
the script was invoked. If the value is true, which is the default, the command-line options specify or
override any of the subsequent arguments and control the debug and logging options. A value of 0
turns this off.
interactive If the value is true, the script prompts you for the username and password if they have not
been specified either in the script or on the command line. The Term::ReadKey module must be
installed so that the password is read without being echoed to the screen.
Prompting at run time is the most secure way to use the toolkit, because no password is hard-coded in
the script or recorded in a file. The default value is false, which means that the script does not ask for
user input. As a command-line option, interactive takes no value: specify -interactive to turn on
interactive mode.
transport Means by which the Perl application connects to the router; defaults to Telnet. If a
different value is specified, the new() method searches for a package called
Cisco::IOS_XR::Transport::<transport>. If found, the Perl application uses that package to connect
to the router.
ssh_version If the chosen transport option is SSH and the SSH executable on your system supports
SSH v2, specifies which version of SSH you want to use for the connection. The valid values are 1
and 2. If the SSH executable supports only version 1, specifying the ssh_version argument causes an
error. SSH version 1 is obsolete and cryptographically weak; use version 2.
host Specifies the name or IP address of the router to connect to. The router console or auxiliary
ports should not be used because they are likely to cause problems for the script when logging in and
offer significantly lower performance than a management port.
port Specifies the TCP port for the connection. The default value depends on the transport being
used.
username Specifies the username to log in to the router.
password Specifies the corresponding password.
connection_timeout Specifies the timeout value that is used to connect and log in to the session. If
not specified, the default value is 5 seconds.
response_timeout Specifies the timeout value that is used when waiting for a response to an XML
request. If not specified, the default value is 10 seconds.
prompt Specifies the prompt that is displayed on the router after a successful log in. The default is #.
This example shows the arguments given using the standard Perl hash notation:
use Cisco::IOS_XR;
my $session = new Cisco::IOS_XR(transport => 'telnet',
host => 'router1',
port => 7000,
username => 'john',
password => 'smith',
connection_timeout => 3);
Alternatively, the arguments can be specified in a file. A password line in this file is stored in
cleartext on the client, so protect the file with restrictive permissions, or leave the password out and
use the interactive option instead. For example:
The contents of '/usrs/trice/perlxml.cfg':
[myrouter]
transport = telnet
host = router1
username = john
password = smith
connection_timeout = 3
In the script, the file and profile name are specified:
use Cisco::IOS_XR;
my $session = new Cisco::IOS_XR(config_file => '/usrs/trice/perlxml.cfg',
profile => 'myrouter');
Table 16-4 describes the additional command-line options that can be specified.
To use the command-line options when invoking a script, give each option as -option value (if the
option takes a value). The option name does not need to be given in full, but must be long enough to
be distinguished from the other options. For example:
perl my_script.pl -host my_router -user john -interactive -debug xml
Closing a Management Session on a Router
When an object of type Cisco::IOS_XR is created, the transport connection to the router and any
associated resources on the router are maintained until the object is destroyed, at which point they are
cleaned up automatically. For most scripts, this happens automatically when the script ends.
To close a particular session during the course of the script, use the close() method. You can perform
an operation on a large set of routers sequentially, and not keep all sessions open for the duration of the
script, as displayed in this example:
my $session1 = new Cisco::IOS_XR(host => 'router1', ...);
# do some stuff
$session1->close;
my $session2 = new Cisco::IOS_XR(host => 'router2', ...);
# do some stuff
...
Sending an XML Request to the Router
Requests and responses pass between the client and router in the form of XML. Depending on whether
the XML is stored in a string or file, you can construct an XML request that is sent to the router using
either the send_req or send_req_file method. Some requests are sent without specifying any XML by
using the configuration services methods; for example, commit and lock or the Data Object interface.
This example shows how to send an XML request in the form of a string:
my $xml_req_string = '...';
my $response = $session->send_req($xml_req_string);
This example shows how to send a request stored in a file:
my $response = $session->send_req_file('request.xml');
Table 16-4 Command-Line Options
Name Description
debug Turns on the specified debug type and can be repeated to turn on more
than one type.
logging Turns on the specified logging type and can be repeated to turn on more
than one type.
log_file Specifies the name of the log file to use.
telnet_input_log Specifies the file used for the Telnet input log, if you are using Telnet.
telnet_dump_log Specifies the file used for the Telnet dump log, if you are using Telnet.
Using Response Objects
Both of the send_req and send_req_file methods return a Cisco::IOS_XR::Response object, which
contains the XML response returned by the router.
Note Both send methods handle iterators in the background; so if a response consists of many parts, the
response object returned is the result of merging them back together.
Retrieving the Response XML as a String
This example shows how to use the to_string method:
$xml_response_string = $response->to_string;
Writing the Response XML Directly to a File
This example shows how to use the write_file method by specifying the name of the file to be written:
$response->write_file('response.xml');
Retrieving the Data Object Model Tree Representation of the Response
This example shows how to retrieve a Data Object Model (DOM) tree representation for the response:
my $document = $response->get_dom_tree;
You should be familiar with the DOM, in which an XML document is represented as an object tree.
For more information, see this URL:
http://www.w3.org/DOM/
Note The returned DOM tree is of type XML::LibXML::Document, because this is the form in which the
response is held internally. The method is quick, because it performs no extra parsing, and should be
used in preference to retrieving the string form of the XML and parsing it again (unless a different
DOM library is used).
Determining if an Error Occurred While Processing a Request
This example shows how to determine whether an error has occurred while processing a request:
my $error = $response->get_error;
if (defined($error)) {
die $error;
}
Use the get_error method to return one error from the response. It returns an error object that
represents the first error found, or undef if no error is found.
Retrieving a List of All Errors Found in the Response XML
This example shows how to list all errors that occur, rather than just one, by using the get_errors method:
my @errors = $response->get_errors;
The get_errors method returns an array of error objects that represent all errors found in the
response XML. For more information, see the “Using the Error Objects” section on page 16-154.
Using the Error Objects
Error objects are returned when calling the get_error and get_errors methods on a response object, and
are used to represent an error encountered in an XML response. Table 16-5 lists the methods for the
object.
Using the Configuration Services Methods
Methods are provided to enable the standard configuration services operations to be performed without
knowledge of the underlying XML. These are the operations that are usually performed at the start or
end of a configuration session, such as locking the running configuration or saving the configuration to
a file.
Committing the Target Configuration
The config_commit() function takes these optional arguments:
• Mode
• Label
• Comment
• Replace
• KeepFailedConfig
• IgnoreOtherSessions
• Confirmed
This example shows how to use the config_commit function:
$response = $session->config_commit(Label => 'Example1', Comment => 'Just an example');
A response object is returned from which any errors can be extracted, if desired. To retrieve the commit
ID that was assigned to the commit upon success, you can call the get_commit_id() method on the
response object, as shown in this example:
$commit_id = $response->get_commit_id();
Table 16-5 List of Methods for the Object
Method        Description
get_message   Returns the error message string that was found in the XML.
get_code      Returns the corresponding error code.
get_element   Returns the tag name of the XML element in which the error was found.
get_dom_node  Returns a reference to the element node in the response DOM (Data Object Model) tree.
to_string     Returns a string that contains the error message, code, and element name. If the error
              object is used in a scalar context, the method is used automatically to convert it to a
              string. This example displays all information in an error:
              Error encountered in object ConfederationPeerASTable: 'XMLMDA' detected
              the 'warning' condition 'The XML request does not conform to the schema.
              A child element of the element on which this error appears includes a
              non-existent naming, filter, or value element. Please check the request
              against the schema.' Error code: 0x4368a000
Locking and Unlocking the Running Configuration
This example shows how to use the config_lock and config_unlock functions, which take no arguments:
$error = $session->config_lock;
$error = $session->config_unlock;
Loading a Configuration from a File
This example shows how to use the config_load function, which takes a filename as its argument:
$error = $session->config_load(Filename => 'test_config.cfg');
Loading a Failed Configuration
This example shows how to use the config_load_failed function, which takes no arguments:
$error = $session->config_load_failed;
Saving a Configuration to a File
This example shows how to use the two arguments of the config_save() function:
$error = $session->config_save(Filename => 'disk0:/my_config.cfg', Overwrite => 'true');
The first argument is the filename to which to write; it must be given with a full path. The second
argument, the Boolean overwrite setting, is optional.
Clearing the Target Configuration
This example shows how to use the config_clear function, which takes no arguments:
$error = $session->config_clear;
Getting a List of Recent Configuration Events
This example shows how to use the config_get_history function, which takes the optional arguments
Maximum, EventType, Reverse, and Detail:
$response = $session->config_get_history(EventType => 'All', Maximum => 10, Detail => 'true');
It returns a Response object, on which the method get_entries can be called.
Getting a List of Recent Configuration Commits That Can Be Rolled Back
This example shows how to use the config_get_commitlist function, which takes the optional arguments
Maximum and Detail:
$response = $session->config_get_commitlist(Maximum => 10, Detail => 'true');
It returns a Response object, on which the method get_entries can be called. This returns an array of Entry
objects, on which the method get_key can be called to retrieve the CommitID, and get_data to retrieve
the rest of the fields.
Loading Changes Associated with a Set of Commits
This example shows how to use the config_load_commit_changes function to load into the target
configuration the changes that were made during one or more commits, and it uses one of three possible
arguments: ForCommitID, SinceCommitID, or Previous:
$error = $session->config_load_commit_changes(ForCommitID => 1000000072);
# Loads the changes that were made in commit 1000000072
$error = $session->config_load_commit_changes(SinceCommitID => 1000000072);
# Loads the changes made in commits 1000000072, 1000000073, ... up to the latest
$error = $session->config_load_commit_changes(Previous => 4);
# Loads the changes made in the last 4 commits
Rolling Back to a Previous Configuration
This example shows how to use the config_rollback() function, which takes the optional arguments Label
and Comment together with exactly one of the two arguments CommitID or Previous, or alternatively
takes only TrialConfiguration:
$error = $session->config_rollback(Label => 'Rollback test', CommitID => 1000000072);
Loading Changes Associated with Rolling Back Configuration
This example shows how to use the config_load_rollback_changes function to load into the target
configuration the changes that would be made if you were to roll back one or more commits. The
function takes one of three arguments: ForCommitID, ToCommitID, or Previous. For example:
$error = $session->config_load_rollback_changes(ForCommitID => 1000000072);
# Loads the changes that would be made to roll back commit 1000000072
$error = $session->config_load_rollback_changes(ToCommitID => 1000000072);
# Loads the changes that would be made to roll back all commits up to and including commit 1000000072
Getting a List of Current Configuration Sessions
This example shows how to use the config_get_sessions function, which takes the optional argument Detail
to return detailed information about configuration sessions. For example:
$response = $session->config_get_sessions(Detail => 'true');
It returns a response object on which the method get_entries can be called. This returns an array of entry
objects on which the get_key method can be called to retrieve the session ID, and the get_data method to
retrieve the rest of the fields.
Clearing a Configuration Session
This example shows how to use the config_clear_session function, which accepts a configuration session ID
SessionID as its argument and clears that configuration session:
$error = $session->config_clear_sessions(SessionID => '00000000-000a00c9-00000000');
Sending a Command-Line Interface Configuration Command
This example shows how to use the config_cli() function, which takes a string argument containing the
CLI format configuration that you want to apply to the router:
$response = $session->config_cli($cli_command);
To retrieve the textual CLI response from the response object returned, use the get_cli_response()
method, as shown in this example:
$response_text = $response->get_cli_response();
Note Apart from the config_commit, config_get_history, config_get_commitlist, config_get_sessions, and
config_cli methods, each of the other methods returns a reference to an error object if an error occurs,
or undef otherwise. For more information, see the “Using the Error Objects” section on page 16-154.
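The methods above combined into one script, added here as an example (it is not part of the toolkit distribution): lock, load a file, commit with a label, report every error through the Table 16-5 accessors, and always unlock. new_session() stands in for the session constructor documented earlier in this chapter; the file name and label are constructed.

```perl
#!/usr/bin/perl
# Added example, not from the Cisco IOS XR Perl Scripting Toolkit itself.
# Assumption: new_session() is replaced by the Cisco::IOS_XR session
# constructor described earlier in the chapter.
use strict;
use warnings;

sub new_session {
    # Placeholder for the session setup from earlier in this chapter.
    die "new_session(): supply the toolkit session constructor here\n";
}

# Print every error object in a response (get_errors) using the Table 16-5
# accessors, and return how many errors there were.
sub report_errors {
    my ($response, $stage) = @_;
    my @errors = $response->get_errors;
    for my $err (@errors) {
        printf "[%s] element=%s code=%s\n    %s\n", $stage,
            $err->get_element, $err->get_code, $err->get_message;
    }
    return scalar @errors;
}

# config_lock/load/clear/unlock return an error object or undef. Used in
# string context, the error object converts itself through to_string.
sub check_error {
    my ($error, $stage) = @_;
    return 0 unless defined $error;
    print "[$stage] $error\n";
    return 1;
}

# Returns 1 on a successful commit, 0 otherwise. The lock is always released,
# and a failed attempt leaves the target configuration empty.
sub load_and_commit {
    my ($session, $file, $label) = @_;
    return 0 if check_error($session->config_lock, 'lock');

    my $ok = 0;
    if (!check_error($session->config_load(Filename => $file), 'load')) {
        my $response = $session->config_commit(
            Label   => $label,
            Comment => "loaded from $file",
        );
        if (!report_errors($response, 'commit')) {
            print "commit id: ", $response->get_commit_id(), "\n";
            $ok = 1;
        }
    }

    # Discard whatever reached the target configuration if anything failed.
    check_error($session->config_clear, 'clear') unless $ok;
    check_error($session->config_unlock, 'unlock');
    return $ok;
}

my $session = new_session();
exit(load_and_commit($session, 'test_config.cfg', 'Example2') ? 0 : 1);
```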
Using the Cisco IOS XR Perl Data Object Interface
Instead of having to specify the XML requests explicitly, the interface allows access to management data
using a Perl notation. The Data Object interface is a Perl representation of the management data
hierarchy stored on the router. It consists of objects of type Cisco::IOS_XR::Data, which correspond to
items in the IOS_XR management data hierarchy, and a set of methods for performing data operations
on them.
To use the Data Object interface, knowledge of the underlying management data hierarchy is required.
The management data on a Cisco IOS XR router lie under one of six root objects, namely
Configuration, Operational, Action, AdminConfiguration, AdminOperational, and AdminAction. The
objects that lie below these objects in the hierarchy, along with definitions of any datatypes or filters that
are used by them, are documented in the Perl Data Object Documentation.
A hash structure is defined to be one of the following: a scalar (that is, basic) type, for example a string
or number; a reference to a hash whose values are hash structures; or a reference to an array whose
values are hash structures. This standard Perl data structure corresponds naturally to the structure of
management data on a Cisco IOS XR router. This example shows how to build a hash structure:
# basic type
my $struct1 = 'john';
# reference to a hash of basic types
my $struct2 = {Forename => $struct1, Surname => 'smith'};
# reference to an array of basic types
my $struct3 = ['dog', 'budgie', 'cat'];
# reference to a hash of references and basic types
my $struct4 = {Name => $struct2, Age => '30', Pets => $struct3};
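A recursive check of the hash-structure definition above, added here as an example (not from the toolkit): is_hash_structure and dump_structure are names chosen for this example, and the sample data mirrors $struct4.

```perl
# Added example, not from the toolkit. Validates and renders a hash structure
# as defined above: a basic scalar, a hash reference whose values are hash
# structures, or an array reference whose elements are hash structures.
use strict;
use warnings;

# Returns 1 if $value is a hash structure, 0 otherwise. undef and any other
# reference type (code, scalar, blessed object) are rejected.
sub is_hash_structure {
    my ($value) = @_;
    return 0 unless defined $value;
    my $type = ref $value;
    return 1 if $type eq '';            # basic type
    my @members;
    if    ($type eq 'HASH')  { @members = values %$value }
    elsif ($type eq 'ARRAY') { @members = @$value }
    else                     { return 0 }
    my @bad = grep { !is_hash_structure($_) } @members;
    return @bad ? 0 : 1;
}

# Render a hash structure on one line, hash keys sorted for stable output.
sub dump_structure {
    my ($value) = @_;
    my $type = ref $value;
    return "'$value'" if $type eq '';
    return '[' . join(', ', map { dump_structure($_) } @$value) . ']'
        if $type eq 'ARRAY';
    return '{' . join(', ', map { $_ . ' => ' . dump_structure($value->{$_}) }
                            sort keys %$value) . '}';
}

# Constructed sample with the same shape as $struct4.
my $person = {
    Name => { Forename => 'john', Surname => 'smith' },
    Age  => '30',
    Pets => ['dog', 'budgie', 'cat'],
};
print dump_structure($person), "\n";
print is_hash_structure($person) ? "valid\n" : "invalid\n";

# A code reference is not a hash structure, so this one is rejected.
my $bad = { Name => 'john', Callback => sub { 1 } };
print is_hash_structure($bad) ? "valid\n" : "invalid\n";
```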
These sections describe how to use the Perl Data Object Documentation:
• Understanding the Perl Data Object Documentation, page 16-158
• Generating the Perl Data Object Documentation, page 16-158
• Creating Data Objects, page 16-159
• Specifying the Schema Version to Use When Creating a Data Object, page 16-161
• Using Data Operation Methods on a Data Object, page 16-161
• Using the Batching API, page 16-164
• Displaying Data and Keys Returned by the Data Operation Methods, page 16-165
• Specifying the Session to Use for the Data Operation Methods, page 16-166
Understanding the Perl Data Object Documentation
The Perl Data Object Documentation consists of many files, each containing a subtree of the total
management data hierarchy. The main part of each filename tells you the area of management data to
which that file refers, and the suffix usually tells you below which root object that file’s data lies. For
example, a file containing configuration data usually ends in _cfg.html. Some files may not contain any
object definitions, but just some datatypes or filter definitions and usually end in _common.html.
For leaf objects, the object definition describes the data that the object contains. For nonleaf objects, the
definition provides a list of the object’s children within the tree. More precisely, the object definition
consists of these items:
• Name of the object.
• Brief description of what data is contained in the object or in the subtree below.
• List of the required task IDs that are required to access the data in the object and subtree.
• List of parent objects and the files in which they are defined, if the object is the top-level object in
that file.
• If the object is a leaf object (that is, it contains data but no child objects) and its name is not
unique within that file, its parent objects are listed.
• If the object is a table entry, a list of the keys that are needed to identify a particular item in that
table. For each key, a name, description, and datatype are given.
• If the object is a table, a list of the filters that can be applied to that table.
• If the object is a leaf object, a list of the value items that are contained. For each value item, a name,
description, and datatype are given.
• If the object is a leaf object, its default value (that is, the values for each of its value items that
would be assumed if the object did not exist), if there is one.
• List of the data operation methods, get_data, set_data, and so forth that are applicable to the object.
For more information, see the “Specifying the Schema Version to Use When Creating a Data
Object” section on page 16-161.
Generating the Perl Data Object Documentation
The Perl Data Object Documentation must be generated from the schema distribution tar file
All-schemas-CRS-1-"release".tar.gz, where "release" is the release of the Cisco IOS XR software that
you have installed on the router.
To generate the Perl Data Object Documentation:
Step 1 From the perl subdirectory under the extracted contents of the previously mentioned schema tarball,
copy all *.dat files into the toolkit installation directory
Cisco-IOS_XR-Perl-Scripting-Toolkit-"version"/dat (default) or a selected directory for the .dat files.
These .dat files are the XML files that are used to generate the HTML documentation.
Step 2 From the perl subdirectory under the extracted contents of the previously mentioned schema tarball,
copy all the *.html files into the toolkit installation directory
Cisco-IOS_XR-Perl-Scripting-Toolkit-"version"/html (default) or a selected directory for the .html files.
(The default .html subdirectory already contains two files that were extracted with the toolkit
distribution: root_objects.html and common_datatypes.html. If a non-default directory is selected,
these files are automatically copied to the selected .html directory upon performing this step.)
Step 3 Run the script generate_html_documentation.pl, which is available in the distribution
Cisco-IOS_XR-Perl-Scripting-Toolkit-”version”/scripts directory, giving the appropriate directories for
the .dat and .html files, when prompted.
Step 4 If the script fails, indicating any error .dat files, evaluate the .dat file to confirm that it is not of “0” size
and that it has a header as in this example:
MAC Address-related Parameters
The MAC address table contains a list of the known MAC addresses and their forwarding information.
In the current VPLS design, the MAC address table and its management are distributed. In other words,
a copy of the MAC address table is maintained on the route processor (RP) card and the line cards.
These topics provide information about the MAC address-related parameters:
• MAC Address Flooding, page LSC-194
• MAC Address-based Forwarding, page LSC-194
[Figure: NLRI and Ext Comms field layout: Length (2 octets), Route Distinguisher (8 octets), L2VPN Router ID (4 octets), VPLS-ID (8 octets), Route Target (8 octets)]
Implementing Multipoint Layer 2 Services
Information About Implementing Multipoint Layer 2 Services
LSC-194
Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services
OL-26116-02
• MAC Address Source-based Learning, page LSC-194
• MAC Address Aging, page LSC-195
• MAC Address Limit, page LSC-195
• MAC Address Withdrawal, page LSC-196
• MAC Address Security, page LSC-196
Note After you modify the MAC limit or action at the bridge domain level, ensure that you shut and unshut
the bridge domain for the action to take effect. If you modify the MAC limit or action on an attachment
circuit (through which traffic is passing), the attachment circuit must be shut and unshut for the action
to take effect.
MAC Address Flooding
Ethernet services require that frames that are sent to broadcast addresses and to unknown destination
addresses be flooded to all ports. To obtain flooding within VPLS broadcast models, all unknown
unicast, broadcast, and multicast frames are flooded over the corresponding pseudowires and to all
attachment circuits. Therefore, a PE must replicate packets across both attachment circuits and
pseudowires.
MAC Address-based Forwarding
To forward a frame, a PE must associate a destination MAC address with a pseudowire or attachment
circuit. This type of association is provided through a static configuration on each PE or through
dynamic learning, which is flooded to all bridge ports.
Note Split horizon forwarding applies in this case, for example, frames that are coming in on an attachment
circuit or pseudowire are sent out of the same pseudowire. The pseudowire frames, which are received
on one pseudowire, are not replicated on other pseudowires in the same virtual forwarding instance
(VFI).
MAC Address Source-based Learning
When a frame arrives on a bridge port (for example, pseudowire or attachment circuit) and the source
MAC address is unknown to the receiving PE router, the source MAC address is associated with the
pseudowire or attachment circuit. Outbound frames to the MAC address are forwarded to the appropriate
pseudowire or attachment circuit.
MAC address source-based learning uses the MAC address information that is learned in the hardware
forwarding path. The updated MAC tables are sent to all line cards (LCs) and program the hardware for
the router.
The number of learned MAC addresses is limited through configurable per-port and per-bridge domain
MAC address limits.
MAC Address Aging
A MAC address in the MAC table is considered valid only for the duration of the MAC address aging
time. When the time expires, the relevant MAC entries are repopulated. When the MAC aging time is
configured only under a bridge domain, all the pseudowires and attachment circuits in the bridge domain
use that configured MAC aging time.
A bridge forwards, floods, or drops packets based on the bridge table. The bridge table maintains both
static entries and dynamic entries. Static entries are entered by the network manager or by the bridge
itself. Dynamic entries are entered by the bridge learning process. A dynamic entry is automatically
removed after a specified length of time, known as aging time, from the time the entry was created or
last updated.
If hosts on a bridged network are likely to move, decrease the aging-time to enable the bridge to adapt
to the change quickly. If hosts do not transmit continuously, increase the aging time to record the
dynamic entries for a longer time, thus reducing the possibility of flooding when the hosts transmit
again.
MAC Address Limit
The MAC address limit is used to limit the number of learned MAC addresses. The limit is set at the
bridge domain level and at the port level. The bridge domain level limit is always configured and cannot
be disabled. The default value of the bridge domain level limit is 4000 and can be changed in the range
of 5-512000.
Note Cisco ASR 9000 Series Routers support MAC limits on bridge port only when they are set on all the
ports in a bridge domain. In this case, the bridge domain limit must be set to the value higher than the
sum of limits on all ports in the bridge domain.
When the MAC address limit is violated, the system is configured to take one of the actions that are listed
in Table 1.
When a limit is exceeded, the system is configured to perform these notifications:
• Syslog (default)
• Simple Network Management Protocol (SNMP) trap
• Syslog and SNMP trap
• None (no notification)
To clear the MAC limit condition, the number of MACs must go below 75 percent of the configured
limit.
Table 1 MAC Address Limit Actions
Action          Description
Limit flood     Discards the new MAC addresses.
Limit no-flood  Discards the new MAC addresses. Flooding of unknown unicast packets is disabled.
Limit shutdown  Disables forwarding MAC addresses.
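The limit, the Table 1 actions, and the 75 percent clearing threshold as a small simulation, added here as an example (not from the Cisco guide); the limit of 8, the MAC addresses and the port names are constructed, and the notifications stand in for the syslog or SNMP trap the router would emit.

```perl
# Added example, not from the Cisco guide: a bridge-domain MAC table with a
# learned-address limit, modelling the flood / no-flood / shutdown actions
# and the rule that the limit condition clears only below 75% of the limit.
use strict;
use warnings;

sub new_mac_table {
    my (%opt) = @_;
    return {
        limit         => $opt{limit},              # configured limit
        action        => $opt{action} // 'flood',  # flood | no-flood | shutdown
        entries       => {},                       # mac => bridge port
        violated      => 0,                        # limit condition is set
        flood_unknown => 1,                        # unknown-unicast flooding on
        shutdown      => 0,                        # forwarding disabled
        notifications => [],                       # what syslog/SNMP would carry
    };
}

# Learn $mac on $port. Returns 1 if stored, 0 if discarded.
sub learn {
    my ($t, $mac, $port) = @_;
    return 0 if $t->{shutdown};
    if (exists $t->{entries}{$mac}) {              # known address: refresh port
        $t->{entries}{$mac} = $port;
        return 1;
    }
    if (scalar(keys %{ $t->{entries} }) >= $t->{limit}) {
        unless ($t->{violated}) {                  # notify once per violation
            $t->{violated} = 1;
            push @{ $t->{notifications} },
                "MAC limit $t->{limit} exceeded, action $t->{action}";
            $t->{flood_unknown} = 0 if $t->{action} eq 'no-flood';
            $t->{shutdown}      = 1 if $t->{action} eq 'shutdown';
        }
        return 0;                                  # every action discards it
    }
    $t->{entries}{$mac} = $port;
    return 1;
}

# Remove aged-out entries. The limit condition clears only once the table
# has fallen below 75 percent of the configured limit.
sub age_out {
    my ($t, @macs) = @_;
    delete $t->{entries}{$_} for @macs;
    if ($t->{violated} && scalar(keys %{ $t->{entries} }) < 0.75 * $t->{limit}) {
        $t->{violated}      = 0;
        $t->{flood_unknown} = 1;
        push @{ $t->{notifications} }, 'MAC limit condition cleared';
    }
}

# Constructed scenario: limit 8 with the no-flood action, then a ninth address.
my $table = new_mac_table(limit => 8, action => 'no-flood');
learn($table, sprintf('0000.1111.%04x', $_), 'Gi0/0/0/1.100') for 1 .. 8;
my $stored = learn($table, '0000.2222.0001', 'Gi0/0/0/2.100');
printf "ninth address stored=%d violated=%d flood_unknown=%d\n",
    $stored, $table->{violated}, $table->{flood_unknown};

# 75 percent of 8 is 6: removing two entries leaves 6, not below the
# threshold; removing a third entry clears the condition.
age_out($table, '0000.1111.0001', '0000.1111.0002');
printf "after removing 2: violated=%d\n", $table->{violated};
age_out($table, '0000.1111.0003');
printf "after removing 3: violated=%d flood_unknown=%d\n",
    $table->{violated}, $table->{flood_unknown};
print "$_\n" for @{ $table->{notifications} };
```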
MAC Address Withdrawal
For faster VPLS convergence, you can remove or unlearn the MAC addresses that are learned
dynamically. The Label Distribution Protocol (LDP) Address Withdrawal message is sent with the list
of MAC addresses, which need to be withdrawn to all other PEs that are participating in the
corresponding VPLS service.
For the Cisco IOS XR VPLS implementation, a portion of the dynamically learned MAC addresses are
cleared by using the MAC addresses aging mechanism by default. The MAC address withdrawal feature
is added through the LDP Address Withdrawal message. To enable the MAC address withdrawal feature,
use the withdrawal command in l2vpn bridge group bridge domain MAC configuration mode. To verify
that the MAC address withdrawal is enabled, use the show l2vpn bridge-domain command with the
detail keyword.
Note By default, the LDP MAC Withdrawal feature is enabled on Cisco IOS XR.
The LDP MAC Withdrawal feature is generated due to these events:
• Attachment circuit goes down. You can remove or add the attachment circuit through the CLI.
• MAC withdrawal messages are received over a VFI pseudowire and are not propagated over access
pseudowires. RFC 4762 specifies both wildcard (by means of an empty Type, Length, and Value
[TLV]) and specific MAC address withdrawal. Cisco IOS XR software supports only a wildcard
MAC address withdrawal.
MAC Address Security
You can configure MAC address security at the interface level and at the bridge access port (subinterface)
level. However, MAC security configured under an interface takes precedence over MAC security
configured at the bridge domain level. When a MAC address is first learned on an EFP that is configured
with MAC security, and the same MAC address is then learned on another EFP, one of these events occurs:
• the packet is dropped
• the second EFP is shut down
• the packet is learned and the MAC from the original EFP is flushed
LSP Ping over VPWS and VPLS
For Cisco IOS XR software, the existing support for the Label Switched Path (LSP) ping and traceroute
verification mechanisms for point-to-point pseudowires (signaled using LDP FEC128) is extended to
cover the pseudowires that are associated with the VFI (VPLS). Currently, the support for the LSP ping
and traceroute is limited to manually configured VPLS pseudowires (signaled using LDP FEC128). For
information about Virtual Circuit Connection Verification (VCCV) support and the ping mpls
pseudowire command, see the Cisco ASR 9000 Series Aggregation Services Router MPLS Command
Reference.
Split Horizon Groups
An IOS XR bridge domain aggregates attachment circuits (ACs) and pseudowires (PWs) in one of three
groups called Split Horizon Groups. When applied to bridge domains, Split Horizon refers to the
flooding and forwarding behavior between members of a Split Horizon group. In general, frames
received on one member of a split horizon group are not flooded out to the other members of the same
group.
Bridge domain traffic is either unicast or multicast.
Flooding traffic consists of unknown unicast destination MAC address frames; frames sent to Ethernet
multicast addresses (Spanning Tree BPDUs, and so on); and Ethernet broadcast frames (MAC address
FF-FF-FF-FF-FF-FF).
Known unicast traffic consists of frames sent to bridge ports on which the destination address was learned
by MAC learning.
Traffic flooding is performed for broadcast, multicast, and unknown unicast destination addresses. Unicast
traffic consists of frames sent to bridge ports that were learned using MAC learning.
Important notes on Split Horizon Groups:
• All bridge ports or PWs that are members of a bridge domain must belong to one of the three groups.
• By default, all bridge ports or PWs are members of group 0.
• The VFI configuration submode under a bridge domain configuration indicates that members under
this domain are included in group 1.
• A PW that is configured in group 0 is called an Access Pseudowire.
• The split-horizon group command is used to designate bridge ports or PWs as members of group 2.
• The ASR9000 only supports one VFI group.
Layer 2 Security
These topics describe the Layer 2 VPN extensions to support Layer 2 security:
• Port Security, page LSC-198
• Dynamic Host Configuration Protocol Snooping, page LSC-199
Table 2 Split Horizon Groups Supported in Cisco IOS-XR
Split Horizon Group  Who belongs to this Group?                            Multicast within Group  Unicast within Group
0                    Default—any member not covered by groups 1 or 2.      Yes                     Yes
1                    Any PW configured under VFI.                          No                      No
2                    Any AC or PW configured with split-horizon keyword.   No                      Yes
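The Table 2 rules as a forwarding decision over a constructed bridge domain, added here as an example (not from the Cisco guide). It reads the "Multicast within Group" column as covering all flooded traffic (broadcast, multicast, and unknown unicast), as the section defines flooding; the port names and group assignments are made up.

```perl
# Added example, not from the Cisco guide: decide which bridge ports a frame
# may leave on, given the split horizon group of the ingress and egress ports.
use strict;
use warnings;

# Table 2: may traffic of each kind be forwarded between two members of the
# SAME group? Traffic between different groups is never blocked by split horizon.
my %within_group = (
    0 => { flood => 1, unicast => 1 },   # default group
    1 => { flood => 0, unicast => 0 },   # PWs under the VFI
    2 => { flood => 0, unicast => 1 },   # split-horizon keyword
);

# Constructed bridge domain: two ACs in group 0, two VFI pseudowires
# (group 1), and two ACs configured with the split-horizon keyword (group 2).
my %bridge_domain = (
    'Gi0/0/0/1.100' => 0, 'Gi0/0/0/2.100' => 0,
    'PW-to-PE2'     => 1, 'PW-to-PE3'     => 1,
    'Gi0/0/0/3.100' => 2, 'Gi0/0/0/4.100' => 2,
);

# May a frame of $kind ('flood' or 'unicast') received on $ingress leave on $egress?
sub may_forward {
    my ($ports, $ingress, $egress, $kind) = @_;
    return 0 if $ingress eq $egress;               # never back out the same port
    my ($gi, $ge) = ($ports->{$ingress}, $ports->{$egress});
    return 1 if $gi != $ge;                        # different groups: allowed
    return $within_group{$gi}{$kind};
}

# Egress set for a frame. Flooded frames are offered to every port; a known
# unicast frame only to the port on which its destination was learned.
sub egress_ports {
    my ($ports, $ingress, $kind, $learned_on) = @_;
    my @candidates = defined $learned_on ? ($learned_on) : sort keys %$ports;
    return grep { may_forward($ports, $ingress, $_, $kind) } @candidates;
}

# Unknown unicast arriving on a VFI pseudowire: flooded to every AC, but not
# to the other VFI pseudowire (group 1 blocks flooding within the group).
print join(', ', egress_ports(\%bridge_domain, 'PW-to-PE2', 'flood')), "\n";

# Broadcast arriving on a split-horizon AC: reaches everything except the
# other group-2 AC.
print join(', ', egress_ports(\%bridge_domain, 'Gi0/0/0/3.100', 'flood')), "\n";

# Known unicast between two group-2 ACs is permitted by Table 2.
print join(', ', egress_ports(\%bridge_domain, 'Gi0/0/0/3.100', 'unicast',
                              'Gi0/0/0/4.100')), "\n";
```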
Port Security
Use port security with dynamically learned and static MAC addresses to restrict a port’s ingress traffic
by limiting the MAC addresses that are allowed to send traffic into the port. When secure MAC addresses
are assigned to a secure port, the port does not forward ingress traffic that has source addresses outside
the group of defined addresses. If the number of secure MAC addresses is limited to one and assigned a
single secure MAC address, the device attached to that port has the full bandwidth of the port.
These port security features are supported:
• Limits the MAC table size on a bridge or a port.
• Facilitates actions and notifications for a MAC address.
• Enables the MAC aging time and mode for a bridge or a port.
• Filters static MAC addresses on a bridge or a port.
• Marks ports as either secure or nonsecure.
• Enables or disables flooding on a bridge or a port.
After you have set the maximum number of secure MAC addresses on a port, you can configure port
security to include the secure addresses in the address table in one of these ways:
• Statically configure all secure MAC addresses by using the static-address command.
• Allow the port to dynamically configure secure MAC addresses with the MAC addresses of
connected devices.
• Statically configure a number of addresses and allow the rest to be dynamically configured.
Dynamic Host Configuration Protocol Snooping
Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that acts like a firewall
between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs these
activities:
• Validates DHCP messages received from untrusted sources and filters out invalid messages.
• Rate-limits DHCP traffic from trusted and untrusted sources.
• Builds and maintains the binding database of DHCP snooping, which contains information about
untrusted hosts with leased IP addresses.
• Utilizes the binding database of DHCP snooping to validate subsequent requests from untrusted
hosts.
For additional information regarding DHCP, see the Cisco ASR 9000 Series Aggregation Services Router
IP Addresses and Services Configuration Guide.
G.8032 Ethernet Ring Protection
Ethernet Ring Protection (ERP) protocol, defined in ITU-T G.8032, provides protection for Ethernet
traffic in a ring topology, while ensuring that there are no loops within the ring at the Ethernet layer. The
loops are prevented by blocking either a pre-determined link or a failed link.
Overview
Each Ethernet ring node is connected to adjacent Ethernet ring nodes participating in the Ethernet ring
using two independent links. A ring link never allows formation of loops that affect the network. The
Ethernet ring uses a specific link to protect the entire Ethernet ring. This specific link is called the ring
protection link (RPL). A ring link is bound by two adjacent Ethernet ring nodes and a port for a ring link
(also known as a ring port).
Note The minimum number of Ethernet ring nodes in an Ethernet ring is two.
The fundamentals of ring protection switching are:
• the principle of loop avoidance
• the utilization of learning, forwarding, and Filtering Database (FDB) mechanisms
Loop avoidance in an Ethernet ring is achieved by ensuring that, at any time, traffic flows on all but one
of the ring links; that link is the RPL. Multiple nodes are used to form a ring:
• RPL owner—It is responsible for blocking traffic over the RPL so that no loops are formed in the
Ethernet traffic. There can be only one RPL owner in a ring.
• RPL neighbor node—The RPL neighbor node is an Ethernet ring node adjacent to the RPL. It is
responsible for blocking its end of the RPL under normal conditions. This node type is optional and
prevents RPL usage when protected.
• RPL next-neighbor node—The RPL next-neighbor node is an Ethernet ring node adjacent to RPL
owner node or RPL neighbor node. It is mainly used for FDB flush optimization on the ring. This
node is also optional.
Figure 15 illustrates the G.8032 Ethernet ring.
Figure 15 G.8032 Ethernet Ring
Nodes on the ring use control messages called RAPS to coordinate the activities of switching on or off
the RPL link. Any failure along the ring triggers a RAPS signal fail (RAPS SF) message along both
directions, from the nodes adjacent to the failed link, after the nodes have blocked the port facing the
failed link. On obtaining this message, the RPL owner unblocks the RPL port.
Note A single link failure in the ring ensures a loop-free topology.
Line status and Connectivity Fault Management protocols are used to detect ring link and node failure.
During the recovery phase, when the failed link is restored, the nodes adjacent to the restored link send
RAPS no request (RAPS NR) messages. On obtaining this message, the RPL owner blocks the RPL port
and sends RAPS no request, root blocked (RAPS NR, RB) messages. This causes all other nodes, other
than the RPL owner in the ring, to unblock all blocked ports. The ERP protocol is robust enough to work
for both unidirectional failure and multiple link failure scenarios in a ring topology.
A G.8032 ring supports these basic operator administrative commands:
• Force switch (FS)—Allows operator to forcefully block a particular ring-port.
– Effective even if there is an existing SF condition
– Multiple FS commands for ring supported
– May be used to allow immediate maintenance operations
• Manual switch (MS)—Allows operator to manually block a particular ring-port.
– Ineffective in an existing FS or SF condition
– Overridden by new FS or SF conditions
– Multiple MS commands cancel all MS commands
[Figure 15 G.8032 Ethernet Ring: ring protection link (RPL), RPL owner node, RPL neighbor node, RPL next-neighbor nodes, and RPL nodes]
• Clear—Cancels an existing FS or MS command on the ring-port
– Used (at RPL Owner) to clear non-revertive mode
A G.8032 ring can support multiple instances. An instance is a logical ring running over a physical ring.
Such instances are used for various reasons, such as load balancing VLANs over a ring. For example,
odd VLANs may go in one direction of the ring, and even VLANs may go in the other direction. A given
VLAN can be configured under only one instance; VLANs cannot overlap multiple instances. Otherwise,
data traffic or RAPS packets can cross logical rings, which is not desirable.
G.8032 ERP provides a new technology that relies on line status and Connectivity Fault Management
(CFM) to detect link failure. By running CFM Continuity Check Messages (CCMs) at an
interval of 3.3 ms, it is possible to achieve SONET-like switching time performance and loop-free traffic.
For more information about Ethernet Connectivity Fault Management (CFM) and Ethernet Fault
Detection (EFD) configuration, refer to the Configuring Ethernet OAM on the Cisco ASR 9000 Series
Router module in the Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware
Component Configuration Guide.
Timers
G.8032 ERP specifies the use of different timers to avoid race conditions and unnecessary switching
operations:
• Delay Timers—used by the RPL Owner to verify that the network has stabilized before blocking the
RPL
– After SF condition, Wait-to-Restore (WTR) timer is used to verify that SF is not intermittent.
The WTR timer can be configured by the operator, and the default time interval is 5 minutes.
The time interval ranges from 1 to 12 minutes.
– After FS/MS command, Wait-to-Block timer is used to verify that no background condition
exists.
Note Wait-to-Block timer may be shorter than the Wait-to-Restore timer.
• Guard Timer—used by all nodes when changing state; it blocks latent outdated messages from
causing unnecessary state changes. The Guard timer can be configured and the default time interval
is 500 ms. The time interval ranges from 10 to 2000 ms.
• Hold-off timers—used by the underlying Ethernet layer to filter out intermittent link faults. The hold-off
timer can be configured and the default time interval is 0 seconds. The time interval ranges from 0
to 10 seconds.
– Faults are reported to the ring protection mechanism only if this timer expires.
Single Link Failure
Figure 16 represents protection switching in case of a single link failure.
Figure 16 G.8032 Single Link Failure
Figure 16 represents an Ethernet ring composed of seven Ethernet ring nodes. The RPL is the ring link
between Ethernet ring nodes A and G. In these scenarios, both ends of the RPL are blocked. Ethernet
ring node G is the RPL owner node, and Ethernet ring node A is the RPL neighbor node.
These symbols are used in the figure: message source, R-APS channel blocking, client channel blocking, and n for the Node ID.
This sequence describes the steps in the single link failure, represented in Figure 16:
1. Link operates in the normal condition.
2. A failure occurs.
3. Ethernet ring nodes C and D detect a local Signal Failure condition and after the holdoff time
interval, block the failed ring port and perform the FDB flush.
4. Ethernet ring nodes C and D start sending RAPS (SF) messages periodically along with the (Node
ID, BPR) pair on both ring ports, while the SF condition persists.
5. All Ethernet ring nodes receiving an RAPS (SF) message perform the FDB flush. When the RPL owner
node G and the RPL neighbor node A receive an RAPS (SF) message, each unblocks its end of the RPL
and performs the FDB flush.
6. All Ethernet ring nodes receiving a second RAPS (SF) message perform the FDB flush again; this
is because of the Node ID and BPR-based mechanism.
[Figure 16 diagram: Ethernet ring nodes A to G with Node IDs A = 81, B = 26, C = 89, D = 62, E = 71, F = 31 and G = 75, ring ports numbered 0 and 1, and the RPL between G (RPL Owner Node) and A (RPL Neighbor Node). The timeline runs through the Idle, Protection and Pending states: the failure between C and D, the R-APS messages SF (89, 1), SF (62, 0) and NR, RB (75, 1) travelling in both directions, and the FDB flushes at each node. Legend: message source, R-APS channel blocking, client channel blocking, n = Node ID.]
7. Stable SF condition—RAPS (SF) messages persist on the Ethernet ring. Further RAPS (SF) messages
trigger no further action.
Figure 17 represents reversion in case of a single link failure.
Figure 17 Single link failure Recovery (Revertive operation)
This sequence describes the steps in the single link failure recovery, as represented in Figure 17:
1. Link operates in the stable SF condition.
2. Recovery of link failure occurs.
3. Ethernet ring nodes C and D detect clearing of signal failure (SF) condition, start the guard timer
and initiate periodical transmission of RAPS (NR) messages on both ring ports. (The guard timer
prevents the reception of RAPS messages).
4. When the Ethernet ring nodes receive an RAPS (NR) message, the Node ID and BPR pair of a
receiving ring port is deleted and the RPL owner node starts the WTR timer.
5. When the guard timer expires on Ethernet ring nodes C and D, they may accept the new RAPS
messages that they receive. Ethernet ring node D receives an RAPS (NR) message with higher Node
ID from Ethernet ring node C, and unblocks its non-failed ring port.
6. When WTR timer expires, the RPL owner node blocks its end of the RPL, sends RAPS (NR, RB)
message with the (Node ID, BPR) pair, and performs the FDB flush.
7. When Ethernet ring node C receives an RAPS (NR, RB) message, it removes the block on its
blocked ring ports, and stops sending RAPS (NR) messages. On the other hand, when the RPL
neighbor node A receives an RAPS (NR, RB) message, it blocks its end of the RPL. In addition to
this, Ethernet ring nodes A to F perform the FDB flush when receiving an RAPS (NR, RB) message,
due to the existence of the Node ID and BPR based mechanism.
[Figure 17 diagram: the same ring (Node IDs A = 81, B = 26, C = 89, D = 62, E = 71, F = 31, G = 75; RPL between RPL Owner Node G and RPL Neighbor Node A). The timeline runs from the Protection state through the Pending state back to the Idle state: the recovery of the link between C and D, the R-APS messages NR (89, 1) and NR (62, 0) replacing SF (89, 1) and SF (62, 0), then NR, RB (75, 1) from the RPL owner, and the FDB flushes at each node.]
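The failure and recovery sequences above, as a small Python simulation added here (it is not Cisco code and not part of the original guide). It models the seven-node ring of Figures 16 and 17 with the Node IDs shown there, the RPL between G and A, R-APS channel blocking, the guard and WTR timers, and the (Node ID, BPR) flush mechanism. Message delivery and the timers are advanced explicitly by the caller rather than by real time, and the rule that a recovering node with the lower Node ID yields its block is an assumption read from step 5 of the recovery sequence. The `blocked_links()` check lets a practitioner confirm that the ring has exactly one blocked link in every stable phase, which is the loop-free property the text describes.

```python
# Constructed simulation (not Cisco code) of the failure and revertive-recovery
# sequences; ring, Node IDs and RPL placement follow Figures 16 and 17.
from dataclasses import dataclass, field

NODES = ["A", "B", "C", "D", "E", "F", "G"]   # link i joins NODES[i] port 1 to NODES[i+1] port 0
NODE_ID = {"A": 81, "B": 26, "C": 89, "D": 62, "E": 71, "F": 31, "G": 75}
OWNER, NEIGHBOR = "G", "A"                    # RPL owner node and RPL neighbor node
RPL_PORT = {OWNER: 1, NEIGHBOR: 0}            # ring link 6 (G-A) is the RPL
LINK_ENDS = [[(NODES[i], 1), (NODES[(i + 1) % len(NODES)], 0)] for i in range(len(NODES))]

@dataclass
class Node:
    name: str
    blocked: set = field(default_factory=set)        # blocked ring ports (0/1)
    last_pair: dict = field(default_factory=dict)    # port -> last (Node ID, BPR) seen
    flushes: int = 0                                 # FDB flushes performed
    guard: bool = False                              # guard timer running
    wtr: bool = False                                # WTR timer running (owner only)
    recovering: bool = False                         # SF cleared, block still held

    def receive(self, msg, port):
        req, nid, bpr = msg
        if self.guard:                               # guard timer drops latent R-APS
            return
        if req != "NR" and self.last_pair.get(port) != (nid, bpr):
            self.last_pair[port] = (nid, bpr)        # (Node ID, BPR) mechanism: a new
            self.flushes += 1                        # pair on this port means an FDB flush
        if req == "SF":
            self.blocked.discard(RPL_PORT.get(self.name))  # owner/neighbor open the RPL
        elif req == "NR":
            self.last_pair.pop(port, None)
            if self.name == OWNER:
                self.wtr = True                      # wait for stability before reverting
            elif self.recovering and nid > NODE_ID[self.name]:
                self.blocked.clear()                 # the lower Node ID yields its block
                self.recovering = False
        else:                                        # NR,RB never returns to the owner
            self.blocked = {RPL_PORT[self.name]} if self.name == NEIGHBOR else set()
            self.recovering = False

class Ring:
    def __init__(self):
        self.nodes, self.failed = {n: Node(n) for n in NODES}, set()
        for n, p in RPL_PORT.items():                # idle state: RPL blocked at both ends
            self.nodes[n].blocked.add(p)

    def send(self, origin, msg):                     # R-APS goes out both ring ports
        for port in (0, 1):
            cur, step = NODES.index(origin), (1 if port == 1 else -1)
            for _ in range(len(NODES) - 1):          # never wraps back to the origin
                link = cur if step == 1 else (cur - 1) % len(NODES)
                nxt = (cur + step) % len(NODES)
                if link in self.failed:
                    break
                node, in_port = self.nodes[NODES[nxt]], (0 if step == 1 else 1)
                node.receive(msg, in_port)
                if (1 - in_port) in node.blocked:    # R-APS channel blocking
                    break
                cur = nxt

    def fail(self, link):                            # failure steps 3 and 4
        self.failed.add(link)
        for name, port in LINK_ENDS[link]:           # block the failed port and flush,
            self.nodes[name].blocked.add(port); self.nodes[name].flushes += 1
        for name, port in LINK_ENDS[link]:           # then send SF with (Node ID, BPR)
            self.send(name, ("SF", NODE_ID[name], port))

    def recover(self, link):                         # recovery step 3
        self.failed.discard(link)
        for name, _ in LINK_ENDS[link]:
            self.nodes[name].guard = self.nodes[name].recovering = True
        self.resend_nr()

    def resend_nr(self):                             # NR repeats while a block is held
        for node in self.nodes.values():
            if node.recovering and node.blocked:
                self.send(node.name, ("NR", NODE_ID[node.name], min(node.blocked)))

    def expire_wtr(self):                            # recovery step 6
        owner = self.nodes[OWNER]
        if owner.wtr:
            owner.wtr = False; owner.blocked.add(RPL_PORT[OWNER]); owner.flushes += 1
            self.send(OWNER, ("NR,RB", NODE_ID[OWNER], RPL_PORT[OWNER]))

    def blocked_links(self):                         # a loop-free ring has exactly one
        return {l for l, e in enumerate(LINK_ENDS) if any(p in self.nodes[n].blocked for n, p in e)}

def run_scenario():
    ring = Ring()
    out = {"idle": ring.blocked_links()}
    ring.fail(2)                                     # link C-D fails (Figure 16)
    out["protection"] = ring.blocked_links()
    out["flushes_after_sf"] = {n: ring.nodes[n].flushes for n in NODES}
    ring.recover(2)                                  # link C-D restored (Figure 17)
    out["wtr_running"] = ring.nodes[OWNER].wtr
    for node in ring.nodes.values(): node.guard = False   # guard timers expire
    ring.resend_nr()                                 # D hears NR from higher-ID C, unblocks
    out["pending"] = ring.blocked_links()
    ring.expire_wtr()
    out["idle_again"] = ring.blocked_links()
    return out
```

In the simulation every node flushes twice during the failure phase: once for the first SF it hears and once more when the SF from the other side of the break arrives with a different (Node ID, BPR) pair, which is what step 6 of the failure sequence describes. The ring returns to exactly one blocked link (the RPL) only after the WTR timer has expired on the owner.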
Flow Aware Transport Pseudowire (FAT PW) Overview
Routers typically load-balance traffic based on the lowermost label in the label stack, which is the same
label for all flows on a given pseudowire. This can lead to asymmetric load balancing. A flow, in this
context, is a sequence of packets that have the same source and destination pair. The packets are
transported from a source provider edge (PE) to a destination PE.
Flow-Aware Transport Pseudowires (FAT PW) provide the capability to identify individual flows within
a pseudowire and give routers the ability to use these flows to load-balance traffic. FAT PWs are used
to load-balance traffic in the core when equal-cost multipaths (ECMP) are used. A flow label is created
based on indivisible packet flows entering a pseudowire and is inserted as the lowermost label in the
packet. Routers can use the flow label for load balancing, which provides a better traffic distribution
across ECMP paths or link-bundled paths in the core.
Figure 18 shows a FAT PW with two flows distributing over ECMPs and bundle links.
Figure 18 FAT PW with two flows distributing over ECMPs and Bundle-Links
An additional label, called the flow label, is added to the stack; it carries the flow information of a
virtual circuit (VC). A flow label is a unique identifier that distinguishes a flow within the PW, and is
derived from the source and destination MAC addresses and the source and destination IP addresses. The flow
label has the end-of-label-stack (EOS) bit set and is inserted after the VC label and before the control
word (if any). The ingress PE calculates and forwards the flow label. The FAT PW configuration enables
the flow label. The egress PE discards the flow label, so no forwarding decision is based on it.
All core routers perform load balancing based on the flow label in the FAT PW. Therefore, it is possible
to distribute flows over ECMPs and link bundles.
[Figure 18 diagram: CE1 connects over an AC to PE1; PE1 and PE2 are joined across an MPLS cloud (P1, P2 and bundle links) by one PW carrying Flow 1 and Flow 2; PE2 connects over an AC to CE2. Annotations: the ingress PE calculates the flow label based on the IP header in the packet and pushes it to load-balance on ECMPs or bundles; a core router hashes on the flow label to choose among its ECMPs or bundle links; the egress PE removes the flow label from the packet and can use it for bundle AC load balancing.]
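An added Python example (not Cisco code and not taken from the guide) of the label-stack handling described above: the ingress PE pushes the VC label and then a flow label with the S (end-of-stack) bit set, a core router hashes on the bottom-of-stack label to pick an ECMP or bundle member, and the egress PE pops the VC label and discards the flow label. How the flow label is derived from the source and destination MAC and IP addresses is an assumption here (a SHA-256-based hash mapped outside the reserved label range 0 to 15); the guide does not give the exact function. The flows, member names and the VC label value 1000 are constructed sample values.

```python
# Constructed example (not Cisco code) of the FAT PW label stack described above.
# The flow-label derivation is an assumption: a hash of (src MAC, dst MAC, src IP,
# dst IP) mapped outside the reserved label range; the exact function is not given.
import hashlib
import struct
from collections import Counter

LABEL_BITS = 20
RESERVED_MAX = 15                       # labels 0-15 are reserved, never used for flows

def flow_label(src_mac, dst_mac, src_ip, dst_ip):
    """Flow identifier derived from the L2 and L3 address pairs (assumed derivation)."""
    key = f"{src_mac}|{dst_mac}|{src_ip}|{dst_ip}".encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return RESERVED_MAX + 1 + h % ((1 << LABEL_BITS) - RESERVED_MAX - 1)

def encode_lse(label, tc=0, s=0, ttl=255):
    """One 32-bit MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << LABEL_BITS):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def decode_lse(entry):
    v, = struct.unpack("!I", entry)
    return {"label": v >> 12, "tc": (v >> 9) & 7, "s": (v >> 8) & 1, "ttl": v & 0xFF}

def ingress_push(vc_label, flow, control_word=b"", fat=True):
    """Ingress PE: VC label, then (with FAT PW) the flow label carrying S=1, then the
    control word if any.  Without FAT PW the VC label itself is the bottom of stack."""
    if fat:
        return encode_lse(vc_label) + encode_lse(flow_label(*flow), s=1) + control_word
    return encode_lse(vc_label, s=1) + control_word

def bottom_label(stack):
    """What a core router hashes on: the entry with S=1 (below any transport labels)."""
    for off in range(0, len(stack), 4):
        lse = decode_lse(stack[off:off + 4])
        if lse["s"]:
            return lse["label"]
    raise ValueError("no bottom-of-stack entry")

def egress_pop(stack, vc_label):
    """Egress PE: pop the VC label, discard the flow label (no decision is based on it)
    and return what follows the label stack (control word and payload)."""
    top = decode_lse(stack[:4])
    if top["label"] != vc_label:
        raise ValueError("unexpected VC label")
    if top["s"] == 0:                   # a flow label follows only when the VC label is not EOS
        return stack[8:]
    return stack[4:]

def core_distribution(flows, members, fat):
    """Count how a core router spreads the flows over ECMP or bundle members."""
    counts = Counter()
    for flow in flows:
        stack = ingress_push(1000, flow, fat=fat)
        counts[members[bottom_label(stack) % len(members)]] += 1
    return counts

# Constructed sample flows: 64 hosts behind CE1 talking to one host behind CE2.
FLOWS = [(f"00:11:22:33:44:{i:02x}", "00:aa:bb:cc:dd:ee", f"10.0.0.{i}", "10.0.1.1")
         for i in range(1, 65)]
MEMBERS = ["Bundle-member-0", "Bundle-member-1"]
```

Running `core_distribution(FLOWS, MEMBERS, fat=False)` places all 64 constructed flows on the same member, because every packet carries the same VC label at the bottom of the stack; with `fat=True` the per-flow labels spread them across both members, which is the asymmetry the text says FAT PW removes.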
How to Implement Multipoint Layer 2 Services
This section describes the tasks that are required to implement VPLS:
• Configuring a Bridge Domain, page LSC-205
• Configuring Layer 2 Security, page LSC-221
• Configuring a Layer 2 Virtual Forwarding Instance, page LSC-225
• Configuring the MAC Address-related Parameters, page LSC-237
• Configuring an Attachment Circuit to the AC Split Horizon Group, page LSC-252
• Adding an Access Pseudowire to the AC Split Horizon Group, page LSC-254
• Configuring VPLS with BGP Autodiscovery and Signaling, page LSC-255
• Configuring VPLS with BGP Autodiscovery and LDP Signaling, page LSC-258
• Configuring G.8032 Ethernet Ring Protection, page LSC-261
• Configuring Flow Aware Transport Pseudowire, page LSC-270
Configuring a Bridge Domain
These topics describe how to configure a bridge domain:
• Creating a Bridge Domain, page LSC-205
• Configuring a Pseudowire, page LSC-207
• Associating Members with a Bridge Domain, page LSC-210
• Configuring Bridge Domain Parameters, page LSC-212
• Disabling a Bridge Domain, page LSC-215
• Blocking Unknown Unicast Flooding, page LSC-217
• Changing the Flood Optimization Mode, page LSC-218
Creating a Bridge Domain
Perform this task to create a bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group that can contain bridge
domains, and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring a Pseudowire
Perform this task to configure a pseudowire under a bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. exit
7. neighbor {A.B.C.D} {pw-id value}
8. dhcp ipv4 snoop profile {dhcp_snoop_profile_name}
9. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures the virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
• Use the vfi-name argument to configure the
name of the specified virtual forwarding
interface.
Step 6 exit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)# exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Exits the current configuration mode.
Step 7 neighbor {A.B.C.D} {pw-id value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# neighbor
10.1.1.2 pw-id 1000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#
Adds an access pseudowire port to a bridge domain
or a pseudowire to a bridge virtual forwarding
interface (VFI).
• Use the A.B.C.D argument to specify the IP
address of the cross-connect peer.
Note A.B.C.D can be a recursive or non-recursive
prefix.
• Use the pw-id keyword to configure the
pseudowire ID and ID value. The range is 1 to
4294967295.
Step 8 dhcp ipv4 snoop profile {dhcp_snoop_profile_name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# dhcp
ipv4 snoop profile profile1
Enables DHCP snooping on the bridge, and attaches
a DHCP snooping profile.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Associating Members with a Bridge Domain
After a bridge domain is created, perform this task to assign interfaces to the bridge domain. These types
of bridge ports are associated with a bridge domain:
• Ethernet and VLAN
• VFI
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. interface type interface-path-id
6. static-mac-address {MAC-address}
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface
GigabitEthernet 0/4/0/0
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
Enters interface configuration mode and adds an
interface to a bridge domain that allows packets to
be forwarded and received from other interfaces that
are part of the same bridge domain.
Step 6 static-mac-address {MAC-address}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
static-mac-address 1.1.1
Configures the static MAC address to associate a
remote MAC address with a pseudowire or any other
bridge interface.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring Bridge Domain Parameters
To configure bridge domain parameters, associate these parameters with a bridge domain:
• Maximum transmission unit (MTU)—Specifies that all members of a bridge domain have the same
MTU. A bridge domain member with a different MTU size is not used by the bridge domain, even
though it remains associated with the bridge domain.
• Flooding—Enables or disables flooding on the bridge domain. By default, flooding is enabled.
• Dynamic ARP Inspection (DAI)—Ensures that only valid ARP requests and responses are relayed.
• IP SourceGuard (IPSG)—Enables source IP address filtering on a Layer 2 port.
Note To verify that the DAI and IPSG features are working correctly, look at the dropped-packet statistics for
DAI and IPSG violations. These statistics appear in the output of the show l2vpn
bridge-domain bd-name <> detail command.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. flooding disable
6. mtu bytes
7. dynamic-arp-inspection {address-validation | disable | logging}
8. ip-source-guard logging
9. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 flooding disable
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# flooding
disable
Configures flooding for traffic at the bridge domain
level or at the bridge port level.
Step 6 mtu bytes
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# mtu 1000
Adjusts the maximum packet size or maximum
transmission unit (MTU) size for the bridge domain.
• Use the bytes argument to specify the MTU size,
in bytes. The range is from 64 to 65535.
Step 7 dynamic-arp-inspection {address-validation | disable
| logging}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
dynamic-arp-inspection
Enters the dynamic ARP inspection configuration
submode. Ensures only valid ARP requests and
responses are relayed.
Note You can configure dynamic ARP inspection
under the bridge domain or the bridge port.
Step 8 ip-source-guard logging
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
ip-source-guard logging
Enters the IP source guard configuration submode
and enables source IP address filtering on a Layer 2
port.
You can enable IP source guard under the bridge
domain or the bridge port. By default, bridge ports
under a bridge inherit the IP source guard
configuration from the parent bridge.
By default, IP source guard is disabled on the
bridges.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Disabling a Bridge Domain
Perform this task to disable a bridge domain. When a bridge domain is disabled, all VFIs that are
associated with the bridge domain are disabled. You can still attach members to, or detach members from, the
bridge domain and the VFIs that are associated with it.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. shutdown
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN bridge
group bridge domain configuration mode.
Step 5 shutdown
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# shutdown
Shuts down a bridge domain to bring the bridge and
all attachment circuits and pseudowires under it to
admin down state.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Blocking Unknown Unicast Flooding
Perform this task to disable flooding of unknown unicast traffic at the bridge domain level.
You can disable flooding of unknown unicast traffic at the bridge domain, bridge port or access
pseudowire levels. By default, unknown unicast traffic is flooded to all ports in the bridge domain.
Note If you disable flooding of unknown unicast traffic on the bridge domain, all ports within the bridge
domain inherit this configuration. You can configure the bridge ports to override the bridge domain
configuration.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. flooding unknown-unicast disable
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN bridge
group bridge domain configuration mode.
Step 5 flooding unknown-unicast disable
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
flooding unknown-unicast disable
Disables flooding of unknown unicast traffic at the
bridge domain level.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Changing the Flood Optimization Mode
Perform this task to change the flood optimization mode under the bridge domain:
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. flood mode convergence-optimized
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN bridge
group bridge domain configuration mode.
Step 5 flood mode convergence-optimized
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
flood mode convergence-optimized
Changes the default flood optimization mode from
Bandwidth Optimization Mode to Convergence
Mode.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring Layer 2 Security
These topics describe how to configure Layer 2 security:
• Enabling Layer 2 Security, page LSC-221
• Attaching a Dynamic Host Configuration Protocol Profile, page LSC-222
Enabling Layer 2 Security
Perform this task to enable Layer 2 port security on a bridge.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. security
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge
group csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Assigns each network interface to a bridge group
and enters L2VPN bridge group configuration
mode.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 security
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
security
Enables Layer 2 port security on a bridge.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes
to the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Attaching a Dynamic Host Configuration Protocol Profile
Perform this task to enable DHCP snooping on a bridge and to attach a DHCP snooping profile to the
bridge.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. dhcp ipv4 snoop {profile profile-name}
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Assigns each network interface to a bridge
group and enters L2VPN bridge group
configuration mode.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration
mode.
Step 5 dhcp ipv4 snoop {profile profile-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# dhcp
ipv4 snoop profile attach
Enables DHCP snooping on a bridge and
attaches a DHCP snooping profile to the bridge.
• Use the profile keyword to attach a DHCP
profile. The profile-name argument is the
name of the DHCPv4 snooping profile (attach
in the example).
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# commit
Saves configuration changes.
• When you issue the end command, the
system prompts you to commit changes:
Uncommitted changes found, commit
them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration
changes to the running configuration
file, exits the configuration session,
and returns the router to EXEC mode.
– Entering no exits the configuration
session and returns the router to EXEC
mode without committing the
configuration changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the
configuration changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring a Layer 2 Virtual Forwarding Instance
These topics describe how to configure a Layer 2 virtual forwarding instance (VFI):
• Adding the Virtual Forwarding Instance Under the Bridge Domain, page LSC-225
• Associating Pseudowires with the Virtual Forwarding Instance, page LSC-227
• Associating a Virtual Forwarding Instance to a Bridge Domain, page LSC-229
• Attaching Pseudowire Classes to Pseudowires, page LSC-231
• Configuring Any Transport over Multiprotocol Pseudowires By Using Static Labels, page LSC-233
• Disabling a Virtual Forwarding Instance, page LSC-235
Adding the Virtual Forwarding Instance Under the Bridge Domain
Perform this task to create a Layer 2 Virtual Forwarding Instance (VFI) on all provider edge devices
under the bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Associating Pseudowires with the Virtual Forwarding Instance
After a VFI is created, perform this task to associate one or more pseudowires with the VFI.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. neighbor {A.B.C.D} {pw-id value}
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
Step 6 neighbor {A.B.C.D} {pw-id value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
neighbor 10.1.1.2 pw-id 1000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
Adds an access pseudowire port to a bridge domain
or a pseudowire to a bridge virtual forwarding
interface (VFI).
• Use the A.B.C.D argument to specify the IP
address of the cross-connect peer.
• Use the pw-id keyword to configure the
pseudowire ID and ID value. The range is 1 to
4294967295.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Associating a Virtual Forwarding Instance to a Bridge Domain
Perform this task to associate a VFI to be a member of a bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. neighbor {A.B.C.D} {pw-id value}
7. static-mac-address {MAC-address}
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
Step 6 neighbor {A.B.C.D} {pw-id value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
neighbor 10.1.1.2 pw-id 1000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
Adds an access pseudowire port to a bridge domain
or a pseudowire to a bridge virtual forwarding
interface (VFI).
• Use the A.B.C.D argument to specify the IP
address of the cross-connect peer.
• Use the pw-id keyword to configure the
pseudowire ID and ID value. The range is 1 to
4294967295.
Step 7 static-mac-address {MAC-address}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
static-mac-address 1.1.1
Configures the static MAC address to associate a
remote MAC address with a pseudowire or any other
bridge interface.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Attaching Pseudowire Classes to Pseudowires
Perform this task to attach a pseudowire class to a pseudowire.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. neighbor {A.B.C.D} {pw-id value}
7. pw-class {class-name}
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
Step 6 neighbor {A.B.C.D} {pw-id value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
neighbor 10.1.1.2 pw-id 1000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
Adds an access pseudowire port to a bridge domain
or a pseudowire to a bridge virtual forwarding
interface (VFI).
• Use the A.B.C.D argument to specify the IP
address of the cross-connect peer.
• Use the pw-id keyword to configure the
pseudowire ID and ID value. The range is 1 to
4294967295.
Step 7 pw-class {class-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
pw-class canada
Configures the pseudowire class template name to
use for the pseudowire.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring Any Transport over Multiprotocol Pseudowires By Using Static Labels
Perform this task to configure the Any Transport over Multiprotocol (AToM) pseudowires by using the
static labels. A pseudowire becomes a static AToM pseudowire by setting the MPLS static labels to local
and remote.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. neighbor {A.B.C.D} {pw-id value}
7. mpls static label {local value} {remote value}
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
Step 6 neighbor {A.B.C.D} {pw-id value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
neighbor 10.1.1.2 pw-id 1000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
Adds an access pseudowire port to a bridge domain
or a pseudowire to a bridge virtual forwarding
interface (VFI).
• Use the A.B.C.D argument to specify the IP
address of the cross-connect peer.
• Use the pw-id keyword to configure the
pseudowire ID and ID value. The range is 1 to
4294967295.
Step 7 mpls static label {local value} {remote value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
mpls static label local 800 remote 500
Configures the MPLS static labels and the static
labels for the access pseudowire configuration. You
can set the local and remote pseudowire labels.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Disabling a Virtual Forwarding Instance
Perform this task to disable a VFI. When a VFI is disabled, all the previously established pseudowires
that are associated with the VFI are disconnected. LDP advertisements are sent to withdraw the MAC
addresses that are associated with the VFI. However, you can still attach or detach attachment circuits
with a VFI after a shutdown.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. shutdown
7. end
or
commit
8. show l2vpn bridge-domain [detail]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi v1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
Configures virtual forwarding interface (VFI)
parameters and enters L2VPN bridge group bridge
domain VFI configuration mode.
Step 6 shutdown
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
shutdown
Disables the virtual forwarding interface (VFI).
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Step 8 show l2vpn bridge-domain [detail]
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays the state of the VFI. For example, if you
shut down the VFI, the VFI is shown as shut down
under the bridge domain.
Configuring the MAC Address-related Parameters
These topics describe how to configure the MAC address-related parameters:
• Configuring the MAC Address Source-based Learning, page LSC-237
• Enabling the MAC Address Withdrawal, page LSC-240
• Configuring the MAC Address Limit, page LSC-242
• Configuring the MAC Address Aging, page LSC-245
• Disabling MAC Flush at the Bridge Port Level, page LSC-248
• Configuring MAC Address Security, page LSC-250
The MAC table attributes are set for the bridge domains.
Configuring the MAC Address Source-based Learning
Perform this task to configure the MAC address source-based learning.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. mac
6. learning disable
7. end
or
commit
8. show l2vpn bridge-domain [detail]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 mac
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# mac
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
Enters L2VPN bridge group bridge domain MAC
configuration mode.
Step 6 learning disable
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
learning disable
Disables MAC learning at the bridge domain level.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Step 8 show l2vpn bridge-domain [detail]
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays detailed output showing that MAC address
source-based learning is disabled on the bridge.
Enabling the MAC Address Withdrawal
Perform this task to enable the MAC address withdrawal for a specified bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. mac
6. withdrawal
7. end
or
commit
8. show l2vpn bridge-domain [detail]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 mac
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# mac
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
Enters L2VPN bridge group bridge domain MAC
configuration mode.
Step 6 withdrawal
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
withdrawal
Enables the MAC address withdrawal for a specified
bridge domain.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Step 8 show l2vpn bridge-domain [detail]
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays detailed output showing that MAC address
withdrawal is enabled. The output also shows the
number of MAC withdrawal messages that have been
sent over or received from each pseudowire.
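The procedures in this chapter set the bridge-domain hardening options one command at a time (security, dhcp ipv4 snoop profile, mac limit) and add VFI pseudowires with neighbor ... pw-id, pw-class and mpls static label. In practice you also want to verify that every bridge domain on a PE actually carries those settings. The Python script below is an added example, not part of the Cisco guide: it parses a show running-config l2vpn dump, reports bridge domains that lack port security, a DHCP snooping profile, or a MAC limit with an action stricter than flood, and lists each VFI's pseudowires with their pw-class or static labels. It assumes the IOS XR running-configuration layout (one space per nesting level, a ! line closing each block) and the pw-id range of 1 to 4294967295 stated in the neighbor step; the configuration embedded in it is constructed for the example.

```python
"""Audit an IOS XR 'show running-config l2vpn' dump for the bridge-domain
hardening this chapter configures and list each VFI's pseudowires.  Added
example, not from the Cisco guide; it assumes IOS XR's one-space-per-level
indentation with '!' block terminators and the pw-id range 1..4294967295."""
import re

# Constructed sample: 'abc' has every knob set, 'open' is left at defaults.
SAMPLE_CONFIG = """\
l2vpn
 bridge group csco
  bridge-domain abc
   security
   dhcp ipv4 snoop profile attach
   mac
    limit
     maximum 5000
     action no-flood
    !
   !
   vfi v1
    neighbor 10.1.1.2 pw-id 1000
     pw-class canada
    !
    neighbor 10.1.1.3 pw-id 1001
     mpls static label local 800 remote 500
    !
   !
  !
  bridge-domain open
  !
 !
!
"""

class Node:
    def __init__(self, text):
        self.text, self.children = text, []

    def find_all(self, key):  # bare command ('mac') or with arguments ('vfi v1')
        return [c for c in self.children if c.text == key or c.text.startswith(key + " ")]

    def find(self, key):
        return next(iter(self.find_all(key)), None)

def parse_config(text):
    """Build a tree from the dump; each leading space is one nesting level."""
    root, stack = Node(""), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' only closes a block
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        node = Node(line)
        (stack[-1][1] if stack else root).children.append(node)
        stack.append((indent, node))
    return root

def check_pw_id(value):
    return 1 <= value <= 4294967295        # range stated for 'neighbor ... pw-id'

def audit_bridge_domain(bd):
    """Return (findings, pseudowires) for one 'bridge-domain' node."""
    findings, pws = [], []
    if bd.find("security") is None:
        findings.append("port security not enabled ('security' missing)")
    if bd.find("dhcp ipv4 snoop profile") is None:
        findings.append("no DHCP snooping profile attached")
    limit = (bd.find("mac") or Node("")).find("limit")
    if limit is None or limit.find("maximum") is None:
        findings.append("no MAC limit: one host can fill the MAC table")
    elif (limit.find("action") or Node("action flood")).text.split()[-1] == "flood":
        findings.append("MAC limit action unset or 'flood'; set no-flood or shutdown")
    for vfi in bd.find_all("vfi"):
        for nb in vfi.find_all("neighbor"):
            m = re.fullmatch(r"neighbor (\S+) pw-id (\d+)", nb.text)
            if m is None:
                continue
            pw_id = int(m[2])
            if not check_pw_id(pw_id):
                findings.append(f"pw-id {pw_id} to {m[1]} is out of range")
            pwc, lab = nb.find("pw-class"), nb.find("mpls static label")
            lm = lab and re.fullmatch(r"mpls static label local (\d+) remote (\d+)", lab.text)
            pws.append({"vfi": vfi.text.split()[1], "peer": m[1], "pw_id": pw_id,
                        "pw_class": pwc.text.split()[1] if pwc else None,
                        "static_labels": (int(lm[1]), int(lm[2])) if lm else None})
    return findings, pws

def audit_config(text):
    """Map 'group/domain' -> {'findings': [...], 'pseudowires': [...]}."""
    l2vpn = parse_config(text).find("l2vpn") or Node("")
    return {f"{bg.text.split()[2]}/{bd.text.split()[1]}":
            dict(zip(("findings", "pseudowires"), audit_bridge_domain(bd)))
            for bg in l2vpn.find_all("bridge group")
            for bd in bg.find_all("bridge-domain")}

if __name__ == "__main__":
    for name, r in audit_config(SAMPLE_CONFIG).items():
        print(name, r["findings"] or "OK", *r["pseudowires"], sep="\n  ")
```

To run it against a real device, pass the saved text of show running-config l2vpn to audit_config() instead of SAMPLE_CONFIG; a bridge domain with an empty findings list has all three settings in place. The MAC-limit check flags both a missing action and an explicit action flood, because with flood the bridge keeps forwarding frames from sources beyond the limit as unknown unicast instead of dropping them (no-flood) or shutting the bridge down (shutdown).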
Configuring the MAC Address Limit
Perform this task to configure the parameters for the MAC address limit.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. mac
6. limit
7. maximum {value}
8. action {flood | no-flood | shutdown}
9. notification {both | none | trap}
10. end
or
commit
11. show l2vpn bridge-domain [detail]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 mac
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# mac
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
Enters L2VPN bridge group bridge domain MAC
configuration mode.
Step 6 limit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)# limit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-limit)#
Sets the MAC address limit for action, maximum,
and notification and enters L2VPN bridge group
bridge domain MAC limit configuration mode.
Step 7 maximum {value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-limit)#
maximum 5000
Configures the maximum number of MAC addresses that
can be learned on a bridge; the configured action is
taken when this number is reached.
Step 8 action {flood | no-flood | shutdown}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-limit)#
action flood
Configures the bridge behavior when the number of
learned MAC addresses exceeds the configured MAC
limit.
Step 9 notification {both | none | trap}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-limit)#
notification both
Specifies the type of notification that is sent when
the number of learned MAC addresses exceeds the
configured limit.
Step 10 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-limit)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-limit)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Step 11 show l2vpn bridge-domain [detail]
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays the details about the MAC address limit.
Configuring the MAC Address Aging
Perform this task to configure the parameters for MAC address aging.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. mac
6. aging
7. time {seconds}
8. type {absolute | inactivity}
9. end
or
commit
10. show l2vpn bridge-domain [detail]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters L2VPN
bridge group bridge domain configuration mode.
Step 5 mac
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# mac
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
Enters L2VPN bridge group bridge domain MAC
configuration mode.
Step 6 aging
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)# aging
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-aging)#
Enters the MAC aging configuration submode to set
the aging parameters such as time and type.
Step 7 time {seconds}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-aging)#
time 300
Configures the maximum aging time.
• Use the seconds argument to specify the
maximum age of the MAC address table entry.
The range is from 120 to 1000000 seconds.
Aging time is counted from the last time that the
switch saw the MAC address. The default value
is 300 seconds.
Step 8 type {absolute | inactivity}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-aging)#
type absolute
Configures the type for MAC address aging.
• Use the absolute keyword to configure the
absolute aging type.
• Use the inactivity keyword to configure the
inactivity aging type.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-aging)#
end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac-aging)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Step 10 show l2vpn bridge-domain [detail]
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays the details about the aging fields.
Disabling MAC Flush at the Bridge Port Level
Perform this task to disable the MAC flush at the bridge domain level.
You can disable the MAC flush at the bridge domain, bridge port, or access pseudowire level. By default,
the MACs learned on a specific port are flushed immediately when that port becomes nonfunctional.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. mac
6. port-down flush disable
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters l2vpn bridge
group bridge domain configuration mode.
Step 5 mac
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# mac
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
Enters l2vpn bridge group bridge domain MAC
configuration mode.
Step 6 port-down flush disable
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
port-down flush disable
Disables MAC flush when the bridge port becomes
nonfunctional.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-mac)#
commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
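The following added example (not Cisco's code) models what the mac limit (maximum, action, notification), mac aging (time, type) and port-down flush disable settings from the preceding procedures do to a bridge domain's MAC table, so each setting's effect can be checked on constructed traffic. It assumes that once the limit is reached, flood keeps flooding frames from unknown sources while no-flood drops them and shutdown takes the offending port down and flushes it, that absolute aging counts from the time an entry was learned and inactivity aging from the last frame seen, and that notification both raises a trap and a syslog message.

```python
"""Model of the bridge-domain MAC table settings: limit, aging, port-down flush.

Added example, not Cisco code. Assumptions: at the limit, 'flood' keeps
flooding unknown-source frames, 'no-flood' drops them, 'shutdown' takes
the port down and flushes it; 'absolute' aging counts from learn time,
'inactivity' aging from the last frame seen; 'both' = trap + syslog.
"""
from dataclasses import dataclass

ACTIONS = ("flood", "no-flood", "shutdown")
NOTIFICATIONS = ("both", "none", "trap")
AGING_TYPES = ("absolute", "inactivity")


@dataclass
class MacLimit:
    maximum: int
    action: str
    notification: str

    def __post_init__(self):
        if self.maximum < 1:
            raise ValueError("maximum must be at least 1")
        if self.action not in ACTIONS or self.notification not in NOTIFICATIONS:
            raise ValueError("unknown action or notification keyword")


@dataclass
class MacAging:
    time: int    # seconds; the guide gives a range of 120 to 1000000
    type: str    # 'absolute' or 'inactivity'

    def __post_init__(self):
        if not 120 <= self.time <= 1000000:
            raise ValueError("aging time must be 120..1000000 seconds")
        if self.type not in AGING_TYPES:
            raise ValueError("unknown aging type")


@dataclass
class Entry:
    port: str
    learned: float      # when the address was first learned
    last_seen: float    # last frame seen from the address


class BridgeDomain:
    def __init__(self, limit, aging, port_down_flush=True):
        self.limit = limit
        self.aging = aging
        self.port_down_flush = port_down_flush   # False models 'port-down flush disable'
        self.table = {}          # mac -> Entry
        self.shut_ports = set()
        self.events = []         # notifications raised when the limit is hit

    def _notify(self, msg):
        if self.limit.notification in ("trap", "both"):
            self.events.append("trap: " + msg)
        if self.limit.notification == "both":
            self.events.append("syslog: " + msg)

    def receive(self, src_mac, port, now):
        """Learn or refresh src_mac; return what happens to the frame."""
        if port in self.shut_ports:
            return "drop"
        self.expire(now)
        entry = self.table.get(src_mac)
        if entry is not None:
            entry.port, entry.last_seen = port, now   # MAC move refreshes the entry
            return "forward"
        if len(self.table) < self.limit.maximum:
            self.table[src_mac] = Entry(port, now, now)
            return "forward"
        self._notify(f"MAC limit {self.limit.maximum} reached on {port}")
        if self.limit.action == "shutdown":
            self.shut_ports.add(port)
            self.flush_port(port)
            return "shutdown"
        return "flood" if self.limit.action == "flood" else "drop"

    def expire(self, now):
        """Remove entries aged out under the configured aging type; return them."""
        stale = []
        for mac, e in list(self.table.items()):
            start = e.learned if self.aging.type == "absolute" else e.last_seen
            if now - start >= self.aging.time:
                stale.append(mac)
                del self.table[mac]
        return stale

    def flush_port(self, port):
        """Drop every entry learned on port; return the flushed addresses."""
        gone = [m for m, e in self.table.items() if e.port == port]
        for m in gone:
            del self.table[m]
        return gone

    def port_down(self, port):
        """A port became nonfunctional: flush it unless port-down flush is disabled."""
        return self.flush_port(port) if self.port_down_flush else []
```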
Configuring MAC Address Security
Perform this task to configure MAC address security.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. neighbor {A.B.C.D} {pw-id value}
6. mac
7. secure
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group so that it can contain bridge
domains and then assigns network interfaces to the
bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain and enters l2vpn bridge
group bridge domain configuration mode.
Step 5 neighbor {A.B.C.D} {pw-id value}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# neighbor
10.1.1.2 pw-id 1000
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#
Adds an access pseudowire port to a bridge domain,
or a pseudowire to a bridge virtual forwarding
interface (VFI).
• Use the A.B.C.D argument to specify the IP
address of the cross-connect peer.
• Use the pw-id keyword to configure the
pseudowire ID and ID value. The range is 1 to
4294967295.
Step 6 mac
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)# mac
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw-mac)#
Enters l2vpn bridge group bridge domain MAC
configuration mode.
Step 7 secure [action | disable | logging]
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw-mac)#
secure
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw-macsecure)#
Enters MAC secure configuration mode.
By default, bridge ports (interfaces and access
pseudowires) under a bridge inherit the security
configuration from the parent bridge.
Note Once a bridge port goes down, a clear
command must be issued to bring the bridge
port up.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw-macsecure)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw-macsecure)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the
router to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring an Attachment Circuit to the AC Split Horizon Group
These steps show how to add an interface to the split horizon group for attachment circuits (ACs) under
a bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. interface type instance
6. split-horizon group
7. commit
8. end
9. show l2vpn bridge-domain detail
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge
group metroA
Enters configuration mode for the named bridge group.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain east
Enters configuration mode for the named bridge domain.
Step 5 interface type instance
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
interface GigabitEthernet0/1/0/6
Enters configuration mode for the named interface.
Step 6 split-horizon group
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
split-horizon group
Adds this interface to the split horizon group for ACs. Only
one split horizon group for ACs for a bridge domain is
supported.
Step 7 commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
commit
Saves configuration changes.
Step 8 end
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
end
Returns to EXEC mode.
Step 9 show l2vpn bridge-domain detail
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays information about bridges, including whether each
AC is in the AC split horizon group or not.
Adding an Access Pseudowire to the AC Split Horizon Group
These steps show how to add an access pseudowire as a member to the split horizon group for attachment
circuits (ACs) under a bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. neighbor A.B.C.D pw-id pseudowire-id
6. split-horizon group
7. commit
8. end
9. show l2vpn bridge-domain detail
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge
group metroA
Enters configuration mode for the named bridge group.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain east
Enters configuration mode for the named bridge domain.
Step 5 neighbor A.B.C.D pw-id pseudowire-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
neighbor 10.2.2.2 pw-id 2000
Configures the pseudowire segment.
Step 6 split-horizon group
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#
split-horizon group
Adds this access pseudowire to the split horizon group for
ACs.
Note Only one split horizon group for ACs and access
pseudowires per bridge domain is supported.
Step 7 commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#
commit
Saves configuration changes.
Step 8 end
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#
end
Returns to EXEC mode.
Step 9 show l2vpn bridge-domain detail
Example:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain
detail
Displays information about bridges, including whether each
access pseudowire is in the AC split horizon group or not.
Configuring VPLS with BGP Autodiscovery and Signaling
Perform this task to configure BGP-based autodiscovery and signaling.
To locate documentation for the commands used in this configuration, refer to the Multipoint Layer 2
Services Commands module in the Cisco ASR 9000 Series Aggregation Services Router L2VPN and
Ethernet Services Command Reference.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain bridge-domain-name
5. vfi {vfi-name}
6. vpn-id vpn-id
7. autodiscovery bgp
8. rd {as-number:nn | ip-address:nn | auto}
9. route-target {as-number:nn | ip-address:nn | export | import}
10. route-target import {as-number:nn | ip-address:nn}
11. route-target export {as-number:nn | ip-address:nn}
12. signaling-protocol bgp
13. ve-id {number}
14. ve-range {number}
15. commit
or
end
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
metroA
Enters configuration mode for the named bridge group.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain east
Enters configuration mode for the named bridge domain.
Step 5 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi
vfi-east
Enters virtual forwarding instance (VFI) configuration
mode.
Step 6 vpn-id vpn-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
vpn-id 100
Specifies the identifier for the VPLS service. The VPN ID
must be unique within a PE router; that is, the same
VPN ID cannot exist in multiple VFIs on the same PE
router. In addition, a VFI can have only one VPN ID.
Step 7 autodiscovery bgp
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
autodiscovery bgp
Enters BGP autodiscovery configuration mode where all
BGP autodiscovery parameters are configured.
This command is not provisioned to BGP until at least the
VPN ID and the signaling protocol are configured.
Step 8 rd {as-number:nn|ip-address:nn|auto}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
rd auto
Specifies the route distinguisher (RD) under the VFI.
The RD is used in the BGP NLRI to identify VFI. Only
one RD can be configured per VFI, and except for rd auto
the same RD cannot be configured in multiple VFIs on the
same PE.
When rd auto is configured, the RD value is as follows:
{BGP Router ID}:{16 bits auto-generated unique index}.
Step 9 route-target {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
route-target 500:99
Specifies the route target (RT) for the VFI.
At least one import and one export route target (or a
single route target with both roles) must be configured on
each PE in order to establish BGP autodiscovery between
PEs.
If no export or import keyword is specified, it means that
the RT is both import and export. A VFI can have multiple
export or import RTs. However, the same RT is not
allowed in multiple VFIs in the same PE.
Step 10 route-target import {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
route-target import 200:20
Specifies the import route target for the VFI.
Import route target is what the PE compares with the RT
in the received NLRI: the RT in the received NLRI must
match the import RT to determine that the RTs belong to
the same VPLS service.
Step 11 route-target export {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
route-target export 100:10
Specifies the export route target for the VFI.
Export route target is the RT that is going to be in the
NLRI advertised to other PEs.
Step 12 signaling-protocol bgp
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
signaling-protocol bgp
Enables BGP signaling, and enters the BGP signaling
configuration submode where BGP signaling parameters
are configured.
This command is not provisioned to BGP until the VE ID
and VE ID range are configured.
Step 13 ve-id {number}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# ve-id 10
Specifies the local PE identifier for the VFI for VPLS
configuration.
The VE ID identifies a VFI within a VPLS service. This
means that VFIs in the same VPLS service cannot share
the same VE ID. The scope of the VE ID is only within a
bridge domain. Therefore, VFIs in different bridge
domains within a PE can use the same VE ID.
Step 14 ve-range {number}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# ve-range 40
Overrides the minimum size of VPLS edge (VE) blocks.
The default minimum size is 10. Any configured VE
range must be higher than 10.
Step 15 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the
configuration session, and returns the router to
EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring VPLS with BGP Autodiscovery and LDP Signaling
Perform this task to configure BGP-based autodiscovery and LDP signaling.
SUMMARY STEPS
1. configure
2. l2vpn
3. router-id ip-address
4. bridge group bridge-group-name
5. bridge-domain bridge-domain-name
6. vfi {vfi-name}
7. autodiscovery bgp
8. vpn-id vpn-id
9. rd {as-number:nn | ip-address:nn | auto}
10. route-target {as-number:nn | ip-address:nn | export | import}
11. route-target import {as-number:nn | ip-address:nn}
12. route-target export {as-number:nn | ip-address:nn}
13. signaling-protocol ldp
14. vpls-id {as-number:nn | ip-address:nn}
15. commit
or
end
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 router-id ip-address
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# router-id
1.1.1.1
Specifies a unique Layer 2 (L2) router ID for the provider
edge (PE) router.
The router ID must be configured for LDP signaling, and
is used as the L2 router ID in the BGP NLRI, SAII (local
L2 Router ID) and TAII (remote L2 Router ID). Any
arbitrary value in the IPv4 address format is acceptable.
Note Each PE must have a unique L2 router ID. This
CLI is optional, as a PE automatically generates an
L2 router ID using the LDP router ID.
Step 4 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group
metroA
Enters configuration mode for the named bridge group.
Step 5 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain east
Enters configuration mode for the named bridge domain.
Step 6 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi
vfi-east
Enters virtual forwarding instance (VFI) configuration
mode.
Step 7 vpn-id vpn-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
vpn-id 100
Specifies the identifier for the VPLS service. The VPN ID
must be unique within a PE router; that is, the same
VPN ID cannot exist in multiple VFIs on the same PE
router. In addition, a VFI can have only one VPN ID.
Step 8 autodiscovery bgp
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
autodiscovery bgp
Enters BGP autodiscovery configuration mode where all
BGP autodiscovery parameters are configured.
This command is not provisioned to BGP until at least the
VPN ID and the signaling protocol are configured.
Step 9 rd {as-number:nn|ip-address:nn|auto}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
rd auto
Specifies the route distinguisher (RD) under the VFI.
The RD is used in the BGP NLRI to identify VFI. Only
one RD can be configured per VFI, and except for rd auto
the same RD cannot be configured in multiple VFIs on
the same PE.
When rd auto is configured, the RD value is as follows:
{BGP Router ID}:{16 bits auto-generated unique index}.
Step 10 route-target {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
route-target 500:99
Specifies the route target (RT) for the VFI.
At least one import and one export route target (or a
single route target with both roles) must be configured on
each PE in order to establish BGP autodiscovery between
PEs.
If no export or import keyword is specified, it means that
the RT is both import and export. A VFI can have multiple
export or import RTs. However, the same RT is not
allowed in multiple VFIs in the same PE.
Step 11 route-target import {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
route-target import 200:20
Specifies the import route target for the VFI.
Import route target is what the PE compares with the RT
in the received NLRI: the RT in the received NLRI must
match the import RT to determine that the RTs belong to
the same VPLS service.
Step 12 route-target export {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
route-target export 100:10
Specifies the export route target for the VFI.
Export route target is the RT that is going to be in the
NLRI advertised to other PEs.
Step 13 signaling-protocol bgp
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)#
signaling-protocol bgp
Enables BGP signaling, and enters the BGP signaling
configuration submode where BGP signaling parameters
are configured.
This command is not provisioned to BGP until the VE ID
and VE ID range are configured.
Configuring G.8032 Ethernet Ring Protection
To configure the G.8032 operation, separately configure:
• An ERP instance to indicate:
– which (sub)interface is used as the APS channel
– which (sub)interface is monitored by CFM
– whether the interface is an RPL link, and, if it is, the RPL node type
• CFM with EFD to monitor the ring links
Note The MEP for each monitored link must be configured with a different Maintenance Association.
Step 14 vpls-id {as-number:nn|ip-address:nn}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# vpls-id 10:20
Specifies the VPLS ID, which identifies the VPLS domain
during signaling.
This command is optional on all PEs that are in the same
Autonomous System (share the same ASN), because a
default VPLS ID is automatically generated from the BGP
ASN and the configured VPN ID (that is, the default VPLS
ID equals ASN:VPN-ID). If a 4-byte ASN is used, the
lower two bytes of the ASN are used to build the VPLS ID.
In the case of Inter-AS, the VPLS ID must be explicitly
configured. Only one VPLS ID can be configured per VFI,
and the same VPLS ID cannot be used for multiple VFIs.
Step 15 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-adsig)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the
configuration session, and returns the router to
EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
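The following added example (not Cisco's code) ties together the identifier rules from the two BGP autodiscovery procedures above: it parses the as-number:nn and ip-address:nn forms used by rd, route-target and vpls-id, derives the default VPLS ID (ASN:VPN-ID, lower two bytes of a 4-byte ASN) and the rd auto value ({BGP router ID}:{16-bit index}), enforces the per-PE uniqueness rules the steps state (VPN ID, RD, VPLS ID and RT not shared between VFIs, VE ID unique within a bridge domain, at least one import and one export RT), and matches a received NLRI against import route targets. The sequential rd auto index and the nn bounds (a 4-byte nn after a 2-byte ASN, a 2-byte nn otherwise, as in the standard extended-community encodings) are assumptions.

```python
"""VPLS BGP autodiscovery identifiers: RD, RT, VPLS ID and VE ID checks.

Added example, not Cisco code. Assumptions: rd auto indexes are handed
out sequentially here; nn bounds follow the extended-community encodings.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

_RT_RE = re.compile(r"^(\d+|\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_rt(value):
    """Normalise 'as-number:nn' or 'ip-address:nn' to ('as'|'ip', first, nn)."""
    m = _RT_RE.match(value)
    if not m:
        raise ValueError(f"bad RD/RT syntax: {value!r}")
    first, nn = m.group(1), int(m.group(2))
    if "." in first:
        return ("ip", int(ipaddress.IPv4Address(first)), _bounded(nn, 0xFFFF, value))
    asn = int(first)
    if asn > 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {value!r}")
    return ("as", asn, _bounded(nn, 0xFFFF if asn > 0xFFFF else 0xFFFFFFFF, value))


def _bounded(nn, limit, value):
    if nn > limit:
        raise ValueError(f"nn out of range in {value!r}")
    return nn


def default_vpls_id(asn, vpn_id):
    """Default VPLS ID is ASN:VPN-ID; a 4-byte ASN contributes its lower two bytes."""
    return f"{asn & 0xFFFF}:{vpn_id}"


@dataclass
class Vfi:
    name: str
    bridge_domain: str
    vpn_id: int
    rd: str                  # 'auto', as-number:nn or ip-address:nn
    route_targets: list      # (value, role) with role 'both', 'import' or 'export'
    ve_id: Optional[int] = None
    vpls_id: Optional[str] = None

    def rts(self, role):
        """Route targets acting in the given role ('import' or 'export')."""
        return {parse_rt(v) for v, r in self.route_targets if r in (role, "both")}


class ProviderEdge:
    """Holds the VFIs of one PE and rejects configurations the steps above forbid."""

    def __init__(self, bgp_router_id, asn):
        self.router_id, self.asn = bgp_router_id, asn
        self.vfis = []
        self._rd_index = 0    # next 16-bit index for rd auto (sequential here)

    def add_vfi(self, vfi):
        imports, exports = vfi.rts("import"), vfi.rts("export")
        if not imports or not exports:
            raise ValueError(f"{vfi.name}: needs at least one import and one export RT")
        rd = f"{self.router_id}:{self._rd_index}" if vfi.rd == "auto" else vfi.rd
        parse_rt(rd)
        vpls_id = vfi.vpls_id or default_vpls_id(self.asn, vfi.vpn_id)
        parse_rt(vpls_id)
        for o in self.vfis:
            if o.vpn_id == vfi.vpn_id:
                raise ValueError(f"{vfi.name}: VPN ID {vfi.vpn_id} already used by {o.name}")
            if o.rd == rd:
                raise ValueError(f"{vfi.name}: RD {rd} already used by {o.name}")
            if o.vpls_id == vpls_id:
                raise ValueError(f"{vfi.name}: VPLS ID {vpls_id} already used by {o.name}")
            if (imports | exports) & (o.rts("import") | o.rts("export")):
                raise ValueError(f"{vfi.name}: shares a route target with {o.name}")
            if (vfi.ve_id is not None and o.bridge_domain == vfi.bridge_domain
                    and o.ve_id == vfi.ve_id):
                raise ValueError(f"{vfi.name}: VE ID {vfi.ve_id} reused in {o.bridge_domain}")
        if vfi.rd == "auto":
            self._rd_index += 1
        vfi.rd, vfi.vpls_id = rd, vpls_id
        self.vfis.append(vfi)
        return vfi

    def rejects(self, vfi):
        """True if add_vfi refuses this VFI (used to exercise the checks)."""
        try:
            self.add_vfi(vfi)
        except ValueError:
            return True
        return False

    def match_nlri(self, nlri_rts):
        """Local VFIs whose import RTs match a route target in a received NLRI."""
        received = {parse_rt(v) for v in nlri_rts}
        return [v for v in self.vfis if v.rts("import") & received]
```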
• The bridge domains to create the Layer 2 topology. The RAPS channel is configured in a dedicated
management bridge domain separated from the data bridge domains.
• Behavior characteristics that apply to the ERP instance, if they differ from the default values. This is
optional.
This section provides information on:
• Configuring ERP Profile, page LSC-262
• Configuring CFM MEP, page LSC-263
• Configuring an ERP Instance, page LSC-263
• Configuring ERP Parameters, page LSC-267
• Configuring TCN Propagation, page LSC-269
Configuring ERP Profile
Perform this task to configure an Ethernet ring protection (ERP) profile.
SUMMARY STEPS
1. configure
2. ethernet ring g8032 profile profile-name
3. timer {wtr | guard | hold-off} seconds
4. non-revertive
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 ethernet ring g8032 profile profile-name
Example:
RP/0/RSP0/CPU0:router(config)# ethernet ring g8032 profile p1
Enables G.8032 ring mode, and enters the G.8032 ring profile
configuration submode.
Step 3 timer {wtr | guard | hold-off} seconds
Example:
RP/0/RSP0/CPU0:router(config-g8032-ring-profile)# timer hold-off 5
Specifies the time interval (in seconds) for the guard, hold-off
and wait-to-restore timers.
Step 4 non-revertive
Example:
RP/0/RSP0/CPU0:router(config-g8032-ring-profile)# non-revertive
Specifies a non-revertive ring instance.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-g8032-ring-profile)# end
or
RP/0/RSP0/CPU0:router(config-g8032-ring-profile)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring CFM MEP
For more information about Ethernet Connectivity Fault Management (CFM), refer to the Configuring
Ethernet OAM on the Cisco ASR 9000 Series Router module in the Cisco ASR 9000 Series Aggregation
Services Router Interface and Hardware Component Configuration Guide.
Configuring an ERP Instance
Perform this task to configure an ERP instance.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group bridge-group-name
4. bridge-domain aps-bridge-domain-name
5. interface type port0-interface-path-id.subinterface
6. interface type port1-interface-path-id.subinterface
7. bridge-domain data-bridge-domain-name
8. interface type interface-path-id.subinterface
9. ethernet ring g8032 ring-name
10. instance number
11. description string
12. profile profile-name
13. rpl {port0 | port1} {owner | neighbor | next-neighbor}
14. inclusion-list vlan-ids vlan-id
15. aps-channel
16. level number
17. port0 interface type interface-path-id
18. port1 {interface type interface-path-id | bridge-domain bridge-domain-name | xconnect
xconnect-name | none}
19. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge
group csco
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
Creates a bridge group that can contain bridge domains, and
then assigns network interfaces to the bridge domain.
Step 4 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain bd1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain for R-APS channels, and enters
L2VPN bridge group bridge domain configuration mode.
Step 5 interface type
port0-interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
interface GigabitEthernet 0/0/0/0.1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
Enters interface configuration mode and adds an interface to
a bridge domain that allows packets to be forwarded and
received from other interfaces that are part of the same
bridge domain.
Step 6 interface type
port1-interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
interface GigabitEthernet 0/0/0/1.1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
Enters interface configuration mode and adds an interface to
a bridge domain that allows packets to be forwarded and
received from other interfaces that are part of the same
bridge domain.
Step 7 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#
bridge-domain bd2
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
Establishes a bridge domain for data traffic, and enters
L2VPN bridge group bridge domain configuration mode.
Step 8 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
interface GigabitEthernet 0/0/0/0.10
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#
Enters interface configuration mode and adds an interface to
a bridge domain that allows packets to be forwarded and
received from other interfaces that are part of the same
bridge domain.
Step 9 ethernet ring g8032 ring-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# ethernet
ring g8032 r1
Enables G.8032 ring mode, and enters G.8032
configuration submode.
Step 10 instance number
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp)#
instance 1
Enters the Ethernet ring G.8032 instance configuration
submode.
Step 11 description string
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance)# description test
Specifies a string that serves as description for that instance.
Step 12 profile profile-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance)# profile p1
Specifies the associated Ethernet ring G.8032 profile.
Step 13 rpl {port0 | port1} {owner | neighbor |
next-neighbor}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance)# rpl port0 neighbor
Specifies one ring port on the local node as RPL owner,
neighbor or next-neighbor.
Step 14 inclusion-list vlan-ids vlan-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance)# inclusion-list vlan-ids e-g
Associates a set of VLAN IDs with the current instance.
Step 15 aps-channel
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance)# aps-channel
Enters the Ethernet ring G.8032 instance aps-channel
configuration submode.
Step 16 level number
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance-aps)# level 5
Specifies the APS message level. The range is from 0 to 7.
Step 17 port0 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance-aps)# port0 interface GigabitEthernet 0/0/0/0.1
Associates the G.8032 APS channel interface to port0.
Step 18 port1 {interface type interface-path-id |
bridge-domain bridge-domain-name | xconnect
xconnect-name | none}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance-aps)# port1 interface GigabitEthernet 0/0/0/1.1
Associates the G.8032 APS channel interface to port1.
Step 19 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance-aps)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-erp-instance-aps)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
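A pre-commit check for the ERP instance built by the procedure above, as an added example (not Cisco code): it verifies the constraints the procedure states (APS level 0 to 7; the R-APS channel ports are sub-interfaces that belong to their own APS bridge domain, kept separate from the data bridge domain; one RPL role on port0 or port1; a well-formed inclusion-list) against a small data model whose field names are assumptions. The port1 bridge-domain and xconnect forms are not modelled.

```python
"""Pre-commit check for a G.8032 ERP instance built by the procedure above.

Added example, not Cisco code. The ErpInstance fields are assumptions that
mirror the CLI: an APS (R-APS) bridge domain holding the two ring-port
sub-interfaces, a separate data bridge domain, and the ring instance with
its RPL role, inclusion-list, APS level and APS channel ports.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094          # IEEE 802.1Q VLAN ID range
RPL_ROLES = ("owner", "neighbor", "next-neighbor")


@dataclass
class ErpInstance:
    ring: str
    number: int
    profile: str
    rpl_port: str                      # "port0" | "port1"
    rpl_role: str                      # one of RPL_ROLES
    inclusion_list: str                # e.g. "10-20,30"
    aps_level: int                     # APS message level, 0-7
    aps_port0: str                     # R-APS sub-interface on port0
    aps_port1: str                     # R-APS sub-interface on port1, or "none"
    aps_bridge_domain: str
    data_bridge_domain: str
    # bridge-domain name -> interfaces configured under it
    bridge_domains: Dict[str, Set[str]] = field(default_factory=dict)


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand '10-20,30' into a set of VLAN IDs; raise on malformed input."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)                 # ValueError on non-numeric input
        hi_i = int(hi) if hi else lo_i
        if not VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX:
            raise ValueError(f"VLAN range {part.strip()!r} outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def is_subinterface(name: str) -> bool:
    """IOS XR sub-interfaces end in '.<number>', e.g. GigabitEthernet0/0/0/0.1."""
    base, dot, sub = name.rpartition(".")
    return bool(base) and bool(dot) and sub.isdigit()


def validate_erp_instance(inst: ErpInstance) -> List[str]:
    """Return findings; an empty list means the instance passed every check."""
    findings: List[str] = []
    if not 0 <= inst.aps_level <= 7:
        findings.append(f"aps-channel level {inst.aps_level} outside 0-7")
    if inst.rpl_port not in ("port0", "port1") or inst.rpl_role not in RPL_ROLES:
        findings.append(f"rpl {inst.rpl_port} {inst.rpl_role}: expected "
                        f"rpl {{port0 | port1}} {{{' | '.join(RPL_ROLES)}}}")
    try:
        parse_vlan_list(inst.inclusion_list)
    except ValueError as exc:
        findings.append(f"inclusion-list vlan-ids: {exc}")
    # R-APS rides in its own management bridge domain, separate from data.
    if inst.aps_bridge_domain == inst.data_bridge_domain:
        findings.append("APS bridge domain must differ from the data bridge domain")
    aps_members = inst.bridge_domains.get(inst.aps_bridge_domain, set())
    data_members = inst.bridge_domains.get(inst.data_bridge_domain, set())
    for port, ifname in (("port0", inst.aps_port0), ("port1", inst.aps_port1)):
        if ifname == "none":
            continue
        if not is_subinterface(ifname):
            findings.append(f"aps-channel {port} {ifname} is not a sub-interface")
        if ifname not in aps_members:
            findings.append(f"aps-channel {port} {ifname} is not in APS bridge "
                            f"domain {inst.aps_bridge_domain}")
        if ifname in data_members:
            findings.append(f"aps-channel {port} {ifname} is also in the data "
                            f"bridge domain {inst.data_bridge_domain}")
    return findings


def example_instance() -> ErpInstance:
    """The instance the procedure above builds (names taken from its examples;
    the inclusion-list range is constructed, the page shows a placeholder)."""
    return ErpInstance(
        ring="r1", number=1, profile="p1", rpl_port="port0", rpl_role="neighbor",
        inclusion_list="10-20", aps_level=5,
        aps_port0="GigabitEthernet0/0/0/0.1", aps_port1="GigabitEthernet0/0/0/1.1",
        aps_bridge_domain="bd1", data_bridge_domain="bd2",
        bridge_domains={
            "bd1": {"GigabitEthernet0/0/0/0.1", "GigabitEthernet0/0/0/1.1"},
            "bd2": {"GigabitEthernet0/0/0/0.10"},
        },
    )


if __name__ == "__main__":
    for line in validate_erp_instance(example_instance()) or ["ok"]:
        print(line)
```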
Configuring ERP Parameters
Perform this task to configure ERP parameters.
SUMMARY STEPS
1. configure
2. l2vpn
3. ethernet ring g8032 ring-name
4. port0 interface type interface-path-id
5. monitor port0 interface type interface-path-id
6. exit
7. port1 {interface type interface-path-id | virtual | none}
8. monitor port1 interface type interface-path-id
9. exit
10. exclusion-list vlan-ids vlan-id
11. open-ring
12. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 ethernet ring g8032 ring-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# ethernet
ring g8032 r1
Enables G.8032 ring mode, and enters G.8032
configuration submode.
Step 4 port0 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp)# port0
interface GigabitEthernet 0/1/0/6
Enables G.8032 ERP for the specified port (ring port).
Step 5 monitor port0 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-port0)#
monitor port0 interface 0/1/0/2
Specifies the port that is monitored to detect ring link
failure per ring port. The monitored interface must be a
sub-interface of the main interface.
Step 6 exit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-port0)#
exit
Exits port0 configuration submode.
Step 7 port1 {interface type interface-path-id |
virtual | none}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp)# port1
interface GigabitEthernet 0/1/0/8
Enables G.8032 ERP for the specified port (ring port).
Step 8 monitor port1 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-port1)#
monitor port1 interface 0/1/0/3
Specifies the port that is monitored to detect ring link
failure per ring port. The monitored interface must be a
sub-interface of the main interface.
Step 9 exit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp-port1)#
exit
Exits port1 configuration submode.
Step 10 exclusion-list vlan-ids vlan-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp)#
exclusion-list vlan-ids a-d
Specifies a set of VLAN IDs that is not protected by
Ethernet ring protection mechanism.
Step 11 open-ring
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp)# open-ring
Specifies the Ethernet ring G.8032 as an open ring.
Step 12 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-erp)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-erp)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring TCN Propagation
Perform this task to configure topology change notification (TCN) propagation.
SUMMARY STEPS
1. configure
2. l2vpn
3. tcn-propagation
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 tcn-propagation
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# tcn-propagation
Allows TCN propagation from the minor ring to the major ring and
from MSTP to G.8032.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring Flow Aware Transport Pseudowire
This section provides information on:
• Enabling Load Balancing with ECMP and FAT PW for VPWS
• Enabling Load Balancing with ECMP and FAT PW for VPLS
Enabling Load Balancing with ECMP and FAT PW for VPWS
Perform this task to enable load balancing with ECMP and FAT PW for VPWS.
SUMMARY STEPS
1. configure
2. l2vpn
3. load-balancing flow {src-dst-mac | src-dst-ip}
4. pw-class {name}
5. encapsulation mpls
6. load-balancing flow-label {both | receive | transmit} [static]
7. exit
8. xconnect group group-name
9. p2p xconnect-name
10. interface type interface-path-id
11. neighbor A.B.C.D pw-id pseudowire-id
12. pw-class {name}
13. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters the configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 load-balancing flow {src-dst-mac | src-dst-ip}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# load-balancing flow src-dst-ip
Enables flow-based load balancing.
• src-dst-mac—Uses source and destination MAC
addresses for hashing.
• src-dst-ip—Uses source and destination IP addresses
for hashing.
Note It is recommended to use the load-balancing flow
command with the src-dst-ip keyword.
Step 4 pw-class {name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class
path1
Configures the pseudowire class template name to use for
the pseudowire.
Step 5 encapsulation mpls
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pwc)#
encapsulation mpls
Configures the pseudowire encapsulation to MPLS.
Step 6 load-balancing flow-label {both | receive |
transmit} [static]
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pwc-mpls)# load-balancing flow-label both
Enables load-balancing on ECMPs. Also, enables the
imposition and disposition of flow labels for the
pseudowire.
Note If the static keyword is not specified, end-to-end
negotiation of the FAT PW is enabled.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pwc-mpls)# exit
Exits the pseudowire encapsulation submode and returns
the router to the parent configuration mode.
Step 8 xconnect group group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect
group grp1
Specifies the name of the cross-connect group.
Step 9 p2p xconnect-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p vlan1
Specifies the name of the point-to-point cross-connect.
Step 10 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)#
interface GigabitEthernet0/0/0/0.1
Specifies the interface type and instance.
Step 11 neighbor A.B.C.D pw-id pseudowire-id
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)#
neighbor 10.2.2.2 pw-id 2000
Configures the pseudowire segment for the cross-connect.
Use the A.B.C.D argument to specify the IP address of the
cross-connect peer.
Note A.B.C.D can be a recursive or non-recursive prefix.
Step 12 pw-class class-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# pw-class path1
Associates the pseudowire class with this pseudowire.
Step 13 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Enabling Load Balancing with ECMP and FAT PW for VPLS
Perform this task to enable load balancing with ECMP and FAT PW for VPLS.
SUMMARY STEPS
1. configure
2. l2vpn
3. load-balancing flow {src-dst-mac | src-dst-ip}
4. pw-class {class-name}
5. encapsulation mpls
6. load-balancing flow-label {both | receive | transmit} [static]
7. exit
8. bridge group bridge-group-name
9. bridge-domain bridge-domain-name
10. vfi {vfi-name}
11. autodiscovery bgp
12. signaling-protocol bgp
13. load-balancing flow-label {both | receive | transmit} [static]
14. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters the configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 load-balancing flow {src-dst-mac | src-dst-ip}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)#
load-balancing flow src-dst-ip
Enables flow based load balancing.
• src-dst-mac—Uses source and destination MAC
addresses for hashing.
• src-dst-ip—Uses source and destination IP addresses
for hashing.
Note It is recommended to use the load-balancing flow
command with the src-dst-ip keyword.
Step 4 pw-class {class-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class
class1
Associates the pseudowire class with this pseudowire.
Step 5 encapsulation mpls
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pwc)#
encapsulation mpls
Configures the pseudowire encapsulation to MPLS.
Step 6 load-balancing flow-label {both | receive |
transmit} [static]
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pwc-mpls)#
load-balancing flow-label both
Enables load-balancing on ECMPs. Also, enables the
imposition and disposition of flow labels for the
pseudowire.
Note If the static keyword is not specified, end to end
negotiation of the FAT PW is enabled.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pwc-mpls)#
exit
Exits the pseudowire encapsulation submode and returns
the router to the parent configuration mode.
Step 8 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge
group group1
Creates a bridge group so that it can contain bridge domains
and then assigns network interfaces to the bridge domain.
Step 9 bridge-domain bridge-domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain domain1
Establishes a bridge domain and enters L2VPN bridge
group bridge domain configuration mode.
Step 10 vfi {vfi-name}
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# vfi my_vfi
Enters virtual forwarding instance (VFI) configuration
mode.
Step 11 autodiscovery bgp
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#
autodiscovery bgp
Enters BGP autodiscovery configuration mode where all
BGP autodiscovery parameters are configured.
Step 12 signaling-protocol bgp
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad)# signaling-protocol bgp
Enables BGP signaling, and enters the BGP signaling
configuration submode where BGP signaling parameters
are configured.
Step 13 load-balancing flow-label
{both | receive | transmit} [static]
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad-sig)# load-balancing flow-label both static
Enables load-balancing on ECMPs. Also, enables the
imposition and disposition of flow labels for the
pseudowire.
Step 14 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad-sig)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-ad-sig)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
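The flow-label setting in Step 6 of the VPWS procedure and in Steps 6 and 13 of the VPLS procedure has two ends, and a mismatch between them is what a practitioner most needs to catch before commit. This added example (not Cisco code) models which direction of the pseudowire carries flow labels for a pair of settings; the negotiated rule follows RFC 6391 (a side imposes only if the peer can receive) and is an assumption about the end-to-end negotiation the Note refers to, and with static each side is assumed to apply its own setting unconditionally.

```python
"""Which direction of a FAT pseudowire carries flow labels, for a pair of
`load-balancing flow-label {both | receive | transmit} [static]` settings.

Added example, not Cisco code. Negotiated behaviour follows RFC 6391 and is
an assumption about the end-to-end negotiation mentioned in the Note: a PE
imposes the flow label only when it is configured to transmit and the peer
signals that it can receive, and expects one on disposition only when it is
configured to receive and the peer transmits. With `static` each side is
assumed to apply its own setting unconditionally, so a mismatch can leave
one PE pushing a label the other does not pop.
"""
from dataclasses import dataclass
from typing import List, NamedTuple


class FlowLabelCfg(NamedTuple):
    mode: str            # "both" | "receive" | "transmit"
    static: bool = False

    @property
    def transmit(self) -> bool:
        return self.mode in ("both", "transmit")

    @property
    def receive(self) -> bool:
        return self.mode in ("both", "receive")


@dataclass(frozen=True)
class PwDirection:
    impose: bool         # this PE pushes a flow label below the PW label
    expect: bool         # this PE pops a flow label from received frames


def resolve(local: FlowLabelCfg, remote: FlowLabelCfg) -> PwDirection:
    """Behaviour of `local` toward `remote` once configured/negotiated."""
    if local.static:
        # No negotiation: the configured behaviour is applied as-is.
        return PwDirection(impose=local.transmit, expect=local.receive)
    # Negotiated: a side transmits only if the peer can receive, and vice versa.
    # A static peer is modelled as advertising exactly what it is configured for.
    return PwDirection(impose=local.transmit and remote.receive,
                       expect=local.receive and remote.transmit)


def check_pair(a: FlowLabelCfg, b: FlowLabelCfg) -> List[str]:
    """Return mismatches between the two ends of the pseudowire.

    A label the receiver does not expect, or an expected label that is not
    there, means the payload is misinterpreted in that direction, so both
    cases are reported.
    """
    da, db = resolve(a, b), resolve(b, a)
    issues: List[str] = []
    if da.impose != db.expect:
        issues.append(f"A->B: A impose={da.impose} but B expect={db.expect}")
    if db.impose != da.expect:
        issues.append(f"B->A: B impose={db.impose} but A expect={da.expect}")
    return issues


if __name__ == "__main__":
    # Constructed pairs: the symmetric negotiated setup, and a static 'both'
    # facing a peer that is configured to receive only.
    for a, b in ((FlowLabelCfg("both"), FlowLabelCfg("both")),
                 (FlowLabelCfg("both", static=True), FlowLabelCfg("receive"))):
        print(a, b, check_pair(a, b) or ["consistent"])
```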
Configuration Examples for Multipoint Layer 2 Services
This section includes these configuration examples:
• Virtual Private LAN Services Configuration for Provider Edge-to-Provider Edge: Example,
page LSC-277
• Virtual Private LAN Services Configuration for Provider Edge-to-Customer Edge: Example,
page LSC-278
• Displaying MAC Address Withdrawal Fields: Example, page LSC-279
• Split Horizon Group: Example, page LSC-280
• Blocking Unknown Unicast Flooding: Example, page LSC-281
• Disabling MAC Flush: Examples, page LSC-281
• Bridging on IOS XR Trunk Interfaces: Example, page LSC-282
• Bridging on Ethernet Flow Points: Example, page LSC-286
• Changing the Flood Optimization Mode: Example, page LSC-288
• Configuring VPLS with BGP Autodiscovery and Signaling: Example, page LSC-289
• Configuring Dynamic ARP Inspection: Example, page LSC-293
• Configuring IP Source Guard: Example, page LSC-295
• Configuring G.8032 Ethernet Ring Protection: Example, page LSC-296
• Configuring Flow Aware Transport Pseudowire: Example, page LSC-300
Virtual Private LAN Services Configuration for Provider Edge-to-Provider Edge:
Example
These configuration examples show how to create a Layer 2 VFI with a full-mesh of participating VPLS
provider edge (PE) nodes.
This configuration example shows how to configure PE 1:
configure
l2vpn
bridge group 1
bridge-domain PE1-VPLS-A
interface GigabitEthernet0/0/0/1
vfi 1
neighbor 10.2.2.2 pw-id 1
neighbor 10.3.3.3 pw-id 1
!
!
interface loopback 0
ipv4 address 10.1.1.1 255.255.255.255
This configuration example shows how to configure PE 2:
configure
l2vpn
bridge group 1
bridge-domain PE2-VPLS-A
interface GigabitEthernet0/0/0/1
vfi 1
neighbor 10.1.1.1 pw-id 1
neighbor 10.3.3.3 pw-id 1
!
!
interface loopback 0
ipv4 address 10.2.2.2 255.255.255.255
This configuration example shows how to configure PE 3:
configure
l2vpn
bridge group 1
bridge-domain PE3-VPLS-A
interface GigabitEthernet0/0/0/1
vfi 1
neighbor 10.1.1.1 pw-id 1
neighbor 10.2.2.2 pw-id 1
!
!
interface loopback 0
ipv4 address 10.3.3.3 255.255.255.255
Virtual Private LAN Services Configuration for Provider Edge-to-Customer
Edge: Example
This configuration shows how to configure VPLS for PE-to-CE nodes:
configure
interface GigabitEthernet0/0/0/1
l2transport    ! AC interface
no ipv4 address
no ipv4 directed-broadcast
negotiation auto
no cdp enable
configure
interface GigabitEthernet0/0
l2transport
no ipv4 address
no ipv4 directed-broadcast
negotiation auto
no cdp enable
configure
interface GigabitEthernet0/0
l2transport
no ipv4 address
no ipv4 directed-broadcast
negotiation auto
no cdp enable
Displaying MAC Address Withdrawal Fields: Example
This sample output shows the MAC address withdrawal fields:
RP/0/RSP0/CPU0:router# show l2vpn bridge-domain detail
Bridge group: siva_group, bridge-domain: siva_bd, id: 0, state: up, ShgId: 0, MSTi: 0
MAC Learning: enabled
MAC withdraw: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown Unicast: enabled
MAC address aging time: 300 s Type: inactivity
MAC address limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
Security: disabled
DHCPv4 Snooping: disabled
MTU: 1500
MAC Filter: Static MAC addresses:
ACs: 1 (1 up), VFIs: 1, PWs: 2 (1 up)
List of ACs:
AC: GigabitEthernet0/4/0/1, state is up
Type Ethernet
MTU 1500; XC ID 0x5000001; interworking none; MSTi 0 (unprotected)
MAC Learning: enabled
MAC withdraw: disabled
Flooding:
Broadcast & Multicast: enabled
Unknown Unicast: enabled
MAC address aging time: 300 s Type: inactivity
MAC address limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
Security: disabled
DHCPv4 Snooping: disabled
Static MAC addresses:
Statistics:
packet totals: receive 6,send 0
byte totals: receive 360,send 4
List of Access PWs:
List of VFIs:
VFI siva_vfi
PW: neighbor 10.1.1.1, PW ID 1, state is down ( local ready )
PW class not set, XC ID 0xff000001
Encapsulation MPLS, protocol LDP
PW type Ethernet, control word enabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
MPLS Local Remote
------------ ------------------------------ -------------------------
Label 30005 unknown
Group ID 0x0 0x0
Interface siva/vfi unknown
MTU 1500 unknown
Control word enabled unknown
PW type Ethernet unknown
------------ ------------------------------ -------------------------
Create time: 19/11/2007 15:20:14 (00:25:25 ago)
Last time status changed: 19/11/2007 15:44:00 (00:01:39 ago)
MAC withdraw message: send 0 receive 0
Split Horizon Group: Example
This example configures interfaces for Layer 2 transport, adds them to a bridge domain, and assigns
them to split horizon groups.
RP/0/RSP0/CPU0:router(config)#l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#bridge group examples
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#bridge-domain all_three
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#interface GigabitEthernet 0/0/0/0.99
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#interface GigabitEthernet 0/0/0/0.101
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#split-horizon group
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#neighbor 192.168.99.1 pw-id 1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#neighbor 192.168.99.9 pw-id 1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#split-horizon group
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pw)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#vfi abc
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#neighbor 192.168.99.17 pw-id 1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi-pw)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-vfi)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#show
Mon Oct 18 13:51:05.831 EDT
l2vpn
bridge group examples
bridge-domain all_three
interface GigabitEthernet0/0/0/0.99
!
interface GigabitEthernet0/0/0/0.101
split-horizon group
!
neighbor 192.168.99.1 pw-id 1
!
neighbor 192.168.99.9 pw-id 1
split-horizon group
!
vfi abc
neighbor 192.168.99.17 pw-id 1
!
!
!
!
!
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
According to this example, the split horizon group assignments for bridge domain all_three are:
Bridge Port/Pseudowire          Split Horizon Group
bridge port: gig0/0/0/0.99      0
bridge port: gig0/0/0/0.101     2
PW: 192.168.99.1 pw-id 1        0
PW: 192.168.99.9 pw-id 1        2
PW: 192.168.99.17 pw-id 1       1
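The group assignments above can be derived mechanically from the `show` output. This added example (not Cisco code) parses that output, recovers the split horizon group of each bridge port and pseudowire using the numbering on this page (0 by default, 2 with `split-horizon group` configured, 1 for VFI pseudowires), and answers whether one member may forward to another; the forwarding rule it applies (members of the same non-zero group never forward to each other, group 0 is unrestricted) is standard split horizon behaviour stated here as the model's assumption.

```python
"""Derive split horizon group (SHG) membership from the IOS XR bridge-domain
configuration shown above and answer "may port A forward/flood to port B?".

Added example, not Cisco code. SHG numbering follows the table on this page:
0 for ACs and access pseudowires by default, 2 when `split-horizon group` is
configured on them, 1 for pseudowires under a VFI. The forwarding rule
(members of the same non-zero group never forward to each other; group 0 is
unrestricted) is standard split horizon behaviour, assumed here.
"""
from typing import Dict

# Constructed copy of the `show` output from the split horizon example above.
SAMPLE_CONFIG = """\
l2vpn
 bridge group examples
  bridge-domain all_three
   interface GigabitEthernet0/0/0/0.99
   !
   interface GigabitEthernet0/0/0/0.101
    split-horizon group
   !
   neighbor 192.168.99.1 pw-id 1
   !
   neighbor 192.168.99.9 pw-id 1
    split-horizon group
   !
   vfi abc
    neighbor 192.168.99.17 pw-id 1
    !
   !
  !
 !
!
"""

SHG_DEFAULT, SHG_VFI, SHG_CONFIGURED = 0, 1, 2


def split_horizon_groups(config: str) -> Dict[str, int]:
    """Map each bridge port / pseudowire in the bridge domain to its SHG.

    Indentation is ignored on purpose (extracted show output often loses it);
    the parser relies on the `!` block terminators instead.
    """
    groups: Dict[str, int] = {}
    current = None        # member (interface/neighbor) whose block we are in
    in_vfi = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if current is not None:
                current = None         # end of an interface/neighbor block
            elif in_vfi:
                in_vfi = False         # end of the vfi block
            continue                   # otherwise closes bd/bridge group/l2vpn
        tokens = line.split()
        if tokens[0] == "vfi":
            in_vfi = True
        elif tokens[0] == "interface":
            current = tokens[1]
            groups[current] = SHG_DEFAULT
        elif tokens[0] == "neighbor":
            current = " ".join(tokens[1:])          # "A.B.C.D pw-id N"
            groups[current] = SHG_VFI if in_vfi else SHG_DEFAULT
        elif tokens[:2] == ["split-horizon", "group"] and current is not None:
            groups[current] = SHG_CONFIGURED
    return groups


def can_forward(groups: Dict[str, int], src: str, dst: str) -> bool:
    """True if a frame arriving on `src` may be forwarded or flooded to `dst`."""
    if src == dst:
        return False
    g_src, g_dst = groups[src], groups[dst]
    return g_src == SHG_DEFAULT or g_src != g_dst


if __name__ == "__main__":
    shg = split_horizon_groups(SAMPLE_CONFIG)
    for member, group in shg.items():
        print(f"{member:<32} SHG {group}")
```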
Blocking Unknown Unicast Flooding: Example
Unknown-unicast flooding can be blocked at these levels:
• bridge domain
• bridge port (attachment circuit (AC))
• access pseudowire (PW)
This example shows how to block unknown-unicast flooding at the bridge domain level:
configure
l2vpn
bridge group group1
bridge-domain domain1
flooding unknown-unicast disable
end
This example shows how to block unknown-unicast flooding at the bridge port level:
configure
l2vpn
bridge group group1
bridge-domain domain1
interface GigabitEthernet 0/1/0/1
flooding unknown-unicast disable
end
This example shows how to block unknown-unicast flooding at the access pseudowire level:
configure
l2vpn
bridge group group1
bridge-domain domain1
neighbor 10.1.1.1 pw-id 1000
flooding unknown-unicast disable
end
Disabling MAC Flush: Examples
You can disable the MAC flush at these levels:
• bridge domain
• bridge port (attachment circuit (AC))
• access pseudowire (PW)
This example shows how to disable the MAC flush at the bridge domain level:
configure
l2vpn
bridge group group1
bridge-domain domain1
mac
port-down flush disable
end
This example shows how to disable the MAC flush at the bridge port level:
configure
l2vpn
bridge group group1
bridge-domain domain1
interface GigabitEthernet 0/1/0/1
mac
port-down flush disable
end
This example shows how to disable the MAC flush at the access pseudowire level:
configure
l2vpn
bridge group group1
bridge-domain domain1
neighbor 10.1.1.1 pw-id 1000
mac
port-down flush disable
end
Bridging on IOS XR Trunk Interfaces: Example
This example shows how to configure a Cisco ASR 9000 Series Router as a simple L2 switch.
Important Notes:
• Create a bridge domain that has four attachment circuits (AC). Each AC is an IOS XR trunk interface
(i.e. not a subinterface/EFP).
• This example assumes that the running config is empty, and that all the components are created.
• This example provides all the necessary steps to configure the Cisco ASR 9000 Series Router to
perform switching between the interfaces. However, the commands to prepare the interfaces such as
no shut, negotiation auto, etc., have been excluded.
• The bridge domain is in a no shut state, immediately after being created.
• Only trunk (i.e. main) interfaces are used in this example.
• The trunk interfaces are capable of handling tagged (i.e. IEEE 802.1Q) or untagged (i.e. no VLAN
header) frames.
• The bridge domain learns, floods, and forwards based on MAC address. This functionality works
for frames regardless of tag configuration.
• The bridge domain entity spans all the line cards of the system. It is not necessary to place all the
bridge domain ACs on a single LC. This applies to any bridge domain configuration.
• The show bundle and the show l2vpn bridge-domain commands are used to verify that the router
was configured as expected, and that the commands show the status of the new configurations.
• The ACs in this example use interfaces that are in the admin down state.
Configuration Example
RP/0/RSP0/CPU0:router#config
RP/0/RSP0/CPU0:router(config)#interface Bundle-ether10
RP/0/RSP0/CPU0:router(config-if)#l2transport
RP/0/RSP0/CPU0:router(config-if-l2)#interface GigabitEthernet0/2/0/5
RP/0/RSP0/CPU0:router(config-if)#bundle id 10 mode active
RP/0/RSP0/CPU0:router(config-if)#interface GigabitEthernet0/2/0/6
RP/0/RSP0/CPU0:router(config-if)#bundle id 10 mode active
RP/0/RSP0/CPU0:router(config-if)#interface GigabitEthernet0/2/0/0
RP/0/RSP0/CPU0:router(config-if)#l2transport
RP/0/RSP0/CPU0:router(config-if-l2)#interface GigabitEthernet0/2/0/1
RP/0/RSP0/CPU0:router(config-if)#l2transport
RP/0/RSP0/CPU0:router(config-if-l2)#interface TenGigE0/1/0/2
RP/0/RSP0/CPU0:router(config-if)#l2transport
RP/0/RSP0/CPU0:router(config-if-l2)#l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)#bridge group examples
RP/0/RSP0/CPU0:router(config-l2vpn-bg)#bridge-domain test-switch
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#interface Bundle-ether10
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#interface GigabitEthernet0/2/0/0
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#interface GigabitEthernet0/2/0/1
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#interface TenGigE0/1/0/2
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#commit
RP/0/RSP0/CPU0:Jul 26 10:48:21.320 EDT: config[65751]: %MGBL-CONFIG-6-DB_COMMIT :
Configuration committed by user 'lab'. Use 'show configuration commit changes 1000000973'
to view the changes.
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)#end
RP/0/RSP0/CPU0:Jul 26 10:48:21.342 EDT: config[65751]: %MGBL-SYS-5-CONFIG_I : Configured
from console by lab
RP/0/RSP0/CPU0:router#show bundle Bundle-ether10
Bundle-Ether10
Status: Down
Local links : 0 / 0 / 2
Local bandwidth : 0 (0) kbps
MAC address (source): 0024.f71e.22eb (Chassis pool)
Minimum active links / bandwidth: 1 / 1 kbps
Maximum active links: 64
Wait while timer: 2000 ms
LACP: Operational
Flap suppression timer: Off
mLACP: Not configured
IPv4 BFD: Not configured
Port Device State Port ID B/W, kbps
-------------------- --------------- ----------- -------------- ----------
Gi0/2/0/5 Local Configured 0x8000, 0x0001 1000000
Link is down
Gi0/2/0/6 Local Configured 0x8000, 0x0002 1000000
Link is down
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router#show l2vpn bridge-domain group examples
Bridge group: examples, bridge-domain: test-switch, id: 2000, state: up, ShgId: 0, MSTi: 0
Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog
Filter MAC addresses: 0
ACs: 4 (1 up), VFIs: 0, PWs: 0 (0 up), PBBs: 0 (0 up)
List of ACs:
BE10, state: down, Static MAC addresses: 0
Gi0/2/0/0, state: up, Static MAC addresses: 0
Gi0/2/0/1, state: down, Static MAC addresses: 0
Te0/1/0/2, state: down, Static MAC addresses: 0
List of Access PWs:
List of VFIs:
RP/0/RSP0/CPU0:router#
This table lists the configuration steps (actions) and the corresponding purpose for this example:
Step  Command or Action                  Purpose
1     configure                          Enters global configuration mode.
2     interface Bundle-ether10           Creates a new bundle trunk interface.
3     l2transport                        Changes Bundle-ether10 from an L3 interface to an L2 interface.
4     interface GigabitEthernet0/2/0/5   Enters interface configuration mode for GigabitEthernet0/2/0/5.
5     bundle id 10 mode active           Establishes GigabitEthernet0/2/0/5 as a member of Bundle-ether10. The mode active keywords specify the LACP protocol.
6     interface GigabitEthernet0/2/0/6   Enters interface configuration mode for GigabitEthernet0/2/0/6.
7     bundle id 10 mode active           Establishes GigabitEthernet0/2/0/6 as a member of Bundle-ether10. The mode active keywords specify the LACP protocol.
8     interface GigabitEthernet0/2/0/0   Enters interface configuration mode for GigabitEthernet0/2/0/0.
9     l2transport                        Changes GigabitEthernet0/2/0/0 from an L3 interface to an L2 interface.
10    interface GigabitEthernet0/2/0/1   Enters interface configuration mode for GigabitEthernet0/2/0/1.
11    l2transport                        Changes GigabitEthernet0/2/0/1 from an L3 interface to an L2 interface.
12    interface TenGigE0/1/0/2           Enters interface configuration mode for TenGigE0/1/0/2.
13    l2transport                        Changes TenGigE0/1/0/2 from an L3 interface to an L2 interface.
14    l2vpn                              Enters L2VPN configuration mode.
15    bridge group examples              Creates the bridge group examples.
16    bridge-domain test-switch          Creates the bridge domain test-switch, which is a member of bridge group examples.
17    interface Bundle-ether10           Establishes Bundle-ether10 as an AC of bridge domain test-switch.
18    exit                               Exits bridge domain AC configuration submode, allowing the next AC to be configured.
19    interface GigabitEthernet0/2/0/0   Establishes GigabitEthernet0/2/0/0 as an AC of bridge domain test-switch.
20    exit                               Exits bridge domain AC configuration submode, allowing the next AC to be configured.
21    interface GigabitEthernet0/2/0/1   Establishes GigabitEthernet0/2/0/1 as an AC of bridge domain test-switch.
22    exit                               Exits bridge domain AC configuration submode, allowing the next AC to be configured.
23    interface TenGigE0/1/0/2           Establishes TenGigE0/1/0/2 as an AC of bridge domain test-switch.
24    end or commit                      Saves configuration changes.
      • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
        – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
        – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
        – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
      • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Bridging on Ethernet Flow Points: Example
This example shows how to configure a Cisco ASR 9000 Series Router to perform Layer 2 switching on
traffic that passes through Ethernet Flow Points (EFPs). EFP traffic typically has one or more VLAN
headers. Although both IOS XR trunks and IOS XR EFPs can be combined as attachment circuits in
bridge domains, this example uses EFPs exclusively.
Important Notes:
• An EFP is a Layer 2 subinterface. It is always created under a trunk interface. The trunk interface
must exist before the EFP is created.
• In an empty configuration, the bundle interface trunk does not exist, but the physical trunk interfaces
are automatically configured when a line card is inserted. Therefore, only the bundle trunk is
created.
• In this example the subinterface number and the VLAN IDs are identical, but this is out of
convenience, and is not a necessity. They do not need to be the same values.
• The bridge domain test-efp has three attachment circuits (ACs). All the ACs are EFPs.
• Only frames with a VLAN ID of 999 enter the EFPs. This ensures that all the traffic in this bridge
domain has the same VLAN encapsulation.
• The ACs in this example use interfaces that are in the admin down state, or interfaces for which no
line card has been inserted (unresolved state). Bridge domains that use nonexistent interfaces as
ACs are legal, and the commit for such configurations does not fail. In this case, the status of the
bridge domain shows unresolved until you configure the missing interface.
Configuration Example
RP/0/RSP1/CPU0:router#configure
RP/0/RSP1/CPU0:router(config)#interface Bundle-ether10
RP/0/RSP1/CPU0:router(config-if)#interface Bundle-ether10.999 l2transport
RP/0/RSP1/CPU0:router(config-subif)#encapsulation dot1q 999
RP/0/RSP1/CPU0:router(config-subif)#interface GigabitEthernet0/6/0/5
RP/0/RSP1/CPU0:router(config-if)#bundle id 10 mode active
RP/0/RSP1/CPU0:router(config-if)#interface GigabitEthernet0/6/0/6
RP/0/RSP1/CPU0:router(config-if)#bundle id 10 mode active
RP/0/RSP1/CPU0:router(config-if)#interface GigabitEthernet0/6/0/7.999 l2transport
RP/0/RSP1/CPU0:router(config-subif)#encapsulation dot1q 999
RP/0/RSP1/CPU0:router(config-subif)#interface TenGigE0/1/0/2.999 l2transport
RP/0/RSP1/CPU0:router(config-subif)#encapsulation dot1q 999
RP/0/RSP1/CPU0:router(config-subif)#l2vpn
RP/0/RSP1/CPU0:router(config-l2vpn)#bridge group examples
RP/0/RSP1/CPU0:router(config-l2vpn-bg)#bridge-domain test-efp
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd)#interface Bundle-ether10.999
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd)#interface GigabitEthernet0/6/0/7.999
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd-ac)#exit
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd)#interface TenGigE0/1/0/2.999
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd-ac)#commit
RP/0/RSP1/CPU0:router(config-l2vpn-bg-bd-ac)#end
RP/0/RSP1/CPU0:router#
RP/0/RSP1/CPU0:router#show l2vpn bridge-domain group examples
Fri Jul 23 21:56:34.473 UTC
Bridge group: examples, bridge-domain: test-efp, id: 0, state: up, ShgId: 0, MSTi: 0
Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog
Filter MAC addresses: 0
ACs: 3 (0 up), VFIs: 0, PWs: 0 (0 up), PBBs: 0 (0 up)
List of ACs:
BE10.999, state: down, Static MAC addresses: 0
Gi0/6/0/7.999, state: unresolved, Static MAC addresses: 0
Te0/1/0/2.999, state: down, Static MAC addresses: 0
List of Access PWs:
List of VFIs:
RP/0/RSP1/CPU0:router#
This table lists the configuration steps (actions) and the corresponding purpose for this example:
Step  Command or Action                                  Purpose
1     configure                                          Enters global configuration mode.
2     interface Bundle-ether10                           Creates a new bundle trunk interface.
3     interface Bundle-ether10.999 l2transport           Creates an EFP under the new bundle trunk.
4     encapsulation dot1q 999                            Assigns VLAN ID 999 to this EFP.
5     interface GigabitEthernet0/6/0/5                   Enters interface configuration mode for GigabitEthernet0/6/0/5.
6     bundle id 10 mode active                           Establishes GigabitEthernet0/6/0/5 as a member of Bundle-ether10. The mode active keywords specify the LACP protocol.
7     interface GigabitEthernet0/6/0/6                   Enters interface configuration mode for GigabitEthernet0/6/0/6.
8     bundle id 10 mode active                           Establishes GigabitEthernet0/6/0/6 as a member of Bundle-ether10. The mode active keywords specify the LACP protocol.
9     interface GigabitEthernet0/6/0/7.999 l2transport   Creates an EFP under GigabitEthernet0/6/0/7.
10    encapsulation dot1q 999                            Assigns VLAN ID 999 to this EFP.
11    interface TenGigE0/1/0/2.999 l2transport           Creates an EFP under TenGigE0/1/0/2.
12    encapsulation dot1q 999                            Assigns VLAN ID 999 to this EFP.
13    l2vpn                                              Enters L2VPN configuration mode.
14    bridge group examples                              Creates the bridge group named examples.
15    bridge-domain test-efp                             Creates the bridge domain named test-efp, which is a member of bridge group examples.
16    interface Bundle-ether10.999                       Establishes Bundle-ether10.999 as an AC of the bridge domain named test-efp.
17    exit                                               Exits bridge domain AC configuration submode, allowing the next AC to be configured.
18    interface GigabitEthernet0/6/0/7.999               Establishes GigabitEthernet0/6/0/7.999 as an AC of the bridge domain named test-efp.
19    exit                                               Exits bridge domain AC configuration submode, allowing the next AC to be configured.
20    interface TenGigE0/1/0/2.999                       Establishes TenGigE0/1/0/2.999 as an AC of the bridge domain named test-efp.
21    end or commit                                      Saves configuration changes.
      • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
        – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
        – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
        – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
      • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Changing the Flood Optimization Mode: Example
This example shows how to change the default flood optimization mode under a bridge domain:
config
l2vpn
bridge group MyGroup
bridge-domain MyDomain
flood mode convergence-optimized
Configuring VPLS with BGP Autodiscovery and Signaling: Example
This section contains these configuration examples for configuring the BGP autodiscovery and signaling
feature:
• LDP and BGP Configuration
• Minimum L2VPN Configuration for BGP Autodiscovery with BGP Signaling
• VPLS with BGP Autodiscovery and BGP Signaling
• Minimum Configuration for BGP Autodiscovery with LDP Signaling
• VPLS with BGP Autodiscovery and LDP Signaling
LDP and BGP Configuration
Figure 19 illustrates an example of LDP and BGP configuration.
Figure 19 LDP and BGP Configuration (topology: CE1 - PE1 - MPLS Core - PE2 - CE2; PE1 and PE2 each use GigabitEthernet0/1/0/0 toward the MPLS core)
Configuration at PE1:
interface Loopback0
ipv4 address 1.1.1.100 255.255.255.255
!
interface Loopback1
ipv4 address 1.1.1.10 255.255.255.255
!
mpls ldp
router-id 1.1.1.1
interface GigabitEthernet0/1/0/0
!
router bgp 120
address-family l2vpn vpls-vpws
!
neighbor 2.2.2.20
remote-as 120
update-source Loopback1
address-family l2vpn vpls-vpws
signaling bgp disable
Configuration at PE2:
interface Loopback0
ipv4 address 2.2.2.200 255.255.255.255
!
interface Loopback1
ipv4 address 2.2.2.20 255.255.255.255
!
mpls ldp
router-id 2.2.2.2
interface GigabitEthernet0/1/0/0
!
router bgp 120
address-family l2vpn vpls-vpws
!
neighbor 1.1.1.10
remote-as 120
update-source Loopback1
address-family l2vpn vpls-vpws
Minimum L2VPN Configuration for BGP Autodiscovery with BGP Signaling
This example illustrates the minimum L2VPN configuration required for BGP Autodiscovery with BGP
Signaling, where any parameter that has a default value is not configured.
(config)# l2vpn
(config-l2vpn)# bridge group {bridge group name}
(config-l2vpn-bg)# bridge-domain {bridge domain name}
(config-l2vpn-bg-bd)# vfi {vfi name}
(config-l2vpn-bg-bd-vfi)# autodiscovery bgp
(config-l2vpn-bg-bd-vfi-ad)# vpn-id 10
(config-l2vpn-bg-bd-vfi-ad)# rd auto
(config-l2vpn-bg-bd-vfi-ad)# route-target 1.1.1.1:100
(config-l2vpn-bg-bd-vfi-ad)# signaling-protocol bgp
(config-l2vpn-bg-bd-vfi-ad-sig)# ve-id 1
(config-l2vpn-bg-bd-vfi-ad-sig)# commit
VPLS with BGP Autodiscovery and BGP Signaling
Figure 20 illustrates an example of configuring VPLS with BGP autodiscovery (AD) and BGP
Signaling.
Figure 20 VPLS with BGP autodiscovery and BGP signaling (topology: CE1 - PE1 (1.1.1.1, AC GigabitEthernet0/1/0/1.1) - MPLS Core - PE2 (3.3.3.3, AC GigabitEthernet0/1/0/2.1) - CE2)
Configuration at PE1:
l2vpn
bridge group gr1
bridge-domain bd1
interface GigabitEthernet0/1/0/1.1
vfi vf1
! AD independent VFI attributes
vpn-id 100
! Auto-discovery attributes
autodiscovery bgp
rd auto
route-target 2.2.2.2:100
! Signaling attributes
signaling-protocol bgp
ve-id 3
Configuration at PE2:
l2vpn
bridge group gr1
bridge-domain bd1
interface GigabitEthernet0/1/0/2.1
vfi vf1
! AD independent VFI attributes
vpn-id 100
! Auto-discovery attributes
autodiscovery bgp
rd auto
route-target 2.2.2.2:100
! Signaling attributes
signaling-protocol bgp
ve-id 5
This is an example of NLRI for VPLS with BGP AD and signaling:
Discovery Attributes
NLRI sent at PE1:
Length = 19
Router Distinguisher = 3.3.3.3:32770
VE ID = 3
VE Block Offset = 1
VE Block Size = 10
Label Base = 16015
NLRI sent at PE2:
Length = 19
Router Distinguisher = 1.1.1.1:32775
VE ID = 5
VE Block Offset = 1
VE Block Size = 10
Label Base = 16120
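The pseudowire label each PE uses follows from these NLRI fields as specified in RFC 4761: a remote PE with VE ID R selects Label Base + (R - VE Block Offset) from the advertiser's block, and only if R lies within [VE Block Offset, VE Block Offset + VE Block Size - 1]; a VE ID outside the block needs a further NLRI with another label block. The following Python code (an added example, not from the Cisco guide) carries that computation through with the values listed above; the class and function names are this example's own.

```python
# Added example: derive VPLS pseudowire labels from BGP-signaled NLRI (RFC 4761).
from dataclasses import dataclass


@dataclass(frozen=True)
class VplsNlri:
    """One VPLS NLRI as advertised by a PE (field names follow the listing above)."""
    rd: str
    ve_id: int
    ve_block_offset: int
    ve_block_size: int
    label_base: int

    def covers(self, remote_ve_id: int) -> bool:
        """True if remote_ve_id falls inside the advertised label block."""
        return self.ve_block_offset <= remote_ve_id < self.ve_block_offset + self.ve_block_size

    def label_for(self, remote_ve_id: int) -> int:
        """Label a PE holding remote_ve_id must push toward the advertiser of this NLRI."""
        if not self.covers(remote_ve_id):
            last = self.ve_block_offset + self.ve_block_size - 1
            raise ValueError(f"VE ID {remote_ve_id} outside block [{self.ve_block_offset}, {last}]")
        return self.label_base + (remote_ve_id - self.ve_block_offset)


# Values copied from the NLRI listing above: PE1 is VE ID 3, PE2 is VE ID 5.
PE1_NLRI = VplsNlri(rd="3.3.3.3:32770", ve_id=3, ve_block_offset=1, ve_block_size=10, label_base=16015)
PE2_NLRI = VplsNlri(rd="1.1.1.1:32775", ve_id=5, ve_block_offset=1, ve_block_size=10, label_base=16120)


def pseudowire_labels(local: VplsNlri, remote: VplsNlri) -> dict:
    """Both directions of the PW between two PEs, seen from `local`.

    local_sends   - label taken from the remote's block, pushed on frames toward remote
    local_expects - label from the local block that the remote will push toward us
    """
    return {
        "local_sends": remote.label_for(local.ve_id),
        "local_expects": local.label_for(remote.ve_id),
    }


if __name__ == "__main__":
    print("PE1:", pseudowire_labels(PE1_NLRI, PE2_NLRI))
    print("PE2:", pseudowire_labels(PE2_NLRI, PE1_NLRI))
```

The two dictionaries are mirror images of each other, which is the consistency check to run when a BGP-signaled VPLS PW stays down: if the label one PE sends is not the one the other PE expects, one side has the wrong VE ID, block offset or label base in its NLRI.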
Minimum Configuration for BGP Autodiscovery with LDP Signaling
This example illustrates the minimum L2VPN configuration required for BGP Autodiscovery with LDP
Signaling, where any parameter that has a default value is not configured.
(config)# l2vpn
(config-l2vpn)# bridge group {bridge group name}
(config-l2vpn-bg)# bridge-domain {bridge domain name}
(config-l2vpn-bg-bd)# vfi {vfi name}
(config-l2vpn-bg-bd-vfi)# autodiscovery bgp
(config-l2vpn-bg-bd-vfi-ad)# vpn-id 10
(config-l2vpn-bg-bd-vfi-ad)# rd auto
(config-l2vpn-bg-bd-vfi-ad)# route-target 1.1.1.1:100
(config-l2vpn-bg-bd-vfi-ad)# commit
VPLS with BGP Autodiscovery and LDP Signaling
Figure 21 illustrates an example of configuring VPLS with BGP autodiscovery (AD) and LDP Signaling.
Figure 21 VPLS with BGP autodiscovery and LDP signaling (topology: CE1 - PE1 - MPLS Core - PE2 - CE2; PE1 and PE2 each use GigabitEthernet0/1/0/0 toward the MPLS core)
Configuration at PE1:
l2vpn
router-id 10.10.10.10
bridge group bg1
bridge-domain bd1
vfi vf1
vpn-id 100
autodiscovery bgp
rd 1:100
route-target 12:12
Configuration at PE2:
l2vpn
router-id 20.20.20.20
bridge group bg1
bridge-domain bd1
vfi vf1
vpn-id 100
autodiscovery bgp
rd 2:200
route-target 12:12
signaling-protocol ldp
vpls-id 120:100
Discovery and Signaling Attributes
Configuration at PE1:
LDP Router ID - 1.1.1.1
BGP Router ID - 1.1.1.100
Peer Address - 1.1.1.10
L2VPN Router ID - 10.10.10.10
Route Distinguisher - 1:100
Common Configuration between PE1 and PE2:
ASN - 120
VPN ID - 100
VPLS ID - 120:100
Route Target - 12:12
Configuration at PE2:
LDP Router ID - 2.2.2.2
BGP Router ID - 2.2.2.200
Peer Address - 2.2.2.20
L2VPN Router ID - 20.20.20.20
Route Distinguisher - 2:200
Discovery Attributes
NLRI sent at PE1:
Source Address - 1.1.1.10
Destination Address - 2.2.2.20
Length - 14
Route Distinguisher - 1:100
L2VPN Router ID - 10.10.10.10
VPLS ID - 120:100
Route Target - 12:12
NLRI sent at PE2:
Source Address - 2.2.2.20
Destination Address - 1.1.1.10
Length - 14
Route Distinguisher - 2:200
L2VPN Router ID - 20.20.20.20
VPLS ID - 120:100
Route Target - 12:12
Configuring Dynamic ARP Inspection: Example
This example shows how to configure basic dynamic ARP inspection under a bridge domain:
config
l2vpn
bridge group MyGroup
bridge-domain MyDomain
dynamic-arp-inspection logging
This example shows how to configure basic dynamic ARP inspection under a bridge port:
config
l2vpn
bridge group MyGroup
bridge-domain MyDomain
interface gigabitEthernet 0/1/0/0.1
dynamic-arp-inspection logging
This example shows how to configure optional dynamic ARP inspection under a bridge domain:
l2vpn
bridge group SECURE
bridge-domain SECURE-DAI
dynamic-arp-inspection
logging
address-validation
src-mac
dst-mac
ipv4
This example shows how to configure optional dynamic ARP inspection under a bridge port:
l2vpn
bridge group SECURE
bridge-domain SECURE-DAI
interface GigabitEthernet0/0/0/1.10
dynamic-arp-inspection
logging
address-validation
src-mac
dst-mac
ipv4
This example shows the output of the show l2vpn bridge-domain bd-name SECURE-DAI detail
command:
#show l2vpn bridge-domain bd-name SECURE-DAI detail
Bridge group: SECURE, bridge-domain: SECURE-DAI, id: 2, state: up,
…
Dynamic ARP Inspection: enabled, Logging: enabled
Dynamic ARP Inspection Address Validation:
IPv4 verification: enabled
Source MAC verification: enabled
Destination MAC verification: enabled
…
List of ACs:
AC: GigabitEthernet0/0/0/1.10, state is up
…
Dynamic ARP Inspection: enabled, Logging: enabled
Dynamic ARP Inspection Address Validation:
IPv4 verification: enabled
Source MAC verification: enabled
Destination MAC verification: enabled
IP Source Guard: enabled, Logging: enabled
…
Dynamic ARP inspection drop counters:
packets: 1000, bytes: 64000
This example shows the output of the show l2vpn forwarding interface interface-name detail location
location-name command:
#show l2vpn forwarding interface g0/0/0/1.10 det location 0/0/CPU0
Local interface: GigabitEthernet0/0/0/1.10, Xconnect id: 0x40001, Status: up
…
Dynamic ARP Inspection: enabled, Logging: enabled
Dynamic ARP Inspection Address Validation:
IPv4 verification: enabled
Source MAC verification: enabled
Destination MAC verification: enabled
IP Source Guard: enabled, Logging: enabled
…
This example shows the logging display:
LC/0/0/CPU0:Jun 16 13:28:28.697 : l2fib[188]: %L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC :
Dynamic ARP inspection in AC GigabitEthernet0_0_0_7.1000 detected violated packet - source
MAC: 0000.0000.0065, destination MAC: 0000.0040.0000, sender MAC: 0000.0000.0064, target
MAC: 0000.0000.0000, sender IP: 5.6.6.6, target IP: 130.10.3.2
LC/0/5/CPU0:Jun 16 13:28:38.716 : l2fib[188]: %L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC :
Dynamic ARP inspection in AC Bundle-Ether100.103 detected violated packet - source MAC:
0000.0000.0067, destination MAC: 0000.2300.0000, sender MAC: 0000.7800.0034, target MAC:
0000.0000.0000, sender IP: 130.2.5.1, target IP: 50.5.1.25
Configuring IP Source Guard: Example
This example shows how to configure basic IP source guard under a bridge domain:
config
l2vpn
bridge group MyGroup
bridge-domain MyDomain
ip-source-guard logging
This example shows how to configure basic IP source guard under a bridge port:
config
l2vpn
bridge group MyGroup
bridge-domain MyDomain
interface gigabitEthernet 0/1/0/0.1
ip-source-guard logging
This example shows how to configure optional IP source guard under a bridge domain:
l2vpn
bridge group SECURE
bridge-domain SECURE-IPSG
ip-source-guard
logging
This example shows how to configure optional IP source guard under a bridge port:
l2vpn
bridge group SECURE
bridge-domain SECURE-IPSG
interface GigabitEthernet0/0/0/1.10
ip-source-guard
logging
This example shows the output of the show l2vpn bridge-domain bd-name SECURE-IPSG detail command:
# show l2vpn bridge-domain bd-name SECURE-IPSG detail
Bridge group: SECURE, bridge-domain: SECURE-IPSG, id: 2, state: up,
…
IP Source Guard: enabled, Logging: enabled
…
List of ACs:
AC: GigabitEthernet0/0/0/1.10, state is up
…
IP Source Guard: enabled, Logging: enabled
…
IP source guard drop counters:
packets: 1000, bytes: 64000
This example shows the output of the show l2vpn forwarding interface interface-name detail location
location-name command:
# show l2vpn forwarding interface g0/0/0/1.10 detail location 0/0/CPU0
Local interface: GigabitEthernet0/0/0/1.10, Xconnect id: 0x40001, Status: up
…
IP Source Guard: enabled, Logging: enabled
This example shows the logging display:
LC/0/0/CPU0:Jun 16 13:32:25.334 : l2fib[188]: %L2-L2FIB-5-SECURITY_IPSG_VIOLATION_AC : IP
source guard in AC GigabitEthernet0_0_0_7.1001 detected violated packet - source MAC:
0000.0000.0200, destination MAC: 0000.0003.0000, source IP: 130.0.0.1, destination IP:
125.34.2.5
LC/0/5/CPU0:Jun 16 13:33:25.530 : l2fib[188]: %L2-L2FIB-5-SECURITY_IPSG_VIOLATION_AC : IP
source guard in AC Bundle-Ether100.100 detected violated packet - source MAC:
0000.0000.0064, destination MAC: 0000.0040.0000, source IP: 14.5.1.3, destination IP:
45.1.1.10
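To act on these messages, a collector has to turn them into structured events. The Python script below (an added example, not from the Cisco guide) parses both the dynamic ARP inspection and the IP source guard violation formats shown above and counts violations per attachment circuit, so that an AC producing repeated violations can be raised as an alert. The sample log is constructed from the messages above plus one repeated entry and one unrelated commit message; mapping the underscores in the logged AC name back to slashes, so it matches the interface name as typed in the CLI, is an assumption of this example.

```python
# Added example: parse %L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC and
# %L2-L2FIB-5-SECURITY_IPSG_VIOLATION_AC syslog lines and count violations per AC.
import re
from collections import Counter
from typing import Iterable, Optional

# "LC/0/0/CPU0:Jun 16 13:28:28.697 : l2fib[188]: ..." -> node and timestamp
_HDR = re.compile(r"^(?P<node>[^:\s]+):(?P<ts>.+?) : ")

_DAI = re.compile(
    r"%L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC\s*:\s*"
    r"Dynamic ARP inspection in AC (?P<ac>\S+) detected violated packet - "
    r"source MAC: (?P<src_mac>[0-9a-f.]+), destination MAC: (?P<dst_mac>[0-9a-f.]+), "
    r"sender MAC: (?P<sender_mac>[0-9a-f.]+), target MAC: (?P<target_mac>[0-9a-f.]+), "
    r"sender IP: (?P<sender_ip>[\d.]+), target IP: (?P<target_ip>[\d.]+)"
)
_IPSG = re.compile(
    r"%L2-L2FIB-5-SECURITY_IPSG_VIOLATION_AC\s*:\s*"
    r"IP source guard in AC (?P<ac>\S+) detected violated packet - "
    r"source MAC: (?P<src_mac>[0-9a-f.]+), destination MAC: (?P<dst_mac>[0-9a-f.]+), "
    r"source IP: (?P<src_ip>[\d.]+), destination IP: (?P<dst_ip>[\d.]+)"
)


def parse_violation(line: str) -> Optional[dict]:
    """Return a dict for a DAI or IPSG violation line, or None for any other line."""
    line = " ".join(line.split())          # undo line wrapping from a console or pager
    for kind, rx in (("DAI", _DAI), ("IPSG", _IPSG)):
        m = rx.search(line)
        if m:
            rec = {"kind": kind, **m.groupdict()}
            # Assumption: the AC is logged with '_' for '/', restore the CLI form.
            rec["ac"] = rec["ac"].replace("_", "/")
            hdr = _HDR.match(line)
            if hdr:
                rec["node"], rec["timestamp"] = hdr.group("node"), hdr.group("ts")
            return rec
    return None


def violations_per_ac(lines: Iterable[str]) -> Counter:
    """Count violations keyed by (kind, ac) across a stream of syslog lines."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_violation(line)
        if rec is not None:
            counts[(rec["kind"], rec["ac"])] += 1
    return counts


def noisy_acs(lines: Iterable[str], threshold: int = 2) -> list:
    """(kind, ac) pairs whose count reaches `threshold`: candidates for an alert."""
    return sorted(k for k, n in violations_per_ac(list(lines)).items() if n >= threshold)


# Constructed sample log: the page's messages, one extra hit on the same AC, one unrelated line.
SAMPLE_LOG = [
    "LC/0/0/CPU0:Jun 16 13:28:28.697 : l2fib[188]: %L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC : "
    "Dynamic ARP inspection in AC GigabitEthernet0_0_0_7.1000 detected violated packet - source "
    "MAC: 0000.0000.0065, destination MAC: 0000.0040.0000, sender MAC: 0000.0000.0064, target "
    "MAC: 0000.0000.0000, sender IP: 5.6.6.6, target IP: 130.10.3.2",
    "LC/0/0/CPU0:Jun 16 13:28:29.102 : l2fib[188]: %L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC : "
    "Dynamic ARP inspection in AC GigabitEthernet0_0_0_7.1000 detected violated packet - source "
    "MAC: 0000.0000.0065, destination MAC: 0000.0040.0000, sender MAC: 0000.0000.0064, target "
    "MAC: 0000.0000.0000, sender IP: 5.6.6.7, target IP: 130.10.3.2",
    "LC/0/5/CPU0:Jun 16 13:28:38.716 : l2fib[188]: %L2-L2FIB-5-SECURITY_DAI_VIOLATION_AC : "
    "Dynamic ARP inspection in AC Bundle-Ether100.103 detected violated packet - source MAC: "
    "0000.0000.0067, destination MAC: 0000.2300.0000, sender MAC: 0000.7800.0034, target MAC: "
    "0000.0000.0000, sender IP: 130.2.5.1, target IP: 50.5.1.25",
    "LC/0/0/CPU0:Jun 16 13:32:25.334 : l2fib[188]: %L2-L2FIB-5-SECURITY_IPSG_VIOLATION_AC : IP "
    "source guard in AC GigabitEthernet0_0_0_7.1001 detected violated packet - source MAC: "
    "0000.0000.0200, destination MAC: 0000.0003.0000, source IP: 130.0.0.1, destination IP: "
    "125.34.2.5",
    "RP/0/RSP0/CPU0:Jun 16 13:32:40.000 : config[65751]: %MGBL-CONFIG-6-DB_COMMIT : "
    "Configuration committed by user 'lab'.",
]

if __name__ == "__main__":
    for key, n in violations_per_ac(SAMPLE_LOG).items():
        print(key, n)
    print("alert:", noisy_acs(SAMPLE_LOG))
```

The regular expressions are anchored on the message mnemonic rather than on the node or timestamp, so the same parser works whether the lines come from the console, from a remote syslog server that prefixes its own header, or from a pager that wrapped them.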
Configuring G.8032 Ethernet Ring Protection: Example
This sample configuration illustrates the elements that a complete G.8032 configuration includes. The ring ports are GigabitEthernet0/0/0/0 and GigabitEthernet0/1/0/0; the APS channel and the data traffic each use an EFP on those two ports, and a third EFP on GigabitEthernet0/2/0/0 is the access port of the data bridge domain:
# Configure the ERP profile characteristics if ERP instance behaviors are non-default.
ethernet ring g8032 profile ERP-profile
timer wtr 60
timer guard 100
timer hold-off 1
non-revertive
# Configure CFM MEPs to monitor the ring links.
ethernet cfm
domain domain1
service link1 down-meps
continuity-check interval 3.3ms
efd
mep crosscheck
mep-id 2
domain domain2
service link2 down-meps
continuity-check interval 3.3ms
efd protection-switching
mep crosscheck
mep-id 2
interface GigabitEthernet0/0/0/0
ethernet cfm mep domain domain1 service link1 mep-id 1
interface GigabitEthernet0/1/0/0
ethernet cfm mep domain domain2 service link2 mep-id 1
# Configure the ERP instance under L2VPN. The aps-channel interfaces are sub-interfaces of port0 and port1.
l2vpn
ethernet ring g8032 RingA
port0 interface GigabitEthernet0/0/0/0
port1 interface GigabitEthernet0/1/0/0
instance 1
description BD2-ring
profile ERP-profile
rpl port0 owner
vlan-ids 10-100
aps-channel
level 3
port0 interface GigabitEthernet0/0/0/0.1
port1 interface GigabitEthernet0/1/0/0.1
# Set up the bridge domains
bridge group ABC
bridge-domain BD2
interface GigabitEthernet0/0/0/0.2
interface GigabitEthernet0/1/0/0.2
interface GigabitEthernet0/2/0/0.2
bridge-domain BD2-APS
interface GigabitEthernet0/0/0/0.1
interface GigabitEthernet0/1/0/0.1
# EFPs configuration
interface GigabitEthernet0/0/0/0.1 l2transport
encapsulation dot1q 5
interface GigabitEthernet0/1/0/0.1 l2transport
encapsulation dot1q 5
interface GigabitEthernet0/0/0/0.2 l2transport
encapsulation dot1q 10-100
interface GigabitEthernet0/1/0/0.2 l2transport
encapsulation dot1q 10-100
interface GigabitEthernet0/2/0/0.2 l2transport
encapsulation dot1q 10-100
Configuring Interconnection Node: Example
This example shows you how to configure an interconnection node. Figure 22 illustrates an open ring
scenario.
Figure 22 Open Ring Scenario - interconnection node (Routers A to F form a major ring and a minor ring joined at interconnection nodes, Router C in this example; R-APS runs on VLAN X1 and data traffic on VLAN Y1)
The minimum configuration required for configuring G.8032 at Router C (Open ring – Router C):
interface l2transport
encapsulation dot1q X1
interface l2transport
encapsulation dot1q Y1
interface l2transport
encapsulation dot1q Y1
interface l2transport
encapsulation dot1q Y1
l2vpn
ethernet ring g8032
port0 interface
port1 none #? This router is connected to an interconnection node
open-ring #? Mandatory when a router is part of an open-ring
instance <1-2>
inclusion-list vlan-ids X1-Y1
aps-channel
port0 interface
port1 none #? This router is connected to an interconnection node
bridge group bg1
bridge-domain bd-aps #? APS-channel has its own bridge domain
#? There is only one APS-channel at the interconnection node
bridge-domain bd-traffic #? Data traffic has its own bridge domain
Configuring the Node of an Open Ring: Example
This example shows you how to configure the node part of an open ring. Figure 23 illustrates an open
ring scenario.
Figure 23 Open Ring Scenario (Routers A to F on a major ring and a minor ring; R-APS runs on VLAN X1 and data traffic on VLAN Y1)
The minimum configuration required for configuring G.8032 at the node of the open ring (node part of
the open ring at router F):
interface l2transport
encapsulation dot1q X1
interface l2transport
encapsulation dot1q X1
interface l2transport
encapsulation dot1q Y1
interface l2transport
encapsulation dot1q Y1
l2vpn
ethernet ring g8032
port0 interface
port1 interface
open-ring #? Mandatory when a router is part of an open-ring
instance <1-2>
inclusion-list vlan-ids X1-Y1
rpl port1 owner #? This node is RPL owner and is blocked
aps-channel
port0 interface
port1 interface
bridge group bg1
bridge-domain bd-aps #? APS-channel has its own bridge domain
bridge-domain bd-traffic #? Data traffic has its own bridge domain
Configuring Flow Aware Transport Pseudowire: Example
This sample configuration shows how to enable load balancing with FAT PW for VPWS.
l2vpn
pw-class class1
encapsulation mpls
load-balancing flow-label transmit
!
!
pw-class class2
encapsulation mpls
load-balancing flow-label both
!
xconnect group group1
p2p p1
interface GigabitEthernet 0/0/0/0.1
neighbor 1.1.1.1 pw-id 1
pw-class class1
!
!
!
This sample configuration shows how to enable load balancing with FAT PW for VPLS.
Note For VPLS, the configuration at the bridge-domain level is applied to all PWs (access and VFI PWs).
Pseudowire classes are defined to override the configuration for manual PWs.
l2vpn
pw-class class1
encapsulation mpls
load-balancing flow-label both
bridge group group1
bridge-domain domain1
vfi vfi2-auto-bgp
autodiscovery bgp
signaling-protocol bgp
load-balancing flow-label both static
!
!
!
!
bridge-domain domain2
vfi vfi2-auto-ldp
autodiscovery bgp
signaling-protocol ldp
load-balancing flow-label both static
!
!
!
!
!
Additional References
For additional information related to implementing VPLS, refer to these:
Related Documents
Related Topic: Document Title
Cisco IOS XR L2VPN commands: Point to Point Layer 2 Services Commands module in the Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
MPLS VPLS-related commands: Multipoint Layer 2 Services Commands module in the Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
Getting started material: Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide
Traffic storm control on VPLS bridges: Traffic Storm Control under VPLS Bridges on Cisco ASR 9000 Series Routers module in the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide
Layer 2 multicast on VPLS bridges: Layer 2 Multicast Using IGMP Snooping module in the Cisco ASR 9000 Series Aggregation Services Router Multicast Configuration Guide
Standards
Standards (1): Title
draft-ietf-l2vpn-vpls-ldp-09: Virtual Private LAN Services Using LDP
1. Not all supported standards are listed.
MIBs
MIBs: MIBs Link
—: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at this URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs: Title
RFC 4447: Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP), April 2006
RFC 4448: Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
RFC 4762: Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling
Technical Assistance
Description: Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content: http://www.cisco.com/techsupport
Implementing IEEE 802.1ah Provider Backbone
Bridge
This module provides conceptual and configuration information for IEEE 802.1ah Provider Backbone
Bridge on Cisco ASR 9000 Series Routers. The IEEE 802.1ah standard (Ref [4]) provides a means for
interconnecting multiple provider bridged networks to build a large scale end-to-end Layer 2 provider
bridged network.
Feature History for Implementing IEEE 802.1ah Provider Backbone Bridge
Release: Modification
Release 3.9.1: This feature was introduced on Cisco ASR 9000 Series Routers.
Contents
• Prerequisites for Implementing 802.1ah Provider Backbone Bridge, page 304
• Information About Implementing 802.1ah Provider Backbone Bridge, page 304
• How to Implement 802.1ah Provider Backbone Bridge, page 309
• Configuration Examples for Implementing 802.1ah Provider Backbone Bridge, page 323
• Additional References, page 325
Prerequisites for Implementing 802.1ah Provider Backbone Bridge
This prerequisite applies to implementing 802.1ah Provider Backbone Bridge:
• You must be in a user group associated with a task group that includes the proper task IDs. The
command reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
• You must be familiar with the multipoint bridging concepts. Refer to the Implementing Multipoint
Layer 2 Services module.
Information About Implementing 802.1ah Provider Backbone Bridge
To implement 802.1ah, you must understand these concepts:
• Benefits of IEEE 802.1ah standard, page 304
• IEEE 802.1ah Standard for Provider Backbone Bridging Overview, page 305
• Backbone Edge Bridges, page 307
• IB-BEB, page 308
Benefits of IEEE 802.1ah standard
The benefits of IEEE 802.1ah provider backbone bridges are as follows:
• Increased service instance scalability
• MAC address scalability
IEEE 802.1ah Standard for Provider Backbone Bridging Overview
The IEEE 802.1ah Provider Backbone Bridge feature encapsulates or decapsulates end-user traffic on a
Backbone Edge Bridge (BEB) at the edge of the Provider Backbone Bridged Network (PBBN). A
Backbone Core Bridge (BCB) based network provides internal transport of the IEEE 802.1ah
encapsulated frames within the PBBN. Figure 24 shows a typical 802.1ah PBB network.
Figure 24 IEEE 802.1ah Provider Backbone Bridge
[Figure: two 802.1ad access networks of CE, PEB and PB (provider bridge) nodes attach through .1ad and .1ah UNIs to an 802.1ah core network of BEB and BCB nodes]
Figure 25 shows a typical provider backbone network topology.
Figure 25 Provider Back Bone Network Topology
[Figure: CE devices attach to BEBs at Customer Network Ports; each BEB has an Edge BD linked by a BEB internal link to a Backbone BD; the BEBs reach the BCBs of the PBBN through Provider Network Ports. Links toward the customer carry customer frames comprising an optional service VLAN tag and the original octets of data; links in the backbone carry backbone frames comprising backbone SA and DA, B-VLAN tag, I-tag and customer frame]
Backbone Edge Bridges
Backbone edge bridges (BEBs) can contain either an I-Component or a B-Component. The I-Component
maps service VLAN identifiers (S-VIDs) to service instance identifiers (I-SIDs) and adds a provider
backbone bridge (PBB) header without a backbone VLAN tag (B-Tag). The B-Component maps I-SIDs
to backbone VIDs (B-VIDs) and adds a PBB header with a B-Tag.
The IEEE 802.1ah standard specifies these three types of BEBs:
• The B-BEB contains the B-Component of the MAC-in-MAC bridge. It validates the I-SIDs and
maps the frames onto the backbone VLAN (B-VLAN). It also switches traffic based on the
B-VLANS within the core bridge.
• The I-BEB contains the I-Component of the MAC-in-MAC bridge. It performs B-MAC
encapsulation and inserts the I-SIDs based on the provider VLAN tags (S-tags), customer VLAN
tags (C-tags), or S-tag/C-tag pairs.
• The IB-BEB contains one or more I-Components and a single B-Component interconnected through
a LAN segment.
Note Only IB-BEBs are supported on Cisco ASR 9000 Series Routers. Cisco IOS XR supports IB-BEB
bridge type at the Edge node.
Figure 26 shows the PBB bridge component topology on the Cisco ASR 9000 Series Routers.
Figure 26 PBB Bridge Component Topology on Cisco ASR 9000 Series Routers
[Figure: Customer Network Ports (CNP) carry EFP-1, EFP-2 ... EFP-m into Edge BD-1, BD-2 ... BD-n of the I-component; each edge BD connects through a VIP (system internal virtual port) to the CBP of the B-component's Core BD, which reaches the Provider Network Ports (PNP) through EFP-x and EFP-y]
IB-BEB
The IB-BEB contains both the I-Component and the B-Component. The bridge selects the B-MAC and
inserts the I-SID based on the provider VLAN tag (S-tag), the customer VLAN tag (C-tag), or both the
S-tag and the C-tag. It validates the I-SIDs and it transmits and receives frames on the B-VLAN.
The IEEE 802.1ah on Provider Backbone Bridges feature supports all services mandated by the IEEE
802.1ah standard and extends the services to provide these additional functionalities:
• S-Tagged Service:
– In multiplexed environments each S-tag maps to an I-SID and may be retained or removed.
– In bundled environments multiple S-tags map to the same I-SID and the S-tags must be retained.
• C-Tagged Service:
– In multiplexed environments each C-tag maps to an I-SID and may be retained or removed.
– In bundled environments multiple C-tags map to the same I-SID and the C-tags must be
retained.
• S/C-Tagged Service:
– In multiplexed environments each S-tag/C-tag pair maps to an I-SID. The S-tag or the
S-tag/C-tag pair may be retained or removed.
– In bundled environments multiple S-tag/C-tags pairs map to the same I-SID and the S-tag/C-tag
pair must be retained.
• Port-based Service
– A port-based service interface is delivered on a Customer Network Port (CNP). A port-based
service interface may attach to a C-VLAN Bridge, 802.1d bridge, router or end-station. The
service provided by this interface forwards all frames without an S-Tag over the backbone on a
single backbone service instance. A port-based interface discards all frames with an S-Tag that
have non-null VLAN IDs.
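As an added example (not code from this guide or from Cisco IOS XR), the following Python model of an IB-BEB shows what the Backbone Edge Bridges section and the service list above describe: the I-Component maps an S-VID to an I-SID and the B-Component maps the I-SID to a B-VID, building the MAC-in-MAC header on the way in and validating the I-SID on the way out. The MAC addresses, VLAN and I-SID values and the customer frame are constructed; the C-MAC to B-MAC table, the unknown-unicast B-MAC and the S-tag retention flag are simplifications of the static-mac-address and unknown-unicast-bmac behaviour described later in this chapter.

```python
"""Toy IB-BEB: I-component (S-VID -> I-SID) plus B-component (I-SID -> B-VID).

Frame layouts follow IEEE 802.1ah: a B-TAG is a 0x88A8 tag carrying the B-VID and
an I-TAG is TPID 0x88E7 followed by a 32-bit TCI whose low 24 bits are the I-SID.
Everything below is constructed for illustration, not taken from the guide.
"""
import struct

ETH_SVLAN = 0x88A8   # S-tag and B-tag TPID
ETH_ITAG = 0x88E7    # I-tag TPID
PBB_HDR_LEN = 6 + 6 + 4 + 6   # B-DA, B-SA, B-TAG, I-TAG


def mac(text):
    """'0045.1200.0401' or '00:45:12:00:04:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace('.', '').replace(':', ''))


class IBBEB:
    """One IB-BEB with a single edge BD per S-VID and a single core BD."""

    def __init__(self, bsa, svid_to_isid, isid_to_bvid, unknown_unicast_bmac,
                 retain_stag=True):
        self.bsa = bsa                              # backbone source MAC (B-SA)
        self.svid_to_isid = svid_to_isid            # edge BD: pbb edge i-sid ...
        self.isid_to_svid = {v: k for k, v in svid_to_isid.items()}
        self.isid_to_bvid = isid_to_bvid            # core BD: B-VLAN pushed as B-TAG
        self.unknown_bmac = unknown_unicast_bmac    # unknown-unicast-bmac
        self.retain_stag = retain_stag              # multiplexed: S-tag may be removed
        self.cmac_to_bmac = {}                      # C-MAC -> B-MAC bindings

    def add_static_mac(self, cda, bda):
        """Equivalent of static-mac-address <cda> bmac <bda> under the edge BD."""
        self.cmac_to_bmac[cda] = bda

    def encapsulate(self, customer_frame):
        """CNP side: S-tagged customer frame -> backbone frame, or None if dropped."""
        if len(customer_frame) < 16:
            return None
        cda, csa = customer_frame[:6], customer_frame[6:12]
        tpid, tci = struct.unpack('!HH', customer_frame[12:16])
        if tpid != ETH_SVLAN:
            return None                             # only the S-tagged service is modelled
        isid = self.svid_to_isid.get(tci & 0x0FFF)
        if isid is None:
            return None                             # no edge BD for this S-VID
        bvid = self.isid_to_bvid[isid]
        # B-DA: known binding for the C-DA, otherwise the unknown-unicast B-MAC
        bda = self.cmac_to_bmac.get(cda, self.unknown_bmac)
        btag = struct.pack('!HH', ETH_SVLAN, bvid)
        itag = struct.pack('!HI', ETH_ITAG, isid & 0xFFFFFF)
        rest = customer_frame[12:] if self.retain_stag else customer_frame[16:]
        return bda + self.bsa + btag + itag + cda + csa + rest

    def decapsulate(self, backbone_frame):
        """PNP side: validate the I-SID, strip the PBB header, restore the S-tag."""
        if len(backbone_frame) < PBB_HDR_LEN + 12:
            return None
        bsa = backbone_frame[6:12]
        btpid, btci, itpid, itci = struct.unpack('!HHHI', backbone_frame[12:22])
        if btpid != ETH_SVLAN or itpid != ETH_ITAG:
            return None
        isid = itci & 0xFFFFFF
        if self.isid_to_bvid.get(isid) != (btci & 0x0FFF):
            return None         # B-component: I-SID not configured or on the wrong B-VLAN
        cda, csa = backbone_frame[22:28], backbone_frame[28:34]
        self.cmac_to_bmac.setdefault(csa, bsa)      # learn remote C-MAC behind its B-SA
        rest = backbone_frame[34:]
        if not self.retain_stag:                    # S-tag was removed on ingress; put it back
            rest = struct.pack('!HH', ETH_SVLAN, self.isid_to_svid[isid]) + rest
        return cda + csa + rest


def demo():
    """Round-trip one constructed S-tagged customer frame from BEB A to BEB B."""
    edge, core = {100: 1000}, {1000: 10}            # S-VID 100 -> I-SID 1000 -> B-VID 10
    group_bmac = mac('011e.8300.03e8')              # constructed unknown-unicast B-MAC
    beb_a = IBBEB(mac('0045.1200.0401'), edge, core, group_bmac)
    beb_b = IBBEB(mac('0045.1200.0402'), edge, core, group_bmac)
    customer = (mac('0000.0000.0002') + mac('0000.0000.0001')
                + struct.pack('!HH', ETH_SVLAN, 100)   # S-tag, VID 100
                + struct.pack('!H', 0x0800) + bytes(46))
    backbone = beb_a.encapsulate(customer)
    restored = beb_b.decapsulate(backbone)
    return customer, backbone, restored


if __name__ == '__main__':
    c, b, r = demo()
    print('backbone header:', b[:PBB_HDR_LEN].hex(), 'restored ok:', r == c)
```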
This example shows how to configure a port-based service:
interface GigabitEthernet0/0/0/10.100 l2transport
encapsulation untagged
--> Creates an EFP for untagged frames.
interface GigabitEthernet0/0/0/10.101 l2transport
encapsulation dot1ad priority-tagged
--> Creates an EFP for null S-tagged frames.
interface GigabitEthernet0/0/0/10.102 l2transport
encapsulation dot1q priority-tagged
--> Creates an EFP for null C-tagged frames.
interface GigabitEthernet0/0/0/10.103 l2transport
encapsulation dot1q any
--> Creates an EFP for C-tagged frames.
Note To configure a port-based service, all the above EFPs must be added to the same edge bridge domain.
How to Implement 802.1ah Provider Backbone Bridge
This section contains these procedures:
• Restrictions for Implementing 802.1ah Provider Backbone Bridge, page 309
• Configuring Ethernet Flow Points on CNP and PNP Ports, page 309
• Configuring PBB Edge Bridge Domain and Service Instance ID, page 311
• Configuring the PBB Core Bridge Domain, page 313
• Configuring Backbone VLAN Tag under the PBB Core Bridge Domain, page 314
• Configuring Backbone Source MAC Address, page 316 (optional)
• Configuring Unknown Unicast Backbone MAC under PBB Edge Bridge Domain, page 319
(optional)
• Configuring Static MAC addresses under PBB Edge Bridge Domain, page 321 (optional)
Restrictions for Implementing 802.1ah Provider Backbone Bridge
These features are not supported:
• Cross-connect based point to point services over MAC-in-MAC
• One Edge bridge to multiple Core bridge mapping
• I type backbone edge bridge (I-BEB) and B type backbone edge bridge (B-BEB)
• IEEE 802.1ah over VPLS
• Multiple source B-MAC addresses per chassis
• Direct encapsulation of 802.1ah formatted packets natively over an MPLS LSP encapsulation
Configuring Ethernet Flow Points on CNP and PNP Ports
Perform this task to configure an Ethernet flow point (EFP) on the customer network port (CNP) or the
provider network port (PNP).
SUMMARY STEPS
1. configure
2. interface type interface-path-id.subinterface l2transport
3. encapsulation dot1q vlan-id
or
encapsulation dot1ad vlan-id
or
encapsulation dot1ad vlan-id dot1q vlan-id
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id.subinterface l2transport
Example:
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/0/0/10.100 l2transport
Configures an interface for L2 switching.
Step 3 encapsulation dot1q vlan-id
or
encapsulation dot1ad vlan-id
or
encapsulation dot1ad vlan-id dot1q vlan-id
Example:
RP/0/RSP0/CPU0:router(config-subif)#
encapsulation dot1q 100
or
encapsulation dot1ad 100
or
encapsulation dot1ad 100 dot1q 101
Assigns the matching VLAN ID and Ethertype to the
interface.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-subif)# end
or
RP/0/RSP0/CPU0:router(config-subif)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring PBB Edge Bridge Domain and Service Instance ID
Perform this task to configure a PBB edge domain and the service ID.
Note To configure the PBB feature, log in with admin user privileges and issue the
hw-module profile feature l2 command to select an ASR 9000 Ethernet line card ucode version that
supports the PBB feature. The PBB feature is not supported on the ASR 9000 Ethernet line card
unless you make this configuration. For more information on configuring the feature profile, refer to the
Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group group-name
4. bridge-domain domain-name
5. interface type interface-path-id.subinterface
6. pbb edge i-sid service-id core-bridge core-bridge-name
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group pbb
Enters configuration mode for the named bridge group. This
command creates a new bridge group or modifies the
existing bridge group if it already exists. A bridge group
organizes bridge domains.
Step 4 bridge-domain domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain pbb-edge
Enters configuration mode for the named bridge domain.
This command creates a new bridge domain or modifies the
existing bridge domain, if it already exists.
Step 5 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/5/0/0.20
Assigns the matching VLAN ID and Ethertype to the
interface. This EFP is considered as the CNP for the Edge
bridge.
Step 6 pbb edge i-sid service-id core-bridge
core-bridge-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
pbb edge i-sid 1000 core-bridge pbb-core
Configures the bridge domain as PBB edge with the service
identifier and the assigned core bridge domain, and enters
the PBB edge configuration submode.
This command also creates the Virtual instance port (VIP)
that associates the PBB Edge bridge domain to the specified
Core bridge domain.
All the interfaces (bridge ports) under this bridge domain
are treated as the customer network ports (CNP).
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the PBB Core Bridge Domain
Perform this task to configure the PBB core bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group group-name
4. bridge-domain domain-name
5. interface type interface-path-id.subinterface
6. pbb core
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group pbb
Enters configuration mode for the named bridge group. This
command creates a new bridge group or modifies the
existing bridge group, if it already exists. A bridge group
organizes bridge domains.
Step 4 bridge-domain domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain pbb-core
Enters configuration mode for the named bridge domain.
This command creates a new bridge domain or modifies the
existing bridge domain if it already exists.
Step 5 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/5/0/0.20
Assigns the matching VLAN ID and Ethertype to the
interface.
Step 6 pbb core
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# pbb core
Configures the bridge domain as PBB core and enters the
PBB core configuration submode.
This command also creates an internal port known as
Customer bridge port (CBP).
All the interfaces (bridge ports) under this bridge domain
are treated as the provider network ports (PNP).
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-core)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-core)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring Backbone VLAN Tag under the PBB Core Bridge Domain
Perform this task to configure the backbone VLAN tag under the PBB core bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group group-name
4. bridge-domain domain-name
5. interface type interface-path-id.subinterface
6. interface type interface-path-id.subinterface
7. pbb core
8. rewrite ingress tag push dot1ad vlan-id symmetric
9. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group pbb
Enters configuration mode for the named bridge group. This
command creates a new bridge group or modifies the
existing bridge group if it already exists. A bridge group
organizes bridge domains.
Step 4 bridge-domain domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain pbb-core
Enters configuration mode for the named bridge domain.
This command creates a new bridge domain or modifies the
existing bridge domain if it already exists.
Step 5 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/5/0/0.20
Assigns the matching VLAN ID and Ethertype to the
interface.
Step 6 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# interface GigabitEthernet0/5/0/1.15
Adds an interface to a bridge domain that allows packets to
be forwarded and received from other interfaces that are
part of the same bridge domain. The interface now becomes
an attachment circuit on this bridge domain.
Step 7 pbb core
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
pbb core
Configures the bridge domain as PBB core and enters the
PBB core configuration submode.
This command also creates an internal port known as
Customer bridge port (CBP).
All the interfaces (bridge ports) under this bridge domain
are treated as the provider network ports (PNP).
Step 8 rewrite ingress tag push dot1ad vlan-id symmetric
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-core)# rewrite ingress tag push dot1ad 100 symmetric
Configures the backbone VLAN tag in the MAC-in-MAC
frame and also sets the tag rewriting policy.
Note All PNPs in a Core bridge domain use the same
backbone VLAN.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-core)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-core)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring Backbone Source MAC Address
The backbone source MAC address (B-SA) is a unique address for a backbone network. Each Cisco ASR
9000 Series Router has one backbone source MAC address. If B-SA is not configured, then the largest
MAC in the EEPROM is used as the PBB B-SA.
Note The backbone source MAC address configuration is optional. If you do not configure the backbone
source MAC address, the Cisco ASR 9000 Series Routers allocate a default backbone source MAC
address from the chassis backplane MAC pool.
Perform this task to configure the backbone source MAC address.
SUMMARY STEPS
1. configure
2. l2vpn
3. pbb
4. backbone-source-mac mac-address
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 pbb
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# pbb
Enters PBB configuration mode.
Step 4 backbone-source-mac mac-address
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pbb)# backbone-source-mac 0045.1200.04
Configures the backbone source MAC address.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-pbb)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-pbb)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring Unknown Unicast Backbone MAC under PBB Edge Bridge Domain
Perform this task to configure the unknown unicast backbone MAC under the PBB edge bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group group-name
4. bridge-domain domain-name
5. interface type interface-path-id.subinterface
6. pbb edge i-sid service-id core-bridge core-bridge-name
7. unknown-unicast-bmac mac-address
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group pbb
Enters configuration mode for the named bridge group. This
command creates a new bridge group or modifies the
existing bridge group if it already exists. A bridge group
organizes bridge domains.
Step 4 bridge-domain domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain pbb-edge
Enters configuration mode for the named bridge domain.
This command creates a new bridge domain or modifies the
existing bridge domain if it already exists.
Step 5 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/5/0/0.20
Assigns the matching VLAN ID and Ethertype to the
interface.
Step 6 pbb edge i-sid service-id core-bridge
core-bridge-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)#
pbb edge i-sid 1000 core-bridge pbb-core
Configures the bridge domain as PBB edge with the service
identifier and the assigned core bridge domain and enters
the PBB edge configuration submode.
This command also creates the Virtual instance port (VIP)
that associates the PBB Edge bridge domain to the specified
Core bridge domain.
All the interfaces (bridge ports) under this bridge domain
are treated as the customer network ports (CNP).
Step 7 unknown-unicast-bmac mac-address
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# unknown-unicast-bmac 1.1.1
Configures unknown unicast backbone MAC address.
Note On Trident line cards, once you configure the
unknown unicast BMAC, the BMAC is used to
forward customer traffic with multicast, broadcast
and unknown unicast destination MAC address.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring Static MAC addresses under PBB Edge Bridge Domain
Perform this task to configure the static MAC addresses under the PBB edge bridge domain.
SUMMARY STEPS
1. configure
2. l2vpn
3. bridge group group-name
4. bridge-domain domain-name
5. interface type interface-path-id.subinterface
6. interface type interface-path-id.subinterface
7. pbb edge i-sid service-id core-bridge core-bridge-name
8. static-mac-address cda-mac-address bmac bda-mac-address
9. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 l2vpn
Example:
RP/0/RSP0/CPU0:router(config)# l2vpn
Enters L2VPN configuration mode.
Step 3 bridge group bridge-group-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group pbb
Enters configuration mode for the named bridge group. This
command creates a new bridge group or modifies the
existing bridge group if it already exists. A bridge group
organizes bridge domains.
Step 4 bridge-domain domain-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain pbb-edge
Enters configuration mode for the named bridge domain.
This command creates a new bridge domain or modifies the
existing bridge domain if it already exists.
Step 5 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface GigabitEthernet0/5/0/0.20
Assigns the matching VLAN ID and Ethertype to the
interface.
Step 6 interface type interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# interface GigabitEthernet0/5/0/1.15
Adds an interface to a bridge domain that allows packets to
be forwarded and received from other interfaces that are
part of the same bridge domain. The interface now becomes
an attachment circuit on this bridge domain.
Step 7 pbb edge i-sid service-id core-bridge core-bridge-name
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# pbb edge i-sid 1000 core-bridge pbb-core
Configures the bridge domain as PBB edge with the service
identifier and the assigned core bridge domain and enters
the PBB edge configuration submode.
This command also creates the Virtual instance port (VIP)
that associates the PBB Edge bridge domain to the specified
Core bridge domain.
All the interfaces (bridge ports) under this bridge domain
are treated as the customer network ports (CNP).
Step 8 static-mac-address cda-mac-address bmac bda-mac-address
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# static-mac-address 0033.3333.3333 bmac 0044.4444.4444
Configures the static CMAC to BMAC mapping under the
PBB Edge submode.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# end
or
RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-pbb-edge)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuration Examples for Implementing 802.1ah Provider
Backbone Bridge
This section provides these configuration examples:
• Configuring Ethernet Flow Points: Example, page 323
• Configuring PBB Edge Bridge Domain and Service Instance ID: Example, page 323
• Configuring PBB Core Bridge Domain: Example, page 324
• Configuring Backbone VLAN Tag: Example, page 324
• Configuring Backbone Source MAC Address: Example, page 324
• Configuring Static Mapping and Unknown Unicast MAC Address under the PBB Edge Bridge
Domain, page 325
Configuring Ethernet Flow Points: Example
This example shows how to configure Ethernet flow points:
config
interface GigabitEthernet0/0/0/10.100 l2transport
encapsulation dot1q 100
or
encapsulation dot1ad 100
or
encapsulation dot1ad 100 dot1q 101
Configuring PBB Edge Bridge Domain and Service Instance ID: Example
This example shows how to configure the PBB edge bridge domain:
config
l2vpn
bridge group PBB
bridge-domain PBB-EDGE
interface GigabitEthernet0/0/0/38.100
!
interface GigabitEthernet0/2/0/30.150
!
pbb edge i-sid 1000 core-bridge PBB-CORE
!
!
!
Configuring PBB Core Bridge Domain: Example
This example shows how to configure the PBB core bridge domain:
config
l2vpn
bridge group PBB
bridge-domain PBB-CORE
interface G0/5/0/10.100
!
interface G0/2/0/20.200
!
pbb core
!
!
!
Configuring Backbone VLAN Tag: Example
This example shows how to configure the backbone VLAN tag:
config
l2vpn
bridge group PBB
bridge-domain PBB-CORE
interface G0/5/0/10.100
!
interface G0/2/0/20.200
!
pbb core
rewrite ingress tag push dot1ad 100 symmetric
!
!
!
Configuring Backbone Source MAC Address: Example
This example shows how to configure the backbone source MAC address:
config
l2vpn
pbb
backbone-source-mac 0045.1200.04
!
!
Configuring Static Mapping and Unknown Unicast MAC Address under the PBB
Edge Bridge Domain
This example shows how to configure static mapping and unknown unicast MAC address under the PBB
edge bridge domain:
config
l2vpn
bridge group PBB
bridge-domain PBB-EDGE
interface GigabitEthernet0/0/0/38.100
!
interface GigabitEthernet0/2/0/30.150
!
pbb edge i-sid 1000 core-bridge PBB-CORE
static-mac-address 0033.3333.3333 bmac 0044.4444.4444
unknown-unicast-bmac 0123.8888.8888
!
!
!
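As an added example (not Cisco code), the Python model below shows what the PBB edge statements configured above produce on the wire: the static-mac-address entry selects the backbone destination for a known customer MAC, unknown-unicast-bmac is used for multicast, broadcast and unknown unicast destinations, backbone-source-mac becomes the B-SA, the i-sid is carried in the I-TAG and the core's pushed dot1ad tag is the B-TAG. The class and function names are this example's own; the MAC, I-SID and VLAN values are those from the configuration examples on this page, and the customer frames are constructed.

```python
"""802.1ah (PBB, MAC-in-MAC) edge encapsulation model. Added example, not Cisco code."""
import struct
from typing import Dict

ETYPE_STAG = 0x88A8  # 802.1ad S-TAG EtherType, carried as the backbone B-TAG
ETYPE_ITAG = 0x88E7  # 802.1ah I-TAG EtherType


def parse_cisco_mac(text: str) -> bytes:
    """Parse IOS XR H.H.H notation. Each dotted group is a 16-bit hex value that
    may be written short, so '1.1.1' is 0001.0001.0001 and '0045.1200.04'
    (the backbone-source-mac on this page) is 0045.1200.0004."""
    groups = text.split(".")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"bad MAC address {text!r}")
    return b"".join(int(g, 16).to_bytes(2, "big") for g in groups)


def is_unicast(mac: bytes) -> bool:
    return not (mac[0] & 0x01)  # I/G bit clear


class PbbEdge:
    """Forwarding behaviour of one PBB edge bridge domain (names are this example's own)."""

    def __init__(self, i_sid: int, core_bvlan: int, backbone_source_mac: str,
                 unknown_unicast_bmac: str) -> None:
        if not 0 <= i_sid < (1 << 24):
            raise ValueError("I-SID is a 24-bit field")
        if not 1 <= core_bvlan <= 4094:
            raise ValueError("B-VLAN must be a valid VLAN ID")
        self.i_sid = i_sid
        self.bvlan = core_bvlan
        self.bsa = parse_cisco_mac(backbone_source_mac)
        self.unknown_bmac = parse_cisco_mac(unknown_unicast_bmac)
        self.static: Dict[bytes, bytes] = {}

    def static_mac_address(self, cmac: str, bmac: str) -> None:
        """Equivalent of 'static-mac-address <cmac> bmac <bmac>' under pbb edge."""
        self.static[parse_cisco_mac(cmac)] = parse_cisco_mac(bmac)

    def select_bda(self, cda: bytes) -> bytes:
        """Known unicast customer destination -> its mapped BMAC. Multicast,
        broadcast and unknown unicast -> the configured unknown-unicast BMAC."""
        if is_unicast(cda) and cda in self.static:
            return self.static[cda]
        return self.unknown_bmac

    def encapsulate(self, customer_frame: bytes, pcp: int = 0) -> bytes:
        """Prepend B-DA, B-SA, B-TAG and I-TAG to a customer Ethernet frame."""
        if len(customer_frame) < 14:
            raise ValueError("customer frame shorter than an Ethernet header")
        cda = customer_frame[:6]
        btag = struct.pack("!HH", ETYPE_STAG, (pcp << 13) | self.bvlan)
        itag = struct.pack("!HI", ETYPE_ITAG, (pcp << 29) | self.i_sid)
        return self.select_bda(cda) + self.bsa + btag + itag + customer_frame


def decapsulate(frame: bytes) -> dict:
    """Split a PBB frame back into backbone header fields and the customer frame."""
    if len(frame) < 22 + 14:
        raise ValueError("frame too short for PBB header plus customer header")
    etype_b, btci = struct.unpack("!HH", frame[12:16])
    etype_i, itci = struct.unpack("!HI", frame[16:22])
    if etype_b != ETYPE_STAG or etype_i != ETYPE_ITAG:
        raise ValueError("not a B-tagged PBB frame")
    return {"bda": frame[:6], "bsa": frame[6:12], "bvlan": btci & 0xFFF,
            "i_sid": itci & 0xFFFFFF, "customer": frame[22:]}


def demo() -> Dict[str, dict]:
    """Encapsulate three constructed customer frames using this page's values."""
    edge = PbbEdge(i_sid=1000, core_bvlan=100, backbone_source_mac="0045.1200.04",
                   unknown_unicast_bmac="0123.8888.8888")
    edge.static_mac_address("0033.3333.3333", "0044.4444.4444")
    csa = parse_cisco_mac("00aa.bbbb.0001")   # constructed customer source MAC
    payload = b"\x08\x00" + b"\x00" * 46      # EtherType IPv4 plus padding
    frames = {
        "known": parse_cisco_mac("0033.3333.3333") + csa + payload,
        "unknown": parse_cisco_mac("0055.5555.5555") + csa + payload,
        "broadcast": b"\xff" * 6 + csa + payload,
    }
    return {name: decapsulate(edge.encapsulate(f)) for name, f in frames.items()}
```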
Additional References
These sections provide references related to implementing 802.1ah on Cisco ASR 9000 Series Routers.
Related Documents
Related Topic: 802.1ah commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Provider Backbone Bridge Commands module in Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
Standards
Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at this URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Implementing Multiple Spanning Tree Protocol
This module provides conceptual and configuration information for Multiple Spanning Tree Protocol on
Cisco ASR 9000 Series Routers. Multiple Spanning Tree Protocol (MSTP) is a spanning-tree protocol
used to prevent loops in bridge configurations. Unlike other types of STPs, MSTP can block ports
selectively by VLAN.
Feature History for Implementing Multiple Spanning Tree Protocol
Release          Modification
Release 3.7.3    This feature was introduced on Cisco ASR 9000 Series Routers.
Release 3.9.1    Support for MSTP over Bundles feature was added.
Release 4.0.1    Support for PVST+ and PVSTAG features was added.
Release 4.1.0    Support for MSTAG Edge Mode feature was added.
Contents
• Prerequisites for Implementing Multiple Spanning Tree Protocol, page 328
• Information About Implementing Multiple Spanning Tree Protocol, page 328
• How to Implement Multiple Spanning Tree Protocol, page 342
• Configuration Examples for Implementing MSTP, page 365
• Additional References, page 374
Prerequisites for Implementing Multiple Spanning Tree Protocol
This prerequisite applies to implementing MSTP:
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
Information About Implementing Multiple Spanning Tree Protocol
To implement MSTP, you must understand these concepts:
• Spanning Tree Protocol Overview
• Multiple Spanning Tree Protocol Overview
• MSTP Supported Features
• Restrictions for configuring MSTP
• Access Gateway
• Multiple VLAN Registration Protocol
Spanning Tree Protocol Overview
Ethernet is no longer just a link-layer technology used to interconnect network vehicles and hosts. Its
low cost and wide spectrum of bandwidth capabilities coupled with a simple plug and play provisioning
philosophy have transformed Ethernet into a legitimate technique for building networks, particularly in
the access and aggregation regions of service provider networks.
Ethernet networks, lacking a TTL field in the Layer 2 (L2) header and encouraging or requiring multicast
traffic network-wide, are susceptible to broadcast storms if loops are introduced. However, loops are a
desirable property as they provide redundant paths. Spanning tree protocols (STP) are used to provide a
loop free topology within Ethernet networks, allowing redundancy within the network to deal with link
failures.
There are many variants of STP; however, they work on the same basic principle. Within a network that
may contain loops, a sufficient number of interfaces are disabled by STP so as to ensure that there is a
loop-free spanning tree, that is, there is exactly one path between any two devices in the network. If there
is a fault in the network that affects one of the active links, the protocol recalculates the spanning tree
so as to ensure that all devices continue to be reachable. STP is transparent to end stations which cannot
detect whether they are connected to a single LAN segment or to a switched LAN containing multiple
segments and using STP to ensure there are no loops.
STP Protocol Operation
All variants of STP operate in a similar fashion: STP frames (known as bridge protocol data units
(BPDUs)) are exchanged at regular intervals over Layer 2 LAN segments, between network devices
participating in STP. Such network devices do not forward these frames, but use the information to
construct a loop free spanning tree.
The spanning tree is constructed by first selecting a device which is the root of the spanning tree (known
as the root bridge), and then by determining a loop free path from the root bridge to every other device
in the network. Redundant paths are disabled by setting the appropriate ports into a blocked state, where
STP frames can still be exchanged but data traffic is never forwarded. If a network segment fails and a
redundant path exists, the STP protocol recalculates the spanning tree topology and activates the
redundant path, by unblocking the appropriate ports.
The selection of the root bridge within an STP network is determined by the configured priority and the
embedded bridge ID of each device. The device with the lowest priority, or with equal lowest priority
but the lowest bridge ID, is selected as the root bridge.
The selection of the active path among a set of redundant paths is determined primarily by the port path
cost. The port path cost represents the cost of transiting between that port and the root bridge - the further
the port is from the root bridge, the higher the cost. The cost is incremented for each link in the path, by
an amount that is (by default) dependent on the media speed. Where two paths from a given LAN
segment have an equal cost, the selection is further determined by the priority and bridge ID of the
attached devices, and in the case of two attachments to the same device, by the configured port priority
and port ID of the attached ports.
Once the active paths have been selected, any ports that do not form part of the active topology are moved
to the blocking state.
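As an added example (not Cisco code), the Python model below implements the selection rules just described on a constructed four-switch topology: root election by (priority, bridge ID), root path cost accumulated from the default speed-based port costs, tie-breaks by the neighbour's bridge ID and then port ID, and blocking of every port that is neither root nor designated. The class and function names are this example's own.

```python
"""STP root bridge and active-path selection model. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]

# IEEE 802.1D-2004 default port path costs, keyed by link speed in Mb/s
DEFAULT_PATH_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # configured priority; lower wins
    mac: str       # embedded bridge address; lower wins on equal priority

    @property
    def bridge_id(self) -> BridgeId:
        return (self.priority, self.mac)


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int


def select_root(bridges: List[Bridge]) -> Bridge:
    return min(bridges, key=lambda b: b.bridge_id)


def compute_spanning_tree(bridges: List[Bridge], links: List[Link]):
    """Return (root name, root path cost per bridge, role per (bridge, port))."""
    by_name = {b.name: b for b in bridges}
    root = select_root(bridges)
    # adjacency: bridge -> [(local port, neighbour, neighbour port, port path cost)]
    adj: Dict[str, list] = {b.name: [] for b in bridges}
    for l in links:
        cost = DEFAULT_PATH_COST[l.speed_mbps]
        adj[l.a].append((l.a_port, l.b, l.b_port, cost))
        adj[l.b].append((l.b_port, l.a, l.a_port, cost))

    INF = float("inf")
    rpc: Dict[str, float] = {b.name: INF for b in bridges}
    rpc[root.name] = 0
    root_port: Dict[str, int] = {}
    # Relax until stable, mimicking BPDUs propagating hop by hop away from the root.
    changed = True
    while changed:
        changed = False
        for name in adj:
            if name == root.name:
                continue
            best = None
            for port, nbr, nbr_port, cost in adj[name]:
                if rpc[nbr] == INF:
                    continue
                # Priority vector: root path cost, then designated bridge ID,
                # then designated port ID, then the receiving port ID
                cand = (rpc[nbr] + cost, by_name[nbr].bridge_id, nbr_port, port)
                if best is None or cand < best:
                    best = cand
            if best is not None and (rpc[name], root_port.get(name)) != (best[0], best[3]):
                rpc[name], root_port[name] = best[0], best[3]
                changed = True

    roles: Dict[Tuple[str, int], str] = {}
    for l in links:
        # The end advertising the better (cost, bridge ID, port ID) is designated
        a_vec = (rpc[l.a], by_name[l.a].bridge_id, l.a_port)
        b_vec = (rpc[l.b], by_name[l.b].bridge_id, l.b_port)
        if a_vec < b_vec:
            des, other = (l.a, l.a_port), (l.b, l.b_port)
        else:
            des, other = (l.b, l.b_port), (l.a, l.a_port)
        roles[des] = "designated"
        # Non-designated end: root port if it is that bridge's chosen path, else blocked
        roles[other] = "root" if root_port.get(other[0]) == other[1] else "blocking"
    return root.name, rpc, roles


# Constructed topology: SW1 is given the lowest priority so it wins the election.
SAMPLE_BRIDGES = [
    Bridge("SW1", 4096, "0000.0000.0001"),
    Bridge("SW2", 32768, "0000.0000.0002"),
    Bridge("SW3", 32768, "0000.0000.0003"),
    Bridge("SW4", 32768, "0000.0000.0004"),
]
SAMPLE_LINKS = [
    Link("SW1", 1, "SW2", 1, 1_000),
    Link("SW1", 2, "SW3", 1, 100),    # FastEthernet: direct to the root, but costly
    Link("SW2", 2, "SW3", 2, 1_000),
    Link("SW2", 3, "SW4", 1, 1_000),
    Link("SW2", 4, "SW4", 3, 1_000),  # parallel link: tie broken by port ID
    Link("SW3", 3, "SW4", 2, 1_000),  # equal cost at both ends: tie broken by bridge ID
]

if __name__ == "__main__":
    root_name, cost, port_roles = compute_spanning_tree(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root_name)
    for (bridge, port), role in sorted(port_roles.items()):
        print(f"{bridge} port {port}: {role} (root path cost {cost[bridge]})")
```

SW3 ends up reaching the root through SW2 over two gigabit hops rather than its own FastEthernet link, which is blocked; the parallel SW2-SW4 link and the SW3-SW4 link are blocked on the SW4 side.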
Topology Changes
Network devices in a switched LAN perform MAC learning; that is, they use received data traffic to
associate unicast MAC addresses with the interface out of which frames destined for that MAC address
should be sent. If STP is used, then a recalculation of the spanning tree (for example, following a failure
in the network) can invalidate this learned information. The protocol therefore includes a mechanism to
notify topology changes around the network, so that the stale information can be removed (flushed) and
new information can be learned based on the new topology.
A Topology Change notification is sent whenever STP moves a port from the blocking state to the
forwarding state. When it is received, the receiving device flushes the MAC learning entries for all ports
that are not blocked other than the one where the notification was received, and also sends its own
topology change notification out of those ports. In this way, it is guaranteed that stale information is
removed from all the devices in the network.
Variants of STP
There are many variants of the Spanning Tree Protocol:
• Legacy STP (STP)—The original STP protocol was defined in IEEE 802.1D-1998. This creates a
single spanning tree which is used for all VLANs and most of the convergence is timer-based.
• Rapid STP (RSTP)—This is an enhancement defined in IEEE 802.1D-2004 to provide more
event-based, and hence faster, convergence. However, it still creates a single spanning tree for all
VLANs.
• Multiple STP (MSTP)—A further enhancement was defined in IEEE 802.1Q-2005. This allows
multiple spanning trees to be created over the same physical topology. By assigning different
VLANs to the different spanning trees, data traffic can be load-balanced over different physical
links. The number of different spanning trees that can be created is restricted to a much smaller
number than the number of possible VLANs; however, multiple VLANs can be assigned to the same
spanning tree. The BPDUs used to exchange MSTP information are always sent untagged; the
VLAN and spanning tree instance data is encoded inside the BPDU.
• Per-Vlan STP (PVST)—This is an alternative mechanism for creating multiple spanning trees; it
was developed by Cisco before the standardization of MSTP. Using PVST, a separate spanning tree
is created for each VLAN. There are two variants: PVST+ (based on legacy STP), and PVRST
(based on RSTP). At a packet level, the separation of the spanning trees is achieved by sending
standard STP or RSTP BPDUs, tagged with the appropriate VLAN tag.
• REP (Cisco-proprietary ring-redundancy protocol)—This is a Cisco-proprietary protocol for
providing resiliency in rings. It is included for completeness because it provides an MSTP compatibility
mode, through which it interoperates with an MSTP peer.
Multiple Spanning Tree Protocol Overview
The Multiple Spanning Tree Protocol (MSTP) is an STP variant that allows multiple and independent
spanning trees to be created over the same physical network. The parameters for each spanning tree can
be configured separately, so as to cause different network devices to be selected as the root bridge or
different paths to be selected to form the loop-free topology. Consequently, a given physical interface
can be blocked for some of the spanning trees and unblocked for others.
Having set up multiple spanning trees, the set of VLANs in use can be partitioned among them; for
example, VLANs 1 - 100 can be assigned to spanning tree 1, VLANs 101 - 200 can be assigned to
spanning tree 2, VLANs 201 - 300 can be assigned to spanning tree 3, and so on. Since each spanning
tree has a different active topology with different active links, this has the effect of dividing the data
traffic among the available redundant links based on the VLAN - a form of load balancing.
MSTP Regions
Along with supporting multiple spanning trees, MSTP also introduces the concept of regions. A region
is a group of devices that are under the same administrative control and have a similar configuration. In particular,
the configuration for the region name, revision, and the mapping of VLANs to spanning tree instances
must be identical on all the network devices in the region. A digest of this information is included in the
BPDUs sent by each device, so as to allow other devices to verify whether they are in the same region.
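The region check described above, as an added Python example (not Cisco or IEEE code): the VLAN-to-instance mapping is laid out as the 4096-entry table defined in IEEE 802.1Q and digested with HMAC-MD5 under the fixed key the standard publishes, and a bridge compares name, revision and digest before treating a neighbour as part of its region. The region name, the sample VLAN partitioning and the function names are constructed for this example.

```python
"""MST Configuration Digest computation. Added example, not Cisco or IEEE code."""
import hashlib
import hmac
from typing import Dict, Mapping

# Key published in IEEE 802.1Q. Because it is public, a matching digest proves
# only that the configuration matches; it does not authenticate the sender.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def build_mst_table(vlan_to_msti: Mapping[int, int]) -> bytes:
    """4096 two-octet, big-endian MSTIDs indexed by VLAN ID.

    VLANs not listed belong to instance 0 (the IST). Indexes 0 and 4095 are not
    valid VLAN IDs and stay zero.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"invalid MSTI {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def mst_config_digest(vlan_to_msti: Mapping[int, int]) -> str:
    """HMAC-MD5 over the table, returned as upper-case hex."""
    mac = hmac.new(MST_DIGEST_KEY, build_mst_table(vlan_to_msti), hashlib.md5)
    return mac.hexdigest().upper()


def vlan_range(first: int, last: int, msti: int) -> Dict[int, int]:
    return {vid: msti for vid in range(first, last + 1)}


def same_region(cfg_a: dict, cfg_b: dict) -> bool:
    """The comparison a receiving bridge makes against a neighbour's MST BPDU."""
    def ident(cfg: dict):
        return (cfg["name"], cfg["revision"], mst_config_digest(cfg["map"]))
    return ident(cfg_a) == ident(cfg_b)


# Constructed region configuration using the partitioning described in the text.
REGION_A = {
    "name": "metro-east",
    "revision": 1,
    "map": {**vlan_range(1, 100, 1), **vlan_range(101, 200, 2), **vlan_range(201, 300, 3)},
}
# Same name and revision, but VLAN 150 was left in instance 1 on one bridge:
# the digests differ, so the two bridges do not form one region.
REGION_B = {**REGION_A, "map": {**REGION_A["map"], 150: 1}}
```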
Figure 27 shows the operation of MST regions when bridges running MSTP are connected to bridges
running legacy STP or RSTP. In this example, switches SW1, SW2, SW3, SW4 support MSTP, while
switches SW5 and SW6 do not.
Figure 27 MST Interaction with Non-MST Regions
To handle this situation, an Internal Spanning Tree (IST) is used. This is always spanning tree instance
0 (zero). When communicating with non-MSTP-aware devices, the entire MSTP region is represented
as a single switch. The logical IST topology in this case is shown in Figure 28.
Figure 28 Logical Topology in MST Region Interacting with Non-MST Bridges
The same mechanism is used when communicating with MSTP devices in a different region. For
example, SW5 in Figure 28 could represent a number of MSTP devices, all in a different region
compared to SW1, SW2, SW3 and SW4.
MSTP Port Fast
MSTP includes a Port Fast feature for handling ports at the edge of the switched Ethernet network. For
devices that only have one link to the switched network (typically host devices), there is no need to run
MSTP, as there is only one available path. Furthermore, it is undesirable to trigger topology changes (and
resultant MAC flushes) when the single link fails or is restored, as there is no alternative path.
By default, MSTP monitors ports where no BPDUs are received, and after a timeout, places them into
edge mode whereby they do not participate in MSTP. However, this process can be sped up (and
convergence of the whole network thereby improved) by explicitly configuring edge ports as port fast.
Figure 27 (image not reproduced): non-MST regions containing SW5 and SW6; MST regions containing SW1, SW2, SW3 and SW4.
Figure 28 (image not reproduced): the MST region appears as a single bridge in the IST topology, alongside the non-MST bridges SW5 and SW6.
Note Port Fast is implemented as a Cisco-proprietary extension in Cisco implementations of legacy STP.
However, it is encompassed in the standards for RSTP and MSTP, where it is known as Edge Port.
MSTP Root Guard
In networks with shared administrative control, it may be desirable for the network administrator to
enforce aspects of the network topology and in particular, the location of the root bridge. By default, any
device can become the root bridge for a spanning tree, if it has a lower priority or bridge ID. However,
a more optimal forwarding topology can be achieved by placing the root bridge at a specific location in
the centre of the network.
Note The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position;
however, this is no guarantee against another bridge which also has a priority of 0 and has a lower bridge
ID.
The root guard feature provides a mechanism that allows the administrator to enforce the location of the
root bridge. When root guard is configured on an interface, it prevents that interface from becoming a
root port (that is, a port via which the root can be reached). If superior information is received via BPDUs
on the interface that would normally cause it to become a root port, it instead becomes a backup or
alternate port. In this case, it is placed in the blocking state and no data traffic is forwarded.
The root bridge itself has no root ports. Thus, by configuring root guard on every interface on a device,
the administrator forces the device to become the root, and interfaces receiving conflicting information
are blocked.
Note Root Guard is implemented as a Cisco-proprietary extension in Cisco implementations of legacy STP
and RSTP. However, it is encompassed in the standard for MSTP, where it is known as Restricted Role.
MSTP Topology Change Guard
In certain situations, it may be desirable to prevent topology changes originating at or received at a given
port from being propagated to the rest of the network. This may be the case, for example, when the
network is not under a single administrative control and it is desirable to prevent devices external to the
core of the network from causing MAC address flushing in the core. This behavior can be enabled by
configuring Topology Change Guard on the port.
Note Topology Change Guard is known as Restricted TCN in the MSTP standard.
MSTP Supported Features
Cisco ASR 9000 Series Routers support MSTP, as defined in IEEE 802.1Q-2005, on physical Ethernet
interfaces and Ethernet Bundle interfaces. Note that this includes the Port Fast, Backbone Fast, Uplink
Fast and Root Guard features found in Cisco implementations of legacy STP, RSTP and PVST, as these
are encompassed by the standard MSTP protocol. Cisco ASR 9000 Series Routers can operate in either
standard 802.1Q mode, or in Provider Edge (802.1ad) mode. In provider edge mode, a different MAC
address is used for BPDUs, and any BPDUs received with the 802.1Q MAC address are forwarded
transparently.
In addition, these additional Cisco features are supported:
• BPDU Guard—This Cisco feature protects against misconfiguration of edge ports.
• Flush Containment—This Cisco feature helps prevent unnecessary MAC flushes that would
otherwise occur following a topology change.
• Bringup Delay—This Cisco feature prevents an interface from being added to the active topology
before it is ready to forward traffic.
Note Interoperation with RSTP is supported, as described in the 802.1Q standard; however, interoperation
with legacy STP is not supported.
BPDU Guard
BPDU Guard is a Cisco feature that protects against misconfiguration of edge ports. It is an enhancement
to the MSTP port fast feature. When port fast is configured on an interface, MSTP considers that
interface to be an edge port and removes it from consideration when calculating the spanning tree. When
BPDU Guard is configured, MSTP additionally shuts down the interface using error-disable if an MSTP
BPDU is received.
Flush Containment
Flush containment is a Cisco feature that helps prevent unnecessary MAC flushes due to unrelated
topology changes in other areas of a network. This is best illustrated by example. Figure 29 shows a
network containing four devices. Two VLANs are in use: VLAN 1 is only used on device D, while
VLAN 2 spans devices A, B and C. The two VLANs are in the same spanning tree instance, but do not
share any links.
Figure 29 Flush Containment
If the link AB goes down, then in normal operation, as C brings up its blocked port, it sends out a
topology change notification on all other interfaces, including towards D. This causes a MAC flush to
occur for VLAN 1, even though the topology change which has taken place only affects VLAN 2.
Figure 29 (image not reproduced): devices A, B, C and D; VLAN 1 and VLAN 2.
Flush containment helps deal with this problem by preventing topology change notifications from being
sent on interfaces on which no VLANs are configured for the MSTI in question. In the example network
this would mean no topology change notifications would be sent from C to D, and the MAC flushes
which take place would be confined to the right hand side of the network.
Note Flush containment is enabled by default, but can be disabled by configuration, thus restoring the
behavior described in the IEEE 802.1Q standard.
Bringup Delay
Bringup delay is a Cisco feature that stops MSTP from considering an interface when calculating the
spanning tree, if the interface is not yet ready to forward traffic. This is useful when a line card first boots
up, as the system may declare that the interfaces on that card are Up before the dataplane is fully ready
to forward traffic. According to the standard, MSTP considers the interfaces as soon as they are declared
Up, and this may cause it to move other interfaces into the blocking state if the new interfaces are
selected instead.
Bringup delay solves this problem by adding a configurable delay period which occurs as interfaces that
are configured with MSTP first come into existence. Until this delay period ends, the interfaces remain
in blocking state, and are not considered when calculating the spanning tree.
Bringup delay only takes place when interfaces which are already configured with MSTP are created,
for example, on a card reload. No delay takes place if an interface which already exists is later configured
with MSTP.
Restrictions for configuring MSTP
These restrictions apply when using MSTP:
• MSTP must only be enabled on interfaces where the interface itself (if it is in L2 mode) or all of the
subinterfaces have a simple encapsulation configured. These encapsulation matching criteria are
considered simple:
– Single-tagged 802.1Q frames
– Double-tagged Q-in-Q frames (only the outermost tag is examined)
– 802.1ad frames (if MSTP is operating in Provider Bridge mode)
– Ranges or lists of tags (any of the above)
Note Subinterfaces with a default and untagged encapsulation are not supported.
• If an L2 interface or subinterface is configured with an encapsulation that matches multiple VLANs,
then all of those VLANs must be mapped to the same spanning tree instance. There is therefore a
single spanning tree instance associated with each L2 interface or subinterface.
• All the interfaces or subinterfaces in a given bridge domain must be associated with the same
spanning tree instance.
• Multiple subinterfaces on the same interface must not be associated with the same spanning tree
instance, unless those subinterfaces are in the same split horizon group. In other words, hair-pinning
is not possible.
• Across the network, L2 interfaces or subinterfaces must be configured on all redundant paths for all
the VLANs mapped to each spanning tree instance. This is to avoid inadvertent loss of connectivity
due to STP blocking of a port.
Caution A subinterface with a default or untagged encapsulation will lead to an MSTP state machine failure.
Access Gateway
One common deployment scenario for Cisco ASR 9000 Series Routers is as an nPE gateway device
situated between a network of uPE access devices and a core or aggregation network. Each gateway
device may provide connectivity for many access networks, as shown in Figure 30. The access networks
(typically rings) have redundant links to the core or aggregation network, and therefore must use some
variant of STP or a similar protocol to ensure the network remains loopfree.
Figure 30 Core or Aggregation Network
It is possible for the gateway devices to also participate in the STP protocol. However, since each
gateway device may be connected to many access networks, this would result in one of two solutions:
• A single topology is maintained covering all of the access networks. This is undesirable as it means
topology changes in one access network could impact all the other access networks.
• The gateway devices run multiple instances of the STP protocol, one for each access network. This
means a separate protocol database and separate protocol state machines are maintained for each
access network, which is undesirable due to the memory and CPU resource that would be required
on the gateway device.
It can be seen that both of these options have significant disadvantages.
Another alternative is for the gateway devices to tunnel protocol BPDUs between the legs of each access
network, but not to participate in the protocol themselves. While this results in correct loopfree
topologies, it also has significant downsides:
Figure 30 (image not reproduced): core/aggregation network, two gateway devices, and the access networks.
• Since there is no direct connection between the legs of the access ring, a failure in one of the leg
links is not immediately detected by the access device connected to the other leg. Therefore,
recovery from the failure must wait for protocol timeouts, which leads to a traffic loss of at least six
seconds.
• As the gateway devices do not participate in the protocol, they are not aware of any topology changes
in the access network. The aggregation network may therefore direct traffic destined for the access
network over the wrong leg, following a topology change. This can lead to traffic loss on the order
of the MAC learning timeout (5 minutes by default).
Access gateway is a Cisco feature intended to address this deployment scenario, without incurring the
disadvantages of the solutions described above.
Overview of Access Gateway
Access gateway is based on two assumptions:
• Both gateway devices provide connectivity to the core or aggregation network at all times.
Generally, resiliency mechanisms used within the core or aggregation network are sufficient to
ensure this is the case. In many deployments, VPLS is used in the core or aggregation network to
provide this resiliency.
• The desired root of all of the spanning trees for each access network is one of the gateway devices.
This will be the case if (as is typical) the majority of the traffic is between an access device and the
core or aggregation network, and there is little if any traffic between the access devices.
With these assumptions, an STP topology can be envisaged where for every spanning tree, there is a
virtual root bridge behind (that is, on the core side of) the gateway devices, and both gateway devices
have a zero cost path to the virtual root bridge. In this case, the ports that connect the gateway devices
to the access network would never be blocked by the spanning tree protocol, but would always be in the
forwarding state. This is illustrated in Figure 31.
Figure 31 Access Networks
[Figure 31 shows a virtual root bridge on the core side of the two gateway devices, each gateway device joined to it by a 0-cost link. The gateway ports that face the access networks are never blocked; the possible location of the blocked port is inside each access network.]
With this topology, it can be observed that the BPDUs sent by the gateway devices are constant: since
the root bridge never changes (as we assume the aggregation or core network always provides
connectivity) and the ports are always forwarding, the information sent in the BPDUs never changes.
Access gateway makes use of this by removing the need to run the full STP protocol and associated state
machines on the gateway devices, and instead just sends statically configured BPDUs towards the access
network. The BPDUs are configured so as to mimic the behavior above, so that they contain the same
information that would be sent if the full protocol was running. To the access devices, it appears that the
gateway devices are fully participating in the protocol; however, since in fact the gateway devices are
just sending static BPDUs, very little memory or CPU resource is needed on the gateway devices, and
many access networks can be supported simultaneously.
For the most part, the gateway devices can ignore any BPDUs received from the access network;
however, one exception is when the access network signals a topology change. The gateway devices can
act on this appropriately, for example by triggering an LDP MAC withdrawal in the case where the core
or aggregation network uses VPLS.
In many cases, it is not necessary to have direct connectivity between the gateway devices; since the
gateway devices statically send configured BPDUs over the access links, they can each be configured
independently (so long as the configuration on each is consistent). This also means that different access
networks can use different pairs of gateway devices, as shown in Figure 32.
Figure 32 Access Networks
Note Although Figure 32 shows access rings, in general there are no restrictions on the access network
topology or the number or location of links to the gateway devices.
Access gateway ensures loop-free connectivity in the event of these failure cases:
• Failure of a link in the access network.
• Failure of a link between the access network and the gateway device.
• Failure of an access device.
• Failure of a gateway device.
[Figure 32 shows three gateway devices attached to the core or aggregation network, with different access networks served by different pairs of gateway devices.]
Topology Change Propagation
There is one case where the two gateway devices need to exchange BPDUs between each other, and this
is to handle topology changes in the access network. If a failure in the access network results in a
topology change that causes a previously blocked port to move to forwarding, the access device sends a
topology change notification out on that port, so as to notify the rest of the network about the change and
trigger the necessary MAC learning flushes. Typically, the topology change notification is sent towards
the root bridge; in the case of access gateway, that means it is sent to one of the gateway devices.
As described above, this causes the gateway device itself to take any necessary action; however, if the
failure caused the access network to become partitioned, it may also be necessary to propagate the
topology change notification to the rest of the access network, that is, the portion connected to the other
gateway device. This can be achieved by ensuring there is connectivity between the gateway devices, so
that each gateway device can propagate any topology change notifications it receives from the access
network to the other device. When a gateway device receives a BPDU from the other gateway device that
indicates a topology change, it signals this in the static BPDUs (that it is sending towards the access
network).
Topology Change Propagation is only necessary when these two conditions are met:
• The access network contains three or more access devices. If there are fewer than three devices, then
any possible failure must be detected by all the devices.
• The access devices send traffic to each other, and not just to or from the core or aggregation network.
If all the traffic is to or from the core or aggregation network, then all the access devices must either
already be sending traffic in the right direction, or will learn about the topology change from the
access device that originates it.
Preempt Delay
One of the assumptions underpinning access gateway is that the gateway devices are always available to
provide connectivity to the core or aggregation network. There is one situation where this assumption
may not hold, which is at bringup time. At bringup, the access-facing interface may become available
before the signaling and convergence that allow traffic to be forwarded into the core or aggregation
network have completed. Since access gateway starts sending BPDUs as soon as the interface comes up,
this could result in the access devices sending traffic to the gateway device before it is ready to receive
it. To avoid this problem, the preempt delay feature is used.
The preempt delay feature causes access gateway to send out inferior BPDUs for some period of time
after the interface comes up, before reverting to the normal values. These inferior BPDUs can be
configured such that the access network directs all traffic to the other gateway device, unless the other
gateway device is also down. If the other gateway device is unavailable, it is desirable for the traffic to
be sent to this device, even if it is only partially available, rather than being dropped completely. For this
reason, inferior BPDUs are sent during the preempt delay time, rather than sending no BPDUs at all.
Supported Access Gateway Protocols
Access Gateway is supported on Cisco ASR 9000 Series Routers when the following protocols are used
in the access network.
MSTAG Edge Mode
An access gateway is used in a Layer 2 (L2) environment to ensure that for each Multiple Spanning Tree
Instance (MSTI), each access device has one path to the core or aggregation network. The core or
aggregation network provides L2 (Ethernet) connectivity between the two gateway devices. Therefore,
when there are no failures, there must be at least one blocked port in the access network for each MSTI.
In the case of an access ring, there should be one blocked port in the ring for each MSTI; this is typically
one of the uplink ports that connects to one of the gateway devices. This is achieved by configuring
MSTAG in such a way that the gateway devices appear to have the best path to the best possible
Multiple Spanning Tree Protocol (MSTP) root node. Thus, the access devices always use the gateway
devices to reach the root, and the ports on the gateway devices are always in the designated forwarding
state.
In a mixed Layer 2-Layer 3 environment, the L2 access network is used to provide a Layer 2 service on
certain VLANs and a Layer 3 (L3) service on other VLANs. In the access network, a different MSTI is
used for the L2 service and the L3 service. For the L2 VLANs, the core or aggregation network provides
L2 connectivity between the gateway devices. However, for the L3 service, the gateway devices
terminate the L2 network and perform L3 routing. Typically, an L3 redundancy mechanism such as
HSRP or VRRP is used to allow the end hosts to route to the correct gateway.
In this scenario, the use of MSTAG alone does not achieve the desired behavior for the L3 MSTI. This
is because it results in one of the ports in the access network being blocked, even though there is actually
no loop. (This, in turn, is because there is no L2 connectivity between the gateway devices for the L3
VLANs.) In fact, because the gateway devices terminate the L2 network for the L3 VLANs, the desirable
behavior is for the MSTP root to be located in the access network, and for the gateway devices to appear
as leaf nodes with a single connection. This can be achieved by reversing the MSTAG configuration; that
is, setting the gateway devices to advertise the worst possible path to the worst possible root. This forces
the access devices to elect one of the access devices as the root, and therefore, no ports are blocked. In
this case, the ports on the gateway devices are always in root forwarding state. The MSTAG Edge mode
feature enables this scenario by changing the role advertised by the gateway devices from designated to
root. Figure 33 illustrates this scenario.
Table 3 Protocols

Access Network Protocol    Access Gateway Variant
MSTP                       MST Access Gateway (MSTAG)
REP                        REP Access Gateway (REPAG) (1)
PVST+                      PVST+ Access Gateway (PVSTAG) (2)
PVRST                      PVRST Access Gateway (PVRSTAG) (3)

1. REP Access Gateway is supported when the access device interfaces that connect to the gateway devices are configured with
REP MSTP Compatibility mode.
2. Topology Change Propagation is not supported for PVSTAG.
3. Topology Change Propagation is not supported for PVRSTAG.
Figure 33 MSTAG Edge Mode scenario
For normal MSTAG, and for the L2 MSTIs, topology change notifications are propagated from one
gateway device to the other, and re-advertised into the access network. However, for the L3 MSTI, this
is not desirable. As there is no block for the L3 MSTI in the access network, the topology change
notification could loop forever. To avoid that situation, MSTAG Edge mode completely disables
handling of topology change notifications in the gateway devices.
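To make the argument above concrete, the following Python is an added example (not Cisco code) that computes the converged port roles of one spanning tree instance on a small topology: two gateway devices and a three-device access ring. The MSTAG case models the virtual root bridge as a node that both gateways reach at cost 0, which yields designated gateway ports and exactly one blocked port in the ring; the edge mode case models the gateways as bridges advertising the worst possible priority with no L2 path between them, so an access device becomes root, the gateway ports become root ports and nothing is blocked. Bridge IDs, port numbers and the 20000 link cost (the 802.1t value for 1 Gb/s) are assumptions.

```python
"""Port roles of one spanning tree instance on a fixed topology (added example,
not Cisco code).  Bridge IDs, port numbers and link costs are invented."""
import heapq

WORST_PRIORITY = 61440   # highest (worst) bridge priority, 0..61440 step 4096


def port_roles(bridges, links):
    """bridges: name -> (priority, mac_int).  links: (a, port_a, b, port_b, cost).
    Returns {(bridge, port): 'root' | 'designated' | 'alternate'}, the stable
    result the protocol converges to once every bridge has seen the best BPDU."""
    key = {n: tuple(v) for n, v in bridges.items()}      # (priority, MAC)
    adj = {n: [] for n in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    root = min(bridges, key=lambda n: key[n])
    # Root path priority vector per bridge: (root path cost, designated bridge,
    # designated port, receiving port), compared lexicographically as in 802.1Q.
    best = {root: (0, key[root], 0, 0)}
    via = {}                                             # bridge -> (upstream, its port, own port)
    heap = [(best[root], root)]
    while heap:
        vec, u = heapq.heappop(heap)
        if vec != best[u]:
            continue
        for pu, v, pv, cost in adj[u]:
            cand = (vec[0] + cost, key[u], pu, pv)
            if v not in best or cand < best[v]:
                best[v] = cand
                via[v] = (u, pu, pv)
                heapq.heappush(heap, (cand, v))
    roles = {}
    for a, pa, b, pb, cost in links:
        # The end offering the better (cost, bridge ID, port ID) is designated.
        offer = {a: (best[a][0], key[a], pa), b: (best[b][0], key[b], pb)}
        designated = min(offer, key=offer.get)
        for end, port, other in ((a, pa, b), (b, pb, a)):
            if via.get(end, (None,))[0] == other and via[end][2] == port:
                roles[(end, port)] = "root"
            elif end == designated:
                roles[(end, port)] = "designated"
            else:
                roles[(end, port)] = "alternate"        # blocked
    return roles


# Invented access ring: G1 - A1 - A2 - A3 - G2, all access links 1 Gb/s.
ACCESS = {"A1": (8192, 0x11), "A2": (8192, 0x12), "A3": (8192, 0x13)}
RING = [("G1", 1, "A1", 1, 20000), ("A1", 2, "A2", 1, 20000),
        ("A2", 2, "A3", 1, 20000), ("A3", 2, "G2", 1, 20000)]


def mstag_topology():
    """Normal MSTAG: a virtual root behind both gateways, reached at cost 0,
    gateway 1 at priority 0 and gateway 2 at priority 4096 as the guidelines recommend."""
    bridges = dict(ACCESS, VROOT=(0, 0x0), G1=(0, 0x1), G2=(4096, 0x2))
    links = RING + [("VROOT", 1, "G1", 0, 0), ("VROOT", 2, "G2", 0, 0)]
    return bridges, links


def edge_mode_topology():
    """MSTAG edge mode for an L3 MSTI: no L2 path between the gateways, which
    advertise the worst possible bridge so that an access device becomes root."""
    bridges = dict(ACCESS, G1=(WORST_PRIORITY, 0x1), G2=(WORST_PRIORITY, 0x2))
    return bridges, RING


def blocked_ports(roles):
    return sorted(p for p, r in roles.items() if r == "alternate")


if __name__ == "__main__":
    for label, topo in (("MSTAG", mstag_topology()), ("MSTAG edge mode", edge_mode_topology())):
        roles = port_roles(*topo)
        print(label, "blocked:", blocked_ports(roles), "G1 access port:", roles[("G1", 1)])
```

In the MSTAG case the blocked port lands on the access device furthest from the better gateway, which is the "possible location of blocked port" the earlier figures show; in the edge mode case the same ring is a tree once the gateways stop offering a path to each other, so no port is blocked.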
Multiple VLAN Registration Protocol
The Multiple VLAN Registration Protocol (MVRP) is defined in IEEE 802.1ak and is used in MSTP-based
networks to optimize the propagation of multicast and broadcast frames.
By default, multicast and broadcast frames are propagated to every point in the network, according to
the spanning tree, and hence to every edge (host) device that is attached to the network. However, for a
given VLAN, it may be the case that only certain hosts are interested in receiving the traffic for that
VLAN. Furthermore, it may be the case that a given network device, or even an entire segment of the
network, has no attached hosts that are interested in receiving traffic for that VLAN. In this case, an
optimization is possible by avoiding propagating traffic for that VLAN to those devices that have no
stake in it. MVRP provides the necessary protocol signaling that allows each host and device to indicate
to its attached peers which VLANs it is interested in.
[Figure 33 shows the physical topology and the logical topologies for the L2 MSTI and the L3 MSTI. Two ASR 9000 gateways attach to three access devices; the L2 root lies behind the gateways, the L3 root is an access device. Port roles: D = designated port (forwarding), R = root port (forwarding), A = alternate port (blocked); only the L2 MSTI has an alternate port.]
MVRP-enabled devices can operate in two modes:
• Static mode—In this mode, the device initiates MVRP messages declaring interest in a statically
configured set of VLANs. Note that the protocol is still dynamic with respect to the MSTP topology;
it is the set of VLANs that is static.
• Dynamic mode—In this mode, the device processes MVRP messages received on different ports,
and aggregates them dynamically to determine the set of VLANs it is interested in. It sends MVRP
messages declaring interest in this set. In dynamic mode, the device also uses the received MVRP
messages to prune the traffic sent out of each port so that traffic is only sent for the VLANs that the
attached device has indicated it is interested in.
Cisco ASR 9000 Series Routers support operating in static mode. This is known as MVRP-lite.
How to Implement Multiple Spanning Tree Protocol
This section contains these procedures:
• Configuring MSTP
• Configuring MSTAG or REPAG
• Configuring PVSTAG or PVRSTAG
• Configuring MVRP-lite
Configuring MSTP
This section describes the procedure for configuring MSTP:
• Enabling MSTP
• Configuring MSTP parameters
• Verifying MSTP
Note This section does not describe how to configure data switching. Refer to the Implementing Multipoint
Layer 2 Services module for more information.
Enabling MSTP
By default, STP is disabled on all interfaces. MSTP should be explicitly enabled by configuration on
each physical or Ethernet Bundle interface. When MSTP is configured on an interface, all the
subinterfaces of that interface are automatically MSTP-enabled.
Configuring MSTP parameters
The MSTP Standard defines a number of configurable parameters. The global parameters are:
• Region Name and Revision
• Bringup Delay
• Forward Delay
• Max Age or Hops
• Transmit Hold Count
• Provider Bridge mode
• Flush Containment
• VLAN IDs (per spanning-tree instance)
• Bridge Priority (per spanning-tree instance)
The per-interface parameters are:
• External port path cost
• Hello Time
• Link Type
• Port Fast and BPDU Guard
• Root Guard and Topology Change Guard
• Port priority (per spanning-tree instance)
• Internal port path cost (per spanning-tree instance)
Per-interface configuration takes place in an interface submode within the MST configuration submode.
Note The configuration steps listed in the following sections show all of the configurable parameters.
However, in general, most of these can be retained with the default value.
SUMMARY STEPS
1. configure
2. spanning-tree mst protocol instance identifier
3. bringup delay for interval {minutes | seconds}
4. flush containment disable
5. name name
6. revision revision-number
7. forward-delay seconds
8. maximum {age seconds | hops hops}
9. transmit hold-count count
10. provider-bridge
11. instance id
12. priority priority
13. vlan-id vlan-range [,vlan-range][,vlan-range][,vlan-range]
14. interface {Bundle-Ether | GigabitEthernet | TenGigE | FastEthernet} instance
15. instance id port-priority priority
16. instance id cost cost
17. external-cost cost
18. link-type {point-to-point | multipoint}
19. hello-time seconds
20. portfast [bpdu-guard]
21. guard root
22. guard topology-change
23. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# config
Thu Jun 4 07:50:02.660 PST
RP/0/RSP0/CPU0:router(config)#
Enters global configuration mode.
Step 2 spanning-tree mst protocol instance
identifier
Example:
RP/0/RSP0/CPU0:router(config)#
spanning-tree mst a
RP/0/RSP0/CPU0:router(config-mstp)#
Enters the MSTP configuration submode.
Step 3 bringup delay for interval {minutes |
seconds}
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
bringup delay for 10 minutes
Configures the time interval to delay bringup for.
Step 4 flush containment disable
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
flush containment disable
Disables flush containment.
With flush containment disabled, a topology change triggers a MAC flush on all
instances regardless of their state.
Step 5 name name
Example:
RP/0/RSP0/CPU0:router(config-mstp)# name
m1
Sets the name of the MSTP region.
The default value is the MAC address of the switch, formatted as a
text string by means of the hexadecimal representation specified in
IEEE Std 802.
Step 6 revision revision-number
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
revision 10
Sets the revision level of the MSTP region.
Allowed values are from 0 through 65535.
Step 7 forward-delay seconds
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
forward-delay 20
Sets the forward-delay parameter for the bridge.
Allowed values for bridge forward-delay time in seconds are from
4 through 30.
Step 8 maximum {age seconds | hops hops}
Example:
RP/0/RSP0/CPU0:router(config-mstp)# max
age 40
RP/0/RSP0/CPU0:router(config-mstp)# max
hops 30
Sets the maximum age and maximum hops performance
parameters for the bridge.
Allowed values for maximum age time for the bridge in seconds are
from 6 through 40.
Allowed values for maximum number of hops for the bridge are
from 6 through 40.
Step 9 transmit hold-count count
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
transmit hold-count 8
Sets the transmit hold count performance parameter.
Allowed values are from 1 through 10.
Step 10 provider-bridge
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
provider-bridge
Places the current instance of the protocol in 802.1ad mode.
Step 11 instance id
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
instance 101
RP/0/RSP0/CPU0:router(config-mstp-inst)#
Enters the MSTI configuration submode.
Allowed values for the MSTI ID are from 0 through 4094.
Step 12 priority priority
Example:
RP/0/RSP0/CPU0:router(config-mstp-inst)#
priority 8192
Sets the bridge priority for the current MSTI.
Allowed values are from 0 through 61440 in multiples of 4096.
Step 13 vlan-id vlan-range
[,vlan-range][,vlan-range][,vlan-range]
Example:
RP/0/RSP0/CPU0:router(config-mstp-inst)#
vlan-id 2-1005
Associates a set of VLAN IDs with the current MSTI.
List of VLAN ranges in the form a-b, c, d, e-f, g, and so on.
Note Repeat steps 11 to 13 for each MSTI.
Step 14 interface {Bundle-Ether | GigabitEthernet
| TenGigE | FastEthernet} instance
Example:
RP/0/RSP0/CPU0:router(config-mstp)#
interface FastEthernet 0/0/0/1
RP/0/RSP0/CPU0:router(config-mstp-if)#
Enters the MSTP interface configuration submode, and enables
MSTP on the specified interface.
The interface is specified in rack/slot/instance/port format.
Step 15 instance id port-priority priority
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
instance 101 port-priority 160
Sets the port priority performance parameter for the MSTI.
Allowed values for the MSTI ID are from 0 through 4094.
Allowed values for port priority are from 0 through 240 in
multiples of 16.
Step 16 instance id cost cost
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
instance 101 cost 10000
Sets the internal path cost for a given instance on the current port.
Allowed values for the MSTI ID are from 0 through 4094.
Allowed values for port cost are from 1 through 200000000.
Note Repeat steps 15 and 16 for each MSTI for each interface.
Step 17 external-cost cost
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
external-cost 10000
Sets the external path cost on the current port.
Allowed values for port cost are from 1 through 200000000.
Step 18 link-type {point-to-point | multipoint}
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
link-type point-to-point
Sets the link type of the port to point-to-point or multipoint.
Step 19 hello-time seconds
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
hello-time 1
Sets the port hello time in seconds.
Allowed values are 1 and 2.
Step 20 portfast [bpdu-guard]
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
portfast
RP/0/RSP0/CPU0:router(config-mstp-if)#
portfast bpdu-guard
Enables PortFast on the port, and optionally enables BPDU guard.
Step 21 guard root
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
guard root
Enables RootGuard on the port.
Step 22 guard topology-change
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
guard topology-change
Enables TopologyChangeGuard on the port.
Note Repeat steps 14 to 22 for each interface.
Step 23 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-mstp-if)#
end
or
RP/0/RSP0/CPU0:router(config-mstp-if)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Verifying MSTP
These show commands allow you to verify the operation of MSTP:
• show spanning-tree mst mst-name
• show spanning-tree mst mst-name interface interface-name
• show spanning-tree mst mst-name errors
• show spanning-tree mst mst-name configuration
• show spanning-tree mst mst-name bpdu interface interface-name
• show spanning-tree mst mst-name topology-change flushes
Configuring MSTAG or REPAG
This section describes the procedures for configuring MSTAG:
• Configuring an untagged subinterface
• Enabling MSTAG
• Configuring MSTAG parameters
• Configuring MSTAG Topology Change Propagation
• Verifying MSTAG
Note The procedures for configuring REPAG are identical.
This section does not describe how to configure data switching. Refer to the Implementing Multipoint
Layer 2 Services module for more information.
Configuring an untagged subinterface
In order to enable MSTAG on a physical or Bundle Ethernet interface, an L2 subinterface must first be
configured which matches untagged packets, using the encapsulation untagged command. Refer to The
Cisco ASR 9000 Series Routers Carrier Ethernet Model module for more information about configuring
L2 subinterfaces.
Enabling MSTAG
MSTAG is enabled on a physical or Bundle Ethernet interface by explicitly configuring it on the
corresponding untagged subinterface. When MSTAG is configured on the untagged subinterface, it is
automatically enabled on the physical or Bundle Ethernet interface and on all other subinterfaces of that
physical or Bundle Ethernet interface.
Configuring MSTAG parameters
MSTAG parameters are configured separately on each interface, and MSTAG runs completely
independently on each interface. There is no interaction between the MSTAG parameters on different
interfaces (unless they are connected to the same access network).
These parameters are configurable for each interface:
• Region Name and Revision
• Bridge ID
• Port ID
• External port path cost
• Max Age
• Provider Bridge mode
• Hello Time
The following MSTAG parameters are configurable for each interface, for each spanning tree instance:
• VLAN IDs
• Root Bridge Priority and ID
• Bridge Priority
• Port Priority
• Internal Port Path Cost
To ensure consistent operation across the access network, these guidelines should be used when
configuring:
• Both gateway devices should be configured with a Root Bridge Priority and ID (for each spanning
tree instance) that is better (lower) than the Bridge Priority and Bridge ID of any device in the access
network. It is recommended to set the Root Bridge Priority and ID to 0 on the gateway devices.
Note To avoid an STP dispute being detected by the access devices, the same root priority and ID should be
configured on both gateway devices.
• Both gateway devices should be configured with a Port Path Cost of 0.
• For each spanning tree instance, one gateway device should be configured with the bridge priority
and ID that is higher than the root bridge priority and ID, but lower than the bridge priority and ID
of any other device in the network (including the other gateway device). It is recommended to set
the bridge priority to 0.
• For each spanning tree instance, the second gateway device should be configured with a bridge
priority and ID that is higher than the root bridge priority and ID and the first gateway device bridge
priority and ID, but lower than the bridge priority and ID of any device in the access network. It is
recommended to set the bridge priority to 4096 (this is the lowest allowable value greater than 0).
• All of the access devices should be configured with a higher bridge priority than the gateway
devices. It is recommended to use values of 8192 or higher.
• For each spanning tree instance, the port path cost and other parameters may be configured on the
access devices so as to ensure the desired port is put into the blocked state when all links are up.
Caution There are no checks on MSTAG configuration—misconfiguration may result in incorrect operation of
the MSTP protocol in the access devices (for example, an STP dispute being detected).
The guidelines above are illustrated in Figure 34.
Note These guidelines do not apply to REPAG, as in that case the access devices ignore the information
received from the gateway devices apart from when a topology change is signalled.
Figure 34 MSTAG Guidelines
[Figure 34 shows the recommended values: virtual root bridge priority 0, ID 0.0.0; gateway device 1 priority 0, ID 0.0.1; gateway device 2 priority 4096, ID 0.0.2; path cost 0 on both gateway devices; access devices priority 8192.]
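Because the router performs no checks on MSTAG configuration, the guidelines above are worth checking mechanically before the configuration is committed on either gateway. The following Python is an added example and not Cisco code: it encodes, per MSTI, the ordering root < one gateway < other gateway (compared as (priority, bridge ID), the way spanning tree compares bridge identifiers), the identical-root rule, the zero internal port path cost, the 4096-step priority range, and the rule that every access device carries a higher bridge priority than both gateways; it also renders the resulting commands in the form used in the steps that follow. The hostnames, bridge IDs, VLAN ranges and the second MSTI (which prefers the other gateway, as the guidelines allow per instance) are assumptions.

```python
"""Guideline check for a pair of MSTAG gateways (added example, not Cisco code).
All device names, bridge IDs and VLAN ranges below are invented."""
from dataclasses import dataclass

PRIORITY_STEP = 4096       # bridge priority is a multiple of 4096 ...
PRIORITY_MAX = 61440       # ... in the range 0 through 61440


def bridge_key(priority, bridge_id):
    """Bridge identifier in the order spanning tree compares it: priority first,
    then the 48-bit ID given in IOS XR dotted-hex form, e.g. 001c.0000.0011."""
    return (priority, int(bridge_id.replace(".", ""), 16))


@dataclass
class Msti:
    vlans: str
    priority: int        # bridge priority advertised for this instance
    root_priority: int   # priority of the (virtual) root bridge
    root_id: str         # ID of the (virtual) root bridge
    cost: int = 0        # internal port path cost


@dataclass
class Gateway:
    name: str            # hostname, used in messages only
    bridge_id: str       # per-interface bridge ID
    instances: dict      # MSTI number -> Msti


def check_mstag_pair(gw1, gw2, access):
    """Return the list of guideline violations; an empty list means consistent.
    access maps MSTI number -> [(priority, bridge_id), ...] of the access devices."""
    findings = []
    if set(gw1.instances) != set(gw2.instances):
        findings.append("gateways configure different MSTI sets")
    for msti in sorted(set(gw1.instances) & set(gw2.instances)):
        p1, p2 = gw1.instances[msti], gw2.instances[msti]
        for gw, p in ((gw1, p1), (gw2, p2)):
            for label, value in (("priority", p.priority),
                                 ("root-priority", p.root_priority)):
                if value % PRIORITY_STEP or not 0 <= value <= PRIORITY_MAX:
                    findings.append(f"MSTI {msti}: {gw.name} {label} {value} "
                                    "is not a multiple of 4096 in 0..61440")
            if p.cost != 0:
                findings.append(f"MSTI {msti}: {gw.name} cost {p.cost}, guideline is 0")
        if (p1.root_priority, p1.root_id) != (p2.root_priority, p2.root_id):
            findings.append(f"MSTI {msti}: root bridge differs between gateways "
                            "(access devices may detect an STP dispute)")
        root = bridge_key(p1.root_priority, p1.root_id)
        g1 = bridge_key(p1.priority, gw1.bridge_id)
        g2 = bridge_key(p2.priority, gw2.bridge_id)
        if g1 == g2:
            findings.append(f"MSTI {msti}: both gateways advertise the same bridge ID")
        if root >= min(g1, g2):
            findings.append(f"MSTI {msti}: root bridge is not better than both gateways")
        for prio, bid in access.get(msti, []):
            if prio <= max(p1.priority, p2.priority):
                findings.append(f"MSTI {msti}: access device {bid} priority {prio} "
                                "is not higher than the gateway priorities")
    return findings


def render_mstag(gw, interface, proto="a", region="access1", revision=1, port_id=1):
    """Render the gateway's MSTAG configuration with the commands of the MSTAG
    configuration steps, indented the way IOS XR shows nested submodes."""
    lines = [f"spanning-tree mstag {proto}", f" interface {interface}",
             f"  name {region}", f"  revision {revision}",
             f"  bridge-id {gw.bridge_id}", f"  port-id {port_id}"]
    for msti, p in sorted(gw.instances.items()):
        lines += [f"  instance {msti}", f"   vlan-id {p.vlans}",
                  f"   priority {p.priority}", f"   cost {p.cost}",
                  f"   root-bridge {p.root_id}", f"   root-priority {p.root_priority}"]
    return "\n".join(lines)


def example_pair():
    """MSTI 1 uses the Figure 34 values with invented IDs (root 0, gateway 1 at 0,
    gateway 2 at 4096, access devices at 8192); MSTI 2 swaps the gateway priorities."""
    root = dict(root_priority=0, root_id="001c.0000.0000")
    gw1 = Gateway("gw1", "001c.0000.0001",
                  {1: Msti("2-1005", 0, **root), 2: Msti("1006-2000", 4096, **root)})
    gw2 = Gateway("gw2", "001c.0000.0002",
                  {1: Msti("2-1005", 4096, **root), 2: Msti("1006-2000", 0, **root)})
    access = {m: [(8192, "0022.aaaa.0001"), (8192, "0022.aaaa.0002")] for m in (1, 2)}
    return gw1, gw2, access


if __name__ == "__main__":
    gw1, gw2, access = example_pair()
    print(render_mstag(gw1, "GigabitEthernet0/2/0/30.1"))
    print("findings:", check_mstag_pair(gw1, gw2, access))
```

Run the check against both gateways' intended values before committing; the root-bridge comparison is deliberately strict so that two gateways with equal priority are told apart only by their bridge IDs, which is exactly what the access devices will do.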
Note The configuration steps listed in the following sections show all of the configurable parameters.
However, in general, most of these can be retained with the default values.
SUMMARY STEPS
1. configure
2. spanning-tree mstag protocol instance identifier
3. preempt delay for interval {seconds | minutes | hours}
4. interface {Bundle-Ether | GigabitEthernet | TenGigE | FastEthernet} instance.subinterface
5. name name
6. revision revision-number
7. max age seconds
8. provider-bridge
9. bridge-id id
10. port-id id
11. external-cost cost
12. hello-time seconds
13. instance id
14. edge mode
15. vlan-id vlan-range [,vlan-range][,vlan-range][,vlan-range]
16. priority priority
17. port-priority priority
18. cost cost
19. root-bridge id
20. root-priority priority
21. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Thu Jun 4 07:50:02.660 PST
RP/0/RSP0/CPU0:router(config)#
Enters global configuration mode.
Step 2 spanning-tree mstag protocol instance
identifier
Example:
RP/0/RSP0/CPU0:router(config)#
spanning-tree mstag a
RP/0/RSP0/CPU0:router(config-mstag)#
Enters the MSTAG configuration submode.
Step 3 preempt delay for interval {seconds |
minutes | hours}
Example:
RP/0/RSP0/CPU0:router(config-mstag)#
preempt delay for 10 seconds
Specifies the period after the interface comes up during which
inferior (startup) BPDUs are sent, before the configured values are
advertised.
Step 4 interface {Bundle-Ether | GigabitEthernet
| TenGigE | FastEthernet}
instance.subinterface
Example:
RP/0/RSP0/CPU0:router(config-mstag)#
interface GigabitEthernet0/2/0/30.1
RP/0/RSP0/CPU0:router(config-mstag-if)#
Enters the MSTAG interface configuration submode, and enables
MSTAG for the specified port.
Step 5 name name
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
name leo
Sets the name of the MSTP region.
The default value is the MAC address of the switch, formatted as a
text string using the hexadecimal representation specified in IEEE
Standard 802.
Step 6 revision revision-number
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
revision 1
Sets the revision level of the MSTP region.
Allowed values are from 0 through 65535.
Step 7 max age seconds
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
max age 20
Sets the maximum age performance parameter for the bridge.
Allowed values for the maximum age time for the bridge in seconds
are from 6 through 40.
Step 8 provider-bridge
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
provider-bridge
Places the current instance of the protocol in 802.1ad mode.
Step 9 bridge-id id
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
bridge-id 001c.0000.0011
Sets the bridge ID for the current switch.
Step 10 port-id id
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
port-id 111
Sets the port ID for the current interface.
Step 11 external-cost cost
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
external-cost 10000
Sets the external path cost on the current port.
Allowed values for port cost are from 1 through 200000000.
Step 12 hello-time seconds
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
hello-time 1
Sets the port hello time in seconds.
Allowed values are from 1 through 2.
Step 13 instance id
Example:
RP/0/RSP0/CPU0:router(config-mstag-if)#
instance 1
Enters the MSTI configuration submode.
Allowed values for the MSTI ID are from 0 through 4094.
Step 14 edge mode
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# edge mode
Enables access gateway edge mode for this MSTI.
Step 15 vlan-id vlan-range [,vlan-range][,vlan-range][,vlan-range]
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# vlan-id 2-1005
Associates a set of VLAN IDs with the current MSTI.
List of VLAN ranges in the form a-b, c, d, e-f, g, and so on.
Step 16 priority priority
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# priority 4096
Sets the bridge priority for the current MSTI.
Allowed values are from 0 through 61440 in multiples of 4096.
Step 17 port-priority priority
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# port-priority 160
Sets the port priority performance parameter for the MSTI.
Allowed values for port priority are from 0 through 240 in
multiples of 16.
Step 18 cost cost
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# cost 10000
Sets the internal path cost for a given instance on the current port.
Allowed values for port cost are from 1 through 200000000.
Step 19 root-id id
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# root-id 001c.0000.0011
Sets the root bridge ID for the BPDUs sent from the current port.
Step 20 root-priority priority
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# root-priority 4096
Sets the root bridge priority for the BPDUs sent from this port.
Note Repeat steps 4 to 19 to configure each interface, and repeat
steps 13 to 19 to configure each MSTI for each interface.
Step 21 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# end
or
RP/0/RSP0/CPU0:router(config-mstag-if-inst)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Configuring MSTAG Topology Change Propagation
MSTAG Topology Change Propagation is configured by establishing connectivity between the
MSTAG-enabled interfaces on the two gateway devices:
1. Configure MSTAG as described above. Take note of the untagged subinterface that is used.
2. Configure connectivity between the gateway devices. This may be via an MPLS Pseudowire, or may
be a VLAN subinterface if there is a direct physical link.
3. Configure a point-to-point (P2P) cross-connect on each gateway device that contains the untagged
subinterface and the link (PW or subinterface) to the other gateway device.
Once the untagged subinterface that is configured for MSTAG is added to the P2P cross-connect,
MSTAG Topology Change Propagation is automatically enabled. MSTAG forwards BPDUs via the
cross-connect to the other gateway device, so as to signal when a topology change has been detected.
For more information on configuring MPLS pseudowire or P2P cross-connects, refer to the
Implementing Point to Point Layer 2 Services module.
Verifying MSTAG
These show commands allow you to verify the operation of MSTAG:
• show spanning-tree mstag mst-name
• show spanning-tree mstag mst-name bpdu interface interface-name
• show spanning-tree mstag mst-name topology-change flushes
Analogous commands are available for REPAG.
Configuring PVSTAG or PVRSTAG
This section describes the procedures for configuring PVSTAG:
• Enabling PVSTAG
• Configuring PVSTAG parameters
• Configuring Subinterfaces
• Verifying PVSTAG
The procedures for configuring PVRSTAG are identical.
Note This section does not describe how to configure data switching. Refer to the Implementing Multipoint
Layer 2 Services module for more information.
Enabling PVSTAG
PVSTAG is enabled for a particular VLAN, on a physical interface, by explicit configuration of that
physical interface and VLAN for PVSTAG.
Configuring PVSTAG parameters
The configurable PVSTAG parameters for each interface on each VLAN are:
• Root Priority and ID
• Root cost
• Bridge Priority and ID
• Port priority and ID
• Max Age
• Hello Time
For correct operation, these guidelines must be followed when configuring PVSTAG.
• Both gateway devices should be configured with a root bridge priority and ID that is better (lower)
than the bridge priority and Bridge ID of any device in the access network. It is recommended that
you set the root bridge priority and ID to 0 on the gateway devices.
• Both gateway devices should be configured with a root cost of 0.
• One gateway device should be configured with the bridge priority and ID that is higher than the root
bridge priority and ID, but lower than the bridge priority and ID of any other device in the network
(including the other gateway device). It is recommended that you set the bridge priority to 0.
• The second gateway device should be configured with a bridge priority and ID that is higher than
the root bridge priority and ID and the first gateway device bridge priority and ID, but lower than
the bridge priority and ID of any device in the access network. It is recommended that you set the
bridge priority to 1 for PVSTAG or 4096 for PVRSTAG. (For PVRSTAG, this is the lowest allowable
value greater than 0.)
• All access devices must be configured with a higher bridge priority than the gateway devices. It is
recommended that you use values of 2 or higher for PVSTAG, or 8192 or higher for PVRSTAG.
• For each spanning tree instance, the port path cost and other parameters may be configured on the
access devices, so as to ensure the desired port is placed into the blocked state when all links are up.
Caution There are no checks on PVSTAG configuration—misconfiguration may result in incorrect operation of
the PVST protocol in the access devices (for example, an STP dispute being detected).
These guidelines are illustrated in Figure 35.
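Because the router performs no checks on these parameters, a planned PVSTAG or PVRSTAG configuration can be validated offline before it is committed. The following Python script is an added example, not code from this guide; the Bridge and Gateway classes, the check_pvstag function and all bridge names and values are constructed for illustration.

```python
"""Offline check of the PVSTAG/PVRSTAG priority guidelines.

Added example, not from the Cisco guide. The guide notes that the router
performs no checks on PVSTAG configuration, so this validates the planned
per-VLAN parameters of both gateway devices against the access bridges
before they are committed. Bridge names and values are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


def bridge_key(priority: int, bridge_id: str) -> Tuple[int, int]:
    """Bridge identifier ordered the way STP compares it: priority, then MAC.

    Accepts the dotted forms used on the CLI ('001c.0000.0011' or '0.0.1').
    """
    return (priority, int(bridge_id.replace(".", ""), 16))


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int
    bridge_id: str


@dataclass(frozen=True)
class Gateway:
    """One gateway's 'vlan' submode parameters for a single VLAN."""
    bridge: Bridge
    root_priority: int
    root_id: str
    root_cost: int


def priority_allowed(priority: int, mode: str) -> bool:
    """PVSTAG: 0-65535. PVRSTAG: 0-61440 in multiples of 4096."""
    if mode == "pvstag":
        return 0 <= priority <= 65535
    return 0 <= priority <= 61440 and priority % 4096 == 0


def check_pvstag(mode: str, gw1: Gateway, gw2: Gateway,
                 access: List[Bridge]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).

    Errors break the ordering rules root < gateway 1 < gateway 2 < access
    devices; warnings only deviate from the guide's recommended values.
    """
    errors: List[str] = []
    warnings: List[str] = []
    rec_gw2 = 1 if mode == "pvstag" else 4096         # recommended gateway 2 priority
    rec_access_min = 2 if mode == "pvstag" else 8192  # recommended access floor

    # Both gateways must advertise the same (and the best) root bridge.
    root = bridge_key(gw1.root_priority, gw1.root_id)
    if root != bridge_key(gw2.root_priority, gw2.root_id):
        errors.append("gateways advertise different root priority/ID")
    if root != (0, 0):
        warnings.append("recommended root-priority 0 and root-id 0 on both gateways")

    for gw in (gw1, gw2):
        if gw.root_cost != 0:
            errors.append(f"{gw.bridge.name}: root-cost must be 0, got {gw.root_cost}")
        for label, value in (("priority", gw.bridge.priority),
                             ("root-priority", gw.root_priority)):
            if not priority_allowed(value, mode):
                errors.append(f"{gw.bridge.name}: {label} {value} not allowed in {mode}")

    # Gateway 1 is worse than the root but better than gateway 2.
    k1 = bridge_key(gw1.bridge.priority, gw1.bridge.bridge_id)
    k2 = bridge_key(gw2.bridge.priority, gw2.bridge.bridge_id)
    if not root < k1:
        errors.append(f"{gw1.bridge.name}: bridge priority/ID must be worse than the root")
    if not k1 < k2:
        errors.append(f"{gw2.bridge.name}: bridge priority/ID must be worse than {gw1.bridge.name}")
    if gw1.bridge.priority != 0:
        warnings.append(f"{gw1.bridge.name}: recommended priority 0")
    if gw2.bridge.priority != rec_gw2:
        warnings.append(f"{gw2.bridge.name}: recommended priority {rec_gw2}")

    # Every access device must be worse than both gateways.
    for acc in access:
        if not k2 < bridge_key(acc.priority, acc.bridge_id):
            errors.append(f"{acc.name}: must be worse than both gateway devices")
        if acc.priority < rec_access_min:
            warnings.append(f"{acc.name}: recommended priority >= {rec_access_min}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed values following the guide's recommendations for PVSTAG.
    gw1 = Gateway(Bridge("gw1", 0, "0.0.1"), 0, "0.0.0", 0)
    gw2 = Gateway(Bridge("gw2", 1, "0.0.2"), 0, "0.0.0", 0)
    access = [Bridge("acc1", 32768, "6161.6161.6161")]
    errs, warns = check_pvstag("pvstag", gw1, gw2, access)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```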
Figure 35 PVSTAG Guidelines
[Figure 35 labels: Virtual Root Bridge (Pri: 0, Id: 0.0.0); Gateway device 1 (Pri: 0, ID: 0.0.1, Cost: 0); Gateway device 2 (Pri: 1, ID: 0.0.2, Cost: 0); Access device (Pri: >2)]
Note The configuration steps listed in the following sections show all of the configurable parameters.
However, in general, most of these can be retained with the default values.
PVSTAG Topology Restrictions
These restrictions are applicable to PVSTAG topology:
• Only a single access device can be attached to the gateway devices.
• Topology change notifications on a single VLAN affect all VLANs and bridge domains on that
physical interface.
SUMMARY STEPS
1. configure
2. spanning-tree pvstag protocol instance identifier
3. preempt delay for interval {seconds | minutes | hours}
4. interface interface-instance.subinterface
5. vlan vlan-id
6. root-priority priority
7. root-id id
8. root-cost cost
9. priority priority
10. bridge-id id
11. port-priority priority
12. port-id id
13. hello-time seconds
14. max age seconds
15. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Thu Jun 4 07:50:02.660 PST
RP/0/RSP0/CPU0:router(config)#
Enters global configuration mode.
Step 2 spanning-tree pvstag protocol instance identifier
Example:
RP/0/RSP0/CPU0:router(config)#
spanning-tree pvstag a
RP/0/RSP0/CPU0:router(config-pvstag)#
Enters the PVSTAG configuration submode.
Step 3 preempt delay for interval {seconds | minutes | hours}
Example:
RP/0/RSP0/CPU0:router(config-pvstag)#
preempt delay for 10 seconds
Specifies the delay period during which startup BPDUs should be
sent, before preempting.
Step 4 interface interface-instance.subinterface
Example:
RP/0/RSP0/CPU0:router(config-pvstag)#
interface GigabitEthernet0/2/0/30.1
RP/0/RSP0/CPU0:router(config-pvstag-if)#
Enters the PVSTAG interface configuration submode, and enables
PVSTAG for the specified port.
Step 5 vlan vlan-id
Example:
RP/0/RSP0/CPU0:router(config-pvstag-if)#
vlan 200
Enables and configures a VLAN on this interface.
Step 6 root-priority priority
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# root-priority 4096
Sets the root bridge priority for the BPDUs sent from this port.
Step 7 root-id id
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# root-id 0000.0000.0000
Sets the identifier of the root bridge for BPDUs sent from a port.
Step 8 root-cost cost
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# root-cost 10000
Sets the root path cost to be sent in BPDUs from this interface.
Step 9 priority priority
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# priority 4096
Sets the bridge priority for the current VLAN.
For PVSTAG, allowed values are from 0 through 65535; for
PVRSTAG, the allowed values are from 0 through 61440 in
multiples of 4096.
Step 10 bridge-id id
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# bridge-id 001c.0000.0011
Sets the bridge ID for the current switch.
Step 11 port-priority priority
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# port-priority 160
Sets the port priority performance parameter for the current VLAN.
For PVSTAG, allowed values for port priority are from 0 through
255; for PVRSTAG, the allowed values are from 0 through 240 in
multiples of 16.
Step 12 port-id id
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# port-id 111
Sets the port ID for the current switch.
Step 13 hello-time seconds
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# hello-time 1
Sets the port hello time in seconds.
Allowed values are from 1 through 2.
Step 14 max age seconds
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# max age 20
Sets the maximum age performance parameters for the bridge.
Allowed values for the maximum age time for the bridge in seconds
are from 6 through 40.
Note Repeat steps 4 to 14 to configure each interface; repeat
steps 5 to 14 to configure each VLAN on each interface.
Step 15 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# end
or
RP/0/RSP0/CPU0:router(config-pvstag-ifvlan)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Configuring Subinterfaces
For each VLAN that is enabled for PVSTAG on an interface, a corresponding subinterface that matches
traffic for that VLAN must be configured. This is used both for data switching and for PVST BPDUs.
Follow these guidelines when configuring subinterfaces:
• VLAN 1 is treated as the native VLAN in PVST. Therefore, for VLAN 1, a subinterface that matches
untagged packets (encapsulation untagged) must be configured. It may also be necessary to
configure a subinterface that matches packets tagged explicitly with VLAN 1
(encapsulation dot1q 1).
• Only dot1q packets are allowed in PVST; Q-in-Q and dot1ad packets are not supported by the
protocol, and therefore subinterfaces configured with these encapsulations will not work correctly
with PVSTAG.
• Subinterfaces that match a range of VLANs are supported by PVSTAG; it is not necessary to
configure a separate subinterface for each VLAN, unless it is desirable for provisioning the data
switching.
• PVSTAG does not support:
– Physical interfaces configured in L2 mode
– Subinterfaces configured with a default encapsulation (encapsulation default)
– Subinterfaces configured to match any VLAN (encapsulation dot1q any)
For more information about configuring L2 subinterfaces, refer to the Implementing Point to Point Layer
2 Services module.
Verifying PVSTAG
These show commands allow you to verify the operation of PVSTAG or PVRSTAG:
• show spanning-tree pvstag mst-name
In particular, these commands display the subinterface that is being used for each VLAN.
Configuring MVRP-lite
This section describes the procedure for configuring MVRP-lite:
• Enabling MVRP-lite
• Configuring MVRP-lite parameters
• Verifying MVRP-lite
Enabling MVRP-lite
When MVRP-lite is configured, it is automatically enabled on all interfaces where MSTP is enabled.
MSTP must be configured before MVRP can be enabled. For more information on configuring MSTP,
see Configuring MSTP, page 342.
Configuring MVRP-lite parameters
The configurable MVRP-lite parameters are:
• Periodic Transmission
• Join Time
• Leave Time
• Leave-all Time
Summary Steps
1. configure
2. spanning-tree mst protocol instance name
3. mvrp static
4. periodic transmit [interval seconds]
5. join-time milliseconds
6. leave-time seconds
7. leaveall-time seconds
8. end
or
commit
Detailed Steps
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Thu Jun 4 07:50:02.660 PST
RP/0/RSP0/CPU0:router(config)#
Enters global configuration mode.
Step 2 spanning-tree mst protocol instance identifier
Example:
RP/0/RSP0/CPU0:router(config)#
spanning-tree mst a
RP/0/RSP0/CPU0:router(config-mstp)#
Enters the MSTP configuration submode.
Step 3 mvrp static
Example:
RP/0/RSP0/CPU0:router(config-mstp)# mvrp static
Configures MVRP to run over this MSTP protocol instance.
Step 4 periodic transmit [interval seconds]
Example:
RP/0/RSP0/CPU0:router(config-mvrp)#
periodic transmit
Sends periodic Multiple VLAN Registration Protocol Data Units
(MVRPDUs) on all active ports.
Step 5 join-time milliseconds
Example:
RP/0/RSP0/CPU0:router(config-mvrp)# join-time 200
Sets the join time for all active ports.
Step 6 leave-time seconds
Example:
RP/0/RSP0/CPU0:router(config-mvrp)#
leave-time 20
Sets the leave time for all active ports.
Step 7 leaveall-time seconds
Example:
RP/0/RSP0/CPU0:router(config-mvrp)#
leaveall-time 20
Sets the leave all time for all active ports.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-mvrp)# end
or
RP/0/RSP0/CPU0:router(config-mvrp)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Verifying MVRP-lite
These show commands allow you to verify the operation of MVRP-lite:
• show ethernet mvrp mad
• show ethernet mvrp status
• show ethernet mvrp statistics
Configuration Examples for Implementing MSTP
This section provides configuration examples for the following:
• Configuring MSTP: Examples
• Configuring MSTAG: Examples
• Configuring PVSTAG: Examples
• Configuring MVRP-Lite: Examples
Configuring MSTP: Examples
This example shows MSTP configuration for a single spanning-tree instance with MSTP enabled on a
single interface:
config
spanning-tree mst example
name m1
revision 10
forward-delay 20
maximum hops 40
maximum age 40
transmit hold-count 8
provider-bridge
bringup delay for 60 seconds
flush containment disable
instance 101
vlan-id 101-110
priority 8192
!
interface GigabitEthernet0/0/0/0
hello-time 1
external-cost 10000
link-type point-to-point
portfast
guard root
guard topology-change
instance 101 cost 10000
instance 101 port-priority 160
!
!
This example shows the output from the show spanning-tree mst command, which produces an
overview of the spanning tree protocol state:
# show spanning-tree mst example
Role: ROOT=Root, DSGN=Designated, ALT=Alternate, BKP=Backup, MSTR=Master
State: FWD=Forwarding, LRN=Learning, BLK=Blocked, DLY=Bringup Delayed
Operating in dot1q mode
MSTI 0 (CIST):
VLANS Mapped: 1-9,11-4094
CIST Root Priority 4096
Address 6262.6262.6262
This bridge is the CIST root
Ext Cost 0
Root ID Priority 4096
Address 6262.6262.6262
This bridge is the root
Int Cost 0
Max Age 20 sec, Forward Delay 15 sec
Bridge ID Priority 4096 (priority 4096 sys-id-ext 0)
Address 6262.6262.6262
Max Age 20 sec, Forward Delay 15 sec
Max Hops 20, Transmit Hold count 6
Interface Port ID Role State Designated Port ID
Pri.Nbr Cost Bridge ID Pri.Nbr
------------ ------- --------- ---- ----- -------------------- -------
Gi0/0/0/0 128.1 20000 DSGN FWD 4096 6262.6262.6262 128.1
Gi0/0/0/1 128.2 20000 DSGN FWD 4096 6262.6262.6262 128.2
Gi0/0/0/2 128.3 20000 DSGN FWD 4096 6262.6262.6262 128.3
Gi0/0/0/3 128.4 20000 ---- BLK ----- -------------- -------
MSTI 1:
VLANS Mapped: 10
Root ID Priority 4096
Address 6161.6161.6161
Int Cost 20000
Max Age 20 sec, Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 6262.6262.6262
Max Age 20 sec, Forward Delay 15 sec
Max Hops 20, Transmit Hold count 6
Interface Port ID Role State Designated Port ID
Pri.Nbr Cost Bridge ID Pri.Nbr
------------ ------- --------- ---- ----- -------------------- -------
Gi0/0/0/0 128.1 20000 ROOT FWD 4096 6161.6161.6161 128.1
Gi0/0/0/1 128.2 20000 ALT BLK 4096 6161.6161.6161 128.2
Gi0/0/0/2 128.3 20000 DSGN FWD 32768 6262.6262.6262 128.3
Gi0/0/0/3 128.4 20000 ---- BLK ----- -------------- -------
=========================================================================
In the show spanning-tree mst example output, the first line indicates whether MSTP is operating in
dot1q or the Provider Bridge mode, and this information is followed by details for each MSTI.
For each MSTI, the following information is displayed:
• The list of VLANs for the MSTI.
• For the CIST, the priority and bridge ID of the CIST root, and the external path cost to reach the
CIST root. The output also indicates if this bridge is the CIST root.
• The priority and bridge ID of the root bridge for this MSTI, and the internal path cost to reach the
root. The output also indicates if this bridge is the root for the MSTI.
• The max age and forward delay times received from the root bridge for the MSTI.
• The priority and bridge ID of this bridge, for this MSTI.
• The maximum age, forward delay, max hops and transmit hold-count for this bridge (which is the
same for every MSTI).
• A list of MSTP-enabled interfaces. For each interface, the following information is displayed:
– The interface name
– The port priority and port ID for this interface for this MSTI.
– The port cost for this interface for this MSTI.
– The current port role:
DSGN—Designated: This is the designated port on this LAN, for this MSTI
ROOT—Root: This is the root port for the bridge for this MSTI.
ALT—Alternate: This is an alternate port for this MSTI.
BKP—Backup: This is a backup port for this MSTI
MSTR—Master: This is a boundary port that is a root or alternate port for the CIST.
----—No role: The interface is down, or the bringup delay timer is running and no role has been assigned yet.
– The current port state:
BLK—The port is blocked.
LRN—The port is learning.
FWD—The port is forwarding.
DLY—The bringup-delay timer is running.
– If the port is a boundary port, and not CIST and the port is not designated, then only the
BOUNDARY PORT is displayed and the remaining information is not displayed.
– If the port is not up, or the bringup delay timer is running, no information is displayed for the
remaining fields. Otherwise, the bridge priority and bridge ID of the designated bridge on the
LAN that the interface connects to is displayed, followed by the port priority and port ID of the
designated port on the LAN. If the port role is Designated, then the information for this bridge
or port is displayed.
The following example shows the output from the show spanning-tree mst interface command, which
produces more detailed information regarding interface state than the standard command described above:
# show spanning-tree mst a interface GigabitEthernet0/1/2/1
GigabitEthernet0/1/2/1
Cost: 20000
link-type: point-to-point
hello-time 1
Portfast: no
BPDU Guard: no
Guard root: no
Guard topology change: no
BPDUs sent 492, received 3
MST 3:
Edge port:
Boundary : internal
Designated forwarding
Vlans mapped to MST 3: 1-2,4-2999,4000-4094
Port info port id 128.193 cost 200000
Designated root address 0050.3e66.d000 priority 8193 cost 20004
Designated bridge address 0002.172c.f400 priority 49152 port id 128.193
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Transitions to reach this state: 12
The output includes interface information about the interface which applies to all MSTIs:
• Cost
• link-type
• hello-time
• portfast (including whether BPDU guard is enabled)
• guard root
• guard topology change
• BPDUs sent, received.
It also includes information specific to each MSTI:
• Port ID, priority, cost
• BPDU information from root (bridge ID, cost, and priority)
• BPDU information being sent on this port (Bridge ID, cost, priority)
• State transitions to reach this state.
• Topology changes to reach this state.
• Flush containment status for this MSTI.
This example shows the output of show spanning-tree mst errors, which produces information about
interfaces that are configured for MSTP but where MSTP is not operational. Primarily this shows
information about interfaces which do not exist:
# show spanning-tree mst a errors
Interface Error
-------------------------------
GigabitEthernet1/2/3/4 Interface does not exist.
This example shows the output of show spanning-tree mst configuration, which displays the VLAN
ID to MSTI mapping table. It also displays the configuration digest which is included in the transmitted
BPDUs—this must match the digest received from other bridges in the same MSTP region:
# show spanning-tree mst a configuration
Name leo
Revision 2702
Config Digest 9D-14-5C-26-7D-BE-9F-B5-D8-93-44-1B-E3-BA-08-CE
Instance Vlans mapped
-------- -------------------------------
0 1-9,11-19,21-29,31-39,41-4094
1 10,20,30,40
------------------------------------------
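To see why the digest must agree across a region, the following Python script (an added example, not code from this guide) computes the MST configuration digest as IEEE 802.1Q defines it: an HMAC-MD5 over the 4096-entry VLAN-to-MSTI table using the key fixed by the standard. The function names and the sample mapping are constructed; with every VLAN left in the CIST it yields the default digest ac36177f 50283cd4 b83821d8 ab26de62, the value shown as MD5Digest in the MSTAG BPDU output later in this section.

```python
"""MST Configuration Identifier digest (IEEE 802.1Q MSTP).

Added example, not from the Cisco guide. Computes the 'Config Digest' that
'show spanning-tree mst <name> configuration' reports and that every MSTP
BPDU carries. Bridges with the same name and revision form one region only
if this digest also matches, so a single VLAN mapped to a different MSTI on
one bridge silently splits the region at that bridge.
"""
import hashlib
import hmac
from typing import Dict, List

# HMAC-MD5 key specified by IEEE 802.1Q for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec: str) -> List[int]:
    """Expand a CLI VLAN list such as '1-9,11-19,41-4094' into VLAN IDs."""
    vids: List[int] = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        start, end = int(lo), int(hi or lo)
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vids.extend(range(start, end + 1))
    return vids


def build_config_table(instance_vlans: Dict[int, str]) -> bytes:
    """Build the 8192-octet MST Configuration Table.

    Entry i (two octets, big-endian) holds the MSTID that VLAN i maps to.
    VLANs not listed stay in MSTI 0 (the CIST), exactly as on the router.
    """
    table = [0] * 4096
    for msti, spec in instance_vlans.items():
        if not 0 <= msti <= 4094:
            raise ValueError(f"invalid MSTI {msti}")
        for vid in parse_vlan_list(spec):
            if table[vid] not in (0, msti):
                raise ValueError(f"VLAN {vid} mapped to both MSTI {table[vid]} and {msti}")
            table[vid] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def mst_config_digest(instance_vlans: Dict[int, str]) -> str:
    """Return the 16-octet digest as 32 upper-case hex characters."""
    mac = hmac.new(MST_DIGEST_KEY, build_config_table(instance_vlans), hashlib.md5)
    return mac.hexdigest().upper()


def cisco_format(digest: str) -> str:
    """Render the digest the way the router prints it: 9D-14-5C-...-CE."""
    return "-".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_region(a: Dict[int, str], b: Dict[int, str]) -> bool:
    """Given equal name and revision, two mappings join one region iff digests match."""
    return mst_config_digest(a) == mst_config_digest(b)


if __name__ == "__main__":
    # Constructed mapping modelled on the 'show spanning-tree mst a configuration' output:
    # MSTI 1 carries VLANs 10, 20, 30 and 40; everything else stays in the CIST.
    mapping = {1: "10,20,30,40"}
    print("Config Digest", cisco_format(mst_config_digest(mapping)))
    # Default mapping (all VLANs in the CIST) gives the well-known default digest.
    print("Default digest", cisco_format(mst_config_digest({})))
```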
This example shows the output of show spanning-tree mst bpdu interface, which produces details on
the BPDUs being output and received on a given local interface:
Note Several received packets can be stored in case of MSTP operating on a shared LAN.
# show spanning-tree mst a bpdu interface GigabitEthernet0/1/2/2 direction transmit
MSTI 0 (CIST):
Root ID : 0004.9b78.0800
Path Cost : 83
Bridge ID : 0004.9b78.0800
Port ID : 12
Hello Time : 2
...
This example shows the output of show spanning-tree mst topology-change flushes, which displays
details about the topology changes that have occurred for each MSTI on each interface:
# show spanning-tree mst M topology-change flushes instance$
MSTI 1:
Interface Last TC Reason Count
------------ -------------------- -------------------------------- -----
Te0/0/0/1 04:16:05 Mar 16 2010 Role change: DSGN to ---- 10
#
#
# show spanning-tree mst M topology-change flushes instance$
MSTI 0 (CIST):
Interface Last TC Reason Count
------------ -------------------- -------------------------------- -----
Te0/0/0/1 04:16:05 Mar 16 2010 Role change: DSGN to ---- 10
#
Configuring MSTAG: Examples
This example shows MSTAG configuration for a single spanning-tree instance on a single interface:
config
interface GigabitEthernet0/0/0/0.1 l2transport
encapsulation untagged
!
spanning-tree mstag example
preempt delay for 60 seconds
interface GigabitEthernet0/0/0/0.1
name m1
revision 10
external-cost 0
bridge-id 0.0.1
port-id 1
maximum age 40
provider-bridge
hello-time 1
instance 101
edge mode
vlan-id 101-110
root-priority 0
root-id 0.0.0
cost 0
priority 0
port-priority 0
!
!
!
This example shows additional configuration for MSTAG Topology Change Propagation:
l2vpn
xconnect group example
p2p mstag-example
interface GigabitEthernet0/0/0/0.1
neighbor 123.123.123.1 pw-id 100
!
!
!
This example shows the output of show spanning-tree mstag:
# show spanning-tree mstag A
GigabitEthernet0/0/0/1
Preempt delay is disabled.
Name: 6161:6161:6161
Revision: 0
Max Age: 20
Provider Bridge: no
Bridge ID: 6161.6161.6161
Port ID: 1
External Cost: 0
Hello Time: 2
Active: no
BPDUs sent: 0
MSTI 0 (CIST):
VLAN IDs: 1-9,32-39,41-4094
Role: Designated
Bridge Priority: 32768
Port Priority: 128
Cost: 0
Root Bridge: 6161.6161.6161
Root Priority: 32768
Topology Changes: 123
MSTI 2
VLAN IDs: 10-31
Role: Designated
Bridge Priority: 32768
Port Priority: 128
Cost: 0
Root Bridge: 6161.6161.6161
Root Priority: 32768
Topology Changes: 123
MSTI 10
VLAN IDs: 40
Role: Root (Edge mode)
Bridge Priority: 32768
Port Priority: 128
Cost: 200000000
Root Bridge: 6161.6161.6161
Root Priority: 61440
Topology Changes: 0
This example shows the output of show spanning-tree mstag bpdu interface, which produces details
on the BPDUs being output and received on a given local interface:
RP/0/RSP0/CPU0:router#show spanning-tree mstag foo bpdu interface GigabitEthernet 0/0/0/0
Transmitted:
MSTI 0 (CIST):
ProtocolIdentifier: 0
ProtocolVersionIdentifier: 3
BPDUType: 2
CISTFlags: Top Change Ack 0
Agreement 1
Forwarding 1
Learning 1
Role 3
Proposal 0
Topology Change 0
CISTRootIdentifier: priority 8, MSTI 0, address 6969.6969.6969
CISTExternalPathCost: 0
CISTRegionalRootIdentifier: priority 8, MSTI 0, address 6969.6969.6969
CISTPortIdentifierPriority: 8
CISTPortIdentifierId: 1
MessageAge: 0
MaxAge: 20
HelloTime: 2
ForwardDelay: 15
Version1Length: 0
Version3Length: 80
FormatSelector: 0
Name: 6969:6969:6969
Revision: 0
MD5Digest: ac36177f 50283cd4 b83821d8 ab26de62
CISTInternalRootPathCost: 0
CISTBridgeIdentifier: priority 8, MSTI 0, address 6969.6969.6969
CISTRemainingHops: 20
MSTI 1:
MSTIFlags: Master 0
Agreement 1
Forwarding 1
Learning 1
Role 3
Proposal 0
Topology Change 0
MSTIRegionalRootIdentifier: priority 8, MSTI 1, address 6969.6969.6969
MSTIInternalRootPathCost: 0
MSTIBridgePriority: 1
MSTIPortPriority: 8
MSTIRemainingHops: 20
This example shows the output of show spanning-tree mstag topology-change flushes, which displays
details about the topology changes that have occurred for each interface:
#show spanning-tree mstag b topology-change flushes
MSTAG Protocol Instance b
Interface Last TC Reason Count
------------ ------------------- -------------------------------- -----
Gi0/0/0/1 18:03:24 2009-07-14 Gi0/0/0/1.10 egress TCN 65535
Gi0/0/0/2 21:05:04 2009-07-15 Gi0/0/0/2.1234567890 ingress TCN 2
Configuring PVSTAG: Examples
This example shows PVSTAG configuration for a single VLAN on a single interface:
config
spanning-tree pvstag example
preempt delay for 60 seconds
interface GigabitEthernet0/0/0/0
vlan 10
root-priority 0
root-id 0.0.0
root-cost 0
priority 0
bridge-id 0.0.1
port-priority 0
port-id 1
max age 40
hello-time 1
!
!
!
This example shows the output of show spanning-tree pvstag:
# show spanning-tree pvstag interface GigabitEthernet0/0/0/1
GigabitEthernet0/0/0/1
VLAN 10
Preempt delay is disabled.
Sub-interface: GigabitEthernet0/0/0/1.20 (Up)
Max Age: 20
Root Priority: 0
Root Bridge: 0000.0000.0000
Cost: 0
Bridge Priority: 32768
Bridge ID: 6161.6161.6161
Port Priority: 128
Port ID: 1
Hello Time: 2
Active: no
BPDUs sent: 0
Topology Changes: 123
VLAN 20
Configuring MVRP-Lite: Examples
This example shows MVRP-lite configuration:
config
spanning-tree mst example
mvrp static
periodic transmit
join-time 200
leave-time 30
leaveall-time 10
!
!
This example shows the output of show ethernet mvrp mad:
RP/0/RSP0/CPU0:router# show ethernet mvrp mad interface GigabitEthernet 0/1/0/1
GigabitEthernet0/1/0/1
Participant Type: Full; Point-to-Point: Yes
Admin Control: Applicant Normal; Registrar Normal
LeaveAll Passive (next in 5.92s); periodic disabled
Leave in 25.70s; Join not running
Last peer 0293.6926.9585; failed registrations: 0
VID Applicant Registrar
---- --------------------- ---------
1 Very Anxious Observer Leaving
283 Quiet Passive Empty
This example shows the output of show ethernet mvrp status:
RP/0/RSP0/CPU0:router# show ethernet mvrp status interface GigabitEthernet 0/1/0/1
GigabitEthernet0/1/0/1
Statically declared: 1-512,768,980-1034
Dynamically declared: 2048-3084
Registered: 1-512
This example shows the output of show ethernet mvrp statistics:
RP/0/RSP0/CPU0:router# show ethernet mvrp statistics interface GigabitEthernet 0/1/0/1
GigabitEthernet0/1/0/1
MVRPDUs TX: 1245
MVRPDUs RX: 7
Dropped TX: 0
Dropped RX: 42
Invalid RX: 12
Additional References
These sections provide references related to implementing Multiple Spanning Tree Protocol (MSTP) on
Cisco ASR 9000 Series Routers.
Related Documents
Related Topic: Multiple Spanning Tree Protocol Commands: complete command syntax, command modes,
command history, defaults, usage guidelines, and examples
Document Title: Multiple Spanning Tree Protocol Commands module in Cisco ASR 9000 Series Aggregation
Services Router L2VPN and Ethernet Services Command Reference
Standards
IEEE 802.1Q-2005: IEEE Standard for Local and Metropolitan Area Networks - Virtual Bridged Local Area
Networks
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found
at this URL and choose a platform under the Cisco Access Products menu:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been
modified by this feature.
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical
content, including links to products, technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Implementing Layer 2 Access Lists
An Ethernet services access control list (ACL) consists of one or more access control entries (ACE) that
collectively define the Layer 2 network traffic profile. This profile can then be referenced by
Cisco IOS XR software features. Each Ethernet services ACL includes an action element (permit or
deny) based on criteria such as source and destination address, Class of Service (CoS), or VLAN ID.
This module describes tasks required to implement Ethernet services access lists on your
Cisco ASR 9000 Series Aggregation Services Router.
Note For a complete description of the Ethernet services access list commands listed in this module, refer to
the Ethernet Services (Layer 2) Access List Commands on Cisco ASR 9000 Series Routers module in the
Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference
publication. To locate documentation of other commands that appear in this chapter, use the command
reference master index, or search online.
Feature History for Implementing Ethernet Services Access Lists on Cisco ASR 9000 Series Routers
Release Modification
Release 3.7.2 This feature was introduced on Cisco ASR 9000 Series Routers.
Contents
• Prerequisites for Implementing Layer 2 Access Lists, page 378
• Information About Implementing Layer 2 Access Lists, page 378
• How to Implement Layer 2 Access Lists, page 380
• Configuration Examples for Implementing Layer 2 Access Lists, page 387
• Additional References, page 388
Prerequisites for Implementing Layer 2 Access Lists
This prerequisite applies to implementing access lists and prefix lists:
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
Information About Implementing Layer 2 Access Lists
To implement Ethernet services access lists, you must understand these concepts:
• Ethernet Services Access Lists Feature Highlights, page 378
• Purpose of Ethernet Services Access Lists, page 378
• How an Ethernet Services Access List Works, page 378
• Ethernet Services Access List Entry Sequence Numbering, page 380
Ethernet Services Access Lists Feature Highlights
Ethernet services access lists have these feature highlights:
• Counters for an access list can be cleared using a specific sequence number.
• The contents of an existing access list can be copied to another access list.
• Users can apply sequence numbers to permit or deny statements and can resequence, add, or
remove such statements from a named access list.
• Packet filtering is provided on interfaces to control which packets are forwarded.
• Ethernet services ACLs can be applied on interfaces, VLAN subinterfaces, bundle-Ethernet
interfaces, EFPs, and EFPs over bundle-Ethernet interfaces. Atomic replacement of Ethernet
services ACLs is supported on these physical interfaces.
Purpose of Ethernet Services Access Lists
Using ACL-based forwarding (ABF), Ethernet services access lists perform packet filtering to control
which packets move through the network and where. Such controls help to limit incoming and outgoing
network traffic and restrict the access of users and devices to the network at the port level.
How an Ethernet Services Access List Works
An Ethernet services access list is a sequential list consisting of permit and deny statements that apply
to Layer 2 configurations. The access list has a name by which it is referenced.
An access list can be configured and named, but it is not in effect until the access list is referenced by a
command that accepts an access list. Multiple commands can reference the same access list. An access
list can control Layer 2 traffic arriving at the router or leaving the router, but not traffic originating at
the router.
Ethernet Services Access List Process and Rules
Use this process and rules when configuring an Ethernet services access list:
• The software tests the source or destination address of each packet being filtered against the
conditions in the access list, one condition (permit or deny statement) at a time.
• If a packet does not match an access list statement, the packet is then tested against the next
statement in the list.
• If a packet and an access list statement match, the remaining statements in the list are skipped and
the packet is permitted or denied as specified in the matched statement. The first entry that the packet
matches determines whether the software permits or denies the packet. That is, after the first match,
no subsequent entries are considered.
• If the access list denies the address or protocol, the software discards the packet.
• If no conditions match, the software drops the packet because each access list ends with an unwritten
or implicit deny statement. That is, if the packet has not been permitted or denied by the time it was
tested against each statement, it is denied.
• The access list should contain at least one permit statement or else all packets are denied.
• Because the software stops testing conditions after the first match, the order of the conditions is
critical. The same permit or deny statements specified in a different order could result in a packet
being passed under one circumstance and denied in another circumstance.
• Inbound access lists process packets arriving at the router. Incoming packets are processed before
being routed to an outbound interface. An inbound access list is efficient because it saves the
overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests.
If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit
means continue to process the packet after receiving it on an inbound interface; deny means discard
the packet.
• Outbound access lists process packets before they leave the router. Incoming packets are routed to
the outbound interface and then processed through the outbound access list. For outbound lists,
permit means send it to the output buffer; deny means discard the packet.
• An access list cannot be removed while it is being applied by an access group in use. To
remove an access list, first remove the access group that references it and then remove
the access list.
• An access list must exist before you can use the ethernet-services access-group command.
Helpful Hints for Creating Ethernet Services Access Lists
Consider these when creating an Ethernet services access list:
• Create the access list before applying it to an interface.
• Organize your access list so that more specific references appear before more general ones.
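The process and rules above (statements tested in sequence-number order, first match decides, implicit deny at the end, and order therefore matters) worked through in a small Python simulation. This is an added example, not Cisco software or IOS XR output. It assumes the H.H.H MAC notation used in this chapter's examples, treats a set bit in the mask as "compare this bit" (an assumption about mask semantics, not something the chapter states), and handles only the src-mac/any/host, vlan, cos and dei matches from Step 3; the Frame type, the function names and the sample statements are constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit all-ones mask, used for the "host" keyword


def mac_to_int(dotted: str) -> int:
    """Parse the H.H.H notation used in the examples (three hex groups of up to 16 bits)."""
    groups = dotted.split(".")
    if len(groups) != 3:
        raise ValueError(f"MAC must have three dotted hex groups: {dotted!r}")
    value = 0
    for group in groups:
        n = int(group, 16)
        if not 0 <= n <= 0xFFFF:
            raise ValueError(f"hex group out of range in {dotted!r}")
        value = (value << 16) | n
    return value


@dataclass
class Frame:
    """Fields of a Layer 2 frame that the statements below can test (constructed input)."""
    src: int
    vlan: int = 0
    cos: int = 0
    dei: bool = False


@dataclass
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    src: Optional[int]                # None stands for the "any" keyword
    mask: int                         # assumption: a 1 bit means "compare this bit"
    vlan: Optional[Tuple[int, int]] = None
    cos: Optional[int] = None
    dei: bool = False

    def matches(self, frame: Frame) -> bool:
        if self.src is not None and (frame.src & self.mask) != (self.src & self.mask):
            return False
        if self.vlan is not None and not (self.vlan[0] <= frame.vlan <= self.vlan[1]):
            return False
        if self.cos is not None and frame.cos != self.cos:
            return False
        if self.dei and not frame.dei:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse one statement in the Step 3 form, e.g. '20 permit 1.2.3 3.2.1 vlan 10 20 cos 5'."""
    tokens = line.split()
    seq, action, kind = int(tokens[0]), tokens[1].lower(), tokens[2].lower()
    rest = tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if kind == "any":
        src, mask = None, 0
    elif kind == "host":
        src, mask = mac_to_int(rest.pop(0)), MAC_BITS
    else:
        src, mask = mac_to_int(kind), mac_to_int(rest.pop(0))
    ace = Ace(seq, action, src, mask)
    while rest:
        keyword = rest.pop(0).lower()
        if keyword == "vlan":
            low = int(rest.pop(0))
            high = int(rest.pop(0)) if rest and rest[0].isdigit() else low
            ace.vlan = (low, high)
        elif keyword == "cos":
            ace.cos = int(rest.pop(0))
        elif keyword == "dei":
            ace.dei = True
        else:
            raise ValueError(f"keyword {keyword!r} is not handled by this simulation")
    return ace


def build_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], frame: Frame) -> Tuple[str, Optional[int]]:
    """First-match rule: test statements in sequence-number order, stop at the first match,
    and fall through to the implicit deny (reported with sequence None) when nothing matches."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(frame):
            return ace.action, ace.seq
    return "deny", None


def ordering_demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Same two statements in two orders: only when the specific deny precedes the
    general permit is the frame from 1.2.3 actually denied."""
    frame = Frame(src=mac_to_int("1.2.3"))
    specific_first = build_acl(["10 deny host 1.2.3", "20 permit 1.0.0 ffff.0.0"])
    general_first = build_acl(["10 permit 1.0.0 ffff.0.0", "20 deny host 1.2.3"])
    return evaluate(specific_first, frame), evaluate(general_first, frame)
```

The `ordering_demo` result is the point of the "more specific before more general" hint: a list that permits the whole `ffff.0.0` range before denying one host in it never reaches the deny, and the only way to see that from the configuration is to read the statements in sequence order.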
Source and Destination Addresses
Source MAC address and destination MAC address are two of the most typical fields on which to base
an access list. Specify source MAC addresses to control packets from certain networking devices or
hosts. Specify destination MAC addresses to control packets being sent to certain networking devices or
hosts.
Ethernet Services Access List Entry Sequence Numbering
The ability to apply sequence numbers to Ethernet services access-list entries simplifies access list
changes. The access list entry sequence numbering feature allows you to add sequence numbers to
access-list entries and resequence them. When you add a new entry, you choose the sequence number so
that it is in a desired position in the access list. If necessary, entries currently in the access list can be
resequenced to create room to insert the new entry.
Sequence Numbering Behavior
These are the details of the sequence numbering behavior:
• If entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10,
and successive entries are incremented by 10. The maximum sequence number is 2147483646. If
the generated sequence number exceeds this maximum number, this message is displayed:
Exceeded maximum sequence number.
• If you provide an entry without a sequence number, it is assigned a sequence number that is 10
greater than the last sequence number in that access list and is placed at the end of the list.
• ACL entries can be added without affecting traffic flow and hardware performance.
• Distributed support is provided so that the sequence numbers of entries in the route-switch processor
(RSP) and interface card are synchronized at all times.
How to Implement Layer 2 Access Lists
This section contains these procedures:
• Restrictions for Implementing Layer 2 Access Lists, page 380
• Configuring Ethernet Services Access Lists, page 381 (optional)
• Applying Ethernet Services Access Lists, page 382 (optional)
• Resequencing Access-List Entries, page 385 (optional)
Restrictions for Implementing Layer 2 Access Lists
These restrictions apply to implementing Ethernet services access lists:
• Ethernet services access lists are not supported over management interfaces.
• NetIO (software slow path) is not supported for Ethernet services access lists.
Configuring Ethernet Services Access Lists
This task configures an Ethernet services access list.
SUMMARY STEPS
1. configure
2. ethernet-service access-list name
3. [sequence-number] {permit | deny} {src-mac-address src-mac-mask | any | host}
[{ethertype-number} | vlan min-vlan-ID [max-vlan-ID]] [cos cos-value] [dei] [inner-vlan
min-vlan-ID [max-vlan-ID]] [inner-cos cos-value] [inner-dei]
4. Repeat Step 3 as necessary, adding statements by sequence number where you planned. Use the no
sequence-number command to delete an entry.
5. end
or
commit
6. show access-lists ethernet-services [access-list-name | maximum | standby | summary]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 ethernet-service access-list name
Example:
RP/0/RSP0/CPU0:router(config)# ethernet-service
access-list L2ACL2
Enters Ethernet services access list configuration mode and
configures access list L2ACL2.
Step 3 [sequence-number] {permit | deny}
{src-mac-address src-mac-mask | any | host}
[{ethertype-number} | vlan min-vlan-ID
[max-vlan-ID]] [cos cos-value] [dei] [inner-vlan
min-vlan-ID [max-vlan-ID]] [inner-cos cos-value]
[inner-dei]
Example:
RP/0/RSP0/CPU0:router(config-es-acl)# 20 permit
1.2.3 3.2.1
or
RP/0/RSP0/CPU0:router(config-es-acl)# 30 deny
any dei
Specifies one or more conditions allowed or denied, which
determines whether the packet is passed or dropped.
Step 4 Repeat Step 3 as necessary, adding statements by
sequence number where you planned. Use the no
sequence-number command to delete an entry.
Allows you to revise an access list.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-es-acl)# end
or
RP/0/RSP0/CPU0:router(config-es-acl)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 6 show access-lists ethernet-services
[access-list-name | maximum | standby | summary]
Example:
RP/0/RSP0/CPU0:router# show access-lists
ethernet-services L2ACL1
(Optional) Displays the contents of the named Ethernet
services access list.
• By default, the contents of all Ethernet services access
lists are displayed.
What to Do Next
After creating an Ethernet services access list, you must apply it to an interface. See the Applying
Ethernet Services Access Lists section for information about how to apply an access list.
Applying Ethernet Services Access Lists
After you create an access list, you must reference the access list to make it work. Access lists can be
applied on either outbound or inbound interfaces. This section describes guidelines on how to
accomplish this task for both terminal lines and network interfaces.
For inbound access lists, after receiving a packet, Cisco IOS XR software checks the source MAC
address of the packet against the access list. If the access list permits the address, the software continues
to process the packet. If the access list rejects the address, the software discards the packet.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software
checks the source MAC address of the packet against the access list. If the access list permits the address,
the software sends the packet. If the access list rejects the address, the software discards the packet.
Note An empty access-list (containing no access control elements) cannot be applied on an interface.
Controlling Access to an Interface
This task applies an access list to an interface to restrict access to that interface. Access lists can be
applied on either outbound or inbound interfaces.
SUMMARY STEPS
1. configure
2. interface type instance
3. ethernet-services access-group access-list-name {ingress | egress}
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type instance
Example:
RP/0/RSP0/CPU0:router(config)# interface
gigabitethernet 0/2/0/2
Configures an interface and enters interface configuration
mode.
• The type argument specifies an interface type. For more
information on interface types, use the question mark
(?) online help function.
• The instance argument specifies either a physical
interface instance or a virtual instance.
– The naming notation for a physical interface
instance is rack/slot/module/port. The slash (/)
between values is required as part of the notation.
– The number range for a virtual interface instance
varies depending on the interface type.
Step 3 ethernet-services access-group access-list-name
{ingress | egress}
Example:
RP/0/RSP0/CPU0:router(config-if)#
ethernet-services access-group p-in-filter
ingress
RP/0/RSP0/CPU0:router(config-if)#
ethernet-services access-group p-out-filter
egress
Controls access to an interface.
• Use the access-list-name argument to specify a
particular Ethernet services access list.
• Use the ingress keyword to filter on inbound packets or
the egress keyword to filter on outbound packets.
This example applies filters on packets inbound and
outbound from GigabitEthernet interface 0/2/0/2.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Copying Ethernet Services Access Lists
This task copies an Ethernet services access list.
SUMMARY STEPS
1. copy access-list ethernet-service source-acl destination-acl
2. show access-lists ethernet-services [access-list-name | maximum | standby | summary]
DETAILED STEPS
Command or Action Purpose
Step 1 copy access-list ethernet-service source-acl
destination-acl
Example:
RP/0/RSP0/CPU0:router# copy access-list
ethernet-service list-1 list-2
Creates a copy of an existing Ethernet services access list.
• Use the source-acl argument to specify the name of the
access list to be copied.
• Use the destination-acl argument to specify where to
copy the contents of the source access list.
– The destination-acl argument must be a unique
name; if the destination-acl argument name exists
for an access list, the access list is not copied.
Step 2 show access-lists ethernet-services
[access-list-name | maximum | standby | summary]
Example:
RP/0/RSP0/CPU0:router# show access-lists
ethernet-services list-2
(Optional) Displays the contents of a named Ethernet
services access list. For example, you can verify the output
to see that the destination access list list-2 contains all the
information from the source access list list-1.
Resequencing Access-List Entries
This task shows how to reassign sequence numbers to entries in a named access list. Resequencing an
access list is optional.
SUMMARY STEPS
1. resequence access-list ethernet-service access-list-name [starting-sequence-number [increment]]
2. end
or
commit
3. show access-lists ethernet-services [access-list-name | maximum | standby | summary]
DETAILED STEPS
Command or Action Purpose
Step 1 resequence access-list ethernet-service
access-list-name [starting-sequence-number
[increment]]
Example:
RP/0/RSP0/CPU0:router# resequence access-list
ethernet-service L2ACL2 20 10
(Optional) Resequences the specified Ethernet services
access list using the desired starting sequence number and
the increment of sequence numbers.
• This example resequences an Ethernet services access
list named L2ACL2. The starting sequence number is
20 and the increment is 10. If you do not select an
increment, the default increment 10 is used.
Note If during the resequencing process it is determined
that the ending number will exceed the maximum
sequence number allowed, the configuration will
not take effect and will be rejected. The sequence
numbers will not be changed.
Step 2 end
or
commit
Example:
RP/0/RSP0/CPU0:router# end
or
RP/0/RSP0/CPU0:router# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 3 show access-lists ethernet-services
[access-list-name | maximum | standby | summary]
Example:
RP/0/RSP0/CPU0:router# show access-lists
ethernet-services L2ACL2
(Optional) Displays the contents of a named Ethernet
services access list.
• Review the output to see that the access list includes the
updated information.
Configuration Examples for Implementing Layer 2 Access Lists
This section provides these configuration examples:
• Resequencing Entries in an Access List: Example, page 387
• Adding Entries with Sequence Numbers: Example, page 387
Resequencing Entries in an Access List: Example
This example shows access-list resequencing. The starting value in the resequenced access list is 1, and
the increment value is 2. The subsequent entries are ordered based on the increment values that users
provide, and the range is from 1 to 2147483646.
When an entry with no sequence number is entered, by default, it has a sequence number of 10 more than
the last entry in the access list.
ethernet-service access-list acl_1
10 permit 1.2.3 4.5.6
20 deny 2.3.4 5.4.3
30 permit 3.1.2 5.3.4 cos 5
resequence access-list ethernet-service acl_1 10 20
show access-lists ethernet-services acl_1
ethernet-service access-list acl_1
10 permit 1.2.3 4.5.6
30 deny 2.3.4 5.4.3
50 permit 3.1.2 5.3.4 cos 5
Adding Entries with Sequence Numbers: Example
In this example, a new entry is added to Ethernet services access list acl_5.
ethernet-service access-list acl_5
2 permit 1.2.3 5.4.3
5 permit 2.3.4 6.5.4 cos 3
10 permit any dei
20 permit 6.5.4 1.3.5 VLAN vlan3
configure
ethernet-service access-list acl_5
15 permit 1.5.7 7.5.1
end
ethernet-service access-list acl_5
2 permit 1.2.3 5.4.3
5 permit 2.3.4 6.5.4 cos 3
10 permit any dei
15 permit 1.5.7 7.5.1
20 permit 6.5.4 1.3.5 VLAN vlan3
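The sequence-numbering rules from the Sequence Numbering Behavior section (auto-assignment of 10, last + 10, the 2147483646 maximum and the "Exceeded maximum sequence number." message), the whole-operation rejection described in the Resequencing task, and the two configuration examples above, replayed in Python. This is an added example and not the router's implementation: EthernetServicesAcl, SequenceError and run_examples are names chosen here, the statement text is stored without being parsed, and the behaviour that re-entering an existing sequence number overwrites that entry is an assumption.

```python
import re
from typing import Dict, List

MAX_SEQUENCE = 2147483646   # maximum sequence number stated in the text
DEFAULT_STEP = 10           # auto-assigned entries go 10, 20, 30, ...


class SequenceError(Exception):
    """Raised where the router would reject the operation."""


class EthernetServicesAcl:
    """Entries of one named access list, keyed by sequence number."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._entries: Dict[int, str] = {}

    def add(self, line: str) -> int:
        """Add a statement. A leading integer is its sequence number; without one the
        entry gets last + 10 (10 for an empty list) and therefore lands at the end."""
        match = re.match(r"^\s*(\d+)\s+(.*\S)\s*$", line)
        if match:
            seq, statement = int(match.group(1)), match.group(2)
            if not 1 <= seq <= MAX_SEQUENCE:
                raise SequenceError(f"sequence number {seq} is outside 1-{MAX_SEQUENCE}")
        else:
            statement = line.strip()
            seq = max(self._entries) + DEFAULT_STEP if self._entries else DEFAULT_STEP
            if seq > MAX_SEQUENCE:
                raise SequenceError("Exceeded maximum sequence number.")
        self._entries[seq] = statement   # assumption: re-entering a number overwrites that entry
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of the 'no sequence-number' form used in Step 4."""
        if seq not in self._entries:
            raise SequenceError(f"no entry with sequence number {seq}")
        del self._entries[seq]

    def resequence(self, start: int = 10, step: int = DEFAULT_STEP) -> List[int]:
        """Renumber the entries start, start+step, ... in their existing order. If the last
        number would exceed the maximum, reject the whole operation and change nothing."""
        if start < 1 or step < 1:
            raise SequenceError("starting number and increment must be positive")
        ordered = sorted(self._entries)
        if ordered:
            last = start + step * (len(ordered) - 1)
            if last > MAX_SEQUENCE:
                raise SequenceError(
                    f"ending number {last} exceeds {MAX_SEQUENCE}; sequence numbers unchanged")
        self._entries = {start + i * step: self._entries[old] for i, old in enumerate(ordered)}
        return list(self._entries)

    def sequence_numbers(self) -> List[int]:
        return sorted(self._entries)

    def show(self) -> str:
        """Render the list in the style of the examples above."""
        lines = [f"ethernet-service access-list {self.name}"]
        lines += [f"{seq} {self._entries[seq]}" for seq in sorted(self._entries)]
        return "\n".join(lines)


def run_examples() -> Dict[str, object]:
    """Replay the two examples above plus both rejection cases; returns the observations."""
    results: Dict[str, object] = {}
    acl_1 = EthernetServicesAcl("acl_1")
    for line in ("10 permit 1.2.3 4.5.6", "20 deny 2.3.4 5.4.3", "30 permit 3.1.2 5.3.4 cos 5"):
        acl_1.add(line)
    results["acl_1_resequenced"] = acl_1.resequence(10, 20)   # [10, 30, 50], as in the example
    results["acl_1_auto_seq"] = acl_1.add("deny any")         # 60: last + 10, placed at the end

    acl_5 = EthernetServicesAcl("acl_5")
    for line in ("2 permit 1.2.3 5.4.3", "5 permit 2.3.4 6.5.4 cos 3",
                 "10 permit any dei", "20 permit 6.5.4 1.3.5 VLAN vlan3"):
        acl_5.add(line)
    acl_5.add("15 permit 1.5.7 7.5.1")                        # explicit number picks the position
    results["acl_5_numbers"] = acl_5.sequence_numbers()       # [2, 5, 10, 15, 20]

    full = EthernetServicesAcl("full")                        # constructed: last entry at the maximum
    full.add(f"{MAX_SEQUENCE} permit any")
    try:
        full.add("deny any")
        results["auto_overflow"] = "accepted"
    except SequenceError as err:
        results["auto_overflow"] = str(err)

    before = acl_1.sequence_numbers()
    try:
        acl_1.resequence(MAX_SEQUENCE - 10, 10)               # four entries: would end at max + 20
        results["resequence_overflow"] = "accepted"
    except SequenceError:
        results["resequence_overflow"] = "rejected" if acl_1.sequence_numbers() == before else "changed"
    return results
```

The two rejection cases differ in a way worth noticing when scripting changes: an auto-numbered add fails only for the one entry that would overflow, whereas a resequence that would overflow fails as a whole and leaves every number as it was, which is what the Note in the Resequencing task describes.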
Additional References
These sections provide references related to implementing Ethernet services access lists on
Cisco ASR 9000 Series Routers.
Related Documents
Related Topic: Ethernet services access list commands: complete command syntax, command modes,
command history, defaults, usage guidelines, and examples
Document Title: Ethernet Services (Layer 2) Access List Commands on Cisco ASR 9000 Series Routers
module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command
Reference
Standards
No new or modified standards are supported by this feature, and support for existing standards has not
been modified by this feature.
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found
at this URL and choose a platform under the Cisco Access Products menu:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been
modified by this feature.
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical
content, including links to products, technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
System Considerations
This module provides information on the Cisco ASR 9000 Series Routers scale limitations.
Note The show l2vpn capability command displays the scale limitation for the router.
Scale Limitations
Table 4 provides information on the Scale limitations for the Cisco ASR 9000 Series Routers.
Note The limitations in Table 4 are specified on a per VFI basis.
Table 4 Scale Limitations
K = 1024
Line cards:
L—Low Queue Line card, for example: A9K-40GE-L
B—Base Line card, for example: A9K-40GE-B
E—Extended Line card, for example: A9K-40GE-E
Note To achieve the scale values, subinterfaces must be evenly allocated between the line card’s physical
ports.
                    Port/    Line Card            Bridge Domain        System
                    Bundle   L      B      E      L      B      E
Subinterfaces       NA       32K    64K    64K    4K     8K     8K     64K
Bridge Domains      NA       NA     NA     NA     NA     NA     NA     8K
Pseudowires         NA       NA     NA     NA     NA     NA     NA     64K
LAG Bundles         NA       NA     NA     40     NA     NA     NA     128
LAG Subinterfaces   4K       8K     8K     8K     NA     NA     NA     16K
Learned MACs        512K     512K   512K   512K   512K   512K   512K   512K
For more information on Ethernet line cards, see Table 1-3 of the Cisco ASR 9000 Series Aggregation
Services Router Ethernet Line Card Installation Guide.
Additional References
These sections provide references related to implementing Ethernet services access lists on
Cisco ASR 9000 Series Routers.
Related Documents
Related Topic: Ethernet services access list commands: complete command syntax, command modes,
command history, defaults, usage guidelines, and examples
Document Title: Ethernet Services (Layer 2) Access List Commands on Cisco ASR 9000 Series Routers
module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command
Reference
Standards
No new or modified standards are supported by this feature, and support for existing standards has not
been modified by this feature.
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found
at this URL and choose a platform under the Cisco Access Products menu:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been
modified by this feature.
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical
content, including links to products, technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
AR: Cisco ASR 9000 Series Aggregation Services Router Advanced System Command Reference
HR: Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference
IR: Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference
MCR: Cisco ASR 9000 Series Aggregation Services Router Multicast Command Reference
MNR: Cisco ASR 9000 Series Aggregation Services Router System Monitoring Command Reference
MPR: Cisco ASR 9000 Series Aggregation Services Router MPLS Command Reference
QR: Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Command Reference
RR: Cisco ASR 9000 Series Aggregation Services Router Routing Command Reference
SMR: Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference
SR: Cisco ASR 9000 Series Aggregation Services Router System Security Command Reference
LSR: Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
Index
A
access
lists
applying LSC-382
inbound or outbound interfaces, applying
on LSC-382
Access Gateway LSC-335
Configuring MSTAG or REPAG LSC-349
Configuring PVSTAG or PVRSTAG LSC-355
MSTAG Edge Mode LSC-339
Overview LSC-336
Preempt Delay LSC-338
Supported Protocols LSC-339
Topology Change Propagation LSC-338
aging, MAC address
how to configure LSC-245
how to define LSC-195
Any Transport over Multiprotocol (AToM)
static labels, how to use LSC-233
static pseudowire LSC-233
Asynchronous Transfer Mode (ATM)
MPLS L2VPN LSC-107
attachment circuits
how to define LSC-188
B
bridge domain
how to associate members LSC-210
how to configure parameters LSC-212
how to configure pseudowire LSC-207
how to create LSC-205
how to disable LSC-215
overview LSC-186
Bundle-Ether command LSC-84
bundle id command LSC-84
bundle-POS LSC-88, LSC-94
bundle-id command
bundle-POS LSC-89
D
dot1q native vlan command LSC-51
dot1q vlan command LSC-48
E
encapsulation command LSC-48, LSC-49
EoMPLS
ethernet port mode LSC-108
inter-as port mode LSC-110
overview LSC-108
QinAny mode LSC-111
QinQ mode LSC-111
Ethernet Features LSC-61
L2PT LSC-62
policy based forwarding LSC-62
Ethernet interface
configuring an attachment circuit LSC-42
configuring flow control LSC-36
configuring the IP address and subnet mask LSC-40
configuring the MAC address LSC-36, LSC-40
configuring the MTU LSC-36, LSC-40
default settings
flow control LSC-36
MAC address LSC-36
mtu LSC-36
displaying Ethernet interfaces LSC-41
enabling flow-control LSC-40
Gigabit Ethernet standards LSC-24
IEEE 802.3ab 1000BASE-T Gigabit
Ethernet LSC-24
IEEE 802.3ae 10 Gbps Ethernet LSC-24
IEEE 802.3 Physical Ethernet
Infrastructure LSC-24
IEEE 802.3z 1000 Mbps Gigabit Ethernet LSC-24
Layer 2 VPN
overview LSC-23
preparing a port for Layer 2 VPN LSC-42
VLAN support LSC-34
using the flow-control command LSC-36, LSC-40
using the interface command LSC-39, LSC-310
using the ipv4 address command LSC-40
using the mac address command LSC-36, LSC-40
using the mtu command LSC-36, LSC-40
using the negotiation auto command LSC-40
using the no shutdown command LSC-41
VLANs
802.1Q frames tagging LSC-33
assigning a VLAN AC LSC-48
configuring native VLAN LSC-49
configuring subinterfaces LSC-47
configuring the native VLAN LSC-51
displaying VLAN interfaces LSC-49, LSC-53,
LSC-93, LSC-95
MTU inheritance LSC-33
removing a subinterface LSC-52
subinterface overview LSC-33
using the dot1q native vlan command LSC-51
using the dot1q vlan command LSC-48
using the interface command LSC-50
using the show vlan interfaces command LSC-49,
LSC-53, LSC-93, LSC-95
ethernet port mode LSC-108
F
failover LSC-84
flooding
MAC address LSC-194
Flow Aware Transport Pseudowire LSC-204
flow-control command LSC-36, LSC-40
frame relay, MPLS L2VPN LSC-107
G
G.8032 Ethernet Ring Protection LSC-199
Configuration Example LSC-296
Configuring G.8032 Ethernet Ring
Protection LSC-261
Overview LSC-199
Single Link Failure LSC-202
Timers LSC-201
Generic Routing Encapsulation Overview
(L2VPN) LSC-113
I
IEEE 802.1ah Provider Backbone Bridge LSC-303
IEEE 802.3ad standard LSC-82
if submode
bundle id command LSC-88, LSC-94
bundle-id command LSC-89
ip address command LSC-87, LSC-91, LSC-92
no shutdown command LSC-88, LSC-92, LSC-94
Inter-AS configurations
L2VPN quality of service LSC-132
Inter-AS mode LSC-110
interface Bundle-Ether command LSC-87, LSC-91
interface command LSC-39, LSC-50, LSC-310
for VLAN subinterfaces LSC-48
Link Bundling LSC-88, LSC-94
interfaces
Link Bundling LSC-79, LSC-85
configuring LSC-86
link failover LSC-85
prerequisites LSC-80
QoS LSC-83
IP
access lists LSC-382
ip address command
bundle-POS LSC-87, LSC-91, LSC-92
IP Interworking LSC-116
ipv4 address command LSC-40, LSC-84, LSC-87, LSC-91
ISP requirements, MPLS L2VPN LSC-107
L
L2VPN
See Layer 2 VPN LSC-23
L2VPN, QoS restrictions LSC-133
Layer 2 VPN
configuring an attachment circuit LSC-42
overview LSC-23
limit, MAC address
actions, types of LSC-195
how to configure LSC-242
Link Aggregation Control Protocol LSC-81, LSC-82
link bundling
configuring VLAN bundles LSC-34
link failover LSC-85
M
MAC address
aging LSC-195
flooding LSC-194
forwarding LSC-194
limit actions LSC-195
related parameters LSC-193
source-based learning LSC-194
withdrawal LSC-196
mac address command LSC-36, LSC-40
MPLS L2VPN
high availability LSC-112
interface or connection, how to configure LSC-122
ISP requirements LSC-107
Quality of service (QoS) LSC-111
VLAN mode, how to configure LSC-135
mtu command LSC-36, LSC-40
multicast-routing command LSC-156
multicast-routing submode
interface all enable command LSC-156
See multicast-routing command
Multiple Spanning Tree Protocol LSC-330
BPDU Guard LSC-333
Bringup Delay LSC-334
Flush Containment LSC-333
MSTP Port Fast LSC-331
MSTP Regions LSC-330
MSTP Root Guard LSC-332
MSTP Topology Change Guard LSC-332
Restrictions for configuring MSTP LSC-334
Supported MSTP Features LSC-333
Multiple VLAN Registration Protocol LSC-340
N
negotiation auto command LSC-40
no interface command LSC-52
Nonstop forwarding LSC-84
no shutdown command
bundle-POS LSC-88, LSC-92, LSC-94
for Ethernet interfaces LSC-41
P
PBB LSC-303
backbone source MAC, how to configure LSC-316
backbone VLAN tag, how to configure LSC-314
benefits LSC-304
bridge domain, how to configure LSC-311
core bridge domain, how to configure LSC-313
EFP, how to configure LSC-309
Overview LSC-305
Prerequisites LSC-304
Restrictions LSC-309
service instance, how to configure LSC-311
port mode, MPLS L2VPN LSC-133
pseudowire (PW)
bridge domain, how to configure LSC-207
MPLS L2VPN LSC-108
Q
QinAny mode LSC-111
QinQ mode LSC-111
QoS (quality of service)
how to configure L2VPN LSC-133
MPLS L2VPN LSC-111
port mode, how to configure LSC-133
R
router igmp command LSC-157
router igmp submode
version command LSC-157
router mld command LSC-157
router mld submode
version command LSC-157
S
sequence numbering behavior LSC-380
show bundle Bundle-Ether command LSC-89, LSC-95
show interfaces command
for Ethernet interfaces LSC-41, LSC-45
show lacp bundle Bundle-Ether command LSC-89
show pim group-map command LSC-157
show pim topology command LSC-157
show vlan command LSC-49, LSC-53, LSC-93, LSC-95
signaling
VPLS LSC-191
source-based learning, how to configure MAC
address LSC-237
Spanning Tree Protocol LSC-328
STP Protocol Operation LSC-329
Topology Changes LSC-329
Variants of STP LSC-329
static
point-to-point xconnects LSC-129
T
tasks
access lists, applying LSC-382
V
VFI (Virtual Forwarding Instance)
AToM pseudowires, how to configure LSC-233
bridge domain member, how to associate LSC-229
functions LSC-188
how to add under bridge domain LSC-225
how to disable LSC-235
pseudowire classes to pseudowires, how to
attach LSC-231
pseudowires, how to associate LSC-227
VLAN
figure, mode packet flow LSC-109
mode LSC-109
VLANs
802.1Q frames tagging LSC-33
assigning a VLAN AC LSC-48
configuring bundles LSC-34
configuring native VLAN LSC-49
configuring subinterfaces LSC-47
configuring the native VLAN LSC-51
displaying VLAN interfaces LSC-49, LSC-53, LSC-93,
LSC-95
Layer 2 VPN support LSC-34
MTU inheritance LSC-33
removing a VLAN subinterface LSC-52
subinterface overview LSC-33
using the dot1q native vlan command LSC-51
using the dot1q vlan command LSC-48
using the no interface command LSC-52
using the show vlan interfaces command LSC-49,
LSC-53, LSC-93, LSC-95
VPLS (Virtual Private LAN Services)
attachment circuits LSC-188
bridge domain, how to define LSC-186
overview LSC-186
signaling, how to define LSC-191
virtual bridge, how to simulate LSC-189
VPLS (virtual private LAN services)
Layer 2 VPN, architecture LSC-188
W
withdrawal, MAC address
defining LSC-196
fields LSC-279
how to define LSC-196
how to enable LSC-240
Cisco ASR 9000 Series Aggregation Services Router IP Addresses
and Services Configuration Guide, Release 4.2.x
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-26068-02
© 2012 Cisco Systems, Inc. All rights reserved.
Contents
Preface xiii
Changes to This Document xiii
Obtaining Documentation and Submitting a Service Request xiii
Chapter 1 Implementing Access Lists and Prefix Lists 1
Prerequisites for Implementing Access Lists and Prefix Lists 2
Restrictions for Implementing Access Lists and Prefix Lists 2
Hardware Limitations 3
Information About Implementing Access Lists and Prefix Lists 3
Access Lists and Prefix Lists Feature Highlights 3
Purpose of IP Access Lists 3
How an IP Access List Works 4
IP Access List Process and Rules 4
Helpful Hints for Creating IP Access Lists 5
Source and Destination Addresses 5
Wildcard Mask and Implicit Wildcard Mask 5
Transport Layer Information 5
IP Access List Entry Sequence Numbering 6
Sequence Numbering Behavior 6
IP Access List Logging Messages 6
Extended Access Lists with Fragment Control 7
Policy Routing 9
Comments About Entries in Access Lists 9
Access Control List Counters 9
BGP Filtering Using Prefix Lists 10
How the System Filters Traffic by Prefix List 10
Information About Implementing ACL-based Forwarding 11
ACL-based Forwarding Overview 11
ABF-OT 11
IPSLA support for Object tracking 11
How to Implement Access Lists and Prefix Lists 11
Configuring Extended Access Lists 12
Applying Access Lists 15
Controlling Access to an Interface 15
Controlling Access to a Line 17
Configuring Prefix Lists 18
Configuring Standard Access Lists 21
Copying Access Lists 23
Sequencing Access-List Entries and Revising the Access List 24
Copying Prefix Lists 27
Sequencing Prefix List Entries and Revising the Prefix List 28
How to Implement ACL-based Forwarding 30
Configuring ACL-based Forwarding with Security ACL 31
Implementing IPSLA-OT 32
Enabling track mode 33
Configuring track type 34
Configuring tracking type (line protocol) 34
Configuring track type (list) 35
Configuring tracking type (route) 37
Configuring tracking type (rtr) 38
Configuring Pure ACL-Based Forwarding for IPv6 ACL 40
Configuration Examples for Implementing Access Lists and Prefix Lists 41
Resequencing Entries in an Access List: Example 41
Adding Entries with Sequence Numbers: Example 42
Adding Entries Without Sequence Numbers: Example 43
IPv6 ACL in Class Map 43
Configuring IPv6 ACL QoS - An Example 44
IPv4/IPv6 ACL over BVI interface 46
Configuring IPv4 ACL over BVI interface - An Example 47
Additional References 47
Chapter 2 Configuring ARP 49
Prerequisites for Configuring ARP 49
Restrictions for Configuring ARP 50
Information About Configuring ARP 50
IP Addressing Overview 50
Address Resolution on a Single LAN 50
Address Resolution When Interconnected by a Router 51
ARP and Proxy ARP 51
ARP Cache Entries 52
Direct Attached Gateway Redundancy 52
Additional Guidelines 52
How to Configure ARP 53
Defining a Static ARP Cache Entry 53
Enabling Proxy ARP 54
Configuring DAGR 56
Chapter 3 Implementing Cisco Express Forwarding 59
Prerequisites for Implementing Cisco Express Forwarding 59
Information About Implementing Cisco Express Forwarding Software 60
Key Features Supported in the Cisco Express Forwarding Implementation 60
Benefits of CEF 60
CEF Components 61
Border Gateway Protocol Policy Accounting 61
Reverse Path Forwarding (Strict and Loose) 62
BGP Attributes Download 63
How to Implement CEF 63
Verifying CEF 63
Configuring BGP Policy Accounting 64
Verifying BGP Policy Accounting 69
Configuring a Route Purge Delay 71
Configuring Unicast RPF Checking 72
Configuring Modular Services Card-to-Route Processor Management Ethernet Interface
Switching 73
Configuring BGP Attributes Download 75
Configuring BGP Attributes Download 75
Configuration Examples for Implementing CEF on Routers Software 76
Configuring BGP Policy Accounting: Example 76
Verifying BGP Policy Statistics: Example 79
Configuring Unicast RPF Checking: Example 90
Configuring the Switching of Modular Services Card to Management Ethernet Interfaces
on the Route Processor: Example 90
Configuring BGP Attributes Download: Example 90
Additional References 90
Chapter 4 Implementing the Dynamic Host Configuration Protocol 93
Prerequisites for Configuring DHCP Relay Agent 93
Information About DHCP Relay Agent 94
How to Configure and Enable DHCP Relay Agent 94
Configuring and Enabling the DHCP Relay Agent 95
Configuring a DHCP Relay Profile 96
Configuring the DHCPv6 (Stateless) Relay Agent 97
Enabling DHCP Relay Agent on an Interface 99
Disabling DHCP Relay on an Interface 100
Enabling DHCP Relay on a VRF 102
Configuring the Relay Agent Information Feature 103
Configuring Relay Agent Giaddr Policy 106
DHCPv6 Relay Agent Notification for Prefix Delegation 108
Configuring DHCPv6 Stateful Relay Agent for Prefix Delegation 108
Configuration Examples for the DHCP Relay Agent 111
DHCP Relay Profile: Example 111
DHCP Relay on an Interface: Example 111
DHCP Relay on a VRF: Example 111
Relay Agent Information Option Support: Example 111
Relay Agent Giaddr Policy: Example 112
Implementing DHCP Snooping 112
Prerequisites for Configuring DHCP Snooping 112
Information about DHCP Snooping 112
Trusted and Untrusted Ports 113
DHCP Snooping in a Bridge Domain 113
Assigning Profiles to a Bridge Domain 113
Relay Information Options 114
How to Configure DHCP Snooping 114
Enabling DHCP Snooping in a Bridge Domain 114
Disabling DHCP Snooping on a Specific Bridge Port 117
Using the Relay Information Option 120
Configuration Examples for DHCP Snooping 122
Assigning a DHCP Profile to a Bridge Domain: Example 122
Disabling DHCP Snooping on a Specific Bridge Port: Example 122
Configuring a DHCP Profile for Trusted Bridge Ports: Example 122
Configuring an Untrusted Profile on a Bridge Domain: Example 122
Configuring a Trusted Bridge Port: Example 122
Additional References 123
Chapter 5 Implementing Host Services and Applications 125
Prerequisites for Implementing Host Services and Applications 125
Information About Implementing Host Services and Applications 126
Network Connectivity Tools 126
Ping 126
Traceroute 126
Domain Services 127
TFTP Server 127
File Transfer Services 127
RCP 128
FTP 128
TFTP 128
Cisco inetd 128
Telnet 128
How to Implement Host Services and Applications 128
Checking Network Connectivity 129
Checking Network Connectivity for Multiple Destinations 129
Checking Packet Routes 130
Configuring Domain Services 131
Configuring a Router as a TFTP Server 132
Configuring a Router to Use rcp Connections 134
Configuring a Router to Use FTP Connections 136
Configuring a Router to Use TFTP Connections 138
Configuring Telnet Services 140
Configuration Examples for Implementing Host Services and Applications 141
Checking Network Connectivity: Example 141
Configuring Domain Services: Example 143
Configuring a Router to Use rcp, FTP, or TFTP Connections: Example 143
Additional References 144
Chapter 6 Implementing HSRP 147
Prerequisites for Implementing HSRP 148
Restrictions for Implementing HSRP 148
Information About Implementing HSRP 148
HSRP Overview 148
HSRP Groups 148
HSRP and ARP 150
Preemption 151
ICMP Redirect Messages 151
How to Implement HSRP 151
Enabling HSRP 151
Configuring HSRP Group Attributes 153
Configuring the HSRP Activation Delay 157
Enabling HSRP Support for ICMP Redirect Messages 159
Multiple Group Optimization (MGO) for HSRP 161
Customizing HSRP 161
Configuring a Primary Virtual IPv4 Address 164
Configuring a Secondary Virtual IPv4 Address 166
Configuring a slave follow 168
Configuring a slave primary virtual IPv4 address 170
Configuring a slave secondary virtual IPv4 address 171
Configuring a slave virtual mac address 173
Configuring an HSRP Session Name 175
BFD for HSRP 177
Advantages of BFD 177
BFD Process 178
Configuring BFD 178
Enabling BFD 178
Modifying BFD timers (minimum interval) 180
Modifying BFD timers (multiplier) 181
Enhanced Object Tracking for HSRP and IP Static 183
Configuring object tracking for HSRP 183
Hot Restartability for HSRP 185
Configuration Examples for HSRP Implementation on Software 185
Configuring an HSRP Group: Example 185
Configuring a Router for Multiple HSRP Groups: Example 185
Additional References 186
Chapter 7 Implementing LPTS 189
Prerequisites for Implementing LPTS 189
Information About Implementing LPTS 189
LPTS Overview 190
LPTS Policers 190
How to Implement LPTS 190
Configuring LPTS Policers 190
Configuration Examples for Implementing LPTS Policers 192
Configuring LPTS Policers: Example 192
Additional References 196
Chapter 8 Implementing Network Stack IPv4 and IPv6 199
Prerequisites for Implementing Network Stack IPv4 and IPv6 200
Restrictions for Implementing Network Stack IPv4 and IPv6 200
Information About Implementing Network Stack IPv4 and IPv6 200
Network Stack IPv4 and IPv6 Exceptions 200
IPv4 and IPv6 Functionality 200
IPv6 for Cisco IOS XR Software 201
Larger IPv6 Address Space 201
IPv6 Address Formats 201
IPv6 Address Type: Unicast 202
Aggregatable Global Address 203
Link-Local Address 204
IPv4-Compatible IPv6 Address 205
Simplified IPv6 Packet Header 205
Path MTU Discovery for IPv6 210
IPv6 Neighbor Discovery 210
IPv6 Neighbor Solicitation Message 210
IPv6 Router Advertisement Message 212
IPv6 Neighbor Redirect Message 214
ICMP for IPv6 215
Address Repository Manager 215
Address Conflict Resolution 215
Conflict Database 215
Multiple IP Addresses 216
Recursive Resolution of Conflict Sets 216
Route-Tag Support for Connected Routes 216
How to Implement Network Stack IPv4 and IPv6 218
Assigning IPv4 Addresses to Network Interfaces 218
IPv4 Addresses 218
IPv4 Virtual Addresses 220
Configuring IPv6 Addressing 221
Assigning Multiple IP Addresses to Network Interfaces 221
Secondary IPv4 Addresses 221
Configuring IPv4 and IPv6 Protocol Stacks 223
Enabling IPv4 Processing on an Unnumbered Interface 225
IPv4 Processing on an Unnumbered Interface 225
Configuring ICMP Rate Limiting 226
IPv4 ICMP Rate Limiting 226
IPv6 ICMP Rate Limiting 227
Configuring IPARM Conflict Resolution 229
Static Policy Resolution 229
Longest Prefix Address Conflict Resolution 230
Highest IP Address Conflict Resolution 231
Generic Routing Encapsulation 232
IPv4/IPv6 Forwarding over GRE Tunnels 233
IPv6 forwarding over GRE tunnels 233
Configuration Examples for Implementing Network Stack IPv4 and IPv6 234
Creating a Network from Separated Subnets: Example 234
Assigning an Unnumbered Interface: Example 235
Configuring Helper Addresses: Example 235
Configuring VRF mode big 235
Additional References 237
Chapter 9 Configuring Transports 239
Prerequisites for Configuring NSR, TCP, UDP Transports 239
Information About Configuring NSR, TCP, UDP Transports 240
NSR Overview 240
TCP Overview 240
UDP Overview 240
How to Configure Failover as a Recovery Action for NSR 241
Configuring Failover as a Recovery Action for NSR 241
Additional References 242
Chapter 10 Implementing VRRP 245
Prerequisites for Implementing VRRP on Cisco IOS XR Software 246
Restrictions for Implementing VRRP on Cisco IOS XR Software 246
Information About Implementing VRRP 246
VRRP Overview 246
Multiple Virtual Router Support 247
VRRP Router Priority 247
VRRP Advertisements 248
Benefits of VRRP 248
How to Implement VRRP on Cisco IOS XR Software 249
Customizing VRRP 249
Enabling VRRP 253
Verifying VRRP 255
Clearing VRRP Statistics 255
Configuring accept-mode 256
Configuring a Global Virtual IPv6 Address 258
Configuring a Primary Virtual IPv4 Address 260
Configuring a Secondary Virtual IPv4 Address 262
Configuring a Virtual Link-Local IPv6 Address 264
Disabling State Change Logging 266
BFD for VRRP 267
Advantages of BFD 267
BFD Process 268
Configuring BFD 268
Enabling Bidirectional Forward Detection 268
Modifying BFD timers (minimum interval) 270
Modifying BFD timers (multiplier) 271
MIB support for VRRP 273
Configuring SNMP server notifications for VRRP events 274
Hot Restartability for VRRP 275
Configuration Examples for VRRP Implementation on Cisco IOS XR Software 275
Configuring a VRRP Group: Example 275
Clearing VRRP Statistics: Example 276
Additional References 277
Chapter 11 Implementing Video Monitoring 281
Prerequisites for Implementing Video Monitoring 281
Information About Implementing Video Monitoring 281
Introduction to Video Monitoring 281
Key Features Supported on Video Monitoring 282
Video Monitoring Terminology 285
Implementing Video Monitoring 286
Creating IPv4 Access Lists 286
Configuring class-map 288
Configuring policy-map 290
Configuring policy-map with metric parameters 290
Media bit-rate 292
Configuring policy-map with flow parameters 294
Configuring policy-map with react parameters 296
Configuring service policy on an interface 299
Configuring Trap and Clone on an interface 301
Configuration Examples for Implementing Video Monitoring 303
Additional References 308
Preface
The Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide preface contains these sections:
• Changes to This Document, page xiii
• Obtaining Documentation and Submitting a Service Request, page xiii
Changes to This Document
This table lists the technical changes made to this document since it was first printed.
Table 1: Changes to This Document
Revision     Date           Change Summary
OL-26068-02  June 2012      Republished with documentation updates for Cisco IOS XR Release 4.2.1.
OL-26068-01  December 2011  Initial release of this document.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information,
see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco
technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
Chapter 1
Implementing Access Lists and Prefix Lists
An access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR software features such as traffic filtering, route filtering, QoS classification, and access control. Each ACE includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.
Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many Border Gateway Protocol (BGP) route filtering commands. A prefix is a portion of an IP address, starting from the far left bit of the far left octet. By specifying exactly how many bits of an address belong to a prefix, you can then use prefixes to aggregate addresses and perform some function on them, such as redistribution (filtering routing updates).
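The prefix-length semantics described above, as an added example that is not code from the Cisco guide: a Python model of a sequential IPv4 prefix list, where an entry matches a route only when the route lies inside the entry's prefix and its length satisfies the optional ge/le bounds. The entry grammar is an assumed, simplified form of the IOS XR `ipv4 prefix-list` line, and the prefix list and routes are constructed for the example. Entries are evaluated in sequence-number order, the first match decides, and a route that matches no entry is denied.

```python
"""Sequential IPv4 prefix-list evaluation (added example, not Cisco code).

Entry grammar is an assumed, simplified form of the IOS XR prefix-list line:
    <seq> permit|deny <prefix>/<len> [ge <n>] [le <n>]
"""
import ipaddress


def parse_prefix_entry(line):
    """Parse one entry, e.g. '20 permit 10.0.0.0/8 le 24'."""
    tok = line.split()
    entry = {
        "seq": int(tok[0]),
        "action": tok[1],
        "net": ipaddress.IPv4Network(tok[2]),
        "ge": None,
        "le": None,
    }
    # optional "ge N" / "le N" pairs bound the matched prefix length
    for i in range(3, len(tok), 2):
        if tok[i] not in ("ge", "le"):
            raise ValueError("unexpected token %r in %r" % (tok[i], line))
        entry[tok[i]] = int(tok[i + 1])
    return entry


def entry_matches(entry, route):
    """True if `route` lies within the entry's prefix and its length is in range.

    The entry prefix fixes the leftmost net.prefixlen bits; without ge/le the
    route length must equal that exactly. 'ge' alone extends the upper bound
    to the full 32 bits, 'le' alone keeps the lower bound at the prefix length.
    """
    net, ge, le = entry["net"], entry["ge"], entry["le"]
    if not route.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return lo <= route.prefixlen <= hi


def filter_routes(prefix_list, routes):
    """Return {route: 'permit'|'deny'} using first match and implicit deny."""
    entries = sorted((parse_prefix_entry(l) for l in prefix_list),
                     key=lambda e: e["seq"])
    decisions = {}
    for r in routes:
        route = ipaddress.IPv4Network(r)
        decisions[r] = "deny"  # implicit deny when no entry matches
        for e in entries:
            if entry_matches(e, route):
                decisions[r] = e["action"]
                break
    return decisions


# Constructed sample: block one /16 inside 10/8, accept the rest of 10/8 up to
# /24, and accept /24-or-longer routes from 192.168/16. Entries are listed out
# of order on purpose; sequence numbers, not file order, decide precedence.
SAMPLE_PREFIX_LIST = [
    "20 permit 10.0.0.0/8 le 24",
    "10 deny 10.10.0.0/16",
    "30 permit 192.168.0.0/16 ge 24",
]
SAMPLE_ROUTES = [
    "10.10.0.0/16",    # exact match of the deny entry
    "10.10.1.0/24",    # inside 10.10/16, but a /16-only deny misses it; seq 20 permits
    "10.20.0.0/16",    # permitted by seq 20
    "10.1.2.0/25",     # longer than le 24: no match, implicit deny
    "192.168.5.0/24",  # ge 24 satisfied
    "192.168.0.0/16",  # same prefix as seq 30 but shorter than ge 24: denied
]

if __name__ == "__main__":
    for route, verdict in filter_routes(SAMPLE_PREFIX_LIST, SAMPLE_ROUTES).items():
        print("%-18s %s" % (route, verdict))
```

The second sample route is the case to remember when writing filters: a `deny 10.10.0.0/16` entry without `le` matches only the /16 itself, so more-specific routes from that block fall through to the later permit unless the deny carries `le 32`.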
This module describes the new and revised tasks required to implement access lists and prefix lists on the Cisco ASR 9000 Series Router.
Note: For a complete description of the access list and prefix list commands listed in this module, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index, or search online.
Feature History for Implementing Access Lists and Prefix Lists
Release Modification
Release 3.7.2 This feature was introduced.
Release 4.2.1 IPv6 ACL over BVI interface feature was added.
Release 4.2.1 ACL in Class map feature was added.
• Prerequisites for Implementing Access Lists and Prefix Lists , page 2
• Restrictions for Implementing Access Lists and Prefix Lists, page 2
• Hardware Limitations, page 3
• Information About Implementing Access Lists and Prefix Lists, page 3
• Information About Implementing ACL-based Forwarding, page 11
• How to Implement Access Lists and Prefix Lists , page 11
• How to Implement ACL-based Forwarding, page 30
• Configuring Pure ACL-Based Forwarding for IPv6 ACL, page 40
• Configuration Examples for Implementing Access Lists and Prefix Lists , page 41
• IPv6 ACL in Class Map, page 43
• IPv4/IPv6 ACL over BVI interface, page 46
• Additional References, page 47
Prerequisites for Implementing Access Lists and Prefix Lists
The following prerequisite applies to implementing access lists and prefix lists:
All command task IDs are listed in individual command references and in the Cisco IOS XR Task ID Reference Guide. If you need assistance with your task group assignment, contact your system administrator.
Restrictions for Implementing Access Lists and Prefix Lists
The following restrictions apply to implementing access lists and prefix lists:
• IPv4 ACLs are not supported for loopback and interflex interfaces.
• IPv6 ACLs are not supported for loopback, interflex and L2 Ethernet Flow Point (EFP) main or
subinterfaces.
The following restrictions apply to implementing ACL-based forwarding (ABF):
• The following nexthop configurations are not supported: attaching an ACL that has a nexthop option in the egress direction, modifying an ACL attached in the egress direction that has a nexthop, and a deny ACE with a nexthop.
• The A9K-SIP-700 LC and the ASR 9000 Enhanced Ethernet LC support ABFv4 and ABFv6 in Release 4.2.0. The ASR 9000 Ethernet LC does not support ABFv6 in Release 4.2.0; it supports only ABFv4.
Note: There is one exception to this. In the case of IP to TAG, the label is imposed by the ingress LC (based on the ABF nexthop), and the packet crosses the fabric as a tag packet. These packets are handled by the A9K-SIP-700 without any issue.
• Packets punted in the ingress direction from the NPU to the LC CPU are not subjected to ABF treatment, because ABF is not supported in the slow path.
• IP packets that need fragmentation are not subjected to ABF; such packets are forwarded in the traditional way. Fragmented packets that are received are handled by ABF.
Hardware Limitations
• Support for ABF is only for IPv4 and Ethernet line cards. IPv6 and other interfaces are not supported.
• ABF is an ingress line card feature and the egress line card must be ABF aware.
Information About Implementing Access Lists and Prefix Lists
To implement access lists and prefix lists, you must understand the following concepts:
Access Lists and Prefix Lists Feature Highlights
This section lists the feature highlights for access lists and prefix lists.
• Cisco IOS XR software provides the ability to clear counters for an access list or prefix list using a
specific sequence number.
• Cisco IOS XR software provides the ability to copy the contents of an existing access list or prefix list
to another access list or prefix list.
• Cisco IOS XR software allows users to apply sequence numbers to permit or deny statements and to
resequence, add, or remove such statements from a named access list or prefix list.
Note Resequencing is only for IPv4 prefix lists.
• Cisco IOS XR software does not differentiate between standard and extended access lists. Standard
access list support is provided for backward compatibility.
Purpose of IP Access Lists
Access lists perform packet filtering to control which packets move through the network and where. Such
controls help to limit network traffic and restrict the access of users and devices to the network. Access lists
have many uses, and therefore many commands accept a reference to an access list in their command syntax.
Access lists can be used to do the following:
• Filter incoming packets on an interface.
• Filter outgoing packets on an interface.
• Restrict the contents of routing updates.
• Limit debug output based on an address or protocol.
• Control vty access.
• Identify or classify traffic for advanced features, such as congestion avoidance, congestion management,
and priority and custom queueing.
How an IP Access List Works
An access list is a sequential list consisting of permit and deny statements that apply to IP addresses and
possibly upper-layer IP protocols. The access list has a name by which it is referenced. Many software
commands accept an access list as part of their syntax.
An access list can be configured and named, but it is not in effect until the access list is referenced by a
command that accepts an access list. Multiple commands can reference the same access list. An access list
can control traffic arriving at the router or leaving the router, but not traffic originating at the router.
IP Access List Process and Rules
Use the following process and rules when configuring an IP access list:
• The software tests the source or destination address or the protocol of each packet being filtered against
the conditions in the access list, one condition (permit or deny statement) at a time.
• If a packet does not match an access list statement, the packet is then tested against the next statement
in the list.
• If a packet and an access list statement match, the remaining statements in the list are skipped and the
packet is permitted or denied as specified in the matched statement. The first entry that the packet matches
determines whether the software permits or denies the packet. That is, after the first match, no subsequent
entries are considered.
• If the access list denies the address or protocol, the software discards the packet and returns an Internet
Control Message Protocol (ICMP) Host Unreachable message. ICMP is configurable in the Cisco IOS XR
software.
• If no conditions match, the software drops the packet because each access list ends with an unwritten
or implicit deny statement. That is, if the packet has not been permitted or denied by the time it was
tested against each statement, it is denied.
• The access list should contain at least one permit statement or else all packets are denied.
• Because the software stops testing conditions after the first match, the order of the conditions is critical.
The same permit or deny statements specified in a different order could result in a packet being passed
under one circumstance and denied in another circumstance.
• Only one access list per interface, per protocol, per direction is allowed.
• Inbound access lists process packets arriving at the router. Incoming packets are processed before being
routed to an outbound interface. An inbound access list is efficient because it saves the overhead of
routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet
is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to
process the packet after receiving it on an inbound interface; deny means discard the packet.
• Outbound access lists process packets before they leave the router. Incoming packets are routed to the
outbound interface and then processed through the outbound access list. For outbound lists, permit means
send it to the output buffer; deny means discard the packet.
• An access list can not be removed if that access list is being applied by an access group in use. To remove
an access list, remove the access group that is referencing the access list and then remove the access list.
• An access list must exist before you can use the ipv4 access group command.
Helpful Hints for Creating IP Access Lists
Consider the following when creating an IP access list:
• Create the access list before applying it to an interface.
• Organize your access list so that more specific references in a network or subnet appear before more
general ones.
• To make the purpose of individual statements more easily understood at a glance, you can write a helpful
remark before or after any statement.
Source and Destination Addresses
Source address and destination addresses are two of the most typical fields in an IP packet on which to base
an access list. Specify source addresses to control packets from certain networking devices or hosts. Specify
destination addresses to control packets being sent to certain networking devices or hosts.
Wildcard Mask and Implicit Wildcard Mask
Address filtering uses wildcard masking to indicate whether the software checks or ignores corresponding IP
address bits when comparing the address bits in an access-list entry to a packet being submitted to the access
list. By carefully setting wildcard masks, an administrator can select a single or several IP addresses for permit
or deny tests.
Wildcard masking for IP address bits uses the number 1 and the number 0 to specify how the software treats
the corresponding IP address bits. A wildcard mask is sometimes referred to as an inverted mask, because a
1 and 0 mean the opposite of what they mean in a subnet (network) mask.
• A wildcard mask bit 0 means check the corresponding bit value.
• A wildcard mask bit 1 means ignore that corresponding bit value.
You do not have to supply a wildcard mask with a source or destination address in an access list statement.
If you use the host keyword, the software assumes a wildcard mask of 0.0.0.0.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks
allow noncontiguous bits in the mask. For IPv6 access lists, only contiguous bits are supported.
You can also use CIDR format (/x) in place of wildcard bits. For example, the address 1.2.3.4 0.255.255.255
corresponds to 1.2.3.4/8.
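As an added illustration that is not part of the Cisco guide, the following Python models the wildcard-mask semantics of this section together with the first-match and implicit-deny rules of "IP Access List Process and Rules" above. The ACE tuple layout, the helper names and the sample packet are constructed for the example; only protocol, source and destination conditions are modelled.

```python
import ipaddress


def _u32(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True when addr matches base under an (inverted) wildcard mask.
    Wildcard bit 0 = check that address bit, bit 1 = ignore it.  Unlike a
    subnet mask, the wildcard may have non-contiguous bits."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def wildcard_to_cidr(base, wildcard):
    """CIDR equivalent of 'base wildcard' (1.2.3.4 0.255.255.255 -> 1.2.3.4/8),
    or None when the wildcard is non-contiguous and has no /x form."""
    netmask = ~_u32(wildcard) & 0xFFFFFFFF
    length = bin(netmask).count("1")
    contiguous = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return f"{base}/{length}" if netmask == contiguous else None


def parse_addr(spec):
    """'any', 'host A', 'A W' or 'A/x' -> (base, wildcard)."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":                      # host keyword: wildcard 0.0.0.0
        return parts[1], "0.0.0.0"
    if "/" in parts[0]:                         # CIDR accepted in place of wildcard bits
        net = ipaddress.IPv4Network(parts[0], strict=False)
        return str(net.network_address), str(net.hostmask)
    return parts[0], parts[1]


def evaluate(acl, packet):
    """First-match evaluation.  Returns (action, seq) of the matching ACE, or
    ('deny', None) for the unwritten deny at the end of every access list.
    acl: list of (seq, action, protocol, src_spec, dst_spec) in any order.
    packet: dict with 'proto', 'src' and 'dst'."""
    for seq, action, proto, src_spec, dst_spec in sorted(acl):
        if proto not in ("ip", packet["proto"]):
            continue                            # condition not met: test the next ACE
        if not wildcard_match(packet["src"], *parse_addr(src_spec)):
            continue
        if not wildcard_match(packet["dst"], *parse_addr(dst_spec)):
            continue
        return action, seq                      # remaining ACEs are skipped
    return "deny", None                         # implicit deny


# Constructed sample: the same two statements in different order.  The packet
# from host 172.16.5.9 is denied by the first list and permitted by the second,
# because evaluation stops at the first matching entry.
ACL_SPECIFIC_FIRST = [
    (10, "deny", "ip", "host 172.16.5.9", "any"),
    (20, "permit", "ip", "172.16.0.0 0.0.255.255", "any"),
]
ACL_GENERAL_FIRST = [
    (10, "permit", "ip", "172.16.0.0 0.0.255.255", "any"),
    (20, "deny", "ip", "host 172.16.5.9", "any"),
]
SAMPLE_PACKET = {"proto": "tcp", "src": "172.16.5.9", "dst": "10.1.1.1"}

if __name__ == "__main__":
    print(evaluate(ACL_SPECIFIC_FIRST, SAMPLE_PACKET))   # ('deny', 10)
    print(evaluate(ACL_GENERAL_FIRST, SAMPLE_PACKET))    # ('permit', 10)
    print(wildcard_to_cidr("1.2.3.4", "0.255.255.255"))  # 1.2.3.4/8
```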
Transport Layer Information
You can filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP,
ICMP, or IGMP packet.
IP Access List Entry Sequence Numbering
The ability to apply sequence numbers to IP access-list entries simplifies access list changes. Prior to this
feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert
an entry (statement) in the middle of an existing list, all the entries after the desired position had to be removed,
then the new entry was added, and then all the removed entries had to be reentered. This method was
cumbersome and error prone.
The IP Access List Entry Sequence Numbering feature allows users to add sequence numbers to access-list
entries and resequence them. When you add a new entry, you choose the sequence number so that it is in a
desired position in the access list. If necessary, entries currently in the access list can be resequenced to create
room to insert the new entry.
Sequence Numbering Behavior
The following details the sequence numbering behavior:
• If entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10,
and successive entries are incremented by 10. The maximum sequence number is 2147483646. If the
generated sequence number exceeds this maximum number, the following message displays:
Exceeded maximum sequence number.
• If you provide an entry without a sequence number, it is assigned a sequence number that is 10 greater
than the last sequence number in that access list and is placed at the end of the list.
• ACL entries can be added without affecting traffic flow and hardware performance.
• If a new access list is entered from global configuration mode, then sequence numbers for that access
list are generated automatically.
• Distributed support is provided so that the sequence numbers of entries in the route processor (RP) and
line card (LC) are synchronized at all times.
• This feature works with named standard and extended IP access lists. Because the name of an access
list can be designated as a number, numbers are acceptable.
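An added Python model of the numbering rules just listed (not Cisco code): automatic numbering from 10 in steps of 10, appending 10 past the last entry, insertion at a chosen number, removal with the no sequence-number form, resequencing, and the maximum-sequence check. The class and sample entries are constructed for the example.

```python
MAX_SEQUENCE = 2147483646   # maximum sequence number stated in the guide


class SequencedAcl:
    """Access-list entries keyed by sequence number (assumed model)."""

    def __init__(self):
        self.entries = {}                      # sequence number -> ACE text

    def add(self, ace, sequence=None):
        """Add an ACE.  Without a sequence number it is placed at the end, 10
        past the last entry (10 for the first); with one it takes that position."""
        if sequence is None:
            sequence = max(self.entries) + 10 if self.entries else 10
            if sequence > MAX_SEQUENCE:
                raise ValueError("Exceeded maximum sequence number.")
        self.entries[sequence] = ace           # re-using a number replaces that entry (assumption)
        return sequence

    def remove(self, sequence):
        """The 'no sequence-number' form deletes that single entry."""
        del self.entries[sequence]

    def resequence(self, start=10, step=10):
        """Renumber the entries in their current order to create room for inserts."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}

    def listing(self):
        return [(s, self.entries[s]) for s in sorted(self.entries)]


def build_sample():
    """Constructed walk-through: two auto-numbered entries, then an insert at
    15 between them without removing and re-entering anything."""
    acl = SequencedAcl()
    acl.add("permit 172.16.0.0 0.0.255.255")         # -> 10
    acl.add("deny 192.168.34.0 0.0.0.255")           # -> 20
    acl.add("deny host 172.16.5.9", sequence=15)     # lands between 10 and 20
    return acl


if __name__ == "__main__":
    acl = build_sample()
    print(acl.listing())      # [(10, ...), (15, ...), (20, ...)]
    acl.resequence()          # back to 10, 20, 30 with room before each entry
    print(acl.listing())
```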
IP Access List Logging Messages
Cisco IOS XR software can provide logging messages about packets permitted or denied by a standard IP
access list. That is, any packet that matches the access list causes an informational logging message about the
packet to be sent to the console. The level of messages logged to the console is controlled by the logging
console command in global configuration mode.
The first packet that triggers the access list causes an immediate logging message, and subsequent packets
are collected over 5-minute intervals before they are displayed or logged. The logging message includes the
access list number, whether the packet was permitted or denied, the source IP address of the packet, and the
number of packets from that source permitted or denied in the prior 5-minute interval.
However, you can use the { ipv4 | ipv6 } access-list log-update threshold command to set the number of
packets that, when they match an access list (and are permitted or denied), cause the system to generate a log
message. You might do this to receive log messages more frequently than at 5-minute intervals.
If you set the update-number argument to 1, a log message is sent right away, rather than caching it; every
packet that matches an access list causes a log message. A setting of 1 is not recommended because the
volume of log messages could overwhelm the system.
Caution Even if you use the { ipv4 | ipv6 } access-list log-update threshold command, the 5-minute timer remains
in effect, so each cache is emptied at the end of 5 minutes, regardless of the number of messages in each cache.
Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the
same way it is when a threshold is not specified.
Note The logging facility might drop some logging message packets if there are too many to be handled or if
more than one logging message is handled in 1 second. This behavior prevents the router from using
excessive CPU cycles because of too many logging packets. Therefore, the logging facility should not be
used as a billing tool or as an accurate source of the number of matches to an access list.
Extended Access Lists with Fragment Control
In earlier releases, non-fragmented packets and the initial fragments of a packet were processed by IP
extended access lists (if you applied such an access list), but non-initial fragments were permitted by default.
The IP Extended Access Lists with Fragment Control feature now allows more granular control over non-initial
fragments of a packet. Using this feature, you can specify whether the system examines non-initial IP fragments
of packets when applying an IP extended access list.
Because non-initial fragments contain only Layer 3 information, access-list entries that contain only Layer 3
information can now be applied to non-initial fragments as well. The fragment has all the information the system
requires to filter, so the access-list entry is applied to the fragments of a packet.
This feature adds the optional fragments keyword to the following IP access list commands: deny (IPv4),
permit (IPv4) , deny (IPv6) , permit (IPv6). By specifying the fragments keyword in an access-list entry,
that particular access-list entry applies only to non-initial fragments of packets; the fragment is either permitted
or denied accordingly.
The behavior of access-list entries regarding the presence or absence of the fragments keyword can be
summarized as follows:
If the Access-List Entry has... Then...

...no fragments keyword and all of the access-list entry information matches:
For an access-list entry containing only Layer 3 information:
• The entry is applied to non-fragmented packets, initial fragments, and non-initial fragments.
For an access-list entry containing Layer 3 and Layer 4 information:
• The entry is applied to non-fragmented packets and initial fragments.
  – If the entry matches and is a permit statement, the packet or fragment is permitted.
  – If the entry matches and is a deny statement, the packet or fragment is denied.
• The entry is also applied to non-initial fragments in the following manner. Because non-initial fragments
contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the
Layer 3 portion of the access-list entry matches, and
  – If the entry is a permit statement, the non-initial fragment is permitted.
  – If the entry is a deny statement, the next access-list entry is processed.
Note The deny statements are handled differently for non-initial fragments versus non-fragmented or initial
fragments.

...the fragments keyword and all of the access-list entry information matches:
The access-list entry is applied only to non-initial fragments.
Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.
You should not add the fragments keyword to every access-list entry, because the first fragment of the IP
packet is considered a non-fragment and is treated independently of the subsequent fragments. Because an
initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the
packet is compared to the next access list entry until it is either permitted or denied by an access list entry that
does not contain the fragments keyword. Therefore, you may need two access list entries for every deny
entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial
fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent
fragments. In the cases where there are multiple deny access list entries for the same host but with different
Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that has to be
added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each fragment counts individually
as a packet in access-list accounting and access-list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
Note Within the scope of ACL processing, Layer 3 information refers to fields located within the IPv4 header;
for example, source, destination, protocol. Layer 4 information refers to other data contained beyond the
IPv4 header; for example, source and destination ports for TCP or UDP, flags for TCP, type and code for
ICMP.
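An added Python example, not taken from the guide, that encodes the decision table above and the two-entry deny pattern. For brevity the Layer 3 condition is an exact host address or any, the Layer 4 condition is a TCP/UDP destination port, and the addresses and ACL entries are constructed; it shows how a deny that carries Layer 4 information lets non-initial fragments through until the matching fragments deny is added.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    src: str                      # Layer 3: exact host address or "any"
    dst: str
    dport: Optional[int] = None   # Layer 4 information (TCP/UDP destination port)
    fragments: bool = False       # the fragments keyword

    def __post_init__(self):
        # The guide: fragments cannot be configured with any Layer 4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("fragments keyword cannot be combined with Layer 4 information")


@dataclass
class Packet:
    src: str
    dst: str
    kind: str                     # "nonfrag", "initial" or "noninitial"
    dport: Optional[int] = None   # None on non-initial fragments: no Layer 4 header


def l3_matches(ace: Ace, pkt: Packet) -> bool:
    return ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)


def apply_ace(ace: Ace, pkt: Packet) -> Optional[str]:
    """One row of the table: 'permit', 'deny', or None to fall through."""
    if ace.fragments:
        # Applies only to non-initial fragments, on Layer 3 information.
        if pkt.kind != "noninitial" or not l3_matches(ace, pkt):
            return None
        return ace.action
    if not l3_matches(ace, pkt):
        return None
    if ace.dport is None:
        # Layer 3-only entry: applies to all three kinds of packet.
        return ace.action
    if pkt.kind in ("nonfrag", "initial"):
        # Layer 3 + Layer 4 entry against a packet that carries Layer 4 data.
        return ace.action if pkt.dport == ace.dport else None
    # Non-initial fragment: only the Layer 3 portion can be checked.  A permit
    # permits it; a deny does not deny it, the next entry is processed instead.
    return "permit" if ace.action == "permit" else None


def filter_packet(acl, pkt):
    """First match wins; ('deny', None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        verdict = apply_ace(ace, pkt)
        if verdict:
            return verdict, ace.seq
    return "deny", None


# Constructed sample: block telnet (port 23) from one host, permit the rest.
ACL_LEAKY = [
    Ace(10, "deny", "198.51.100.7", "any", dport=23),
    Ace(20, "permit", "any", "any"),
]
# The same list plus the second deny of the pair, carrying the fragments keyword.
ACL_FIXED = ACL_LEAKY + [Ace(15, "deny", "198.51.100.7", "any", fragments=True)]

INITIAL = Packet("198.51.100.7", "203.0.113.1", "initial", dport=23)
NON_INITIAL = Packet("198.51.100.7", "203.0.113.1", "noninitial")

if __name__ == "__main__":
    print(filter_packet(ACL_LEAKY, INITIAL))       # ('deny', 10)
    print(filter_packet(ACL_LEAKY, NON_INITIAL))   # ('permit', 20): past the Layer 4 deny
    print(filter_packet(ACL_FIXED, NON_INITIAL))   # ('deny', 15)
```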
Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the
match ip address command and the access list had entries that match on Layer 4 through Layer 7 information.
It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was
not policy routed or the reverse.
By using the fragments keyword in access-list entries as described earlier, a better match between the action
taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Comments About Entries in Access Lists
You can include comments (remarks) about entries in any named IP access list using the remark access list
configuration command. The remarks make the access list easier for the network administrator to understand
and scan. Each remark line is limited to 255 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put
the remark so it is clear which remark describes which permit or deny statement. For example, it would be
confusing to have some remarks before the associated permit or deny statements and some remarks after the
associated statements. Remarks can be sequenced.
Remember to apply the access list to an interface or terminal line after the access list is created. See
the “Applying Access Lists, on page 15” section for more information.
Access Control List Counters
In Cisco IOS XR software, ACL counters are maintained both in hardware and software. Hardware counters
are used for packet filtering applications such as when an access group is applied on an interface. Software
counters are used by all the applications mainly involving software packet processing.
Packet filtering makes use of 64-bit hardware counters per ACE. If the same access group is applied on
interfaces that are on the same line card in a given direction, the hardware counters for the ACL are shared
between two interfaces.
To display the hardware counters for a given access group, use the show access-lists ipv4 [access-list-name
hardware {ingress| egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.
To clear the hardware counters, use the clear access-list ipv4 access-list-name [hardware {ingress | egress}
[interface type interface-path-id] {location node-id}] command in EXEC mode.
Hardware counting is not enabled by default for IPv4 ACLs because of a small performance penalty. To
enable hardware counting, use the ipv4 access-group access-list-name {ingress | egress} [hardware-count]
command in interface configuration mode. This command can be used as desired, and counting is enabled
only on the specified interface.
Software counters are updated for the packets processed in software, for example, exception packets punted
to the LC CPU for processing, or ACL used by routing protocols, and so on. The counters that are maintained
are an aggregate of all the software applications using that ACL. To display software-only ACL counters, use
the show access-lists ipv4 access-list-name [sequence number] command in EXEC mode.
All the above information is true for IPv6, except that hardware counting is always enabled; there is no
hardware-count option in the IPv6 access-group command-line interface (CLI).
BGP Filtering Using Prefix Lists
Prefix lists can be used as an alternative to access lists in many BGP route filtering commands. The advantages
of using prefix lists are as follows:
• Significant performance improvement in loading and route lookup of large lists.
• Incremental updates are supported.
• More user friendly CLI. The CLI for using access lists to filter BGP updates is difficult to understand
and use because it uses the packet filtering format.
• Greater flexibility.
Before using a prefix list in a command, you must set up a prefix list, and you may want to assign sequence
numbers to the entries in the prefix list.
How the System Filters Traffic by Prefix List
Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list. When there
is a match, the route is used. More specifically, whether a prefix is permitted or denied is based upon the
following rules:
• An empty prefix list permits all prefixes.
• An implicit deny is assumed if a given prefix does not match any entries of a prefix list.
• When multiple entries of a prefix list match a given prefix, the longest, most specific match is chosen.
Sequence numbers are generated automatically unless you disable this automatic generation. If you disable
the automatic generation of sequence numbers, you must specify the sequence number for each entry using
the sequence-number argument of the permit and deny commands in either IPv4 or IPv6 prefix list
configuration command. Use the no form of the permit or deny command with the sequence-number
argument to remove a prefix-list entry.
The show commands include the sequence numbers in their output.
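An added Python example (not Cisco's implementation) that applies the three rules above to a constructed prefix list. It assumes that a route matches an entry when the route lies inside the entry's prefix, does not model prefix-length range qualifiers, and generates sequence numbers automatically in the same 10-by-10 fashion described for access lists; all names and sample prefixes are constructed.

```python
import ipaddress


def prefix_list_filter(prefix_list, route):
    """Return (action, seq) for a route prefix under the three rules above:
    an empty list permits everything, no match is an implicit deny, and among
    several matching entries the longest (most specific) one is chosen.
    prefix_list: list of (seq, action, prefix) tuples in any order."""
    if not prefix_list:
        return "permit", None                    # an empty prefix list permits all
    net = ipaddress.ip_network(route, strict=False)
    best = None
    for seq, action, prefix in sorted(prefix_list):
        entry = ipaddress.ip_network(prefix, strict=False)
        if entry.version != net.version or not net.subnet_of(entry):
            continue                             # route is not inside this entry
        # Keep the longest matching entry; ties keep the lower sequence number.
        if best is None or entry.prefixlen > best[2].prefixlen:
            best = (seq, action, entry)
    if best is None:
        return "deny", None                      # implicit deny
    return best[1], best[0]


def autosequence(entries, start=10, step=10):
    """Assign sequence numbers to (action, prefix) pairs the way automatic
    generation does when it is left enabled (assumed model)."""
    return [(start + i * step, action, prefix)
            for i, (action, prefix) in enumerate(entries)]


# Constructed sample: permit a /8 except one /16, but allow one /24 inside it.
SAMPLE_PREFIX_LIST = autosequence([
    ("permit", "10.0.0.0/8"),
    ("deny", "10.1.0.0/16"),
    ("permit", "10.1.5.0/24"),
])

if __name__ == "__main__":
    for route in ("10.1.5.0/24", "10.1.6.0/24", "10.2.0.0/16", "192.0.2.0/24"):
        print(route, prefix_list_filter(SAMPLE_PREFIX_LIST, route))
```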
Information About Implementing ACL-based Forwarding
To implement access lists and prefix lists, you must understand the following concepts:
ACL-based Forwarding Overview
Converged networks carry voice, video and data. Users may need to route certain traffic through specific
paths instead of using the paths computed by routing protocols. A simple way to achieve this is to specify
the next-hop address in the ACL configuration, so that the next-hop address configured in the ACL is used
to forward the packet towards its destination instead of a routing lookup based on the packet's destination address.
This use of a next-hop in ACL configurations for forwarding is called ACL Based Forwarding (ABF).
ACL-based forwarding enables you to choose service from multiple providers for broadcast TV over IP, IP
telephony, data, and so on, which provides a cafeteria-like access to the Internet. Service providers can divert
user traffic to various content providers.
ABF-OT
To provide flexibility to the user to select the suitable nexthop, the ABF functionality is enhanced to interact
with object-tracking (OT), which impacts:
• Tracking prefix in CEF
• Tracking the line-state protocol
• IPSLA (IP Service Level Agreement)
IPSLA support for Object tracking
The OT-module interacts with the IPSLA-module to get reachability information. With IPSLA, the routers
perform periodic measurements
How to Implement Access Lists and Prefix Lists
IPv6 ACL support is available on the Cisco ASR 9000 SIP 700 linecard and the ASR 9000 Ethernet linecards.
The relevant scale is:
• ACL enabled interfaces - 1000 (500 in each direction); for ASR 9000 Ethernet linecards - 4000
• Unique ACLs - 512 (with 5 ACEs each); for ASR 9000 Ethernet linecards - 2000
• Maximum ACEs per ACL - 8000 (for ASR 9000 Ethernet linecards, ACEs could be 16000, 8000, or 4000,
based on the LC model)
• IPv6 ACL log will also be supported.
This section contains the following procedures:
Configuring Extended Access Lists
This task configures an extended IPv4 or IPv6 access list.
SUMMARY STEPS
1. configure
2. {ipv4 | ipv6} access-list name
3. [ sequence-number ] remark remark
4. Do one of the following:
• [ sequence-number]{permit | deny} source source-wildcard destination destination-wildcard
[precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value]
[log | log-input]
• [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host
source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any
| host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen]
[destopts] [fragments] [packet-length operator packet-length value] [log | log-input]
5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no
sequence-number command to delete an entry.
6. Use one of these commands:
• end
• commit
7. show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type
interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name
[sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
DETAILED STEPS
Step 1
configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
{ipv4 | ipv6} access-list name
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 access-list acl_1
or
RP/0/RSP0/CPU0:router(config)# ipv6 access-list acl_2
Purpose: Enters either IPv4 or IPv6 access list configuration mode and configures the named access list.

Step 3
[ sequence-number ] remark remark
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 remark Do not allow user1 to telnet out
Purpose: (Optional) Allows you to comment about a permit or deny statement in a named access list.
• The remark can be up to 255 characters; anything longer is truncated.
• Remarks can be configured before or after permit or deny statements, but their location should be consistent.

Step 4
Do one of the following:
• [ sequence-number ] {permit | deny} source source-wildcard destination destination-wildcard
[precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value]
[log | log-input]
• [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host
source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any
| host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen]
[destopts] [fragments] [packet-length operator packet-length value] [log | log-input]
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit 172.16.0.0 0.0.255.255
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 deny 192.168.34.0 0.0.0.255
or
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 20 permit icmp any any
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 30 deny tcp any any gt 5000
Purpose: Specifies one or more conditions allowed or denied in IPv4 access list acl_1.
• The optional log keyword causes an information logging message about the packet that matches the entry
to be sent to the console.
• The optional log-input keyword provides the same function as the log keyword, except that the logging
message also includes the input interface.
or
Specifies one or more conditions allowed or denied in IPv6 access list acl_2.
• Refer to the deny (IPv6) and permit (IPv6) commands for more information on filtering IPv6 traffic based
on IPv6 option headers and optional, upper-layer protocol type information.
Note Every IPv6 address list has two implicit permits used for neighbor advertisement and solicitation: Implicit
Neighbor Discovery–Neighbor Advertisement (NDNA) permit, and Implicit Neighbor Discovery–Neighbor
Solicitation (NDNS) permit.
Note Every IPv6 access list has an implicit deny ipv6 any any statement as its last match condition. An IPv6
access list must contain at least one entry for the implicit deny ipv6 any any statement to take effect.

Step 5
Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no
sequence-number command to delete an entry.
Purpose: Allows you to revise an access list.

Step 6
Use one of these commands:
• end
• commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  – Entering yes saves configuration changes to the running configuration file, exits the configuration
session, and returns the router to EXEC mode.
  – Entering no exits the configuration session and returns the router to EXEC mode without committing
the configuration changes.
  – Entering cancel leaves the router in the current configuration session without exiting or committing
the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain
within the configuration session.

Step 7
show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type
interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name
[sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
Example:
RP/0/RSP0/CPU0:router# show access-lists ipv4 acl_1
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 access lists.
• Use the access-list-name argument to display the contents of a specific access list.
• Use the hardware, ingress or egress, and location or sequence keywords to display the access-list hardware
contents and counters for all interfaces that use the specified access list in a given direction (ingress or
egress). The access group for an interface must be configured using the ipv4 access-group command for
access-list hardware counters to be enabled.
• Use the summary keyword to display a summary of all current IPv4 or IPv6 access-lists.
• Use the interface keyword to display interface statistics.
What to Do Next
After creating an access list, you must apply it to a line or interface. See the Applying Access Lists, on page
15 section for information about how to apply an access list.
ACL commit fails while adding and removing unique Access List Entries (ACE). This happens due to the
absence of an assigned manager process. The user has to exit the config-ipv4-acl mode to configuration mode
and re-enter the config-ipv4-acl mode before adding the first ACE.
Applying Access Lists
After you create an access list, you must reference it for it to take effect. Access lists can be applied to interfaces in either the inbound or the outbound direction, or to terminal lines. This section describes guidelines on how to accomplish this task for both terminal lines and network interfaces.
Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.
For inbound access lists, after receiving a packet, Cisco IOS XR software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message. The ICMP message is configurable.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.
When you apply an access list that has not yet been defined to an interface, the software acts as if no access list were applied to that interface and accepts all packets. An access group that refers to a misspelled or not-yet-created access list therefore filters nothing, silently. Verify with the show access-lists command that the referenced list exists, and do not rely on an undefined access list as a security control in your network.
Controlling Access to an Interface
This task applies an access list to an interface to restrict access to that interface.
Access lists can be applied on either outbound or inbound interfaces.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. Do one of the following:
• ipv4 access-group access-list-name {ingress | egress} [hardware-count] [interface-statistics]
• ipv6 access-group access-list-name {ingress | egress} [interface-statistics]
4. Do one of the following:
• end
• commit
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure
Step 2: interface type interface-path-id
Purpose: Configures an interface and enters interface configuration mode.
• The type argument specifies an interface type. For more information on interface types, use the question mark (?) online help function.
• The instance argument specifies either a physical interface instance or a virtual instance.
◦ The naming notation for a physical interface instance is rack/slot/module/port. The slash (/) between values is required as part of the notation.
◦ The number range for a virtual interface instance varies depending on the interface type.
Example:
RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
Step 3: Do one of the following:
• ipv4 access-group access-list-name {ingress | egress} [hardware-count] [interface-statistics]
• ipv6 access-group access-list-name {ingress | egress} [interface-statistics]
Purpose: Controls access to an interface.
• Use the access-list-name argument to specify a particular IPv4 or IPv6 access list.
• Use the ingress keyword to filter inbound packets or the egress keyword to filter outbound packets.
• Use the hardware-count keyword to enable hardware counters for the IPv4 access group.
◦ Hardware counters are automatically enabled for IPv6 access groups.
• Use the interface-statistics keyword to specify per-interface statistics in the hardware.
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group p-in-filter ingress
RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group p-out-filter egress
This example applies filters on packets inbound to and outbound from GigabitEthernet interface 0/2/0/2.
Step 4: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Controlling Access to a Line
This task applies an access list to a line to control access to that line.
SUMMARY STEPS
1. configure
2. line {aux | console | default | template template-name}
3. access-class list-name {ingress | egress}
4. Use one of these commands:
• end
• commit
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure
Step 2: line {aux | console | default | template template-name}
Purpose: Specifies either the auxiliary, console, default, or a user-defined line template and enters line template configuration mode.
• Line templates are a collection of attributes used to configure and manage physical terminal line connections (the console and auxiliary ports) and vty connections. The following templates are available in Cisco IOS XR software:
◦ Aux line template: the line template that applies to the auxiliary line.
◦ Console line template: the line template that applies to the console line.
◦ Default line template: the default line template that applies to physical and virtual terminal lines.
◦ User-defined line templates: user-defined line templates that can be applied to a range of virtual terminal lines.
Example:
RP/0/RSP0/CPU0:router(config)# line default
Step 3: access-class list-name {ingress | egress}
Purpose: Restricts incoming and outgoing connections using an IPv4 or IPv6 access list.
• In the example, outgoing connections for the default line template are filtered using the IPv6 access list acl_2.
Example:
RP/0/RSP0/CPU0:router(config-line)# access-class acl_2 egress
Step 4: Use one of these commands:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-line)# end
or
RP/0/RSP0/CPU0:router(config-line)# commit
Configuring Prefix Lists
This task configures an IPv4 or IPv6 prefix list.
SUMMARY STEPS
1. configure
2. {ipv4 | ipv6} prefix-list name
3. [ sequence-number ] remark remark
4. [ sequence-number] {permit | deny} network/length [ge value] [le value] [eq value]
5. Repeat Step 4 as necessary. Use the no sequence-number command to delete an entry.
6. Do one of the following:
• end
• commit
7. Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
8. clear {ipv4 | ipv6} prefix-list name [sequence-number]
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure
Step 2: {ipv4 | ipv6} prefix-list name
Purpose: Enters either IPv4 or IPv6 prefix list configuration mode and configures the named prefix list.
• To create a prefix list, you must enter at least one permit or deny clause.
• Use the no {ipv4 | ipv6} prefix-list name command to remove all entries in a prefix list.
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 prefix-list pfx_1
or
RP/0/RSP0/CPU0:router(config)# ipv6 prefix-list pfx_2
Step 3: [sequence-number] remark remark
Purpose: (Optional) Allows you to comment about the following permit or deny statement in a named prefix list.
• The remark can be up to 255 characters; anything longer is truncated.
• Remarks can be configured before or after permit or deny statements, but their location should be consistent.
Example:
RP/0/RSP0/CPU0:router(config-ipv4_pfx)# 10 remark Deny all routes with a prefix of 10/8
RP/0/RSP0/CPU0:router(config-ipv4_pfx)# 20 deny 10.0.0.0/8 le 32
Step 4: [sequence-number] {permit | deny} network/length [ge value] [le value] [eq value]
Purpose: Specifies one or more conditions allowed or denied in the named prefix list.
• This example denies all prefixes matching /24 in 128.0.0.0/8 in prefix list pfx_2.
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# 20 deny 128.0.0.0/8 eq 24
Step 5: Repeat Step 4 as necessary. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise a prefix list.
Step 6: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# end
or
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# commit
Step 7: Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
• Use the name argument to display the contents of a specific prefix list.
• Use the sequence-number argument to specify the sequence number of the prefix-list entry.
• Use the summary keyword to display summary output of prefix-list contents.
Example:
RP/0/RSP0/CPU0:router# show prefix-list ipv4 pfx_1
or
RP/0/RSP0/CPU0:router# show prefix-list ipv6 pfx_2 summary
Step 8: clear {ipv4 | ipv6} prefix-list name [sequence-number]
Purpose: (Optional) Clears the hit count on an IPv4 or IPv6 prefix list.
Note The hit count is a value indicating the number of matches to a specific prefix-list entry.
Example:
RP/0/RSP0/CPU0:router# clear prefix-list ipv4 pfx_1 30
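The matching rules behind Step 4 (a route must lie inside network/length; with no modifier only the exact length matches, ge and le bound the length, eq demands one length), the first-match evaluation with an implicit deny at the end, and the per-entry hit counts that Step 8 clears, modelled in Python as an added example. This is not Cisco code and not the IOS XR implementation; the PrefixEntry and PrefixList classes, the permit-everything entry in pfx_1 and the routes used to exercise it are constructed for the illustration.

```python
"""Added model of IOS XR prefix-list matching as described in Steps 4 and 8;
illustration only, not Cisco code.  List names and routes are constructed."""
from ipaddress import ip_network
from typing import Dict, Optional, Tuple


class PrefixEntry:
    """'<seq> permit|deny network/length [ge value] [le value] [eq value]'."""

    def __init__(self, seq: int, action: str, prefix: str,
                 ge: Optional[int] = None, le: Optional[int] = None, eq: Optional[int] = None) -> None:
        self.seq, self.action, self.net = seq, action, ip_network(prefix)
        self.ge, self.le, self.eq = ge, le, eq

    def matches(self, route: str) -> bool:
        r = ip_network(route)
        if r.version != self.net.version or not r.subnet_of(self.net):
            return False                          # must lie inside network/length
        plen = r.prefixlen
        if self.eq is not None:
            return plen == self.eq                # eq: exactly this length
        if self.ge is None and self.le is None:
            return plen == self.net.prefixlen     # no modifier: the exact prefix only
        lo = self.ge if self.ge is not None else self.net.prefixlen
        hi = self.le if self.le is not None else self.net.max_prefixlen
        return lo <= plen <= hi                   # ge/le: bounded length range


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, PrefixEntry] = {}
        self.hits: Dict[int, int] = {}           # what 'show prefix-list' reports per entry

    def add(self, seq: int, action: str, prefix: str, **mods: int) -> None:
        self.entries[seq] = PrefixEntry(seq, action, prefix, **mods)
        self.hits[seq] = 0

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """First match in sequence order wins; no match means the implicit deny."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(route):
                self.hits[seq] += 1
                return self.entries[seq].action, seq
        return "deny", None

    def clear(self, seq: Optional[int] = None) -> None:
        """'clear ipv4 prefix-list NAME [sequence-number]'"""
        for s in ([seq] if seq is not None else list(self.hits)):
            self.hits[s] = 0


def build_pfx_1() -> PrefixList:
    """The chapter's pfx_1 (deny 10.0.0.0/8 le 32) plus a constructed permit-everything-else entry."""
    p = PrefixList("pfx_1")
    p.add(20, "deny", "10.0.0.0/8", le=32)
    p.add(30, "permit", "0.0.0.0/0", le=32)
    return p
```

Note the asymmetry a practitioner tends to forget: "deny 10.0.0.0/8 le 32" catches 10.0.0.0/8 itself and every longer prefix inside it, but a covering aggregate such as 10.0.0.0/7 falls through to the next entry, and without the constructed entry 30 the implicit deny would reject every route the list does not name.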
Configuring Standard Access Lists
This task configures a standard IPv4 access list.
Standard access lists use source addresses for matching operations.
SUMMARY STEPS
1. configure
2. ipv4 access-list name
3. [ sequence-number ] remark remark
4. [ sequence-number ] {permit | deny} source [source-wildcard] [log | log-input]
5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no
sequence-number command to delete an entry.
6. Do one of the following:
• end
• commit
7. show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type
interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name
[sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure
Step 2: ipv4 access-list name
Purpose: Enters IPv4 access list configuration mode and configures access list acl_1.
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 access-list acl_1
Step 3: [sequence-number] remark remark
Purpose: (Optional) Allows you to comment about the following permit or deny statement in a named access list.
• The remark can be up to 255 characters; anything longer is truncated.
• Remarks can be configured before or after permit or deny statements, but their location should be consistent.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 remark Do not allow user1 to telnet out
Step 4: [sequence-number] {permit | deny} source [source-wildcard] [log | log-input]
Purpose: Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped.
• Use the source argument to specify the network or host address from which the packet is being sent.
• Use the optional source-wildcard argument to specify the wildcard bits to be applied to the source. A 0 bit in the wildcard must match the corresponding bit of the source address; a 1 bit is ignored, so 0.0.255.255 matches the whole 172.16.0.0/16 network in the example.
• The optional log keyword causes an informational logging message about the packet that matches the entry to be sent to the console.
• The optional log-input keyword provides the same function as the log keyword, except that the logging message also includes the input interface.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 permit 172.16.0.0 0.0.255.255
or
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 30 deny 192.168.34.0 0.0.0.255
Step 5: Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise an access list.
Step 6: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# end
or
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Step 7: show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
Purpose: (Optional) Displays the contents of the named IPv4 access list.
• The contents of an IPv4 standard access list are displayed in extended access-list format.
Example:
RP/0/RSP0/CPU0:router# show access-lists ipv4 acl_1
What to Do Next
After creating a standard access list, you must apply it to a line or interface. See the “Applying Access Lists, on page 15” section for information about how to apply an access list.
Copying Access Lists
This task copies an IPv4 or IPv6 access list.
SUMMARY STEPS
1. copy access-list {ipv4 | ipv6} source-acl destination-acl
2. show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
DETAILED STEPS
Step 1: copy access-list {ipv4 | ipv6} source-acl destination-acl
Purpose: Creates a copy of an existing IPv4 or IPv6 access list.
• Use the source-acl argument to specify the name of the access list to be copied.
• Use the destination-acl argument to specify where to copy the contents of the source access list.
◦ The destination-acl argument must be a unique name; if the destination-acl argument name exists for an access list, the access list is not copied.
Example:
RP/0/RSP0/CPU0:router# copy access-list ipv6 list-1 list-2
Step 2: show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
Purpose: (Optional) Displays the contents of a named IPv4 or IPv6 access list. For example, you can verify the output to see that the destination access list list-2 contains all the information from the source access list list-1.
Example:
RP/0/RSP0/CPU0:router# show access-lists ipv6 list-2
Sequencing Access-List Entries and Revising the Access List
This task shows how to assign sequence numbers to entries in a named access list and how to add or delete
an entry to or from an access list. It is assumed that a user wants to revise an access list. Resequencing an
access list is optional.
SUMMARY STEPS
1. resequence access-list {ipv4 | ipv6} name [base [increment]]
2. configure
3. {ipv4 | ipv6} access-list name
4. Do one of the following:
• [ sequence-number ] {permit | deny} source source-wildcard destination destination-wildcard
[precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value]
[log | log-input]
• [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host
source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any
| host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen]
[destopts] [fragments] [packet-length operator packet-length value] [log | log-input]
5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no
sequence-number command to delete an entry.
6. Do one of the following:
• end
• commit
7. show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type
interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name
[sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
DETAILED STEPS
Step 1: resequence access-list {ipv4 | ipv6} name [base [increment]]
Purpose: (Optional) Resequences the specified IPv4 or IPv6 access list using the starting sequence number and the increment of sequence numbers.
• This example resequences an IPv4 access list named acl_3. The starting sequence number is 20 and the increment is 15. If you do not select an increment, the default increment 10 is used.
Example:
RP/0/RSP0/CPU0:router# resequence access-list ipv4 acl_3 20 15
Step 2: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure
Step 3: {ipv4 | ipv6} access-list name
Purpose: Enters either IPv4 or IPv6 access list configuration mode and configures the named access list.
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 access-list acl_1
or
RP/0/RSP0/CPU0:router(config)# ipv6 access-list acl_2
Step 4: Do one of the following:
• [sequence-number] {permit | deny} source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]
• [sequence-number] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen] [destopts] [fragments] [packet-length operator packet-length value] [log | log-input]
Purpose: Specifies one or more conditions allowed or denied in IPv4 access list acl_1 or in IPv6 access list acl_2.
• The optional log keyword causes an informational logging message about the packet that matches the entry to be sent to the console.
• The optional log-input keyword provides the same function as the log keyword, except that the logging message also includes the input interface.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• Refer to the permit (IPv6) and deny (IPv6) commands for more information on filtering IPv6 traffic based on IPv6 option headers and upper-layer protocols such as ICMP, TCP, and UDP.
Note Every IPv6 access list has an implicit deny ipv6 any any statement as its last match condition. An IPv6 access list must contain at least one entry for the implicit deny ipv6 any any statement to take effect.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit 172.16.0.0 0.0.255.255
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 deny 192.168.34.0 0.0.0.255
or
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 20 permit icmp any any
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 30 deny tcp any any gt 5000
Step 5: Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise the access list.
Step 6: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# end
or
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Step 7: show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
Purpose: (Optional) Displays the contents of a named IPv4 or IPv6 access list.
• Review the output to see that the access list includes the updated information.
Example:
RP/0/RSP0/CPU0:router# show access-lists ipv4 acl_1
What to Do Next
If your access list is not already applied to an interface or line or otherwise referenced, apply the access list. See the “Applying Access Lists, on page 15” section for information about how to apply an access list.
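The behaviour that three earlier passages describe in prose, modelled in Python as an added example: the evaluation rules from “Applying Access Lists” (entries tried in sequence-number order, first match wins, nothing matched hits the implicit deny, and an access group that names an access list that does not exist accepts everything), the source/source-wildcard matching from “Configuring Standard Access Lists”, and the renumbering that the resequence command in this section performs. This is not Cisco code and not the IOS XR implementation; the Router and StandardAcl classes, the interface names, the misspelled list name acl_l and the addresses are constructed for the illustration.

```python
"""Added model of standard IPv4 access-list behaviour as documented in this
chapter; illustration only, not Cisco IOS XR code.  Class names, list names,
interface names and addresses are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """source/source-wildcard semantics: a 0 bit in the wildcard must match,
    a 1 bit is ignored (so 0.0.255.255 matches the whole /16)."""
    a, s, w = (int(IPv4Address(x)) for x in (addr, source, wildcard))
    return (a ^ s) & ~w & 0xFFFFFFFF == 0


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"    # no wildcard given: exact host match


@dataclass
class StandardAcl:
    name: str
    entries: Dict[int, Ace] = field(default_factory=dict)

    def add(self, seq: int, action: str, source: str, wildcard: str = "0.0.0.0") -> None:
        """'<seq> permit|deny source [wildcard]'; re-using a sequence number replaces that entry."""
        self.entries[seq] = Ace(seq, action, source, wildcard)

    def delete(self, seq: int) -> None:
        """'no <sequence-number>'"""
        del self.entries[seq]

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """First match in ascending sequence order wins; nothing matched -> implicit deny."""
        for seq in sorted(self.entries):
            ace = self.entries[seq]
            if wildcard_match(src, ace.source, ace.wildcard):
                return ace.action, seq
        return "deny", None

    def resequence(self, base: int = 10, increment: int = 10) -> List[int]:
        """'resequence access-list ipv4 NAME base increment': keep the order, renumber."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {}
        for i, ace in enumerate(ordered):
            ace.seq = base + i * increment
            self.entries[ace.seq] = ace
        return sorted(self.entries)


class Router:
    """Just enough state to show what an ipv4 access-group does with its list."""

    def __init__(self) -> None:
        self.acls: Dict[str, StandardAcl] = {}
        self.access_groups: Dict[Tuple[str, str], str] = {}  # (interface, direction) -> list name

    def ipv4_access_group(self, interface: str, acl_name: str, direction: str) -> None:
        self.access_groups[(interface, direction)] = acl_name

    def filter(self, interface: str, direction: str, src: str) -> str:
        acl_name = self.access_groups.get((interface, direction))
        if acl_name is None:
            return "permit"                  # no access-group in this direction
        acl = self.acls.get(acl_name)
        if acl is None:
            # The pitfall the chapter warns about: an access-group naming a list
            # that does not exist behaves as if nothing were applied at all.
            return "permit"
        return acl.evaluate(src)[0]


def build_example() -> Router:
    """Constructed scenario: acl_1 from the chapter on one interface, a typo on another."""
    r = Router()
    acl = StandardAcl("acl_1")
    acl.add(20, "permit", "172.16.0.0", "0.0.255.255")
    acl.add(30, "deny", "192.168.34.0", "0.0.0.255")
    r.acls["acl_1"] = acl
    r.ipv4_access_group("gigabitethernet0/2/0/2", "acl_1", "ingress")
    r.ipv4_access_group("gigabitethernet0/2/0/3", "acl_l", "ingress")   # "acl_l" is never defined
    return r
```

Two points the model makes visible: adding a deny at sequence 25 for a subnet already covered by the permit at 20 changes nothing, because the earlier entry matches first (it has to be inserted below 20, which is what planned sequence gaps are for), and resequencing renumbers entries without changing their relative order, so the result of evaluation is identical before and after.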
Copying Prefix Lists
This task copies an IPv4 or IPv6 prefix list.
SUMMARY STEPS
1. copy prefix-list {ipv4 | ipv6} source-name destination-name
2. Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
DETAILED STEPS
Step 1: copy prefix-list {ipv4 | ipv6} source-name destination-name
Purpose: Creates a copy of an existing IPv4 or IPv6 prefix list.
• Use the source-name argument to specify the name of the prefix list to be copied and the destination-name argument to specify where to copy the contents of the source prefix list.
• The destination-name argument must be a unique name; if the destination-name argument name exists for a prefix list, the prefix list is not copied.
Example:
RP/0/RSP0/CPU0:router# copy prefix-list ipv6 list_1 list_2
Step 2: Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
• Review the output to see that prefix list list_2 includes the entries from list_1.
Example:
RP/0/RSP0/CPU0:router# show prefix-list ipv6 list_2
Sequencing Prefix List Entries and Revising the Prefix List
This task shows how to assign sequence numbers to entries in a named prefix list and how to add or delete
an entry to or from a prefix list. It is assumed a user wants to revise a prefix list. Resequencing a prefix list
is optional.
Before You Begin
Note Resequencing IPv6 prefix lists is not supported.
SUMMARY STEPS
1. resequence prefix-list ipv4 name [base [increment]]
2. configure
3. {ipv4 | ipv6} prefix-list name
4. [ sequence-number ] {permit | deny} network/length [ge value] [le value] [eq value]
5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no
sequence-number command to delete an entry.
6. Do one of the following:
• end
• commit
7. Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
DETAILED STEPS
Step 1: resequence prefix-list ipv4 name [base [increment]]
Purpose: (Optional) Resequences the named IPv4 prefix list using the starting sequence number and the increment of sequence numbers.
• This example resequences a prefix list named pfx_1. The starting sequence number is 10 and the increment is 15.
Example:
RP/0/RSP0/CPU0:router# resequence prefix-list ipv4 pfx_1 10 15
Step 2: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure
Step 3: {ipv4 | ipv6} prefix-list name
Purpose: Enters either IPv4 or IPv6 prefix list configuration mode and configures the named prefix list.
Example:
RP/0/RSP0/CPU0:router(config)# ipv6 prefix-list pfx_2
Step 4: [sequence-number] {permit | deny} network/length [ge value] [le value] [eq value]
Purpose: Specifies one or more conditions allowed or denied in the named prefix list.
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# 15 deny 128.0.0.0/8 eq 24
Step 5: Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise the prefix list.
Step 6: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# end
or
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# commit
Step 7: Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
• Review the output to see that prefix list pfx_2 includes all new information.
Example:
RP/0/RSP0/CPU0:router# show prefix-list ipv6 pfx_2
How to Implement ACL-based Forwarding
This section contains the following procedure:
• Configuring ACL-based Forwarding with Security ACL, on page 31
Configuring ACL-based Forwarding with Security ACL
Perform this task to configure ACL-based forwarding with security ACL.
SUMMARY STEPS
1. configure
2. ipv4 access-list name
3. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [[default] nexthop1 [ipv4 ipv4-address1] nexthop2 [ipv4 ipv4-address2] nexthop3 [ipv4 ipv4-address3]] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] [track track-name] [ttl ttl [value1 ... value2]]
4. Do one of the following:
• end
• commit
5. show access-lists ipv4 [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  ipv4 access-list name
  Purpose: Enters IPv4 access list configuration mode and configures the specified access list.
  Example:
  RP/0/RSP0/CPU0:router(config)# ipv4 access-list security-abf-acl

Step 3  [sequence-number] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [[default] nexthop1 [ipv4 ipv4-address1] nexthop2 [ipv4 ipv4-address2] nexthop3 [ipv4 ipv4-address3]] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] [[track track-name] [ttl ttl [value1 ... value2]]
  Purpose: Sets the conditions for an IPv4 access list. The configuration example shows how to configure ACL-based forwarding with a security ACL.
  • The nexthop1, nexthop2, nexthop3 keywords forward to the specified next hop for this entry.
  • If the default keyword is configured, the ACL-based forwarding action is taken only if the PLU lookup for the destination of the packet resolves to a default route; that is, only when no specific route to the destination of the packet exists.
  Example:
  RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 10.0.0.0 0.255.255.255 any nexthop 50.1.1.2
  RP/0/RSP0/CPU0:router(config-ipv4-acl)# 15 permit ipv4 30.2.1.0 0.0.0.255 any
  RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 permit ipv4 30.2.0.0 0.0.255.255 any nexthop 40.1.1.2
  RP/0/RSP0/CPU0:router(config-ipv4-acl)# 25 permit ipv4 any any

Step 4  Do one of the following:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config-ipv4-acl)# end
  or
  RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit

Step 5  show access-list ipv4 [[access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
  Purpose: Displays the information for ACL software.
  Example:
  RP/0/RSP0/CPU0:router# show access-lists ipv4 security-abf-acl
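The forwarding rule Step 3 describes (the first matching entry wins; an entry's next hop overrides the routing lookup, except that with the default keyword it applies only when the lookup returns the default route) is easier to reason about when written out. The following Python model is an added example and is not part of the guide or of IOS XR: the FIB contents, the 192.0.2.x next hops and the seq-12 entry that uses default are constructed for illustration, destination matching is omitted because every entry in the guide's example uses any as destination, and the implicit deny at the end of the list is the model's assumption about ACL behaviour.

```python
"""Model of IPv4 ACL-based forwarding (ABF) with nexthop and default (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class AbfEntry:
    seq: int
    source: str                    # base address of the source match
    wildcard: str                  # wildcard mask: 0 bits must match, 1 bits are "don't care"
    nexthop: Optional[str] = None  # ABF next hop; None means an ordinary permit
    default_only: bool = False     # the "default" keyword


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits that are 0 in the mask must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Constructed FIB (prefix -> next hop); not from the guide.
FIB = {
    DEFAULT_ROUTE: "192.0.2.254",
    "30.2.0.0/16": "192.0.2.1",
    "172.16.0.0/12": "192.0.2.2",
}


def fib_lookup(dst: str) -> Tuple[str, str]:
    """Longest-prefix match over FIB; returns (matching prefix, next hop)."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in FIB.items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return str(best[0]), best[1]


# The guide's ACL (seq 10, 15, 20, 25) plus one constructed entry (seq 12)
# that carries the "default" keyword.
SECURITY_ABF_ACL = [
    AbfEntry(10, "10.0.0.0", "0.255.255.255", nexthop="50.1.1.2"),
    AbfEntry(12, "20.0.0.0", "0.255.255.255", nexthop="60.1.1.2", default_only=True),
    AbfEntry(15, "30.2.1.0", "0.0.0.255"),
    AbfEntry(20, "30.2.0.0", "0.0.255.255", nexthop="40.1.1.2"),
    AbfEntry(25, "0.0.0.0", "255.255.255.255"),   # "any"
]


def abf_decision(acl: List[AbfEntry], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching entry wins. Returns (action, next hop the packet is sent to)."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if not wildcard_match(src, entry.source, entry.wildcard):
            continue
        fib_prefix, fib_nh = fib_lookup(dst)
        if entry.nexthop is None:
            return "permit", fib_nh                  # plain permit: routing decides
        if entry.default_only and fib_prefix != DEFAULT_ROUTE:
            return "permit", fib_nh                  # a specific route exists: ABF not applied
        return "permit", entry.nexthop               # ABF overrides the routing lookup
    return "deny", None   # implicit deny at the end of the list (model assumption)
```

The interesting case for review is seq 12: the same source matches twice in the test below, and only the packet whose destination falls back to the default route is steered to 60.1.1.2; the packet with a specific FIB route keeps the routed next hop.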
Implementing IPSLA-OT
In this section, the following procedures are discussed:
• Enabling track mode, on page 33
• Configuring track type, on page 34
• Configuring tracking type (line protocol), on page 34
• Configuring track type (list), on page 35
• Configuring tracking type (route), on page 37
• Configuring tracking type (rtr), on page 38
Enabling track mode
SUMMARY STEPS
1. configure
2. track track-name
3. Use one of these commands:
• end
• commit
DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  track track-name
  Purpose: Enters track configuration mode.
  Example:
  RP/0/RSP0/CPU0:router(config)# track t1

Step 3  Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config)# end
  or
  RP/0/RSP0/CPU0:router(config)# commit
Configuring track type
There are different mechanisms for tracking the availability of the next-hop device. The tracking type can be
one of four types, using:
• line protocol
• list
• route
• IPSLA
Configuring tracking type (line protocol)
Line protocol is one of the object types the object tracker component can track. This object type provides an
option for tracking state change notification from an interface. Based on the interface state change notification,
it decides whether the track state should be UP or DOWN.
SUMMARY STEPS
1. configure
2. track track-name
3. type line-protocol state interface type interface-path-id
4. Use one of these commands:
• end
• commit
DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  track track-name
  Purpose: Enters track configuration mode.
  Example:
  RP/0/RSP0/CPU0:router(config)# track t1

Step 3  type line-protocol state interface type interface-path-id
  Purpose: Sets the interface which needs to be tracked for state change notifications.
  Example:
  RP/0/RSP0/CPU0:router(config-track)# type line-protocol state interface tengige 0/4/4/0

Step 4  Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config)# end
  or
  RP/0/RSP0/CPU0:router(config)# commit
Configuring track type (list)
List is a boolean object type. Boolean refers to the capability of performing a boolean AND or boolean OR
operation on combinations of the different object types supported by the object tracker.

SUMMARY STEPS
1. configure
2. track track-name
3. type list boolean and
4. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  track track-name
  Purpose: Enters track configuration mode.
  Example:
  RP/0/RSP0/CPU0:router(config)# track t1

Step 3  type list boolean and
  Purpose: Sets the list of track objects on which boolean AND or boolean OR operations could be performed.
  Example:
  RP/0/RSP0/CPU0:router(config-track)# type list boolean and

Step 4  Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config)# end
  or
  RP/0/RSP0/CPU0:router(config)# commit
Configuring tracking type (route)
Route is a route object type. The object tracker tracks FIB notifications to determine route reachability
and the track state.
SUMMARY STEPS
1. configure
2. track track-name
3. type route reachability
4. Use one of these commands:
• end
• commit
DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  track track-name
  Purpose: Enters track configuration mode.
  Example:
  RP/0/RSP0/CPU0:router(config)# track t1

Step 3  type route reachability
  Purpose: Sets the route on which reachability state needs to be learnt dynamically.
  Example:
  RP/0/RSP0/CPU0:router(config-track)# type route reachability

Step 4  Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config)# end
  or
  RP/0/RSP0/CPU0:router(config)# commit
Configuring tracking type (rtr)
IPSLA is an ipsla object type. The object tracker tracks the return code of the ipsla operation to determine
track state changes.
SUMMARY STEPS
1. configure
2. track track-name
3. type rtr ipsla operation id reachability
4. Use one of these commands:
• end
• commit
DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  track track-name
  Purpose: Enters track configuration mode.
  Example:
  RP/0/RSP0/CPU0:router(config)# track t1

Step 3  type rtr ipsla operation id reachability
  Purpose: Sets the ipsla operation id which needs to be tracked for reachability.
  Example:
  RP/0/RSP0/CPU0:router(config-track)# type rtr 100 reachability

Step 4  Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config)# end
  or
  RP/0/RSP0/CPU0:router(config)# commit

Configuring Pure ACL-Based Forwarding for IPv6 ACL
SUMMARY STEPS
1. configure
2. {ipv6 } access-list name
3. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]] [ttl ttl value [value1 ... value2]] [default] nexthop1 [vrf vrf-name1] [ipv6 ipv6-address1] [nexthop2 [vrf vrf-name2] [ipv6 ipv6-address2] [nexthop3 [vrf vrf-name3] [ipv6 ipv6-address3]]]
4. Do one of the following:
• end
• commit
DETAILED STEPS

Step 1  configure
  Purpose: Enters global configuration mode.
  Example:
  RP/0/RSP0/CPU0:router# configure

Step 2  {ipv6 } access-list name
  Purpose: Enters IPv6 access list configuration mode and configures the specified access list.
  Example:
  RP/0/RSP0/CPU0:router(config)# ipv6 access-list security-abf-acl

Step 3  [sequence-number] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]] [ttl ttl value [value1 ... value2]] [default] nexthop1 [vrf vrf-name1] [ipv6 ipv6-address1] [nexthop2 [vrf vrf-name2] [ipv6 ipv6-address2] [nexthop3 [vrf vrf-name3] [ipv6 ipv6-address3]]]
  Purpose: Sets the conditions for an IPv6 access list. The configuration example shows how to configure pure ACL-based forwarding for an ACL.
  • Forwards to the specified next hop for this entry.
  Example:
  RP/0/RSP0/CPU0:router(config-ipv6-acl)# 10 permit ipv6 any any default nexthop1 vrf vrf_A ipv6 11::1 nexthop2 vrf vrf_B ipv6 nexthop3 vrf vrf_C ipv6 33::3

Step 4  Do one of the following:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
    ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
  RP/0/RSP0/CPU0:router(config-ipv6-acl)# end
  or
  RP/0/RSP0/CPU0:router(config-ipv6-acl)# commit
Configuration Examples for Implementing Access Lists and Prefix Lists
This section provides the following configuration examples:
Resequencing Entries in an Access List: Example
The following example shows access-list resequencing. The starting value in the resequenced access list is
10, and the increment value is 20. The subsequent entries are ordered based on the increment value that the user
provides, and the range is from 1 to 2147483646.
When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the
last entry in the access list.
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
100 permit ip any any
configure
ipv4 access-list acl_1
end
resequence ipv4 access-list acl_1 10 20
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
30 permit icmp any any
50 permit tcp any host 10.3.3.3
70 permit ip host 10.4.4.4 any
90 permit ip host 172.16.2.2 host 10.3.3.12
110 permit ip host 10.3.3.3 any log
130 permit tcp host 10.3.3.3 host 10.1.2.2
150 permit ip any any
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
100 permit ip any any
configure
ipv6 access-list acl_1
end
resequence ipv6 access-list acl_1 10 20
ipv4 access-list acl_1
10 permit ip host 10.3.3.3 host 172.16.5.34
30 permit icmp any any
50 permit tcp any host 10.3.3.3
70 permit ip host 10.4.4.4 any
90 Dynamic test permit ip any any
110 permit ip host 172.16.2.2 host 10.3.3.12
130 permit ip host 10.3.3.3 any log
150 permit tcp host 10.3.3.3 host 10.1.2.2
170 permit ip host 10.3.3.3 any
190 permit ip any any
Adding Entries with Sequence Numbers: Example
In the following example, a new entry is added to IPv4 access list acl_5.
ipv4 access-list acl_5
2 permit ipv4 host 10.4.4.2 any
5 permit ipv4 host 10.0.0.44 any
10 permit ipv4 host 10.0.0.1 any
20 permit ipv4 host 10.0.0.2 any
configure
ipv4 access-list acl_5
15 permit 10.5.5.5 0.0.0.255
end
ipv4 access-list acl_5
2 permit ipv4 host 10.4.4.2 any
5 permit ipv4 host 10.0.0.44 any
10 permit ipv4 host 10.0.0.1 any
15 permit ipv4 10.5.5.5 0.0.0.255 any
20 permit ipv4 host 10.0.0.2 any
Adding Entries Without Sequence Numbers: Example
The following example shows how an entry with no specified sequence number is added to the end of an
access list. When an entry is added without a sequence number, it is automatically given a sequence number
that puts it at the end of the access list. Because the default increment is 10, the entry will have a sequence
number 10 higher than the last entry in the existing access list.
configure
ipv4 access-list acl_10
permit 10.1.1.1 0.0.0.255
permit 10.2.2.2 0.0.0.255
permit 10.3.3.3 0.0.0.255
end
ipv4 access-list acl_10
10 permit ip 10.1.1.0 0.0.0.255 any
20 permit ip 10.2.2.0 0.0.0.255 any
30 permit ip 10.3.3.0 0.0.0.255 any
configure
ipv4 access-list acl_10
permit 10.4.4.4 0.0.0.255
end
ipv4 access-list acl_10
10 permit ip 10.1.1.0 0.0.0.255 any
20 permit ip 10.2.2.0 0.0.0.255 any
30 permit ip 10.3.3.0 0.0.0.255 any
40 permit ip 10.4.4.0 0.0.0.255 any
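The three examples above (resequencing acl_1, inserting entry 15 into acl_5, and appending unnumbered entries to acl_10) follow one set of numbering rules: sequence numbers range from 1 to 2147483646, an entry given without a number goes to the end with a number 10 higher than the last entry, an entry given with a number is placed in sequence order, and resequence renumbers every entry from a start value in steps of an increment. The following Python model reproduces all three examples; it is an added illustration, not the guide's or IOS XR's own code, and the Acl class, its method names and the rule that re-entering an existing sequence number replaces that entry are the model's assumptions.

```python
"""Sequence numbering of IOS XR access-list entries (added example, not the guide's own code)."""
from typing import Dict, List, Optional, Tuple

SEQ_MIN, SEQ_MAX = 1, 2147483646   # sequence-number range stated in the guide
DEFAULT_INCREMENT = 10             # an entry without a number goes 10 past the last entry


class Acl:
    """Hypothetical model of one access list: seq -> entry text, always shown in seq order."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, str] = {}

    def add(self, rule: str, seq: Optional[int] = None) -> int:
        """Add an entry; without a sequence number it is appended at last + 10."""
        if seq is None:
            seq = (max(self.entries) + DEFAULT_INCREMENT) if self.entries else DEFAULT_INCREMENT
        if not SEQ_MIN <= seq <= SEQ_MAX:
            raise ValueError(f"sequence number {seq} outside {SEQ_MIN}..{SEQ_MAX}")
        self.entries[seq] = rule   # model assumption: re-using a number replaces that entry
        return seq

    def resequence(self, start: int = 10, step: int = 10) -> List[int]:
        """Renumber all entries, keeping their order: start, start+step, start+2*step, ..."""
        if not SEQ_MIN <= start <= SEQ_MAX or not SEQ_MIN <= step <= SEQ_MAX:
            raise ValueError("start and increment must lie within the sequence-number range")
        ordered = [self.entries[s] for s in sorted(self.entries)]
        last = start + step * (len(ordered) - 1)
        if ordered and last > SEQ_MAX:
            raise ValueError(f"resequencing would exceed {SEQ_MAX}")
        self.entries = {start + i * step: rule for i, rule in enumerate(ordered)}
        return sorted(self.entries)

    def show(self) -> List[str]:
        """Entries as the guide prints them: '<seq> <rule>' in ascending order."""
        return [f"{seq} {self.entries[seq]}" for seq in sorted(self.entries)]


def guide_examples() -> Tuple[List[str], List[str], List[str]]:
    """Reproduce the three examples: resequence acl_1, insert 15 into acl_5, append to acl_10."""
    acl_1 = Acl("acl_1")
    for seq, rule in [(10, "permit ip host 10.3.3.3 host 172.16.5.34"),
                      (20, "permit icmp any any"),
                      (30, "permit tcp any host 10.3.3.3"),
                      (40, "permit ip host 10.4.4.4 any"),
                      (60, "permit ip host 172.16.2.2 host 10.3.3.12"),
                      (70, "permit ip host 10.3.3.3 any log"),
                      (80, "permit tcp host 10.3.3.3 host 10.1.2.2"),
                      (100, "permit ip any any")]:
        acl_1.add(rule, seq)
    acl_1.resequence(10, 20)            # "resequence ipv4 access-list acl_1 10 20"

    acl_5 = Acl("acl_5")
    for seq, host in [(2, "10.4.4.2"), (5, "10.0.0.44"), (10, "10.0.0.1"), (20, "10.0.0.2")]:
        acl_5.add(f"permit ipv4 host {host} any", seq)
    acl_5.add("permit ipv4 10.5.5.5 0.0.0.255 any", 15)   # lands between 10 and 20

    acl_10 = Acl("acl_10")
    for net in ("10.1.1.0", "10.2.2.0", "10.3.3.0"):
        acl_10.add(f"permit ip {net} 0.0.0.255 any")       # no number: 10, 20, 30
    acl_10.add("permit ip 10.4.4.0 0.0.0.255 any")         # no number: 40
    return acl_1.show(), acl_5.show(), acl_10.show()
```

The range checks matter in practice: an ACL that is appended to for years with the default increment, or resequenced with a large increment, can run out of sequence-number space, and the model refuses the operation rather than silently wrapping or reordering entries.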
IPv6 ACL in Class Map
In Release 4.2.1, Quality of Service (QoS) features on the ASR 9000 Ethernet line card and ASR 9000 Enhanced
Ethernet line card are enhanced to support these:
• ASR 9000 Enhanced Ethernet LC:
  ◦ Support on L2 and L3 interface and sub-interface
  ◦ Support on bundle L2 and L3 interface and sub-interface
  ◦ Support for both ingress and egress directions
  ◦ ICMP code and type for IPv4/IPv6
• ASR 9000 Ethernet LC:
  ◦ Support on only L3 interface and sub-interface
  ◦ Support on L3 bundle interface and sub-interface
  ◦ Support for both ingress and egress directions
  ◦ ICMP code and type for IPv4/IPv6
• IPv6-supported match fields:
  ◦ IPv6 Source Address
  ◦ IPv6 Destination Address
  ◦ IPv6 Protocol
  ◦ Time to live (TTL) or hop limit
  ◦ Source Port
  ◦ Destination Port
  ◦ TCP Flags
  ◦ IPv6 Flags (Routing Header (RH), Authentication Header (AH) and Destination Option Header (DH))
• Class map with IPv6 ACL that also supports:
  ◦ IPv4 ACL
  ◦ Discard class
  ◦ QoS Group
  ◦ Outer CoS
  ◦ Inner CoS
  ◦ Outer VLAN (ASR 9000 Enhanced Ethernet LC only)
  ◦ Inner VLAN (ASR 9000 Enhanced Ethernet LC only)
  ◦ match-not option
  ◦ type of service (TOS) support
• Policy-map with IPv6 ACL supports:
  ◦ hierarchical class-map
Configuring IPv6 ACL QoS - An Example
This example shows how to configure IPv6 ACL QoS with an IPv4 ACL and other fields:
ipv6 access-list aclv6
10 permit ipv6 1111:6666::2/64 1111:7777::2/64 authen
30 permit tcp host 1111:4444::2 eq 100 host 1111:5555::2 ttl eq 10
!
ipv4 access-list aclv4
10 permit ipv4 host 10.6.10.2 host 10.7.10.2
!
class-map match-any c.aclv6
match access-group ipv6 aclv6
match access-group ipv4 aclv4
match cos 1
end-class-map
!
policy-map p.aclv6
class c.aclv6
set precedence 3
!
class class-default
!
end-policy-map
!
show qos-ea km policy p.aclv6 vmr interface tenGigE 0/1/0/6.10 hw
================================================================================
B : type & id E : ether type VO : vlan outer VI : vlan inner
Q : tos/exp/group X : Reserved DC : discard class Fl : flags
F2: L2 flags F4: L4 flags SP/DP: L4 ports
T : IP TTL D : DFS class# L : leaf class#
Pl: Protocol G : QoS Grp M : V6 hdr ext. C : VMR count
--------------------------------------------------------------------------------
policy name p.aclv6 and km format type 4
Total Egress TCAM entries: 5
|B F2 VO VI Q G DC T F4 Pl SP DP M IPv4/6 SA IPv4/6
DA
================================================================================
V|3019 00 0000 0000 00 00 00 00 00 00 0000 0000 80 11116666:00000000:00000000:00000000
11117777:00000000:00000000:00000000
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF 7F 00000000:00000000:FFFFFFFF:FFFFFFFF
00000000:00000000:FFFFFFFF:FFFFFFFF
R| C=0 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3019 00 0000 0000 00 00 00 0A 01 00 0064 0000 00 11114444:00000000:00000000:00000002
11115555:00000000:00000000:00000002
M|0000 FF FFFF FFFF FF FF FF 00 FE FF 0000 FFFF FF 00000000:00000000:00000000:00000000
00000000:00000000:00000000:00000000
R| C=1 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 0000 0000 00 00 00 00 00 00 0000 0000 00 0A060A02 -------- -------- --------
0A070A02 -------- -------- --------
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00000000 -------- -------- --------
00000000 -------- -------- --------
R| C=2 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 2000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000
00000000:00000000:00000000:00000000
M|0003 FF 1FFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=3 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 0000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000
00000000:00000000:00000000:00000000
M|0003 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=4 03000200 00010002 FF0000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
This example shows how to configure a hierarchical policy map:
ipv6 access-list aclv6.p
10 permit ipv6 1111:1111::/8 2222:2222::/8
ipv6 access-list aclv6.c
10 permit ipv6 host 1111:1111::2 host 2222:2222::3
class-map match-any c.aclv6.c
match not access-group ipv6 aclv6.c
end-class-map
!
class-map match-any c.aclv6.p
match access-group ipv6 aclv6.p
end-class-map
!
policy-map child
class c.aclv6.c
set precedence 7
!
policy-map parent
class c.aclv6.p
service-policy child
set precedence 1
(config)#do show qos-ea km policy parent vmr interface tenGigE 0/1/0/6 hw
================================================================================
B : type & id E : ether type VO : vlan outer VI : vlan inner
Q : tos/exp/group X : Reserved DC : discard class Fl : flags
F2: L2 flags F4: L4 flags SP/DP: L4 ports
T : IP TTL D : DFS class# L : leaf class#
Pl: Protocol G : QoS Grp M : V6 hdr ext. C : VMR count
================================================================================
policy name parent and format type 4
Total Ingress TCAM entries: 3
|B F2 VO VI Q G DC T F4 Pl SP DP M IPv4/6 SA IPv4/6
DA
================================================================================
V|200D 00 0000 0000 00 00 00 00 00 00 0000 0000 00 11111111:00000000:00000000:00000002
22222222:00000000:00000000:00000003
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00000000:00000000:00000000:00000000
00000000:00000000:00000000:00000000
R| C=0 11800200 00020000 29000000 80004100 00000000 00000000 00000000 00000000
V|200D 00 0000 0000 00 00 00 00 00 00 0000 0000 00 11000000:00000000:00000000:00000000
22000000:00000000:00000000:00000000
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00FFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
00FFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=1 11800200 00010000 29000000 80004700 00000000 00000000 00000000 00000000
V|200C 00 0000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000
00000000:00000000:00000000:00000000
M|0003 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=2 11000200 00030000 00000000 00000000 00000000 00000000 00000000 00000000
IPv4/IPv6 ACL over BVI interface
In Release 4.2.1, IPv4/IPv6 ACL is enabled over BVI interfaces on the ASR 9000 Enhanced Ethernet Line
Cards.
For ACL over BVI interfaces, the defined direction is:
• L2 interface - ingress direction
• L3 interface - egress direction
On the A9K-SIP-700 and ASR 9000 Ethernet Line Cards, ACLs on BVI interfaces are not supported.
Note: For ASR 9000 Ethernet line cards, an ACL can be applied at the EFP level (an IPv4 L3 ACL can be applied on
an L2 interface).

Configuring IPv4 ACL over BVI interface - An Example
This example shows how to configure IPv4 ACL over a BVI interface:
ipv4 access-list bvi-acl
10 permit ipv4 any any ttl eq 70
20 deny ipv4 any any ttl eq 60
Additional References
The following sections provide references related to implementing access lists and prefix lists.
Related Documents

Related Topic: Access list commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Access List Commands module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference

Related Topic: Prefix list commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Prefix List Commands module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference

Related Topic: Terminal services commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Terminal Services Commands module in Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference

Standards

Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —

MIBs

MIBs: —
MIBs Link: To locate and download MIBs, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —

Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport

CHAPTER 2
Configuring ARP
Address resolution is the process of mapping network addresses to Media Access Control (MAC) addresses.
This process is accomplished using the Address Resolution Protocol (ARP). This module describes how to
configure ARP processes on the Cisco ASR 9000 Series Aggregation Services Router.
Note: For a complete description of the ARP commands listed in this module, refer to the Cisco ASR 9000
Series Aggregation Services Router IP Addresses and Services Command Reference. To locate documentation
of other commands that appear in this module, use the command reference master index, or search online.
Feature History for Configuring ARP
Release Modification
Release 3.7.2 This feature was introduced.
• Prerequisites for Configuring ARP , page 49
• Restrictions for Configuring ARP , page 50
• Information About Configuring ARP , page 50
• How to Configure ARP , page 53
Prerequisites for Configuring ARP
• You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.

Restrictions for Configuring ARP
The following restrictions apply to configuring ARP:
• Reverse Address Resolution Protocol (RARP) is not supported.
• ARP throttling is not supported.
Note: ARP throttling is the rate limiting of ARP packets in the Forwarding Information Base (FIB).
The following additional restrictions apply when configuring the Direct Attached Gateway Redundancy
(DAGR) feature on Cisco ASR 9000 Series Routers:
• IPv6 is not supported.
• Ethernet bundles are not supported.
• Non-Ethernet interfaces are not supported.
• Hitless ARP Process Restart is not supported.
• Hitless RSP Failover is not supported.
Information About Configuring ARP
To configure ARP, you must understand the following concepts:
IP Addressing Overview
A device in an IP network can have both a local address (which uniquely identifies the device on its local segment or
LAN) and a network address (which identifies the network to which the device belongs). The local address
is more properly known as a data link address, because it is contained in the data link layer (Layer 2 of the
OSI model) part of the packet header and is read by data-link devices (bridges and all device interfaces, for
example). The more technically inclined person will refer to local addresses as MAC addresses, because the
MAC sublayer within the data link layer processes addresses for the layer.
To communicate with a device on Ethernet, for example, Cisco IOS XR software first must determine the
48-bit MAC or local data-link address of that device. The process of determining the local data-link address
from an IP address is called address resolution.
Address Resolution on a Single LAN
The following process describes address resolution when the source and destination devices are attached to
the same LAN:
1 End System A broadcasts an ARP request onto the LAN, attempting to learn the MAC address of End
System B.
2 The broadcast is received and processed by all devices on the LAN, including End System B.
3 Only End System B replies to the ARP request. It sends an ARP reply containing its MAC address to End
System A.
4 End System A receives the reply and saves the MAC address of End System B in its ARP cache. (The
ARP cache is where network addresses are associated with MAC addresses.)
5 Whenever End System A needs to communicate with End System B, it checks the ARP cache, finds the
MAC address of End System B, and sends the frame directly, without needing to first use an ARP request.
Address Resolution When Interconnected by a Router
The following process describes address resolution when the source and destination devices are attached to
different LANs that are interconnected by a router (only if proxy-arp is turned on):
1 End System Y broadcasts an ARP request onto the LAN, attempting to learn the MAC address of End
System Z.
2 The broadcast is received and processed by all devices on the LAN, including Router X.
3 Router X checks its routing table and finds that End System Z is located on a different LAN.
4 Router X therefore acts as a proxy for End System Z. It replies to the ARP request from End System Y,
sending an ARP reply containing its own MAC address as if it belonged to End System Z.
5 End System Y receives the ARP reply and saves the MAC address of Router X in its ARP cache, in the
entry for End System Z.
6 When End System Y needs to communicate with End System Z, it checks the ARP cache, finds the MAC
address of Router X, and sends the frame directly, without using ARP requests.
7 Router X receives the traffic from End System Y and forwards it to End System Z on the other LAN.
ARP and Proxy ARP
Two forms of address resolution are supported by Cisco IOS XR software: Address Resolution Protocol (ARP)
and proxy ARP, as defined in RFC 826 and RFC 1027, respectively.
ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP
determines the associated media address. After a media or MAC address is determined, the IP address or
media address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated
in a link-layer frame and sent over the network.
When proxy ARP is disabled, the networking device responds to ARP requests received on an interface only
if one of the following conditions is met:
• The target IP address in the ARP request is the same as the interface IP address on which the request is
received.
• The target IP address in the ARP request has a statically configured ARP alias.
When proxy ARP is enabled, the networking device also responds to ARP requests that meet all the following
conditions:
• The target IP address is not on the same physical network (LAN) on which the request is received.
• The networking device has one or more routes to the target IP address.
• All of the routes to the target IP address go through interfaces other than the one on which the request
is received.
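The reply rules above, carried into a small Python decision function as an added example (this is not Cisco's code; the Interface and Route classes, the FIB, the function names and the addresses are constructed assumptions). It shows that with proxy ARP left at its default of disabled the router answers only for its own address and static aliases, and that even with proxy ARP enabled a target whose routes lead back out of the receiving interface gets no reply.

```python
"""Proxy ARP reply decision for an ARP request, modelled on the rules above.

Added example, not Cisco code: Interface, Route, fib_lookup and
should_answer_arp are names chosen here; the sample topology is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class Interface:
    name: str
    address: IPv4Interface                  # interface IP with its prefix length
    proxy_arp: bool = False                 # proxy ARP is disabled by default
    arp_aliases: set = field(default_factory=set)  # static ARP entries with 'alias'


@dataclass
class Route:
    prefix: IPv4Network
    out_interface: str


def fib_lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interfaces of the winning routes."""
    matches = [r for r in fib if addr in r.prefix]
    if not matches:
        return set()
    best = max(r.prefix.prefixlen for r in matches)
    return {r.out_interface for r in matches if r.prefix.prefixlen == best}


def should_answer_arp(ingress, target, fib):
    """True if the router replies to an ARP request for `target` received on `ingress`."""
    target = IPv4Address(target)
    # Rules that apply whether or not proxy ARP is enabled.
    if target == ingress.address.ip:
        return True
    if target in ingress.arp_aliases:
        return True
    if not ingress.proxy_arp:
        return False
    # Proxy ARP rules: target off-link, at least one route to it, and every
    # such route leaves through an interface other than the receiving one.
    if target in ingress.address.network:
        return False
    out_ifaces = fib_lookup(fib, target)
    if not out_ifaces:
        return False
    return all(name != ingress.name for name in out_ifaces)


# Constructed sample topology.
GI0 = Interface("Gi0/0/0/0", IPv4Interface("10.1.1.1/24"),
                arp_aliases={IPv4Address("10.1.1.200")})
GI0_PROXY = Interface("Gi0/0/0/0", IPv4Interface("10.1.1.1/24"), proxy_arp=True)
FIB = [
    Route(IPv4Network("10.1.1.0/24"), "Gi0/0/0/0"),  # connected on Gi0
    Route(IPv4Network("10.2.2.0/24"), "Gi0/0/0/1"),  # connected on Gi1
    Route(IPv4Network("10.3.0.0/16"), "Gi0/0/0/1"),  # reached through Gi1
    Route(IPv4Network("10.1.2.0/24"), "Gi0/0/0/0"),  # next hop sits on the Gi0 LAN
]

if __name__ == "__main__":
    cases = [(GI0, "10.1.1.1"), (GI0, "10.1.1.200"), (GI0, "10.2.2.7"),
             (GI0_PROXY, "10.2.2.7"), (GI0_PROXY, "10.1.1.9"),
             (GI0_PROXY, "10.1.2.5"), (GI0_PROXY, "10.9.9.9")]
    for ifc, tgt in cases:
        state = "on" if ifc.proxy_arp else "off"
        verdict = "reply" if should_answer_arp(ifc, tgt, FIB) else "no reply"
        print(f"who-has {tgt:>11} on {ifc.name} (proxy-arp {state}): {verdict}")
```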
ARP Cache Entries
ARP establishes correspondences between network addresses (an IP address, for example) and Ethernet
hardware addresses. A record of each correspondence is kept in a cache for a predetermined amount of time
and then discarded.
You can also add a static (permanent) entry to the ARP cache that persists until expressly removed.
Direct Attached Gateway Redundancy
Direct Attached Gateway Redundancy (DAGR) allows third-party redundancy schemes on connected devices
to use gratuitous ARP as a failover signal, enabling the ARP process to advertise a new type of route in the
Routing Information Base (RIB). These routes are distributed by Open Shortest Path First (OSPF).
Sometimes part of an IP network requires redundancy without routing protocols. A prime example is in the
mobile environment, where devices such as base station controllers and multimedia gateways are deployed
in redundant pairs, with aggressive failover requirements (subsecond or less), but typically do not have the
capability to use native Layer 3 protocols such as OSPF or Intermediate System-to-Intermediate System
(IS-IS) protocol to manage this redundancy. Instead, these devices assume they are connected to adjacent IP
devices over an Ethernet switch, and manage their redundancy at Layer 2, using proprietary mechanisms
similar to Virtual Router Redundancy Protocol (VRRP). This requires a resilient Ethernet switching capability,
and depends on mechanisms such as MAC learning and MAC flooding.
DAGR is a feature that enables many of these devices to connect directly to Cisco ASR 9000 Series Routers
without an intervening Ethernet switch. DAGR enables the subsecond failover requirements to be met using
a Layer 3 solution. No MAC learning, flooding, or switching is required.
Note: Since mobile devices' 1:1 Layer 2 redundancy mechanisms are proprietary, they do not necessarily conform
to any standard. So although most IP mobile equipment is compatible with DAGR, interoperability does
require qualification, due to the possibly proprietary nature of the Layer 2 mechanisms with which DAGR
interfaces.
Additional Guidelines
The following are additional guidelines to consider when configuring DAGR:
• Up to 40 DAGR peers, which may be on the same or different interfaces, are supported per system.
• Failover is supported for DAGR routes within 500 ms of receipt of an ARP reply packet.
• On ARP process restart, DAGR groups are reinitialized.
How to Configure ARP
This section contains instructions for the following tasks:
Defining a Static ARP Cache Entry
ARP and other address resolution protocols provide a dynamic mapping between IP addresses and media
addresses. Because most hosts support dynamic address resolution, you generally do not need to specify static
ARP cache entries. If you must define them, you can do so globally. Performing this task installs a permanent
entry in the ARP cache. Cisco IOS XR software uses this entry to translate 32-bit IP addresses into 48-bit
hardware addresses.
Optionally, you can specify that the software responds to ARP requests as if it were the owner of the specified
IP address by making an alias entry in the ARP cache.
SUMMARY STEPS
1. configure
2. Do one of the following:
• arp [vrf vrf-name] ip-address hardware-address encapsulation-type
• arp [vrf vrf-name] ip-address hardware-address encapsulation-type alias
3. Do one of the following:
• end
• commit
DETAILED STEPS

Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2: Do one of the following:
• arp [vrf vrf-name] ip-address hardware-address encapsulation-type
• arp [vrf vrf-name] ip-address hardware-address encapsulation-type alias
Purpose: Creates a static ARP cache entry associating the specified 32-bit IP address with the specified 48-bit hardware address.
Note: If an alias entry is created, then any interface to which the entry is attached will act as if it is the owner of the specified addresses, that is, it will respond to ARP request packets for this network layer address with the data link layer address in the entry.
Example:
RP/0/RSP0/CPU0:router(config)# arp 192.168.7.19 0800.0900.1834 arpa
or
RP/0/RSP0/CPU0:router(config)# arp 192.168.7.19 0800.0900.1834 arpa alias

Step 3: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Enabling Proxy ARP
Cisco IOS XR software uses proxy ARP (as defined in RFC 1027) to help hosts with no knowledge of routing
determine the media addresses of hosts on other networks or subnets. For example, if the router receives an
ARP request for a host that is not on the same interface as the ARP request sender, and if the router has all
of its routes to that host through other interfaces, then it generates a proxy ARP reply packet giving its own
local data-link address. The host that sent the ARP request then sends its packets to the router, which forwards
them to the intended host. Proxy ARP is disabled by default; this task describes how to enable proxy ARP if
it has been disabled.
SUMMARY STEPS
1. configure
2. interface type number
3. proxy-arp
4. Do one of the following:
• end
• commit
DETAILED STEPS

Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2: interface type number
Purpose: Enters interface configuration mode.
Example:
RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0

Step 3: proxy-arp
Purpose: Enables proxy ARP on the interface.
Example:
RP/0/RSP0/CPU0:router(config-if)# proxy-arp

Step 4: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Configuring DAGR
Follow these steps to create a DAGR group on the Cisco ASR 9000 Series Router.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. arp dagr
4. peer ipv4 address
5. route distance normal normal-distance priority priority-distance
6. route metric normal normal-metric priority priority-metric
7. timers query query-time standby standby-time
8. priority-timeout time
9. Do one of the following:
• end
• commit
10. show arp dagr [ interface [ IP-address ]]
DETAILED STEPS

Step 1: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2: interface type interface-path-id
Purpose: Enters interface configuration mode and configures an interface.
Example:
RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/0

Step 3: arp dagr
Purpose: Enters DAGR configuration mode.
Example:
RP/0/RSP0/CPU0:router(config-if)# arp dagr

Step 4: peer ipv4 address
Purpose: Creates a new DAGR group for the virtual IP address.
Example:
RP/0/RSP0/CPU0:router(config-if-dagr)# peer ipv4 10.0.0.100

Step 5: route distance normal normal-distance priority priority-distance
Purpose: (Optional) Configures route distance for the DAGR group.
Example:
RP/0/RSP0/CPU0:router(config-if-dagr-peer)# route distance normal 140 priority 3

Step 6: route metric normal normal-metric priority priority-metric
Purpose: (Optional) Configures the route metric for the DAGR group.
Example:
RP/0/RSP0/CPU0:router(config-if-dagr-peer)# route metric normal 84 priority 80

Step 7: timers query query-time standby standby-time
Purpose: (Optional) Configures the time in seconds between successive ARP requests being sent out for the virtual IP address.
Example:
RP/0/RSP0/CPU0:router(config-if-dagr-peer)# timers query 2 standby 19

Step 8: priority-timeout time
Purpose: (Optional) Configures a timer for the length of time in seconds to wait before reverting to normal priority from a high-priority DAGR route.
Example:
RP/0/RSP0/CPU0:router(config-if-dagr-peer)# priority-timeout 25

Step 9: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Example:
RP/0/RSP0/CPU0:router(config-if-dagr)# end
or
RP/0/RSP0/CPU0:router(config-if-dagr)# commit

Step 10: show arp dagr [ interface [ IP-address ]]
Purpose: (Optional) Displays the operational state of all DAGR groups. Using the optional interface and IP-address arguments restricts the output to a specific interface or virtual IP address.
Example:
RP/0/RSP0/CPU0:router# show arp dagr
CHAPTER 3
Implementing Cisco Express Forwarding
Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology. CEF optimizes network
performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, and for
networks characterized by intensive web-based applications or interactive sessions.
This module describes the tasks required to implement CEF on your Cisco ASR 9000 Series Aggregation
Services Router.
Note: For complete descriptions of the CEF commands listed in this module, refer to the Cisco ASR 9000 Series
Aggregation Services Router IP Addresses and Services Command Reference. To locate documentation
for other commands that might appear in the course of executing a configuration task, search online in
the master command index.
Feature History for Implementing CEF
Release | Modification
Release 3.7.2 | This feature was introduced.
• Prerequisites for Implementing Cisco Express Forwarding, page 59
• Information About Implementing Cisco Express Forwarding Software, page 60
• How to Implement CEF, page 63
• Configuration Examples for Implementing CEF on Routers Software, page 76
• Additional References, page 90
Prerequisites for Implementing Cisco Express Forwarding
The following prerequisites are required to implement Cisco Express Forwarding:
• You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Information About Implementing Cisco Express Forwarding Software
To implement the Cisco Express Forwarding features in this document, you must understand the following concepts:
Key Features Supported in the Cisco Express Forwarding Implementation
The following features are supported for CEF on Cisco IOS XR software:
• Border Gateway Protocol (BGP) policy accounting
• Reverse path forwarding (RPF)
• Virtual interface support
• Multipath support
• Route consistency
• High availability features such as packaging, restartability, and Out of Resource (OOR) handling
• OSPFv2 SPF prefix prioritization
• BGP attributes download
Benefits of CEF
CEF offers the following benefits:
• Improved performance—CEF is less CPU-intensive than fast-switching route caching. More CPU
processing power can be dedicated to Layer 3 services such as quality of service (QoS) and encryption.
• Scalability—CEF offers full switching capacity at each modular services card (MSC).
• Resilience—CEF offers an unprecedented level of switching consistency and stability in large dynamic
networks. In dynamic networks, fast-switched cache entries are frequently invalidated due to routing
changes. These changes can cause traffic to be process switched using the routing table, rather than fast
switched using the route cache. Because the Forwarding Information Base (FIB) lookup table contains
all known routes that exist in the routing table, it eliminates route cache maintenance and the fast-switch
or process-switch forwarding scenario. CEF can switch traffic more efficiently than typical demand
caching schemes.
CEF Components
Cisco IOS XR software CEF always operates in CEF mode with two distinct components: a Forwarding
Information Base (FIB) database and an adjacency table, which is a protocol-independent adjacency information base
(AIB).
CEF is a primary IP packet-forwarding database for Cisco IOS XR software. CEF is responsible for the
following functions:
• Software switching path
• Maintaining forwarding table and adjacency tables (which are maintained by the AIB) for software and
hardware forwarding engines
The following CEF forwarding tables are maintained in Cisco IOS XR software:
• IPv4 CEF database
• IPv6 CEF database
• MPLS LFD database
• Multicast Forwarding Table (MFD)
The protocol-dependent FIB process maintains the forwarding tables for IPv4 and IPv6 unicast in the Route
Switch Processor (RSP) and each MSC.
The FIB on each node processes Routing Information Base (RIB) updates, performing route resolution and
maintaining FIB tables independently in the RSP and each MSC. FIB tables on each node can be slightly
different. Adjacency FIB entries are maintained only on a local node, and adjacency entries linked to FIB
entries could be different.
Border Gateway Protocol Policy Accounting
Border Gateway Protocol (BGP) policy accounting measures and classifies IP traffic that is sent to, or received
from, different peers. Policy accounting is enabled on an individual input or output interface basis, and counters
based on parameters such as community list, autonomous system number, or autonomous system path are
assigned to identify the IP traffic.
Note: There are two types of route policies. The first type (regular BGP route policies) is used to filter the BGP
routes advertised into or out from the BGP links. This type of route policy is applied to the specific BGP
neighbor. The second type (specific route policy) is used to set up a traffic index for the BGP prefixes.
This route policy is applied to the global BGP IPv4 address family to set up the traffic index when the
BGP routes are inserted into the RIB table. BGP policy accounting uses the second type of route policy.
Using BGP policy accounting, you can account for traffic according to the route it traverses. Service providers
can identify and account for all traffic by customer and bill accordingly. In Figure 1: Sample Topology for
BGP Policy Accounting, on page 62, BGP policy accounting can be implemented in Router A to measure
packet and byte volumes in autonomous system buckets. Customers are billed appropriately for traffic that is
routed from a domestic, international, or satellite source.
Note: BGP policy accounting measures and classifies IP traffic for BGP prefixes only.
Figure 1: Sample Topology for BGP Policy Accounting
Based on the specified routing policy, BGP policy accounting assigns each prefix a traffic index (bucket)
associated with an interface. BGP prefixes are downloaded from the RIB to the FIB along with the traffic
index.
There are a total of 63 (1 to 63) traffic indexes (bucket numbers) that can be assigned for BGP prefixes.
Internally, there is an accounting table associated with the traffic indexes to be created for each input (ingress)
and output (egress) interface. The traffic indexes allow you to account for the IP traffic, where the source IP
address, the destination IP address, or both are BGP prefixes.
Note: Traffic index 0 contains the packet count using Interior Gateway Protocol (IGP) routes.
Reverse Path Forwarding (Strict and Loose)
Unicast IPv4 and IPv6 Reverse Path Forwarding (uRPF), both strict and loose modes, help mitigate problems
caused by the introduction of malformed or spoofed IP source addresses into a network by discarding IP
packets that lack a verifiable IP source address. Unicast RPF does this by doing a reverse lookup in the CEF
table. Therefore, Unicast Reverse Path Forwarding is possible only if CEF is enabled on the router.
IPv6 uRPF is supported with ASR 9000-SIP-700 LC, ASR 9000 Ethernet LC and ASR 9000 Enhanced
Ethernet LC.
Note: Unicast RPF allows packets with 0.0.0.0 source addresses and 255.255.255.255 destination addresses to
pass so that Bootstrap Protocol and Dynamic Host Configuration Protocol (DHCP) will function properly.
When strict uRPF is enabled, the source address of the packet is checked in the FIB. If the packet is received
on the same interface that would be used to forward the traffic to the source of the packet, the packet passes
the check and is further processed; otherwise, it is dropped. Strict uRPF should only be applied where there
is natural or configured symmetry. Because internal interfaces are likely to have routing asymmetry, that is,
multiple routes to the source of a packet, strict uRPF should not be implemented on interfaces that are internal
to the network.
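The strict check described above, together with the loose mode the section names and the BOOTP/DHCP exception from the note, as an added Python example (not Cisco code; the FIB model, the function names and the sample routes and packets are constructed assumptions). Loose mode is taken to pass any source that has some route in the FIB, which is its usual definition; the example also shows why a source with no route is dropped in both modes and why strict mode misfires on asymmetric paths.

```python
"""Strict and loose unicast RPF checks against a FIB, as an added example.

Not Cisco code: Route, fib_lookup, rpf_check, classify and the sample data
are names and values constructed here for illustration.
"""
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

Route = namedtuple("Route", "prefix out_interface")

# Constructed FIB. There is no default route, so sources outside these
# prefixes are unverifiable in both modes.
FIB = [
    Route(IPv4Network("10.0.0.0/8"), "Gi0/0/0/1"),    # customer aggregate
    Route(IPv4Network("10.5.0.0/16"), "Gi0/0/0/2"),   # more specific customer
    Route(IPv4Network("192.0.2.0/24"), "Gi0/0/0/0"),  # upstream link
]


def fib_lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interfaces of the winning routes."""
    matches = [r for r in fib if addr in r.prefix]
    if not matches:
        return set()
    best = max(r.prefix.prefixlen for r in matches)
    return {r.out_interface for r in matches if r.prefix.prefixlen == best}


def rpf_check(fib, src, dst, ingress, mode="strict"):
    """True if a packet from src to dst arriving on ingress passes uRPF.

    strict: the FIB must forward traffic *to* src out of the ingress interface.
    loose:  src only needs some route in the FIB.
    Both modes drop a source with no route (no verifiable source address).
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    # BOOTP/DHCP exception from the note above: a client with no address yet
    # sends from 0.0.0.0 to the limited broadcast address.
    if src == IPv4Address("0.0.0.0") and dst == IPv4Address("255.255.255.255"):
        return True
    reverse_path = fib_lookup(fib, src)      # the "reverse lookup" in the CEF table
    if not reverse_path:
        return False
    if mode == "loose":
        return True
    if mode != "strict":
        raise ValueError(f"unknown uRPF mode: {mode}")
    return ingress in reverse_path


def classify(fib, packets, mode):
    """Run the check over constructed packets; returns {(src, ingress): 'pass'|'drop'}."""
    return {(src, ingress): ("pass" if rpf_check(fib, src, dst, ingress, mode) else "drop")
            for src, dst, ingress in packets}


# Constructed sample traffic: (source, destination, ingress interface).
PACKETS = [
    ("10.5.1.1", "192.0.2.10", "Gi0/0/0/2"),       # symmetric path, legitimate
    ("10.5.1.1", "192.0.2.10", "Gi0/0/0/1"),       # arrives on the wrong interface
    ("10.1.1.1", "192.0.2.10", "Gi0/0/0/1"),       # covered by the /8 only
    ("192.0.2.5", "10.1.1.1", "Gi0/0/0/1"),        # upstream address on a customer port
    ("198.51.100.1", "10.1.1.1", "Gi0/0/0/1"),     # no route at all
    ("0.0.0.0", "255.255.255.255", "Gi0/0/0/1"),   # DHCP discover
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} uRPF ---")
        for (src, ingress), verdict in classify(FIB, PACKETS, mode).items():
            print(f"{src:>14} via {ingress}: {verdict}")
```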
configuration errors:
Session Status | Explanation
Session is not configured globally | The session does not exist in global configuration. Check show run command output to ensure that a session with the right name has been configured.
Destination interface is not configured | The interface that has been configured as the destination does not exist. For example, the destination interface may be configured to be a VLAN subinterface, but the VLAN subinterface may not have been created yet.
Configuring Traffic Mirroring on the Cisco ASR 9000 Series Router
Traffic Mirroring Configuration Examples
HR-287
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component
OL-26061-02
The can report the following messages:
Session Status | Explanation
Destination interface () | The destination interface is not in Up state in the Interface Manager. You can verify the state using the show interfaces command. Check the configuration to see what might be keeping the interface from coming up (for example, a sub-interface needs to have an appropriate encapsulation configured).
Destination pseudowire is not configured | The L2VPN configuration that is to set up the pseudowire is missing. Configure the traffic mirroring session name as one segment of the xconnect p2p.
Destination pseudowire (down) | The pseudowire is configured, but is down. Check the L2VPN configuration to identify why the pseudowire is not coming up.
Source Interface Status | Explanation
Operational | Everything appears to be working correctly in traffic mirroring PI. Please follow up with the platform teams in the first instance, if mirroring is not operating as expected.
Not operational (Session is not configured globally) | The session does not exist in global configuration. Check the show run command output to ensure that a session with the right name has been configured.
Not operational (destination interface not known) | The session exists, but it either does not have a destination interface specified, or the destination interface named for the session does not exist (for example, if the destination is a sub-interface that has not been created).
Not operational (source same as destination) | The session exists, but the destination and source are the same interface, so traffic mirroring does not work.
Not operational (destination not active) | The destination interface or pseudowire is not in the Up state. See the corresponding Session status error messages for suggested resolution.
Not operational (source state ) | The source interface is not in the Up state. You can verify the state using the show interfaces command. Check the configuration to see what might be keeping the interface from coming up (for example, a sub-interface needs to have an appropriate encapsulation configured).
Error: see detailed output for explanation | Traffic mirroring has encountered an error. Run the show monitor-session status detail command to display more information.
The show monitor-session status detail command displays full details of the configuration parameters,
and of any errors encountered. For example:
RP/0/RSP0/CPU0:router#show monitor-session status detail
Monitor-session sess1
Destination interface is not configured
Source Interfaces
-----------------
GigabitEthernet0/0/0/0
Direction: Both
ACL match: Enabled
Portion: Full packet
Status: Not operational (destination interface not known).
GigabitEthernet0/0/0/2
Direction: Both
ACL match: Disabled
Portion: First 100 bytes
Status: Error: 'Viking SPAN PD' detected the 'warning' condition 'PRM connection
creation failure'.
This detailed output may give you a clear indication of what the problem is.
Here are additional trace and debug commands:
RP/0/RSP0/CPU0:router# show monitor-session platform trace ?
all Turn on all the trace
errors Display errors
events Display interesting events
RP/0/RSP0/CPU0:router# show monitor-session trace ?
process Filter debug by process
RP/0/RSP0/CPU0:router# debug monitor-session platform ?
all Turn on all the debugs
errors VKG SPAN EA errors
event VKG SPAN EA event
info VKG SPAN EA info
RP/0/RSP0/CPU0:router# debug monitor-session platform all
RP/0/RSP0/CPU0:router# debug monitor-session platform event
RP/0/RSP0/CPU0:router# debug monitor-session platform info
RP/0/RSP0/CPU0:router# show monitor-session status ?
detail Display detailed output
errors Display only attachments which have errors
internal Display internal monitor-session information
| Output Modifiers
RP/0/RSP0/CPU0:router# show monitor-session status
RP/0/RSP0/CPU0:router# show monitor-session status errors
RP/0/RSP0/CPU0:router# show monitor-session status internal
Where to Go Next
When you have configured an Ethernet interface, you can configure individual VLAN subinterfaces on
that Ethernet interface.
For information about modifying Ethernet management interfaces for the shelf controller (SC), route
processor (RP), and distributed RP, see the Advanced Configuration and Modification of the
Management Ethernet Interface on the Cisco ASR 9000 Series Router module later in this document.
For information about IPv6, see the Implementing Access Lists and Prefix Lists on
Cisco IOS XR Software module in the Cisco IOS XR IP Addresses and Services Configuration Guide.
Additional References
The following sections provide references related to implementing Gigabit and 10-Gigabit Ethernet
interfaces.
Related Documents
Related Topic | Document Title
Ethernet L2VPN | Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide; Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
Cisco IOS XR master command reference | Cisco ASR 9000 Series Aggregation Services Router Master Commands List
Cisco IOS XR interface configuration commands | Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference
Information about user groups and task IDs | Cisco IOS XR Interface and Hardware Component Command Reference

Standards
Standards | Title
IEEE 802.1ag; ITU-T Y.1731 | —
MIBs
MIBs | MIBs Link
IEEE CFM MIB | To locate and download MIBs for selected platforms using Cisco IOS XR Software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —

Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
HC-291
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-01
Configuring Virtual Loopback and Null Interfaces on the Cisco ASR 9000 Series Router
This module describes the configuration of loopback and null interfaces on the Cisco ASR 9000 Series
Aggregation Services Routers.
Loopback and null interfaces are considered virtual interfaces.
A virtual interface represents a logical packet switching entity within the router. Virtual interfaces
have a global scope and do not have an associated location. Virtual interfaces instead have a
globally unique numerical ID after their names. Examples are Loopback 0, Loopback 1, and
Loopback 99999. The ID is unique per virtual interface type to make the entire name string unique, so
that you can have both Loopback 0 and Null 0.
Loopback and null interfaces have their control plane presence on the active route switch processor
(RSP). The configuration and control plane are mirrored onto the standby RSP and, in the event
of a switchover, the virtual interfaces move to the ex-standby, which then becomes the newly
active RSP.
Feature History for Configuring Loopback and Null Interfaces on Cisco IOS XR Software
Contents
• Prerequisites for Configuring Virtual Interfaces, page 292
• Information About Configuring Virtual Interfaces, page 292
• How to Configure Virtual Interfaces, page 294
• Configuration Examples for Virtual Interfaces, page 297
• Additional References, page 299
Release Modification
Release 3.7.2 This feature was introduced on the Cisco ASR 9000 Series Router.Configuring Virtual Loopback and Null Interfaces on the Cisco ASR 9000 Series Router
Prerequisites for Configuring Virtual Interfaces
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Information About Configuring Virtual Interfaces
To configure virtual interfaces, you must understand the following concepts:
• Virtual Loopback Interface Overview, page 292
• Null Interface Overview, page 292
• Virtual Management Interface Overview, page 293
• Active and Standby RPs and Virtual Interface Configuration, page 293
Virtual Loopback Interface Overview
A virtual loopback interface is a virtual interface with a single endpoint that is always up. Any packet
transmitted over a virtual loopback interface is immediately received by the selfsame interface.
Loopback interfaces emulate a physical interface.
In Cisco IOS XR software, virtual loopback interfaces perform the following functions:
• Loopback interfaces can act as a termination address for routing protocol sessions. This allows routing protocol sessions to stay up even if the outbound interface is down.
• You can ping the loopback interface to verify that the router IP stack is working properly.
In applications where other routers or access servers attempt to reach a virtual loopback interface, you
must configure a routing protocol to distribute the subnet assigned to the loopback address.
Packets routed to the loopback interface are rerouted back to the router or access server and processed
locally. IP packets routed out the loopback interface but not destined to the loopback interface are
dropped. Under these two conditions, the loopback interface can behave like a null interface.
Null Interface Overview
A null interface functions similarly to the null devices available on most operating systems. This
interface is always up and can never forward or receive traffic; encapsulation always fails. The null
interface provides an alternative method of filtering traffic. You can avoid the overhead involved with
using access lists by directing undesired network traffic to the null interface.
The only interface configuration command that you can specify for the null interface is the ipv4
unreachables command. With the ipv4 unreachables command, if the software receives a nonbroadcast
packet destined for itself that uses a protocol it does not recognize, it sends an Internet Control Message
Protocol (ICMP) protocol unreachable message to the source. If the software receives a datagram that it
cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies
to the originator of that datagram with an ICMP host unreachable message.
The Null 0 interface is created by default on the RSP during boot and cannot be removed. The ipv4 unreachables command can be configured for this interface, but most configuration is unnecessary because this interface just discards all the packets sent to it.
The Null 0 interface can be displayed with the show interfaces null0 command.
Virtual Management Interface Overview
Configuring an IPv4 virtual address enables you to access the router from a single virtual address with a management network without prior knowledge of which RSP is active. An IPv4 virtual address persists across route switch processor (RSP) failover situations. For this to happen, the virtual IPv4 address must share a common IPv4 subnet with a management Ethernet interface on both RSPs.
On a Cisco ASR 9000 Series Router where each RSP has multiple management Ethernet interfaces, the virtual IPv4 address maps to the management Ethernet interface on the active RSP that shares the same IP subnet.
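The subnet rule above is easy to get wrong on a router with several management Ethernet interfaces per RSP, and a mistake only shows up at failover. The following added example (not Cisco code) checks a candidate virtual address against a constructed inventory of management interfaces on both RSPs, reporting which interface it maps to on the active RSP and which RSPs could not host it; the RSP_MGMT dictionary, interface names and addresses are assumptions for the example.

```python
"""Pre-commit check for an 'ipv4 virtual address', following the rule stated in this
chapter: the virtual address must share an IPv4 subnet with a management Ethernet
interface on both RSPs, and it maps to the interface on the active RSP in that subnet.
Added example, not Cisco code; interface names and addresses below are constructed."""
from ipaddress import IPv4Interface
from typing import Dict, Optional

# Constructed inventory: management Ethernet interfaces per RSP as "address/prefix".
# (Assumed layout; on a real router these values come from the running configuration.)
RSP_MGMT: Dict[str, Dict[str, str]] = {
    "RSP0": {"MgmtEth0/RSP0/CPU0/0": "10.3.1.10/8", "MgmtEth0/RSP0/CPU0/1": "192.0.2.10/24"},
    "RSP1": {"MgmtEth0/RSP1/CPU0/0": "10.3.1.11/8", "MgmtEth0/RSP1/CPU0/1": "192.0.2.11/24"},
}


def matching_interface(virtual: str, ifaces: Dict[str, str]) -> Optional[str]:
    """Return the management interface whose subnet equals the virtual address's subnet.
    Subnets are compared as network/prefix pairs, so the prefix length must match too."""
    target = IPv4Interface(virtual).network
    for name, addr in ifaces.items():
        if IPv4Interface(addr).network == target:
            return name
    return None


def check_virtual_address(virtual: str, rsps: Dict[str, Dict[str, str]], active: str) -> dict:
    """Report whether 'virtual' would persist across an RSP failover.

    maps_to    : interface on the active RSP that the address currently maps to
    missing_on : RSPs with no management interface in the virtual address's subnet
    ok         : True only when every RSP can host the address (so failover keeps it)
    """
    if active not in rsps:
        raise ValueError(f"unknown active RSP {active!r}")
    report = {"virtual": virtual, "maps_to": None, "missing_on": [], "ok": False}
    for rsp, ifaces in rsps.items():
        name = matching_interface(virtual, ifaces)
        if name is None:
            report["missing_on"].append(rsp)
        elif rsp == active:
            report["maps_to"] = name
    report["ok"] = not report["missing_on"]
    return report


if __name__ == "__main__":
    # The chapter's own example address, checked against the constructed inventory.
    print(check_virtual_address("10.3.32.154/8", RSP_MGMT, active="RSP0"))
```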
Active and Standby RPs and Virtual Interface Configuration
The standby RSP is available and in a state in which it can take over the work from the active RSP should that prove necessary. Conditions that necessitate the standby RSP to become the active RSP and assume the active RSP's duties include:
• Failure detection by a watchdog
• Administrative command to take over
• Removal of the active RSP from the chassis
If a second RSP is not present in the chassis while the first is in operation, a second RSP may be inserted and automatically becomes the standby RSP. The standby RSP may also be removed from the chassis with no effect on the system other than loss of RSP redundancy.
After failover, the virtual interfaces are all present on the standby (now active) RSP. Their state and configuration are unchanged and there has been no loss of forwarding (in the case of tunnels) over the interfaces during the failover. The routers use nonstop forwarding (NSF) over bundles and tunnels through the failover of the host RSP.
Note The user need not configure anything to guarantee that the standby interface configurations are maintained.
Note Protocol configuration such as tacacs source-interface, snmp-server trap-source, ntp source, and logging source-interface do not use the virtual management IP address as their source by default. Use the ipv4 virtual address use-as-src-addr command to ensure that the protocol uses the virtual IPv4 address as its source address. Alternatively, you can also configure a loopback address with the designated or desired IPv4 address and set that as the source for protocols such as TACACS+ using the tacacs source-interface command.
How to Configure Virtual Interfaces
This section contains the following procedures:
• Configuring Virtual Loopback Interfaces, page 294 (Required)
• Configuring Null Interfaces, page 295 (Required)
• Configuring Virtual IPv4 Interfaces, page 296 (Required)
Configuring Virtual Loopback Interfaces
This task explains how to configure a basic loopback interface.
Restrictions
The IP address of a loopback interface must be unique across all routers on the network. It must not be used by another interface on the router, and it must not be used by an interface on any other router on the network.
SUMMARY STEPS
1. configure
2. interface loopback instance
3. ipv4 address ip-address
4. end
or
commit
5. show interfaces type instance
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface loopback instance
Example:
RP/0/RSP0/CPU0:router(config)# interface Loopback 3
Enters interface configuration mode and names the new loopback interface.
Step 3 ipv4 address ip-address
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38/32
Assigns an IP address and subnet mask to the virtual loopback interface using the ipv4 address configuration command.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 5 show interfaces type instance
Example:
RP/0/RSP0/CPU0:router# show interfaces Loopback 3
(Optional) Displays the configuration of the loopback interface.
Configuring Null Interfaces
This task explains how to configure a basic null interface.
SUMMARY STEPS
1. configure
2. interface null 0
3. end
or
commit
4. show interfaces null 0
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface null 0
Example:
RP/0/RSP0/CPU0:router(config)# interface null 0
Enters the null 0 interface configuration mode.
Step 3 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-null0)# end
or
RP/0/RSP0/CPU0:router(config-null0)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 4 show interfaces null 0
Example:
RP/0/RSP0/CPU0:router# show interfaces null 0
Verifies the configuration of the null interface.
Configuring Virtual IPv4 Interfaces
This task explains how to configure an IPv4 virtual interface.
SUMMARY STEPS
1. configure
2. ipv4 virtual address ipv4-address/mask
3. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 ipv4 virtual address ipv4-address/mask
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 virtual address 10.3.32.154/8
Defines an IPv4 virtual address for the management Ethernet interface.
Step 3 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuration Examples for Virtual Interfaces
This section provides the following configuration examples:
• Configuring a Loopback Interface: Example, page 298
• Configuring a Null Interface: Example, page 298
Configuring a Loopback Interface: Example
The following example indicates how to configure a loopback interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface Loopback 3
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38/32
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# show interfaces Loopback 3
Loopback3 is up, line protocol is up
  Hardware is Loopback interface(s)
  Internet address is 172.18.189.38/32
  MTU 1514 bytes, BW Unknown
     reliability 0/255, txload Unknown, rxload Unknown
  Encapsulation Loopback, loopback not set
  Last clearing of "show interface" counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 total input drops
     0 drops for unrecognized upper-level protocol
     Received 0 broadcast packets, 0 multicast packets
     0 packets output, 0 bytes, 0 total output drops
     Output 0 broadcast packets, 0 multicast packets
Configuring a Null Interface: Example
The following example indicates how to configure a null interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface Null 0
RP/0/RSP0/CPU0:router(config-null0)# ipv4 unreachables
RP/0/RSP0/CPU0:router(config-null0)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# show interfaces Null 0
Null0 is up, line protocol is up
  Hardware is Null interface
  Internet address is Unknown
  MTU 1500 bytes, BW Unknown
     reliability 0/255, txload Unknown, rxload Unknown
  Encapsulation Null, loopback not set
  Last clearing of "show interface" counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 total input drops
     0 drops for unrecognized upper-level protocol
     Received 0 broadcast packets, 0 multicast packets
     0 packets output, 0 bytes, 0 total output drops
     Output 0 broadcast packets, 0 multicast packets
Configuring a Virtual IPv4 Interface: Example
The following example indicates how to configure a virtual IPv4 address:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# ipv4 virtual address 10.3.32.154/8
RP/0/RSP0/CPU0:router(config)# commit
Additional References
The following sections provide references related to loopback and null interface configuration.
Related Documents
Related Topic | Document Title
Cisco ASR 9000 Series Router master command reference | Cisco ASR 9000 Series Router Master Commands List
Cisco ASR 9000 Series Router interface configuration commands | Cisco ASR 9000 Series Router Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a Cisco ASR 9000 Series Router using the Cisco IOS XR Software | Cisco ASR 9000 Series Router Getting Started Guide
Information about user groups and task IDs | Cisco ASR 9000 Series Router Interface and Hardware Component Command Reference
Information about configuring interfaces and other components from a remote Craft Works Interface (CWI) client management application | Cisco Craft Works Interface Configuration Guide
Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
MIBs | MIBs Link
There are no applicable MIBs for this module. | To locate and download MIBs for selected platforms using Cisco IOS XR Software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
HC-301
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router
This module describes the configuration of Channelized SONET/SDH on the Cisco ASR 9000 Series Aggregation Services Routers.
Feature History for Configuring Channelized SONET/SDH on Cisco IOS XR Software
Release Modification
Release 3.9.0 Support for the following SPA was introduced on the Cisco ASR 9000 Series Router:
• Cisco 2-Port Channelized OC-12/DS0 SPA
Release 4.0.0 Support for the following SPA was introduced on the Cisco ASR 9000 Series Router:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
Support for SDH, E3, E1, and POS channelization was added for the Cisco 2-Port Channelized OC-12/DS0 and Cisco 1-Port Channelized OC-48/STM-16 SPAs.
Release 4.0.1 Support for the following SPA was introduced on the Cisco ASR 9000 Series Router:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
Contents
• Prerequisites for Configuring Channelized SONET/SDH, page 301
• Information About Configuring Channelized SONET/SDH, page 302
• How to Configure Channelized SONET/SDH, page 311
• Configuration Examples for Channelized SONET, page 338
Prerequisites for Configuring Channelized SONET/SDH
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring Channelized SONET/SDH, be sure that the following tasks and conditions are met:
• You have at least one of the following SPAs installed in your chassis:
– Cisco 1-Port Channelized OC-3/STM-1 SPA
– Cisco 2-Port Channelized OC-12c/DS0 SPA
– Cisco 1-Port Channelized OC-48/STM-16 SPA
• You should know how to apply and specify the SONET controller name and interface-path-id with the generalized notation rack/slot/module/port. The SONET controller name and interface-path-id are required with the controller sonet command.
Information About Configuring Channelized SONET/SDH
To configure Channelized SONET/SDH, you must understand the following concepts:
• Channelized SONET Overview, page 302
• Channelized SDH Overview, page 307
• Default Configuration Values for Channelized SONET/SDH, page 310
• How to Configure Channelized SONET/SDH, page 311
Channelized SONET Overview
Synchronous Optical Network (SONET) is an American National Standards Institute (ANSI)
specification format used in transporting digital telecommunications services over optical fiber.
Synchronous Digital Hierarchy (SDH) is the international equivalent of SONET.
Channelized SONET provides the ability to transport SONET frames across multiplexed T3/E3 and
virtual tributary group (VTG) channels.
Channelized SONET is supported on the following SPAs:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
Channelized SDH is supported on the following SPAs:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
SONET uses Synchronous Transport Signal (STS) framing. An STS is the electrical equivalent to an
optical carrier 1 (OC-1).
SDH uses Synchronous Transport Mode (STM) framing. An STM-1 is the electrical equivalent to 3
optical carrier 1s (OC-1s).
A channelized SONET interface is a composite of STS streams, which are maintained as independent frames with unique payload pointers. The frames are multiplexed before transmission.
When a line is channelized, it is logically divided into smaller bandwidth channels called paths. These
paths carry the SONET payload. The sum of the bandwidth on all paths cannot exceed the line
bandwidth.
When a line is not channelized, it is called clear channel, and the full bandwidth of the line is dedicated
to a single channel that carries broadband services.
An STS stream can be channelized into the following types of channels:
• T3/E3
• VT1.5 mapped T1
• Packet over SONET/SDH (POS) (OC12 and OC48 only)
The T3/E3 channels can be channelized further into T1s, and the T1s can be channelized into time slots
(DS0s), except on the 1-Port Channelized OC-48/STM-16 SPA, which does not support T1 or DS0s.
Channelizing a SONET line consists of two primary processes:
• Configuring the controller
• Configuring the interface into channelized paths
You configure the controller first by setting the mode of the STS path. The mode can be set to T3, VT1.5-mapped T1, or POS, depending on your hardware support.
Note POS is supported only on the STS-3c and STS-12c paths on the Cisco 1-Port Channelized OC-12/DS0
SPA and on the STS-3c, STS-12c, and STS-48c paths on the Cisco 1-Port Channelized OC-48/STM-16
SPA.
When the mode is specified, the respective controller is created, and the remainder of the configuration
is applied on that controller. For example, mode T3 creates a T3 controller. The T3 controller can then
be configured to a serial channel, or it can be further channelized to carry T1s, and those T1s can be
configured to serial interfaces.
Depending on the support for your installed SPA, each STS path can be independently configured into T3s, E3s, or VTGs, and so on.
Figure 22 shows an example of three STS paths for a SONET controller. However, the 2-Port
Channelized OC-12/DS0 SPA supports up to 12 STS paths, and the 1-Port Channelized OC-48/STM-16
SPA supports up to 48 STS paths, but the 1-Port Channelized OC-48/STM-16 SPA does not support
VTGs.
Figure 22 SONET Controller STS Paths
[Figure: a SONET controller with three STS paths (STS 1, STS 2, and STS 3); each STS path can be configured as T3s or VTGs.]
Figure 23 shows an example of some SONET controller configuration combinations.
Note The 1-Port Channelized OC-48/STM-16 SPA on the Cisco ASR 9000 Series Router does not support
VTGs.
Figure 23 SONET Controller Configuration Combinations
[Figure: a SONET controller with three STS paths (STS 1, STS 2, and STS 3), showing the configuration combinations Clear Channel, T3, and VTG 1 through VTG 7.]
Figure 24 shows the T3 paths that can be configured.
Note Channelized T3 paths are only supported on the 1-Port Channelized OC-3/STM-1 SPA and 2-Port
Channelized OC-12c/DS0 SPA.
Figure 24 SONET T3 Channelized Paths
[Figure: a SONET controller with three STS paths; STS 1 is channelized into T3s, each T3 into up to 28 T1s, and each T1 into up to 24 DS0s. STS 2 and STS 3 have the same possibilities as STS 1.]
Figure 25 shows the VTG paths that can be configured.
Note VTG paths are only supported on the Cisco 1-Port Channelized OC-3/STM-1 SPA and Cisco 2-Port
Channelized OC-12c/DS0 SPA on the Cisco ASR 9000 Series Router.
Figure 25 SONET VTG Channelized Paths
[Figure: a SONET controller with three STS paths; each STS can be channelized into 7 VTGs (VTG 1 through VTG 7), and each VTG can be channelized into 4 T1s. STS 2 and STS 3 have the same configuration possibilities as STS 1.]
Channelized SDH Overview
Synchronous Digital Hierarchy (SDH) is the international equivalent of SONET.
Channelized SDH is supported on the following SPAs:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port Channelized OC-12/DS0 SPA
A Synchronous Transport Module (STM) signal is the Synchronous Digital Hierarchy (SDH) equivalent of the SONET STS, but the numbers are different for each bandwidth. In this guide, the STM term refers to both path widths and optical line rates. The paths within an STM signal are called administrative units (AUs).
A summary of the basic terminology differences between SONET and SDH is as follows:
• SONET STS is equivalent to SDH administrative unit (AU)
• SONET VT is equivalent to SDH tributary unit (TU)
• SDH basic building blocks are STM-1 (equivalent to STS-3) and STM-0 (equivalent to STS-1)
An administrative unit (AU) is the information structure that provides adaptation between the
higher-order path layer and the multiplex section layer. It consists of an information payload (the
higher-order virtual container) and an administrative unit pointer, which indicates the offset of the
payload frame start relative to the multiplex section frame start.
An AU can be channelized into tributary units (TUs) and tributary unit groups (TUGs).
An administrative unit 4 (AU-4) consists of three STM-1s or an STM-3.
An administrative unit 3 (AU-3) consists of one STM-1.
An administrative unit group (AUG) consists of one or more administrative units occupying fixed,
defined positions in an STM payload.
On the Cisco ASR 9000 Series Router, the following levels of SDH channelization are supported:
• 1-Port Channelized OC-3/STM-1 SPA
– AU4 to TUG-3 to TUG-2 to VC-12 to E1 to NxDS0
– AU4 to TUG-3 to VC-3 to DS3 (Clear Channel)
– AU4 to TUG-3 to VC-3 to E3 (Clear Channel)
– AU3 to TUG-2 to VC-11 to DS1 to NxDS0
• 2-Port Channelized OC-12/DS0 SPA
– AU-4-4c (VC-4-4c)
– AU-4 (VC-4)
– AU-4 to TUG-3 to VC-3 to DS3
– AU-4 to TUG-3 to VC-3 to E3
– AU-4 to TUG-3 to TUG-2 to VC-11 to T1 to NxDS0
– AU-4 to TUG-3 to TUG-2 to VC-12 to E1 to NxDS0
– AU-3 to VC-3 to DS3
– AU-3 to TUG-2 to VC-11 to T1 to NxDS0
– AU-3 to TUG-2 to VC-12 to E1 to NxDS0
– AU-3 to VC-3 to E3
– AU-3 to VC-3 to DS3 to T1 to NxDS0
– AU-3 to VC-3 to DS3 to E1 to NxDS0
• 1-Port Channelized OC-48/STM-16 SPA
– DS3
– E3
– AU-3 (VC-3)
– AU-4 (VC-4)
– AU-4-4c (VC-4-4c)
– AU-4-16c (VC-4-16c)
Table 2 SONET and SDH Terminology Equivalencies
SONET Term | SDH Term
STS-3c | AU-4
STS-1 | AU-3
VT | TU
SPE | VC
Section | Regenerator Section
Line | Multiplex Section
Path | Path
Figure 26 shows an example of SDH AU-3 paths that can be configured on certain supported SPAs.
Note The 1-Port Channelized OC-48/STM-16 SPA does not support further channelization of AU-3 paths into
T1s.
Figure 26 SDH AU3 Paths
[Figure: an STM-1 on a SONET controller carrying three AU-3 paths, each channelized as C11-T1 (a VC-11 mapped T1).]
Figure 27 shows the SDH AU4 paths that can be configured on supported SPAs.
Note The 1-Port Channelized OC-48/STM-16 SPA only supports channelization to the T3 or E3 level. Further channelization of AU-4 paths is not supported.
Figure 27 SDH AU4 Paths
[Figure: an STM-1 on a SONET controller carrying an AU-4 path, channelized into TUG-3s; each TUG-3 carries either a T3 or C12 tributaries (E1s), up to 21 E1s.]
Default Configuration Values for Channelized SONET/SDH
Table 3 describes the default configuration parameters that are present on the Channelized SONET/SDH.
Table 3 SONET/SDH Controller Default Configuration Values
Parameter: Clock source. Default Value: line. Configuration File Entry: clock source {internal | line}
Parameter: SONET framing. Default Value: sonet. Configuration File Entry: framing {sdh | sonet}
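The SONET side of the hierarchy described in this section (STS paths per SPA, the POS widths and modes each SPA accepts, 28 T1s per T3, 7 VTGs of 4 T1s per STS, 24 DS0s per T1, and the rule that the paths cannot exceed the line bandwidth) can be checked before a plan is typed into the controller. The following added example (not Cisco code) models those limits together with the timeslots syntax from the T1 channel-group step later in this chapter; the ChannelPlan class, its field names and the sample plan are this example's own assumptions.

```python
"""Capacity check for the SONET channelization hierarchy this chapter describes.
Added example, not Cisco code: the SPA names, STS counts, supported modes, POS widths and
per-level limits are taken from the chapter's text and Figures 22 through 25; the
ChannelPlan class and its field names are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# STS paths per port: 3 on the OC-3 SPA, 12 on the OC-12 SPA, 48 on the OC-48 SPA.
SPA_STS_PATHS = {"OC-3/STM-1": 3, "OC-12/DS0": 12, "OC-48/STM-16": 48}
# STS path modes per SPA: POS is OC-12/OC-48 only; the OC-48 SPA has no VTG, T1 or DS0 support.
SPA_MODES = {
    "OC-3/STM-1": {"t3", "e3", "vt15"},
    "OC-12/DS0": {"t3", "e3", "vt15", "pos"},
    "OC-48/STM-16": {"t3", "e3", "pos"},
}
# Concatenated POS path widths (STS-3c, STS-12c, STS-48c) allowed per SPA.
POS_WIDTHS = {"OC-12/DS0": {3, 12}, "OC-48/STM-16": {3, 12, 48}}
# Tributary limits: 28 T1s per T3, 7 VTGs per STS, 4 T1s per VTG, 24 DS0s per T1.
T1_PER_T3, VTG_PER_STS, T1_PER_VTG, DS0_PER_T1 = 28, 7, 4, 24
_SLOT = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_timeslots(spec: str) -> Set[int]:
    """Expand a 'timeslots' argument (num1:num2:num3 or range1-range2) into DS0 numbers."""
    slots: Set[int] = set()
    for part in spec.split(":"):
        m = _SLOT.match(part)
        if not m:
            raise ValueError(f"malformed timeslot spec {spec!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= DS0_PER_T1:
            raise ValueError(f"timeslot {part!r} outside 1-{DS0_PER_T1}")
        slots.update(range(lo, hi + 1))
    return slots


@dataclass
class ChannelPlan:
    spa: str
    modes: Dict[int, str] = field(default_factory=dict)      # sts number -> mode
    pos_width: Dict[int, int] = field(default_factory=dict)  # sts number -> width (pos paths)
    t1_count: Dict[int, int] = field(default_factory=dict)   # sts number -> T1s carved from it
    # (sts number, t1 number) -> timeslot specs, one per channel-group on that T1
    channel_groups: Dict[Tuple[int, int], List[str]] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Return every violation found; an empty list means the plan fits the line."""
        errors: List[str] = []
        if self.spa not in SPA_STS_PATHS:
            return [f"unknown SPA {self.spa!r}"]
        line_sts = SPA_STS_PATHS[self.spa]
        owner: Dict[int, int] = {}  # STS slot -> path that occupies it
        for sts, mode in sorted(self.modes.items()):
            if mode not in SPA_MODES[self.spa]:
                errors.append(f"sts {sts}: mode {mode!r} not supported on {self.spa}")
            width = self.pos_width.get(sts, 1) if mode == "pos" else 1
            if mode == "pos" and width not in POS_WIDTHS.get(self.spa, set()):
                errors.append(f"sts {sts}: POS width {width} not supported on {self.spa}")
            # The bandwidth of all paths cannot exceed the line: slots must fit and not overlap.
            for slot in range(sts, sts + width):
                if not 1 <= slot <= line_sts:
                    errors.append(f"sts {sts}: path spills past the line's {line_sts} STS paths")
                    break
                if slot in owner:
                    errors.append(f"sts {sts}: overlaps the path starting at sts {owner[slot]}")
                    break
                owner[slot] = sts
        for sts, n in self.t1_count.items():
            mode = self.modes.get(sts)
            limit = {"t3": T1_PER_T3, "vt15": VTG_PER_STS * T1_PER_VTG}.get(mode)
            if limit is None:
                errors.append(f"sts {sts}: T1s need a t3 or vt15 path, found {mode!r}")
            elif n > limit:
                errors.append(f"sts {sts}: {n} T1s exceeds the {limit} a {mode} path carries")
            if self.spa == "OC-48/STM-16":
                errors.append(f"sts {sts}: {self.spa} does not support T1 channelization")
        for (sts, t1), specs in self.channel_groups.items():
            if not 1 <= t1 <= self.t1_count.get(sts, 0):
                errors.append(f"sts {sts} t1 {t1}: no such T1 under this path")
            used: Set[int] = set()
            for spec in specs:
                try:
                    slots = parse_timeslots(spec)
                except ValueError as exc:
                    errors.append(f"sts {sts} t1 {t1}: {exc}")
                    continue
                if used & slots:
                    errors.append(f"sts {sts} t1 {t1}: {spec!r} reuses DS0s {sorted(used & slots)}")
                used |= slots
        return errors


if __name__ == "__main__":
    # Constructed plan: STS-3c POS on paths 1-3, a T3 on path 4, VT1.5-mapped T1s on path 5.
    plan = ChannelPlan("OC-12/DS0", modes={1: "pos", 4: "t3", 5: "vt15"}, pos_width={1: 3},
                       t1_count={4: 28, 5: 28}, channel_groups={(4, 1): ["1-12", "13:14:15"]})
    print(plan.validate() or "plan fits the line")
```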
How to Configure Channelized SONET/SDH
This section contains the following procedures:
• Configuring SONET T3 and VT1.5-Mapped T1 Channels, page 311
• Configuring Packet over SONET Channels, page 316
• Configuring a Clear Channel SONET Controller for T3, page 319
• Configuring Channelized SONET APS, page 322
• Configuring SDH AU-3, page 325
• Configuring SDH AU-4, page 333
Configuring SONET T3 and VT1.5-Mapped T1 Channels
This task explains how to configure a SONET line into T3 and VT-mapped T1 Channels.
Prerequisites
• You should know how to configure the SONET controller as specified in the “How to Configure
Clear Channel SONET Controllers” section of the Configuring Clear Channel SONET Controllers
on the Cisco ASR 9000 Series Router module.
• STS paths can be channelized into T3s on the following SPAs:
– Cisco 1-Port Channelized OC-48/STM-16 SPA
– Cisco 1-Port Channelized OC-3/STM-1 SPA
– Cisco 2-Port Channelized OC-12/DS0 SPA
• STS paths can be channelized into VTG-mapped T1s on the following SPAs:
– Cisco 1-Port Channelized OC-3/STM-1 SPA
– Cisco 2-Port Channelized OC-12/DS0 SPA
• T3 paths can be channelized into T1s or E1s on the following SPAs:
– Cisco 1-Port Channelized OC-3/STM-1 SPA
– Cisco 2-Port Channelized OC-12/DS0 SPA
• T1 paths can be channelized into NxDS0s on the Cisco 2-Port Channelized OC-12/DS0 SPA.
Restrictions
T1s and E1s are not supported on the Cisco 1-Port Channelized OC-48/STM-16 SPA.
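A pre-commit check for the channelization plan that the steps below build, added here as an example (it is not Cisco's code or output): it encodes the per-SPA STS ranges, the width natural-boundary rule and the POS width restriction from the detailed steps, the T1/E1 restriction above, and the channel-group and time-slot syntax, then emits the controller and interface lines in the steps' order. The SPA keys oc48, oc3 and oc12, the derivations T3Num = sts - 1 and serial instance = channel-group number, and the sample plan are assumptions modelled on the page's own examples (sts 1, controller t3 0/1/1/0/0).

```python
"""Plan check for channelized SONET STS paths. Added example, not Cisco's code: the
per-SPA limits, width boundary rule and time-slot syntax are from this page; the SPA
keys and the path-number derivations below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Limits stated on the page: highest STS number, STS modes offered, and whether
# T3 paths may be channelized into T1s/E1s (not on the OC-48/STM-16 SPA).
SPA_LIMITS = {
    "oc48": {"max_sts": 48, "modes": {"t3", "pos"}, "t1_e1": False},
    "oc3": {"max_sts": 3, "modes": {"t3", "vt15-t1"}, "t1_e1": True},
    "oc12": {"max_sts": 12, "modes": {"t3", "vt15-t1", "pos"}, "t1_e1": True},
}
VALID_WIDTHS = (1, 3, 12, 48)  # 3/12/48 = STS-3c/12c/48c concatenation

@dataclass
class T1Channel:
    t1: int          # T1 number under the T3 (0-based, as in the page's examples)
    group: int       # channel-group number, 1 to 24
    timeslots: str   # "1:3:7:9" (list) or "1-24" (range), as on the page

@dataclass
class StsPath:
    sts: int
    mode: str                        # "t3", "vt15-t1" or "pos"
    width: int = 1
    t3_mode: Optional[str] = None    # "t1", "e1" or "serial" when mode == "t3"
    channels: List[T1Channel] = field(default_factory=list)

def parse_timeslots(spec: str) -> List[int]:
    """Expand either time-slot notation into a sorted list of slots within 1-24."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        slots = list(range(lo, hi + 1))
    else:
        slots = sorted(int(x) for x in spec.split(":"))
    if not slots or slots[0] < 1 or slots[-1] > 24 or len(set(slots)) != len(slots):
        raise ValueError(f"time slots must be distinct and within 1-24: {spec}")
    return slots

def validate(spa: str, paths: List[StsPath]) -> List[str]:
    """Return every rule violation in the plan; an empty list means it is sound."""
    lim = SPA_LIMITS[spa]
    errors: List[str] = []
    occupied: Dict[int, int] = {}    # STS number -> path that already uses it
    for p in paths:
        tag = f"sts {p.sts}"
        if not 1 <= p.sts <= lim["max_sts"]:
            errors.append(f"{tag}: outside 1-{lim['max_sts']} on {spa}")
        if p.mode not in lim["modes"]:
            errors.append(f"{tag}: mode {p.mode} not supported on {spa}")
        if p.width not in VALID_WIDTHS:
            errors.append(f"{tag}: width {p.width} is not one of {VALID_WIDTHS}")
        elif p.width > 1 and (p.sts - 1) % p.width != 0:
            # natural boundaries: 1, 4, 7, ... for STS-3c; 1, 13, 25, 37 for STS-12c; 1 for STS-48c
            errors.append(f"{tag}: width {p.width} must start on a natural boundary")
        if p.sts + p.width - 1 > lim["max_sts"]:
            errors.append(f"{tag}: width {p.width} runs past STS-{lim['max_sts']}")
        if p.mode == "pos" and p.width == 1:
            errors.append(f"{tag}: POS interfaces are not supported when width is 1")
        for s in range(p.sts, p.sts + p.width):  # a concatenation occupies sts..sts+width-1
            if s in occupied:
                errors.append(f"sts {s}: already used by path {occupied[s]}")
            occupied[s] = p.sts
        if p.mode == "t3" and p.t3_mode not in ("t1", "e1", "serial"):
            errors.append(f"{tag}: T3 mode must be t1, e1 or serial")
        elif p.mode == "t3" and p.t3_mode != "serial" and not lim["t1_e1"]:
            errors.append(f"{tag}: T1s and E1s are not supported on {spa}")
        for ch in p.channels:
            if not 1 <= ch.group <= 24:
                errors.append(f"{tag} t1 {ch.t1}: channel-group {ch.group} outside 1-24")
            try:
                parse_timeslots(ch.timeslots)
            except ValueError as exc:
                errors.append(f"{tag} t1 {ch.t1}: {exc}")
    return errors

def render(port: str, spa: str, paths: List[StsPath]) -> List[str]:
    """Emit the configuration lines in the order the page's steps use them."""
    errors = validate(spa, paths)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"controller sonet {port}", " framing sonet"]
    for p in paths:
        lines.append(f" sts {p.sts}")
        lines.append("  mode pos scramble" if p.mode == "pos" else f"  mode {p.mode}")
        lines.append(f"  width {p.width}")
    for p in paths:
        if p.mode != "t3":
            continue
        t3 = f"{port}/{p.sts - 1}"  # assumption: T3Num = sts - 1 (page: sts 1 -> t3 .../0)
        lines += [f"controller t3 {t3}", f" mode {p.t3_mode}"]
        for ch in p.channels:      # assumption: serial instance = channel-group number
            lines += [f"controller t1 {t3}/{ch.t1}", f" channel-group {ch.group}",
                      f"  timeslots {ch.timeslots}", f"interface serial {t3}/{ch.t1}:{ch.group}"]
    return lines

if __name__ == "__main__":  # constructed sample plan: T3 -> T1s on STS 1, STS-3c POS on STS 4-6
    plan = [StsPath(1, "t3", 1, "t1", [T1Channel(0, 1, "1-24")]), StsPath(4, "pos", 3)]
    print("\n".join(render("0/1/1/0", "oc12", plan)))
```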
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. framing sonet
5. sts number
6. mode mode
7. width number
8. root
9. controller controllerName instance
10. mode mode
11. root
12. controller t1 interface-path-id
13. channel-group number
14. timeslots num1:num2:num3:num4
or
timeslots range1-range2
15. show configuration
16. root
17. interface serial interface-path-id
18. encapsulation {frame-relay | hdlc | ppp}
19. ipv4 address ip-address mask
20. no shutdown
21. end
or
commit
22. show controllers sonet interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
sonet 0/1/1/0
Enters SONET controller configuration submode and specifies the
SONET controller name and interface-path-id with the
rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
clock source internal
Configures the SONET port transmit clock source, where the
internal keyword sets the internal clock and the line keyword sets
the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the
network. Use the internal keyword when two routers are
connected back to back or over fiber for which no clocking is
available.
• line is the default keyword.
Note Internal clocking is required for SRP interfaces.
Step 4 framing sonet
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
framing sonet
Configures the controller for SONET framing.
SONET framing (sonet) is the default.
Step 5 sts number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# sts
1
Configures the STS stream specified by number. The ranges are:
• 1 to 48—1-Port Channelized OC-48/STM-16 SPA
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
• 1 to 12—2-Port Channelized OC-12/DS0 SPA
Step 6 mode mode
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
mode t3
Sets the mode of the interface at the STS level. The possible modes are:
• t3—SONET path carrying T3
• vt15-t1—SONET path carrying virtual tributary 1.5 T1s
(VT15 T1) (1-Port Channelized OC-3/STM-1 SPA and 2-Port
Channelized OC-12c/DS0 SPA only)
• pos—Packet over SONET
Step 7 width number
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
width 3
Configures the number of the STS streams that are concatenated.
The possible values for number are:
• 1—Indicating one STS stream
• 3—Indicating three STS streams (STS-3c)
• 12—Indicating concatenation of 12 STS streams (STS-12c)
• 48—Indicating concatenation of 48 STS streams (STS-48c).
This is the default on the 1-Port Channelized OC-48/STM-16
SPA.
Widths 3, 12, and 48 are configured on STS paths at natural
boundaries, which coincide with the following path numbers:
• 1, 4, 7, 10, and so on, for STS-3c
• 1, 13, 25, and 37 for STS-12c
• 1 for STS-48c
Step 8 root
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
root
Exits to global configuration mode.
Step 9 controller controllerName instance
Example:
RP/0/RSP0/CPU0:router(config)# controller
t3 0/1/1/0/0
Enters controller configuration submode and specifies the
controller name and instance identifier with the
rack/slot/module/port/controllerName notation. The controller
names are:
• t3—SONET path carrying T3
• vt15-t1—SONET path carrying virtual tributary 1.5 T1s
(VT15 T1) (1-Port Channelized OC-3/STM-1 SPA and 2-Port
Channelized OC-12c/DS0 SPA only)
Step 10 mode mode
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode t1
Sets the mode of the interface at this level. The possible modes are:
• t1—Channelized into 28 T1s (1-Port Channelized
OC-3/STM-1 SPA and 2-Port Channelized OC-12c/DS0 SPA
only)
• e1—Channelized into 21 E1s (1-Port Channelized
OC-3/STM-1 SPA and 2-Port Channelized OC-12c/DS0 SPA
only)
• serial—Clear channel carrying an HDLC-like payload
Step 11 root
Example:
RP/0/RSP0/CPU0:router(config-t3)# root
Exits to global configuration mode.
Step 12 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
t1 0/1/1/0/0/0
Enters T1 controller configuration submode and specifies the T1
controller name and interface-path-id with the
rack/slot/module/port/T3Num/T1num notation.
(1-Port Channelized OC-3/STM-1 SPA and 2-Port Channelized
OC-12c/DS0 SPA only)
Step 13 channel-group number
Example:
RP/0/RSP0/CPU0:router(config-t1)#
channel-group 1
Sets the channel group number to which time slots are assigned.
The range is from 1 to 24.
Step 14 timeslots num1:num2:num3:num4
or
timeslots range1-range2
Example:
RP/0/0/CPU0:router(config-t1-channel_group)# timeslots 1:3:7:9
RP/0/0/CPU0:router(config-t1-channel_group)# timeslots 1-24
Specifies the time slots for the interface by number with the
num1:num2:num3:num4 notation, or by range with the
range1-range2 notation.
Step 15 show configuration
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)# show configuration
Displays the contents of uncommitted configuration.
Step 16 root
Example:
RP/0/RSP0/CPU0:router(config-t3)# root
Exits to global configuration mode.
Step 17 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
serial 0/1/1/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance notation.
Step 18 encapsulation {frame-relay | hdlc | ppp}
Example:
RP/0/RSP0/CPU0:router(config-if)#
encapsulation ppp
Specifies the encapsulation type with one of the following
keywords:
• frame-relay—Frame Relay network protocol
• hdlc—High-level Data Link Control (HDLC) synchronous
protocol
• ppp—Point-to-Point Protocol
Step 19 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 10.10.10.10 255.255.255.255
Assigns an IPv4 address and subnet mask to the interface.
Step 20 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 21 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 22 show controllers sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers sonet 0/1/1/0
Verifies the SONET controller configuration.
Configuring Packet over SONET Channels
This task explains how to configure Packet over SONET (POS) channels on SPAs supporting
channelized SONET.
Prerequisites
You have one of the following SPAs installed:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 2-Port Channelized OC-12/DS0 SPA
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. framing {sdh | sonet}
5. sts number
6. width number
7. mode mode scramble
8. root
9. interface pos interface-path-id
10. encapsulation [hdlc | ppp | frame-relay [IETF]]
11. pos crc {16 | 32}
12. mtu value
13. no shutdown
14. end
or
commit
15. show interfaces pos interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
sonet 0/1/1/0
Enters SONET controller configuration submode and specifies the
SONET controller name and interface-path-id with the
rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
clock source internal
Configures the SONET port transmit clock source, where the
internal keyword sets the internal clock and the line keyword sets
the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the
network. Use the internal keyword when two routers are
connected back to back or over fiber for which no clocking is
available.
• line is the default keyword.
Note Internal clocking is required for SRP interfaces.
Step 4 framing {sdh | sonet}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
framing sonet
(Optional) Configures the controller framing with either the sdh
keyword for Synchronous Digital Hierarchy (SDH) framing or the
sonet keyword for SONET framing.
SONET framing (sonet) is the default.
Step 5 sts number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# sts
1
Configures the STS stream specified by number. The ranges are:
• 1 to 12 on the 2-Port Channelized OC12c/DS0 SPA
• 1 to 48 on the 1-Port Channelized OC-48/DS3 SPA
Step 6 width number
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
width 3
Configures the number of the STS streams that are concatenated.
The possible values for number are:
• 3—Indicating three STS streams (STS-3c)
• 12—Indicating concatenation of 12 STS streams (STS-12c)
• 48—Indicating concatenation of 48 STS streams (STS-48c)
Widths 3, 12, and 48 are configured on STS paths at natural
boundaries, which coincide with the following path numbers:
• 1, 4, 7, 10, and so on, for STS-3c
• 1, 13, 25, and 37 for STS-12c
• 1 for STS-48c
Note POS interfaces are not supported when width is 1.
Step 7 mode mode scramble
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
mode pos scramble
Sets the mode of the interface at the STS level. Set the mode to pos to
create a POS interface (OC12 and OC48 only).
Step 8 root
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
root
Exits to global configuration mode.
Step 9 interface pos interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
POS 0/1/1/0
Specifies the POS interface name with the rack/slot/module/port
notation, and enters interface configuration mode.
Step 10 encapsulation [hdlc | ppp | frame-relay
[IETF]]
Example:
RP/0/RSP0/CPU0:router(config-if)#
encapsulation hdlc
(Optional) Configures the interface encapsulation parameters and
details such as HDLC or PPP. The default is HDLC.
Step 11 pos crc {16 | 32}
Example:
RP/0/RSP0/CPU0:router(config-if)# pos crc
32
(Optional) Configures the CRC value for the interface. Enter the 16
keyword to specify 16-bit CRC mode, or enter the 32 keyword to
specify 32-bit CRC mode.
The default CRC is 32.
Step 12 mtu value
Example:
RP/0/RSP0/CPU0:router(config-if)# mtu
4474
(Optional) Configures the POS MTU value.
The range is 64–65535.
Step 13 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 14 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 15 show interfaces pos interface-path-id
Example:
RP/0/0/CPU0:router# show interfaces pos 0/1/1/0
(Optional) Displays the interface configuration.
Configuring a Clear Channel SONET Controller for T3
This task explains how to configure a SONET line into a single T3 serial channel called clear channel.
Clear channel is established by setting the T3 controller mode to serial.
Prerequisites
• You should know how to configure the SONET controller as specified in the “How to Configure
Clear Channel SONET Controllers” section of the Configuring Clear Channel SONET Controllers
on the Cisco ASR 9000 Series Router module.
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. framing sonet
5. sts number
6. mode t3
7. root
8. controller t3 interface-path-id
9. mode serial
10. root
11. interface serial interface-path-id
12. encapsulation {frame-relay | hdlc | ppp}
13. ipv4 address ip-address mask
14. no shutdown
15. end
or
commit
16. show controllers sonet interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
sonet 0/1/1/0
Enters SONET controller configuration submode and specifies the
SONET controller name and interface-path-id with the
rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
clock source internal
Configures the SONET port transmit clock source, where the
internal keyword sets the internal clock and the line keyword sets
the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the
network. Use the internal keyword when two routers are
connected back to back or over fiber for which no clocking is
available.
• line is the default keyword.
Note Internal clocking is required for SRP interfaces.
Step 4 framing sonet
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
framing sonet
Configures the controller for SONET framing. SONET framing
(sonet) is the default.
Step 5 sts number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# sts
1
Configures the STS stream specified by number. The ranges are:
• 1 to 48—1-Port Channelized OC-48/DS3 SPA
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
• 1 to 12—2-Port Channelized OC-12/DS0 SPA
Step 6 mode t3
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
mode t3
Sets the mode of the interface at the STS level for T3.
Step 7 root
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
root
Exits to global configuration mode.
Step 8 controller t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
t3 0/1/1/0/0
Enters T3 controller configuration submode and specifies the T3
controller name and interface-path-id identifier with the
rack/slot/module/port/T3Num notation.
Step 9 mode serial
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode
serial
Sets the mode of the interface to serial to establish a clear channel.
Step 10 root
Example:
RP/0/RSP0/CPU0:router(config-t3)# root
Exits to global configuration mode.
Step 11 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
serial 0/1/1/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance notation.
Step 12 encapsulation {frame-relay | hdlc | ppp}
Example:
RP/0/RSP0/CPU0:router(config-if)#
encapsulation ppp
Specifies the encapsulation type with one of the following
keywords:
• frame-relay—Frame Relay network protocol
• hdlc—High-level Data Link Control (HDLC) synchronous
protocol
• ppp—Point-to-Point Protocol
Step 13 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 10.10.10.10 255.255.255.255
Assigns an IPv4 address and subnet mask to the interface.
Step 14 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 15 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 16 show controllers sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers sonet 0/1/1/0
Verifies the SONET controller configuration.
Configuring Channelized SONET APS
This task explains how to configure APS for channelized SONET lines.
Prerequisites
• You should know how to configure the SONET controller as specified in the “How to Configure
Clear Channel SONET Controllers” section of the Configuring Clear Channel SONET Controllers
on the Cisco ASR 9000 Series Router module.
• You should know how to configure the SONET APS as specified in the “Configuring SONET APS”
section of the Configuring Clear Channel SONET Controllers on the Cisco ASR 9000 Series Router
module.
Restrictions
• SONET APS is not supported on the 1-Port Channelized OC-48/STM-16 SPA.
• The Cisco ASR 9000 Series Router supports multirouter APS only on the following SPAs:
– 1-Port Channelized OC-3/STM-1 SPA
– 2-Port Channelized OC-12c/DS0 SPA
SUMMARY STEPS
1. aps group number
2. channel 0 local sonet interface
or
channel 0 remote ip-address
3. channel 1 local sonet interface
or
channel 1 remote ip-address
4. signalling {sonet | sdh}
5. end
or
commit
6. show aps
7. show aps group [number]
DETAILED STEPS
Command or Action Purpose
Step 1 aps group number
Example:
RP/0/RSP0/CPU0:router(config)# aps group
1
Adds an APS group with a specified number and enters APS group
configuration mode.
• Use the aps group command in global configuration mode.
• To remove a group, use the no form of this command, as in: no
aps group number, where the value range is from 1 to 255.
Note To use the aps group command, you must be a member of
a user group associated with the proper task IDs for APS
commands.
Note The aps group command is used even when a single
protect group is configured.
Step 2 channel 0 local sonet interface
or
channel 0 remote ip-address
Example:
RP/0/RSP0/CPU0:router(config-aps)#
channel 0 local SONET 0/0/0/1
or
RP/0/RSP0/CPU0:router(config-aps)#
channel 0 remote 172.18.69.123
Creates a protect channel for the APS group, where 0 designates a
protect channel.
Note The protect channel must be assigned before the active
channel can be assigned.
Note To configure APS where both channels are on one router,
use the channel local command for both the protect and
active channels.
To configure APS using two different routers where the
active channel is on one router and the protect channel is on
another router, use the channel local command for either
the protect or the active channel, but use the channel
remote command for the other channel.
Step 3 channel 1 local sonet interface
or
channel 1 remote ip-address
Example:
RP/0/RSP0/CPU0:router(config-aps)#
channel 1 local SONET 0/0/0/2
or
RP/0/0/CPU0:router(config-aps)# channel 1
remote 172.18.69.123
Creates an active channel for the APS group, where 1 designates an
active channel.
Note The active channel must be assigned after the protect
channel is assigned.
Note To configure APS where both channels are on one router,
use the channel local command for both the protect and
active channels.
To configure APS using two different routers where the
active channel is on one router and the protect channel is on
another router, use the channel local command for either
the protect or the active channel, but use the channel
remote command for the other channel.
Step 4 signalling {sonet | sdh}
Example:
RP/0/RSP0/CPU0:router(config-aps)#
signalling sonet
Configures the K1K2 overhead byte used for automatic protection
switching (APS). The keyword options are:
• sonet—Sets signaling to SONET.
• sdh—Sets signaling to Synchronous Digital Hierarchy (SDH).
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 6 show aps
Example:
RP/0/RSP0/CPU0:router# show aps
(Optional) Displays the operational status for all configured
SONET APS groups.
Step 7 show aps group [number]
Example:
RP/0/RSP0/CPU0:router# show aps group 3
(Optional) Displays the operational status for configured SONET
APS groups.
Note The show aps group command is more useful than the
show aps command when multiple groups are defined.
Configuring SDH AU-3
This section includes the following tasks:
• Configuring SDH AU-3 Mapped to C11-T1 or C12-E1, page 325
• Configuring SDH AU-3 Mapped to T3 or E3, page 329
Configuring SDH AU-3 Mapped to C11-T1 or C12-E1
This task explains how to configure SDH AU-3 with c11-t1 or c12-e1 mapping.
Prerequisites
• You should know how to configure the SONET controller as specified in the “How to Configure
Clear Channel SONET Controllers” section of the Configuring Clear Channel SONET Controllers
on the Cisco ASR 9000 Series Router module.
Restrictions
Channelized SDH AU-3 with c11-t1 or c12-e1 mapping is supported on the following SPAs:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. framing sdh
5. au number
6. mode mode
7. root
8. controller t1 interface-path-id
9. channel-group number
10. timeslots num1:num2:num3:num4
or
timeslots range1-range2
11. show configuration
12. root
13. interface serial interface-path-id
14. encapsulation {frame-relay | hdlc | ppp}
15. ipv4 address ip-address mask
16. no shutdown
17. end
or
commit
18. show controllers sonet interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
sonet 0/1/1/0
Enters SONET controller configuration submode and specifies the
SONET controller name and interface-path-id identifier with the
rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
clock source internal
Configures the SONET port transmit clock source, where the
internal keyword sets the internal clock and the line keyword sets
the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the
network. Use the internal keyword when two routers are
connected back to back or over fiber for which no clocking is
available.
• line is the default keyword.
Note Internal clocking is required for SRP interfaces.
Step 4 framing sdh
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
framing sdh
Configures the controller framing for Synchronous Digital
Hierarchy (SDH) framing.
SONET framing (sonet) is the default.
Step 5 au number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# au 1
Specifies the administrative unit (AU) group and enters AU path
configuration mode. For AU-3, the valid range is:
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
• 1 to 12—2-Port Channelized OC-12c/DS0 SPA
Note The au command does not specify the AU type. It specifies
the number of the AU group for the AU type that you want
to configure. The range for the AU command varies based
on whether you are configuring AU-3 or AU-4.
Step 6 mode mode
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
mode c11-t1
Sets the mode of the interface at the AU level. AU-3 paths can be
mapped to c11-t1 or c12-e1 on supported SPAs.
Step 7 root
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
root
Exits to global configuration mode.
Step 8 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
T1 0/1/1/0/0/0/0
Enters T1 controller configuration submode and specifies the T1
controller name and interface-path-id with the
rack/slot/module/port/auNum/t1Num notation.
Step 9 channel-group number
Example:
RP/0/RSP0/CPU0:router(config-t1)#
channel-group 0
Sets the channel-group number to which time slots are assigned.
The range is from 1 to 28.
Step 10 timeslots num1:num2:num3:num4
or
timeslots range1-range2
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1:3:7:9
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-12
Specifies time slots for the interface by number with the
num1:num2:num3:num4 notation, or by range with the
range1-range2 notation.
Step 11 show configuration
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)# show configuration
Displays the contents of uncommitted configuration.
Step 12 root
Example:
RP/0/RSP0/CPU0:router(config-t3)# root
Exits to global configuration mode.
Step 13 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
serial 0/1/1/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance notation.
Step 14 encapsulation {frame-relay | hdlc | ppp}
Example:
RP/0/RSP0/CPU0:router(config-if)#
encapsulation frame-relay
Specifies the encapsulation type with one of the following
keywords:
• frame-relay—Frame Relay network protocol
• hdlc—High-level Data Link Control (HDLC) synchronous
protocol
• ppp—Point-to-Point Protocol
Step 15 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 10.10.10.10 255.255.255.255
Assigns an IPv4 address and subnet mask to the interface.
Step 16 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 17 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 18 show controllers sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers sonet 0/1/1/0
Verifies the SONET controller configuration.
Configuring SDH AU-3 Mapped to T3 or E3
This task explains how to configure SDH AU-3 mapped to T3 or E3.
Prerequisites
• You should know how to configure the SONET controller as specified in the “How to Configure
Clear Channel SONET Controllers” section of the Configuring Clear Channel SONET Controllers
on the Cisco ASR 9000 Series Router module.
Restrictions
Channelized SDH AU-3 with T3 or E3 mapping is supported on the following SPAs:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. framing sdh
5. au number
6. mode t3
or
mode e3
7. root
8. controller {t3 | e3} interface-path-id
9. mode serial
10. show configuration
11. root
12. interface serial interface-path-id
13. encapsulation {frame-relay | hdlc | ppp}
14. ipv4 address ip-address mask
15. no shutdown
16. end
or
commit
17. show controllers sonet interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
sonet 0/1/1/0
Enters SONET controller configuration submode and specifies the
SONET controller name and interface-path-id identifier with the
rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
clock source internal
Configures the SONET port transmit clock source, where the
internal keyword sets the internal clock and the line keyword sets
the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the
network. Use the internal keyword when two routers are
connected back to back or over fiber for which no clocking is
available.
• line is the default keyword.
Note Internal clocking is required for SRP interfaces.
Step 4 framing sdh
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
framing sdh
Configures the controller framing for Synchronous Digital
Hierarchy (SDH) framing.
SONET framing (sonet) is the default.
Step 5 au number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# au 1
Specifies the administrative unit (AU) group and enters AU path
configuration mode. For AU-3, the valid range is:
• 1 to 48—1-Port Channelized OC-48/DS3 SPA
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
• 1 to 12—2-Port Channelized OC-12c/DS0 SPA
Note The au command does not specify the AU type. It specifies
the number of the AU group for the AU type that you want
to configure. The range for the AU command varies based
on whether you are configuring AU-3 or AU-4.
Step 6 mode t3
or
mode e3
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
mode t3
Sets the mode of the interface at the AU level to T3 or E3.
Step 7 root
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
root
Exits to global configuration mode.
Step 8 controller {t3 | e3} interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
T3 0/1/1/0/0
Enters T3 or E3 controller configuration submode and specifies the
T3 or E3 controller name and interface-path-id with the
rack/slot/module/port/auNum notation.
Step 9 mode serial
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode
serial
Configures the mode of the port to be clear channel serial.
Step 10 show configuration
Example:
RP/0/RSP0/CPU0:router(config-t3)# show
configuration
Displays the contents of uncommitted configuration.
Step 11 root
Example:
RP/0/RSP0/CPU0:router(config-t3)# root
Exits to global configuration mode.
Step 12 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
serial 0/1/1/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance notation.
Step 13 encapsulation {frame-relay | hdlc | ppp}
Example:
RP/0/RSP0/CPU0:router(config-if)#
encapsulation frame-relay
Specifies the encapsulation type with one of the following
keywords:
• frame-relay—Frame Relay network protocol
• hdlc—High-level Data Link Control (HDLC) synchronous
protocol
• ppp—Point-to-Point Protocol
Step 14 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 10.10.10.10 255.255.255.255
Assigns an IP address and subnet mask to the interface.
Step 15 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 16 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 17 show controllers sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers
sonet 0/1/1/0
Verifies the SONET controller configuration.
Configuring SDH AU-4
This task explains how to configure an SDH AU-4 stream into a TUG-3 channel mapped to E3s.
Prerequisites
• You should know how to configure the SONET controller as specified in the “How to Configure
Clear Channel SONET Controllers” section of the Configuring Clear Channel SONET Controllers
on the Cisco ASR 9000 Series Router module.
Restrictions
• Channelized SDH is supported on the following SPAs:
– Cisco 1-Port Channelized OC-48/STM-16 SPA
– Cisco 1-Port Channelized OC-3/STM-1 SPA
– Cisco 2-Port Channelized OC-12/DS0 SPA
• In this release, AU-4 paths can only be channelized into TUG-3s.
• The 1-Port Channelized OC-48/STM-16 SPA does not support T1 or E1 channelization.
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. framing sdh
5. au number
6. mode tug3
7. width number
8. tug3 number
9. mode mode
10. root
11. controller name interface-path-id
12. mode mode
13. root
14. controller name instance
15. channel-group number
16. timeslots num1:num2:num3:num4
or
timeslots range1-range2
17. show configuration
18. root
19. interface serial interface-path-id
20. encapsulation {frame-relay | hdlc | ppp}
21. ipv4 address ip-address mask
22. no shutdown
23. end
or
commit
24. show controllers sonet interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/0/CPU0:router(config)# controller
sonet 0/1/1/0
Enters SONET controller configuration submode and specifies the
SONET controller name and interface-path-id with the
rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/0/CPU0:router(config-sonet)# clock
source internal
Configures the SONET port transmit clock source, where the
internal keyword sets the internal clock and the line keyword sets
the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the
network. Use the internal keyword when two routers are
connected back to back or over fiber for which no clocking is
available.
• line is the default keyword.
Note Internal clocking is required for SRP interfaces.
Step 4 framing sdh
Example:
RP/0/0/CPU0:router(config-sonet)# framing
sdh
Configures the controller for Synchronous Digital Hierarchy
(SDH) framing.
SONET framing (sonet) is the default.
Step 5 au number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# au 1
Specifies the administrative unit (AU) group and enters AU path
configuration mode. For AU-4, the valid range is:
• 1 to 16—1-Port Channelized OC-48/DS3 SPA
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
• 1 to 4—2-Port Channelized OC-12c/DS0 SPA
Note The au command does not specify the AU type. It specifies
the number of the AU group for the AU type that you want
to configure. The range for the AU command varies based
on whether you are configuring AU-3 or AU-4.
Step 6 mode tug3
Example:
RP/0/0/CPU0:router(config-auPath)# mode
tug3
Sets the mode of the interface at the AU level. Currently only TUG3 is
supported.
Step 7 width number
Example:
RP/0/0/CPU0:router(config-auPath)# width
3
Configures the number of AU streams.
Step 8 tug3 number
Example:
RP/0/0/CPU0:router(config-auPath)# tug3 1
Specifies the Tributary Unit Group (TUG) number and enters the
config-tug3Path mode. The range is 1 to 3.
Step 9 mode mode
Example:
RP/0/0/CPU0:router(config-tug3Path)# mode
e3
Sets the mode of the interface at the tug3 level. The modes are:
• c11—TUG-3 path carrying TU-11
• c11-t1—TUG-3 path carrying TU-11 to T1
• c12—TUG-3 path carrying TU-12
• c12-e1—TUG-3 path carrying TU-12 to E1
• e3—TUG-3 path carrying E3
• t3—TUG-3 path carrying T3
Note The 1-Port Channelized OC-48/STM-16 SPA only supports
the e3 and t3 options.
Step 10 root
Example:
RP/0/0/CPU0:router(config-tug3Path)# root
Exits to global configuration mode.
Step 11 controller name instance
Example:
RP/0/0/CPU0:router(config)# controller e3
0/1/1/0/0/0
Enters controller configuration submode and specifies the
controller name and instance identifier with the
rack/slot/module/port/name/instance notation. The controller
names are:
• e3—TUG3 path carrying E3
• t3—TUG3 path carrying T3
• e1—channelized E1 port
Note In this step, you can create an E3 or T3 controller and add
T1 channels under the T3 controller as shown in Step 14,
or you can create a channelized E1 port at this point.
Note E1 is not supported on the 1-Port Channelized
OC-48/STM-16 SPA.
Step 12 mode mode
Example:
RP/0/0/CPU0:router(config-e3)# mode e1
Sets the mode of the interface. The modes are:
• e1—Channelized into 21 E1s
• serial—Clear Channel carrying HDLC-like payload
• t1—Channelized into 28 T1s
Note T1 and E1 are not supported on the 1-Port Channelized
OC-48/STM-16 SPA.
Step 13 root
Example:
RP/0/0/CPU0:router(config-e3)# root
Exits to global configuration mode.
Step 14 controller name instance
Example:
RP/0/0/CPU0:router(config)# controller E1
0/1/1/0/0/0/0/0
Enters controller configuration submode and specifies the
controller name and instance identifier with the
rack/slot/module/port/name/instance1/instance2 notation. The
controller names are:
• serial—Clear Channel carrying HDLC-like payload.
• t1—Channelized into 24 T1s.
Step 15 channel-group number
Example:
RP/0/0/CPU0:router(config-e1)#
channel-group 0
Sets the channel-group number to which time slots are assigned.
• For t1, the range is from 1 to 24.
• For e1, the range is from 1 to 32.
Step 16 timeslots num1:num2:num3:num4
or
timeslots range1-range2
Example:
RP/0/0/CPU0:router(config-e1-channel_group)# timeslots 1:3:7:9
RP/0/0/CPU0:router(config-e1-channel_group)# timeslots 1-12
Specifies time slots for the interface by number with the
num1:num2:num3:num4 notation, or by range with the
range1-range2 notation.
Step 17 show configuration
Example:
RP/0/0/CPU0:router(config-e1-channel_group)# show configuration
Displays the contents of uncommitted configuration.
Step 18 root
Example:
RP/0/0/CPU0:router(config-e1-channel_group)# root
Exits to global configuration mode.
Step 19 interface serial interface-path-id
Example:
RP/0/0/CPU0:router(config)# interface
serial 0/1/1/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance notation.
Step 20 encapsulation {frame-relay | hdlc | ppp}
Example:
Router(config-if)# encapsulation frame-relay
Specifies the encapsulation type with one of the following
keywords:
• frame-relay—Frame Relay network protocol
• hdlc—High-level Data Link Control (HDLC) synchronous
protocol
• ppp—Point-to-Point Protocol
Step 21 ipv4 address ip-address mask
Example:
Router(config-if)# ipv4 address 10.10.10.10 255.255.255.255
Assigns an IP address and subnet mask to the interface.
Step 22 no shutdown
Example:
RP/0/0/CPU0:router(config-if)# no shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 23 end
or
commit
Example:
RP/0/0/CPU0:router(config-sonet)# end
or
RP/0/0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 24 show controllers sonet interface-path-id
Example:
RP/0/0/CPU0:router# show controllers
sonet 0/1/1/0
Verifies the SONET controller configuration.
Configuration Examples for Channelized SONET
This section contains the following examples:
• Channelized SONET Examples, page 338
• Channelized SDH Examples, page 340
Channelized SONET Examples
• Channelized SONET T3 to T1 Configuration: Example, page 338
• Channelized Packet over SONET Configuration: Example, page 339
• SONET Clear Channel T3 Configuration: Example, page 339
• Channelized SONET APS Multirouter Configuration: Example, page 339
Channelized SONET T3 to T1 Configuration: Example
The following example shows SONET T3 to T1 configuration.
configure
controller sonet 0/1/1/0
clock source internal
framing sonet
sts 1
mode t3
width 3
root
controller t3 0/1/1/0/0
mode t1
root
controller t1 0/1/1/0/0/0
framing esf
channel-group 0
timeslots 1:3:7:9
show configuration
root
interface serial 0/1/1/0/0/0:0
encapsulation hdlc
ipv4 address 10.10.10.10 255.255.255.255
no shutdown
commit
show controllers sonet 0/1/1/0
Channelized SONET in VT1.5 Mode and T1 Channelization to NxDS0
Note This example is not supported on the 1-Port Channelized OC-48/STM-16 SPA.
The following example shows how to configure SONET channelized to NxDS0s through SONET VT1.5
mode:
configure
controller sonet 0/1/1/0
clock source internal
framing sonet
sts 1
mode vt15-t1
root
controller t1 0/1/1/0/0/0
channel-group 0 timeslots 1
channel-group 1 timeslots 2-3
commit
Channelized Packet over SONET Configuration: Example
The following example shows Channelized Packet over SONET configuration.
configure
controller sonet 0/1/1/0
clock source internal
framing sonet
sts 1
mode pos scramble
width 3
root
interface POS 0/1/1/0
encapsulation hdlc
pos crc 32
mtu 4474
no shutdown
commit
show interfaces pos 0/1/1/0
SONET Clear Channel T3 Configuration: Example
The following example shows SONET clear channel configuration for T3:
configure
controller sonet 0/1/1/0
clock source internal
framing sonet
sts 1
mode t3
root
controller t3 0/1/1/0/0
mode serial
root
interface serial 0/1/1/0/0/0:0
encapsulation ppp
ipv4 address 10.10.10.10 255.255.255.255
no shutdown
commit
show controllers sonet 0/1/1/0
Channelized SONET APS Multirouter Configuration: Example
The following example shows SONET APS multirouter configuration.
aps group 1
channel 0 local SONET 0/0/0/1
channel 1 remote 172.18.69.123
signalling sonet
commit
show aps
show aps group 3
Channelized SDH Examples
• Channelized SDH AU-3 Configuration: Examples, page 340
• Channelized SDH AU-4 Configuration: Examples, page 341
Channelized SDH AU-3 Configuration: Examples
This section includes the following configuration examples:
• Channelized SDH AU-3 to VC-3 and Clear Channel T3/E3: Examples, page 340
• Channelized SDH AU-3 to TUG-2, VC-11, T1 and NxDS0s: Example, page 340
• Channelized SDH AU-3 to TUG-2, VC-12, E1 and NxDS0s: Example, page 341
Channelized SDH AU-3 to VC-3 and Clear Channel T3/E3: Examples
The following example shows how to configure SDH AU-3 to VC-3 and clear channel T3:
configure
controller sonet 0/1/1/0
clock source internal
framing sdh
au 1
width 1
mode t3
root
controller t3 0/1/1/0/1
mode serial
commit
The following example shows how to configure SDH AU-3 to VC-3 and clear channel E3:
configure
controller sonet 0/1/1/0
clock source internal
framing sdh
au 1
width 1
mode e3
root
controller e3 0/1/1/0/1
mode serial
commit
Channelized SDH AU-3 to TUG-2, VC-11, T1 and NxDS0s: Example
Note This example is not supported on the 1-Port Channelized OC-48/STM-16 SPA.
The following example shows how to configure SDH AU-3 to TUG-2, VC-11 and channelized T1 to
NxDS0s:
configure
controller sonet 0/1/1/0
clock source internal
framing sdh
au 1
mode c11-t1
width 1
root
controller T1 0/1/1/0/0/1/1
channel-group 0
timeslots 1-12
show configuration
root
interface serial 0/1/1/0/1/1:0
encapsulation ppp
ipv4 address 10.10.10.10 255.255.255.255
no shutdown
commit
show controllers sonet 0/1/1/0
Channelized SDH AU-3 to TUG-2, VC-12, E1 and NxDS0s: Example
Note This example is not supported on the 1-Port Channelized OC-48/STM-16 SPA.
The following example shows how to configure SDH AU-3 to TUG-2, VC-12 and channelized E1 to
NxDS0s:
configure
controller sonet 0/1/1/0
clock source internal
framing sdh
au 1
mode c12-e1
width 1
root
controller e1 0/1/1/0/0/1/1
channel-group 0
timeslots 1-12
show configuration
root
interface serial 0/1/1/0/1/1:0
encapsulation ppp
ipv4 address 10.10.10.10 255.255.255.255
no shutdown
commit
show controllers sonet 0/1/1/0
Channelized SDH AU-4 Configuration: Examples
This section includes the following configuration examples:
• Channelized SDH AU-4 to TUG-3 and Clear Channel T3/E3: Examples, page 341
• Channelized SDH AU-4 to TUG-3, TUG-2, and T1/E1 and NxDS0: Examples, page 342
Channelized SDH AU-4 to TUG-3 and Clear Channel T3/E3: Examples
The following example shows SDH AU-4 channelization to TUG-3 and clear channel T3:
configure
controller sonet 0/4/0/0
framing sdh
au 1
width 3
mode tug3
tug3 1
mode t3
root
controller t3 0/4/0/0/1/1
mode serial
commit
The following example shows SDH AU-4 channelization to TUG-3 and clear channel E3:
configure
controller sonet 0/4/0/0
framing sdh
au 1
width 3
mode tug3
tug3 1
mode e3
root
controller e3 0/4/0/0/1/1
mode serial
commit
Channelized SDH AU-4 to TUG-3, TUG-2, and T1/E1 and NxDS0: Examples
Note Channelization to T1/E1 and NxDS0s is not supported on the 1-Port Channelized OC-48/STM-16 SPA.
The following example shows SDH AU-4 configuration with unframed E1 controllers and serial
interfaces:
configure
controller sonet 0/1/2/0
framing sdh
au 1
width 3
mode tug3
tug3 1
mode c12-e1
!
tug3 2
mode c12-e1
!
tug3 3
mode c12-e1
!
controller E1 0/1/2/0/1/1/1/1
framing unframed
!
controller E1 0/1/2/0/1/1/1/2
framing unframed
!
controller E1 0/1/2/0/1/1/1/3
framing unframed
!
interface Serial0/1/2/0/1/1/1/1:0
encapsulation ppp
multilink
group 1
!
interface Serial0/1/2/0/1/1/1/2:0
encapsulation ppp
multilink
group 1
!
!
interface Serial0/1/2/0/1/1/1/3:0
encapsulation ppp
multilink
group 1
!
The following example shows SDH AU-4 configuration with E1 controller channel groups and serial
interfaces:
configure
controller SONET0/3/2/0
framing sdh
au 1
width 3
mode tug3
tug3 1
mode c12-e1
!
tug3 2
mode c12-e1
!
tug3 3
mode c12-e1
!
controller E1 0/3/2/0/1/1/1/1
framing crc4
channel-group 0
timeslots 1-4
!
controller E1 0/3/2/0/1/1/3/1
framing crc4
channel-group 0
timeslots 1-31
!
controller E1 0/3/2/0/1/1/1/2
framing crc4
channel-group 0
timeslots 1-31
!
controller E1 0/3/2/0/1/2/7/3
framing crc4
channel-group 0
timeslots 1-5
!
channel-group 1
timeslots 6-31
!
interface Serial0/3/2/0/1/1/1/1:0
encapsulation frame-relay IETF
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial0/3/2/0/1/1/1/1:0.1 point-to-point
ipv4 address 192.168.200.2 255.255.255.252
ipv4 verify unicast source reachable-via rx
pvc 100
encap ietf
!
interface Serial0/3/2/0/1/1/3/1:0
encapsulation ppp
multilink
group 1
!
interface Serial0/3/2/0/1/1/1/2:0
encapsulation ppp
multilink
group 1
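The AU-3 and AU-4 procedures above constrain several numeric values (the au number range per SPA and AU type, tug3 numbers 1 to 3, the tug3 modes the 1-Port Channelized OC-48/STM-16 SPA accepts, and channel-group timeslots in the num1:num2:num3:num4 or range1-range2 notation), and the E1 channel-group example just shown assigns disjoint timeslot ranges to each channel group of a controller. The following Python linter is an added example, not Cisco's code and not part of this guide: it reads a configuration written in the form of the examples above and flags an au or tug3 number outside the documented range, a tug3 mode the OC-48 SPA does not support, a T1 or E1 controller on the OC-48 SPA, timeslots outside 1 to 24 (T1) or 1 to 31 (E1), a timeslot claimed by two channel groups on one controller, and a serial interface whose controller:channel-group was never defined. The SPA labels oc3, oc12 and oc48, the AU type labels au3 and au4, the E1 timeslot range (slot 0 carries framing) and the sample configuration with its three injected faults are this example's own assumptions; a mixed notation such as 1-4:7 does not appear on this page and is rejected.

```python
"""Pre-commit lint for the channelized SDH/SONET configurations in this chapter.
Added example, not Cisco code.  It reads IOS XR-style controller, channel-group,
timeslots and interface serial lines and checks the limits the AU-3/AU-4 steps
state.  SPA labels 'oc3'/'oc12'/'oc48' and AU types 'au3'/'au4' are assumptions."""
import re

AU_RANGE = {  # (spa, au type) -> valid 'au number' range, from the procedure tables
    ("oc48", "au3"): (1, 48), ("oc3", "au3"): (1, 3), ("oc12", "au3"): (1, 12),
    ("oc48", "au4"): (1, 16), ("oc3", "au4"): (1, 3), ("oc12", "au4"): (1, 4)}
TUG3_MODES = {"c11", "c11-t1", "c12", "c12-e1", "e3", "t3"}
OC48_TUG3_MODES = {"e3", "t3"}                   # OC-48/STM-16 SPA supports e3 and t3 only
TIMESLOT_RANGE = {"t1": (1, 24), "e1": (1, 31)}  # E1 slot 0 carries framing (assumption)
CONTROLLER_RE = re.compile(r"controller\s+([a-z]+\d?)\s*(\d[\d/]*)", re.I)
SERIAL_RE = re.compile(r"interface\s+serial\s*(\d[\d/]*):(\d+)(?:\.\d+)?(?:\s+point-to-point)?", re.I)


def parse_timeslots(spec, kind):
    """Expand 'a:b:c' or 'a-b' into a set of slots, range-checked for a t1 or e1."""
    lo, hi = TIMESLOT_RANGE[kind]
    if m := re.fullmatch(r"(\d+)-(\d+)", spec):
        a, b = int(m.group(1)), int(m.group(2))
        if a > b:
            raise ValueError(f"reversed range {spec}")
        slots = set(range(a, b + 1))
    elif re.fullmatch(r"\d+(?::\d+)*", spec):
        slots = {int(n) for n in spec.split(":")}
    else:
        raise ValueError(f"unrecognised timeslot spec {spec!r}")
    if bad := sorted(s for s in slots if not lo <= s <= hi):
        raise ValueError(f"timeslots {bad} outside {lo}-{hi} for {kind}")
    return slots


def lint_config(text, spa, au_type):
    """Return the list of findings for one configuration (an empty list means it passed)."""
    findings, groups, owner = [], set(), {}   # owner: controller path -> {slot: channel-group}
    ctrl, kind, group, in_tug3 = None, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        tok = line.lower().split()
        if m := CONTROLLER_RE.fullmatch(line):
            name, ctrl = m.group(1).lower(), m.group(2)
            kind, group, in_tug3 = (name if name in TIMESLOT_RANGE else None), None, False
            if kind and spa == "oc48":
                findings.append(f"{ctrl}: {name} controllers are not supported on the OC-48 SPA")
        elif m := SERIAL_RE.fullmatch(line):
            if (m.group(1), int(m.group(2))) not in groups:
                findings.append(f"interface serial {m.group(1)}:{m.group(2)} has no matching channel-group")
        elif tok[0] == "au":
            lo, hi = AU_RANGE[(spa, au_type)]
            if not lo <= int(tok[1]) <= hi:
                findings.append(f"au {tok[1]} outside {lo}-{hi} for {spa} {au_type}")
        elif tok[0] == "tug3":
            in_tug3 = True
            if not 1 <= int(tok[1]) <= 3:
                findings.append(f"tug3 {tok[1]} outside 1-3")
        elif tok[0] == "mode" and in_tug3:
            allowed = OC48_TUG3_MODES if spa == "oc48" else TUG3_MODES
            if tok[1] not in allowed:
                findings.append(f"tug3 mode {tok[1]} is not supported on {spa}")
        elif tok[0] == "channel-group" and ctrl:
            group = int(tok[1])
            groups.add((ctrl, group))
            if "timeslots" in tok:            # one-line form: channel-group N timeslots ...
                tok = tok[tok.index("timeslots"):]
        if tok[0] == "timeslots" and kind and group is not None:
            try:
                slots = parse_timeslots(tok[1], kind)
            except ValueError as err:
                findings.append(f"{ctrl} channel-group {group}: {err}")
                continue
            used = owner.setdefault(ctrl, {})
            if clash := sorted(s for s in slots if s in used and used[s] != group):
                findings.append(f"{ctrl}: channel-group {group} reuses timeslots {clash} of channel-group {used[clash[0]]}")
            for s in slots:
                used.setdefault(s, group)
    return findings


# Constructed sample with three injected faults: tug3 4, timeslot 3 in two channel groups, and a serial interface with no channel-group.
SAMPLE = """\
controller SONET0/3/2/0
 au 1
  mode tug3
  tug3 1
   mode c12-e1
  tug3 4
   mode c11-t1
controller E1 0/3/2/0/1/1/1/1
 channel-group 0 timeslots 1-4
 channel-group 1
  timeslots 3:7:9
interface Serial0/3/2/0/1/1/1/1:0
interface Serial0/3/2/0/1/1/1/9:0
"""
FINDINGS = lint_config(SAMPLE, "oc12", "au4")   # three findings for this sample
```

Run it over the text of show configuration before you commit; an empty list means the checked limits hold. It does not replace the router's own parser, which rejects syntax errors the linter does not model, and it only checks tug3 modes, not the AU-level mode t3/e3/c11-t1/c12-e1 choices of the AU-3 procedure.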
Additional References
The following sections provide references related to channelized SONET configuration.
Related Documents
Related Topic | Document Title
Cisco IOS XR master command reference | Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands | Cisco IOS XR Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a router using the Cisco IOS XR software | Cisco IOS XR Getting Started Guide
Information about user groups and task IDs | Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide
Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
MIBs:
• CISCO-SONET-MIB
• ENTITY-MIB
• SONET-MIB (RFC 3592)
The following additional MIBs are supported on the Cisco 1-Port Channelized OC-3/STM-1 SPA and Cisco 2-Port Channelized OC-12c/DS0 SPA on the Cisco ASR 9000 Series Router:
• CISCO-IF-EXTENSION-MIB
• DS1-MIB
• DS3-MIB
• IF-MIB
MIBs Link: To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-01
Configuring Circuit Emulation over Packet on the
Cisco ASR 9000 Series Router
This module describes the configuration of Circuit Emulation over Packet (CEoP) shared port adapters
(SPAs) on the Cisco ASR 9000 Series Aggregation Services Routers.
Feature History for Configuring CEoP on Cisco ASR 9000 Series Router
Contents
• Prerequisites for Configuration, page 347
• Overview of Circuit Emulation over Packet Service, page 348
• Information About Configuring CEoP Channelized SONET/SDH, page 349
• Clock Distribution, page 354
• How to implement CEM, page 355
• Configuring Clocking, page 373
• Configuration Examples for CEM, page 376
• Additional References, page 379
Prerequisites for Configuration
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Release Modification
Release 4.2.0 • Support for Circuit Emulation Service over Packet Switched Network was added in the following SPA:
– Cisco 1-port Channelized OC3/STM-1 SPA (SPA-1CHOC3-CE-ATM)
Before configuring the Circuit Emulation over Packet (CEoP) service on your router, ensure that these
conditions are met:
• You must have this SPA installed in your chassis:
– Cisco 1-port Channelized OC3/STM-1 Circuit Emulation and ATM SPA
• You should know how to apply and specify the SONET controller name and interface-path-id with
the generalized notation rack/slot/module/port. The SONET controller name and interface-path-id
are required with the controller sonet command.
Overview of Circuit Emulation over Packet Service
Circuit Emulation over Packet (CEoP) is a way to carry TDM circuits over a packet-switched network
(PSN): it emulates a physical connection. The goal of CEoP is to replace leased lines and legacy TDM
networks. This feature allows network administrators to use their existing IP/MPLS network to provide
leased-line emulation services, or to carry data streams or protocols that do not meet the format
requirements of other multiservice platform interfaces. CEoP places the TDM bits into packets,
encapsulates them with the appropriate header, and sends them through the PSN. The receiving side of
CEoP restores the TDM bit stream from the packets.
CEoP SPAs are half-height (HH) shared port adapters (SPAs). The CEoP SPA family consists of
24xT1/E1/J1, 2xT3/E3, and 1xOC3/STM1 unstructured and structured (NxDS0), quarter-rate, half-height
SPAs. The CEoP SPAs provide bit-transparent data transport that is completely protocol independent.
CEoP has two major modes:
• Unstructured mode is called SAToP (Structure Agnostic TDM over Packet). SAToP does not look at
what is inside the incoming data and treats it as a pure bit stream.
• Structured mode is called CESoPSN (Circuit Emulation Service over Packet Switched Network).
CESoPSN is aware of the structure of the incoming TDM bit stream at the DS0 level.
CESoPSN and SAToP can use MPLS, UDP/IP, and L2TPv3 as the underlying transport mechanism.
Note Cisco IOS XR Release 4.2.0 supports only the MPLS transport mechanism.
These SPAs are the first Cisco router interfaces designed to meet the emerging standards for Circuit
Emulation Services over Packet Switched Network (CESoPSN) and Structure-Agnostic Transport over
Packet (SAToP) transport.
The Cisco IOS XR Release 4.2.0 supports CEM functionality only on this SPA:
1-port Channelized OC3 SPA [SPA-1xOC3-CE-ATM]
In SAToP mode, these SPAs do not assume that the data has any predefined format or structure; they
simply regard the data as an arbitrary bit stream. All data bits are transported to a defined destination
encapsulated in IP/MPLS packets. In CESoPSN mode, the carrier has a defined format. The SPAs support
a full range of E1 and T1 framing. CESoPSN applications can save bandwidth by selecting only valid
timeslots for transmission. Some primary applications include:
• Transporting 2G and 3G network traffic over packet networks, for mobile operators. Mobile service
providers are implementing high-speed data networks with HSDPA to support new
revenue-generating services. The SPA is uniquely positioned for multigenerational migration of
mobile networks (2G and 3G), simultaneously carrying TDM and ATM traffic over IP/MPLS
networks. This technology provides a mechanism to enable IP/MPLS to the cell site, which can
eventually be in place to transport the mobile traffic over IP from end to end.
• T3/E3 circuit emulation for leased-line replacement.
• T1/E1 circuit emulation for leased-line replacement.
• PBX to PBX connectivity over PSN.
• High density SS7 backhaul over IP/MPLS.
• Inter-MSC connectivity.
• Preencrypted data for government, defense, or other high-security applications.
• Proprietary synchronous or asynchronous data protocols used in transportation, utilities, and other
industries.
• Leased-line emulation service offerings in metropolitan (metro) Ethernet or WAN service provider
environments.
For more information on Circuit Emulation service concepts, configuration, and example, see the
Implementing Point to Point Layer 2 Services module in the Cisco ASR 9000 Series Aggregation Services
Router L2VPN and Ethernet Services Configuration Guide.
Information About Configuring CEoP Channelized SONET/SDH
To configure the Circuit Emulation over Packet Channelized SONET/SDH, you must understand the
following concepts:
• Channelized SONET and SDH Overview, page 349
• Default Configuration Values for Channelized SONET/SDH, page 353
Channelized SONET and SDH Overview
Synchronous Optical Network (SONET) is an American National Standards Institute (ANSI)
specification format used in transporting digital telecommunications services over optical fiber.
Channelized SONET provides the ability to transport SONET frames across multiplexed T3/E3 and
virtual tributary group (VTG) channels.
SONET uses Synchronous Transport Signal (STS) framing. An STS is the electrical equivalent to an
optical carrier 1 (OC-1).
A channelized SONET interface is a composite of STS streams, which are maintained as independent
frames with unique payload pointers. The frames are multiplexed before transmission.
When a line is channelized, it is logically divided into smaller bandwidth channels called paths. These
paths carry the SONET payload. The sum of the bandwidth on all paths cannot exceed the line
bandwidth.
When a line is not channelized, it is called clear channel, and the full bandwidth of the line is dedicated
to a single channel that carries broadband services.
The T3/E3 channels can be channelized further into T1s, and the T1s can be channelized into time slots
(DS0s).
Channelizing a SONET line consists of two primary processes:
• Configuring the controller
• Configuring the interface into channelized paths
You configure the controller first by setting the mode of the STS path.
When the mode is specified, the respective controller is created, and the remainder of the configuration
is applied on that controller. For example, mode T3 creates a T3 controller. The T3 controller can then
be configured to a serial channel, or it can be further channelized to carry T1s, and those T1s can be
configured to serial interfaces.
Depending on the support for your installed SPA, each STS path can be independently configured into
T3s, E3s, or VTGs, and so on.
The following levels of SONET channelization are supported on the CEoP SPA:
OC3 -> STS-1 -> VTG -> VT1.5 -> Unframed T1
OC3 -> STS-1 -> VTG -> VT1.5 -> T1 -> DS0
Figure 28 shows the VTG paths that can be configured.
Note Only VTG paths are supported on the Cisco 1-Port Channelized OC-3/STM-1 SPA on the
Cisco ASR 9000 Series Router.
Figure 28 SONET VTG Channelized Paths
[Figure 28: a SONET controller carries STS 1, STS 2 and STS 3. Each STS can be channelized into 7 VTGs (VTG 1 to VTG 7), and each VTG can be channelized into 4 T1s. STS 2 and STS 3 have the same configuration possibilities as STS 1.]
Synchronous Digital Hierarchy (SDH) is the international equivalent of SONET.
SDH uses Synchronous Transport Mode (STM) framing. An STM-1 is the electrical equivalent to 3
optical carrier 1s (OC-1s). A Synchronous Transport Module (STM) signal is the Synchronous Digital
Hierarchy (SDH) equivalent of the SONET STS, but the numbers are different for each bandwidth. In
this guide, the STM term refers to both path widths and optical line rates. The paths within an STM
signal are called administrative units (AUs).
A summary of the basic terminology differences between SONET and SDH is as follows:
• SONET STS is equivalent to SDH administrative unit (AU)
• SONET VT is equivalent to SDH tributary unit (TU)
• SDH basic building blocks are STM-1 (equivalent to STS-3) and STM-0 (equivalent to STS-1)
An administrative unit (AU) is the information structure that provides adaptation between the
higher-order path layer and the multiplex section layer. It consists of an information payload (the
higher-order virtual container) and an administrative unit pointer, which indicates the offset of the
payload frame start relative to the multiplex section frame start.
An AU can be channelized into tributary units (TUs) and tributary unit groups (TUGs).
An administrative unit 3 (AU-3) consists of one STM-1.
An administrative unit group (AUG) consists of one or more administrative units occupying fixed,
defined positions in an STM payload.
Table 4 shows the commonly used notations and terms in SONET standards and their SDH
equivalents.
The following levels of SDH channelization are supported on the CEoP SPA in Cisco IOS XR Release
4.2.0:
• For E1:
– STM1 -> AU-4 -> TUG-3 -> TUG-2 -> VC12 -> Unframed E1
– STM1 -> AU-4 -> TUG-3 -> TUG-2 -> VC12 -> E1 -> DS0
• For T1:
– STM1 -> AU-3 -> TUG-2 -> VC11 -> Unframed T1
– STM1 -> AU-3 -> TUG-2 -> VC11 -> T1 -> DS0
Table 4 SONET and SDH Terminology Equivalencies
SONET Term      SDH Term
SONET           SDH
STS-3c          AU-4
STS-1           AU-3
VT              TU
SPE             VC
Section         Regenerator Section
Line            Multiplex Section
Path            Path
Figure 29 shows an example of SDH AU-3 paths that can be configured on the CEoP SPA.
Figure 29 SDH AU3 Paths
[Figure 29: an STM-1 on the SONET controller carries three AU-3 paths; each AU-3 is mapped C11-T1 and carries T1s.]
Figure 30 shows the SDH AU4 paths that can be configured on the CEoP SPA.
Figure 30 SDH AU4 Paths
[Figure 30: an STM-1 on the SONET controller carries an AU-4, which is channelized into TUG-3s; each TUG-3 carries either a T3 or C12-mapped E1s (up to 21 E1s).]
Default Configuration Values for Channelized SONET/SDH
Table 5 describes the default configuration parameters that are present on the Channelized SONET/SDH.
Table 5 SONET/SDH Controller Default Configuration Values
Parameter       Default Value   Configuration File Entry
Clock source    line            clock source {internal | line}
SONET framing   sonet           hw-module sub-slot node-id cardtype {sonet | sdh}
Clock Distribution
Clocking distribution in the CEoP SPA can be done in these ways:
• Synchronous Clocking — With synchronous clocking, TDM lines on source and destination are
synchronized to the same clock delivered by some means of physical clock distribution
(SONET/SDH, BITS, GPS, and so on). The clock to the particular TDM line can be delivered from
– Line: the transmit clock is from the receiver of the same physical line
– Internal: the transmit clock is taken from line card and can be derived either from an internal
free running oscillator or from another physical line
– Recovered: in-band pseudowire-based active clock recovery on a CEM interface, which is used
to drive the transmit clock.
The number of recovered clocks that can be configured for the CEoP SPA is:
– Cisco 1-port Channelized OC3/STM-1 Circuit Emulation and Channelized ATM SPA: 10
clocks per SPA in the T1/E1 mode.
• Adaptive Clocking — Adaptive clocking is used when the routers do not have a common clock
source. See Figure 31. The clock is derived based on packet arrival rates. Two major types of
adaptive clock recovery algorithms are:
– Based on dejitter buffer fill level
– Based on packet arrival rate
The clock quality depends on packet size; adaptive recovery is less tolerant of packet loss or corruption
and introduces additional delay, because a sufficient number of packets must be held in the buffer for
clock recovery. The dejitter buffer size determines the ability of the emulated circuit to tolerate network
jitter. The dejitter buffer in CEoP software is configurable up to a maximum of 500 milliseconds.
Note The CEoP SPA hardware supports only the packet arrival rate algorithm.
Figure 31 Adaptive Clock Recovery
[Figure 31: a TDM service clock feeds the TDM line on one side; two IWFs are joined across a packet switched network; on the far side the TDM timing is recovered by adaptive clock recovery.]
• Differential clocking — Differential clocking is used when the cell site and aggregation routers have
a common clock source but TDM lines are clocked by a different source. The TDM clocks are
derived from differential information in the RTP header of the packet with respect to the common
clock. Differential clock recovery is based on time stamps received in the RTP header. On the master
side, the difference between the TDM clock and the network clock is recorded in the RTP header. On
the slave side, these timestamps are read from the RTP header, the clock recovery is done, and this
clock is used for synchronization. See Figure 32.
Note The Cisco 1-port Channelized OC3/STM-1 CEoP SPA hardware can recover only a maximum of ten
unique clocks in as many CEM interfaces. The CEM interfaces where clock recovery is configured must
be on unique T1s.
Figure 32 Differential Clock Recovery
[Figure 32: a TDM service clock feeds the TDM line on one side; two IWFs exchange differential timing messages across a packet switched network; on the far side the TDM timing is recovered from the differential timing messages. Each IWF is synchronized from a synchronization network PRC/PRS, and the two PRS/PRCs may also originate from the same source.]
For information on CEM configuration and commands, see the Implementing Point to Point Layer 2 Services
module in the Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services
Configuration Guide and the Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet
Services Command Reference.
For a sample CEM interface configuration, refer to Circuit Emulation Interface Configuration: Examples,
page 376.
How to implement CEM
This section contains the following procedures:
• Configuring SONET VT1.5-Mapped T1 Channels and Creating CEM Interface, page 356
• Configuring SDH AU-3 Mapped to C11-T1 or C12-E1, page 359
• Configuring CEM Interface, page 365
• Configuring Clocking, page 373
Configuring SONET VT1.5-Mapped T1 Channels and Creating CEM Interface
In the case of Cisco 1-port Channelized OC3/STM-1 CEoP SPA, the STS stream can be channelized into
the VT1.5 mapped T1 channel.
This task explains how to configure a SONET line into VT-mapped T1 Channels.
Prerequisites
None.
Restrictions
Channelized SONET STS stream with VT1.5-T1 mapping is supported on the following SPA:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
SUMMARY STEPS
1. configure
2. hw-module subslot node-id cardtype type
3. commit
4. controller sonet interface-path-id
5. sts number
6. mode mode
7. root
8. controller t1 interface-path-id
9. cem-group unframed
10. controller t1 interface-path-id
11. cem-group framed group-number timeslots range1-range2
12. no shutdown
13. end
or
commit
14. show runn interface cem interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 hw-module subslot node-id cardtype
{sonet| sdh}
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
hw-module subslot 0/3/0 sonet
Configures the controller for SONET framing.
SONET framing (sonet) is the default. Whenever the framing mode
(sonet/sdh) is changed, the SPA is reloaded automatically. The reload
happens only when all CEM interface, T1 controller and SONET controller
configurations have been removed completely. This does not apply the
first time you configure the cardtype, because no T1 controller or
interface configuration exists yet.
This configuration is mandatory for the CEoP SPA to work normally in
one of the framing modes. Configuring the cardtype for the first time
does not cause a SPA reload if the cardtype is set to sonet.
Step 3 commit
Use the commit command to save the configuration changes to the
running configuration file and remain within the configuration
session.
Step 4 controller sonet interface-path-id
Enters controller configuration submode and specifies the SONET
controller name and instance identifier with the
rack/slot/module/port/controllerName notation.
Step 5 sts number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# sts
1
Configures the STS stream specified by number. The range is
from 1 to 3.
Step 6 mode mode
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
mode t1
Sets the mode of interface at the STS level. The possible modes are:
• vt15-t1—SONET path carrying virtual tributary 1.5 T1s
(VT15 T1)
Step 7 root
Example:
RP/0/RSP0/CPU0:router(config-stsPath)#
root
Exits to global configuration mode. Go to step 7 if you want to
create a structure-agnostic CEM interface. Go to step 9 if you want
to create a structure-aware CEM interface.
Step 8 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
t1 0/0/1/0/1/4/1
Enters T1 controller configuration submode and specifies the T1
controller name and interface-path-id with the
rack/slot/module/port/sts-num/vtg-num/T1-num notation.
Step 9 cem-group unframed
Example:
RP/0/RSP0/CPU0:router(config)# cem-group
unframed
Creates a structure-agnostic CEM interface.
Step 10 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
t1 0/0/1/0/1/5/1
Enters T1 controller configuration submode and specifies the T1
controller name and interface-path-id with the
rack/slot/module/port/sts-num/vtg-num/T1-num notation.
Step 11 cem-group framed group-number timeslots
range1-range2
Example:
RP/0/RSP0/CPU0:router(config)# cem-group
framed 0 timeslots 1
Creates a structure-aware CEM interface. The timeslots keyword
specifies the time slots for the interface by range with the
range1-range2 notation.
Step 12 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Configuring SDH AU-3 Mapped to C11-T1 or C12-E1
This section includes the following tasks:
• Configuring SDH AU-3 Mapped to C11-T1 and Creating CEM Interface, page 359
• Configuring SDH AU-3 Mapped to C12-E1 and Creating CEM Interface, page 362
Configuring SDH AU-3 Mapped to C11-T1 and Creating CEM Interface
This task explains how to configure SDH AU-3 with c11-t1 mapping.
Prerequisites
• You should know how to configure the SONET/SDH controller.
Restrictions
Channelized SDH AU-3 with c11-t1 mapping is supported on the following SPA:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
Step 13 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 14 show runn interface cem interface-path-id
Example:
RP/0/RSP0/CPU0:router# show runn
interface cem 0/0/2/0/1/1/1/1:1
Verifies the CEM interface configuration.
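Two sanity checks for the VT1.5-mapped T1 task above, as an added example in Python (not Cisco code): it parses the rack/slot/module/port/sts-num/vtg-num/T1-num controller path against the limits shown in Figure 28 and expands the timeslots argument of cem-group framed. The 24-timeslot T1 limit and the rule that two cem-groups on one T1 must not claim the same DS0 are the example's own assumptions, not statements from this chapter.

```python
"""Sanity-check T1 controller paths and cem-group timeslots for the VT1.5 task.

Added example, not Cisco code. It encodes the SONET hierarchy this chapter
describes for the 1-port channelized OC-3 CEoP SPA: an OC-3 carries STS-1
streams 1 to 3, each STS-1 channelizes into 7 VTGs and each VTG into 4 T1s,
so a T1 controller is named rack/slot/module/port/sts-num/vtg-num/T1-num
(for example 0/0/1/0/1/4/1). A "cem-group framed ... timeslots" argument is
a single DS0 number or a range1-range2 pair.
"""
from __future__ import annotations

from dataclasses import dataclass

STS_RANGE = range(1, 4)    # sts number: 1 to 3 (Step 5)
VTG_RANGE = range(1, 8)    # 7 VTGs per STS-1 (Figure 28)
T1_RANGE = range(1, 5)     # 4 T1s per VTG (Figure 28)
T1_MAX_TIMESLOT = 24       # DS0 timeslots on a T1: assumption (standard T1), not from the chapter


@dataclass(frozen=True)
class T1Path:
    rack: int
    slot: int
    module: int
    port: int
    sts: int
    vtg: int
    t1: int

    def __str__(self) -> str:
        return "/".join(str(v) for v in (self.rack, self.slot, self.module,
                                          self.port, self.sts, self.vtg, self.t1))


def parse_t1_path(path: str) -> T1Path:
    """Parse a VT1.5-mapped T1 interface-path-id and range-check the SONET fields.
    Raises ValueError naming the offending field so a config audit can report it."""
    fields = path.strip().split("/")
    if len(fields) != 7:
        raise ValueError(f"{path!r}: expected rack/slot/module/port/sts/vtg/t1")
    try:
        values = [int(f) for f in fields]
    except ValueError:
        raise ValueError(f"{path!r}: every field must be an integer") from None
    p = T1Path(*values)
    for name, value, allowed in (("sts", p.sts, STS_RANGE),
                                 ("vtg", p.vtg, VTG_RANGE),
                                 ("t1", p.t1, T1_RANGE)):
        if value not in allowed:
            raise ValueError(f"{path!r}: {name} {value} not in "
                             f"{allowed.start}-{allowed.stop - 1}")
    return p


def parse_timeslots(spec: str, max_slot: int = T1_MAX_TIMESLOT) -> frozenset[int]:
    """Expand the timeslots argument of 'cem-group framed': '1' or '2-3'."""
    lo, sep, hi = spec.strip().partition("-")
    start = int(lo)
    end = int(hi) if sep else start
    if not (1 <= start <= end <= max_slot):
        raise ValueError(f"timeslots {spec!r}: must lie within 1-{max_slot} "
                         "and be written low-high")
    return frozenset(range(start, end + 1))


def t1s_per_port() -> int:
    """Number of T1 controllers one fully channelized OC-3 port exposes (3 x 7 x 4)."""
    return len(STS_RANGE) * len(VTG_RANGE) * len(T1_RANGE)


def check_cem_groups(groups: list[tuple[str, str]]) -> dict[str, frozenset[int]]:
    """Validate (t1-path, timeslots) pairs as typed into 'cem-group framed' and
    reject two groups on the same T1 that claim the same DS0. The overlap rule
    is this example's own assumption; the chapter does not state it."""
    seen: dict[str, frozenset[int]] = {}
    for path, spec in groups:
        key = str(parse_t1_path(path))
        slots = parse_timeslots(spec)
        clash = seen.get(key, frozenset()) & slots
        if clash:
            raise ValueError(f"T1 {key}: timeslots {sorted(clash)} already in a cem-group")
        seen[key] = seen.get(key, frozenset()) | slots
    return seen


if __name__ == "__main__":
    # Constructed input mirroring Steps 8 to 11 of the task above.
    print(check_cem_groups([("0/0/1/0/1/4/1", "1"), ("0/0/1/0/1/5/1", "2-3")]))
    print(t1s_per_port(), "T1s per fully channelized OC-3 port")
```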
SUMMARY STEPS
1. configure
2. hw-module subslot node-id cardtype type
3. commit
4. controller sonet interface-path-id
5. au number
6. mode mode
7. root
8. controller t1 interface-path-id
9. cem-group unframed
10. controller t1 interface-path-id
11. cem-group framed group-number timeslots range1-range2
12. no shutdown
13. end
or
commit
14. show runn interface cem interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 hw-module sub-slot node-id cardtype type
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
hw-module sub-slot <> cardtype sdh
Configures the controller for Synchronous Digital Hierarchy
(SDH) framing. The hw-module subslot node-id cardtype type
command configures the SPA to function in sonet/sdh mode.
This command when committed results in automatic reload of SPA.
Reload happens only when all the CEM interface, T1 Controller
and Sonet Controller configurations are removed completely. This
is not applicable when you configure the first time because T1
controller and interface configurations would not exist.
This configuration is mandatory for CEoP SPA to work normally
in one of the framing modes. SONET framing (sonet) is the
default.
Step 3 commit
Use the commit command to save the configuration changes to the
running configuration file and remain within the configuration
session.
Step 4 controller sonet interface-path-id
Enters controller configuration submode and specifies the SDH
controller name and instance identifier with the
rack/slot/module/port/controllerName notation.
Step 5 au number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# au 1
Specifies the administrative unit (AU) group and enters AU path
configuration mode. For AU-3, the valid range is:
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
Note The au command does not specify the AU type. It specifies
the number of the AU group for the AU type that you want
to configure. The range for the AU command varies based
on whether you are configuring AU-3 or AU-4.
Step 6 mode mode
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
mode c11-t1
Sets the mode of interface at the AU level. AU-3 paths can be
mapped to c11-t1 on supported SPAs.
Step 7 root
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
root
Exits to global configuration mode.
Step 8 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
T1 0/0/2/0/1/1/4
Enters T1 controller configuration submode and specifies the T1
controller name and interface-path-id with the
rack/slot/module/port/auNum/t1Num notation.
Step 9 cem-group unframed
Example:
RP/0/RSP0/CPU0:router(config)# cem-group
unframed
Creates a structure-agnostic CEM interface.
Step 10 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
t1 0/0/2/0/1/1/7
Enters T1 controller configuration submode and specifies the T1
controller name and interface-path-id with the
rack/slot/module/port/auNum/t1Num notation.
Step 11 cem-group framed group-number timeslots
range1-range2
Example:
RP/0/RSP0/CPU0:router(config)# cem-group
framed 1 timeslots 2-3
Creates a structure-aware CEM interface. The timeslots keyword
specifies the time slots for the interface by range with the
range1-range2 notation.
Step 12 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 13 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Step 14 show runn interface cem interface-path-id
Example:
RP/0/RSP0/CPU0:router# show runn
interface cem 0/0/2/0/1/1/1/1:1
Verifies the CEM interface configuration.
Configuring SDH AU-3 Mapped to C12-E1 and Creating CEM Interface
This task explains how to configure SDH AU-3 with c12-e1 mapping.
Prerequisites
• You should know how to configure the SONET/SDH controller.
Restrictions
Channelized SDH AU-3 with c12-e1 mapping is supported on the following SPA:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
SUMMARY STEPS
1. configure
2. hw-module subslot node-id cardtype type
3. commit
4. controller sonet interface-path-id
5. au number
6. mode tug3
7. width number
8. tug3 number
9. mode mode
10. root
11. controller e1 interface-path-id
12. cem-group unframed
13. controller e1 interface-path-id
14. cem-group framed group-number timeslots range1-range2
15. no shutdown
16. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 hw-module sub-slot node-id cardtype type
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
hw-module sub-slot <> cardtype sdh
Configures the controller framing for Synchronous Digital
Hierarchy (SDH) framing. The hw-module subslot node-id
cardtype type command configures the SPA to function in
sonet/sdh mode. This command when committed results in
automatic reload of SPA. Reload happens only when all the CEM
interface, E1 Controller and Sonet Controller configurations are
removed completely.
Step 3 commit
Use the commit command to save the configuration changes to the
running configuration file and remain within the configuration
session.
Step 4 controller sonet interface-path-id
Enters controller configuration submode and specifies the SDH
controller name and instance identifier with the
rack/slot/module/port/controllerName notation.
Step 5 au number
Example:
RP/0/RSP0/CPU0:router(config-sonet)# au 1
Specifies the administrative unit (AU) group and enters AU path
configuration mode. For AU-3, the valid range is:
• 1 to 3—1-Port Channelized OC-3/STM-1 SPA
Note The au command does not specify the AU type. It specifies
the number of the AU group for the AU type that you want
to configure. The range for the AU command varies based
on whether you are configuring AU-3 or AU-4.
Step 6 mode tug3
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
mode tug3
Sets the mode of interface at the AU level. Currently only TUG3 is
supported.
Step 7 width number
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
width 3
Configures the number of the AU streams.
Step 8 tug3 number
Example:
RP/0/RSP0/CPU0:router(config-auPath)#tug3
1
Specifies the Tributary Unit Group (TUG) number and enters the
config-tug3Path mode. The range is 1 to 3.
Step 9 mode mode
Example:
RP/0/RSP0/CPU0:router(config-tug3Path)#
mode c12-e1
Sets the mode of interface at the tug3 level. The modes are:
• c12-e1—TUG-3 path carrying TU-12 to E1
Step 10 root
Example:
RP/0/RSP0/CPU0:router(config-auPath)#
root
Exits to global configuration mode.
Step 11 controller e1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
E1 0/0/2/0/1/1/1
Enters E1 controller configuration submode and specifies the E1
controller name and interface-path-id with the
rack/slot/module/port/auNum/tugNum/t1Num notation.
Step 12 cem-group unframed
Example:
RP/0/RSP0/CPU0:router(config)# cem-group
unframed
Creates a structure-agnostic CEM interface.
Step 13 controller e1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
E1 0/0/2/0/1/1/7
Enters E1 controller configuration submode and specifies the E1
controller name and interface-path-id with the
rack/slot/module/port/auNum/tugNum/t1Num notation.
Step 14 cem-group framed group-number timeslots
range1-range2
Example:
RP/0/RSP0/CPU0:router(config)# cem-group
framed 0 timeslots 1
Creates a structure-aware CEM interface.
Step 15 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the
forced administrative down on the interface, enabling it to
move to an up or down state (assuming that the parent
SONET layer is not configured administratively down).
Step 16 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Configuring CEM Interface
This section provides information about how to configure CEM. CEM provides a bridge between a
time-division multiplexing (TDM) network and a packet network using Multiprotocol Label Switching
(MPLS). The router encapsulates the TDM data in the MPLS packets and sends the data over a CEM
pseudowire to the remote provider edge (PE) router.
The following sections describe how to configure CEM:
• Configuration Guidelines and Restrictions
• Configuring a Global CEM Class
• Attaching a CEM Class
• Configuring Payload Size
• Setting the Dejitter Buffer Size
• Setting an Idle Pattern
• Enabling Dummy Mode
• Setting a Dummy Pattern
Configuration Guidelines and Restrictions
Not all combinations of payload size and dejitter buffer size are supported. If you apply an incompatible
payload size or dejitter buffer configuration, the router rejects it and reverts to the previous
configuration.
Configuring a Global CEM Class
This task explains how to configure a global CEM class.
Note Any interface configuration would have higher precedence over configuration applied through attaching
a CEM class. Also, CEM class attached to an interface would have higher precedence than CEM class
attached to the parent controller. For example, if the dummy pattern value of 0xcf is applied directly to
an interface and then a CEM class which contains dummy pattern value of 0xaa is attached to the same
interface, then the dummy pattern value would be 0xcf. The new configuration would not be applied
until the dummy pattern value applied directly to the interface is removed.
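The precedence rule in the Note above, as an added Python example (not Cisco code): it resolves which value of each CEM parameter is in effect on a CEM interface, with a value typed directly on the interface beating a class attached to the interface, which beats a class attached to the parent controller, and replays the 0xcf/0xaa dummy pattern scenario. The class, controller and interface names are constructed for illustration.

```python
"""Resolve which CEM parameter value is in effect on a CEM interface.

Added example, not Cisco code. It models the precedence rule stated in the
Note: a value configured directly on the interface wins over a CEM class
attached to the interface, which wins over a CEM class attached to the
parent T1/E1 controller, and a lower-precedence value only takes effect
once the higher-precedence one has been removed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Parameters a CEM class can carry, per the "Configuring a Global CEM Class" steps.
CEM_PARAMS = ("payload", "dejitter", "idle_pattern", "dummy_mode", "dummy_pattern")


@dataclass
class CemClass:
    name: str
    settings: Dict[str, object] = field(default_factory=dict)


@dataclass
class Controller:
    name: str                             # constructed, e.g. "T1 0/0/1/0/1/4/1"
    attached: Optional[CemClass] = None   # "cem class-attach" under the controller


@dataclass
class CemInterface:
    name: str                             # constructed, e.g. "cem 0/0/1/0/1/4/1:0"
    parent: Controller
    direct: Dict[str, object] = field(default_factory=dict)  # values typed on the interface
    attached: Optional[CemClass] = None   # "cem class-attach" under the interface


def effective_config(intf: CemInterface) -> Dict[str, Tuple[object, str]]:
    """Return {param: (value, source)} for every parameter set at any level.
    Layers are searched in precedence order, so the first hit wins."""
    layers = [("interface", intf.direct)]
    if intf.attached is not None:
        layers.append((f"class {intf.attached.name} on interface", intf.attached.settings))
    if intf.parent.attached is not None:
        layers.append((f"class {intf.parent.attached.name} on controller",
                       intf.parent.attached.settings))
    result: Dict[str, Tuple[object, str]] = {}
    for param in CEM_PARAMS:
        for source, settings in layers:
            if param in settings:
                result[param] = (settings[param], source)
                break
    return result


def unset_direct(intf: CemInterface, param: str) -> None:
    """Model removing a value configured directly on the interface ('no ...');
    only then does the value from an attached class apply."""
    intf.direct.pop(param, None)


def worked_example() -> Tuple[object, object]:
    """The Note's scenario: dummy pattern 0xcf applied directly to the interface,
    then a class whose dummy pattern is 0xaa attached to the same interface."""
    ctrl = Controller("T1 0/0/1/0/1/4/1")                      # constructed name
    intf = CemInterface("cem 0/0/1/0/1/4/1:0", ctrl,           # constructed name
                        direct={"dummy_pattern": 0xCF})
    intf.attached = CemClass("Default", {"dummy_mode": "user-defined",
                                         "dummy_pattern": 0xAA})
    before = effective_config(intf)["dummy_pattern"][0]  # interface value still wins
    unset_direct(intf, "dummy_pattern")                  # remove the direct value
    after = effective_config(intf)["dummy_pattern"][0]   # now the class value applies
    return before, after


if __name__ == "__main__":
    print([hex(v) for v in worked_example()])
```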
SUMMARY STEPS
1. configure
2. cem class class-name
3. payload value
4. dejitter value
5. idle pattern value
6. dummy mode {last-frame|user-defined}
7. dummy pattern value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 cem class class-name
Example:
RP/0/RSP0/CPU0:router(config)# cem class
Default
Creates a new CEM class.
Step 3 payload value
Example:
RP/0/RSP0/CPU0:router(config-cem-class)#
payload 512
Specifies the payload size for the CEM class.
Step 4 dejitter value
Example:
RP/0/RSP0/CPU0:router(config-cem-class)#
dejitter 10
Specifies the dejitter buffer size for the CEM class.
Step 5 idle pattern value
Example:
RP/0/RSP0/CPU0:router(config-cem-class)#
idle pattern 0x55
Specifies the idle pattern value for the CEM class.
Step 6 dummy mode
Example:
RP/0/RSP0/CPU0:router(config-cem-class)#
dummy mode last-frame
Enter the dummy mode for the CEM class. The options are
last-frame or user-defined.Configuring Circuit Emulation over Packet on the Cisco ASR 9000 Series Router
How to implement CEM
HC-368
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-01
Step 7 dummy pattern value
Example:
RP/0/RSP0/CPU0:router(config-cem-class)# dummy pattern
Specifies the dummy pattern value for the CEM class. This value is applied only when the dummy mode
is user-defined.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-cem-class)# end
or
RP/0/RSP0/CPU0:router(config-cem-class)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the
configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and
remain within the configuration session.
Attaching a CEM Class
This task explains how to attach a global CEM class.
Note You can attach a CEM class either to a CEM interface or to a T1/E1 controller.
SUMMARY STEPS
1. configure
2. interface cem interface-path-id (or) controller {t1|e1} rack/slot/subslot/port
3. cem class-attach class-name
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface cem interface-path-id (or) controller {t1|e1} interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1 0/0/2/0/1/1
Specifies the CEM interface or the T1/E1 controller.
Step 3 cem class-attach class-name
Example:
RP/0/RSP0/CPU0:router(config)# cem class-attach Default
Attaches the CEM class to an interface or controller.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-cem-class)# end
or
RP/0/RSP0/CPU0:router(config-cem-class)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the
configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and
remain within the configuration session.
Configuring Payload Size
To specify the number of bytes encapsulated into a single IP packet, use the cem payload command. The
size argument specifies the number of bytes in the payload of each packet. The range is from 32 to 1312
bytes.
Default payload sizes for an unstructured CEM channel are as follows:
• E1 = 256 bytes
• T1 = 192 bytes
• E3 = 1024 bytes
• T3 = 1024 bytes
Default payload sizes for a structured CEM channel depend on the number of time slots that constitute
the channel. Payload (L in bytes), number of time slots (N), and packetization delay (D in milliseconds)
have the following relationship: L = 8*N*D.
The default payload size is calculated from the packetization latency, which depends on the number of
time slots the CEM interface represents. The relationship between the number of time slots and the
packetization latency is as follows:
• For N = 1, D is 8 milliseconds (with a corresponding packet payload size of 64 bytes)
• For 2 <= N <= 4, D is 4 milliseconds (with a corresponding packet payload size of 32*N bytes)
• For N >= 5, D is 1 millisecond (with a corresponding packet payload size of 8*N octets).
Support of 5 ms packetization latency for N = 1 is recommended.
Setting the Dejitter Buffer Size
To specify the size of the dejitter buffer used to compensate for the network filter, use the cem dejitter
command. The configured dejitter buffer size is converted from milliseconds to packets and rounded up
to the next integral number of packets. Use the size argument to specify the size of the buffer, in
milliseconds. The range is from 1 to 500 ms. The following is an example:
Router(config-cem)# cem dejitter 5
The default dejitter buffer for a CEM channel, irrespective of CESoPSN or SAToP, is as follows:
• E1 = 16 milliseconds
• T1 = 16 milliseconds
• E3 = 5 milliseconds
• T3 = 5 milliseconds
Note Refer to Table 6, Table 7, and Table 8 for the relationship between payload and dejitter buffer on
SAToP T1/E1, T3/E3, and CESoPSN lines. Configure the payload and dejitter values within the minimum
and maximum values given in those tables.
Note The maximum and minimum dejitter buffer values (that is, the dejitter range) are fixed for a given
payload value.
Setting an Idle Pattern
To specify an idle pattern, use the [no] cem idle pattern pattern command. The payload of each lost
CESoPSN data packet must be replaced with the equivalent amount of the replacement data. The range
for pattern is from 0x0 to 0xff; the default idle pattern is 0xff. This is an example:
Router(config-cem)# cem idle pattern 0xff
If the expected CEM packets are not received for a given CEM interface and are considered as being lost,
then the CEoP SPA will play out the idle pattern towards the TDM attachment circuit in the respective
timeslots configured in the CEM group.
Enabling Dummy Mode
Dummy mode enables a bit pattern for filling in for lost or corrupted frames. To enable dummy mode,
use the cem dummy mode [last-frame | user-defined] command. The default is last-frame. This is an
example:
Router(config-cem)# cem dummy mode last-frame
When packets are lost due to misordering or where reordering of packets is not successful, the CEoP
SPA will play out the Dummy pattern towards the TDM attachment circuit in respective timeslots
configured in the CEM group.
Setting a Dummy Pattern
If dummy mode is set to user-defined, you can use the cem dummy-pattern command to configure the
dummy pattern. The range for pattern is from 0x0 to 0xff. The default dummy pattern is 0xff. This is an
example:
Router(config-cem)# cem dummy-pattern 0xff
Table 6 shows the relationship between payload and dejitter for T1/E1 SAToP lines. In Tables 6 and 7, the
first three value columns give the payload and jitter limits at the maximum payload and the last three
give them at the minimum payload; payload is in bytes and jitter in milliseconds.
Table 6 T1/E1 SAToP lines: Payload and Jitter Limits
Line  Max Payload  Max Jitter  Min Jitter  Min Payload  Max Jitter  Min Jitter
T1    960          320         10          192          64          2
E1    1280         320         10          256          64          2
Table 7 shows the relationship between payload and dejitter for T3/E3 SAToP lines.
Table 7 T3/E3 SAToP lines: Payload and Jitter Limits
Line  Max Payload  Max Jitter  Min Jitter  Min Payload  Max Jitter  Min Jitter
T3    1312         8           2           672          8           2
E3    1312         16          2           512          8           2
Table 8 shows the relationship between payload and dejitter for DS0 lines (limits at the maximum payload
first, then at the minimum payload; payload in bytes, jitter in milliseconds).
Table 8 CESoPSN DS0 Lines: Payload and Jitter Limits
DS0  Max Payload  Max Jitter  Min Jitter  Min Payload  Max Jitter  Min Jitter
1    40           320         10          32           256         8
2    80           320         10          32           128         4
3    120          320         10          33           128         4
4    160          320         10          32           64          2
5    200          320         10          40           64          2
6    240          320         10          48           64          2
7    280          320         10          56           64          2
8    320          320         10          64           64          2
9    360          320         10          72           64          2
10   400          320         10          80           64          2
11   440          320         10          88           64          2
12   480          320         10          96           64          2
13   520          320         10          104          64          2
14   560          320         10          112          64          2
15   600          320         10          120          64          2
16   640          320         10          128          64          2
17   680          320         10          136          64          2
18   720          320         10          144          64          2
19   760          320         10          152          64          2
20   800          320         10          160          64          2
21   840          320         10          168          64          2
22   880          320         10          176          64          2
23   920          320         10          184          64          2
24   960          320         10          192          64          2
25   1000         320         10          200          64          2
26   1040         320         10          208          64          2
27   1080         320         10          216          64          2
28   1120         320         10          224          64          2
29   1160         320         10          232          64          2
30   1200         320         10          240          64          2
31   1240         320         10          248          64          2
32   1280         320         10          256          64          2
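The payload relationship L = 8*N*D, the millisecond-to-packet rounding of the dejitter buffer, and the limits in Tables 6 to 8 can be checked offline before a configuration is pushed (the router rejects an incompatible payload/dejitter pair and reverts). The following script is an added example, not code from this guide or from Cisco; the bytes-per-millisecond line rates it uses are assumed from the nominal DS0/T1/E1/T3/E3 rates, which the guide does not state.

```python
"""Sanity checks for CEM payload and dejitter settings (CESoPSN and SAToP)."""
import math

# Bytes of TDM data per millisecond for each line type. Assumed from the
# nominal line rates (one DS0 is 64 kbit/s, T1 1544 kbit/s, E1 2048 kbit/s,
# T3 44736 kbit/s, E3 34368 kbit/s); the guide itself does not list them.
BYTES_PER_MS = {"DS0": 8, "T1": 193, "E1": 256, "T3": 5592, "E3": 4296}

# Tables 6 and 7 (SAToP): limits at the maximum payload and at the minimum
# payload, each as (payload bytes, max jitter ms, min jitter ms).
SATOP_LIMITS = {
    "T1": ((960, 320, 10), (192, 64, 2)),
    "E1": ((1280, 320, 10), (256, 64, 2)),
    "T3": ((1312, 8, 2), (672, 8, 2)),
    "E3": ((1312, 16, 2), (512, 8, 2)),
}

# Table 8 (CESoPSN, N DS0 timeslots): the maximum-payload side is always
# (40*N, 320, 10); the minimum-payload side is irregular for N <= 4 and
# (8*N, 64, 2) from N = 5 upwards.
_DS0_MIN_SIDE = {1: (32, 256, 8), 2: (32, 128, 4), 3: (33, 128, 4), 4: (32, 64, 2)}


def cesopsn_limits(n):
    """Table 8 row for N timeslots, in the same shape as the SATOP_LIMITS values."""
    if not 1 <= n <= 32:
        raise ValueError("a CESoPSN group carries 1 to 32 DS0 timeslots")
    return (40 * n, 320, 10), _DS0_MIN_SIDE.get(n, (8 * n, 64, 2))


def default_packetization_delay_ms(n):
    """Default D (ms) for a structured channel of N timeslots, as the guide gives it."""
    if n == 1:
        return 8
    if n <= 4:
        return 4
    return 1


def default_payload(n):
    """Default CESoPSN payload in bytes: L = 8 * N * D."""
    return 8 * n * default_packetization_delay_ms(n)


def packet_interval_ms(line, payload, n=1):
    """Milliseconds of TDM data carried by one packet of `payload` bytes."""
    return payload / (BYTES_PER_MS[line] * n)


def dejitter_packets(line, payload, dejitter_ms, n=1):
    """Dejitter buffer in packets: the ms value rounded up to whole packets."""
    return math.ceil(dejitter_ms / packet_interval_ms(line, payload, n))


def check_cem(line, payload, dejitter_ms, n=1):
    """Check a payload/dejitter pair against the command ranges and Tables 6-8.

    `line` is "DS0" (CESoPSN, with `n` timeslots) or one of T1/E1/T3/E3
    (SAToP). Returns a list of findings; an empty list means nothing to flag.
    Findings starting with "info:" are advisory only.
    """
    findings = []
    if not 32 <= payload <= 1312:
        findings.append(f"payload {payload} is outside the cem payload range 32..1312 bytes")
    if not 1 <= dejitter_ms <= 500:
        findings.append(f"dejitter {dejitter_ms} ms is outside the cem dejitter range 1..500 ms")
    if line == "DS0":
        (pmax, jmax_hi, jmin_hi), (pmin, jmax_lo, jmin_lo) = cesopsn_limits(n)
    else:
        (pmax, jmax_hi, jmin_hi), (pmin, jmax_lo, jmin_lo) = SATOP_LIMITS[line]
    if not pmin <= payload <= pmax:
        findings.append(f"payload {payload} is outside the tabulated range {pmin}..{pmax} bytes")
    # The tables give jitter limits only at the two payload endpoints.
    elif payload == pmax and not jmin_hi <= dejitter_ms <= jmax_hi:
        findings.append(f"dejitter {dejitter_ms} ms is outside {jmin_hi}..{jmax_hi} ms at maximum payload")
    elif payload == pmin and not jmin_lo <= dejitter_ms <= jmax_lo:
        findings.append(f"dejitter {dejitter_ms} ms is outside {jmin_lo}..{jmax_lo} ms at minimum payload")
    elif pmin < payload < pmax:
        findings.append("info: jitter limits for an intermediate payload are not tabulated; verify on the router")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the E1 SAToP defaults, a 24-DS0 CESoPSN group at its
    # minimum payload, and a deliberately bad E1 pair (5 ms at 1280 bytes).
    print(default_payload(24), dejitter_packets("E1", 256, 16))
    print(check_cem("E1", 256, 16))
    print(check_cem("DS0", 192, 64, n=24))
    print(check_cem("E1", 1280, 5))
```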
Configuring Clocking
Each SPA port is configured either to use the system clock from the host card or to be loop-timed
independently. Each SPA also supplies a reference clock to the host, which can be selected from among the
received port clocks. This section provides information about how to configure clocking on the 1xOC3
SPA.
This section describes the following topics:
• Configuring Clock Recovery
• Verifying Clock recovery
Configuring Clock Recovery
When configuring clock recovery, consider the following guidelines:
Adaptive Clock Recovery
• Clock source:
– In Cisco IOS XR Release 4.2.0 and later, recovered clock from a CEM interface on the 1-Port
Channelized OC-3/STM1 CEoP SPA can be used as a clock source on the SPA itself.
• Number of clock sources allowed:
– Refer to the section Clock Distribution, page 354 for more information.
• The clock must be the same as used by the router as the network clock. Any pseudowire in this case
can carry the clock.
• The minimum bundle size of CEM pseudowires on the network that delivers robust clock recovery
is 4 DS0s.
• The minimum packet size of CEM pseudowires on the network that delivers robust clock recovery
is 64 bytes.
Differential Clocking
• The maximum number of differential clocks sourced from a 1-Port Channelized OC-3/STM1 CEoP
SPA is 10.
• The 1-Port Channelized OC-3/STM1 CEoP SPA can recover up to 10 T1/E1 clocks.
• There are several bundles sent from the same port. The bundle that is used for carrying the clock of
the port is the first created bundle of the port. Only pseudowires that include the first DS0 of a port
can carry differential clock.
• You must have a Stratum-1 clock, a common clock going to both PE routers. If not, the recovery
will not work as expected.
To configure clock recovery on the CEoP SPA and to apply the recovered clock to the controller, use the
following procedure:
SUMMARY STEPS
1. configure
2. interface cem rack/slot/subslot/port:cem-group
3. transmit-clock differential
4. recover-clock clock-id {adaptive |differential}
5. controller {t1|e1|t3|e3} rack/slot/subslot/port
6. clock source recovered clock-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface cem rack/slot/subslot/port:cem-group
Example:
RP/0/RSP0/CPU0:router(config)# interface cem 0/1/0/0:2
Specifies the complete CEM interface instance.
Step 3 transmit-clock {differential}
Example:
RP/0/RSP0/CPU0:router(config-if)# transmit-clock source internal
Configures the CEM port transmit clock source. This is typically configured at the node acting as
Master to send the clock. This command is not required for Adaptive Clock Recovery.
Step 4 recover-clock clock-id {adaptive | differential}
Example:
RP/0/RSP0/CPU0:router(config-if)# recover-clock clock-id <> adaptive
Specifies the recovered clock number and the clock recovery type. This is typically configured at the
node acting as Slave that recovers the clock from incoming CEM packets from the core.
Step 5 controller name instance
Example:
RP/0/RSP0/CPU0:router(config)# controller t1 0/1/1/0/0/0
Enters controller configuration submode and specifies the controller name and instance identifier with
the rack/slot/module/port/name/instance1/instance2 notation.
Step 6 clock source recovered clock-id
Example:
RP/0/RSP0/CPU0:router(config-t1)# clock source recovered 3
Specifies the recovered clock number. This applies the recovered clock from a CEM interface on a T1/E1
controller.
Verifying Clock recovery
To verify clock recovery, use the show recovered-clock command.
Router# show recovered-clock subslot 0/3/0
Recovered clock status for subslot 0/3/0
----------------------------------------
Clock Mode Port CEM Status Frequency Offset(ppb)
1 ADAPTIVE 0 1 HOLDOVER 0
Router# show recovered-clock
Recovered clock status for subslot 3/0
----------------------------------------
Clock Mode Port CEM Status Frequency Offset(ppb)
1 ADAPTIVE 0 1 ACQUIRING -694
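An added example (not from this guide or from Cisco) that parses the show recovered-clock display above and flags clocks that are in HOLDOVER, still ACQUIRING, or whose frequency offset exceeds an assumed operational threshold; the sample output is constructed from the two displays shown above.

```python
"""Parse 'show recovered-clock' output and flag clocks that are not locked."""
import re

_HEADER_RE = re.compile(r"^Recovered clock status for subslot (\S+)")
# One table row: Clock Mode Port CEM Status Frequency-Offset(ppb)
_ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(-?\d+)$")


def parse_recovered_clock(text):
    """Return one dict per clock row, tagged with the subslot it belongs to."""
    rows, subslot = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER_RE.match(line)
        if header:
            subslot = header.group(1)
            continue
        row = _ROW_RE.match(line)  # the column-title and dashed lines do not match
        if row:
            rows.append({
                "subslot": subslot,
                "clock": int(row.group(1)),
                "mode": row.group(2),
                "port": int(row.group(3)),
                "cem": int(row.group(4)),
                "status": row.group(5),
                "offset_ppb": int(row.group(6)),
            })
    return rows


def unhealthy_clocks(rows, max_abs_offset_ppb=500):
    """Flag clocks in HOLDOVER, still ACQUIRING, or with a large offset.

    The offset threshold is an assumed operational limit, not a value from
    the guide. Returns (row, reason) pairs.
    """
    flagged = []
    for row in rows:
        reasons = []
        if row["status"] == "HOLDOVER":
            reasons.append("holdover: the recovered clock has lost its reference and is running on its last value")
        elif row["status"] == "ACQUIRING":
            reasons.append("still acquiring: the recovered clock is not yet stable")
        if abs(row["offset_ppb"]) > max_abs_offset_ppb:
            reasons.append(f"frequency offset {row['offset_ppb']} ppb exceeds {max_abs_offset_ppb} ppb")
        if reasons:
            flagged.append((row, "; ".join(reasons)))
    return flagged


# Constructed sample output, modelled on the two displays in the guide.
SAMPLE_OUTPUT = """\
Recovered clock status for subslot 0/3/0
----------------------------------------
Clock Mode Port CEM Status Frequency Offset(ppb)
1 ADAPTIVE 0 1 HOLDOVER 0
2 ADAPTIVE 0 2 ACQUIRING -694
"""

if __name__ == "__main__":
    for row, reason in unhealthy_clocks(parse_recovered_clock(SAMPLE_OUTPUT)):
        print(f"subslot {row['subslot']} clock {row['clock']}: {reason}")
```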
Configuration Examples for CEM
This section contains the following examples:
• Circuit Emulation Interface Configuration: Examples, page 376
– Channelized Sonet / SDH Configurations and CEM Interface Creation, page 376
• Clock Recovery: Example, page 378
– Adaptive Clock Recovery Configuration, page 378
– Differential Clock Recovery Configuration, page 378
Circuit Emulation Interface Configuration: Examples
The following example shows a sample CEM interface configuration on the Cisco 1-port Channelized
OC3/STM-1 SPA.
Channelized Sonet / SDH Configurations and CEM Interface Creation
Sonet - T1 Channelization and CEM Interface Creation
hw-module subslot cardtype sonet
controller SONET 0/0/1/0
 sts 1
  mode vt15-t1
 sts 2
  mode vt15-t1
 sts 3
  mode vt15-t1
commit
In case of structure agnostic cem interface:
controller T1 0/0/1/0/1/4/1
 cem-group unframed
In case of structure aware cem interface:
controller T1 0/0/1/0/1/5/1
 cem-group framed 0 timeslots 1
 cem-group framed 1 timeslots 2-3
 cem-group framed 2 timeslots 4-6
 cem-group framed 3 timeslots 7-10
 cem-group framed 4 timeslots 11-15
 cem-group framed 5 timeslots 16-21
 cem-group framed 6 timeslots 22-24
SDH - T1 Channelization and CEM Interface Creation
hw-module subslot cardtype sdh
controller SONET 0/0/2/0
 au 1
  mode c11-t1
 au 2
  mode c11-t1
 au 3
  mode c11-t1
commit
In case of structure agnostic cem interface:
controller T1 0/0/2/0/1/1/4
 cem-group unframed
In case of structure aware cem interface:
controller T1 0/0/2/0/1/7/1
 cem-group framed 0 timeslots 1
 cem-group framed 1 timeslots 2-3
 cem-group framed 2 timeslots 4-6
 cem-group framed 3 timeslots 7-10
 cem-group framed 4 timeslots 11-15
 cem-group framed 5 timeslots 16-21
 cem-group framed 6 timeslots 22-24
SDH - E1 Channelization and CEM Interface Creation
hw-module subslot cardtype sdh
controller SONET 0/0/2/0
 au 1
  mode tug3
  width 3
  tug3 1
   mode c12-e1
  tug3 2
   mode c12-e1
  tug3 3
   mode c12-e1
commit
In case of structure agnostic cem interface:
controller E1 0/0/2/0/1/1/1/1
 cem-group unframed
In case of structure aware cem interface:
controller E1 0/0/2/0/1/1/7/1
 cem-group framed 0 timeslots 1
 cem-group framed 1 timeslots 2-3
 cem-group framed 2 timeslots 4-6
 cem-group framed 3 timeslots 7-10
 cem-group framed 4 timeslots 11-15
 cem-group framed 5 timeslots 16-21
 cem-group framed 6 timeslots 22-31
CEM Interface Configuration
RP/0/RSP0/CPU0:CEOP-01#show runn interface cem 0/0/2/0/1/1/1/1:1
interface CEM0/0/2/0/1/1/1/1:1
l2transport
!
CEM Interface Config Options:
RP/0/RSP0/CPU0:CEOP-01(config)#interface cem 0/0/2/0/1/1/1/1:1
RP/0/RSP0/CPU0:CEOP-01(config-if)#cem ?
  class-attach  Attach a CEM class to this interface
  clock         Configure clocks on this CEM interface
  dejitter      Configure dejitter buffer
  dummy         Configure dummy frame parameters
  idle          Configure idle frame parameters
  payload       Configure payload size of CEM frames
Clock Recovery: Example
Adaptive Clock Recovery Configuration:
(E1 configurations are similar to the T1 configurations given below)
CE1
----
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source internal
PE1 (acts as the source of the clock, but no specific configuration under the CEM interface is needed
here)
----
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source line
PE2 (the PE node where clock recovery is done):
----
To recover the adaptive clock:
Router(config)# interface cem 0/0/2/0/1/1/4:0
Router(config-if)# cem clock recover adaptive
To apply the recovered clock:
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source recovered
CE2
----
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source line
Differential Clock Recovery Configuration:
CE1
----
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source internal
PE1 (acts as the source of the clock)
----
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source line
Router(config)# interface cem 0/0/2/0/1/1/4:0
Router(config-if)# cem clock transmit differential
PE2 (to recover the differential clock):
----
Router(config)# interface cem 0/0/2/0/1/1/4:0
Router(config-if)# cem clock recover differential
To apply the recovered clock:
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# cem clock recovered
CE2
----
Router(config)# controller t1 0/0/2/0/1/1/4
Router(config-t1)# clock source line
Additional References
The following sections provide references to related documents.
Related Documents
Related Topic | Document Title
Cisco IOS XR master command reference | Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands | Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a router using the Cisco IOS XR software | Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide
Information about user groups and task IDs | Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide
Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
MIBs | MIBs Link
• CISCO-SONET-MIB
• ENTITY-MIB
• SONET-MIB (RFC 3592)
The following additional MIBs are supported on the Cisco 1-Port Channelized OC-3/STM-1 SPA on the
Cisco ASR 9000 Series Router:
• CISCO-IF-EXTENSION-MIB
• DS1-MIB
• DS3-MIB
• IF-MIB
| To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs | Title
RFC 5086 | Structure-Aware Time Division Multiplexed (TDM) Circuit Emulation Service over Packet Switched Network (CESoPSN)
RFC 4553 | Structure-Agnostic Time Division Multiplexing (TDM) over Packet (SAToP)
RFC 4197 | Requirements for Edge-to-Edge Emulation of Time Division Multiplexed (TDM) Circuits over Packet Switching Networks
RFC 5287 | Control Protocol Extensions for the Setup of Time-Division Multiplexing (TDM) Pseudowires in MPLS Networks
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
Configuring Clear Channel SONET Controllers on
the Cisco ASR 9000 Series Router
This module describes the configuration of clear channel SONET controllers on the
Cisco ASR 9000 Series Router.
SONET controller configuration is a prerequisite for configuring Inter-Chassis Stateful Switchover
(ICSSO) for Point-to-Point Protocol (PPP) and Multilink PPP (MLPPP), channelized SONET, or serial
interfaces on the Cisco ASR 9000 Series Router.
SONET allows you to define optical signals and a synchronous frame structure for multiplexed digital
traffic. It is a set of standards defining the rates and formats for optical networks specified in American
National Standards Institute (ANSI) T1.105, ANSI T1.106, and ANSI T1.117.
For more information about configuring a channelized SONET controller, see the “Configuring
Channelized SONET/SDH on the Cisco ASR 9000 Series Router” module.
The commands for configuring the Layer 1 SONET controllers are provided in the
Cisco IOS XR Interface and Hardware Component Command Reference.
Feature History for Configuring SONET Controllers on Cisco IOS XR Software
Release Modification
Release 3.9.0 Support for the following SPA was introduced on the
Cisco ASR 9000 Series Router:
• Cisco 2-Port Channelized OC-12c/DS0 SPA
Release 4.0.0 Support for the following SPAs was introduced on the
Cisco ASR 9000 Series Router:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 1-Port OC-192c/STM-64 POS/RPR XFP SPA
• Cisco 2-Port OC-48c/STM-16 POS/RPR SPA
• Cisco 8-Port OC-12c/STM-4 POS SPA
Release 4.0.1 Support for the following SPAs was introduced on the
Cisco ASR 9000 Series Router:
• Cisco 4-Port OC-3c/STM-1 POS SPA
• Cisco 8-Port OC-3c/STM-1 POS SPA
Contents
• Prerequisites for Configuring Clear Channel SONET Controllers, page 382
• Information About Configuring SONET Controllers, page 382
• How to Configure Clear Channel SONET Controllers, page 384
• Configuration Examples for SONET Controllers, page 395
• Additional References, page 396
Prerequisites for Configuring Clear Channel SONET Controllers
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring SONET controllers, be sure that the following tasks and conditions are met:
• You have one of the following SPAs installed:
– Cisco 2-Port Channelized OC-12c/DS0 SPA
– Cisco 1-Port Channelized OC-48/STM-16 SPA
– Cisco 4-Port OC-3c/STM-1 POS SPA
– Cisco 8-Port OC-3c/STM-1 POS SPA
– Cisco 1-Port OC-192c/STM-64 POS/RPR XFP SPA
– Cisco 2-Port OC-48c/STM-16 POS/RPR SPA
– Cisco 8-Port OC-12c/STM-4 POS SPA
• You know how to specify the SONET controller name and instance identifier with the generalized
notation rack/slot/module/port. The SONET controller name and instance identifier are required with
the controller sonet command.
Information About Configuring SONET Controllers
To configure SONET controllers, you must understand the following concepts:
• SONET Controller Overview, page 382
• Default Configuration Values for SONET Controllers, page 383
• SONET APS, page 384
SONET Controller Overview
In routers supporting Cisco IOS XR software, the physical ports on certain line cards are called
controllers. Before you can configure channelized SONET or a serial interface, you need to configure
the SONET controller.
The commands used to configure the physical SONET port are grouped under the SONET controller
configuration mode. To get to the SONET controller configuration mode, enter the controller sonet
command in global configuration mode. You can also preconfigure a SONET controller using the
controller preconfigure sonet global configuration command.
The router uses SONET controllers for Layer 1 and Layer 2 processing.
Default Configuration Values for SONET Controllers
Table 9 describes some default configuration parameters that are present on SONET controllers.
Table 9 SONET Controller Default Configuration Values
Parameter: Reporting of the following alarms for a SONET controller:
• Bit 1 (B1) bit error rate (BER) threshold crossing alert (TCA) errors
• Bit 2 (B2) BER TCA errors
• Signal failure BER errors
• Section loss of frame (SLOF) errors
• Section loss of signal (SLOS) errors
Default Value: enabled
Configuration File Entry: To disable reporting of any alarms enabled by default, use the no report
[b1-tca | b2-tca | sf-ber | slof | slos] command in SONET/SDH configuration mode. To enable reporting
of line alarm indication signal (LAIS), line remote defect indication (LRDI), or signal degradation BER
errors, use the report [lais | lrdi | sd-ber] command in SONET/SDH configuration mode.
Parameter: Reporting of the following alarms for a SONET path controller:
• Bit 3 (B3) BER TCA errors
• Path loss of pointer (PLOP) errors
Default Value: enabled
Configuration File Entry: To disable B3 BER TCA or PLOP reporting on the SONET path controller, enter
the no report b3-tca or no report plop command in SONET/SDH path configuration submode. To enable
reporting of path alarm indication signal (PAIS), path payload mismatch (PPLM), path remote defect
indication (PRDI), or path trace identity mismatch (PTIM) errors, use the report [pais | pplm | prdi |
ptim] command in SONET/SDH path configuration submode.
Parameter: Synchronous payload envelope (SPE) scrambling
Default Value: enabled
Configuration File Entry: To disable SPE scrambling on a SONET controller, enter the path scrambling
disable command in SONET controller configuration submode.
Parameter: Keepalive timer
Default Value: enabled
Configuration File Entry: To turn off the keepalive timer, enter the keepalive disable command in
interface configuration mode.
SONET APS
The automatic protection switching (APS) feature allows switchover of interfaces in the event of failure,
and is often required when connecting SONET equipment to telco equipment. APS refers to the
mechanism of using a protect interface in the SONET network as the backup for working interface. When
the working interface fails, the protect interface quickly assumes its traffic load. The working interfaces
and their protect interfaces make up an APS group.
In Cisco IOS XR software, SONET APS configuration defines a working line and a protection line for
each redundant line pair. The working line is the primary or preferred line, and communications take
place over that line as long as the line remains operative. If a failure occurs on the working line, APS
initiates a switchover to the protection line. For proper APS operation between two routers, a working
line on one router must also be the working line on the other router, and the same applies to the protection
line.
In a SONET APS group, each connection may be bidirectional or unidirectional, and revertive or
non-revertive. The same signal payload is sent to the working and protect interfaces. The working and
protect interfaces terminate in two different routers.
The protect interface directs the working interface to activate or deactivate in the case of degradation,
loss of channel signal, or manual intervention. If communication between the working and protect
interfaces is lost, the working router assumes full control of the working interface as if no protect circuit
existed.
In an APS group, each line is called a channel. In bidirectional mode, the receive and transmit channels
are switched as a pair. In unidirectional mode, the transmit and receive channels are switched
independently. For example, in bidirectional mode, if the receive channel on the working interface has a
loss of channel signal, both the receive and transmit channels are switched.
How to Configure Clear Channel SONET Controllers
This section contains the following procedures:
• Configuring a Clear Channel SONET Controller, page 385
• Configuring SONET APS, page 388
• Configuring a Hold-off Timer to Prevent Fast Reroute from Being Triggered, page 393
Configuring a Clear Channel SONET Controller
This task explains how to configure SONET controllers as a prerequisite to configuring POS or serial
interfaces.
Prerequisites
• You need to have a supported POS SPA or channelized SPA installed in a router that is running the
corresponding supported Cisco IOS XR software release.
• If you want to ensure recovery from fiber or equipment failures, configure SONET APS on the
router as described in the “Configuring SONET APS” section on page 388.
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. clock source {internal | line}
4. line delay trigger value
5. line delay clear value
6. framing {sdh | sonet}
7. loopback {internal | line}
8. overhead {j0 | s1s0} byte-value
9. path keyword [values]
10. end
or
commit
11. show controllers sonet interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller sonet 0/1/0/0
Enters SONET controller configuration submode and specifies the SONET controller name and instance
identifier with the rack/slot/module/port notation.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)# clock source internal
Configures the SONET port transmit clock source, where the internal keyword sets the internal clock and
the line keyword sets the clock recovered from the line.
• Use the line keyword whenever clocking is derived from the network. Use the internal keyword when
two routers are connected back-to-back or over fiber for which no clocking is available.
Note The line clock is the default.
Step 4 line delay trigger value
Example:
RP/0/RSP0/CPU0:router(config-sonet)# line delay trigger 3000
(Optional) Configures the SONET line delay trigger values, where the trigger values are in the range
from 0 through 60000 milliseconds, and the default delay trigger value is 0 milliseconds.
Step 5 line delay clear value
Example:
RP/0/RSP0/CPU0:router(config-sonet)# line delay clear 4000
(Optional) Configures the amount of time before a SONET line delay trigger alarm is cleared. The range
is from 1000 through 180000 milliseconds, and the default is 10 seconds.
Step 6 framing {sdh | sonet}
Example:
RP/0/RSP0/CPU0:router(config-sonet)# framing sonet
(Optional) Configures the controller framing with either the sdh keyword for Synchronous Digital
Hierarchy (SDH) framing or the sonet keyword for SONET framing.
SONET framing (sonet) is the default.
Step 7 loopback {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)# loopback internal
(Optional) Configures the SONET controller for loopback, where the internal keyword selects internal
(terminal) loopback, or the line keyword selects line (facility) loopback.
Step 8 overhead {j0 | s1s0} byte-value
Example:
RP/0/RSP0/CPU0:router(config-sonet)# overhead s1s0
(Optional) Configures the controller’s overhead, where the j0 keyword specifies the STS identifier
(J0/C1) byte, and the s1s0 keyword specifies bits s1 and s0 of the H1 byte.
• The default byte value for the j0 keyword is 0xcc, and the default byte value for the s1s0 keyword
is 0.
• The range of valid values for j0 and s1s0 is 0 through 255.
Step 9 path keyword [values]
Example:
RP/0/RSP0/CPU0:router(config-sonet)#
path delay trigger 25
(Optional) Configures SONET controller path values.
Keyword definitions are as follows:
• ais-shut—Set sending path alarm indication signal (PAIS)
when shut down.
• b3-ber-prdi—Enable sending of a path-level remote defect
indication (PRDI) when the bit error rate (BER) bit interleaved
parity (BIP) threshold is exceeded.
• delay clear value—Set the amount of time before a
Synchronous Transport Signal (STS) path delay trigger alarm
is cleared. Replace the value argument with a number in the
range from 0 through 180000 milliseconds. The default value
is 10 seconds.
• delay trigger value —Set SONET path delay values or delay
trigger value. Replace the value argument with a number in the
range from 0 through 60000 milliseconds. The default value is
0 milliseconds.
• overhead [c2 byte-value | j1 line] —Set SONET POH byte or
bit values. Enter the c2 keyword to specify STS SPE content
(C2) byte, and replace the byte-value argument with a number
in the range from 0 through 255. Enter the j1 keyword to
configure the SONET path trace (J1) buffer, and replace the
line argument with the path trace buffer identifier (in ASCII
text).
• report [b3-tca | pais | plop | pplm | prdi | ptim]—Set SONET
path alarm reporting. Specifies which alarms are reported and
which bit error rate (BER) thresholds will signal an alarm. By
default, B3 BER threshold crossing alert (TCA) and path loss
of pointer (PLOP) reporting are enabled. Specifying the pais
keyword sets PAIS reporting status; pplm sets path payload
mismatch (PPLM) defect reporting status; prdi sets path
remote defect indication reporting status; and ptim sets path
trace identity mismatch (PTIM) defect reporting status.
The no report b3-tca and no report plop commands in
SONET/SDH path configuration submode disable B3 BER
TCA and PLOP reporting status, respectively.
• scrambling disable—Disable SPE scrambling. Note that SPE
scrambling is enabled by default.
• threshold b3-tca BER—Set SONET path BER threshold
value. Replace the BER argument with a number in the range
from 3 through 9. The threshold value is interpreted as a negative
exponent of 10 when determining the bit error rate. For example,
a value of 5 implies a bit error rate of 10 to the minus 5. The
default BER threshold value is 6.
• uneq-shut—Sets sending Unequipped (UNEQ) when shut
down.
Step 10 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 11 show controllers sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers sonet 0/1/0/0
Verifies the SONET controller configuration.
Configuring SONET APS
SONET APS offers recovery from fiber (external) or equipment (interface and internal) failures at the SONET line layer. This task explains how to configure basic automatic protection switching (APS) on the router and how to configure more than one protect or working interface on a router by using the aps group command.
To verify the configuration or to determine whether a switchover has occurred, use the show aps command.
Prerequisites
Before you configure SONET APS, be sure that you have a supported channelized SPA installed in a router that is running Cisco IOS XR software.
On the Cisco ASR 9000 Series Router, you must have a 2-Port Channelized OC-12c/DS0 SPA installed.
Restrictions
Before you configure SONET APS, consider the following restrictions:
• The POS SPAs on the Cisco ASR 9000 Series Router do not support either single-router or multirouter APS.
• The Cisco ASR 9000 Series Router supports multirouter APS on the 2-Port Channelized OC-12c/DS0 SPA.
• For proper APS operation between two routers, a working line on one router must also be the working line on the other router, and the same applies to the protection line.
SUMMARY STEPS
1. configure
2. aps group number
3. channel {0 | 1} local sonet interface
4. Repeat Step 3 for each channel in the APS group.
5. exit
6. interface loopback number
7. ipv4 address ip-address mask
8. exit
9. interface pos interface-path-id
or
interface serial interface-path-id
10. ipv4 address ip-address mask
11. pos crc {16 | 32}
or
crc {16 | 32}
12. encapsulation {frame-relay | hdlc | ppp} (Serial interfaces only)
13. keepalive {interval | disable}[retry]
14. no shutdown
15. Repeat Step 9 to Step 14 for each channel in the group.
16. exit
17. controller sonet interface-path-id
18. ais-shut
19. path scrambling disable
20. clock source {internal | line}
21. Repeat Step 16 to Step 20 for each channel of the group.
22. end
or
commit
23. exit
24. exit
25. show aps
26. show aps group [number]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 aps group number
Example:
RP/0/RSP0/CPU0:router(config)# aps group 1
Adds an APS group with a specified number and enters APS
group configuration mode.
• Use the aps group command in global configuration
mode.
• To remove a group, use the no form of this command,
as in: no aps group number, where the value range is
from 1–255.
Note To use the aps group command, you must be a
member of a user group associated with the proper
task IDs for aps commands.
Note The aps group command is used even when a single
protect group is configured.
Step 3 channel {0 | 1} local sonet interface
Example:
RP/0/RSP0/CPU0:router(config-aps)# channel 0
local SONET 0/0/0/1
Creates a channel for the APS group. 0 designates a protect
channel, and 1 designates a working channel.
Note If the protect channel is local, it must be assigned
using the channel command before any of the
working channels is assigned.
Step 4 Repeat Step 3 for each channel in the group. —
Step 5 exit Exits APS group configuration mode and enters global
configuration mode.
Step 6 interface loopback number
Example:
RP/0/RSP0/CPU0:router(config)# interface
loopback 1
(Optional) Configures a loopback interface if a two-router
APS is desired and enters interface configuration mode for
a loopback interface.
Note In this example, the loopback interface is used as
the interconnect.
Step 7 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address
172.18.0.1 255.255.255.224
Assigns an IPV4 address and subnet mask to the loopback
interface.
Step 8 exit Exits interface configuration mode for a loopback interface,
and enters global configuration mode.
Step 9 interface pos interface-path-id
or
interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface POS
0/2/0/0
or
RP/0/RSP0/CPU0:router(config)# interface serial
0/1/1/0/0/0:0
Connects the interface for the channel selected in Step 3,
and enters interface configuration mode.
For serial interfaces, specifies the complete interface
number with the
rack/slot/module/port/T3Num/T1num:instance notation.
Step 10 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address
172.18.0.1 255.255.255.224
Assigns an IPv4 address and subnet mask to the interface.
Step 11 pos crc {16 | 32}
or
crc {16 | 32}
Example:
RP/0/RSP0/CPU0:router(config-if)# pos crc 32
or
RP/0/RSP0/CPU0:router(config-if)# crc 32
Selects a CRC value for the channel. Enter the 16 keyword
to specify 16-bit CRC mode, or enter the 32 keyword to
specify 32-bit CRC mode. For POS interfaces, the default
CRC is 32. For serial interfaces, the default is 16.
Step 12 encapsulation {frame-relay | hdlc | ppp}
Example:
RP/0/RSP0/CPU0:router(config-if)# encapsulation
ppp
(Serial interfaces only) Set the Layer 2 encapsulation of an
interface.
Step 13 keepalive {interval | disable}[retry]
Example:
RP/0/RSP0/CPU0:router(config-if)# keepalive
disable
Sets the keepalive timer for the channel, where:
• interval—Number of seconds (from 1 to 30) between
keepalive messages. The default is 10.
• disable—Turns off the keepalive timer.
• retry—(Optional) Number of keepalive messages (from
1 to 255) that can be sent to a peer without a response
before transitioning the link to the down state. The
default is 5 for interfaces with PPP encapsulation, and
3 for interfaces with HDLC encapsulation.
The keepalive command does not apply to interfaces using
Frame Relay encapsulation.
Step 14 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes
the forced administrative down on the interface,
enabling that interface to move to an up or down state
(assuming the parent SONET layer is not configured
administratively down).
Step 15 Repeat Step 9 through Step 14 for each channel in the
group.
—
Step 16 exit Exits interface configuration mode, and enters global
configuration mode.
Step 17 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller sonet
0/1/0/0
Enters SONET controller configuration mode and specifies
the SONET controller name and instance identifier with the
rack/slot/module/port notation.
Step 18 ais-shut
Example:
RP/0/RSP0/CPU0:router(config-sonet)# ais-shut
Configures the controller to send a line alarm indication
signal (AIS) when it is shut down.
Step 19 path scrambling disable
Example:
RP/0/RSP0/CPU0:router(config-sonet)# path
scrambling disable
(Optional) Disables synchronous payload envelope (SPE)
scrambling.
Note SPE scrambling is enabled by default.
Step 20 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-sonet)# clock
source internal
Configures the SONET port TX clock source, where the
internal keyword sets the internal clock and the line
keyword sets the clock recovered from the line.
• Use the line keyword whenever clocking is derived
from the network; use the internal keyword when two
routers are connected back-to-back or over fiber for
which no clocking is available.
• The line clock (line) is the default.
Step 21 Repeat Step 16 through Step 20 for each channel in the
group.
—
Step 22 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 23 exit Exits SONET controller configuration mode, and enters global configuration mode.
Step 24 exit Exits global configuration mode, and enters EXEC mode.
Step 25 show aps
Example:
RP/0/RSP0/CPU0:router# show aps
(Optional) Displays the operational status for all configured SONET APS groups.
Step 26 show aps group [number]
Example:
RP/0/RSP0/CPU0:router# show aps group 3
(Optional) Displays the operational status for the specified SONET APS group.
Note The show aps group command is more useful than the show aps command when multiple groups are defined.
Configuring a Hold-off Timer to Prevent Fast Reroute from Being Triggered
When APS is configured on a router, it does not offer protection for tunnels; because of this limitation, fast reroute (FRR) remains the protection mechanism for Multiprotocol Label Switching (MPLS) traffic engineering.
When APS is configured in a SONET core network, an alarm might be generated toward a downstream router. If that downstream router is configured with FRR, you may want to configure a hold-off timer at the SONET level to prevent FRR from being triggered while the core network is performing a restoration. Perform this task to configure the delay.
Prerequisites
Configure SONET APS, as described in the “Configuring SONET APS” section on page 388.
SUMMARY STEPS
1. configure
2. controller sonet interface-path-id
3. line delay trigger value
or
path delay trigger value
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller sonet
0/6/0/0
Enters SONET controller configuration mode.
Step 3 line delay trigger value
or
path delay trigger value
Example:
RP/0/RSP0/CPU0:router(config-sonet)# line delay
trigger 250
or
RP/0/RSP0/CPU0:router(config-sonet)# path delay
trigger 300
Configures SONET port delay trigger values in
milliseconds.
Tip The commands in Step 2 and Step 3 can be
combined in one command string and entered from
global configuration mode, for example: controller
sonet r/s/m/p line delay trigger value or controller
sonet r/s/m/p path delay trigger value.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-sonet)# end
or
RP/0/RSP0/CPU0:router(config-sonet)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuration Examples for SONET Controllers
This section contains the following examples:
• SONET Controller Configuration: Example, page 395
• SONET APS Group Configuration: Example, page 395
SONET Controller Configuration: Example
The following example shows the commands and output generated when you configure a SONET
controller by following the steps outlined in the “Configuring a Clear Channel SONET Controller”
section on page 385. This example shows the usage of every optional command, along with listings of
options within commands where relevant. An actual configuration may or may not include all these
commands.
configure
controller sonet 0/1/0/0
ais-shut
clock source internal
framing sonet
loopback internal
Loopback is a traffic-effecting operation
overhead s1s0 1
path ais-shut
path delay trigger 0
path overhead j1 line l1
path report pais
path scrambling disable
path threshold b3-tca 6
path uneq-shut
report pais
threshold b2-tca 4
commit
SONET APS Group Configuration: Example
The following example shows a two-router (remote) SONET APS configuration.
RP/0/0/CPU0:router(config)# aps group 1
channel 0 local SONET 0/0/0/1
channel 1 remote 172.18.69.123
signalling sonet
commit
show aps
show aps group 3
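As an added example that is not part of the Cisco guide, the following Python encodes the ranges and ordering rules stated in the SONET APS procedure above (aps group number 1 to 255; keepalive interval 1 to 30 seconds with 1 to 255 retries; no keepalive under Frame Relay encapsulation; CRC defaulting to 32 for POS and 16 for serial; a local protect channel assigned before any working channel; and the working and protect lines matching on both routers) and renders the resulting CLI lines, so that an invalid APS configuration is rejected before it is committed. The class names, ConfigError, rejects and peer_consistent are this example's own assumptions, not Cisco IOS XR APIs.

```python
"""Validate and render the channel interface and APS group configuration from
the SONET APS procedure above as Cisco IOS XR CLI text. Added example, not
Cisco code: the classes, function names and ConfigError are this example's own
assumptions; the ranges, defaults and ordering rules come from the Step tables."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Union

# Ranges as stated in Step 2 and Step 13 of the SONET APS procedure.
RANGES = {"aps group": (1, 255), "keepalive interval": (1, 30), "keepalive retry": (1, 255)}

class ConfigError(ValueError):
    """A value or ordering that the procedure says the CLI rejects or APS needs."""

def _check(name: str, value: int) -> int:
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ConfigError(f"{name} {value} outside {lo}-{hi}")
    return value

def rejects(fn: Callable[[], object]) -> bool:
    """True if fn() raises ConfigError; shows what the checks catch."""
    try:
        fn()
    except ConfigError:
        return True
    return False

@dataclass
class ChannelInterface:
    """POS or serial interface for one APS channel (Steps 9 to 14)."""
    path_id: str
    ipv4: str
    mask: str
    crc: Optional[int] = None            # None -> 32 for POS, 16 for serial
    encapsulation: Optional[str] = None  # set only for serial interfaces
    keepalive: Union[int, str, None] = None   # seconds, or "disable"
    retry: Optional[int] = None

    def render(self) -> List[str]:
        serial = self.encapsulation is not None
        crc = self.crc if self.crc is not None else (16 if serial else 32)
        if crc not in (16, 32):
            raise ConfigError("crc must be 16 or 32")
        out = [f"interface {'serial' if serial else 'POS'} {self.path_id}",
               f" ipv4 address {self.ipv4} {self.mask}",
               f" crc {crc}" if serial else f" pos crc {crc}"]
        if serial:
            if self.encapsulation not in ("frame-relay", "hdlc", "ppp"):
                raise ConfigError("encapsulation must be frame-relay, hdlc or ppp")
            out.append(f" encapsulation {self.encapsulation}")
        if self.keepalive is not None:
            if self.encapsulation == "frame-relay":
                raise ConfigError("keepalive does not apply to Frame Relay encapsulation")
            if self.keepalive == "disable":
                out.append(" keepalive disable")
            else:
                line = f" keepalive {_check('keepalive interval', self.keepalive)}"
                if self.retry is not None:
                    line += f" {_check('keepalive retry', self.retry)}"
                out.append(line)
        out.append(" no shutdown")
        return out

@dataclass
class ApsChannel:
    number: int                          # 0 = protect, 1 = working
    local_sonet: Optional[str] = None    # controller on this router
    remote_ip: Optional[str] = None      # peer router (two-router APS)

@dataclass
class ApsGroup:
    number: int
    channels: List[ApsChannel] = field(default_factory=list)

    def render(self) -> List[str]:
        out = [f"aps group {_check('aps group', self.number)}"]
        seen_working = False
        for ch in self.channels:
            if ch.number not in (0, 1) or (ch.local_sonet is None) == (ch.remote_ip is None):
                raise ConfigError("channel needs number 0 or 1 and exactly one of local/remote")
            # Step 3 note: a local protect channel is assigned before any working channel.
            if ch.number == 0 and ch.local_sonet and seen_working:
                raise ConfigError("local protect channel 0 must be assigned before channel 1")
            seen_working = seen_working or ch.number == 1
            out.append(f" channel {ch.number} local SONET {ch.local_sonet}" if ch.local_sonet
                       else f" channel {ch.number} remote {ch.remote_ip}")
        return out

def peer_consistent(a: ApsGroup, b: ApsGroup) -> bool:
    """Restriction for two-router APS: the working and protect lines keep the
    same channel number on both routers, so each channel number is local on
    exactly one router and remote on the other."""
    if a.number != b.number:
        return False
    for n in (0, 1):
        local = [g for g in (a, b) if any(c.number == n and c.local_sonet for c in g.channels)]
        if len(local) != 1:
            return False
    return True
```

The rendered lines are the ones typed in Steps 2 through 14; peer_consistent takes the two routers' groups and reports whether the same channel number is local on exactly one side, which is the check behind the restriction that a working line on one router must be the working line on the other.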
Additional References
The following sections provide references related to SONET controller configuration.
Related Documents
• Cisco IOS XR master command reference: Cisco IOS XR Master Commands List
• Cisco IOS XR interface configuration commands: Cisco IOS XR Interface and Hardware Component Command Reference
• Initial system bootup and configuration information for a router using the Cisco IOS XR Software: Cisco IOS XR Getting Started Guide
• Information about user groups and task IDs: Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
There are no applicable MIBs for this module. To locate and download MIBs for selected platforms using Cisco IOS XR Software, use the Cisco MIB Locator found at the following URL:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Configuring Clear Channel T3/E3 and
Channelized T3 and T1/E1 Controllers on the
Cisco ASR 9000 Series Router
This module describes the configuration of clear channel T3/E3 controllers and channelized T3 and
T1/E1 controllers on the Cisco ASR 9000 Series Aggregation Services Routers.
You must configure the T3/E3 controller before you can configure an associated serial interface.
Feature History for Configuring T3/E3 Controller Interfaces
Release Modification
Release 3.9.0 This feature was introduced on the Cisco ASR 9000 Series Router for the
Cisco 2-Port Channelized OC-12c/DS0 SPA.
Release 4.0.0 Support for the following features was added on the Cisco 2-Port
Channelized OC-12c/DS0 SPA:
• NxDS0 channelization
• Link Noise Monitoring
Support for clear channel T3 controllers on the 1-Port Channelized
OC-48/STM-16 SPA was introduced.
Release 4.0.1 Support for the following SPAs was added:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
Release 4.1.0 • Support for the following SPAs was added:
– Cisco 4-Port Channelized T3/DS0 SPA
– Cisco 8-Port Channelized T1/E1 SPA
• Support for a Link Noise Monitoring enhancement was added on the
Cisco 2-Port Channelized OC-12c/DS0 SPA to set thresholds for noise
errors on T1/E1 links that are used to signal the Noise Attribute to PPP
for removal of an MLPPP bundle link.
Contents
• Prerequisites for Configuring T3/E3 Controllers, page 400
• Information About T3/E3 Controllers and Serial Interfaces, page 400
• How to Configure Clear Channel T3/E3 Controllers and Channelized T1/E1 Controllers, page 409
• Configuration Examples, page 439
• Additional References, page 443
Prerequisites for Configuring T3/E3 Controllers
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring T3/E3 controllers, be sure that you have one of the following supported SPAs
installed in the router:
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
• Cisco 4-Port Channelized T3/DS0 SPA
Note The 4-Port Channelized T3/DS0 SPA can run in clear channel mode, or it can be channelized
into 28 T1 or 21 E1 controllers.
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 8-Port Channelized T1/E1 SPA
• Before you can configure a clear channel T3 controller on the channelized SONET SPAs, you must
configure the SPA for an STS stream channelized for T3. For more information, see the
“Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router” module.
Information About T3/E3 Controllers and Serial Interfaces
The 2-Port and 4-Port Clear Channel T3/E3 SPAs support clear channel services over serial lines only.
The 4-Port Channelized T3/DS0 SPA supports clear channel services and channelized serial lines. If a
controller is not channelized, then it is a clear channel controller, and the full bandwidth of its associated
serial line is dedicated to a single channel that carries serial services.
When a T3 controller is channelized, it is logically divided into smaller bandwidth T1 or E1 controllers,
depending on which mode of channelization you select. The sum of the bandwidth of the serial interfaces
on the T1 or E1 controllers cannot exceed the bandwidth of the T3 controller that contains those
channelized T1 or E1 controllers.
When you channelize a T3 controller, each individual T1 or E1 controller is automatically further
channelized into DS0 time slots. A single T1 controller carries 24 DS0 time slots, and a single E1
controller carries 31 DS0 time slots. Users can divide these DS0 time slots up into individual channel
groups. Each channel group can support a single serial interface.
When a controller is channelized, and channel groups have been created, services are provisioned on the
associated serial interfaces.
The channelization feature in this release allows the following types of channelization:
• A single T3 controller into 28 T1 controllers, for a total controller size of 44210 kbps.
• A single T3 controller into 21 E1 controllers, for a total controller size of 43008 kbps.
• A single T1 controller supports up to 1.536 Mbps.
• A single E1 controller supports up to 2.048 Mbps.
Note A single shared port adapter (SPA) can support up to 448 channel groups.
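The channelization rules above (28 T1 or 21 E1 children per T3, 24 or 31 DS0 time slots per child, one serial interface per channel group, at most 448 channel groups per SPA) are easy to violate by hand when many channel groups are provisioned. The following Python is an added example, not Cisco code, that models those rules so a provisioning plan can be checked for overlapping time slots, out-of-range slots and the per-SPA cap before any controller is touched. The class names, the rejects helper and the assumed interface-name layout (T3 controller path followed by /T1num:instance, after the rack/slot/module/port/T3Num/T1num:instance notation shown in the APS procedure) are this example's own assumptions.

```python
"""Model the T3 channelization rules stated above: a T3 channelizes into 28 T1
or 21 E1 controllers, a T1 carries 24 DS0 time slots and an E1 31, a channel
group is a set of time slots on one T1/E1 that backs one serial interface, and
a SPA holds at most 448 channel groups. Added example, not Cisco code: the
classes, names and the interface-name layout are this example's assumptions."""
from typing import Callable, Dict, Iterable, List, Set

DS0_KBPS = 64                      # one DS0 time slot
SLOTS = {"t1": 24, "e1": 31}       # usable time slots per child controller
CHILDREN = {"t1": 28, "e1": 21}    # child controllers per channelized T3
MAX_GROUPS_PER_SPA = 448

class ChannelizationError(ValueError):
    """A request that exceeds a limit or overlaps an existing channel group."""

def rejects(fn: Callable[[], object]) -> bool:
    """True if fn() raises ChannelizationError."""
    try:
        fn()
    except ChannelizationError:
        return True
    return False

class T3Controller:
    """A T3 channelized into T1 or E1 children, each holding channel groups."""

    def __init__(self, path_id: str, mode: str) -> None:
        if mode not in SLOTS:
            raise ChannelizationError("mode must be 't1' or 'e1'")
        self.path_id = path_id       # assumed rack/slot/module/port/T3Num
        self.mode = mode
        # child index -> {channel-group id: time slots it owns}
        self.groups: Dict[int, Dict[int, Set[int]]] = {i: {} for i in range(CHILDREN[mode])}

    def add_channel_group(self, child: int, group_id: int, timeslots: Iterable[int]) -> str:
        """Reserve time slots on one child and return the serial interface name,
        laid out as <T3 path>/T1num:instance (assumed layout, see lead-in)."""
        if child not in self.groups:
            raise ChannelizationError(f"{self.mode} child {child} does not exist")
        if group_id in self.groups[child]:
            raise ChannelizationError(f"channel group {group_id} already exists on child {child}")
        slots = set(timeslots)
        if not slots or min(slots) < 1 or max(slots) > SLOTS[self.mode]:
            raise ChannelizationError(f"time slots must be within 1-{SLOTS[self.mode]}")
        taken = set().union(*self.groups[child].values())
        if slots & taken:
            raise ChannelizationError(f"time slots {sorted(slots & taken)} already assigned")
        self.groups[child][group_id] = slots
        return f"{self.path_id}/{child}:{group_id}"

    def group_count(self) -> int:
        return sum(len(g) for g in self.groups.values())

    def bandwidth_kbps(self, child: int) -> int:
        """Bandwidth provisioned on one child; it cannot exceed slots x 64 kbps."""
        return DS0_KBPS * sum(len(s) for s in self.groups[child].values())

class Spa:
    """Enforces the per-SPA cap of 448 channel groups across its controllers."""

    def __init__(self) -> None:
        self.controllers: List[T3Controller] = []

    def add_controller(self, ctl: T3Controller) -> T3Controller:
        self.controllers.append(ctl)
        return ctl

    def group_count(self) -> int:
        return sum(c.group_count() for c in self.controllers)

    def add_channel_group(self, ctl: T3Controller, child: int, group_id: int,
                          timeslots: Iterable[int]) -> str:
        if ctl not in self.controllers:
            raise ChannelizationError("controller is not on this SPA")
        if self.group_count() >= MAX_GROUPS_PER_SPA:
            raise ChannelizationError(f"SPA limit of {MAX_GROUPS_PER_SPA} channel groups reached")
        return ctl.add_channel_group(child, group_id, timeslots)
```

Because a channel group can only draw on slots its child still has free, the sum of the provisioned serial bandwidth on a child never exceeds that child's capacity, which is the bandwidth constraint the text states for channelized T1 and E1 controllers.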
This section includes the following additional topics:
• Supported Features, page 401
• Configuration Overview, page 406
• Default Configuration Values for T3 and E3 Controllers, page 406
• Default Configuration Values for T1 and E1 Controllers, page 407
• Link Noise Monitoring on T1 or E1 Links, page 408
Supported Features
Table 10 shows a summary of some of the supported features by SPA type.
Table 10 Supported Features on Channelized T3/E3, T1/E1, and Clear Channel SPAs
1-Port
Channelized
OC-3/STM-1
SPA
2-Port
Channelized
OC-12c/DS0
SPA
1-Port Channelized
OC-48/STM-16 SPA
4-Port
Channelized
T3/DS0 SPA
8-Port
Channelized
T1/E1 SPA
2-Port and
4-Port Clear
Channel T3/E3
SPA
Bit Error Ratio
Test (BERT)
T3, T1, E3,
E1, and DS0
channels
Maximum of
12 sessions
1
Maximum 1
session for T1
T3 channels T3 and E3
Maximum of 2
simultaneous BERT
tests are possible per
STS-12.
T3, T1, E1
and DS0
channels
T1, E1, and
DS0 channels
T3 and E3
1 session per
port
Channelization
and
Clear Channel
Modes
Channelized
SONET/SDH
Channelized
T1/E1 to DS0s
Clear channel
SONET
Clear channel
T3 and E3 in
SDH mode for
serial
interfaces
Channelized
SONET/SDH
Channelized
T3/E3
Channelized
T1/E1 to DS0s
Clear channel
SONET
Channelized
SONET/SDH
Channelized T3/E3
Clear channel
SONET
Channelized
T3
Channelized
T1/E1
T3 clear
channel
Channelized
T1/E1 to
DS0s.
Clear channel
T1 and E1
Clear channel
T3 or E3 onlyConfiguring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router
Information About T3/E3 Controllers and Serial Interfaces
402
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
DSU Modes Adtran
Digital-link
Cisco
Kentrox
Larscom
Verilink
For E3
Cisco
(Default)
Digital Link
Kentrox
Adtran
Digital-link
Cisco Kentrox
Larscom
Verilink
Adtran
Digital-link
Cisco
Kentrox
Larscom
Verilink
Note Subrate for
E3 is not
supported.
Adtran
Digital-link
Cisco
Kentrox
Larscom
Verilink
Adtran
Digital-link
Cisco
Kentrox
Larscom
Verilink
Adtran
Digital-link
Cisco
Kentrox
Larscom
Verilink
Encapsulations Frame Relay
HDLC
PPP
HDLC
PPP
Frame Relay
HDLC
PPP
Frame Relay
HDLC
PPP
Frame Relay
HDLC
PPP
Frame Relay
HDLC
PPP
Equal Cost
Multipath
(ECMP)
Yes ECMP support
for egress paths
over T3 or T1
speed channels
with either PPP
or HDLC
encapsulation
ECMP support
for paths on
multiple
controllers,
SPAs, and SIPs
Yes Yes Yes Yes
Facility Data
Link (FDL)
Yes Yes Yes Yes Yes No
Far End Alarm
Control (FEAC)
For T3 C-bit
framing
For T3 C-bit
framing
For T3 C-bit
framing
For T3 C-bit
framing
For T3 C-bit
framing
Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router
Information About T3/E3 Controllers and Serial Interfaces
403
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
Table 10 Supported Features on Channelized T3/E3, T1/E1, and Clear Channel SPAs (continued)
Feature | 1-Port Channelized OC-3/STM-1 SPA | 2-Port Channelized OC-12c/DS0 SPA | 1-Port Channelized OC-48/STM-16 SPA | 4-Port Channelized T3/DS0 SPA | 8-Port Channelized T1/E1 SPA | 2-Port and 4-Port Clear Channel T3/E3 SPA
Inter-Chassis Stateful Switchover (ICSSO) (2) | For PPP on T3, T1, and E1 channels only (not DS0) | For MLPPP on T1 and E1 sessions; for PPP on T3 channels; for T1 when T3 channels are configured on the same system, SIP, SPA or port | No | T3, T1, and E1 channels only (not DS0) | T1 and E1 channels only (not DS0) | No
IP Fast Reroute (IP-FRR) | No | For PPP only | No | T3, T1, and E1 channels | T1 and E1 channels | No
Link Noise Monitoring | No | Yes | No | No | No | No
Loopback (3) | Yes | Yes | Yes | Yes—Not DS0 | Yes—Not DS0 | Yes
Maintenance Data Link (MDL) Message Support | Yes | Yes | Yes | Yes | N/A | Yes
Circuit Emulation Service Over Packet Switched Network Support | Yes | Yes | No | No | No | No
Mixed Channel Support | No—T3 and E3 cannot be mixed. T1 and E1 cannot coexist on single STS-1. | Yes—T3 and T1 channels supported on the same SIP, SPA, or port | Yes | Yes | No—All channels must be either in T1 or E1 mode. | No—All ports must be either T3 or E3.
Scalability | 1000 channels per SPA | 48 T3 channels per SIP; 24 T3 channels per SPA; 12 T3 channels per interface | 48 T3/E3 channels | 1000 channels per SPA | 8 T1 or E1 ports; up to 256 full-duplex HDLC channels; Nx64K or Nx56K channel speeds, where N is less than or equal to 24 for T1, and less than or equal to 32 for E1 | 2 or 4 T3 or E3 ports
1. 6 simultaneous BERT sessions among first three physical ports and 6 simultaneous BERT sessions on 4th port.
2. All interfaces configured on a SONET/SDH controller for the 1-Port Channelized OC-3/STM-1 SPA should be IC-SSO protected or none of them should be IC-SSO protected.
Loopback Support
Cisco 1-Port Channelized OC-3/STM-1 SPA
This section describes the types of loopback supported on the 1-Port Channelized OC-3/STM-1 SPA:
• For SONET controller:
– Local loopback
– Network line loopback
• For T3:
– Local loopback
– Network loopback
– Remote loopback line (Use FEAC in C-Bit mode for T3)
– Remote loopback payload (Use FEAC in C-Bit mode for T3)
• For E3:
– Local loopback
– Network loopback
• For T1:
– Local loopback
– Network line loopback
– Remote line FDL ANSI loopback (also known as Remote CSU loopback - ESF mode)
– Remote line FDL Bellcore loopback (also known as Remote SmartJack loopback - ESF mode)
– Remote line inband loopback (SF inband loopback)
– Remote payload FDL ANSI loopback (ESF remote payload loopback)
• For E1:
– Local loopback
– Network line loopback
Cisco 2-Port Channelized OC-12c/DS0 SPA
This section describes the types of loopback supported on the 2-Port Channelized OC-12c/DS0 SPA:
• For T3
– Local loopback
– Network line loopback
• For ports
– Local line loopback
– Network line loopback
3. For detailed information about loopback support, see the “Loopback Support” section on page 404.
Cisco 1-Port Channelized OC-48/STM-16 SPA
This section describes the types of loopback supported on the 1-Port Channelized OC-48/STM-16 SPA:
• For SONET:
– Local line loopback
– Network line loopback
• For T3:
– Local loopback
– Network line loopback
– Network payload loopback
• For E3:
– Local loopback
– Network loopback
Cisco 4-Port Channelized T3/DS0 SPA
This section describes the types of loopback supported on the 4-Port Channelized T3/DS0 SPA:
• For T3:
– Local loopback
– Network loopback
– Remote loopback line
• For T1:
– Local loopback
– Network line loopback
– Remote line FDL ANSI loopback (also known as Remote CSU loopback - ESF mode)
– Remote line FDL Bellcore loopback (also known as Remote SmartJack loopback - ESF mode)
• For E1:
– Local loopback
– Network line loopback
Cisco 8-Port Channelized T1/E1 SPA
This section describes the types of loopback supported on the 8-Port Channelized T1/E1 SPA:
• For T1:
– Local loopback
– Network line loopback
– Remote line FDL ANSI loopback (also known as Remote CSU loopback - ESF mode)
– Remote line FDL Bellcore loopback (also known as Remote SmartJack loopback - ESF mode)
• For E1:
– Local loopback
Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
This section describes the types of loopback supported on the 2-Port and 4-Port Clear Channel T3/E3
SPA:
• Local loopback
• Network payload loopback (Configure the local framer to send all data received from the remote side
back to the remote side.)
• Network line loopback (Configure the local LIU to send all data received from the remote side back
to the remote side.)
• Remote line loopback (Use FEAC to request the remote interface to loop back to SPA—T3 only)
Configuration Overview
Configuring a channelized T3 controller and its associated serial interfaces is a 4-step process:
Step 1 Configure the T3 controller, and set the mode for that controller to T1 or E1.
Step 2 Configure the T1 or E1 controller.
Step 3 Create channel groups and assign DS0 time slots to these channel groups as desired.
Step 4 Configure the serial interfaces that are associated with the individual channel groups, as described in the
Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module later in this document.
Default Configuration Values for T3 and E3 Controllers
Table 11 describes the default configuration parameters that are present on the T3 and E3 controllers.
Note • Auto-detect framing is not supported on the 2-Port Channelized OC-12c/DS0 SPA.
• E3 is not supported on the 4-Port Channelized T3/DS0 SPA.
Table 11 T3 and E3 Controller Default Configuration Values
Parameter: Frame type for the data line
  Default value: For T3: C-bit framing; for E3: G.751
  Configuration file entry: framing {auto-detect | c-bit | m23}
Parameter: Clocking for individual T3/E3 links
  Default value: internal
  Configuration file entry: clock source {internal | line}
Parameter: Cable length
  Default value: 224 feet
  Configuration file entry: cablelength feet
Parameter: Maintenance data link (MDL) messages (T3 only)
  Default value: disable
  Configuration file entry: mdl transmit {idle-signal | path | test-signal} {disable | enable}
Parameter: National reserved bits for an E3 port (E3 only)
  Default value: enable, and the bit pattern value is 1.
  Configuration file entry: national bits {disable | enable}
Note When configuring clocking on a serial link, you must configure one end to be internal, and the other end to be line. If you configure internal clocking on both ends of a connection, framing slips occur. If you configure line clocking on both ends of a connection, the line does not come up.
Default Configuration Values for T1 and E1 Controllers
Table 12 describes the default configuration parameters that are present on the T1 and E1 controllers.
Table 12 T1 and E1 Controller Default Configuration Values
Parameter: Frame type for the data line
  Default value: For T1: extended superframe (esf). For E1: framing with CRC-4 error monitoring capabilities (crc4).
  Configuration file entry: For T1: framing {sf | esf}. For E1: framing {crc4 | no-crc4 | unframed}
Parameter: Detection and generation of T1 yellow alarms (T1 only)
  Default value: Yellow alarms are detected and generated on the T1 channel.
  Configuration file entry: yellow {detection | generation} {disable | enable}
Parameter: Clocking for individual T1 and E1 links
  Default value: internal
  Configuration file entry: clock source {internal | line}
Parameter: Cable length (T1 only)
  Default value: For the cablelength long command: db-gain-value: gain26; db-loss-value: 0db. For the cablelength short command: 533 feet.
  Configuration file entry: To set a cable length of longer than 655 feet: cablelength long db-gain-value db-loss-value. To set a cable length of 655 feet or shorter: cablelength short length
Parameter: Transmission of ANSI T1.403 or AT&T TR54016 once-per-second performance reports through Facility Data Link (FDL) for a T1 channel (T1 only)
  Default value: disable
  Configuration file entry: fdl {ansi | att} {enable | disable}
Parameter: National reserved bits for an E1 port (E1 only)
  Default value: 0 (which corresponds to 0x1f in hexadecimal format)
  Configuration file entry: national bits bits
Note When configuring clocking on a serial link, you must configure one end to be internal, and the other
end to be line. If you configure internal clocking on both ends of a connection, framing slips occur. If
you configure line clocking on both ends of a connection, the line does not come up.
Link Noise Monitoring on T1 or E1 Links
Link Noise Monitoring (LNM) provides the ability to monitor Path Code Violation (PCV) errors on T1
and E1 links on the 2-Port Channelized OC-12c/DS0 SPA on the Cisco ASR 9000 Series Router, and to
signal events and alarms on these links when noise continuously meets or exceeds configured thresholds
(the set threshold values) for those errors. Events are also signaled when noise falls below configured
improved thresholds (the clear threshold values).
Beginning in Cisco IOS XR Release 4.1, the LNM feature supports the lnm remove command to signal
the Noise Attribute to PPP to remove an MLPPP bundle member link when specified thresholds are
crossed.
Note An LCV is an occurrence of either a Bi-Polar Violation (BPV) or Excessive Zeroes (EXZ) error, and a
PCV is an occurrence of a CRC error in a timeslot. However, the LNM feature currently only monitors
PCV errors. The LCV values are only used to calculate an expected PCV if the PCV values are not
specified. If the PCV values are specified, then the LCV values are ignored.
LNM Events
There are two basic types of monitoring events produced by LNM:
• Crossed events—A crossed event signals when PCV threshold values continuously meet or exceed
the specified set values for major and minor warnings for a specified period of time (duration).
When a crossed event occurs, the major or minor monitoring type for the controller is reported as
the alarm state. When the crossed event is no longer present, the monitoring type returns to the
stable state.
The following are examples of crossed events:
RP/0/RSP0/CPU0:Router#0/1/CPU0:May 13 9:54:10.980 : g_spa_1[181]: %L2-T1E1_LNM-3-MINWARNNOISE : Interface T10/1/1/0/1/1/1, noise crossed minor warning threshold
RP/0/RSP0/CPU0:Router#0/1/CPU0:May 13 9:54:11.980 : g_spa_1[181]: %L2-T1E1_LNM-3-MAJWARNNOISE : Interface T10/1/1/0/1/1/1, noise crossed major warning threshold
• Cleared events—A cleared event signals when threshold values that were crossed have fallen below
the specified clear values for major and minor warnings.
The following are examples of cleared events:
RP/0/RSP0/CPU0:Router#LC/0/1/CPU0:May 13 10:27:25.809 : g_spa_1[181]: %L2-T1E1_LNM-3-MAJWARNNOISE : Interface T10/1/1/0/1/1/1, noise cleared major warning threshold
RP/0/RSP0/CPU0:Router#LC/0/1/CPU0:May 13 10:28:14.810 : g_spa_1[181]: %L2-T1E1_LNM-3-MINWARNNOISE : Interface T10/1/1/0/1/1/1, noise cleared minor warning threshold
LNM Logging
When you enable syslog messages for LNM events using the lnm syslog command, LNM messages will
appear in both the system log and in the log events buffer. You can display LNM events in the log events
buffer using the show logging events buffer bistate-alarms-set command, and also using the show
logging command, which are described in the Cisco ASR 9000 Series Aggregation Services Router
System Monitoring Command Reference.
LNM supports hierarchical level alarm reporting as defined in the Telcordia (Bellcore) GR-253 standard.
Hierarchical alarm reporting means that whenever a higher alarm is asserted, the lower alarm state is
suppressed. When the high alarm is cleared, the lower alarm will re-assert if the condition still exists.
For LNM, this means that if a major warning threshold is continuously met or exceeded resulting in a
crossed event and alarm state, then a minor warning alarm state is suppressed and returned to stable state.
The minor crossed event also is removed from the bistate log. When the major warning is cleared, the
minor warning alarm is asserted if the condition still exists.
Only a single crossed event for major warnings will appear in the bistate log for the controller. Therefore,
you will see only a single log message for a controller if noise exists above configured threshold values.
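The following is an added example written for this page; it is not code from the guide or from Cisco. It replays LNM syslog messages of the form shown above and tracks, per controller, both the raw threshold conditions and the alarm actually reported under the hierarchical (major suppresses minor) rule described in this section. The four sample log lines are constructed from the guide's examples, joined back onto one line each as syslog emits them; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Regex for the LNM syslog mnemonic shown in the guide; interface name and the
# crossed/cleared wording are taken from the message text itself.
LNM_RE = re.compile(
    r"%L2-T1E1_LNM-(?P<sev>\d)-(?:MAJ|MIN)WARNNOISE\s*:\s*"
    r"Interface\s+(?P<ifc>\S+),\s+noise\s+(?P<action>crossed|cleared)\s+"
    r"(?P<level>major|minor)\s+warning\s+threshold"
)

# Constructed sample log (not captured from a real router): the same four
# events the guide shows, one per line.
SAMPLE_LOG = """\
RP/0/RSP0/CPU0:Router#0/1/CPU0:May 13 9:54:10.980 : g_spa_1[181]: %L2-T1E1_LNM-3-MINWARNNOISE : Interface T10/1/1/0/1/1/1, noise crossed minor warning threshold
RP/0/RSP0/CPU0:Router#0/1/CPU0:May 13 9:54:11.980 : g_spa_1[181]: %L2-T1E1_LNM-3-MAJWARNNOISE : Interface T10/1/1/0/1/1/1, noise crossed major warning threshold
RP/0/RSP0/CPU0:Router#LC/0/1/CPU0:May 13 10:27:25.809 : g_spa_1[181]: %L2-T1E1_LNM-3-MAJWARNNOISE : Interface T10/1/1/0/1/1/1, noise cleared major warning threshold
RP/0/RSP0/CPU0:Router#LC/0/1/CPU0:May 13 10:28:14.810 : g_spa_1[181]: %L2-T1E1_LNM-3-MINWARNNOISE : Interface T10/1/1/0/1/1/1, noise cleared minor warning threshold
"""


@dataclass
class LnmState:
    """Per-controller view: raw threshold conditions plus the alarm actually reported."""
    conditions: set = field(default_factory=set)  # subset of {"minor", "major"} currently crossed
    reported: str = "stable"                      # "stable", "minor" or "major"


def parse_lnm_event(line):
    """Return {"interface", "action", "level"} for an LNM noise message, else None."""
    m = LNM_RE.search(line)
    if not m:
        return None
    return {"interface": m.group("ifc"), "action": m.group("action"), "level": m.group("level")}


def reported_level(conditions):
    """Hierarchical reporting: an asserted major warning suppresses the minor one."""
    if "major" in conditions:
        return "major"
    if "minor" in conditions:
        return "minor"
    return "stable"


def process_lnm_log(lines):
    """Replay LNM messages; return per-controller states and the list of reported
    alarm transitions as (interface, previous_reported, new_reported)."""
    states, transitions = {}, []
    for line in lines:
        ev = parse_lnm_event(line)
        if ev is None:
            continue  # not an LNM noise message
        st = states.setdefault(ev["interface"], LnmState())
        if ev["action"] == "crossed":
            st.conditions.add(ev["level"])
        else:
            st.conditions.discard(ev["level"])
        new = reported_level(st.conditions)
        if new != st.reported:  # only a change in the *reported* alarm is recorded
            transitions.append((ev["interface"], st.reported, new))
            st.reported = new
    return states, transitions


def bistate_alarms(states):
    """Controllers with a warning asserted, one entry each (the highest warning
    only), mirroring what the bistate alarm buffer lists for a controller."""
    return {ifc: st.reported for ifc, st in states.items() if st.reported != "stable"}


if __name__ == "__main__":
    states, transitions = process_lnm_log(SAMPLE_LOG.splitlines())
    for ifc, before, after in transitions:
        print(f"{ifc}: {before} -> {after}")
    print("asserted:", bistate_alarms(states))
```

Replaying the four sample lines yields the transitions stable to minor, minor to major, major to minor (the minor warning re-asserts when the major clears because its condition still exists) and minor to stable, which is the behaviour the section describes.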
How to Configure Clear Channel T3/E3 Controllers and
Channelized T1/E1 Controllers
The T3/E3 controllers are configured in the physical layer control element of the Cisco IOS XR software
configuration space. This configuration is described in the following tasks:
• Configuring a Clear Channel E3 Controller, page 409
• Modifying the Default E3 Controller Configuration, page 411
• Configuring a Clear Channel T3 Controller, page 414
• Configuring a Channelized T3 Controller, page 415
• Modifying the Default T3 Controller Configuration, page 418
• Configuring a T1 Controller, page 421
• Configuring an E1 Controller, page 425
• Configuring BERT, page 429
• Configuring Link Noise Monitoring on a T1 or E1 Channel, page 436
Configuring a Clear Channel E3 Controller
When an E3 controller is in clear channel mode, it carries a single serial interface.
The E3 controllers are configured using the E3 configuration mode.
Restrictions
• If you configure an option that is not valid for your controller type, you receive an error when you
commit the configuration.
• A single SPA cannot support a mixture of T3 and E3 interfaces.
• E3 is not supported on the 4-Port Channelized T3/DS0 SPA.
SUMMARY STEPS
1. configure
2. controller e3 interface-path-id
3. mode serial
4. no shutdown
5. end
or
commit
6. show controllers e3 interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller e3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller e3 0/1/0/0
Specifies the E3 controller name in the notation
rack/slot/module/port and enters E3 configuration mode.
Step 3 mode serial
Example:
RP/0/RSP0/CPU0:router(config-e3)# mode serial
Configures the mode of the port to be clear channel serial.
Note This step is required for the 2-Port and 4-Port
Channelized T3 SPA only. The 2-Port and 4-Port
Clear Channel T3/E3 SPA run in serial mode by
default.
Step 4 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-e3)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes
the forced administrative down on the controller,
enabling the controller to move to an up or a down state.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-e3)# end
or
RP/0/RSP0/CPU0:router(config-e3)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 6 show controllers e3 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers e3 0/1/0/0
(Optional) Displays information about the E3 controllers.
What to Do Next
• Modify the default configuration that is running on the E3 controller you just configured, as described in the “Modifying the Default E3 Controller Configuration” section later in this module.
• Configure a bit error rate test (BERT) on the controller to test its integrity, as described in the “Configuring BERT” section later in this module.
• Configure the associated serial interface, as described in the Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module later in this document.
Modifying the Default E3 Controller Configuration
This task explains how to modify the default E3 controller configuration, which is described in the “Default Configuration Values for T3 and E3 Controllers” section earlier in this module.
Prerequisites
You must configure a clear channel E3 controller, as described in the “Configuring a Clear Channel E3 Controller” section earlier in this module.
Restrictions
• E3 is not supported on the 4-Port Channelized T3/DS0 SPA.
SUMMARY STEPS
1. configure
2. controller e3 interface-path-id
3. clock source {internal | line}
4. cablelength feet
5. framing {g751 | g832}
6. national bits {disable | enable}
7. no shutdown
8. end
or
commit
9. show controllers e3 interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller e3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller e3 0/1/0/0
Specifies the E3 controller name in the notation
rack/slot/module/port and enters E3 configuration mode.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-e3)# clock source internal
(Optional) Sets the clocking for individual E3 links.
Note The default clock source is internal.
Note When configuring clocking on a serial link, you
must configure one end to be internal, and the other
end to be line. If you configure internal clocking on
both ends of a connection, framing slips occur. If
you configure line clocking on both ends of a
connection, the line does not come up.
Step 4 cablelength feet
Example:
RP/0/RSP0/CPU0:router(config-e3)# cablelength 250
(Optional) Specifies the distance of the cable from the
router to the network equipment.
Note The default cable length is 224 feet.
Step 5 framing {g751 | g832}
Example:
RP/0/RSP0/CPU0:router(config-e3)# framing g832
(Optional) Selects the frame type for the E3 port. Possible E3 frame types are G.751 and G.832.
Note The default framing for E3 is G.751.
Step 6 national bits {disable | enable}
Example:
RP/0/RSP0/CPU0:router(config-e3)# national bits enable
(Optional) Enables or disables the 0x1F national reserved bit pattern on the E3 port.
Note The E3 national bit is enabled by default, and the bit pattern value is 1.
Step 7 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-e3)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes the forced administrative down on the controller, enabling the controller to move to an up or a down state.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-e3)# end
or
RP/0/RSP0/CPU0:router(config-e3)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 9 show controllers e3 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers e3 0/1/0/0
(Optional) Displays information about the E3 controllers.
What to Do Next
• Modify the default configuration that is running on the T3 controller you just configured, as described in the “Modifying the Default T3 Controller Configuration” section later in this module.
• Configure BERT on the controller to test its integrity, as described in the “Configuring BERT” section later in this module.
• Configure the associated serial interface, as described in the Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module later in this document.
Configuring a Clear Channel T3 Controller
When a T3 controller is in clear channel mode, it carries a single serial interface.
The T3 controllers are configured in the T3 configuration mode.
Prerequisites
Before you can configure a clear channel T3 controller on a channelized SPA, you must configure the
SPA for an STS stream channelized for T3. For more information, see the “Configuring Channelized
SONET/SDH on the Cisco ASR 9000 Series Router” module.
Restrictions
• If you configure an option that is not valid for your controller type, you receive an error when you
commit the configuration.
• A single SPA cannot support a mixture of T3 and E3 interfaces.
SUMMARY STEPS
1. configure
2. controller t3 interface-path-id
3. mode serial
4. no shutdown
5. end
or
commit
6. show controllers t3 interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0
Specifies the T3 controller name in the
rack/slot/module/port notation and enters T3 configuration
mode.
Step 3 mode serial
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode serial
Configures the mode of the port to be clear channel serial.
Step 4 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-t3)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes the forced administrative down on the controller, enabling the controller to move to an up or a down state.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-t3)# end
or
RP/0/RSP0/CPU0:router(config-t3)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 6 show controllers t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers t3 0/1/0/0
(Optional) Displays information about the T3 controllers.
What to Do Next
• Modify the default configuration that is running on the T3 controller you just configured, as described in the “Modifying the Default T3 Controller Configuration” section later in this module.
• Configure BERT on the controller to test its integrity, as described in the “Configuring BERT” section later in this module.
• Configure the associated serial interface, as described in the Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module.
Configuring a Channelized T3 Controller
The SPAs that support channelized T3 support channelization to T1, E1, and DS0. The steps in this section describe how to channelize a single T3 controller into 28 T1 controllers or 21 E1 controllers. Once you have created T1 or E1 controllers, you can further channelize those controllers into DS0 time slots, as described in the following sections:
• Configuring a T1 Controller
• Configuring an E1 Controller
Each individual T1 controller supports a total of 24 DS0 time slots, and each individual E1 controller
supports a total of 31 DS0 time slots.
Prerequisites
Before you configure a channelized T3 controller, be sure that the following requirements are met:
• You have one of the following SPAs installed:
– 1-Port Channelized OC-3/STM-1 SPA
– 2-Port Channelized OC-12/DS0 SPA
– 4-Port Channelized T3/DS0 SPA
• For the channelized SONET SPAs, you have configured the SPA for an STS stream channelized for
T3. For more information, see the “Configuring Channelized SONET/SDH on the
Cisco ASR 9000 Series Router” module.
Note If you configure an option that is not valid for your controller type, you receive an error when you
commit the configuration.
SUMMARY STEPS
1. configure
2. controller t3 interface-path-id
3. mode [t1 | e1]
4. no shutdown
5. end
or
commit
6. show controllers t3 interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0
Specifies the T3 controller name in the notation
rack/slot/module/port and enters T3 configuration mode.
Step 3 mode t1
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode t1
Sets the mode of the channelized controllers to be T1, and creates 28 T1 controllers.
Step 4 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-t3)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes the forced administrative down on the controller, enabling the controller to move to an up or a down state.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-t3)# end
or
RP/0/RSP0/CPU0:router(config-t3)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 6 show controllers t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers t3 0/1/0/0
(Optional) Displays information about the T3 controllers.
What to Do Next
• Modify the default configuration that is running on the T3 controller you just configured, as described in the “Modifying the Default T3 Controller Configuration” section on page 418.
• If you channelized your T3 controller into 28 T1 controllers, configure the T1 controllers and assign DS0 time slots to them, as described in the “Configuring a T1 Controller” section on page 421.
• If you channelized your T3 controller into 21 E1 controllers, configure the E1 controllers and assign DS0 time slots to them, as described in the “Configuring an E1 Controller” section on page 425.
Modifying the Default T3 Controller Configuration
This task explains how to modify the default T3 controller configuration, which is described in the
“Default Configuration Values for T3 and E3 Controllers” section on page 406.
Prerequisites
You must configure a clear channel or channelized T3 controller, as described in one of the following
sections:
• Configuring a Clear Channel T3 Controller
• Configuring a Channelized T3 Controller
SUMMARY STEPS
1. configure
2. controller t3 interface-path-id
3. clock source {internal | line}
4. cablelength feet
5. framing {auto-detect | c-bit | m23}
6. mdl transmit {idle-signal | path | test-signal} {disable | enable}
7. mdl string {eic | fi | fic | gen-number | lic | port-number | unit} string
8. no shutdown
9. end
or
commit
10. show controllers t3 interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0
Specifies the T3 controller name in the notation
rack/slot/module/port and enters T3 configuration mode.
Step 3 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-t3)# clock source internal
(Optional) Sets the clocking for the T3 port.
Note The default clock source is internal.
Note When configuring clocking on a serial link, you
must configure one end to be internal, and the other
end to be line. If you configure internal clocking on
both ends of a connection, framing slips occur. If
you configure line clocking on both ends of a
connection, the line does not come up.
Step 4 cablelength feet
Example:
RP/0/RSP0/CPU0:router(config-t3)# cablelength 250
(Optional) Specifies the distance of the cable from the
router to the network equipment.
Note The default cable length is 224 feet.
Step 5 framing {auto-detect | c-bit | m23}
Example:
RP/0/RSP0/CPU0:router(config-t3)# framing c-bit
(Optional) Selects the frame type for the T3 port.
Note The default frame type for T3 is C-bit. Auto-detect
is not supported on the 2-Port Channelized
OC-12c/DS0 SPA.
Step 6 mdl transmit {idle-signal | path | test-signal}
{disable | enable}
Example:
RP/0/RSP0/CPU0:router(config-t3)# mdl transmit
path enable
(Optional) Enables Maintenance Data Link (MDL)
messages on the T3 port.
Note MDL messages are supported only when the T3
framing is C-bit parity.
Note MDL messages are disabled by default.
Step 7 mdl string {eic | fi | fic | gen-number | lic |
port-number | unit} string
Example:
RP/0/RSP0/CPU0:router(config-t3)# mdl fi
facility identification code
(Optional) Specifies the values of the strings sent in the
MDL messages.
Step 8 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-t3)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes
the forced administrative down on the controller,
enabling the controller to move to an up or a down state.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-t3)# end
or
RP/0/RSP0/CPU0:router(config-t3)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 10 show controllers t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers t3
0/1/0/0
(Optional) Displays information about the T3 controllers.
What to Do Next
• If you configured a clear channel T3 controller, perform the following tasks:
– Configure BERT on the controller to test its integrity, as described in the “Configuring BERT”
section on page 429 later in this module.
– Configure the associated serial interface, as described in the Configuring Serial Interfaces on
the Cisco ASR 9000 Series Router module.
• If you channelized your T3 controller into 28 T1 controllers, configure the T1 controllers and assign
DS0 time slots to them, as described in the “Configuring a T1 Controller” section on page 421.
• If you channelized your T3 controller into 21 E1 controllers, configure the E1 controllers and assign
DS0 time slots to them, as described in the “Configuring an E1 Controller” section on page 425.
Configuring a T1 Controller
This task describes how to configure an individual T1 controller and channelize it into 24 individual DS0
timeslots.
Prerequisites
Before you configure a T1 controller, be sure that the following requirements are met:
• You have one of the following SPAs installed:
– 1-Port Channelized OC-3/STM-1 SPA
– 2-Port Channelized OC-12/DS0 SPA
– 4-Port Channelized T3/DS0 SPA
– 8-Port Channelized T1/E1 SPA
• If you have a 1-Port Channelized OC-3/STM-1 SPA or 2-Port Channelized OC-12/DS0 SPA, you
must complete the following configuration:
– Configure an STS stream channelized for T3. For more information, see the “Configuring
Channelized SONET/SDH on the Cisco ASR 9000 Series Router” module.
– Configure a channelized T3 controller running in T1 mode, as described in the “Configuring a
Channelized T3 Controller” section on page 415.
• If you have a 4-Port Channelized T3/DS0 SPA, you must configure a channelized T3 controller to
run in T1 mode, as described in the “Configuring a Channelized T3 Controller” section on page 415.
Restrictions
If you configure an option that is not valid for your controller type, you receive an error when you
commit the configuration.
Before you configure a T1 controller on the 8-Port Channelized T1/E1 SPA, consider the following
restrictions:
• The SPA controller is not visible until it is explicitly configured for T1 mode.
• For each individual SPA, the SPA ports must all be in the same mode (all T1).
SUMMARY STEPS
1. show controllers t1 interface-path-id
2. configure
3. controller t1 interface-path-id
4. framing {sf | esf}
5. yellow {detection | generation} {disable | enable}
6. clock source {internal | line}
7. fdl {ansi | att} {enable | disable}
8. no shutdown
9. channel-group channel-group-number
10. timeslots range
11. speed kbps
12. exit
13. Repeat Step 9 through Step 12 to assign time slots to a channel group. Each controller can contain
up to 24 time slots.
14. exit
15. Repeat Step 2 through Step 14 to assign more channel groups to a controller.
16. end
or
commit
DETAILED STEPS
Step 1 show controllers t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers t1
0/3/0/0/0
(Optional) Displays information about the T1 controllers
you created in Step 3.
Step 2 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 3 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1
0/3/0/0/0
Enters T1 configuration mode.
Step 4 framing {sf | esf}
Example:
RP/0/RSP0/CPU0:router(config-t1)# framing esf
(Optional) Selects the frame type for the T1 data line:
• sf—Superframe
• esf—Extended superframe
Note The default frame type for T1 is Extended
superframe (esf).
Step 5 yellow {detection | generation} {disable |
enable}
Example:
RP/0/RSP0/CPU0:router(config-t1e1)# yellow
detection enable
(Optional) Enables or disables the detection and generation
of T1 yellow alarms.
Note Yellow alarms are detected and generated on the T1
channel by default.
Step 6 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-t1e1)# clock
source internal
(Optional) Sets the clocking for individual T1 links.
Note The default clock source is internal.
Note When configuring clocking on a serial link, you
must configure one end to be internal, and the other
end to be line. If you configure internal clocking on
both ends of a connection, framing slips occur. If
you configure line clocking on both ends of a
connection, the line does not come up.
Step 7 fdl {ansi | att} {enable | disable}
Example:
RP/0/RSP0/CPU0:router(config-t1e1)# fdl ansi
enable
(Optional) Enables the transmission of ANSI T1.403 or
AT&T TR54016 once-per-second performance reports
through Facility Data Link (FDL).
Note FDL ansi and att are disabled by default.
Step 8 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-t1e1)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes
the forced administrative down on the controller,
enabling the controller to move to an up or a down state.
Step 9 channel-group channel-group-number
Example:
RP/0/RSP0/CPU0:router(config-t1)# channel-group
0
Creates a T1 channel group and enters channel group
configuration mode for that channel group.
Step 10 timeslots range
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
timeslots 7-12
Associates DS0 time slots to a channel group and creates an
associated serial subinterface on that channel group.
• Range is from 1 to 24 time slots.
• You can assign all 24 time slots to a single channel
group, or you can divide the time slots among several
channel groups.
Note Each individual T1 controller supports a total of 24
DS0 time slots.
Step 11 speed kbps
Example:
RP/0/RSP0/CPU0:router(config-t1e1-channel_group)# speed 64
(Optional) Specifies the speed of the DS0s in kilobits per
second. Valid values are 56 and 64.
Note The default speed is 64 kbps.
Step 12 exit
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
exit
Exits channel group configuration mode.
Step 13 Repeat Step 9 through Step 12 to assign time slots to a
channel group. Each controller can contain up to 24
time slots.
—
Step 14 exit
Example:
RP/0/RSP0/CPU0:router(config-t1)# exit
Exits T1 configuration mode and enters global
configuration mode.
Step 15 Repeat Step 2 through Step 14 to assign more channel
groups to a controller as desired.
—
Step 16 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
What to Do Next
• Configure BERT on the controller to test its integrity, as described in the “Configuring BERT”
section on page 429.
• Configure the associated serial interface, as described in the Configuring Serial Interfaces on the
Cisco ASR 9000 Series Router module.
Configuring an E1 Controller
This task describes how to configure an individual E1 controller and channelize it into 31 individual DS0
timeslots.
Prerequisites
Before you configure an E1 controller, be sure that the following requirements are met:
• You have one of the following SPAs installed:
– 1-Port Channelized OC-3/STM-1 SPA
– 2-Port Channelized OC-12/DS0 SPA
– 4-Port Channelized T3/DS0 SPA
– 8-Port Channelized T1/E1 SPA
• If you have a 1-Port Channelized OC-3/STM-1 SPA or 2-Port Channelized OC-12/DS0 SPA, you
must complete the following configuration:
– Configure an STS stream channelized for T3. For more information, see the “Configuring
Channelized SONET/SDH on the Cisco ASR 9000 Series Router” module.
– Configure a channelized T3 controller running in E1 mode, as described in the “Configuring a
Channelized T3 Controller” section on page 415.
• If you have a 4-Port Channelized T3/DS0 SPA, you must configure a channelized T3 controller to
run in E1 mode, as described in the “Configuring a Channelized T3 Controller” section on page 415.
Restrictions
If you configure an option that is not valid for your controller type, you receive an error when you
commit the configuration.
Before you configure an E1 controller on the 8-Port Channelized T1/E1 SPA, consider the following
restrictions:
• The SPA controller is not visible until it is explicitly configured for E1 mode.
• For each individual SPA, the SPA ports must all be in the same mode (all E1).
SUMMARY STEPS
1. show controllers e1 interface-path-id
2. configure
3. controller e1 interface-path-id
4. clock source {internal | line}
5. framing {crc4 | no-crc4 | unframed}
6. national bits bits
7. no shutdown
8. channel-group channel-group-number
9. timeslots range
10. speed kbps
11. exit
12. Repeat Step 8 through Step 11 to assign time slots to a channel group. Each controller can contain
up to 24 time slots.
13. exit
14. Repeat Step 2 through Step 13 to assign more channel groups to a controller as desired.
15. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 show controllers e1 interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers e1
0/1/0/0
(Optional) Displays information about the E1 controllers.
Step 2 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 3 controller e1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller e1
0/3/0/0/0
Enters E1 configuration mode.
Step 4 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-e1)# clock source
internal
(Optional) Sets the clocking for individual E1 links.
Note The default clock source is internal.
Note When configuring clocking on a serial link, you
must configure one end to be internal, and the other
end to be line. If you configure internal clocking on
both ends of a connection, framing slips occur. If
you configure line clocking on both ends of a
connection, the line does not come up.
Step 5 framing {crc4 | no-crc4 | unframed}
Example:
RP/0/RSP0/CPU0:router(config-e1)# framing
unframed
(Optional) Selects the frame type for the E1 data line. The
following frame types are valid for E1:
• crc4—Framing with CRC-4 error monitoring
capabilities
• no-crc4—Framing without CRC-4 error monitoring
capabilities
• unframed—Unframed E1
Note The default frame type for E1 is crc4.
Step 6 national bits bits
Example:
RP/0/RSP0/CPU0:router(config-e1)# national bits
10
(Optional) Specifies the national reserved bits for an E1
port. Range is from 0 to 31.
Note The default bit pattern is 0, which corresponds to
the hexadecimal value 0x1f.
Step 7 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-e1)# no shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes
the forced administrative down on the controller,
enabling the controller to move to an up or a down state.
Step 8 channel-group channel-group-number
Example:
RP/0/RSP0/CPU0:router(config-e1)# channel-group
0
Creates an E1 channel group and enters channel group
configuration mode for that channel group.
Step 9 timeslots range
Example:
RP/0/RSP0/CPU0:router(config-e1-channel_group)#
timeslots 1-16
Associates one or more time slots to a channel group and
creates an associated serial subinterface on that channel
group.
• Range is from 1 to 31 time slots.
• You can assign all 31 time slots to a single channel
group, or you can divide the time slots among several
channel groups.
Note Each E1 controller supports a total of 31 DS0 time
slots.
Step 10 speed kbps
Example:
RP/0/RSP0/CPU0:router(config-e1-channel_group)#
speed 64
(Optional) Specifies the speed of the DS0s in kilobits per
second. Valid values are 56 and 64.
Note The default speed is 64 kbps.
Step 11 exit
Example:
RP/0/RSP0/CPU0:router(config-e1-channel_group)#
exit
Exits channel group configuration mode.
Step 12 Repeat Step 8 through Step 11 to assign time slots to a
channel group.
—
Step 13 exit
Example:
RP/0/RSP0/CPU0:router(config-e1)# exit
Exits E1 configuration mode.
Step 14 Repeat Step 2 through Step 13 to assign more channel
groups to a controller as desired.
—
Step 15 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
What to Do Next
• Configure BERT on the controller to test its integrity, as described in the “Configuring BERT”
section on page 429 in this module.
• Configure the associated serial interface, as described in the Configuring Serial Interfaces on the
Cisco ASR 9000 Series Router module later in this document.
Configuring BERT
Depending on your hardware support, BERT is supported on each of the T3/E3 or T1/E1 controllers, and
on the DS0 channel groups. It is done only over an unframed T3/E3 or T1/E1 signal and is run on only
one port at a time. It is also supported on individual channel groups.
To view the BERT results, use the show controllers t1 or show controllers t3 command in EXEC mode.
The BERT results include the following information:
• Type of test pattern selected
• Status of the test
• Interval selected
• Time remaining on the BER test
• Total bit errors
• Total bits received
BERT is data intrusive. Regular data cannot flow on a line while the test is in progress. The line is put
in an alarm state when BERT is in progress and restored to a normal state after BERT has been
terminated.
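The T1 and E1 controller procedures above state several limits that are easy to get wrong when a channelized controller is built by hand: 24 DS0 time slots on a T1 and 31 on an E1, time slots divided among channel groups rather than shared, a speed of 56 or 64 kbps, and exactly one end of a link clocked internal with the other end clocked line. The following Python script is an added example, not Cisco code and not part of this guide: it renders the controller and channel-group commands in the order the procedures give them and checks those limits before the lines are pasted into a configuration session. The comma-separated timeslots form ("1,3,5-8") and the treatment of a time slot claimed by two channel groups as an error are assumptions; the guide itself shows only a single range such as 7-12.

```python
"""Render and sanity-check a channelized T1/E1 controller configuration.

Added example, not Cisco code: it follows the T1 and E1 procedures in this
module and checks the limits they state before the lines reach a router.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Limits stated in the procedures: 24 DS0 time slots per T1, 31 per E1.
MAX_TIMESLOTS = {"t1": 24, "e1": 31}
# Frame types the framing command accepts on each controller type.
FRAMING = {"t1": {"sf", "esf"}, "e1": {"crc4", "no-crc4", "unframed"}}
# Values the speed command accepts (kbps); 64 is the stated default.
SPEEDS = {56, 64}


@dataclass
class ChannelGroup:
    number: int
    timeslots: str      # "7-12" as in the procedure; "1,3,5-8" is an assumed extension
    speed: int = 64


@dataclass
class Controller:
    kind: str                            # "t1" or "e1"
    path: str                            # interface-path-id, e.g. "0/3/0/0/0"
    framing: Optional[str] = None
    clock_source: str = "internal"       # default stated in the procedure
    national_bits: Optional[int] = None  # E1 only, 0..31
    channel_groups: List[ChannelGroup] = field(default_factory=list)


def parse_timeslots(spec: str) -> Set[int]:
    """Expand a timeslots argument such as '7-12' or '1,3,5-8' into slot numbers."""
    slots: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad time slot range {part!r}")
            slots.update(range(lo, hi + 1))
        else:
            slots.add(int(part))
    return slots


def validate(ctrl: Controller) -> List[str]:
    """Return the problems found; an empty list means the spec respects the stated limits."""
    if ctrl.kind not in MAX_TIMESLOTS:
        return [f"unknown controller kind {ctrl.kind!r}"]
    limit = MAX_TIMESLOTS[ctrl.kind]
    problems: List[str] = []
    if ctrl.framing is not None and ctrl.framing not in FRAMING[ctrl.kind]:
        problems.append(f"framing {ctrl.framing!r} is not valid for {ctrl.kind}")
    if ctrl.clock_source not in ("internal", "line"):
        problems.append(f"clock source must be internal or line, not {ctrl.clock_source!r}")
    if ctrl.national_bits is not None:
        if ctrl.kind != "e1":
            problems.append("national bits applies only to E1 controllers")
        elif not 0 <= ctrl.national_bits <= 31:
            problems.append("national bits must be in 0..31")
    claimed: Dict[int, int] = {}  # time slot -> channel group that already holds it
    seen: Set[int] = set()
    for cg in ctrl.channel_groups:
        if cg.number in seen:
            problems.append(f"channel-group {cg.number} is defined twice")
        seen.add(cg.number)
        if cg.speed not in SPEEDS:
            problems.append(f"channel-group {cg.number}: speed must be 56 or 64")
        for slot in sorted(parse_timeslots(cg.timeslots)):
            if not 1 <= slot <= limit:
                problems.append(f"channel-group {cg.number}: time slot {slot} is outside 1..{limit}")
            elif slot in claimed:
                problems.append(f"channel-group {cg.number}: time slot {slot} already belongs to "
                                f"channel-group {claimed[slot]}")
            else:
                claimed[slot] = cg.number
    return problems


def render(ctrl: Controller) -> List[str]:
    """Emit the CLI lines in the order the T1 and E1 procedures give them."""
    lines = [f"controller {ctrl.kind} {ctrl.path}"]
    if ctrl.kind == "t1":  # T1 procedure: framing, then clock source
        if ctrl.framing:
            lines.append(f" framing {ctrl.framing}")
        lines.append(f" clock source {ctrl.clock_source}")
    else:  # E1 procedure: clock source, framing, national bits
        lines.append(f" clock source {ctrl.clock_source}")
        if ctrl.framing:
            lines.append(f" framing {ctrl.framing}")
        if ctrl.national_bits is not None:
            lines.append(f" national bits {ctrl.national_bits}")
    lines.append(" no shutdown")
    for cg in ctrl.channel_groups:
        lines += [f" channel-group {cg.number}", f"  timeslots {cg.timeslots}",
                  f"  speed {cg.speed}", " exit"]
    lines.append("exit")
    return lines


def link_clock_check(local: str, remote: str) -> Optional[str]:
    """Apply the clocking note: one end internal and the other line, or the link misbehaves."""
    if local == remote == "internal":
        return "both ends internal: framing slips occur"
    if local == remote == "line":
        return "both ends line: the line does not come up"
    return None


if __name__ == "__main__":
    # Constructed sample: a T1 split into three channel groups covering all 24 slots.
    sample = Controller("t1", "0/3/0/0/0", framing="esf", channel_groups=[
        ChannelGroup(0, "1-6"), ChannelGroup(1, "7-12"), ChannelGroup(2, "13-24", speed=56)])
    print("\n".join(validate(sample) or render(sample)))
```

Run validate() first and only render() when it returns an empty list; the rendered lines are pasted into a configuration session and followed by commit, exactly as Steps 2 through 16 describe. link_clock_check() is meant to be run against both ends of a link before the clock source lines are committed, since the procedure note says a mismatch shows up only as framing slips or a link that never comes up.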
Configuring BERT on T3/E3 and T1/E1 Controllers
This task explains how to enable a bit error rate test (BERT) pattern on a T3/E3 or T1/E1 line or an
individual channel group.
Prerequisites
You must have configured a clear channel T3/E3 controller, or a channelized T3-to-T1/E1 controller.
Restrictions
Before configuring BERT on the 1-Port Channelized OC-48/STM-16 SPA, consider the following
restrictions:
• Only two simultaneous BERT tests are possible per STS-12 stream.
• These test patterns are supported:
– 2^15-1 (O.151)
– 2^20-1 (O.151) - QRSS
– 2^23-1 (O.151)
– Fixed Patterns (all 0s, all 1s etc.)
– Single bit error injection
– Data inversion
Before configuring BERT on the 4-Port Channelized T3/DS0 SPA, consider the following restrictions:
• A maximum of 12 BERT sessions is supported.
• 6 simultaneous BERT sessions among the first three physical ports and 6 simultaneous BERT
sessions on the fourth port are supported.
• Only one BERT session per T1 is supported.
• These test patterns are supported on the 4-Port Channelized T3/DS0 SPA:
– 2^11-1—T1/E1/DS0 only
– 2^15-1 (O.151)
– 2^20-1 (O.153)—T3 only
– 2^20-1 (QRSS)
– 2^23-1 (O.151)
– Alternating 0s/1s
– Fixed Patterns (all 0s, all 1s etc.)
– 1 in 8 DS1 insertion—T1/E1/DS0 only
– 3 in 24 DS1 insertion—T1/E1/DS0 only
These test patterns are supported on the 8-Port Channelized T1/E1 SPA for T1/E1/DS0:
• 2^11-1
• 2^15-1 (O.153)
• 2^20-1 (QRSS)
• 2^23-1 (O.151)
• Alternating 0s/1s
• Fixed Patterns (all 0s, all 1s etc.)
For other cards, valid patterns for all controllers and channel groups include: 0s, 1s, 2^15, 2^20,
2^20-QRSS, 2^23, and alt-0-1.
Additional valid patterns for T1 and E1 controllers include: 1in8, 3in24, 55Daly, and 55Octet.
Additional valid patterns for channel groups include: 2^11, 2^9, ds0-1, ds0-2, ds0-3, and ds0-4.
SUMMARY STEPS
1. configure
2. controller [t3 | e3 | t1 | e1] interface-path-id
3. bert pattern pattern
4. bert interval time
5. bert error [number]
6. end
or
commit
7. exit
8. exit
9. bert [t3 | e3 | t1 | e1] interface-path-id [channel-group channel-group-number] [error] start
10. bert [t3 | e3 | t1 | e1] interface-path-id [channel-group channel-group-number] stop
11. show controllers [t3 | e3 | t1 | e1] interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller [t3 | e3 | t1 | e1]
interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3
0/1/0/0
Specifies the controller name and instance in the notation
rack/slot/module/port, and enters T3, E3, T1, or E1
controller configuration mode.
Step 3 bert pattern pattern
Example:
RP/0/RSP0/CPU0:router(config-t3)# bert pattern
2^15
Enables a specific bit error rate test (BERT) pattern on a
controller.
Note You must use the bert command in EXEC mode to
start the BER test.
Step 4 bert interval time
Example:
RP/0/RSP0/CPU0:router(config-t3)# bert interval
5
(Optional) Specifies the duration of a bit error rate test
(BERT) pattern on a T3/E3 or T1/E1 line. The interval can
be a value from 1 to 14400.
Step 5 bert error [number]
Example:
RP/0/RSP0/CPU0:router(config-t3)# bert error 10
Specifies the number of BERT errors to introduce into the
bit stream. Range is from 1 to 255.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-t3)# end
or
RP/0/RSP0/CPU0:router(config-t3)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router(config-t3)# exit
Exits T3/E3 or T1/E1 controller configuration mode.
Step 8 exit
Example:
RP/0/RSP0/CPU0:router(config)# exit
Exits global configuration mode.
Step 9 bert [t3 | e3 | t1 | e1] interface-path-id
[channel-group channel-group-number] [error]
start
Example:
RP/0/RSP0/CPU0:router# bert t3 0/3/0/0 start
RP/0/RSP0/CPU0:router# bert t3 0/3/0/0 error
Starts the configured BERT test on the specified T3/E3 or
T1/E1 controller.
Note You can include the optional error keyword to
inject errors into the running BERT stream.
Step 10 bert [t3 | e3 | t1 | e1] interface-path-id
[channel-group channel-group-number] stop
Example:
RP/0/RSP0/CPU0:router# bert t3 0/3/0/0 stop
Stops the configured BERT test on the specified T3/E3 or
T1/E1 controller.
Step 11 show controllers [t3 | e3 | t1 | e1]
interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers t3
0/3/0/0
Displays the results of the configured BERT.
What to Do Next
Configure the serial interfaces that are associated with the controllers you tested, as described in the
Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module.
Configuring BERT on a DS0 Channel Group
This task explains how to enable a bit error rate test (BERT) pattern on an individual DS0 channel group.
Prerequisites
You must have configured a clear channel T1/E1 controller, or a channelized T3-to-T1/E1 controller.
SUMMARY STEPS
1. configure
2. controller {t1 | e1} interface-path-id
3. channel-group channel-group-number
4. bert pattern pattern
5. bert interval time
6. end
or
commit
7. exit
8. exit
9. exit
10. bert [t1 | e1] interface-path-id [channel-group channel-group-number][error] start
11. bert [t1 | e1] interface-path-id [channel-group channel-group-number] stop
12. show controllers [t1 | e1] interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller {t1 | e1} interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1
0/3/0/0/0
Specifies the controller name and instance in the notation
rack/slot/module/port, and enters T1 or E1 controller
configuration mode.
Step 3 channel-group channel-group-number
Example:
RP/0/RSP0/CPU0:router(config-t1)# channel-group
1
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
Enters channel group configuration mode for a specific
channel group. Replace channel-group-number with the
number that identifies the channel group on which you want
to configure a BERT.
Step 4 bert pattern pattern
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
bert pattern 2^15
Enables a specific bit error rate test (BERT) pattern on a T1
line. Valid patterns for all controllers and channel groups
include: 0s, 1s, 2^15, 2^20, 2^20-QRSS, 2^23, and
alt-0-1. Additional valid patterns for T1 and E1 controllers
include: 1in8, 3in24, 55Daly, and 55Octet. Additional
valid patterns for channel groups include: 2^11, 2^9, ds0-1,
ds0-2, ds0-3, and ds0-4.
Note You must use the bert command in EXEC mode to
start the BER test.
Step 5 bert interval time
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
bert interval 5
(Optional) Specifies the duration, in minutes, of a bit error
rate test (BERT) pattern on a T1/E1 line. The interval can be
a value from 1 to 14400.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
end
or
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
exit
Exits channel group configuration mode.
Step 8 exit
Example:
RP/0/RSP0/CPU0:router(config-t1)# exit
Exits T1 or E1 configuration mode.
Step 9 exit
Example:
RP/0/RSP0/CPU0:router(config)# exit
Exits global configuration mode.
Step 10 bert [t1 | e1] interface-path-id [channel-group channel-group-number] [error] start
Example:
RP/0/RSP0/CPU0:router# bert t1 0/3/0/0/0 start
RP/0/RSP0/CPU0:router# bert t1 0/3/0/0/0 error
Starts the configured BERT test on the specified channel
group.
Note You can include the optional error keyword to
inject errors into the running BERT stream.
Step 11 bert [t1 | e1] interface-path-id [channel-group channel-group-number] stop
Example:
RP/0/RSP0/CPU0:router# bert t1 0/3/0/0/0 stop
Stops the configured BERT test on the specified channel
group.
Step 12 show controllers [t1 | e1] interface-path-id
Example:
RP/0/RSP0/CPU0:router# show controllers t3 0/3/0/0
Displays the results of the configured BERT.
What to Do Next
Configure the serial interfaces that are associated with the controllers you tested, as described in the
Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module later in this document.
Configuring Link Noise Monitoring on a T1 or E1 Channel
This section describes how to configure Link Noise Monitoring (LNM) on a T1 or E1 channel on the
Cisco ASR 9000 Series Router.
Prerequisites
Before you configure LNM on the Cisco ASR 9000 Series Router, be sure that these requirements are
met:
• A 2-Port Channelized OC-12c/DS0 SPA is installed.
• The 2-Port Channelized OC-12/DS0 SPA is configured as a channelized T3 controller running in T1
or E1 mode, as described in the “Configuring a Channelized T3 Controller” section on page 415.
• The T1 or E1 controller is configured as a single channel supporting the full 24 or 31 DS0 time slots,
as described in the “Configuring a T1 Controller” section on page 421 or “Configuring an E1
Controller” section on page 425. LNM is not supported on a fractional T1 or E1 link.
Restrictions
Before you configure LNM on the Cisco ASR 9000 Series Router, consider these restrictions:
• The lnm major-warning and lnm remove commands are mutually exclusive. You can only
configure one of these LNM functions on a controller.
• The lnm minor-warning command can be configured with the lnm major-warning or lnm remove
commands on a controller.
• When the lnm remove command is configured, links in an MLPPP bundle are removed only up to
the threshold set by the ppp multilink minimum-active links command.
SUMMARY STEPS
1. configure
2. controller {t1 | e1} interface-path-id
3. lnm {major-warning | remove} [clear | set] [line-code-violation lcv-value [path-code-violation pcv-value]] [duration seconds]
4. lnm minor-warning [clear | set] [line-code-violation lcv-value [path-code-violation pcv-value]] [duration seconds]
5. lnm syslog
6. end
or
commit
DETAILED STEPS
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller {t1 | e1} interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1
0/1/1/0/1/1
Enters T1 or E1 configuration mode.
Step 3 lnm {major-warning | remove} [clear | set] [line-code-violation lcv-value [path-code-violation pcv-value]] [duration seconds]
Example:
RP/0/RSP0/CPU0:router(config-t1)# lnm major-warning
(Optional) Enables link noise monitoring and specifies
thresholds for noise errors on T1/E1 links that are used to
signal major warning events or link removal and recovery
from those events.
The default values for both set and clear thresholds are:
• For T1 links—line-code-violation is 1544,
path-code-violation is 320, and duration is 10.
• For E1 links—line-code-violation is 2048,
path-code-violation is 831, and duration is 10.
Step 4 lnm minor-warning [clear | set] [line-code-violation lcv-value [path-code-violation pcv-value]] [duration seconds]
Example:
RP/0/RSP0/CPU0:router(config-t1)# lnm minor-warning
(Optional) Enables link noise monitoring and specifies
thresholds for noise errors on T1/E1 links that are used to
signal minor warning events and recovery from those
events.
The default values for both set and clear thresholds are:
• For T1 links—line-code-violation is 154,
path-code-violation is 145, and duration is 10.
• For E1 links—line-code-violation is 205,
path-code-violation is 205, and duration is 10.
Step 5 lnm syslog
Example:
RP/0/RSP0/CPU0:router(config-t1)# lnm syslog
(Optional) Enables logging of link noise monitoring major
and minor events and alarms.
Note You must use this command for LNM messages to
appear in both the system log and in the log events
buffer.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-t1)# end
or
RP/0/RSP0/CPU0:router(config-t1)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Verifying Link Noise Monitoring Configuration and Status
To verify LNM configuration and state information, as well as statistics and events, use the show
controllers lnm command as shown in the following example:
Note When the lnm remove command is configured, the word “Remove” appears in the show controllers
output headers and events in place of “major-warning” and “Major-Warn.”
RP/0/RSP0/CPU0:Router# show controllers t1 0/1/1/0/1/1 lnm all
Thu May 13 10:28:26.474 PDT
Controller T1 0/1/1/0/1/1
Syslog     Monitoring type   State    Thresholds (lcv/pcv/duration)
--------------------------------------------------------------------
enabled    minor-warning     stable   Set(  15/  15/  4) Clear(  15/  15/  4)
           major-warning     stable   Set( 154/ 145/  4) Clear( 154/ 145/  4)
Monitoring type   Minor-Warn    Major-Warn
---------------   ------------  ------------
Create            1             1
Update            0             0
Delete            0             0
Clear             0             0
Noise Crossed     1             1
Noise Cleared     1             1
Last Five Events
--------------------------------------------------------------------
MINWARNCROSS: Noise crossed minor-warn threshold at Thu May 13 09:54:10 2010
MAJWARNCROSS: Noise crossed major-warn threshold at Thu May 13 09:54:11 2010
MAJWARNCLEAR: Noise cleared major-warn threshold at Thu May 13 10:27:25 2010
MINWARNCLEAR: Noise cleared minor-warn threshold at Thu May 13 10:28:14 2010
Clearing Link Noise Monitoring States and Statistics
You can use the clear controller lnm command to reset LNM states or clear statistics and reset them to
zero.
There should not normally be any need to clear the LNM controller states. The state option resets the
LNM configuration which causes an update of the current LNM states in the system. Therefore, under
normal conditions, if the controller is in alarm state, the reset should continue to report the alarm state;
alternatively, if the controller is clear of any alarms, the reset will show the stable state. The use of the
clear controller lnm state command does not actually clear any alarms, but causes a refresh of their
values in the system. Therefore, this command can be used if the reported controller state should happen
to be out of synchronization with the actual controller state.
To reset LNM states, use the clear controller lnm command as shown in the following example:
RP/0/RSP0/CPU0:Router# clear controller t1 0/1/0/0/1/1 lnm state
To clear LNM statistics and reset counters to zero, use the clear controller lnm command as shown in
the following example:
RP/0/RSP0/CPU0:Router# clear controller t1 0/1/0/0/1/1 lnm statistics
RP/0/RSP0/CPU0:Router# show controller T1 0/1/0/1/1/1 lnm statistics
Thu May 13 11:26:20.991 PDT
Controller T1 0/1/0/1/1/1
Monitoring type   Minor-Warn    Major-Warn
---------------   ------------  ------------
Create            0             0
Update            0             0
Delete            0             0
Clear             0             0
Noise Crossed     0             0
Noise Cleared     0             0
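The show controllers lnm output above is what an operator checks by eye; a monitoring pipeline needs it as data, for example to catch thresholds that have drifted from the documented defaults or to measure how long a link stayed above a noise threshold. The following Python is an added example, not Cisco code: the parse_lnm, threshold_drift and noise_timeline functions are constructed here, SAMPLE_OUTPUT is a copy of the page's sample output with its columns re-spaced, and the event codes handled are only those seen in that sample.

```python
"""Parse 'show controllers t1 <path> lnm all' output and compare the
configured LNM thresholds with the documented defaults.
Added example, not Cisco code. SAMPLE_OUTPUT is copied from the page's
sample; the function names and the drift/timeline logic are constructed."""
import re
from datetime import datetime

# Documented set/clear defaults from the lnm major-warning / minor-warning steps.
# 'lnm remove' shares the major-warning command and its defaults, and replaces
# "major-warning" with "Remove" in the show output.
DEFAULTS = {
    "T1": {"major-warning": (1544, 320, 10), "minor-warning": (154, 145, 10)},
    "E1": {"major-warning": (2048, 831, 10), "minor-warning": (205, 205, 10)},
}
for _link in DEFAULTS:
    DEFAULTS[_link]["remove"] = DEFAULTS[_link]["major-warning"]

SAMPLE_OUTPUT = """\
RP/0/RSP0/CPU0:Router# show controllers t1 0/1/1/0/1/1 lnm all
Thu May 13 10:28:26.474 PDT
Controller T1 0/1/1/0/1/1
Syslog     Monitoring type   State    Thresholds (lcv/pcv/duration)
--------------------------------------------------------------------
enabled    minor-warning     stable   Set(  15/  15/  4) Clear(  15/  15/  4)
           major-warning     stable   Set( 154/ 145/  4) Clear( 154/ 145/  4)
Monitoring type   Minor-Warn    Major-Warn
---------------   ------------  ------------
Create            1             1
Update            0             0
Delete            0             0
Clear             0             0
Noise Crossed     1             1
Noise Cleared     1             1
Last Five Events
--------------------------------------------------------------------
MINWARNCROSS: Noise crossed minor-warn threshold at Thu May 13 09:54:10 2010
MAJWARNCROSS: Noise crossed major-warn threshold at Thu May 13 09:54:11 2010
MAJWARNCLEAR: Noise cleared major-warn threshold at Thu May 13 10:27:25 2010
MINWARNCLEAR: Noise cleared minor-warn threshold at Thu May 13 10:28:14 2010
"""

CTRL_RE = re.compile(r"^Controller (T1|E1) (\S+)$")
THRESH_RE = re.compile(
    r"^(?:(enabled|disabled)\s+)?(minor-warning|major-warning|remove)\s+(\S+)\s+"
    r"Set\(\s*(\d+)/\s*(\d+)/\s*(\d+)\s*\)\s+Clear\(\s*(\d+)/\s*(\d+)/\s*(\d+)\s*\)$")
COUNTER_RE = re.compile(
    r"^(Create|Update|Delete|Clear|Noise Crossed|Noise Cleared)\s+(\d+)\s+(\d+)$")
EVENT_RE = re.compile(r"^([A-Z]+): (.+) at (\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})$")


def parse_lnm(text):
    """Return controller type/path, syslog flag, per-monitor state and
    thresholds, the event counters and the parsed 'Last Five Events'."""
    info = {"controller": None, "type": None, "syslog": None,
            "monitors": {}, "counters": {}, "events": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = CTRL_RE.match(line)
        if m:
            info["type"], info["controller"] = m.groups()
            continue
        m = THRESH_RE.match(line)
        if m:
            syslog, kind, state = m.group(1), m.group(2), m.group(3)
            if syslog:                      # only printed on the first monitor row
                info["syslog"] = syslog == "enabled"
            nums = tuple(int(x) for x in m.groups()[3:])
            info["monitors"][kind] = {"state": state, "set": nums[:3], "clear": nums[3:]}
            continue
        m = COUNTER_RE.match(line)
        if m:
            info["counters"][m.group(1)] = {"minor": int(m.group(2)), "major": int(m.group(3))}
            continue
        m = EVENT_RE.match(line)
        if m:
            info["events"].append((m.group(1), m.group(2),
                                   datetime.strptime(m.group(3), "%a %b %d %H:%M:%S %Y")))
    return info


def threshold_drift(info):
    """List (monitor, set|clear, configured, default) where the configured
    thresholds differ from the documented defaults for the link type."""
    defaults = DEFAULTS[info["type"]]
    return [(kind, which, mon[which], defaults[kind])
            for kind, mon in info["monitors"].items()
            for which in ("set", "clear")
            if mon[which] != defaults[kind]]


def noise_timeline(info):
    """Pair each *CROSS event with its later *CLEAR event and return the
    seconds spent above the threshold, keyed by 'minor' / 'major'."""
    crossed, durations = {}, {}
    for code, _msg, ts in info["events"]:
        sev = "minor" if code.startswith("MIN") else "major"
        if code.endswith("CROSS"):
            crossed[sev] = ts
        elif code.endswith("CLEAR") and sev in crossed:
            durations[sev] = (ts - crossed.pop(sev)).total_seconds()
    return durations
```

On the page's sample, threshold_drift reports all four set/clear tuples because the router was configured with 15/15/4 and 154/145/4 instead of the T1 defaults, and noise_timeline shows the link spent about 34 minutes above the minor threshold.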
Configuration Examples
This section contains the following examples:
• Configuring a Clear Channel T3 Controller: Example, page 440
• Configuring a T3 Controller with Channelized T1 Controllers: Example, page 440
• Configuring BERT on a T3 Controller: Example, page 441
• Configuring Link Noise Monitoring on a T1 Controller: Examples, page 442
• QoS on T3 Channels: Example, page 443
Configuring a Clear Channel T3 Controller: Example
The following example shows configuration for a clear channel T3 controller:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)#controller T3 0/3/2/0
RP/0/RSP0/CPU0:router(config-t3)#clock source internal
RP/0/RSP0/CPU0:router(config-t3)#mode serial
RP/0/RSP0/CPU0:router(config-t3)#cablelength 4
RP/0/RSP0/CPU0:router(config-t3)#framing c-bit
RP/0/RSP0/CPU0:router(config-t3)#commit
Configuring a T3 Controller with Channelized T1 Controllers: Example
The following example shows how to configure a T3 controller that has been channelized into 28 T1
controllers:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# controller T3 0/3/0/0
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# framing m23
RP/0/RSP0/CPU0:router(config-t3)# cablelength 11
RP/0/RSP0/CPU0:router(config-t3)# clock source line
RP/0/RSP0/CPU0:router(config-t3)#commit
RP/0/RSP0/CPU0:router(config-t3)#exit
RP/0/RSP0/CPU0:router(config)# exit
RP/0/RSP0/CPU0:router# show controllers T1 ?
0/3/0/0/0 T1 Interface Instance
0/3/0/0/1 T1 Interface Instance
0/3/0/0/10 T1 Interface Instance
0/3/0/0/11 T1 Interface Instance
0/3/0/0/12 T1 Interface Instance
0/3/0/0/13 T1 Interface Instance
0/3/0/0/14 T1 Interface Instance
0/3/0/0/15 T1 Interface Instance
0/3/0/0/16 T1 Interface Instance
0/3/0/0/17 T1 Interface Instance
0/3/0/0/18 T1 Interface Instance
0/3/0/0/19 T1 Interface Instance
0/3/0/0/2 T1 Interface Instance
0/3/0/0/20 T1 Interface Instance
0/3/0/0/21 T1 Interface Instance
0/3/0/0/22 T1 Interface Instance
0/3/0/0/23 T1 Interface Instance
0/3/0/0/24 T1 Interface Instance
0/3/0/0/25 T1 Interface Instance
0/3/0/0/26 T1 Interface Instance
0/3/0/0/27 T1 Interface Instance
0/3/0/0/3 T1 Interface Instance
0/3/0/0/4 T1 Interface Instance
0/3/0/0/5 T1 Interface Instance
--More--
!
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router(config)#configure
RP/0/RSP0/CPU0:router(config)# controller t1 0/3/0/0/0
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/3/0/0/1
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/3/0/0/2
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-12
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# channel-group 1
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 13-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/3/0/0/3
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-6
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# channel-group 1
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 7-12
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# channel-group 2
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 13-18
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# channel-group 3
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 19-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1-channel_group)#commit
Configuring BERT on a T3 Controller: Example
The following example shows how to configure a BERT on a T3 controller, and then display the results
of the BERT:
RP/0/RSP0/CPU0:router# config
RP/0/RSP0/CPU0:router(config)# controller t3 0/3/0/1
RP/0/RSP0/CPU0:router(config-t3)# bert pattern 0s
Run bert from exec mode for the bert config to take effect
RP/0/RSP0/CPU0:router(config-t3)#exit
RP/0/RSP0/CPU0:router(config)# exit
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]
RP/0/RSP0/CPU0:router# bert t3 0/3/0/1 start
RP/0/RSP0/CPU0:router# bert t3 0/3/0/1 stop
RP/0/RSP0/CPU0:router# show controllers t3 0/3/0/1
T30/3/0/1 is up
No alarms detected.
MDL transmission is disabled
EIC: , LIC: , FIC: , UNIT:
Path FI:
Idle Signal PORT_NO:
Test Signal GEN_NO:
FEAC code received: No code is being received
Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Internal
Data in current interval (108 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
Data in Interval 2:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
Data in Interval 3:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
Configuring Link Noise Monitoring on a T1 Controller: Examples
The following example shows how to configure a channelized T3 controller for T1 configuration mode
using the full 24 DS0 timeslots as a single channel before configuring LNM on the link. In this example,
the values shown are actually the system defaults for the set thresholds:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# controller T3 0/1/1/0/1
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# framing m23
RP/0/RSP0/CPU0:router(config-t3)# cablelength 11
RP/0/RSP0/CPU0:router(config-t3)# clock source line
RP/0/RSP0/CPU0:router(config-t3)#commit
RP/0/RSP0/CPU0:router(config-t3)#exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/1/1/0/1/1
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# lnm syslog
RP/0/RSP0/CPU0:router(config-t1)# lnm major-warning set line-code-violation 1544 path-code-violation 320 duration 10
RP/0/RSP0/CPU0:router(config-t1)# lnm minor-warning set line-code-violation 154 path-code-violation 145 duration 10
The following example shows how to configure a channelized T3 controller for T1 configuration mode
using the full 24 DS0 timeslots as a single channel before configuring LNM on the link. In this example,
the values shown are actually the system defaults for the set thresholds, and LNM is configured to signal
the Noise Attribute to PPP for MLPPP link removal when those thresholds are crossed:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# controller T3 0/1/1/0/1
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# framing m23
RP/0/RSP0/CPU0:router(config-t3)# cablelength 11
RP/0/RSP0/CPU0:router(config-t3)# clock source line
RP/0/RSP0/CPU0:router(config-t3)#commit
RP/0/RSP0/CPU0:router(config-t3)#exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/1/1/0/1/1
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# lnm syslog
RP/0/RSP0/CPU0:router(config-t1)# lnm remove set line-code-violation 1544 path-code-violation 320 duration 10
RP/0/RSP0/CPU0:router(config-t1)# lnm minor-warning set line-code-violation 154 path-code-violation 145 duration 10
QoS on T3 Channels: Example
QoS on the T3 channels is supported for both PPP and HDLC encapsulation. The following example
shows a typical QoS configuration for T3 interfaces:
class-map VOIP
match dscp EF
end-class-map
class-map OAM
match dscp AF43
end-class-map
!
Policy-map T3-no-priority
class OAM
bandwidth percent 30
!
class class-default
!
end-policy-map
!
Policy-map T3-priority
class VOIP
priority level 1
police rate percent 60
!
class OAM
bandwidth percent 30
!
class class-default
!
end-policy-map
Additional References
The following sections provide references related to T3 and T1 controllers.
Related Documents
Related Topic: Cisco IOS XR master command reference
Document Title: Cisco IOS XR Master Commands List
Related Topic: Cisco IOS XR interface configuration commands
Document Title: Cisco IOS XR Interface and Hardware Component Command Reference
Related Topic: Initial system bootup and configuration information for a router using Cisco IOS XR software
Document Title: Cisco IOS XR Getting Started Guide
Related Topic: Cisco IOS XR AAA services configuration information
Document Title: Cisco IOS XR System Security Configuration Guide and Cisco IOS XR System Security Command Reference
Standards
Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
MIBs:
• IF-MIB
• DS3-MIB
• CISCO-DS3-MIB
• DS1-MIB
Note Not supported on the 4-Port Clear Channel T3/E3 SPA.
• Entity MIBs
MIBs Link: To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Description Link
The Cisco Technical Support website contains
thousands of pages of searchable technical content,
including links to products, technologies, solutions,
technical tips, and tools. Registered Cisco.com users
can log in from this page to access even more content.
http://www.cisco.com/techsupport
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-01
Configuring Dense Wavelength Division
Multiplexing Controllers on the
Cisco ASR 9000 Series Router
This module describes the configuration of dense wavelength division multiplexing (DWDM)
controllers on the Cisco ASR 9000 Series Aggregation Services Routers.
DWDM is an optical technology that is used to increase bandwidth over existing fiber-optic backbones.
DWDM can be configured on supported 10-Gigabit Ethernet (GE) line cards. After you configure the
DWDM controller, you can configure an associated 10-Gigabit Ethernet interface.
Feature History for Configuring DWDM Controller Interfaces
Release        Modification
Release 3.9.0  This feature was introduced on the Cisco ASR 9000 Series Router on the following cards:
               • Cisco 8-Port 10 Gigabit Ethernet Line Card (A9K-8T-L and -E)
               • Cisco 2-port 10 Gigabit Ethernet + 20-port Gigabit Ethernet Combination Line Card (A9K-2T20GE-L)
Release 3.9.1  Support for the following cards was added:
               • Cisco 8-Port 10 Gigabit Ethernet Line Card (A9K-8T-B)
               • Cisco 2-port 10 Gigabit Ethernet + 20-port Gigabit Ethernet Combination Line Card (A9K-2T20GE-B and -E)
Release 4.0.0  Support for IPoDWDM Proactive Protection was added on the following cards:
               • Cisco 8-Port 10 Gigabit Ethernet Line Card (A9K-8T-L, -B, and -E)
               • Cisco 2-port 10 Gigabit Ethernet + 20-port Gigabit Ethernet Combination Line Card (A9K-2T20GE-L, -B, and -E)
Contents
• Prerequisites for Configuring DWDM Controller Interfaces, page 448
• Information About the DWDM Controllers, page 448
• Information about IPoDWDM, page 449
• How to Configure DWDM Controllers, page 450
• How to Perform Performance Monitoring on DWDM Controllers, page 453
• Configuring IPoDWDM, page 457
• Configuration Examples, page 463
• Additional References, page 466
Prerequisites for Configuring DWDM Controller Interfaces
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring a DWDM controller, be sure that you have installed one of the following cards that
support DWDM:
• Cisco 8-Port 10 Gigabit Ethernet Line Card
• Cisco 2-port 10 Gigabit Ethernet + 20-port Gigabit Ethernet Combination Line Card
Information About the DWDM Controllers
DWDM support in Cisco IOS XR software is based on the Optical Transport Network (OTN) protocol
that is specified in ITU-T G.709. This standard combines the benefits of SONET/SDH technology with
the multiwavelength networks of DWDM. It also provides for forward error correction (FEC) that can
allow a reduction in network costs by reducing the number of regenerators used.
To enable multiservice transport, OTN uses the concept of a wrapped overhead (OH). To illustrate this
structure:
• Optical channel payload unit (OPU) OH information is added to the information payload to form the
OPU. The OPU OH includes information to support the adaptation of client signals.
• Optical channel data unit (ODU) OH is added to the OPU to create the ODU. The ODU OH includes
information for maintenance and operational functions to support optical channels.
• Optical channel transport unit (OTU) OH together with the FEC is added to form the OTU. The OTU
OH includes information for operational functions to support the transport by way of one or more
optical channel connections.
• Optical channel (OCh) OH is added to form the OCh. The OCh provides the OTN management
functionality and contains four subparts: the OPU, ODU, OTU, and frame alignment signal (FAS).
See Figure 33.
Figure 33 OTN Optical Channel Structure
[Figure: nested frame layout with the labels FAS, OTU, ODU, OPU, Payload, and FEC]
Information about IPoDWDM
Cisco IOS XR software includes the IP over Dense Wavelength Division Multiplexing (IPoDWDM)
feature.
IPoDWDM is supported on the following hardware devices:
• Cisco 8-Port 10 Gigabit Ethernet Line Card
• Cisco 2-port 10 Gigabit Ethernet + 20-port Gigabit Ethernet Combination Line Card
IPoDWDM currently provides the following software features:
• Proactive Maintenance
Proactive Maintenance
Proactive maintenance automatically triggers Forward Error Correction-Fast Re-Route (FEC-FRR).
Proactive maintenance requires coordinated maintenance between Layer 0 (L0) and Layer 3 (L3).
L0 is the DWDM optical layer. FEC-FRR is an L3 protection mechanism. FEC-FRR detects failures
before they happen and corrects errors introduced during transmission or that are due to a degrading
signal.
System administrators can configure the following IPoDWDM features:
• Optical Layer DWDM port, see Configuring the Optical Layer DWDM Ports, page 457.
• Administrative state of DWDM optical ports, see Configuring the Administrative State of DWDM
Optical Ports, page 459.
• FEC-FRR trigger threshold, window size, revert threshold, and revert window size, see Configuring
Proactive FEC-FRR Triggering, page 461.
FEC-FRR Triggering
FEC-FRR can be configured to be triggered by the following alarms:
• ais – Alarm Indication Signal (AIS)
• bdi – Backward Defect Indication (BDI)
• *bdiO – Backward Defect Indication - Overhead (BDI-O)
• *bdiP – Backward Defect Indication - Payload (BDI-P)
• *deg – Degraded (DEG)
• lck – Locked (LCK)
• lof – Loss of Frame (LOF)
• lom – Loss of Multi Frame
• los – Loss of Signal (LOS)
• *losO – Loss of Signal - Overhead (LOS-O)
• *losP – Loss of Signal - Payload (LOS-P)
• oci – Open Connection Indication (OCI)
• plm – Payload Mismatch (PLM)
• *ssf – Server Signal Failure (SSF)
• *ssfO – Server Signal Failure - Overhead (SSF-O)
• *ssfP – Server Signal Failure - Payload (SSF-P)
• tim – Trace Identifier Mismatch (TIM)
Signal Logging
DWDM statistics data, such as EC, UC, and alarms, are collected and stored in the log file on the DWDM
line card.
How to Configure DWDM Controllers
The DWDM controllers are configured in the physical layer control element of the Cisco IOS XR
software configuration space. This configuration is done using the controller dwdm command, and is
described in the following task:
• Configuring G.709 Parameters, page 450
Note All interface configuration tasks for Gigabit Ethernet interfaces still must be performed in interface
configuration mode.
Configuring G.709 Parameters
This task describes how to customize the alarm display and the thresholds for alerts and forward error
correction (FEC). You need to use this task only if the default values are not correct for your installation.
Prerequisites
The loopback and g709 fec commands can be used only when the controller is in the shutdown state.
Use the admin-state command.
SUMMARY STEPS
1. configure
2. controller dwdm interface-path-id
3. admin-state maintenance
or
admin-state out-of-service
4. commit
5. loopback {internal | line}
6. g709 fec {disable | enhanced | standard}
7. g709 {odu | otu} report alarm disable
8. g709 otu overhead tti {expected | sent} {ascii | hex} tti-string
9. end
or
commit
10. admin-state in-service
11. show controllers dwdm interface-path-id g709
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:Router# configure
Enters global configuration mode.
Step 2 controller dwdm interface-path-id
Example:
RP/0/RSP0/CPU0:Router(config)# controller dwdm
0/1/0/0
Specifies the DWDM controller name in the notation
rack/slot/module/port and enters DWDM configuration
mode.
Step 3 admin-state maintenance
or
admin-state out-of-service
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# admin-state
out-of-service
Disables the DWDM controller. You must disable the
controller before you can use the DWDM configuration
commands.
Step 4 commit
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
Saves configuration changes. This performs the shutdown
from the previous step. When the controller has been shut
down, you can proceed with the configuration.
Step 5 loopback {internal | line}
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# loopback
internal
(Optional) Configures the DWDM controller for loopback
mode.
Step 6 g709 fec {disable | standard}
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# g709 fec
disable
(Optional) Configures the forward error correction mode
(FEC) for the DWDM controller. By default, enhanced FEC
is enabled.
Step 7 g709 {odu | otu} report alarm disable
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# g709 odu
bdi disable
(Optional) Disables the logging of selected optical channel
data unit (ODU) alarms or optical channel transport unit
(OTU) alarms to the console for a DWDM controller. By
default, all alarms are logged to the console.
Step 8 g709 otu overhead tti {expected | sent} {ascii
| hex} tti-string
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# g709 otu
overhead tti expected ascii test OTU 5678
Configures a transmit or expected Trail Trace Identifier
(TTI) that is displayed in the show controller dwdm
command.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# end
or
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 10 admin-state in-service
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# admin-state in-service
Places the DWDM port in In Service (IS) state, to support
all normal operation.
Step 11 show controllers dwdm interface-path-id g709
Example:
RP/0/RSP0/CPU0:Router# show controller dwdm 0/1/0/0 optics
Displays the G.709 Optical Transport Network (OTN)
protocol alarms and counters for Bit Errors, along with the
FEC statistics and threshold-based alerts.
What to Do Next
All interface configuration tasks for the Gigabit Ethernet interfaces still must be performed in interface
configuration mode. Refer to the corresponding modules in this book for more information.
How to Perform Performance Monitoring on DWDM Controllers
Performance monitoring parameters are used to gather, store, set thresholds for, and report performance
data for early detection of problems. Thresholds are used to set error levels for each performance
monitoring parameter. During the accumulation cycle, if the current value of a performance monitoring
parameter reaches or exceeds its corresponding threshold value, a threshold crossing alert (TCA) can be
generated. The TCAs provide early detection of performance degradation.
Performance monitoring statistics are accumulated on a 15-minute basis, synchronized to the start of
each quarter-hour. They are also accumulated on a daily basis starting at midnight. Historical counts are
maintained for thirty-three 15-minute intervals and two daily intervals.
Performance monitoring is described in the following task:
• Configuring DWDM Controller Performance Monitoring, page 453
Configuring DWDM Controller Performance Monitoring
This task describes how to configure performance monitoring on DWDM controllers and how to display
the performance parameters.
SUMMARY STEPS
1. configure
2. controller dwdm interface-path-id
3. pm {15-min | 24-hour} fec threshold {ec-bits | uc-words} threshold
4. pm {15-min | 24-hour} optics threshold {lbc | opr | opt} {max | min} threshold
5. pm {15-min | 24-hour} otn threshold otn-parameter threshold
6. pm {15-min | 24-hour} fec report {ec-bits | uc-words} enable
7. pm {15-min | 24-hour} optics report {lbc | opr | opt} {max-tca | min-tca} enable
8. pm {15-min | 24-hour} otn report otn-parameter enable
9. end
or
commit
10. show controllers dwdm interface-path-id pm history [15-min | 24-hour | fec | optics | otn]
11. show controllers dwdm interface-path-id pm interval {15-min | 24-hour} [fec | optics | otn] index
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:Router# configure
Enters global configuration mode.
Step 2 controller dwdm interface-path-id
Example:
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/0
Specifies the DWDM controller name in the notation rack/slot/module/port and enters DWDM configuration mode.
Step 3 pm {15-min | 24-hour} fec threshold {ec-bits | uc-words} threshold
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min fec threshold ec-bits 49000000
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min fec threshold uc-words xxxxxx
Configures a performance monitoring threshold for specific parameters on the FEC layer.
Step 4 pm {15-min | 24-hour} optics threshold {lbc | opr | opt} {max | min} threshold
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold opt max xxx
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold lbc min xxx
Configures a performance monitoring threshold for specific parameters on the optics layer.
Step 5 pm {15-min | 24-hour} otn threshold otn-parameter threshold
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min otn threshold bbe-pm-ne xxx
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min otn threshold es-sm-fe xxx
Configures a performance monitoring threshold for specific parameters on the optical transport network (OTN) layer. OTN parameters can be as follows:
• bbe-pm-fe—Far-end path monitoring background block errors (BBE-PM)
• bbe-pm-ne—Near-end path monitoring background block errors (BBE-PM)
• bbe-sm-fe—Far-end section monitoring background block errors (BBE-SM)
• bbe-sm-ne—Near-end section monitoring background block errors (BBE-SM)
• bber-pm-fe—Far-end path monitoring background block errors ratio (BBER-PM)
• bber-pm-ne—Near-end path monitoring background block errors ratio (BBER-PM)
• bber-sm-fe—Far-end section monitoring background block errors ratio (BBER-SM)
• bber-sm-ne—Near-end section monitoring background block errors ratio (BBER-SM)
• es-pm-fe—Far-end path monitoring errored seconds (ES-PM)
• es-pm-ne—Near-end path monitoring errored seconds (ES-PM)
• es-sm-fe—Far-end section monitoring errored seconds (ES-SM)
• es-sm-ne—Near-end section monitoring errored seconds (ES-SM)
• esr-pm-fe—Far-end path monitoring errored seconds ratio (ESR-PM)
• esr-pm-ne—Near-end path monitoring errored seconds ratio (ESR-PM)
• esr-sm-fe—Far-end section monitoring errored seconds ratio (ESR-SM)
• esr-sm-ne—Near-end section monitoring errored seconds ratio (ESR-SM)
• fc-pm-fe—Far-end path monitoring failure counts (FC-PM)
• fc-pm-ne—Near-end path monitoring failure counts (FC-PM)
• fc-sm-fe—Far-end section monitoring failure counts (FC-SM)
• fc-sm-ne—Near-end section monitoring failure counts (FC-SM)
• ses-pm-fe—Far-end path monitoring severely errored seconds (SES-PM)
• ses-pm-ne—Near-end path monitoring severely errored seconds (SES-PM)
• ses-sm-fe—Far-end section monitoring severely errored seconds (SES-SM)
• ses-sm-ne—Near-end section monitoring severely errored seconds (SES-SM)
• sesr-pm-fe—Far-end path monitoring severely errored seconds ratio (SESR-PM)
• sesr-pm-ne—Near-end path monitoring severely errored seconds ratio (SESR-PM)
• sesr-sm-fe—Far-end section monitoring severely errored seconds ratio (SESR-SM)
• sesr-sm-ne—Near-end section monitoring severely errored seconds ratio (SESR-SM)
• uas-pm-fe—Far-end path monitoring unavailable seconds (UAS-PM)
• uas-pm-ne—Near-end path monitoring unavailable seconds (UAS-PM)
• uas-sm-fe—Far-end section monitoring unavailable seconds (UAS-SM)
• uas-sm-ne—Near-end section monitoring unavailable seconds (UAS-SM)
Step 6 pm {15-min | 24-hour} fec report {ec-bits | uc-words} enable
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min fec report ec-bits enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min fec report uc-words enable
Configures threshold crossing alert (TCA) generation for specific parameters on the FEC layer.
Step 7 pm {15-min | 24-hour} optics report {lbc | opr | opt} {max-tca | min-tca} enable
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report opt max-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report lbc min-tca enable
Configures TCA generation for specific parameters on the optics layer.
Step 8 pm {15-min | 24-hour} otn report otn-parameter enable
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min otn report bbe-pm-ne enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min otn report es-sm-fe enable
Configures TCA generation for specific parameters on the optical transport network (OTN) layer. OTN parameters are shown in Step 5.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# end
or
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring IPoDWDM
This section provides the following configuration procedures:
• Configuring the Optical Layer DWDM Ports, page 457
• Configuring the Administrative State of DWDM Optical Ports, page 459
• Configuring Proactive FEC-FRR Triggering, page 461
Configuring the Optical Layer DWDM Ports
Use the following procedure to configure the Optical Layer DWDM ports.
SUMMARY STEPS
1. configure
2. controller dwdm interface-path-id
3. network port id id-number
4. network connection id id-number
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:Router# config
Enters global configuration mode.
Step 2 controller dwdm interface-path-id
Example:
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/1
Specifies the DWDM controller and enters DWDM controller mode.
Step 3 network port id id-number
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# network port id 1/0/1/1
Assigns an identifier number to a port for the Multi Service Transport Protocol (MSTP).
Step 4 network connection id id-number
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# network connection id 1/1/1/1
Configures a connection identifier for the Multi Service Transport Protocol (MSTP).
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# end
or
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Administrative State of DWDM Optical Ports
Use the following procedure to configure the administrative state and optionally set the maintenance
embargo flag.
SUMMARY STEPS
1. configure
2. controller dwdm interface-path-id
3. admin-state {in-service | maintenance | out-of-service}
4. exit
5. interface tengige interface-path-id
6. maintenance disable
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:Router# config
Enters global configuration mode.
Step 2 controller dwdm interface-path-id
Example:
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/1
Specifies the DWDM controller and enters DWDM controller mode.
Step 3 admin-state {in-service | maintenance | out-of-service}
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# admin-state maintenance
Specifies the transport administration state.
Step 4 exit
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# exit
Exits to the previous mode.
Step 5 interface pos interface-path-id
or
interface tengige interface-path-id
Example:
RP/0/RSP0/CPU0:Router(config)# interface pos 1/0/1/1
or
RP/0/RSP0/CPU0:Router(config)# interface tengige 1/0/1/1
Specifies the interface and enters interface configuration mode.
Step 6 maintenance disable
Example:
RP/0/RSP0/CPU0:Router(config-if)# maintenance disable
Provisions the maintenance embargo flag, which prevents maintenance activities from being performed on an interface.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:Router(config-if)# end
or
RP/0/RSP0/CPU0:Router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring Proactive FEC-FRR Triggering
Use the following procedure to configure automatic triggering of Forward Error Correction-Fast
Re-Route (FEC-FRR).
SUMMARY STEPS
1. configure
2. controller dwdm interface-path-id
3. proactive
4. logging signal file-name
5. proactive trigger threshold x-coefficient y-power
6. proactive trigger window window
7. proactive revert threshold x-coefficient y-power
8. proactive revert window window
9. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:Router# config
Enters global configuration mode.
Step 2 controller dwdm interface-path-id
Example:
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/1
Specifies the DWDM controller and enters DWDM controller mode.
Step 3 proactive
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive enable
Enables automatic triggering of FEC-FRR.
Step 4 logging signal file-name
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# logging signal LogFile1
Enables 10 millisecond proactive monitoring of FEC-FRR.
Step 5 proactive trigger threshold x-coefficient y-power
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive trigger threshold 1 9
Configures the trigger threshold of FEC-FRR in the form of xE-y.
Step 6 proactive trigger window window
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive trigger window 10000
Configures the trigger window (in milliseconds) in which FRR may be triggered.
Step 7 proactive revert threshold x-coefficient y-power
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive revert threshold 1 9
Configures the revert threshold (in the form of xE-y) to trigger reverting from the FEC-FRR route back to the original route.
Step 8 proactive revert window window
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive revert window 600000
Configures the revert window in which reverting from the FEC-FRR route back to the original route is triggered.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:Router(config-dwdm)# end
or
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuration Examples
This section includes the following examples:
• Turning On the Laser: Example, page 463
• Turning Off the Laser: Example, page 464
• DWDM Controller Configuration: Examples, page 464
• DWDM Performance Monitoring: Examples, page 464
• IPoDWDM Configuration: Examples, page 465
Turning On the Laser: Example
Note This is a required configuration. The DWDM cards will not operate without this configuration.
The following example shows how to turn on the laser and place a DWDM port in In Service (IS) state:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:Router(config)# controller dwdm 0/1/0/1
RP/0/RP0/CPU0:Router(config-dwdm)# admin-state in-service
RP/0/RP0/CPU0:Router(config-dwdm)# commit
Turning Off the Laser: Example
The following example shows how to turn off the laser, stop all traffic and place a DWDM port in Out
of Service (OOS) state:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:Router(config)# controller dwdm 0/1/0/1
RP/0/RP0/CPU0:Router(config-dwdm)# admin-state out-of-service
RP/0/RP0/CPU0:Router(config-dwdm)# commit
DWDM Controller Configuration: Examples
The following example shows how to customize the alarm display and the thresholds for alerts and
forward error correction (FEC):
RP/0/RSP0/CPU0:Router# configure
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/0
RP/0/RSP0/CPU0:Router(config-dwdm)# maintenance out-of-service
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
RP/0/RSP0/CPU0:Router(config-dwdm)# g709 disable
RP/0/RSP0/CPU0:Router(config-dwdm)# loopback internal
RP/0/RSP0/CPU0:Router(config-dwdm)# g709 fec standard
RP/0/RSP0/CPU0:Router(config-dwdm)# g709 odu bdi disable
RP/0/RSP0/CPU0:Router(config-dwdm)# maintenance in-service
RP/0/RSP0/CPU0:Router(config-dwdm)# commit
DWDM Performance Monitoring: Examples
The following example shows how to configure performance monitoring for the optics parameters and
how to display the configuration and current statistics:
RP/0/RSP0/CPU0:Router# configure
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/2/0/0
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold opt max 2000000
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold opt min 200
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold lbc max 3000000
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold lbc min 300
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold opr max 4000000
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics threshold opr min 400
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report opt max-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report opt min-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report opr max-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report opr min-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report lbc max-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# pm 15-min optics report lbc min-tca enable
RP/0/RSP0/CPU0:Router(config-dwdm)# exit
RP/0/RSP0/CPU0:Router(config)# exit
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:y
LC/0/2/CPU0:Jul 12 04:10:47.252 : plim_4p_10ge_dwdm[194]: %L1-PMENGINE-4-TCA : Port DWDM
0/2/0/0 reports OPTICS TX-PWR-MIN(NE) PM TCA with current value 0, threshold 200 in
current 15-min interval window
LC/0/2/CPU0:Jul 12 04:10:47.255 : plim_4p_10ge_dwdm[194]: %L1-PMENGINE-4-TCA : Port DWDM
0/2/0/0 reports OPTICS RX-PWR-MIN(NE) PM TCA with current value 68, threshold 400 in
current 15-min interval window
RP/0/RP1/CPU0:Jul 12 04:09:05.443 : config[65678]: %MGBL-CONFIG-6-DB_COMMIT :
Configuration committed by user 'lab'. Use 'show configuration commit changes 1000000001'
to view the changes.
RP/0/RP1/CPU0:Jul 12 04:09:05.604 : config[65678]: %MGBL-SYS-5-CONFIG_I : Configured from
console by lab
RP/0/RSP0/CPU0:Router# show controllers dwdm 0/2/0/0 pm interval 15-min optics 0
Optics in the current interval [ 4:15:00 - 04:26:02 Wed Jul 12 2006]
MIN AVG MAX Threshold TCA Threshold TCA
(min) (enable) (max) (enable)
LBC[mA ] : 3605 4948 6453 300 YES 3000000 YES
OPT[uW] : 2593 2593 2593 200 YES 2000000 YES
OPR[uW] : 69 69 70 400 YES 4000000 YES
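The two artifacts in the example above, the %L1-PMENGINE-4-TCA syslog message and the optics table from show controllers dwdm ... pm interval, are what a monitoring pipeline actually consumes, so it is worth seeing them parsed and cross-checked. The following Python is an added illustration and not Cisco code: the sample text is the page's own output re-joined onto single lines, and the mapping of the syslog parameter names TX-PWR and RX-PWR to the table rows OPT and OPR is inferred from that sample and is an assumption.

```python
"""Parsers for the PM TCA syslog line and the 'pm interval ... optics' table
(added illustration, not Cisco code).  Sample text is the page's own output,
re-joined onto single lines."""
import re

TCA_RE = re.compile(
    r"^(?P<node>[^:]+):(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) : (?P<proc>\S+): "
    r"%L1-PMENGINE-4-TCA : Port DWDM (?P<port>\S+) reports (?P<layer>\w+) "
    r"(?P<param>\S+) PM TCA with current value (?P<value>-?\d+), "
    r"threshold (?P<threshold>-?\d+) in current (?P<period>15-min|24-hour) interval window$"
)

ROW_RE = re.compile(
    r"^(?P<param>[A-Z]+)\[(?P<unit>[^\]]*)\]\s*:\s*(?P<min>\d+)\s+(?P<avg>\d+)\s+(?P<max>\d+)"
    r"\s+(?P<thr_min>\d+)\s+(?P<tca_min>YES|NO)\s+(?P<thr_max>\d+)\s+(?P<tca_max>YES|NO)\s*$"
)

# Assumption inferred from the sample: syslog names map to table rows this way.
SYSLOG_TO_ROW = {"TX-PWR": "OPT", "RX-PWR": "OPR", "LBC": "LBC"}

SAMPLE_SYSLOG = """\
LC/0/2/CPU0:Jul 12 04:10:47.252 : plim_4p_10ge_dwdm[194]: %L1-PMENGINE-4-TCA : Port DWDM 0/2/0/0 reports OPTICS TX-PWR-MIN(NE) PM TCA with current value 0, threshold 200 in current 15-min interval window
LC/0/2/CPU0:Jul 12 04:10:47.255 : plim_4p_10ge_dwdm[194]: %L1-PMENGINE-4-TCA : Port DWDM 0/2/0/0 reports OPTICS RX-PWR-MIN(NE) PM TCA with current value 68, threshold 400 in current 15-min interval window
RP/0/RP1/CPU0:Jul 12 04:09:05.604 : config[65678]: %MGBL-SYS-5-CONFIG_I : Configured from console by lab
"""

SAMPLE_SHOW = """\
Optics in the current interval [ 4:15:00 - 04:26:02 Wed Jul 12 2006]
                 MIN   AVG   MAX  Threshold  TCA      Threshold  TCA
                                  (min)      (enable) (max)      (enable)
LBC[mA ] :      3605  4948  6453  300        YES      3000000    YES
OPT[uW]  :      2593  2593  2593  200        YES      2000000    YES
OPR[uW]  :        69    69    70  400        YES      4000000    YES
"""


def parse_tca(line):
    """Fields of one PM TCA syslog line as a dict, or None for any other line."""
    m = TCA_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["value"], d["threshold"] = int(d["value"]), int(d["threshold"])
    return d


def parse_pm_interval(text):
    """Per-parameter rows of 'show controllers dwdm <id> pm interval ... optics'."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("min", "avg", "max", "thr_min", "thr_max"):
                d[k] = int(d[k])
            d["tca_min"], d["tca_max"] = d["tca_min"] == "YES", d["tca_max"] == "YES"
            rows.append(d)
    return rows


def find_breaches(rows):
    """(param, 'min'|'max') for rows that crossed a threshold with TCA reporting enabled."""
    out = []
    for r in rows:
        if r["tca_min"] and r["min"] < r["thr_min"]:
            out.append((r["param"], "min"))
        if r["tca_max"] and r["max"] >= r["thr_max"]:
            out.append((r["param"], "max"))
    return out


def corroborate(tcas, rows):
    """Pair each syslog TCA with the table row that shows the same threshold breached."""
    by_param = {r["param"]: r for r in rows}
    pairs = []
    for t in tcas:
        name = t["param"].split("-MIN")[0].split("-MAX")[0]   # 'RX-PWR-MIN(NE)' -> 'RX-PWR'
        row = by_param.get(SYSLOG_TO_ROW.get(name))
        if row is None:
            continue
        if "-MIN" in t["param"] and row["thr_min"] == t["threshold"] and row["min"] < row["thr_min"]:
            pairs.append((t["param"], row["param"]))
        elif "-MAX" in t["param"] and row["thr_max"] == t["threshold"] and row["max"] >= row["thr_max"]:
            pairs.append((t["param"], row["param"]))
    return pairs


if __name__ == "__main__":
    tcas = [t for t in map(parse_tca, SAMPLE_SYSLOG.splitlines()) if t]
    rows = parse_pm_interval(SAMPLE_SHOW)
    print("syslog TCAs:", [(t["port"], t["param"], t["value"], t["threshold"]) for t in tcas])
    print("table breaches:", find_breaches(rows))
    print("corroborated:", corroborate(tcas, rows))
```

On the page's own data only the RX-PWR-MIN alert is corroborated by the table: the TX-PWR-MIN alert was raised at 04:10, in the interval before the one the table shows (which starts at 04:15), and OPT's minimum of 2593 uW in that later interval is above its 200 threshold. A correlation rule therefore has to compare interval start times, not just parameter names.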
IPoDWDM Configuration: Examples
This section includes the following examples:
• Optical Layer DWDM Port Configuration: Examples, page 465
• Administrative State of DWDM Optical Ports Configuration: Examples, page 465
• Proactive FEC-FRR Triggering Configuration: Examples, page 466
Optical Layer DWDM Port Configuration: Examples
The following example shows how to configure Optical Layer DWDM ports.
RP/0/RSP0/CPU0:Router# configure
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/1
RP/0/RSP0/CPU0:Router(config-dwdm)# network port id 1/0/1/1
RP/0/RSP0/CPU0:Router(config-dwdm)# network connection id 1/1/1/1
Administrative State of DWDM Optical Ports Configuration: Examples
The following examples show how to configure the administrative state and optionally set the
maintenance embargo flag:
RP/0/RSP0/CPU0:Router# configure
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/1
RP/0/RSP0/CPU0:Router(config-dwdm)# admin-state in-service
RP/0/RSP0/CPU0:Router(config-dwdm)# exit
RP/0/RSP0/CPU0:Router(config)# interface tengige 1/0/1/1
RP/0/RSP0/CPU0:Router(config-if)# maintenance disable
RP/0/RSP0/CPU0:Router(config-if)# commit
Proactive FEC-FRR Triggering Configuration: Examples
The following example shows how to configure automatic triggering of Forward Error Correction-Fast
Re-Route (FEC-FRR):
RP/0/RSP0/CPU0:Router# configure
RP/0/RSP0/CPU0:Router(config)# controller dwdm 0/1/0/1
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive
RP/0/RSP0/CPU0:Router(config-dwdm)# logging signal LogFile1
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive trigger threshold 1 9
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive trigger window 10000
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive revert threshold 1 9
RP/0/RSP0/CPU0:Router(config-dwdm)# proactive revert window 600000
Additional References
The following sections provide references related to DWDM controller configuration.
Related Documents
Related Topic Document Title
Cisco IOS XR master command reference Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands Cisco IOS XR Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a router using Cisco IOS XR software Cisco IOS XR Getting Started Guide
Cisco IOS XR AAA services configuration information Cisco IOS XR System Security Configuration Guide and Cisco IOS XR System Security Command Reference
Standards
Standards Title
ITU-T G.709/Y.1331 Interfaces for the optical transport network (OTN)
MIBs
MIBs MIBs Link
— To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
OTN-MIB IPoDWDM MIB
RFCs
RFCs Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. —
Technical Assistance
Description Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. http://www.cisco.com/techsupport
Configuring POS Interfaces on the Cisco ASR 9000 Series Router
This module describes the configuration of Packet-over-SONET/SDH (POS) interfaces on the
Cisco ASR 9000 Series Aggregation Services Routers.
POS interfaces provide secure and reliable data transmission over SONET and Synchronous Digital
Hierarchy (SDH) frames using Cisco High-Level Data Link Control (HDLC) protocol or Point-to-Point
Protocol (PPP) encapsulation. In addition to Cisco HDLC and PPP encapsulation, the
Cisco ASR 9000 Series Router supports Frame Relay encapsulation.
The commands for configuring Layer 1 POS interfaces are provided in the Cisco IOS XR Interface and
Hardware Component Command Reference.
Feature History for Configuring POS Interfaces on Cisco IOS XR Software
Release Modification
Release 4.0.0 This feature was introduced on the Cisco ASR 9000 Series Router on the following SPAs:
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
• Cisco 1-Port OC-192c/STM-64 POS/RPR XFP SPA
• Cisco 2-Port OC-48c/STM-16 POS/RPR SPA
• Cisco 8-Port OC-12c/STM-4 POS SPA
Release 4.0.1 Support for the following SPAs was added on the Cisco ASR 9000 Series Router:
• Cisco 4-Port OC-3c/STM-1 POS SPA
• Cisco 8-Port OC-3c/STM-1 POS SPA
Contents
• Prerequisites for Configuring POS Interfaces, page 470
• Information About Configuring POS Interfaces, page 470
• How to Configure a POS Interface, page 475
• Configuration Examples for POS Interfaces, page 494
• Additional References, page 496
Prerequisites for Configuring POS Interfaces
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring POS interfaces, be sure that the following conditions are met:
• You know the IP address of the interface you will assign to the new POS interface configuration.
• You have configured a clear channel or channelized SONET controller, as described in the
“Configuring Clear Channel SONET Controllers on the Cisco ASR 9000 Series Router” or
“Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router” modules.
Information About Configuring POS Interfaces
To configure POS interfaces, you must understand the following concepts:
• Cisco HDLC Encapsulation, page 471
• PPP Encapsulation, page 471
• Keepalive Timer, page 472
• Frame Relay Encapsulation, page 473
• Default Settings for POS Interfaces, page 470
On the Cisco ASR 9000 Series Router, a single POS interface carries data using PPP, Cisco HDLC, or
Frame Relay encapsulation.
The router identifies the POS interface address by the physical layer interface module (PLIM) card rack
number, slot number, bay number, and port number that are associated with that interface. If a
subinterface and permanent virtual circuits (PVCs) are configured under the POS interface, then the
router includes the subinterface number in the POS interface path ID.
Default Settings for POS Interfaces
When a POS interface is brought up and no additional configuration commands are applied, the default
interface settings shown in Table 13 are present. These default settings can be changed by configuration.
Note Default settings do not appear in the output of the show running-config command.
Table 13 POS Modular Services Card and PLIM Default Interface Settings
Parameter: Keepalive
Configuration file entry: keepalive {interval [retry] | disable} or no keepalive
Default settings: interval of 10 seconds; retry of 5 (with PPP encapsulation) or 3 (with HDLC encapsulation)
Note The keepalive command applies to POS interfaces using HDLC or PPP encapsulation. It does not apply to POS interfaces using Frame Relay encapsulation.
Parameter: Encapsulation
Configuration file entry: encapsulation [hdlc | ppp | frame-relay [IETF]]
Default settings: hdlc
Parameter: Maximum transmission unit (MTU)
Configuration file entry: mtu bytes
Default settings: 4474 bytes
Parameter: Cyclic redundancy check (CRC)
Configuration file entry: crc [16 | 32]
Default settings: 32
Cisco HDLC Encapsulation
Cisco High-Level Data Link Controller (HDLC) is the Cisco proprietary protocol for sending data over
synchronous serial links using HDLC. Cisco HDLC also provides a simple control protocol called Serial
Line Address Resolution Protocol (SLARP) to maintain serial link keepalives. HDLC is the default
encapsulation type for POS interfaces under Cisco IOS XR software. Cisco HDLC is the default for data
encapsulation at Layer 2 (data link) of the Open System Interconnection (OSI) stack for efficient packet
delineation and error control.
Note Cisco HDLC is enabled by default for POS interfaces.
Cisco HDLC uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on
page 472.
PPP Encapsulation
PPP is a standard protocol used to send data over synchronous serial links. PPP also provides a Link
Control Protocol (LCP) for negotiating properties of the link. LCP uses echo requests and responses to
monitor the continuing availability of the link.
Note When an interface is configured with PPP encapsulation, a link is declared down, and full LCP
negotiation is re-initiated after three ECHOREQ packets are sent without receiving an ECHOREP
response.
PPP provides the following Network Control Protocols (NCPs) for negotiating the properties of data
protocols that run on the link:
• IP Control Protocol (IPCP)—negotiates IP properties
• Multiprotocol Label Switching control processor (MPLSCP)—negotiates MPLS properties
• Cisco Discovery Protocol control processor (CDPCP)—negotiates CDP properties
• IPv6CP—negotiates IP Version 6 (IPv6) properties
• Open Systems Interconnection control processor (OSICP)—negotiates OSI properties
PPP uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on page 472.
PPP supports the following authentication protocols, which require a remote device to prove its identity
before allowing data traffic to flow over a connection:
• Challenge Handshake Authentication Protocol (CHAP)—CHAP authentication sends a challenge
message to the remote device. The remote device encrypts the challenge value with a shared secret
and returns the encrypted value and its name to the local router in a response message. The local
router attempts to match the remote device’s name with an associated secret stored in the local
username or remote security server database; it uses the stored secret to encrypt the original
challenge and verify that the encrypted values match.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)—MS-CHAP is the Microsoft
version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; in
this case, authentication occurs between a personal computer using Microsoft Windows NT or
Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
• Password Authentication Protocol (PAP)—PAP authentication requires the remote device to send a
name and a password, which are checked against a matching entry in the local username database
or in the remote security server database.
Note For more information on enabling and configuring PPP authentication protocols, see the “Configuring
PPP on the Cisco ASR 9000 Series Router” module later in this manual.
Use the ppp authentication command in interface configuration mode to enable CHAP, MS-CHAP, and
PAP on a POS interface.
Note Enabling or disabling PPP authentication does not affect the local router’s willingness to authenticate
itself to the remote device.
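As an added illustration of the CHAP and PAP exchanges described above (example code written for this page, not part of this guide or of Cisco IOS XR): the CHAP response is computed as RFC 1994 specifies, an MD5 hash over the identifier, the shared secret and the challenge, so the secret itself never crosses the link and a response captured for one challenge is useless against the next; PAP, by contrast, sends the name and password as-is. The username database, the secret and the device name are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the local username database (or a remote security
# server): remote device name -> shared secret. Both values are invented.
LOCAL_USERNAMES = {"peer-router": b"s3cret-shared-key"}


def chap_challenge(length: int = 16) -> bytes:
    """Challenger side: a fresh, unpredictable challenge for every attempt."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The shared secret only ever enters the hash; it is never sent on the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, name: str) -> bool:
    """Local router: look up the secret stored for the name the peer sent, recompute
    the expected value over the original challenge and compare in constant time."""
    secret: Optional[bytes] = LOCAL_USERNAMES.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap_exchange(peer_name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """Both sides of one CHAP authentication, as described in the text."""
    challenge = chap_challenge()                                   # local -> remote: Challenge
    response = chap_response(identifier, peer_secret, challenge)   # remote -> local: Response + name
    return chap_verify(identifier, challenge, response, peer_name)


def replayed_response_is_rejected(peer_name: str, peer_secret: bytes) -> bool:
    """A response captured for one challenge does not verify against the next
    one, which is why the challenge must be fresh for every authentication."""
    captured = chap_response(7, peer_secret, chap_challenge())
    return not chap_verify(7, chap_challenge(), captured, peer_name)


def pap_verify(name: str, password: bytes) -> bool:
    """PAP: the remote device sends name and password as-is and they are checked
    against the database. Nothing in PAP protects the password on the link."""
    secret = LOCAL_USERNAMES.get(name)
    return secret is not None and hmac.compare_digest(secret, password)
```

The constant-time comparison (hmac.compare_digest) is the one detail worth carrying into any real verifier; the rest follows the three sentences of the CHAP bullet above step by step.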
Keepalive Timer
Cisco keepalives are useful for monitoring the link state. Periodic keepalives are sent to and received
from the peer at a frequency determined by the value of the keepalive timer. If an acceptable keepalive
response is not received from the peer, the link makes the transition to the down state. As soon as an
acceptable keepalive response is obtained from the peer or if keepalives are disabled, the link makes the
transition to the up state.
If three keepalives are sent to the peer and no response is received from the peer, then the link makes the
transition to the down state. ECHOREQ packets are sent out only when LCP negotiation is complete (that
is, when LCP is open).
Note The keepalive command applies to POS interfaces using HDLC or PPP encapsulation. It does not apply
to POS interfaces using Frame Relay encapsulation.
Use the keepalive command in interface configuration mode to set the frequency at which LCP sends
ECHOREQ packets to its peer. To restore the system to the default keepalive interval of 10 seconds, use
the keepalive command with no argument. To disable keepalives, use the keepalive disable command.
For both PPP and Cisco HDLC, a keepalive of 0 disables keepalives and is reported in the show
running-config command output as keepalive disable.
To remove the keepalive command from the configuration entirely, use the no keepalive command. You
must remove the keepalive command from an interface configuration before you can configure Frame
Relay encapsulation on that interface. Frame Relay interfaces do not support keepalives.
Note During MDR, the keepalive interval must be 10 seconds or more.
When LCP is running on the peer and receives an ECHOREQ packet, it responds with an echo reply
(ECHOREP) packet, regardless of whether keepalives are enabled on the peer.
Keepalives are independent between the two peers. One peer end can have keepalives enabled while the
other end has them disabled. Even if keepalives are disabled locally, LCP still responds with ECHOREP
packets to the ECHOREQ packets it receives. Similarly, LCP also works if the period of keepalives at
each end is different.
Note Use the debug chdlc slarp packet command and other Cisco HDLC debug commands to display
information about the Serial Line Address Resolution Protocol (SLARP) packets that are sent to the peer
after the keepalive timer has been configured.
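The keepalive behaviour described in this section, modelled as an added example that is not part of this guide: two peers with independent keepalive settings, ECHOREQ sent every interval seconds once LCP is open, the link declared down after retry unanswered requests (3 for HDLC, 5 for PPP, the Table 13 defaults, both overridable as with keepalive seconds [retry-count]), and brought back up on the next acceptable reply or as soon as keepalives are disabled locally. The peer answers ECHOREQ with ECHOREP whenever its LCP is open, even with its own keepalives disabled. The Peer class, the reachable fault switch and the timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_INTERVAL = 10                    # seconds between keepalives (Table 13)
DEFAULT_RETRY = {"hdlc": 3, "ppp": 5}    # unanswered keepalives before link down (Table 13)


@dataclass
class Peer:
    name: str
    encapsulation: str = "hdlc"
    interval: int = DEFAULT_INTERVAL     # 0 models keepalive disable / keepalive 0
    retry: Optional[int] = None
    lcp_open: bool = True                # ECHOREQ is sent and answered only once LCP is open
    reachable: bool = True               # constructed fault switch: do this peer's replies arrive?
    link_up: bool = True
    missed: int = 0

    def __post_init__(self) -> None:
        if self.retry is None:
            self.retry = DEFAULT_RETRY[self.encapsulation]

    def answer_echo_request(self) -> bool:
        """LCP replies with ECHOREP whenever it is open, regardless of this peer's
        own keepalive setting; False models a reply that never arrives."""
        return self.lcp_open and self.reachable


def run_keepalives(local: Peer, remote: Peer, start: int, seconds: int) -> List[Tuple[int, str]]:
    """Advance the clock one second per tick and return the link-state transitions
    seen on `local`, each as (time, reason)."""
    events: List[Tuple[int, str]] = []
    for t in range(start + 1, start + seconds + 1):
        if local.interval == 0:
            # keepalives disabled: the link goes to the up state right away
            if not local.link_up:
                local.link_up = True
                events.append((t, "up: keepalives disabled"))
            continue
        if t % local.interval or not local.lcp_open:
            continue                      # not a keepalive tick, or LCP not open yet
        if remote.answer_echo_request():
            local.missed = 0
            if not local.link_up:
                local.link_up = True
                events.append((t, "up: ECHOREP received"))
        else:
            local.missed += 1
            if local.link_up and local.missed >= local.retry:
                local.link_up = False
                events.append((t, f"down: {local.missed} ECHOREQ unanswered"))
    return events


def scenario(encapsulation: str) -> List[Tuple[int, str]]:
    """Peer A keeps the defaults; peer B has keepalives disabled but still answers.
    B's replies stop arriving at t=60 and resume at t=120."""
    a = Peer("A", encapsulation)
    b = Peer("B", encapsulation, interval=0)
    events = run_keepalives(a, b, 0, 60)       # healthy link: no transitions
    b.reachable = False
    events += run_keepalives(a, b, 60, 60)     # down after `retry` unanswered ECHOREQs
    b.reachable = True
    events += run_keepalives(a, b, 120, 10)    # next ECHOREP brings the link back up
    return events


def disabling_keepalives_brings_link_up() -> bool:
    """A link that is down for missed keepalives comes up once keepalives are disabled."""
    a, b = Peer("A", "hdlc"), Peer("B", "hdlc", reachable=False)
    run_keepalives(a, b, 0, 30)                # misses at 10, 20, 30 -> down
    was_down = not a.link_up
    a.interval = 0                             # keepalive disable on A
    run_keepalives(a, b, 30, 1)
    return was_down and a.link_up
```

With the HDLC defaults the link drops at t=90 (misses at 70, 80 and 90) and returns at t=130; with PPP the fifth miss at t=110 is what takes it down. Note that B never has keepalives enabled in either run, yet its replies are what keep A's link up.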
Frame Relay Encapsulation
On the Cisco ASR 9000 Series Router, Frame Relay encapsulated POS interface configuration is
hierarchical and comprises the following elements:
1. The POS main interface is comprised of the physical interface and port. If you are not using the POS
interface to support Cisco HDLC and PPP encapsulated connections, then you must configure
subinterfaces with PVCs under the POS main interface. Frame Relay connections are supported on
PVCs only.
2. POS subinterfaces are configured under the POS main interface. A POS subinterface does not
actively carry traffic until you configure a PVC under the POS subinterface.
3. Point-to-point and Layer 2 attachment circuit (AC) PVCs are configured under a POS subinterface.
You cannot configure a PVC directly under a main interface. A single point-to-point or L2 AC PVC
is allowed per subinterface. PVCs use a predefined circuit path and fail if the path is interrupted.
PVCs remain active until the circuit is removed. Connections on the POS PVC support Frame Relay
encapsulation only.
4. Layer 3 configuration typically takes place on the subinterface.
Note The administrative state of a parent interface drives the state of the subinterface and its PVC. When the
administrative state of a parent interface or subinterface changes, so does the administrative state of any
child PVC configured under that parent interface or subinterface.
On the Cisco ASR 9000 Series Router, the following SPAs support Frame Relay encapsulation:
• Cisco 4-Port OC-3c/STM-1 POS SPA
• Cisco 8-Port OC-3c/STM-1 POS SPA
• Cisco 1-Port OC-192c/STM-64 POS/RPR XFP SPA
• Cisco 2-Port OC-48c/STM-16 POS/RPR SPA
• Cisco 8-Port OC-12c/STM-4 POS SPA
To configure Frame Relay encapsulation on POS interfaces, use the encapsulation frame-relay
command.
Frame Relay interfaces support two types of encapsulated frames:
• Cisco (this is the default)
• IETF
Use the encap command in PVC configuration mode to configure Cisco or IETF encapsulation on a
PVC. If the encapsulation type is not configured explicitly for a PVC, then that PVC inherits the
encapsulation type from the main POS interface.
Note Cisco encapsulation is required on POS main interfaces that are configured for MPLS. IETF
encapsulation is not supported for MPLS.
Before you configure Frame Relay encapsulation on an interface, you must verify that all prior Layer 3
configuration is removed from that interface. For example, you must ensure that there is no IP address
configured directly under the main interface; otherwise, any Frame Relay configuration done under the
main interface will not be viable.
LMI on Frame Relay Interfaces
The Local Management Interface (LMI) protocol monitors the addition, deletion, and status of PVCs.
LMI also verifies the integrity of the link that forms a Frame Relay UNI interface. By default, cisco LMI
is enabled on all PVCs. However, you can modify the default LMI type to be ANSI or Q.933, as
described in the “Modifying the Default Frame Relay Configuration on an Interface” module later in this
manual.
If the LMI type is cisco (the default LMI type), the maximum number of PVCs that can be supported
under a single interface is related to the MTU size of the main interface. Use the following formula to
calculate the maximum number of PVCs supported on a card or SPA:
(MTU - 13)/8 = maximum number of PVCs
Note The default setting of the mtu command for a POS interface is 4474 bytes. Therefore, the default
number of PVCs supported on a POS interface configured with cisco LMI is 557.
Note You must configure the LMI interface type on Frame Relay interfaces; otherwise, the POS interface does
not come up. For connections between Provider Edge (PE) and Customer Edge (CE) routers, the PE end
must be DCE and the CE end must be DTE for LMI to come up. For more information about configuring
the LMI interface type on a Frame Relay interface, see the “Configuring Frame Relay on the
Cisco ASR 9000 Series Router” module.
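As an added check for the Frame Relay rules stated in this section and in the POS subinterface and PVC procedures that follow (example code written for this page, not part of this guide or of Cisco IOS XR): a small linter that parses the interface blocks of an IOS XR running configuration and flags the documented constraints: no ipv4 address and no keepalive command left on a Frame Relay main interface, PVCs only under subinterfaces of a Frame Relay main interface and only one per subinterface, DLCI in the range 16 to 1007, subinterface ID in the range 1 to 4294967295, MTU in the range 64 to 9216, and the cisco LMI limit of (MTU - 13)/8 PVCs per main interface. The two configurations are constructed in running-configuration form (addresses with a mask rather than the /prefix typed at the CLI); interface names, addresses and DLCIs are invented.

```python
import re
from typing import Dict, List, Tuple

MTU_RANGE, DEFAULT_MTU = (64, 9216), 4474              # POS MTU range and default (this module)
DLCI_RANGE, SUBIF_RANGE = (16, 1007), (1, 4294967295)  # pvc dlci and subinterface ID ranges


def max_pvcs(mtu: int) -> int:
    """cisco LMI limit from this module: (MTU - 13)/8, so the default 4474 gives 557."""
    return (mtu - 13) // 8


def parse_interfaces(config_text: str) -> Dict[str, dict]:
    """Minimal parser for the indented 'interface ... / !' blocks of an IOS XR
    running configuration: name -> {"lines": [...], "pvcs": [{"dlci", "lines"}]}."""
    interfaces: Dict[str, dict] = {}
    current = pvc = None
    for raw in config_text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if not line:
            continue
        if line == "!":                          # block terminator at its nesting level
            pvc, current = None, (None if indent == 0 else current)
        elif indent == 0:
            m = re.match(r"interface (\S+)", line)
            current = interfaces.setdefault(m.group(1), {"lines": [], "pvcs": []}) if m else None
        elif current is not None:
            m = re.match(r"pvc (\d+)$", line)
            if m and indent == 1:                # pvc dlci under the current interface
                pvc = {"dlci": int(m.group(1)), "lines": []}
                current["pvcs"].append(pvc)
            elif pvc is not None and indent >= 2:
                pvc["lines"].append(line)        # e.g. encap ietf, service-policy ...
            else:
                current["lines"].append(line)
    return interfaces


def lint_pos_config(config_text: str) -> List[Tuple[str, str]]:
    """Apply the Frame Relay rules stated in this module; returns (code, where) pairs."""
    ifaces = parse_interfaces(config_text)
    findings: List[Tuple[str, str]] = []

    def has(iface: dict, prefix: str) -> bool:
        return any(l.startswith(prefix) for l in iface["lines"])

    for name, iface in ifaces.items():
        if not name.upper().startswith("POS"):
            continue
        main_name, _, subid = name.partition(".")
        if not subid:                            # main interface
            fr = has(iface, "encapsulation frame-relay")
            if fr and has(iface, "ipv4 address"):
                findings.append(("IP_ON_FR_MAIN", name))       # no Layer 3 under the FR main
            if fr and has(iface, "keepalive"):
                findings.append(("KEEPALIVE_WITH_FR", name))   # keepalive must be removed first
            if iface["pvcs"]:
                findings.append(("PVC_ON_MAIN", name))         # PVCs belong under subinterfaces
            mtu = DEFAULT_MTU
            for l in iface["lines"]:
                m = re.match(r"mtu (\d+)$", l)
                mtu = int(m.group(1)) if m else mtu
            if not MTU_RANGE[0] <= mtu <= MTU_RANGE[1]:
                findings.append(("MTU_RANGE", name))
            sub_pvcs = sum(len(i["pvcs"]) for n, i in ifaces.items()
                           if n != name and n.partition(".")[0] == name)
            if sub_pvcs > max_pvcs(mtu):
                findings.append(("PVC_LIMIT", name))           # more PVCs than cisco LMI can carry
        else:                                    # subinterface
            if not subid.isdigit() or not SUBIF_RANGE[0] <= int(subid) <= SUBIF_RANGE[1]:
                findings.append(("SUBIF_ID_RANGE", name))
            parent = ifaces.get(main_name)
            if parent is None or not has(parent, "encapsulation frame-relay"):
                findings.append(("SUBIF_WITHOUT_FR", name))    # subinterfaces need FR on the main
            if len(iface["pvcs"]) > 1:
                findings.append(("MULTIPLE_PVC", name))
            for p in iface["pvcs"]:
                if not DLCI_RANGE[0] <= p["dlci"] <= DLCI_RANGE[1]:
                    findings.append(("DLCI_RANGE", f"{name} pvc {p['dlci']}"))
    return findings


# Constructed configurations in running-config form; names and addresses are invented.
GOOD_CONFIG = """\
interface POS0/3/0/0
 encapsulation frame-relay
 mtu 4474
!
interface POS0/3/0/0.1 point-to-point
 ipv4 address 10.46.8.6 255.255.255.0
 pvc 20
  encap ietf
 !
!
"""
BAD_CONFIG = """\
interface POS0/3/0/1
 encapsulation frame-relay
 ipv4 address 10.46.9.1 255.255.255.0
 keepalive 10
 mtu 20
 pvc 30
 !
!
interface POS0/3/0/1.1 point-to-point
 pvc 20
 !
 pvc 2000
 !
!
interface POS0/3/0/2
 encapsulation hdlc
!
interface POS0/3/0/2.1 point-to-point
 pvc 40
 !
!
"""
```

Run lint_pos_config over a saved show running-config before committing a Frame Relay change; the good configuration returns no findings, while the bad one reports every rule it breaks, including the PVC limit that an out-of-range MTU of 20 drives to zero.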
How to Configure a POS Interface
This section contains the following procedures:
• Bringing Up a POS Interface, page 475
• Configuring Optional POS Interface Parameters, page 478
• Creating a Point-to-Point POS Subinterface with a PVC, page 480
• Configuring Optional PVC Parameters, page 482
• Modifying the Keepalive Interval on POS Interfaces, page 485
• Creating a Layer 2 Frame Relay Subinterface with a PVC, page 488
Bringing Up a POS Interface
This task describes the commands you can use to bring up a POS interface.
Prerequisites
You must have a POS line card or SPA installed in a router that is running Cisco IOS XR software.
Restrictions
The configuration on both ends of the POS connection must match for the interface to be active.
SUMMARY STEPS
1. show interfaces
2. configure
3. interface pos interface-path-id
4. ipv4 address ipv4_address/prefix
5. no shutdown
6. end
or
commit
7. exit
8. exit
9. Repeat Step 1 through Step 8 to bring up the interface at the other end of the connection.
10. show ipv4 interface brief
11. show interfaces pos interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 show interfaces
Example:
RP/0/RSP0/CPU0:router# show interfaces
(Optional) Displays configured interfaces.
• Use this command to also confirm that the router recognizes the PLIM card.
Step 2 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 3 interface pos interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
Specifies the POS interface name and notation rack/slot/module/port, and enters interface configuration mode.
Step 4 ipv4 address ipv4_address/prefix
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 10.46.8.6/24
Assigns an IP address and subnet mask to the interface.
Note Skip this step if you are configuring Frame Relay encapsulation on this interface. For Frame Relay, the IP address and subnet mask are configured under the subinterface.
Step 5 no shutdown
Example:
RP/0/RSP0/CPU0:router (config-if)# no shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates the forced administrative down on the interface, enabling it to move to an up or down state (assuming the parent SONET layer is not configured administratively down).
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router (config-if)# exit
Exits interface configuration mode and enters global
configuration mode.
Step 8 exit
Example:
RP/0/RSP0/CPU0:router (config)# exit
Exits global configuration mode and enters EXEC mode.
Step 9 show interfaces
configure
interface pos interface-path-id
no shut
exit
exit
commit
Example:
RP/0/RSP0/CPU0:router# show interfaces
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router (config)# interface pos 0/3/0/0
RP/0/RSP0/CPU0:router (config-if)# no shutdown
RP/0/RSP0/CPU0:router (config-if)# commit
RP/0/RSP0/CPU0:router (config-if)# exit
RP/0/RSP0/CPU0:router (config)# exit
Repeat Step 1 through Step 8 to bring up the interface at the other end of the connection.
Note The configuration on both ends of the POS connection must match.
Step 10 show ipv4 interface brief
Example:
RP/0/RSP0/CPU0:router# show ipv4 interface brief
Verifies that the interface is active and properly configured.
If you have brought up a POS interface properly, the “Status” field for that interface in the show ipv4 interface brief command output shows “Up.”
Step 11 show interfaces pos interface-path-id
Example:
RP/0/RSP0/CPU0:router# show interfaces pos 0/3/0/0
(Optional) Displays the interface configuration.
What to Do Next
To modify the default configuration of the POS interface you just brought up, see the “Configuring Optional POS Interface Parameters” section on page 478.
Configuring Optional POS Interface Parameters
This task describes the commands you can use to modify the default configuration on a POS interface.
Prerequisites
Before you modify the default POS interface configuration, you must bring up the POS interface and remove the shutdown configuration, as described in the “Bringing Up a POS Interface” section on page 475.
Restrictions
The configuration on both ends of the POS connection must match for the interface to be active.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id
3. encapsulation [hdlc | ppp | frame-relay [IETF]]
4. pos crc {16 | 32}
5. mtu value
6. end
or
commit
7. exit
8. exit
9. show interfaces pos [interface-path-id]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
Specifies the POS interface name and notation rack/slot/module/port, and enters interface configuration mode.
Step 3 encapsulation [hdlc | ppp | frame-relay [IETF]]
Example:
RP/0/RSP0/CPU0:router(config-if)# encapsulation hdlc
(Optional) Configures the interface encapsulation
parameters and details such as HDLC or PPP.
Note The default encapsulation is hdlc.
Step 4 pos crc {16 | 32}
Example:
RP/0/RSP0/CPU0:router(config-if)# pos crc 32
(Optional) Configures the CRC value for the interface.
Enter the 16 keyword to specify 16-bit CRC mode, or enter
the 32 keyword to specify 32-bit CRC mode.
Note The default CRC is 32.
Step 5 mtu value
Example:
RP/0/RSP0/CPU0:router(config-if)# mtu 4474
(Optional) Configures the MTU value.
• The default value is 4474.
• The POS MTU range is 64–9216.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router (config-if)# exit
Exits interface configuration mode and enters global configuration mode.
Step 8 exit
Example:
RP/0/RSP0/CPU0:router (config)# exit
Exits global configuration mode and enters EXEC mode.
Step 9 show interfaces pos [interface-path-id]
Example:
RP/0/RSP0/CPU0:router# show interface pos 0/3/0/0
(Optional) Displays general information for the specified POS interface.
What to Do Next
• To create a point-to-point Frame Relay subinterface with a PVC on the POS interface you just brought up, see the “Creating a Point-to-Point POS Subinterface with a PVC” section on page 480.
• To configure PPP authentication on POS interfaces where PPP encapsulation is enabled, see the Configuring PPP on the Cisco ASR 9000 Series Router module later in this manual.
• To modify the keepalive interval on POS interfaces that have Cisco HDLC or PPP encapsulation enabled, see the “Modifying the Keepalive Interval on POS Interfaces” section on page 485.
• To modify the default Frame Relay configuration on POS interfaces that have Frame Relay encapsulation enabled, see the “Modifying the Default Frame Relay Configuration on an Interface” section of the Configuring Frame Relay on the Cisco ASR 9000 Series Router module in this manual.
Creating a Point-to-Point POS Subinterface with a PVC
The procedure in this section creates a point-to-point POS subinterface and configures a permanent virtual circuit (PVC) on that POS subinterface.
Note Subinterface and PVC creation is supported on interfaces with Frame Relay encapsulation only.
Prerequisites
Before you can create a subinterface on a POS interface, you must bring up the main POS interface with Frame Relay encapsulation, as described in the “Bringing Up a POS Interface” section on page 475.
Restrictions
Only one PVC can be configured for each point-to-point POS subinterface.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id.subinterface point-to-point
3. ipv4 address ipv4_address/prefix
4. pvc dlci
5. end
or
commit
6. Repeat Step 1 through Step 5 to bring up the POS subinterface and any associated PVC at the other
end of the connection.
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id.subinterface point-to-point
Example:
RP/0/RSP0/CPU0:router (config)# interface pos 0/3/0/0.1 point-to-point
Enters POS subinterface configuration mode.
Replace subinterface with a subinterface ID, in the range from 1 through 4294967295.
Step 3 ipv4 address ipv4_address/prefix
Example:
RP/0/RSP0/CPU0:router (config-subif)# ipv4 address 10.46.8.6/24
Assigns an IP address and subnet mask to the subinterface.
Step 4 pvc dlci
Example:
RP/0/RSP0/CPU0:router (config-subif)# pvc 20
Creates a POS permanent virtual circuit (PVC) and enters
Frame Relay PVC configuration submode.
Replace dlci with a PVC identifier, in the range from 16 to
1007.
Note Only one PVC is allowed per subinterface.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-fr-vc)# end
or
RP/0/RSP0/CPU0:router(config-fr-vc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 6 configure
interface pos interface-path-id.subinterface
pvc dlci
commit
Example:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router (config)# interface pos 0/3/0/1.1
RP/0/RSP0/CPU0:router (config-subif)# ipv4 address 10.46.8.5/24
RP/0/RSP0/CPU0:router (config-subif)# pvc 20
RP/0/RSP0/CPU0:router (config-fr-vc)# commit
Repeat Step 1 through Step 5 to bring up the POS subinterface and any associated PVC at the other end of the connection.
Note The DLCI (or PVC identifier) must match on both ends of the subinterface connection.
Note When assigning an IP address and subnet mask to the subinterface at the other end of the connection, keep in mind that the addresses at both ends of the connection must be in the same subnet.
What to Do Next
• To configure optional PVC parameters, see the “Configuring Optional PVC Parameters” section on page 482.
• To modify the default Frame Relay configuration on POS interfaces that have Frame Relay encapsulation enabled, see the “Modifying the Default Frame Relay Configuration on an Interface” section of the “Configuring Frame Relay on the Cisco ASR 9000 Series Router” module.
• To attach a Layer 3 QOS service policy to the PVC under the PVC submode, refer to the appropriate Cisco IOS XR software configuration guide.
Configuring Optional PVC Parameters
This task describes the commands you can use to modify the default configuration on a POS PVC.
Prerequisites
Before you can modify the default PVC configuration, you must create the PVC on a POS subinterface,
as described in the “Creating a Point-to-Point POS Subinterface with a PVC” section on page 480.
Restrictions
• The DLCI (or PVC identifier) must match on both ends of the PVC for the connection to be active.
• To change the PVC DLCI, you must delete the PVC and then add it back with the new DLCI.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id.subinterface
3. pvc dlci
4. encap [cisco | ietf]
5. service-policy {input | output} policy-map
6. end
or
commit
7. Repeat Step 1 through Step 6 to configure the PVC at the other end of the connection.
8. show frame-relay pvc dlci-number
9. show policy-map interface pos interface-path-id.subinterface {input | output}
or
show policy-map type qos interface pos interface-path-id.subinterface {input | output}
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router (config)# interface pos 0/3/0/0.1
Enters POS subinterface configuration mode.
Step 3 pvc dlci
Example:
RP/0/RSP0/CPU0:router (config-subif)# pvc 20
Enters subinterface configuration mode for the PVC.
Replace dlci with the DLCI number used to identify the PVC. Range is from 16 to 1007.
Step 4 encap [cisco | ietf]
Example:
RP/0/RSP0/CPU0:router (config-fr-vc)# encap ietf
(Optional) Configures the encapsulation for a Frame Relay PVC.
Note If the encapsulation type is not configured explicitly for a PVC, then that PVC inherits the encapsulation type from the main POS interface.
Step 5 service-policy {input | output} policy-map
Example:
RP/0/RSP0/CPU0:router (config-fr-vc)# service-policy output policy1
Attaches a policy map to an input subinterface or output subinterface. Once attached, the policy map is used as the service policy for the subinterface.
Note For information on creating and configuring policy maps, refer to the Cisco IOS XR Modular Quality of Service Configuration Guide.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-fr-vc)# end
or
RP/0/RSP0/CPU0:router(config-fr-vc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 configure
interface pos interface-path-id.subinterface
pvc dlci
encap [cisco | ietf]
commit
Example:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router (config)# interface pos 0/3/0/1.1
RP/0/RSP0/CPU0:router (config-subif)# pvc 20
RP/0/RSP0/CPU0:router (config-fr-vc)# encap cisco
RP/0/RSP0/CPU0:router (config-fr-vc)# commit
Repeat Step 1 through Step 6 to bring up the POS subinterface and any associated PVC at the other end of the connection.
Note The configuration on both ends of the subinterface connection must match.
Step 8 show frame-relay pvc dlci-number
Example:
RP/0/RSP0/CPU0:router# show frame-relay pvc 20
(Optional) Verifies the configuration of the specified POS interface.
Step 9 show policy-map interface pos interface-path-id.subinterface {input | output}
or
show policy-map type qos interface pos interface-path-id.subinterface {input | output}
Example:
RP/0/RSP0/CPU0:router# show policy-map interface pos 0/3/0/0.1 output
or
RP/0/RSP0/CPU0:router# show policy-map type qos interface pos 0/3/0/0.1 output
(Optional) Displays the statistics and the configurations of the input and output policies that are attached to a subinterface.
What to Do Next
To modify the default Frame Relay configuration on POS interfaces that have Frame Relay encapsulation enabled, see the “Modifying the Default Frame Relay Configuration on an Interface” section of the “Configuring Frame Relay on the Cisco ASR 9000 Series Router” module.
Modifying the Keepalive Interval on POS Interfaces
Perform this task to modify the keepalive interval on POS interfaces that have Cisco HDLC or PPP encapsulation enabled.
Note When you enable Cisco HDLC or PPP encapsulation on a POS interface, the default keepalive interval is 10 seconds. Use this procedure to modify that default keepalive interval.
Note Cisco HDLC is enabled by default on POS interfaces.
Prerequisites
Before you can modify the keepalive timer configuration, you must ensure that Cisco HDLC or PPP encapsulation is enabled on the interface. Use the encapsulation command to enable Cisco HDLC or PPP encapsulation on the interface, as described in the “Configuring Optional POS Interface Parameters” section on page 478.
Restrictions
During MDR, the keepalive interval must be 10 seconds or more.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id
3. keepalive {seconds [retry-count] | disable}
or
no keepalive
4. end
or
commit
5. show interfaces type interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
Specifies the POS interface name and notation rack/slot/module/port and enters interface configuration mode.
Step 3 keepalive {seconds [retry-count] | disable}
or
no keepalive
Example:
RP/0/RSP0/CPU0:router(config-if)# keepalive 3
or
RP/0/RSP0/CPU0:router(config-if)# no keepalive
Specifies the number of seconds between keepalive messages, and optionally the number of keepalive messages that can be sent to a peer without a response before transitioning the link to the down state.
• Use the keepalive disable command, the no keepalive command, or the keepalive command with an argument of 0 to disable the keepalive feature entirely.
• If keepalives are configured on an interface, use the no keepalive command to disable the keepalive feature before you configure Frame Relay encapsulation on that interface.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 5 show interfaces pos interface-path-id
Example:
RP/0/RSP0/CPU0:router# show interfaces POS 0/3/0/0
(Optional) Verifies the interface configuration.
How to Configure a Layer 2 Attachment Circuit
The Layer 2 AC configuration tasks are described in the following procedures:
• Creating a Layer 2 Frame Relay Subinterface with a PVC
• Configuring Optional Layer 2 PVC Parameters
Note After you configure an interface for Layer 2 switching, no routing commands such as ipv4 address are permissible.
Note Layer 2 ACs are not supported on interfaces configured with HDLC or PPP encapsulation.
Creating a Layer 2 Frame Relay Subinterface with a PVC
The procedure in this section creates a Layer 2 Frame Relay subinterface with a PVC.
Prerequisites
Before you can create a subinterface on a POS interface, you must bring up a POS interface, as described
in the “Bringing Up a POS Interface” section on page 475.
Note You must skip Step 4 of the “Bringing Up a POS Interface” configuration steps when configuring an interface for Layer 2 switching. The ipv4 address command is not permissible on a Frame Relay encapsulated interface.
Restrictions
• Only one PVC can be configured for each subinterface.
• The configuration on both ends of the PVC must match for the connection to operate properly.
• The ipv4 address command is not permissible on a Frame Relay encapsulated interface. Any previous configuration of an IP address must be removed before you can configure an interface for Layer 2 transport mode.
• Layer 2 configuration is supported on Frame Relay PVCs only. Layer 2 Port mode, where Layer 2
configuration is applied directly under the main POS interface, is not supported.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id.subinterface l2transport
3. pvc dlci
4. end
or
commit
5. Repeat Step 1 through Step 4 to bring up the subinterface and any associated PVC at the other end
of the AC.
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id.subinterface l2transport
Example:
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/0.1 l2transport
Creates a subinterface and enters POS subinterface configuration mode for that subinterface.
Note The subinterface number must be unique among the subinterfaces configured under a single main interface.
Step 3 pvc dlci
Example:
RP/0/RSP0/CPU0:router(config-if)# pvc 100
Creates a Frame Relay permanent virtual circuit (PVC) and enters Layer 2 transport PVC configuration mode.
Replace dlci with the DLCI number used to identify the PVC. Range is from 16 to 1007.
Note Only one PVC is allowed per subinterface.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# end
or
RP/0/RSP0/CPU0:router(config-fr-vc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 5 Repeat Step 1 through Step 4 to bring up the subinterface and any associated PVC at the other end of the AC.
Brings up the AC.
Note The configuration on both ends of the AC must match.
What to Do Next
• To configure optional subinterface parameters, see the “Configuring Optional Layer 2 Subinterface Parameters” section on page 492.
• To configure optional PVC parameters, see the “Configuring Optional Layer 2 PVC Parameters” section on page 490.
• For more information about configuring Layer 2 services on the Cisco ASR 9000 Series Router, see the “Implementing Point to Point Layer 2 Services” module of the Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide.
Configuring Optional Layer 2 PVC Parameters
This task describes the commands you can use to modify the default configuration on a Frame Relay
Layer 2 PVC.
Prerequisites
You must create the PVC on a Layer 2 subinterface, as described in the “Creating a Layer 2 Frame Relay
Subinterface with a PVC” section on page 488.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id.subinterface l2transport
3. pvc dlci
4. encap [cisco | ietf]
5. service-policy {input | output} policy-map
6. end
or
commit
7. Repeat Step 1 through Step 5 to configure the PVC at the other end of the AC.
8. show policy-map interface pos interface-path-id.subinterface {input | output}
or
show policy-map type qos interface pos interface-path-id.subinterface {input | output}
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id.subinterface
l2transport
Example:
RP/0/RSP0/CPU0:router(config)# interface pos 0/6/0/1.10 l2transport
Enters POS subinterface configuration mode for a Layer 2
Frame Relay subinterface.
Step 3 pvc dlci
Example:
RP/0/RSP0/CPU0:router(config-if)# pvc 100
Enters Frame Relay PVC configuration mode for the
specified PVC.
Replace dlci with the DLCI number used to identify the
PVC. Range is from 16 to 1007.
Step 4 encap {cisco | ietf}
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# encap ietf
Configures the encapsulation for a Frame Relay PVC.
The encapsulation type must match on both ends of the
PVC.
Step 5 service-policy {input | output} policy-map
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# service-policy output policy1
Attaches a policy map to an input subinterface or output
subinterface. Once attached, the policy map is used as the
service policy for the subinterface.
Note For information on creating and configuring policy maps, refer to the Cisco IOS XR Modular Quality of Service Configuration Guide.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-pos-l2transport-pvc)# end
or
RP/0/RSP0/CPU0:router(config-pos-l2transport-pvc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 7 Repeat Step 1 through Step 5 to configure the PVC at the other end of the AC.
Brings up the AC.
Note The configuration on both ends of the connection must match.
Step 8 show policy-map interface pos interface-path-id.subinterface {input | output}
or
show policy-map type qos interface pos interface-path-id.subinterface {input | output}
Example:
RP/0/RSP0/CPU0:router# show policy-map interface pos 0/6/0/1.10 output
or
RP/0/RSP0/CPU0:router# show policy-map type qos interface pos 0/6/0/1.10 output
(Optional) Displays the statistics and the configurations of the input and output policies that are attached to a subinterface.
Configuring Optional Layer 2 Subinterface Parameters
This task describes the commands you can use to modify the default configuration on a Frame Relay Layer 2 subinterface.
Prerequisites
Before you can modify the default PVC configuration, you must create the PVC on a Layer 2 subinterface, as described in the “Creating a Layer 2 Frame Relay Subinterface with a PVC” section on page 488.
Restrictions
In most cases, the MTU that is configured under the subinterface has priority over the MTU that is configured under the main interface. The exception to this rule is when the subinterface MTU is higher than the main interface MTU. In such cases, the subinterface MTU displays the configured value in the CLI output, but the actual operational MTU is the value that is configured under the main interface. To avoid confusion when troubleshooting and optimizing your Layer 2 connections, we recommend always configuring a higher MTU on the main interface.
SUMMARY STEPS
1. configure
2. interface pos interface-path-id.subinterface
3. mtu value
4. end
or
commit
5. Repeat Step 1 through Step 4 to configure the subinterface at the other end of the AC.
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface pos interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/1.1
Enters POS subinterface configuration mode for a Layer 2
Frame Relay subinterface.
Step 3 mtu value
Example:
RP/0/RSP0/CPU0:router(config-if)# mtu 5000
(Optional) Configures the MTU value. Range is from 64
through 65535.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-pos-l2transport-pvc)# end
or
RP/0/RSP0/CPU0:router(config-pos-l2transport-pvc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 5 Repeat Step 1 through Step 4 to configure the PVC at
the other end of the AC.
Brings up the AC.
Note The configuration on both ends of the connection
must match.
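The restrictions stated in the three Layer 2 tasks above (no ipv4 address on an l2transport subinterface, one PVC per subinterface with a DLCI of 16 to 1007, matching PVC settings at both ends of the AC, and a subinterface MTU above the main interface MTU being displayed but not operational) and the keepalive rule from the keepalive task (disable keepalives before configuring Frame Relay encapsulation) can all be checked against a candidate configuration before it is committed. The following Python script is an added example; it is not Cisco code and not an IOS XR feature. It parses a constructed running-config excerpt written in IOS XR syntax, the 4474-byte POS default MTU is taken from the show interfaces output in the configuration examples later in this module, and the function and field names (parse_config, check, operational_mtu, pvc_ends_match) are the example's own.

```python
"""Offline checks for POS / Frame Relay configuration text (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

DLCI_MIN, DLCI_MAX = 16, 1007   # DLCI range given in the pvc step
MTU_MIN, MTU_MAX = 64, 65535    # mtu range given in the subinterface task
DEFAULT_MTU = 4474              # POS MTU shown in this module's show interfaces output


@dataclass
class Iface:
    name: str                            # e.g. POS0/3/0/0 or POS0/3/0/0.1
    l2transport: bool = False
    encapsulation: str = "hdlc"          # Cisco HDLC is the POS default
    keepalive: Optional[int] = None      # interval in seconds; None = not configured
    ipv4: Optional[str] = None
    mtu: Optional[int] = None
    pvcs: list = field(default_factory=list)   # DLCIs configured under the subinterface
    pvc_encap: Optional[str] = None      # 'cisco' or 'ietf', set under the PVC

    @property
    def main_name(self) -> str:
        return self.name.split(".")[0]

    @property
    def is_sub(self) -> bool:
        return "." in self.name


def parse_config(text: str) -> dict:
    """Build Iface records from the 'interface POS ...' blocks of a running config."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"interface\s+POS\s*(\S+)(\s+l2transport)?$", line, re.I)
        if m:
            cur = Iface(name="POS" + m.group(1), l2transport=bool(m.group(2)))
            ifaces[cur.name] = cur
            continue
        if cur is None:
            continue                     # text outside any interface block
        words = line.split()
        if words[0] == "pvc":
            cur.pvcs.append(int(words[1]))
        elif words[0] == "encap":        # PVC-level encapsulation (cisco | ietf)
            cur.pvc_encap = words[1]
        elif words[0] == "encapsulation":
            cur.encapsulation = words[1]
        elif words[:2] == ["ipv4", "address"]:
            cur.ipv4 = " ".join(words[2:])
        elif words[0] == "mtu":
            cur.mtu = int(words[1])
        elif line in ("no keepalive", "keepalive disable"):
            cur.keepalive = None
        elif words[0] == "keepalive":    # keepalive seconds [retry-count]; 0 disables
            cur.keepalive = int(words[1]) or None
    return ifaces


def operational_mtu(ifaces: dict, name: str) -> int:
    """A subinterface MTU above the main interface MTU is displayed but not used."""
    iface = ifaces[name]
    main = ifaces.get(iface.main_name, iface)
    main_mtu = main.mtu if main.mtu is not None else DEFAULT_MTU
    return main_mtu if iface.mtu is None else min(iface.mtu, main_mtu)


def pvc_ends_match(a: Iface, b: Iface) -> bool:
    """Both ends of the AC must use the same DLCI and PVC encapsulation."""
    return sorted(a.pvcs) == sorted(b.pvcs) and a.pvc_encap == b.pvc_encap


def check(ifaces: dict) -> list:
    """One message per violated restriction; an empty list means clean."""
    problems = []
    for i in ifaces.values():
        if i.encapsulation == "frame-relay" and i.keepalive is not None:
            problems.append(f"{i.name}: disable keepalive before Frame Relay encapsulation")
        if i.l2transport and i.ipv4:
            problems.append(f"{i.name}: ipv4 address not permitted on an l2transport subinterface")
        if len(i.pvcs) > 1:
            problems.append(f"{i.name}: only one PVC is allowed per subinterface")
        for dlci in i.pvcs:
            if not DLCI_MIN <= dlci <= DLCI_MAX:
                problems.append(f"{i.name}: DLCI {dlci} outside {DLCI_MIN}-{DLCI_MAX}")
        if i.mtu is not None and not MTU_MIN <= i.mtu <= MTU_MAX:
            problems.append(f"{i.name}: mtu {i.mtu} outside {MTU_MIN}-{MTU_MAX}")
        if i.is_sub and i.mtu is not None and operational_mtu(ifaces, i.name) < i.mtu:
            problems.append(f"{i.name}: mtu {i.mtu} exceeds the main interface MTU; "
                            f"operational MTU is {operational_mtu(ifaces, i.name)}")
    return problems


# Constructed sample: the router 1 side breaks every rule, the router 2 side is clean.
SAMPLE_CONFIG = """\
interface POS0/3/0/0
 keepalive 10
 encapsulation frame-relay
 mtu 4474
!
interface POS0/3/0/0.1 l2transport
 ipv4 address 10.20.3.1 255.255.255.0
 mtu 5000
 pvc 100
  encap ietf
 !
 pvc 2000
 !
!
interface POS0/3/0/1
 no keepalive
 encapsulation frame-relay
!
interface POS0/3/0/1.1 l2transport
 pvc 100
  encap ietf
 !
!
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for problem in check(cfg):
        print(problem)
    print("operational MTU of POS0/3/0/0.1:", operational_mtu(cfg, "POS0/3/0/0.1"))
```

Run against the sample, the script reports five findings on the router 1 side and none on the router 2 side, and operational_mtu shows that the 5000-byte subinterface MTU collapses to the main interface's 4474 bytes. The parser understands only the handful of commands used in this module; extend the branch list before pointing it at a full running configuration.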
Configuration Examples for POS Interfaces
This section provides the following configuration examples:
• Bringing Up and Configuring a POS Interface with Cisco HDLC Encapsulation: Example, page 494
• Configuring a POS Interface with Frame Relay Encapsulation: Example, page 494
• Configuring a POS Interface with PPP Encapsulation: Example, page 496
Bringing Up and Configuring a POS Interface with Cisco HDLC Encapsulation:
Example
The following example shows how to bring up a basic POS interface with Cisco HDLC encapsulation:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38 255.255.255.224
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
The following example shows how to configure the interval between keepalive messages to be 10
seconds:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# keepalive 10
RP/0/RSP0/CPU0:router(config-if)# commit
Configuring a POS Interface with Frame Relay Encapsulation: Example
The following example shows how to create a POS interface with Frame Relay encapsulation and a
point-to-point POS subinterface with a PVC on router 1:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/0.1 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.20.3.1/24
RP/0/RSP0/CPU0:router(config-subif)# pvc 100
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# show interface POS 0/3/0/0
Wed Oct 8 04:20:30.248 PST DST
POS0/3/0/0 is up, line protocol is up
Interface state transitions: 1
Hardware is Packet over SONET/SDH
Internet address is 10.20.3.1/24
MTU 4474 bytes, BW 155520 Kbit
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation FRAME-RELAY, crc 32, controller loopback not set,
LMI enq sent 116, LMI stat recvd 76, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
Last clearing of "show interface" counters 00:00:06
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 13 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 0 runts, 0 giants, 0 throttles, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 13 bytes, 0 total output drops
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out
The following example shows how to create a POS interface with Frame Relay encapsulation and a
point-to-point POS subinterface with a PVC on router 2, which is connected to router 1:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# frame-relay intf-type dce
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/1.1 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.20.3.2/24
RP/0/RSP0/CPU0:router(config-subif)# pvc 100
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# show interface POS 0/3/0/1
Wed Oct 8 04:20:38.037 PST DST
POS0/3/0/1 is up, line protocol is up
Interface state transitions: 1
Hardware is Packet over SONET/SDH
Internet address is 10.20.3.2/24
MTU 4474 bytes, BW 155520 Kbit
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation FRAME-RELAY, crc 32, controller loopback not set,
LMI enq sent 0, LMI stat recvd 0, LMI upd recvd 0
LMI enq recvd 77, LMI stat sent 77, LMI upd sent 0 , DCE LMI up
LMI DLCI 1023 LMI type is CISCO frame relay DCE
Last clearing of "show interface" counters 00:00:14
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2 packets input, 26 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 0 runts, 0 giants, 0 throttles, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2 packets output, 26 bytes, 0 total output drops
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out
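The two show interface outputs above carry everything needed to confirm that the Frame Relay link between router 1 and router 2 is healthy: both interfaces up/up with FRAME-RELAY encapsulation, LMI up at both ends, one end acting as DTE and the other as DCE, the same LMI type, the same MTU, and no input or CRC errors. The following Python script is an added example, not part of the Cisco documentation or software; its two sample outputs are constructed from the router 1 and router 2 sessions shown above, and parse_show_interface and link_report are names chosen for the example.

```python
"""Parse 'show interfaces POS' output and cross-check both ends of a Frame Relay link
(added example, not Cisco code)."""
import re

# Constructed from the router 1 (DTE) and router 2 (DCE) sessions in this section.
ROUTER1_SHOW = """\
POS0/3/0/0 is up, line protocol is up
  Interface state transitions: 1
  Hardware is Packet over SONET/SDH
  Internet address is 10.20.3.1/24
  MTU 4474 bytes, BW 155520 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation FRAME-RELAY, crc 32, controller loopback not set,
  LMI enq sent 116, LMI stat recvd 76, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023 LMI type is CISCO frame relay DTE
  1 packets input, 13 bytes, 0 total input drops
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  1 packets output, 13 bytes, 0 total output drops
"""

ROUTER2_SHOW = """\
POS0/3/0/1 is up, line protocol is up
  Interface state transitions: 1
  Hardware is Packet over SONET/SDH
  Internet address is 10.20.3.2/24
  MTU 4474 bytes, BW 155520 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation FRAME-RELAY, crc 32, controller loopback not set,
  LMI enq sent 0, LMI stat recvd 0, LMI upd recvd 0
  LMI enq recvd 77, LMI stat sent 77, LMI upd sent 0 , DCE LMI up
  LMI DLCI 1023 LMI type is CISCO frame relay DCE
  2 packets input, 26 bytes, 0 total input drops
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  2 packets output, 26 bytes, 0 total output drops
"""


def parse_show_interface(text: str) -> dict:
    """Pull the fields the link check needs out of one 'show interfaces' block."""
    def one(pattern, cast=str, required=True):
        m = re.search(pattern, text, re.M)
        if m is None:
            if required:
                raise ValueError(f"field not found: {pattern}")
            return None
        return cast(m.group(1))

    head = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    if head is None:
        raise ValueError("missing interface status line")
    name, admin, proto = head.groups()
    return {
        "name": name,
        "admin": admin,
        "protocol": proto,
        "address": one(r"Internet address is (\S+)", required=False),
        "mtu": one(r"MTU (\d+) bytes", int),
        "encapsulation": one(r"Encapsulation ([A-Z-]+)"),
        # LMI fields are present only with Frame Relay encapsulation
        "lmi_type": one(r"LMI type is (\w+) frame relay", required=False),
        "lmi_role": one(r"LMI type is \w+ frame relay (DTE|DCE)", required=False),
        "lmi_state": one(r"(?:DTE|DCE) LMI (up|down)", required=False),
        "input_errors": one(r"(\d+) input errors", int),
        "crc_errors": one(r"input errors, (\d+) CRC", int),
    }


def link_report(a: dict, b: dict) -> list:
    """Findings for a Frame Relay link between interfaces a and b; [] means healthy."""
    findings = []
    for end in (a, b):
        if (end["admin"], end["protocol"]) != ("up", "up"):
            findings.append(f"{end['name']}: {end['admin']}/{end['protocol']}")
        if end["encapsulation"] != "FRAME-RELAY":
            findings.append(f"{end['name']}: encapsulation {end['encapsulation']} is not FRAME-RELAY")
        elif end["lmi_state"] != "up":
            findings.append(f"{end['name']}: LMI is {end['lmi_state']}")
        if end["input_errors"] or end["crc_errors"]:
            findings.append(f"{end['name']}: {end['input_errors']} input errors, {end['crc_errors']} CRC")
    # The two ends must be one DTE and one DCE, with the same LMI type and MTU.
    if {a["lmi_role"], b["lmi_role"]} != {"DTE", "DCE"}:
        findings.append(f"LMI roles {a['lmi_role']}/{b['lmi_role']}: need one DTE and one DCE")
    if a["lmi_type"] != b["lmi_type"]:
        findings.append(f"LMI type mismatch: {a['lmi_type']} vs {b['lmi_type']}")
    if a["mtu"] != b["mtu"]:
        findings.append(f"MTU mismatch: {a['mtu']} vs {b['mtu']}")
    return findings


if __name__ == "__main__":
    r1, r2 = parse_show_interface(ROUTER1_SHOW), parse_show_interface(ROUTER2_SHOW)
    print("findings:", link_report(r1, r2) or "none, link is healthy")
    # Same link with router 2 wrongly reporting DTE: both ends DTE is flagged.
    print("findings:", link_report(r1, parse_show_interface(ROUTER2_SHOW.replace("DCE", "DTE"))))
```

The two samples produce no findings; flipping router 2 to DTE, as the script does in its second run, produces the role finding that a missing frame-relay intf-type dce would cause. Because the regexes search the whole block, the script also accepts output that has a timestamp line before the status line, as the real sessions above do.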
The following example shows how to create a Layer 2 POS subinterface with a PVC on the main POS interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/0.1 l2transport
RP/0/RSP0/CPU0:router(config-subif)# pvc 100
RP/0/RSP0/CPU0:router(config-subif)# commit
Configuring a POS Interface with PPP Encapsulation: Example
The following example shows how to create and configure a POS interface with PPP encapsulation:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38 255.255.255.224
RP/0/RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# show interfaces POS 0/3/0/0
POS0/3/0/0 is down, line protocol is down
Hardware is Packet over SONET
Internet address is 172.18.189.38/27
MTU 4474 bytes, BW 2488320 Kbit
reliability 0/255, txload Unknown, rxload Unknown
Encapsulation PPP, crc 32, controller loopback not set, keepalive set (10 sec)
LCP Closed
Closed: IPCP
Last clearing of "show interface" counters never
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 0 broadcast packets, 0 multicast packets
0 runts, 0 giants, 0 throttles, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 total output drops
Output 0 broadcast packets, 0 multicast packets
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Additional References
The following sections provide references related to POS interface configuration.
Related Documents
Related Topic Document Title
Cisco IOS XR master command reference Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands Cisco IOS XR Interface and Hardware Component Command
Reference
Initial system bootup and configuration information for
a router using the Cisco IOS XR software.
Cisco IOS XR Getting Started Guide
Cisco IOS XR AAA services configuration information Cisco IOS XR System Security Configuration Guide and Cisco IOS XR System Security Command Reference
Information about user groups and task IDs Cisco IOS XR Interface and Hardware Component Command Reference
Standards
Standards Title
FRF.1.2 PVC User-to-Network Interface (UNI) Implementation Agreement - July 2000
ANSI T1.617 Annex D —
ITU Q.933 Annex A —
MIBs
MIBs MIBs Link
— To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs Title
RFC 1294 Multiprotocol Interconnect Over Frame Relay
RFC 1315 Management Information Base for Frame Relay DTEs
RFC 1490 Multiprotocol Interconnect Over Frame Relay
RFC 1586 Guidelines for Running OSPF Over Frame Relay Networks
RFC 1604 Definitions of Managed Objects for Frame Relay Service
RFC 2115 Management Information Base for Frame Relay DTEs Using SMIv2
RFC 2390 Inverse Address Resolution Protocol
RFC 2427 Multiprotocol Interconnect Over Frame Relay
RFC 2954 Definitions of Managed Objects for Frame Relay Service
Technical Assistance
Description Link
The Cisco Technical Support website contains
thousands of pages of searchable technical content,
including links to products, technologies, solutions,
technical tips, and tools. Registered Cisco.com users
can log in from this page to access even more content.
http://www.cisco.com/techsupport
Configuring Serial Interfaces on the
Cisco ASR 9000 Series Router
This module describes the configuration of serial interfaces on the Cisco ASR 9000 Series Router.
Before you configure a serial interface, you must configure the clear channel T3/E3 controller or channelized T1/E1 controller (DS0 channel) that is associated with that interface.
Feature History for Configuring Serial Controller Interfaces
Release Modification
Release 3.3.0 This feature was introduced on the Cisco XR 12000 Series Router.
Support was added on the Cisco XR 12000 Series Router for the following
hardware:
• Cisco XR 12000 SIP-401
• Cisco XR 12000 SIP-501
• Cisco XR 12000 SIP-601
Support was added on the Cisco XR 12000 Series Router for the following
SPAs:
• Cisco 2-Port and 4-Port Channelized T3/DS0 SPA
• Cisco 2-Port and 4-Port T3/E3 Serial SPA
Release 3.4.0 Support for the following features was introduced:
• Subinterfaces with permanent virtual circuits (PVCs)
• Frame Relay encapsulation on serial main interfaces and PVCs on the
following hardware:
– Cisco 8-port Channelized T1/E1 SPA
– Cisco 2-Port and 4-Port Channelized T3/DS0 SPA
– Cisco 2-Port and 4-Port T3/E3 Serial SPA
– Cisco 1-Port Channelized OC-3 SPA
– Cisco 1-Port Channelized OC-12 SPA
– Cisco 1-Port Channelized OC-48 SPA
– Cisco 1-Port Channelized OC-12/STM-4 ISE Line Card
Release 3.4.1 This feature was introduced on the Cisco CRS-1 Router.
Support was added on the Cisco CRS-1 Router for the following hardware:
• Cisco CRS-1 SIP-800
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
Multilink PPP was supported on serial interfaces on the
Cisco XR 12000 Series Router.
Release 3.5.0 Support was added on the Cisco XR 12000 Series Router for the following
SPAs:
• Cisco 1-Port Channelized OC-12/DS0 SPA
• Cisco 1-Port Channelized OC-48/STM-16 SPA
Release 3.7.0 Support was added on the Cisco XR 12000 Series Router for the 1-Port
Channelized OC-48/DS3 Line Card.
Release 3.8.0 Support was added on the Cisco XR 12000 Series Router for quality of
service (QoS) on Layer 2 subinterfaces and the following line cards:
• Cisco 1-Port Channelized OC-12/DS0 Line Card
• Cisco 4-Port Channelized OC-12/DS3 Line Card
Release 3.9.0 Support for serial interfaces was added on the
Cisco ASR 9000 Series Router for the 2-Port Channelized OC-12c/DS0
SPA.
Release 4.0.0 Support for the following features and SPAs was added on the
Cisco ASR 9000 Series Router:
• Support for IPv4 multicast was added for serial interfaces. For more
information about multicast configuration on an interface, see the
Cisco ASR 9000 Series Aggregation Services Router Multicast
Configuration Guide.
• IPHC was added on the Cisco 2-Port Channelized OC-12c/DS0 SPA.
• Support for the Cisco 1-Port Channelized OC-48/STM-16 SPA was
introduced.
Release 4.0.0 Support for fragmentation counters using the fragment-counter command
was added for the following SPAs:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 4-Port Channelized T3/DS0 SPA
• Cisco 8-Port Channelized T1/E1 SPA
Release 4.0.1 Support for the following SPAs was added:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
Release 4.1.0 Support for the following SPAs was added:
• Cisco 4-Port Channelized T3/DS0 SPA
• Cisco 8-Port Channelized T1/E1 SPA
Support for IPHC was added on the following SPAs:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 4-Port Channelized T3/DS0 SPA
• Cisco 8-Port Channelized T1/E1 SPA
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
Contents
• Prerequisites for Configuring Serial Interfaces, page 501
• Information About Configuring Serial Interfaces, page 502
• How to Configure Serial Interfaces, page 514
• Configuration Examples for Serial Interfaces, page 542
• Additional References, page 547
Prerequisites for Configuring Serial Interfaces
Before configuring serial interfaces, ensure that the following tasks and conditions are met:
• You must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
• You have installed a 2-Port or 4-Port Clear Channel T3/E3 SPA.
• You should have the following SIP and any one of the following SPAs installed on the Cisco ASR 9000 Series Router:
– Cisco SIP 700 SPA Interface Processor
– Cisco 1-Port Channelized OC-3/STM-1 SPA
– Cisco 2-Port Channelized OC-12c/DS0 SPA
– Cisco 1-Port Channelized OC-48/STM-16 SPA
– Cisco 2-Port or 4-Port Clear Channel T3/E3 SPA
– Cisco 4-Port Channelized T3/DS0 SPA
– Cisco 8-Port Channelized T1/E1 SPA
• Your hardware must support T3/E3 or T1/E1 controllers and serial interfaces.
The following hardware supports T3/E3 controllers and serial interfaces:
– Cisco 2-Port and 4-Port Clear Channel T3/E3 SPAs
– Cisco 2-Port and 4-Port Channelized T3 SPAs
– Cisco 4-Port Channelized OC-12/DS3 line cards
– Cisco 1-Port Channelized OC-48/STM-16 SPA and line cards
The following hardware supports T1/E1 controllers and DS0 channels:
– Cisco 2-Port and 4-Port Channelized T3 SPAs
– Cisco 4-Port Channelized OC-12/DS3 line cards
– Cisco 1-Port Channelized OC-12/DS0 SPAs and line cards
– Cisco 1-Port Channelized OC-48/DS3 SPAs and line cards
– Cisco 1-Port Channelized OC3/STM-1 SPA
– Cisco 8-Port Channelized T1/E1 SPA
The following hardware supports serial interfaces:
– Cisco 2-Port and 4-Port Clear Channel T3/E3 SPAs
– Cisco 2-Port and 4-Port Channelized T3 SPAs
– Cisco 4-Port Channelized OC-12/DS3 line cards
– Cisco 1-Port Channelized OC-12/DS0 SPAs and line cards
– Cisco 1-Port Channelized OC-48/DS3 SPAs and line cards
– Cisco 1-Port Channelized OC3/STM-1 SPA
– Cisco 8-Port Channelized T1/E1 SPA
Note The Cisco 2-Port and 4-Port Channelized T3 SPAs can run in clear channel mode, or they can be
channelized into 28 T1 or 21 E1 controllers.
Note The Cisco 4-Port Channelized T3/DS0 SPA can run in clear channel mode, or it can be channelized into
28 T1 or 21 E1 controllers.
• You should have configured the clear channel T3/E3 controller or channelized T3 to T1/E1
controller that is associated with the serial interface you want to configure, as described in the
“Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the
Cisco ASR 9000 Series Router” module in this manual.
Note On channelized T3 to T1/E1 controllers, serial interfaces are automatically created when users configure
individual DS0 channel groups on the T1/E1 controllers.
Information About Configuring Serial Interfaces
To configure serial interfaces, study the following concepts:
• High-Level Overview: Serial Interface Configuration on Clear-Channel SPAs, page 503
• High-Level Overview: Serial Interface Configuration on Channelized SPAs, page 504
• Cisco HDLC Encapsulation, page 506
• PPP Encapsulation, page 506
• Keepalive Timer, page 508
• Frame Relay Encapsulation, page 509
• Layer 2 Tunnel Protocol Version 3-Based Layer 2 VPN on Frame Relay, page 510
• Default Settings for Serial Interface Configurations, page 511
• Serial Interface Naming Notation, page 511
• IPHC Overview, page 512
On the Cisco ASR 9000 Series Router, a single serial interface carries data over a single interface using
PPP, Cisco HDLC, or Frame Relay encapsulation.
High-Level Overview: Serial Interface Configuration on Clear-Channel SPAs
Table 14 provides a high-level overview of the tasks required to configure a T3 serial interface on the
Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA.
Table 15 provides a high-level overview of the tasks required to configure an E3 serial interface on a
2-Port and 4-Port Clear Channel T3/E3 SPA.
Table 14 Overview: Configuring a T3 Serial Interface on a Clear Channel SPA
Step 1. Task: Use the hw-module subslot command to set serial mode for the SPA to be T3, if necessary. Note By default, the 2-Port and 4-Port Clear Channel T3/E3 SPA is set to run in T3 mode.
Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”. Section: Setting the Card Type.
Step 2. Task: Configure the T3 controller.
Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”. Section: Setting the Card Type.
Step 3. Task: Configure the serial interface that is associated with the T3 controller you configured in Step 2.
Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”. Section: “How to Configure Serial Interfaces”.
Table 15 Overview: Configuring an E3 Serial Interface on a Clear Channel SPA
Step 1. Task: Use the hw-module subslot command to set serial mode for the SPA to be E3.
Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”. Section: Setting the Card Type.
Step 2. Task: Configure the E3 controller.
Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”. Section: Setting the Card Type.
Step 3. Task: Configure the serial interface that is associated with the E3 controller you configured in Step 2.
Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”. Section: How to Configure Serial Interfaces.
High-Level Overview: Serial Interface Configuration on Channelized SPAs
Table 16 and Table 17 provide a high-level overview of the tasks required to configure a T1 serial interface
on the following SPAs and line cards.
• Cisco 2-Port and 4-Port Channelized T3 SPA
• Cisco 4-Port Channelized OC-12/DS3 line cards
• Cisco 1-Port Channelized OC-12/DS0 SPAs and line cards
• Cisco 1-Port Channelized OC-48/STM-16 SPA and line cards
• Cisco 2-Port Channelized OC-12c/DS0 SPA
Table 16 Overview: Configuring a Serial Interface on a T1 DS0 Channel
Step 1. Configure the T3 controller parameters and set the SPA mode to be T3. 28 T1 controllers are automatically created.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Sections: Setting the Card Type; Configuring a Channelized T3 Controller
Step 2. Create and configure DS0 channel groups on the T1 controllers.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring a T1 Controller
Step 3. Configure the serial interfaces that are associated with the channel groups you created in Step 2.
    Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”
    Section: How to Configure Serial Interfaces
Table 17 Overview: Configuring a Serial Interface on a T1 DS0 Channel
Step 1. Configure the SONET controller parameters and STS stream for T3 mode.
    Module: “Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router”
    Section: Configuring SONET T3 and VT1.5-Mapped T1 Channels
Step 2. Configure the T3 controller parameters and set the mode to T1. 28 T1 controllers are automatically created.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring a Channelized T3 Controller
Step 3. Create and configure DS0 channel groups on the T1 controllers.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring a T1 Controller
Step 4. Configure the serial interfaces that are associated with the channel groups you created in Step 3.
    Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”
    Section: How to Configure Serial Interfaces
Table 18 provides a high-level overview of the tasks required to configure an E1 serial interface on the
following SPAs and line cards.
• 2-Port and 4-Port Channelized T3 SPA
• 4-Port Channelized OC-12/DS3 line cards
• 1-Port Channelized OC-12/DS0 SPAs and line cards
• 1-Port Channelized OC-48/DS3 SPAs and line cards
• 1-Port Channelized OC-3/STM-1 SPA
• 2-Port Channelized OC-12c/DS0 SPA
Table 18 Overview: Configuring a Serial Interface on an E1 DS0 Channel
Step 1. Configure the T3 controller parameters and set the SPA mode to be E3. 21 E1 controllers are automatically created.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring a Channelized T3 Controller
Step 2. Create and configure DS0 channel groups on the E1 controllers.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring an E1 Controller
Step 3. Configure the serial interfaces that are associated with the channel groups you created in Step 2.
    Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”
    Section: How to Configure Serial Interfaces
Table 19 Overview: Configuring a Serial Interface on an E1 DS0 Channel
Step 1. Configure the SONET controller parameters and STS stream for T3 mode.
    Module: “Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router”
    Section: Configuring SONET T3 and VT1.5-Mapped T1 Channels
Step 2. Configure the T3 controller parameters and set the mode to E1. 21 E1 controllers are automatically created.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring a Channelized T3 Controller
Step 3. Create and configure DS0 channel groups on the E1 controllers.
    Module: “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the Cisco ASR 9000 Series Router”
    Section: Configuring an E1 Controller
Step 4. Configure the serial interfaces that are associated with the channel groups you created in Step 3.
    Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”
    Section: How to Configure Serial Interfaces
Table 20 provides a high-level overview of the tasks required to configure a T3 serial interface on the 1-Port Channelized OC-48/STM-16 SPA.
Table 20 Overview: Configuring a Serial Interface on a T3 Channel
Step 1. Configure the SONET controller parameters and STS stream.
    Module: “Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router”
    Section: Configuring a Clear Channel SONET Controller for T3
Step 2. Configure the STS stream mode for T3 and configure the T3 controller parameters.
    Module: “Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router”
    Section: Configuring a Clear Channel SONET Controller for T3
Step 3. Configure the serial interfaces.
    Module: “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”
    Section: How to Configure Serial Interfaces
Cisco HDLC Encapsulation
Cisco High-Level Data Link Controller (HDLC) is the Cisco proprietary protocol for sending data over synchronous serial links using HDLC. Cisco HDLC also provides a simple control protocol called Serial Line Address Resolution Protocol (SLARP) to maintain serial link keepalives. HDLC is the default encapsulation type for serial interfaces under Cisco IOS XR software. Cisco HDLC is the default for data encapsulation at Layer 2 (data link) of the Open System Interconnection (OSI) stack for efficient packet delineation and error control.
Note Cisco HDLC is the default encapsulation type for the serial interfaces.
Cisco HDLC uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on page 508.
Note Use the debug chdlc slarp packet command to display information about the Serial Line Address Resolution Protocol (SLARP) packets that are sent to the peer after the keepalive timer has been configured.
PPP Encapsulation
PPP is a standard protocol used to send data over synchronous serial links. PPP also provides a Link Control Protocol (LCP) for negotiating properties of the link. LCP uses echo requests and responses to monitor the continuing availability of the link.
Note When an interface is configured with PPP encapsulation, a link is declared down, and full LCP negotiation is re-initiated, after five ECHOREQ packets are sent without receiving an ECHOREP response.
PPP provides the following Network Control Protocols (NCPs) for negotiating properties of data protocols that will run on the link:
• IP Control Protocol (IPCP) to negotiate IP properties
• Multiprotocol Label Switching control processor (MPLSCP) to negotiate MPLS properties
• Cisco Discovery Protocol control processor (CDPCP) to negotiate CDP properties
• IPv6CP to negotiate IP Version 6 (IPv6) properties
• Open Systems Interconnection control processor (OSICP) to negotiate OSI properties
PPP uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on page 508.
PPP supports the following authentication protocols, which require a remote device to prove its identity
before allowing data traffic to flow over a connection:
• Challenge Handshake Authentication Protocol (CHAP)—CHAP authentication sends a challenge
message to the remote device. The remote device encrypts the challenge value with a shared secret
and returns the encrypted value and its name to the local router in a response message. The local
router attempts to match the name of the remote device with an associated secret stored in the local
username or remote security server database; it uses the stored secret to encrypt the original
challenge and verify that the encrypted values match.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)—MS-CHAP is the Microsoft
version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; in
this case, authentication occurs between a personal computer using Microsoft Windows NT or
Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
• Password Authentication Protocol (PAP)—PAP authentication requires the remote device to send a
name and a password, which are checked against a matching entry in the local username database
or in the remote security server database.
Note For more information on enabling and configuring PPP authentication protocols, see the “Configuring
PPP on the Cisco ASR 9000 Series Router” module in this manual.
Use the ppp authentication command in interface configuration mode to enable CHAP, MS-CHAP, and
PAP on a serial interface.
Note Enabling or disabling PPP authentication does not affect the local router’s willingness to authenticate
itself to the remote device.
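The CHAP exchange described above, worked through in Python as an added example (this is not code from the Cisco guide). The “encryption” the text refers to is, in RFC 1994, an MD5 digest over the Identifier, the shared secret and the challenge value; the local router recomputes that digest from the secret it holds for the name carried in the response, so the secret itself never crosses the link. The username database, peer names and secrets below are constructed for the example. The PAP request builder at the end is there only for contrast: PAP places the password itself on the wire (RFC 1334).

```python
"""CHAP (RFC 1994) challenge/response, modelled as both PPP peers.

Added example, not from the Cisco guide. The authenticator (local router)
issues a challenge; the peer (remote device) answers with
MD5(Identifier || secret || challenge) and its name; the authenticator
looks the name up in its local username database, recomputes, compares.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed local username database (name -> shared secret). On a router
# this is the local username list or a remote security server database.
LOCAL_USERNAMES = {
    "branch-rtr": b"s3cret-shared-key",
    "hq-rtr": b"another-secret",
}


@dataclass(frozen=True)
class ChapChallenge:
    identifier: int      # 8-bit Identifier field, echoed back in the Response
    value: bytes         # Challenge Value (RFC 1994 section 4.1)


@dataclass(frozen=True)
class ChapResponse:
    identifier: int
    value: bytes         # 16-byte MD5 digest
    name: str            # Name of the responding peer


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier, secret and Challenge Value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticator_challenge(identifier: int, rng=os.urandom) -> ChapChallenge:
    """Local router side: the challenge must be unpredictable and not reused."""
    return ChapChallenge(identifier, rng(16))


def peer_respond(chal: ChapChallenge, name: str, secret: bytes) -> ChapResponse:
    """Remote device side: answer with its name and the digest, never the secret."""
    return ChapResponse(chal.identifier, chap_digest(chal.identifier, secret, chal.value), name)


def authenticator_verify(chal: ChapChallenge, resp: ChapResponse, db=LOCAL_USERNAMES) -> bool:
    """Local router side: look up the name, recompute, compare in constant time."""
    if resp.identifier != chal.identifier:
        return False              # response to some other challenge: reject
    secret = db.get(resp.name)
    if secret is None:
        return False              # unknown peer name -> CHAP Failure
    expected = chap_digest(chal.identifier, secret, chal.value)
    return hmac.compare_digest(expected, resp.value)


def chap_exchange(name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """Run the full three-way exchange; True means CHAP Success."""
    chal = authenticator_challenge(identifier)
    resp = peer_respond(chal, name, peer_secret)
    return authenticator_verify(chal, resp)


def pap_request(name: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): Peer-ID and Password,
    each length-prefixed, with the password sent as-is."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password


if __name__ == "__main__":
    print("correct secret:", chap_exchange("branch-rtr", b"s3cret-shared-key"))
    print("wrong secret:  ", chap_exchange("branch-rtr", b"guess"))
    print("unknown name:  ", chap_exchange("unknown", b"s3cret-shared-key"))
```

The verification step is the one that matters operationally: the authenticator accepts only a response whose Identifier matches an outstanding challenge and whose digest matches the secret stored for the presented name, which is the lookup the text describes against the local username or remote security server database.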
Multilink PPP
Multilink Point-to-Point Protocol (MLPPP) is supported on the following SPAs:
• 1-Port Channelized OC-12/DS0 SPAs and line cards
• 2-Port and 4-Port Channelized T3 SPAs
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 2-Port Channelized OC-12/DS0 SPA
MLPPP provides a method for combining multiple physical links into one logical link. The
implementation of MLPPP combines multiple PPP serial interfaces into one multilink interface. MLPPP
performs the fragmenting, reassembling, and sequencing of datagrams across multiple PPP links.
MLPPP provides the same features that are supported on PPP Serial interfaces with the exception of
QoS. It also provides the following additional features:
• Fragment sizes of 128, 256, and 512 bytes
• Long sequence numbers (24-bit)
• Lost fragment detection timeout period of 80 ms
• Minimum-active-links configuration option
• LCP echo request/reply support over multilink interface
• Full T1 and E1 framed and unframed links
For more information about configuring MLPPP on a serial interface, see the “Configuring PPP on the
Cisco ASR 9000 Series Router” module in this document.
Keepalive Timer
Cisco keepalives are useful for monitoring the link state. Periodic keepalives are sent to and received
from the peer at a frequency determined by the value of the keepalive timer. If an acceptable keepalive
response is not received from the peer, the link makes the transition to the down state. As soon as an
acceptable keepalive response is obtained from the peer or if keepalives are disabled, the link makes the
transition to the up state.
Note The keepalive command applies to serial interfaces using HDLC or PPP encapsulation. It does not apply
to serial interfaces using Frame Relay encapsulation.
For each encapsulation type, a certain number of keepalives ignored by a peer triggers the serial interface
to transition to the down state. For HDLC encapsulation, three ignored keepalives cause the interface
to be brought down. For PPP encapsulation, five ignored keepalives cause the interface to be brought
down. ECHOREQ packets are sent out only when LCP negotiation is complete (that is, when LCP
is open).
Use the keepalive command in interface configuration mode to set the frequency at which LCP sends
ECHOREQ packets to its peer. To restore the system to the default keepalive interval of 10 seconds, use
the keepalive command with no argument. To disable keepalives, use the keepalive disable command.
For both PPP and Cisco HDLC, a keepalive of 0 disables keepalives and is reported in the show
running-config command output as keepalive disable.
Note During Minimal Disruptive Restart (MDR) keepalives may fail. Therefore the keepalive timers, on both
ends, should be either disabled or set to an interval longer than the MDR time.
Note Before performing a Minimal Disruptive Restart (MDR) upgrade, we recommend disabling keepalives
on a Cisco XR 12000 Series Router.
Note Before performing a Minimal Disruptive Restart (MDR) upgrade, we recommend configuring a
keepalive interval of 10 seconds or more on a Cisco CRS-1 Router.
When LCP is running on the peer and receives an ECHOREQ packet, it responds with an echo reply
(ECHOREP) packet, regardless of whether keepalives are enabled on the peer.
Keepalives are independent between the two peers. One peer end can have keepalives enabled; the other
end can have them disabled. Even if keepalives are disabled locally, LCP still responds with ECHOREP
packets to the ECHOREQ packets it receives. Similarly, LCP also works if the period of keepalives at
each end is different.
Note Use the debug chdlc slarp packet command and other Cisco HDLC debug commands to display
information about the Serial Line Address Resolution Protocol (SLARP) packets that are sent to the peer
after the keepalive timer has been configured.
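A small model of the keepalive behaviour this section describes, written in Python as an added example (it is not Cisco code). It carries the rules stated above: a per-peer interval with 0 meaning keepalive disable and reported that way in the running configuration, the thresholds of three (HDLC) and five (PPP) ignored keepalives before the interface goes down, recovery on the first acceptable reply or when keepalives are disabled, no ECHOREQ before LCP is open, and a peer that still answers requests when its own keepalives are off. The Peer class, the simulate driver and the packet labels are constructed for the example.

```python
"""Keepalive monitoring for HDLC and PPP serial links (added example, not Cisco code).

Two peers are modelled; each has its own keepalive interval (10 s default,
0 = 'keepalive disable'). The ignored-keepalive thresholds are the ones the
text gives: 3 for HDLC, 5 for PPP. Packet names are illustrative only.
"""
from dataclasses import dataclass
from typing import Optional, List

DEFAULT_INTERVAL = 10                  # 'keepalive' with no argument
DOWN_AFTER = {"hdlc": 3, "ppp": 5}     # ignored keepalives before the link goes down
REQUEST = {"hdlc": "SLARP-KEEPALIVE", "ppp": "ECHOREQ"}
REPLY = {"SLARP-KEEPALIVE": "SLARP-KEEPALIVE", "ECHOREQ": "ECHOREP"}


@dataclass
class Peer:
    name: str
    encapsulation: str                 # "hdlc" or "ppp"
    interval: int = DEFAULT_INTERVAL   # seconds; 0 means keepalives are disabled
    lcp_open: bool = True              # PPP: ECHOREQ is sent only once LCP is open
    reachable: bool = True             # False models a dead line or dead peer
    missed: int = 0
    state: str = "up"

    def keepalives_enabled(self) -> bool:
        return self.interval > 0

    def running_config(self) -> str:
        """What 'show running-config' shows for this interface's keepalive."""
        if not self.keepalives_enabled():
            return "keepalive disable"          # a value of 0 is reported this way
        if self.interval == DEFAULT_INTERVAL:
            return ""                           # defaults are not shown
        return f"keepalive {self.interval}"

    def reply_to(self, request: str) -> Optional[str]:
        """Replies do not depend on the replier's own keepalive setting: a peer
        configured with 'keepalive disable' still answers ECHOREQ with ECHOREP."""
        if not self.reachable:
            return None
        return REPLY[request]


def keepalive_period(local: Peer, remote: Peer) -> str:
    """One keepalive interval elapses on `local`; returns its new link state."""
    if not local.keepalives_enabled():
        local.missed = 0
        local.state = "up"                     # disabled keepalives never hold a link down
        return local.state
    if local.encapsulation == "ppp" and not local.lcp_open:
        return local.state                     # nothing is sent before LCP is open
    reply = remote.reply_to(REQUEST[local.encapsulation])
    if reply is None:
        local.missed += 1
        if local.missed >= DOWN_AFTER[local.encapsulation]:
            local.state = "down"
    else:
        local.missed = 0
        local.state = "up"                     # first acceptable reply restores the link
    return local.state


def simulate(local: Peer, remote: Peer, periods: int) -> List[str]:
    """Link state seen by `local` after each of `periods` keepalive intervals."""
    return [keepalive_period(local, remote) for _ in range(periods)]


if __name__ == "__main__":
    print("HDLC, silent peer:", simulate(Peer("a", "hdlc"), Peer("b", "hdlc", reachable=False), 4))
    print("PPP, silent peer: ", simulate(Peer("a", "ppp"), Peer("b", "ppp", reachable=False), 6))
    print("PPP, peer has keepalives disabled but is alive:",
          simulate(Peer("a", "ppp"), Peer("b", "ppp", interval=0), 3))
```

The asymmetry the text points out falls out of the model: only the side that sends requests counts misses, so a peer with keepalives disabled neither brings its own side down nor prevents the other side from monitoring the link.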
Frame Relay Encapsulation
When Frame Relay encapsulation is enabled on a serial interface, the interface configuration is
hierarchical and comprises the following elements:
1. The serial main interface comprises the physical interface and port. If you are not using the serial
interface to support Cisco HDLC and PPP encapsulated connections, then you must configure
subinterfaces with permanent virtual circuits (PVCs) under the serial main interface. Frame Relay
connections are supported on PVCs only.
2. Serial subinterfaces are configured under the serial main interface. A serial subinterface does not
actively carry traffic until you configure a PVC under the serial subinterface. Layer 3 configuration
typically takes place on the subinterface.
3. Point-to-point PVCs are configured under a serial subinterface. You cannot configure a PVC directly
under a main interface. A single point-to-point PVC is allowed per subinterface. PVCs use a
predefined circuit path and fail if the path is interrupted. PVCs remain active until the circuit is
removed from either configuration. Connections on the serial PVC support Frame Relay
encapsulation only.
Note The administrative state of a parent interface drives the state of the subinterface and its PVC. When the
administrative state of a parent interface or subinterface changes, so does the administrative state of any
child PVC configured under that parent interface or subinterface.
To configure Frame Relay encapsulation on serial interfaces, use the encapsulation frame-relay
command.
Frame Relay interfaces support two types of encapsulated frames:
• Cisco (default)
• IETF
Use the encap command in PVC configuration mode to configure Cisco or IETF encapsulation on a
PVC. If the encapsulation type is not configured explicitly for a PVC, then that PVC inherits the
encapsulation type from the main serial interface.
Note Cisco encapsulation is required on serial main interfaces that are configured for MPLS. IETF
encapsulation is not supported for MPLS.
Before you configure Frame Relay encapsulation on an interface, you must verify that all prior Layer 3
configuration is removed from that interface. For example, you must ensure that there is no IP address
configured directly under the main interface; otherwise, any Frame Relay configuration done under the
main interface will not be viable.
LMI on Frame Relay Interfaces
The Local Management Interface (LMI) protocol monitors the addition, deletion, and status of PVCs.
LMI also verifies the integrity of the link that forms a Frame Relay UNI interface. By default, cisco LMI
is enabled on all PVCs. However, you can modify the default LMI type to be ANSI or Q.933, as
described in the “Modifying the Default Frame Relay Configuration on an Interface” section of the
“Configuring Frame Relay on the Cisco ASR 9000 Series Router” module in this manual.
If the LMI type is cisco (the default LMI type), the maximum number of PVCs that can be supported
under a single interface is related to the MTU size of the main interface. Use the following formula to
calculate the maximum number of PVCs supported on a card or SPA:
(MTU - 13)/8 = maximum number of PVCs
Note The default setting of the mtu command for a serial interface is 1504 bytes. Therefore, the default
number of PVCs supported on a serial interface configured with cisco LMI is 186.
Layer 2 Tunnel Protocol Version 3-Based Layer 2 VPN on Frame Relay
The Layer 2 Tunnel Protocol Version 3 (L2TPv3) feature defines the L2TP protocol for tunneling Layer
2 payloads over an IP core network using Layer 2 virtual private networks (VPNs).
L2TPv3 is a tunneling protocol used for transporting Layer 2 protocols. It can operate in a number of
different configurations and tunnel a number of different Layer 2 protocols and connections over a
packet-switched network.
Before you can configure L2TPv3, you need to configure a connection between the two attachment
circuits (ACs) that will host the L2TPv3 pseudowire. Cisco IOS XR software supports a point-to-point,
end-to-end service, where two ACs are connected together.
This module describes how to configure a Layer 2 AC on a Frame Relay encapsulated serial interface.
Note Serial interfaces support DLCI mode layer 2 ACs only; layer 2 port mode ACs are not supported on serial
interfaces.
For detailed information about configuring L2TPv3 in your network, see the “Implementing Layer 2
Tunnel Protocol Version 3” module of the Cisco IOS XR Virtual Private Network Configuration Guide
for the Cisco CRS Router. For detailed information about configuring L2VPNs, see the “Implementing
MPLS Layer 2 VPNs” module of the Cisco IOS XR Virtual Private Network Configuration Guide for the
Cisco CRS Router.
For detailed information about configuring L2TPv3 in your network, see the “Implementing Layer 2
Tunnel Protocol Version 3 on Cisco IOS XR Software” module of the Cisco IOS XR Virtual Private
Network Configuration Guide for the Cisco XR 12000 Series Router. For detailed information about
configuring L2VPNs, see the “Implementing MPLS Layer 2 VPNs on Cisco IOS XR Software” module
of the Cisco IOS XR Virtual Private Network Configuration Guide for the Cisco XR 12000 Series Router.
Default Settings for Serial Interface Configurations
When an interface is enabled on a T3/E3 SPA, and no additional configuration commands are applied,
the default interface settings shown in Table 21 are present. These default settings can be changed by
configuration.
Note Default settings do not appear in the output of the show running-config command.
Table 21 Serial Interface Default Settings
Keepalive
    Configuration file entry: keepalive [disable] or no keepalive
    Default: keepalive 10 seconds
    Note The keepalive command applies to serial interfaces using HDLC or PPP encapsulation. It does not apply to serial interfaces using Frame Relay encapsulation.
Encapsulation
    Configuration file entry: encapsulation [hdlc | ppp | frame-relay [ietf]]
    Default: hdlc
Maximum transmission unit (MTU)
    Configuration file entry: mtu bytes
    Default: 1504 bytes
Cyclic redundancy check (CRC)
    Configuration file entry: crc [16 | 32]
    Default: 16
Data stream inversion on a serial interface
    Configuration file entry: invert
    Default: Data stream is not inverted
Payload scrambling (encryption)
    Configuration file entry: scramble
    Default: Scrambling is disabled.
Number of High-Level Data Link Control (HDLC) flag sequences to be inserted between the packets
    Configuration file entry: transmit-delay
    Default: 0 (disabled)
Serial Interface Naming Notation
The naming notation for serial interfaces on a clear channel SPA is rack/slot/module/port, as shown in the following example:
interface serial 0/0/1/2
The naming notation for T1, E1, and DS0 interfaces on a channelized SPA is rack/slot/module/port/channel-num:channel-group-number, as shown in the following example:
interface serial 0/0/1/2/4:3
If a subinterface and PVC are configured under the serial interface, then the router includes the subinterface number at the end of the serial interface address. In this case, the naming notation is rack/slot/module/port[/channel-num:channel-group-number].subinterface, as shown in the following examples:
interface serial 0/0/1/2.1
interface serial 0/0/1/2/4:3.1
Note A slash between values is required as part of the notation.
The naming notation syntax for serial interfaces is as follows:
• rack: Chassis number of the rack.
• slot: Physical slot number of the modular services card or line card.
• module: Module number. Shared port adapters (SPAs) are referenced by their subslot number.
• port: Physical port number of the controller.
• channel-num: T1 or E1 channel number. T1 channels range from 0 to 23; E1 channels range from 0
to 31.
• channel-group-number: Time slot number. T1 time slots range from 1 to 24; E1 time slots range
from 1 to 31. The channel-group-number is preceded by a colon and not a slash.
• subinterface: Subinterface number.
Use the question mark (?) online help function following the serial keyword to view a list of all valid
interface choices.
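A parser and validator for the naming notation above, added here as a Python example (it is not part of the guide or of IOS XR). It accepts the clear-channel, channelized and subinterface forms, insists on the colon rather than a slash before channel-group-number, and applies the T1/E1 channel and time-slot ranges from the bullets. Because the name itself does not say whether the controller is T1 or E1, the caller passes that in; the function and class names are constructed for the example.

```python
"""Parser/validator for Cisco IOS XR serial interface names (added example).

Notation, from the text above:
    rack/slot/module/port[/channel-num:channel-group-number][.subinterface]
Ranges, from the text above: T1 channels 0-23 with time slots 1-24,
E1 channels 0-31 with time slots 1-31.
"""
import re
from dataclasses import dataclass
from typing import Optional

_NAME = re.compile(
    r"^(?:interface\s+)?serial\s*"
    r"(?P<rack>\d+)/(?P<slot>\d+)/(?P<module>\d+)/(?P<port>\d+)"
    r"(?:/(?P<channel>\d+):(?P<group>\d+))?"      # channelized form: colon before the group
    r"(?:\.(?P<sub>\d+))?$",
    re.IGNORECASE,
)

LIMITS = {  # controller type -> (max channel-num, max channel-group-number)
    "t1": (23, 24),
    "e1": (31, 31),
}


@dataclass(frozen=True)
class SerialName:
    rack: int
    slot: int
    module: int
    port: int
    channel: Optional[int] = None   # T1/E1 channel number on a channelized SPA
    group: Optional[int] = None     # time slot (channel-group) number
    subinterface: Optional[int] = None

    @property
    def channelized(self) -> bool:
        return self.channel is not None

    def canonical(self) -> str:
        """Re-emit the name in the guide's notation."""
        s = f"{self.rack}/{self.slot}/{self.module}/{self.port}"
        if self.channelized:
            s += f"/{self.channel}:{self.group}"
        if self.subinterface is not None:
            s += f".{self.subinterface}"
        return "serial " + s


def parse_serial(name: str, controller: str = "t1") -> SerialName:
    """Parse and range-check a serial interface name; raises ValueError on error."""
    m = _NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a serial interface name: {name!r}")
    g = {k: (int(v) if v is not None else None) for k, v in m.groupdict().items()}
    if g["channel"] is not None:
        if controller not in LIMITS:
            raise ValueError("controller must be 't1' or 'e1'")
        max_channel, max_group = LIMITS[controller]
        if not 0 <= g["channel"] <= max_channel:
            raise ValueError(f"{controller.upper()} channel-num out of range: {g['channel']}")
        if not 1 <= g["group"] <= max_group:
            raise ValueError(f"{controller.upper()} channel-group out of range: {g['group']}")
    return SerialName(g["rack"], g["slot"], g["module"], g["port"],
                      g["channel"], g["group"], g["sub"])


def is_valid_serial(name: str, controller: str = "t1") -> bool:
    """Boolean form of parse_serial for filters and config linting."""
    try:
        parse_serial(name, controller)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ("interface serial 0/0/1/2", "interface serial 0/0/1/2/4:3",
              "interface serial 0/0/1/2/4:3.1", "serial 0/0/1/2/4/3"):
        print(f"{n!r:40} -> {is_valid_serial(n)}")
```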
IPHC Overview
IP header compression (IPHC) is based on the premise that most of the headers in the packets of a
particular transmission remain constant throughout the flow. Only a few fields in the headers of related
packets change during a flow.
IPHC compresses these headers so that the compressed header contains only the fields that change from
packet to packet. All fields that remain the same from packet to packet are eliminated in the compressed
headers. Full headers are sent between compressed headers.
Full headers are uncompressed headers that contain all the original header fields along with additional
information (context ID) to identify the flow. The interval at which full headers are sent between
compressed packets is configurable using the refresh max-period and refresh max-time commands.
IPHC contexts are used by the compressor (sender) and decompressor (receiver) of compressed packets
to encode and decode the packets in a flow. A context is stored on the compressor and decompressor and
is used in the delta calculation at both ends. The number of contexts allowed on a particular interface is
configurable. The maximum size of the header that can be compressed is also configurable.
IPHC supports the compression and decompression of RTP and UDP traffic and the decompression of
CN on TCP and CTCP traffic.
Users may choose one of the following types of compression formats:
• Internet Engineering Task Force (IETF) standard format.
Uses RFC2507 and RFC2508 compression schemes.
• IPHC format.
Provides options similar to IETF.
Table 22 shows the IPHC features, the values of the features, and their defaults.
Table 22 IPHC Features and Default Settings
TCP contexts: 0 to 255; default 1
Non-TCP contexts: 1 to 6000; default 16
Compression Format Options: IETF or IPHC; no default
Feedback Messages: Enable or Disable; default Enabled
Maximum Refresh Period Size: 1 to 65535 packets; default 256
Maximum Refresh Time Period: 0 to 255 seconds; default 5
Maximum Header Size: 20 to 40 bytes; default 40
Real Time Protocol (RTP): Enable or Disable; default Enabled
Refresh RTP: Enable or Disable; default Disabled
Currently, only IPv4 unicast packets with UDP in the protocol field of the IP header are compressed.
IPHC is configured on an interface as follows:
• Configure the IPHC slot level command
• Create an IPHC profile
• Configure IPHC attributes in the profile
• Attach the profile to an interface
IPHC profiles must contain the rtp command to enable Real Time Protocol (RTP) on the interface, or the profile is not enabled. The refresh rtp command must be used to enable the configured refresh settings for RTP packets. By default, refresh RTP is disabled and only the first packet in the flow is sent as a ‘full-header’ packet.
If some attributes, such as feedback messages, maximum refresh period size, maximum refresh time period, and maximum header size, are not configured in the profile, the default values for those attributes apply when the profile is enabled on the interface.
Currently, IPHC is supported only on serial interfaces with PPP encapsulation and on multilink interfaces with PPP encapsulation.
IPHC is typically configured between the Customer Edge (CE) and Provider Edge (PE) ends of an interface and must be configured at both ends of the interface to work. The PPP protocol negotiates the IPHC-specific parameters between the two ends of the interface and settles on the lowest value configured between the two ends.
QoS and IPHC
An IPHC profile can be enabled on an interface so that the IPHC profile applies only to packets that match a Quality of Service (QoS) service policy. In this case, the QoS service-policy class attributes determine which packets are compressed. This allows users to fine-tune IPHC with greater granularity.
Policy maps are attached to an interface using the service-policy command. IPHC action applies only to output service policies. IPHC is not supported on input service policies.
The user can configure IPHC using QoS as follows:
• Create a QoS policy-map with the compress header ip action.
• Attach the IPHC profile to the interface using the ipv4 iphc profile profile_name mode
service-policy command.
• Attach the QoS policy-map with compress header ip action using the service-policy output
command.
See “IPHC on a Serial Interface with MLPPP/LFI and QoS Configuration: Example” section on
page 547 for an example of how to configure IPHC using QoS.
For complete information on configuring QoS, refer to the Cisco XR 12000 Series Router Modular Quality of Service Configuration Guide and the Cisco XR 12000 Series Router Modular Quality of Service Command Reference, or to the Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Configuration Guide and the Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Command Reference.
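A simplified model of the IPHC behaviour described in the IPHC Overview, added as a Python example (not Cisco code, and not the RFC 2507/2508 wire format): contexts identified by the flow fields that never change, a full header carrying a context ID at the start of a flow, compressed headers carrying only the fields that changed since the previous packet, and full-header refreshes driven by refresh max-period and refresh max-time when refresh rtp is enabled. The defaults come from Table 22; the header field names, addresses and the run_flow driver are constructed for the example. Two cases the text only implies are handled explicitly: running out of contexts (the packet is sent uncompressed, without a context ID) and a compressed header arriving for a context the decompressor never learned, which is what a lost full header looks like and why a bounded refresh interval matters.

```python
"""Simplified IP header compression (IPHC) model: added example, not Cisco code
and not the RFC 2507/2508 encoding. Shows contexts, full vs compressed headers
and refresh by max-period (packets) / max-time (seconds)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Defaults taken from Table 22
MAX_NON_TCP_CONTEXTS = 16
REFRESH_MAX_PERIOD = 256     # packets
REFRESH_MAX_TIME = 5         # seconds

FLOW_KEYS = ("src", "dst", "proto", "sport", "dport")   # constant within a flow


@dataclass
class FlowContext:
    cid: int                     # context ID carried in full and compressed headers
    last: Dict[str, int]         # header as last sent (compressor) / received (decompressor)
    packets_since_full: int = 0
    time_of_full: float = 0.0


class Compressor:
    def __init__(self, max_contexts=MAX_NON_TCP_CONTEXTS,
                 max_period=REFRESH_MAX_PERIOD, max_time=REFRESH_MAX_TIME,
                 refresh_rtp=False):
        self.max_contexts = max_contexts
        self.max_period = max_period
        self.max_time = max_time
        self.refresh_rtp = refresh_rtp   # 'refresh rtp' off: only the first packet is full
        self.contexts: Dict[Tuple, FlowContext] = {}

    def compress(self, hdr: Dict[str, int], now: float):
        key = tuple(hdr[k] for k in FLOW_KEYS)
        ctx = self.contexts.get(key)
        if ctx is None:
            if len(self.contexts) >= self.max_contexts:
                return ("uncompressed", dict(hdr))     # no context left: send as-is
            ctx = FlowContext(len(self.contexts), dict(hdr), 0, now)
            self.contexts[key] = ctx
            return ("full", {"cid": ctx.cid, **hdr})
        refresh_due = self.refresh_rtp and (ctx.packets_since_full >= self.max_period
                                            or now - ctx.time_of_full >= self.max_time)
        if refresh_due:
            ctx.last, ctx.packets_since_full, ctx.time_of_full = dict(hdr), 0, now
            return ("full", {"cid": ctx.cid, **hdr})
        delta = {k: v for k, v in hdr.items() if ctx.last.get(k) != v}   # changed fields only
        ctx.last = dict(hdr)
        ctx.packets_since_full += 1
        return ("compressed", {"cid": ctx.cid, **delta})


class Decompressor:
    def __init__(self):
        self.contexts: Dict[int, Dict[str, int]] = {}

    def decompress(self, kind: str, payload: Dict[str, int]) -> Dict[str, int]:
        if kind == "uncompressed":
            return dict(payload)
        cid = payload["cid"]
        fields = {k: v for k, v in payload.items() if k != "cid"}
        if kind == "full":
            self.contexts[cid] = dict(fields)          # (re)learn the context
            return dict(fields)
        if cid not in self.contexts:
            # A compressed header with no context: the full header was lost.
            raise KeyError(f"compressed header for unknown context {cid}")
        hdr = {**self.contexts[cid], **fields}         # apply the delta to the context
        self.contexts[cid] = hdr
        return hdr


def run_flow(n_packets: int, dt: float = 0.02, **compressor_opts):
    """Send n constructed RTP/UDP packets of one flow through a compressor and
    decompressor; return (full headers, compressed headers, all decoded correctly)."""
    comp, decomp = Compressor(**compressor_opts), Decompressor()
    full = compressed = 0
    ok = True
    for i in range(n_packets):
        hdr = {"src": 0x0A010201, "dst": 0x0A010202, "proto": 17, "sport": 16384,
               "dport": 16384, "ip_id": i, "udp_len": 172,
               "rtp_seq": 1000 + i, "rtp_ts": 160 * i}      # constructed sample flow
        kind, payload = comp.compress(hdr, now=i * dt)
        full += kind == "full"
        compressed += kind == "compressed"
        ok = ok and decomp.decompress(kind, payload) == hdr
    return full, compressed, ok


if __name__ == "__main__":
    print("refresh rtp disabled:", run_flow(10))
    print("refresh by period   :", run_flow(515, refresh_rtp=True, max_time=1000))
    print("refresh by time     :", run_flow(100, dt=1.0, refresh_rtp=True, max_period=10**6))
```

With refresh rtp disabled the model behaves as the text says the default does: one full header, then every later packet compressed. Enabling it and lowering max-time trades link efficiency for a shorter window in which a lost full header leaves the decompressor unable to rebuild headers.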
How to Configure Serial Interfaces
After you have configured a channelized or clear channel T3/E3 controller, as described in the
“Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the
Cisco ASR 9000 Series Router” module in this document, you can configure the serial interfaces
associated with that controller.
The following tasks describe how to configure a serial interface:
• Bringing Up a Serial Interface, page 514
• Configuring Optional Serial Interface Parameters, page 518
• Creating a Point-to-Point Serial Subinterface with a PVC, page 521
• Configuring Optional PVC Parameters, page 524
• Modifying the Keepalive Interval on Serial Interfaces, page 526
• How to Configure a Layer 2 Attachment Circuit, page 528
– Creating a Serial Layer 2 Subinterface with a PVC, page 529
– Configuring Optional Serial Layer 2 PVC Parameters, page 531
• Configuring IPHC, page 533
– Configuring the IPHC Slot Level Command, page 534
– Configuring an IPHC Profile, page 536
– Configuring an IPHC Profile, page 538
– Enabling an IPHC Profile on an Interface, page 541
Bringing Up a Serial Interface
This task describes the commands used to bring up a serial interface.
Prerequisites
The Cisco XR 12000 Series Router must have at least one of the SIPs and one of the SPAs or line cards
installed and be running Cisco IOS XR software:
• Cisco XR 12000 SIP-401
• Cisco XR 12000 SIP-501
• Cisco XR 12000 SIP-601
• 2-Port and 4-Port T3/E3 Serial SPA
• 2-Port and 4-Port Channelized T3/DS0 Serial SPA
• 4-Port Channelized OC-12/DS3 line cards
• 1-Port Channelized OC-12/DS0 SPAs and line cards
• 1-Port Channelized OC-48/DS3 SPAs and line cards
• 1-Port Channelized OC3/STM-1 SPA
• 8-Port Channelized T1/E1 SPA
The Cisco CRS-1 Router must have the following SIP and SPA installed and running
Cisco IOS XR software:
• Cisco CRS-1 SIP-800
• 2-Port and 4-Port T3/E3 Serial SPA
The Cisco ASR 9000 Series Router must have the following SIP and at least one of the following SPAs
installed and running Cisco IOS XR software:
• SIP 700 SPA Interface Processor
• 1-Port Channelized OC-3/STM-1 SPA
• 2-Port Channelized OC-12c/DS0 SPA
• 1-Port Channelized OC-48/STM-16 SPA
• 4-Port Channelized T3/DS0 SPA
• 2-Port and 4-Port Clear Channel T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
Restrictions
The configuration on both ends of the serial connection must match for the interface to be active.
SUMMARY STEPS
1. show interfaces
2. configure
3. interface serial interface-path-id
4. ipv4 address ip-address
5. no shutdown
6. end
or
commit
7. exit
8. exit
9. Repeat Step 1 through Step 8 to bring up the interface at the other end of the connection.
10. show ipv4 interface brief
11. show interfaces serial interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 show interfaces
Example:
RP/0/0RP0RSP0/CPU0:router# show interfaces
(Optional) Displays configured interfaces.
• Use this command to also confirm that the router
recognizes the PLIM card.
Step 2 configure
Example:
RP/0/0RP0RSP0/CPU0:router# configure
Enters global configuration mode.
Step 3 interface serial interface-path-id
Example:
RP/0/0RP0RSP0/CPU0:router(config)# interface
serial 0/1/0/0
Specifies the serial interface name and notation
rack/slot/module/port, and enters interface configuration
mode.
Step 4 ipv4 address ip-address
Example:
RP/0/0RP0RSP0/CPU0:router(config-if)# ipv4
address 10.1.2.1 255.255.255.224
Assigns an IP address and subnet mask to the interface.
Note Skip this step if you are configuring Frame Relay
encapsulation on this interface. For Frame Relay,
the IP address and subnet mask are configured
under the subinterface.
Step 5 no shutdown
Example:
RP/0/0RP0RSP0/CPU0:router (config-if)# no
shutdown
Removes the shutdown configuration.
Note Removal of the shutdown configuration eliminates
the forced administrative down on the interface,
enabling it to move to an up or down state (assuming
the parent SONET layer is not configured
administratively down).
Step 6 end
or
commit
Example:
RP/0/0RP0RSP0/CPU0:router (config-if)# end
or
RP/0/0RP0RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 exit
Example:
RP/0/0RP0RSP0/CPU0:router (config-if)# exit
Exits interface configuration mode and enters global
configuration mode.
Step 8 exit
Example:
RP/0/0RP0RSP0/CPU0:router (config)# exit
Exits global configuration mode and enters EXEC mode.
Step 9 show interfaces
configure
interface serial interface-path-id
no shut
exit
exit
Example:
RP/0/0RP0RSP0/CPU0:router# show interfaces
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router (config)# interface
serial 0/1/0/1
RP/0/0RP0RSP0/CPU0:router(config-if)# ipv4
address 10.1.2.2 255.255.255.224
RP/0/0RP0RSP0/CPU0:router (config-if)# no
shutdown
RP/0/0RP0RSP0/CPU0:router (config-if)# commit
RP/0/0RP0RSP0/CPU0:router (config-if)# exit
RP/0/0RP0RSP0/CPU0:router (config)# exit
Repeat Step 1 through Step 8 to bring up the interface at the
other end of the connection.
Note The configuration on both ends of the serial
connection must match.
What to Do Next
To modify the default configuration of the serial interface you just brought up, see the “Configuring
Optional Serial Interface Parameters” section on page 518.
Configuring Optional Serial Interface Parameters
This task describes the commands used to modify the default configuration on a serial interface.
Prerequisites
Before you modify the default serial interface configuration, you must bring up the serial interface and
remove the shutdown configuration, as described in the “Bringing Up a Serial Interface” section on
page 514.
Restrictions
The configuration on both ends of the serial connection must match for the interface to be active.
SUMMARY STEPS
1. configure
2. interface serial interface-path-id
3. encapsulation {hdlc | ppp | frame-relay [IETF]}
4. serial
5. crc length
6. invert
7. scramble
8. transmit-delay hdlc-flags
9. end
or
commit
10. exit
Step 10 show ipv4 interface brief
Example:
RP/0/0RP0RSP0/CPU0:router# show ipv4 interface
brief
Verifies that the interface is active and properly configured.
If you have brought up a serial interface properly, the
“Status” field for that interface in the show ipv4 interface
brief command output displays “Up.”
Step 11 show interfaces serial interface-path-id
Example:
RP/0/0RP0RSP0/CPU0:router# show interfaces
serial 0/1/0/0
(Optional) Displays the interface configuration.
11. exit
12. exit
13. show interfaces serial [interface-path-id]
Command or Action Purpose
Step 1 configure
Example:
RP/0/0RP0RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface serial interface-path-id
Example:
RP/0/0RP0RSP0/CPU0:router(config)# interface
serial 0/1/0/0
Specifies the serial interface name and notation
rack/slot/module/port, and enters interface configuration
mode.
Step 3 encapsulation {hdlc | ppp | frame-relay [IETF]}
Example:
RP/0/0RP0RSP0/CPU0:router(config-if)#
encapsulation hdlc
(Optional) Configures the interface encapsulation
parameters and details such as HDLC, PPP or Frame Relay.
Note The default encapsulation is hdlc.
Step 4 serial
Example:
RP/0/0RP0RSP0/CPU0:router(config-if)# serial
(Optional) Enters serial submode to configure the serial
parameters.
Step 5 crc length
Example:
RP/0/0RP0RSP0/CPU0:ios(config-if-serial)# crc
32
(Optional) Specifies the length of the cyclic redundancy
check (CRC) for the interface. Enter the 16 keyword to
specify 16-bit CRC mode, or enter the 32 keyword to
specify 32-bit CRC mode.
Note The default CRC length is 16.
Step 6 invert
Example:
RP/0/0RP0RSP0/CPU0:ios(config-if-serial)#
invert
(Optional) Inverts the data stream.
Step 7 scramble
Example:
RP/0/0RP0RSP0/CPU0:ios(config-if-serial)#
scramble
(Optional) Enables payload scrambling on the interface.
Note Payload scrambling is disabled on the interface by default.
Step 8 transmit-delay hdlc-flags
Example:
RP/0/0RP0RSP0/CPU0:ios(config-if-serial)#
transmit-delay 10
(Optional) Specifies a transmit delay on the interface.
Values can be from 0 to 128.
Note Transmit delay is disabled by default (the transmit
delay is set to 0).
What to Do Next
• To create a point-to-point Frame Relay subinterface with a PVC on the serial interface you just
brought up, see the “Creating a Point-to-Point Serial Subinterface with a PVC” section on page 521.
• To configure PPP authentication on serial interfaces with PPP encapsulation, see the “Configuring
PPP on the Cisco ASR 9000 Series Router” module later in this manual.
Step 9 end
or
commit
Example:
RP/0/0RP0RSP0/CPU0:router (config-if)# end
or
RP/0/0RP0RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 10 exit
Example:
RP/0/0RP0RSP0/CPU0:router(config-if-serial)#
exit
Exits serial configuration mode.
Step 11 exit
Example:
RP/0/0RP0RSP0/CPU0:router (config-if)# exit
Exits interface configuration mode and enters global
configuration mode.
Step 12 exit
Example:
RP/0/0RP0RSP0/CPU0:router (config)# exit
Exits global configuration mode and enters EXEC mode.
Step 13 show interfaces serial [interface-path-id]
Example:
RP/0/0RP0RSP0/CPU0:router# show interfaces
serial 0/1/0/0
(Optional) Displays general information for the specified
serial interface.
• To modify the default keepalive configuration, see the “Modifying the Keepalive Interval on Serial
Interfaces” section on page 526.
• To modify the default Frame Relay configuration on serial interfaces that have Frame Relay
encapsulation enabled, see the “Modifying the Default Frame Relay Configuration on an Interface”
section of the “Configuring Frame Relay on the Cisco ASR 9000 Series Router” module.
Creating a Point-to-Point Serial Subinterface with a PVC
The procedure in this section creates a point-to-point serial subinterface and configures a permanent
virtual circuit (PVC) on that serial subinterface.
Note Subinterface and PVC creation is supported on interfaces with Frame Relay encapsulation only.
Prerequisites
Before you can create a subinterface on a serial interface, you must bring up the main serial interface
with Frame Relay encapsulation, as described in the “Bringing Up a Serial Interface” section on
page 514.
Restrictions
Only one PVC can be configured for each point-to-point serial subinterface.
SUMMARY STEPS
1. configure
2. interface serial interface-path-id.subinterface point-to-point
3. ipv4 address ipv4_address/prefix
4. pvc dlci
5. end
or
commit
6. Repeat Step 1 through Step 5 to bring up the serial subinterface and any associated PVC at the other
end of the connection.
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/0RP0RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface serial interface-path-id.subinterface
point-to-point
Example:
RP/0/0RP0RSP0/CPU0:router (config)# interface
serial 0/1/0/0.1
Enters serial subinterface configuration mode.
Step 3 ipv4 address ipv4_address/prefix
Example:
RP/0/0RP0RSP0/CPU0:router (config-subif)# ipv4
address 10.46.8.6/24
Assigns an IP address and subnet mask to the subinterface.
Step 4 pvc dlci
Example:
RP/0/0RP0RSP0/CPU0:router (config-subif)# pvc
20
Creates a serial permanent virtual circuit (PVC) and enters
Frame Relay PVC configuration submode.
Replace dlci with a PVC identifier, in the range from 16 to
1007.
Note Only one PVC is allowed per subinterface.
What to Do Next
• To configure optional PVC parameters, see the “Configuring Optional Serial Interface Parameters”
section on page 518.
• To modify the default Frame Relay configuration on serial interfaces that have Frame Relay
encapsulation enabled, see the “Modifying the Default Frame Relay Configuration on an Interface”
section of the “Configuring Frame Relay on the Cisco ASR 9000 Series Router” module.
• To attach a Layer 3 QOS service policy to the PVC under the PVC submode, refer to the appropriate
Cisco IOS XR software configuration guide.
Step 5 end
or
commit
Example:
RP/0/0RP0RSP0/CPU0:router (config-subif)# end
or
RP/0/0RP0RSP0/CPU0:router(config-subif)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 6 configure
interface serial interface-path-id
pvc dlci
commit
Example:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router (config)# interface
serial 0/1/0/1.1
RP/0/0RP0RSP0/CPU0:router (config-subif)# ipv4
address 10.46.8.5/24
RP/0/0RP0RSP0/CPU0:router (config-subif)# pvc
20
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)#
commit
Repeat Step 1 through Step 5 to bring up the serial
subinterface and any associated PVC at the other end of the
connection.
Note The DLCI (or PVC identifier) must match on both
ends of the subinterface connection.
Note When assigning an IP address and subnet mask to
the subinterface at the other end of the connection,
keep in mind that the addresses at both ends of the
connection must be in the same subnet.
Configuring Optional PVC Parameters
This task describes the commands you can use to modify the default configuration on a serial PVC.
For additional information about Frame Relay options, see the “Configuring Frame Relay on Cisco IOS
XR Software” module in the Cisco IOS XR Interface and Hardware Component Configuration Guide for
the Cisco XR 12000 Series Router.
For additional information about Frame Relay options, see the “Configuring Frame Relay on the Cisco
ASR 9000 Series Router” module in the Cisco IOS XR Interface and Hardware Component
Configuration Guide for the Cisco ASR 9000 Series Router.
Prerequisites
Before you can modify the default PVC configuration, you must create the PVC on a serial subinterface,
as described in the “Creating a Point-to-Point Serial Subinterface with a PVC” section on page 521.
Restrictions
• The DLCI (or PVC identifier) must match on both ends of the PVC for the connection to be active.
• To change the PVC DLCI, you must delete the PVC and then add it back with the new DLCI.
SUMMARY STEPS
1. configure
2. interface serial interface-path-id.subinterface
3. pvc dlci
4. encap [cisco | ietf]
5. service-policy {input | output} policy-map
6. end
or
commit
7. Repeat Step 1 through Step 6 to configure the PVC at the other end of the connection.
8. show frame-relay pvc dlci-number
9. show policy-map interface serial interface-path-id.subinterface {input | output}
or
show policy-map type qos interface serial interface-path-id.subinterface {input | output}
Command or Action Purpose
Step 1 configure
Example:
RP/0/0RP0RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface serial interface-path-id.subinterface
Example:
RP/0/0RP0RSP0/CPU0:router (config)# interface
serial 0/1/0/0.1
Enters serial subinterface configuration mode.
Step 3 pvc dlci
Example:
RP/0/0RP0RSP0/CPU0:router (config-subif)# pvc
20
Enters subinterface configuration mode for the PVC.
Step 4 encap [cisco | ietf]
Example:
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# encap
ietf
(Optional) Configures the encapsulation for a Frame Relay
PVC.
Note If the encapsulation type is not configured explicitly
for a PVC, then that PVC inherits the encapsulation
type from the main serial interface.
Step 5 service-policy {input | output} policy-map
Example:
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)#
service-policy output policy1
Attaches a policy map to an input subinterface or output
subinterface. Once attached, the policy map is used as the
service policy for the subinterface.
Step 6 end
or
commit
Example:
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# end
or
RP/0/0RP0RSP0/CPU0:router(config-fr-vc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
What to Do Next
• To modify the default Frame Relay configuration on serial interfaces that have Frame Relay
encapsulation enabled, see the “Modifying the Default Frame Relay Configuration on an Interface”
section of the “Configuring Frame Relay on the Cisco ASR 9000 Series Router” module in this
manual.
Modifying the Keepalive Interval on Serial Interfaces
Perform this task to modify the keepalive interval on serial interfaces that have Cisco HDLC or PPP
encapsulation enabled.
Note When you enable Cisco HDLC or PPP encapsulation on a serial interface, the default keepalive interval
is 10 seconds. Use this procedure to modify that default keepalive interval.
Step 7 configure
interface serial interface-path-id.subinterface
pvc dlci
encap [cisco | ietf]
commit
Example:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router (config)# interface
serial 0/1/0/1.1
RP/0/0RP0RSP0/CPU0:router (config-subif)# pvc
20
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# encap
cisco
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)#
commit
Repeat Step 1 through Step 6 to bring up the serial
subinterface and any associated PVC at the other end of the
connection.
Note The configuration on both ends of the subinterface
connection must match.
Step 8 show frame-relay pvc dlci-number
Example:
RP/0/0RP0RSP0/CPU0:router# show frame-relay pvc
20
(Optional) Verifies the configuration of specified serial
interface.
Step 9 show policy-map interface serial
interface-path-id.subinterface {input | output}
or
show policy-map type qos interface serial
interface-path-id.subinterface {input | output}
Example:
RP/0/0RP0RSP0/CPU0:router# show policy-map
interface serial 0/1/0/0.1 output
or
RP/0/0RP0RSP0/CPU0:router# show policy-map type
qos interface serial 0/1/0/0.1 output
(Optional) Displays the statistics and the configurations of
the input and output policies that are attached to a
subinterface.
Note Cisco HDLC is enabled by default on serial interfaces.
Prerequisites
Before modifying the keepalive timer configuration, ensure that Cisco HDLC or PPP encapsulation is
enabled on the interface. Use the encapsulation command to enable Cisco HDLC or PPP encapsulation
on the interface, as described in the “Configuring Optional Serial Interface Parameters” section on
page 518.
Restrictions
Is there a comparable recommendation for ASR9k with keepalives for MDR upgrade? XR12k
recommends disabling keepalives and CRS recommends setting interval to greater than or equal
to 10 sec.
• Before performing a Minimal Disruptive Restart (MDR) upgrade, we recommend disabling
keepalives on a Cisco XR 12000 Series Router.
• Before performing a Minimal Disruptive Restart (MDR) upgrade, we recommend configuring a
keepalive interval of 10 seconds or more on a Cisco CRS-1 Router.
SUMMARY STEPS
1. configure
2. interface serial interface-path-id
3. keepalive {seconds | disable}
or
no keepalive
4. end
or
commit
5. show interfaces serial interface-path-id
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/0RP0RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface serial interface-path-id
Example:
RP/0/0RP0RSP0/CPU0:router(config)# interface
serial 0/1/0/0
Specifies the serial interface name and notation
rack/slot/module/port and enters interface configuration
mode.
How to Configure a Layer 2 Attachment Circuit
The Layer 2 AC configuration tasks are described in the following procedures:
• Creating a Serial Layer 2 Subinterface with a PVC
• Configuring Optional Serial Layer 2 PVC Parameters
Step 3 keepalive {seconds | disable}
or
no keepalive
Example:
RP/0/0RP0RSP0/CPU0:router(config-if)# keepalive
3
or
RP/0/0RP0RSP0/CPU0:router(config-if)# no
keepalive
Specifies the number of seconds between keepalive
messages.
• Use the keepalive disable command, the no keepalive
command, or the keepalive command with an argument of 0
to disable the keepalive feature.
• The range is from 1 to 30 seconds. The default is 10
seconds.
• If keepalives are configured on an interface, use the no
keepalive command to disable the keepalive feature
before configuring Frame Relay encapsulation on that
interface.
Step 4 end
or
commit
Example:
RP/0/0RP0RSP0/CPU0:router(config-if)# end
or
RP/0/0RP0RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show interfaces serial interface-path-id
Example:
RP/0/0RP0RSP0/CPU0:router# show interfaces
serial 0/1/0/0
(Optional) Verifies the interface configuration.
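The restriction repeated in these procedures is that the configuration on both ends of a serial connection must match: the addresses in one subnet (Bringing Up a Serial Interface), the DLCI and PVC encapsulation (Creating a Point-to-Point Serial Subinterface with a PVC, Configuring Optional PVC Parameters), and, in this section, keepalives disabled before Frame Relay encapsulation is configured. The following Python script is an added example, not code from this guide or from Cisco: it parses the commands as they are typed in this chapter for each end of a link and reports any of those checks that fail. ROUTER_A and ROUTER_B are constructed from the command examples in the subinterface-with-PVC steps, not output captured from a router. The defaults assumed for an unconfigured interface, the pairing of subinterfaces by their .N suffix, and the mapping used for inherited PVC encapsulation are assumptions of this example, not statements from the guide.

```python
import ipaddress
import re

# Constructed sample input (not router output): both ends of one Frame Relay link, typed as in this chapter.
ROUTER_A = """
interface serial 0/1/0/0
 encapsulation frame-relay
 no keepalive
 no shutdown
interface serial 0/1/0/0.1 point-to-point
 ipv4 address 10.46.8.6/24
 pvc 20
  encap ietf
"""
ROUTER_B = """
interface serial 0/1/0/1
 encapsulation frame-relay
 keepalive disable
 no shutdown
interface serial 0/1/0/1.1 point-to-point
 ipv4 address 10.46.8.5 255.255.255.0
 pvc 20
  encap ietf
"""
DLCI_RANGE = range(16, 1008)    # pvc dlci: 16 to 1007, per this chapter
KEEPALIVE_RANGE = range(0, 31)  # keepalive: 1 to 30 seconds, 0 disables it


def parse_serial_config(text):
    """Turn CLI-style serial interface commands into a dict keyed by interface path."""
    ifaces, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip() not in ("", "!")):
        m = re.match(r"interface serial (\S+)(?: (point-to-point|l2transport))?$", line)
        if m:  # assumed defaults: main interface shut down until 'no shutdown'; hdlc and CRC 16 per chapter
            cur = ifaces[m.group(1)] = {
                "mode": m.group(2) or "main", "shutdown": m.group(2) is None, "keepalive": None,
                "encapsulation": "hdlc", "crc": 16, "ipv4": None, "dlci": None, "pvc_encap": None}
            continue
        t = line.split()
        if t[-1] == "shutdown":
            cur["shutdown"] = t[0] != "no"
        elif t[:2] == ["ipv4", "address"]:  # accepts 'a.b.c.d m.m.m.m' and 'a.b.c.d/p'
            cur["ipv4"] = ipaddress.ip_interface(t[2] if "/" in t[2] else t[2] + "/" + t[3])
        elif t[0] == "encapsulation":
            cur["encapsulation"] = " ".join(t[1:]).lower()
        elif "keepalive" in t[:2]:  # 'keepalive N', 'keepalive disable' or 'no keepalive'
            cur["keepalive"] = 0 if t[0] == "no" or t[1] == "disable" else int(t[1])
        elif t[0] in ("crc", "pvc"):
            cur["crc" if t[0] == "crc" else "dlci"] = int(t[1])
        elif t[0] == "encap":
            cur["pvc_encap"] = t[1].lower()
        elif t[0] not in ("serial", "invert", "scramble", "transmit-delay", "service-policy"):
            raise ValueError("unrecognised command: " + line)
    return ifaces


def parameter_findings(name, i):
    # Single-end checks drawn from the ranges and notes in this chapter.
    checks = [
        (i["dlci"] is not None and i["dlci"] not in DLCI_RANGE, f"DLCI {i['dlci']} outside 16-1007"),
        (i["keepalive"] is not None and i["keepalive"] not in KEEPALIVE_RANGE,
         f"keepalive {i['keepalive']} outside 1-30"),
        (i["mode"] == "l2transport" and i["ipv4"] is not None,
         "ipv4 address is not permitted on an l2transport subinterface"),
        (i["encapsulation"].startswith("frame-relay") and bool(i["keepalive"]),
         "disable keepalives before configuring Frame Relay encapsulation"),
    ]
    return [f"{name}: {msg}" for bad, msg in checks if bad]


def pvc_encap(sub, main):
    # An unset PVC encap inherits from the main interface; 'frame-relay ietf' -> ietf, else cisco (assumed).
    return sub["pvc_encap"] or ("ietf" if "ietf" in main["encapsulation"] else "cisco")


def check_link(cfg_a, ma, cfg_b, mb):
    """Compare the main interfaces ma and mb, then their subinterfaces paired by .N suffix."""
    pairs = [(ma, mb)] + [(n, mb + n[len(ma):]) for n in cfg_a if n.startswith(ma + ".")]
    findings = []
    for na, nb in pairs:
        if nb not in cfg_b:
            findings.append(f"{na} has no counterpart {nb}")
            continue
        x, y = cfg_a[na], cfg_b[nb]
        findings += parameter_findings(na, x) + parameter_findings(nb, y)
        if x["shutdown"] or y["shutdown"]:
            findings.append(f"{na} / {nb}: still shut down on at least one end")
        for k in ("encapsulation", "crc", "dlci"):
            if x[k] != y[k]:
                findings.append(f"{na} / {nb}: {k} mismatch: {x[k]} vs {y[k]}")
        if x["dlci"] is not None and pvc_encap(x, cfg_a[ma]) != pvc_encap(y, cfg_b[mb]):
            findings.append(f"{na} / {nb}: PVC encapsulation mismatch")
        if None not in (x["ipv4"], y["ipv4"]) and x["ipv4"].network != y["ipv4"].network:
            findings.append(f"{na} / {nb}: addresses not in one subnet: {x['ipv4']} vs {y['ipv4']}")
    return findings


def run_example():
    return check_link(parse_serial_config(ROUTER_A), "0/1/0/0", parse_serial_config(ROUTER_B), "0/1/0/1")
```

Run check_link on both ends before the commit step; an empty result means the two ends agree on every check the chapter calls out. Commands the example does not model (serial submode entry, invert, scramble, transmit-delay, service-policy) are accepted and skipped, and any other command raises so that a mistyped line is not silently ignored.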
Note After you configure an interface for Layer 2 switching, no routing commands such as ipv4 address are
permissible. If any routing commands are configured on the interface, then the l2transport command is
rejected.
Creating a Serial Layer 2 Subinterface with a PVC
The procedure in this section creates a Layer 2 subinterface with a PVC.
Prerequisites
Before you can create a subinterface on a serial interface, you must bring up a serial interface, as
described in the “Bringing Up a Serial Interface” section on page 514.
Restrictions
Only one PVC can be configured for each serial subinterface.
SUMMARY STEPS
1. configure
2. interface serial interface-path-id.subinterface l2transport
3. pvc vpi/vci
4. end
or
commit
5. Repeat Step 1 through Step 4 to bring up the serial subinterface and any associated PVC at the other
end of the AC.
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/0RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface serial interface-path-id.subinterface
l2transport
Example:
RP/0/0RP0/CPU0:router(config)# interface serial
0/1/0/0.1 l2transport
Creates a subinterface and enters serial subinterface
configuration mode for that subinterface.
What to Do Next
• To configure optional PVC parameters, see the “Configuring Optional Serial Layer 2 PVC
Parameters” section on page 531.
• For detailed information about configuring L2TPv3 in your network, see the “Implementing Layer
2 Tunnel Protocol Version 3” module of the Cisco IOS XR Virtual Private Network Configuration
Guide for the Cisco CRS Router. For detailed information about configuring L2VPNs, see the
“Implementing MPLS Layer 2 VPNs” module of the Cisco IOS XR Virtual Private Network
Configuration Guide for the Cisco CRS Router.
• For detailed information about configuring L2TPv3 in your network, see the “Implementing Layer
2 Tunnel Protocol Version 3 on Cisco IOS XR Software” module of the Cisco IOS XR Virtual Private
Network Configuration Guide for the Cisco XR 12000 Series Router. For detailed information about
configuring L2VPNs, see the “Implementing MPLS Layer 2 VPNs on Cisco IOS XR Software”
module of the Cisco IOS XR Virtual Private Network Configuration Guide for the Cisco XR 12000
Series Router.
Step 3 pvc vpi/vci
Example:
RP/0/0RP0/CPU0:router(config-if)# pvc 5/20
Creates a serial permanent virtual circuit (PVC) and enters
serial Layer 2 transport PVC configuration mode.
Note Only one PVC is allowed per subinterface.
Step 4 end
or
commit
Example:
RP/0/0RP0/CPU0:router(config-fr-vc)# end
or
RP/0/0RP0/CPU0:router(config-fr-vc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 Repeat Step 1 through Step 4 to bring up the serial
subinterface and any associated PVC at the other end
of the AC.
Brings up the AC.
Note The configuration on both ends of the AC must
match.
Configuring Optional Serial Layer 2 PVC Parameters
This task describes the commands you can use to modify the default configuration on a serial Layer 2
PVC.
Prerequisites
Before you can modify the default PVC configuration, you must create the PVC on a Layer 2
subinterface, as described in the “Creating a Serial Layer 2 Subinterface with a PVC” section on
page 529.
Restrictions
The configuration on both ends of the PVC must match for the connection to be active.
SUMMARY STEPS
1. configure
2. interface serial interface-path-id.subinterface l2transport
3. pvc dlci
4. encap [cisco | ietf]
5. service-policy {input | output} policy-map
6. fragment end-to-end fragment-size
7. fragment-counter
8. end
or
commit
9. Repeat Step 1 through Step 7 to configure the PVC at the other end of the AC.
10. show policy-map interface serial interface-path-id.subinterface {input | output}
or
show policy-map type qos interface serial interface-path-id.subinterface {input | output}
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/0RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface serial interface-path-id.subinterface
l2transport
Example:
RP/0/0RP0/CPU0:router(config)# interface serial
0/1/0/0.1 l2transport
Enters serial subinterface configuration mode for a Layer 2
serial subinterface.
Step 3 pvc dlci
Example:
RP/0/0RP0/CPU0:router(config-if)# pvc 100
Enters serial Frame Relay PVC configuration mode for the
specified PVC.
Step 4 encap {cisco | ietf}
Example:
RP/0/0RP0/CPU0:router(config-fr-vc)# encap
ietf
Configures the encapsulation for a Frame Relay PVC.
Step 5 service-policy {input | output} policy-map
Example:
RP/0/0RP0/CPU0:router (config-subif)#
service-policy output policy1
Attaches a policy map to an input subinterface or output
subinterface. Once attached, the policy map is used as the
service policy for the subinterface.
Step 6 fragment end-to-end fragment-size
Example:
RP/0/0/CPU0:router(config-fr-vc)# fragment
end-to-end 100
Enables fragmentation of Frame Relay frames on an
interface.
Replace fragment-size with the number of payload bytes
from the original Frame Relay frame that will go into each
fragment. This number excludes the Frame Relay header of
the original frame.
On the Cisco 8-Port Channelized T1/E1 SPA, valid values
are 128, 256, and 512.
Step 7 fragment-counter
Example:
RP/0/0/CPU0:router(config-fr-vc)#
fragment-counter
Enables fragmentation counters for a Frame Relay
subinterface and PVC.
Step 8 end
or
commit
Example:
RP/0/0RP0/CPU0:router(config-serial-l2transport-pvc)# end
or
RP/0/0RP0/CPU0:router(config-serial-l2transport-pvc)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain within
the configuration session.
What to Do Next
• To configure a point-to-point pseudowire XConnect on the AC you just created, see the
“Implementing Layer 2 Tunnel Protocol Version 3” module of the Cisco IOS XR Virtual Private
Network Configuration Guide for the Cisco CRS Router.
• To configure an L2VPN, see the “Implementing MPLS Layer 2 VPNs” module of the Cisco IOS XR
Virtual Private Network Configuration Guide for the Cisco CRS Router.
• To configure a point-to-point pseudowire XConnect on the AC you just created, see the
“Implementing Layer 2 Tunnel Protocol Version 3 on Cisco IOS XR Software” module of the Cisco
IOS XR Virtual Private Network Configuration Guide for the Cisco XR 12000 Series Router.
• To configure an L2VPN, see the “Implementing MPLS Layer 2 VPNs on Cisco IOS XR Software”
module of the Cisco IOS XR Virtual Private Network Configuration Guide for the Cisco XR 12000
Series Router.
Configuring IPHC
This section contains the following step procedures:
• Prerequisites for Configuring IPHC, page 533
• Configuring the IPHC Slot Level Command, page 534
• Configuring an IPHC Profile, page 536
• Configuring an IPHC Profile, page 538
• Enabling an IPHC Profile on an Interface, page 541
Prerequisites for Configuring IPHC
IP header compression (IPHC) is supported on the following cards:
• Cisco 1-Port Channelized OC-12/STM-4
Step 9 Repeat Step 1 through Step 7 to configure the PVC at
the other end of the AC.
Brings up the AC.
Note The configuration on both ends of the connection
must match.
Step 10 show policy-map interface serial
interface-path-id.subinterface {input | output}
or
show policy-map type qos interface serial
interface-path-id.subinterface {input | output}
Example:
RP/0/0RP0/CPU0:router# show policy-map
interface serial 0/1/0/0.1 output
or
RP/0/0RP0/CPU0:router# show policy-map type qos
interface serial 0/1/0/0.1 output
(Optional) Displays the statistics and the configurations of
the input and output policies that are attached to a
subinterface.
Command or Action PurposeConfiguring Serial Interfaces on the Cisco ASR 9000 Series Router
How to Configure Serial Interfaces
534
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
• Cisco 1-Port Channelized OC-48/STM-16
• Cisco 1-Port Channelized STM-1/OC-3
• Cisco 8-Port Channelized T1/E1 SPA
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
• Cisco 2-Port and 4-Port Channelized T3 SPA
• Cisco Multirate 10G IP Services Engines SIPs
– Cisco 12000-SIP-600
– Cisco 12000-SIP-401
– Cisco 12000-SIP-501
– Cisco 12000-SIP-601
• SIP 700 SPA Interface Processor
• Cisco 2-Port Channelized OC-12c/DS0 SPA
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 4-Port Channelized T3/DS0 SPA
• Cisco 8-Port Channelized T1/E1 SPA
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
Configuring the IPHC Slot Level Command
This section describes how to configure the IP header compression (IPHC) slot level command, which
reserves the IPHC resources, enables IPHC on the line card, and defines the maximum number of TCP
and non-TCP connections for the nodes. This configuration must be done before an IPHC profile can be
created.
Note IPHC slot level configuration is required on both peer routers.
SUMMARY STEPS
To configure the IP header compression (IPHC) slot level, perform the following steps.
1. config
2. iphc tcp connections max-number location node-id
3. iphc non-tcp connections max-number location node-id
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/0/CPU0:router# configure
Enters global configuration mode.
Step 2 iphc tcp connections max-number location node-id
Example:
RP/0/0/CPU0:router(config)# iphc tcp connections
2000 location 0/1/cpu0
Sets the maximum number of TCP connections that
may be configured for IPHC on a line card.
The range is 1 to 2000.
Step 3 iphc non-tcp connections max-number location
node-id
Example:
RP/0/0/CPU0:router(config)# iphc non-tcp
connections 20000 location 0/1/cpu0
Sets the maximum number of non-TCP connections
that may be configured for IPHC on a line card.
The range is 1 to 20000.
Step 4 end
or
commit
Example:
RP/0/0/CPU0:router(config-if)# end
or
RP/0/0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the router
to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the
current configuration session without exiting
or committing the configuration changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Configuring an IPHC Profile
This section describes how to create and configure an IP header compression (IPHC) profile. This
procedure is for TCP and non-TCP compression.
SUMMARY STEPS
To configure an IP header compression (IPHC) profile, perform the following steps.
1. configure
2. iphc profile profile-name type {ietf | iphc}
3. tcp compression
4. tcp context absolute number-of-contexts
5. non-tcp compression
6. non-tcp context absolute number-of-contexts
7. rtp
8. refresh max-period {max-number | infinite}
9. refresh rtp
10. feedback disable
11. max-header number-of-bytes
12. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/0/CPU0:router# configure
Enters global configuration mode.
Step 2 iphc profile profile-name type {ietf | iphc}
Example:
RP/0/0/CPU0:router(config)# iphc profile Profile_1
type iphc
Creates an IPHC profile, sets the compression format type, and enters the IPHC profile configuration mode.
Step 3 tcp compression
Example:
RP/0/0/CPU0:router(config-iphc-profile)# tcp compression
Enables TCP compression in an IPHC profile.
Step 4 tcp context absolute number-of-contexts
Example:
RP/0/0/CPU0:router(config-iphc-profile)# tcp
context absolute 255
Configures the maximum number of TCP contexts that
are allowed for IPHC on a line card.
Step 5 non-tcp compression
Example:
RP/0/0/CPU0:router(config-iphc-profile)# non-tcp
compression
Enables non-TCP compression in an IPHC profile.
Step 6 non-tcp context absolute number-of-contexts
Example:
RP/0/0/CPU0:router(config-iphc-profile)# non-tcp
context absolute 255
Configures the maximum number of non-TCP contexts
that are allowed for IPHC on a line card.
Step 7 rtp
Example:
RP/0/0/CPU0:router(config-iphc-profile)# rtp
Configures Real Time Protocol (RTP) on the interface.
Step 8 refresh max-period {max-number | infinite}
Example:
RP/0/0/CPU0:router(config-iphc-profile)# refresh
max-period 50
Configures the maximum number of compressed IP
header packets that are exchanged on a link before the
IPHC context is refreshed.
Step 9 refresh rtp
Example:
RP/0/0/CPU0:router(config-iphc-profile)# refresh
rtp
Enables the configured context refresh settings for
RTP packets.
Step 10 feedback disable
Example:
RP/0/0/CPU0:router(config-iphc-profile)# feedback
disable
Disables the IPHC context status feedback messages
on an interface.
Step 11 max-header number-of-bytes
Example:
RP/0/0/CPU0:router(config-iphc-profile)# max-header 20
Configures the maximum size (in bytes) of a compressed IP header.
Step 12 end
or
commit
Example:
RP/0/0/CPU0:router(config-if)# end
or
RP/0/0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring an IPHC Profile
This section describes how to create and configure an IP header compression (IPHC) profile. This procedure is for TCP and non-TCP compression.
SUMMARY STEPS
To configure an IP header compression (IPHC) profile, perform the following steps.
1. configure
2. iphc profile profile-name type {cisco | ietf | iphc}
3. tcp compression
4. tcp context absolute number-of-contexts
5. non-tcp compression
6. non-tcp context absolute number-of-contexts
7. rtp
8. refresh max-period {max-number | infinite}
9. refresh max-time {max-time | infinite}
10. refresh rtp
11. feedback disable
12. max-header number-of-bytes
13. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 iphc profile profile-name type {cisco | ietf |
iphc}
Example:
RP/0/RSP0/CPU0:router(config)# iphc profile
Profile_1 type iphc
Creates an IPHC profile, sets the compression format
type, and enters the IPHC profile configuration mode.
Step 3 tcp compression
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# tcp
compression
Enables TCP compression in an IPHC profile.
Step 4 tcp context absolute number-of-contexts
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# tcp
context absolute 255
Configures the maximum number of TCP contexts that
are allowed for IPHC on a line card.
Step 5 non-tcp compression
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# non-tcp
compression
Enables non-TCP compression in an IPHC profile.
Step 6 non-tcp context absolute number-of-contexts
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# non-tcp
context absolute 255
Configures the maximum number of non-TCP contexts
that are allowed for IPHC on a line card.
Step 7 rtp
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# rtp
Configures Real Time Protocol (RTP) on the interface.
Step 8 refresh max-period {max-number | infinite}
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# refresh
max-period 50
Configures the maximum number of compressed IP
header packets that are exchanged on a link before the
IPHC context is refreshed.
Step 9 refresh max-time {max-time | infinite}
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# refresh
max-time 10
Configures the maximum time between context
refreshes.
Step 10 refresh rtp
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)# refresh
rtp
Enables the configured context refresh settings for
RTP packets.
Step 11 feedback disable
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)#
feedback disable
Disables the IPHC context status feedback messages
on an interface.
Step 12 max-header number-of-bytes
Example:
RP/0/RSP0/CPU0:router(config-iphc-profile)#
max-header 20
Configures the maximum size (in bytes) of a
compressed IP header.
Step 13 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the router
to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the
current configuration session without exiting
or committing the configuration changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Enabling an IPHC Profile on an Interface
This section describes how to enable an IP header compression (IPHC) profile on an interface by
attaching the profile directly to the interface.
SUMMARY STEPS
To enable an IPHC profile on an interface, perform the following steps.
1. config
2. interface type interface-path-id
3. encapsulation ppp
4. ipv4 iphc profile profile-name [mode service-policy]
5. service policy input | output | type service-policy-name
6. commit
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/0RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/0RSP0/CPU0:router(config)# interface serial
0/1/0/1
Specifies the interface.
Note Use the show interfaces command to see a list
of all interfaces currently configured on the
router.
For more information about the syntax for the router,
use the question mark (?) online help function.
Step 3 encapsulation {hdlc | ppp | frame-relay | mfr}
Example:
RP/0/0RSP0/CPU0:router(config-if)# encapsulation
ppp
Specifies Layer 2 encapsulation for the interface.
Step 4 ipv4 iphc profile profile-name [mode
service-policy]
Example:
RP/0/0RSP0/CPU0:router(config-if)# ipv4 iphc
profile Profile_1
or
RP/0/0RSP0/CPU0:router(config-if)# ipv4 iphc
profile Profile_1 mode service-policy
Attaches an IPHC profile to the interface:
• profile-name—Text name of the IPHC profile to
attach to the interface.
• mode service-policy—Specifies that the IPHC
profile applies only to a QoS service policy.
Step 5 service policy output service-policy-name
Example:
RP/0/0RSP0/CPU0:router(config-if)# service policy input | output | type service-policy-name
(Optional) Specifies the name of the QoS service policy to which the IPHC profile applies. Only output service policies are allowed.
Used only when mode service-policy is specified in Step 4.
Step 6 end
or
commit
Example:
RP/0/0RSP0/CPU0:router(config-if)# end
or
RP/0/0RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuration Examples for Serial Interfaces
This section provides the following configuration examples:
• Bringing Up and Configuring a Serial Interface with Cisco HDLC Encapsulation: Example, page 542
• Configuring a Serial Interface with Frame Relay Encapsulation: Example, page 543
• Configuring a Serial Interface with PPP Encapsulation: Example, page 545
• IPHC Configuration: Examples, page 545
Bringing Up and Configuring a Serial Interface with Cisco HDLC Encapsulation: Example
The following example shows how to bring up a basic serial interface with Cisco HDLC encapsulation:
RP/0/0RP0RSP0/CPU0:Router#config
RP/0/0RP0RSP0/CPU0:Router(config)# interface serial 0/3/0/0/0:0
RP/0/0RP0RSP0/CPU0:Router(config-if)# ipv4 address 192.0.2.2 255.255.255.252
RP/0/0RP0RSP0/CPU0:Router(config-if)# no shutdown
RP/0/0RP0RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
The following example shows how to configure the interval between keepalive messages to be 10
seconds:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/3/0/0/0:0
RP/0/0RP0RSP0/CPU0:router(config-if)# keepalive 10
RP/0/0RP0RSP0/CPU0:router(config-if)# commit
The following example shows how to modify the optional serial interface parameters:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/3/0/0/0:0
RP/0/0RP0RSP0/CPU0:Router(config-if)# serial
RP/0/0RP0RSP0/CPU0:Router(config-if-serial)# crc 16
RP/0/0RP0RSP0/CPU0:Router(config-if-serial)# invert
RP/0/0RP0RSP0/CPU0:Router(config-if-serial)# scramble
RP/0/0RP0RSP0/CPU0:Router(config-if-serial)# transmit-delay 3
RP/0/0RP0RSP0/CPU0:Router(config-if-serial)# commit
The following is sample output from the show interfaces serial command:
RP/0/0RP0RSP0/CPU0:Router# show interfaces serial 0/0/3/0/5:23
Serial0/0/3/0/5:23 is down, line protocol is down
Hardware is Serial network interface(s)
Internet address is Unknown
MTU 1504 bytes, BW 64 Kbit
reliability 143/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set, keepalive set (10 sec)
Last clearing of "show interface" counters 18:11:15
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2764 packets input, 2816 bytes, 3046 total input drops
0 drops for unrecognized upper-level protocol
Received 0 broadcast packets, 0 multicast packets
0 runts, 0 giants, 0 throttles, 0 parity
3046 input errors, 1 CRC, 0 frame, 0 overrun, 2764 ignored, 281 abort
2764 packets output, 60804 bytes, 0 total output drops
Output 0 broadcast packets, 0 multicast packets
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
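A parser for the output format shown above, added here as an example and not taken from the guide: it reads the fields an operator checks first into a dictionary and flags conditions worth acting on (line protocol down, loopback set, no keepalive on an HDLC or PPP link, reduced reliability, a high input-error ratio). Both samples in the block are constructed in the guide's format, and the 1% error threshold is an assumed default.

```python
import re

# Constructed sample in the format the guide shows for 'show interfaces serial'
# (an HDLC link with keepalives; counters chosen to exercise the checks).
HDLC_SAMPLE = """\
Serial0/0/3/0/5:23 is down, line protocol is down
Hardware is Serial network interface(s)
Internet address is Unknown
MTU 1504 bytes, BW 64 Kbit
reliability 143/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set, keepalive set (10 sec)
Last clearing of "show interface" counters 18:11:15
2764 packets input, 2816 bytes, 3046 total input drops
0 runts, 0 giants, 0 throttles, 0 parity
3046 input errors, 1 CRC, 0 frame, 0 overrun, 2764 ignored, 281 abort
2764 packets output, 60804 bytes, 0 total output drops
0 output errors, 0 underruns, 0 applique, 0 resets
0 carrier transitions
"""

# Constructed sample of a healthy Frame Relay link. There is no keepalive line:
# LMI provides the liveness check for this encapsulation.
FR_SAMPLE = """\
Serial0/1/0/0 is up, line protocol is up
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation FRAME-RELAY, crc 16,
LMI enq recvd 880, LMI stat sent 880, LMI upd sent 0 , DCE LMI up
858 packets input, 11154 bytes, 0 total input drops
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
858 packets output, 12226 bytes, 0 total output drops
"""


def _int(pattern, text):
    """Return the integer captured by pattern, or None when the line is absent."""
    m = re.search(pattern, text, re.M)
    return int(m.group(1)) if m else None


def parse_show_interfaces_serial(text):
    """Extract the fields an operator checks first from 'show interfaces serial' output."""
    m = re.search(r"^(Serial\S+) is (\w+), line protocol is (\w+)", text, re.M)
    if not m:
        raise ValueError("not 'show interfaces serial' output")
    enc = re.search(r"^Encapsulation ([^,]+),", text, re.M)
    return {
        "name": m.group(1),
        "state": m.group(2),
        "protocol": m.group(3),
        "encapsulation": enc.group(1) if enc else None,
        "crc": _int(r"\bcrc (\d+)", text),                      # CRC size, not errors
        "loopback": bool(re.search(r"loopback set", text)),
        "keepalive_sec": _int(r"keepalive set \((\d+) sec\)", text),
        "reliability": _int(r"reliability (\d+)/255", text),
        "packets_input": _int(r"^(\d+) packets input", text),
        "input_errors": _int(r"^(\d+) input errors", text),
        "crc_errors": _int(r"input errors, (\d+) CRC", text),
        "aborts": _int(r"(\d+) abort$", text),
        "carrier_transitions": _int(r"^(\d+) carrier transitions", text),
    }


def link_health_findings(info, max_error_ratio=0.01):
    """Return (code, message) pairs for conditions worth an operator's attention."""
    findings = []
    name = info["name"]
    if info["protocol"] != "up":
        findings.append(("PROTOCOL_DOWN", f"{name}: line protocol is {info['protocol']}"))
    if info["loopback"]:
        findings.append(("LOOPBACK_SET", f"{name}: loopback is set, traffic does not reach the peer"))
    # HDLC and PPP rely on keepalives to detect a dead peer; Frame Relay uses LMI instead.
    if info["encapsulation"] in ("HDLC", "PPP") and info["keepalive_sec"] is None:
        findings.append(("KEEPALIVE_UNSET", f"{name}: no keepalive on {info['encapsulation']} link"))
    if info["reliability"] is not None and info["reliability"] < 255:
        findings.append(("LOW_RELIABILITY", f"{name}: reliability {info['reliability']}/255"))
    received = (info["packets_input"] or 0) + (info["input_errors"] or 0)
    if received and (info["input_errors"] or 0) / received > max_error_ratio:
        findings.append(("HIGH_INPUT_ERRORS",
                         f"{name}: {info['input_errors']} input errors "
                         f"({info['crc_errors']} CRC, {info['aborts']} abort) over {received} frames"))
    return findings


if __name__ == "__main__":
    for sample in (HDLC_SAMPLE, FR_SAMPLE):
        for code, message in link_health_findings(parse_show_interfaces_serial(sample)):
            print(code, message)
```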
Configuring a Serial Interface with Frame Relay Encapsulation: Example
The following example shows how to create a serial interface on a SPA with Frame Relay encapsulation
and a serial subinterface with a PVC on router 1:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/1/0/0
RP/0/0RP0RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/0RP0RSP0/CPU0:router(config-if)#frame-relay intf-type dce
RP/0/0RP0RSP0/CPU0:router(config-if)# no shutdown
RP/0/0RP0RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/1/0/0.1 point-to-point
RP/0/0RP0RSP0/CPU0:router (config-subif)#ipv4 address 10.20.3.1/24
RP/0/0RP0RSP0/CPU0:router (config-subif)# pvc 16
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# encapsulation ietf
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# commit
RP/0/0RP0RSP0/CPU0:router(config-fr-vc)# exit
RP/0/0RP0RSP0/CPU0:router(config-subif)# exit
RP/0/0RP0RSP0/CPU0:router(config)# exit
RP/0/0RP0RSP0/CPU0:router# show interface serial 0/1/0/0
Wed Oct 8 04:14:39.946 PST DST
Serial0/1/0/0 is up, line protocol is up
Interface state transitions: 5
Hardware is Serial network interface(s)
Internet address is 10.20.3.1/24
MTU 4474 bytes, BW 44210 Kbit
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation FRAME-RELAY, crc 16,
Scrambling is disabled, Invert data is disabled
LMI enq sent 0, LMI stat recvd 0, LMI upd recvd 0
LMI enq recvd 880, LMI stat sent 880, LMI upd sent 0 , DCE LMI up
LMI DLCI 1023 LMI type is CISCO frame relay DCE
Last clearing of "show interface" counters 02:23:04
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
858 packets input, 11154 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 0 runts, 0 giants, 0 throttles, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
858 packets output, 12226 bytes, 0 total output drops
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out
The following example shows how to create a serial interface on a SPA with Frame Relay encapsulation
and a serial subinterface with a PVC on router 2, which is connected to router 1:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/1/0/1
RP/0/0RP0RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/0RP0RSP0/CPU0:router(config-if)# no shutdown
RP/0/0RP0RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/1/0/1.1 point-to-point
RP/0/0RP0RSP0/CPU0:router (config-subif)#ipv4 address 10.20.3.2/24
RP/0/0RP0RSP0/CPU0:router (config-subif)# pvc 16
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# encapsulation ietf
RP/0/0RP0RSP0/CPU0:router (config-fr-vc)# commit
RP/0/0RP0RSP0/CPU0:router(config-fr-vc)# exit
RP/0/0RP0RSP0/CPU0:router(config-subif)# exit
RP/0/0RP0RSP0/CPU0:router(config)# exit
RP/0/0RP0RSP0/CPU0:router# show interface serial 0/1/0/1
Wed Oct 8 04:13:45.046 PST DST
Serial0/1/0/1 is up, line protocol is up
Interface state transitions: 7
Hardware is Serial network interface(s)
Internet address is Unknown
MTU 4474 bytes, BW 44210 Kbit
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation FRAME-RELAY, crc 16,
Scrambling is disabled, Invert data is disabled
LMI enq sent 1110, LMI stat recvd 875, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
Last clearing of "show interface" counters 02:22:09
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
853 packets input, 12153 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 0 runts, 0 giants, 0 throttles, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
853 packets output, 11089 bytes, 0 total output drops
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out
Configuring a Serial Interface with PPP Encapsulation: Example
The following example shows how to create and configure a serial interface with PPP encapsulation:
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/3/0/0/0:0
RP/0/0RP0RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38 255.255.255.224
RP/0/0RP0RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/0RP0RSP0/CPU0:router(config-if)# no shutdown
RP/0/0RP0RSP0/CPU0:router(config-if)# ppp authentication chap MIS-access
RP/0/0RP0RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
The following example shows how to configure serial interface 0/3/0/0/0:0 to allow two additional retries
after an initial authentication failure (for a total of three failed authentication attempts):
RP/0/0RP0RSP0/CPU0:router# configure
RP/0/0RP0RSP0/CPU0:router(config)# interface serial 0/3/0/0/0:0
RP/0/0RP0RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/0RP0RSP0/CPU0:router(config-if)# ppp authentication chap
RP/0/0RP0RSP0/CPU0:router(config-if)# ppp max-bad-auth 3
RP/0/0RP0RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
IPHC Configuration: Examples
This section provides the following examples:
• IPHC Profile Configuration: Example, page 546
• IPHC on a Serial Interface Configuration: Examples, page 546
• IPHC on Multilink Configuration: Example, page 546
• IPHC on a Serial Interface with MLPPP/LFI and QoS Configuration: Example, page 547
IPHC Profile Configuration: Example
The following example shows how to configure an IPHC Profile:
config
iphc tcp connections 6000 location 0/2/1
iphc non-tcp connections 6000 location 0/2/1
iphc profile Profile_1 type iphc
tcp compression
tcp context absolute 255
non-tcp compression
non-tcp context absolute 255
rtp
refresh max-period 50
refresh max-time 10
refresh rtp
feedback disable
max-header 20
commit
IPHC on a Serial Interface Configuration: Examples
Example 1
The following example shows how to enable an IP header compression (IPHC) profile on a serial
interface by attaching the profile directly to the interface:
config
interface serial 0/1/0/1
encapsulation ppp
ipv4 iphc profile Profile_1
commit
Example 2
The following example shows how to enable an IP header compression (IPHC) profile on an interface
by specifying a QoS service policy that contains an IPHC profile:
config
interface serial 0/1/0/1:1
encapsulation ppp
ipv4 iphc profile Profile_2 mode service-policy
service-policy output ip_header_compression_policy_map
commit
IPHC on Multilink Configuration: Example
The following example shows how to configure an IP header compression (IPHC) on a multilink
interface:
config
interface multilink 0/4/3/0/4
ipv4 address 10.10.10.10
encapsulation ppp
ipv4 iphc profile Profile_1
commit
interface serial 0/1/0/1:1
encapsulation ppp
multilink group 4
commit
IPHC on a Serial Interface with MLPPP/LFI and QoS Configuration: Example
The following example shows how to configure IP header compression (IPHC) on a serial interface with
LFI and by specifying a QoS service policy that contains an IPHC profile:
config
interface multilink 0/4/3/0/4
ipv4 address 10.10.10.10
multilink
fragment-size 128
interleave
ipv4 iphc profile Profile_2 mode service-policy
service-policy output SP_2
commit
interface serial 0/1/0/1:2
encapsulation ppp
multilink group 4
commit
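A configuration check for the "Enabling an IPHC Profile on an Interface" procedure and the IPHC examples above, added here as an example and not Cisco's code. It walks a flat command sequence in the form the examples use and reports the constraints the guide states: slot-level connection counts within the documented ranges (TCP 1 to 2000, non-TCP 1 to 20000), slot-level configuration before any profile, a defined profile on every interface that attaches one, and an output service policy (input is not allowed) when mode service-policy is used. The PPP authentication check is an assumed local policy, not a guide requirement, and the sample configuration is constructed.

```python
import re

TCP_CONNECTIONS_MAX = 2000        # 'iphc tcp connections' range stated in the guide
NON_TCP_CONNECTIONS_MAX = 20000   # 'iphc non-tcp connections' range stated in the guide

# Constructed config: Profile_1 is attached correctly; Profile_2 is attached in
# service-policy mode with only an input policy; serial 0/1/0/3 names a profile
# that is never defined; the non-TCP connection count exceeds the documented range.
SAMPLE_CONFIG = """\
iphc tcp connections 2000 location 0/2/1
iphc non-tcp connections 30000 location 0/2/1
iphc profile Profile_1 type iphc
tcp compression
tcp context absolute 255
non-tcp compression
refresh max-period 50
max-header 20
iphc profile Profile_2 type ietf
tcp compression
interface serial 0/1/0/1
encapsulation ppp
ppp authentication chap
ppp max-bad-auth 3
ipv4 iphc profile Profile_1
interface serial 0/1/0/2
encapsulation ppp
ipv4 iphc profile Profile_2 mode service-policy
service-policy input some_policy
interface serial 0/1/0/3
encapsulation ppp
ipv4 iphc profile Profile_9
commit
"""


def audit_iphc_config(text):
    """Return a list of (code, detail) findings for a flat IPHC/PPP command sequence."""
    findings = []
    slot_level_seen = False
    profiles = set()
    interfaces = []          # one dict per 'interface' stanza, in order
    current = None           # the interface stanza being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("config", "configure", "commit", "end", "exit"):
            continue
        m = re.match(r"iphc (tcp|non-tcp) connections (\d+) location (\S+)", line)
        if m:
            slot_level_seen = True
            kind, count = m.group(1), int(m.group(2))
            limit = TCP_CONNECTIONS_MAX if kind == "tcp" else NON_TCP_CONNECTIONS_MAX
            if not 1 <= count <= limit:
                findings.append(("CONNECTIONS_OUT_OF_RANGE",
                                 f"iphc {kind} connections {count} (range 1-{limit})"))
            continue
        m = re.match(r"iphc profile (\S+) type (cisco|ietf|iphc)", line)
        if m:
            # The guide requires the slot-level command before a profile is created.
            if not slot_level_seen:
                findings.append(("PROFILE_BEFORE_SLOT_LEVEL", m.group(1)))
            profiles.add(m.group(1))
            current = None   # profile sub-commands follow; they are not interface commands
            continue
        m = re.match(r"interface (\S+ \S+)", line)
        if m:
            current = {"name": m.group(1), "encap": None, "profile": None,
                       "sp_mode": False, "service_policies": [], "ppp": set()}
            interfaces.append(current)
            continue
        if current is None:
            continue         # profile sub-command or unrelated global command
        if line.startswith("encapsulation "):
            current["encap"] = line.split()[1]
        elif line.startswith("ipv4 iphc profile "):
            parts = line.split()
            current["profile"] = parts[3]
            current["sp_mode"] = "service-policy" in parts[4:]
        elif line.startswith("service-policy "):
            current["service_policies"].append(line.split()[1])   # 'input' or 'output'
        elif line.startswith("ppp "):
            current["ppp"].add(line.split()[1])
    for itf in interfaces:
        name = itf["name"]
        if itf["profile"] and itf["profile"] not in profiles:
            findings.append(("UNDEFINED_PROFILE", f"{name}: {itf['profile']}"))
        if itf["sp_mode"] and "output" not in itf["service_policies"]:
            findings.append(("NO_OUTPUT_SERVICE_POLICY", name))
        if itf["sp_mode"] and "input" in itf["service_policies"]:
            findings.append(("INPUT_SERVICE_POLICY_NOT_ALLOWED", name))
        # Assumed local policy: PPP links must authenticate the peer.
        if itf["encap"] == "ppp" and "authentication" not in itf["ppp"]:
            findings.append(("PPP_NO_AUTHENTICATION", name))
    return findings


if __name__ == "__main__":
    for code, detail in audit_iphc_config(SAMPLE_CONFIG):
        print(code, detail)
```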
Additional References
The following sections provide references related to T3/E3 and T1/E1 controllers and serial interfaces.
Related Documents
Related Topic: Document Title
Cisco IOS XR master command reference: Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands: Cisco IOS XR Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a router using Cisco IOS XR software: Cisco IOS XR Getting Started Guide
Cisco IOS XR AAA services configuration information: Cisco IOS XR System Security Configuration Guide and Cisco IOS XR System Security Command Reference
Information about configuring interfaces and other components on the Cisco CRS-1 Router from a remote Craft Works Interface (CWI) client management application: Cisco Craft Works Interface Configuration Guide
Standards
Standards: Title
FRF.1.2: PVC User-to-Network Interface (UNI) Implementation Agreement - July 2000
ANSI T1.617 Annex D: —
ITU Q.933 Annex A: —
MIBs
MIBs: MIBs Link
—: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu:
http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs: Title
RFC 1294: Multiprotocol Interconnect Over Frame Relay
RFC 1315: Management Information Base for Frame Relay DTEs
RFC 1490: Multiprotocol Interconnect Over Frame Relay
RFC 1586: Guidelines for Running OSPF Over Frame Relay Networks
RFC 1604: Definitions of Managed Objects for Frame Relay Service
RFC 2115: Management Information Base for Frame Relay DTEs Using SMIv2
RFC 2390: Inverse Address Resolution Protocol
RFC 2427: Multiprotocol Interconnect Over Frame Relay
RFC 2954: Definitions of Managed Objects for Frame Relay Service
Technical Assistance
Description: Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
http://www.cisco.com/techsupport
HC-549
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-02
Configuring Frame Relay on the
Cisco ASR 9000 Series Router
This module describes the optional configurable Frame Relay parameters available on
Packet-over-SONET/SDH (POS), multilink, and serial interfaces configured with Frame Relay
encapsulation.
Feature History for Configuring Frame Relay Interfaces on Cisco IOS XR Software
Release Modification
Release 4.0.0 Support for Frame Relay was added for the following SPAs:
• Cisco 2-Port Channelized OC-12c/DS0 SPA
• Cisco 1-Port Channelized OC-48/STM-16 SPA
• Cisco 8-Port OC-12c/STM-4 POS SPA
• Cisco 2-Port OC-48c/STM-16 POS/RPR SPA
• Cisco 1-Port OC-192c/STM-64 POS/RPR XFP SPA
Support for the following Frame Relay features was added for the Cisco
2-Port Channelized OC-12c/DSO SPA:
• Multilink Frame Relay (FRF.16)
• End-to-End Fragmentation (FRF.12)
Release 4.0.1 Support for Frame Relay was added for the following SPAs:
• Cisco 1-Port Channelized OC-3/STM-1 SPA
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
• Cisco 4-Port OC-3c/STM-1 POS SPA
• Cisco 8-Port OC-3c/STM-1 POS SPA
Release 4.1.0 Support for Frame Relay was added for the following SPAs:
• Cisco 4-Port Channelized T3/DS0 SPA
• Cisco 8-Port Channelized T1/E1 SPA
Contents
• Prerequisites for Configuring Frame Relay, page 550
• Information About Frame Relay Interfaces, page 550
• Configuring Frame Relay, page 557
• Configuration Examples for Frame Relay, page 572
• Additional References, page 576
Prerequisites for Configuring Frame Relay
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring Frame Relay, be sure that the following conditions are met:
• Your hardware must support POS or serial interfaces.
• You have enabled Frame Relay encapsulation on your interface with the encapsulation frame relay
command, as described in the appropriate module:
– To enable Frame Relay encapsulation on a multilink bundle interface, see the “Configuring
Multilink Frame Relay Bundle Interfaces” section on page 562.
– To enable Frame Relay encapsulation on a POS interface, see the “Configuring POS Interfaces
on the Cisco ASR 9000 Series Router” module in this manual.
– To enable Frame Relay encapsulation on a serial interface, see the Configuring Serial Interfaces
on the Cisco ASR 9000 Series Router module in this manual.
Information About Frame Relay Interfaces
The following sections explain the various aspects of configuring Frame Relay interfaces:
• Frame Relay Encapsulation, page 550
• Multilink Frame Relay (FRF.16), page 553
• End-to-End Fragmentation (FRF.12), page 557
Frame Relay Encapsulation
On the Cisco ASR 9000 Series Router, Frame Relay is supported on POS and serial main interfaces, and
on PVCs that are configured under those interfaces. To enable Frame Relay encapsulation on an
interface, use the encapsulation frame-relay command in interface configuration mode.
Frame Relay interfaces support two types of encapsulated frames:
• Cisco (this is the default)
• IETF
Use the encapsulation frame-relay command in interface configuration mode to configure Cisco or
IETF encapsulation on a PVC.
Note If the encapsulation type is not configured explicitly for a PVC with the encapsulation command, then
that PVC inherits the encapsulation type from the main interface.
The encapsulation frame-relay and encap (PVC) commands are described in the following modules:
– To enable Frame Relay encapsulation on a POS interface, see the “Configuring POS Interfaces
on the Cisco ASR 9000 Series Router” module in this manual.
– To enable Frame Relay encapsulation on a serial interface, see the “Configuring Serial Interfaces
on the Cisco ASR 9000 Series Router” module in this manual.
When an interface is configured with Frame Relay encapsulation and no additional configuration
commands are applied, the default interface settings shown in Table 23 are present. These default
settings can be changed by configuration as described in this module.
Note The default settings of LMI polling-related commands appear in Table 24 on page 552 and Table 25 on
page 553.
LMI
The Local Management Interface (LMI) protocol monitors the addition, deletion, and status of PVCs.
LMI also verifies the integrity of the link that forms a Frame Relay User-Network Interface (UNI).
Table 23 Frame Relay Encapsulation Default Settings
Parameter: PVC Encapsulation
  Configuration File Entry: encap {cisco | ietf}
  Default Settings: cisco
  Note When the encap command is not configured, the PVC encapsulation type is inherited from the Frame Relay main interface.
  Command Mode: PVC configuration
Parameter: Type of support provided by the interface
  Configuration File Entry: frame-relay intf-type {dce | dte}
  Default Settings: dte
  Command Mode: Interface configuration
Parameter: LMI type supported on the interface
  Configuration File Entry: frame-relay lmi-type [ansi | cisco | q933a]
  Default Settings: For a DCE, the default setting is cisco. For a DTE, the default setting is synchronized to match the LMI type supported on the DCE.
  Note To return an interface to its default LMI type, use the no frame-relay lmi-type [ansi | cisco | q933a] command.
  Command Mode: Interface configuration
Parameter: Disable or enable LMI
  Configuration File Entry: frame-relay lmi disable
  Default Settings: LMI is enabled by default on Frame Relay interfaces. To reenable LMI on an interface after it has been disabled, use the no frame-relay lmi disable command.
  Command Mode: Interface configuration
Frame Relay interfaces support the following types of LMI on UNI interfaces:
• ANSI—ANSI T1.617 Annex D
• Q.933—ITU-T Q.933 Annex A
• Cisco
Use the frame-relay lmi-type command to configure the LMI type to be used on an interface.
Note The LMI type that you use must correspond to the PVCs configured on the main interface. The LMI type
must match on both ends of a Frame Relay connection.
If your router functions as a switch connected to another non-Frame Relay router, use the frame-relay
intf-type dce command to configure the LMI type to support data communication equipment (DCE).
If your router is connected to a Frame Relay network, use the frame-relay intf-type dte command to
configure the LMI type to support data terminal equipment (DTE).
Note LMI type auto-sensing is supported on DTE interfaces by default.
Use the show frame-relay lmi and show frame-relay lmi-info commands in EXEC mode to display
information and statistics for the Frame Relay interfaces in your system. (When specifying the type and
interface-path-id arguments, you must specify information for the main interface.) You can modify the
error threshold, event count, and polling verification timer and then use the show frame-relay lmi
command to gather information that can help you monitor and troubleshoot Frame Relay interfaces.
If the LMI type is cisco (the default LMI type), the maximum number of PVCs that can be supported
under a single interface is limited by the MTU size of the main interface: the Cisco LMI full status
message reports every PVC in a single frame, using 13 bytes of fixed header plus 8 bytes per PVC. Use
the following formula to calculate the maximum number of PVCs supported on a card or SPA:
(MTU - 13)/8 = maximum number of PVCs
With the default MTU, a POS interface configured with cisco LMI supports 557 PVCs and a serial
interface configured with cisco LMI supports 186 PVCs.
For the ANSI and Q.933 LMI types, up to 992 PVCs are supported under a single main interface.
Note If a specific LMI type is configured on an interface, use the no frame-relay lmi-type [ansi | cisco |
q933a] command to bring the interface back to the default LMI type.
Table 24 describes the commands that can be used to modify LMI polling options on PVCs configured
for a DCE.
Table 24 LMI Polling Configuration Commands for DCE
Parameter: Sets the error threshold on a DCE interface.
  Configuration File Entry: frame-relay lmi-n392dce threshold
  Default Settings: 3
Parameter: Sets the monitored event count.
  Configuration File Entry: frame-relay lmi-n393dce events
  Default Settings: 4
Parameter: Sets the polling verification timer on the DCE end.
  Configuration File Entry: frame-relay lmi-t392dce seconds
  Default Settings: 15
Table 25 describes the commands that can be used to modify LMI polling options on PVCs configured
for a DTE.
Table 25 LMI Polling Configuration Commands for DTE
Parameter: Sets the number of Line Integrity Verification (LIV) exchanges performed before requesting a full status message.
  Configuration File Entry: frame-relay lmi-n391dte polling-cycles
  Default Settings: 6
Parameter: Sets the error threshold.
  Configuration File Entry: frame-relay lmi-n392dte threshold
  Default Settings: 3
Parameter: Sets the monitored event count.
  Configuration File Entry: frame-relay lmi-n393dte events
  Default Settings: 4
Parameter: Sets the polling interval (in seconds) between each status inquiry from the DTE end.
  Configuration File Entry: frame-relay lmi-t391dte seconds
  Default Settings: 10
Multilink Frame Relay (FRF.16)
Multilink Frame Relay (MFR) is supported only on the following shared port adapters (SPAs):
• Cisco 1-Port Channelized STM-1/OC-3 SPA
• Cisco 2-Port Channelized OC-12c/DS0 SPA
Multilink Frame Relay High Availability
MFR supports the following levels of high availability support:
• MFR supports a process restart, but some statistics will be reset during a restart of certain processes.
• MFR member links remain operational during a route switch processor (RSP) switchover.
Multilink Frame Relay Configuration Overview
A multilink Frame Relay interface is part of a multilink bundle that allows Frame Relay encapsulation
on its interfaces. You create a multilink Frame Relay interface by configuring the following components:
• MgmtMultilink controller
• Multilink bundle interface that allows Frame Relay encapsulation
• Bundle identifier name
• Multilink Frame Relay subinterfaces
• Bundle interface bandwidth class
• Serial interfaces
MgmtMultilink Controller
You configure a multilink bundle under a controller, using the following commands:
controller MgmtMultilink rack/slot/bay/controller-id
bundle bundleId
This configuration creates the controller for a generic multilink bundle. The controller ID number is the
zero-based index of the controller chip. Currently, the SPAs that support multilink Frame Relay have
only one controller per bay; therefore, the controller ID number is always zero (0).
Multilink Bundle Interface
After you create the multilink bundle, you create a multilink bundle interface that allows Frame Relay
encapsulation, using the following commands:
interface multilink interface-path-id
encapsulation frame-relay
This configuration allows you to create multilink Frame Relay subinterfaces under the multilink bundle
interface.
Note After you set the encapsulation on a multilink bundle interface to Frame Relay, you cannot change the
encapsulation while any member links are associated with the bundle.
Bundle Identifier Name
Note Bundle identifier name is configurable only under Frame Relay Forum 16.1 (FRF 16.1).
The bundle identifier (bid) name value identifies the bundle interface at both endpoints of the interface.
The bundle identifier name is exchanged in the information elements to ensure consistent link
assignments.
By default, the interface name, for example, Multilink 0/4/1/0/1, is used as the bundle identifier name.
However, you can optionally create a name using the frame-relay multilink bid command.
Note Regardless of whether you use the default name or create a name using the frame-relay multilink bid
command, it is recommended that each bundle have a unique name.
The bundle identifier name can be up to 50 characters including the null termination character (that is,
up to 49 visible characters). The bundle identifier name is configured at the bundle interface level and
is applied to each member link.
You configure the bundle identifier name using the following commands:
interface multilink interface-path-id
frame-relay multilink bid bundle-id-name
Multilink Frame Relay Subinterfaces
You configure a multilink Frame Relay subinterface, using the following command:
interface multilink interface-path-id[.subinterface {l2transport | point-to-point}]
You can configure up to 992 subinterfaces on a multilink bundle interface.
Note You configure specific Frame Relay interface features at the subinterface level.
Multilink Frame-Relay Subinterface Features
The following commands are available to set specific features on a multilink Frame Relay bundle
subinterface:
• mtu MTU size
• description
• shutdown
• bandwidth bandwidth
• service-policy {input | output} policymap-name
Note When entering the service-policy command, which enables you to attach a policy map to a multilink
Frame Relay bundle subinterface, you must do so while in Frame Relay PVC configuration mode. For
more information, see Configuring Multilink Frame Relay Bundle Interfaces, page 562.
Bundle Interface Bandwidth Class
Note Bandwidth class is configurable only under a multilink bundle interface.
You can configure one of three types of bandwidth classes on a multilink Frame Relay interface:
• a—Bandwidth Class A
• b—Bandwidth Class B
• c—Bandwidth Class C
When Bandwidth Class A is configured and one or more member links are up (PH_ACTIVE), the bundle
interface is also up and BL_ACTIVATE is signaled to the Frame Relay connections. When all the
member links are down, the bundle interface is down and BL_DEACTIVATE is signaled to the Frame
Relay connections.
When Bandwidth Class B is configured and all the member links are up (PH_ACTIVE), the bundle
interface is up and BL_ACTIVATE is signaled to the Frame Relay connections. When any member link
is down, the bundle interface is down and BL_DEACTIVATE is signaled to the Frame Relay connections.
When Bandwidth Class C is configured, you must also set the bundle link threshold to a value between
1 and 255. The threshold value is the minimum number of links that must be up (PH_ACTIVE) for the
bundle interface to be up and for BL_ACTIVATE to be signaled to the Frame Relay connections. When
the number of links that are up falls below this threshold, the bundle interface goes down and
BL_DEACTIVATE is signaled to the Frame Relay connections. When 1 is entered as the threshold value,
the behavior is identical to Bandwidth Class A. If you enter a threshold value that is greater than the
number of member links that are up, the bundle remains down.
You configure the bandwidth class for a Frame Relay multilink bundle interface using the following
commands:
interface multilink interface-path-id
frame-relay multilink bandwidth-class {a | b | c [threshold]}
The default is a (Bandwidth Class A).
Serial Interfaces
After the T3 and T1 controllers are configured, you can add serial interfaces to the multilink Frame Relay
bundle subinterface by configuring the serial interface, encapsulating it as multilink Frame Relay (mfr),
assigning it to the bundle interface (specified by the multilink group number), and configuring a name
for the link. You may also configure MFR acknowledge timeout value, retry count for retransmissions
and hello interval, for the bundle link.
You configure a multilink Frame Relay serial interface using the following commands:
interface serial rack/slot/module/port/t1-num:channel-group-number
encapsulation mfr
multilink group group-number
frame-relay multilink lid link-id name
frame-relay multilink ack ack-timeout
frame-relay multilink hello hello-interval
frame-relay multilink retry retry-count
Note All serial links in an MFR bundle inherit the value of the mtu command from the multilink interface.
Therefore, you should not configure the mtu command on a serial interface before configuring it as a
member of an MFR bundle. The Cisco IOS XR software blocks attempts to configure a serial interface
as a member of an MFR bundle if the interface is configured with a nondefault MTU value as well as
attempts to change the mtu command value for a serial interface that is configured as a member of an
MFR bundle.
Show Commands
You can verify a multilink Frame Relay serial interface configuration using the following show
commands:
show frame-relay multilink location node-id
show frame-relay multilink interface serial interface-path-id [detail | verbose]
The following example shows the display output of the show frame-relay multilink location command:
RP/0/RSP0/CPU0:router# show frame-relay multilink location 0/4/cpu0
Member interface: Serial0/4/2/0/9:0, ifhandle 0x05007b00
HW state = Up, link state = Up
Member of bundle interface Multilink0/4/2/0/2 with ifhandle 0x05007800
Bundle interface: Multilink0/4/2/0/2, ifhandle 0x05007800
Member Links: 4 active, 0 inactive
State = Up, BW Class = C (threshold 3)
Member Links:
Serial0/4/2/0/12:0, HW state = Up, link state = Up
Serial0/4/2/0/11:0, HW state = Up, link state = Up
Serial0/4/2/0/10:0, HW state = Up, link state = Up
Serial0/4/2/0/9:0, HW state = Up, link state = Up
Member interface: Serial0/4/2/0/10:0, ifhandle 0x05007c00
HW state = Up, link state = Up
Member of bundle interface Multilink0/4/2/0/2 with ifhandle 0x05007800
Member interface: Serial0/4/2/0/11:0, ifhandle 0x05007d00
HW state = Up, link state = Up
Member of bundle interface Multilink0/4/2/0/2 with ifhandle 0x05007800
Member interface: Serial0/4/2/0/12:0, ifhandle 0x05007e00
HW state = Up, link state = Up
Member of bundle interface Multilink0/4/2/0/2 with ifhandle 0x05007800
The following example shows the display output of the show frame-relay multilink interface serial command:
RP/0/RSP0/CPU0:router# show frame-relay multilink interface serial 0/4/2/0/10:0
Member interface: Serial0/4/2/0/10:0, ifhandle 0x05007c00
HW state = Up, link state = Up
Member of bundle interface Multilink0/4/2/0/2 with ifhandle 0x05007800
End-to-End Fragmentation (FRF.12)
You can configure an FRF.12 end-to-end fragmentation connection using the data-link connection
identifier (DLCI). However, it must be done on a channelized Frame Relay serial interface.
Note The fragment end-to-end command is not allowed on Packet-over-SONET/SDH (POS) interfaces or
under the DLCI of a multilink Frame Relay bundle interface.
You configure FRF.12 end-to-end fragmentation on a DLCI connection using the following command:
fragment end-to-end fragment-size
The fragment-size argument defines the size of the fragments, in bytes, for the serial interface.
Note On a DLCI connection, we highly recommend that you configure an egress service policy that classifies
packets into high and low priorities, so that interleaving of high-priority and low-priority fragments
occurs.
Configuring Frame Relay
The following sections describe how to configure Frame Relay interfaces.
• Modifying the Default Frame Relay Configuration on an Interface, page 557
• Disabling LMI on an Interface with Frame Relay Encapsulation, page 560
• Configuring Multilink Frame Relay Bundle Interfaces, page 562
• Configuring FRF.12 End-to-End Fragmentation on a Channelized Frame Relay Serial Interface,
page 568
Modifying the Default Frame Relay Configuration on an Interface
Perform this task to modify the default Frame Relay parameters on a Packet-over-SONET/SDH (POS),
multilink, or serial interface with Frame Relay encapsulation.
Prerequisites
Before you can modify the default Frame Relay configuration, you need to enable Frame Relay on the
interface, as described in the following modules:
• To enable Frame Relay encapsulation on a POS interface, see the “Configuring POS Interfaces
on the Cisco ASR 9000 Series Router” module in this manual.
• To enable Frame Relay encapsulation on a serial interface, see the “Configuring Serial Interfaces on
the Cisco ASR 9000 Series Router” module in this manual.
Note Before enabling Frame Relay encapsulation on a POS or serial interface, make certain that you have not
previously assigned an IP address to the interface. If an IP address is assigned to the interface, you will
not be able to enable Frame Relay encapsulation. For Frame Relay, the IP address and subnet mask are
configured on the subinterface.
Restrictions
• The LMI type must match on both ends of the connection for the connection to be active.
• Before you can remove Frame Relay encapsulation from an interface and reconfigure that interface
with PPP or HDLC encapsulation, you must remove all subinterface, PVC, LMI, and Frame Relay
configuration from that interface.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. frame-relay intf-type {dce | dte}
4. frame-relay lmi-type [ansi | cisco | q933a]
5. encap {cisco | ietf}
6. end
or
commit
7. show interfaces [summary | [type interface-path-id] [brief | description | detail | accounting
[rates]]] [location node-id]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface pos
0/4/0/1
Enters interface configuration mode.
Step 3 frame-relay intf-type {dce | dte}
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
intf-type dce
Configures the type of support provided by the interface.
• If your router functions as a switch connected to
another router, use the frame-relay intf-type dce
command to configure the LMI type to support data
communication equipment (DCE).
• If your router is connected to a Frame Relay network,
use the frame-relay intf-type dte command to
configure the LMI type to support data terminal
equipment (DTE).
Note The default interface type is DTE.
Step 4 frame-relay lmi-type [ansi | q933a | cisco]
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
lmi-type ansi
Selects the LMI type supported on the interface.
• Enter the frame-relay lmi-type ansi command to use
LMI as defined by ANSI T1.617a-1994 Annex D.
• Enter the frame-relay lmi-type cisco command to use
LMI as defined by Cisco (not standard).
• Enter the frame-relay lmi-type q933a command to use
LMI as defined by ITU-T Q.933 (02/2003) Annex A.
Note The default LMI type is Cisco.
Step 5 encap {cisco | ietf}
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# encap
ietf
Configures the encapsulation for a Frame Relay PVC.
Note If the encapsulation type is not configured explicitly
for a PVC, then that PVC inherits the encapsulation
type from the main interface.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 7 show interfaces [summary | [type
interface-path-id] [brief | description |
detail | accounting [rates]]] [location
node-id]
Example:
RP/0/RSP0/CPU0:router# show interfaces pos
0/4/0/1
(Optional) Verifies the configuration for the specified
interface.
Disabling LMI on an Interface with Frame Relay Encapsulation
Perform this task to disable LMI on interfaces that have Frame Relay encapsulation.
Note LMI is enabled by default on interfaces that have Frame Relay encapsulation enabled. To reenable LMI
on an interface after it has been disabled, use the no frame-relay lmi disable command in interface
configuration mode.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. frame-relay lmi disable
4. end
or
commit
5. show interfaces [summary | [type interface-path-id] [brief | description | detail | accounting
[rates]]] [location node-id]
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface POS
0/4/0/1
Enters interface configuration mode.
Step 3 frame-relay lmi disable
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
lmi disable
Disables LMI on the specified interface.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show interfaces [summary | [type
interface-path-id] [brief | description |
detail | accounting [rates]]] [location
node-id]
Example:
RP/0/RSP0/CPU0:router# show interfaces POS
0/4/0/1
(Optional) Verifies that LMI is disabled on the specified
interface.
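The following session is an added example and is not taken from the original guide. It puts the two preceding procedures together on one router: POS 0/4/0/1 is configured as the DCE side with ANSI LMI and one PVC that uses IETF encapsulation, and POS 0/4/0/2 has LMI disabled. The subinterface number, DLCI 16, and the IPv4 address 192.0.2.1/30 are assumed values chosen for illustration. The IPv4 address is placed on the subinterface, not on the main interface, because the prerequisites above state that Frame Relay encapsulation cannot be enabled on an interface that already carries an IP address. The show frame-relay lmi command is the one described under LMI earlier in this module; the interface pos 0/4/0/1 argument form is assumed.

```cisco
RP/0/RSP0/CPU0:router# configure
! Added example (not from the original guide). Interface numbers,
! DLCI 16 and the 192.0.2.1/30 address are assumed values.
!
! DCE side: Frame Relay encapsulation first, then LMI role and type.
RP/0/RSP0/CPU0:router(config)# interface pos 0/4/0/1
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# frame-relay intf-type dce
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi-type ansi
RP/0/RSP0/CPU0:router(config-if)# exit
!
! One PVC per subinterface; encap ietf overrides the inherited cisco default.
RP/0/RSP0/CPU0:router(config)# interface pos 0/4/0/1.16 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 192.0.2.1 255.255.255.252
RP/0/RSP0/CPU0:router(config-subif)# pvc 16
RP/0/RSP0/CPU0:router(config-fr-vc)# encap ietf
RP/0/RSP0/CPU0:router(config-fr-vc)# exit
RP/0/RSP0/CPU0:router(config-subif)# exit
!
! Second interface: Frame Relay encapsulation with LMI switched off.
RP/0/RSP0/CPU0:router(config)# interface pos 0/4/0/2
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi disable
!
! commit applies everything above as one change; end then leaves
! configuration mode without a further prompt.
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:router(config-if)# end
!
! Verification: interface state, then LMI statistics on the main interface.
RP/0/RSP0/CPU0:router# show interfaces pos 0/4/0/1
RP/0/RSP0/CPU0:router# show frame-relay lmi interface pos 0/4/0/1
RP/0/RSP0/CPU0:router# show interfaces pos 0/4/0/2
```

Two checks follow from the text above. The LMI type must match at both ends, so the DTE attached to POS 0/4/0/1 must also run ANSI LMI (DTE auto-sensing, which the module says is on by default, will normally take care of this). With LMI disabled on POS 0/4/0/2, the link integrity verification that LMI provides is no longer performed on that interface, so PVC status there is not learned from the far end; confirm the link is passing traffic with show interfaces rather than relying on LMI state.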
Configuring Multilink Frame Relay Bundle Interfaces
Perform these steps to configure a multilink Frame Relay (MFR) bundle interface and its subinterfaces.
Prerequisites
Before configuring MFR bundles, be sure you have the following SPA installed:
• 1-Port Channelized STM-1/OC-3 SPA
• 2-Port Channelized OC-12c/DS0 SPA
Restrictions
• All member links in a multilink Frame Relay bundle interface must be of the same type (for example,
T1s or E1s). The member links must have the same framing type, such as point-to-point, and they
must have the same bandwidth class.
• All member links must be full T1s or E1s. Fractional links, such as DS0s, are not supported.
• All member links must reside on the same SPA; otherwise, they are considered to be unrelated
bundles.
• All member links must be connected to the same line card or SPA at the far end.
• A maximum of 992 MFR subinterfaces is supported on each main interface, based on the supported
DLCI range 16–1007.
• The Cisco 1-Port Channelized OC-3/STM-1 SPA and 2-Port Channelized OC-12c/DS0 SPA have
the following additional guidelines:
– A maximum of 700 MFR bundles per line card is supported.
– A maximum of 2600 MFR bundles per system is supported.
– A maximum of 4000 Frame Relay Layer 3 subinterfaces per line card is supported.
– A maximum of 8000 Frame Relay Layer 3 subinterfaces per system is supported.
• Fragmentation on a Frame Relay subinterface that is part of an MFR bundle is not supported.
• All serial links in an MFR bundle inherit the value of the mtu command from the multilink interface.
Therefore, you should not configure the mtu command on a serial interface before configuring it as
a member of an MFR bundle. The Cisco IOS XR software blocks the following:
– Attempts to configure a serial interface as a member of an MFR bundle if the interface is
configured with a nondefault MTU value.
– Attempts to change the mtu command value for a serial interface that is configured as a member
of an MFR bundle.
SUMMARY STEPS
1. configure
2. controller MgmtMultilink rack/slot/bay/controller-id
3. exit
4. controller t3 interface-path-id
5. mode type
6. clock source {internal | line}
7. exit
8. controller {t1 | e1} interface-path-id
9. channel-group channel-group-number
10. timeslots range
11. exit
12. exit
13. interface multilink interface-path-id[.subinterface {l2transport | point-to-point}]
14. encapsulation frame-relay
15. frame-relay multilink bid bundle-id-name
16. frame-relay multilink bandwidth-class {a | b | c [threshold]}
17. exit
18. interface multilink interface-path-id[.subinterface {l2transport | point-to-point}]
19. ipv4 address ip-address
20. pvc dlci
21. service-policy {input | output} policy-map
22. exit
23. exit
24. interface serial interface-path-id
25. encapsulation mfr
26. multilink group group-id
27. frame-relay multilink lid link-id name
28. frame-relay multilink ack ack-timeout
29. frame-relay multilink hello hello-interval
30. frame-relay multilink retry retry-count
31. exit
32. end
or
commit
33. exit
34. show frame-relay multilink interface type interface-path-id [detail | verbose]
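The following session is an added example, not part of the original guide, that runs the summary steps above end to end for a bundle of two T1 member links. Where the detailed steps that follow give a value, that value is reused (MgmtMultilink 0/1/0/0, T3 0/1/0/0, T1 0/1/0/0/0, Multilink 0/1/0/0/100, DLCI 16, the policy map policy-mapA). The second T1 controller (0/1/0/0/1) and its serial interface (0/1/0/0/0/1:0), the bundle identifier MFRBundle, the link identifiers, bandwidth class c with threshold 2, and the ack, hello and retry values (4, 10 and 2, the FRF.16 defaults) are assumed. The bundle 100 command under the MgmtMultilink controller is taken from the configuration overview earlier in this module; it creates the bundle number that the Multilink interface name and the multilink group command both refer to.

```cisco
RP/0/RSP0/CPU0:router# configure
! Added example (not from the original guide). The second T1, the
! bundle id name, link ids, bandwidth class threshold and MFR timer
! values are assumed; other values come from the detailed steps.
!
! Step 2: create bundle 100 on the single controller chip (id 0) in bay 0.
RP/0/RSP0/CPU0:router(config)# controller MgmtMultilink 0/1/0/0
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# bundle 100
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# exit
!
! Steps 4-7: channelize the T3 into T1s; this end supplies the clock,
! so the far end must be configured with clock source line.
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# clock source internal
RP/0/RSP0/CPU0:router(config-t3)# exit
!
! Steps 8-12: one full T1 (all 24 timeslots) per channel group, twice.
RP/0/RSP0/CPU0:router(config)# controller t1 0/1/0/0/0
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/1/0/0/1
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
!
! Steps 13-17: bundle interface; class c threshold 2 means both T1s
! must be up before BL_ACTIVATE is signaled.
RP/0/RSP0/CPU0:router(config)# interface Multilink 0/1/0/0/100
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink bid MFRBundle
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink bandwidth-class c 2
RP/0/RSP0/CPU0:router(config-if)# exit
!
! Steps 18-23: Layer 3 subinterface with its single PVC and egress policy.
RP/0/RSP0/CPU0:router(config)# interface Multilink 0/1/0/0/100.16 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 3.1.100.16 255.255.255.0
RP/0/RSP0/CPU0:router(config-subif)# pvc 16
RP/0/RSP0/CPU0:router(config-fr-vc)# service-policy output policy-mapA
RP/0/RSP0/CPU0:router(config-fr-vc)# exit
RP/0/RSP0/CPU0:router(config-subif)# exit
!
! Steps 24-31: member links, left at default MTU so they inherit the bundle MTU.
RP/0/RSP0/CPU0:router(config)# interface serial 0/1/0/0/0/0:0
RP/0/RSP0/CPU0:router(config-if)# encapsulation mfr
RP/0/RSP0/CPU0:router(config-if)# multilink group 100
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink lid link0
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink ack 4
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink hello 10
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink retry 2
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)# interface serial 0/1/0/0/0/1:0
RP/0/RSP0/CPU0:router(config-if)# encapsulation mfr
RP/0/RSP0/CPU0:router(config-if)# multilink group 100
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink lid link1
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink ack 4
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink hello 10
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink retry 2
!
! Steps 32-34: commit, leave configuration mode, verify one member link.
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:router(config-if)# end
RP/0/RSP0/CPU0:router# show frame-relay multilink interface serial 0/1/0/0/0/0:0 detail
```

Three points from the restrictions above are reflected here. Neither serial interface has an mtu command, because the software rejects a member that carries a nondefault MTU and rejects later MTU changes on a member; both member links sit on the same SPA and are full T1s; and the bundle identifier and the link identifiers are unique. The policy map policy-mapA must already be defined as described in the Cisco IOS XR Modular Quality of Service Configuration Guide referenced in Step 21. Lowering the threshold to 1 gives the same behaviour as bandwidth class a, so the bundle would stay up with a single T1.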
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# config
Enters global configuration mode.
Step 2 controller MgmtMultilink rack/slot/bay/controller-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
MgmtMultilink 0/1/0/0
Creates the controller for a generic multilink bundle
in the rack/slot/bay/controller-id notation and enters
the multilink management configuration mode. The
controller ID number is the zero-based index of the
controller chip. Currently, the SPAs that support
multilink Frame Relay have only one controller per
bay; therefore, the controller ID number is always
zero (0).
Step 3 exit
Example:
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# exit
Exits the multilink management configuration mode.
Step 4 controller t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0
Specifies the T3 controller name in the
rack/slot/module/port notation and enters T3
configuration mode.
Step 5 mode type
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode t1
Configures the channelization mode of the T3 controller; for
example, mode t1 channelizes the T3 into 28 T1s.
Step 6 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-t3)# clock source
internal
(Optional) Sets the clock source for the T3 or E3 controller.
Note The default clock source is internal.
Note When configuring clocking on a serial link,
you must configure one end to be internal,
and the other end to be line. If you configure
internal clocking on both ends of a
connection, framing slips occur. If you
configure line clocking on both ends of a
connection, the line does not come up.
Step 7 exit
Example:
RP/0/RSP0/CPU0:router(config-t3)# exit
Exits T3/E3 controller configuration mode.
Step 8 controller {t1 | e1} interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1
0/1/0/0/0
Enters T1 or E1 configuration mode.
Step 9 channel-group channel-group-number
Example:
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
Creates a T1 channel group and enters channel group
configuration mode for that channel group.
Step 10 timeslots range
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
timeslots 1-24
Associates one or more DS0 time slots to a channel
group and creates an associated serial subinterface on
that channel group.
• For T1 controllers—Range is from 1 to 24 time
slots.
• For E1 controllers—Range is from 1 to 31 time
slots.
• You can assign all time slots to a single channel
group, or you can divide the time slots among
several channel groups.
Step 11 exit
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
Exits channel group configuration mode.
Step 12 exit
Example:
RP/0/RSP0/CPU0:router(config-t1)# exit
Exits T1 configuration mode.
Step 13 interface multilink interface-path-id[.subinterface
{l2transport | point-to-point}]
Example:
RP/0/RSP0/CPU0:router(config)# interface Multilink
0/1/0/0/100
Creates a multilink bundle interface where you can
specify Frame Relay encapsulation for the bundle.
You create multilink Frame Relay subinterfaces
under the multilink bundle interface.
Step 14 encapsulation frame-relay
Example:
Router(config-if)# encapsulation frame-relay
Specifies the Frame Relay encapsulation type.
Step 15 frame-relay multilink bid bundle-id-name
Example:
Router(config-if)# frame-relay multilink bid
MFRBundle
Note (Optional) By default, the interface name, for
example, Multilink 0/4/1/0/1, is used as the
bundle identifier name. However, you can
optionally create a name using the
frame-relay multilink bid command.
Step 16 frame-relay multilink bandwidth-class {a | b | c
[threshold]}
Example:
Router(config-if)# frame-relay multilink
bandwidth-class a
Configures one of three types of bandwidth classes on
a multilink Frame Relay interface:
• a—Bandwidth Class A
• b—Bandwidth Class B
• c—Bandwidth Class C
The default is a (Bandwidth Class A).
Step 17 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits interface configuration mode.
Step 18 interface multilink interface-path-id[.subinterface
{l2transport | point-to-point}]
Example:
RP/0/RSP0/CPU0:router(config)# interface Multilink
0/1/0/0/100.16 point-to-point
Creates a multilink subinterface in the rack/slot/bay/controller-id bundleId.subinterface [point-to-point | l2transport] notation and enters the subinterface configuration mode.
• l2transport—Treat as an attachment circuit
• point-to-point—Treat as a point-to-point link
You can configure up to 992 subinterfaces on a
multilink bundle interface. The DLCIs are 16 to 1007.
Step 19 ipv4 address ip-address
Example:
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address
3.1.100.16 255.255.255.0
Assigns an IP address and subnet mask to the
interface in the format:
A.B.C.D/prefix or A.B.C.D/mask
Step 20 pvc dlci
Example:
RP/0/RSP0/CPU0:router (config-subif)# pvc 16
Creates a POS permanent virtual circuit (PVC) and
enters Frame Relay PVC configuration submode.
Replace dlci with a PVC identifier, in the range from
16 to 1007.
Note Only one PVC is allowed per subinterface.
Step 21 service-policy {input | output} policy-map
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# service-policy
output policy-mapA
Attaches a policy map to an input subinterface or
output subinterface. When attached, the policy map is
used as the service policy for the subinterface.
Note For information on creating and configuring
policy maps, refer to Cisco IOS XR Modular
Quality of Service Configuration Guide.
Step 22 exit
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# exit
Exits the Frame-Relay virtual circuit mode.
Step 23 exit
Example:
RP/0/RSP0/CPU0:router(config-subif)# exit
Exits the subinterface configuration mode.
Step 24 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/1/0/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance
notation.
Step 25 encapsulation mfr
Example:
RP/0/RSP0/CPU0:router(config)# encapsulation mfr
Enables multilink Frame Relay on the serial
interface.
Step 26 multilink group group-id
Example:
RP/0/RSP0/CPU0:router(config-if)# multilink group
100
Specifies the multilink group ID for this interface.
Step 27 frame-relay multilink lid link-id name
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
multilink lid sj1
Note Configures a name for the Frame Relay
multilink bundle link.
Step 28 frame-relay multilink ack ack-timeout
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
multilink ack 5
Configures the acknowledge timeout value for the
Frame Relay multilink bundle link.
Step 29 frame-relay multilink hello hello-interval
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
multilink hello 60
Configures the hello interval for the Frame Relay
multilink bundle link.
Step 30 frame-relay multilink retry retry-count
Example:
RP/0/RSP0/CPU0:router(config-if)# frame-relay
multilink retry 2
Configures the retry count for retransmissions for the
Frame Relay multilink bundle link.
Step 31 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits interface configuration mode.
Step 32 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 33 exit
Example:
RP/0/RSP0/CPU0:router(config)# exit
Exits global configuration mode.
Step 34 show frame-relay multilink interface type interface-path-id [detail | verbose]
Example:
RP/0/RSP0/CPU0:router# show frame-relay multilink interface Multilink 0/5/1/0/1
Shows the information retrieved from the interface description block (IDB), including bundle-specific information and Frame Relay information.
Configuring FRF.12 End-to-End Fragmentation on a Channelized Frame Relay Serial Interface
Perform the following steps to configure FRF.12 end-to-end fragmentation on a channelized Frame Relay serial interface.
SUMMARY STEPS
1. config
2. controller t3 interface-path-id
3. mode type
4. clock source {internal | line}
5. exit
6. controller t1 interface-path-id
7. channel-group channel-group-number
8. timeslots range
9. exit
10. exit
11. interface serial interface-path-id
12. encapsulation frame-relay
13. exit
14. interface serial interface-path-id
15. ipv4 address ip-address
16. pvc dlci
17. service-policy {input | output} policy-map
18. fragment end-to-end fragment-size
19. exit
20. exit
21. exit
22. end
or
commit
23. exit
24. show frame-relay pvc [ dlci | interface | location ]
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/RSP0/CPU0:router# config
Enters global configuration mode.
Step 2 controller t3 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0
Specifies the T3 controller name in the
rack/slot/module/port notation and enters T3
configuration mode.
Step 3 mode type
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode t1
Configures the type of multilinks to channelize; for
example, 28 T1s.
Step 4 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-t3)# clock source
internal
(Optional) Sets the clocking for individual E3 links.
Note The default clock source is internal.
Note When configuring clocking on a serial link,
you must configure one end to be internal,
and the other end to be line. If you configure
internal clocking on both ends of a
connection, framing slips occur. If you
configure line clocking on both ends of a
connection, the line does not come up.
Step 5 exit
Example:
RP/0/RSP0/CPU0:router(config-t3)# exit
Exits T3/E3 or T1/E1 controller configuration mode.
Step 6 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1
0/1/0/0/0
Enters T1 configuration mode.
Step 7 channel-group channel-group-number
Example:
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
Creates a T1 channel group and enters channel group
configuration mode for that channel group.
Step 8 timeslots range
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
timeslots 1-24
Associates one or more DS0 time slots to a channel
group and creates an associated serial subinterface on
that channel group.
• Range is from 1 to 24 time slots.
• You can assign all 24 time slots to a single
channel group, or you can divide the time slots
among several channel groups.
Note Each individual T1 controller supports a total
of 24 DS0 time slots.
Step 9 exit
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
Exits channel group configuration mode.
Step 10 exit
Example:
RP/0/RSP0/CPU0:router(config-t1)# exit
Exits T1 configuration mode.
Step 11 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/1/0/0/0/0:0
Specifies the complete interface number with the
rack/slot/module/port/T3Num/T1num:instance
notation.
Step 12 encapsulation frame-relay
Example:
RP/0/RSP0/CPU0:Router(config-if)# encapsulation
frame-relay
Specifies the Frame Relay encapsulation type.
Step 13 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits interface configuration mode.
Step 14 interface serial interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
1/0/0/0/0:0.1
Specifies the complete subinterface number with the rack/slot/module/port[/channel-num:channel-group-number].subinterface notation.
Step 15 ipv4 address ip-address
Example:
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address
3.1.100.16 255.255.255.0
Assigns an IP address and subnet mask to the
interface in the format:
A.B.C.D/prefix or A.B.C.D/mask
Step 16 pvc dlci
Example:
RP/0/RSP0/CPU0:router (config-subif)# pvc 100
Creates a POS permanent virtual circuit (PVC) and
enters Frame Relay PVC configuration submode.
Replace dlci with a PVC identifier, in the range from
16 to 1007.
Note Only one PVC is allowed per subinterface.
Step 17 service-policy {input | output} policy-map
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# service-policy
output policy-mapA
Attaches a policy map to an input subinterface or
output subinterface. When attached, the policy map is
used as the service policy for the subinterface.
Note For effective FRF.12 functionality (interleave
specifically), you should configure an egress
service policy with priority.
Note For information on creating and configuring policy maps, refer to Cisco IOS XR Modular Quality of Service Configuration Guide.
Step 18 fragment end-to-end fragment-size
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# fragment
end-to-end 100
(Optional) Enables fragmentation of Frame Relay
frames on an interface and specifies the size (in
bytes) of the payload from the original frame that will
go into each fragment. This number excludes the
Frame Relay header of the original frame.
Valid values are from 64 to 512, depending on your
hardware.
Step 19 exit
Example:
RP/0/RSP0/CPU0:router(config-fr-vc)# exit
Exits the Frame-Relay virtual circuit mode.
Step 20 exit
Example:
RP/0/RSP0/CPU0:router(config-subif)# exit
Exits the subinterface configuration mode.
Step 21 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits interface configuration mode.
Step 22 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 23 exit
Example:
RP/0/RSP0/CPU0:router(config)# exit
Exits global configuration mode.
Step 24 show frame-relay pvc [ dlci | interface | location ]
Example:
RP/0/RSP0/CPU0:router# show frame-relay pvc 100
Displays the information for the specified PVC DLCI, interface, or location.
Configuration Examples for Frame Relay
This section provides the following configuration examples:
• Optional Frame Relay Parameters: Example, page 573
• Multilink Frame Relay: Example, page 575
• End-to-End Fragmentation: Example, page 576
Optional Frame Relay Parameters: Example
The following example shows how to bring up and configure a POS interface with Frame Relay
encapsulation. In this example, the user modifies the default Frame Relay configuration so that the
interface supports ANSI T1.617a-1994 Annex D LMI on DCE.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay IETF
RP/0/RSP0/CPU0:router(config-if)# frame-relay intf-type dce
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi-type ansi
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/0.10 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.46.8.6/24
RP/0/RSP0/CPU0:router(config-subif)# pvc 20
RP/0/RSP0/CPU0:router(config-fr-vc)# encap ietf
RP/0/RSP0/CPU0:router(config-fr-vc)# commit
The following example shows how to disable LMI on a POS interface that has Frame Relay
encapsulation configured:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi disable
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
The following example shows how to reenable LMI on a serial interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface serial 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# no frame-relay lmi disable
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
The following example shows how to display Frame Relay statistics for LMI on all interfaces:
RP/0/RSP0/CPU0:router# show frame-relay lmi
LMI Statistics for interface POS0/1/0/0/ (Frame Relay DCE) LMI TYPE = ANSI
Invalid Unnumbered Info 0 Invalid Prot Disc 0
Invalid Dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 9
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 9444 Num Status Msgs Sent 9444
Num Full Status Sent 1578 Num St Enq. Timeouts 41
Num Link Timeouts 7
LMI Statistics for interface POS0/1/0/1/ (Frame Relay DCE) LMI TYPE = CISCO
Invalid Unnumbered Info 0 Invalid Prot Disc 0
Invalid Dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 9481 Num Status Msgs Sent 9481
Num Full Status Sent 1588 Num St Enq. Timeouts 16
Num Link Timeouts 4
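The show frame-relay lmi output above is what an operator polls to judge whether the LMI exchange with a peer is healthy. The following Python script is an added example, not part of the Cisco guide: it parses that two-column output into one record per interface and flags the counters that deserve attention, namely any non-zero "Invalid ..." counter (the peer is sending LMI the router rejects, which points at a misconfigured or misbehaving device) and non-zero status-enquiry or link timeouts (the keepalive exchange is failing). The sample capture is constructed from the two interfaces shown on the page; the function names and the regular expressions are my own, written against the layout shown here rather than any documented format.

```python
import re
from typing import Dict, List, Tuple

# Constructed capture: the two interfaces from the page's "show frame-relay lmi"
# output, pasted together as if they came from one command run.
SAMPLE_SHOW_LMI = """\
LMI Statistics for interface POS0/1/0/0/ (Frame Relay DCE) LMI TYPE = ANSI
Invalid Unnumbered Info 0 Invalid Prot Disc 0
Invalid Dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 9
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 9444 Num Status Msgs Sent 9444
Num Full Status Sent 1578 Num St Enq. Timeouts 41
Num Link Timeouts 7
LMI Statistics for interface POS0/1/0/1/ (Frame Relay DCE) LMI TYPE = CISCO
Invalid Unnumbered Info 0 Invalid Prot Disc 0
Invalid Dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 9481 Num Status Msgs Sent 9481
Num Full Status Sent 1588 Num St Enq. Timeouts 16
Num Link Timeouts 4
"""

# One header line per interface: name, LMI role (DCE/DTE) and LMI type.
HEADER_RE = re.compile(
    r"^LMI Statistics for interface (?P<intf>.+?) \(Frame Relay (?P<role>DCE|DTE)\)"
    r" LMI TYPE = (?P<lmi>\S+)$"
)
# Counter lines carry one or two "label value" pairs side by side.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z. ]*?)\s+(\d+)")
TIMEOUT_COUNTERS = ("Num St Enq. Timeouts", "Num Link Timeouts")


def parse_show_frame_relay_lmi(text: str) -> List[Dict]:
    """Return one record per interface: name, role, lmi_type and a counters dict.

    Counter keys are the labels exactly as the router prints them.
    """
    records: List[Dict] = []
    current: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {
                "interface": header.group("intf").strip(),
                "role": header.group("role"),
                "lmi_type": header.group("lmi"),
                "counters": {},
            }
            records.append(current)
            continue
        if not current:
            continue  # text before the first header is not LMI data
        for label, value in PAIR_RE.findall(line):
            current["counters"][label.strip()] = int(value)
    return records


def lmi_findings(record: Dict) -> List[Tuple[str, int]]:
    """Counters worth alerting on for one interface, in the order printed.

    Non-zero "Invalid ..." counters mean the peer sent LMI the router could not
    accept; non-zero timeout counters mean status enquiries went unanswered.
    In the page's samples received enquiries and sent status messages match,
    so a gap between them is also reported.
    """
    findings: List[Tuple[str, int]] = []
    counters = record["counters"]
    for label, value in counters.items():
        if value and (label.startswith("Invalid") or label in TIMEOUT_COUNTERS):
            findings.append((label, value))
    rcvd = counters.get("Num Status Enq. Rcvd", 0)
    sent = counters.get("Num Status Msgs Sent", 0)
    if rcvd != sent:
        findings.append(("Status Enq./Status Msg imbalance", abs(rcvd - sent)))
    return findings


def lmi_report(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each interface name to its findings (an empty list means healthy)."""
    return {rec["interface"]: lmi_findings(rec) for rec in parse_show_frame_relay_lmi(text)}


if __name__ == "__main__":
    for intf, findings in lmi_report(SAMPLE_SHOW_LMI).items():
        print(intf, findings or "healthy")
```

Run against a periodic capture of the command, the report turns the counters into a per-interface list that a monitoring job can compare between polls; a rising Invalid counter on a DCE-side interface is the signal to look at what the attached DTE is actually sending.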
The following example shows how to create a serial subinterface with a PVC on the main serial interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface serial 0/3/0/0/0:0.10 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.46.8.6/24
RP/0/RSP0/CPU0:router(config-subif)# pvc 20
RP/0/RSP0/CPU0:router(config-fr-vc)# encapsulation ietf
RP/0/RSP0/CPU0:router(config-fr-vc)# commit
The following example shows how to display information about all PVCs configured on your system:
RP/0/RSP0/CPU0:router# show frame-relay pvc
PVC Statistics for interface Serial0/3/2/0 (Frame Relay DCE)
Active Inactive Deleted Static
Local 4 0 0 0
Switched 0 0 0 0
Dynamic 0 0 0 0
DLCI = 612, DLCI USAGE = LOCAL, ENCAP = CISCO, INHERIT = TRUE, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/2/0.1
input pkts 0 output pkts 0 in bytes 0
out bytes 0 dropped pkts 0 in FECN packets 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
pvc create time 00:00:00 last time pvc status changed 00:00:00
DLCI = 613, DLCI USAGE = LOCAL, ENCAP = CISCO, INHERIT = TRUE, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/2/0.2
input pkts 0 output pkts 0 in bytes 0
out bytes 0 dropped pkts 0 in FECN packets 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
pvc create time 00:00:00 last time pvc status changed 00:00:00
DLCI = 614, DLCI USAGE = LOCAL, ENCAP = CISCO, INHERIT = TRUE, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/2/0.3
input pkts 0 output pkts 0 in bytes 0
out bytes 0 dropped pkts 0 in FECN packets 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
pvc create time 00:00:00 last time pvc status changed 00:00:00
DLCI = 615, DLCI USAGE = LOCAL, ENCAP = CISCO, INHERIT = TRUE, PVC STATUS = ACTIVE, INTERFACE = Serial0/3/2/0.4
input pkts 0 output pkts 0 in bytes 0
out bytes 0 dropped pkts 0 in FECN packets 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
pvc create time 00:00:00 last time pvc status changed 00:00:00
The following example shows how to modify LMI polling options on PVCs configured for a DTE, and then use the show frame-relay lmi and show frame-relay lmi-info commands to display information for monitoring and troubleshooting the interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface pos 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi-n391dte 10
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi-n391dte 5
RP/0/RSP0/CPU0:router(config-if)# frame-relay lmi-t391dte 15
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:router# show frame-relay lmi interface pos 0/3/0/0
LMI Statistics for interface pos 0/3/0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered Info 0 Invalid Prot Disc 0
Invalid Dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 9
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Rcvd 9444 Num Status Msgs Sent 9444
Num Full Status Sent 1578 Num St Enq. Timeouts 41
Num Link Timeouts 7
RP/0/RSP0/CPU0:router# show frame-relay lmi-info interface pos 0/3/0/0
LMI IDB Info for interface POS0/3/0/0
ifhandle: 0x6176840
Interface type: DTE
Interface state: UP
Line Protocol: UP
LMI type (cnf/oper): AUTO/CISCO
LMI type autosense: OFF
Interface MTU: 1504
-------------- DTE -------------
T391: 15s
N391: (cnf/oper): 5/5
N392: (cnf/oper): 3/0
N393: 4
My seq#: 83
My seq# seen: 83
Your seq# seen: 82
-------------- DCE -------------
T392: 15s
N392: (cnf/oper): 3/0
N393: 4
My seq#: 0
My seq# seen: 0
Your seq# seen: 0
Multilink Frame Relay: Example
The following example shows how to configure multilink Frame Relay with serial interfaces:
RP/0/RSP0/CPU0:router# config
RP/0/RSP0/CPU0:router(config)# controller MgmtMultilink 0/3/1/0
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# bundle 100
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# exit
RP/0/RSP0/CPU0:router(config)# controller T3 0/3/1/0
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# clock source internal
RP/0/RSP0/CPU0:router(config-t3)# exit
RP/0/RSP0/CPU0:router(config)# controller T1 0/3/1/0/0
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# interface Multilink 0/3/1/0/100
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)# interface Multilink 0/3/1/0/100.16 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 3.1.100.16 255.255.255.0
RP/0/RSP0/CPU0:router(config-subif)# pvc 16
RP/0/RSP0/CPU0:router(config-fr-vc)# service-policy output policy-mapA
RP/0/RSP0/CPU0:router(config-fr-vc)# exit
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# interface Serial 0/3/1/0/0:0
RP/0/RSP0/CPU0:router(config-if)# encapsulation mfr
RP/0/RSP0/CPU0:router(config-if)# multilink group 100
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink lid sj1
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink ack 5
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink hello 60
RP/0/RSP0/CPU0:router(config-if)# frame-relay multilink retry 2
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)#
End-to-End Fragmentation: Example
The following example shows how to configure FRF.12 end-to-end fragmentation on a channelized
Frame Relay serial interface:
RP/0/RSP0/CPU0:router# config
RP/0/RSP0/CPU0:router(config)# controller T3 0/3/1/0
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# clock source internal
RP/0/RSP0/CPU0:router(config-t3)# exit
RP/0/RSP0/CPU0:router(config)# controller T1 0/3/1/0/0
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# interface Serial 0/3/1/0/0:0
RP/0/RSP0/CPU0:router(config-if)# encapsulation frame-relay
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)# interface Serial 0/3/1/0/0:0.100 point-to-point
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 3.1.1.1 255.255.255.0
RP/0/RSP0/CPU0:router(config-subif)# pvc 100
RP/0/RSP0/CPU0:router(config-fr-vc)# service-policy output LFI
RP/0/RSP0/CPU0:router(config-fr-vc)# fragment end-to-end 256
Additional References
The following sections provide references related to Frame Relay.
Related Documents
Related Topic: Document Title
Cisco IOS XR master command reference: Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands: Cisco IOS XR Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a router using Cisco IOS XR software: Cisco IOS XR Getting Started Guide
Cisco IOS XR AAA services configuration information: Cisco IOS XR System Security Configuration Guide and Cisco IOS XR System Security Command Reference
Standards
Standards Title
FRF.12 Frame Relay Forum .12
FRF.16 Frame Relay Forum .16
ANSI T1.617 Annex D American National Standards Institute T1.617 Annex D
ITU Q.933 Annex A International Telecommunication Union Q.933 Annex A
MIBs
MIBs: FRF.16 MIB; Cisco Frame Relay MIB; IF-MIB; Management Information Base for Frame Relay DTEs; Management Information Base for Frame Relay DTEs Using SMIv2
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs Title
RFC 1294 Multiprotocol Interconnect Over Frame Relay
RFC 1315 Management Information Base for Frame Relay DTEs
RFC 1490 Multiprotocol Interconnect Over Frame Relay
RFC 1586 Guidelines for Running OSPF Over Frame Relay Networks
RFC 1604 Definitions of Managed Objects for Frame Relay Service
RFC 2115 Management Information Base for Frame Relay DTEs Using SMIv2
RFC 2390 Inverse Address Resolution Protocol
RFC 2427 Multiprotocol Interconnect Over Frame Relay
RFC 2954 Definitions of Managed Objects for Frame Relay Service
RFC 3020 RFC for FRF.16 MIB
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
HC-579
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
Configuring PPP on the Cisco ASR 9000 Series Router
This module describes the configuration of Point-to-Point Protocol (PPP) on POS and serial interfaces on the Cisco ASR 9000 Series Router.
Feature History for Configuring PPP Interfaces
Release: Modification
Release 3.9.0: PPP and ICSSO for PPP and MLPPP were introduced on the Cisco ASR 9000 Series Router.
Release 3.9.1: Support for T3 Channelized SONET was added.
Release 4.0.0: Support for the following features was added for the 2-Port Channelized OC-12c/DS0 SPA:
• IPHC over PPP, MLPPP, and MLPPP/LFI
• NxDS0 serial interfaces
Support for PPP was introduced on the following SPAs:
• 1-Port Channelized OC-48/STM-16 SPA
• 1-Port OC-192c/STM-64 POS/RPR XFP SPA
• 2-Port OC-48c/STM-16 POS/RPR SPA
• 8-Port OC-12c/STM-4 POS SPA
Release 4.0.1: Support for PPP was added for the following SPAs on the Cisco ASR 9000 Series Router:
• Cisco 1-Port Channelized OC-3/STM-1 SPA (also supports MLPPP)
• Cisco 2-Port and 4-Port Clear Channel T3/E3 SPA
• Cisco 4-Port OC-3c/STM-1 SPA
• Cisco 8-Port OC-3c/STM-1 SPA
Release 4.1.0: Support for the Noise Attribute was added for PPP to remove links on MLPPP bundles when Link Noise Monitoring (LNM) thresholds are crossed on a link.
Support for PPP, including MLPPP support on T1/E1 channels, was introduced on the following SPAs:
• Cisco 4-Port Channelized T3 SPA
• Cisco 8-Port Channelized T1/E1 SPA
Contents
• Prerequisites for Configuring PPP, page 580
• Information About PPP, page 581
• How to Configure PPP, page 588
• Configuration Examples for PPP, page 621
• Additional References, page 633
Prerequisites for Configuring PPP
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Before you can configure PPP authentication on a POS or serial interface, be sure that the following tasks and conditions are met:
• Your hardware must support POS or serial interfaces.
• You have enabled PPP encapsulation on your interface with the encap ppp command, as described in the appropriate module:
– To enable PPP encapsulation on a POS interface, see the Configuring POS Interfaces on the Cisco ASR 9000 Series Router module in this manual.
– To enable PPP encapsulation on a serial interface, see the Configuring Serial Interfaces on the Cisco ASR 9000 Series Router module in this manual.
Information About PPP
To configure PPP and related features, you should understand the information in this section:
• PPP Authentication, page 581
• Multilink PPP, page 582
• ICSSO for PPP and MLPPP, page 584
• Multiclass MLPPP with QoS, page 586
• T3 SONET Channels, page 587
PPP Authentication
When PPP authentication is configured on an interface, a host requires that the other host uniquely
identify itself with a secure password before establishing a PPP connection. The password is unique and
is known to both hosts.
PPP supports the following authentication protocols:
• Challenge-Handshake Authentication Protocol (CHAP)
• Microsoft extension to the CHAP protocol (MS-CHAP)
• Password Authentication Protocol (PAP).
When you first enable PPP on a POS or serial interface, no authentication is enabled on the interface
until you configure a CHAP, MS-CHAP, or PAP secret password under that interface. Keep the following
information in mind when configuring PPP on an interface:
• CHAP, MS-CHAP, and PAP can be configured on a single interface; however, only one
authentication method is used at any one time. The order in which the authentication protocols are
used is determined by the peer during the LCP negotiations. The first authentication method used is
the one that is also supported by the peer.
• PAP is the least secure authentication protocol available on POS and serial interfaces. To ensure
higher security for information that is sent over POS and serial interfaces, we recommend
configuring CHAP or MS-CHAP authentication in addition to PAP authentication.
• Enabling or disabling PPP authentication does not affect the local router's willingness to authenticate itself to the remote device.
• The ppp authentication command is also used to specify the order in which CHAP, MS-CHAP, and
PAP authentication is selected on the interface. You can enable CHAP, MS-CHAP, or PAP in any
order. If you enable all three methods, the first method specified is requested during link negotiation.
If the peer suggests using the second method, or refuses the first method, the second method is tried.
Some remote devices support only one method. Base the order in which you specify methods on the
remote device’s ability to correctly negotiate the appropriate method and on the level of data line
security you require. PAP usernames and passwords are sent as clear text strings, which can be
intercepted and reused.
Caution If you use a list-name value that was not configured with the aaa authentication ppp command, your
interface cannot authenticate the peer. For details on implementing the aaa authentication command
with the ppp keyword, see the Authentication, Authorization, and Accounting Commands on Cisco IOS
XR Software module of Cisco IOS XR System Security Command Reference and Configuring AAA
Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
PAP Authentication
PAP provides a simple method for a remote node to establish its identity using a two-way handshake.
After a PPP link is established between two hosts, a username and password pair is repeatedly sent by
the remote node across the link (in clear text) until authentication is acknowledged, or until the
connection is terminated.
PAP is not a secure authentication protocol. Passwords are sent across the link in clear text and there is
no protection from playback or trial-and-error attacks. The remote node is in control of the frequency
and timing of the login attempts.
CHAP Authentication
CHAP is defined in RFC 1994, and it verifies the identity of the peer by means of a three-way handshake.
The steps that follow provide a general overview of the CHAP process:
Step 1 The CHAP authenticator sends a challenge message to the peer.
Step 2 The peer responds with a value calculated through a one-way hash function.
Step 3 The authenticator checks the response against its own calculation of the expected hash value. If the
values match, then the authentication is successful. If the values do not match, then the connection is
terminated.
This authentication method depends on a CHAP password known only to the authenticator and the peer.
The CHAP password is not sent over the link. Although the authentication is only one-way, you can
negotiate CHAP in both directions, with the help of the same CHAP password set for mutual
authentication.
Note For CHAP authentication to be valid, the CHAP password must be identical on both hosts.
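The three steps above, carried out in code as an added example that is not from the Cisco guide: CHAP with the MD5 algorithm of RFC 1994, where the response is MD5(Identifier || secret || Challenge) and the shared CHAP password never crosses the link. Class and function names are my own and the peer name and secrets are constructed; the third exchange shows that a response captured from an earlier handshake does not verify against a new challenge, which is the replay protection the PAP section says PAP lacks.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# RFC 1994 CHAP with the MD5 algorithm: Response = MD5(Identifier || secret || Challenge).
# Only the Identifier, the challenge value and the 16-byte hash travel over the link.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the 16-byte CHAP MD5 response for one challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side: issues fresh challenges and checks the peer's response."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets                 # peer name -> shared CHAP password
        self._pending: Dict[int, bytes] = {}    # outstanding challenges by Identifier
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: send a challenge with a fresh Identifier and a random value."""
        ident = self._next_id
        self._next_id = (ident + 1) % 256
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        The challenge is consumed on first use, so a replayed response fails."""
        value = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Peer side: answers a challenge with its name and the hash (step 2)."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: ChapAuthenticator, peer: ChapPeer) -> Tuple[bool, int, bytes]:
    """Drive one challenge/response exchange; returns (success, identifier, response)."""
    ident, value = auth.challenge()
    name, response = peer.respond(ident, value)
    return auth.verify(ident, name, response), ident, response


def demo() -> Dict[str, bool]:
    """Three exchanges against a constructed authenticator (peer name and secrets made up)."""
    auth = ChapAuthenticator({"ce-router": b"same-secret-on-both-hosts"})
    ok, _, captured = run_handshake(auth, ChapPeer("ce-router", b"same-secret-on-both-hosts"))
    # The guide's note: the CHAP password must be identical on both hosts.
    mismatch, _, _ = run_handshake(auth, ChapPeer("ce-router", b"typo-in-password"))
    # Replay: present the response captured above against a brand-new challenge.
    ident, _ = auth.challenge()
    replayed = auth.verify(ident, "ce-router", captured)
    return {"matching_secret": ok, "mismatched_secret": mismatch, "replayed_response": replayed}


if __name__ == "__main__":
    print(demo())
```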
MS-CHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is the Microsoft version of CHAP
and is an extension to RFC 1994. MS-CHAP follows the same authentication process used by CHAP. In
this case, however, authentication occurs between a PC using Microsoft Windows NT or Microsoft
Windows 95 and a Cisco router or access server acting as a network access server (NAS).
Note For MS-CHAP authentication to be valid, the MS-CHAP password must be identical on both hosts.
Multilink PPP
Multilink Point-to-Point Protocol (MLPPP) provides a method for combining multiple physical links
into one logical link. The implementation combines multiple PPP interfaces into one multilink interface.
MLPPP performs the fragmenting, reassembling, and sequencing of datagrams across multiple PPP
links.
Link Fragmentation and Interleaving (LFI) is designed for MLPPP interfaces and is required when
integrating voice and data on low-speed interfaces.
Link Fragmentation and Interleaving (LFI) provides stability for delay-sensitive traffic, such as voice or
video, traveling on the same circuit as data. Voice is susceptible to increased latency and jitter when the
network processes large packets on low-speed interfaces. LFI reduces delay and jitter by fragmenting
large datagrams and interleaving them with low-delay traffic packets.
Figure 34 Link Fragmentation Interleave
MLPPP Feature Summary
MLPPP in Cisco IOS XR provides the same features that are supported on PPP Serial interfaces with the
exception of QoS. It also provides the following additional features:
• Long sequence numbers (24-bit).
• Lost fragment detection timeout period of 1 second.
• Minimum-active-links configuration option.
• LCP echo request/reply support over multilink interface.
• Full T1 and E1 framed and unframed links.
• Support for the Cisco 2-Port Channelized OC-12c/DS0 SPA to set thresholds for noise errors on
T1/E1 links that are used to signal the Noise Attribute to PPP for removal of an MLPPP bundle link.
For more information about LNM, see the “Configuring Clear Channel T3/E3 Controllers and
Channelized T3 Controllers on the Cisco ASR 9000 Series Router” module in the Cisco ASR 9000
Series Aggregation Services Router Interface and Hardware Component Configuration Guide.
IPHC Over MLPPP
The 2-Port Channelized OC-12c/DS0 SPA supports IPHC over PPP, MLPPP, and MLPPP/LFI. For more
information about IPHC and how to configure it, see the “Configuring Serial Interfaces on the Cisco
ASR 9000 Series Router” module in the Cisco ASR 9000 Series Aggregation Services Router Interface
and Hardware Component Configuration Guide.
[Figure 34, Link Fragmentation Interleave: two panels, “Before LFI” and “After LFI”, showing voice packets and data packet fragments on the link.]
ICSSO for PPP and MLPPP
Note SR-APS and MR-APS are not supported on the Cisco 1-Port Channelized OC-48/STM-16 SPA.
Inter-Chassis Stateful Switchover (ICSSO) on the Cisco ASR 9000 Series Router provides features that
maintain Point-to-Point Protocol (PPP) and Multilink PPP (MLPPP) sessions during a Multi-Router
Automatic Protection Switching (MR-APS) switchover from the MR-APS Working router to the
MR-APS Protect router.
ICSSO allows an MR-APS switchover to occur without the need for Link Control Protocol (LCP) or IP
Control Protocol (IPCP) renegotiation between the new MR-APS active router and the remote
PPP/MLPPP peer devices. The primary purpose of ICSSO is to minimize subscriber session and data
loss during an MR-APS switchover.
ICSSO synchronizes the PPP and MLPPP state information on the active router with the state
information on the backup router, and ensures that the backup router is ready to forward traffic
immediately after an MR-APS switchover.
ICSSO works in conjunction with the following other software components:
• Multi-Router Automatic Protection Switching (MR-APS), page 584
• Session State Redundancy Protocol (SSRP), page 584
• Redundancy Group Manager (RG-MGR), page 585
• IP Fast Reroute (IP-FRR), page 585
• VPN Routing And Forwarding (VRF), page 585
• Open Shortest Path First (OSPF), page 586
Multi-Router Automatic Protection Switching (MR-APS)
Multi-Router Automatic Protection Switching (MR-APS) is a Cisco feature that provides Layer 1
protection against facility and equipment failures through the configuration of a protection pair of
SONET controllers located on two different routers. The redundant backup router is configured
identically to the active router and is ready to forward traffic immediately upon an MR-APS switchover.
The protection pair communicates using Layer 1 (k1/k2) signalling bytes from the SONET downstream
connection (as per Bellcore specification GR-253-CORE) and Layer 3 signaling messages using Protect
Group Protocol (PGP). MR-APS detects many of the sources of failures that indirectly trigger an IP-FRR
update to use backup routes.
In an MR-APS configuration, two interfaces, on different routers, are assigned the roles of Working
interface or Protect interface. These roles are configured by the operator. Under normal conditions, the
Working interface carries active traffic. If the Working interface fails, the Protect interface takes over the
active traffic immediately with no loss of PPP traffic.
Session State Redundancy Protocol (SSRP)
A pair of SONET controllers configured for MR-APS are part of a Session State Redundancy Protocol
(SSRP) protection group. SSRP communicates interface and system state information between the
Active and Standby routers. SSRP also serves as the keepalive protocol.
SSRP configuration associates a SONET controller with an inter-chassis redundancy group and enables
MR-APS peer routers to synchronize PPP session states on each Active SONET controller.
PPP sessions can have one of three states:
• Active–A PPP session is in the Active state when the PPP session negotiation is complete, the
associated route is installed, and the associated adjacency is created. PPP sessions in the Active state
replicate data to their peers on the Standby router.
• Standby Up–A PPP session on the Standby router is in the Standby Up state when replicated state
information is received from the Active router, the associated PPP route is installed, and the
associated adjacency is created. PPP sessions in the Standby Up state are ready to forward traffic
immediately after an MR-APS switchover.
• Standby Down–A PPP session on the Standby router is in the Standby Down state when the
associated route is not installed and the adjacency is not created.
SSRP runs between the MR-APS peer routers and uses TCP/IP. One SSRP session runs on each pair of
redundant SONET controllers, meaning multiple SSRP sessions can be running on a pair of
MR-APS-redundant routers.
Note SSRP is not a redundancy control protocol, but is a state information synchronization protocol.
Redundancy Group Manager (RG-MGR)
The Redundancy Group Manager (RG-MGR) configures the backup routes for the protected interface.
The RG-MGR registers events on protected SONET controllers and provides the Routing Information
Base (RIB) component with IP Fast Reroute (IP-FRR) updates.
IP Fast Reroute (IP-FRR)
Note IP-FRR, when used with ICSSO, is only supported with PPP encapsulation. It is not supported with
HDLC encapsulation.
IP Fast Reroute (IP-FRR) provides extremely fast rerouting of PPP/MLPPP traffic after an MR-APS
switchover.
IP-FRR controls the primary and backup routes. Each route is mapped in the Routing Information Base
(RIB), and IP-FRR controls which backup path is used to forward traffic after an MR-APS switchover.
An MR-APS switchover triggers an IP-FRR update, which activates the backup routes on the protection
SONET controller. When the working SONET controller is restored, another IP-FRR update is triggered,
and traffic is rerouted to the primary route.
For more information about IP-FRR, refer to the “Implementing MPLS Traffic Engineering on Cisco
IOS XR Software” module in the Cisco IOS XR MPLS Configuration Guide.
VPN Routing And Forwarding (VRF)
ICSSO can be used with VPN routing and forwarding (VRF). Customers who wish to isolate traffic
streams with different service types can do so using VRF technology. VRF allows the user to create and
maintain separate routing and forwarding databases. See VRF on Multilink Configuration for Use with
ICSSO: Example, page 625 and VRF on Ethernet Configuration for Use with ICSSO: Example,
page 625. For more information on configuring VRF, refer to the Cisco ASR 9000 Series Aggregation
Services Router Routing Configuration Guide.
Open Shortest Path First (OSPF)
Aggregation routers that terminate PPP sessions to a set of remote peers must advertise their availability
on the network using Open Shortest Path First (OSPF). OSPF is required to advertise the availability of
remote PPP peers to the ICSSO peer router. See OSPF Configuration for Use with ICSSO: Example,
page 626. For more information on configuring OSPF, refer to the Cisco ASR 9000 Series Aggregation
Services Router Routing Configuration Guide.
ICSSO Configuration Overview
ICSSO is configured as follows:
• Configure MR-APS
• Configure SSRP profile
• Configure SSRP groups
• Configure serial interfaces with PPP encapsulation
• Configure multilink interfaces
• Verify ICSSO configuration
The “Configuring ICSSO for PPP and MLPPP” section on page 612 of this module provides step
procedures for configuring ICSSO.
The “ICSSO for PPP and MLPPP Configuration: Examples” section on page 622 gives specific
examples for configuring ICSSO and related components.
Multiclass MLPPP with QoS
Multiclass Multilink Point-to-Point Protocol (MLPPP) can be utilized with Quality of Service (QoS) and
configured using the encap-sequence command under a class in a policy map.
The encap-sequence command specifies the MLPPP MCMP class ID for the packets in an MQC defined
class.
The valid values for the encap-sequence ID number are none, 0, 1, 2, or 3. The none value is applicable
only when the priority level is 1 and indicates that there is no MLPPP encapsulation. The values 1, 2,
or 3 can be used with priority 1 or 2 classes or other classes with queuing actions. An encap-sequence
ID number of zero (0) is reserved for the default class and cannot be specified in any other classes.
Note The encap-sequence ID numbers must be configured in numeric order. For example, you cannot assign
an ID number of 3 unless you have already assigned 1 and 2.
The number of encap-sequence ID numbers must be less than the number of MLPPP classes that are
negotiated between the peers via the Multilink header. The user must ensure that the configuration is
consistent as the system does not verify this.
The ppp multilink multiclass remote apply command provides a way to ensure this. Keep the number of
classes that use an encap-sequence ID number (including the default of 0) less than the min-number
value in the ppp multilink multiclass remote apply command. For example, if the min-number value in
the ppp multilink multiclass remote apply command is 4, you can have at most three classes with
encap-sequence ID numbers.
The QoS policy validates the following conditions. If these conditions are not met, the policy is rejected:
• The encap-sequence ID number is within the allowed values of 1 to 3.
• When encap-sequence is configured for any class in a policy map, all classes in that policy map
with priority level 1 must also contain an encap-sequence ID number.
• The encap-sequence none configuration is restricted to classes with priority level 1.
• The class-default does not contain an encap-sequence configuration.
• Only classes containing a queuing action have the encap-sequence configuration.
Note Classes that share the same encap-sequence ID number must have the same priority.
A QoS policy map is configured as follows:
config
policy-map type qos policy-name
class class-name
action
action
action
. . .
The following example shows how to configure a policy map for MLPPP:
config
policy-map foo
class ip-prec-1
encap-sequence none
police rate percent 10
priority level 1
!
class ip-prec-2
encap-sequence 1
shape average percent 80
!
class ip-prec-3
encap-sequence 1
bandwidth percent 10
!
class class-default
!
end-policy-map
!
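The conditions listed above, together with the numeric-order note and the min-number rule, as an added validator that is not part of the Cisco guide: it parses a policy map written in the CLI form of the example and returns every reason the QoS policy would be rejected. The set of actions counted as queuing actions, and the min-number interpretation (every ID in use, with 0 for class-default, must fit below min-number, which matches the page's example of min-number 4 allowing three classes), are assumptions of the example.

```python
from typing import List, Optional, Tuple, Union

# Actions treated here as "queuing actions". The guide states the rule but not the exact
# action set, so this tuple is an assumption of the example.
QUEUING_ACTIONS = ("priority", "shape", "bandwidth", "queue-limit", "random-detect")

def parse_policy_map(text: str) -> List[Tuple[str, List[str]]]:
    """Parse one policy-map in the CLI form shown above into (class name, action lines)."""
    classes: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("config", "!", "end-policy-map") or line.startswith("policy-map"):
            continue
        if line.startswith("class "):
            classes.append((line.split(None, 1)[1], []))
        elif classes:
            classes[-1][1].append(line)
    return classes

def settings_of(actions: List[str]) -> Tuple[Union[None, int, str], Optional[int]]:
    """Return (encap-sequence value, priority level); None when the action is absent."""
    encap, level = None, None
    for a in actions:
        parts = a.split()
        if parts[0] == "encap-sequence" and len(parts) == 2:
            encap = int(parts[1]) if parts[1].isdigit() else parts[1]
        elif parts[:2] == ["priority", "level"] and len(parts) == 3:
            level = int(parts[2])
    return encap, level

def validate_multiclass_policy(classes: List[Tuple[str, List[str]]], min_number: int) -> List[str]:
    """Apply the page's conditions; min_number is from 'ppp multilink multiclass remote apply'."""
    errors: List[str] = []
    any_encap = any(settings_of(a)[0] is not None for _, a in classes)
    ids_used = {}  # encap-sequence ID -> set of priority levels of the classes using it
    for name, actions in classes:
        e, level = settings_of(actions)
        if e is None:
            if any_encap and level == 1:
                errors.append(f"{name}: priority level 1 class lacks an encap-sequence")
            continue
        if name == "class-default":
            errors.append("class-default must not carry an encap-sequence (0 is implicit)")
            continue
        if not any(a.split()[0] in QUEUING_ACTIONS for a in actions):
            errors.append(f"{name}: encap-sequence on a class without a queuing action")
        if e == "none":
            if level != 1:
                errors.append(f"{name}: 'encap-sequence none' is only valid with priority level 1")
            continue
        if not isinstance(e, int) or not 1 <= e <= 3:
            errors.append(f"{name}: encap-sequence {e} is outside 1-3 (0 is reserved for class-default)")
            continue
        ids_used.setdefault(e, set()).add(level)
    for e, levels in sorted(ids_used.items()):
        if len(levels) > 1:
            errors.append(f"encap-sequence {e}: classes sharing an ID must have the same priority")
    if ids_used and set(ids_used) != set(range(1, max(ids_used) + 1)):
        errors.append("encap-sequence IDs must be assigned in numeric order (1, then 2, then 3)")
    # Every ID in use (0 for class-default) must fit below the negotiated class count:
    # with min-number 4 the IDs 0..3 fit, i.e. at most three non-default classes carry IDs.
    if ids_used and max(ids_used) >= min_number:
        errors.append(f"encap-sequence {max(ids_used)} does not fit below min-number {min_number}")
    return errors

# The guide's own 'policy-map foo' example, retyped from the page.
PAGE_EXAMPLE = """\
policy-map foo
 class ip-prec-1
  encap-sequence none
  police rate percent 10
  priority level 1
 !
 class ip-prec-2
  encap-sequence 1
  shape average percent 80
 !
 class ip-prec-3
  encap-sequence 1
  bandwidth percent 10
 !
 class class-default
 !
 end-policy-map
!
"""

# Constructed classes that break several of the conditions at once.
BAD_CLASSES = [
    ("voice", ["encap-sequence none", "shape average percent 20"]),
    ("video", ["encap-sequence 2", "bandwidth percent 30"]),
    ("bulk", ["encap-sequence 2", "police rate percent 10", "priority level 2"]),
    ("class-default", ["encap-sequence 0"]),
]

def check(text: str, min_number: int) -> List[str]:
    return validate_multiclass_policy(parse_policy_map(text), min_number)
```

`check(PAGE_EXAMPLE, 4)` returns an empty list, while `validate_multiclass_policy(BAD_CLASSES, 4)` reports the misplaced `none`, the ID on class-default, the shared ID with differing priorities and the gap in numeric order.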
For complete information on configuring QoS and QoS commands, refer to the Cisco ASR 9000 Series
Aggregation Services Routers Modular Quality of Service Configuration Guide and the
Cisco ASR 9000 Series Aggregation Services Routers Modular Quality of Service Command Reference.
T3 SONET Channels
The Cisco ASR 9000 Series Router supports T3 channelized SONET on the following hardware:
• SIP 700 SPA Interface Processor
• 1-Port Channelized OC-3/STM-1 SPA
• 2-Port Channelized OC-12c/DS0 SPA
• 1-Port Channelized OC-48/STM-16 SPA
Channelized SONET provides the ability to transport multiple T3 channels over the same physical link.
For more detailed information about configuring channelized SONET, T3 and T1 controllers, serial
interfaces, and SONET APS, see the following related modules:
• “Configuring Channelized SONET/SDH on the Cisco ASR 9000 Series Router”
• “Configuring Clear Channel SONET Controllers on the Cisco ASR 9000 Series Router”
• “Configuring Clear Channel T3/E3 and Channelized T3 and T1/E1 Controllers on the
Cisco ASR 9000 Series Router”
• “Configuring Serial Interfaces on the Cisco ASR 9000 Series Router”
How to Configure PPP
This section includes the following procedures:
• Modifying the Default PPP Configuration, page 588
• Configuring PPP Authentication, page 591
• Disabling an Authentication Protocol, page 599
• Configuring Multilink PPP, page 604
• Configuring ICSSO for PPP and MLPPP, page 612
Modifying the Default PPP Configuration
When you first enable PPP on an interface, the following default configuration applies:
• The interface resets itself immediately after an authentication failure.
• The maximum number of configuration requests without response permitted before all requests are
stopped is 10.
• The maximum number of consecutive Configure Negative Acknowledgments (CONFNAKs)
permitted before terminating a negotiation is 5.
• The maximum number of terminate requests (TermReqs) without response permitted before the
Link Control Protocol (LCP) or Network Control Protocol (NCP) is closed is 2.
• Maximum time to wait for a response to an authentication packet is 10 seconds.
• Maximum time to wait for a response during PPP negotiation is 3 seconds.
This task explains how to modify the basic PPP configuration on serial and POS interfaces that have PPP
encapsulation enabled. The commands in this task apply to all authentication types supported by PPP
(CHAP, MS-CHAP, and PAP).
Prerequisites
You must enable PPP encapsulation on the interface with the encapsulation ppp command.
• To enable PPP encapsulation on a POS interface, see the Configuring POS Interfaces on the
Cisco ASR 9000 Series Router module in this manual.
• To enable PPP encapsulation on an interface, see the Configuring Serial Interfaces on the
Cisco ASR 9000 Series Router module in this manual.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp max-bad-auth retries
4. ppp max-configure retries
5. ppp max-failure retries
6. ppp max-terminate number
7. ppp timeout authentication seconds
8. ppp timeout retry seconds
9. end
or
commit
10. show ppp interfaces {type interface-path-id | all | brief {type interface-path-id | all | location
node-id} | detail {type interface-path-id | all | location node-id} | location node-id}
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp max-bad-auth retries
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp
max-bad-auth 3
(Optional) Configures the number of authentication retries
allowed on an interface after a PPP authentication failure.
• If you do not specify the number of authentication
retries allowed, the router resets itself immediately
after an authentication failure.
• Replace the retries argument with number of retries
after which the interface is to reset itself, in the range
from 0 through 10.
• The default is 0 retries.
• The ppp max-bad-auth command applies to any
interface on which PPP encapsulation is enabled.
Step 4 ppp max-configure retries
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp
max-configure 4
(Optional) Specifies the maximum number of configure
requests to attempt (without response) before the requests
are stopped.
• Replace the retries argument with the maximum
number of configure requests retries, in the range from
4 through 20.
• The default maximum number of configure requests is
10.
• If a configure request message receives a reply before
the maximum number of configure requests are sent,
further configure requests are abandoned.
Step 5 ppp max-failure retries
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp
max-failure 3
(Optional) Configures the maximum number of consecutive
Configure Negative Acknowledgments (CONFNAKs)
permitted before a negotiation is terminated.
• Replace the retries argument with the maximum
number of CONFNAKs to permit before terminating a
negotiation, in the range from 2 through 10.
• The default maximum number of CONFNAKs is 5.
Step 6 ppp max-terminate number
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp
max-terminate 5
(Optional) Configures the maximum number of terminate
requests (TermReqs) to send without reply before the Link
Control Protocol (LCP) or Network Control Protocol (NCP)
is closed.
• Replace the number argument with the maximum
number of TermReqs to send without reply before
closing down the LCP or NCP. Range is from 2 to 10.
• The default maximum number of TermReqs is 2.
Step 7 ppp timeout authentication seconds
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp timeout
authentication 20
(Optional) Sets PPP authentication timeout parameters.
• Replace the seconds argument with the maximum time,
in seconds, to wait for a response to an authentication
packet. Range is from 3 to 30 seconds.
• The default authentication time is 10 seconds, which
should allow time for a remote router to authenticate
and authorize the connection and provide a response.
However, it is also possible that it will take much less
time than 10 seconds. In such cases, use the ppp
timeout authentication command to lower the timeout
period to improve connection times in the event that an
authentication response is lost.
Step 8 ppp timeout retry seconds
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp timeout
retry 8
(Optional) Sets PPP timeout retry parameters.
• Replace the seconds argument with the maximum time,
in seconds, to wait for a response during PPP
negotiation. Range is from 1 to 10 seconds.
• The default is 3 seconds.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 10 show ppp interfaces {type interface-path-id |
all | brief {type interface-path-id | all |
location node-id} | detail {type
interface-path-id | all | location node-id} |
location node-id}
Example:
RP/0/RSP0/CPU0:router# show ppp interfaces
serial 0/2/0/0
Verifies the PPP configuration for an interface or for all
interfaces that have PPP encapsulation enabled.
Configuring PPP Authentication
This section contains the following procedures:
• Enabling PAP, CHAP, and MS-CHAP Authentication, page 591
• Configuring a PAP Authentication Password, page 594
• Configuring a CHAP Authentication Password, page 596
• Configuring an MS-CHAP Authentication Password, page 598
Enabling PAP, CHAP, and MS-CHAP Authentication
This task explains how to enable PAP, CHAP, and MS-CHAP authentication on a serial or POS interface.
Prerequisites
You must enable PPP encapsulation on the interface with the encapsulation ppp command, as described
in the following modules:
• To enable PPP encapsulation on a POS interface, see the Configuring POS Interfaces on the
Cisco ASR 9000 Series Router module in this manual.
• To enable PPP encapsulation on an interface, see the Configuring Serial Interfaces on the
Cisco ASR 9000 Series Router module in this manual.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp authentication protocol [protocol [protocol]] [list-name | default]
4. end
or
commit
5. show ppp interfaces {type interface-path-id | all | brief {type interface-path-id | all | location
node-id} | detail {type interface-path-id | all | location node-id} | location node-id}
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp authentication protocol [protocol
[protocol]] [list-name | default]
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp
authentication chap pap MIS-access
Enables CHAP, MS-CHAP, or PAP on an interface, and
specifies the order in which CHAP, MS-CHAP, and PAP
authentication is selected on the interface.
• Replace the protocol argument with pap, chap, or
ms-chap.
• Replace the list name argument with the name of a list
of methods of authentication to use. To create a list, use
the aaa authentication ppp command, as described in
the Authentication, Authorization, and Accounting
Commands on Cisco IOS XR Software module of the
Cisco IOS XR System Security Command Reference.
• If no list name is specified, the system uses the default.
The default list is designated with the aaa
authentication ppp command, as described in the
Authentication, Authorization, and Accounting
Commands on Cisco IOS XR Software module of the
Cisco IOS XR System Security Command Reference.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show ppp interfaces {type interface-path-id |
all | brief {type interface-path-id | all |
location node-id} | detail {type
interface-path-id | all | location node-id} |
location node-id}
Example:
RP/0/RSP0/CPU0:router# show ppp interfaces
serial 0/2/0/0
Displays PPP state information for an interface.
• Enter the type interface-path-id argument to display
PPP information for a specific interface.
• Enter the brief keyword to display brief output for all
interfaces on the router, for a specific interface
instance, or for all interfaces on a specific node.
• Enter the all keyword to display detailed PPP
information for all nodes installed in the router.
• Enter the location node-id keyword argument to
display detailed PPP information for the designated
node.
There are seven possible PPP states applicable for either the
Link Control Protocol (LCP) or the Network Control
Protocol (NCP).
Where To Go Next
Configure a PAP, CHAP, or MS-CHAP authentication password, as described in the appropriate section:
• If you enabled PAP on an interface, configure a PAP authentication username and password, as
described in the “Configuring a PAP Authentication Password” section on page 594.
• If you enabled CHAP on an interface, configure a CHAP authentication password, as described in
the “Configuring a CHAP Authentication Password” section on page 596.
• If you enabled MS-CHAP on an interface, configure an MS-CHAP authentication password, as
described in the “Configuring an MS-CHAP Authentication Password” section on page 598.
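Two things this procedure and the notes at the top of the section leave to the operator can be checked mechanically: whether pap appears in (or leads) an interface's ppp authentication list, since PAP credentials cross the link in clear text, and whether a list-name given on the interface was ever defined with aaa authentication ppp (the Caution above: without it the interface cannot authenticate the peer). The following added example is not from the Cisco guide; it parses a constructed show running-config excerpt (interface names, list names and the PLACEHOLDER secret are made up, and the method keywords after the aaa list name are assumed and not inspected) and reports those conditions per PPP interface.

```python
from typing import Dict, List, Set, Tuple

PPP_AUTH_PROTOCOLS = ("pap", "chap", "ms-chap")

# Constructed 'show running-config' excerpt in the style of the guide's examples.
# Interface names, list names and the placeholder secret are made up.
SAMPLE_CONFIG = """\
aaa authentication ppp MIS-access group radius local
interface Serial0/4/0/1
 encapsulation ppp
 ppp authentication chap pap MIS-access
 ppp pap sent-username xxxx password encrypted PLACEHOLDER
!
interface Serial0/4/0/2
 encapsulation ppp
 ppp authentication pap chap ACCT-list
!
interface Serial0/4/0/3
 encapsulation ppp
 ppp authentication ms-chap chap
 ppp chap password encrypted PLACEHOLDER
!
interface POS0/1/0/0
 encapsulation ppp
!
"""


def parse_running_config(text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Collect 'aaa authentication ppp' list names and each interface's sub-commands."""
    aaa_lists: Set[str] = set()
    interfaces: Dict[str, List[str]] = {}
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # a top-level command ends any interface block
            cur = None
            parts = raw.split()
            if parts[:3] == ["aaa", "authentication", "ppp"] and len(parts) > 3:
                aaa_lists.add(parts[3])
            elif parts[0] == "interface" and len(parts) > 1:
                cur = " ".join(parts[1:])
                interfaces[cur] = []
        elif cur is not None:
            interfaces[cur].append(raw.strip())
    return aaa_lists, interfaces


def audit_ppp_authentication(text: str) -> Dict[str, List[str]]:
    """Flag PPP interfaces whose authentication setup weakens or disables peer checks."""
    aaa_lists, interfaces = parse_running_config(text)
    findings: Dict[str, List[str]] = {}
    for name, cmds in interfaces.items():
        if "encapsulation ppp" not in cmds:
            continue
        notes: List[str] = []
        auth = next((c for c in cmds if c.startswith("ppp authentication ")), None)
        if auth is None:
            notes.append("no 'ppp authentication' command: the peer is not authenticated")
        else:
            tokens = auth.split()[2:]
            methods = [t for t in tokens if t in PPP_AUTH_PROTOCOLS]
            others = [t for t in tokens if t not in PPP_AUTH_PROTOCOLS]
            if "pap" in methods:
                notes.append("PAP enabled: username and password cross the link as clear text")
                if methods[0] == "pap":
                    notes.append("PAP is requested first during link negotiation")
            # A list-name other than 'default' must exist as an 'aaa authentication ppp' list.
            if others and others[0] != "default" and others[0] not in aaa_lists:
                notes.append(f"list-name '{others[0]}' has no 'aaa authentication ppp' "
                             "definition: the interface cannot authenticate the peer")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for intf, notes in audit_ppp_authentication(SAMPLE_CONFIG).items():
        for n in notes:
            print(f"{intf}: {n}")
```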
Configuring a PAP Authentication Password
This task explains how to enable and configure PAP authentication on a serial or POS interface.
Note PAP is the least secure authentication protocol available on POS and serial interfaces. To ensure higher
security for information that is sent over POS and serial interfaces, we recommend configuring CHAP or
MS-CHAP authentication in addition to PAP authentication.
Prerequisites
You must enable PAP authentication on the interface with the ppp authentication command, as
described in the “Enabling PAP, CHAP, and MS-CHAP Authentication” section on page 591.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp pap sent-username username password [clear | encrypted] password
4. end
or
commit
5. show running-config
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp pap sent-username username password [clear
| encrypted] password
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp pap
sent-username xxxx password notified
Enables remote Password Authentication Protocol (PAP)
support for an interface, and includes the sent-username
and password commands in the PAP authentication request
packet to the peer.
• Replace the username argument with the username
sent in the PAP authentication request.
• Enter password clear to select cleartext encryption for
the password, or enter password encrypted if the
password is already encrypted.
• The ppp pap sent-username command allows you to
replace several username and password configuration
commands with a single copy of this command on
interfaces.
• You must configure the ppp pap sent-username
command for each interface.
• Remote PAP support is disabled by default.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show running-config
Example:
RP/0/RSP0/CPU0:router# show running-config
Verifies PPP authentication information for interfaces that
have PPP encapsulation enabled.
Configuring a CHAP Authentication Password
This task explains how to enable CHAP authentication and configure a CHAP password on a serial or
POS interface.
Prerequisites
You must enable CHAP authentication on the interface with the ppp authentication command, as
described in the “Enabling PAP, CHAP, and MS-CHAP Authentication” section on page 591.
Restrictions
The same CHAP password must be configured on both host endpoints.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp chap password [clear | encrypted] password
4. end
or
commit
5. show running-config
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp chap password [clear | encrypted] password
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp chap
password clear xxxx
Enables CHAP authentication on the specified interface,
and defines an interface-specific CHAP password.
• Enter clear if you are entering the password in cleartext, or
encrypted if the password is already encrypted.
• Replace the password argument with a cleartext or
already-encrypted password. This password is used to
authenticate secure communications among a
collection of routers.
• The ppp chap password command is used for remote
CHAP authentication only (when routers authenticate
to the peer) and does not affect local CHAP
authentication. This command is useful when you are
trying to authenticate a peer that does not support this
command (such as a router running an older
Cisco IOS XR software image).
• The CHAP secret password is used by the routers in
response to challenges from an unknown peer.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show running-config
Example:
RP/0/RSP0/CPU0:router# show running-config
Verifies PPP authentication information for interfaces that
have PPP encapsulation enabled.
Configuring an MS-CHAP Authentication Password
This task explains how to enable MS-CHAP authentication and configure an MS-CHAP password on a
serial or POS interface.
Prerequisites
You must enable MS-CHAP authentication on the interface with the ppp authentication command, as
described in the “Enabling PAP, CHAP, and MS-CHAP Authentication” section on page 591.
Restrictions
The same MS-CHAP password must be configured on both host endpoints.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp ms-chap password [clear | encrypted] password
4. end
or
commit
5. show running-config
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp ms-chap password [clear | encrypted]
password
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp ms-chap
password clear xxxx
Enables a router calling a collection of routers to configure
a common Microsoft Challenge Handshake Authentication
(MS-CHAP) secret password.
The MS-CHAP secret password is used by the routers in
response to challenges from an unknown peer.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show running-config
Example:
RP/0/RSP0/CPU0:router# show running-config
Verifies PPP authentication information for interfaces that
have PPP encapsulation enabled.
Disabling an Authentication Protocol
This section contains the following procedures:
• Disabling PAP Authentication on an Interface, page 599
• Disabling CHAP Authentication on an Interface, page 601
• Disabling MS-CHAP Authentication on an Interface, page 602
Disabling PAP Authentication on an Interface
This task explains how to disable PAP authentication on a serial or POS interface.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp pap refuse
4. end
or
commit
5. show running-config
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp pap refuse
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp pap
refuse
Refuses Password Authentication Protocol (PAP)
authentication from peers requesting it.
• If outbound Challenge Handshake Authentication
Protocol (CHAP) has been configured (using the ppp
authentication command), CHAP will be suggested as
the authentication method in the refusal packet.
• PAP authentication is disabled by default.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show running-config
Example:
RP/0/RSP0/CPU0:router# show running-config
Verifies PPP authentication information for interfaces that
have PPP encapsulation enabled.
Disabling CHAP Authentication on an Interface
This task explains how to disable CHAP authentication on a serial or POS interface.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp chap refuse
4. end
or
commit
5. show running-config
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp chap refuse
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp chap
refuse
Refuses CHAP authentication from peers requesting it.
After you enter the ppp chap refuse command under the
specified interface, all attempts by the peer to force the
user to authenticate with the help of CHAP are refused.
• CHAP authentication is disabled by default.
• If outbound Password Authentication Protocol (PAP)
has been configured (using the ppp authentication
command), PAP will be suggested as the authentication
method in the refusal packet.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show running-config
Example:
RP/0/RSP0/CPU0:router# show running-config
Verifies PPP authentication information for interfaces that
have PPP encapsulation enabled.
Disabling MS-CHAP Authentication on an Interface
This task explains how to disable MS-CHAP authentication on a serial or POS interface.
SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. ppp ms-chap refuse
4. end
or
commit
5. show running-config
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/4/0/1
Enters interface configuration mode.
Step 3 ppp ms-chap refuse
Example:
RP/0/RSP0/CPU0:router(config-if)# ppp ms-chap
refuse
Refuses MS-CHAP authentication from peers requesting it.
After you enter the ppp ms-chap refuse command under
the specified interface, all attempts by the peer to force the
user to authenticate with the help of MS-CHAP are
refused.
• MS-CHAP authentication is disabled by default.
• If outbound Password Authentication Protocol (PAP)
has been configured (using the ppp authentication
command), PAP will be suggested as the authentication
method in the refusal packet.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 5 show running-config
Example:
RP/0/RSP0/CPU0:router# show running-config
Verifies PPP authentication information for interfaces that
have PPP encapsulation enabled.
Configuring Multilink PPP
This section contains the following procedures:
• Prerequisites, page 604
• Restrictions, page 604
• Configuring the Controller, page 604
• Configuring the Interfaces, page 607
• Configuring MLPPP Optional Features, page 610
Prerequisites
MLPPP and LFI are supported on the 1-Port Channelized OC-3/STM-1 SPA and 2-Port Channelized
OC-12/DS0 SPA.
Restrictions
MLPPP for Cisco IOS XR software has the following restrictions:
• Only full rate T1s are supported.
• All links in a bundle must belong to the same SPA.
• All links in a bundle must operate at the same speed.
• A maximum of 10 links per bundle is supported.
• A maximum of 700 bundles per line card is supported.
• A maximum of 2600 bundles per system is supported.
• MLPPP interfaces are not supported with DS0 link members.
• MLPPP interfaces are not supported with T3 channels as members. Therefore, LFI is also
unsupported on T3 channels.
• All serial links in an MLPPP bundle inherit the value of the mtu command from the multilink
interface. Therefore, you should not configure the mtu command on a serial interface before
configuring it as a member of an MLPPP bundle. The Cisco IOS XR software blocks the following:
– Attempts to configure a serial interface as a member of an MLPPP bundle if the interface is
configured with a nondefault MTU value.
– Attempts to change the mtu command value for a serial interface that is configured as a member
of an MLPPP bundle.
In Cisco IOS XR software, multilink processing is controlled by a hardware module called the Multilink
Controller, which consists of an ASIC, network processor, and CPU working in conjunction. The
MgmtMultilink Controller makes the multilink interfaces behave like the serial interfaces of channelized
SPAs.
Configuring the Controller
Perform this task to configure the controller.
SUMMARY STEPS
1. configure
2. controller type interface-path-id
3. mode type
4. clock source {internal | line}
5. exit
6. controller t1 interface-path-id
7. channel-group channel-group-number
8. timeslots range
9. exit
10. exit
11. controller mgmtmultilink interface-path-id
12. bundle bundle-id
13. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 controller type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t3
0/1/0/0
Enters controller configuration submode and specifies the
controller name and instance identifier in
rack/slot/module/port notation.
Step 3 mode type
Example:
RP/0/RSP0/CPU0:router(config-t3)# mode t1
Configures the type of multilinks to channelize; for
example, 28 T1s.
Step 4 clock source {internal | line}
Example:
RP/0/RSP0/CPU0:router(config-t3)# clock source
internal
(Optional) Configures the clocking for the port.
Note The default clock source is internal.
Step 5 exit
Example:
RP/0/RSP0/CPU0:router(config-t3)# exit
Exits controller configuration mode.
Step 6 controller t1 interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller t1
0/1/0/0/1
Enters T1 configuration mode.
Step 7 channel-group channel-group-number
Example:
RP/0/RSP0/CPU0:router(config-t1)# channel-group
0
Creates a T1 channel group and enters channel group
configuration mode for that channel group. Channel group
numbers can range from 0 to 23.
Step 8 timeslots range
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
timeslots 1-24
Associates one or more DS0 time slots to a channel group
and creates an associated serial subinterface on that channel
group.
• Range is from 1 to 24 time slots.
Note The time slot range must be from 1 to 24 for the
resulting serial interface to be accepted into a
MLPPP bundle.
Step 9 exit
Example:
RP/0/RSP0/CPU0:router(config-t1-channel_group)#
exit
Exits channel group configuration mode.
Step 10 exit
Example:
RP/0/RSP0/CPU0:router(config-t1)# exit
Exits T1 configuration mode and enters global
configuration mode.
Step 11 controller mgmtmultilink interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
mgmtmultilink 0/1/0/0
Enters controller configuration submode for the
management of multilink interfaces. Specify the controller
name and instance identifier in rack/slot/module/port
notation.
Step 12 bundle bundle-id
Example:
RP/0/RSP0/CPU0:router(config-mgmtmultilink)#
bundle 20
Creates a multilink interface with the specified bundle ID.
Step 13 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# end
or
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Interfaces
Perform this task to configure the interfaces.
Restrictions
• All serial links in an MLPPP bundle inherit the value of the mtu command from the multilink
interface. Therefore, you should not configure the mtu command on a serial interface before
configuring it as a member of an MLPPP bundle. The Cisco IOS XR software blocks the following:
– Attempts to configure a serial interface as a member of an MLPPP bundle if the interface is
configured with a nondefault MTU value.
– Attempts to change the mtu command value for a serial interface that is configured as a member
of an MLPPP bundle.
SUMMARY STEPS
1. configure
2. interface multilink interface-path-id
3. ipv4 address address/mask
4. multilink fragment-size bytes
or
multilink fragment delay delay-ms
5. keepalive {interval | disable}[retry]
6. exit
7. interface type interface-path-id
8. encapsulation type
9. multilink group group-id
10. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface multilink interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
multilink 0/1/0/0/1
Specifies the multilink interface name and instance
identifier in rack/slot/module/port/bundle-id notation, and
enters interface configuration mode.
Step 3 ipv4 address ip-address
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address
80.170.0.1/24
Assigns an IP address and subnet mask to the interface in
the format:
A.B.C.D/prefix or A.B.C.D/mask
Step 4 multilink fragment-size bytes
or
multilink fragment delay delay-ms
Example:
RP/0/RSP0/CPU0:router(config-if)# multilink
fragment-size 350
or
RP/0/RSP0/CPU0:router(config-if)# multilink
fragment delay 2
(Optional) Specifies the size of the multilink fragments,
such as 128 bytes. Some fragment sizes may not be
supported. The default is no fragments.
or
(Optional) Specifies the multilink fragment delay in
milliseconds. This sets the MLPPP fragment size so that it
is equivalent in length to the transmission time delay for any
individual member-link (T1s with bandwidths of
1536000bps/192000Bps).
If the user specifies fragment delay 2, the fragment size is
(192000*.002)=384B. The usage of this command is
exclusive to the usage of fragment size. Either command
overrides the other.
Step 5 keepalive {interval | disable}[retry]
Example:
RP/0/RSP0/CPU0:router(config-if)# keepalive
disable
Sets the keepalive timer for the channel, where:
• interval—Number of seconds (from 1 to 30) between
keepalive messages. The default is 10.
• disable—Turns off the keepalive timer.
• retry—(Optional) Number of keepalive messages (from
1 to 255) that can be sent to a peer without a response
before transitioning the link to the down state. The
default is 3.
Note To connect with some Cisco IOS devices, multilink
keepalives need to be disabled on both devices.
Step 6 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits interface configuration mode and enters global
configuration mode.
Step 7 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/1/0/0/1:0
Specifies the interface name and instance identifier in
rack/slot/module/port/t1-number:channel-group notation,
and enters interface configuration mode.
Step 8 encapsulation type
Example:
RP/0/RSP0/CPU0:router(config-if)# encapsulation
ppp
Specifies the type of encapsulation; in this case, PPP.
Step 9 multilink group group-id
Example:
RP/0/RSP0/CPU0:router(config-if)# multilink
group 20
Specifies the multilink group ID for this interface.
Step 10 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring MLPPP Optional Features
Perform this task to configure either of the following optional features:
• Minimum number of active links
• Multilink interleave
Note The minimum number of active links must be configured at both endpoints.
SUMMARY STEPS
1. configure
2. interface multilink interface-path-id
3. multilink
4. ppp multilink minimum-active links value
5. multilink interleave
6. no shutdown
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface multilink interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
multilink 0/1/0/0/1
Specifies the multilink interface name and instance
identifier in rack/slot/module/port/bundle-id notation, and
enters interface configuration mode.
Step 3 multilink
Example:
RP/0/RSP0/CPU0:router(config-if)# multilink
Enters interface multilink configuration mode.
Step 4 ppp multilink minimum-active links value
Example:
RP/0/RSP0/CPU0:router(config-if-multilink)# ppp
multilink minimum-active links 12
(Optional) Specifies the minimum number of active links
for the multilink interface.
Note When support for the Noise Attribute is configured
to signal PPP to remove links on MLPPP bundles
when LNM thresholds are crossed on a link, the
links will not be removed below this
minimum-active threshold.
Step 5 multilink interleave
Example:
RP/0/RSP0/CPU0:router(config-if-multilink)#
multilink interleave
(Optional) Enables interleave on a multilink interface.
Step 6 no shutdown
Example:
RP/0/RSP0/CPU0:router(config-if-multilink)# no
shutdown
Removes the shutdown configuration.
• The removal of the shutdown configuration removes
the forced administrative down on the controller,
enabling the controller to move to an up or a down state.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if-multilink)# end
or
RP/0/RSP0/CPU0:router(config-if-multilink)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring ICSSO for PPP and MLPPP
This section provides the following ICSSO configuration procedures:
• Prerequisites, page 612
• Restrictions, page 613
• Configuring a Basic ICSSO Implementation, page 613
• Configuring MR-APS, page 614
• Configuring SSRP on Serial and Multilink Interfaces, page 616
Prerequisites
The Cisco ASR 9000 Series Router supports ICSSO in the following MR-APS, minimum equipment,
hardware configurations:
• Two 6-slot or 8-slot chassis
• Four route/switch processors (RSPs), two per chassis (offers a higher degree of reliability)
• Two 20G SIPs, 1 per chassis
• Two of the following SPA types, 1 per chassis:
– 2-Port Channelized OC-12/DS0 SPA
– 4-Port Channelized T3 SPA
– 8-Port Channelized T1/E1 SPA
• Two 40 Gigabit Ethernet line cards, 2 per chassis
• Two 4-Port 10 Gigabit Ethernet line cards, 1 per chassis
• 1-Port Channelized OC-3/STM-1 SPA (SPA-1XCHSTM1/OC3)
Restrictions
The following restrictions apply to ICSSO for PPP and MLPPP:
• ICSSO is supported only on two independent routers.
ICSSO for two line cards on the same router is not supported.
• Automated synchronization or verification of the IOS XR system configuration between the ICSSO
peer routers is not available.
• The following restrictions apply to ICSSO on the 2-Port Channelized OC-12/DS0 SPA:
– ICSSO is supported only on T1/T3 PPP and T1/MLPPP interfaces.
– T1 member links must terminate on the same SPA.
– Member links in an MLPPP bundle being protected by MR-APS must all be contained in the
same SONET port, this SONET port being a part of the MR-APS protection pair.
– T1/PPP, T3/PPP and MLPPP encapsulated interfaces on the OC-12 SONET interface can be
protected.
• The following restrictions apply to ICSSO on the 1-Port Channelized T3 SPA:
– Supported for PPP on T3, T1, E1 channels only.
– Supported for member links in an MLPPP on E1 channels only.
• The following restrictions apply to ICSSO on the 8-Port Channelized T1/E1 SPA:
– Supported for PPP on T1 and E1 channels only.
– Supported for member links in an MLPPP on E1 channels only.
Configuring a Basic ICSSO Implementation
Use the following procedure to configure a simple version of ICSSO.
SUMMARY STEPS
1. config
2. redundancy
3. multi-router aps
4. group group_number
5. controller sonet path
6. member ipv4 address backup-interface
7. commit
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/RSP0/CPU0:router# config
Enters global configuration mode.
Step 2 redundancy
Example:
RP/0/RSP0/CPU0:router(config)# redundancy
Enters redundancy configuration mode.
Step 3 multi-router aps
Example:
RP/0/RSP0/CPU0:router(config-redundancy)#
multi-router aps
Configures Multi-Router APS redundancy and enters APS
redundancy configuration mode.
Step 4 group group_number
Example:
RP/0/RSP0/CPU0:router(config-redundancy-aps)#
group 1
Configures the APS redundancy group and assigns the
group number.
Step 5 controller sonet path
Example:
RP/0/RSP0/CPU0:router(config-redundancy-aps-gro
up)# controller sonet 0/1/0/0
Specifies a SONET controller as the APS redundancy
backup.
Step 6 member ipv4 address backup-interface type
interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-redundancy-group-c
ontroller)# member ipv4 10.10.10.10
backup-interface GigabitEthernet 0/6/0/1
Specifies the IP address of the backup interface used by
IP-FRR.
Step 7 commit
Example:
RP/0/RSP0/CPU0:router(config-redundancy-group-c
ontroller)# commit
Saves the configuration.
Step 8 show running config
Example:
RP/0/RSP0/CPU0:router# show running config
Displays the current configuration on the router, including
MR-APS, SONET controller, and IP address information
for verifying the configuration.
Configuring MR-APS
Use the following procedure to configure MR-APS.
SUMMARY STEPS
1. config
2. aps group number
3. channel {0 | 1} remote ip-address
4. channel {0 | 1} local sonet interface-path-id
5. exit
6. aps rprplus
7. interface GigabitEthernet interface-path-id
8. description text
9. ipv4 address ipv4-address mask
10. commit
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/RSP0/CPU0:router# config
Enters global configuration mode.
Step 2 aps group number
Example:
RP/0/RSP0/CPU0:router(config)# aps group 1
Adds an automatic protection switching (APS) group and
enters APS group configuration mode.
Step 3 channel {0 | 1} remote ip-address
Example:
RP/0/RSP0/CPU0:router(config-aps)# channel 0
remote 99.10.1.2
Assigns a port and interface that is physically located in a
remote router as a SONET APS channel.
• 0 designates the channel as the protect channel.
• 1 designates the channel as a working channel.
Step 4 channel {0 | 1} local sonet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-aps)# channel 1
local SONET 0/1/0/0
Assigns a local SONET physical port as a SONET APS
channel.
• 0 designates the channel as the protect channel.
• 1 designates the channel as a working channel.
Step 5 exit
Example:
RP/0/RSP0/CPU0:router(config-aps)# exit
Exits to the previous mode.
Step 6 aps rprplus
Example:
RP/0/RSP0/CPU0:router(config-aps)# aps rprplus
Extends the APS hold timer for a switchover. Configuring PPP on the Cisco ASR 9000 Series Router
How to Configure PPP
HC-616
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
Configuring SSRP on Serial and Multilink Interfaces
Use the following procedure to configure SSRP on serial and multilink interfaces:
SUMMARY STEPS
1. config
2. ssrp profile profile-name
3. peer ipv4 address A.B.C.D
4. exit
5. ssrp location node_id
6. group group-id profile profile_name
7. group group-id profile profile_name
8. exit
9. interface serial interface-path-id
10. ssrp group group-number id id-number ppp
11. encapsulation ppp
12. multilink
13. group group-id
14. exit
15. keepalive disable
16. exit
Step 7 interface GigabitEthernet interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
GigabitEthernet 0/6/0/0
Creates a Gigabit Ethernet interface as the path to the
MR-APS peer, and enters interface configuration mode.
Step 8 description text
Example:
RP/0/RSP0/CPU0:router(config-if)# description
MR-APS PGP interface for aps group 1
Adds a text description to this interface.
Step 9 ipv4 address ipv4-address mask
Example:
RP/0/RSP0/CPU0:router(config-if )# ipv4 address
99.10.1.1 255.255.255.0
Sets the primary IPv4 address and subnet mask for an
interface.
Step 10 commit
Example:
RP/0/RSP0/CPU0:router(config-if)# commit
Saves the current configuration.
Command or Action PurposeConfiguring PPP on the Cisco ASR 9000 Series Router
How to Configure PPP
HC-617
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide
OL-26061-01
17. interface serial interface-path-id
18. ssrp group group-number id id-number ppp
19. encapsulation ppp
20. multilink
21. group group-id
22. exit
23. keepalive disable
24. exit
25. interface multilink interface-path-id
26. ipv4 address ipv4-address mask
27. ssrp group group-number id id-number ppp
28. encapsulation ppp
29. shutdown
30. keepalive disable
31. exit
32. controller MgmtMultilink interface-path-id
33. bundle bundleID
34. bundle bundleID
35. commit
DETAILED STEPS
Command or Action Purpose
Step 1 config
Example:
RP/0/RSP0/CPU0:router# config
Enters global configuration mode.
Step 2 ssrp profile profile-name
Example:
RP/0/RSP0/CPU0:router(config)# ssrp profile
Profile_1
Configures the Session State Redundancy Protocol (SSRP)
profile and enters the SSRP configuration mode.
Step 3 peer ipv4 address A.B.C.D
Example:
RP/0/RSP0/CPU0:router(config)# peer ipv4
address 10.10.10.10
Configures the IPv4 address for a Session State
Redundancy Protocol (SSRP) peer.
Step 4 exit
Example:
RP/0/RSP0/CPU0:router(config-aps)# exit
Exits to the previous mode.
Step 5 ssrp location node_id
Example:
RP/0/RSP0/CPU0:router(config)# ssrp location
0/1/CPU0
Specifies the node on which to create a Session State
Redundancy Protocol (SSRP) group and enters the SSRP
node configuration mode.
Step 6 group group-id profile profile_name
Example:
RP/0/RSP0/CPU0:router(config-ssrp)# group 1
profile Profile_1
Creates a Session State Redundancy Protocol (SSRP) group
and associates it with a profile.
Step 7 group group-id profile profile_name
Example:
RP/0/RSP0/CPU0:router(config-ssrp-node)# group
2 profile Profile_2
Creates a second Session State Redundancy Protocol
(SSRP) group and associates it with a profile.
Step 8 exit
Example:
RP/0/RSP0/CPU0:router(config-ssrp-node)# exit
Exits to the previous mode.
Step 9 interface serial
interface-path-id[.subinterface]
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/1/0/0/1/1:0
Physical interface or virtual interface.
Note Use the show interfaces command to see a list of all
interfaces currently configured on the router.
For more information about the syntax for the router, use the
question mark (?) online help function.
Step 10 ssrp group group-number id id-number ppp
Example:
RP/0/RSP0/CPU0:router(config-if)# ssrp group 1
id 1 ppp
Attaches an SSRP group on the interface.
Step 11 encapsulation ppp
Example:
RP/0/RSP0/CPU0:router(config-if)# encapsulation
ppp
Enables encapsulation for communication with routers
using the Point-to-Point Protocol (PPP).
Step 12 multilink
Example:
RP/0/RSP0/CPU0:router(config-if)# multilink
Enters the multilink interface configuration mode.
Step 13 group group-id
Example:
RP/0/RSP0/CPU0:router(config-if)# group 1
Attaches a Session State Redundancy Protocol (SSRP)
group to this interface.
Step 14 exit
Example:
RP/0/RSP0/CPU0:router(config-if-multilink)# exit
Exits to the previous mode.
Step 15 keepalive disable
Example:
RP/0/RSP0/CPU0:router(config-if)# keepalive disable
Disables the keepalive timer for this interface.
Step 16 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits to the previous mode.
Step 17 interface serial
interface-path-id[.subinterface]
Example:
RP/0/RSP0/CPU0:router(config)# interface serial
0/1/0/0/1/2:0
Physical interface or virtual interface.
Note Use the show interfaces command to see a list of all
interfaces currently configured on the router.
For more information about the syntax for the router, use the
question mark (?) online help function.
Step 18 ssrp group group-number id id-number ppp
Example:
RP/0/RSP0/CPU0:router(config-if)# ssrp group 1
id 2 ppp
Attaches an SSRP group on the interface.
Step 19 encapsulation ppp
Example:
RP/0/RSP0/CPU0:router(config-if)# encapsulation
ppp
Enables encapsulation for communication with routers
using the Point-to-Point Protocol (PPP).
Step 20 multilink
Example:
RP/0/RSP0/CPU0:router(config-if)# multilink
Enters the multilink interface configuration mode.
Step 21 group group-id
Example:
RP/0/RSP0/CPU0:router(config-if)# group 1
Attaches a Session State Redundancy Protocol (SSRP)
group to this interface.
Step 22 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits to the previous mode.
Step 23 keepalive disable
Example:
RP/0/RSP0/CPU0:router(config-if)# keepalive
disable
Disables the keepalive timer for this interface.
Step 24 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits to the previous mode.
Step 25 interface multilink interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
Multilink 0/1/0/0/1
Physical interface or virtual interface.
Note Use the show interfaces command to see a list of all
interfaces currently configured on the router.
For more information about the syntax for the router, use the
question mark (?) online help function.
Step 26 ipv4 address ipv4-address mask
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 address
10.10.10.10 255.255.255.0
Sets the primary IPv4 address and subnet mask for an
interface.
Step 27 ssrp group group-number id id-number ppp
Example:
RP/0/RSP0/CPU0:router(config-if)# ssrp group 1
id 3 ppp
Attaches an SSRP group on the interface.
Step 28 encapsulation ppp
Example:
RP/0/RSP0/CPU0:router(config-if)# encapsulation
ppp
Enables encapsulation for communication with routers
using the Point-to-Point Protocol (PPP).
Step 29 shutdown
Example:
RP/0/RSP0/CPU0:router(config-if)# shutdown
Brings the interface administratively down for
configuration.
Step 30 keepalive disable
Example:
RP/0/RSP0/CPU0:router(config-if)# keepalive
disable
Disables the keepalive timer for this interface.
Step 31 exit
Example:
RP/0/RSP0/CPU0:router(config-if)# exit
Exits to the previous mode.
Step 32 controller MgmtMultilink interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# controller
MgmtMultilink 0/1/0/0
Configures a controller for a generic multilink bundle and
enters MgmtMultilink configuration mode.
Step 33 bundle bundleID
Example:
RP/0/RSP0/CPU0:router(config-mgmtmultilink)#
bundle 1
Creates a multilink interface bundle.
Step 34 bundle bundleID
Example:
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# bundle 2
Creates a multilink interface bundle.
Step 35 commit
Example:
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# commit
Saves the current configuration.
Configuration Examples for PPP
This section provides the following configuration examples:
• Configuring a POS Interface with PPP Encapsulation: Example, page 621
• Configuring a Serial Interface with PPP Encapsulation: Example, page 621
• ICSSO for PPP and MLPPP Configuration: Examples, page 622
• Verifying Multilink PPP Configurations, page 629
Configuring a POS Interface with PPP Encapsulation: Example
The following example shows how to create and configure a POS interface with PPP encapsulation:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38 255.255.255.224
RP/0/RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# ppp pap sent-username P1_TEST-8 password xxxx
RP/0/RSP0/CPU0:router(config-if)# ppp authentication chap pap MIS-access
RP/0/RSP0/CPU0:router(config-if)# ppp chap password encrypted xxxx
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
The following example shows how to configure POS interface 0/3/0/1 to allow two additional retries
after an initial authentication failure (for a total of three failed authentication attempts):
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RSP0/CPU0:router(config-if)# ppp max-bad-auth 3
Configuring a Serial Interface with PPP Encapsulation: Example
The following example shows how to create and configure a serial interface with PPP encapsulation
and MS-CHAP authentication:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface serial 0/3/0/0/0:0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38 255.255.255.224
RP/0/RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# ppp authentication ms-chap MIS-access
RP/0/RSP0/CPU0:router(config-if)# ppp ms-chap password encrypted xxxx
RP/0/RSP0/CPU0:router(config-if)# end
Uncommitted changes found, commit them? [yes]: yes
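The POS and serial examples above show the three authentication choices this module offers (CHAP with PAP fallback, MS-CHAP only, and a retry limit via ppp max-bad-auth). The following is an added Python example, not code from the Cisco guide, that parses a constructed running-config fragment written in the same style and reports, per PPP interface, which links still accept PAP, send PAP credentials, or have no authentication or retry limit configured; the block-splitting rules and finding texts are assumptions of this example.

```python
import re

# Constructed sample (not taken from a real router): a running-config fragment
# in the style of this page's POS, serial and multilink PPP examples.
SAMPLE_CONFIG = """\
interface POS0/3/0/0
 ipv4 address 172.18.189.38 255.255.255.224
 encapsulation ppp
 ppp pap sent-username P1_TEST-8 password xxxx
 ppp authentication chap pap MIS-access
 ppp chap password encrypted xxxx
!
interface POS0/3/0/1
 encapsulation ppp
 ppp max-bad-auth 3
!
interface Serial0/3/0/0/0:0
 encapsulation ppp
 ppp authentication ms-chap MIS-access
 ppp ms-chap password encrypted xxxx
!
interface Multilink0/1/0/0/1
 ipv4 address 51.1.1.1 255.255.255.0
 encapsulation ppp
 keepalive disable
!
interface GigabitEthernet0/6/0/0
 ipv4 address 99.10.1.1 255.255.255.0
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
# Authentication keywords this page uses with 'ppp authentication'
PPP_AUTH_METHODS = {"pap", "chap", "ms-chap"}


def parse_interfaces(config_text):
    """Split IOS XR running-config text into {interface name: [indented lines]}."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line == "!" or not line:
            current = None            # '!' closes the current interface block
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def audit_ppp_interface(lines):
    """Return a list of findings for one interface; empty if it is not a PPP link."""
    findings = []
    if "encapsulation ppp" not in lines:
        return findings
    auth = [l for l in lines if l.startswith("ppp authentication ")]
    if not auth:
        findings.append("no ppp authentication: peer identity is not verified")
    else:
        # Tokens after 'ppp authentication' are the methods, optionally followed
        # by an AAA method-list name such as MIS-access, which is not a method.
        methods = [t for t in auth[0].split()[2:] if t in PPP_AUTH_METHODS]
        if "pap" in methods:
            findings.append("pap accepted: peer may authenticate with a cleartext password")
    if any(l.startswith("ppp pap sent-username ") for l in lines):
        findings.append("ppp pap sent-username: local credentials are sent in cleartext")
    if not any(l.startswith("ppp max-bad-auth ") for l in lines):
        findings.append("ppp max-bad-auth not set: retry limit left at platform default")
    if "keepalive disable" in lines:
        findings.append("keepalive disable: dead-peer detection is off (expected on ICSSO links)")
    return findings


def audit_ppp_config(config_text):
    """Audit every interface block in the config; returns {interface: [findings]}."""
    return {name: audit_ppp_interface(lines)
            for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_ppp_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```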
Configuring MLPPP: Example
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# controller t3 0/1/0/0/1
RP/0/RSP0/CPU0:router(config-t3)# mode t1
RP/0/RSP0/CPU0:router(config-t3)# clock source internal
RP/0/RSP0/CPU0:router(config-t3)# exit
RP/0/RSP0/CPU0:router(config)# controller t1 0/1/0/0/1/1
RP/0/RSP0/CPU0:router(config-t1)# channel-group 0
RP/0/RSP0/CPU0:router(config-t1-channel_group)# timeslots 1-24
RP/0/RSP0/CPU0:router(config-t1-channel_group)# exit
RP/0/RSP0/CPU0:router(config-t1)# exit
RP/0/RSP0/CPU0:router(config)# controller mgmtmultilink 0/1/0/0
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# bundle 20
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# commit
RP/0/RSP0/CPU0:router(config-mgmtmultilink)# exit
RP/0/RSP0/CPU0:router(config)# interface multilink 0/1/0/0/20
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 80.170.0.1/24
RP/0/RSP0/CPU0:router(config-if)# multilink fragment-size 128
RP/0/RSP0/CPU0:router(config-if)# keepalive disable
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)# interface serial 0/1/0/0/1/1:0
RP/0/RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RSP0/CPU0:router(config-if)# multilink group 20
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)# interface multilink 0/1/0/0/1
RP/0/RSP0/CPU0:router(config-if)# multilink
RP/0/RSP0/CPU0:router(config-if-multilink)# ppp multilink minimum-active links 10
RP/0/RSP0/CPU0:router(config-if-multilink)# multilink interleave
RP/0/RSP0/CPU0:router(config-if-multilink)# no shutdown
RP/0/RSP0/CPU0:router(config-if-multilink)# commit
ICSSO for PPP and MLPPP Configuration: Examples
This section provides the following examples of ICSSO configuration and related configurations:
• ICSSO Configuration: Example, page 623
• Channelized SONET Controller Configuration for Use with ICSSO: Example, page 623
• MR-APS Configuration: Example, page 623
• SSRP on Serial and Multilink Interfaces Configuration: Example, page 624
• VRF on Multilink Configuration for Use with ICSSO: Example, page 625
• VRF on Ethernet Configuration for Use with ICSSO: Example, page 625
• OSPF Configuration for Use with ICSSO: Example, page 626
• Verifying ICSSO Configuration: Examples, page 626
ICSSO Configuration: Example
The following example shows how to configure ICSSO on a SONET controller:
config
redundancy
multi-router aps
group 1
controller sonet 0/1/0/0
member ipv4 10.10.10.10 backup-interface GigabitEthernet 0/6/0/1
commit
show running-config
Channelized SONET Controller Configuration for Use with ICSSO: Example
The following example shows how to configure channelized SONET controllers for use with ICSSO:
config
controller SONET0/7/1/0
framing sonet
sts 1
mode t3
!
sts 2
mode t3
!
sts 3
mode t3
!
controller T3 0/7/0/1
mode t1
framing auto-detect
!
controller T1 0/7/0/1/1
channel-group 0
timeslots 1-24
MR-APS Configuration: Example
The following example shows how to configure MR-APS:
config
aps group 1
channel 0 remote 99.10.1.2
channel 1 local SONET0/1/0/0
!
aps rprplus
!
interface GigabitEthernet0/6/0/0
description MR-APS PGP interface for aps group 1
ipv4 address 99.10.1.1 255.255.255.0
The following example shows how to configure a redundancy group manager:
// mr-aps part:
aps group 1
channel 0 remote 99.10.1.2
channel 1 local SONET0/1/0/0
!
// ssrp part:
ssrp location 0/1/CPU0
group 1 profile TEST
!
ssrp profile TEST
peer ipv4 address 99.10.1.2
!
// redundancy group manager part:
redundancy
multi-router aps
group 1
controller SONET0/1/0/0
member ipv4 99.30.1.2 backup-interface GigabitEthernet0/6/0/4
!
// ospf part:
router ospf 1
nsr
nsf ietf
redistribute connected instance IPCP
redistribute static
area 0
interface GigabitEthernet0/6/0/4
!
!
!
show redundancy-group multi-router aps
SSRP on Serial and Multilink Interfaces Configuration: Example
The following example shows how to configure SSRP on serial interfaces with PPP encapsulation and
multilink interfaces:
config
ssrp profile TEST
peer ipv4 address 99.10.1.2
!
ssrp location 0/1/CPU0
group 1 profile TEST
!
interface Serial0/1/0/0/1/1:0
ssrp group 1 id 1 ppp
encapsulation ppp
multilink
group 1
!
keepalive disable
!
interface Serial0/1/0/0/1/2:0
ssrp group 1 id 2 ppp
encapsulation ppp
multilink
group 1
!
keepalive disable
!
interface Multilink0/1/0/0/1
ipv4 address 51.1.1.1 255.255.255.0
ssrp group 1 id 3 ppp
encapsulation ppp
shutdown
!
keepalive disable
!
controller MgmtMultilink0/1/0/0
bundle 1
Note For more information on configuring serial interfaces, refer to the Configuring Serial Interfaces on the
Cisco ASR 9000 Series Router module of this document.
Note For more information on configuring Multilink, refer to Configuring Multilink PPP, page 604.
VRF on Multilink Configuration for Use with ICSSO: Example
The following example shows how to configure VPN Routing and Forwarding (VRF) on a Multilink
interface for use with ICSSO:
config
vrf EvDO-vrf
address-family ipv4 unicast
!
interface Multilink 0/0/0/0/1
description To EvDO BTS Number 1
vrf EvDO-vrf
ipv4 address 150.0.1.3 255.255.255.0
encapsulation ppp
!
Note For more information on configuring VRF, refer to the Cisco ASR 9000 Series Aggregation Services
Router Routing Configuration Guide. For more information on configuring Multilink, refer to
Configuring Multilink PPP, page 604.
VRF on Ethernet Configuration for Use with ICSSO: Example
The following example shows how to configure VPN Routing and Forwarding (VRF) on an Ethernet
interface for use with ICSSO:
config
vrf EvDO-vrf
address-family ipv4 unicast
!
interface GigabitEthernet 1/0/0/0.20
description Inter-ASR9000 EvDO VLAN
vrf EvDO-vrf
encapsulation dot1q 20
Note For more information on configuring VRF, refer to the Cisco ASR 9000 Series Aggregation Services
Router Routing Configuration Guide. For more information on configuring Ethernet, refer to the
Configuring Ethernet OAM on the Cisco ASR 9000 Series Router module of this document.
OSPF Configuration for Use with ICSSO: Example
Aggregation routers that terminate PPP sessions to a set of cell sites advertise their availability to LAN
switches using Open Shortest Path First (OSPF). The following example shows how to configure OSPF
for use with ICSSO:
config
router ospf 1
nsr
nsf ietf
redistribute connected instance IPCP
redistribute static
area 0
interface GigabitEthernet 0/6/0/1
!
Note For more information on configuring OSPF, refer to the Cisco ASR 9000 Series Aggregation Services
Router Routing Configuration Guide.
Verifying ICSSO Configuration: Examples
The following examples show how to verify ICSSO configuration:
• Verifying SSRP Groups: Example, page 626
• Verifying ICSSO Status: Example, page 627
• Verifying MR-APS Configuration: Example, page 627
• Verifying OSPF Configuration: Example, page 628
Verifying SSRP Groups: Example
The following example shows how to verify SSRP Group configuration:
RP/0/RSP0/CPU0:Router# show ssrp groups all det loc 0/1/cpu0
Tue Nov 10 16:57:55.911 UTC
Group ID: 1
Conn (ACT,SB): UP,UP
Profile: TEST
Peer: 99.10.1.2
Max-hops: 255
Sessions: 3
Channels Created
Client: PPP
Active Init: TRUE
Standby Init: TRUE
Active State: IDT-End-Sent
Standby State: IDT-End-Received
Auth-Req Pending: FALSE
Active ID Out: 93
Active ID In: 93
Active Last Reply In: 93
Active Counter: 5
Standby ID Out: 50
Standby ID In: 50
Standby Last Reply In: 50
Standby Counter: 5
Session Interface
-----------------------------
1 Se0/1/0/0/1/1:0
2 Se0/1/0/0/1/2:0
3 Mu0/1/0/0/1
Verifying ICSSO Status: Example
The following example shows how to verify ICSSO status:
RP/0/RSP0/CPU0:Router# show ppp sso sum loc 0/1/cpu0
Tue Nov 10 16:59:00.253 UTC
Not-Ready : The session is not yet ready to run as Active or Standby
Stby-UnNegd : In Standby mode, no replication state received yet
Act-Down : In Active mode, lower layer not yet up
Deactivating : Session was Active, now going Standby
Act-UnNegd : In Active mode, not fully negotiated yet
Stby-Negd : In Standby mode, replication state received and pre-programmed
Activating : Session was Standby and pre-programmed, now going Active
Act-Negd : In Active mode, fully negotiated and up
- : This layer not running
             |        Not-   Stby-  Act-   Deactiv- Act-   Stby-  Activ- Act-
Layer        | Total  Ready  UnNegd Down   ating    UnNegd Negd   ating  Negd
-------------+------- ------ ------ ------ -------- ------ ------ ------ ------
LCP          | 6      0      0      0      0        0      0      0      6
of-us-auth   | 6      0      0      0      0        0      0      0      6
of-peer-auth | 6      0      0      0      0        0      0      0      6
IPCP         | 2      0      0      0      0        0      0      0      2
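Reading the SSRP group output and the per-layer SSO table by hand during a switchover test is error-prone, so here is an added Python example (not part of the Cisco guide) that covers both verification steps above: it parses a constructed copy of the show ppp sso summary table, reports any sessions still in a transitional state, checks that each layer's Total matches its state columns, and confirms the Conn (ACT,SB) line from show ssrp groups reads UP,UP. The column order is taken from this page; the sample text and the notion of "steady" states are assumptions of this example.

```python
import re

# Constructed sample (not real router output) in the layout of the
# 'show ppp sso summary' output on this page, with one IPCP session still
# Act-UnNegd so that the check has something to report.
SAMPLE_SSO_SUMMARY = """\
Tue Nov 10 16:59:00.253 UTC
Not-Ready   : The session is not yet ready to run as Active or Standby
Act-Negd    : In Active mode, fully negotiated and up
-           : This layer not running
             |        Not-   Stby-  Act-   Deactiv- Act-   Stby-  Activ- Act-
Layer        | Total  Ready  UnNegd Down   ating    UnNegd Negd   ating  Negd
-------------+------- ------ ------ ------ -------- ------ ------ ------ ------
LCP          | 6      0      0      0      0        0      0      0      6
of-us-auth   | 6      0      0      0      0        0      0      0      6
of-peer-auth | 6      0      0      0      0        0      0      0      6
IPCP         | 2      0      0      0      0        1      0      0      1
"""

# Column order of the summary table, as printed on this page
SSO_COLUMNS = ("Total", "Not-Ready", "Stby-UnNegd", "Act-Down", "Deactivating",
               "Act-UnNegd", "Stby-Negd", "Activating", "Act-Negd")
# States a session rests in once its SSO state is fully negotiated/replicated
STEADY_STATES = {"Act-Negd", "Stby-Negd"}


def parse_sso_summary(text):
    """Parse the per-layer table into {layer: {column: count}}."""
    rows = {}
    for line in text.splitlines():
        layer, sep, rest = line.partition("|")
        if not sep:
            continue                       # legend lines and the dashed separator row
        values = rest.split()
        if len(values) != len(SSO_COLUMNS) or not all(v.isdigit() for v in values):
            continue                       # the two header rows
        rows[layer.strip()] = dict(zip(SSO_COLUMNS, map(int, values)))
    return rows


def transitional_sessions(rows):
    """Sessions per layer that are not yet in a steady Active/Standby state."""
    report = {}
    for layer, counts in rows.items():
        pending = {state: n for state, n in counts.items()
                   if state != "Total" and state not in STEADY_STATES and n > 0}
        if pending:
            report[layer] = pending
    return report


def totals_consistent(rows):
    """Each layer's Total should equal the sum of its state columns."""
    return all(counts["Total"] == sum(n for s, n in counts.items() if s != "Total")
               for counts in rows.values())


def ssrp_connections_up(ssrp_text):
    """True when 'show ssrp groups' reports both the ACT and SB connections UP."""
    m = re.search(r"Conn \(ACT,SB\):\s*(\w+),(\w+)", ssrp_text)
    return bool(m) and m.group(1) == "UP" and m.group(2) == "UP"


if __name__ == "__main__":
    table = parse_sso_summary(SAMPLE_SSO_SUMMARY)
    print("totals consistent:", totals_consistent(table))
    print("sessions still transitioning:", transitional_sessions(table))
```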
Verifying MR-APS Configuration: Example
The following examples show how to verify MR-APS configuration:
Example 1:
RP/0/RSP0/CPU0:Router# show redundancy-group multi-router aps all
Tue Nov 10 17:00:14.018 UTC
Interchassis Group: 1
State: FRR ADD SENT
Controller: SONET0/1/0/0 0x2000080
Backup Interface: GigabitEthernet0/6/0/1 0x10000180
Next Hop IP Addr: 10.10.10.10
Interchassis Group: Not Configured
State: WAIT CONFIG
Controller: SONET0/1/0/1 0x20003c0
Backup Interface: None 0x0
Next Hop IP Addr: 0.0.0.0
Example 2:
RP/0/RSP0/CPU0:Router# show cef adj rem loc 0/6/cpu0
Tue Nov 10 17:00:30.471 UTC
Display protocol is ipv4
Interface Address Type Refcount
SO0/1/0/0 Ifhandle: 0x2000080 remote 2
Adjacency: PT:0xa47c9cf4
Interface: SO0/1/0/0
Interface Type: 0x0, Base Flags: 0x110000 (0xa4a00494)
Nhinfo PT: 0xa4a00494, Idb PT: 0xa4cd60d8, If Handle: 0x2000080
Ancestor If Handle: 0x0
Protect FRR: 0xa4a8a040
Backup FRR: 0xa4a89f34
Backup NH: 0xa4a00a74
Backup IFH: 0x10000180
Backup Interface: Gi0/6/0/1
Backup IP: 10.10.10.10
FRR Active: 0
Verifying OSPF Configuration: Example
The following examples show how to verify OSPF configuration:
Example 1:
RP/0/RSP0/CPU0:Router# show route back
Tue Nov 10 17:01:48.974 UTC
Codes: C - connected, S - static, R - RIP, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR
A - access/subscriber
C 51.1.1.2/32 is directly connected, 00:10:03, Multilink0/1/0/0/1
Backup O E2 [110/20] via 10.10.10.10, GigabitEthernet0/6/0/1
C 52.1.1.2/32 is directly connected, 00:11:47, Multilink0/1/0/0/2
Backup O E2 [110/20] via 10.10.10.10, GigabitEthernet0/6/0/1
S 110.0.0.2/32 [1/0] via 51.1.1.2, 00:11:40
Backup O E2 [110/20] via 10.10.10.10, GigabitEthernet0/6/0/1
Example 2:
RP/0/RSP0/CPU0:Router# show route 51.1.1.2
Tue Nov 10 17:02:26.507 UTC
Routing entry for 51.1.1.2/32
Known via "connected IPCP", distance 0, metric 0 (connected)
Installed Nov 10 16:51:45.703 for 00:10:40
Routing Descriptor Blocks
51.1.1.2 directly connected, via Multilink0/1/0/0/1
Route metric is 0
No advertising protos.
Verifying Multilink PPP Configurations
Use the following show commands to verify and troubleshoot your multilink configurations:
• show multilink interfaces: Examples, page 629
• show ppp interfaces multilink: Example, page 631
• show ppp interface serial: Example, page 632
• show imds interface multilink: Example, page 632
show multilink interfaces: Examples
RP/0/RSP0/CPU0:Router# show multilink interfaces Serial 0/4/3/1/10:0
Mon Sep 21 09:24:19.604 UTC
Serial0/4/3/1/10:0 is up, line protocol is up
Encapsulation: PPP
Multilink group id: 6
Member status: ACTIVE
RP/0/RSP0/CPU0:Router# show multilink interfaces Multilink 0/4/3/0/3
Mon Sep 21 09:17:12.131 UTC
Multilink0/4/3/0/3 is up, line protocol is up
Fragmentation: disabled
Interleave: disabled
Encapsulation: PPP
Member Links: 1 active, 1 inactive
- Serial0/4/3/1/5:0 is up, line protocol is up
Encapsulation: PPP
Multilink group id: 3
Member status: ACTIVE
- Serial0/4/3/1/6:0 is administratively down, line protocol is administratively down
Encapsulation: PPP
Multilink group id: 3
Member status: INACTIVE : LCP has not been negotiated
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
RP/0/RSP0/CPU0:Router# show multilink interfaces
Mon Sep 21 09:15:10.679 UTC
Multilink0/4/3/0/1 is up, line protocol is up
Fragmentation: disabled
Interleave: disabled
Encapsulation: FR
Member Links: 1 active, 1 inactive
- Serial0/4/3/1/2:0: INACTIVE : Down (Member link idle)
- Serial0/4/3/1/1:0: ACTIVE : Up
Multilink0/4/3/0/10 is up, line protocol is down
Fragmentation: disabled
Interleave: disabled
Encapsulation: PPP
Member Links: 0 active, 0 inactive
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/100 is administratively down, line protocol is administratively down
Fragmentation: disabled
Interleave: disabled
Encapsulation: PPP
Member Links: 0 active, 0 inactive
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/2 is up, line protocol is up
Fragmentation: disabled
Interleave: disabled
Encapsulation: FR
Member Links: 2 active, 0 inactive
- Serial0/4/3/1/4:0: ACTIVE : Up
- Serial0/4/3/1/3:0: ACTIVE : Up
Multilink0/4/3/0/3 is up, line protocol is up
Fragmentation: disabled
Interleave: disabled
Encapsulation: PPP
Member Links: 1 active, 1 inactive
- Serial0/4/3/1/5:0: ACTIVE
- Serial0/4/3/1/6:0: INACTIVE : LCP has not been negotiated
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/4 is up, line protocol is up
Fragmentation: disabled
Interleave: disabled
Encapsulation: PPP
Member Links: 2 active, 0 inactive
- Serial0/4/3/1/8:0: ACTIVE
- Serial0/4/3/1/7:0: ACTIVE
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/5 is up, line protocol is up
Fragmentation: disabled
Interleave: enabled
Encapsulation: PPP
Member Links: 1 active, 0 inactive
- Serial0/4/3/1/9:0: ACTIVE
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/6 is up, line protocol is up
Fragmentation: disabled
Interleave: enabled
Encapsulation: PPP
Member Links: 1 active, 0 inactive
- Serial0/4/3/1/10:0: ACTIVE
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/7 is up, line protocol is down
Fragmentation: disabled
Interleave: enabled
Encapsulation: PPP
Member Links: 0 active, 1 inactive
- Serial0/4/3/1/11:0: INACTIVE : LCP has not been negotiated
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
Multilink0/4/3/0/8 is up, line protocol is down
Fragmentation: disabled
Interleave: enabled
Encapsulation: PPP
Member Links: 0 active, 1 inactive
- Serial0/4/3/1/12:0: INACTIVE : LCP has not been negotiated
Fragmentation Statistics
Input Fragmented packets 0 Input Fragmented bytes 0
Output Fragmented packets 0 Output Fragmented bytes 0
Input Unfragmented packets 0 Input Unfragmented bytes 0
Output Unfragmented packets 0 Output Unfragmented bytes 0
Input Reassembled packets 0 Input Reassembled bytes 0
show ppp interfaces multilink: Example
RP/0/RSP0/CPU0:Router# show ppp interfaces multilink 0/3/1/0/1
Multilink 0/3/1/0/1 is up, line protocol is up
LCP: Open
Keepalives disabled
IPCP: Open
Local IPv4 address: 1.1.1.2
Peer IPv4 address: 1.1.1.1
Multilink
Member Links: 2 active, 1 inactive (min-active 1)
- Serial0/3/1/0/0:0: ACTIVE
- Serial0/3/1/0/1:0: ACTIVE
- Serial0/3/1/0/2:0: INACTIVE : LCP has not been negotiated
show ppp interface serial: Example
RP/0/RSP0/CPU0:Router# show ppp interface Serial 0/3/1/0/0:0
Serial 0/3/1/0/0:0 is up, line protocol is up
LCP: Open
Keepalives disabled
Local MRU: 1500 bytes
Peer MRU: 1500 bytes
Local Bundle MRRU: 1596 bytes
Peer Bundle MRRU: 1500 bytes
Local Endpoint Discriminator: 1b61950e3e9ce8172c8289df0000003900000001
Peer Endpoint Discriminator: 7d046cd8390a4519087aefb90000003900000001
Authentication
Of Peer:
Of Us:
Multilink
Multilink group id: 1
Member status: ACTIVE
show imds interface multilink: Example
RP/0/RSP0/CPU0:Router# show imds interface Multilink 0/3/1/0/1
IMDS INTERFACE DATA (Node 0x0)
Multilink0_3_1_0_1 (0x04001200)
-----------------------
flags: 0x0001002f type: 55 (IFT_MULTILINK) encap: 52 (ppp)
state: 3 (up) mtu: 1600 protocol count: 3
control parent: 0x04000800 data parent: 0x00000000
protocol        capsulation          state           mtu
--------------- -------------------- --------------- --------
12 (ipv4)       26 (ipv4)            3 (up)          1500
                47 (ipcp)            3 (up)          1500
16 (ppp_ctrl)   53 (ppp_ctrl)        3 (up)          1500
0 (Unknown)     139 (c_shim)         3 (up)          1600
                52 (ppp)             3 (up)          1504
                56 (queue_fifo)      3 (up)          1600
                60 (txm_nopull)      3 (up)          1600
Additional References
The following sections provide references related to PPP encapsulation.
Related Documents
Related Topic                                               Document Title
Cisco IOS XR master command reference                       Cisco IOS XR Master Commands List
Cisco IOS XR interface configuration commands               Cisco IOS XR Interface and Hardware Component Command Reference
Initial system bootup and configuration information for     Cisco IOS XR Getting Started Guide
a router using Cisco IOS XR software
Cisco IOS XR AAA services configuration information         Cisco IOS XR System Security Configuration Guide and
                                                            Cisco IOS XR System Security Command Reference
Standards
Standards                                                   Title
No new or modified standards are supported by this          —
feature, and support for existing standards has not been
modified by this feature.
MIBs
MIBs                                                        MIBs Link
No new or modified MIBs are supported by this               To locate and download MIBs for selected platforms using
feature, and support for existing MIBs has not been         Cisco IOS XR software, use the Cisco MIB Locator found at the
modified by this feature.                                   following URL:
                                                            http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs                                                        Title
RFC 1661                                                    The Point-to-Point Protocol (PPP)
RFC 1994                                                    PPP Challenge Handshake Authentication Protocol (CHAP)
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Configuring 802.1Q VLAN Interfaces on the Cisco ASR 9000 Series Router
This module describes the configuration and management of 802.1Q VLAN interfaces on the
Cisco ASR 9000 Series Aggregation Services Routers.
The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN
membership information, and defines the operation of VLAN bridges that permit the definition,
operation, and administration of VLAN topologies within a bridged LAN infrastructure.
The 802.1Q standard is intended to address the problem of how to divide large networks into smaller
parts so broadcast and multicast traffic does not use more bandwidth than necessary. The standard also
helps provide a higher level of security between segments of internal networks.
Feature History for Configuring 802.1Q VLAN Interfaces
Release Modification
Release 3.7.2 This feature was introduced on the Cisco ASR 9000 Series Router.
Release 3.9.0 Layer 2 dot1q was updated. Encapsulation dot1q was added.
Contents
• Prerequisites for Configuring 802.1Q VLAN Interfaces, page 635
• Information About Configuring 802.1Q VLAN Interfaces, page 636
• How to Configure 802.1Q VLAN Interfaces, page 639
• Configuration Examples for VLAN Interfaces, page 645
• Additional References, page 647
Prerequisites for Configuring 802.1Q VLAN Interfaces
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring 802.1Q VLAN interfaces, be sure that the following conditions are met:
• You must have configured a Gigabit Ethernet interface, a 10-Gigabit Ethernet interface, or an
Ethernet bundle interface.
Information About Configuring 802.1Q VLAN Interfaces
To configure 802.1Q VLAN interfaces, you must understand the following concepts:
• 802.1Q VLAN Overview, page 636
• 802.1Q Tagged Frames, page 636
• CFM on 802.1Q VLAN Interfaces, page 637
• Subinterfaces, page 637
• Subinterface MTU, page 637
• Native VLAN, page 637
• EFPs, page 637
• Layer 2 VPN on VLANs, page 638
• Other Layer 2 VPN Features, page 639
802.1Q VLAN Overview
A VLAN is a group of devices on one or more LANs that are configured so that they can communicate
as if they were attached to the same wire, when in fact they are located on a number of different LAN
segments. Because VLANs are based on logical instead of physical connections, they are very flexible
for user and host management, bandwidth allocation, and resource optimization.
The IEEE 802.1Q protocol standard addresses the problem of dividing large networks into smaller parts
so broadcast and multicast traffic does not consume more bandwidth than necessary. The standard also
helps provide a higher level of security between segments of internal networks.
The 802.1Q specification establishes a standard method for inserting VLAN membership information
into Ethernet frames.
Cisco IOS XR software supports VLAN subinterface configuration on Gigabit Ethernet and 10-Gigabit
Ethernet interfaces.
802.1Q Tagged Frames
The IEEE 802.1Q tag-based VLAN uses an extra tag in the MAC header to identify the VLAN
membership of a frame across bridges. This tag is used for VLAN and quality of service (QoS) priority
identification. The VLANs can be created statically by manual entry or dynamically through Generic
Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP). The VLAN ID associates
a frame with a specific VLAN and provides the information that switches need to process the frame across
the network. A tagged frame is four bytes longer than an untagged frame: the tag is inserted after the
source address field and consists of two bytes of Tag Protocol Identifier (TPID), which occupy the
position of the type and length field of the Ethernet frame, followed by two bytes of Tag Control
Information (TCI).
CFM on 802.1Q VLAN Interfaces
Configuring Connectivity Fault Management (CFM) for monitoring 802.1Q VLAN interfaces is
identical to configuring CFM for monitoring Ethernet interfaces.
For information on configuring CFM for Ethernet interfaces, refer to the following sections in the
Configuring Ethernet OAM on the Cisco ASR 9000 Series Router module:
• Ethernet CFM, page 56
• Configuring Ethernet CFM, page 94
• Ethernet CFM Service Configuration: Example, page 149
• Ethernet CFM Show Command: Examples, page 150
Subinterfaces
Subinterfaces are logical interfaces created on a hardware interface. These software-defined interfaces
allow for segregation of traffic into separate logical channels on a single hardware interface as well as
allowing for better utilization of the available bandwidth on the physical interface.
Subinterfaces are distinguished from one another by adding an extension on the end of the interface name
and designation. For instance, the Ethernet subinterface 23 on the physical interface designated TenGigE
0/1/0/0 would be indicated by TenGigE 0/1/0/0.23.
Before a subinterface is allowed to pass traffic, it must have a valid tagging protocol encapsulation and
VLAN identifier assigned. All Ethernet subinterfaces default to the 802.1Q VLAN encapsulation.
However, the VLAN identifier must be explicitly defined.
Subinterface MTU
The subinterface maximum transmission unit (MTU) is inherited from the physical interface with an
additional four bytes allowed for the 802.1Q VLAN tag.
Native VLAN
The Cisco ASR 9000 Series Router does not support a native VLAN. However, the equivalent
functionality is accomplished using an encapsulation command as follows:
encapsulation dot1q TAG-ID, untagged
EFPs
An Ethernet Flow Point (EFP) is a Metro Ethernet Forum (MEF) term describing abstract router
architecture. On the Cisco ASR 9000 Series Router, an EFP is implemented by an L2 subinterface
with a VLAN encapsulation. The term EFP is used synonymously with a VLAN-tagged L2
subinterface.
Layer 2 VPN on VLANs
The Layer 2 Virtual Private Network (L2VPN) feature enables Service Providers (SPs) to provide
Layer 2 services to geographically disparate customer sites.
The configuration model for configuring VLAN attachment circuits (ACs) is similar to the model used
for configuring basic VLANs, where the user first creates a VLAN subinterface, and then configures that
VLAN in subinterface configuration mode. To create an AC, you need to include the l2transport
keyword in the interface command string to specify that the interface is a Layer 2 interface.
VLAN ACs support three modes of L2VPN operation:
• Basic Dot1Q AC—The AC covers all frames that are received and sent with a specific VLAN tag.
• QinQ AC—The AC covers all frames received and sent with a specific outer VLAN tag and a
specific inner VLAN tag. QinQ is an extension to Dot1Q that uses a stack of two tags.
• Q-in-Any AC—The AC covers all frames received and sent with a specific outer VLAN tag and any
inner VLAN tag, as long as that inner VLAN tag is not L3 terminated. Q-in-Any is an extension to
QinQ that uses wildcarding to match any second tag.
Note The Q-in-Any mode is a variation of the basic Dot1Q mode. In Q-in-Any mode, the frames have
a basic QinQ encapsulation; however, in Q-in-Any mode the inner tag is not relevant, except for
the fact that a few specific inner VLAN tags are siphoned for specific services. For example, a
tag may be used to provide L3 services for general internet access.
Each VLAN on a CE-to-PE link can be configured as a separate L2VPN connection (using either VC
type 4 or VC type 5). To configure L2VPN on VLANs, see the “Configuring an Attachment Circuit on
a VLAN” section on page 641.
Keep the following in mind when configuring L2VPN on a VLAN:
• Cisco IOS XR software supports 4k ACs per LC.
• In a point-to-point connection, the two ACs do not have to be of the same type. For example, a port
mode Ethernet AC can be connected to a Dot1Q Ethernet AC.
• Pseudowires can run in VLAN mode or in port mode. A pseudowire running in VLAN mode has a
single Dot1Q tag, while a pseudowire running in port mode has no tags. Some interworking is
required to connect these different types of circuits together. This interworking takes the form of
popping, pushing, and rewriting tags. The advantage of Layer 2 VPN is that it simplifies the
interworking required to connect completely different media types together.
• The ACs on either side of an MPLS pseudowire can be different types. In this case, the appropriate
conversion is carried out at one or both ends of the AC to pseudowire connection.
Use the show interfaces command to display AC and pseudowire information.
Note For detailed information about configuring an L2VPN network, see the “Implementing MPLS Layer 2
VPNs” module of the Cisco ASR 9000 Series Router Multiprotocol Label Switching Configuration
Guide.
Other Layer 2 VPN Features
For information on the following Layer 2 VPN features, refer to the Cisco ASR 9000 Series Aggregation
Services Router L2VPN and Ethernet Services Configuration Guide and the Cisco ASR 9000 Series
Aggregation Services Router L2VPN and Ethernet Services Command Reference:
• Provider Backbone Bridge (PBB) 802.1ah
• Policy-Based Forwarding (PBF)
• MVRP 802.1 (MVRP-lite)
How to Configure 802.1Q VLAN Interfaces
This section contains the following procedures:
• Configuring 802.1Q VLAN Subinterfaces, page 639
• Configuring an Attachment Circuit on a VLAN, page 641
• Removing an 802.1Q VLAN Subinterface, page 643
Configuring 802.1Q VLAN Subinterfaces
This task explains how to configure 802.1Q VLAN subinterfaces. To remove these subinterfaces, see the
“Removing an 802.1Q VLAN Subinterface” section of this module.
SUMMARY STEPS
1. configure
2. interface {GigabitEthernet | TenGigE | Bundle-Ether} interface-path-id.subinterface
3. encapsulation dot1q
4. ipv4 address ip-address mask
5. exit
6. Repeat Step 2 through Step 5 to define the rest of the VLAN subinterfaces.
7. end
or
commit
8. show ethernet trunk bundle-ether instance (Optional)
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface {GigabitEthernet | TenGigE |
Bundle-Ether} interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config)# interface
TenGigE 0/2/0/4.10
Enters subinterface configuration mode and specifies the
interface type, location, and subinterface number.
• Replace the interface-path-id argument with one of the
following instances:
– Physical Ethernet interface instance, or with an
Ethernet bundle instance. Naming notation is
rack/slot/module/port, and a slash between values
is required as part of the notation.
– Ethernet bundle instance. Range is from 1 through
65535.
• Replace the subinterface argument with the
subinterface value. Range is from 0 through 4095.
• Naming notation is interface-path-id.subinterface, and
a period between arguments is required as part of the
notation.
Step 3 encapsulation dot1q
Example:
RP/0/RSP0/CPU0:router(config-subif)#
encapsulation dot1q 100, untagged
Sets the Layer 2 encapsulation of an interface.
Note The dot1q vlan command is replaced by the
encapsulation dot1q command on the
Cisco ASR 9000 Series Router. It is still available
for backward-compatibility, but only for Layer 3
interfaces.
Step 4 ipv4 address ip-address mask
Example:
RP/0/RSP0/CPU0:router(config-subif)# ipv4
address 178.18.169.23/24
Assigns an IP address and subnet mask to the subinterface.
• Replace ip-address with the primary IPv4 address for
an interface.
• Replace mask with the mask for the associated IP
subnet. The network mask can be specified in either of
two ways:
– The network mask can be a four-part dotted
decimal address. For example, 255.0.0.0 indicates
that each bit equal to 1 means that the
corresponding address bit belongs to the network
address.
– The network mask can be indicated as a slash (/)
and number. For example, /8 indicates that the first
8 bits of the mask are ones, and the corresponding
bits of the address are network address.
Step 5 exit
Example:
RP/0/RSP0/CPU0:router(config-subif)# exit
(Optional) Exits the subinterface configuration mode.
• The exit command is not explicitly required.
Step 6 Repeat Step 2 through Step 5 to define the rest of the VLAN subinterfaces.
Step 7 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the
configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and
remain within the configuration session.
Step 8 show ethernet trunk bundle-ether instance
Example:
RP/0/RSP0/CPU0:router# show ethernet trunk bundle-ether 5
(Optional) Displays the interface configuration.
The Ethernet bundle instance range is from 1 through 65535.
Configuring an Attachment Circuit on a VLAN
Use the following procedure to configure an attachment circuit on a VLAN.
SUMMARY STEPS
1. configure
2. interface {GigabitEthernet | TenGigE | Bundle-Ether} interface-path-id.subinterface
l2transport
3. encapsulation dot1q
4. l2protocol cpsv {tunnel | reverse-tunnel}
5. end
or
commit
6. show interfaces [GigabitEthernet | TenGigE] interface-path-id.subinterface (Optional)
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure terminal
Enters global configuration mode.
Step 2 interface {GigabitEthernet | TenGigE | Bundle-Ether} interface-path-id.subinterface
l2transport
Example:
RP/0/RSP0/CPU0:router(config)# interface TenGigE 0/1/0/0.1 l2transport
Enters subinterface configuration and specifies the interface type, location, and subinterface number.
• Replace the interface-path-id argument with one of the following instances:
– Physical Ethernet interface instance, or with an Ethernet bundle instance. Naming notation is
rack/slot/module/port, and a slash between values is required as part of the notation.
– Ethernet bundle instance. Range is from 1 through 65535.
• Replace the subinterface argument with the subinterface value. Range is from 0 through 4095.
• Naming notation is instance.subinterface, and a period between arguments is required as part of the
notation.
Note You must include the l2transport keyword in the command string; otherwise, the configuration
creates a Layer 3 subinterface rather than an AC.
Step 3 encapsulation dot1q
Example:
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 100, untagged
Sets the Layer 2 encapsulation of an interface.
Note The dot1q vlan command is replaced by the encapsulation dot1q command on the Cisco ASR
9000 Series Router. It is still available for backward-compatibility, but only for Layer 3
interfaces.
Step 4 l2protocol cpsv {tunnel | reverse-tunnel}
Example:
RP/0/RSP0/CPU0:router(config-if-l2)# l2protocol cpsv tunnel
Configures Layer 2 protocol tunneling and protocol data unit (PDU) filtering on an Ethernet interface
for the following protocols: CDP, PVST+, STP, VTP, where:
• tunnel—Specifies L2PT encapsulation on frames as they enter the interface, and de-encapsulation on
frames as they exit the interface.
• reverse-tunnel—Specifies L2PT encapsulation on frames as they exit the interface, and
de-encapsulation on frames as they enter the interface.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-if-l2)# end
or
RP/0/RSP0/CPU0:router(config-if-l2)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the
configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and
remain within the configuration session.
Step 6 show interfaces [GigabitEthernet | TenGigE] interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router# show interfaces TenGigE 0/3/0/0.1
(Optional) Displays statistics for interfaces on the router.
What to Do Next
• To configure a point-to-point pseudowire cross connect on the AC, see the “Implementing MPLS
Layer 2 VPNs” module of the Cisco ASR 9000 Series Router Multiprotocol Label Switching
Configuration Guide.
• To attach Layer 3 service policies, such as Multiprotocol Label Switching (MPLS) or QoS, to the
VLAN, refer to the appropriate Cisco ASR 9000 Series Router configuration guide.
Removing an 802.1Q VLAN Subinterface
This task explains how to remove 802.1Q VLAN subinterfaces that have been previously configured
using the “Configuring 802.1Q VLAN Subinterfaces” task in this module.
SUMMARY STEPS
1. configure
2. no interface {GigabitEthernet | TenGigE | Bundle-Ether} interface-path-id.subinterface
3. Repeat Step 2 to remove other VLAN subinterfaces.
4. end
or
commit
5. show ethernet trunk bundle-ether instance (Optional)
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 no interface {GigabitEthernet | TenGigE | Bundle-Ether} interface-path-id.subinterface
Example:
RP/0/RSP0/CPU0:router(config)# no interface TenGigE 0/2/0/4.10
Removes the subinterface, which also automatically deletes all the configuration applied to the
subinterface.
• Replace the interface-path-id argument with one of the following instances:
– Physical Ethernet interface instance, or with an Ethernet bundle instance. Naming notation is
rack/slot/module/port, and a slash between values is required as part of the notation.
– Ethernet bundle instance. Range is from 1 through 65535.
• Replace the subinterface argument with the subinterface value. Range is from 0 through 4095.
• Naming notation is instance.subinterface, and a period between arguments is required as part of the
notation.
Step 3 Repeat Step 2 to remove other VLAN subinterfaces.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the
configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and
remain within the configuration session.
Step 5 show ethernet trunk bundle-ether instance
Example:
RP/0/RSP0/CPU0:router# show ethernet trunk bundle-ether 5
(Optional) Displays the interface configuration.
The Ethernet bundle instance range is from 1 through 65535.
Configuration Examples for VLAN Interfaces
This section contains the following example:
• VLAN Subinterfaces: Example, page 645
VLAN Subinterfaces: Example
The following example shows how to create three VLAN subinterfaces at one time:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface TenGigE 0/2/0/4.1
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 100
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.0.10.1/24
RP/0/RSP0/CPU0:router(config-subif)# interface TenGigE0/2/0/4.2
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 101
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.0.20.1/24
RP/0/RSP0/CPU0:router(config-subif)# interface TenGigE0/2/0/4.3
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 102
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 10.0.30.1/24
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# exit
RP/0/RSP0/CPU0:router# show ethernet trunk bundle-Ether 1
Trunk Sub types Sub states
Interface St Ly MTU Subs L2 L3 Up Down Ad-Down
BE1 Up L3 1514 1000 0 1000 1000 0 0
Summary 1000 0 1000 1000 0 0
The following example shows how to create two VLAN subinterfaces on an Ethernet bundle:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface bundle-ether 2
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 192.168.2.1/24
RP/0/RSP0/CPU0:router(config-if)# exit
RP/0/RSP0/CPU0:router(config)# interface bundle-ether 2.1
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 100
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 192.168.100.1/24
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# interface bundle-ether 2.2
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 200
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 192.168.200.1/24
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# commit
The following example shows how to create a basic dot1Q AC:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet 0/0/0/0.1
RP/0/RSP0/CPU0:router(config-subif)# l2transport
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 100
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# exit
The following example shows how to create a Q-in-Q AC:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet 0/0/0/0.2
RP/0/RSP0/CPU0:router(config-subif)# l2transport
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 200 second-dot1q 201
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# exit
The following example shows how to create a Q-in-Any AC:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet 0/0/0/0.3
RP/0/RSP0/CPU0:router(config-subif)# l2transport
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 300 second-dot1q any
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:router(config-subif)# exit
RP/0/RSP0/CPU0:router(config)# exit
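The tag layout from the "802.1Q Tagged Frames" section and the three AC modes from "Layer 2 VPN on VLANs", as an added example that is not code from the Cisco guide: a parser that walks the TPID/TCI tag stack of an Ethernet frame and decides which of the three example ACs above (dot1q 100; dot1q 200 second-dot1q 201; dot1q 300 second-dot1q any) covers the frame. The frame bytes, MAC addresses, the AC table and the most-specific-match precedence rule are assumptions of this example, not a statement of how the router itself matches frames.

```python
"""Parse 802.1Q / QinQ tags from an Ethernet frame and decide which of the
example attachment circuits (ACs) covers the frame.  Added example for this
guide, not Cisco code.  Frames, MAC addresses and the AC table below are
constructed for illustration; the match precedence is this example's own
simplification, not a description of router behaviour."""
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (outer tag of a QinQ stack)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)

# Example ACs mirroring the guide's configuration examples: (outer VID, inner).
# inner None  -> basic Dot1Q AC (encapsulation dot1q N)
# inner int   -> QinQ AC        (encapsulation dot1q N second-dot1q M)
# inner "any" -> Q-in-Any AC    (encapsulation dot1q N second-dot1q any)
EXAMPLE_ACS = {
    "GigabitEthernet0/0/0/0.1": (100, None),
    "GigabitEthernet0/0/0/0.2": (200, 201),
    "GigabitEthernet0/0/0/0.3": (300, "any"),
}


def parse_tags(frame: bytes) -> dict:
    """Walk the tag stack of an Ethernet frame.

    Each 802.1Q tag is 4 bytes: a 2-byte TPID sitting where the untagged
    frame's type/length field would be, followed by a 2-byte TCI holding
    3 bits of priority (PCP), 1 drop-eligible bit (DEI) and a 12-bit VID.
    Stacked (QinQ) tags are returned outer to inner.  Truncated frames
    raise ValueError rather than yielding a partial tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated type/length field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF))
        offset += 4
    return {"dst": dst.hex(), "src": src.hex(), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def match_ac(tags, acs=EXAMPLE_ACS):
    """Return the name of the AC that covers a frame with this tag stack.

    Precedence assumed by this example: an exact outer+inner (QinQ) match
    beats a Q-in-Any match, which beats a basic Dot1Q match on the outer
    tag alone.  Untagged frames match none of the example ACs."""
    vids = [vid for _pcp, _dei, vid in tags]
    if not vids:
        return None
    best, best_rank = None, -1
    for name, (outer, inner) in acs.items():
        if vids[0] != outer:
            continue
        if inner is None:
            rank = 0                     # basic Dot1Q: outer tag only
        elif inner == "any":
            if len(vids) < 2:
                continue                 # Q-in-Any needs some inner tag
            rank = 1
        else:
            if len(vids) < 2 or vids[1] != inner:
                continue                 # QinQ needs that exact inner tag
            rank = 2
        if rank > best_rank:
            best, best_rank = name, rank
    return best


def build_frame(dst_hex, src_hex, tags, ethertype, payload):
    """Constructed test input: assemble a frame with the given tag stack
    (outer to inner, all with TPID 0x8100) in front of ethertype+payload."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for pcp, dei, vid in tags:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed frames: a QinQ 200/201 frame with priority 5, and a
    # single-tagged VLAN 300 frame, which the Q-in-Any AC does not cover.
    for stack in ([(5, 0, 200), (0, 0, 201)], [(0, 0, 300)]):
        frame = build_frame("ffffffffffff", "0a1b2c3d4e5f", stack,
                            0x0800, b"\x45" + b"\x00" * 19)
        parsed = parse_tags(frame)
        print(parsed["tags"], hex(parsed["ethertype"]), match_ac(parsed["tags"]))
```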
Additional References
The following sections provide references related to VLAN interface configuration.
Related Documents
Related Topic: Document Title
Cisco ASR 9000 Series Router master command reference: Cisco ASR 9000 Series Router Master Commands List
Cisco ASR 9000 Series Router interface configuration commands: Cisco ASR 9000 Series Router Interface and Hardware Component Command Reference
Initial system bootup and configuration information for a Cisco ASR 9000 Series Router using the Cisco IOS XR software: Cisco ASR 9000 Series Router Getting Started Guide
Information about user groups and task IDs: Cisco ASR 9000 Series Router Interface and Hardware Component Command Reference
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
There are no applicable MIBs for this module.
To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Configuring Bidirectional Forwarding Detection on the Cisco ASR 9000 Series Router
This module describes the configuration of bidirectional forwarding detection (BFD) on the
Cisco ASR 9000 Series Aggregation Services Routers.
Bidirectional forwarding detection (BFD) provides low-overhead, short-duration detection of failures in
the path between adjacent forwarding engines. BFD allows a single mechanism to be used for failure
detection over any media and at any protocol layer, with a wide range of detection times and overhead.
The fast detection of failures provides immediate reaction to failure in the event of a failed link or
neighbor.
Feature History for Configuring Bidirectional Forwarding Detection on Cisco IOS XR Software
Release Modification
Release 3.7.2 BFD was introduced on the Cisco ASR 9000 Series Router.
Release 3.9.0 • Support for these applications with BFD was added:
– Hot Standby Router Protocol (HSRP)
– Virtual Router Redundancy Protocol (VRRP)
• The dampening command was added to minimize BFD session flapping and delay session startup.
• The echo ipv4 source command was added to specify a source IP address and override the default.
• The ipv6 checksum command was added to enable and disable the IPv6 UDP checksum computation
and BFD interface configuration modes.
Release 4.0.0 Support for these BFD features was added:
• BFD for OSPFv3
• BFD for IPv6
Support for BFD was added on the following SPAs:
• 1-Port OC-192c/STM-64 POS/RPR XFP SPA
• 2-Port OC-48c/STM-16 POS/RPR SPA
• 8-Port OC-12c/STM-4 POS SPA
Release 4.0.1 Support for these BFD features was added:
• Support for BFD Per Member Links on Link Bundles was added.
• The echo latency detect command was added to enable latency detection for BFD echo packets on
non-bundle interfaces.
• The echo startup validate command was added to verify the echo path before starting a BFD session
on non-bundle interfaces.
Release 4.2.0 Support for these BFD features was added:
• BFD Multihop Global TTL check.
• BFD Multihop support for BGP.
• BFD Multihop support for IPv4 traffic.
• The multihop ttl-drop-threshold command was added to specify the TTL value to start dropping
packets for multihop sessions.
Release 4.2.1 Support for BFD Multihop feature was added on the ASR9K-SIP-700 line card.
Contents
• Prerequisites for Configuring BFD, page 650
• Restrictions for Configuring BFD, page 651
• Information About BFD, page 652
• How to Configure BFD, page 663
• Configuration Examples for Configuring BFD, page 697
• Where to Go Next, page 704
• Additional References, page 704
Prerequisites for Configuring BFD
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
The following prerequisites are required to implement BFD:
• If enabling BFD on Multiprotocol Label Switching (MPLS), an installed composite PIE file
including the MPLS package, or a composite-package image is required. For Border Gateway
Protocol (BGP), Intermediate System-to-Intermediate System (IS-IS), Static, and Open Shortest
Path First (OSPF), an installed Cisco IOS XR IP Unicast Routing Core Bundle image is required.
• Interior Gateway Protocol (IGP) is activated on the router if you are using IS-IS or OSPF.
• On the Cisco ASR 9000 Series Router, each line card supporting BFD must be able to perform the
following tasks:
– Send echo packets every 50ms * 3 (as a minimum under normal conditions)
– Send control packets every 150ms * 3 (as a minimum under stress conditions)
– Send and receive up to 9600 User Datagram Protocol (UDP) pps. This sustains 144 sessions at
a 15-ms echo interval (or 1440 sessions at a 150-ms echo interval).
• To enable BFD for a neighbor, the neighbor router must support BFD.
• In Cisco IOS XR releases before Release 3.9.0, we recommended that you configure the local router
ID with the router-id command in global configuration mode prior to setting up a BFD session. If
you did not configure the local router ID, then by default the source address of the IP packet for BFD
echo mode is the IP address of the output interface. Beginning in Cisco IOS XR release 3.9.0 and
later, you can use the echo ipv4 source command to specify the IP address that you want to use as
the source address.
• To support BFD on bundle member links, be sure that the following requirements are met:
– The routers on either end of the bundle are connected back-to-back without a Layer 2 switch in
between.
– For a BFD session to start, any one of the following configurations or states are present on the
bundle member:
Link Aggregation Control Protocol (LACP) Distributing state is reached, –Or–
EtherChannel or POS Channel is configured, –Or–
Hot Standby and LACP Collecting state is reached.
Restrictions for Configuring BFD
These restrictions apply to BFD:
• Demand mode is not supported in Cisco IOS XR software.
• BFD echo mode is not supported for these applications:
– BFD for IPv4 on bundled VLANs
– BFD for IPv6 (global and link-local addressing)
– BFD with uRPF (IPv4 or IPv6)
– Rack reload and online insertion and removal (OIR) when a BFD bundle interface has member
links that span multiple racks
– BFD for Multihop Paths
• BFD for IPv6 has these restrictions:
– BFD for IPv6 is not supported on bundled VLAN interfaces
– BFD for IPv6 static routes, OSPFv3, and BGP are supported by the client
– BFD for IPv6 static routes that have link-local address as the next-hop is not supported
• Only the static, OSPF, and IS-IS applications are supported on BFD over bundled VLANs.
• BFD under BGP with IPv4 over Ethernet VLAN bundle subinterfaces is not supported.
• For BFD on bundle member links, only a single BFD session for each bundle member link is created,
monitored, and maintained for the IPv4 addressing type only. IPv6 and VLAN links in a bundle have
the following restrictions:
– IPv6 states are not explicitly monitored on a bundle member and they inherit the state of the
IPv4 BFD session for that member interface.
– VLAN subinterfaces on a bundle member also inherit the BFD state from the IPv4 BFD session
for that member interface. VLAN subinterfaces are not explicitly monitored on a bundle
member.
• Echo latency detection and echo validation are not supported on bundle interfaces.
• BFD Multihop can be run on any non-default VRF but selective VRF download must be disabled.
For more information on the configuration and commands for selective VRF download, see Cisco
ASR 9000 Series Aggregation Services Router Routing Configuration Guide and Cisco ASR 9000
Aggregation Services Router Routing Command Reference.
Information About BFD
To configure BFD, you should understand these concepts:
• Differences in BFD in Cisco IOS XR Software and Cisco IOS Software, page 652
• BFD Modes of Operation, page 653
• BFD Packet Information, page 653
• BFD for IPv4, page 658
• BFD for IPv6, page 660
• BFD on Bundled VLANs, page 660
• BFD Over Member Links on Link Bundles, page 660
• BFD Multipath Sessions, page 663
Differences in BFD in Cisco IOS XR Software and Cisco IOS Software
If you are already familiar with BFD configuration in Cisco IOS software, be sure to consider the
following differences in BFD configuration in the Cisco IOS XR software implementation:
• In Cisco IOS XR software, BFD is an application that is configured under a dynamic routing
protocol, such as an OSPF or BGP instance. This is not the case for BFD in Cisco IOS software,
where BFD is only configured on an interface.
• In Cisco IOS XR software, a BFD neighbor is established through routing. The Cisco IOS bfd
neighbor interface configuration command is not supported in Cisco IOS XR software.
• Instead of using a dynamic routing protocol to establish a BFD neighbor, you can establish a specific
BFD peer or neighbor for BFD responses in Cisco IOS XR software using a method of static routing
to define that path. In fact, you must configure a static route for BFD if you do not configure BFD
under a dynamic routing protocol in Cisco IOS XR software. For more information, see the
“Enabling BFD on a Static Route” section on page 671.
• A router running BFD in Cisco IOS software can designate a router running BFD in Cisco IOS XR
software as its peer using the bfd neighbor command; the Cisco IOS XR router must use dynamic
routing or a static route back to the Cisco IOS router to establish the peer relationship. See the “BFD
Peers on Routers Running Cisco IOS and Cisco IOS XR Software: Example” section on page 703.
BFD Modes of Operation
Cisco IOS XR software supports the asynchronous mode of operation only, with or without using echo
packets. Asynchronous mode without echo engages various pieces of the packet switching paths on the local
and remote systems. Asynchronous mode with echo is usually considered to provide slightly wider test
coverage, because echo packets are self-destined packets that traverse the same packet switching paths as
normal traffic on the remote system.
BFD echo mode is enabled by default for the following interfaces:
• For IPv4 on member links of BFD bundle interfaces.
• For IPv4 on other physical interfaces whose minimum interval is less than two seconds.
When BFD is running asynchronously without echo packets (Figure 35), the following occurs:
• Each system periodically sends BFD control packets to one another. Packets sent by BFD router
“Peer A” to BFD router “Peer B” have a source address from Peer A and a destination address for
Peer B.
• Control packet streams are independent of each other and do not work in a request/response model.
• If a number of packets in a row are not received by the other system, the session is declared down.
Figure 35 BFD Asynchronous Mode Without Echo Packets
When BFD is running asynchronously with echo packets (Figure 36), the following occurs:
• BFD echo packets are looped back through the forwarding path only of the BFD peer and are not
processed by any protocol stack. So, packets sent by BFD router “Peer A” can be sent with both the
source and destination address of Peer A.
• BFD echo packets are sent in addition to BFD control packets.
Figure 36 BFD Asynchronous Mode With Echo Packets
For more information about control and echo packet intervals in asynchronous mode, see the “BFD
Packet Intervals and Failure Detection” section on page 654.
BFD Packet Information
This section includes the following topics:
• BFD Source and Destination Ports, page 654
• BFD Packet Intervals and Failure Detection, page 654
• Priority Settings for BFD Packets, page 658
BFD Source and Destination Ports
BFD payload control packets are encapsulated in UDP packets, using destination port 3784 and source
port 49152. Even on shared media, like Ethernet, BFD control packets are always sent as unicast packets
to the BFD peer.
Echo packets are encapsulated in UDP packets, as well, using destination port 3785 and source port
3785.
The BFD over bundle member feature increments each byte of the UDP source port on echo packets with
each transmission. The UDP source port ranges from 0xC0C0 to 0xFFFF. For example:
1st echo packet: 0xC0C0
2nd echo packet: 0xC1C1
3rd echo packet: 0xC2C2
The UDP source port is incremented so that sequential echo packets are hashed to different bundle
members.
BFD Packet Intervals and Failure Detection
BFD uses configurable intervals and multipliers to specify the periods at which control and echo packets
are sent in asynchronous mode and their corresponding failure detection.
There are differences in how these intervals and failure detection times are implemented for BFD
sessions running over physical interfaces, and BFD sessions on bundle member links.
BFD Packet Intervals on Physical Interfaces
When BFD is running over physical interfaces, echo mode is used only if the configured interval is less
than two seconds.
BFD sessions running over physical interfaces when echo mode is enabled send BFD control packets at
a slow rate of every two seconds. There is no need to duplicate control packet failure detection at a fast
rate because BFD echo packets are already being sent at fast rates and link failures will be detected when
echo packets are not received within the echo failure detection time.
BFD Packet Intervals on Bundle Member Links
On each bundle member interface, BFD asynchronous mode control packets run at user-configurable
interval and multiplier values, even when echo mode is running.
However, on a bundle member interface when echo mode is enabled, BFD asynchronous mode must
continue to run at a fast rate because one of the requirements of enabling BFD echo mode is that the
bundle member interface is available in BFD asynchronous mode.
The maximum echo packet interval for BFD on bundle member links is the minimum of either 30
seconds or the asynchronous control packet failure detection time.
When echo mode is disabled, the behavior is the same as BFD over physical interfaces, where sessions
exchange BFD control packets at the configured rate.
Control Packet Failure Detection In Asynchronous Mode
Control packet failure in asynchronous mode without echo is detected using the values of the minimum
interval (bfd minimum-interval for non-bundle interfaces, and bfd address-family ipv4
minimum-interval for bundle interfaces) and multiplier (bfd multiplier for non-bundle interfaces, and
bfd address-family ipv4 multiplier for bundle interfaces) commands.
For control packet failure detection, the local multiplier value is sent to the neighbor. A failure detection
timer is started based on (I x M), where I is the negotiated interval, and M is the multiplier provided by
the remote end.
Whenever a valid control packet is received from the neighbor, the failure detection timer is reset. If a
valid control packet is not received from the neighbor within the time period (I x M), then the failure
detection timer is triggered, and the neighbor is declared down.
Echo Packet Failure Detection In Asynchronous Mode
The standard echo failure detection scheme is done through a counter that is based on the value of the
bfd multiplier command on non-bundle interfaces, and the value of the bfd address-family ipv4
multiplier command for bundle interfaces.
This counter is incremented each time the system sends an echo packet, and is reset to zero whenever
any echo packet is received, regardless of the order that the packet was sent in the echo packet stream.
Under ideal conditions, this means that BFD generally detects echo failures that exceed the period of
time (I x M) or (I x M x M) for bundle interfaces, where:
• I—Value of the minimum interval (bfd minimum-interval for non-bundle interfaces, and bfd
address-family ipv4 minimum-interval for bundle interfaces).
• M—Value of the multiplier (bfd multiplier for non-bundle interfaces, and bfd address-family ipv4
multiplier for bundle interfaces) commands.
So, if the system transmits one additional echo packet beyond the multiplier count without receipt of any
echo packets, echo failure is detected and the neighbor is declared down (See Example 2, page 656).
However, this standard echo failure detection does not address latency between transmission and receipt
of any specific echo packet, which can build beyond (I x M) over the course of the BFD session. In this
case, BFD will not declare a neighbor down as long as any echo packet continues to be received within
the multiplier window and resets the counter to zero. Beginning in Cisco IOS XR 4.0.1, you can
configure BFD to measure this latency for non-bundle interfaces. For more information, see Example 3,
page 656 and the “Echo Packet Latency” section on page 657.
Echo Failure Detection Examples
This section provides examples of several scenarios of standard echo packet processing and failure
detection without configuration of latency detection for non-bundle interfaces. In these examples,
consider an interval of 50 ms and a multiplier of 3.
Note The same interval and multiplier counter scheme for echo failure detection is used for bundle interfaces,
but the values are determined by the bfd address-family ipv4 multiplier and bfd address-family ipv4
minimum-interval commands, and use a window of (I x M x M) to detect absence of receipt of echo
packets.
Example 1
The following example shows an ideal case where each echo packet is returned before the next echo is
transmitted. In this case, the counter increments to 1 and is returned to 0 before the next echo is sent, and
no echo failure occurs. As long as the roundtrip delay for echo packets in the session is less than the
minimum interval, this scenario occurs:
Time (T): Echo#1 TX (count = 1)
T + 1 ms: Echo#1 RX (count = 0)
T + 50 ms: Echo#2 TX (count = 1)
T + 51 ms: Echo#2 RX (count = 0)
T + 100 ms: Echo#3 TX (count = 1)
T + 101 ms: Echo#3 RX (count = 0)
T + 150 ms: Echo#4 TX (count = 1)
T + 151 ms: Echo#4 RX (count = 0)
Example 2
The following example shows the absence in return of any echo packets. After the transmission of the
fourth echo packet, the counter exceeds the multiplier value of 3 and echo failure is detected. In this case,
echo failure detection occurs at the 150 ms (I x M) window:
Time (T): Echo#1 TX (count = 1)
T + 50 ms: Echo#2 TX (count = 2)
T + 100 ms: Echo#3 TX (count = 3)
T + 150 ms: Echo#4 TX (count = 4 -> echo failure)
Example 3
The following example shows how roundtrip latency can build beyond (I x M) for any particular echo
packet over the course of a BFD session using the standard echo failure detection, while the delay
between returns of successive echo packets in the session never exceeds the (I x M) window and the
counter never exceeds the multiplier, so the neighbor is not declared down.
Note You can configure BFD to detect roundtrip latency on non-bundle interfaces using the echo latency
detect command beginning in Cisco IOS XR 4.0.1.
Time (T): Echo#1 TX (count = 1)
T + 1 ms: Echo#1 RX (count = 0)
T + 50 ms: Echo#2 TX (count = 1)
T + 51 ms: Echo#2 RX (count = 0)
T + 100 ms: Echo#3 TX (count = 1)
T + 150 ms: Echo#4 TX (count = 2)
T + 151 ms: Echo#3 RX (count = 0; ~50 ms roundtrip latency)
T + 200 ms: Echo#5 TX (count = 1)
T + 250 ms: Echo#6 TX (count = 2)
T + 251 ms: Echo#4 RX (count = 0; ~100 ms roundtrip latency)
T + 300 ms: Echo#7 TX (count = 1)
T + 350 ms: Echo#8 TX (count = 2)
T + 351 ms: Echo#5 RX (count = 0; ~150 ms roundtrip latency)
T + 451 ms: Echo#6 RX (count = 0; ~200 ms roundtrip latency; no failure detection)
T + 501 ms: Echo#7 RX (count = 0; ~200 ms roundtrip latency; no failure detection)
T + 551 ms: Echo#8 RX (count = 0; ~200 ms roundtrip latency; no failure detection)
Looking at the delay between receipt of echo packets for the BFD session, observe that no latency is
beyond the (I x M) window:
Echo#1 RX – Echo#2 RX: 50 ms
Echo#2 RX – Echo#3 RX: 100 ms
Echo#3 RX – Echo#4 RX: 100 ms
Echo#4 RX – Echo#5 RX: 100 ms
Echo#5 RX – Echo#6 RX: 100 ms
Echo#6 RX – Echo#7 RX: 50 ms
Echo#7 RX – Echo#8 RX: 50 ms
Summary of Packet Intervals and Failure Detection Times for BFD on Bundle Interfaces
For BFD on bundle interfaces, with a session interval I and a multiplier M, these packet intervals and
failure detection times apply for BFD asynchronous mode (Table 26):
• Value of I—Minimum period between sending of BFD control packets.
• Value of I x M
– BFD control packet failure detection time.
– Minimum period between sending of BFD echo packets.
The BFD control packet failure detection time is the maximum amount of time that can elapse without
receipt of a BFD control packet before the BFD session is declared down.
• Value of (I x M) x M—BFD echo packet failure detection time. This is the maximum amount of time
that can elapse without receipt of a BFD echo packet (using the standard multiplier counter scheme
as described in Echo Packet Failure Detection In Asynchronous Mode, page 655) before the BFD
session is declared down.
Echo Packet Latency
In Cisco IOS XR software releases prior to Cisco IOS XR 4.0.1, BFD only detects an absence of receipt
of echo packets, not a specific delay for TX/RX of a particular echo packet. In some cases, receipt of
BFD echo packets in general can be within their overall tolerances for failure detection and packet
transmission, but a longer delay might develop over a period of time for any particular roundtrip of an
echo packet (See Example 3, page 656).
Beginning in Cisco IOS XR 4.0.1, you can configure the router to detect the actual latency between
transmitted and received echo packets on non-bundle interfaces and also take down the session when the
latency exceeds configured thresholds for that roundtrip latency. For more information, see the
“Configuring BFD Session Teardown Based on Echo Latency Detection” section on page 685.
Table 26 BFD Packet Intervals and Failure Detection Time Examples on Bundle Interfaces
Columns:
A = Configured async control packet interval (ms) (bfd address-family ipv4 minimum-interval)
B = Configured multiplier (bfd address-family ipv4 multiplier)
C = Async control packet failure detection time (ms) (A x B)
D = Echo packet interval (ms) (the async control packet failure detection time C, capped; see note 1)
E = Echo packet failure detection time (ms) (D x B)
A       B   C       D          E
50      3   150     150        450
75      4   300     300        1200
200     2   400     400        800
2000    3   6000    6000       18000
15000   3   45000   30000 (1)  90000
1. The maximum echo packet interval for BFD on bundle member links is the minimum of either 30 seconds or the
asynchronous control packet failure detection time.
In addition, you can verify that the echo packet path is within specified latency tolerances before starting
a BFD session. With echo startup validation, an echo packet is periodically transmitted on the link while
it is down to verify successful transmission within the configured latency before allowing the BFD
session to change state. For more information, see the “Delaying BFD Session Startup Until Verification
of Echo Path and Latency” section on page 686.
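The counter-based echo failure detection from Examples 1 to 3 and the Table 26 arithmetic, as an added Python model that is not part of this guide or of Cisco IOS XR. The event timelines are constructed from the examples above (I = 50 ms, M = 3); the roundtrip-threshold check is an assumption about how a latency threshold would be applied, not the documented behavior of the echo latency detect command.

```python
from typing import Dict, List, Optional, Tuple

# Constructed timelines, transcribed from Examples 1-3 above: (time_ms, "TX" | "RX", echo_seq)
Event = Tuple[int, str, int]

INTERVAL_MS = 50                      # I
MULTIPLIER = 3                        # M
BUNDLE_MAX_ECHO_INTERVAL_MS = 30_000  # 30 s cap on the echo interval for bundle member links

EXAMPLE_1: List[Event] = [
    (0, "TX", 1), (1, "RX", 1), (50, "TX", 2), (51, "RX", 2),
    (100, "TX", 3), (101, "RX", 3), (150, "TX", 4), (151, "RX", 4),
]
EXAMPLE_2: List[Event] = [(0, "TX", 1), (50, "TX", 2), (100, "TX", 3), (150, "TX", 4)]
EXAMPLE_3: List[Event] = [
    (0, "TX", 1), (1, "RX", 1), (50, "TX", 2), (51, "RX", 2),
    (100, "TX", 3), (150, "TX", 4), (151, "RX", 3),
    (200, "TX", 5), (250, "TX", 6), (251, "RX", 4),
    (300, "TX", 7), (350, "TX", 8), (351, "RX", 5),
    (451, "RX", 6), (501, "RX", 7), (551, "RX", 8),
]


def counter_failure_time(events: List[Event], multiplier: int = MULTIPLIER) -> Optional[int]:
    """Standard echo failure detection: the counter is incremented on every echo TX and
    reset to zero on any echo RX (regardless of which echo came back). Failure is declared
    when the counter exceeds M. Returns the failure time in ms, or None if the session survives."""
    count = 0
    for t, kind, _seq in events:
        if kind == "TX":
            count += 1
            if count > multiplier:
                return t
        else:
            count = 0
    return None


def roundtrip_latencies(events: List[Event]) -> Dict[int, int]:
    """Roundtrip (RX time minus TX time, in ms) for every echo that was returned."""
    sent: Dict[int, int] = {}
    rtt: Dict[int, int] = {}
    for t, kind, seq in events:
        if kind == "TX":
            sent[seq] = t
        elif seq in sent:
            rtt[seq] = t - sent[seq]
    return rtt


def first_latency_violation(events: List[Event], threshold_ms: int) -> Optional[Tuple[int, int]]:
    """Assumed model of per-packet latency detection: report the first returned echo whose
    roundtrip exceeds threshold_ms as (echo_seq, rtt_ms). This is an assumption for illustration,
    not the documented semantics of the echo latency detect command."""
    sent: Dict[int, int] = {}
    for t, kind, seq in events:
        if kind == "TX":
            sent[seq] = t
        elif seq in sent and t - sent[seq] > threshold_ms:
            return seq, t - sent[seq]
    return None


def rx_gaps(events: List[Event]) -> List[int]:
    """Delay between receipt of successive echo packets (the list that follows Example 3)."""
    rx_times = [t for t, kind, _seq in events if kind == "RX"]
    return [later - earlier for earlier, later in zip(rx_times, rx_times[1:])]


def bundle_timers(interval_ms: int, multiplier: int) -> Tuple[int, int, int]:
    """Table 26 arithmetic for bundle interfaces: control failure time I x M, echo interval equal
    to that value but capped at 30 s (footnote 1), echo failure time = echo interval x M."""
    control_fail = interval_ms * multiplier
    echo_interval = min(control_fail, BUNDLE_MAX_ECHO_INTERVAL_MS)
    return control_fail, echo_interval, echo_interval * multiplier


if __name__ == "__main__":
    for name, ev in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)):
        rtt = roundtrip_latencies(ev)
        print(name, "counter failure at:", counter_failure_time(ev),
              "ms; max roundtrip:", max(rtt.values()) if rtt else None, "ms")
    print("Example 3, first roundtrip over I x M x M... threshold 200 ms:",
          first_latency_violation(EXAMPLE_3, 200))
    print("Example 3 RX gaps:", rx_gaps(EXAMPLE_3))
    for i, m in ((50, 3), (75, 4), (200, 2), (2000, 3), (15000, 3)):
        print("Table 26 row", i, m, "->", bundle_timers(i, m))
```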
Priority Settings for BFD Packets
For all interfaces under over-subscription, an internal priority needs to be assigned to remote BFD echo
packets, so that these BFD packets are not overwhelmed by other data packets. In addition, CoS values
need to be set appropriately, so that if there is an intermediate switch, the replies of remote BFD echo
packets are protected from all other packets in the switch.
As configured CoS values in ethernet headers may not be retained in Echo messages, CoS values must
be explicitly configured in the appropriate egress QoS service policy. CoS values for BFD packets
attached to a traffic class can be set using the set cos command. For more information on configuring
class-based unconditional packet marking, see “Configuring Modular QoS Packet Classification” in the
Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Configuration Guide.
BFD for IPv4
Cisco IOS XR software supports bidirectional forwarding detection (BFD) singlehop and multihop for
both IPv4 and IPv6.
In BFD for IPv4 single-hop connectivity, Cisco IOS XR software supports both asynchronous mode and
echo mode over physical numbered Packet-over-SONET/SDH (POS) and Gigabit Ethernet links, as
follows:
• Echo mode is initiated only after a session is established using BFD control packets. Echo mode is
always enabled for BFD bundle member interfaces. For physical interfaces, the BFD minimum
interval must also be less than two seconds to support echo packets.
• BFD echo packets are transmitted over UDP/IPv4 using source and destination port 3785. The
source address of the IP packet is the IP address of the output interface (default) or the address
specified with the router-id command if set or the address specified in the echo ipv4 source
command, and the destination address is the local interface address.
• BFD asynchronous packets are transmitted over UDP and IPv4 using source port 49152 and
destination port 3784. For asynchronous mode, the source address of the IP packet is the local
interface address, and the destination address is the remote interface address.
Note BFD multihop does not support echo mode.
Consider the following guidelines when configuring BFD on Cisco IOS XR software:
• BFD is a fixed-length hello protocol, in which each end of a connection transmits packets
periodically over a forwarding path. Cisco IOS XR software supports BFD adaptive detection times.
• BFD can be used with the following applications:
– BGP
– IS-IS
– OSPF and OSPFv3
– MPLS Traffic Engineering (MPLS-TE)
– Static routes (IPv4 and IPv6)
– Protocol Independent Multicast (PIM)
– Hot Standby Router Protocol (HSRP)
– Virtual Router Redundancy Protocol (VRRP)
Note When multiple applications share the same BFD session, the application with the most aggressive timer
wins locally. Then, the result is negotiated with the peer router.
• BFD is supported for connections over the following interface types:
– Gigabit Ethernet (GigE)
– Ten Gigabit Ethernet (TenGigE)
– Packet-over-SONET/SDH (POS)
– Serial
– Virtual LAN (VLAN)
– Logical interfaces such as bundles, GRE, PWHE
Note BFD is supported on the above interface types and not on logical interfaces unless specifically stated.
For example, BFD cannot be configured on BVI, interflex, satellite, and other interfaces.
• Cisco IOS XR software supports BFD Version 0 and Version 1. BFD sessions are established using
either version, depending upon the neighbor. BFD Version 1 is the default version and is tried
initially for session creation.
BFD for IPv6
Cisco IOS XR software supports bidirectional forwarding detection (BFD) for both IPv4 and IPv6.
Bidirectional forwarding detection (BFD) for IPv6 supports the verification of live connectivity on
interfaces that use IPv6 addresses.
The live connectivity verification for both IPv4 and IPv6 interfaces is performed by the same services
and processes. Both IPv4 and IPv6 BFD sessions can run simultaneously on the same line card.
The same features and configurations that are supported in BFD for IPv4 are also supported in BFD for
IPv6.
BFD on Bundled VLANs
BFD for IPv4 on bundled VLANS is supported using static routing, IS-IS, and OSPF. When running a
BFD session on a bundled VLAN interface, the BFD session is active as long as the VLAN bundle is up.
As long as the VLAN bundle is active, the following events do not cause the BFD session to fail:
• Failure of a component link.
• Online insertion and removal (OIR) of a line card which hosts one or more of the component links.
• Addition of a component link (by configuration) to the bundle.
• Removal of a component link (by configuration) from the bundle.
• Shutdown of a component link.
• RP switchover.
Note For more information on configuring a VLAN bundle, see the Configuring Link Bundling on the
Cisco ASR 9000 Series Router module.
Keep the following in mind when configuring BFD over bundled VLANs:
• In the case of an RP switchover, configured next-hops are registered in the Routing Information Base
(RIB).
• In the case of a BFD restart, static routes remain in the RIB. BFD sessions are reestablished when
BFD restarts.
Note Static BFD sessions are supported on peers with address prefixes whose next-hops are directly connected
to the router.
BFD Over Member Links on Link Bundles
Beginning in Cisco IOS XR Release 4.0.1, the BFD feature supports BFD sessions on individual
physical bundle member links to monitor Layer 3 connectivity on those links, rather than just at a single
bundle member as in prior releases (Figure 37).
Figure 37 BFD Sessions in Original BFD Over Bundles and Enhanced BFD Over Bundle Member
Links Architectures
When you run BFD on link bundles, you can run an independent BFD session on each underlying
physical interface that is part of that bundle.
When BFD is running on a link bundle member, these layers of connectivity are effectively tested as part
of the interface state monitoring for BFD:
• Layer 1 physical state
• Layer 2 Link Aggregation Control Protocol (LACP) state
• Layer 3 BFD state
The BFD agent on each bundle member link monitors state changes on the link. BFD agents for sessions
running on bundle member links communicate with a bundle manager. The bundle manager determines
the state of member links and the overall availability of the bundle. The state of the member links
contributes to the overall state of the bundle based on the threshold of minimum active links or minimum
active bandwidth that is configured for that bundle.
Overview of BFD State Change Behavior on Member Links and Bundle Status
This section describes when bundle member link states are characterized as active or down, and their
effect on the overall bundle status:
• You can configure BFD on a bundle member interface that is already active or one that is inactive.
For the BFD session to be up using LACP on the interface, LACP must have reached the distributing
state.
Note • A BFD member link is “IIR Active” if the link is in LACP distributing state and the BFD session is
up.
• A BFD member link is “IIR Attached” when the BFD session is down, unless a LACP state
transition is received.
• You can configure timers for up to 3600 seconds (1 hour) to allow for delays in receipt of BFD state
change notifications (SCNs) from peers before declaring a link bundle BFD session down. The
configurable timers apply to these situations:
– BFD session startup (bfd address-family ipv4 timers start command)—Number of seconds to
allow after startup of a BFD member link session for the expected notification from the BFD
peer to be received to declare the session up. If the SCN is not received after that period of time,
the BFD session is declared down.
– Notification of removal of BFD configuration by a neighbor (bfd address-family ipv4 timers
nbr-unconfig command)—Number of seconds to allow after receipt of notification that BFD
configuration has been removed by a BFD neighbor so that any configuration inconsistency
between the BFD peers can be fixed. If the BFD configuration issue is not resolved before the
specified timer is reached, the BFD session is declared down.
• A BFD session sends a DOWN notification when one of these occurs:
– The BFD configuration is removed on the local member link.
The BFD system notifies the peer on the neighbor router that the configuration is removed. The
BFD session is removed from the bundle manager without affecting other bundle member
interfaces or the overall bundle state.
– A member link is removed from the bundle.
Removing a member link from a bundle causes the bundle member to be removed ungracefully.
The BFD session is deleted and BFD on the neighboring router marks the session DOWN rather
than NBR_CONFIG_DOWN.
• In these cases, a DOWN notification is not sent, but the internal infrastructure treats the event as if
a DOWN has occurred:
– The BFD configuration is removed on a neighboring router and the neighbor unconfiguration
timer (if configured) expires.
The BFD system notifies the bundle manager that the BFD configuration has been removed on
the neighboring router and, if bfd timers nbr-unconfig is configured on the link, the timer is
started. If the BFD configuration is removed on the local router before the timer expires, then
the timer is stopped and the behavior is as expected for BFD configuration removal on the local
router.
If the timer expires, then the behavior is the same as for a BFD session DOWN notification.
– The session startup timer expires before notification from the BFD peer is received.
• The BFD session on a bundle member sends BFD state change notifications to the bundle manager.
Once BFD state change notifications for bundle member interfaces are received by the bundle
manager, the bundle manager determines whether or not the corresponding bundle interface is
usable.
• A threshold for the minimum number of active member links on a bundle is used by the bundle
manager to determine whether the bundle remains active, or is down based on the state of its member
links. When BFD is started on a bundle that is already active, the BFD state of the bundle is declared
when the BFD state of all the existing active members is known.
Whenever a member’s state changes, the bundle manager determines if the number of active
members is less than the minimum number of active links threshold. If so, then the bundle is placed,
or remains, in DOWN state. Once the number of active links reaches the minimum threshold then
the bundle returns to UP state.
• Another threshold is configurable on the bundle and is used by the bundle manager to determine the
minimum amount of active bandwidth to be available before the bundle goes to DOWN state. This
is configured using the bundle minimum-active bandwidth command.
Configuring Bidirectional Forwarding Detection on the Cisco ASR 9000 Series Router
How to Configure BFD
HC-663
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-02
• The BFD server responds to information from the bundle manager about state changes for the bundle
interface and notifies applications on that interface while also sending system messages and MIB
traps.
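The state-change rules above (session UNKNOWN until the peer's first SCN, bundle state declared only once every monitored member is known, bundle UP only while both minimum-active thresholds hold, startup and nbr-unconfig timers deciding when a silent or unconfigured peer counts as DOWN) are easier to reason about as a small model. The following Python is an added example, not Cisco code; the member names, bandwidths, timer values and the treatment of a neighbor unconfiguration without a timer as an immediate DOWN are this example's own assumptions.

```python
"""Bundle-manager decision model for BFD on Bundle-Ether member links.

Added example, not Cisco code. Models the overview rules: a member's BFD
session is UNKNOWN until the peer's first SCN, the bundle's BFD state is
declared only once every monitored member is known, the bundle is UP only
while both 'bundle minimum-active links' and 'bundle minimum-active
bandwidth' are satisfied, and the startup / nbr-unconfig timers decide when
a silent or unconfigured peer counts as DOWN.
"""
from dataclasses import dataclass
from typing import List, Optional

UP, DOWN, UNKNOWN = "UP", "DOWN", "UNKNOWN"


@dataclass
class Member:
    name: str
    bandwidth_kbps: int
    bfd_enabled: bool = True
    bfd_state: str = UNKNOWN                         # no SCN from the peer yet
    nbr_unconfig_deadline: Optional[float] = None    # set when the peer removed its BFD config

    def is_active(self, now: float) -> bool:
        if not self.bfd_enabled:
            return True   # no local session: judged by link state alone (assumed up here)
        if self.nbr_unconfig_deadline is not None and now >= self.nbr_unconfig_deadline:
            return False  # nbr-unconfig timer expired: treated exactly like a DOWN notification
        return self.bfd_state == UP


def bundle_state(members: List[Member], now: float,
                 min_links: int = 1, min_bandwidth_kbps: int = 1) -> str:
    """Return the state the bundle manager would declare at time `now`."""
    if any(m.bfd_enabled and m.bfd_state == UNKNOWN for m in members):
        return "PENDING"  # declared only when the BFD state of every active member is known
    active = [m for m in members if m.is_active(now)]
    if len(active) < min_links or sum(m.bandwidth_kbps for m in active) < min_bandwidth_kbps:
        return DOWN
    return UP


# Events from the overview, applied to a single member.
def peer_scn(m: Member, state: str) -> None:
    m.bfd_state = state


def start_timer_expired(m: Member) -> None:
    if m.bfd_state == UNKNOWN:       # no SCN within 'timers start': declared down
        m.bfd_state = DOWN


def local_unconfig(m: Member) -> None:
    m.bfd_enabled = False            # session removed; other members and bundle state untouched
    m.nbr_unconfig_deadline = None   # a running nbr-unconfig timer is stopped


def neighbor_unconfig(m: Member, now: float, nbr_unconfig_timer_s: Optional[float]) -> None:
    # Assumption: without 'timers nbr-unconfig' the event counts as DOWN at once;
    # with it, the peers get that many seconds to fix the inconsistency.
    m.nbr_unconfig_deadline = now if nbr_unconfig_timer_s is None else now + nbr_unconfig_timer_s


def demo() -> List[str]:
    """Walk a constructed 3-member bundle through the events; return the declared states."""
    gig0, gig1, gig2 = (Member(f"GigabitEthernet0/0/0/{i}", 1_000_000) for i in range(3))
    members = [gig0, gig1, gig2]
    th = dict(min_links=2, min_bandwidth_kbps=1_500_000)
    trace = [bundle_state(members, 0, **th)]          # PENDING: no SCNs received yet
    peer_scn(gig0, UP)
    peer_scn(gig1, UP)
    start_timer_expired(gig2)                          # gig2 never answered
    trace.append(bundle_state(members, 1, **th))      # UP: two members up
    neighbor_unconfig(gig0, now=1, nbr_unconfig_timer_s=30)
    trace.append(bundle_state(members, 10, **th))     # UP: timer still running
    local_unconfig(gig0)                               # fixed locally before expiry, timer stopped
    trace.append(bundle_state(members, 12, **th))     # UP: gig0 now judged by link state
    peer_scn(gig1, DOWN)
    trace.append(bundle_state(members, 20, **th))     # DOWN: only gig0 active
    peer_scn(gig2, UP)
    trace.append(bundle_state(members, 30, **th))     # UP again
    trace.append(bundle_state(members, 31, min_links=2, min_bandwidth_kbps=2_500_000))  # DOWN
    return trace
```

The last call shows that the bandwidth threshold is checked independently of the link count: two active 1 Gbps members satisfy `minimum-active links 2` but not a 2.5 Gbps bandwidth minimum.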
BFD Multipath Sessions
BFD can be applied over virtual interfaces such as GRE tunnel interfaces and PWHE interfaces, or between
interfaces that are multiple hops apart as described in the BFD for MultiHop Paths section. These types of
BFD sessions are referred to as BFD Multipath sessions.
As long as at least one path to the destination remains active, the following events may or may not cause
the BFD Multipath session to fail; the outcome depends on the negotiated interval compared with the time
the forwarding plane takes to converge:
• Failure of a path
• Online insertion or removal (OIR) of a line card which hosts one or more paths
• Removal of a link (by configuration) which constitutes a path
• Shutdown of a link which constitutes a path
You must configure the bfd multipath include location location-id command to enable at least one line
card for the underlying mechanism that sends and receives packets for the multipath
sessions.
If the line card hosting a BFD Multipath session is removed from the bfd multipath include
configuration, removed online (OIR), or brought into maintenance mode, BFD attempts to migrate all BFD
Multipath sessions hosted on that line card to another one. In that case, the static routes tracked by those
sessions are removed from the RIB, and are added back once each BFD session is established again.
BFD for MultiHop Paths
BFD multihop (BFD-MH) is a BFD session between two addresses that are not on the same subnet. An
example of BFD-MH is a BFD session between PE and CE loopback addresses or BFD sessions between
routers that are several TTL hops away. The applications that support BFD multihop are external and
internal BGP. BFD multihop supports BFD on arbitrary paths, which can span multiple network hops.
The BFD Multihop feature provides sub-second forwarding failure detection for a destination that is more
than one hop, and up to 255 hops, away. The bfd multihop ttl-drop-threshold command can be used to drop
BFD packets coming from neighbors exceeding a certain number of hops, so that packets arriving from
farther away than the expected peer are discarded rather than processed. BFD multihop is supported
on all media types currently supported for BFD singlehop.
Setting up BFD Multihop
A BFD multihop session is set up between a unique source-destination address pair provided by the
client. A session can be set up between any two endpoints that have IP connectivity. For BFD Multihop, IPv4
addresses in both the global routing table and in a VRF are supported.
How to Configure BFD
This section includes these procedures:
• BFD Configuration Guidelines, page 664 (required)
• Configuring BFD Under a Dynamic Routing Protocol or Using a Static Route, page 664 (required)
• Configuring BFD on Bundle Member Links, page 673 (optional)
• Enabling Echo Mode to Test the Forwarding Path to a BFD Peer, page 681 (optional)
• Overriding the Default Echo Packet Source Address, page 681 (optional)
• Configuring BFD Session Teardown Based on Echo Latency Detection, page 685 (optional)
• Delaying BFD Session Startup Until Verification of Echo Path and Latency, page 686 (optional)
• Minimizing BFD Session Flapping Using BFD Dampening, page 692 (optional)
• Disabling Echo Mode, page 689 (optional)
• Clearing and Displaying BFD Counters, page 696 (optional)
BFD Configuration Guidelines
Before you configure BFD, consider the following guidelines:
• FRR/TE, FRR/IP, and FRR/LDP using BFD is supported on POS interfaces and Ethernet interfaces.
• To establish a BFD neighbor in Cisco IOS XR software, BFD must either be configured under a
dynamic routing protocol, or using a static route.
• The maximum rate in packets-per-second (pps) for BFD sessions is linecard-dependent. If you have
multiple linecards supporting BFD, then the maximum rate for BFD sessions per system is the
supported linecard rate multiplied by the number of linecards.
– The maximum rate for BFD sessions per linecard is 9600 pps.
• The maximum number of BFD sessions supported on any one card is 1440.
• The maximum number of members in a bundle is 64.
• The maximum number of BFD sessions on VLANs in a bundle is 128.
• When using BFD with OSPF, consider the following guidelines:
– BFD establishes sessions from a neighbor to a designated router (DR) or backup DR (BDR)
only when the neighbor state is full.
– BFD does not establish sessions between DR-Other neighbors (for example, when their OSPF
states are both 2-way).
Caution If you are using BFD with Unicast Reverse Path Forwarding (uRPF) on a particular interface, then you
need to use the echo disable command to disable echo mode on that interface; otherwise, echo packets
will be rejected. Echo packets are sent with the local router's own address as the source and are looped
back by the peer, so when they return they fail the uRPF source check on the receiving interface. For more
information, see the “Disabling Echo Mode” section on page 689.
To enable or disable IPv4 uRPF checking on an IPv4 interface, use the [no] ipv4 verify unicast source
reachable-via command in interface configuration mode.
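The guideline figures above (per-linecard packet rate and session caps, bundle VLAN limits, the interval and multiplier ranges given in the procedures that follow, the ASR 9000 supported minima on bundle members, and the echo/uRPF conflict) are the kind of thing worth checking mechanically before a commit. The following Python lint is an added example, not Cisco tooling; the `Session` fields, the session kinds, and the per-session rate model (one control packet per minimum-interval, echo traffic not counted) are this example's own assumptions, and the plan it checks is constructed.

```python
"""Pre-commit lint for a planned set of BFD sessions on an ASR 9000.

Added example, not Cisco tooling. Encodes the guideline figures from this
section: 9600 pps and 1440 sessions per linecard, 128 BFD sessions on VLANs in
a bundle, minimum-interval 15-30000 ms with a 50 ms supported minimum on
bundle members, multiplier 2-50 with 3 as the supported minimum on bundle
members, static-route minimum-interval 10-10000 ms and multiplier 1-10,
bundle VLAN sessions no more aggressive than 250 ms x 3, and echo mode
incompatible with uRPF on the same interface.
Assumption: per-session rate = one control packet per interval; echo ignored.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List

MAX_PPS_PER_LC = 9600
MAX_SESSIONS_PER_LC = 1440
MAX_BUNDLE_VLAN_SESSIONS = 128


@dataclass
class Session:
    name: str
    linecard: str        # e.g. "0/1/CPU0"
    kind: str            # "routing" (BGP/OSPF/IS-IS/MPLS-TE), "static", "bundle-member", "bundle-vlan"
    interval_ms: int
    multiplier: int
    echo: bool = True    # echo mode stays on unless 'echo disable' is configured
    urpf: bool = False   # 'ipv4 verify unicast source reachable-via' on the interface
    bundle: str = ""     # owning bundle, for bundle-vlan sessions


def check_session(s: Session) -> List[str]:
    """Range and compatibility checks for one session."""
    issues = []
    if s.kind == "bundle-vlan":
        if s.interval_ms < 250 or s.multiplier < 3:
            issues.append(f"{s.name}: bundle VLAN sessions may not be more aggressive than 250 ms x 3")
    elif s.kind == "static":
        if not 10 <= s.interval_ms <= 10000:
            issues.append(f"{s.name}: static-route minimum-interval must be 10-10000 ms")
        if not 1 <= s.multiplier <= 10:
            issues.append(f"{s.name}: static-route multiplier must be 1-10")
    else:
        if not 15 <= s.interval_ms <= 30000:
            issues.append(f"{s.name}: minimum-interval must be 15-30000 ms")
        if s.kind == "bundle-member":
            if s.interval_ms < 50:
                issues.append(f"{s.name}: supported minimum on ASR 9000 bundle members is 50 ms")
            if not 2 <= s.multiplier <= 50:
                issues.append(f"{s.name}: bundle multiplier must be 2-50")
            elif s.multiplier < 3:
                issues.append(f"{s.name}: supported minimum bundle multiplier is 3")
    if s.echo and s.urpf:
        issues.append(f"{s.name}: echo mode with uRPF; configure 'echo disable' or echo packets are rejected")
    return issues


def lint(sessions: List[Session]) -> List[str]:
    """Per-session checks plus per-linecard and per-bundle capacity checks."""
    issues = [i for s in sessions for i in check_session(s)]
    pps, count, vlan_per_bundle = defaultdict(float), defaultdict(int), defaultdict(int)
    for s in sessions:
        pps[s.linecard] += 1000.0 / s.interval_ms
        count[s.linecard] += 1
        if s.kind == "bundle-vlan":
            vlan_per_bundle[s.bundle] += 1
    for lc in sorted(count):
        if count[lc] > MAX_SESSIONS_PER_LC:
            issues.append(f"{lc}: {count[lc]} sessions exceeds {MAX_SESSIONS_PER_LC}")
        if pps[lc] > MAX_PPS_PER_LC:
            issues.append(f"{lc}: {pps[lc]:.0f} pps exceeds {MAX_PPS_PER_LC}")
    for b, n in vlan_per_bundle.items():
        if n > MAX_BUNDLE_VLAN_SESSIONS:
            issues.append(f"{b}: {n} VLAN sessions exceeds {MAX_BUNDLE_VLAN_SESSIONS}")
    return issues


def sample_plan() -> List[Session]:
    """Constructed plan: one bad entry of each kind plus a linecard over its pps budget."""
    plan = [
        Session("bgp-172.168.40.24", "0/0/CPU0", "routing", 6500, 7),           # ok
        Session("ospf-gi0/3/0/1", "0/3/CPU0", "routing", 50, 3, urpf=True),     # echo + uRPF
        Session("static-2.6.0.1", "0/0/CPU0", "static", 1000, 12),              # multiplier > 10
        Session("be1-gi0/1/0/0", "0/1/CPU0", "bundle-member", 15, 2),           # below supported minima
        Session("be1.100", "0/1/CPU0", "bundle-vlan", 100, 3, bundle="Bundle-Ether1"),  # too aggressive
    ]
    # 1000 sessions at 100 ms on one card: under the 1440-session cap, but 10,000 pps > 9600.
    plan += [Session(f"isis-{i}", "0/2/CPU0", "routing", 100, 3) for i in range(1000)]
    return plan
```

Running `lint(sample_plan())` reports the uRPF conflict, the out-of-range static multiplier, both unsupported minima on the bundle member, the over-aggressive bundle VLAN session, and the 10,000 pps linecard; the 6500 ms BGP session from the procedure below passes.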
Configuring BFD Under a Dynamic Routing Protocol or Using a Static Route
To establish a BFD neighbor, complete at least one of the following procedures to configure BFD under
a dynamic routing protocol or using a static route:
• Enabling BFD on a BGP Neighbor, page 665
• Enabling BFD for OSPF on an Interface, page 667
• Enabling BFD for OSPFv3 on an Interface, page 669
• Enabling BFD on a Static Route, page 671
Enabling BFD on a BGP Neighbor
BFD can be enabled per neighbor, or per interface. This task describes how to enable BFD for BGP on a
neighbor router. To enable BFD per interface, use the steps in the “Enabling BFD for OSPF on an Interface”
section on page 667.
Note BFD neighbor router configuration is supported for BGP only.
SUMMARY STEPS
1. configure
2. router bgp autonomous-system-number
3. bfd minimum-interval milliseconds
4. bfd multiplier multiplier
5. neighbor ip-address
6. remote-as autonomous-system-number
7. bfd fast-detect
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 router bgp autonomous-system-number
Example:
RP/0/RSP0/CPU0:router(config)# router bgp 120
Enters BGP configuration mode, allowing you to
configure the BGP routing process.
Use the show bgp command in EXEC mode to obtain
the autonomous-system-number for the current
router.
Step 3 bfd minimum-interval milliseconds
Example:
RP/0/RSP0/CPU0:router(config-bgp)# bfd
minimum-interval 6500
Sets the BFD minimum interval. Range is 15-30000
milliseconds.
Step 4 bfd multiplier multiplier
Example:
RP/0/RSP0/CPU0:router(config-bgp)# bfd multiplier 7
Sets the BFD multiplier.
Step 5 neighbor ip-address
Example:
RP/0/RSP0/CPU0:router(config-bgp)# neighbor
172.168.40.24
Places the router in neighbor configuration mode for
BGP routing and configures the neighbor IP address
as a BGP peer.
This example configures the IP address
172.168.40.24 as a BGP peer.
Step 6 remote-as autonomous-system-number
Example:
RP/0/RSP0/CPU0:router(config-bgp-nbr)# remote-as
2002
Creates a neighbor and assigns it a remote
autonomous system.
This example configures the remote autonomous
system to be 2002.
Step 7 bfd fast-detect
Example:
RP/0/RSP0/CPU0:router(config-bgp-nbr)# bfd
fast-detect
Enables BFD between the local networking devices
and the neighbor whose IP address you configured to
be a BGP peer in Step 5.
In the example in Step 5, the IP address
172.168.40.24 was set up as the BGP peer. In this
example, BFD is enabled between the local
networking devices and the neighbor 172.168.40.24.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bgp-nbr)# end
or
RP/0/RSP0/CPU0:router(config-bgp-nbr)# commit
Saves configuration changes.
• When you issue the end command, the system
prompts you to commit changes:
Uncommitted changes found, commit them
before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to
the running configuration file, exits the
configuration session, and returns the router
to EXEC mode.
– Entering no exits the configuration session
and returns the router to EXEC mode
without committing the configuration
changes.
– Entering cancel leaves the router in the
current configuration session without
exiting or committing the configuration
changes.
• Use the commit command to save the
configuration changes to the running
configuration file and remain within the
configuration session.
Enabling BFD for OSPF on an Interface
The following procedures describe how to configure BFD for Open Shortest Path First (OSPF) on an
interface. The steps in the procedure are common to the steps for configuring BFD on IS-IS and MPLS-TE;
only the command mode differs.
Note BFD per interface configuration is supported for OSPF, OSPFv3, IS-IS, and MPLS-TE only. For
information about configuring BFD on an OSPFv3 interface, see Enabling BFD for OSPFv3 on an
Interface, page 669.
SUMMARY STEPS
1. configure
2. router ospf process-name
3. bfd minimum-interval milliseconds
4. bfd multiplier multiplier
5. area area-id
6. interface type interface-path-id
7. bfd fast-detect
8. end
or
commit
9. show run router ospf
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 router ospf process-name
Example:
RP/0/RSP0/CPU0:router(config)# router ospf 0
Enters OSPF configuration mode, allowing you to configure
the OSPF routing process.
Use the show ospf command in EXEC mode to obtain the
process-name for the current router.
Note To configure BFD for IS-IS or MPLS-TE, enter the
corresponding configuration mode. For example,
for MPLS-TE, enter MPLS-TE configuration mode.
Step 3 bfd minimum-interval milliseconds
Example:
RP/0/RSP0/CPU0:router(config-ospf)# bfd
minimum-interval 6500
Sets the BFD minimum interval. Range is 15-30000
milliseconds.
This example sets the BFD minimum interval to 6500
milliseconds.
Step 4 bfd multiplier multiplier
Example:
RP/0/RSP0/CPU0:router(config-ospf)# bfd
multiplier 7
Sets the BFD multiplier.
This example sets the BFD multiplier to 7.
Step 5 area area-id
Example:
RP/0/RSP0/CPU0:router(config-ospf)# area 0
Configures an Open Shortest Path First (OSPF) area.
Replace area-id with the OSPF area identifier.
Step 6 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-ospf-ar)#
interface gigabitEthernet 0/3/0/1
Enters interface configuration mode and specifies the
interface name and notation rack/slot/module/port.
• The example indicates a Gigabit Ethernet interface in
modular services card slot 3.
Step 7 bfd fast-detect
Example:
RP/0/RSP0/CPU0:router(config-ospf-ar-if)# bfd
fast-detect
Enables BFD to detect failures in the path between adjacent
forwarding engines.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-ospf-ar-if)# end
or
RP/0/RSP0/CPU0:router(config-ospf-ar-if)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 9 show run router ospf
Example:
RP/0/RSP0/CPU0:router (config-ospf-ar-if)# show
run router ospf
Verify that BFD is enabled on the appropriate interface.
Enabling BFD for OSPFv3 on an Interface
The following procedures describe how to configure BFD for OSPFv3 on an interface. The steps in the
procedure are common to the steps for configuring BFD on IS-IS, and MPLS-TE; only the command mode
differs.
Note BFD per-interface configuration is supported for OSPF, OSPFv3, IS-IS, and MPLS-TE only. For
information about configuring BFD on an OSPF interface, see Enabling BFD for OSPF on an Interface,
page 667.
SUMMARY STEPS
1. configure
2. router ospfv3 process-name
3. bfd minimum-interval milliseconds
4. bfd multiplier multiplier
5. area area-id
6. interface type interface-path-id
7. bfd fast-detect
8. end
or
commit
9. show run router ospfv3
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 router ospfv3 process-name
Example:
RP/0/RSP0/CPU0:router(config)# router ospfv3 0
Enters OSPFv3 configuration mode, allowing you to
configure the OSPFv3 routing process.
Use the show ospfv3 command in EXEC mode to obtain the
process name for the current router.
Note To configure BFD for IS-IS or MPLS-TE, enter the
corresponding configuration mode. For example,
for MPLS-TE, enter MPLS-TE configuration mode.
Step 3 bfd minimum-interval milliseconds
Example:
RP/0/RSP0/CPU0:router(config-ospfv3)# bfd
minimum-interval 6500
Sets the BFD minimum interval. Range is 15-30000
milliseconds.
This example sets the BFD minimum interval to 6500
milliseconds.
Step 4 bfd multiplier multiplier
Example:
RP/0/RSP0/CPU0:router(config-ospfv3)# bfd
multiplier 7
Sets the BFD multiplier.
This example sets the BFD multiplier to 7.
Step 5 area area-id
Example:
RP/0/RSP0/CPU0:router(config-ospfv3)# area 0
Configures an OSPFv3 area.
Replace area-id with the OSPFv3 area identifier.
Step 6 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-ospfv3-ar)#
interface gigabitEthernet 0/1/5/0
Enters interface configuration mode and specifies the
interface name and notation rack/slot/module/port.
• The example indicates a Gigabit Ethernet interface in
modular services card slot 1.
Step 7 bfd fast-detect
Example:
RP/0/RSP0/CPU0:router(config-ospfv3-ar-if)# bfd
fast-detect
Enables BFD to detect failures in the path between adjacent
forwarding engines.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router
(config-ospfv3-ar-if)# end
or
RP/0/RSP0/CPU0:router(config-ospfv3-ar-if)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 9 show run router ospfv3
Example:
RP/0/RSP0/CPU0:router (config-ospfv3-ar-if)#
show run router ospfv3
Verifies that BFD is enabled on the appropriate interface.
Enabling BFD on a Static Route
The following procedure describes how to enable BFD on a static route.
Note Bundle VLAN sessions are restricted to an interval of 250 milliseconds and a multiplier of 3. More
aggressive parameters are not allowed.
SUMMARY STEPS
1. configure
2. router static
3. address-family ipv4 unicast address nexthop bfd fast-detect [minimum-interval interval]
[multiplier multiplier]
4. vrf vrf-name
5. address-family ipv4 unicast address nexthop bfd fast-detect [minimum-interval interval]
[multiplier multiplier]
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 router static
Example:
RP/0/RSP0/CPU0:router(config)# router static
Enters static route configuration mode, allowing you to
configure static routing.
Step 3 address-family ipv4 unicast address nexthop bfd
fast-detect [minimum-interval interval]
[multiplier multiplier]
Example:
RP/0/RSP0/CPU0:router(config-static)#
address-family ipv4 unicast 0.0.0.0/0 2.6.0.1
bfd fast-detect minimum-interval 1000
multiplier 5
Enables BFD fast-detection on the specified IPV4 unicast
destination address prefix and on the forwarding next-hop
address.
Note Include the optional minimum-interval keyword
and argument to set the BFD hello interval used for
this next hop. Replace the interval argument with a
number that specifies the interval in milliseconds.
Range is from 10 through 10000.
Note Include the optional multiplier keyword and
argument to set the detect multiplier used for this
next hop. Replace the multiplier argument with a
number that specifies the detect multiplier. Range is
from 1 through 10.
Note Bundle VLAN sessions are restricted to an interval
of 250 milliseconds and a multiplier of 3. More
aggressive parameters are not allowed.
Step 4 vrf vrf-name
Example:
RP/0/RSP0/CPU0:router(config-static)# vrf vrf1
Specifies a VPN routing and forwarding (VRF) instance,
and enters static route configuration mode for that VRF.
Step 5 address-family ipv4 unicast address nexthop bfd
fast-detect
Example:
RP/0/RSP0/CPU0:router(config-static-vrf)#
address-family ipv4 unicast 0.0.0.0/0 2.6.0.2
Enables BFD fast-detection on the specified IPV4 unicast
destination address prefix and on the forwarding next-hop
address.
Step 6 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-static-vrf)# end
or
RP/0/RSP0/CPU0:router(config-static-vrf)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found. Commit them?
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the user in the same
command mode without committing the
configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
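The procedures above set a minimum-interval and a multiplier on each side independently, but the timers a session actually runs with are negotiated between the peers. The following Python is an added example, not Cisco code, that applies the RFC 5880 asynchronous-mode rules to the values used in this section's configuration examples; the peer names are constructed, and it assumes that on IOS XR the single bfd minimum-interval value is advertised as both the Desired Min TX Interval and the Required Min RX Interval.

```python
"""Negotiated transmit interval and detection time for an asynchronous-mode
BFD session, following RFC 5880 section 6.8. Added example, not Cisco code.

Assumption: the single IOS XR 'bfd minimum-interval' is advertised as both
Desired Min TX Interval and Required Min RX Interval, and 'bfd multiplier' is
the advertised Detect Mult. RFC 5880: each side transmits at
max(own Desired Min TX, peer's Required Min RX) and declares the session down
after (peer's Detect Mult) x (peer's agreed transmit interval) without a
packet. So a side's own multiplier governs how fast the PEER detects a
failure, and the slower side's interval governs both directions.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Peer:
    name: str
    minimum_interval_ms: int   # bfd minimum-interval
    multiplier: int            # bfd multiplier


def negotiate(local: Peer, remote: Peer) -> Dict[str, float]:
    """Timers as seen by `local` once both sides have exchanged control packets."""
    # Each side advertises one value as both TX and RX minimum, so both converge on the larger.
    local_tx_ms = max(local.minimum_interval_ms, remote.minimum_interval_ms)
    remote_tx_ms = max(remote.minimum_interval_ms, local.minimum_interval_ms)
    detection_ms = remote.multiplier * remote_tx_ms   # packets we expect from the remote
    return {
        "tx_interval_ms": local_tx_ms,
        "detection_time_ms": detection_ms,
        "control_pps": 1000.0 / local_tx_ms,          # control packets this side sends per second
    }


def both_views(a: Peer, b: Peer) -> Dict[str, Dict[str, float]]:
    """Negotiated timers from each peer's point of view."""
    return {a.name: negotiate(a, b), b.name: negotiate(b, a)}


def example() -> Dict[str, Dict[str, float]]:
    # Constructed pairing of this section's values: the BGP/OSPF examples use
    # 6500 ms x 7, the static-route example uses 1000 ms x 5.
    return both_views(Peer("bgp-side", 6500, 7), Peer("static-side", 1000, 5))
```

With those values both sides transmit every 6500 ms; the side configured with 1000 ms gains nothing from it, detects a failure only after 7 x 6500 = 45.5 s, and the other side after 5 x 6500 = 32.5 s. A symmetric 50 ms x 3 pairing gives a 150 ms detection time at 20 control packets per second per session, which is what the per-linecard packet-rate guideline has to absorb.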
Configuring BFD on Bundle Member Links
To configure BFD on bundle member links, complete these procedures:
• Prerequisites, page 673 (required)
• Specifying the BFD Destination Address on a Bundle, page 673 (required)
• Enabling BFD Sessions on Bundle Members, page 674 (required)
• Configuring the Minimum Thresholds for Maintaining an Active Bundle, page 675 (optional)
• Configuring BFD Packet Transmission Intervals and Failure Detection Times on a Bundle, page 677
(optional)
• Configuring Allowable Delays for BFD State Change Notifications Using Timers on a Bundle,
page 679 (optional)
Prerequisites
The physical interfaces that are members of a bundle must be directly connected between peer routers
without any switches in between.
Specifying the BFD Destination Address on a Bundle
To specify the BFD destination address on a bundle, complete these steps:
SUMMARY STEPS
1. configure
2. interface Bundle-Ether bundle-id
3. bfd address-family ipv4 destination ip-address
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface Bundle-Ether bundle-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
Bundle-Ether 1
Enters interface configuration mode for the specified bundle
ID.
Step 3 bfd address-family ipv4 destination ip-address
Example:
RP/0/RSP0/CPU0:router(config-if)# bfd
address-family ipv4 destination 10.20.20.1
Specifies the primary IPv4 address assigned to the bundle
interface on a connected remote system, where ip-address is
the 32-bit IP address in dotted-decimal format (A.B.C.D).
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Enabling BFD Sessions on Bundle Members
To enable BFD sessions on bundle member links, complete these steps:
SUMMARY STEPS
1. configure
2. interface Bundle-Ether bundle-id
3. bfd address-family ipv4 fast-detect
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface Bundle-Ether bundle-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
Bundle-Ether 1
Enters interface configuration mode for the specified bundle
ID.
Step 3 bfd address-family ipv4 fast-detect
Example:
RP/0/RSP0/CPU0:router(config-if)# bfd
address-family ipv4 fast-detect
Enables IPv4 BFD sessions on bundle member links.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Minimum Thresholds for Maintaining an Active Bundle
The bundle manager uses two configurable minimum thresholds to determine whether a bundle can be
brought up or remain up, or is down, based on the state of its member links:
• Minimum active number of links
• Minimum active bandwidth available
Whenever the state of a member changes, the bundle manager determines whether the number of active
members or the available bandwidth is less than its minimum. If either is, the bundle is placed, or remains,
in DOWN state. Once both the number of active links and the available bandwidth meet their minimum
thresholds, the bundle returns to the UP state.
To configure minimum bundle thresholds, complete these steps:
SUMMARY STEPS
1. configure
2. interface Bundle-Ether bundle-id
3. bundle minimum-active bandwidth kbps
4. bundle minimum-active links links
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface Bundle-Ether bundle-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
Bundle-Ether 1
Enters interface configuration mode for the specified bundle
ID.
Step 3 bundle minimum-active bandwidth kbps
Example:
RP/0/RSP0/CPU0:router(config-if)# bundle
minimum-active bandwidth 580000
Sets the minimum amount of bandwidth required before a
bundle can be brought up or remain up. The range is from 1
through a number that varies depending on the platform and
the bundle type.
Step 4 bundle minimum-active links links
Example:
RP/0/RSP0/CPU0:router(config-if)# bundle
minimum-active links 2
Sets the number of active links required before a bundle can
be brought up or remain up. The range is from 1 to 32.
Note When BFD is started on a bundle that is already
active, the BFD state of the bundle is declared when
the BFD state of all the existing active members is
known.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring BFD Packet Transmission Intervals and Failure Detection Times on a Bundle
BFD asynchronous packet intervals and failure detection times for BFD sessions on bundle member
links are configured using a combination of the bfd address-family ipv4 minimum-interval and bfd
address-family ipv4 multiplier interface configuration commands on a bundle.
The BFD control packet interval is configured directly using the bfd address-family ipv4
minimum-interval command. The BFD echo packet interval and all failure detection times are
determined by a combination of the interval and multiplier values in these commands. For more
information see the “BFD Packet Intervals and Failure Detection” section on page 654.
To configure the minimum transmission interval and failure detection times for BFD asynchronous mode
control and echo packets on bundle member links, complete these steps:
SUMMARY STEPS
1. configure
2. interface Bundle-Ether bundle-id
3. bfd address-family ipv4 minimum-interval milliseconds
4. bfd address-family ipv4 multiplier multiplier
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface Bundle-Ether bundle-id
Example:
RP/0/RSP0/CPU0:router(config)# interface
Bundle-Ether 1
Enters interface configuration mode for the specified bundle
ID.
Step 3 bfd address-family ipv4 minimum-interval
milliseconds
Example:
RP/0/RSP0/CPU0:router(config-if)#
Note Specifies the minimum interval, in milliseconds, for
asynchronous mode control packets on IPv4 BFD
sessions on bundle member links. The range is from
15 to 30000.Although the command allows you to
configure a minimum of 15 ms, the supported
minium on the Cisco ASR 9000 Series Router is 50
ms.Configuring Bidirectional Forwarding Detection on the Cisco ASR 9000 Series Router
How to Configure BFD
HC-679
Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide
OL-26061-02
Step 4 bfd address-family ipv4 multiplier multiplier
Example:
RP/0/RSP0/CPU0:router(config-if)#
Specifies a number that is used as a multiplier with the minimum interval to determine BFD control and echo packet failure detection times and echo packet transmission intervals for IPv4 BFD sessions on bundle member links. The range is from 2 to 50. The default is 3.
Note Although the command allows you to configure a minimum of 2, the supported minimum is 3.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring Allowable Delays for BFD State Change Notifications Using Timers on a Bundle
The BFD system supports two configurable timers to allow for delays in receipt of BFD SCNs from peers before declaring a BFD session on a link bundle member down:
• BFD session startup
• BFD configuration removal by a neighbor
For more information about how these timers work and other BFD state change behavior, see the “Overview of BFD State Change Behavior on Member Links and Bundle Status” section on page 661.
To configure the timers that allow for delays in receipt of BFD SCNs from peers, complete these steps:
SUMMARY STEPS
1. configure
2. interface Bundle-Ether bundle-id
3. bfd address-family ipv4 timers start seconds
4. bfd address-family ipv4 timers nbr-unconfig seconds
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface Bundle-Ether bundle-id
Example:
RP/0/RSP0/CPU0:router(config)# interface Bundle-Ether 1
Enters interface configuration mode for the specified bundle ID.
Step 3 bfd address-family ipv4 timers start seconds
Example:
RP/0/RSP0/CPU0:router(config-if)#
Specifies the number of seconds after startup of a BFD member link session to wait for the expected notification from the BFD peer to be received, so that the session can be declared up. If the SCN is not received after that period of time, the BFD session is declared down. The range is 60 to 3600. (In Cisco IOS XR Releases 4.0 and 4.0.1, the available minimum is 30, but is not recommended.)
Step 4 bfd address-family ipv4 timers nbr-unconfig seconds
Example:
RP/0/RSP0/CPU0:router(config-if)#
Specifies the number of seconds to wait after receipt of notification that BFD configuration has been removed by a BFD neighbor, so that any configuration inconsistency between the BFD peers can be fixed. If the BFD configuration issue is not resolved before the specified timer is reached, the BFD session is declared down. The range is 30 to 3600.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Enabling Echo Mode to Test the Forwarding Path to a BFD Peer
BFD echo mode is enabled by default for the following interfaces:
• For IPv4 on member links of BFD bundle interfaces.
• For IPv4 on other physical interfaces whose minimum interval is less than two seconds.
Note If you have configured a BFD minimum interval greater than two seconds on a physical interface using the bfd minimum-interval command, then you will need to change the interval to be less than two seconds to support and enable echo mode. This does not apply to bundle member links, which always support echo mode.
Overriding the Default Echo Packet Source Address
If you do not specify an echo packet source address, then BFD uses the IP address of the output interface as the default source address for an echo packet.
In Cisco IOS XR releases before 3.9.0, we recommend that you configure the local router ID using the router-id command to change the default IP address for the echo packet source address to the address specified as the router ID.
Beginning in Cisco IOS XR Release 3.9.0, you can use the echo ipv4 source command in BFD or interface BFD configuration mode to specify the IP address that you want to use as the echo packet source address.
You can override the default IP source address for echo packets for BFD on the entire router, or for a particular interface:
• Specifying the Echo Packet Source Address Globally for BFD, page 682
• Specifying the Echo Packet Source Address on an Individual Interface or Bundle, page 683
Specifying the Echo Packet Source Address Globally for BFD
To specify the echo packet source IP address globally for BFD on the router, complete the following steps:
SUMMARY STEPS
1. configure
2. bfd
3. echo ipv4 source ip-address
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 echo ipv4 source ip-address
Example:
RP/0/RSP0/CPU0:router(config-bfd)# echo ipv4 source 10.10.10.1
Specifies an IPv4 address to be used as the source address in BFD echo packets, where ip-address is the 32-bit IP address in dotted-decimal format (A.B.C.D).
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd)# end
or
RP/0/RSP0/CPU0:router(config-bfd)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Specifying the Echo Packet Source Address on an Individual Interface or Bundle
To specify the echo packet source IP address on an individual BFD interface or bundle, complete the following steps:
SUMMARY STEPS
1. configure
2. bfd
3. interface type interface-path-id
4. echo ipv4 source ip-address
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitEthernet 0/1/5/0
Enters BFD interface configuration mode for a specific interface or bundle. In BFD interface configuration mode, you can specify an IPv4 address on an individual interface or bundle.
Step 4 echo ipv4 source ip-address
Example:
RP/0/RSP0/CPU0:router(config-bfd)# echo ipv4 source 10.10.10.1
Specifies an IPv4 address to be used as the source address in BFD echo packets, where ip-address is the 32-bit IP address in dotted-decimal format (A.B.C.D).
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring BFD Session Teardown Based on Echo Latency Detection
Beginning in Cisco IOS XR 4.0.1, you can configure BFD sessions on non-bundle interfaces to bring
down a BFD session when it exceeds the configured echo latency tolerance.
To configure BFD session teardown using echo latency detection, complete the following steps.
Prerequisites
Before you enable echo latency detection, be sure that your BFD configuration supports echo mode.
Restrictions
Echo latency detection is not supported on bundle interfaces.
SUMMARY STEPS
1. configure
2. bfd
3. echo latency detect [percentage percent-value [count packet-count]]
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 echo latency detect [percentage percent-value [count packet-count]]
Example:
RP/0/RSP0/CPU0:router(config-bfd)# echo latency detect
Enables echo packet latency detection over the course of a BFD session, where:
• percentage percent-value—Specifies the percentage of the echo failure detection time to be detected as bad latency. The range is 100 to 250. The default is 100.
• count packet-count—Specifies a number of consecutive packets received with bad latency that will take down a BFD session. The range is 1 to 10. The default is 1.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd)# end
or
RP/0/RSP0/CPU0:router(config-bfd)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Delaying BFD Session Startup Until Verification of Echo Path and Latency
Beginning in Cisco IOS XR Release 4.0.1, you can verify that the echo packet path is working and within configured latency thresholds before starting a BFD session on non-bundle interfaces.
To configure BFD echo startup validation, complete the following steps.
Prerequisites
Before you enable echo startup validation, be sure that your BFD configuration supports echo mode.
Restrictions
Echo startup validation is not supported on bundle interfaces.
SUMMARY STEPS
1. configure
2. bfd
3. echo startup validate [force]
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 echo startup validate [force]
Example:
RP/0/RSP0/CPU0:router(config-bfd)# echo startup validate
Enables verification of the echo packet path before starting a BFD session, where an echo packet is periodically transmitted on the link to verify successful transmission within the configured latency before allowing the BFD session to change state.
When the force keyword is not configured, the local system performs echo startup validation if the following conditions are true:
• The local router is capable of running echo (echo is enabled for this session).
• The remote router is capable of running echo (the control packet received from the remote system has a non-zero "Required Min Echo RX Interval" value).
When the force keyword is configured, the local system performs echo startup validation if the following conditions are true:
• The local router is capable of running echo (echo is enabled for this session).
• The remote router echo capability is not considered (the control packet received from the remote system has a zero or non-zero "Required Min Echo RX Interval" value).
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bfd)# end
or
RP/0/RSP0/CPU0:router(config-bfd)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
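The force rule above turns on the value of the peer's "Required Min Echo RX Interval" field in its BFD control packet. The following is an added example, not code from this guide or from Cisco: it decodes the RFC 5880 control packet mandatory section from constructed peer packets, applies the startup validation rule for both force settings, and derives the asynchronous-mode detection time from the peer's Detect Mult (the multiplier) and interval fields.

```python
"""Decode a BFD control packet and apply the echo startup validation rule.

Added example (not Cisco code). The layout is the RFC 5880 control packet
mandatory section (24 bytes, network byte order). The peer packets at the
bottom are constructed for this example.
"""
import struct
from typing import Dict

# vers/diag, state/flags, detect mult, length, my disc, your disc,
# desired min TX, required min RX, required min echo RX (intervals in microseconds)
BFD_CTRL = struct.Struct("!BBBBIIIII")
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


def parse_bfd_control(packet: bytes) -> Dict[str, object]:
    """Unpack the mandatory section; reject packets RFC 5880 says to discard."""
    if len(packet) < BFD_CTRL.size:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    (vers_diag, sta_flags, detect_mult, length, my_disc, your_disc,
     des_min_tx, req_min_rx, req_min_echo_rx) = BFD_CTRL.unpack_from(packet)
    auth_present = bool(sta_flags & 0x04)
    if (vers_diag >> 5) != 1:
        raise ValueError("unsupported BFD version")
    if detect_mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    if length < (26 if auth_present else 24) or length > len(packet):
        raise ValueError("Length field inconsistent with the packet")
    return {
        "version": vers_diag >> 5,
        "diag": vers_diag & 0x1F,
        "state": STATE_NAMES[sta_flags >> 6],
        "poll": bool(sta_flags & 0x20),
        "final": bool(sta_flags & 0x10),
        "auth_present": auth_present,
        "detect_mult": detect_mult,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_us": des_min_tx,
        "required_min_rx_us": req_min_rx,
        "required_min_echo_rx_us": req_min_echo_rx,
    }


def build_bfd_control(state: int, detect_mult: int, my_disc: int, your_disc: int,
                      des_min_tx_us: int, req_min_rx_us: int,
                      req_min_echo_rx_us: int) -> bytes:
    """Construct a version-1 control packet with no flags and no authentication section."""
    return BFD_CTRL.pack(1 << 5, state << 6, detect_mult, BFD_CTRL.size,
                         my_disc, your_disc, des_min_tx_us, req_min_rx_us,
                         req_min_echo_rx_us)


def echo_startup_validation_runs(local_echo_enabled: bool, peer_packet: bytes,
                                 force: bool = False) -> bool:
    """The rule from the echo startup validate step: local echo must be enabled;
    without force the peer must also advertise a non-zero Required Min Echo RX
    Interval; with force the peer's value is not considered."""
    if not local_echo_enabled:
        return False
    if force:
        return True
    return parse_bfd_control(peer_packet)["required_min_echo_rx_us"] != 0


def detection_time_us(local_req_min_rx_us: int, peer_packet: bytes) -> int:
    """Asynchronous-mode detection time at the local system (RFC 5880 section 6.8.4):
    peer Detect Mult times the larger of our Required Min RX and the peer's Desired Min TX."""
    peer = parse_bfd_control(peer_packet)
    return peer["detect_mult"] * max(local_req_min_rx_us, peer["desired_min_tx_us"])


# Constructed peer packets: one advertising echo support, one not.
PEER_WITH_ECHO = build_bfd_control(3, 3, 0x1001, 0x2002, 50_000, 50_000, 50_000)
PEER_NO_ECHO = build_bfd_control(3, 3, 0x1001, 0x2002, 50_000, 50_000, 0)

if __name__ == "__main__":
    for name, pkt in (("with echo", PEER_WITH_ECHO), ("no echo", PEER_NO_ECHO)):
        print(name, parse_bfd_control(pkt)["required_min_echo_rx_us"],
              echo_startup_validation_runs(True, pkt),
              echo_startup_validation_runs(True, pkt, force=True),
              detection_time_us(50_000, pkt))
```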
Disabling Echo Mode
BFD does not support asynchronous operation in echo mode in certain environments. Echo mode should
be disabled when using BFD for the following applications or conditions:
• BFD with uRPF (IPv4)
• To support rack reload and online insertion and removal (OIR) when a BFD bundle interface has
member links that span multiple racks.
Note BFD echo mode is automatically disabled for BFD on physical interfaces when the minimum interval is
greater than two seconds. The minimum interval does not affect echo mode on BFD bundle member
links. BFD echo mode is also automatically disabled for BFD on bundled VLANs and IPv6 (global and
link-local addressing).
You can disable echo mode for BFD on the entire router, or for a particular interface:
• Disabling Echo Mode on a Router, page 689
• Disabling Echo Mode on an Individual Interface or Bundle, page 690
Disabling Echo Mode on a Router
To disable echo mode globally on the router complete the following steps:
SUMMARY STEPS
1. configure
2. bfd
3. echo disable
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 echo disable
Example:
RP/0/RSP0/CPU0:router(config-bfd)# echo disable
Disables echo mode on the router.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd)# end
or
RP/0/RSP0/CPU0:router(config-bfd)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Disabling Echo Mode on an Individual Interface or Bundle
The following procedures describe how to disable echo mode on an interface or bundle.
SUMMARY STEPS
1. configure
2. bfd
3. interface type interface-path-id
4. echo disable
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitEthernet 0/1/5/0
Enters BFD interface configuration mode for a specific interface or bundle. In BFD interface configuration mode, you can disable echo mode on an individual interface or bundle.
Step 4 echo disable
Example:
RP/0/RSP0/CPU0:router(config-bfd-if)# echo disable
Disables echo mode on the specified individual interface or bundle.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router (config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Minimizing BFD Session Flapping Using BFD Dampening
To configure BFD dampening to control BFD session flapping, complete the following steps.
SUMMARY STEPS
1. configure
2. bfd
3. dampening [bundle-member]{initial-wait | maximum-wait | secondary-wait} milliseconds
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 dampening [bundle-member]{initial-wait | maximum-wait | secondary-wait} milliseconds
Example:
RP/0/RSP0/CPU0:router(config-bfd)# dampening initial-wait 30000
Specifies delays in milliseconds for BFD session startup to control flapping.
Note The value for maximum-wait should be greater than the value for initial-wait.
Note The dampening values can be defined for bundle member interfaces and for the non-bundle interfaces.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd)# end
or
RP/0/RSP0/CPU0:router(config-bfd)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Enabling and Disabling IPv6 Checksum Support
By default, IPv6 checksum calculations on UDP packets are enabled for BFD on the router.
You can disable IPv6 checksum support for BFD on the entire router, or for a particular interface. These sections describe:
• Enabling and Disabling IPv6 Checksum Calculations for BFD on a Router, page 694
• Enabling and Disabling IPv6 Checksum Calculations for BFD on an Individual Interface or Bundle, page 695
Note The command-line interface (CLI) is slightly different in BFD configuration and BFD interface configuration. For BFD configuration, the disable keyword is not optional. Therefore, to enable BFD configuration in that mode, you need to use the no form of the command.
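The bundle member link, timer, echo latency detection and dampening procedures above each state a CLI range and, in some cases, a lower supported minimum. The following is an added example, not code from this guide or from Cisco: it lints a running-config excerpt against those documented values so that unsupported or out-of-range settings are caught before they are committed (the sample configuration is constructed for the example).

```python
"""Check IOS XR BFD configuration values against the ranges this chapter documents.

Added example (not Cisco code): parses a running-config excerpt and reports
values outside the documented CLI range, values the CLI accepts but the guide
says are below the supported minimum, and dampening maximum-wait not greater
than initial-wait. SAMPLE_CONFIG is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (cli_min, cli_max, supported_min) as stated in the procedures above;
# supported_min is None where the guide gives no separate supported minimum.
RULES: Dict[str, Tuple[int, int, Optional[int]]] = {
    "minimum-interval": (15, 30000, 50),      # ms, bundle member links
    "multiplier": (2, 50, 3),                 # bundle member links
    "timers start": (60, 3600, None),         # seconds
    "timers nbr-unconfig": (30, 3600, None),  # seconds
    "echo latency percentage": (100, 250, None),
    "echo latency count": (1, 10, None),
}

BUNDLE_RE = re.compile(
    r"^\s*bfd address-family ipv4 "
    r"(minimum-interval|multiplier|timers start|timers nbr-unconfig) (\d+)\s*$")
LATENCY_RE = re.compile(
    r"^\s*echo latency detect(?: percentage (\d+))?(?: count (\d+))?\s*$")
DAMPENING_RE = re.compile(
    r"^\s*dampening( bundle-member)? (initial-wait|maximum-wait|secondary-wait) (\d+)\s*$")


@dataclass
class Finding:
    context: str   # "bfd" or the interface line the value sits under
    message: str


def check_range(context: str, name: str, value: int) -> Optional[Finding]:
    """Return a Finding if value breaks the documented range or supported minimum."""
    cli_min, cli_max, supported_min = RULES[name]
    if not cli_min <= value <= cli_max:
        return Finding(context, f"{name} {value} is outside the documented range {cli_min}-{cli_max}")
    if supported_min is not None and value < supported_min:
        return Finding(context, f"{name} {value} is accepted by the CLI but below the supported minimum of {supported_min}")
    return None


def lint_bfd_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    context = "(top level)"
    dampening: Dict[Tuple[str, str], Dict[str, int]] = {}
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            context = line.strip()   # "bfd" or "interface ..." section header
            continue
        m = BUNDLE_RE.match(line)
        if m:
            finding = check_range(context, m.group(1), int(m.group(2)))
            if finding:
                findings.append(finding)
            continue
        m = LATENCY_RE.match(line)
        if m:
            for value, name in ((m.group(1), "echo latency percentage"),
                                (m.group(2), "echo latency count")):
                if value is not None:
                    finding = check_range(context, name, int(value))
                    if finding:
                        findings.append(finding)
            continue
        m = DAMPENING_RE.match(line)
        if m:
            scope = "bundle-member" if m.group(1) else "non-bundle"
            dampening.setdefault((context, scope), {})[m.group(2)] = int(m.group(3))
    # The guide's note: maximum-wait should be greater than initial-wait.
    for (ctx, scope), waits in dampening.items():
        initial, maximum = waits.get("initial-wait"), waits.get("maximum-wait")
        if initial is not None and maximum is not None and maximum <= initial:
            findings.append(Finding(ctx, f"dampening ({scope}) maximum-wait {maximum} "
                                         f"should be greater than initial-wait {initial}"))
    return findings


# Constructed running-config excerpt, deliberately containing several bad values.
SAMPLE_CONFIG = """\
bfd
 echo latency detect percentage 300 count 3
 dampening initial-wait 30000
 dampening maximum-wait 20000
!
interface Bundle-Ether1
 bfd address-family ipv4 minimum-interval 15
 bfd address-family ipv4 multiplier 2
 bfd address-family ipv4 timers start 60
 bfd address-family ipv4 timers nbr-unconfig 20
!
"""

if __name__ == "__main__":
    for f in lint_bfd_config(SAMPLE_CONFIG):
        print(f"{f.context}: {f.message}")
```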
Enabling and Disabling IPv6 Checksum Calculations for BFD on a Router
To enable or disable IPv6 checksum calculations globally on the router complete the following steps:
SUMMARY STEPS
1. configure
2. bfd
3. ipv6 checksum disable
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 ipv6 checksum [disable]
Example:
RP/0/RSP0/CPU0:router(config-bfd-if)# ipv6 checksum disable
Enables IPv6 checksum support on the interface. To disable, use the disable keyword.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd)# end
or
RP/0/RSP0/CPU0:router(config-bfd)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Enabling and Disabling IPv6 Checksum Calculations for BFD on an Individual Interface or Bundle
The following procedures describe how to enable or disable IPv6 checksum calculations on an interface or bundle.
SUMMARY STEPS
1. configure
2. bfd
3. interface type interface-path-id
4. ipv6 checksum [disable]
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 bfd
Example:
RP/0/RSP0/CPU0:router(config)# bfd
Enters BFD configuration mode.
Step 3 interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitEthernet 0/1/5/0
Enters BFD interface configuration mode for a specific interface or bundle.
Step 4 ipv6 checksum [disable]
Example:
RP/0/RSP0/CPU0:router(config-bfd-if)# ipv6 checksum
Enables IPv6 checksum support on the interface. To disable, use the disable keyword.
Step 5 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config-bfd-if)# end
or
RP/0/RSP0/CPU0:router(config-bfd-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Clearing and Displaying BFD Counters
The following procedure describes how to display and clear BFD packet counters. You can clear packet counters for BFD sessions that are hosted on a specific node or on a specific interface.
SUMMARY STEPS
1. show bfd counters packet [interface type interface-path-id] location node-id
2. clear bfd counters packet [interface type interface-path-id] location node-id
DETAILED STEPS
Command or Action Purpose
Step 1 show bfd counters [ipv4 | ipv6 | all] packet [interface type interface-path-id] location node-id
Example:
RP/0/RSP0/CPU0:router# show bfd counters all packet location 0/3/cpu0
Displays the BFD counters for IPv4 packets, IPv6 packets, or all packets.
Step 2 clear bfd counters [ipv4 | ipv6 | all] packet [interface type interface-path-id] location node-id
Example:
RP/0/RSP0/CPU0:router# clear bfd counters all packet location 0/3/cpu0
Clears the BFD counters for IPv4 packets, IPv6 packets, or all packets.
Step 3 show bfd counters [ipv4 | ipv6 | all] packet [interface type interface-path-id] location node-id
Example:
RP/0/RSP0/CPU0:router# show bfd counters all packet location 0/3/cpu0
Verifies that the BFD counters for IPv4 packets, IPv6 packets, or all packets have been cleared.
Configuration Examples for Configuring BFD
This section includes the following BFD configuration examples:
• BFD Over BGP: Example, page 698
• BFD Over OSPF: Examples, page 698
• BFD Over Static Routes: Examples, page 699
• BFD on Bundled VLANs: Example, page 699
• BFD Over Member Links on Link Bundles, page 660
• Echo Packet Source Address: Examples, page 701
• Echo Latency Detection: Examples, page 701
• Echo Startup Validation: Examples, page 702
• BFD Echo Mode Disable: Examples, page 702
• BFD Dampening: Examples, page 702
• BFD IPv6 Checksum: Examples, page 703
• BFD Peers on Routers Running Cisco IOS and Cisco IOS XR Software: Example, page 703
BFD Over BGP: Example
The following example shows how to configure BFD between autonomous system 65000 and neighbor
192.168.70.24:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# router bgp 65000
RP/0/RSP0/CPU0:router(config-bgp)# bfd multiplier 2
RP/0/RSP0/CPU0:router(config-bgp)# bfd minimum-interval 20
RP/0/RSP0/CPU0:router(config-bgp)# neighbor 192.168.70.24
RP/0/RSP0/CPU0:router(config-bgp-nbr)# remote-as 2
RP/0/RSP0/CPU0:router(config-bgp-nbr)# bfd fast-detect
RP/0/RSP0/CPU0:router(config-bgp-nbr)# commit
RP/0/RSP0/CPU0:router(config-bgp-nbr)# end
RP/0/RSP0/CPU0:router# show run router bgp
BFD Over OSPF: Examples
The following example shows how to enable BFD for OSPF on a Gigabit Ethernet interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# router ospf 0
RP/0/RSP0/CPU0:router(config-ospf)# area 0
RP/0/RSP0/CPU0:router(config-ospf-ar)# interface gigabitEthernet 0/3/0/1
RP/0/RSP0/CPU0:router(config-ospf-ar-if)# bfd fast-detect
RP/0/RSP0/CPU0:router(config-ospf-ar-if)# commit
RP/0/RSP0/CPU0:Dec 2 07:06:48.508 : config[65685]: %MGBL-LIBTARCFG-6-COMMIT :
Configuration committed by user 'xxx'. Use 'show configuration commit changes 1000001134'
to view the changes.
RP/0/RSP0/CPU0:router(config-ospf-ar-if)# end
RP/0/RSP0/CPU0:Dec 2 07:06:48.848 : config[65685]: %MGBL-SYS-5-CONFIG_I : Configured from
console by lab
RP/0/RSP0/CPU0:router# show run router ospf
router ospf 0
area 0
interface GigabitEthernet0/3/0/1
bfd fast-detect
The following example shows how to enable BFD for OSPFv3 on a Gigabit Ethernet interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# router ospfv3 0
RP/0/RSP0/CPU0:router(config-ospfv3)# bfd minimum-interval 6500
RP/0/RSP0/CPU0:router(config-ospfv3)# bfd multiplier 7
RP/0/RSP0/CPU0:router(config-ospfv3)# area 0
RP/0/RSP0/CPU0:router(config-ospfv3-ar)# interface gigabitethernet 0/1/5/0
RP/0/RSP0/CPU0:router(config-ospfv3-ar-if)# bfd fast-detect
RP/0/RSP0/CPU0:router(config-ospfv3-ar-if)# commit
RP/0/RSP0/CPU0:router(config-ospfv3-ar-if)# end
RP/0/RSP0/CPU0:router# show run router ospfv3
router ospfv3
 area 0
  interface GigabitEthernet0/1/5/0
   bfd fast-detect
BFD Over Static Routes: Examples
The following example shows how to enable BFD on an IPv4 static route. In this example, BFD sessions
are established with the next-hop 10.3.3.3 when it becomes reachable.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# router static
RP/0/RSP0/CPU0:router(config-static)# address-family ipv4 unicast
RP/0/RSP0/CPU0:router(config-static-afi)# 10.2.2.0/24 10.3.3.3 bfd fast-detect
RP/0/RSP0/CPU0:router(config-static-afi)# end
The following example shows how to enable BFD on an IPv6 static route. In this example, BFD sessions
are established with the next hop 2001:0DB8:D987:398:AE3:B39:333:783 when it becomes reachable.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# router static
RP/0/RSP0/CPU0:router(config-static)# address-family ipv6 unicast
RP/0/RSP0/CPU0:router(config-static-afi)# 2001:0DB8:C18:2:1::F/64 2001:0DB8:D987:398:AE3:B39:333:783 bfd fast-detect minimum-interval 150 multiplier 4
RP/0/RSP0/CPU0:router(config-static-afi)# end
RP/0/RSP0/CPU0:router# show run router static address-family ipv6 unicast
BFD on Bundled VLANs: Example
The following example shows how to configure BFD on bundled VLANs:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface Bundle-ether 1
RP/0/RSP0/CPU0:router(config-if)# bundle maximum-active links 1
RP/0/RSP0/CPU0:router(config-if)# exit
!
RP/0/RSP0/CPU0:router(config)# interface TenGigE 0/1/0/1
RP/0/RSP0/CPU0:router(config-if)# bundle id 1 mode active
RP/0/RSP0/CPU0:router(config-if)# exit
!
RP/0/RSP0/CPU0:router(config)# interface TenGigE 0/2/0/1
RP/0/RSP0/CPU0:router(config-if)# bundle id 1 mode active
RP/0/RSP0/CPU0:router(config-if)# exit
!
RP/0/RSP0/CPU0:router(config)# router static
RP/0/RSP0/CPU0:router(config-static)# address-family ipv4 unicast
RP/0/RSP0/CPU0:router(config-static-afi)# 10.2.1.0/24 172.16.1.2 bfd fast-detect minimum-interval 250
RP/0/RSP0/CPU0:router(config-static-afi)# 10.2.2.0/24 172.16.2.2 bfd fast-detect minimum-interval 250
RP/0/RSP0/CPU0:router(config-static-afi)# 10.2.3.0/24 172.16.3.2 bfd fast-detect minimum-interval 250
RP/0/RSP0/CPU0:router(config-static-afi)# exit
RP/0/RSP0/CPU0:router(config-static)# exit
!
RP/0/RSP0/CPU0:router(config)# interface Bundle-Ether1.2
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.16.2.1 255.255.255.0
RP/0/RSP0/CPU0:router(config-if)# dot1q vlan 2
RP/0/RSP0/CPU0:router(config-if)# exit
!
RP/0/RSP0/CPU0:router(config)# interface Bundle-Ether1.1
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.16.1.1 255.255.255.0
RP/0/RSP0/CPU0:router(config-if)# dot1q vlan 1
BFD on Bundle Member Links: Examples
The following example shows how to configure BFD on member links of Ethernet bundle interfaces:
bfd
 interface Bundle-Ether4
  echo disable
 !
 interface GigabitEthernet0/0/0/2.3
  echo disable
 !
!
interface GigabitEthernet0/0/0/3 bundle id 1 mode active
interface GigabitEthernet0/0/0/4 bundle id 2 mode active
interface GigabitEthernet0/1/0/2 bundle id 3 mode active
interface GigabitEthernet0/1/0/3 bundle id 4 mode active
interface Bundle-Ether1
 ipv4 address 192.168.1.1/30
 bundle minimum-active links 1
!
interface Bundle-Ether1.1
 ipv4 address 192.168.100.1/30
 dot1q vlan 1001
!
interface Bundle-Ether2
 bfd address-family ipv4 destination 192.168.2.2
 bfd address-family ipv4 fast-detect
 bfd address-family ipv4 min 83
 bfd address-family ipv4 mul 3
 ipv4 address 192.168.2.1/30
 bundle minimum-active links 1
!
interface Bundle-Ether3
 bfd address-family ipv4 destination 192.168.3.2
 bfd address-family ipv4 fast-detect
 bfd address-family ipv4 min 83
 bfd address-family ipv4 mul 3
 ipv4 address 192.168.3.1/30
 bundle minimum-active links 1
!
interface Bundle-Ether4
 bfd address-family ipv4 destination 192.168.4.2
 bfd address-family ipv4 fast-detect
 bfd address-family ipv4 min 83
 bfd address-family ipv4 mul 3
 ipv4 address 192.168.4.1/30
 bundle minimum-active links 1
!
interface GigabitEthernet 0/0/0/2
 ipv4 address 192.168.10.1/30
!
interface GigabitEthernet 0/0/0/2.1
 ipv4 address 192.168.11.1/30
 ipv6 address beef:cafe::1/64
 dot1q vlan 2001
!
interface GigabitEthernet 0/0/0/2.2
 ipv4 address 192.168.12.1/30
 dot1q vlan 2002
!
interface GigabitEthernet 0/0/0/2.3
 ipv4 address 192.168.13.1/30
 dot1q vlan 2003
!
router static
 address-family ipv4 unicast
  10.10.11.2/32 192.168.11.2 bfd fast-detect minimum-interval 250 multiplier 3
  10.10.12.2/32 192.168.12.2 bfd fast-detect minimum-interval 250 multiplier 3
  10.10.13.2/32 192.168.13.2 bfd fast-detect minimum-interval 250 multiplier 3
  10.10.100.2/32 192.168.100.2 bfd fast-detect minimum-interval 250 multiplier 3
 !
 address-family ipv6 unicast
  babe:cace::2/128 beef:cafe::2 bfd fast-detect minimum-interval 250 multiplier 3
 !
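A configuration audit helper, added here as an example and not part of the Cisco guide: it reads the BFD-related parts of an IOS XR running configuration in the form shown above (the global bfd block, bfd address-family commands on bundle interfaces, and static routes with bfd fast-detect), lists each session with its timers and the resulting detection time (minimum-interval x multiplier), and flags sessions whose interface has echo mode disabled. The sample configuration it carries is constructed from the example above, and the parser only understands the command forms used on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in running-config form (one leading space per nesting level).
SAMPLE_CONFIG = """\
bfd
 interface Bundle-Ether4
  echo disable
 !
!
interface Bundle-Ether2
 bfd address-family ipv4 destination 192.168.2.2
 bfd address-family ipv4 fast-detect
 bfd address-family ipv4 min 83
 bfd address-family ipv4 mul 3
!
interface Bundle-Ether4
 bfd address-family ipv4 destination 192.168.4.2
 bfd address-family ipv4 fast-detect
 bfd address-family ipv4 min 83
 bfd address-family ipv4 mul 3
!
router static
 address-family ipv4 unicast
  10.10.11.2/32 192.168.11.2 bfd fast-detect minimum-interval 250 multiplier 3
 !
!
"""

@dataclass
class BfdSession:
    kind: str              # "bundle" or "static"
    source: str            # bundle interface name, or the static route prefix
    destination: str       # BFD peer (bundle) or next hop (static route)
    min_interval_ms: Optional[int]
    multiplier: Optional[int]
    echo_disabled: bool

    @property
    def detect_time_ms(self) -> Optional[int]:
        # Failure detection time = minimum-interval x multiplier (None when timers are defaulted)
        if self.min_interval_ms is None or self.multiplier is None:
            return None
        return self.min_interval_ms * self.multiplier

STATIC_RE = re.compile(r"^(?P<prefix>\S+)\s+(?P<nexthop>\S+)\s+bfd\s+fast-detect"
                       r"(?:\s+minimum-interval\s+(?P<min>\d+))?(?:\s+multiplier\s+(?P<mul>\d+))?$")
BUNDLE_RE = re.compile(r"^bfd address-family ipv4 (\S+)(?:\s+(\S+))?$")

def _top_level_blocks(config_text):
    """Split the config into (header, [(indent, line), ...]) per top-level command."""
    blocks = []
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            blocks.append((text, []))
        else:
            blocks[-1][1].append((indent, text))
    return blocks

# "interface GigabitEthernet 0/0/0/2" and "interface GigabitEthernet0/0/0/2" name the same port
_ifname = lambda command: command.split(None, 1)[1].replace(" ", "")

def audit_bfd(config_text: str) -> List[BfdSession]:
    blocks = _top_level_blocks(config_text)
    # Global "bfd" block: "echo disable" under an interface, or router-wide (keyed as None)
    echo_off, current = set(), None
    for indent, line in next((body for hdr, body in blocks if hdr == "bfd"), []):
        if line.startswith("interface "):
            current = _ifname(line)
        elif line == "echo disable":
            echo_off.add(current if indent > 1 else None)
    sessions = []
    for header, body in blocks:
        if header.startswith("interface Bundle-Ether"):
            name, dest, mn, ml, fast = _ifname(header), None, None, None, False
            for _, line in body:
                m = BUNDLE_RE.match(line)
                key, val = m.groups() if m else (None, None)
                if key == "destination":
                    dest = val
                elif key == "fast-detect":
                    fast = True
                elif key and "minimum-interval".startswith(key):   # "min" abbreviation
                    mn = int(val)
                elif key and "multiplier".startswith(key):         # "mul" abbreviation
                    ml = int(val)
            if fast and dest:
                sessions.append(BfdSession("bundle", name, dest, mn, ml,
                                           None in echo_off or name in echo_off))
        elif header == "router static":
            for _, line in body:
                m = STATIC_RE.match(line)
                if m:   # egress interface is not known from the config alone: report router-wide echo state only
                    sessions.append(BfdSession("static", m["prefix"], m["nexthop"],
                                               int(m["min"]) if m["min"] else None,
                                               int(m["mul"]) if m["mul"] else None,
                                               None in echo_off))
    return sessions
```

With the sample, Bundle-Ether4 is reported with echo disabled and a 249 ms detection time, while the static route to 192.168.11.2 detects in 750 ms.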
Echo Packet Source Address: Examples
The following example shows how to specify the IP address 10.10.10.1 as the source address for BFD
echo packets for all BFD sessions on the router:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo ipv4 source 10.10.10.1
The following example shows how to specify the IP address 10.10.10.1 as the source address for BFD
echo packets on an individual Gigabit Ethernet interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitethernet 0/1/0/0
RP/0/RSP0/CPU0:router(config-bfd-if)# echo ipv4 source 10.10.10.1
The following example shows how to specify the IP address 10.10.10.1 as the source address for BFD
echo packets on an individual Packet-over-SONET (POS) interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# interface pos 0/1/0/0
RP/0/RSP0/CPU0:router(config-bfd-if)# echo ipv4 source 10.10.10.1
Echo Latency Detection: Examples
In the following examples, consider that the BFD minimum interval is 50 ms, and the multiplier is 3 for
the BFD session.
The following example shows how to enable echo latency detection using the default values of 100% of
the echo failure period (I x M) for a packet count of 1. In this example, when one echo packet is detected
with a roundtrip delay greater than 150 ms, the session is taken down:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo latency detect
The following example shows how to enable echo latency detection based on 200% (two times) of the
echo failure period for a packet count of 1. In this example, when one packet is detected with a roundtrip
delay greater than 300 ms, the session is taken down:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo latency detect percentage 200
The following example shows how to enable echo latency detection based on 100% of the echo failure
period for a packet count of 3. In this example, when three consecutive echo packets are detected with a
roundtrip delay greater than 150 ms, the session is taken down:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo latency detect percentage 100 count 3
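The three echo latency detection cases above, worked as an added example that is not Cisco code: a small model that derives the threshold as percentage/100 of the echo failure period (I x M) and reports when count consecutive echo packets exceed it, using the 50 ms interval and multiplier 3 assumed in this section. That over-threshold packets are counted as a consecutive run which a good packet resets is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class EchoLatencyPolicy:
    """Parameters of 'echo latency detect [percentage P] [count N]' (modelled, not Cisco code)."""
    min_interval_ms: int    # I: BFD minimum interval of the session
    multiplier: int         # M: BFD multiplier of the session
    percentage: int = 100   # percentage of the echo failure period used as the threshold
    count: int = 1          # consecutive over-threshold echo packets before the session goes down

    @property
    def failure_period_ms(self) -> int:
        # Echo failure period I x M: 50 ms x 3 = 150 ms for the session in this section
        return self.min_interval_ms * self.multiplier

    @property
    def threshold_ms(self) -> float:
        # 100% -> 150 ms, 200% -> 300 ms
        return self.failure_period_ms * self.percentage / 100

def evaluate_echo_rtts(policy: EchoLatencyPolicy, rtts_ms: List[float]) -> Tuple[bool, Optional[int]]:
    """Feed measured echo round-trip times to the policy.

    Returns (session_down, index): index is the position of the packet that completed
    the run of `count` consecutive over-threshold packets, or None if the session stays up.
    Assumption: a packet within the threshold resets the consecutive count.
    """
    consecutive = 0
    for i, rtt in enumerate(rtts_ms):
        if rtt > policy.threshold_ms:
            consecutive += 1
            if consecutive >= policy.count:
                return True, i
        else:
            consecutive = 0
    return False, None

if __name__ == "__main__":
    # Constructed round-trip samples for the three cases in this section
    default = EchoLatencyPolicy(min_interval_ms=50, multiplier=3)
    print(evaluate_echo_rtts(default, [120, 160]))                       # down on the 160 ms packet
    print(evaluate_echo_rtts(default.__class__(50, 3, 200), [250, 310]))  # 200%: down only above 300 ms
    print(evaluate_echo_rtts(EchoLatencyPolicy(50, 3, 100, 3), [160, 170, 140, 160, 170]))  # stays up
```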
Echo Startup Validation: Examples
The following example shows how to enable echo startup validation for BFD sessions on non-bundle
interfaces if the last received control packet contains a non-zero “Required Min Echo RX Interval” value:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo startup validate
The following example shows how to enable echo startup validation for BFD sessions on non-bundle
interfaces regardless of the “Required Min Echo RX Interval” value in the last control packet:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo startup validate force
BFD Echo Mode Disable: Examples
The following example shows how to disable echo mode on a router:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# echo disable
The following example shows how to disable echo mode on an interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitethernet 0/1/0/0
RP/0/RSP0/CPU0:router(config-bfd-if)# echo disable
BFD Dampening: Examples
The following example shows how to configure an initial and maximum delay for BFD session startup
on BFD bundle members:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# dampening bundle-member initial-wait 8000
RP/0/RSP0/CPU0:router(config-bfd)# dampening bundle-member maximum-wait 15000
The following example shows how to change the default initial-wait for BFD on a non-bundle interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# dampening initial-wait 30000
RP/0/RSP0/CPU0:router(config-bfd)# dampening maximum-wait 35000
BFD IPv6 Checksum: Examples
The following example shows how to disable IPv6 checksum calculations for UDP packets for all BFD
sessions on the router:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# ipv6 checksum disable
The following example shows how to reenable IPv6 checksum calculations for UDP packets for all BFD
sessions on the router:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# no ipv6 checksum disable
The following example shows how to enable IPv6 checksum calculations for UDP packets for BFD sessions on an
individual interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitethernet 0/1/0/0
RP/0/RSP0/CPU0:router(config-bfd-if)# ipv6 checksum
The following example shows how to disable IPv6 checksum calculations for UDP packets for BFD sessions on an
individual interface:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# bfd
RP/0/RSP0/CPU0:router(config-bfd)# interface gigabitethernet 0/1/0/0
RP/0/RSP0/CPU0:router(config-bfd-if)# ipv6 checksum disable
BFD Peers on Routers Running Cisco IOS and Cisco IOS XR Software: Example
The following example shows how to configure BFD on a router interface on Router 1 that is running
Cisco IOS software, and use the bfd neighbor command to designate the IP address 192.0.2.1 of an
interface as its BFD peer on Router 2. Router 2 is running Cisco IOS XR software and uses the router
static command and address-family ipv4 unicast command to designate the path back to Router 1’s
interface with IP address 192.0.2.2.
Router 1 (Cisco IOS software)
Router# configure
Router(config)# interface GigabitEthernet8/1/0
Router(config-if)# description to-TestBed1 G0/0/0/0
Router(config-if)# ip address 192.0.2.2 255.255.255.0
Router(config-if)# bfd interval 100 min_rx 100 multiplier 3
Router(config-if)# bfd neighbor 192.0.2.1
Router 2 (Cisco IOS XR Software)
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# router static
RP/0/RSP0/CPU0:router(config-static)# address-family ipv4 unicast
RP/0/RSP0/CPU0:router(config-static-afi)# 10.10.10.10/32 192.0.2.2 bfd fast-detect
RP/0/RSP0/CPU0:router(config-static-afi)# exit
RP/0/RSP0/CPU0:router(config-static)# exit
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/0/0/0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 192.0.2.1 255.255.255.0
Where to Go Next
BFD is supported over multiple platforms. For more detailed information about these commands, see the
related chapters in the corresponding Cisco IOS XR Routing Command Reference and Cisco IOS XR
MPLS Command Reference for your platform at:
http://www.cisco.com/en/US/products/ps5845/prod_command_reference_list.html
• BGP Commands on Cisco IOS XR Software
• IS-IS Commands on Cisco IOS XR Software
• OSPF Commands on Cisco IOS XR Software
• Static Routing Commands on Cisco IOS XR Software
• MPLS Traffic Engineering Commands on Cisco IOS XR Software
Additional References
The following sections provide references related to implementing BFD for Cisco IOS XR software.
Related Documents
Related Topic: BFD commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS XR Interface and Hardware Command Reference
Related Topic: Configuring QoS packet classification
Document Title: Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Configuration Guide
Standards
Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
RFCs
rfc5880_bfd_base: Bidirectional Forwarding Detection, June 2010
rfc5881_bfd_ipv4_ipv6: BFD for IPv4 and IPv6 (Single Hop), June 2010
rfc5883_bfd_multihop: BFD for Multihop Paths, June 2010
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Configuring the Satellite Network Virtualization (nV) System on the Cisco ASR 9000 Series Router
This module describes the configuration of the Satellite Network Virtualization system on the
Cisco ASR 9000 Series Aggregation Services Routers.
Feature History for Configuring Satellite System on Cisco ASR 9000 Series Router
Contents
• Prerequisites for Configuration, page 708
• Overview of Satellite nV Switching System, page 708
• Overview of Port Extender Model, page 710
• Implementing a Satellite nV System, page 714
• Upgrading and Managing Satellite nV Software, page 722
• Configuration Examples for Satellite nV System, page 728
• Additional References, page 730
Release 4.2.1 - Support for Satellite Network Virtualization (Satellite nV) Service was included on the Cisco ASR 9000 Series Router.
Prerequisites for Configuration
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring the Satellite nV system, you must have this hardware and software installed in your
chassis:
• Hardware: Cisco ASR 9000 Series Aggregation Services Routers with ASR 9000 Enhanced
Ethernet line cards as the location of Inter Chassis Links and Cisco ASR9000v routers as Satellite
boxes.
• Software: Cisco IOS XR Software Release 4.2.1 or later on Cisco ASR 9000 Series Router.
The Satellite nV solution uses the Cisco ASR 9000v as the initial satellite switch. For more information
on hardware requirements, see Cisco ASR 9000 Series Aggregation Services Router Hardware
Installation Guide.
Overview of Satellite nV Switching System
The Cisco ASR 9000 Series Router Satellite Network Virtualization (nV) service or the Satellite
Switching System enables you to configure a topology in which one or more satellite switches
complement one or more Cisco ASR 9000 Series routers, to collectively realize a single virtual switching
system. In this system, the satellite switches act under the management control of the
Cisco ASR 9000 Series Aggregation Services Routers. The complete configuration and management of
the satellite chassis and features is performed through the control plane and management plane of the
Cisco ASR 9000 Series Router.
Interconnection between the Cisco ASR 9000 Series Router and its satellite switches is through standard
ethernet interfaces. These are typically 10 Gigabit Ethernet initially but not restricted to any particular
flavor or line speed of ethernet. See Figure 38.
Figure 38 Cisco ASR 9000 Series Satellite Switching System
[Figure: three Satellite Shelf units, each connected to the ASR 9000 by N x 10-GE links]
This type of architecture can be realized in a carrier Ethernet transport network, with the satellite
switches used as either access switches, or pre-aggregation and aggregation switches. These switches
feed into an edge router, such as the Cisco ASR 9000 Series Router or Cisco CRS-3 Router where more
advanced L2, L3 services are provisioned.
You can also utilize this model in an FTTB (Fiber To The Business) network application, where business
internet and VPN services are offered on a commercial basis. Further, it can also be used in other
networks, such as wireless/RAN backhaul aggregation networks.
Benefits of Satellite nV System
The Cisco ASR 9000 Series satellite nV system offers these benefits:
1. Extended port scalability and density - You can create a virtual line card with more than 400
physical Gigabit Ethernet ports. There is a significant increase of Ethernet port density in the
resulting logical Cisco ASR 9000 Series Router. For example, a single 24-port TenGigE line card
on the Cisco ASR 9000 Series Router could integrate up to 24 satellite switches each with 44 GigE
ports; this results in an effective port density of 1056 Gigabit Ethernet ports for each Cisco ASR
9000 Series line card slot. In other configurations, even higher port density can be achieved. This is
beneficial because the Cisco ASR 9000 Series Router has a per-slot non-blocking capacity of up to
400 Gbps (with appropriate RSPs) and there is no other way of physically fitting hundreds of Gigabit
Ethernet ports/SFPs on the face plate of a single Cisco ASR 9000 Series line card. As a result, in
order to utilize the full capacity of a Cisco ASR 9000 Series line card, it is necessary to physically
separate out the Ethernet ports, while maintaining logical management control. This would appear
as if all ports were physically on a single large line card of the Cisco ASR 9000 Series Router.
2. Reduced cost - All the edge-routing capabilities and application features of the Cisco IOS XR
software are available on low cost access switches.
3. Reduced operating expense - You can seamlessly upgrade software images, and also manage the
chassis and services from a common point. This includes a single logical router view, single point
of applying CLI or XML interface for the entire system of switches, a single point of monitoring the
entire system of switches and a single point of image management and software upgrades for the
entire system.
4. Enhanced feature consistency - All the features on the regular GigE ports of
Cisco ASR 9000 Series Router are also available on the access ports of a satellite access switch in
a functionally identical and consistent manner. The typical application of a satellite system would
be in the access and aggregation layers of a network. By integrating the access switches along with
the aggregation or core switch, you can ensure that there are no feature gaps between the access
switch and the aggregation or core switch. All features, such as carrier ethernet features, QoS and
OAM, function consistently, from access to core, because of this integrated approach.
5. Improved feature velocity - With the satellite solution, every feature that is implemented on the
Cisco ASR9000 Series Router becomes instantly available at the same time in the access switch,
resulting in an ideal feature velocity for the edge switch.
6. Better resiliency - The nV satellite solution enables better multi-chassis resiliency, as well as better
end-to-end QoS. For more information on QoS capabilities, see Cisco ASR 9000 Series Aggregation
Services Router QoS Configuration Guide.
Overview of Port Extender Model
In the Port Extender Satellite switching system, a satellite switch is attached to its parent
Cisco ASR 9000 Series Router through physical ethernet ports.
Note In releases later than Cisco IOS XR Software Release 4.2.1, attachment models beyond the port extender
model will also be supported.
The parent Cisco ASR 9000 Series Router is referred to as the host in this model. From a management or
a provisioning point of view, the physical access ports of the satellite switch are equivalent to the
physical Ethernet ports on the Cisco ASR9000 Series Router. You do not need a specific console
connection for managing the Satellite Switching System, except for debugging purposes. The interface
and chassis level features of the satellite are visible in the control plane of Cisco IOS XR software
running on the host. This allows the complete management of the satellites and the host as a single
logical router.
Figure 39 Port Extender Satellite Switching System
In this model, a single Cisco ASR 9000 Series Router hosts two satellite switches, SAT1 and SAT2, to
form an overall virtual Cisco ASR 9000 switching system; this is shown by the dotted line surrounding
the Cisco ASR 9000 Series Router, SAT1, and SAT2 in Figure 39.
This structure effectively appears as a single logical Cisco ASR 9000 Series Router to the external
network. External access switches A1, A2 and A3 connect to this overall virtual switch by physically
connecting to SAT1 and SAT2 using normal Ethernet links. The links between the satellite switches and
the Cisco ASR 9000 Series Router are Ethernet links, and are referred to as ICLs (Inter-Chassis Links). The
Cisco ASR 9000 Series Router is referred to as the host in this system. When there is congestion on the
inter-chassis links, an inbuilt QoS protection mechanism is available for the traffic.
[Figure 39: access switches A1 and A2 (Access LAG1, LAG2) and A3; satellites SAT1 and SAT2; an "Unprotected" IC link and a "Protected" IC link to line cards LC1 and LC2 of the HOST ASR 9K (single chassis or cluster); the whole forms the Virtual ASR9K Switching System]
Note SAT1, SAT2, and the host Cisco ASR 9000 Series Router need not be located in the same geographic
location. This means that the ICLs need not be of nominal length for only intra-location or intra-building
use. The ICLs may be tens, hundreds, or even thousands of miles in length, thereby creating a logical
satellite switch spanning a large geography.
Note In a Cisco ASR 9000 Series Router multi-chassis cluster system, there are multiple Cisco ASR 9000
Series Router systems within a single virtual switch system. Logically however, it is still considered a
single host system.
Features Supported in the Satellite nV System
This section provides details of the features of a satellite system.
Satellite System Physical Topology
The satellite system supports the point-to-point hub and spoke physical topology for the ICLs between
satellite switches and the host Cisco ASR 9000 Series Router. This topology allows a physical Ethernet
MAC layer connection from the satellite to the Cisco ASR 9000 Series Router. This can be realized
using a direct Ethernet over Fiber or Ethernet over Optical transport (such as Ethernet over a SONET/
SDH/ CWDM/ DWDM network).
This topology also allows a satellite switch to be geographically at a separate location, other than that of
the host Cisco ASR 9000 Series Router. There is no limit set for the distance, and the solution works
even when the satellite is placed at a distance of tens, hundreds, or even thousands of miles from the host.
Inter-Chassis Link Redundancy Modes and Load Balancing
The Cisco ASR 9000 Series Satellite system supports these redundancy modes:
• Non-redundant inter-chassis links mode - In this mode, there is no link level redundancy between
inter-chassis links of a satellite.
• Redundant inter-chassis links mode - In this mode, link level redundancy between the
inter-chassis links is provided using a single link aggregation (LAG) bundle.
In the redundant ICL mode, the load balancing of traffic between members of the IC bundle is done using
a simple hashing function based on the satellite access port ID, and not based on the flow based hash
using L2 or L3 header contents from the packets. This ensures that a single ICL is used by all packets
for a given satellite access port. As a result, the actions applied for QoS and other features consider all
the packets belonging to a single satellite access port.
For more details on QoS application and configuration on ICLs, see Cisco ASR 9000 Series Aggregation
Services Router Modular Quality of Service Configuration Guide.
Satellite Discovery and Control Protocols
A Cisco proprietary discovery and control protocol is used between the satellite switches and the host
Cisco ASR 9000 Series Router devices, to handle discovery, provisioning, and monitoring of the
satellite devices from the host Cisco ASR 9000 Series Satellite System in-band over the ICLs. The
Satellite Discovery And Control (SDAC) Protocol provides the behavioural, semantic, and syntactic
definition of the relationship between a satellite device and its host.
Satellite Discovery and Control Protocol IP Connectivity
The connectivity for the SDAC protocol is provided through a normal in-band IP routed path over the
ICLs using private and public IP addresses appropriate for the carrier's network.
You can configure a management IP address on the host CLI for each satellite switch and corresponding
IP addresses on the ICLs. You can select addresses from the private IPv4 address space (for example,
10.0.0.0/8 or 192.1.168.0/24) in order to prevent any conflict with normal service level IPv4 addresses
being used in the IPv4 FIB. You can also configure a private VRF that is used for only satellite
management traffic, so that the IP addresses assigned to the satellites can be within this private VRF.
This reduces the risk of address conflict or IP address management complexity compared to other IP
addresses and VRFs that are used on the router.
Layer-2 and L2VPN Features
All L2 and L2VPN features that are supported on physical ethernet or bundle ethernet interfaces are also
supported on Satellite Ethernet interfaces. For more details on L2VPN features supported on the Cisco
ASR 9000 Series Satellite System, see Cisco ASR 9000 Series Aggregation Services Router L2VPN and
Ethernet Services Configuration Guide.
Layer-3 and L3VPN Features
All MPLS L3VPN features that are supported on ethernet interfaces such as GRE, netflow, and so on,
are also supported on the Cisco ASR 9000 Series Satellite System. For more information on these
features, see Cisco ASR 9000 Series Aggregation Services Router MPLS Layer 3 VPN Configuration
Guide and Cisco ASR 9000 Series Aggregation Services Router Netflow Configuration Guide.
Layer-2 and Layer-3 Multicast Features
All Layer-2 and Layer-3 multicast features, including IGMP, IGMP snooping, PIM, mLDP, MVPN,
P2MP TE, are supported on Satellite Ethernet interfaces, as they are supported on normal Ethernet and
bundle ethernet interfaces. For more information on these features supported on a satellite system, see
Cisco ASR 9000 Series Aggregation Services Routers Multicast Configuration Guide.
Quality of Service
Most Layer-2, Layer-3 QoS and ACL features are supported on Satellite Ethernet interfaces in the same
way as on normal physical Ethernet interfaces, with the exception of any ingress policy with a queueing
action. However, for QoS there may be some functional differences in behavior, because in
Cisco IOS XR Software Release 4.2.1 user-configured MQC policies are applied on the
Cisco ASR 9000 Series Router, and not on the satellite switch interfaces. For more detailed information
on QoS policy attributes, features, and their configuration, see Cisco ASR 9000 Series Aggregation
Services Router Modular Quality of Service Configuration Guide.
Note User-configured QoS policies are independent of the default port-level QoS that is applied in order to
handle IC link congestion and oversubscription scenarios. In addition to the default port-level QoS
applied on the satellite system ports, some default QoS is also applied on the
Cisco ASR 9000 Series Router side, to the ingress and egress traffic from and to the Satellite Ethernet
ports.
Cluster Support
A cluster of Cisco ASR 9000 Series Routers is supported together with the satellite mode. A single
cluster system can act as one logical Cisco ASR 9000 Series Router host for a group of satellite
switches. A satellite switch can also have some ICLs connected to rack 0 and other ICLs connected to
rack 1 of a cluster system. For more information, see the Configuring the nV Edge System on the
Cisco ASR 9000 Series Router chapter.
Note The Satellite Ethernet interfaces cannot be used as cluster inter-rack links.
Time of Day Synchronization
The time of day on the satellite switch is synchronized with the time of day on the host. This ensures
that time stamps on debug messages and other satellite event logs are consistent with the host and with
all satellite switches across the network. This is achieved through the SDAC Discovery Protocol, from
the host to the satellite switch, when the ICLs are discovered.
Satellite Chassis Management
The chassis level management of the satellite is done through the host because the satellite switch is a
logical portion of the overall virtual switch. This ensures that service providers get to manage a single
logical device with respect to all aspects including service-level, as well as box-level management. This
simplifies the network operations. These operations include inventory management, environmental
sensor monitoring, and fault/alarm monitoring for the satellite chassis through the corresponding CLI,
SNMP, and XML interfaces of the host Cisco ASR 9000 Series Router.
Note The satellite system hardware features, support for SFPs, and compatible topologies are described in the
Cisco ASR 9000 Series Aggregation Services Router Hardware Installation Guide.
Restrictions of the Satellite nV System
These are some of the software restrictions of the satellite nV system in the current release. These
restrictions are expected to be removed in future releases.
• Inter-chassis link redundancy is supported only through static EtherChannel, not through
LACP-based link bundles. The minimum and maximum link commands are not applicable when the
ICL is a bundle.
• If a satellite system is operating in redundant ICL mode, then you cannot configure link bundles of
any form (with or without LACP) on the access ports of that same satellite switch.
• If a satellite system is operating in redundant ICL mode, then Ethernet OAM features are not
supported on the access ports of that satellite.
• Multi-chassis Link Aggregation (MC-LAG) is supported if there are two independent
Cisco ASR 9000 Series Routers acting as the POA (Point of Attachment), each with its own satellite
switch, and the DHD (Dual Homed Device) connects through each of the satellite switches.
However, MC-LAG is not supported with a single satellite switch that connects to two separate
Cisco ASR 9000 Series Routers through an ICL LAG.
Note Refer to the Cisco ASR 9000 Series Aggregation Services Router Release Notes, Release 4.2.1 for
additional software restrictions.
Implementing a Satellite nV System
The Interface Control Plane Extender (ICPE) infrastructure provides, in the local Cisco IOS XR
software, the control plane of an interface that is physically located on the satellite device. After this
infrastructure is established, the interfaces behave like other physical Ethernet interfaces on the
router.
The ICPE configuration covers these functional areas, which are each required to set up full connectivity
with a Satellite device:
• Defining the Satellite nV System, page 714
• Configuring the host IP address, page 717
• Configuring the Inter-Chassis Links and IP Connectivity, page 718
• Plug and Play Satellite nV Switch Turn up: (Rack, Plug, and Go installation), page 721
Defining the Satellite nV System
Each satellite that is to be attached to Cisco IOS XR software must be configured on the host and given
a unique identifier. To allow verification of configuration and functionality, the satellite type and its
capabilities must also be specified. The serial number is optional, but because it is what the host uses
to authenticate the satellite, configure it whenever the chassis serial number is known.
Further, to provide connectivity with the satellite, an IP address must be configured. This address is
pushed down to the satellite through the Discovery protocol and allows Control protocol
connectivity.
This task explains how to define the satellite system by assigning an ID and basic identification
information.
SUMMARY STEPS
1. configure
2. nv
3. satellite
4. serial-number (Optional)
5. description (Optional)
6. type
7. ipv4 address
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 nv
Example:
RP/0/RSP0/CPU0:router(config)# nv
Enters the nV configuration submode.
Step 3 satellite id
Example:
RP/0/RSP0/CPU0:router(config-nV)#
satellite <100-65534>
Declares a new satellite that is to be attached to the host and enters
the satellite configuration submode.
Step 4 serial-number serial-number
Example:
RP/0/RSP0/CPU0:router(config-satellite)#
serial-number CAT1521B1BB
(Optional) Specifies the serial number of the satellite chassis. The serial
number is used for satellite authentication: the host compares it with the
serial number it receives from the satellite (shown as Configured Serial
Number and Received Serial Number in show nv satellite status), so
configure it whenever the chassis serial number is known.
Step 5 description string
Example:
RP/0/RSP0/CPU0:router(config-satellite)#
description Milpitas Building12
(Optional) Specifies a description string associated with the satellite,
such as its location.
Step 6 type type_name
Example:
RP/0/RSP0/CPU0:router(config-nV)#
satellite 200 type ?
asr9000v Satellite type
Defines the expected type of the attached satellite. In this release the
only type is asr9000v.
Step 7 ipv4 address address
Example:
RP/0/RSP0/CPU0:router(config-satellite)# ipv4
address 10.22.1.2
Specifies the IP address to assign to the satellite. ICPE sets up a
connected route to the specified IP address through all configured
ICLs.
Step 8 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Configuring the host IP address
This procedure gives you the steps to configure a host IP address on a loopback interface. The ICLs
configured in the next procedure are IPv4 unnumbered interfaces that use this loopback address as the
host address.
SUMMARY STEPS
1. configure
2. interface Loopback0
3. ipv4 address 8.8.8.8 255.255.255.255
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface loopback0
Example:
RP/0/RSP0/CPU0:router(config)# interface
loopback0
Enters interface configuration mode for the Loopback0 interface.
Step 3 ipv4 address
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4
address 8.8.8.8 255.255.255.255
Configures the host IP address on the loopback interface.
Step 4 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Configuring the Inter-Chassis Links and IP Connectivity
Inter-Chassis Links (ICLs) must be explicitly configured to indicate which satellite is expected to be
connected. You must also specify the access ports, that is the downstream GigE ports on the satellite,
which are cross-linked up to the host through the configured ICL. To establish connectivity between the
host and the satellite, suitable IP addresses must be configured on both sides. The satellite IP address
is forwarded through the Discovery protocol; its configuration is described in the section Defining the
Satellite nV System, page 714.
Note This configuration shows the use of the global default VRF. The recommended option is to use a
private VRF for nV IP addresses, as shown in the Satellite Management using private VRF subsection
under Satellite System Configuration: Example.
SUMMARY STEPS
1. configure
2. interface
3. description To Sat5 1/46
4. ipv4 point-to-point
5. ipv4 unnumbered Loopback0
6. nv
7. satellite-fabric-link satellite
8. remote-ports interface-type
9. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RSP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface interface-name
Example:
RP/0/RSP0/CPU0:router(config)# interface
TenGigE0/2/1/0
Enters interface configuration mode for the ICL. The supported
inter-chassis link interface types are limited by the connectivity
provided on the supported satellites: GigabitEthernet, TenGigE, and
Bundle-Ether interfaces are the only supported ICL types.
Step 3 description
Example:
RP/0/RSP0/CPU0:router(config-if)#
description To Sat5 1/46
(Optional) Specifies a description for the inter-chassis link interface.
Step 4 ipv4 point-to-point
Example:
RP/0/RSP0/CPU0:router(config-if)#
ipv4 point-to-point
Configures the interface as an IPv4 point-to-point link.
Step 5 ipv4 unnumbered loopback0
Example:
RP/0/RSP0/CPU0:router(config-if)#
ipv4 unnumbered loopback0
Configures the interface as IPv4 unnumbered, using the address of
Loopback0 (the host IP address configured in the previous procedure).
Step 6 nv
Example:
RP/0/RSP0/CPU0:router(config-if)# nv
Enters the nV configuration submode of the interface.
Step 7 satellite-fabric-link satellite satellite-id
Example:
RP/0/RSP0/CPU0:router(config-int-nv)#
satellite-fabric-link satellite 200
Specifies that the interface is an ICPE inter-chassis link to the given
satellite.
Step 8 remote-ports interface-type port-range
Example:
RP/0/RSP0/CPU0:router(config-int-nv)#
remote-ports GigabitEthernet 0/0/0-30
Specifies the satellite access ports (here GigabitEthernet 0/0/0 through
0/0/30) that are reached through this ICL.
Step 9 end
or
commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to
commit changes:
Uncommitted changes found, commit them before
exiting(yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running
configuration file, exits the configuration session, and
returns the router to EXEC mode.
– Entering no exits the configuration session and returns the
router to EXEC mode without committing the
configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or committing the
configuration changes.
• Use the commit command to save the configuration changes to
the running configuration file and remain within the
configuration session.
Note For information on QoS configuration on ICLs, see Cisco ASR 9000 Series Aggregation Services
Router Modular Quality of Service Configuration Guide.
Configuring the Satellite nV Access Interfaces
The access GigabitEthernet interfaces on the satellite are represented locally in Cisco IOS XR Software
using interfaces named GigabitEthernet, like other non-satellite GigabitEthernet interfaces. The only
difference is that the rack ID used for a satellite access GigabitEthernet interface is the configured
satellite ID for that satellite (for example, GigabitEthernet200/0/0/0 is port 0/0/0 on satellite 200).
These interfaces support all features that are normally configurable on GigabitEthernet interfaces (if
running over a physical IC link) or Bundle-Ether interfaces (if running over a virtual IC link).
Plug and Play Satellite nV Switch Turn up: (Rack, Plug, and Go installation)
1. Unpack the Cisco ASR 9000v, rack and stack it, and connect the power cord.
2. Plug qualified Cisco ASR 9000v optics of the correct type into one or more of the SFP+ slots, and
appropriate qualified optics into the SFP+ or XFP slots on the host Cisco ASR 9000 Series Router.
Connect them through SMF/MMF fiber.
Note Connect the 10GigE fibers from the Cisco ASR 9000 Series Router to any of the 10G SFP+ ports on
the Cisco ASR 9000v, in any order.
3. Configure the satellite nV system on the host Cisco ASR 9000 Series Router, through the CLI or the
XML interface, for the 10GigE ports that connect to the satellite. Configure the host for nV operation
as described in the sections Defining the Satellite nV System, Configuring the host IP address, and
Configuring the Inter-Chassis Links and IP Connectivity.
4. Power up the Cisco ASR 9000v chassis.
5. Check the status of the Cisco ASR 9000v chassis using the chassis error LEDs on the front
face plate:
– If the Critical Error LED is ON, there is a serious hardware failure.
– If the Major Error LED is ON, the hardware is functioning but the satellite is unable to connect
to the host.
– If both the Critical and Major LEDs are OFF, the Cisco ASR 9000v is up and running and
connected to the host.
– If needed, you can run satellite Ethernet port packet loopback tests from the host to check the
end-to-end data path.
Note If the satellite software requires an upgrade, the satellite notifies the host Cisco ASR 9000 Series
Router. You can then do an inband software upgrade from the Cisco ASR 9000 Series Router. Use the
show nv satellite status command on the host Cisco ASR 9000 Series Router to check the status.
Upgrading and Managing Satellite nV Software
Satellite software images are bundled inside a PIE called asr9k-9000v-nV-p.pie within the Cisco
ASR 9000 Series package. The Cisco IOS XR software production SMU tool can be used to generate
patches for the satellite image in the field, to deliver bug fixes or minor enhancements without requiring
a formal software upgrade.
This section provides the commands to manage the satellite nV software.
Prerequisites
You must have installed the satellite using the Plug-and-Play satellite installation procedure. For more
information, see Plug and Play Satellite nV Switch Turn up: (Rack, Plug, and Go installation).
Installing a Satellite
To download and activate the software image on the satellite, use the
install nv satellite satellite-id {transfer | activate} command. The transfer keyword downloads the
image to the satellite. An activate that follows a transfer activates the already downloaded image on
the satellite. Activation takes the satellite out of service: as the output below shows, the host logs the
satellite access interfaces going down and the satellite node being removed (OIR), so plan for the
outage.
Example
RP/0/RSP0/CPU0:sat-host#install nv satellite 100 transfer
Install operation initiated successfully.
RP/0/RSP0/CPU0:sat-host#RP/0/RSP0/CPU0:May 3 20:12:46.732 : icpe_gco[1146]:
%PKT_INFRA-ICPE_GCO-6-TRANSFER_DONE : Image transfer completed on Satellite 100
RP/0/RSP0/CPU0:sat-host#install nv satellite 100 activate
Install operation initiated successfully.
LC/0/2/CPU0:May 3 20:13:50.363 : ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : Interface
GigabitEthernet100/0/0/28, changed state to Down
RP/0/RSP0/CPU0:May 3 20:13:50.811 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 100
removed
Note If the activate command is run directly, then the software image is transferred to the satellite and also
activated.
Example
RP/0/RSP0/CPU0:sat-host#install nv satellite 101 activate
Install operation initiated successfully.
RP/0/RSP0/CPU0:sat-host#RP/0/RSP0/CPU0:May 3 20:06:33.276 : icpe_gco[1146]:
%PKT_INFRA-ICPE_GCO-6-TRANSFER_DONE : Image transfer completed on Satellite 101
RP/0/RSP0/CPU0:May 3 20:06:33.449 : icpe_gco[1146]: %PKT_INFRA-ICPE_GCO-6-INSTALL_DONE :
Image install completed on Satellite 101
RP/0/RSP0/CPU0:May 3 20:06:33.510 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 101
removed
Monitoring the Satellite Software
• To perform a basic status check, use the show nv satellite status brief command.
RP/0/RSP0/CPU0:shanghai# show nv satellite status brief
Sat-ID Type IP Address MAC address State
------ -------- ------------ -------------- --------------------------------
100 asr9000v 101.102.103.105 dc7b.9426.1594 Connected (Stable)
200 asr9000v 101.102.103.106 0000.0000.0000 Halted; Conflict: no links configured
400 194.168.9.9 0000.0000.0000 Halted; Conflict: satellite has no type configured
• To check whether an upgrade is required on a satellite, use the show nv satellite status satellite satellite-id command.
Example
RP/0/RSP0/CPU0:sat-host#show nv satellite status satellite 100
Satellite 100
-------------
State: Connected (Stable)
Type: asr9000v
Description: sat-test
MAC address: dc7b.9427.47e4
IPv4 address: 100.1.1.1
Configured Serial Number: CAT1521B1BB
Received Serial Number: CAT1521B1BB
Remote version: Compatible (latest version)
ROMMON: 125.0 (Latest)
FPGA: 1.13 (Latest)
IOS: 200.8 (Latest)
Configured satellite fabric links:
TenGigE0/2/0/6
--------------
State: Satellite Ready
Port range: GigabitEthernet0/0/0-9
TenGigE0/2/0/13
---------------
State: Satellite Ready
Port range: GigabitEthernet0/0/30-39
TenGigE0/2/0/9
--------------
State: Satellite Ready
Port range: GigabitEthernet0/0/10-19
Note In this example's output, Remote version, ROMMON, FPGA, and IOS must all show the latest
version. If any of them does not, an upgrade is required on the satellite. The version numbers displayed
are the versions installed on the ASR 9000v. If a version number is displayed instead of the Latest
keyword, it corresponds to the ASR 9000v image bundled in the satellite PIE. Also check that the
Received Serial Number matches the Configured Serial Number, which is the value the host uses to
authenticate the satellite.
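The following Python script is an added example; it is not part of this guide or of Cisco's software. It parses the output of show nv satellite status shown above and reports the checks that this note and the serial-number step of Defining the Satellite nV System call for: satellites that are not connected, satellites with no serial number configured on the host or whose received serial number differs from the configured one, and ROMMON, FPGA or IOS components that are not at the bundled latest version. The sample output embedded in the script is constructed from the example above; the layout of the output when no serial number is configured (no Configured Serial Number line) and when a component is not at the bundled version (a bare version number) is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modeled on the "show nv satellite status" output shown in
# this chapter; it is not a capture from a real host. Satellite 101 has no
# serial-number configured and an FPGA that is not at the bundled version
# (assumed layout for those two cases); satellite 200 is halted.
SAMPLE_STATUS = """\
Satellite 100
-------------
  State: Connected (Stable)
  Type: asr9000v
  Description: sat-test
  MAC address: dc7b.9427.47e4
  IPv4 address: 100.1.1.1
  Configured Serial Number: CAT1521B1BB
  Received Serial Number: CAT1521B1BB
  Remote version: Compatible (latest version)
    ROMMON: 125.0 (Latest)
    FPGA: 1.13 (Latest)
    IOS: 200.8 (Latest)
  Configured satellite fabric links:
    TenGigE0/2/0/6
    --------------
      State: Satellite Ready
      Port range: GigabitEthernet0/0/0-9
Satellite 101
-------------
  State: Connected (Stable)
  Type: asr9000v
  IPv4 address: 100.1.1.2
  Received Serial Number: CAT1542B0LJ
    ROMMON: 125.0 (Latest)
    FPGA: 1.12
    IOS: 200.8 (Latest)
Satellite 200
-------------
  State: Halted; Conflict: no links configured
  Type: asr9000v
  IPv4 address: 100.1.1.3
"""

SAT_HEADER = re.compile(r"^Satellite (\d+)\s*$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(.*?)\s*$")
COMPONENTS = ("ROMMON", "FPGA", "IOS")


@dataclass
class SatelliteStatus:
    sat_id: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_status(text: str) -> Dict[int, SatelliteStatus]:
    """Split 'show nv satellite status' output into one record per satellite."""
    sats: Dict[int, SatelliteStatus] = {}
    current = None
    for line in text.splitlines():
        header = SAT_HEADER.match(line)
        if header:
            current = SatelliteStatus(int(header.group(1)))
            sats[current.sat_id] = current
            continue
        kv = KEY_VALUE.match(line)
        if current is not None and kv:
            # The fabric-link sub-blocks repeat "State:" and "Port range:" after the
            # satellite-level fields, so keep only the first value seen per key.
            current.fields.setdefault(kv.group(1), kv.group(2))
    return sats


def audit(sats: Dict[int, SatelliteStatus]) -> Dict[int, List[str]]:
    """Return the findings per satellite; an empty list means it passed."""
    findings: Dict[int, List[str]] = {}
    for sat_id, sat in sorted(sats.items()):
        f = sat.fields
        problems: List[str] = []
        state = f.get("State", "")
        if not state.startswith("Connected"):
            problems.append(f"not connected: {state or 'no state reported'}")
        configured = f.get("Configured Serial Number")
        received = f.get("Received Serial Number")
        if configured is None:
            problems.append("no serial-number configured on the host, so the satellite "
                            "is not authenticated by serial number")
        elif received is not None and configured != received:
            problems.append(f"serial number mismatch: configured {configured}, "
                            f"received {received}")
        remote = f.get("Remote version")
        if remote is not None and "latest" not in remote.lower():
            problems.append(f"remote version not latest: {remote}")
        for comp in COMPONENTS:
            version = f.get(comp)
            if version is not None and "(Latest)" not in version:
                problems.append(f"{comp} {version} is not the latest bundled image; "
                                "upgrade required")
        findings[sat_id] = problems
    return findings


def report(text: str) -> List[str]:
    """One line per satellite: PASS, or the findings joined with semicolons."""
    lines = []
    for sat_id, problems in audit(parse_status(text)).items():
        lines.append(f"Satellite {sat_id}: " + ("PASS" if not problems else "; ".join(problems)))
    return lines


if __name__ == "__main__":
    # In practice, feed the captured output of the show command instead of the sample.
    print("\n".join(report(SAMPLE_STATUS)))
```

The keys are taken verbatim from the show output, so a field the host does not print is simply absent; the script treats an absent Configured Serial Number as a finding in its own right, because a satellite accepted without a pinned serial number is one the host has not authenticated.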
Monitoring the Satellite Protocol Status
• To check the status of the satellite discovery protocol, use the show nv satellite protocol discovery
command.
RP/0/RSP0/CPU0:router# show nv satellite protocol discovery brief
Interface Sat-ID Status Discovered links
-------------- ------ ------------------------------ -----------------------
Te0/1/0/0 100 Satellite Ready Te0/1/0/0
Te0/1/0/1 100 Satellite Ready Te0/1/0/1
or
RP/0/RSP0/CPU0:router# show nv satellite protocol discovery interface TenGigE 0/1/0/0
Satellite ID: 100
Status: Satellite Ready
Remote ports: GigabitEthernet0/0/0-15
Host IPv4 Address: 101.102.103.104
Satellite IPv4 Address: 101.102.103.105
Vendor: cisco, ASR9000v-DC-E
Remote ID: 2
Remote MAC address: dc7b.9426.15c2
Chassis MAC address: dc7b.9426.1594
• To check the status of the satellite control protocol, use the show nv satellite protocol control
command.
RP/0/RSP0/CPU0:shanghai# sh nv satellite protocol control brief
Sat-ID IP Address Protocol state Channels
------ ------------ -------------- -----------------------------------
100 101.102.103.105 Connected Ctrl, If-Ext L1, If-Ext L2, X-link, Soft Reset,
Inventory, EnvMon, Alarm
RP/0/RSP0/CPU0:shanghai# sh nv satellite protocol control
Satellite 100
-------------
IP address: 101.102.103.105
Status: Connected
Channels:
Control
-------
Channel status: Open
Messages sent: 24 (24 control), received: 23 (23 control).
Interface Extension Layer 1
---------------------------
Channel status: Open
Messages sent: 7 (3 control), received: 14 (2 control).
Interface Extension Layer 2
---------------------------
Channel status: Open
Messages sent: 11 (3 control), received: 10 (2 control).
Interface Extension Cross-link
------------------------------
Channel status: Open
Messages sent: 4 (3 control), received: 3 (2 control).
...
Monitoring the Satellite Inventory
You can use the show inventory chassis, show inventory fans, and show environment temperatures
commands in admin mode to monitor the satellite inventory and environmental status. Satellite
components appear with a SATsatellite-id location prefix (for example, SAT100/FT0/SP).
RP/0/RSP0/CPU0:shanghai(admin)# show inventory chassis
NAME: "module 0/RSP0/CPU0", DESCR: "ASR9K Fabric, Controller, 4G memory"
PID: A9K-RSP-4G, VID: V02, SN: FOC143781GJ
...
NAME: "fantray SAT100/FT0/SP", DESCR: "ASR9000v"
PID: ASR-9000v-FTA, VID: V00 , SN: CAT1507B228
NAME: "module SAT100/0/CPU0", DESCR: "ASR-9000v GE-SFP Line Card"
PID: ASR-9000v, VID: N/A, SN:
NAME: "module mau GigabitEthernet100/0/CPU0/8", DESCR: "CISCO-AVAGO "
PID: SFP-GE-S, VID: V01, SN: AGM1424P08N
NAME: "module mau TenGigE100/0/CPU0/3", DESCR: "CISCO-FINISAR "
PID: SFP-10G-SR, VID: V02, SN: FNS144502Y3
NAME: "power-module SAT100/PM0/SP", DESCR: "ASR-9000v Power Module"
PID: ASR-9000v, VID: N/A, SN:
NAME: "Satellite Chassis ASR-9000v ID 100", DESCR: "ASR9000v"
PID: ASR-9000v-AC-A, VID: V00 , SN: CAT12345678
RP/0/RSP0/CPU0:sat-host (admin)# show inventory fans
NAME: "fantray 0/FT0/SP", DESCR: "ASR-9006 Fan Tray"
PID: ASR-9006-FAN, VID: V02, SN: FOX1519XHU8
NAME: "fantray 0/FT1/SP", DESCR: "ASR-9006 Fan Tray"
PID: ASR-9006-FAN, VID: V02, SN: FOX1519XHTM
NAME: "fantray SAT100/FT0/SP", DESCR: "ASR9000v"
PID: ASR-9000v-FTA, VID: V01 , SN: CAT1531B4TC
NAME: "fantray SAT101/FT0/SP", DESCR: "ASR9000v"
PID: ASR-9000v-FTA, VID: V01 , SN: CAT1542B0LJ
NAME: "fantray SAT102/FT0/SP", DESCR: "ASR9000v"
PID: ASR-9000v-FTA, VID: V01 , SN: CAT1531B4T7
RP/0/RSP0/CPU0:sat-host(admin)# show inventory | b GigabitEthernet100/
NAME: "module mau GigabitEthernet100/0/CPU0/0", DESCR: "CISCO-FINISAR "
PID: SFP-GE-S, VID: , SN: FNS11350L5E
NAME: "module mau GigabitEthernet100/0/CPU0/1", DESCR: "CISCO-FINISAR "
PID: SFP-GE-S, VID: V01, SN: FNS0934M290
NAME: "module mau GigabitEthernet100/0/CPU0/2", DESCR: "CISCO-FINISAR "
PID: SFP-GE-S, VID: , SN: FNS12280L59
RP/0/RSP0/CPU0:sat-host(admin)# show environment temperatures
R/S/I Modules Sensor (deg C)
0/RSP0/*
host Inlet0 33.1
host Hotspot0 46.9
0/RSP1/*
host Inlet0 32.1
host Hotspot0 45.9
0/0/*
host Inlet0 37.3
host Hotspot0 52.3
0/1/*
spa0 InletTemp 34.0
spa0 Hotspot 34.5
spa1 LocalTemp 38.0
spa1 Chan1Temp 36.0
spa1 Chan2Temp 39.0
spa1 Chan3Temp 39.0
spa1 Chan4Temp 48.0
host Inlet0 36.1
host Hotspot0 64.0
0/2/*
host Inlet0 39.2
host Hotspot0 54.6
0/3/*
host Inlet0 41.3
host Hotspot0 48.5
0/FT0/*
host Inlet0 42.3
host Hotspot0 36.1
0/FT1/*
host Inlet0 40.4
host Hotspot0 35.8
SAT100/FT0/*
host Hotspot0 53.0
SAT101/FT0/*
host Hotspot0 56.0
SAT102/FT0/*
host Hotspot0 53.0
Reloading the Satellite Device
To reload a satellite device, use the hw-module satellite {satellite-id | all} reload command.
Example
RP/0/RSP0/CPU0:sat-host# hw-module satellite 101 reload
Reload operation completed successfully.
RP/0/RSP0/CPU0:May 3 20:26:51.883 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 101
removed
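The console messages in the install and reload examples above (TRANSFER_DONE and INSTALL_DONE for a satellite, LINK-3-UPDOWN on the satellite's GigabitEthernet satellite-id/... interfaces, and PLATFORM-INV-6-OIROUT for the satellite node) are also what a host's syslog feed carries when a satellite is upgraded or goes away. The following Python script is an added example, not part of this guide or of Cisco's software: it parses such lines and flags a satellite OIR removal that is not preceded, within a configurable window, by an image transfer or install for that satellite. The sample lines are constructed from the examples above, with lines for satellites 102 and 103 added to exercise the check, and the year is assumed because IOS XR timestamps carry none. As the reload example shows, hw-module satellite reload also produces an OIROUT without any ICPE message, so a hit from this script is a removal to reconcile against reload and change records, not by itself a fault or an attack.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines, modeled on the console messages shown in this
# chapter. Not a capture from a real host. The GigabitEthernet0/2/0/6 line is a
# host line-card port (rack 0) and must be ignored; satellites 102 and 103 were
# added to exercise the detection, and the lines are deliberately not in time order.
SAMPLE_LOG = """\
RP/0/RSP0/CPU0:May 3 20:06:33.276 : icpe_gco[1146]: %PKT_INFRA-ICPE_GCO-6-TRANSFER_DONE : Image transfer completed on Satellite 101
RP/0/RSP0/CPU0:May 3 20:06:33.449 : icpe_gco[1146]: %PKT_INFRA-ICPE_GCO-6-INSTALL_DONE : Image install completed on Satellite 101
RP/0/RSP0/CPU0:May 3 20:06:33.510 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 101 removed
RP/0/RSP0/CPU0:May 3 20:12:46.732 : icpe_gco[1146]: %PKT_INFRA-ICPE_GCO-6-TRANSFER_DONE : Image transfer completed on Satellite 100
LC/0/2/CPU0:May 3 20:13:50.363 : ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : Interface GigabitEthernet100/0/0/28, changed state to Down
RP/0/RSP0/CPU0:May 3 20:13:50.811 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 100 removed
LC/0/2/CPU0:May 3 20:13:51.002 : ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : Interface GigabitEthernet0/2/0/6, changed state to Down
RP/0/RSP0/CPU0:May 3 18:00:00.000 : icpe_gco[1146]: %PKT_INFRA-ICPE_GCO-6-TRANSFER_DONE : Image transfer completed on Satellite 103
RP/0/RSP0/CPU0:May 3 21:40:02.115 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 102 removed
RP/0/RSP0/CPU0:May 3 21:50:10.440 : invmgr[254]: %PLATFORM-INV-6-OIROUT : OIR: Node 103 removed
"""

ASSUMED_YEAR = 2012  # IOS XR timestamps carry no year; assumption for the sample

# node:timestamp : process[pid]: %FACILITY-SUBFACILITY-SEVERITY-MNEMONIC : text
LINE_RE = re.compile(
    r"^(?P<node>[^:]+):(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+) : "
    r"(?P<proc>\w+)\[\d+\]: %(?P<facility>[A-Z0-9_]+)-(?P<sub>[A-Z0-9_]+)-"
    r"(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+) : (?P<text>.*)$"
)
# Which part of the message text names the satellite, per mnemonic.
SAT_REF = {
    "TRANSFER_DONE": re.compile(r"Satellite (\d+)"),
    "INSTALL_DONE": re.compile(r"Satellite (\d+)"),
    "OIROUT": re.compile(r"Node (\d+) removed"),
    "UPDOWN": re.compile(r"Interface GigabitEthernet(\d+)/"),
}
MIN_SAT_ID = 100  # satellite IDs are 100-65534; a smaller rack number is a host card
INSTALL_EVENTS = {"TRANSFER_DONE", "INSTALL_DONE"}


@dataclass
class Event:
    ts: datetime
    sat_id: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a satellite-related syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ref = SAT_REF.get(m["mnemonic"])
    if ref is None:
        return None
    sat = ref.search(m["text"])
    if not sat or int(sat.group(1)) < MIN_SAT_ID:
        return None
    stamp = re.sub(r"\s+", " ", m["ts"])
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S.%f")
    return Event(ts, int(sat.group(1)), m["mnemonic"], m["text"])


def timeline(log: str) -> Dict[int, List[Event]]:
    """Per-satellite events in time order (the console may interleave them)."""
    events = [e for e in map(parse_line, log.splitlines()) if e is not None]
    per_sat: Dict[int, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_sat[e.sat_id].append(e)
    return dict(per_sat)


def unexplained_removals(log: str, window_seconds: float = 300.0) -> List[Tuple[int, datetime]]:
    """OIROUT events for a satellite with no transfer/install for it within the window before."""
    findings: List[Tuple[int, datetime]] = []
    for sat_id, events in sorted(timeline(log).items()):
        last_install: Optional[datetime] = None
        for e in events:
            if e.mnemonic in INSTALL_EVENTS:
                last_install = e.ts
            elif e.mnemonic == "OIROUT":
                if last_install is None or (e.ts - last_install).total_seconds() > window_seconds:
                    findings.append((sat_id, e.ts))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for sat_id, when in unexplained_removals(SAMPLE_LOG):
        print(f"satellite {sat_id} removed at {when:%b %d %H:%M:%S} with no recent image "
              f"transfer/install: reconcile against hw-module reload and change records")
```

The default window of five minutes covers the gap between TRANSFER_DONE and OIROUT in the transfer-then-activate example above (about a minute); widen it if operators routinely transfer an image well before activating it.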
Port Level Parameters Configured on a Satellite
These are the port-level parameters that can be configured on a satellite nV system:
• Admin state (shut and no shut)
• Ethernet MTU
• Ethernet link auto-negotiation, which includes:
– Half and full duplex
– Link speed
– Flow control
• Static configuration of auto-negotiation parameters such as speed, duplex, and flow control
• Carrier delay
• Layer-1 packet loopback, which includes:
– Line loopback
– Internal loopback
• All satellite access port features on the Cisco ASR 9000 Series Router.
Configuration Examples for Satellite nV System
This section contains these examples:
• Satellite System Configuration: Example, page 728
– Satellite Global Configuration, page 728
– ICL (satellite-fabric-link) Interface Configuration, page 728
– Satellite Interface Configuration, page 729
– Satellite Management using private VRF, page 729
Satellite System Configuration: Example
This example shows a sample configuration for setting up the connectivity of a Satellite System.
Satellite Global Configuration
The satellite ID, type, serial number, description, and satellite IP address are configured in the satellite
global configuration submode:
nv
satellite 100
type asr9000v
serial-number CAT1521B1BB
description milpitas bldg20
ipv4 address 10.0.0.100
!
!
ICL (satellite-fabric-link) Interface Configuration
On the interface connected to the satellite (a TenGigE or Bundle-Ether interface), the ports associated
with the satellite ID must be specified. All fabric links connected to the same satellite must use the
same host IPv4 address. The same host can use the same or different host IPv4 addresses to connect to
different satellites.
interface Loopback1000
ipv4 address 10.0.0.1 255.0.0.0
interface TenGigE0/2/1/0
description To Sat5 1/46
ipv4 point-to-point
ipv4 unnumbered Loopback1000
nv
satellite-fabric-link satellite 200
remote-ports GigabitEthernet 0/0/0-30
!
!
!
Note These examples use IP addresses from the global VRF of the router for satellite management
traffic. As discussed in the Satellite Discovery and Control Protocol IP Connectivity section, this can
also be done using a private VRF, to prevent IP address conflicts with the global VRF. In that case, the
loopback interface and the ICL interfaces in the examples must be assigned to the private VRF
dedicated to satellite management traffic.
Satellite Interface Configuration
The satellite interfaces can be used like any other regular GigabitEthernet interfaces, here as a
Layer 2 transport port, a routed IPv4 port, and a bundle member:
interface GigabitEthernet200/0/0/0
l2transport
!
!
interface GigabitEthernet200/0/0/1
ipv4 address 99.0.0.1 255.255.255.0
!
!
interface GigabitEthernet200/0/0/2
bundle id 100 mode active
!
!
Satellite Management using private VRF
You can use a dedicated private VRF instead of the global default routing table for the loopback
interface and the ICLs used for satellite management traffic. IP addresses in this VRF do not conflict
with any other addresses used on the router, and the satellite management traffic stays out of the
global routing table. The satellite IP address itself is configured under nv satellite, as in the previous
examples, without a mask:
vrf NV_MGMT_VRF
address-family ipv4 unicast
!
!
interface Loopback1000
vrf NV_MGMT_VRF
ipv4 address 10.0.0.1 255.255.255.0
!
interface TenGigE0/1/0/3
vrf NV_MGMT_VRF
ipv4 point-to-point
ipv4 unnumbered Loopback1000
nv
satellite-fabric-link satellite 500
remote-ports GigabitEthernet 0/0/28-39
!
!
!
nv
satellite 500
ipv4 address 10.0.0.2
!
!
Additional References
These sections provide references to related documents.
Related Documents
(Related Topic: Document Title)
• Cisco IOS XR master command reference: Cisco IOS XR Master Commands List
• Satellite System software upgrade and downgrade on Cisco IOS XR Software: Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide
• Cisco IOS XR interface configuration commands: Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference
• Satellite QoS configuration information for the Cisco IOS XR software: Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Configuration Guide
• Layer-2 and L2VPN features on the satellite system: Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide
• Layer-3 and L3VPN features on the satellite system: Cisco ASR 9000 Series Aggregation Services Router MPLS Layer 3 VPN Configuration Guide
• Multicast features on the satellite system: Cisco ASR 9000 Series Aggregation Services Router Multicast Configuration Guide
• Broadband Network Gateway features on the satellite system: Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide
• Information about user groups and task IDs: Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide
Standards
• No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. (Title: none)
MIBs
• There are no applicable MIBs for this module.
MIBs Link: To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
• None. Title: N.A.
Technical Assistance
• Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Configuring the nV Edge System on the Cisco ASR 9000 Series Router
This module describes the configuration of the nV Edge system on the Cisco ASR 9000 Series
Aggregation Services Routers.
Feature History for Configuring nV Edge System on Cisco ASR 9000 Series Router
(Release: Modification)
• Release 4.2.1: Support for nV Edge system was included on the Cisco ASR 9000 Series Router.
Contents
• Prerequisites for Configuration, page 734
• Overview of Cisco ASR 9000 nV Edge Architecture, page 734
• Benefits of Cisco ASR 9000 Series nV Edge System, page 737
• Restrictions of the Cisco ASR 9000 Series nV Edge System, page 738
• Implementing a Cisco ASR 9000 Series nV Edge System, page 738
• Configuration Examples for nV Edge System, page 739
• Additional References, page 741
Prerequisites for Configuration
You must be in a user group associated with a task group that includes the proper task IDs. The command
reference guides include the task IDs required for each command. If you suspect user group assignment
is preventing you from using a command, contact your AAA administrator for assistance.
Before configuring the nV Edge system, you must have this hardware and software installed in your
chassis:
• Hardware: Cisco ASR 9000 Series SPA Interface Processor-700 and Cisco ASR 9000 Enhanced
Ethernet line cards are supported. Cisco ASR 9000 Enhanced Ethernet line card 10 GigE links are
used as IRLs (inter-rack links).
• Software: Cisco IOS XR Software Release 4.2.1 or later on the Cisco ASR 9000 Series Router.
For more information on hardware requirements, see Cisco ASR 9000 Series Aggregation Services
Router Hardware Installation Guide.
Overview of Cisco ASR 9000 nV Edge Architecture
A Cisco ASR 9000 Series nV Edge consists of two or more Cisco ASR 9000 Series Router chassis that
are combined to form a single logical switching or routing entity. You can operate two Cisco ASR 9000
Series Router platforms as a single virtual Cisco ASR 9000 Series system. Effectively, the two physical
chassis are logically linked with a shared control plane, as if the chassis were two route switch processors
(RSPs) within a single chassis. See Figure 40. The blue lines at the top show the internal EOBC
interconnection and the red lines at the bottom show the data plane interconnection.
As a result, you can double the bandwidth capacity of single nodes and eliminate the need for complex
protocol-based high-availability schemes. Hence, you can achieve failover times of less than 50
milliseconds for even the most demanding services and scalability needs.
Figure 40 Cisco ASR 9000 nV Edge Architecture
[Figure: chassis 0 and chassis 1, each with an Active RSP, a Standby RSP and line cards (LC), joined by inter-rack links]
Note In Cisco IOS XR Software Release 4.2.1, the scalability of a cluster is limited to two chassis.
Figure 41 EOBC Links on a Cisco ASR 9000 nV Edge System
As illustrated in Figure 41, the two physical chassis are linked using a Layer 1 10-Gbps connection,
with the RSPs communicating over a Layer 1 or Layer 2 Ethernet out-of-band channel (EOBC) extension
to create a single virtual control plane. Each RSP has two EOBC ports, so with redundant RSPs there are
four connections between the chassis.
The Cisco Virtualized Network Architecture combines the nV Edge system with the satellite devices to
offer the Satellite nV architecture. For more information on Satellite nV models, see the Configuring the
Satellite Network Virtualization (nV) System on the Cisco ASR 9000 Series Router chapter.
Inter Rack Links on Cisco ASR 9000 Series nV Edge System
IRL (Inter Rack Link) connections are required for traffic that enters one chassis and is forwarded out
of an interface on the other chassis of the nV Edge system. Each IRL has to be a 10 GigE link and a
direct Layer 1 connection. The IRLs are used for forwarding packets whose ingress and egress interfaces
are on separate racks. There can be a maximum of 16 such links between the chassis. A minimum of two
links is required, and they should be on two separate line cards for better resiliency in case one line
card goes down due to a fault. See Cisco ASR 9000 nV Edge Architecture.
Note For more information on QoS on IRLs, see Cisco ASR 9000 Series Aggregation Services Router Modular
QoS Configuration Guide.
[Figure 41: EOBC switches on 0/rsp0, 0/rsp1, 1/rsp0 and 1/rsp1, connected by links 1 to 4 between the line card/RSP CPUs of the two racks]
Failure Detection in Cisco ASR 9000 Series nV Edge System
In the Cisco ASR 9000 Series nV Edge system, when the Primary DSC node fails, the RSP in the Backup
DSC node becomes Primary. It executes the duties of the master RSP that hosts the active set of control
plane processes. In a normal scenario of nV Edge System where the Primary and Backup DSC nodes
are hosted on separate racks, the failure detection for the Primary DSC happens through communication
between the racks.
These mechanisms are used to detect RSP failures across rack boundaries:
• FPGA state information detected by the peer RSP in the same chassis is broadcast over the control
links. This information is sent if any state change occurs and periodically every 200ms.
• The UDLD state of the inter rack control or data links is sent to the remote rack, with failures
detected at an interval of 500ms.
• A keep-alive message is sent between RSP cards through the inter rack control links, with a failure
detection time of 10 seconds.
A Split Brain is a condition where the inter rack links between the routers in a Cisco ASR 9000 Series
nV Edge system fail, so that the nodes on both routers start to act as the primary node. To detect and
avoid a Split Brain, messages are sent between the racks at 200ms intervals across the inter-rack data
links.
Scenarios for High Availability
These are some sample scenarios for failure detection:
1. Single RSP Failure in the Primary DSC node - The Standby RSP within the same chassis initially
detects the failure through the backplane FPGA. In the event of a failure detection, this RSP
transitions to the active state and notifies the Backup DSC node about the failure through the
inter-chassis control link messaging.
2. Failure of Primary DSC node and the Standby peer RSP - There are multiple cases where this
scenario can occur, such as power-cycle of the Primary DSC rack or simultaneous soft reset of both
RSP cards within the Primary rack.
a. The remote rack failure is initially detected by UDLD failure on the inter rack control link. The
Backup DSC node checks the UDLD state on the inter rack data link. If the rack failure is
confirmed by failure of the data link as well, then the Backup DSC node becomes active.
b. UDLD failure detection occurs every 500ms but the time between control link and data link
failure can vary since these are independent failures detected by the RSP and line cards. A
windowing period of up to 2 seconds is needed to correlate the control and data link failures and
to allow split brain detection messages to be received. The keep-alive messaging between RSPs
acts as a redundant detection mechanism, if the UDLD detection fails to detect a reset RSP card.
3. Failure of Inter Rack Control links (Split Brain) - This failure is initially detected by the UDLD
protocol on the Inter Rack Control links. In this case, the Backup DSC continues to receive UDLD
and keep-alive messages through the inter rack data link. As discussed in Scenario 2, a
windowing period of two seconds is allowed to synchronize between the control and data link
failures. If the data link has not failed, or Split Brain packets are received across the Management
LAN, then the Backup DSC rack reloads to avoid the split brain condition.
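The decision logic of the three scenarios above, as an added example that is not part of the Cisco guide: a simplified Python model of the Backup DSC's choices, driven by the detection intervals the guide quotes (500 ms UDLD, 10 s keep-alive, 200 ms split-brain messages, 2 s correlation window). The RackView fields, the function names and the constructed timelines are this example's own assumptions; the guide does not describe the RSP software at this level, and a keep-alive loss is treated here like a control-link UDLD loss.

```python
"""Model of the Backup DSC decision logic in 'Scenarios for High Availability'.

Added example, not Cisco code: a deliberately simplified state machine that
uses the timers quoted in the guide. Names are this example's own.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

UDLD_INTERVAL_MS = 500          # UDLD failure detection interval (guide)
KEEPALIVE_TIMEOUT_MS = 10_000   # RSP keep-alive failure detection time (guide)
SPLIT_BRAIN_INTERVAL_MS = 200   # split-brain messages over the inter-rack data links (guide)
CORRELATION_WINDOW_MS = 2_000   # window to correlate control and data link failures (guide)


@dataclass
class RackView:
    """What the Backup DSC currently observes about the Primary DSC rack (assumed fields)."""
    control_udld_up: bool = True
    data_udld_up: bool = True
    keepalive_ok: bool = True
    split_brain_msg_seen: bool = False   # primary still heard via data link or Management LAN
    control_lost_at_ms: Optional[int] = None


def control_plane_lost(view: RackView) -> bool:
    # Keep-alive loss is the redundant detector the guide describes for a reset RSP
    # that UDLD missed; this model treats it like a control-link UDLD failure.
    return not (view.control_udld_up and view.keepalive_ok)


def backup_dsc_decision(view: RackView, now_ms: int) -> str:
    """Return 'standby', 'wait', 'become_active' or 'reload'."""
    if not control_plane_lost(view):
        return "standby"
    if view.split_brain_msg_seen:
        # The other rack is alive and still primary: two primaries would be a split brain.
        return "reload"
    if not view.data_udld_up:
        # Scenario 2: control and data links both down confirms the remote rack failed.
        return "become_active"
    lost_at = view.control_lost_at_ms if view.control_lost_at_ms is not None else now_ms
    if now_ms - lost_at < CORRELATION_WINDOW_MS:
        # Scenario 2b: control and data failures are detected independently; wait to correlate.
        return "wait"
    # Scenario 3: control links down but the data link is healthy, so the primary is alive.
    return "reload"


Event = Callable[[RackView], None]


def simulate(events: Dict[int, List[Event]], horizon_ms: int = 4_000,
             step_ms: int = SPLIT_BRAIN_INTERVAL_MS) -> List[Tuple[int, str]]:
    """Apply events at their timestamps, evaluate every step_ms, stop at a terminal decision."""
    view = RackView()
    trace: List[Tuple[int, str]] = []
    for now in range(0, horizon_ms + 1, step_ms):
        for change in events.get(now, []):
            change(view)
        if control_plane_lost(view) and view.control_lost_at_ms is None:
            view.control_lost_at_ms = now
        decision = backup_dsc_decision(view, now)
        trace.append((now, decision))
        if decision in ("become_active", "reload"):
            break
    return trace


def lose(field: str) -> Event:
    return lambda view: setattr(view, field, False)


def hear_primary(view: RackView) -> None:
    view.split_brain_msg_seen = True


# Constructed timelines for the three scenarios in the guide (times in ms).
def scenario_primary_rack_power_cycle() -> List[Tuple[int, str]]:
    return simulate({600: [lose("control_udld_up")], 1200: [lose("data_udld_up")]})


def scenario_control_links_cut() -> List[Tuple[int, str]]:
    return simulate({600: [lose("control_udld_up")]})


def scenario_control_cut_primary_still_heard() -> List[Tuple[int, str]]:
    return simulate({600: [lose("control_udld_up")], 800: [hear_primary]})


if __name__ == "__main__":
    for name, run in [("primary rack power cycle", scenario_primary_rack_power_cycle),
                      ("control links cut", scenario_control_links_cut),
                      ("control cut, primary still heard", scenario_control_cut_primary_still_heard)]:
        print(f"{name}: {run()[-1]}")
```

The terminal outcomes are the point for a defender: the model only returns become_active after both the control and the data path agree that the other rack is gone, and any evidence that the primary is still alive resolves to reload rather than to a second primary, which is the property the guide's split-brain messages protect.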
Benefits of Cisco ASR 9000 Series nV Edge System
The Cisco ASR 9000 Series nV Edge system architecture offers these benefits:
1. The Cisco ASR 9000 Series nV Edge System appears as a single switch or router to the neighboring
devices.
2. You can logically link two physical chassis with a shared control plane, as if the chassis were two
route switch processors (RSPs) within a single chassis. As a result, you can double the bandwidth
capacity of single nodes and eliminate the need for complex protocol-based high-availability
schemes.
3. You can achieve failover times of less than 50 milliseconds for even the most demanding services
and scalability needs.
4. You can manage the cluster as a single entity rather than two entities. Better resiliency is available
due to chassis protecting one another.
5. Cisco nV technology allows you to extend Cisco ASR 9000 Series Router system capabilities
beyond the physical chassis with remote virtual line cards. These small form-factor (SFF) Cisco
ASR 9000v cards can aggregate hundreds of Gigabit Ethernet connections at the access and
aggregation layers.
6. You can scale up to thousands of Gigabit Ethernet interfaces without having to separately provision
hundreds or thousands of access platforms. This helps you to simplify the network architecture and
reduce the operating expenses (OpEx).
7. The multi-chassis capabilities of Cisco IOS XR Software are employed. These capabilities are
extended to allow for enhanced chassis resiliency including data plane, control plane, and
management plane protection in case of complete failure of any chassis in the Cisco ASR 9000
Series nV Edge System.
8. You can reduce the number of pseudowires required for achieving pseudowire redundancy.
9. The nV Edge system allows seamless addition of new chassis. There would be no disruption in
traffic or control session flap when a chassis is added to the system.
Restrictions of the Cisco ASR 9000 Series nV Edge System
These are some of the restrictions for the Cisco ASR 9000 nV Edge system:
• The first generation Cisco ASR 9000 Ethernet line cards are not supported.
• Chassis types that are not similar cannot be connected to form an nV edge system.
• Only Cisco supported SFPs are allowed for all inter rack connections.
• TenGigE SFPs are not supported on EOBC ports.
• The nV Edge control plane links have to be direct physical connections and no network or
intermediate routing or switching devices are allowed in between.
• The nV Edge system does not support mixed speed links.
Implementing a Cisco ASR 9000 Series nV Edge System
This section explains the implementation of Cisco ASR 9000 Series nV Edge System.
• Configuring Cisco ASR 9000 nV Edge System, page 738
Configuring Cisco ASR 9000 nV Edge System
To bring up the Cisco ASR 9000 nV Cluster, perform the steps outlined in the following subsection.
Single Chassis to Cluster Migration
Consider two individual chassis running the Cisco IOS XR Software Release 4.2.0 image. Let
us refer to them as rack0 and rack1 in these steps. If they are already running Cisco IOS XR Software
Release 4.2.1 or later, you can skip the first two steps.
1. Turbo boot each chassis independently with Cisco IOS XR Software Release 4.2.1.
2. Upgrade the field programmable devices (FPDs). This step is required because the Cisco ASR 9000
Series nV Edge requires at least the RSP ROMMONs to correspond to Cisco IOS XR Software
Release 4.2.1.
3. Collect information: you need to know the chassis serial number for each rack that is to be added
to the cluster. On a running system, you can get this from the show inventory chassis command. On
a system at ROMMON, you can get the serial number from bpcookie.
4. To set up the admin configuration on rack0, enter the following, supplying for each rack the serial
number collected in Step 3 (shown here as placeholders):
(admin config)# nv edge control serial <rack0-serial-number> rack 0
(admin config)# nv edge control serial <rack1-serial-number> rack 1
(admin config)# commit
5. Reload Rack 0.
6. Power down Rack 1.
7. Physically connect the routers. Connect the inter chassis control links on the front panel of the RSP
cards (labelled SFP+ 0 and SFP+ 1) together. Rack0-RSP0 connects to Rack1-RSP0, and similarly
for RSP1. Once Rack 1 is up, you can verify the connections using the show nv edge control
switch interface loc 0/RSP0/CPU0 command:
RP/0/RSP0/CPU0:ios# show nv edge control switch interface loc 0/RSP0/CPU0
Priority lPort Remote_lPort UDLD STP
======== ===== ============ ==== ========
0 0/RSP0/CPU0/12 1/RSP0/CPU0/12 UP Forwarding
1 0/RSP0/CPU0/13 1/RSP1/CPU0/13 UP Blocking
2 0/RSP1/CPU0/12 1/RSP1/CPU0/12 UP On Partner RSP
3 0/RSP1/CPU0/13 1/RSP0/CPU0/13 UP On Partner RSP
Note No explicit command is needed for the inter-chassis control links; they are on by default.
8. Bring up Rack 1.
9. You must also connect the inter-chassis data links. Configure each of these links as an inter-chassis
data link interface using the nv edge interface configuration command under the 10-Gigabit interface
(only 10-Gigabit interfaces are supported). Ensure that this configuration is present on both sides of the
inter-chassis data link (on rack0 and rack1).
Note You can verify the inter-chassis data link operation using the show nv edge data forwarding command.
10. After Rack0 and Rack1 come up fully, with all the RSPs and line cards in the XR-RUN state, the show
dsc and show redundancy summary commands should produce output similar to that shown in the
nV Edge System Configuration: Example section.
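A bring-up check for Steps 7 and 9, as an added example that is not from the Cisco guide: Python that parses the show nv edge control switch interface output in the layout shown in Step 7 and applies the IRL rules from the Inter Rack Links section (10 GigE only, at least two links on separate line cards, at most 16 links). The sample outputs and interface names are constructed, and the function names are this example's own; it works on captured command text and does not talk to a router.

```python
"""Bring-up checks for a two-rack ASR 9000 nV Edge cluster.

Added example (not from the Cisco guide): parses the text of
'show nv edge control switch interface' in the layout the guide prints,
and applies the inter-rack link (IRL) rules the guide states.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the table in Step 7 of the guide.
SAMPLE_CONTROL_OUTPUT = """\
RP/0/RSP0/CPU0:ios# show nv edge control switch interface loc 0/RSP0/CPU0
Priority lPort Remote_lPort UDLD STP
======== ===== ============ ==== ========
0 0/RSP0/CPU0/12 1/RSP0/CPU0/12 UP Forwarding
1 0/RSP0/CPU0/13 1/RSP1/CPU0/13 UP Blocking
2 0/RSP1/CPU0/12 1/RSP1/CPU0/12 UP On Partner RSP
3 0/RSP1/CPU0/13 1/RSP0/CPU0/13 UP On Partner RSP
"""

# Constructed sample of a degraded cluster: one EOBC link has lost UDLD.
DEGRADED_CONTROL_OUTPUT = SAMPLE_CONTROL_OUTPUT.replace(
    "1 0/RSP0/CPU0/13 1/RSP1/CPU0/13 UP Blocking",
    "1 0/RSP0/CPU0/13 1/RSP1/CPU0/13 DOWN Blocking")

EXPECTED_CONTROL_LINKS = 4   # 2 EOBC ports per RSP x 2 RSPs per rack (guide)
MIN_IRLS, MAX_IRLS = 2, 16   # limits from the guide's IRL section

# One data row: priority, local port, remote port, UDLD state, free-text STP state.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(UP|DOWN)\s+(.+?)\s*$")
TENGIG_RE = re.compile(r"^TenGigE(\d+)/(\d+)/(\d+)/(\d+)$")  # rack/slot/bay/port


@dataclass
class ControlLink:
    priority: int
    local_port: str    # rack/RSP/CPU/port, e.g. 0/RSP0/CPU0/12
    remote_port: str
    udld: str          # UP or DOWN
    stp: str


def parse_control_links(text: str) -> List[ControlLink]:
    """Keep only the data rows; prompt, header and ruler lines do not match ROW_RE."""
    links = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            links.append(ControlLink(int(m.group(1)), m.group(2), m.group(3),
                                     m.group(4), m.group(5)))
    return links


def rack_of(port: str) -> str:
    """The rack id is the first element of an IOS XR location path."""
    return port.split("/")[0]


def control_link_problems(links: List[ControlLink]) -> List[str]:
    problems = []
    if len(links) != EXPECTED_CONTROL_LINKS:
        problems.append(f"expected {EXPECTED_CONTROL_LINKS} control links, found {len(links)}")
    for link in links:
        if link.udld != "UP":
            problems.append(f"UDLD {link.udld}: {link.local_port} -> {link.remote_port}")
        if rack_of(link.local_port) == rack_of(link.remote_port):
            problems.append(f"{link.local_port} is cabled to its own rack ({link.remote_port})")
    return problems


def irl_problems(irls: List[Tuple[str, str]]) -> List[str]:
    """irls: (rack0 interface, rack1 interface) pairs, one per inter-rack data link."""
    problems = []
    if len(irls) < MIN_IRLS:
        problems.append(f"at least {MIN_IRLS} IRLs are required, found {len(irls)}")
    if len(irls) > MAX_IRLS:
        problems.append(f"at most {MAX_IRLS} IRLs are supported, found {len(irls)}")
    slots_per_rack: Dict[str, Set[str]] = {}
    for pair in irls:
        for name in pair:
            m = TENGIG_RE.match(name)
            if not m:
                problems.append(f"{name} is not a TenGigE interface; IRLs must be 10 GigE")
                continue
            slots_per_rack.setdefault(m.group(1), set()).add(m.group(2))
    if len(irls) >= MIN_IRLS:
        # Resiliency rule: the links of each rack should not share one line card (slot).
        for rack, slots in sorted(slots_per_rack.items()):
            if len(slots) < 2:
                problems.append(f"rack {rack}: IRLs should be on at least two separate line cards")
    return problems


def cluster_ready(control_output: str, irls: List[Tuple[str, str]]) -> bool:
    return not (control_link_problems(parse_control_links(control_output)) + irl_problems(irls))


if __name__ == "__main__":
    good_irls = [("TenGigE0/2/0/0", "TenGigE1/2/0/0"), ("TenGigE0/3/0/0", "TenGigE1/3/0/0")]
    print(control_link_problems(parse_control_links(DEGRADED_CONTROL_OUTPUT)))
    print(irl_problems([("TenGigE0/2/0/0", "TenGigE1/2/0/0")]))
    print(cluster_ready(SAMPLE_CONTROL_OUTPUT, good_irls))
```

Run it against a saved copy of the command output after Step 7 and again after Step 9: an empty problem list on both checks is the state the guide expects before Step 10, and a single UDLD DOWN row or two IRLs on the same slot is exactly the degraded condition the failure-detection section says reduces resiliency.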
Configuration Examples for nV Edge System
This section contains the following examples:
• nV Edge System Configuration: Example, page 739
nV Edge System Configuration: Example
The following example shows a sample configuration for setting up the connectivity of a Cisco ASR
9000 Series nV Edge System.
IRL (inter-rack-link) Interface Configuration
interface TenGigE 0/1/1/1
 nv
  edge
   interface
!
Cisco nV Edge IRL Link Support from a 10-Gigabit Interface
In this case, te0/2/0/0 and te1/2/0/0 provide the inter-rack data link:
RP/0/RSP0/CPU0:cluster_router#show runn interface te1/2/0/0
interface TenGigE1/2/0/0
 nv
  edge
   data
    interface
 transceiver permit pid all
!
RP/0/RSP0/CPU0:cluster_router#show runn interface te0/2/0/0
interface TenGigE0/2/0/0
 nv
  edge
   data
    interface
 transceiver permit pid all
!
Additional References
The following sections provide references to related documents.
Related Documents
(Related Topic: Document Title)
• Cisco IOS XR master command reference: Cisco IOS XR Master Commands List
• Satellite System software upgrade and downgrade on Cisco IOS XR Software: Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide
• Cisco IOS XR interface configuration commands: Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference
• Satellite QoS configuration information for the Cisco IOS XR software: Cisco ASR 9000 Series Aggregation Services Router Modular Quality of Service Configuration Guide
• Layer-2 and L2VPN features on the Satellite system: Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide
• Layer-3 and L3VPN features on the Satellite system: Cisco ASR 9000 Series Aggregation Services Router MPLS Layer 3 VPN Configuration Guide
• Multicast features on the Satellite system: Cisco ASR 9000 Series Aggregation Services Router Multicast Configuration Guide
• Broadband Network Gateway features on the Satellite system: Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide
• Information about user groups and task IDs: Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide
Standards
• No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. (Title: none)
MIBs
(MIBs: Description)
• CISCO-RF-MIB: Provides DSC chassis active/standby node pair information. In the nV Edge scenario, it provides DSC primary/backup RP information and switchover notification.
• ENTITY-STATE-MIB: Provides redundancy state information for each node.
• CISCO-ENTITY-STATE-EXT-MIB: Extension to ENTITY-STATE-MIB which defines notifications (traps) on redundancy status changes.
• CISCO-ENTITY-REDUNDANCY-MIB: Defines redundancy group types such as Node Redundancy group type and Process Redundancy group type.
MIBs Link: To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
• None. Title: N.A.
Technical Assistance
• Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
HC Cisco IOS XR Interface and Hardware Component Configuration Guide
IC Cisco IOS XR IP Addresses and Services Configuration Guide
MCC Cisco IOS XR Multicast Configuration Guide
MNC Cisco IOS XR System Monitoring Configuration Guide
MPC Cisco IOS XR MPLS Configuration Guide
QC Cisco IOS XR Modular Quality of Service Configuration Guide
RC Cisco IOS XR Routing Configuration Guide
SBC Cisco IOS XR Session Border Controller Configuration Guide
SC Cisco IOS XR System Security Configuration Guide
SMC Cisco IOS XR System Management Configuration Guide
VFC Cisco IOS XR Virtual Firewall Configuration Guide
INDEX
A
action capabilities-conflict command HC-55
action discovery-timeout command HC-55
action uni-directional link-fault command HC-56
address-family ipv4 command HC-672
aggregate none command HC-116
ais-shut command HC-392
aps group command HC-324, HC-390
aps submode
channel command HC-324, HC-390
interface loopback command HC-390
See aps group command
area command (BFD) HC-668, HC-670
B
bert pattern command HC-432, HC-434
BFD
BFD configuration mode HC-682, HC-684, HC-685,
HC-687, HC-689, HC-691, HC-692, HC-694, HC-696
BGP configuration mode HC-665
counters
clearing HC-696
displaying HC-696
dampening, configuring HC-693
echo mode, disabling HC-689, HC-690, HC-691
echo mode, specifying source address HC-683, HC-684,
HC-690
echo startup validation, configuring HC-688
enabling
fast detection HC-672
interface HC-667, HC-669
local device and peer, between HC-666
neighbor HC-665
static route HC-671
fast detection, configuring HC-668, HC-670
IPv6 HC-660
IPv6 checksum, enabling and disabling HC-694, HC-695
ipv6 checksum, enabling or disabling HC-695, HC-696
latency detection, configuring HC-686
OSPF
configuration mode HC-667
session establishment HC-664
OSPFv3 configuration mode HC-669
overview HC-652
prerequisites HC-650
setting
BFD multiplier HC-666
minimum interval HC-665, HC-667, HC-669
multiplier HC-668, HC-670
source and destination ports HC-654
static routes, configuring HC-671
VLAN bundles HC-660
VPN VRF instance, specifying HC-672
bfd command HC-682, HC-684, HC-685, HC-687, HC-689, HC-691,
HC-692, HC-694, HC-696
bfd fast-detect command HC-666, HC-668, HC-670
bfd minimum-interval command HC-665, HC-667, HC-669
bfd multiplier command HC-666, HC-668, HC-670
BFD on BGP
example HC-698
BFD on OSPF
example HC-698
buckets archive command HC-116
bundle command HC-607
Bundle-Ether command HC-213
bundle id command HC-213
C
cablelength command HC-406, HC-412, HC-419, HC-420
channel command HC-324, HC-390
channel-group command HC-424, HC-565, HC-570, HC-606
Channelized SONET, configuring HC-311, HC-316, HC-356,
HC-359, HC-714, HC-717, HC-738
CHAP
defined HC-472
enabling HC-591
password, configuring HC-596
ppp HC-507, HC-582
refusing HC-601
clear bfd counters packet command HC-697
clock source command HC-406, HC-407
controller e1 command HC-434
controller mgmtmultilink command HC-606
crc command HC-471, HC-511
D
dampening (BFD) command HC-693
default settings
flow control
Management Ethernet HC-11
mac-address (Management Ethernet) HC-11
speed (Management Ethernet) HC-10
delay trigger command HC-386
duplex command HC-14
E
E1 controller
default configuration values HC-406, HC-407
frame type HC-407, HC-427
E3 controller
cable length, setting HC-406
clock source, default value HC-406
configuring
clear channel HC-409
clear channel serial HC-410
national reserved bits HC-407
E3 configuration mode HC-410
frame type HC-406, HC-413
echo disable command HC-691
echo ipv4 source command HC-683, HC-684, HC-690
echo latency detect command HC-656, HC-686
echo startup validate command HC-688
encap command (Frame Relay) HC-551, HC-559
encapsulation command HC-471, HC-511
encapsulation frame relay command HC-551
encapsulation frame-relay command HC-550
Ethernet interface
configuring
MAC accounting HC-25, HC-42
MAC address HC-25
configuring flow control HC-25
configuring MAC accounting HC-25
configuring the IP address and subnet mask HC-39
configuring the MAC address HC-25, HC-39
configuring the MTU HC-25, HC-39
default settings
flow control HC-25
MAC accounting HC-25
MAC address HC-25
mtu HC-25
displaying
Ethernet interfaces HC-40
MAC accounting statistics HC-42
displaying Ethernet interfaces HC-40
enabling flow-control HC-39
enabling Layer 2 transport mode HC-43
Gigabit Ethernet standards HC-27
IEEE 802.3ab 1000BASE-T Gigabit
Ethernet HC-27
IEEE 802.3ae 10 Gbps Ethernet HC-27
IEEE 802.3 Physical Ethernet
Infrastructure HC-27
IEEE 802.3z 1000 Mbps Gigabit Ethernet HC-27
Layer 2 VPN
overview HC-26
VLAN support HC-638
using the flow-control command HC-25, HC-39
using the ipv4 address command HC-39
using the l2transport command HC-43
using the mac-accounting command HC-25
using the mac address command HC-25, HC-39
using the mtu command HC-25, HC-39
using the negotiation auto command HC-40
using the no shutdown command HC-40
VLANs
802.1Q frames tagging HC-636
configuring a Layer 2 VPN attachment
circuit HC-641
configuring subinterfaces HC-639
displaying VLAN interfaces HC-641, HC-645
MTU inheritance HC-637
native VLAN description HC-637
overview HC-636
removing a subinterface HC-643
subinterface overview HC-637
using the show vlan interfaces command HC-641,
HC-645
F
failover HC-213
Fast Ethernet interface
auto-negotiation HC-25
configuring
duplex operation HC-25
MAC accounting HC-25
MTU HC-25
default settings
auto-negotiation HC-25
duplex operation HC-25
interface speed HC-25
MAC accounting HC-25
mtu HC-25
fdl HC-407
fdl ansi HC-407
fdl command HC-407, HC-423
flow-control command HC-25, HC-39
Frame Relay
configuration examples HC-573
configuring
PVC encapsulation HC-559
support type HC-551, HC-559
default configuration, modifying HC-557, HC-558
default settings HC-551
LMI
configuring HC-551, HC-559
disabling HC-551, HC-560, HC-561
enabling HC-551
overview HC-551
polling HC-552, HC-553
overview HC-550
POS interfaces HC-469
prerequisites HC-550
PVCs HC-551
serial interfaces HC-509
frame-relay intf-type command HC-551, HC-559
frame-relay intf-type dce command HC-552
frame-relay intf-type dte command HC-552
frame-relay lmi command HC-551
frame-relay lmi disable command HC-561
frame-relay lmi-t391dte command HC-553
frame-relay lmi-type command HC-551, HC-559
framing command HC-406, HC-407
H
HDLC HC-471
I
IEEE 802.3ad standard HC-202
if preconfiguration submode, ipv4 address
command HC-5
if submode
bundle id command HC-221
controller sonet command HC-392
duplex command HC-14
interface command HC-391
ipv4 address command HC-12, HC-295, HC-566
keepalive command HC-391, HC-609
no shutdown command HC-12
pos crc command HC-391
See interface preconfigure command
speed command HC-15
interface command
for Ethernet interfaces HC-642
for VLAN subinterfaces HC-640, HC-642
loopback HC-295
null HC-296
interface loopback command HC-390
interface POS command HC-221
interface preconfigure command HC-5
interfaces
Link Bundling HC-197
configuring HC-215
link failover HC-214
prerequisites HC-199
invert command HC-519
ipv4 address command HC-5, HC-39, HC-213, HC-640
Fast Ethernet HC-12
loopback HC-295
ipv6 checksum command HC-695, HC-696
K
keepalive command HC-471, HC-486
keepalive timer
description HC-472
monitoring
POS link state HC-472
L
l2transport command HC-43
L2VPN
See Layer 2 VPN HC-26
Layer 2 VPN
enabling Layer 2 transport mode HC-43
overview HC-26
using the l2transport command HC-43
LCP (Link Control Protocol) HC-471, HC-506
Link Aggregation Control Protocol HC-200, HC-202
link failover HC-214
LMI HC-551, HC-560, HC-561
lmi-n391dte command HC-553
lmi-n392dce command HC-552
lmi-n392dte command HC-553
lmi-n393dce command HC-552
lmi-n393dte command HC-553
lmi-t392dce command HC-552
Local Management Interface (LMI) HC-510
loopback
naming convention HC-291
loopback, naming convention HC-291
loopback command HC-386
M
mac accounting command HC-42
mac-accounting command HC-25
mac address command HC-25, HC-39
management ethernet interface, configuring HC-10
mdl string command HC-419, HC-420
mdl transmit command HC-407, HC-419, HC-420
mip auto-create command HC-60
mode command HC-410
MS-CHAP authentication
disabling HC-602
enabling HC-591, HC-592
password, configuring HC-598
ppp HC-472, HC-582, HC-598, HC-603
viewing HC-593
mtu command HC-25, HC-39, HC-471, HC-511
Multi-Chassis Link Aggregation
Access Network Redundancy Model HC-205
Core Network Redundancy Model HC-206
multilink command HC-611
multilink fragment delay command HC-608
multilink fragment-size command HC-608
multilink Frame Relay bundle interface HC-566
multilink interleave command HC-611
Multiprotocol Label Switching control processor
(MPLSCP) HC-472, HC-507
N
naming conventions
loopback HC-291
null interface HC-291
preconfigure HC-3
national bits command HC-407, HC-413, HC-427
negotiation auto command HC-25, HC-40
neighbor command (BFD) HC-666
Network Control Protocols (NCPs) HC-472, HC-506
no interface command HC-644
Nonstop forwarding HC-213
no shutdown command
(warning) HC-3
Fast Ethernet HC-12
for Ethernet interfaces HC-40
null interface
configuring HC-292
displaying HC-293
naming convention HC-291
O
overhead command HC-386
P
PAP authentication
defined HC-582
disabling HC-599
enabling HC-591, HC-592, HC-594, HC-595
ppp HC-472, HC-594
refusing HC-600
viewing HC-593
path command HC-387, HC-394
path scrambling command HC-392
ping ethernet cfm command HC-114
Point-to-Point protocol
See PPP
POS (Packet-over-SONET)
See POS interface
pos crc command HC-318
POS interface
bringing up HC-475
configuring
CRC value HC-318, HC-471, HC-479
encapsulation type HC-471
interface encapsulation HC-318, HC-479, HC-609
keepalive timer HC-471, HC-485, HC-486, HC-609
MTU HC-318, HC-471, HC-479, HC-493
optional parameters HC-478
PPP authentication HC-472
default settings
CRC HC-471
encapsulation HC-471
keepalive HC-471
mtu HC-471
Frame Relay encapsulation HC-469
HDLC encapsulation
description
overview HC-471
interface configuration mode
interface command HC-609
interface multilink command HC-608, HC-611
interface pos command HC-318, HC-476, HC-479
PPP encapsulation
description HC-469
overview HC-471
subinterfaces, creating with PVCs HC-480
PPP
CHAP
authentication HC-582
enabling HC-591, HC-592
password, configuring HC-596, HC-597
refusing HC-601
viewing HC-593
default configuration, modifying HC-588, HC-589
interfaces, displaying HC-591
MS-CHAP
disabling HC-602, HC-603
enabling HC-592
authentication HC-591
password, configuring HC-598
ppp HC-507, HC-582
viewing HC-593
overview HC-581
PAP
authentication HC-507, HC-594
disabling HC-599
enabling HC-591, HC-592, HC-594, HC-595
refusing HC-600
viewing HC-593
POS configuration example HC-621
POS interface HC-469, HC-471
prerequisites HC-580
serial configuration example HC-621
serial interface HC-503, HC-506
ppp authentication command HC-472, HC-507, HC-581,
HC-592
ppp chap password command HC-597
ppp chap refuse command HC-601
ppp max-bad-auth command HC-589
ppp max-configure command HC-590
ppp max-failure command HC-590
ppp max-terminate command HC-590
ppp ms-chap password command HC-598
ppp ms-chap refuse command HC-603
ppp multilink minimum-active links command HC-611
ppp pap refuse command HC-600
ppp pap sent-username command HC-594, HC-595
ppp timeout authentication command HC-590
ppp timeout retry command HC-590
preconfiguration
advantages HC-3
directory HC-1
naming conventions HC-3
restriction to physical interface HC-1
PVC
POS subinterface HC-480, HC-482
R
remote-as command (BFD) HC-666
router bgp command HC-665
router ospf command (BFD) HC-667
router ospfv3 command (BFD) HC-669
router static command (BFD) HC-671
RP, preconfiguration directory HC-1
S
scramble command HC-519
serial interface
configuring
CRC HC-519
interface encapsulation HC-519
IP address and subnet mask HC-516
keepalive timer HC-528
transmit delay HC-519
data stream, inverting HC-519
default settings
CRC HC-511
encapsulation HC-511
keepalive HC-511
mtu HC-511
link state HC-506, HC-507, HC-508
payload scrambling, enabling HC-519
PPP encapsulation HC-506
prerequisites HC-501
show aps command HC-325, HC-393
show bfd counters command HC-697
show bundle Bundle-POS command HC-222
show controllers command HC-411
show controller sonet command HC-388
show frame-relay lmi command HC-552
show interfaces command HC-38, HC-543
for Ethernet interfaces HC-40, HC-44
show mac accounting command HC-42
show ppp interfaces command HC-591, HC-593
show version command HC-38
show vlan command HC-641, HC-645
SLARP (Serial Line Address Resolution Protocol) HC-473, HC-506, HC-509
SONET (Synchronous Optical Network)
APS HC-388
description HC-381
fast reroute (FRR) HC-393
SONET APS (SONET Automatic Protection Switching) HC-388
SONET controller
configuring HC-385
frame type HC-386
sonet submode
ais-shut command HC-392
clock source command HC-386, HC-392
delay trigger command HC-386, HC-394
framing command HC-386
loopback command HC-386
overhead command HC-386
path command HC-387, HC-394
path scrambling command HC-392
See controller sonet command
SPAN HR-263
speed command HC-25
management ethernet HC-15
switched port analyzer HR-263
T
T1 controller
ANSI T1.403 or AT&T TR54016 performance reports HC-407, HC-423
BERT, configuring HC-434
clock source HC-407, HC-423
default configuration values HC-406, HC-407
DS0 timeslots, associating HC-424, HC-565, HC-570, HC-606
frame type HC-407, HC-423
T1 channel group, creating HC-424, HC-565, HC-570, HC-606
T1 configuration mode HC-423, HC-437, HC-564, HC-570, HC-606
yellow alarms HC-407
T3 controller
cable length, setting HC-406
clock source
configuring HC-412, HC-419, HC-420, HC-605
default value HC-406
configuring HC-414
BERT HC-431
channelized T3 controller HC-416
clear channel E3 controller HC-410
clear channel T3 controller HC-414
FRF.12 end-to-end fragmentation HC-569
MDL messages HC-407
multilink Frame Relay bundle interfaces HC-564
frame type HC-406, HC-419, HC-420
modifying
default E3 controller HC-412
default T3 controller HC-418
timeslots command HC-424, HC-565, HC-570, HC-606
traffic filtering HC-292
transmit-delay command HC-519
transparent switch over HC-10
U
uni-directional link-fault detection command HC-56
V
virtual interface
active/standby RPs HC-293
and active/standby RPs HC-4, HC-293
failover HC-291
naming convention HC-291
null interface definition HC-292
switchover HC-291
VLANs
802.1Q frames tagging HC-636
configuring an IP address and subnet mask HC-640
configuring subinterfaces HC-639
displaying VLAN interfaces HC-641, HC-645
Layer 2 VPN
configuring an attachment circuit HC-641
Layer 2 VPN support HC-638
MTU inheritance HC-637
native VLAN description HC-637
overview HC-636
removing a VLAN subinterface HC-643
subinterface overview HC-637
using the ipv4 address command HC-640
using the no interface command HC-644
using the show vlan interfaces command HC-641, HC-645
vrf command (BFD) HC-672
Y
yellow command HC-407, HC-423
Cisco IOS XR Carrier Grade NAT Configuration Guide for the Cisco CRS Router
Cisco IOS XR Software Release 4.2.x
Customer Order Number: OL-26122-02
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL
FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are
shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco IOS XR Carrier Grade NAT Configuration Guide for the Cisco CRS Router
© 2011 Cisco Systems, Inc. All rights reserved.
Cisco IOS XR Carrier Grade NAT Configuration Guide for the CRS Router
OL-26122-02
Contents
Preface CGC-v
Changes to This Document CGC-v
Obtaining Documentation and Submitting a Service Request CGC-v
Implementing the Carrier Grade NAT on Cisco IOS XR Software CGC-1
Contents CGC-1
Prerequisites for Implementing the Carrier Grade NAT CGC-1
Carrier Grade NAT Overview and Benefits CGC-1
Carrier Grade NAT Overview CGC-2
Benefits of Carrier Grade NAT CGC-2
NAT and NAPT Overview CGC-2
Network Address and Port Mapping CGC-3
Information About Implementing Carrier Grade NAT CGC-3
Implementing NAT with ICMP CGC-4
Implementing NAT with TCP CGC-4
Double NAT 444 CGC-5
Address Family Translation CGC-5
Policy Functions CGC-5
External Logging CGC-6
Implementing Carrier Grade NAT on Cisco IOS XR Software CGC-6
Getting Started with the Carrier Grade NAT CGC-6
Configuring an Inside and Outside Address Pool Map CGC-12
Configuring the Policy Functions for the Carrier Grade NAT CGC-14
Configuring the Export and Logging for the Network Address Translation Table Entries CGC-27
Configuration Examples for Implementing the Carrier Grade NAT CGC-35
Configuring a Different Inside VRF Map to a Different Outside VRF: Example CGC-35
Configuring a Different Inside VRF Map to a Same Outside VRF: Example CGC-36
Additional References CGC-37
Related Documents CGC-37
Standards CGC-38
MIBs CGC-38
RFCs CGC-38
Technical Assistance CGC-38
Index
Preface
The Cisco IOS XR Carrier Grade NAT Configuration Guide for the Cisco CRS Router preface contains
the following sections:
• Changes to This Document, page CGC-v
• Obtaining Documentation and Submitting a Service Request, page CGC-v
Changes to This Document
Table 1 lists the technical changes made to this document since it was first printed.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
Table 1 Changes to This Document
Revision        Date            Change Summary
OL-26122-02     June 2012       Republished with documentation updates for Cisco IOS XR Release 4.2.1 features.
OL-26122-01     December 2011   Initial release of this document.
Implementing the Carrier Grade NAT on
Cisco IOS XR Software
This module describes how to implement the Carrier Grade NAT (CGN) on Cisco IOS XR software.
Contents
• Prerequisites for Implementing the Carrier Grade NAT, page 1
• Carrier Grade NAT Overview and Benefits, page 2
• Information About Implementing Carrier Grade NAT, page 4
• Implementing Carrier Grade NAT on Cisco IOS XR Software, page 12
• Configuration Examples for Implementing the Carrier Grade NAT, page 58
• Additional References, page 67
Prerequisites for Implementing the Carrier Grade NAT
The following prerequisites are required to implement Carrier Grade NAT:
• You must be running Cisco IOS XR software Release 3.9.1 or above.
• You must have installed the CGN service package or the pie hfr-services-p.pie-x.x.x or
hfr-services-px.pie-x.x.x (where x.x.x specifies the release number of Cisco IOS XR software).
Note The CGN service package was named hfr-cgn-p.pie or hfr-cgn-px.pie in releases prior to Cisco IOS XR Software Release 4.2.0. It is named hfr-services-p.pie or hfr-services-px.pie in Cisco IOS XR Software Release 4.2.0 and later.
• You must be in a user group associated with a task group that includes the proper task IDs. The
command reference guides include the task IDs required for each command.
• In the case of intra-chassis redundancy, enable CGSE data and control path monitoring in configuration mode, where R/S/CPU0 is the CGSE location:
– service-plim-ha location R/S/CPU0 datapath-test
– service-plim-ha location R/S/CPU0 core-to-core-test
– service-plim-ha location R/S/CPU0 pci-test
– service-plim-ha location R/S/CPU0 coredump-extraction
– service-plim-ha location R/S/CPU0 linux-timeout 500
– service-plim-ha location R/S/CPU0 msc-timeout 500
Note All of these error conditions result in a card reload, which triggers a switchover to the standby CGSE. Revertive switchover (disabled by default) and forced switchover are also available and can be used if required. Contact Cisco Technical Support with the show tech-support cgn output.
• In the case of a standalone CGSE (without intra-chassis redundancy), enable CGSE data and control path monitoring in configuration mode, where R/S/CPU0 is the CGSE location, and disable auto reload for that location:
– service-plim-ha location R/S/CPU0 datapath-test
– service-plim-ha location R/S/CPU0 core-to-core-test
– service-plim-ha location R/S/CPU0 pci-test
– service-plim-ha location R/S/CPU0 coredump-extraction
– service-plim-ha location R/S/CPU0 linux-timeout 500
– service-plim-ha location R/S/CPU0 msc-timeout 500
– (admin-config) hw-module reset auto disable location R/S/CPU0
Note In this mode all of these error conditions result in a syslog message. If you observe heartbeat failures or any HA test failure messages, contact Cisco Technical Support with the show tech-support cgn output.
Note If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
Carrier Grade NAT Overview and Benefits
To implement the Carrier Grade NAT, you should understand the following concepts:
• Carrier Grade NAT Overview, page 2
• Benefits of Carrier Grade NAT, page 3
• NAT and NAPT Overview, page 3
• Network Address and Port Mapping, page 4
Carrier Grade NAT Overview
Carrier Grade Network Address Translation (CGN) is a large-scale NAT that provides private IPv4 to public IPv4 address translation on the order of millions of translations, to support a large number of subscribers, at a throughput of at least 10 Gbps full duplex.
CGN is a workable solution to the IPv4 address depletion problem, and offers service provider subscribers and content providers a way to make a seamless transition to IPv6. CGN employs network address and port translation (NAPT) to aggregate many private IP addresses into fewer public IPv4 addresses. For example, a single public IPv4 address with a pool of 32 K port numbers supports about 320 private subscribers if each subscriber requires 100 ports (each TCP connection, for example, consumes one port number).
A CGN requires IPv6 to assist with the transition from IPv4 to IPv6.
Benefits of Carrier Grade NAT
CGN offers these benefits:
• Enables service providers to execute orderly transitions to IPv6 through mixed IPv4 and IPv6 networks.
• Provides address family translation, not just translation within a single address family.
• Delivers a comprehensive solution suite for IP address management and IPv6 transition.
IPv4 Address Shortage
A fixed-size resource such as the 32-bit public IPv4 address space is finite and is running out. The IPv4 address shortage therefore presents a major challenge to all service providers who depend on large blocks of public or private IPv4 addresses for provisioning and managing their customers. Service providers cannot easily allocate sufficient public IPv4 address space to support new customers that need to access the public IPv4 Internet.
NAT and NAPT Overview
A Network Address Translation (NAT) box sits between a private IP network, addressed with non-global private addresses, and a public IP network, addressed with public IP addresses. The NAT maps one or many private (or internal) IP addresses into one public IP address by employing both network address and port translation (NAPT) techniques. The mappings, also called bindings, are typically created when a private IPv4 host behind the NAT initiates a connection (for example, a TCP SYN) to a public IPv4 host. The NAT intercepts the packet and performs these functions:
• Rewrites the private source IP address and port with its own public source IP address and port.
• Stores the private-to-public binding in a table and forwards the packet. When the public host replies, the reply is addressed to the NAT; the stored binding is used to replace the destination IP address and port with the private host's address and port.
Traditionally, a NAT is deployed in the residential home gateway (HGW), where it translates the multiple private IP addresses used by devices inside the home to the single public IP address that the service provider configures and provisions on the HGW. In enterprise scenarios, NAT functions combined with a firewall offer security protection for corporate resources and allow provider-independent IPv4 addressing. NATs have made it easier for private IP home networks to flourish independently of service provider IP address provisioning. Enterprises can permanently employ private IP addressing for intranet connectivity while relying on a few NAT boxes and public IPv4 addresses for external public Internet connectivity. NAT boxes, in conjunction with classic methods such as Classless Inter-Domain Routing (CIDR), have slowed public IPv4 address consumption.
Network Address and Port Mapping
Once a first mapping between an internal address and port and an external address and port has been established, the mapping can be reused for new sessions to external endpoints. RFC 4787 defines these NAT mapping behaviors:
• Endpoint-independent mapping—Reuses the port mapping for subsequent packets sent from the same internal IP address and port to any external IP address and port.
• Address-dependent mapping—Reuses the port mapping for subsequent packets sent from the same internal IP address and port to the same external IP address, regardless of the external port.
Translation Filtering
RFC 4787 also defines the filtering behaviors a NAT applies to packets arriving from external endpoints toward a mapped internal address and port:
• Endpoint-independent filtering—Filters out only packets that are not destined to the internal address and port, regardless of the external source IP address and port.
• Address-dependent filtering—Filters out packets that are not destined to the internal address and port. In addition, the NAT filters out packets destined for the internal endpoint if they come from an external IP address to which the internal endpoint has not previously sent packets, regardless of the external port.
• Address and port-dependent filtering—Filters out packets that are not destined to the internal address and port. In addition, the NAT filters out packets destined for the internal endpoint if they come from an external IP address and port to which the internal endpoint has not previously sent packets.
Information About Implementing Carrier Grade NAT
These sections describe how CGN implements NAT for ICMP and TCP traffic, and the related translation features:
• Implementing NAT with ICMP, page 5
• Implementing NAT with TCP, page 5
• Double NAT 444, page 6
• Address Family Translation, page 6
• Policy Functions, page 6
• Cisco Carrier-Grade Service Engine (CGSE) Applications, page 7
Implementing NAT with ICMP
This section explains how Network Address Translation (NAT) devices work in conjunction with Internet Control Message Protocol (ICMP). NAT implementations vary in how they handle different kinds of traffic.
• ICMP Query Session Timeout, page 5
• Implementing NAT with TCP, page 5
ICMP Query Session Timeout
RFC 5508 specifies ICMP Query Session timeouts. A NAT maintains a mapping timeout for the ICMP queries that traverse it; the ICMP Query Session timeout is the period during which a mapping stays active with no packets traversing the NAT. The timeout can be based on either the Maximum Round Trip Time (Maximum RTT) or the Maximum Segment Lifetime (MSL); for the purpose of constraining the maximum RTT, the MSL is considered a guideline for packet lifetime. If the ICMP NAT session timeout is set to a very large value (for example, 240 seconds), it ties up NAT resources such as query mappings and NAT sessions for the whole duration. If it is set too low, NAT resources are freed prematurely and applications fail to complete gracefully. The ICMP Query Session timeout therefore has to balance the two extremes; a 60-second timeout is such a balance.
Implementing NAT with TCP
This section explains the NAT behaviors that apply to TCP connection initiation. NAT behavior for TCP is defined in detail in RFC 5382.
Address and Port Mapping Behavior
A NAT translates the packets of each TCP connection using a mapping. A mapping is dynamically allocated for connections initiated from the internal side, and can be reused for certain later connections.
Internally Initiated Connections
An internal endpoint initiates a TCP connection through a NAT by sending a SYN packet. The mapping defines the external IP address and port used to translate that connection. In the usual client-server case, where an internal client initiates the connection to an external server, the mapping created to translate the outbound SYN is used for the inbound SYN-ACK response, the subsequent outbound ACK, and all other packets of the connection.
This three-way handshake is the normal method of connection initiation.
Externally Initiated Connections
The NAT allocates a mapping when an internal endpoint initiates its first connection. In some situations, NAT policy may allow this mapping to be reused for a connection initiated from the external side to the internal endpoint.
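The mapping and filtering behaviors described under Network Address and Port Mapping and Translation Filtering, together with the TCP rules above (an externally initiated SYN is delivered only if a mapping exists and the filtering behavior permits it), as an added example that is not Cisco code and does not model the CGSE: a small NAPT in Python with endpoint-independent mapping and the three RFC 4787 filtering modes. The class and function names, the one-public-address design and the addresses used are constructed for illustration.

```python
"""NAPT mapping and filtering model after RFC 4787 and RFC 5382.

Added example for this guide; it is not Cisco code and does not model CGSE
behaviour.  Napt, Mapping, scenario and the addresses are constructed.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

# The three RFC 4787 filtering behaviours (section 5).
EIF = "endpoint-independent"
ADF = "address-dependent"
APDF = "address-and-port-dependent"


@dataclass
class Mapping:
    external: Endpoint                                     # public ip:port assigned by the NAT
    contacted: Set[Endpoint] = field(default_factory=set)  # external peers sent to so far


class Napt:
    """One public IPv4 address, endpoint-independent mapping, configurable filtering."""

    def __init__(self, public_ip: str, filtering: str = ADF, first_port: int = 1024):
        if filtering not in (EIF, ADF, APDF):
            raise ValueError("unknown filtering behaviour")
        self.public_ip = public_ip
        self.filtering = filtering
        self._ports = itertools.count(first_port)      # constructed port allocator
        self.by_internal: Dict[Endpoint, Mapping] = {}
        self.by_external: Dict[Endpoint, Endpoint] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an internally initiated packet (e.g. a TCP SYN) and return the
        rewritten source.  Endpoint-independent mapping: the same external port is
        reused for every destination the internal endpoint talks to."""
        m = self.by_internal.get(src)
        if m is None:
            m = Mapping(external=(self.public_ip, next(self._ports)))
            self.by_internal[src] = m
            self.by_external[m.external] = src
        m.contacted.add(dst)
        return m.external

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving from the public side.  Returns the internal
        endpoint to deliver to, or None when the NAT filters the packet.  An
        externally initiated SYN is handled by exactly the same rule."""
        internal = self.by_external.get(dst)
        if internal is None:
            return None                                  # no binding for this public ip:port
        peers = self.by_internal[internal].contacted
        if self.filtering == EIF:
            return internal                              # any external source may use it
        if self.filtering == ADF:
            return internal if any(ip == src[0] for ip, _ in peers) else None
        return internal if src in peers else None        # APDF: exact ip:port match


def scenario(filtering: str) -> dict:
    """One inside host talks to one server; then inbound packets probe the binding."""
    nat = Napt("198.51.100.1", filtering)
    inside = ("10.0.0.5", 40000)                         # constructed private host
    server = ("203.0.113.10", 80)                        # constructed public server
    ext = nat.outbound(inside, server)
    ext_again = nat.outbound(inside, ("203.0.113.20", 443))   # second destination
    return {
        "external": ext,
        "mapping_reused": ext == ext_again,
        "from_server": nat.inbound(server, ext),
        "from_server_other_port": nat.inbound(("203.0.113.10", 8080), ext),
        "from_unknown_host": nat.inbound(("203.0.113.99", 80), ext),
        "to_unmapped_port": nat.inbound(server, ("198.51.100.1", 9)),
    }


if __name__ == "__main__":
    for mode in (EIF, ADF, APDF):
        print(mode, scenario(mode))
```

Running the three modes shows the practical difference: with endpoint-independent filtering an unrelated host can reach the binding (the behavior that makes externally initiated connections possible), address-dependent filtering admits only hosts the inside endpoint already contacted, and address-and-port-dependent filtering additionally requires the same port. The default here, endpoint-independent mapping with address-dependent filtering, is the combination the Stateful NAT64 feature list later in this chapter names.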
Double NAT 444
The Double NAT 444 solution offers the fastest and simplest way to address the IPv4 depletion problem without requiring an upgrade to IPv6 anywhere in the network. Service providers can continue offering new IPv4 customers access to the public IPv4 Internet by using private IPv4 address blocks. However, a sufficiently large service provider needs overlapping RFC 1918 address space, which forces it to partition its network management systems and creates complexity with access control lists (ACLs).
Double NAT 444 uses both the edge NAT and the CGN to hold translation state for each session. For example, if all the hosts in a subscriber's residence have 100 connections to hosts on the Internet, both NATs must hold 100 entries in their respective translation tables. There is no easy way for a private IPv4 host to communicate with the CGN to learn its public IP address and port, or to configure static incoming port forwarding.
Address Family Translation
Translation between IPv6-only and IPv4-only endpoints is referred to as address family translation (AFT). AFT translates an IP address from one address family into the other. For example, IPv6-to-IPv4 translation is called NAT64 and IPv4-to-IPv6 translation is called NAT46.
Policy Functions
• Application Level Gateway, page 6
• TCP Maximum Segment Size Adjustment, page 7
• Static Port Forwarding, page 7
• External Logging, page 7
• Cisco Carrier-Grade Service Engine (CGSE) Applications, page 7
• IPv4/IPv6 Stateless Translator (XLAT), page 7
• IPv6 Rapid Deployment (6RD), page 9
• Stateful NAT64, page 9
• Dual Stack Lite Feature, page 11
• Syslog support, page 11
• Bulk Port Allocation, page 12
Application Level Gateway
An application level gateway (ALG) handles applications that embed IP addresses and ports in the packet payload. Active FTP and RTSP ALGs are supported.
CGN supports both passive and active FTP. FTP clients are supported with inside (private) addresses and servers with outside (public) addresses. Passive FTP is handled by the basic NAT function; active FTP requires the ALG.
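The active-FTP case the paragraph above describes, as an added example that is not Cisco's ALG: the client's PORT command carries its private address and a port, so the ALG must rewrite it with a public address and port, pre-create the binding the server's inbound data connection will hit, and track how much the payload grew (TCP sequence and acknowledgement numbers on the control connection have to be adjusted by that delta). FtpAlg, its port allocator, the sample command and the rule that the PORT address must match the control-connection source are constructed for illustration.

```python
"""FTP ALG for active-mode transfers (RFC 959 PORT command).

Added example; not Cisco code.  FtpAlg, the port allocator and the sample
PORT line are constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# PORT h1,h2,h3,h4,p1,p2 -- the client's own (private) address and data port.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes) -> Endpoint:
    """Decode a PORT command into (ip, port); rejects malformed or out-of-range input."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a well-formed PORT command")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("PORT field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def build_port(ep: Endpoint) -> bytes:
    """Encode (ip, port) as a PORT command line."""
    ip, port = ep
    fields = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return ("PORT " + ",".join(fields) + "\r\n").encode("ascii")


class FtpAlg:
    """Rewrites PORT on the control connection and pre-creates the binding that the
    server's inbound data connection (server port 20 -> client) will use."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self._next = first_port                            # constructed allocator
        self.bindings: Dict[Endpoint, Endpoint] = {}       # public -> private data endpoint
        self.seq_delta = 0   # cumulative payload growth; seq/ack on the control stream shift by this

    def control_out(self, client_ip: str, payload: bytes) -> bytes:
        """Process one outbound control-connection segment sent by client_ip."""
        if not payload.startswith(b"PORT "):
            return payload                                 # PASV and everything else pass through
        priv = parse_port(payload)
        if priv[0] != client_ip:
            # Hardening choice (assumption, not from the guide): never open a pinhole
            # to a host other than the one that sent the command.
            raise ValueError("PORT address does not match control-connection source")
        pub = (self.public_ip, self._next)
        self._next += 1
        self.bindings[pub] = priv
        new = build_port(pub)
        self.seq_delta += len(new) - len(payload)
        return new

    def data_in(self, dst: Endpoint) -> Optional[Endpoint]:
        """Server opens the data connection toward the rewritten public endpoint."""
        return self.bindings.get(dst)


if __name__ == "__main__":
    alg = FtpAlg("198.51.100.1")
    out = alg.control_out("10.0.0.5", b"PORT 10,0,0,5,156,64\r\n")   # constructed sample
    print(out, alg.seq_delta, alg.data_in(("198.51.100.1", 20000)))
```

Passive FTP needs none of this: the server's PASV reply carries the server's own public address, and the client's data connection is an ordinary outbound session that the basic NAT function maps like any other.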
TCP Maximum Segment Size Adjustment
When a host initiates a TCP session with a server, the two hosts advertise the largest TCP segment each can receive by using the maximum segment size (MSS) option. The value of the MSS option is derived from the maximum transmission unit (MTU) configured on the host. A CGN can rewrite this value while translating packets (see the tcp mss parameter of a NAT64 instance later in this chapter) so that the advertised segment size fits the MTU of the translated path.
Static Port Forwarding
Static port forwarding associates a private IP address and port with a statically allocated public IP address and port. After you configure static port forwarding, the association remains intact and is not removed by timeouts until the CGSE is rebooted. With redundant CGSE cards, it remains intact until both CGSEs are reloaded together or the router is reloaded. There is a remote chance that the association changes after a reboot. This feature is useful when server applications running on the private network must be reachable from the public Internet.
External Logging
External logging exports and logs NAT table entries, that is, the private bindings associated with a particular global IP address and port, using NetFlow to export the entries.
Cisco Carrier-Grade Service Engine (CGSE) Applications
A Carrier-Grade Services Engine (CGSE) is a physical layer interface module (PLIM). Attached to a single CRS modular services card (forwarding engine), it provides the hardware that runs applications such as NAT44, XLAT, Stateful NAT64 and DS-Lite. Each application module consumes one CRS line card slot. Multiple modules can be placed in a single CRS chassis to add capacity, scale, and redundancy.
There can be only one ServiceInfra SVI per CGSE slot. It is used for the management plane, is required to bring up the CGSE, and has only local significance within the chassis.
ServiceApp SVIs forward data traffic to the CGSE applications. Up to 256 ServiceApp interfaces can be configured for each CGSE, and these interfaces can be advertised in IGP/EGP.
IPv4/IPv6 Stateless Translator (XLAT)
IPv4/IPv6 Stateless Translator (XLAT), which runs on the CRS Carrier Grade Services Engine (CGSE), enables an IPv4-only endpoint in an IPv4-only network to communicate with an IPv6-only endpoint in an IPv6-only network. This like-to-unlike address family connectivity provides backward compatibility between IPv6 and IPv4.
A Stateless XLAT (SL-XLAT) does not create or maintain any per-session or per-flow data structures. Translation is an algorithmic operation on the IP packet headers that turns an IPv4 packet into an IPv6 packet and vice versa. SL-XLAT requires Cisco IOS XR Software Release 3.9.3, 4.0.1, 4.1.0 or later.
Advantages of XLAT
These are the advantages of a stateless translator:
• No state is maintained in an SL-XLAT. It supports 1:1 IPv6-to-IPv4 address mappings, which means that one IPv4 address is consumed for each IPv6-to-IPv4 translation.
• It supports asymmetric packet flows. Because it is stateless, it is not necessary to pin the two directions of a session flow to a particular SL-XLAT instance.
• It offers basic IP transit between IPv4 and IPv6 networks.
IPv6 Rapid Deployment (6RD)
IPv6 Rapid Deployment (6RD) is a mechanism that allows service providers to provide a unicast IPv6
service to customers over their IPv4 network.
6RD Definitions
• 6RD CE/RG/CPE: The 6rd Customer Edge router that sits between an IPv6-enabled site and an IPv4-enabled SP network. In the context of residential broadband deployment, this is referred to as the Residential Gateway (RG), Customer Premises Equipment (CPE) or Internet Gateway Device (IGD). This router has a 6rd tunnel interface acting as the endpoint for IPv6-in-IPv4 encapsulation and forwarding, with at least one 6rd CE LAN-side interface and one 6rd CE WAN-side interface.
• 6RD Border Relay (BR): A 6rd-enabled Border Relay router located at the service provider's premises. The 6rd BR router has at least one IPv4 interface, a 6rd tunnel interface for multipoint tunneling, and at least one IPv6 interface that is reachable through the IPv6 Internet or the IPv6-enabled portion of the SP network. A router running IOS can also be a 6RD BR.
• 6RD Delegated Prefix: The IPv6 prefix derived by the 6rd CE device for use by hosts within the customer site.
• 6RD Prefix (SP Prefix): An IPv6 prefix selected by the service provider for use by a 6rd domain. There is exactly one 6rd prefix for a given 6rd domain.
• CE LAN side: The functionality of a 6rd CE that serves the Local Area Network (LAN) or customer-facing side of the CE. The CE LAN-side interface is fully IPv6 enabled.
• CE WAN side: The functionality of a 6rd CE that serves the Wide Area Network (WAN) or service-provider-facing side of the CE. The CE WAN side is IPv4 only.
• BR IPv4 address: The IPv4 address of the 6rd Border Relay for a given 6rd domain. The CE uses this address to send packets to a BR in order to reach IPv6 destinations outside the 6rd domain.
• CE IPv4 address: The IPv4 address given to the CE as part of normal IPv4 Internet access (configured through DHCP, PPP, or otherwise). This address may be global or private within the 6rd domain. The 6rd CE uses it to derive the 6rd delegated prefix, and to send and receive IPv4-encapsulated IPv6 packets.
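How the CE derives its delegated prefix from the 6rd prefix and its CE IPv4 address, and how a CE or BR recovers the IPv4 encapsulation target from an IPv6 destination, as an added example that is not Cisco code and not the CRS implementation: the RFC 5969 address arithmetic with Python's ipaddress module. The 6rd prefixes, the IPv4MaskLen value, the CE and BR addresses are constructed; common_v4 stands for the IPv4 bits that RFC 5969 says are shared by all CEs in the domain and therefore omitted from the delegated prefix.

```python
"""6rd address derivation after RFC 5969.

Added example; not Cisco code.  All prefixes and addresses are constructed.
Functions accept strings or ipaddress objects.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


def delegated_prefix(sp_prefix, ce_ipv4, ipv4_mask_len: int = 0) -> IPv6Network:
    """6rd delegated prefix = 6rdPrefix || (CE IPv4 address minus its ipv4_mask_len
    high-order bits, which are common to the whole 6rd domain)."""
    sp_prefix, ce_ipv4 = IPv6Network(sp_prefix), IPv4Address(ce_ipv4)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be 0..32")
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ce_ipv4) & ((1 << v4_bits) - 1)
    plen = sp_prefix.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("6rd prefix too long for this IPv4MaskLen (delegated prefix > /64)")
    addr = int(sp_prefix.network_address) | (suffix << (128 - plen))
    return IPv6Network((addr, plen))


def ce_ipv4_for(sp_prefix, dst, common_v4) -> IPv4Address:
    """Reverse direction: recover the CE IPv4 address embedded in an IPv6
    destination inside the 6rd domain.  common_v4 (e.g. 10.0.0.0/8) supplies the
    IPv4MaskLen high-order bits shared by every CE."""
    sp_prefix, dst, common_v4 = IPv6Network(sp_prefix), IPv6Address(dst), IPv4Network(common_v4)
    if dst not in sp_prefix:
        raise ValueError("destination is outside the 6rd domain")
    v4_bits = 32 - common_v4.prefixlen
    plen = sp_prefix.prefixlen + v4_bits
    suffix = (int(dst) >> (128 - plen)) & ((1 << v4_bits) - 1)
    return IPv4Address(int(common_v4.network_address) | suffix)


def ipv4_next_hop(sp_prefix, dst, common_v4, br_ipv4) -> IPv4Address:
    """Encapsulation target chosen by a CE: another CE directly if the IPv6
    destination is inside the 6rd domain, otherwise the Border Relay."""
    sp_prefix, dst = IPv6Network(sp_prefix), IPv6Address(dst)
    if dst in sp_prefix:
        return ce_ipv4_for(sp_prefix, dst, common_v4)
    return IPv4Address(br_ipv4)


if __name__ == "__main__":
    # Constructed domain: SP prefix 2001:db8::/32, no shared IPv4 bits, CE 192.0.2.1.
    print(delegated_prefix("2001:db8::/32", "192.0.2.1"))            # 2001:db8:c000:201::/64
    print(ipv4_next_hop("2001:db8::/32", "2001:db8:c000:201::1",
                        "0.0.0.0/0", "192.0.2.254"))                  # 192.0.2.1 (CE to CE)
    print(ipv4_next_hop("2001:db8::/32", "2001:4860::1",
                        "0.0.0.0/0", "192.0.2.254"))                  # 192.0.2.254 (via BR)
```

The second form, with a /40 SP prefix and IPv4MaskLen 8, shows why providers with private CE addressing use a mask: dropping the shared 10.0.0.0/8 bits leaves 24 bits to embed, so the delegated prefix still lands at /64.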
Stateful NAT64
The Stateful NAT64 (Network Address Translation 64) feature translates IPv6 packets into IPv4 packets and vice versa. NAT64 allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP, and a public IPv4 address can be shared among several IPv6-only clients. NAT64 supports communication between:
• an IPv6 network and the public IPv4 Internet
• the public IPv6 Internet and an IPv4 network
NAT64 is implemented on the CGSE platform of the Cisco CRS router. The Carrier Grade Service Engine (CGSE) has four Octeon processors, supports 20 Gbps of full-duplex traffic, and runs a Linux operating system. Traffic is forwarded into the CGSE over serviceApp interfaces; these Service Virtual Interfaces (SVIs) are configured to let traffic flow in and out of the CGSE.
Each NAT64 instance configured is associated with two serviceApps for the following purposes:
• One serviceApp carries traffic from the IPv6 side.
• The other serviceApp carries traffic from the IPv4 side of the NAT64.
NAT64 instance parameters are configured through the CGN CLI. The NAT64 application on the Octeons updates its NAT64 instance and serviceApp databases, which it uses to translate between IPv6 and IPv4.
The active CGN instance configuration is replicated to the standby CGN instance through the XR control plane. Translations established on the active CGN instance are not exported to the standby CGN instance, so a failure of the active CGN affects service until the translations are re-established through normal packet flow. For a given fault detection time and translation learning rate, the service interruption is moderate: seconds, or tens of seconds for a large translation database.
Functionalities Supported in Stateful NAT64
These functionalities are supported in the NAT64 implementation:
• TCP, UDP, and ICMP NAT64
• IPv4-to-IPv6 header translation and vice versa
• Endpoint-independent mapping
• Address-dependent filtering
• Multiple address pools
• Well-known prefix handling
• NetFlow v9 logging
• TCP/UDP/ICMP fragment handling
• IP options and ICMP error handling
• Protocol-based session timers
• Destination-based session timers
• Hairpinning
• Operation with a decoupled DNS64
• Multiple NAT64 instances, each with configurable options
• XML support for configuration and show commands
• CLI consistent with other CGv6 applications
Note A maximum of 64 NAT64 instances are supported in the NAT64 configuration.
These are the configuration parameters for a NAT64 instance:
• NAT64 Prefix—Indicates the IPv6 prefix used to map the destination IPv4 address (default is the WKP
64:FF9B::/96)
• NAT64 Prefix Length—Indicates the IPv6 NAT64 prefix length (/32 to /96)
• NAT64 IPv4 map address pool—Indicates the outside IPv4 address space for this NAT64 instance
• IPv4 serviceApp and IPv6 serviceApp interfaces for the instance
• u-bit-reserved flag—When this configuration is enabled, bits 64-71 of the IPv6
addresses are reserved for several purposes, including the U-bit. These bits are not used for translation
purposes.
• Static port configuration—This is a protocol-based configuration that specifies a source IPv6
address that needs a static mapping to the outside IPv4 address
• Protocol-based timeouts—Indicates active/init timeouts and per-destination IP/port timeouts
• TCP MSS—Indicates the TCP MSS value to be used while translating packets
• tos, traffic class, and df override related flags, similar to stateless NAT64
• Netflow information
• Address-dependent filtering enabling
• Port limit
• Destination-based active timeouts
• Fragment handling timeouts
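The NAT64 prefix, prefix length and u-bit parameters above correspond to the IPv4-embedded IPv6 address format of RFC 6052. The following Python example is added here to show how an IPv4 address is placed into, and recovered from, a NAT64 prefix of each allowed length, with bits 64-71 always left zero. It is not code from the guide or from the CGSE software; it reads the guide's "/32 to /96" range as the six prefix lengths RFC 6052 defines (an assumption of this example), and the prefixes and the address 192.0.2.33 used in the demonstration are constructed test values taken from the RFC's own worked table.

```python
import ipaddress

# RFC 6052 defines these prefix lengths; the guide's "/32 to /96" is read here
# as this set (assumption of this example, not a statement of CGSE behaviour).
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WKP = ipaddress.IPv6Network("64:ff9b::/96")  # well-known prefix named in the text


def valid_nat64_prefix(prefix) -> bool:
    """True if the prefix length is one RFC 6052 allows."""
    return ipaddress.IPv6Network(prefix).prefixlen in VALID_PREFIX_LENGTHS


def embed_ipv4(prefix, v4) -> ipaddress.IPv6Address:
    """Synthesize the IPv4-embedded IPv6 address (RFC 6052 section 2.2).

    Bits 64-71 (the "u" octet) are never used; IPv4 bits that do not fit
    between the end of the prefix and bit 64 continue at bit 72.
    """
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    v4_bits = int(ipaddress.IPv4Address(v4))
    result = int(net.network_address)
    if plen == 96:
        result |= v4_bits                       # bits 96-127
    elif plen == 64:
        result |= v4_bits << 24                 # bits 72-103
    else:
        before = 64 - plen                      # IPv4 bits that fit before bit 64
        high = v4_bits >> (32 - before)
        low = v4_bits & ((1 << (32 - before)) - 1)
        result |= high << 64                    # bits plen..63
        result |= low << (56 - (32 - before))   # bits 72..(103-before)
    return ipaddress.IPv6Address(result)


def extract_ipv4(prefix, v6) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address; inverse of embed_ipv4."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    val = int(addr)
    if plen == 96:
        v4 = val & 0xFFFFFFFF
    elif plen == 64:
        v4 = (val >> 24) & 0xFFFFFFFF
    else:
        before = 64 - plen
        high = (val >> 64) & ((1 << before) - 1)
        low = (val >> (56 - (32 - before))) & ((1 << (32 - before)) - 1)
        v4 = (high << (32 - before)) | low
    return ipaddress.IPv4Address(v4)


def u_octet(v6) -> int:
    """Bits 64-71 of an address; RFC 6052 requires this octet to be zero."""
    return (int(ipaddress.IPv6Address(v6)) >> 56) & 0xFF


if __name__ == "__main__":
    v4 = "192.0.2.33"  # constructed test value (RFC 6052 worked example)
    for p in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
              "2001:db8:122:300::/56", "2001:db8:122:344::/64", str(WKP)):
        v6 = embed_ipv4(p, v4)
        print(f"{p:24} -> {v6.exploded}  u-octet={u_octet(v6)}  back={extract_ipv4(p, v6)}")
```

The encoder always leaves bits 64-71 zero, as RFC 6052 requires; how the CGSE treats those bits when the u-bit-reserved flag is off is not modelled here.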
Dual Stack Lite Feature
The Dual Stack Lite (DS-Lite) feature enables legacy IPv4 hosts and server communication over both
IPv4 and IPv6 networks. Also, IPv4 hosts may need to access IPv4 internet over an IPv6 access network.
The IPv4 hosts will have private addresses which need to have network address translation (NAT)
completed before reaching the IPv4 internet. The Dual Stack Lite application has these components:
• Basic Bridging BroadBand Element (B4): This is a Customer Premises Equipment (CPE) router
that is attached to the end hosts. The IPv4 packets entering the B4 are encapsulated in an IPv6 tunnel
and sent to the Address Family Transition Router (AFTR).
• Address Family Transition Router (AFTR): This is the router that terminates the tunnel from the
B4. It decapsulates the tunneled IPv4 packet, translates the network address, and routes it to the IPv4
network. In the reverse direction, IPv4 packets coming from the internet are reverse network address
translated and the resulting IPv4 packets are sent to the B4 over an IPv6 tunnel.
The Dual Stack Lite feature performs these functions:
1. Tunnelling IPv4 packets from CE devices over IPv6 tunnels to the CGSE blade.
2. Decapsulating the IPv4 packets and sending the decapsulated content to the IPv4 internet after
completing network address translation.
3. In the reverse direction, reversing the network address translation and then tunnelling the packets
over IPv6 tunnels to the CPE device.
IPv6 traffic from the CPE device is natively forwarded.
Syslog support
The NAT44, Stateful NAT64, and DS Lite features support Netflow for logging of the translation records.
Logging of the translation records may be mandated for Lawful Intercept. Netflow uses a binary
format and therefore requires software to parse and present the translation records.
In Cisco IOS XR Software Release 4.2.1 and later, the DS Lite and NAT44 features support Syslog as
an alternative to Netflow. Syslog uses ASCII format and can therefore be read directly by users. However, the log
data volume is higher with Syslog than with Netflow.
Attributes of Syslog Collector
1. Syslog is supported in ASCII format only.
2. Logging to multiple syslog collectors (or relay agents) is not supported.
3. Syslog is supported for DS-Lite and NAT444 in the Cisco IOS XR Software Release 4.2.1.
Bulk Port Allocation
The creation and deletion of NAT sessions need to be logged, and this generates a huge amount of data. The
records are stored on a Syslog collector, which is supported over UDP. In order to reduce the volume of data
generated by the NAT device, bulk port allocation can be enabled. When bulk port allocation is enabled
and a subscriber creates its first session, a number of contiguous outside ports are pre-allocated.
A bulk allocation message is logged indicating this allocation. Subsequent sessions use one
of the pre-allocated ports and therefore do not require logging.
Implementing Carrier Grade NAT on Cisco IOS XR Software
The following configuration tasks are required to implement CGN on Cisco IOS XR software:
• Getting Started with the Carrier Grade NAT, page 12
• Configuring the Service Type Keyword Definition, page 18
• Configuring the Policy Functions for the Carrier Grade NAT, page 21
• Configuring the Carrier Grade Service Engine, page 44
• Configuring IPv4/IPv6 Stateless Translator (XLAT), page 46
• Configuring IPv6 Rapid Development, page 48
• Configuring Dual Stack Lite Instance, page 54
Getting Started with the Carrier Grade NAT
Perform these tasks to get started with the CGN configuration tasks.
• Configuring the Service Role, page 12
• Configuring the Service Instance and Location for the Carrier Grade NAT, page 14
• Configuring the Service Virtual Interfaces, page 15
Configuring the Service Role
Perform this task to configure the service role on the specified location to start the CGN service.
Note Removal of the service role is strictly not recommended while the card is active. This puts the card into the
FAILED state, which is service impacting.
SUMMARY STEPS
1. configure
2. hw-module service cgn location node-id
3. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 hw-module service cgn location node-id
Example:
RP/0/RP0/CPU0:router(config)# hw-module service
cgn location 0/1/CPU0
Configures a CGN service role on location 0/1/CPU0.
Step 3 end
or
commit
Example:
RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Service Instance and Location for the Carrier Grade NAT
Perform this task to configure the service instance and location for the CGN application.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-location preferred-active node-id [preferred-standby node-id]
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-location preferred-active node-id
[preferred-standby node-id]
Example:
RP/0/RP0/CPU0:router(config-cgn)#
service-location preferred-active 0/1/CPU0
preferred-standby 0/4/CPU0
Configures the active and standby locations for the CGN
application.
Step 4 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Service Virtual Interfaces
• Configuring the Infrastructure Service Virtual Interface, page 15
• Configuring the Application Service Virtual Interface, page 17
Configuring the Infrastructure Service Virtual Interface
Perform this task to configure the infrastructure service virtual interface (SVI) to forward the control
traffic. The subnet mask length must be at least 30 (denoted as /30). CGSE uses the SVI, so it is
recommended that an access control list (ACL) be configured to protect it from any form of denial of
service attack. For a sample ACL configuration, see Configuring ACL for an Infrastructure Service
Virtual Interface: Example, page 60.
Note Do not remove or modify the service infra interface configuration when the card is in the Active state. The
configuration is service affecting, and the line card must be reloaded for the changes to take effect.
SUMMARY STEPS
1. configure
2. interface ServiceInfra value
3. service-location node-id
4. ipv4 address address/mask
5. end
or
commit
6. reload
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface ServiceInfra value
Example:
RP/0/RP0/CPU0:router(config)# interface
ServiceInfra 1
RP/0/RP0/CPU0:router(config-if)#
Configures the infrastructure service virtual interface (SVI)
as 1 and enters CGN configuration mode.
Step 3 service-location node-id
Example:
RP/0/RP0/CPU0:router(config-if)#
service-location 0/1/CPU0
Configures the location of the CGN service for the
infrastructure SVI.
Step 4 ipv4 address address/mask
Example:
RP/0/RP0/CPU0:router(config-if)# ipv4 address
1.1.1.1/30
Sets the primary IPv4 address for an interface.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-if)# end
or
RP/0/RP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 6 reload
Example:
RP/0/RP0/CPU0:Router#hw-mod location 0/3/cpu0
reload
Once the configuration is complete, the card must be
reloaded for changes to take effect.
WARNING: This will take the requested node out
of service.
Do you wish to continue?[confirm(y/n)] y
Configuring the Application Service Virtual Interface
Perform this task to configure the application service virtual interface (SVI) to forward data traffic.
SUMMARY STEPS
1. configure
2. interface ServiceApp value
3. service cgn instance-name service-type nat44
4. vrf vrf-name
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface ServiceApp value
Example:
RP/0/RP0/CPU0:router(config)# interface
ServiceApp 1
RP/0/RP0/CPU0:router(config-if)#
Configures the application SVI as 1 and enters interface
configuration mode.
Step 3 service cgn instance-name service-type nat44
Example:
RP/0/RP0/CPU0:router(config-if)# service cgn
cgn1 service-type nat44
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 4 vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-if)# vrf insidevrf1
Configures the VPN routing and forwarding (VRF) for the
Service Application interface.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-if)# end
or
RP/0/RP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Service Type Keyword Definition
Perform this task to configure the service type keyword definition.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring an Inside and Outside Address Pool Map
Perform this task to configure an inside and outside address pool map, subject to these constraints:
• The designated address pool is used for CNAT.
• One inside VRF is mapped to only one outside VRF.
• Multiple non-overlapping address pools can be used in a specified outside VRF, mapped to different
inside VRFs.
• The maximum outside public pool per CGSE/CGN instance is 64K (65536) addresses. That is, if a /16
address pool is mapped, no other pool can be mapped to that particular CGSE.
• Multiple inside VRFs cannot be mapped to the same outside address pool.
• When mapping an outside pool, the minimum prefix length is 16 and the maximum is 26.
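As an added example (not code from the guide or from the CGSE software), the following Python checks a set of inside-VRF-to-pool mappings against the constraints listed above before they are typed into the router, and renders the corresponding configuration lines in the order the task below enters them. The VRF names and pools are constructed; the 65536-address ceiling and the /16 to /26 prefix range are the values stated in the list above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_POOL_ADDRESSES = 65536   # 64K outside addresses per CGSE/CGN instance (from the text)
MIN_PREFIX_LEN = 16          # outside pool prefix limits from the text
MAX_PREFIX_LEN = 26


@dataclass(frozen=True)
class PoolMap:
    """One `map [outside-vrf NAME] address-pool A.B.C.D/P` line under `inside-vrf`."""
    inside_vrf: str
    pool: str                          # e.g. "100.1.0.0/16"
    outside_vrf: Optional[str] = None  # None: no outside-vrf keyword


def validate_pool_maps(maps: List[PoolMap]) -> List[str]:
    """Return the list of constraint violations (empty means the mapping set is consistent)."""
    errors: List[str] = []
    outside_of = {}   # inside VRF -> the single outside VRF it may map to
    seen = []         # (inside VRF, IPv4Network) accepted so far
    total = 0
    for m in maps:
        try:
            net = ipaddress.IPv4Network(m.pool)  # strict: host bits must be zero
        except ValueError as exc:
            errors.append(f"{m.inside_vrf}: {exc}")
            continue
        if not MIN_PREFIX_LEN <= net.prefixlen <= MAX_PREFIX_LEN:
            errors.append(f"{m.inside_vrf}: {net} prefix /{net.prefixlen} "
                          f"not in /{MIN_PREFIX_LEN}-/{MAX_PREFIX_LEN}")
        prev = outside_of.setdefault(m.inside_vrf, m.outside_vrf)
        if prev != m.outside_vrf:
            errors.append(f"{m.inside_vrf}: mapped to two outside VRFs ({prev} and {m.outside_vrf})")
        for other_vrf, other in seen:
            if net == other and other_vrf != m.inside_vrf:
                errors.append(f"{net}: shared by inside VRFs {other_vrf} and {m.inside_vrf}")
            elif net.overlaps(other):
                errors.append(f"{net} ({m.inside_vrf}) overlaps {other} ({other_vrf})")
        seen.append((m.inside_vrf, net))
        total += net.num_addresses
    if total > MAX_POOL_ADDRESSES:
        errors.append(f"pools total {total} addresses, more than {MAX_POOL_ADDRESSES} per CGSE")
    return errors


def render_cli(instance: str, service_type: str, maps: List[PoolMap]) -> List[str]:
    """Emit the CGN configuration lines in the order the task enters them."""
    lines = [f"service cgn {instance}", f" service-type nat44 {service_type}"]
    by_vrf = {}
    for m in maps:
        by_vrf.setdefault(m.inside_vrf, []).append(m)
    for vrf, entries in by_vrf.items():
        lines.append(f"  inside-vrf {vrf}")
        for m in entries:
            ov = f"outside-vrf {m.outside_vrf} " if m.outside_vrf else ""
            lines.append(f"   map {ov}address-pool {m.pool}")
    return lines


if __name__ == "__main__":
    # Constructed mapping set: a /16 already fills the CGSE, so the second VRF is rejected.
    proposed = [PoolMap("insidevrf1", "100.1.0.0/16", "outsidevrf1"),
                PoolMap("insidevrf2", "100.2.0.0/16", "outsidevrf1")]
    for err in validate_pool_maps(proposed):
        print("reject:", err)
    print("\n".join(render_cli("cgn1", "nat1", proposed[:1])))
```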
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. map [outside-vrf outside-vrf-name] address-pool address/prefix
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures an inside VRF named insidevrf1 and enters
CGN inside VRF configuration mode.
Step 5 map [outside-vrf outside-vrf-name] address-pool
address/prefix
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# map
outside-vrf outsidevrf1 address-pool
10.10.0.0/16
or
RP/0/RP0/CPU0:router(config-cgn-invrf)# map
address-pool 100.1.0.0/16
Configures an inside VRF to an outside VRF and address
pool mapping.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-afi)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-afi)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Policy Functions for the Carrier Grade NAT
• Configuring the Port Limit Per Subscriber, page 22
• Configuring the Timeout Value for the Protocol, page 23
• Configuring the Application Level Gateway, page 28
• Configuring the TCP Adjustment Value for the Maximum Segment Size, page 29
• Configuring the Refresh Direction for the Network Address Translation, page 31
• Configuring the Carrier Grade NAT for Static Port Forwarding, page 33
• Configuring the Dynamic Port Ranges for NAT44, page 34
Configuring the Port Limit Per Subscriber
Perform this task to configure the port limit per subscriber for the system that includes TCP, UDP, and
ICMP.
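The following Python model is added here to show how the per-subscriber port limit configured in this task interacts with the bulk port allocation described under Syslog support: how many translation log records each mode produces for the same sessions, and how a log collector maps an observed outside (address, port) pair back to a subscriber using only those records. It is not code from the guide or from the CGSE software. The addresses, port ranges and session counts are constructed; the single outside address, the starting port of 1024 and the absence of port reclamation are simplifying assumptions of the model (the real portlimit counts TCP, UDP and ICMP together, and a real collector must also match on time).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LogRecord:
    """One translation log record: a single session or a pre-allocated port block."""
    kind: str         # "session" or "bulk"
    inside_ip: str
    outside_ip: str
    port_lo: int
    port_hi: int      # equal to port_lo for a per-session record


class Nat44PortAllocator:
    """Outside-port allocation per subscriber with `portlimit` and optional bulk allocation.

    Model assumptions: one outside address, no per-protocol split, ports are never
    reclaimed (so a log lookup is unambiguous without timestamps).
    """

    def __init__(self, outside_ip: str, port_limit: int,
                 bulk_size: Optional[int] = None, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.port_limit = port_limit          # the `portlimit value` of this task
        self.bulk_size = bulk_size            # None: bulk port allocation disabled
        self.next_port = first_port
        self.in_use: Dict[str, Set[int]] = {}
        self.blocks: Dict[str, List[Tuple[int, int]]] = {}
        self.log: List[LogRecord] = []

    def new_session(self, inside_ip: str) -> Optional[int]:
        """Return the outside port for a new session, or None once portlimit is reached."""
        used = self.in_use.setdefault(inside_ip, set())
        if len(used) >= self.port_limit:
            return None
        port = self._allocate(inside_ip, used)
        used.add(port)
        return port

    def _allocate(self, inside_ip: str, used: Set[int]) -> int:
        if self.bulk_size is None:
            # Per-session mode: every new translation produces one log record.
            port = self.next_port
            self.next_port += 1
            self.log.append(LogRecord("session", inside_ip, self.outside_ip, port, port))
            return port
        # Bulk mode: reuse a free port from a block already logged for this subscriber...
        for lo, hi in self.blocks.get(inside_ip, []):
            for port in range(lo, hi + 1):
                if port not in used:
                    return port
        # ...otherwise pre-allocate a contiguous block and log it exactly once.
        lo = self.next_port
        hi = lo + self.bulk_size - 1
        self.next_port = hi + 1
        self.blocks.setdefault(inside_ip, []).append((lo, hi))
        self.log.append(LogRecord("bulk", inside_ip, self.outside_ip, lo, hi))
        return lo

    def subscriber_for(self, outside_ip: str, port: int) -> Optional[str]:
        """Map an observed (outside IP, port) back to the inside address from the log alone."""
        for rec in self.log:
            if rec.outside_ip == outside_ip and rec.port_lo <= port <= rec.port_hi:
                return rec.inside_ip
        return None


def log_volume(subscribers: int, sessions_each: int,
               port_limit: int, bulk_size: int) -> Tuple[int, int]:
    """Log records written without and with bulk allocation for the same traffic."""
    plain = Nat44PortAllocator("203.0.113.1", port_limit)              # constructed outside IP
    bulk = Nat44PortAllocator("203.0.113.1", port_limit, bulk_size)
    for i in range(subscribers):
        for _ in range(sessions_each):
            plain.new_session(f"10.0.0.{i + 1}")                       # constructed inside IPs
            bulk.new_session(f"10.0.0.{i + 1}")
    return len(plain.log), len(bulk.log)


if __name__ == "__main__":
    print("log records (per-session, bulk of 16):", log_volume(3, 20, 100, 16))
```

With 3 subscribers opening 20 sessions each, the per-session mode writes 60 records while bulk allocation of 16 ports writes 6, and each bulk record still lets the collector resolve any port in its range to the subscriber.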
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. portlimit value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 portlimit value
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
portlimit 10
Limits the number of entries per address for each subscriber
of the system.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the Protocol
• Configuring the Timeout Value for the ICMP Protocol, page 23
• Configuring the Timeout Value for the TCP Session, page 25
• Configuring the Timeout Value for the UDP Session, page 26
Configuring the Timeout Value for the ICMP Protocol
Perform this task to configure the timeout value for the ICMP type for the CGN instance.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. protocol icmp
5. timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 protocol icmp
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
protocol icmp
RP/0/RP0/CPU0:router(config-cgn-proto)#
Configures the ICMP protocol session. The example shows
how to configure the ICMP protocol for the CGN instance
named cgn1.
Step 5 timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# timeout
908
Configures the timeout value as 908 for the ICMP session
for the CGN instance named cgn1.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the TCP Session
Perform this task to configure the timeout value for either the active or initial sessions for TCP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. protocol tcp
5. session {active | initial} timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-proto)#
Configures the TCP protocol session. The example shows
how to configure the TCP protocol for the CGN instance
named cgn1.
Step 5 session {active | initial} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# session
initial timeout 90
Configures the timeout value as 90 for the TCP session. The
example shows how to configure the initial session timeout.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the UDP Session
Perform this task to configure the timeout value for either the active or initial sessions for UDP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. protocol udp
5. session {active | initial} timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 protocol udp
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
protocol udp
RP/0/RP0/CPU0:router(config-cgn-proto)#
Configures the UDP protocol sessions. The example shows
how to configure the UDP protocol for the CGN instance
named cgn1.
Step 5 session {active | initial} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# session
active timeout 90
Configures the timeout value as 90 for the UDP session. The
example shows how to configure the active session timeout.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Application Level Gateway
Perform this task to configure the application level gateway (ALG) for RTSP for the specified CGN
instance. RTSP packets are usually destined to port 554, but not always, because the RTSP port
value is configurable.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. alg rtsp {server-port} value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 alg rtsp [server-port] value
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# alg
rtsp server-port 5000
Configures the rtsp ALG on the CGN instance named cgn1
for server port 5000. The default is 554.
Caution The option of specifying a server
port is currently not supported. Even
if you configure some port, RTSP
works only on the default port (554).
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the TCP Adjustment Value for the Maximum Segment Size
Perform this task to configure the adjustment value for the maximum segment size (MSS) for the VRF.
You can configure the TCP MSS adjustment value on each VRF.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. protocol tcp
6. mss size
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGN instance named
cgn1 and enters CGN inside VRF configuration mode.
Step 5 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)#
Configures the TCP protocol session and enters CGN inside
VRF AFI protocol configuration mode.
Step 6 mss size
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-afi-proto)# mss 1100
Configures the adjustment MSS value as 1100 for the inside
VRF.
Step 7 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Refresh Direction for the Network Address Translation
Perform this task to configure the NAT mapping refresh direction as outbound for TCP and UDP traffic.
With outbound refresh, only traffic from the inside host extends the timeout of a mapping; inbound
packets alone cannot keep a binding open.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. refresh-direction Outbound
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 refresh-direction Outbound
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol tcp
RP/0/RP0/CPU0:router(config-cgn-proto)# refresh-direction Outbound
Configures the NAT mapping refresh direction as outbound
for the CGN instance named cgn1.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Carrier Grade NAT for Static Port Forwarding
Perform this task to configure CGN for static port forwarding on reserved or nonreserved port numbers. A
static entry is a persistent mapping that is not subject to the dynamic session timeouts, so configure only
the inside address and port pairs that actually need to be reachable.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. protocol tcp
6. static-forward inside
7. address address port number
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGN instance named
cgn1 and enters CGN inside VRF configuration mode.
Step 5 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)#
Configures the TCP protocol session and enters CGN inside
VRF AFI protocol configuration mode.
Step 6 static-forward inside
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# static-forward inside
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)#
Configures the CGN static port forwarding entries on
reserved or nonreserved ports and enters CGN inside static
port inside configuration mode.
Step 7 address address port number
Example:
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# address 1.2.3.4 port 90
Configures a static port forwarding entry for the inside
VRF: inside address 1.2.3.4, TCP port 90.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# end
or
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Dynamic Port Ranges for NAT44
Perform this task to configure the dynamic port range for TCP, UDP, and ICMP ports. By default the
well-known port range 0 to 1023 is reserved and not used for dynamic translations, so if the start of the
dynamic port range is not configured explicitly, dynamic translations use ports starting at 1024. Setting
the start below 1024 allows translated sessions to be sourced from well-known ports.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. dynamic port range start value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 dynamic port range start value
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# dynamic port range start 1024
Configures the start of the dynamic port range for the
CGN NAT44 instance. The value can range from 1 to
65535.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# end
or
RP/0/RP0/CPU0:router(config-cgn-nat44)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Export and Logging for the Network Address Translation Table Entries
• Configuring the Server Address and Port for Netflow Logging, page 36
• Configuring the Path Maximum Transmission Unit for Netflow Logging, page 38
• Configuring the Refresh Rate for Netflow Logging, page 40
• Configuring the Timeout for Netflow Logging, page 42
Configuring the Server Address and Port for Netflow Logging
Perform this task to configure the server address and port to log network address translation (NAT) table
entries for Netflow logging. Netflow-v9 export is carried over UDP without authentication or encryption,
and each record reveals the private-to-public mapping of a subscriber, so send the export over a protected
logging network.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. address address port number
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGN instance named
cgn1 and enters CGN inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#
Configures the external-logging facility for the CGN
instance named cgn1 and enters CGN inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGN
inside VRF address family external logging server
configuration mode.
Step 7 address address port number
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# address 2.3.4.5 port 45
Configures the IPv4 address 2.3.4.5 and UDP port 45 of the
collector that receives the Netflow entries for the NAT table.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Path Maximum Transmission Unit for Netflow Logging
Perform this task to configure the path maximum transmission unit (MTU) for the netflowv9-based
external-logging facility for the inside VRF.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. path-mtu value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGN instance named
cgn1 and enters CGN inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#
Configures the external-logging facility for the CGN
instance named cgn1 and enters CGN inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGN
inside VRF address family external logging server
configuration mode.
Step 7 path-mtu value
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# path-mtu 2900
Configures the path MTU with the value of 2900 for the
netflowv9-based external-logging facility.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Refresh Rate for Netflow Logging
Perform this task to configure the refresh rate at which the Netflow-v9 logging templates are refreshed
or resent to the Netflow-v9 logging server. A collector can decode data records only after it has received
the matching template, so this value bounds how long records stay undecodable after a collector restart
or a lost template packet.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. refresh-rate value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGN instance named
cgn1 and enters CGN inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#
Configures the external-logging facility for the CGN
instance named cgn1 and enters CGN inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGN
inside VRF address family external logging server
configuration mode.
Step 7 refresh-rate value
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# refresh-rate 50
Configures the refresh rate value of 50 to log Netflow-based
external logging information for an inside VRF.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout for Netflow Logging
Perform this task to configure the frequency in minutes at which the Netflow-v9 logging templates are
sent to the Netflow-v9 logging server.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. timeout value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGN
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGN instance named
cgn1 and enters CGN inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#
Configures the external-logging facility for the CGN
instance named cgn1 and enters CGN inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGN
inside VRF address family external logging server
configuration mode.
Step 7 timeout value
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# timeout 50
Configures the timeout value of 50 for Netflow logging of
NAT table entries for an inside VRF.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
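The receiving side of the export configured in the four Netflow tasks above, as an added example (this is not code from the Cisco guide, nor the CGSE's own export code): a minimal NetFlow v9 decoder that learns templates from template flowsets and then decodes the NAT44 mapping records that reference them. The information element numbers it assumes (8 sourceIPv4Address, 7 sourceTransportPort, 4 protocolIdentifier, 225 postNATSourceIPv4Address, 227 postNAPTSourceTransportPort, 234 ingressVRFID, 235 egressVRFID) are the IANA IPFIX/NetFlow v9 numbers; the exact template a CGSE emits is not shown on this page, so treat the template layout as an assumption. The sample datagram is constructed inline. The decoder also exercises the failure mode the refresh-rate and timeout settings guard against: a data flowset whose template has not yet arrived cannot be decoded, and is counted rather than guessed at.

```python
"""Minimal NetFlow v9 decoder for CGN NAT44 mapping exports.

Added example, not code from the Cisco guide. Field IDs follow the IANA
IPFIX/NetFlow registry and are an assumption about the CGSE template.
"""
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIII")  # version, count, sys_uptime, unix_secs, sequence, source_id

# Assumed information elements of the NAT44 mapping template (IANA numbers).
FIELD_DECODERS = {
    4:   ("protocol",        lambda b: b[0]),
    7:   ("src_port",        lambda b: struct.unpack("!H", b)[0]),
    8:   ("src_addr",        lambda b: str(IPv4Address(b))),
    225: ("xlated_src_addr", lambda b: str(IPv4Address(b))),       # postNATSourceIPv4Address
    227: ("xlated_src_port", lambda b: struct.unpack("!H", b)[0]),  # postNAPTSourceTransportPort
    234: ("ingress_vrf_id",  lambda b: struct.unpack("!I", b)[0]),
    235: ("egress_vrf_id",   lambda b: struct.unpack("!I", b)[0]),
}


class NetflowV9Decoder:
    """Caches templates per (source_id, template_id); a data flowset needs a known template."""

    def __init__(self):
        self.templates = {}

    def decode(self, datagram):
        version, _count, _uptime, unix_secs, seq, source_id = HEADER.unpack_from(datagram, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 datagram: version %d" % version)
        records, undecoded = [], 0
        offset = HEADER.size
        while offset + 4 <= len(datagram):
            flowset_id, length = struct.unpack_from("!HH", datagram, offset)
            if length < 4 or offset + length > len(datagram):
                raise ValueError("malformed flowset length")
            body = datagram[offset + 4:offset + length]
            if flowset_id == 0:                       # template flowset
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:                   # data flowset, id == template id
                fields = self.templates.get((source_id, flowset_id))
                if fields is None:
                    undecoded += 1  # template not seen yet: wait for the next template refresh
                else:
                    records.extend(self._decode_records(fields, body))
            offset += length                          # ids 1..255 (options templates) are skipped
        return {"sequence": seq, "unix_secs": unix_secs,
                "records": records, "undecoded_flowsets": undecoded}

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack_from("!HH", body, pos))  # (type, length)
                pos += 4
            self.templates[(source_id, template_id)] = fields

    @staticmethod
    def _decode_records(fields, body):
        record_len = sum(length for _, length in fields)
        out, pos = [], 0
        while pos + record_len <= len(body):          # trailing bytes are 4-byte padding
            record = {}
            for ftype, length in fields:
                name, conv = FIELD_DECODERS.get(ftype, ("field_%d" % ftype, bytes))
                record[name] = conv(body[pos:pos + length])
                pos += length
            out.append(record)
        return out


def build_sample_export(include_template=True):
    """Constructed sample datagram: one template (id 256) and two NAT44 mapping records."""
    fields = [(8, 4), (7, 2), (4, 1), (225, 4), (227, 2), (234, 4), (235, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def mapping(src, sport, proto, xsrc, xport, ivrf, evrf):
        return (IPv4Address(src).packed + struct.pack("!HB", sport, proto)
                + IPv4Address(xsrc).packed + struct.pack("!HII", xport, ivrf, evrf))

    data = (mapping("10.1.1.5", 40001, 6, "203.0.113.10", 1024, 1, 2)
            + mapping("10.1.1.6", 51000, 17, "203.0.113.10", 1025, 1, 2))
    data += b"\x00" * (-len(data) % 4)            # pad the flowset to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    count = 3 if include_template else 2
    header = HEADER.pack(9, count, 123456, 1300000000, 1, 0)
    return header + (template_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    decoder = NetflowV9Decoder()
    for rec in decoder.decode(build_sample_export())["records"]:
        print(rec)
```

In operation, bind a UDP socket to the port given in the server step (45 in the example) and pass each datagram to decode(); keep one decoder per collector process and let the (source_id, template_id) key separate templates from different CGSEs. The undecoded_flowsets count is worth alerting on: a sustained non-zero value after a collector restart means the refresh-rate or timeout is set too slow for the export volume.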
Configuring the Carrier Grade Service Engine
Prerequisites:
These are the prerequisite components for configuring the carrier grade service engine.
Hardware:
• CGSE hardware in chassis
• Latest uboot and mans images in CGSE
Software:
• Load hfr-mini-p.vm or hfr-mini-px.vm
• Load hfr-services-p.pie and activate it
• Load hfr-fpd.pie and activate it
Bringing Up the CGSE Board
• After installing the cgn service pie (the pie installation is similar to any other CRS pie), ensure that
the uboot version (fpga2, fpga3, fpga4, fpga5) is 0.559 and the MANS FPGA version (fpga1) is 0.41014, as
shown below.
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# show hw-module fpd location 0/1/CPU0
===================================== ==========================================
                                      Existing Field Programmable Devices
                                      ==========================================
                                      HW                          Current SW  Upg/
Location     Card Type                Version Type Subtype Inst Version     Dng?
============ ======================== ======= ==== ======= ==== =========== ====
--------------------------------------------------------------------------------
0/1/CPU0     CRS-CGSE-PLIM            0.88    lc   fpga2   0    0.559       No
                                              lc   fpga3   0    0.559       No
                                              lc   fpga4   0    0.559       No
                                              lc   fpga5   0    0.559       No
                                              lc   fpga1   0    0.41014     No
                                              lc   rommonA 0    1.52        No
                                              lc   rommon  0    1.52        Yes
Note The latest uboot version is 0.559 and the latest MANS FPGA version is 0.41014.
Note If one or more FPDs need an upgrade, make sure that the fpd pie is loaded and activated, then
follow the procedure in Line Card Upgrade.
• After insertion, the card remains in the "IOS XR RUN" state until you install the appropriate cgn
service pie.
• After installing the cgn service pie, the card goes to the "FAILED" state until you complete the
configuration in the next step. These log messages appear on the console.
LC/0/3/CPU0:Sep 28 23:36:36.815 : plim_services[241]: plim_services_init[2063] Uknown
role Retrying.., Role = -7205769247857836031
LC/0/3/CPU0:Sep 28 23:37:59.341 : plim_services[241]: service_download_thread[3873]
App img download max-retries exhausted, 'plim_services' detected the 'warning'
condition 'Operation not okay'
LC/0/3/CPU0:Sep 28 23:37:59.342 : plim_services[241]: plim_services_tile_failed[752]
TILE0 failed
RP/0/RP1/CPU0:Sep 28 23:38:18.494 : invmgr[240]: %PLATFORM-INV-6-NODE_STATE_CHANGE :
Node: 0/3/0, state: FAILED
• After Successful Boot Up:
RP/0/RP0/CPU0:router#show platform
Sun Dec 20 07:15:38.893 UTC
Node Type PLIM State Config State
-----------------------------------------------------------------------------
0/0/CPU0 MSC Services Plim IOS XR RUN PWR,NSHUT,MON
0/0/0 MSC(SPA) CGSE-TILE OK PWR,NSHUT,MON
0/1/CPU0 MSC Jacket Card IOS XR RUN PWR,NSHUT,MON
0/1/0 MSC(SPA) 8X1GE OK PWR,NSHUT,MON
• Control connection to the CGSE: one ServiceInfra interface per CGSE, with an IPv4 address of local
significance. A minimum of two valid IPv4 unicast addresses is required for each ServiceInfra interface
(a /30, as in the example). Removing or modifying the ServiceInfra interface requires a reload of the
CGSE line card.
router(config)
interface ServiceInfra1
ipv4 address 3.1.1.2 255.255.255.252
service-location 0/0/CPU0
logging events link-status
commit
router(config)
hw-module service cgn location 0/0/CPU0
commit
Note This configuration has to be replicated for the standby CGSE card, with a different ServiceInfra
IP address.
• Specify the service role (cgn) for the given CGSE location, then reload the card. The reload takes
about 15 minutes.
router#
hw-module location 0/0/CPU0 reload
WARNING: This will take the requested node out of service.
Do you wish to continue?[confirm(y/n)] y
Configuring IPv4/IPv6 Stateless Translator (XLAT)
The XLAT configuration consists of these steps:
1. Divert the IPv4 traffic to the IPv4 ServiceApp.
2. Divert the IPv6 traffic to the IPv6 ServiceApp.
3. Configure one CGN instance per CGSE.
4. Configure multiple XLAT instances per CGN instance.
5. Configure IPv4 and IPv6 Service Apps.
6. Configure CGN instance.
7. Configure XLAT instances.
8. Associate IPv4 and IPv6 ServiceApps to XLAT instance.
XLAT ServiceApp Configuration
1. IPv4 ServiceApp
– Configure Traffic Type – nat64_stless
– Configure IPv4 address
– Configure static route to divert specific IPv4 subnets (corresponding to IPv6 hosts) to the IPv4
ServiceApp
conf t
interface ServiceApp4
service cgn cgn1 service-type nat64 stateless
ipv4 address 2.0.0.1/24
commit
exit
router static
address-family ipv4 unicast
136.136.136.0/24 ServiceApp4 2.0.0.2
commit
exit
end
2. IPv6 ServiceApp
– Configure Type – nat64_stless
– Configure IPv6 address
– Configure static route to divert IPv6 traffic corresponding to XLAT prefix to the IPv6
ServiceApp
conf t
interface ServiceApp6
service cgn cgn1 service-type nat64 stateless
ipv6 address 2001:db8:fe00::1/40
commit
exit
router static
address-family ipv6 unicast
2001:db8:ff00::/40 ServiceApp6 2001:db8:fe00::2
commit
exit
end
XLAT Instance Configuration
• IPv4 ServiceApp name
– Service App on which IPv4 traffic enters/leaves
• IPv6 ServiceApp name
– Service App on which IPv6 traffic enters/leaves
• XLAT prefix
– IPv6 prefix corresponding to XLAT translation
• u-bit enabled/disabled
– whether bits 64 to 71 (the u-octet) are reserved (kept zero) or may be used to carry address bits
• IPv4 and IPv6 TCP MSS configuration
– the MSS option of IPv4 TCP traffic is set to the smaller of the incoming MSS value and the configured value
– the MSS option of IPv6 TCP traffic is set to the smaller of the incoming MSS value and the configured value
• Traceroute pool
– Non-translatable IPv6 source addresses are translated to IPv4 addresses in this range, selected
according to the configured algorithm
– Algorithm to choose the IPv4 address from the traceroute pool:
TTL based – choose the address based on the hop count of the packet
Hash based – hash the IPv6 source address and use the result for selection
Random – randomly select an IPv4 address
• IPv4 TOS Setting
– By default IPv4 TOS field is copied from IPv6 Traffic Class field
– This value can be overridden based on the configured TOS value
• IPv6 Traffic Class Setting
– By default IPv6 Traffic Class field is copied from IPv4 TOS field
– This value can be overridden based on the configured Traffic Class value
• IPv4 DF override
– When an IPv6 packet that carries no Fragment header is translated, the IPv4 DF bit is set to 1.
– This can be overridden so that the DF bit is set to 0 for incoming IPv6 packets smaller than 1280
bytes.
– This prevents path-MTU black-holing of packets that an IPv4 link with a smaller MTU cannot forward.
conf t
service cgn cgn1
service-type nat64 stateless xlat1
ipv6-prefix 2001:db8:ff00::/40
ubit-reserved
address-family ipv4
interface ServiceApp4
tcp mss 1200
tos 64
address-family ipv6
interface ServiceApp6
tcp mss 1200
traffic-class 32
df-override
traceroute translation
address-pool 202.1.1.0/24
algorithm Hash
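The address layout these XLAT settings control, worked through in code. This is an added example and not Cisco code: the ubit-reserved case follows RFC 6052, the layout without ubit-reserved is inferred from the sample addresses in this guide's NAT64 stateless example, and SHA-256 stands in for the traceroute-pool hash, which the guide does not name.

```python
"""Stateless NAT64 (XLAT) address mapping (RFC 6052 style).

Added example, not Cisco code.  'ubit_reserved' mirrors the ubit-reserved
keyword: set, bits 64..71 stay zero as RFC 6052 requires; unset, the IPv4
octets are packed straight after the prefix (for a /40 the fourth octet
lands in bits 64..71).  The packed layout is inferred from the sample
addresses in this guide's NAT64 stateless example, where 2001:db8:100::/40
carries 192.0.2.33 as 2001:db8:1c0:2:2100::.
"""
import hashlib
import ipaddress

# Prefix lengths for which RFC 6052 defines an embedding layout.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _xlat_prefix(xlat_prefix):
    prefix = ipaddress.IPv6Network(xlat_prefix, strict=True)
    if prefix.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("unsupported XLAT prefix length %d" % prefix.prefixlen)
    return prefix


def xlat_v4_to_v6(xlat_prefix, ipv4, ubit_reserved=True):
    """Embed an IPv4 address in the XLAT prefix and return the IPv6 address."""
    prefix = _xlat_prefix(xlat_prefix)
    plen = prefix.prefixlen
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96 or not ubit_reserved:
        # Contiguous layout: the 32 IPv4 bits follow the prefix directly.
        embedded = v4 << (128 - plen - 32)
    else:
        # RFC 6052 layout: IPv4 bits that fit before bit 64 go there, the
        # u octet (bits 64..71) stays zero, the rest continues at bit 72.
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        high, low = v4 >> low_bits, v4 & ((1 << low_bits) - 1)
        embedded = (high << 64) | (low << (128 - 72 - low_bits))
    return ipaddress.IPv6Address(int(prefix.network_address) | embedded)


def xlat_v6_to_v4(xlat_prefix, ipv6, ubit_reserved=True):
    """Extract the embedded IPv4 address, or None if ipv6 is not translatable.

    A source outside the XLAT prefix is the case the traceroute pool exists
    for; with the u-bit reserved a non-zero u octet is rejected as well.
    """
    prefix = _xlat_prefix(xlat_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    plen, a = prefix.prefixlen, int(addr)
    if plen == 96 or not ubit_reserved:
        v4 = (a >> (128 - plen - 32)) & 0xFFFFFFFF
    else:
        if (a >> 56) & 0xFF:          # bits 64..71 must be zero
            return None
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        high = (a >> 64) & ((1 << high_bits) - 1)
        low = (a >> (128 - 72 - low_bits)) & ((1 << low_bits) - 1)
        v4 = (high << low_bits) | low
    return ipaddress.IPv4Address(v4)


def traceroute_pool_address(pool, ipv6_src):
    """Pool address used for a non-translatable IPv6 source ('algorithm Hash').

    The guide does not name the hash; SHA-256 of the source address is an
    illustrative, deterministic stand-in here, not Cisco's algorithm.
    """
    net = ipaddress.IPv4Network(pool, strict=True)
    digest = hashlib.sha256(ipaddress.IPv6Address(ipv6_src).packed).digest()
    return net[int.from_bytes(digest[:4], "big") % net.num_addresses]


def translate_source(xlat_prefix, pool, ipv6_src, ubit_reserved=True):
    """IPv4 source address the IPv4 side sees for an IPv6 packet entering XLAT."""
    v4 = xlat_v6_to_v4(xlat_prefix, ipv6_src, ubit_reserved)
    return v4 if v4 is not None else traceroute_pool_address(pool, ipv6_src)


if __name__ == "__main__":
    # Values from this guide: prefix 2001:db8:100::/40, traceroute pool 202.1.1.0/24.
    print(xlat_v4_to_v6("2001:db8:100::/40", "192.0.2.33", ubit_reserved=False))  # 2001:db8:1c0:2:2100::
    print(xlat_v4_to_v6("2001:db8:100::/40", "192.0.2.33", ubit_reserved=True))   # 2001:db8:1c0:2:21::
    print(translate_source("2001:db8:100::/40", "202.1.1.0/24", "2001:db8::1"))
```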
Line Card Upgrade
Upgrade from UBOOT to 559 and MANS FPGA to 0.41014
Step 1 Load the fpd pie.
Step 2 Put the line card into uboot mode.
hw-module location 0/2/CPU0 uboot-mode
WARNING: This will bring the requested node's PLIM to uboot mode.
Do you wish to continue?[confirm(y/n)]y
Step 3 Wait for the "ready for UBOOT" log message on the console.
RP/0/RP0/CPU0:#LC/0/2/CPU0:Sep 29 02:38:40.418 : plim_services[239]:
tile_fsm_uboot_doorbell_handler[3222] Plim moved to uboot-mode and ready for UBOOT
upgrade
Step 4 Go to admin mode on the node and upgrade the MANS FPGA.
upgrade hw-module fpd fpga1 location <>
Step 5 Also upgrade these locations for Uboot:
upgrade hw-module fpd fpga2 location <>
upgrade hw-module fpd fpga3 location <>
upgrade hw-module fpd fpga4 location <>
upgrade hw-module fpd fpga5 location <>
Step 6 Reload the card after the successful upgrade operation.
hw-module location <> reload
Step 7 After the card comes up, check the uboot version. This can be done using the following command from admin mode.
show hw-module fpd location <>
Configuring IPv6 Rapid Deployment (6rd)
These steps describe the configuration of the IPv6 Rapid Deployment (6rd) application.
Step 1 These are the 6rd CPE/RG configuration parameters.
SP Prefix: 2001:B000::/28
V4 Common Prefix length: 0
V4 Common Suffix length: 0
RG/CPE Delegated 6RD prefix: 2001:B000:a010:1010::/60
Step 2 These are the 6rd BR (CGSE) configuration parameters.
• Create a CGN instance per CGSE.
router(config)#
service cgn demo
service-location preferred-active 0/0/CPU0
• An IPv4 SVI is created to carry IPv4 packets into the CGSE for decapsulation; the decapsulated traffic is handed over to native IPv6 via the IPv6 SVI. The service-type should be “tunnel v6rd”.
router(config)#
interface ServiceApp4
ipv4 address 1.1.1.1 255.255.255.252
service cgn demo
service-type tunnel v6rd
logging events link-status
• An IPv6 SVI is created to carry IPv6 packets into the CGSE for encapsulation; the encapsulated traffic is handed over to the IPv4 network via the IPv4 SVI. The service-type should be “tunnel v6rd”.
router(config)#
interface ServiceApp6
ipv6 address 5000::1/126
service cgn demo service-type tunnel v6rd
logging events link-status
• Configure the 6rd instance (the string “6rd1” in this example). There can be 64 6rd instances per CGSE/chassis.
• Configure the 6rd prefix, BR source IPv4 address, and unicast IPv6 address in a single commit.
Figure: 6rd topology used in this example
CE1 (V4) tunnel transport source: 10.1.1.1
BR (V4) tunnel transport address: 100.1.1.1
CE static routes:
::/0 -> 6rd-virtual-int0 via 2001:B006:4010:1010:: (default route)
2001:B000::/28 -> 6rd-virtual-int0 (direct connect to 6rd)
2001:B000:a010:1010::/60 -> Null0 (delegated prefix null route)
2001:B000:a010:1010::/64 -> Ethernet0 (LAN interface)
BR parameters:
SP Prefix: 2001:B000::/28
V4 Common Prefix length: 0
V4 Common Suffix length: 0
BR Delegated 6RD prefix: 2001:B006:4010:1010::/60
BR (V4) source address: 100.1.1.1
BR static routes:
100.1.1.1/32 -> Serviceapp4
2001:B000::/28 -> Serviceapp6
2001:B006:4010:1010::/60 -> Null0 (BR delegated prefix null route)
2001:B006:4010:1010::/128 -> Serviceapp6 (BR anycast reachability route)
2001:B006:4010:1010::1/128 -> Serviceapp6 (BR unicast reachability route)
• The address-family command binds the IPv4 and IPv6 ServiceApp interfaces to a particular 6rd instance (6rd1) for transmitting and receiving 6rd traffic.
router(config)#
service cgn demo
service-type tunnel v6rd 6rd1
br
ipv6-prefix 2001:B000::/28
source-address 100.1.1.1
unicast address 2001:B006:4010:1010::1
!
address-family ipv4
interface ServiceApp4
!
address-family ipv6
interface ServiceApp6
Note The unicast address specifies a unique IPv6 address for a particular CGSE. It is used as the source IPv6 address when replying to IPv6 ICMP queries destined for the BR IPv6 anycast address, and it also provides the source IPv6 address during IPv4 ICMP to IPv6 ICMP translation.
Step 3 You can configure routes to the CGSE using these steps.
• To divert traffic destined for the BR towards the CGSE:
router(config)#
router static
address-family ipv4 unicast
100.1.1.1/32 1.1.1.2 (Serviceapp4 NextHop)
• Packets destined to the 6rd prefix are routed to the CGSE:
Router#show route ipv6
S 2001:b000::/28 is directly connected,00:13:44, ServiceApp6
S 2001:b006:4010:1010::/60 is directly connected,00:19:24, Null0
S 2001:b006:4010:1010::/128 is directly connected,00:13:44, ServiceApp6
S 2001:b006:4010:1010::1/128 is directly connected,00:13:44, ServiceApp6
C 5000::/64 is directly connected,00:13:44, ServiceApp6
L 5000::1/128 is directly connected,00:13:44, ServiceApp6
C 2001:db8::/64 is directly connected,01:23:55, GigE0/1/1/4
L 2001:db8::2/128 is directly connected,01:23:55, GigE0/1/1/4
Step 4 This step illustrates the show interface serviceapp 4 accounting command.
RP/0/RP0/CPU0:Router#show interface serviceapp 4 accounting
ServiceApp1
  Protocol      Pkts In   Pkts Out   Chars In   Chars Out
  IPV4_UNICAST  10149     6090       12239275   689459
RP/0/RP0/CPU0:Router#show interface serviceapp 6 accounting
ServiceApp2
  Protocol      Pkts In   Pkts Out   Chars In   Chars Out
  IPV4_UNICAST  6090      10149      689459     12239275
Figure: traffic directions counted on the ServiceApps (From CGSE Towards RG, From RG To CGSE, From CGSE Towards Native IPv6, From Native IPv6 To CGSE).
a. This step shows the output of the show cgn tunnel v6rd 6rd1 statistics command.
RP/0/RP0/CPU0:#show cgn tunnel v6rd 6rd1 statistics
Tunnel 6rd configuration
=========================
Tunnel 6rd name: 6rd1
IPv6 Prefix/Length: 2001:db8::/32
Source address: 9.1.1.1
BR Unicast address: 2001:db8:901:101::1
IPv4 Prefix length: 0
IPv4 Suffix length: 0
TOS: 0, TTL: 255, Path MTU: 1280
Tunnel 6rd statistics
======================
IPv4 to IPv6
=============
Incoming packet count : 0 (Total No. of Protocol pkts 41 non Protocol 41)
Incoming tunneled packets count : 0 (Total No. of Protocol pkts 41 non Protocol 41)
Decapsulated packets : 0
ICMP translation count : 0 (ICMPv4 TO ICMPv6 translated count)
Insufficient IPv4 payload drop count : 0 (Payload should carry IPv6 header)
Security check failure drops : 0
No DB entry drop count : 0 (6rd config is incomplete/missing)
Unsupported protocol drop count : 0 (IPv4 protocol type is not 41 (IPv6))
Invalid IPv6 source prefix drop count : 0 (IPv6 Source from RG doesn’t have 6rd prefix)
IPv6 to IPv4
=============
Incoming packet count : 0
Encapsulated packets count : 0
No DB drop count : 0 (6rd config is not complete/missing)
Unsupported protocol drop count : 0 (Non ICMP pkts destined to IPv6 BR anycast/unicast address)
IPv4 ICMP
==========
Incoming packets count : 0
Reply packets count : 0
Throttled packet count : 0 (ICMP throttling in CGSE 64 PKTS/sec)
Nontranslatable drops : 0 (ICMPv4 error pkt (ipv4->TL) at least 72 bytes)
Unsupported icmp type drop count : 0 (As per http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-22)
IPv6 ICMP
==========
Incoming packets count : 0
Reply packets count : 0
Packet Too Big generated packets count : 0
Packet Too Big not generated packets count : 0
NA generated packets count : 0
TTL expiry generated packets count : 0
Unsupported icmp type drop count : 0 (As per http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-22)
Throttled packet count : 0 (ICMP throttling in CGSE 64 pkts/core)
IPv4 to IPv6 Fragments
=======================
Incoming fragments count : 0 (No. of IPv4 Fragments Came in)
Reassembled packet count : 0 (No. of Pkts Reassembled from Fragments)
Reassembled fragments count : 0 (No. of Fragments Reassembled)
ICMP incoming fragments count : 0 (No. of ICMP Fragments Came in)
Total fragment drop count : 0
Fragments dropped due to timeout : 0 (Fragment dropped due to reassembly timeout)
Reassembly throttled drop count : 0 (Fragments throttled)
Duplicate fragments drop count : 0
Reassembly disabled drop count : 0 (Number of fragments dropped while re-assembly is disabled.)
No DB entry fragments drop count : 0 (6rd Config is incomplete/missing)
Fragments dropped due to security check failure : 0
Insufficient IPv4 payload fragment drop count : 0 (1st Fragment should have IPv6 header)
Unsupported protocol fragment drops : 0 (IPv4 protocol type is not 41 (IPv6) & non ICMP)
Invalid IPv6 prefix fragment drop count : 0 (IPv6 Source from RG doesn’t have 6rd prefix)
=====================================================================
IPv6 to IPv4 Fragments
=======================
Incoming ICMP fragment count : 0
=================================================================================
Step 5 Clear all the 6rd counters using the clear cgn tunnel v6rd 6rd1 statistics command.
RP/0/RP0/CPU0:BR1#clear cgn tunnel v6rd 6rd1 statistics
Ping to BR Anycast Address
• IPv6 Ping from RG to BR Anycast Address
/etc/init.d/service_wan_ipv6 # ping 2001:B006:4010:1010::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:B006:4010:1010::, timeout is 2 seconds:
PING 2001:B006:4010:1010::(2001:B006:4010:1010::)56 data bytes
64 bytes from 2001:B006:4010:1010::1 : seq=1 ttl=62 time=1.122 ms
64 bytes from 2001:B006:4010:1010::1 : seq=2 ttl=62 time=0.914 ms
--- 2001:B006:4010:1010:: ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
Note The reply uses the configured IPv6 unicast address (2001:B006:4010:1010::1) as its source address.
RP/0/RP0/CPU0:BR1#show cgn tunnel v6rd 6rd1 statistics
IPv6 to IPv4
=============
Incoming packet count : 5
IPv6 ICMP
==========
Incoming packets count : 5
Reply packets count : 5
Enable Additional 6rd Features
• Common 6rd IPv4 Prefix and Suffix Length
– IPv4 Prefix Length: This common prefix can be provisioned on the router and therefore need not be carried in the IPv6 destination to identify a tunnel endpoint.
– IPv4 Suffix Length: All the 6RD CEs and the BR can agree on a common tail portion of the V4 address to identify a tunnel endpoint.
Note All the BR parameters have to be given in a single commit.
• 6rd Tunnel TTL and TOS
– By default, the IPv6 Traffic Class and Hop Limit fields are copied to the IPv4 TOS and TTL fields respectively. This default behavior can be overridden by the following configuration.
– The tos value is in decimal.
service cgn demo
service-type tunnel v6rd 6rd1
tos 160
ttl 100
commit
• Setting 6rd Tunnel Path MTU
– By default, the 6rd Tunnel MTU value is 1280.
service cgn demo
service-type tunnel v6rd 6rd1
path-mtu 1480
commit
• Enabling reassembly of fragmented tunnel packets
– Fragmented tunneled IPv4 packets are reassembled by the BR before decapsulation.
service cgn demo
service-type tunnel v6rd 6rd1
reassembly-enable
commit
RP/0/RP0/CPU0:BR1#show cgn tunnel v6rd 6rd1 statistics
Incoming fragments count : 2
Reassembled packet count : 1
Reassembled fragments count : 2
ICMP incoming fragments count : 0
Total fragment drop count : 0
Fragments dropped due to timeout : 0
Duplicate fragments drop count : 0
No DB entry fragments drop count : 0
Fragments dropped due to security check failure : 0
Insufficient IPv4 payload fragment drop count : 0
Unsupported protocol fragment drops : 0
Invalid IPv6 prefix fragment drop count : 0
Incoming ICMP fragment count : 0
• ICMP Throttling
– By default, the CGSE throttles ICMP to 1 per core (the CGSE has 64 cores).
RP/0/RP0/CPU0:BR1#config
RP/0/RP0/CPU0:BR1(config)#service cgn cgn1
RP/0/RP0/CPU0:BR1(config-cgn)#protocol icmp rate-limit ?
<0-65472> ICMP rate limit per second, should be multiple of 64
commit
• Reset DF bit
– Tunneled IPv4 packets from the BR have the DF bit reset (0), which allows fragmentation in the path to the RG.
– By default it is set to 1 to support anycast routing.
service cgn demo
service-type tunnel v6rd 6rd1
reset-df-bit
commit
• Additional Information:
– IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) – http://tools.ietf.org/html/rfc5969
– ICMPv4 to ICMPv6 translation as per http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-22
– "Basic Transition Mechanisms for IPv6 Hosts and Routers", RFC 4213, October 2005.
– "An Anycast Prefix for 6to4 Relay Routers", RFC 3068, June 2001.
– "Security Considerations for 6to4", RFC 3964, December 2004.
For the line card upgrade procedure, see Line Card Upgrade, page 48.
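The delegated-prefix derivation that the CE and BR parameters in this 6rd example rely on, together with the decapsulation check behind the "Security check failure drops" and "Invalid IPv6 source prefix drop count" counters shown above, as an added example that is not Cisco code. It reproduces this example's prefixes from the SP prefix 2001:B000::/28 and implements the common IPv4 prefix/suffix option from this guide's description; the suffix variant is Cisco's feature, not part of RFC 5969.

```python
"""6rd (RFC 5969) prefix derivation and the BR decapsulation check.

Added example, not Cisco code.  Reproduces the delegated prefixes in this
guide's 6rd example (SP prefix 2001:B000::/28: CE 10.1.1.1 ->
2001:B000:a010:1010::/60, BR 100.1.1.1 -> 2001:B006:4010:1010::/60) and
models the 'Common 6rd IPv4 Prefix & Suffix Length' feature: the IPv4 bits
common to the whole 6rd domain (high-order prefix, low-order suffix) are
not carried in the IPv6 address.  The suffix option is this guide's feature,
not part of RFC 5969, and is implemented from the guide's description.
"""
import ipaddress


def _common_mask(v4_prefix_len, v4_suffix_len):
    """Bitmask of the IPv4 bits every endpoint in the 6rd domain shares."""
    high = ((1 << v4_prefix_len) - 1) << (32 - v4_prefix_len)
    low = (1 << v4_suffix_len) - 1
    return high | low


def _embed_len(sp, v4_prefix_len, v4_suffix_len):
    """Number of IPv4 bits carried in the IPv6 address, validated."""
    n = 32 - v4_prefix_len - v4_suffix_len
    if n <= 0 or sp.prefixlen + n > 64:
        raise ValueError("6rd prefix must embed at least 1 IPv4 bit and fit in /64")
    return n


def sixrd_delegated_prefix(sp_prefix, ipv4, v4_prefix_len=0, v4_suffix_len=0):
    """Delegated 6rd prefix for the CE or BR whose tunnel address is ipv4.

    The non-common IPv4 bits are appended directly after the SP prefix, so
    the delegated prefix length is sp_len + 32 - v4_prefix_len - v4_suffix_len.
    """
    sp = ipaddress.IPv6Network(sp_prefix, strict=True)
    n = _embed_len(sp, v4_prefix_len, v4_suffix_len)
    plen = sp.prefixlen + n
    v4 = int(ipaddress.IPv4Address(ipv4))
    embedded = (v4 >> v4_suffix_len) & ((1 << n) - 1)
    addr = int(sp.network_address) | (embedded << (128 - plen))
    return ipaddress.IPv6Network((addr, plen), strict=True)


def sixrd_tunnel_endpoint(sp_prefix, ipv6_dst, br_ipv4, v4_prefix_len=0, v4_suffix_len=0):
    """IPv4 tunnel endpoint for a 6rd destination, or None if not a 6rd address.

    The common prefix/suffix bits are not in the IPv6 address, so they are
    taken from the BR's own IPv4 address, which shares them by definition.
    """
    sp = ipaddress.IPv6Network(sp_prefix, strict=True)
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in sp:
        return None
    n = _embed_len(sp, v4_prefix_len, v4_suffix_len)
    embedded = (int(dst) >> (128 - sp.prefixlen - n)) & ((1 << n) - 1)
    br = int(ipaddress.IPv4Address(br_ipv4))
    common = br & _common_mask(v4_prefix_len, v4_suffix_len)
    return ipaddress.IPv4Address(common | (embedded << v4_suffix_len))


def br_decap_check(sp_prefix, outer_v4_src, inner_v6_src, br_ipv4,
                   v4_prefix_len=0, v4_suffix_len=0):
    """Anti-spoofing check (RFC 5969 section 12) a BR applies before decapsulating.

    The outer IPv4 source must belong to the 6rd domain and the inner IPv6
    source must lie in the prefix derived from that outer source.  Packets
    failing this are what the 'Security check failure drops' and
    'Invalid IPv6 source prefix drop count' counters in the statistics record.
    """
    sp = ipaddress.IPv6Network(sp_prefix, strict=True)
    inner = ipaddress.IPv6Address(inner_v6_src)
    if inner not in sp:
        return False                    # inner source is not a 6rd address
    src = int(ipaddress.IPv4Address(outer_v4_src))
    br = int(ipaddress.IPv4Address(br_ipv4))
    if (src ^ br) & _common_mask(v4_prefix_len, v4_suffix_len):
        return False                    # outer source is outside the 6rd domain
    expected = sixrd_delegated_prefix(sp_prefix, outer_v4_src, v4_prefix_len, v4_suffix_len)
    return inner in expected


if __name__ == "__main__":
    print(sixrd_delegated_prefix("2001:B000::/28", "10.1.1.1"))    # 2001:b000:a010:1010::/60 (CE)
    print(sixrd_delegated_prefix("2001:B000::/28", "100.1.1.1"))   # 2001:b006:4010:1010::/60 (BR)
    print(sixrd_tunnel_endpoint("2001:B000::/28", "2001:b000:a010:1010::1", "100.1.1.1"))  # 10.1.1.1
    # Spoofed: outer source 10.1.1.2 cannot legitimately carry CE1's prefix.
    print(br_decap_check("2001:B000::/28", "10.1.1.2", "2001:b000:a010:1010::1", "100.1.1.1"))  # False
```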
Configuring Dual Stack Lite Instance
Perform this task to configure dual stack lite application.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-location preferred-active node-id preferred-standby node-id
4. service-type ds-lite instance-name
5. portlimit value
6. bulk-port-alloc size value
7. map address-pool address
8. aftr-tunnel-endpoint-address
9. address-family ipv4
10. interface ServiceApp41
11. address-family ipv6
12. interface ServiceApp61
13. protocol tcp
14. session {initial | active} timeout seconds
15. mss size
16. external-logging netflow9
17. server
18. address 90.1.1.1 port 99
19. external-logging syslog
20. server
21. address 90.1.1.1 port 514
22. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGN
application and enters CGN configuration mode.
Step 3 service-location preferred-active node-id
[preferred-standby node-id]
Example:
RP/0/RP0/CPU0:router(config-cgn)#
service-location preferred-active 0/2/CPU0
preferred-standby 0/4/CPU0
Specifies the global command applied per cgn instance. It
initiates the particular instance of the cgn application on the
active and standby locations.
Step 4 service-type ds-lite instance
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite dsl1
Configures the service type keyword definition for the DS
LITE application.
Step 5 portlimit value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
portlimit 200
Specifies the maximum ports for a given IPV4 private
address. It provides the limits for the number of entries per
address for each subscriber of the system.
Step 6 bulk-port-alloc size value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
bulk-port-alloc size 128
Enables bulk port allocation and sets bulk size that is used
to reduce logging data volume.
Step 7 map address-pool address
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# map
address-pool 52.52.52.0/24
Specifies the address pool for the DS LITE instance.
Note 52.52.52.0/24 is the IPv4 public address pool
assigned to the DS Lite instance.
Step 8 aftr-tunnel-endpoint-address address
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
aftr-tunnel-endpoint-address 3001:DB8:E0E:E01::
Specifies the IPv6 address of the tunnel end point. The IPv4
elements must address their IPv6 packets to this address.
Step 9 address-family ipv4
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
address-family ipv4
Enters the address family IPv4 configuration mode.
Step 10 interface ServiceApp41
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-afi)#
interface ServiceApp41
Specifies the ServiceApp on which IPv4 traffic enters and
leaves.
Step 11 address-family ipv6
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
address-family ipv6
Enters the address family IPv6 configuration mode.
Step 12 interface ServiceApp61
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-afi)#
interface ServiceApp61
Specifies the ServiceApp on which IPv6 traffic enters and
leaves.
Step 13 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-afi)#
protocol tcp
Configures the TCP protocol session.
Step 14 session {initial | active} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# session
initial timeout 90
This command configures the timeout value in seconds for
ICMP,TCP or UDP sessions for a service instance. For TCP
and UDP, you can configure the initial and active session
timeout values. For ICMP, there are no such options. This
configuration is applicable to all the IPv4 addresses that
belong to a particular service instance. This example
configures the initial session timeout value as 90 for the
TCP session.
Step 15 mss size
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# mss
1100
Configures the adjustment MSS value as 1100.
Step 16 external-logging netflow9
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging netflow9
Configures the external-logging facility for the DS LITE
instance named dsl1 and enters the external logging
configuration mode.
Step 17 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# server
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflow-v9 based external-logging facility and enters
external logging server configuration mode.
Step 18 address A.B.C.D port port-number
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# address 90.1.1.1 port 99
Configures the netflow server address and port number to
use for netflow version 9 based external logging facility for
DS LITE instance.
Step 19 external-logging syslog
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging syslog
Configures the external-logging facility for the DS LITE
translation entries that can be logged in syslog servers to
analyze and debug the information.
Step 20 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the logging server information for the IPv4 address and port for the server that is used for the syslog based external-logging facility.
Step 21 address A.B.C.D port port-number
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# address 90.1.1.1 port 514
Configures the syslog server address and port number to use for the syslog based external logging facility for the DS LITE instance.
Step 22 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuration Examples for Implementing the Carrier Grade NAT
This section provides the following configuration examples for CGN:
• Configuring a Different Inside VRF Map to a Different Outside VRF: Example, page 59
• Configuring a Different Inside VRF Map to a Same Outside VRF: Example, page 60
• Configuring ACL for an Infrastructure Service Virtual Interface: Example, page 60
• NAT44 Configuration: Example, page 61
• NAT64 Stateless Configuration: Example, page 64
• DS Lite Configuration: Example, page 66
• Bulk port allocation and Syslog Configuration: Example, page 67
Configuring a Different Inside VRF Map to a Different Outside VRF: Example
This example shows how to configure a different inside VRF map to a different outside VRF and
different outside address pools:
service cgn cgn1
inside-vrf insidevrf1
map outside-vrf outsidevrf1 address-pool 100.1.1.0/24
!
!
inside-vrf insidevrf2
map outside-vrf outsidevrf2 address-pool 100.1.2.0/24
!
service-location preferred-active 0/2/cpu0 preferred-standby 0/3/cpu0
!
interface ServiceApp 1
vrf insidevrf1
ipv4 address 210.1.1.1 255.255.255.0
service cgn cgn1
!
router static
vrf insidevrf1
0.0.0.0/0 serviceapp 1
!
!
interface ServiceApp 2
vrf insidevrf2
ipv4 address 211.1.1.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf insidevrf2
0.0.0.0/0 serviceapp 2
!
!
interface ServiceApp 3
vrf outsidevrf1
ipv4 address 1.1.1.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf outsidevrf1
100.1.1.0/24 serviceapp 3
!
!
interface ServiceApp 4
vrf outsidevrf2
ipv4 address 2.2.2.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf outsidevrf2
100.1.2.0/24 serviceapp 4
Configuring a Different Inside VRF Map to a Same Outside VRF: Example
This example shows how to configure a different inside VRF map to the same outside VRF but with
different outside address pools:
service cgn cgn1
inside-vrf insidevrf1
map outside-vrf outsidevrf1 address-pool 100.1.1.0/24
!
inside-vrf insidevrf2
map outside-vrf outsidevrf1 address-pool 200.1.1.0/24
!
!
service-location preferred-active 0/2/cpu0 preferred-standby 0/3/cpu0
!
interface ServiceApp 1
vrf insidevrf1
ipv4 address 1.1.1.1 255.255.255.0
service cgn cgn1
!
router static
vrf insidevrf1
0.0.0.0/0 serviceapp 1
!
!
interface ServiceApp 2
vrf insidevrf2
ipv4 address 2.1.1.1 255.255.255.0
service cgn cgn1
!
router static
vrf insidevrf2
0.0.0.0/0 serviceapp 2
!
!
interface ServiceApp 3
vrf outsidevrf1
ipv4 address 100.1.1.1 255.255.255.0
service cgn cgn1
!
router static
vrf outsidevrf1
100.1.1.0/24 serviceapp 3
200.1.1.0/24 serviceapp 3
!
Configuring ACL for an Infrastructure Service Virtual Interface: Example
In the following example, the IP address 1.1.1.1 is used by the SVI on the MSC side and the IP address 1.1.1.2 is used on the CGSE PLIM.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# ipv4 access-list ServiceInfraFilter
RP/0/RP0/CPU0:router(config)# 100 permit ipv4 host 1.1.1.1 any
RP/0/RP0/CPU0:router(config)# 101 permit ipv4 host 1.1.1.2 any
RP/0/RP0/CPU0:router(config)# interface ServiceInfra1
RP/0/RP0/CPU0:router(config-if)# ipv4 address 1.1.1.1 255.255.255.192 service-location 0/1/CPU0
RP/0/RP0/CPU0:router(config-if)# ipv4 access-group ServiceInfraFilter egress
Use the show controllers services boot-params command to verify the IP addresses of SVI and the
CGSE PLIM.
RP/0/RP0/CPU0:router# show controllers services boot-params location 0/1/CPU0
=============================================
Boot Params
=============================================
Phase of implmentation : 1
Application : CGN
MSC ipv4 addddress : 1.1.1.1
Octeon ipv4 addddress : 1.1.1.2
ipv4netmask : 255.255.255.252
NAT44 Configuration: Example
This example shows a NAT44 sample configuration:
IPv4: 40.22.22.22/16
!
interface Loopback40
description IPv4 Host for NAT44
ipv4 address 40.22.22.22 255.255.0.0
!
interface Loopback41
description IPv4 Host for NAT44
ipv4 address 41.22.22.22 255.255.0.0
!
interface GigabitEthernet0/3/0/0.1
description Connected to P2_CRS-8 GE 0/6/5/0.1
ipv4 address 10.222.5.22 255.255.255.0
dot1q vlan 1
!
router static
address-family ipv4 unicast
180.1.0.0/16 10.222.5.2
181.1.0.0/16 10.222.5.2
!
!
Figure: NAT44 topology for this example. IPv4 hosts 40.22.22.22/16 and 41.22.22.22/16 behind Gig 0/3/0/0.1 and Gig 0/6/5/0.1 in VRF InsideCustomer1; ServiceApp1 and ServiceApp2 to and from the CGSE (address pool 100.0.0.0/24); VRF OutsideCustomer1 through Gig 0/6/5/1.1 towards 180.1.1.1/16 and 181.1.1.1/16; a NAT Bypass path between the VRFs.
Hardware Configuration for CGSE:
!
vrf InsideCustomer1
address-family ipv4 unicast
!
!
vrf OutsideCustomer1
address-family ipv4 unicast
!
!
hw-module service cgn location 0/3/CPU0
!
service-plim-ha location 0/3/CPU0 datapath-test
service-plim-ha location 0/3/CPU0 core-to-core-test
service-plim-ha location 0/3/CPU0 pci-test
service-plim-ha location 0/3/CPU0 coredump-extraction
!
!
interface GigabitEthernet0/6/5/0.1
vrf InsideCustomer1
ipv4 address 10.222.5.2 255.255.255.0
dot1q vlan 1
!
interface GigabitEthernet0/6/5/1.1
vrf OutsideCustomer1
ipv4 address 10.12.13.2 255.255.255.0
dot1q vlan 1
!
interface ServiceApp1
vrf InsideCustomer1
ipv4 address 1.1.1.1 255.255.255.252
service cgn cgn1 service-type nat44
!
interface ServiceApp2
vrf OutsideCustomer1
ipv4 address 2.1.1.1 255.255.255.252
service cgn cgn1 service-type nat44
!
interface ServiceInfra1
ipv4 address 75.75.75.75 255.255.255.0
service-location 0/3/CPU0
!
!
router static
!
vrf InsideCustomer1
address-family ipv4 unicast
0.0.0.0/0 ServiceApp1
40.22.0.0/16 10.222.5.22
41.22.0.0/16 10.222.5.22
181.1.0.0/16 vrf OutsideCustomer1 GigabitEthernet0/6/5/1.1 10.12.13.1
!
!
vrf OutsideCustomer1
address-family ipv4 unicast
40.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22
41.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22
100.0.0.0/24 ServiceApp2
180.1.0.0/16 10.12.13.1
181.1.0.0/16 10.12.13.1
!
!
!
CGSE Configuration:
service cgn cgn1
service-location preferred-active 0/3/CPU0
service-type nat44 nat44
portlimit 200
alg ActiveFTP
inside-vrf InsideCustomer1
map outside-vrf OutsideCustomer1 address-pool 100.0.0.0/24
protocol tcp
static-forward inside
address 41.22.22.22 port 80
!
!
protocol icmp
static-forward inside
address 41.22.22.22 port 80
!
!
external-logging netflow version 9
server
address 172.29.52.68 port 2055
refresh-rate 600
timeout 100
!
!
!
!
!
IPv4: 180.1.1.1/16
!
interface Loopback180
description IPv4 Host for NAT44
ipv4 address 180.1.1.1 255.255.0.0
!
interface Loopback181
description IPv4 Host for NAT44
ipv4 address 181.1.1.1 255.255.0.0
!
interface GigabitEthernet0/6/5/1.1
ipv4 address 10.12.13.1 255.255.255.0
dot1q vlan 1
!
router static
address-family ipv4 unicast
40.22.0.0/16 10.12.13.2
41.22.0.0/16 10.12.13.2
100.0.0.0/24 10.12.13.2
!
!
NAT64 Stateless Configuration: Example
This example shows a NAT64 Stateless sample configuration.
IPv6 Configuration:
interface Loopback210
description IPv6 Host for NAT64 XLAT
ipv6 address 2001:db8:1c0:2:2100::/64
ipv6 enable
!
interface GigabitEthernet0/3/0/0.20
description Connected to P2_CRS-8 GE 0/6/5/0.20
ipv6 address 2010::22/64
ipv6 enable
dot1q vlan 20
!
router static
!
address-family ipv6 unicast
2001:db8:100::/40 2010::2
!
!
CGSE Hardware Configuration:
hw-module service cgn location 0/3/CPU0
!
service-plim-ha location 0/3/CPU0 datapath-test
service-plim-ha location 0/3/CPU0 core-to-core-test
service-plim-ha location 0/3/CPU0 pci-test
service-plim-ha location 0/3/CPU0 coredump-extraction
!
interface GigabitEthernet0/6/5/0.20
description Connected to PE22_C12406 GE 0/3/0/0.20
ipv6 address 2010::2/64
ipv6 enable
dot1q vlan 20
!
interface GigabitEthernet0/6/5/1.20
description Connected to P1_CRS-8 GE 0/6/5/1.20
ipv4 address 10.97.97.2 255.255.255.0
dot1q vlan 20
!
interface ServiceApp4
ipv4 address 7.1.1.1 255.255.255.252
service cgn cgn1 service-type nat64 stateless
!
Figure: NAT64 stateless topology for this example. IPv6 host 2001:db8:01c0:0002:2100::/64 behind Gig 0/3/0/0.20 and Gig 0/6/5/0.20; ServiceApp6 and ServiceApp4 to and from the CGSE (XLAT NSP 2001:db8:100::/40); IPv4 host 198.51.100.2/24 behind Gig 0/6/5/1.20. IPv6 Source 2001:db8:01c0:0002:2100::/64, IPv6 Destination 2001:db8:01C6:3364:0200::/40; IPv4 Source 198.51.100.2/24, IPv4 Destination 192.0.2.33/24.
interface ServiceApp6
ipv6 address 2011::1/64
service cgn cgn1 service-type nat64 stateless
!
interface ServiceInfra1
ipv4 address 75.75.75.75 255.255.255.0
service-location 0/3/CPU0
!
router static
address-family ipv4 unicast
192.0.2.0/24 ServiceApp4
198.51.100.0/24 10.97.97.1
!
address-family ipv6 unicast
2001:db8:100::/40 ServiceApp6
2001:db8:1c0:2::/64 2010::22
!
!
CGSE Configuration:
service cgn cgn1
service-location preferred-active 0/3/CPU0
!
service-type nat64 stateless xlat
ipv6-prefix 2001:db8:100::/40
address-family ipv4
tos 64
interface ServiceApp4
tcp mss 1200
!
address-family ipv6
interface ServiceApp6
traffic-class 32
tcp mss 1200
df-override
!
traceroute translation
address-pool 202.1.1.0/24
algorithm Hash
!
!
IPv4 Hardware Configuration:
interface Loopback251
description IPv4 Host for NAT64 XLAT
ipv4 address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/6/5/1.20
description Connected to P2_CRS-8 GE 0/6/5/1.20
ipv4 address 10.97.97.1 255.255.255.0
dot1q vlan 20
!
router static
address-family ipv4 unicast
192.0.2.0/24 10.97.97.2
!
!
DS Lite Configuration: Example
IPv6 ServiceApp and Static Route Configuration
conf
int serviceApp61
service cgn cgn1 service-type ds-lite
ipv6 address 2001:202::/32
commit
exit
router static
address-family ipv6 unicast
3001:db8:e0e:e01::/128 ServiceApp61 2001:202::2
commit
exit
end
IPv4 ServiceApp and Static Route Configuration
conf
int serviceApp41
service cgn cgn1 service-type ds-lite
ipv4 add 41.41.41.1/24
commit
exit
router static
address-family ipv4 unicast
52.52.52.0/24 ServiceApp41 41.1.1.2
commit
exit
end
DS Lite Configuration
service cgn cgn1
service-location preferred-active 0/2/CPU0 preferred-standby 0/4/CPU0
service-type ds-lite dsl1
portlimit 200
bulk-port-alloc size 128
map address-pool 52.52.52.0/24
aftr-tunnel-endpoint-address 3001:DB8:E0E:E01::
address-family ipv4
interface ServiceApp41
address-family ipv6
interface ServiceApp61
protocol tcp
session init timeout 300
session active timeout 400
mss 1200
external-logging netflow9
server
address 90.1.1.1 port 99
external-logging syslog
server
address 90.1.1.1 port 514
Bulk port allocation and Syslog Configuration: Example
service cgn cgn2
service-type nat44 natA
inside-vrf broadband
map address-pool 100.1.2.0/24
external-logging syslog
server
address 20.1.1.2 port 514
!
!
bulk-port-alloc size 64
!
!
Additional References
For additional information related to Implementing the Carrier Grade NAT, see the following references:
Related Documents
Related Topic | Document Title
Cisco IOS XR Carrier Grade NAT commands | Cisco IOS XR Carrier Grade NAT Command Reference for the Cisco CRS Router
Cisco CRS Router getting started material | Cisco IOS XR Getting Started Guide for the Cisco CRS Router
Information about user groups and task IDs | Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide
Standards
Standards | Title
— | No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
1. Not all supported standards are listed.
MIBs
MIBs | MIBs Link
— | To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs | Title
RFC 4787 | Network Address Translation (NAT) Behavioral Requirements for Unicast UDP
RFC 5382 | NAT Behavioral Requirements for TCP
RFC 5508 | NAT Behavioral Requirements for ICMP
1. Not all supported RFCs are listed.
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
CGC Cisco IOS XR Carrier Grade NAT Configuration Guide
HC Cisco IOS XR Interface and Hardware Component Configuration Guide
IC Cisco IOS XR IP Addresses and Services Configuration Guide
MCC Cisco IOS XR Multicast Configuration Guide
MNC Cisco IOS XR System Monitoring Configuration Guide
MPC Cisco IOS XR MPLS Configuration Guide
NFC Cisco IOS XR NetFlow Configuration Guide
QC Cisco IOS XR Modular Quality of Service Configuration Guide
RC Cisco IOS XR Routing Configuration Guide
SC Cisco IOS XR System Security Configuration Guide
SMC Cisco IOS XR System Management Configuration Guide
VPC Cisco IOS XR Virtual Private Network Configuration Guide
Index
A
Address Family Translation CGC-5
C
Carrier Grade NAT Overview CGC-2
D
Double NAT 444 CGC-5
E
Export and Logging for the Network Address Translation Table Entries CGC-27
External Logging CGC-6
I
ICMP Query Session Timeout CGC-4
Inside and Outside Address Pool Map CGC-12
IPv4 Address Completion CGC-2
N
NAT CGC-4
Benefits CGC-2
overview CGC-2
NAT and NAPT CGC-2
NAT with
ICMP CGC-4
TCP CGC-4
P
Policy Functions
Application Gateway CGC-5
configuring CGC-14
overview CGC-5
prerequisites CGC-1
T
Translation Filtering CGC-3
Cisco ASR 9000 Series Aggregation
Services Router Carrier Grade IPv6 (CGv6)
Configuration Guide
Cisco IOS XR Software Release 4.2.x
Customer Order Number: OL-26555-02
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration Guide
© 2012 Cisco Systems, Inc. All rights reserved.
Contents
Preface v
Changes to This Document v
Obtaining Documentation and Submitting a Service Request v
Implementing the Carrier Grade IPv6 on Cisco IOS XR Software i-1
Contents i-1
Prerequisites for Implementing the CGv6 i-1
CGv6 Overview and Benefits i-2
CGv6 Overview i-2
Benefits of CGv6 i-2
NAT44 or CGN Overview i-3
DS-Lite Overview i-4
Information About Implementing CGv6 i-5
Implementing NAT with ICMP i-5
Double NAT 444 i-6
Policy Functions i-6
External Logging i-6
Cisco Integrated Service Module (ISM) i-7
Solution Components i-7
Configuring CGv6 on Cisco IOS XR Software i-8
Installing Carrier Grade IPv6 (CGv6) on ISM i-8
Getting Started with the Carrier Grade IPv6 i-13
Configuring an Inside and Outside Address Pool Map i-20
Configuring the Policy Functions for NAT44 i-22
Configuring the Export and Logging for the Network Address Translation Table Entries i-34
Configuring DS Lite Feature on ISM Line Card i-42
Configuration Examples for Implementing the CGv6 i-66
Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example i-66
Configuring a Different Inside VRF Map to a Same Outside VRF for NAT44: Example i-67
NAT44 Configuration: Example i-68
DS Lite Configuration: Example i-71
Additional References i-72
Related Documents i-72
Standards i-72
MIBs i-73
RFCs i-73
Technical Assistance i-73
Index v
Preface
The Cisco ASR 9000 Series Aggregation Services Router Carrier Grade IPv6 (CGv6) Configuration
Guide preface contains the following sections:
• Changes to This Document, page CGC-v
• Obtaining Documentation and Submitting a Service Request, page CGC-v
Changes to This Document
Table 1 lists the technical changes made to this document since it was first printed.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
Table 1 Changes to This Document
Revision | Date | Change Summary
OL-26555-02 | August 2012 | Re-published with documentation updates for Cisco IOS XR Release 4.2.1 features.
OL-26555-02 | April 2012 | Initial release of this document for Cisco IOS XR Release 4.2.0.
Implementing the Carrier Grade IPv6 on
Cisco IOS XR Software
This module describes how to implement the Carrier Grade IPv6 (CGv6) on Cisco IOS XR software.
Contents
• Prerequisites for Implementing the CGv6, page 1
• CGv6 Overview and Benefits, page 2
• Information About Implementing CGv6, page 5
• Cisco Integrated Service Module (ISM), page 7
• Configuring CGv6 on Cisco IOS XR Software, page 8
• Configuration Examples for Implementing the CGv6, page 66
• Additional References, page 72
The following table lists changes made to the document.
Table 1 Feature History for Implementing CGv6 on ASR 9000
Release | Modification
R4.2.0 | Initial release of this document. CGv6 applications such as CGN or NAT44 are supported.
R4.2.1 | The following features were introduced:
• DS-Lite.
• Syslog and Bulk Port Allocation for NAT44 and DS-Lite.
Prerequisites for Implementing the CGv6
The following prerequisites are required to implement CGv6:
• You must be running Cisco IOS XR software Release 4.2.0 or above.
• You must have installed the CGv6 service package, asr9k-services-p.pie (to be used with RSP2) or asr9k-services-px.pie (to be used with RSP3).
• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
Note All the error conditions result in a syslog message. On observation of Heartbeat failure messages, contact
Cisco Technical Support with show tech-support services cgn information.
Note If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
CGv6 Overview and Benefits
To implement the CGv6, you should understand the following concepts:
• CGv6 Overview, page 2
• Benefits of CGv6, page 2
• NAT44 or CGN Overview, page 3
• DS-Lite Overview, page 4
CGv6 Overview
Internet Protocol version 4 (IPv4) has reached exhaustion at the international level (IANA). But service
providers must maintain and continue to accelerate growth. Billions of new devices such as mobile
phones, portable multimedia devices, sensors, and controllers are demanding Internet connectivity at an
increasing rate. The Cisco Carrier Grade IPv6 Solution (CGv6) is designed to help address these
challenges. With Cisco CGv6, you can:
• Preserve investments in IPv4 infrastructure, assets, and delivery models.
• Prepare for the smooth, incremental transition to IPv6 services that are interoperable with IPv4.
• Prosper through accelerated subscriber, device, and service growth, enabled by the efficiencies that IPv6 can deliver.
Cisco CGv6 extends the already wide array of IPv6 platforms, solutions, and services. Cisco CGv6 helps
you build a bridge to the future of the Internet with IPv6.
The Cisco ASR 9000 Series Aggregation Services Router is part of the Cisco CGv6 solution portfolio, and therefore different CGv6 solutions or applications are implemented on this platform (specifically on the ISM service card). In Cisco IOS XR Release 4.2.0, the CGN or NAT44 application is delivered as the first application. In Cisco IOS XR Release 4.2.1, the DS-Lite feature is added. Additional CGv6 applications will be delivered in future releases.
Benefits of CGv6
CGv6 offers these benefits:
• Enables service providers to execute orderly transitions to IPv6 through mixed IPv4 and IPv6
networks.
• Provides address family translation, and is not limited to translation within one address family.
• Delivers a comprehensive solution suite for IP address management and IPv6 transition.
IPv4 Address Shortage
A fixed-size resource such as the 32-bit public IPv4 address space will run out in a few years. Therefore,
the IPv4 address shortage presents a significant and major challenge to all service providers who depend
on large blocks of public or private IPv4 addresses for provisioning and managing their customers.
Service providers cannot easily allocate sufficient public IPv4 address space to support new customers
that need to access the public IPv4 Internet.
NAT44 or CGN Overview
Carrier Grade Network Address Translation (CGN) is a large scale NAT that is capable of providing
private IPv4 to public IPv4 address translation in the order of millions of translations to support a large
number of subscribers, and at least 10 Gbps full-duplex bandwidth throughput.
CGN is a workable solution to the IPv4 address depletion problem, and offers a way for service provider subscribers and content providers to implement a seamless transition to IPv6. CGN employs network address and port translation (NAPT) methods to aggregate many private IP addresses into fewer public IPv4 addresses. For example, a single public IPv4 address with a pool of 32 K port numbers supports 320 individual private IP subscribers, assuming each subscriber requires 100 ports (each TCP connection, for instance, needs one port number).
A Network Address Translation (NAT) box is positioned between private and public IP networks, which are addressed with non-global private addresses and public IP addresses respectively. A NAT performs the
task of mapping one or many private (or internal) IP addresses into one public IP address by employing
both network address and port translation (NAPT) techniques. The mappings, otherwise referred to as
bindings, are typically created when a private IPv4 host located behind the NAT initiates a connection
(for example, TCP SYN) with a public IPv4 host. The NAT intercepts the packet to perform these
functions:
• Rewrites the private IP host source address and port values with its own IP source address and port
values
• Stores the private-to-public binding information in a table and sends the packet. When the public IP
host returns a packet, it is addressed to the NAT. The stored binding information is used to replace
the IP destination address and port values with the private IP host address and port values.
Traditionally, NAT boxes are deployed in the residential home gateway (HGW) to translate the multiple private IP addresses configured on devices inside the home to a single public IP address, which is configured and provisioned on the HGW by the service provider. In
enterprise scenarios, you can use the NAT functions combined with the firewall to offer security
protection for corporate resources and allow for provider-independent IPv4 addresses. NATs have made
it easier for private IP home networks to flourish independently from service provider IP address
provisioning. Enterprises can permanently employ private IP addressing for Intranet connectivity while
relying on a few NAT boxes, and public IPv4 addresses for external public Internet connectivity. NAT
boxes in conjunction with classic methods such as Classless Inter-Domain Routing (CIDR) have slowed
public IPv4 address consumption.
Network Address and Port Mapping
Once a first mapping between an internal address and port and an external address and port has been established, that network address and port mapping can be reused to map new sessions to external endpoints. RFC 4787 defines these NAT mapping behaviors:
• Endpoint-independent mapping—Reuses the port mapping for subsequent packets that are sent
from the same internal IP address and port to any external IP address and port.
• Address-dependent mapping—Reuses the port mapping for subsequent packets that are sent from
the same internal IP address and port to the same external IP address, regardless of the external port.
Note CGN on ISM implements Endpoint-independent Mapping.
Translation Filtering
RFC 4787 provides translation filtering behaviors for NATs. These options are used by NAT to filter
packets originating from specific external endpoints:
• Endpoint-independent filtering—Filters out only packets that are not destined to the internal address and port, regardless of the external IP address and port source.
• Address-dependent filtering—Filters out packets that are not destined to the internal address and port. In addition, NAT filters out packets that are destined for the internal endpoint if the internal endpoint has not previously sent packets to the external IP address they come from.
• Address and port-dependent filtering—Filters out packets that are not destined to the internal address and port. In addition, NAT filters out packets that are destined for the internal endpoint if the internal endpoint has not previously sent packets to the external IP address and port they come from.
Note CGN on ISM implements Endpoint-independent Filtering.
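The following Python model, added here as an example and not Cisco code, shows the two behaviours the notes above attribute to CGN on the ISM (endpoint-independent mapping and endpoint-independent filtering) side by side with address-dependent filtering for contrast, plus the port-sharing arithmetic from the NAT44 overview; the Cgn class, addresses and ports are constructed.

```python
"""Model of the two RFC 4787 behaviours this guide says CGN on the ISM
implements: endpoint-independent mapping (EIM) and endpoint-independent
filtering (EIF).  Address-dependent filtering is included for contrast.
Added example, not Cisco code; all addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]       # (IP address, port)


@dataclass
class Cgn:
    public_ip: str
    filtering: str = "endpoint-independent"   # or "address-dependent"
    first_port: int = 1024
    last_port: int = 65535
    # EIM: the binding key is the internal (address, port) alone.  The external
    # peer is deliberately not part of the key, so one binding serves every peer.
    out_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    in_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    peers: Dict[Endpoint, Set[str]] = field(default_factory=dict)  # external IPs each binding has sent to
    next_port: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_port = self.first_port

    def _bind(self, private: Endpoint) -> Endpoint:
        if self.next_port > self.last_port:
            raise RuntimeError("public port pool exhausted")
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.out_map[private] = public
        self.in_map[public] = private
        self.peers[public] = set()
        return public

    def translate_out(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Private host -> Internet: reuse the existing binding whatever dst is (EIM)."""
        public = self.out_map.get(src) or self._bind(src)
        self.peers[public].add(dst[0])
        return public, dst

    def translate_in(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Internet -> private host.  Returns None when the packet is filtered."""
        private = self.in_map.get(dst)
        if private is None:
            return None                     # no binding for this public address/port: dropped
        if self.filtering == "address-dependent" and src[0] not in self.peers[dst]:
            return None                     # ADF: external address never contacted from inside
        return src, private                 # EIF: any external source reaches the binding


def subscribers_per_address(ports_in_pool: int, ports_per_subscriber: int) -> int:
    """Port-sharing arithmetic from the NAT44 overview (32 000 ports / 100 = 320)."""
    return ports_in_pool // ports_per_subscriber


if __name__ == "__main__":
    cgn = Cgn("203.0.113.1")
    host = ("10.0.0.5", 40000)
    public, _ = cgn.translate_out(host, ("198.51.100.7", 80))
    print("binding", host, "->", public)
    print("same binding for a second peer:", cgn.translate_out(host, ("198.51.100.9", 443))[0] == public)
    print("unsolicited inbound delivered (EIF):", cgn.translate_in(("192.0.2.50", 5000), public))
    print("subscribers per public address:", subscribers_per_address(32000, 100))
```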
DS-Lite Overview
The Dual Stack Lite (DS-Lite) feature enables legacy IPv4 hosts and server communication over both
IPv4 and IPv6 networks. Also, IPv4 hosts may need to access IPv4 internet over an IPv6 access network.
The IPv4 hosts will have private addresses which need to have network address translation (NAT)
completed before reaching the IPv4 internet.
The Dual Stack Lite application has these two components:
• Basic Bridging BroadBand Element (B4): This is a Customer Premises Equipment (CPE) router that is attached to the end hosts. The IPv4 packets entering the B4 are encapsulated in an IPv6 tunnel and sent to the Address Family Transition Router (AFTR).
• Address Family Transition Router (AFTR): This is the router that terminates the tunnel from the B4. It decapsulates the tunneled IPv4 packet, translates the network address and routes the packet to the IPv4 network. In the reverse direction, IPv4 packets coming from the internet are reverse network address translated and the resulting IPv4 packets are sent to the B4 through an IPv6 tunnel.
The Dual Stack Lite feature helps in these functions:
• Tunnelling IPv4 packets from CE devices over IPv6 tunnels to the ISM blade.
• Decapsulating the IPv4 packet and sending the decapsulated content to the IPv4 internet after completing network address translation.
• In the reverse direction, completing reverse network address translation and then tunnelling the packets over IPv6 tunnels to the CPE device.
IPv6 traffic from the CPE device is natively forwarded.
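As an added example (not Cisco code), the Python below builds the IPv4-in-IPv6 softwire a B4 sends, decapsulates and translates it the way the AFTR role above describes, and tunnels the reply back; the AFTR address is the aftr-tunnel-endpoint-address used later in this guide's DS-Lite example, while the pool address, B4 and host addresses and the Aftr class are constructed, and only UDP is handled.

```python
"""DS-Lite softwire handling at the AFTR: decapsulate IPv4-in-IPv6, key the NAT
binding on the (B4 IPv6 address, inner IPv4 source, port) tuple so that B4s that
reuse the same private range stay distinct, and re-encapsulate return traffic.
Added example, not Cisco code; all addresses are constructed and only UDP is handled."""
import struct
from ipaddress import IPv4Address, IPv6Address
from typing import Dict, Tuple

IPPROTO_IPV4, IPPROTO_UDP = 4, 17
IPV6_HDR = struct.Struct("!IHBB16s16s")     # ver/tc/flow, payload length, next header, hop limit, src, dst
AFTR = IPv6Address("2001:db8:e0e:e01::")    # aftr-tunnel-endpoint-address from this guide's DS-Lite example
NAT_POOL_IP = IPv4Address("52.52.52.1")     # constructed address inside that example's map address-pool
B4_A, B4_B = IPv6Address("2001:db8:1::b4"), IPv6Address("2001:db8:2::b4")   # constructed B4 routers
HOST, SERVER = IPv4Address("192.168.1.10"), IPv4Address("198.51.100.20")    # constructed endpoints
Key = Tuple[IPv6Address, IPv4Address, int]


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) for the IPv4 header; 0 when verified over a valid header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_udp(src: IPv4Address, dst: IPv4Address, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP packet; the UDP checksum is left at zero (permitted over IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0,
                      src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + udp


def encapsulate(src6: IPv6Address, dst6: IPv6Address, inner: bytes) -> bytes:
    """Softwire: an IPv4 packet carried in IPv6 with next header 4."""
    return IPV6_HDR.pack(0x60000000, len(inner), IPPROTO_IPV4, 64, src6.packed, dst6.packed) + inner


class Aftr:
    def __init__(self) -> None:
        self.bindings: Dict[Key, int] = {}     # (B4, private IP, private port) -> public port
        self.reverse: Dict[int, Key] = {}
        self.next_port = 1024

    def from_b4(self, pkt: bytes) -> bytes:
        """Tunnel side: decapsulate, translate and return the IPv4 packet bound for the Internet."""
        ver, plen, nh, _hop, src6, dst6 = IPV6_HDR.unpack_from(pkt)
        if ver >> 28 != 6 or nh != IPPROTO_IPV4 or IPv6Address(dst6) != AFTR:
            raise ValueError("not a DS-Lite softwire packet addressed to this AFTR")
        inner = pkt[IPV6_HDR.size:IPV6_HDR.size + plen]
        ihl = (inner[0] & 0xF) * 4
        if inner[9] != IPPROTO_UDP:
            raise ValueError("example handles UDP only")
        isrc, idst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
        sport, dport = struct.unpack_from("!HH", inner, ihl)
        key = (IPv6Address(src6), isrc, sport)   # the B4 address disambiguates overlapping private space
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return ipv4_udp(NAT_POOL_IP, idst, self.bindings[key], dport, inner[ihl + 8:])

    def from_internet(self, pkt: bytes) -> bytes:
        """Internet side: reverse-translate and tunnel the packet back to the owning B4."""
        ihl = (pkt[0] & 0xF) * 4
        src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        if dst != NAT_POOL_IP or dport not in self.reverse:
            raise LookupError("no binding for %s:%d: dropped" % (dst, dport))
        b4, priv_ip, priv_port = self.reverse[dport]
        return encapsulate(AFTR, b4, ipv4_udp(src, priv_ip, sport, priv_port, pkt[ihl + 8:]))


if __name__ == "__main__":
    aftr = Aftr()
    for b4 in (B4_A, B4_B):   # two B4s, same private host address behind each
        out = aftr.from_b4(encapsulate(b4, AFTR, ipv4_udp(HOST, SERVER, 5000, 53, b"query")))
        print(b4, "->", IPv4Address(out[12:16]), "port", int.from_bytes(out[20:22], "big"))
```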
Note The number of DS-Lite instances supported on the Integrated Service Module (ISM) line card is 64.
Scalability and Performance of DS Lite
The DS-Lite feature pulls translation entries from the same pool as the NAT44.
• Supports a total of 20 million sessions.
• Number of unique users behind B4 router, basically IPv6 and IPv4 Source tuple, can scale to 1
million.
There is no real limit to the number of B4 routers and their associated tunnels connecting to the AFTR,
except the session limit, which is 20 million B4 routers (assuming each router has only one session). In
reality, a maximum of 1 million B4 routers can connect to an AFTR at any given time.
The performance of DS-Lite traffic, combined IPv4 and IPv6, is 10 Gbps.
Information About Implementing CGv6
These sections provide the information about implementation of NAT using ICMP and TCP:
• Implementing NAT with ICMP, page 5
• Double NAT 444, page 6
• Policy Functions, page 6
• External Logging, page 6
Implementing NAT with ICMP
This section explains how the Network Address Translation (NAT) devices work in conjunction with
Internet Control Message Protocol (ICMP).
Implementations of NAT vary in how they handle different traffic.
ICMP Query Session Timeout
RFC 5508 provides ICMP Query Session timeouts. A mapping timeout is maintained by NATs for ICMP
queries that traverse them. The ICMP Query Session timeout is the period during which a mapping will
stay active without packets traversing the NATs. The timeouts can be set as either Maximum Round Trip
Time (Maximum RTT) or Maximum Segment Lifetime (MSL). For the purpose of constraining the
maximum RTT, the Maximum Segment Lifetime (MSL) is considered a guideline to set packet lifetime.
If the ICMP NAT session timeout is set to a very large duration (240 seconds) it can tie up precious NAT
resources such as Query mappings and NAT Sessions for the whole duration. Also, if the timeout is set
to very low it can result in premature freeing of NAT resources and applications failing to complete
gracefully. The ICMP Query session timeout needs to be a balance between the two extremes; a 60-second timeout provides that balance.
Double NAT 444
The Double NAT 444 solution offers the fastest and simplest way to address the IPv4 depletion problem without requiring an upgrade to IPv6 anywhere in the network. Service providers can continue offering new IPv4 customers access to the public IPv4 Internet by using private IPv4 address blocks. If the service provider is large enough, however, it needs overlapping RFC 1918 address space, which forces the service provider to partition its network management systems and creates complexity with access control lists (ACL).
Double NAT 444 uses the edge NAT and CGv6 to hold the translation state for each session. For example, both NATs must hold 100 entries in their respective translation tables if all the hosts in the residence of a subscriber have 100 connections to hosts on the Internet. There is no easy way for a private IPv4 host to communicate with the CGv6 to learn its public IP address and port information or to configure a static incoming port forwarding.
Policy Functions
• Application Level Gateway, page 6
• TCP Maximum Segment Size Adjustment, page 6
• Static Port Forwarding, page 6
Application Level Gateway
The application level gateway (ALG) deals with applications that embed IP addresses in the packet payload.
CGv6 supports both passive and active FTP. FTP clients are supported with inside (private) address and
servers with outside (public) addresses. Passive FTP is provided by the basic NAT function. Active FTP
is used with the ALG.
TCP Maximum Segment Size Adjustment
When a host initiates a TCP session with a server, the host negotiates the segment size by using the TCP maximum segment size (MSS) option. The value of the MSS option is determined by the maximum transmission unit (MTU) that is configured on the host.
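As an added example (not Cisco code), the Python below performs the adjustment on a SYN segment the way a NAT device must: it parses the TCP options, lowers an MSS above the configured ceiling (1200, as in this guide's tcp mss examples) and patches the TCP checksum incrementally per RFC 1624; the segment, the host addresses SRC and DST and the function names are constructed.

```python
"""TCP MSS adjustment as a NAT device performs it on a SYN: parse the TCP
options, lower an advertised MSS above the configured ceiling, and patch the
TCP checksum incrementally (RFC 1624).  Added example, not Cisco code; the
segment and the addresses are constructed."""
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

EOL, NOP, MSS = 0, 1, 2                    # TCP option kinds (RFC 793)
SYN, ACK = 0x02, 0x10
SRC, DST = IPv4Address("10.0.0.5"), IPv4Address("198.51.100.7")   # constructed sample hosts


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def tcp_checksum(src: IPv4Address, dst: IPv4Address, seg: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus segment (0 when the stored one is valid)."""
    pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, len(seg))
    return ~ones_complement_sum(pseudo + seg) & 0xFFFF


def checksum_adjust(csum: int, old: int, new: int) -> int:
    """Incremental update for one replaced 16-bit word: HC' = ~(~HC + ~m + m') (RFC 1624 eq. 3)."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_syn(src: IPv4Address, dst: IPv4Address, sport: int, dport: int, mss: int) -> bytes:
    """SYN carrying the options MSS, NOP, window scale 7, SACK-permitted and EOL padding."""
    opts = struct.pack("!BBH", MSS, 4, mss) + bytes([NOP, 3, 3, 7, 4, 2, EOL, EOL])
    offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, offset << 4, SYN, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def clamp_mss(seg: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Return (segment, advertised MSS).  Only a SYN carries MSS; when it exceeds
    max_mss the option and the checksum are rewritten, otherwise seg is returned as is."""
    offset = (seg[12] >> 4) * 4
    if not seg[13] & SYN or offset <= 20 or offset > len(seg):
        return seg, None
    buf = bytearray(seg)
    i = 20
    while i < offset:
        kind = buf[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= offset or buf[i + 1] < 2 or i + buf[i + 1] > offset:
            raise ValueError("malformed TCP option at byte %d" % i)   # never forward a bad option list
        length = buf[i + 1]
        if kind == MSS and length == 4:
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            if mss > max_mss:
                struct.pack_into("!H", buf, i + 2, max_mss)
                old = struct.unpack_from("!H", buf, 16)[0]
                struct.pack_into("!H", buf, 16, checksum_adjust(old, mss, max_mss))
            return bytes(buf), mss
        i += length
    return seg, None


if __name__ == "__main__":
    syn = build_syn(SRC, DST, 40000, 80, 1460)
    clamped, advertised = clamp_mss(syn, 1200)          # tcp mss 1200
    print("advertised", advertised, "-> forwarded", clamp_mss(clamped, 65535)[1],
          "checksum valid:", tcp_checksum(SRC, DST, clamped) == 0)
```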
Static Port Forwarding
Static port forwarding configures a fixed, private (internal) IP address and port that are associated with
a particular subscriber while CGv6 allocates a free public IP address and port. Therefore, the inside IP
address and port are associated to a free outside IP address and port.
External Logging
External logging configures the export and logging of the NAT table entries and of the private bindings that are associated with a particular global IP address and port, and uses Netflow to export the NAT table entries.
Netflow v9 Support
The NAT44 and DS Lite features support Netflow for logging of the translation records. Logging of the translation records can be mandated for Lawful Intercept. Netflow uses a binary format and hence requires software to parse and present the translation records.
Syslog Support
In Cisco IOS XR Software Release 4.2.1 and later, the DS Lite and NAT44 features support Syslog as
an alternative to Netflow. Syslog uses ASCII format and hence can be read by users. However, the log
data volume is higher in Syslog than Netflow.
Attributes of Syslog Collector
• Syslog is supported in ASCII format only.
• Logging to multiple syslog collectors (or relay agents) is not supported.
• Syslog is supported for DS-Lite and NAT444 in the Cisco IOS XR Software Release 4.2.1.
Bulk Port Allocation
The creation and deletion of NAT sessions need to be logged, and these events create a huge amount of data, which is stored on a Syslog collector supported over UDP. In order to reduce the volume of data generated by the NAT device, bulk port allocation can be enabled. When bulk port allocation is enabled and a subscriber creates the first session, a number of contiguous outside ports are pre-allocated. A bulk allocation message is logged indicating this allocation. Subsequent session creations use one of the pre-allocated ports and hence do not require logging.
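The following Python model, added here as an example and not Cisco code, counts the log messages produced with and without bulk port allocation using this guide's example values (bulk-port-alloc size 128, portlimit 200); the PortAllocator class, the subscriber address and the message format are constructed, not the ISM's.

```python
"""Log volume with and without bulk port allocation.  Added example, not Cisco
code: models the behaviour described above (the first session of a subscriber
pre-allocates a contiguous block of outside ports and logs once; later sessions
draw from the block unlogged) together with the per-subscriber portlimit."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Subscriber:
    blocks: List[range] = field(default_factory=list)   # outside port blocks held
    in_use: Set[int] = field(default_factory=set)       # outside ports with a live session


@dataclass
class PortAllocator:
    bulk_size: int = 1            # 1 models bulk allocation disabled: one port and one log per session
    port_limit: int = 200         # this guide's "portlimit 200"
    first_port: int = 1024
    last_port: int = 65535
    log: List[str] = field(default_factory=list)        # stands in for the syslog/NetFlow export
    subs: Dict[str, Subscriber] = field(default_factory=dict)
    next_free: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_free = self.first_port

    def open_session(self, private_ip: str) -> Optional[int]:
        """Allocate an outside port for a new session; None if the session is refused."""
        sub = self.subs.setdefault(private_ip, Subscriber())
        if len(sub.in_use) >= self.port_limit:
            return None                                 # portlimit reached
        port = next((p for blk in sub.blocks for p in blk if p not in sub.in_use), None)
        if port is None:                                # no spare port in a held block
            if self.next_free + self.bulk_size - 1 > self.last_port:
                return None                             # outside pool exhausted (this model never reuses freed blocks)
            blk = range(self.next_free, self.next_free + self.bulk_size)
            self.next_free = blk.stop
            sub.blocks.append(blk)
            self._log("ALLOC", private_ip, blk)
            port = blk.start
        sub.in_use.add(port)
        return port

    def close_session(self, private_ip: str, port: int) -> None:
        """End a session; a block is released (and logged) once none of its ports is in use."""
        sub = self.subs[private_ip]
        sub.in_use.discard(port)
        for blk in list(sub.blocks):
            if not any(p in sub.in_use for p in blk):
                sub.blocks.remove(blk)
                self._log("FREE", private_ip, blk)

    def _log(self, event: str, private_ip: str, blk: range) -> None:
        kind = "BULK" if len(blk) > 1 else "SESSION"
        self.log.append(f"{kind}-{event} inside={private_ip} outside-ports={blk.start}-{blk.stop - 1}")


def log_volume(bulk_size: int, sessions: int = 100) -> int:
    """Open, then close, `sessions` sessions for one subscriber; return the log lines written."""
    alloc = PortAllocator(bulk_size=bulk_size)
    ports = [alloc.open_session("10.0.0.1") for _ in range(sessions)]
    for port in ports:
        alloc.close_session("10.0.0.1", port)
    return len(alloc.log)


if __name__ == "__main__":
    print("per-session logging, 100 sessions:", log_volume(1), "log lines")      # 200
    print("bulk-port-alloc size 128, 100 sessions:", log_volume(128), "log lines")  # 2
```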
Cisco Integrated Service Module (ISM)
Solution Components
These are the solution components of the Cisco Integrated Service Module (ISM).
• ASR 9000 with IOS XR
– High-capacity, carrier-class SP platform with Cisco IOS XR Software
– Leverages XR infrastructure to divert packets to ISM
– Uniform, integrated configuration and management
• Integrated Service Module
– Flexible Linux-based development & test environment
– Supports required CGv6
– First IPv6 Transition Strategy
• Integrated Service Module
– Hardware:
• CGv6 function residing on ISM
• Intel x86 with 12 CPU cores
– Software:
• IOS-XR on LC, Linux on Intel CPUs
• Integrated configuration and management through Cisco IOS XR Software
• Service Virtual Interface (SVI)
– Two types of Service Virtual Interfaces are used in ISM
• ServiceInfra SVI
• ServiceApp SVI
There can be only one ServiceInfra SVI per ISM slot. It is used for the management plane and is required to bring up the ISM; it is of local significance within the chassis.
The ServiceApp SVI is used to forward the data traffic to the application. A scale of 244 ServiceApp SVIs per chassis has been validated on the ISM. These interfaces can be advertised in IGP/EGP.
Configuring CGv6 on Cisco IOS XR Software
The following configuration tasks are required to implement CGv6 on Cisco IOS XR software:
• Installing Carrier Grade IPv6 (CGv6) on ISM, page 8
• Getting Started with the Carrier Grade IPv6, page 13
• Configuring the Service Type Keyword Definition, page 19
• Configuring the Policy Functions for NAT44, page 22
• Configuring the Export and Logging for the Network Address Translation Table Entries, page 34
• Configuring DS Lite Feature on ISM Line Card, page 42
Installing Carrier Grade IPv6 (CGv6) on ISM
This section provides instructions on installing CGv6 on the ISM line card, removing CGv6 on the ISM
line card, and reinstalling the CDS TV application support.
Hardware
• ISM hardware in chassis
Software
• asr9k-mini-p.vm or asr9k-mini-px.vm
• asr9k-services-p.pie or asr9k-services-px.pie
• asr9k-fpd-p.pie or asr9k-fpd-px.pie
FPGA UPGRADE
The installation is similar to an FPGA upgrade on any other ASR 9000 card.
Step 1 Load the fpd pie.
Step 2 Run the show hw-module fpd location <> command in admin mode.
RP/0/RP0/CPU0:#admin
RP/0/RSP1/CPU0:LHOTSE#show hw-module fpd location 0/1/CPU0
===================================== ================================================
Existing Field Programmable Devices
================================================
HW Current SW Upg/
Location Card Type Version Type Subtype Inst Version Dng?
============ ======================== ======= ==== ======= ==== =========== ==== =====
--------------------------------------------------------------------------------------
0/1/CPU0 A9K-ISM-100 1.0 lc fpga1 0 0.29 No
1.0 lc cbc 0 18.04 Yes
1.0 lc cpld1 0 0.01 No
1.0 lc fpga7 0 0.17 No
1.0 lc cpld3 0 0.16 No
1.0 lc fpga2 0 0.01 Yes
--------------------------------------------------------------------------------------
If one or more FPD needs an upgrade (can be identified from the Upg/Dng column in the output) then
this can be accomplished using the following steps.
Step 3 Upgrade the identified FPGAs using the relevant commands:
upgrade hw-module fpd fpga1 location <>
upgrade hw-module fpd cbc location <>
upgrade hw-module fpd cpld1 location <>
upgrade hw-module fpd fpga7 location <>
upgrade hw-module fpd cpld3 location <>
upgrade hw-module fpd fpga2 location <>
To upgrade all FPGAs using a single command, type:
upgrade hw-module fpd all location <>
Step 4 If one or more FPGAs were upgraded, reload the ISM card after all the upgrade operation completes
successfully.
hw-module location <> reload
Step 5 After the ISM card comes up, check for the FPGA version. This can be done using the following
command from the admin mode.
show hw-module fpd location <>
Change Role of ISM Line Card from CDS TV to CGV6
Accessing CPU consoles on ISM Card
The following output shows ISM card in slot1:
RP/0/RSP0/CPU0 #show platform
0/RSP0/CPU0 A9K-RSP-4G(Active) IOS XR RUN PWR,NSHUT,MON
0/1/CPU0 A9K-ISM-100(LCP) IOS XR RUN PWR,NSHUT,MON
0/1/CPU1 A9K-ISM-100(SE) SEOS-READY
To access the LC CPU console:
RP/0/RSP0/CPU0#run attach 0/1/CPU0
#
To return to RSP console:
#exit
To access X86 CPU console:
RP/0/RSP0/CPU0:CRANE#run attachCon 0/0/cpu1 115200
attachCon: Starting console session to node 0/0/cpu1
attachCon: To quit console session type 'detach'
Current Baud 115200
Setting Baud to 115200
localhost.localdomain login: root
Password: rootroot
[root@localhost ~]#
To return to RSP console:
[root@localhost]# detach
Installing CGV6 Application on an ISM Running CDS-TV for Cisco IOS XR Software Release 4.2.0
If the card is in CDS-IS mode, it must be converted to CDS-TV before installing CGv6. For
installation instructions, see the Cisco ASR 9000 Series Aggregation Services Router ISM Line Card
Installation Guide at the following location:
http://www.cisco.com/en/US/partner/docs/routers/asr9000/hardware/ism_line_card/installation/guide/ismig.html
Note In this procedure, kernel.rpm refers to either the "kernel.rpm" or the "kernel-4.2.0.rpm" file, and
ism_infra.tgz refers to either the "ism_infra.tgz" or the "ism_infra-4.2.0.tgz" file.
Step 1 Manually remove the non-CGV6 (CDS TV) configuration.
Step 2 Install the Cisco IOS XR Software Release 4.2.0 image on the ASR 9000 router.
Step 3 To handle version incompatibility between APIs of IOS XR and Linux software, run the following
commands as soon as the ISM LCP is in IOS XR RUN state. Delay may result in card reload due to API
mismatch.
RP/0/RSP0/CPU0#proc mandatory OFF fib_mgr location
RP/0/RSP0/CPU0#proc SHUTDOWN fib_mgr location
RP/0/RP0/CPU0:#admin
RP/0/RSP0/CPU0(admin)#debug sim reload-disable location
Step 4 Extract the ism_infra.tgz and kernel.rpm image from the tar file (available in the Download Software
page in Cisco.com) and copy the content to the disk on the RSP console.
RP/0/RSP0/CPU0#copy tftp:///ism_infra.tgz disk0:/
RP/0/RSP0/CPU0#copy tftp:///kernel.rpm disk0:/
Step 5 Copy kernel.rpm and ism_infra.tgz to X86 location.
a. Log into X86 CPU console and start the se_mbox_server process:
[root@localhost]# se_mbox_server -d
b. Log into ISM LC CPU and upload the images to X86:
#avsm_se_upload /disk0:/kernel.rpm
#avsm_se_upload /disk0:/ism_infra.tgz
c. After successful upload, the images should be available under /tmp directory in the X86 CPU.
Step 6 Install the images on X86:
[root@localhost /]# cd /tmp
[root@localhost tmp]# rpm -i --force kernel.rpm
[root@localhost tmp]# avsm_install ism_infra.tgz
Step 7 Run the following Cisco IOS XR Software Release 4.2.0 commands in admin mode, on RSP to install
the Services PIE:
RP/0/RSP0/CPU0#admin
(admin)#install add tftp:////asr9k-services-p.pie synchronous
activate
. . . . . . . . . . .
(admin)#exit
Step 8 Run the following Cisco IOS XR Software Release 4.2.0 commands on the RSP to set the service role
as cgn.
RP/0/RSP0/CPU0#config
(config)#hw-module service cgn location
(config)#commit
(config)#exit
Step 9 Revert the changes made in Step 3
RP/0/RSP0/CPU0#proc mandatory ON fib_mgr location
RP/0/RSP0/CPU0#proc START fib_mgr location
RP/0/RP0/CPU0:#admin
RP/0/RSP0/CPU0:(admin)#no debug sim reload-disable location
Step 10 Reload the ISM line card.
RP/0/RSP0/CPU0#hw-module location reload
Step 11 Wait for the card to return to SEOS-READY and proceed with ServiceInfra interface configuration.
Installing CGV6 Application on an ISM Running CDS-TV for Cisco IOS XR Software Release 4.2.1
From Cisco IOS XR Software Release 4.2.1 onwards, the CGv6 application can be installed on an ISM
line card directly without changing from CDS-IS to CDS-TV and then CGv6.
Step 1 Manually remove the non-CGV6 configuration, if any.
Step 2 Install the Cisco IOS XR Software Release 4.2.1 image (asr9k-mini-p/px.vm/pie) on the router.
Step 3 To handle version incompatibility between APIs of IOS XR and Linux software, run the following
commands in admin mode. Enter into maintenance mode by using the following command.
RP/0/RSP0/CPU0#admin
RP/0/RSP0/CPU0(admin)# download recovery to
The card must be in the following state:
RP/0/RSP0/CPU0# show platform
Node Type State Config State
------------------------------------------------------------------------------------------
0/5/CPU0 A9K-ISM-100(LCP) IOS XR RUN PWR,NSHUT,MON
0/5/CPU1 A9K-ISM-100(SE) RECOVERY MODE
Sometimes the card goes into the IN-RESET state because of multiple resets or because this step was
not executed for a long time.
Reload the card using the following command to recover from that state:
RP/0/RSP0/CPU0(admin)# hw-module location <ism_node_location> reload
Note The command must be executed in admin mode.
Step 4 To install the Services PIE on RSP, run the commands in admin mode:
RP/0/RSP0/CPU0#admin
(admin)#install add tftp:////asr9k-services-p.pie synchronous
activate
. . . . . . . . . . .
(admin)#exit
Step 5 To set the service role as cgn on RSP, run the following commands.
RP/0/RSP0/CPU0#config
(config)#hw-module service cgn location
(config)#commit
(config)#exit
Step 6 To install Linux images on RSP, run the commands in admin mode.
RP/0/RSP0/CPU0#admin
RP/0/RSP0/CPU0(admin)# download install-image from
to
Step 7 Wait around 12 to 14 minutes for the card to reach SEOS-READY. Then proceed with the ServiceInfra
interface configuration.
Change Role of ISM Line Card to CDS TV From CGv6 for Cisco IOS XR Software Release 4.2.1
To convert the ISM line card back to CDS TV from CGv6, perform the following procedure:
Step 1 Manually remove all the CGv6 configuration.
Step 2 Run the following Cisco IOS XR Software Release commands on the RSP to remove the CGv6 role on
Cisco IOS XR Software Release . By default, reverting the CGv6 role returns the CDS TV functionality
for ISM line cards running Cisco IOS XR Software Release 4.2.1.
RP/0/RSP0/CPU0#config
RP/0/RSP0/CPU0# no hw-module service cgn location
Step 3 Load the Cisco IOS XR Software Release image.
Step 4 Set the specific role for CDS-TV as required.
Step 5 Upgrade the FPD on the ISM line card if needed.
RP/0/RP0/CPU0:#admin
RP/0/RSP0/CPU0:(admin)#upgrade hw-module fpd fpga2 force location
Step 6 Download the recovery image.
RP/0/RSP0/CPU0:(admin)# download recovery-image location
Step 7 Copy the corresponding install kit to the x86 on a compatible XR image. In case of API version
incompatibilities between the Cisco IOS XR software and the Linux image on the ISM line card, you may
see the following error message while loading the Cisco IOS XR Software Release 4.2.1 image:
The sys_mgr process shuts down the fib_mgr process as fib_mgr is a mandatory
process.
Step 8 Run the following commands to turn this off during the install window.
RP/0/RSP0/CPU0#proc mandatory OFF fib_mgr location
RP/0/RSP0/CPU0#proc SHUTDOWN fib_mgr location
Step 9 Please run the following command to avoid ism_sia process crash during the Install window.
RP/0/RSP0/CPU0(admin)#debug sim reload-disable location
Step 10 Execute the CDSTV Install Kit:
a. Extract the install kit:
[root@sim100-rescue-linux tmp]#./cdstv_install-kit.sh
b. Execute the install script:
[root@sim100-rescue-linux tmp]# cd ism-install
[root@sim100-rescue-linux tmp]#./ism-install.sh
Step 11 Reload the ISM line card:
RP/0/RSP0/CPU0#hw-module location reload
Getting Started with the Carrier Grade IPv6
Perform these tasks to get started with the CGv6 configuration tasks.
• Configuring the Service Role, page 13
• Configuring the Service Instance and Location for the Carrier Grade IPv6, page 14
• Configuring the Service Virtual Interfaces, page 15
Configuring the Service Role
Perform this task to configure the service role on the specified location to start the CGv6 service.
Note Removal of service role is strictly not recommended while the card is active. This puts the card into
FAILED state, which is service impacting.
SUMMARY STEPS
1. configure
2. hw-module service cgn location node-id
3. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 hw-module service cgn location node-id
Example:
RP/0/RP0/CPU0:router(config)# hw-module service
cgn location 0/1/CPU0
Configures a CGv6 service role (cgn) on location
0/1/CPU0.
Step 3 end
or
commit
Example:
RP/0/RP0/CPU0:router(config)# end
or
RP/0/RP0/CPU0:router(config)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Service Instance and Location for the Carrier Grade IPv6
Perform this task to configure the service instance and location for the CGv6 application.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-location preferred-active node-id
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-location preferred-active node-id
Example:
RP/0/RP0/CPU0:router(config-cgn)#
service-location preferred-active 0/1/CPU0
Configures the active location for the CGv6 application.
Note The preferred-standby option is not supported.
Step 4 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Service Virtual Interfaces
• Configuring the Infrastructure Service Virtual Interface, page 16
• Configuring the Application Service Virtual Interface, page 17
Configuring the Infrastructure Service Virtual Interface
Perform this task to configure the infrastructure service virtual interface (SVI) to forward the control
traffic. The subnet mask length must be at least 30 (denoted as /30).
Note Do not remove or modify service infra interface configuration when the card is in Active state. The
configuration is service affecting and the line card must be reloaded for the changes to take effect.
SUMMARY STEPS
1. configure
2. interface ServiceInfra value
3. service-location node-id
4. ipv4 address address/mask
5. end
or
commit
6. reload
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface ServiceInfra value
Example:
RP/0/RP0/CPU0:router(config)# interface
ServiceInfra 1
RP/0/RP0/CPU0:router(config-if)#
Configures the infrastructure service virtual interface (SVI)
as 1 and enters CGv6 configuration mode.
Note Only one service infrastructure SVI can be
configured for a CGv6 instance.
Step 3 service-location node-id
Example:
RP/0/RP0/CPU0:router(config-if)#
service-location 0/1/CPU0
Configures the location of the CGv6 service for the
infrastructure SVI.
Step 4 ipv4 address address/mask
Example:
RP/0/RP0/CPU0:router(config-if)# ipv4 address
1.1.1.1/30
Sets the primary IPv4 address for an interface.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-if)# end
or
RP/0/RP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Step 6 reload
Example:
RP/0/RP0/CPU0:Router#hw-mod location 0/3/cpu0
reload
Once the configuration is complete, the card must be
reloaded for changes to take effect.
WARNING: This will take the requested node out
of service.
Do you wish to continue?[confirm(y/n)] y
Configuring the Application Service Virtual Interface
The following section lists guidelines for selecting ServiceApp interfaces for NAT44:
• Pair ServiceApp with ServiceApp, where is an odd integer. This is to ensure that
the ServiceApp pairs work with maximum throughput. For example, ServiceApp1 with
ServiceApp2 or ServiceApp3 with ServiceApp4.
• Pair ServiceApp with ServiceApp or ServiceApp, and so on, where is an odd
integer. However, keeping track of these associations can be error prone. For example,
ServiceApp1 with ServiceApp6, ServiceApp1 with ServiceApp10, ServiceApp3 with
ServiceApp8, or ServiceApp3 with ServiceApp12.
• Pair ServiceApp with ServiceApp, where is an integer (odd or even). For
example, ServiceApp1 with ServiceApp5, or ServiceApp2 with ServiceApp6. Although such
ServiceApp pairs work, the aggregate throughput for Inside-to-Outside and Outside-to-Inside traffic
for the ServiceApp pair is halved.
• Do not pair ServiceApp with ServiceApp, where is an even integer. When used,
Outside-to-Inside traffic is dropped because traffic flows in the wrong dispatcher and core.
• Do not pair ServiceApp with ServiceApp, where is an integer. When used,
Outside-to-Inside traffic is dropped because traffic flows in the wrong dispatcher and core.
One ServiceApp pair can be used as inside and the other as outside.
Perform the following tasks to configure the application service virtual interface (SVI) to forward data
traffic.
SUMMARY STEPS
1. configure
2. interface ServiceApp value
3. service cgn instance-name service-type nat44
4. vrf vrf-name
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 interface ServiceApp value
Example:
RP/0/RP0/CPU0:router(config)# interface
ServiceApp 1
RP/0/RP0/CPU0:router(config-if)#
Configures the application SVI as 1 and enters interface
configuration mode.
Step 3 service cgn instance-name service-type nat44
Example:
RP/0/RP0/CPU0:router(config-if)# service cgn
cgn1
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 4 vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-if)# vrf insidevrf1
Configures the VPN routing and forwarding (VRF) for the
Service Application interface.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-if)# end
or
RP/0/RP0/CPU0:router(config-if)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Service Type Keyword Definition
Perform this task to configure the service type keyword definition.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 instance-name
or
4. service-type ds-lite instance-name
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn nat44 instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6 NAT44
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring an Inside and Outside Address Pool Map
Perform this task to configure an inside and outside address pool map with the following scenarios:
• The designated address pool is used for CNAT.
• One inside VRF is mapped to only one outside VRF.
• Multiple non-overlapping address pools can be used in a specified outside VRF mapped to different
inside VRFs.
• The maximum outside public pool per ISM/CGv6 instance is 64 K or 65536 addresses. That is, if a /16
address pool is mapped, no other pool can be mapped to that particular ISM.
• Multiple inside VRFs cannot be mapped to the same outside address pool.
• While mapping an outside pool, the minimum prefix length is 16 and the maximum is 30.
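The constraints in the list above lend themselves to an offline pre-commit check. The following Python script is an added example, not Cisco's code: it validates a planned set of map address-pool lines and the ServiceInfra address against those constraints (the plan tuple layout, the function names and the sample VRF names are assumptions made for this example).

```python
"""Pre-commit check for a CGv6 NAT44 inside/outside pool-map plan.

Added example, not Cisco code. It encodes the constraints listed in this
section so a plan can be checked offline before it is committed:
  - the ServiceInfra mask length must be at least /30
  - an outside pool prefix length must be between /16 and /30
  - at most 64 K (65536) outside addresses per ISM/CGv6 instance
  - one inside VRF maps to only one outside VRF
  - several inside VRFs cannot share the same outside pool
  - pools mapped on one instance must not overlap
The plan tuple layout, function names and sample VRF names are assumptions.
"""
from ipaddress import IPv4Interface, IPv4Network
from typing import Dict, List, Tuple

MAX_OUTSIDE_ADDRESSES = 65536      # 64 K outside addresses per ISM (this section)
MIN_POOL_PREFIX, MAX_POOL_PREFIX = 16, 30
MIN_INFRA_PREFIX = 30

# One tuple per "map [outside-vrf <name>] address-pool <address/prefix>" line,
# listed in the order they would be committed (assumed layout).
PoolMap = Tuple[str, str, str]     # (inside_vrf, outside_vrf, "address/prefix")


def check_infra(infra_addr: str) -> List[str]:
    """Check the ServiceInfra ipv4 address/mask against the /30 minimum."""
    findings: List[str] = []
    if IPv4Interface(infra_addr).network.prefixlen < MIN_INFRA_PREFIX:
        findings.append(f"ServiceInfra {infra_addr}: mask length must be at least /{MIN_INFRA_PREFIX}")
    return findings


def check_pool_maps(maps: List[PoolMap]) -> List[str]:
    """Return one finding per map line that violates a constraint.

    Lines are evaluated in order; a rejected line does not consume any of the
    instance's address budget, mirroring a commit that would be refused.
    """
    findings: List[str] = []
    inside_to_outside: Dict[str, str] = {}      # inside VRF -> its single outside VRF
    pool_owner: Dict[IPv4Network, str] = {}     # accepted pool -> inside VRF using it
    used = 0                                    # outside addresses mapped so far
    for inside_vrf, outside_vrf, pool in maps:
        net = IPv4Network(pool, strict=False)
        if not MIN_POOL_PREFIX <= net.prefixlen <= MAX_POOL_PREFIX:
            findings.append(f"{inside_vrf}: pool {pool} prefix must be /16 to /30")
            continue
        first_outside = inside_to_outside.setdefault(inside_vrf, outside_vrf)
        if first_outside != outside_vrf:
            findings.append(f"{inside_vrf}: already mapped to outside VRF {first_outside}, "
                            f"cannot also map to {outside_vrf}")
            continue
        owner = pool_owner.get(net)
        if owner is not None:
            findings.append(f"{inside_vrf}: pool {pool} is already mapped by inside VRF {owner}")
            continue
        clash = [str(a) for a in pool_owner if a.overlaps(net)]
        if clash:
            findings.append(f"{inside_vrf}: pool {pool} overlaps {', '.join(clash)}")
            continue
        if used + net.num_addresses > MAX_OUTSIDE_ADDRESSES:
            findings.append(f"{inside_vrf}: pool {pool} exceeds the {MAX_OUTSIDE_ADDRESSES}-address "
                            f"limit for this ISM ({used} already mapped)")
            continue
        pool_owner[net] = inside_vrf
        used += net.num_addresses
    return findings


def check_plan(infra_addr: str, maps: List[PoolMap]) -> List[str]:
    """Run both checks; an empty list means the plan satisfies the constraints."""
    return check_infra(infra_addr) + check_pool_maps(maps)


# Constructed sample plan: the /16 from the Step 5 example fills the whole
# 64 K budget, so the second pool is refused even though it is valid on its own.
SAMPLE_INFRA = "1.1.1.1/30"
SAMPLE_MAPS: List[PoolMap] = [
    ("insidevrf1", "outsidevrf1", "10.10.0.0/16"),
    ("insidevrf2", "outsidevrf1", "100.1.0.0/24"),
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_INFRA, SAMPLE_MAPS) or ["plan OK"]:
        print(finding)
```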
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. map [outside-vrf outside-vrf-name] address-pool address/prefix
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures an inside VRF named insidevrf1 and enters
CGv6 inside VRF configuration mode.
Step 5 map [outside-vrf outside-vrf-name] address-pool
address/prefix
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# map
outside-vrf outsidevrf1 address-pool
10.10.0.0/16
or
RP/0/RP0/CPU0:router(config-cgn-invrf)# map
address-pool 100.1.0.0/16
Configures an inside VRF to an outside VRF and address
pool mapping.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-afi)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-afi)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Policy Functions for NAT44
• Configuring the Port Limit Per Subscriber, page 22
• Configuring the Timeout Value for the Protocol, page 24
• Configuring the TCP Adjustment Value for the Maximum Segment Size, page 29
• Configuring the Refresh Direction for the Network Address Translation, page 30
• Configuring Static Port Forwarding, page 31
• Configuring the Dynamic Port Ranges, page 33
Configuring the Port Limit Per Subscriber
Perform this task to configure the port limit per subscriber for the system, which covers TCP, UDP, and
ICMP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. portlimit value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 portlimit value
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
portlimit 10
Limits the number of entries per address for each subscriber
of the system.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the Protocol
• Configuring the Timeout Value for the ICMP Protocol, page 24
• Configuring the Timeout Value for the TCP Session, page 26
• Configuring the Timeout Value for the UDP Session, page 27
Configuring the Timeout Value for the ICMP Protocol
Perform this task to configure the timeout value for the ICMP type for the CGv6 instance.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. protocol icmp
5. timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 protocol icmp
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
protocol icmp
RP/0/RP0/CPU0:router(config-cgn-proto)#
Configures the ICMP protocol session. The example shows
how to configure the ICMP protocol for the CGv6 instance
named cgn1.
Step 5 timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# timeout
908
Configures the timeout value as 908 for the ICMP session
for the CGv6 instance named cgn1.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the TCP Session
Perform this task to configure the timeout value for either the active or initial sessions for TCP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. protocol tcp
5. session {active | initial} timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-proto)#
Configures the TCP protocol session. The example shows
how to configure the TCP protocol for the CGv6 instance
named cgn1.
Step 5 session {active | initial} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# session
initial timeout 90
Configures the timeout value as 90 for the TCP session. The
example shows how to configure the initial session timeout.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the UDP Session
Perform this task to configure the timeout value for either the active or initial sessions for UDP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. protocol udp
5. session {active | initial} timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 protocol udp
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
protocol udp
RP/0/RP0/CPU0:router(config-cgn-proto)#
Configures the UDP protocol sessions. The example shows how to configure the UDP protocol for the CGv6 instance named cgn1.
Step 5 session {active | initial} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# session
active timeout 90
Configures the timeout value as 90 for the UDP session. The
example shows how to configure the active session timeout.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
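The initial and active timeouts configured above decide how long an idle UDP mapping stays in the translation table, and therefore how long a translated port remains bound and reachable from the outside. The following Python model is an added illustration, not code from the Cisco guide or from IOS XR: a mapping is created by the first outbound packet, stays in the initial state until an inbound reply is seen, and is then governed by the active timeout. The model assumes that only outbound packets refresh the idle timer and hands out translated ports sequentially from a constructed start value; the timeouts, addresses and port numbers used in the demo are constructed sample values.

```python
"""Model of how CGN NAT44 UDP session timeouts govern the translation table.

A mapping is created by the first outbound packet and is 'initial' until an
inbound reply is seen; after that the 'active' timeout applies.  Only outbound
packets refresh the idle timer in this model, so an outside party cannot keep a
mapping alive on its own.  Added illustration, not Cisco IOS XR code.
"""
from dataclasses import dataclass


@dataclass
class Session:
    inside: tuple          # (private IP, private port) of the subscriber flow
    outside_port: int      # translated source port on the public address
    last_seen: float       # time of the last outbound packet
    active: bool = False   # False until an inbound reply has been seen


class UdpSessionTable:
    def __init__(self, initial_timeout, active_timeout, port_start=1024):
        # The two timeouts play the role of 'session initial timeout' and
        # 'session active timeout'; port_start is a constructed value.
        self.initial_timeout = initial_timeout
        self.active_timeout = active_timeout
        self.next_port = port_start
        self.sessions = {}     # inside (ip, port) -> Session
        self.by_outside = {}   # translated port -> inside (ip, port)

    def outbound(self, now, inside):
        """Outbound packet: create a mapping or refresh an existing one."""
        self.expire(now)
        s = self.sessions.get(inside)
        if s is None:
            s = Session(inside, self.next_port, now)
            self.next_port += 1
            self.sessions[inside] = s
            self.by_outside[s.outside_port] = inside
        else:
            s.last_seen = now
        return s.outside_port

    def inbound(self, now, outside_port):
        """Inbound packet: delivered only if a mapping exists; the mapping becomes active."""
        self.expire(now)
        key = self.by_outside.get(outside_port)
        if key is None:
            return None            # no mapping: the packet is dropped
        self.sessions[key].active = True
        return key

    def timeout_for(self, s):
        return self.active_timeout if s.active else self.initial_timeout

    def expire(self, now):
        """Drop mappings idle longer than their state's timeout; returns the count removed."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen > self.timeout_for(s)]
        for k in dead:
            s = self.sessions.pop(k)
            del self.by_outside[s.outside_port]
        return len(dead)


if __name__ == "__main__":
    # Constructed timeouts: a short initial timeout, a longer active one.
    table = UdpSessionTable(initial_timeout=30, active_timeout=90)
    table.outbound(0, ("10.0.0.1", 5000))    # gets a reply below
    table.outbound(0, ("10.0.0.2", 6000))    # never answered
    table.inbound(10, 1024)
    print("expired at t=50:", table.expire(50))    # the unanswered mapping
    print("expired at t=100:", table.expire(100))  # the active mapping
```

The unanswered mapping disappears after the initial timeout, while the answered one is held for the active timeout counted from its last outbound packet; shortening the initial timeout is what limits how many ports unanswered probes can tie up.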
Configuring the TCP Adjustment Value for the Maximum Segment Size
Perform this task to configure the adjustment value for the maximum segment size (MSS) for the VRF.
You can configure the TCP MSS adjustment value on each VRF.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. protocol tcp
6. mss size
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGv6 instance named
cgn1 and enters CGv6 inside VRF configuration mode.
Step 5 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)#
Configures the TCP protocol session and enters CGv6
inside VRF AFI protocol configuration mode.
Step 6 mss size
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-afi-proto)# mss 1100
Configures the adjustment MSS value as 1100 for the inside VRF.
Step 7 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Refresh Direction for the Network Address Translation
Perform this task to configure the NAT mapping refresh direction as outbound for TCP and UDP traffic.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. refresh-direction Outbound
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6 application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type nat44 nat1
Configures the service type keyword definition for CGv6 NAT44 application.
Step 4 refresh-direction Outbound
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# protocol tcp
RP/0/RP0/CPU0:router(config-cgn-proto)# refresh-direction Outbound
Configures the NAT mapping refresh direction as outbound for the CGv6 instance named cgn1.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn)# end
or
RP/0/RP0/CPU0:router(config-cgn)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring Static Port Forwarding
Perform this task to configure static port forwarding for reserved or nonreserved port numbers.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. protocol tcp
6. static-forward inside
7. address address port number
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)#
inside-vrf insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGv6 instance named
cgn1 and enters CGv6 inside VRF configuration mode.
Step 5 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)#
Configures the TCP protocol session and enters CGv6
inside VRF AFI protocol configuration mode.
Step 6 static-forward inside
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-proto)# static-forward inside
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)#
Configures the CGv6 static port forwarding entries on reserved or nonreserved ports and enters CGv6 inside static port inside configuration mode.
Step 7 address address port number
Example:
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# address 1.2.3.4 port 90
Configures the CGv6 static port forwarding entries for the inside VRF.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# end
or
RP/0/RP0/CPU0:router(config-cgn-ivrf-sport-inside)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Dynamic Port Ranges
Perform this task to configure dynamic port ranges for TCP, UDP, and ICMP ports. The default value range of 0 to 1023 is preserved and not used for dynamic translations. Therefore, if the value of dynamic port range start is not configured explicitly, the dynamic port range value starts at 1024.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. dynamic port range start value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6 application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type nat44 nat1
Configures the service type keyword definition for CGv6 NAT44 application.
Step 4 dynamic port range start value
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# dynamic port range start 1024
Configures the value of dynamic port range start for a CGv6 NAT 44 instance. The value can range from 1 to 65535.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-nat44)# end
or
RP/0/RP0/CPU0:router(config-cgn-nat44)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Export and Logging for the Network Address Translation Table Entries
• Configuring the Server Address and Port for Netflow Logging, page 35
• Configuring the Path Maximum Transmission Unit for Netflow Logging, page 36
• Configuring the Refresh Rate for Netflow Logging, page 38
• Configuring the Timeout for Netflow Logging, page 40
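The port-range, static-forward and export settings in this chapter are the ones a security reviewer checks on a CGN: without an export target, a translated flow cannot be traced back to the subscriber who originated it, and a static forward on a reserved port deliberately exposes an inside host to unsolicited inbound traffic. The following Python audit script is an added example, not part of the Cisco guide or of IOS XR. It parses a NAT44 configuration in the indentation-based form of a running-config and reports: inside VRFs with no external-logging server, a dynamic port range start that falls inside the reserved 0 to 1023 range, and static forwards on reserved ports. The command tree follows the tasks in this chapter, but the exact running-config layout is an assumption, and every address and port in SAMPLE_CONFIG is a constructed sample value.

```python
"""Audit an IOS XR CGv6 NAT44 configuration for traceability and exposure settings.

Added example; the running-config layout below is an assumption and all
addresses and ports are constructed sample values.
"""
from dataclasses import dataclass, field
import re

RESERVED_PORT_MAX = 1023   # the 0-1023 range that the default dynamic range start skips


@dataclass
class Node:
    text: str
    children: list = field(default_factory=list)


def parse_config(text):
    """Build a tree from an indentation-based configuration block."""
    root = Node("")
    stack = [(-1, root)]            # (indent, node) for the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = Node(raw.strip())
        while stack[-1][0] >= indent:   # climb back to the parent level
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def child(node, prefix):
    """First child whose text starts with prefix, or None."""
    for c in node.children:
        if c.text.startswith(prefix):
            return c
    return None


def children(node, prefix):
    return [c for c in node.children if c.text.startswith(prefix)]


def audit_nat44(config_text):
    """Return a list of human-readable findings for every NAT44 service-type."""
    findings = []
    root = parse_config(config_text)
    for cgn in children(root, "service cgn "):
        inst = cgn.text.split()[2]
        for nat in children(cgn, "service-type nat44 "):
            dpr = child(nat, "dynamic port range start ")
            if dpr is not None:
                start = int(dpr.text.split()[-1])
                if start <= RESERVED_PORT_MAX:
                    findings.append(f"{inst}: dynamic port range starts at {start}, "
                                    f"inside the reserved 0-1023 range")
            for vrf in children(nat, "inside-vrf "):
                vrf_name = vrf.text.split()[1]
                # An export target (netflowv9 or syslog) with a server address is
                # what makes a translated flow attributable to a subscriber.
                logging_ok = False
                for ext in children(vrf, "external-logging "):
                    srv = child(ext, "server")
                    if srv is not None and child(srv, "address ") is not None:
                        logging_ok = True
                if not logging_ok:
                    findings.append(f"{inst}/{vrf_name}: no external-logging server configured")
                # Static forwards on reserved ports expose an inside service.
                for proto in children(vrf, "protocol "):
                    sf = child(proto, "static-forward inside")
                    if sf is None:
                        continue
                    for entry in children(sf, "address "):
                        m = re.match(r"address (\S+) port (\d+)", entry.text)
                        if m and int(m.group(2)) <= RESERVED_PORT_MAX:
                            findings.append(f"{inst}/{vrf_name}: static forward "
                                            f"{m.group(1)}:{m.group(2)} ({proto.text}) "
                                            f"uses a reserved port")
    return findings


# Constructed sample: one VRF exports Netflow v9, the other exports nothing.
SAMPLE_CONFIG = """\
service cgn cgn1
 service-type nat44 nat1
  dynamic port range start 1024
  protocol udp
   session initial timeout 90
   session active timeout 90
  inside-vrf insidevrf1
   protocol tcp
    mss 1100
    static-forward inside
     address 1.2.3.4 port 90
   external-logging netflowv9
    server
     address 2.3.4.5 port 45
     path-mtu 2900
     refresh-rate 50
     timeout 50
  inside-vrf insidevrf2
   protocol tcp
    static-forward inside
     address 1.2.3.5 port 8080
"""

if __name__ == "__main__":
    for line in audit_nat44(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the script reports the reserved-port forward in insidevrf1 and the missing export target in insidevrf2; the port range start of 1024 produces no finding because it matches the default that keeps the reserved range untouched.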
Configuring the Server Address and Port for Netflow Logging
Perform this task to configure the server address and port to log network address translation (NAT) table
entries for Netflow logging.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. address address port number
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# inside-vrf
insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGv6 instance named
cgn1 and enters CGv6 inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)# external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)#
Configures the external-logging facility for the CGv6 instance named cgn1 and enters CGv6 inside VRF address family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)#
Configures the logging server information for the IPv4 address and port for the server that is used for the netflowv9-based external-logging facility and enters CGv6 inside VRF address family external logging server configuration mode.
Step 7 address address port number
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# address 2.3.4.5 port 45
Configures the IPv4 address and port number 45 to log Netflow entries for the NAT table.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Path Maximum Transmission Unit for Netflow Logging
Perform this task to configure the path maximum transmission unit (MTU) for the netflowv9-based external-logging facility for the inside VRF.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. path-mtu value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# inside-vrf
insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGv6 instance named
cgn1 and enters CGv6 inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
)#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGv6
inside VRF address family external logging server
configuration mode.
Step 7 path-mtu value
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# path-mtu 2900
Configures the path MTU with the value of 2900 for the netflowv9-based external-logging facility.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Refresh Rate for Netflow Logging
Perform this task to configure the refresh rate at which the Netflow-v9 logging templates are refreshed or resent to the Netflow-v9 logging server.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. refresh-rate value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# inside-vrf
insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGv6 instance named
cgn1 and enters CGv6 inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
)#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflow-v9 based external-logging facility and enters CGv6
inside VRF address family external logging server
configuration mode.
Step 7 refresh-rate value
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# refresh-rate 50
Configures the refresh rate value of 50 to log Netflow-based external logging information for an inside VRF.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring the Timeout for Netflow Logging
Perform this task to configure the frequency in minutes at which the Netflow-V9 logging templates are to be sent to the Netflow-v9 logging server.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type nat44 nat1
4. inside-vrf vrf-name
5. external-logging netflowv9
6. server
7. timeout value
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type nat44 nat1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
nat44 nat1
Configures the service type keyword definition for CGv6
NAT44 application.
Step 4 inside-vrf vrf-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# inside-vrf
insidevrf1
RP/0/RP0/CPU0:router(config-cgn-invrf)#
Configures the inside VRF for the CGv6 instance named
cgn1 and enters CGv6 inside VRF configuration mode.
Step 5 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
)#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 inside VRF address
family external logging configuration mode.
Step 6 server
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
)# server
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog
-server)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGv6
inside VRF address family external logging server
configuration mode.
Step 7 timeout value
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# timeout 50
Configures the timeout value of 50 for Netflow logging of NAT table entries for an inside VRF.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# end
or
RP/0/RP0/CPU0:router(config-cgn-invrf-af-extlog-server)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring DS Lite Feature on ISM Line Card
• Configuring a DS Lite Instance, page 42
• Configuring an Address Pool Map for a DS-Lite Instance, page 44
• Configuring Syslog for a DS Lite Instance, page 46
• Configuring Bulk Port Allocation for a DS Lite Instance, page 45
• Configuring IPv6 Tunnel Endpoint Address for a DS-Lite Instance, page 48
• Configuring the Path Maximum Transmission Unit for a DS-Lite Instance, page 49
• Configuring the Port Limit Per Subscriber for a DS-Lite Instance, page 51
• Configuring the Timeout Value for the Protocol for a DS-Lite Instance, page 52
• Configuring the TCP Adjustment Value for the Maximum Segment Size for a DS-Lite Instance, page 57
• Configuring the Export and Logging for a DS-Lite Instance, page 59
Configuring a DS Lite Instance
Perform this task to configure an instance of the DS-Lite application:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring an Address Pool Map for a DS-Lite Instance
Perform this task to configure an address pool map for a DS-Lite instance:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. map address-pool address/prefix
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 map address-pool address/prefix
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# map address-pool 10.10.0.0/16
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# map address-pool 100.1.0.0/16
Configures an address pool mapping.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring Bulk Port Allocation for a DS Lite Instance
Perform this task to configure bulk port allocation for a DS Lite instance to reduce Netflow or Syslog data volume:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite ds-lite1
4. bulk-port-alloc size number of ports
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6 application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type ds-lite ds-lite1
Configures the service type keyword definition for CGv6 DS-Lite application.
Step 4 bulk-port-alloc size number of ports
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# bulk-port-alloc size 64
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Allocates ports in bulk to reduce Netflow/Syslog data volume.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# commit
Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
– Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
– Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Configuring Syslog for a DS Lite Instance
Perform this task to configure syslog data for a DS Lite instance:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. external-logging syslog
5. server
6. address server ip address
7. port server port number
8. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 external-logging syslog
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging syslog
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#
Configures the syslog data for the CGv6 instance named
cgn1 and enters CGv6 DS-Lite external logging configuration mode.
Step 5 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the server used to log syslog data.
Step 6 address server IP address
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# address 100.2.1.1
Configures the server IP address.
Step 7 port server port number
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# address 100.2.1.1 port 256
Configures the server port number.
Step 8 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring IPv6 Tunnel Endpoint Address for a DS-Lite Instance
Perform this task to configure the IPv6 tunnel endpoint address for a DS-Lite instance:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. aftr-tunnel-endpoint-address X:X::X IPv6 address
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 aftr-tunnel-endpoint-address X:X::X IPv6
address
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
aftr-tunnel-endpoint-address 10:2::10
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures an IPv6 tunnel endpoint address.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Path Maximum Transmission Unit for a DS-Lite Instance
Perform this task to configure the path maximum transmission unit (MTU) for a DS-Lite instance:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance name
4. path-mtu value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 path-mtu value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
path-mtu 2000
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the path MTU with the value of 2000 for the
ds-lite instance.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Port Limit Per Subscriber for a DS-Lite Instance
Perform this task to configure the port limit per subscriber for the system that includes TCP, UDP, and
ICMP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. port-limit value
5. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 port-limit value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
port-limit 65
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the port value that restricts the number of
translations for the ds-lite instance.
Step 5 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the Protocol for a DS-Lite Instance
• Configuring the Timeout Value for the ICMP Protocol, page 24
• Configuring the Timeout Value for the TCP Session, page 26
• Configuring the Timeout Value for the UDP Session, page 27
Configuring the Timeout Value for the ICMP Protocol
Perform this task to configure the timeout value for the ICMP type for the DS-Lite instance.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. protocol icmp
5. timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 protocol icmp
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
protocol icmp
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
Configures the ICMP protocol session.
Step 5 timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
timeout 90
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
Configures the timeout value for the ICMP session.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the TCP Session
Perform this task to configure the timeout value for either the active or initial sessions for TCP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. protocol tcp
5. session {active | init} timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
Configures the TCP protocol session.
Step 5 session {active | initial} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)# session
initial timeout 90
Configures the timeout value for the TCP session. The
example shows how to configure the initial session timeout.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout Value for the UDP Session
Perform this task to configure the timeout value for either the active or initial sessions for UDP.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. protocol udp
5. session {active | init} timeout seconds
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 protocol udp
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
protocol udp
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
Configures the UDP protocol session.
Step 5 session {active | initial} timeout seconds
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)# session
initial timeout 90
Configures the timeout value for the UDP session. The
example shows how to configure the initial session timeout.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the TCP Adjustment Value for the Maximum Segment Size for a DS-Lite Instance
Perform this task to configure the adjustment value for the maximum segment size (MSS) for the
DS-Lite instance.
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. protocol tcp
5. mss size
6. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite ds-lite1
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 protocol tcp
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
protocol tcp
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
Configures the TCP protocol session.
Step 5 mss size
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)# mss 90
Configures the maximum segment size value for TCP sessions
for a ds-lite instance.
Step 6 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-proto)#
commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Export and Logging for a DS-Lite Instance
• Configuring the Server Address and Port for Netflow Logging, page 59
• Configuring the Path Maximum Transmission Unit for Netflow Logging, page 60
• Configuring the Refresh Rate for Netflow Logging, page 62
• Configuring the Timeout for Netflow Logging, page 64
Configuring the Server Address and Port for Netflow Logging
Perform this task to configure the server address and port to log DS-Lite table entries for Netflow
logging:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. external-logging netflowv9
5. server
6. address address port number
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 external logging
configuration mode.
Step 5 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGv6
external logging server configuration mode.
Step 6 address address port number
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# address 10.3.20.130 port 45
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the IPv4 address and port number to log Netflow
entries for the DS-Lite instance.
Step 7 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Path Maximum Transmission Unit for Netflow Logging
Perform this task to configure the path maximum transmission unit (MTU) for the netflowv9-based
external-logging facility for a DS-Lite instance:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. external-logging netflowv9
5. server
6. path-mtu value
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 external logging
configuration mode.
Step 5 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGv6
external logging server configuration mode.
Step 6 path-mtu value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# path-mtu 200
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the path MTU with the value of 200 for the
netflowv9-based external-logging facility.
Step 7 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Refresh Rate for Netflow Logging
Perform this task to configure the refresh rate at which the Netflow-v9 logging templates are refreshed
or resent to the Netflow-v9 logging server:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. external-logging netflowv9
5. server
6. refresh-rate value
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 external logging
configuration mode.
Step 5 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)# server
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGv6
external logging server configuration mode.
Step 6 refresh-rate value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# refresh-rate 200
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the refresh rate value of 200 to log
Netflow-based external logging information.
Step 7 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuring the Timeout for Netflow Logging
Perform this task to configure the frequency in minutes at which the Netflow-V9 logging templates are
to be sent to the Netflow-v9 logging server:
SUMMARY STEPS
1. configure
2. service cgn instance-name
3. service-type ds-lite instance-name
4. external-logging netflowv9
5. server
6. timeout value
7. end
or
commit
DETAILED STEPS
Command or Action Purpose
Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure
Enters global configuration mode.
Step 2 service cgn instance-name
Example:
RP/0/RP0/CPU0:router(config)# service cgn cgn1
RP/0/RP0/CPU0:router(config-cgn)#
Configures the instance named cgn1 for the CGv6
application and enters CGv6 configuration mode.
Step 3 service-type ds-lite instance-name
Example:
RP/0/RP0/CPU0:router(config-cgn)# service-type
ds-lite ds-lite1
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
Configures the service type keyword definition for CGv6
DS-Lite application.
Step 4 external-logging netflowv9
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite)#
external-logging netflowv9
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)
#
Configures the external-logging facility for the CGv6
instance named cgn1 and enters CGv6 external logging
configuration mode.
Step 5 server
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlog)
# server
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)#
Configures the logging server information for the IPv4
address and port for the server that is used for the
netflowv9-based external-logging facility and enters CGv6
external logging server configuration mode.
Step 6 timeout value
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# timeout 200
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)
Configures the timeout value of 200 for Netflow logging of
the DS-Lite instance.
Step 7 end
or
commit
Example:
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# end
or
RP/0/RP0/CPU0:router(config-cgn-ds-lite-extlogserver)# commit
Saves configuration changes.
• When you issue the end command, the system prompts
you to commit changes:
Uncommitted changes found, commit them before
exiting (yes/no/cancel)?
[cancel]:
– Entering yes saves configuration changes to the
running configuration file, exits the configuration
session, and returns the router to EXEC mode.
– Entering no exits the configuration session and
returns the router to EXEC mode without
committing the configuration changes.
– Entering cancel leaves the router in the current
configuration session without exiting or
committing the configuration changes.
• Use the commit command to save the configuration
changes to the running configuration file and remain
within the configuration session.
Configuration Examples for Implementing the CGv6
This section provides the following configuration examples for CGN:
• Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example, page 66
• Configuring a Different Inside VRF Map to a Same Outside VRF for NAT44: Example, page 67
• NAT44 Configuration: Example, page 68
• DS Lite Configuration: Example, page 71
Configuring a Different Inside VRF Map to a Different Outside VRF for NAT44: Example
This example shows how to configure a different inside VRF map to a different outside VRF and
different outside address pools:
service cgn cgn1
inside-vrf insidevrf1
map outside-vrf outsidevrf1 address-pool 100.1.1.0/24
!
!
inside-vrf insidevrf2
map outside-vrf outsidevrf2 address-pool 100.1.2.0/24
!
service-location preferred-active 0/2/cpu0
!
interface ServiceApp 1
vrf insidevrf1
ipv4 address 210.1.1.1 255.255.255.0
service cgn cgn1
!
router static
vrf insidevrf1
0.0.0.0/0 serviceapp 1
!
!
interface ServiceApp 2
vrf outsidevrf1
ipv4 address 211.1.1.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf outsidevrf1
100.1.1.0/24 serviceapp 2
!
!
interface ServiceApp 3
vrf insidevrf2
ipv4 address 1.1.1.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf insidevrf2
0.0.0.0/0 serviceapp 3
!
!
interface ServiceApp 4
vrf outsidevrf2
ipv4 address 2.2.2.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf outsidevrf2
100.1.2.0/24 serviceapp 4
Configuring a Different Inside VRF Map to a Same Outside VRF for NAT44: Example
This example shows how to configure a different inside VRF map to the same outside VRF but with
different outside address pools:
service cgn cgn1
inside-vrf insidevrf1
map outside-vrf outsidevrf address-pool 100.1.1.0/24
!
!
inside-vrf insidevrf2
map outside-vrf outsidevrf address-pool 100.1.2.0/24
!
service-location preferred-active 0/2/cpu0
!
interface ServiceApp 1
vrf insidevrf1
ipv4 address 210.1.1.1 255.255.255.0
service cgn cgn1
!
router static
vrf insidevrf1
0.0.0.0/0 serviceapp 1
!
!
interface ServiceApp 2
vrf outsidevrf
ipv4 address 211.1.1.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
!
interface ServiceApp 3
vrf insidevrf2
ipv4 address 1.1.1.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf insidevrf2
0.0.0.0/0 serviceapp 3
!
!
interface ServiceApp 4
vrf outsidevrf
ipv4 address 2.2.2.1 255.255.255.0
service cgn cgn1
service-type nat44 nat1
!
router static
vrf outsidevrf
100.1.1.0/24 serviceapp 2
100.1.2.0/24 serviceapp 4
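Both VRF-map examples above depend on the same three things agreeing: each inside VRF needs a default route into an inside ServiceApp, and each outside VRF needs a route for the mapped address pool back through an outside ServiceApp, or traffic is never steered through the CGN in one direction. The following consistency checker is an added example, not Cisco's code; the configuration it parses is constructed from the "same outside VRF" example, and its regular expressions assume the indented running-config layout IOS XR prints.

```python
"""Consistency check for a CGN NAT44 inside/outside VRF map (added example, not Cisco's code).
Parses a show-running-config style excerpt modelled on the example above and verifies that
the VRF map, the ServiceApp interfaces and the static routes agree. SAMPLE_CONFIG is
constructed for the demo, indented as IOS XR prints it, with most '!' terminators omitted."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """\
service cgn cgn1
 inside-vrf insidevrf1
  map outside-vrf outsidevrf address-pool 100.1.1.0/24
 inside-vrf insidevrf2
  map outside-vrf outsidevrf address-pool 100.1.2.0/24
!
interface ServiceApp 1
 vrf insidevrf1
interface ServiceApp 2
 vrf outsidevrf
interface ServiceApp 3
 vrf insidevrf2
interface ServiceApp 4
 vrf outsidevrf
router static
 vrf insidevrf1
  0.0.0.0/0 serviceapp 1
 vrf insidevrf2
  0.0.0.0/0 serviceapp 3
 vrf outsidevrf
  100.1.1.0/24 serviceapp 2
  100.1.2.0/24 serviceapp 4
!
"""
# Constructed faulty variants: pool route missing; pools of the two inside VRFs overlap.
MISSING_POOL_ROUTE = SAMPLE_CONFIG.replace("  100.1.2.0/24 serviceapp 4\n", "")
OVERLAPPING_POOLS = SAMPLE_CONFIG.replace("100.1.2.0/24", "100.1.1.128/25")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def parse_config(text: str):
    """Return (inside vrf -> (outside vrf, pool), serviceapp -> vrf, vrf -> {prefix: serviceapp})."""
    maps: Dict[str, Tuple[str, ipaddress.IPv4Network]] = {}
    app_vrf: Dict[int, str] = {}
    routes: Dict[str, Dict[ipaddress.IPv4Network, int]] = {}
    top, cur_vrf, cur_app = "", "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # unindented line starts a new top-level block
            top, cur_vrf = line, ""
            m = re.match(r"interface ServiceApp\s*(\d+)$", line, re.I)
            cur_app = int(m.group(1)) if m else None
        elif top.startswith("service cgn"):
            m = re.match(r"inside-vrf (\S+)$", line)
            if m:
                cur_vrf = m.group(1)
            m = re.match(r"map outside-vrf (\S+) address-pool (\S+)$", line)
            if m and cur_vrf:
                maps[cur_vrf] = (m.group(1), ipaddress.ip_network(m.group(2), strict=False))
        elif cur_app is not None:
            m = re.match(r"vrf (\S+)$", line)
            if m:
                app_vrf[cur_app] = m.group(1)
        elif top == "router static":
            m = re.match(r"vrf (\S+)$", line)
            if m:
                cur_vrf = m.group(1)
            m = re.match(r"(\S+) serviceapp\s*(\d+)$", line, re.I)
            if m and cur_vrf:
                routes.setdefault(cur_vrf, {})[ipaddress.ip_network(m.group(1))] = int(m.group(2))
    return maps, app_vrf, routes


def check_nat44_map(text: str) -> List[str]:
    """Return a list of findings; an empty list means the mapping is consistent."""
    maps, app_vrf, routes = parse_config(text)
    apps_in: Dict[str, Set[int]] = {}
    for app, vrf in app_vrf.items():
        apps_in.setdefault(vrf, set()).add(app)
    findings: List[str] = []
    for inside, (outside, pool) in maps.items():
        in_apps = apps_in.get(inside, set())
        out_apps = apps_in.get(outside, set())
        if not in_apps:
            findings.append(f"{inside}: no ServiceApp interface in this inside VRF")
        if not out_apps:
            findings.append(f"{outside}: no ServiceApp interface in this outside VRF")
        # Inside traffic must be steered to the CGN: default route via an inside ServiceApp
        if routes.get(inside, {}).get(DEFAULT) not in in_apps:
            findings.append(f"{inside}: default route does not point at an inside ServiceApp")
        # Return traffic for the pool must come back through an outside ServiceApp
        if routes.get(outside, {}).get(pool) not in out_apps:
            findings.append(f"{outside}: no route for pool {pool} via an outside ServiceApp")
    entries = list(maps.items())  # overlapping pools make translated flows ambiguous
    for i, (a, (_, pa)) in enumerate(entries):
        for b, (_, pb) in entries[i + 1:]:
            if pa.overlaps(pb):
                findings.append(f"address pools of {a} and {b} overlap ({pa}, {pb})")
    return findings
```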
NAT44 Configuration: Example
This example shows a NAT44 sample configuration:
[Figure 281590: NAT44 sample topology. Labels recovered from the figure: IPv4 hosts 40.22.22.22/16 and 41.22.22.22/16; Gig 0/3/0/0.1; Gig 0/6/5/0.1; VRF InsideCustomer1; ServiceApp1; CGSE with address pool 100.0.0.0/24; ServiceApp2; VRF OutsideCustomer1; Gig 0/6/5/1.1; NAT Bypass; IPv4 hosts 180.1.1.1/16 and 181.1.1.1/16.]
IPv4: 40.22.22.22/16
!
interface Loopback40
description IPv4 Host for NAT44
ipv4 address 40.22.22.22 255.255.0.0
!
interface Loopback41
description IPv4 Host for NAT44
ipv4 address 41.22.22.22 255.255.0.0
!
interface GigabitEthernet0/3/0/0.1
description Connected to P2_ASR9000-8 GE 0/6/5/0.1
ipv4 address 10.222.5.22 255.255.255.0
dot1q vlan 1
!
router static
address-family ipv4 unicast
180.1.0.0/16 10.222.5.2
181.1.0.0/16 10.222.5.2
!
!
Hardware Configuration for ISM
!
vrf InsideCustomer1
address-family ipv4 unicast
!
!
vrf OutsideCustomer1
address-family ipv4 unicast
!
!
hw-module service cgn location 0/3/CPU0
!
!
interface GigabitEthernet0/6/5/0.1
vrf InsideCustomer1
ipv4 address 10.222.5.2 255.255.255.0
dot1q vlan 1
!
interface GigabitEthernet0/6/5/1.1
vrf OutsideCustomer1
ipv4 address 10.12.13.2 255.255.255.0
dot1q vlan 1
!
interface ServiceApp1
vrf InsideCustomer1
ipv4 address 1.1.1.1 255.255.255.252
service cgn cgn1 service-type nat44
!
interface ServiceApp2
vrf OutsideCustomer1
ipv4 address 2.1.1.1 255.255.255.252
service cgn cgn1 service-type nat44
!
interface ServiceInfra1
ipv4 address 75.75.75.75 255.255.255.0
service-location 0/3/CPU0
!
!
router static
!
vrf InsideCustomer1
address-family ipv4 unicast
0.0.0.0/0 ServiceApp1
40.22.0.0/16 10.222.5.22
41.22.0.0/16 10.222.5.22
181.1.0.0/16 vrf OutsideCustomer1 GigabitEthernet0/6/5/1.1 10.12.13.1
!
!
vrf OutsideCustomer1
address-family ipv4 unicast
40.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22
41.22.0.0/16 vrf InsideCustomer1 GigabitEthernet0/6/5/0.1 10.222.5.22
100.0.0.0/24 ServiceApp2
180.1.0.0/16 10.12.13.1
181.1.0.0/16 10.12.13.1
!
!
!
ISM Configuration
service cgn cgn1
service-location preferred-active 0/3/CPU0
service-type nat44 nat44
portlimit 200
alg ActiveFTP
inside-vrf InsideCustomer1
map outside-vrf OutsideCustomer1 address-pool 100.0.0.0/24
protocol tcp
static-forward inside
address 41.22.22.22 port 80
!
!
protocol icmp
static-forward inside
address 41.22.22.22 port 80
!
!
external-logging netflow version 9
server
address 172.29.52.68 port 2055
refresh-rate 600
timeout 100
!
!
!
!
!
IPv4: 180.1.1.1/16
!
interface Loopback180
description IPv4 Host for NAT44
ipv4 address 180.1.1.1 255.255.0.0
!
interface Loopback181
description IPv4 Host for NAT44
ipv4 address 181.1.1.1 255.255.0.0
!
interface GigabitEthernet0/6/5/1.1
ipv4 address 10.12.13.1 255.255.255.0
dot1q vlan 1
!
router static
address-family ipv4 unicast
40.22.0.0/16 10.12.13.2
41.22.0.0/16 10.12.13.2
100.0.0.0/24 10.12.13.2
!
!
Bulk Port Allocation and Syslog Configuration: Example
service cgn cgn2
service-type nat44 natA
inside-vrf broadband
map address-pool 100.1.2.0/24
external-logging syslog
server
address 20.1.1.2 port 514
!
!
bulk-port-alloc size 64
!
!
DS Lite Configuration: Example
IPv6 ServiceApp and Static Route Configuration
conf
int serviceApp61
service cgn cgn1 service-type ds-lite
ipv6 address 2001:202::/32
commit
exit
router static
address-family ipv6 unicast
3001:db8:e0e:e01::/128 ServiceApp61 2001:202::2
commit
exit
end
IPv4 ServiceApp and Static Route Configuration
conf
int serviceApp41
service cgn cgn1 service-type ds-lite
ipv4 add 41.41.41.1/24
commit
exit
router static
address-family ipv4 unicast
52.52.52.0/24 ServiceApp41 41.1.1.2
commit
exit
end
DS Lite Configuration
service cgn cgn1
service-location preferred-active 0/2/CPU0 preferred-standby 0/4/CPU0
service-type ds-lite dsl1
portlimit 200
bulk-port-alloc size 128
map address-pool 52.52.52.0/24
aftr-tunnel-endpoint-address 3001:DB8:E0E:E01::
address-family ipv4
interface ServiceApp41
address-family ipv6
interface ServiceApp61
protocol tcp
session init timeout 300
session active timeout 400
mss 1200
external-logging netflow9
server
address 90.1.1.1 port 99
external-logging syslog
server
address 90.1.1.1 port 514
Additional References
For additional information related to Implementing the Carrier Grade IPv6, see the following references:
Related Documents
Related Topic | Document Title
Cisco IOS XR Carrier Grade IPv6 commands | Cisco IOS XR Carrier Grade IPv6 (CGv6) Command Reference for the Cisco CRS-1 Router
Cisco CRS-1 router getting started material | Cisco IOS XR Getting Started Guide
Information about user groups and task IDs | Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide
Standards (1)
Standards | Title
— | No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
1. Not all supported standards are listed.
MIBs
MIBs | MIBs Link
— | To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs (1)
RFCs | Title
RFC 4787 | Network Address Translation (NAT) Behavioral Requirements for Unicast UDP
RFC 5382 | NAT Behavioral Requirements for TCP
RFC 5508 | NAT Behavioral Requirements for ICMP
1. Not all supported RFCs are listed.
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
CHAPTER 1
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and VPN concentrator functionality in one
device, and for some models, an integrated intrusion prevention module called the AIP SSM or an
integrated content security and control module called the CSC SSM. The security appliance includes
many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent
(Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for
a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series
Release Notes or the Cisco PIX Security Appliance Release Notes.
Note The Cisco PIX 501 and PIX 506E security appliances are not supported.
This chapter includes the following sections:
• Firewall Functional Overview, page 1-1
• VPN Functional Overview, page 1-5
• Intrusion Prevention Services Functional Overview, page 1-5
• Security Context Overview, page 1-6
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the security appliance lets you configure many interfaces with varied
security policies, including many inside interfaces, many DMZs, and even many outside interfaces if
desired, these terms are used in a general sense only.
This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4
Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the security appliance allows traffic to flow freely from an inside network (higher
security level) to an outside network (lower security level). You can apply actions to traffic to customize
the security policy. This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-2
• Applying NAT, page 1-2
• Using AAA for Through Traffic, page 1-2
• Applying HTTP, HTTPS, or FTP Filtering, page 1-3
• Applying Application Inspection, page 1-3
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
• Sending Traffic to the Content Security and Control Security Services Module, page 1-3
• Applying QoS Policies, page 1-3
• Applying Connection Limits and TCP Normalization, page 1-3
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The security appliance also sends accounting information to a RADIUS or TACACS+ server.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the security appliance in conjunction with a separate server
running one of the following Internet filtering products:
• Websense Enterprise
• Secure Computing SmartFilter
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the security
appliance to do a deep packet inspection.
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM
for inspection.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the adaptive security appliance to send to it.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The security appliance uses the
embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated
by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that
has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is
not considered a router hop. The security appliance connects to the same network on its inside and
outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm
and either allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter
also checks every packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and
perform other tasks to determine if the packet is allowed or denied. To perform this check, the first
packet of the session goes through the “session management path,” and depending on the type of
traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the security appliance does not need to re-check packets;
most matching packets can go through the fast path in both directions. The fast path is responsible
for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security appliance creates connection state
information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
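As an added illustration, not code from Cisco or from the security appliance itself, the following toy model walks packets through the two paths just described: a packet with no matching session takes the session management path (access-list check, route lookup, xlate allocation, session creation) and later packets of that session take the fast path (session lookup, TCP sequence check, NAT based on the existing session). The addresses, interface names and sequence window are constructed for the demo; payload length is ignored.

```python
"""Toy model of the two-path stateful inspection described above (added example,
not Cisco's code). A packet with no matching session takes the session management
path; later packets of that session take the fast path. Addresses, interface names
and the sequence window are constructed for the demo; payload length is ignored."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW = 65535  # toy acceptance window for the TCP sequence number check
SessionKey = Tuple[str, int, str, int]  # (inside addr, port, outside addr, port)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ingress: str  # "inside" or "outside": the interface the packet arrived on

@dataclass
class Session:
    xlate: Optional[Tuple[str, int]]  # translated (address, port) of the inside host
    expected: Dict[str, int] = field(default_factory=dict)  # next seq per direction

@dataclass(frozen=True)
class Verdict:
    path: str    # "session-management" or "fast"
    action: str  # "permit" or "drop"
    reason: str

class StatefulFirewall:
    def __init__(self, acl: List[Tuple[str, str, Optional[int]]], inside_net: str, nat_pool: str):
        # acl entries: (ingress interface, destination prefix, destination port or None for any)
        self.acl = [(ifc, ipaddress.ip_network(net), port) for ifc, net, port in acl]
        self.inside_net = ipaddress.ip_network(inside_net)
        self.pat_address = str(ipaddress.ip_network(nat_pool)[1])  # one pool address, PAT on ports
        self.next_port = 1024
        self.sessions: Dict[SessionKey, Session] = {}
        self.xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}  # xlate -> real inside endpoint

    def process(self, pkt: Packet) -> Verdict:
        sess = self._session_lookup(pkt)
        return self._session_management_path(pkt) if sess is None else self._fast_path(pkt, sess)

    def _session_lookup(self, pkt: Packet) -> Optional[Session]:
        # Packets from outside are addressed to the xlate; map it back to the inside host first
        if pkt.ingress == "outside":
            real = self.xlates.get((pkt.dst, pkt.dport))
            if real is None:
                return None
            return self.sessions.get((real[0], real[1], pkt.src, pkt.sport))
        return self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def _acl_permits(self, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst)  # no matching entry means implicit deny
        return any(ifc == pkt.ingress and dst in net and port in (None, pkt.dport)
                   for ifc, net, port in self.acl)

    def _session_management_path(self, pkt: Packet) -> Verdict:
        path = "session-management"
        if not self._acl_permits(pkt):  # 1. access-list check
            return Verdict(path, "drop", "denied by access list")
        egress = "inside" if ipaddress.ip_address(pkt.dst) in self.inside_net else "outside"
        if egress == pkt.ingress:  # 2. route lookup
            return Verdict(path, "drop", "route lookup: egress interface equals ingress")
        xlate = None
        if pkt.ingress == "inside":  # 3. allocate an xlate for the inside host
            xlate = (self.pat_address, self.next_port)
            self.next_port += 1
            self.xlates[xlate] = (pkt.src, pkt.sport)
        key: SessionKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)  # 4. establish the session
        self.sessions[key] = Session(xlate=xlate, expected={pkt.ingress: pkt.seq + 1})
        return Verdict(path, "permit", f"session created, xlate={xlate}")

    def _fast_path(self, pkt: Packet, sess: Session) -> Verdict:
        exp = sess.expected.get(pkt.ingress)
        if exp is not None and not (exp <= pkt.seq < exp + WINDOW):  # TCP sequence check
            return Verdict("fast", "drop", "TCP sequence number outside the window")
        sess.expected[pkt.ingress] = pkt.seq + 1
        nat = f"nat via {sess.xlate}" if sess.xlate else "no nat"  # NAT from the existing session
        return Verdict("fast", "permit", f"session match, {nat}")

def run_demo() -> List[Verdict]:
    """Constructed trace: inside host opens a session, the server answers, an out-of-window
    packet is injected on the session, then an unsolicited SYN arrives from outside."""
    fw = StatefulFirewall(acl=[("inside", "0.0.0.0/0", None)],
                          inside_net="10.0.0.0/8", nat_pool="203.0.113.0/24")
    trace = [
        Packet("10.1.1.5", "198.51.100.7", 40000, 443, seq=1000, ingress="inside"),
        Packet("198.51.100.7", "203.0.113.1", 443, 1024, seq=7000, ingress="outside"),
        Packet("10.1.1.5", "198.51.100.7", 40000, 443, seq=1001, ingress="inside"),
        Packet("10.1.1.5", "198.51.100.7", 40000, 443, seq=9_000_000, ingress="inside"),
        Packet("198.51.100.9", "203.0.113.1", 5555, 1024, seq=1, ingress="outside"),
    ]
    return [fw.process(p) for p in trace]
```

Only the first packet of the inside-originated session and the unsolicited outside SYN reach the session management path; the reply and the in-window packet are handled by the fast path, and the out-of-window packet is dropped there without any access-list evaluation.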
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to
negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them
through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel
endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel
where they are unencapsulated and sent to their final destination. It can also receive encapsulated
packets, unencapsulate them, and send them to their final destination. The security appliance invokes
various standard protocols to accomplish these functions.
The security appliance performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The security appliance invokes various standard protocols to accomplish these functions.
Intrusion Prevention Services Functional Overview
The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention
services module that monitors and performs real-time analysis of network traffic by looking for
anomalies and misuse based on an extensive, embedded signature library. When the system detects
unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log
the incident, and send an alert to the device manager. Other legitimate connections continue to operate
independently without interruption. For more information, see Configuring the Cisco Intrusion
Prevention System Sensor Using the Command Line Interface.
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a configuration for each context that identifies
the security policy, interfaces, and almost all the options you can configure on a standalone device. The
system administrator adds and manages contexts by configuring them in the system configuration,
which, like a single mode configuration, is the startup configuration. The system configuration identifies
basic settings for the security appliance. The system configuration does not include any network
interfaces or network settings for itself; rather, when the system needs to access network resources (such
as downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context.
The admin context is just like any other context, except that when a user logs into the admin context,
then that user has system administrator rights and can access the system and all other contexts.
Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one
mode and others in another.
Multiple context mode supports static routing only.
Cisco Security Appliance Command Line Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-02
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision,
Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are
service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without
Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study,
IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar,
PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath,
WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0903R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Security Appliance Command Line Configuration Guide
Copyright © 2008 Cisco Systems, Inc. All rights reserved.
CONTENTS
About This Guide xxxv
Document Objectives xxxv
Audience xxxv
Related Documentation xxxvi
Document Organization xxxvi
Document Conventions xxxix
Obtaining Documentation and Submitting a Service Request xxxix
PART 1
Getting Started and General Information
CHAPTER 1
Introduction to the Security Appliance 1-1
Firewall Functional Overview 1-1
Security Policy Overview 1-2
Permitting or Denying Traffic with Access Lists 1-2
Applying NAT 1-2
Using AAA for Through Traffic 1-2
Applying HTTP, HTTPS, or FTP Filtering 1-3
Applying Application Inspection 1-3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
Sending Traffic to the Content Security and Control Security Services Module 1-3
Applying QoS Policies 1-3
Applying Connection Limits and TCP Normalization 1-3
Firewall Mode Overview 1-3
Stateful Inspection Overview 1-4
VPN Functional Overview 1-5
Intrusion Prevention Services Functional Overview 1-5
Security Context Overview 1-6
CHAPTER 2
Getting Started 2-1
Getting Started with Your Platform Model 2-1
Factory Default Configurations 2-1
Restoring the Factory Default Configuration 2-2
ASA 5505 Default Configuration 2-2
ASA 5510 and Higher Default Configuration 2-3
PIX 515/515E Default Configuration 2-4
Accessing the Command-Line Interface 2-4
Setting Transparent or Routed Firewall Mode 2-5
Working with the Configuration 2-6
Saving Configuration Changes 2-6
Saving Configuration Changes in Single Context Mode 2-7
Saving Configuration Changes in Multiple Context Mode 2-7
Copying the Startup Configuration to the Running Configuration 2-8
Viewing the Configuration 2-8
Clearing and Removing Configuration Settings 2-9
Creating Text Configuration Files Offline 2-9
CHAPTER 3
Enabling Multiple Context Mode 3-1
Security Context Overview 3-1
Common Uses for Security Contexts 3-1
Unsupported Features 3-2
Context Configuration Files 3-2
Context Configurations 3-2
System Configuration 3-2
Admin Context Configuration 3-2
How the Security Appliance Classifies Packets 3-3
Valid Classifier Criteria 3-3
Invalid Classifier Criteria 3-4
Classification Examples 3-5
Cascading Security Contexts 3-8
Management Access to Security Contexts 3-9
System Administrator Access 3-9
Context Administrator Access 3-10
Enabling or Disabling Multiple Context Mode 3-10
Backing Up the Single Mode Configuration 3-10
Enabling Multiple Context Mode 3-10
Restoring Single Context Mode 3-11
CHAPTER 4
Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 4-1
Interface Overview 4-1
Understanding ASA 5505 Ports and Interfaces 4-2
Maximum Active VLAN Interfaces for Your License 4-2
Default Interface Configuration 4-4
VLAN MAC Addresses 4-4
Power Over Ethernet 4-4
Monitoring Traffic Using SPAN 4-4
Security Level Overview 4-5
Configuring VLAN Interfaces 4-5
Configuring Switch Ports as Access Ports 4-9
Configuring a Switch Port as a Trunk Port 4-11
Allowing Communication Between VLAN Interfaces on the Same Security Level 4-13
CHAPTER 5
Configuring Ethernet Settings and Subinterfaces 5-1
Configuring and Enabling RJ-45 Interfaces 5-1
Configuring and Enabling Fiber Interfaces 5-3
Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking 5-3
CHAPTER 6
Adding and Managing Security Contexts 6-1
Configuring Resource Management 6-1
Classes and Class Members Overview 6-1
Resource Limits 6-2
Default Class 6-3
Class Members 6-4
Configuring a Class 6-4
Configuring a Security Context 6-7
Automatically Assigning MAC Addresses to Context Interfaces 6-11
Changing Between Contexts and the System Execution Space 6-11
Managing Security Contexts 6-12
Removing a Security Context 6-12
Changing the Admin Context 6-13
Changing the Security Context URL 6-13
Reloading a Security Context 6-14
Reloading by Clearing the Configuration 6-14
Reloading by Removing and Re-adding the Context 6-15
Monitoring Security Contexts 6-15
Viewing Context Information 6-15
Viewing Resource Allocation 6-16
Viewing Resource Usage 6-19
Monitoring SYN Attacks in Contexts 6-20
CHAPTER 7
Configuring Interface Parameters 7-1
Security Level Overview 7-1
Configuring the Interface 7-2
Allowing Communication Between Interfaces on the Same Security Level 7-6
CHAPTER 8
Configuring Basic Settings 8-1
Changing the Login Password 8-1
Changing the Enable Password 8-1
Setting the Hostname 8-2
Setting the Domain Name 8-2
Setting the Date and Time 8-2
Setting the Time Zone and Daylight Saving Time Date Range 8-3
Setting the Date and Time Using an NTP Server 8-4
Setting the Date and Time Manually 8-5
Setting the Management IP Address for a Transparent Firewall 8-5
CHAPTER 9
Configuring IP Routing 9-1
How Routing Behaves Within the ASA Security Appliance 9-1
Egress Interface Selection Process 9-1
Next Hop Selection Process 9-2
Configuring Static and Default Routes 9-2
Configuring a Static Route 9-3
Configuring a Default Route 9-4
Configuring Static Route Tracking 9-5
Defining Route Maps 9-7
Configuring OSPF 9-8
OSPF Overview 9-9
Enabling OSPF 9-10
Redistributing Routes Into OSPF 9-10
Configuring OSPF Interface Parameters 9-11
Configuring OSPF Area Parameters 9-13
Configuring OSPF NSSA 9-14
Configuring Route Summarization Between OSPF Areas 9-15
Configuring Route Summarization When Redistributing Routes into OSPF 9-16
Defining Static OSPF Neighbors 9-16
Generating a Default Route 9-17
Configuring Route Calculation Timers 9-17
Logging Neighbors Going Up or Down 9-18
Displaying OSPF Update Packet Pacing 9-19
Monitoring OSPF 9-19
Restarting the OSPF Process 9-20
Configuring RIP 9-20
Enabling and Configuring RIP 9-20
Redistributing Routes into the RIP Routing Process 9-22
Configuring RIP Send/Receive Version on an Interface 9-22
Enabling RIP Authentication 9-23
Monitoring RIP 9-23
The Routing Table 9-24
Displaying the Routing Table 9-24
How the Routing Table is Populated 9-24
Backup Routes 9-26
How Forwarding Decisions are Made 9-26
Dynamic Routing and Failover 9-26
CHAPTER 10
Configuring DHCP, DDNS, and WCCP Services 10-1
Configuring a DHCP Server 10-1
Enabling the DHCP Server 10-2
Configuring DHCP Options 10-3
Using Cisco IP Phones with a DHCP Server 10-4
Configuring DHCP Relay Services 10-5
Configuring Dynamic DNS 10-6
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration 10-7
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs. 10-8
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR 10-8
Example 5: Client Updates A RR; Server Updates PTR RR 10-9
Configuring Web Cache Services Using WCCP 10-9
WCCP Feature Support 10-9
WCCP Interaction With Other Features 10-10
Enabling WCCP Redirection 10-10
CHAPTER 11
Configuring Multicast Routing 11-13
Multicast Routing Overview 11-13
Enabling Multicast Routing 11-14
Configuring IGMP Features 11-14
Disabling IGMP on an Interface 11-15
Configuring Group Membership 11-15
Configuring a Statically Joined Group 11-15
Controlling Access to Multicast Groups 11-15
Limiting the Number of IGMP States on an Interface 11-16
Modifying the Query Interval and Query Timeout 11-16
Changing the Query Response Time 11-17
Changing the IGMP Version 11-17
Configuring Stub Multicast Routing 11-17
Configuring a Static Multicast Route 11-17
Configuring PIM Features 11-18
Disabling PIM on an Interface 11-18
Configuring a Static Rendezvous Point Address 11-19
Configuring the Designated Router Priority 11-19
Filtering PIM Register Messages 11-19
Configuring PIM Message Intervals 11-20
Configuring a Multicast Boundary 11-20
Filtering PIM Neighbors 11-20
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks 11-21
For More Information about Multicast Routing 11-22
CHAPTER 12
Configuring IPv6 12-1
IPv6-enabled Commands 12-1
Configuring IPv6 12-2
Configuring IPv6 on an Interface 12-3
Configuring a Dual IP Stack on an Interface 12-4
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 12-4
Configuring IPv6 Duplicate Address Detection 12-4
Configuring IPv6 Default and Static Routes 12-5
Configuring IPv6 Access Lists 12-6
Configuring IPv6 Neighbor Discovery 12-7
Configuring Neighbor Solicitation Messages 12-7
Configuring Router Advertisement Messages 12-9
Multicast Listener Discovery Support 12-11
Configuring a Static IPv6 Neighbor 12-11
Verifying the IPv6 Configuration 12-11
The show ipv6 interface Command 12-12
The show ipv6 route Command 12-12
The show ipv6 mld traffic Command 12-13
CHAPTER 13
Configuring AAA Servers and the Local Database 13-1
AAA Overview 13-1
About Authentication 13-1
About Authorization 13-2
About Accounting 13-2
AAA Server and Local Database Support 13-2
Summary of Support 13-3
RADIUS Server Support 13-3
Authentication Methods 13-4
Attribute Support 13-4
RADIUS Authorization Functions 13-4
TACACS+ Server Support 13-4
SDI Server Support 13-4
SDI Version Support 13-5
Two-step Authentication Process 13-5
SDI Primary and Replica Servers 13-5
NT Server Support 13-5
Kerberos Server Support 13-5
LDAP Server Support 13-6
Authentication with LDAP 13-6
Authorization with LDAP for VPN 13-7
LDAP Attribute Mapping 13-8
SSO Support for WebVPN with HTTP Forms 13-9
Local Database Support 13-9
User Profiles 13-10
Fallback Support 13-10
Configuring the Local Database 13-10
Identifying AAA Server Groups and Servers 13-12
Using Certificates and User Login Credentials 13-15
Using User Login Credentials 13-15
Using Certificates 13-16
Supporting a Zone Labs Integrity Server 13-16
Overview of Integrity Server and Security Appliance Interaction 13-17
Configuring Integrity Server Support 13-17
CHAPTER 14
Configuring Failover 14-1
Understanding Failover 14-1
Failover System Requirements 14-2
Hardware Requirements 14-2
Software Requirements 14-2
License Requirements 14-2
The Failover and Stateful Failover Links 14-3
Failover Link 14-3
Stateful Failover Link 14-5
Active/Active and Active/Standby Failover 14-6
Active/Standby Failover 14-6
Active/Active Failover 14-10
Determining Which Type of Failover to Use 14-15
Regular and Stateful Failover 14-15
Regular Failover 14-16
Stateful Failover 14-16
Failover Health Monitoring 14-16
Unit Health Monitoring 14-17
Interface Monitoring 14-17
Failover Feature/Platform Matrix 14-18
Failover Times by Platform 14-18
Configuring Failover 14-19
Failover Configuration Limitations 14-19
Configuring Active/Standby Failover 14-19
Prerequisites 14-20
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 14-20
Configuring LAN-Based Active/Standby Failover 14-21
Configuring Optional Active/Standby Failover Settings 14-25
Configuring Active/Active Failover 14-27
Prerequisites 14-27
Configuring Cable-Based Active/Active Failover (PIX security appliance) 14-27
Configuring LAN-Based Active/Active Failover 14-29
Configuring Optional Active/Active Failover Settings 14-33
Configuring Unit Health Monitoring 14-39
Configuring Failover Communication Authentication/Encryption 14-39
Verifying the Failover Configuration 14-40
Using the show failover Command 14-40
Viewing Monitored Interfaces 14-48
Displaying the Failover Commands in the Running Configuration 14-48
Testing the Failover Functionality 14-49
Controlling and Monitoring Failover 14-49
Forcing Failover 14-49
Disabling Failover 14-50
Restoring a Failed Unit or Failover Group 14-50
Monitoring Failover 14-50
Failover System Messages 14-51
Debug Messages 14-51
SNMP 14-51
PART 2
Configuring the Firewall
CHAPTER 15
Firewall Mode Overview 15-1
Routed Mode Overview 15-1
IP Routing Support 15-1
Network Address Translation 15-2
How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3
An Inside User Visits a Web Server 15-3
An Outside User Visits a Web Server on the DMZ 15-4
An Inside User Visits a Web Server on the DMZ 15-6
An Outside User Attempts to Access an Inside Host 15-7
A DMZ User Attempts to Access an Inside Host 15-8
Transparent Mode Overview 15-8
Transparent Firewall Network 15-9
Allowing Layer 3 Traffic 15-9
Allowed MAC Addresses 15-9
Passing Traffic Not Allowed in Routed Mode 15-9
MAC Address Lookups 15-10
Using the Transparent Firewall in Your Network 15-10
Transparent Firewall Guidelines 15-10
Unsupported Features in Transparent Mode 15-11
How Data Moves Through the Transparent Firewall 15-13
An Inside User Visits a Web Server 15-14
An Outside User Visits a Web Server on the Inside Network 15-15
An Outside User Attempts to Access an Inside Host 15-16
CHAPTER 16
Identifying Traffic with Access Lists 16-1
Access List Overview 16-1
Access List Types 16-2
Access Control Entry Order 16-2
Access Control Implicit Deny 16-3
IP Addresses Used for Access Lists When You Use NAT 16-3
Adding an Extended Access List 16-5
Extended Access List Overview 16-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6
Adding an Extended ACE 16-6
Adding an EtherType Access List 16-8
EtherType Access List Overview 16-8
Supported EtherTypes 16-8
Implicit Permit of IP and ARPs Only 16-9
Implicit and Explicit Deny ACE at the End of an Access List 16-9
IPv6 Unsupported 16-9
Using Extended and EtherType Access Lists on the Same Interface 16-9
Allowing MPLS 16-9
Adding an EtherType ACE 16-10
Adding a Standard Access List 16-11
Adding a Webtype Access List 16-11
Simplifying Access Lists with Object Grouping 16-11
How Object Grouping Works 16-12
Adding Object Groups 16-12
Adding a Protocol Object Group 16-13
Adding a Network Object Group 16-13
Adding a Service Object Group 16-14
Adding an ICMP Type Object Group 16-15
Nesting Object Groups 16-15
Using Object Groups with an Access List 16-16
Displaying Object Groups 16-17
Removing Object Groups 16-17
Adding Remarks to Access Lists 16-18
Scheduling Extended Access List Activation 16-18
Adding a Time Range 16-18
Applying the Time Range to an ACE 16-19
Logging Access List Activity 16-20
Access List Logging Overview 16-20
Configuring Logging for an Access Control Entry 16-21
Managing Deny Flows 16-22
CHAPTER 17
Applying NAT 17-1
NAT Overview 17-1
Introduction to NAT 17-2
NAT Control 17-3
NAT Types 17-5
Dynamic NAT 17-5
PAT 17-7
Static NAT 17-7
Static PAT 17-8
Bypassing NAT When NAT Control is Enabled 17-9
Policy NAT 17-9
NAT and Same Security Level Interfaces 17-13
Order of NAT Commands Used to Match Real Addresses 17-14
Mapped Address Guidelines 17-14
DNS and NAT 17-14
Configuring NAT Control 17-16
Using Dynamic NAT and PAT 17-17
Dynamic NAT and PAT Implementation 17-17
Configuring Dynamic NAT or PAT 17-23
Using Static NAT 17-26
Using Static PAT 17-27
Bypassing NAT 17-29
Configuring Identity NAT 17-30
Configuring Static Identity NAT 17-30
Configuring NAT Exemption 17-32
NAT Examples 17-33
Overlapping Networks 17-34
Redirecting Ports 17-35
CHAPTER 18
Permitting or Denying Network Access 18-1
Inbound and Outbound Access List Overview 18-1
Applying an Access List to an Interface 18-2
CHAPTER 19
Applying AAA for Network Access 19-1
AAA Performance 19-1
Configuring Authentication for Network Access 19-1
Authentication Overview 19-2
One-Time Authentication 19-2
Applications Required to Receive an Authentication Challenge 19-2
Security Appliance Authentication Prompts 19-2
Static PAT and HTTP 19-3
Enabling Network Access Authentication 19-3
Enabling Secure Authentication of Web Clients 19-5
Authenticating Directly with the Security Appliance 19-6
Enabling Direct Authentication Using HTTP and HTTPS 19-6
Enabling Direct Authentication Using Telnet 19-6
Configuring Authorization for Network Access 19-6
Configuring TACACS+ Authorization 19-7
Configuring RADIUS Authorization 19-8
Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-9
Configuring a RADIUS Server to Download Per-User Access Control List Names 19-12
Configuring Accounting for Network Access 19-13
Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-14
CHAPTER 20
Applying Filtering Services 20-1
Filtering Overview 20-1
Filtering ActiveX Objects 20-2
ActiveX Filtering Overview 20-2
Enabling ActiveX Filtering 20-2
Filtering Java Applets 20-3
Filtering URLs and FTP Requests with an External Server 20-4
URL Filtering Overview 20-4
Identifying the Filtering Server 20-4
Buffering the Content Server Response 20-6
Caching Server Addresses 20-6
Filtering HTTP URLs 20-7
Configuring HTTP Filtering 20-7
Enabling Filtering of Long HTTP URLs 20-7
Truncating Long HTTP URLs 20-7
Exempting Traffic from Filtering 20-8
Filtering HTTPS URLs 20-8
Filtering FTP Requests 20-9
Viewing Filtering Statistics and Configuration 20-9
Viewing Filtering Server Statistics 20-10
Viewing Buffer Configuration and Statistics 20-11
Viewing Caching Statistics 20-11
Viewing Filtering Performance Statistics 20-11
Viewing Filtering Configuration 20-12
CHAPTER 21
Using Modular Policy Framework 21-1
Modular Policy Framework Overview 21-1
Modular Policy Framework Features 21-1
Modular Policy Framework Configuration Overview 21-2
Default Global Policy 21-3
Identifying Traffic (Layer 3/4 Class Map) 21-4
Default Class Maps 21-4
Creating a Layer 3/4 Class Map for Through Traffic 21-5
Creating a Layer 3/4 Class Map for Management Traffic 21-7
Configuring Special Actions for Application Inspections (Inspection Policy Map) 21-7
Inspection Policy Map Overview 21-8
Defining Actions in an Inspection Policy Map 21-8
Identifying Traffic in an Inspection Class Map 21-11
Creating a Regular Expression 21-12
Creating a Regular Expression Class Map 21-14
Defining Actions (Layer 3/4 Policy Map) 21-15
Layer 3/4 Policy Map Overview 21-15
Policy Map Guidelines 21-16
Supported Feature Types 21-16
Hierarchical Policy Maps 21-16
Feature Directionality 21-17
Feature Matching Guidelines within a Policy Map 21-17
Feature Matching Guidelines for Multiple Policy Maps 21-18
Order in Which Multiple Feature Actions are Applied 21-18
Default Layer 3/4 Policy Map 21-18
Adding a Layer 3/4 Policy Map 21-19
Applying Actions to an Interface (Service Policy) 21-21
Modular Policy Framework Examples 21-21
Applying Inspection and QoS Policing to HTTP Traffic 21-22
Applying Inspection to HTTP Traffic Globally 21-22
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-23
Applying Inspection to HTTP Traffic with NAT 21-24
CHAPTER 22
Managing AIP SSM and CSC SSM 22-1
Managing the AIP SSM 22-1
About the AIP SSM 22-1
Getting Started with the AIP SSM 22-2
Diverting Traffic to the AIP SSM 22-2
Sessioning to the AIP SSM and Running Setup 22-4
Managing the CSC SSM 22-5
About the CSC SSM 22-5
Getting Started with the CSC SSM 22-7
Determining What Traffic to Scan 22-9
Limiting Connections Through the CSC SSM 22-11
Diverting Traffic to the CSC SSM 22-11
Checking SSM Status 22-13
Transferring an Image onto an SSM 22-14
CHAPTER 23
Preventing Network Attacks 23-1
Configuring TCP Normalization 23-1
TCP Normalization Overview 23-1
Enabling the TCP Normalizer 23-2
Configuring Connection Limits and Timeouts 23-6
Connection Limit Overview 23-7
TCP Intercept Overview 23-7
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7
Dead Connection Detection (DCD) Overview 23-7
TCP Sequence Randomization Overview 23-8
Enabling Connection Limits and Timeouts 23-8
Preventing IP Spoofing 23-10
Configuring the Fragment Size 23-11
Blocking Unwanted Connections 23-11
Configuring IP Audit for Basic IPS Support 23-12
CHAPTER 24
Configuring QoS 24-1
QoS Overview 24-1
Supported QoS Features 24-2
What is a Token Bucket? 24-2
Policing Overview 24-3
Priority Queueing Overview 24-3
Traffic Shaping Overview 24-4
How QoS Features Interact 24-4
DSCP and DiffServ Preservation 24-5
Creating the Standard Priority Queue for an Interface 24-5
Determining the Queue and TX Ring Limits 24-6
Configuring the Priority Queue 24-7
Identifying Traffic for QoS Using Class Maps 24-8
Creating a QoS Class Map 24-8
QoS Class Map Examples 24-8
Creating a Policy for Standard Priority Queueing and/or Policing 24-9
Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing 24-11
Viewing QoS Statistics 24-13
Viewing QoS Police Statistics 24-13
Viewing QoS Standard Priority Statistics 24-14
Viewing QoS Shaping Statistics 24-14
Viewing QoS Standard Priority Queue Statistics 24-15
CHAPTER 25
Configuring Application Layer Protocol Inspection 25-1
Inspection Engine Overview 25-2
When to Use Application Protocol Inspection 25-2
Inspection Limitations 25-2
Default Inspection Policy 25-3
Configuring Application Inspection 25-5
CTIQBE Inspection 25-9
CTIQBE Inspection Overview 25-9
Limitations and Restrictions 25-10
Verifying and Monitoring CTIQBE Inspection 25-10
DCERPC Inspection 25-11
DCERPC Overview 25-11
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12
DNS Inspection 25-13
How DNS Application Inspection Works 25-13
How DNS Rewrite Works 25-14
Configuring DNS Rewrite 25-15
Using the Static Command for DNS Rewrite 25-15
Using the Alias Command for DNS Rewrite 25-16
Configuring DNS Rewrite with Two NAT Zones 25-16
DNS Rewrite with Three NAT Zones 25-17
Configuring DNS Rewrite with Three NAT Zones 25-19
Verifying and Monitoring DNS Inspection 25-20
Configuring a DNS Inspection Policy Map for Additional Inspection Control 25-20
ESMTP Inspection 25-23
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25-24
FTP Inspection 25-26
FTP Inspection Overview 25-27
Using the strict Option 25-27
Configuring an FTP Inspection Policy Map for Additional Inspection Control 25-28
Verifying and Monitoring FTP Inspection 25-31
GTP Inspection 25-32
GTP Inspection Overview 25-32
Configuring a GTP Inspection Policy Map for Additional Inspection Control 25-33
Verifying and Monitoring GTP Inspection 25-37
H.323 Inspection 25-38
H.323 Inspection Overview 25-38
How H.323 Works 25-38
Limitations and Restrictions 25-39
Configuring an H.323 Inspection Policy Map for Additional Inspection Control 25-40
Configuring H.323 and H.225 Timeout Values 25-42
Verifying and Monitoring H.323 Inspection 25-43
Monitoring H.225 Sessions 25-43
Monitoring H.245 Sessions 25-43
Monitoring H.323 RAS Sessions 25-44
HTTP Inspection 25-44
HTTP Inspection Overview 25-44
Configuring an HTTP Inspection Policy Map for Additional Inspection Control 25-45
Instant Messaging Inspection 25-49
IM Inspection Overview 25-49
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 25-49
ICMP Inspection 25-52
ICMP Error Inspection 25-52
ILS Inspection 25-53
IPSec Pass Through Inspection 25-54
IPSec Pass Through Inspection Overview 25-54
Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control 25-54
MGCP Inspection 25-56
MGCP Inspection Overview 25-56
Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-58
Configuring MGCP Timeout Values 25-59
Verifying and Monitoring MGCP Inspection 25-59
NetBIOS Inspection 25-60
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 25-60
PPTP Inspection 25-62
RADIUS Accounting Inspection 25-62
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25-63
RSH Inspection 25-63
RTSP Inspection 25-63
RTSP Inspection Overview 25-63
Using RealPlayer 25-64
Restrictions and Limitations 25-64
SIP Inspection 25-65
SIP Inspection Overview 25-65
SIP Instant Messaging 25-65
Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-66
Configuring SIP Timeout Values 25-70
Verifying and Monitoring SIP Inspection 25-70
Skinny (SCCP) Inspection 25-71
SCCP Inspection Overview 25-71
Supporting Cisco IP Phones 25-71
Restrictions and Limitations 25-72
Verifying and Monitoring SCCP Inspection 25-72
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73
SMTP and Extended SMTP Inspection 25-74
SNMP Inspection 25-76
SQL*Net Inspection 25-76
Sun RPC Inspection 25-77
Sun RPC Inspection Overview 25-77
Managing Sun RPC Services 25-77
Verifying and Monitoring Sun RPC Inspection 25-78
TFTP Inspection 25-79
XDMCP Inspection 25-80
CHAPTER 26
Configuring ARP Inspection and Bridging Parameters 26-1
Configuring ARP Inspection 26-1
ARP Inspection Overview 26-1
Adding a Static ARP Entry 26-2
Enabling ARP Inspection 26-2
Customizing the MAC Address Table 26-3
MAC Address Table Overview 26-3
Adding a Static MAC Address 26-3
Setting the MAC Address Timeout 26-4
Disabling MAC Address Learning 26-4
Viewing the MAC Address Table 26-4
PART 3
Configuring VPN
CHAPTER 27
Configuring IPsec and ISAKMP 27-1
Tunneling Overview 27-1
IPsec Overview 27-2
Configuring ISAKMP 27-2
ISAKMP Overview 27-2
Configuring ISAKMP Policies 27-5
Enabling ISAKMP on the Outside Interface 27-6
Disabling ISAKMP in Aggressive Mode 27-6
Determining an ID Method for ISAKMP Peers 27-6
Enabling IPsec over NAT-T 27-7
Using NAT-T 27-7
Enabling IPsec over TCP 27-8
Waiting for Active Sessions to Terminate Before Rebooting 27-9
Alerting Peers Before Disconnecting 27-9
Configuring Certificate Group Matching 27-9
Creating a Certificate Group Matching Rule and Policy 27-10
Using the Tunnel-group-map default-group Command 27-11
Configuring IPsec 27-11
Understanding IPsec Tunnels 27-11
Understanding Transform Sets 27-12
Defining Crypto Maps 27-12
Applying Crypto Maps to Interfaces 27-20
Using Interface Access Lists 27-20
Changing IPsec SA Lifetimes 27-22
Creating a Basic IPsec Configuration 27-22
Using Dynamic Crypto Maps 27-24
Providing Site-to-Site Redundancy 27-26
Viewing an IPsec Configuration 27-26
Clearing Security Associations 27-27
Clearing Crypto Map Configurations 27-27
Supporting the Nokia VPN Client 27-28
CHAPTER 28
Configuring L2TP over IPSec 28-1
L2TP Overview 28-1
IPSec Transport and Tunnel Modes 28-2
Configuring L2TP over IPSec Connections 28-2
Tunnel Group Switching 28-5
Viewing L2TP over IPSec Connection Information 28-5
Using L2TP Debug Commands 28-7
Enabling IPSec Debug 28-7
Getting Additional Information 28-8
CHAPTER 29
Setting General IPSec VPN Parameters 29-1
Configuring VPNs in Single, Routed Mode 29-1
Configuring IPSec to Bypass ACLs 29-1
Permitting Intra-Interface Traffic 29-2
NAT Considerations for Intra-Interface Traffic 29-3
Setting Maximum Active IPSec VPN Sessions 29-3
Using Client Update to Ensure Acceptable Client Revision Levels 29-3
Understanding Load Balancing 29-5
Implementing Load Balancing 29-6
Prerequisites 29-6
Eligible Platforms 29-7
Eligible Clients 29-7
VPN Load-Balancing Cluster Configurations 29-7
Some Typical Mixed Cluster Scenarios 29-8
Scenario 1: Mixed Cluster with No WebVPN Connections 29-8
Scenario 2: Mixed Cluster Handling WebVPN Connections 29-8
Configuring Load Balancing 29-9
Configuring the Public and Private Interfaces for Load Balancing 29-9
Configuring the Load Balancing Cluster Attributes 29-10
Configuring VPN Session Limits 29-11
CHAPTER 30
Configuring Tunnel Groups, Group Policies, and Users 30-1
Overview of Tunnel Groups, Group Policies, and Users 30-1
Tunnel Groups 30-2
General Tunnel-Group Connection Parameters 30-2
IPSec Tunnel-Group Connection Parameters 30-3
WebVPN Tunnel-Group Connection Parameters 30-4
Configuring Tunnel Groups 30-5
Maximum Tunnel Groups 30-5
Default IPSec Remote Access Tunnel Group Configuration 30-5
Configuring IPSec Tunnel-Group General Attributes 30-6
Configuring IPSec Remote-Access Tunnel Groups 30-6
Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6
Configuring IPSec Remote-Access Tunnel Group General Attributes 30-7
Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 30-10
Configuring IPSec Remote-Access Tunnel Group PPP Attributes 30-12
Configuring LAN-to-LAN Tunnel Groups 30-13
Default LAN-to-LAN Tunnel Group Configuration 30-13
Specifying a Name and Type for a LAN-to-LAN Tunnel Group 30-14
Configuring LAN-to-LAN Tunnel Group General Attributes 30-14
Configuring LAN-to-LAN IPSec Attributes 30-15
Configuring WebVPN Tunnel Groups 30-17
Specifying a Name and Type for a WebVPN Tunnel Group 30-17
Configuring WebVPN Tunnel-Group General Attributes 30-17
Configuring WebVPN Tunnel-Group WebVPN Attributes 30-20
Customizing Login Windows for WebVPN Users 30-23
Configuring Microsoft Active Directory Settings for Password Management 30-24
Using Active Directory to Force the User to Change Password at Next Logon 30-25
Using Active Directory to Specify Maximum Password Age 30-27
Using Active Directory to Override an Account Disabled AAA Indicator 30-28
Using Active Directory to Enforce Minimum Password Length 30-29
Using Active Directory to Enforce Password Complexity 30-30
Group Policies 30-31
Default Group Policy 30-32
Configuring Group Policies 30-34
Configuring an External Group Policy 30-34
Configuring an Internal Group Policy 30-35
Configuring Group Policy Attributes 30-35
Configuring WINS and DNS Servers 30-35
Configuring VPN-Specific Attributes 30-36
Configuring Security Attributes 30-39
Configuring the Banner Message 30-41
Configuring IPSec-UDP Attributes 30-41
Configuring Split-Tunneling Attributes 30-42
Configuring Domain Attributes for Tunneling 30-43
Configuring Attributes for VPN Hardware Clients 30-45
Configuring Backup Server Attributes 30-48
Configuring Microsoft Internet Explorer Client Parameters 30-49
Configuring Network Admission Control Parameters 30-51
Configuring Address Pools 30-54
Configuring Firewall Policies 30-55
Configuring Client Access Rules 30-58
Configuring Group-Policy WebVPN Attributes 30-59
Configuring User Attributes 30-70
Viewing the Username Configuration 30-71
Configuring Attributes for Specific Users 30-71
Setting a User Password and Privilege Level 30-71
Configuring User Attributes 30-72
Configuring VPN User Attributes 30-72
Configuring WebVPN for Specific Users 30-76
CHAPTER 31
Configuring IP Addresses for VPNs 31-1
Configuring an IP Address Assignment Method 31-1
Configuring Local IP Address Pools 31-2
Configuring AAA Addressing 31-2
Configuring DHCP Addressing 31-3
CHAPTER 32
Configuring Remote Access IPSec VPNs 32-1
Summary of the Configuration 32-1
Configuring Interfaces 32-2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 32-3
Configuring an Address Pool 32-4
Adding a User 32-4
Creating a Transform Set 32-4
Defining a Tunnel Group 32-5
Creating a Dynamic Crypto Map 32-6
Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32-7
CHAPTER 33
Configuring Network Admission Control 33-1
Uses, Requirements, and Limitations 33-1
Configuring Basic Settings 33-1
Specifying the Access Control Server Group 33-2
Enabling NAC 33-2
Configuring the Default ACL for NAC 33-3
Configuring Exemptions from NAC 33-4
Changing Advanced Settings 33-5
Changing Clientless Authentication Settings 33-5
Enabling and Disabling Clientless Authentication 33-5
Changing the Login Credentials Used for Clientless Authentication 33-6
Configuring NAC Session Attributes 33-7
Setting the Query-for-Posture-Changes Timer 33-8
Setting the Revalidation Timer 33-9
CHAPTER 34
Configuring Easy VPN Services on the ASA 5505 34-1
Specifying the Client/Server Role of the Cisco ASA 5505 34-1
Specifying the Primary and Secondary Servers 34-2
Specifying the Mode 34-3
NEM with Multiple Interfaces 34-3
Configuring Automatic Xauth Authentication 34-4
Configuring IPSec Over TCP 34-4
Comparing Tunneling Options 34-5
Specifying the Tunnel Group or Trustpoint 34-6
Specifying the Tunnel Group 34-6
Specifying the Trustpoint 34-7
Configuring Split Tunneling 34-7
Configuring Device Pass-Through 34-8
Configuring Remote Management 34-8
Guidelines for Configuring the Easy VPN Server 34-9
Group Policy and User Attributes Pushed to the Client 34-9
Authentication Options 34-11
CHAPTER 35
Configuring the PPPoE Client 35-1
PPPoE Client Overview 35-1
Configuring the PPPoE Client Username and Password 35-2
Enabling PPPoE 35-3
Using PPPoE with a Fixed IP Address 35-3
Monitoring and Debugging the PPPoE Client 35-4
Clearing the Configuration 35-5
Using Related Commands 35-5
CHAPTER 36
Configuring LAN-to-LAN IPsec VPNs 36-1
Summary of the Configuration 36-1
Configuring Interfaces 36-2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 36-2
Creating a Transform Set 36-4
Configuring an ACL 36-4
Defining a Tunnel Group 36-5
Creating a Crypto Map and Applying It To an Interface 36-6
Applying Crypto Maps to Interfaces 36-7
CHAPTER 37
Configuring WebVPN 37-1
Getting Started with WebVPN 37-1
Observing WebVPN Security Precautions 37-2
Understanding Features Not Supported for WebVPN 37-2
Using SSL to Access the Central Site 37-3
Using HTTPS for WebVPN Sessions 37-3
Configuring WebVPN and ASDM on the Same Interface 37-3
Setting WebVPN HTTP/HTTPS Proxy 37-4
Configuring SSL/TLS Encryption Protocols 37-4
Authenticating with Digital Certificates 37-5
Enabling Cookies on Browsers for WebVPN 37-5
Managing Passwords 37-5
Using Single Sign-on with WebVPN 37-6
Configuring SSO with HTTP Basic or NTLM Authentication 37-6
Configuring SSO Authentication Using SiteMinder 37-7
Configuring SSO with the HTTP Form Protocol 37-9
Authenticating with Digital Certificates 37-15
Creating and Applying WebVPN Policies 37-15
Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 37-16
Assigning Lists to Group Policies and Users in Group-Policy or User Mode 37-16
Enabling Features for Group Policies and Users 37-16
Assigning Users to Group Policies 37-16
Using the Security Appliance Authentication Server 37-16
Using a RADIUS Server 37-16
Configuring WebVPN Tunnel Group Attributes 37-17
Configuring WebVPN Group Policy and User Attributes 37-17
Configuring Application Access 37-18
Downloading the Port-Forwarding Applet Automatically 37-18
Closing Application Access to Prevent hosts File Errors 37-18
Recovering from hosts File Errors When Using Application Access 37-18
Understanding the hosts File 37-19
Stopping Application Access Improperly 37-19
Reconfiguring a hosts File 37-20
Configuring File Access 37-22
Configuring Access to Citrix MetaFrame Services 37-24
Using WebVPN with PDAs 37-25
Using E-Mail over WebVPN 37-26
Configuring E-mail Proxies 37-26
E-mail Proxy Certificate Authentication 37-27
Configuring MAPI 37-27
Configuring Web E-mail: MS Outlook Web Access 37-27
Optimizing WebVPN Performance 37-28
Configuring Caching 37-28
Configuring Content Transformation 37-28
Configuring a Certificate for Signing Rewritten Java Content 37-29
Disabling Content Rewrite 37-29
Using Proxy Bypass 37-29
Configuring Application Profile Customization Framework 37-30
APCF Syntax 37-30
APCF Example 37-32
WebVPN End User Setup 37-32
Defining the End User Interface 37-32
Viewing the WebVPN Home Page 37-33
Viewing the WebVPN Application Access Panel 37-33
Viewing the Floating Toolbar 37-34
Customizing WebVPN Pages 37-35
Using Cascading Style Sheet Parameters 37-35
Customizing the WebVPN Login Page 37-36
Customizing the WebVPN Logout Page 37-37
Customizing the WebVPN Home Page 37-38
Customizing the Application Access Window 37-40
Customizing the Prompt Dialogs 37-41
Applying Customizations to Tunnel Groups, Groups and Users 37-42
Requiring Usernames and Passwords 37-43
Communicating Security Tips 37-44
Configuring Remote Systems to Use WebVPN Features 37-44
Capturing WebVPN Data 37-50
Creating a Capture File 37-51
Using a Browser to Display Capture Data 37-51
CHAPTER 38
Configuring SSL VPN Client 38-1
Installing SVC 38-1
Platform Requirements 38-1
Installing the SVC Software 38-2
Enabling SVC 38-3
Enabling Permanent SVC Installation 38-4
Enabling Rekey 38-5
Enabling and Adjusting Dead Peer Detection 38-5
Enabling Keepalive 38-6
Using SVC Compression 38-6
Viewing SVC Sessions 38-7
Logging Off SVC Sessions 38-8
Updating SVCs 38-8
CHAPTER 39
Configuring Certificates 39-1
Public Key Cryptography 39-1
About Public Key Cryptography 39-1
Certificate Scalability 39-2
About Key Pairs 39-2
About Trustpoints 39-3
About Revocation Checking 39-3
About CRLs 39-3
About OCSP 39-4
Supported CA Servers 39-5
Certificate Configuration 39-5
Preparing for Certificates 39-5
Configuring Key Pairs 39-6
Generating Key Pairs 39-6
Removing Key Pairs 39-7
Configuring Trustpoints 39-7
Obtaining Certificates 39-9
Obtaining Certificates with SCEP 39-9
Obtaining Certificates Manually 39-11
Configuring CRLs for a Trustpoint 39-13
Exporting and Importing Trustpoints 39-14
Exporting a Trustpoint Configuration 39-15
Importing a Trustpoint Configuration 39-15
Configuring CA Certificate Map Rules 39-15
PART 4
System Administration
CHAPTER 40
Managing System Access 40-1
Allowing Telnet Access 40-1
Allowing SSH Access 40-2
Configuring SSH Access 40-2
Using an SSH Client 40-3
Allowing HTTPS Access for ASDM 40-3
Configuring ASDM and WebVPN on the Same Interface 40-4
Configuring AAA for System Administrators 40-5
Configuring Authentication for CLI Access 40-5
Configuring Authentication To Access Privileged EXEC Mode 40-6
Configuring Authentication for the Enable Command 40-6
Authenticating Users Using the Login Command 40-6
Configuring Command Authorization 40-7
Command Authorization Overview 40-7
Configuring Local Command Authorization 40-8
Configuring TACACS+ Command Authorization 40-11
Configuring Command Accounting 40-14
Viewing the Current Logged-In User 40-14
Recovering from a Lockout 40-15
Configuring a Login Banner 40-16
CHAPTER 41
Managing Software, Licenses, and Configurations 41-1
Managing Licenses 41-1
Obtaining an Activation Key 41-1
Entering a New Activation Key 41-2
Viewing Files in Flash Memory 41-2
Retrieving Files from Flash Memory 41-3
Downloading Software or Configuration Files to Flash Memory 41-3
Downloading a File to a Specific Location 41-4
Downloading a File to the Startup or Running Configuration 41-4
Configuring the Application Image and ASDM Image to Boot 41-5
Configuring the File to Boot as the Startup Configuration 41-6
Performing Zero Downtime Upgrades for Failover Pairs 41-6
Upgrading an Active/Standby Failover Configuration 41-7
Upgrading an Active/Active Failover Configuration 41-8
Backing Up Configuration Files 41-8
Backing up the Single Mode Configuration or Multiple Mode System Configuration 41-9
Backing Up a Context Configuration in Flash Memory 41-9
Backing Up a Context Configuration within a Context 41-9
Copying the Configuration from the Terminal Display 41-10
Configuring Auto Update Support 41-10
Configuring Communication with an Auto Update Server 41-10
Configuring Client Updates as an Auto Update Server 41-12
Viewing Auto Update Status 41-13
CHAPTER 42
Monitoring the Security Appliance 42-1
Using SNMP 42-1
SNMP Overview 42-1
Enabling SNMP 42-3
Configuring and Managing Logs 42-5
Logging Overview 42-5
Logging in Multiple Context Mode 42-5
Enabling and Disabling Logging 42-6
Enabling Logging to All Configured Output Destinations 42-6
Disabling Logging to All Configured Output Destinations 42-6
Viewing the Log Configuration 42-6
Configuring Log Output Destinations 42-7
Sending System Log Messages to a Syslog Server 42-7
Sending System Log Messages to the Console Port 42-8
Sending System Log Messages to an E-mail Address 42-9
Sending System Log Messages to ASDM 42-10
Sending System Log Messages to a Telnet or SSH Session 42-11
Sending System Log Messages to the Log Buffer 42-12
Filtering System Log Messages 42-14
Message Filtering Overview 42-15
Filtering System Log Messages by Class 42-15
Filtering System Log Messages with Custom Message Lists 42-17
Customizing the Log Configuration 42-18
Customizing the Log Configuration 42-18
Configuring the Logging Queue 42-19
Including the Date and Time in System Log Messages 42-19
Including the Device ID in System Log Messages 42-19
Generating System Log Messages in EMBLEM Format 42-20
Disabling a System Log Message 42-20
Changing the Severity Level of a System Log Message 42-21
Changing the Amount of Internal Flash Memory Available for Logs 42-22
Understanding System Log Messages 42-23
System Log Message Format 42-23
Severity Levels 42-23
CHAPTER 43
Troubleshooting the Security Appliance 43-1
Testing Your Configuration 43-1
Enabling ICMP Debug Messages and System Messages 43-1
Pinging Security Appliance Interfaces 43-2
Pinging Through the Security Appliance 43-4
Disabling the Test Configuration 43-5
Traceroute 43-6
Packet Tracer 43-6
Reloading the Security Appliance 43-6
Performing Password Recovery 43-7
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7
Password Recovery for the PIX 500 Series Security Appliance 43-8
Disabling Password Recovery 43-9
Resetting the Password on the SSM Hardware Module 43-10
Other Troubleshooting Tools 43-10
Viewing Debug Messages 43-11
Capturing Packets 43-11
Viewing the Crash Dump 43-11
Common Problems 43-11
PART 2
Reference
Supported Platforms and Feature Licenses A-1
Security Services Module Support A-9
VPN Specifications A-10
Cisco VPN Client Support A-11
Cisco Secure Desktop Support A-11
Site-to-Site VPN Compatibility A-11
Cryptographic Standards A-12
Example 1: Multiple Mode Firewall With Outside Access B-1
Example 1: System Configuration B-2
Example 1: Admin Context Configuration B-4
Example 1: Customer A Context Configuration B-4
Example 1: Customer B Context Configuration B-4
Example 1: Customer C Context Configuration B-5
Example 2: Single Mode Firewall Using Same Security Level B-6
Example 3: Shared Resources for Multiple Contexts B-8
Example 3: System Configuration B-9
Example 3: Admin Context Configuration B-9
Example 3: Department 1 Context Configuration B-10
Example 3: Department 2 Context Configuration B-11
Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12
Example 4: System Configuration B-13
Example 4: Admin Context Configuration B-14
Example 4: Customer A Context Configuration B-15
Example 4: Customer B Context Configuration B-15
Example 4: Customer C Context Configuration B-16
Example 5: WebVPN Configuration B-16
Example 6: IPv6 Configuration B-18
Example 7: Cable-Based Active/Standby Failover (Routed Mode) B-20
Example 8: LAN-Based Active/Standby Failover (Routed Mode) B-21
Example 8: Primary Unit Configuration B-21
Example 8: Secondary Unit Configuration B-22
Example 9: LAN-Based Active/Active Failover (Routed Mode) B-22
Example 9: Primary Unit Configuration B-23
Example 9: Primary System Configuration B-23
Example 9: Primary admin Context Configuration B-24
Example 9: Primary ctx1 Context Configuration B-25
Example 9: Secondary Unit Configuration B-25
Example 10: Cable-Based Active/Standby Failover (Transparent Mode) B-26
Example 11: LAN-Based Active/Standby Failover (Transparent Mode) B-27
Example 11: Primary Unit Configuration B-27
Example 11: Secondary Unit Configuration B-28
Example 12: LAN-Based Active/Active Failover (Transparent Mode) B-28
Example 12: Primary Unit Configuration B-29
Example 12: Primary System Configuration B-29
Example 12: Primary admin Context Configuration B-30
Example 12: Primary ctx1 Context Configuration B-31
Example 12: Secondary Unit Configuration B-31
Example 13: Dual ISP Support Using Static Route Tracking B-31
Example 14: ASA 5505 Base License B-33
Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-35
Example 15: Primary Unit Configuration B-35
Example 15: Secondary Unit Configuration B-37
Example 16: Network Traffic Diversion B-37
Inspecting All Traffic with the AIP SSM B-43
Inspecting Specific Traffic with the AIP SSM B-44
Verifying the Recording of Alert Events B-45
Troubleshooting the Configuration B-47
Firewall Mode and Security Context Mode C-1
Command Modes and Prompts C-2
Syntax Formatting C-3
Abbreviating Commands C-3
Command-Line Editing C-3
Command Completion C-4
Command Help C-4
Filtering show Command Output C-4
Command Output Paging C-5
Adding Comments C-6
Text Configuration Files C-6
How Commands Correspond with Lines in the Text File C-6
Command-Specific Configuration Mode Commands C-6
Automatic Text Entries C-7
Line Order C-7
Commands Not Included in the Text Configuration C-7
Passwords C-7
Multiple Security Context Files C-7
IPv4 Addresses and Subnet Masks D-1
Classes D-1
Private Networks D-2
Subnet Masks D-2
Determining the Subnet Mask D-3
Determining the Address to Use with the Subnet Mask D-3
IPv6 Addresses D-5
IPv6 Address Format D-5
IPv6 Address Types D-6
Unicast Addresses D-6
Multicast Address D-8
Anycast Address D-9
Required Addresses D-10
IPv6 Address Prefixes D-10
Protocols and Applications D-11
TCP and UDP Ports D-11
Local Ports and Protocols D-14
ICMP Types D-15
Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1
Understanding Policy Enforcement of Permissions and Attributes E-2
Configuring an External LDAP Server E-2
Reviewing the LDAP Directory Structure and Configuration Procedure E-3
Organizing the Security Appliance LDAP Schema E-3
Searching the Hierarchy E-4
Binding the Security Appliance to the LDAP Server E-5
Defining the Security Appliance LDAP Schema E-5
Cisco-AV-Pair Attribute Syntax E-14
Example Security Appliance Authorization Schema E-15
Loading the Schema in the LDAP Server E-18
Defining User Permissions E-18
Example User File E-18
Reviewing Examples of Active Directory Configurations E-19
Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19
Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-20
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22
Configuring an External RADIUS Server E-24
Reviewing the RADIUS Configuration Procedure E-24
Security Appliance RADIUS Authorization Attributes E-25
Security Appliance TACACS+ Attributes E-32
GLOSSARY
INDEX
About This Guide
This preface introduces the Cisco Security Appliance Command Line Configuration Guide and includes
the following sections:
• Document Objectives, page xxxv
• Audience, page xxxv
• Related Documentation, page xxxvi
• Document Organization, page xxxvi
• Document Conventions, page xxxix
• Obtaining Documentation and Submitting a Service Request, page xxxix
Document Objectives
The purpose of this guide is to help you configure the security appliance using the command-line
interface. This guide does not cover every feature, but describes only the most common configuration
scenarios.
You can also configure and monitor the security appliance by using ASDM, a web-based GUI
application. ASDM includes configuration wizards to guide you through some common configuration
scenarios, and online Help for less common scenarios. For more information, see:
http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm
This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535)
and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and
ASA 5550). Throughout this guide, the term “security appliance” applies generically to all supported
models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not
supported.
Audience
This guide is for network managers who perform any of the following tasks:
• Manage network security
• Install and configure firewalls/security appliances
• Configure VPNs
• Configure intrusion detection software
Related Documentation
For more information, refer to the following documentation:
• Cisco PIX Security Appliance Release Notes
• Cisco ASDM Release Notes
• Cisco PIX 515E Quick Start Guide
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
• Migrating to ASA for VPN 3000 Series Concentrator Administrators
• Cisco Security Appliance Command Reference
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
• Cisco ASA 5500 Series Release Notes
• Cisco Security Appliance Logging Configuration and System Log Messages
• Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix: Definition
Part 1: Getting Started and General Information
Chapter 1, “Introduction to the Security Appliance”: Provides a high-level overview of the security appliance.
Chapter 2, “Getting Started”: Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
Chapter 3, “Enabling Multiple Context Mode”: Describes how to use security contexts and enable multiple context mode.
Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance”: Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive security appliance.
Chapter 5, “Configuring Ethernet Settings and Subinterfaces”: Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 6, “Adding and Managing Security Contexts”: Describes how to configure multiple security contexts on the security appliance.
Chapter 7, “Configuring Interface Parameters”: Describes how to configure each interface and subinterface for a name, security level, and IP address.
Chapter 8, “Configuring Basic Settings”: Describes how to configure basic settings that are typically required for a functioning configuration.
Chapter 9, “Configuring IP Routing”: Describes how to configure IP routing.
Chapter 10, “Configuring DHCP, DDNS, and WCCP Services”: Describes how to configure the DHCP server and DHCP relay.
Chapter 11, “Configuring Multicast Routing”: Describes how to configure multicast routing.
Chapter 12, “Configuring IPv6”: Describes how to enable and configure IPv6.
Chapter 13, “Configuring AAA Servers and the Local Database”: Describes how to configure AAA servers and the local database.
Chapter 14, “Configuring Failover”: Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.
Part 2: Configuring the Firewall
Chapter 15, “Firewall Mode Overview”: Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode.
Chapter 16, “Identifying Traffic with Access Lists”: Describes how to identify traffic with access lists.
Chapter 17, “Applying NAT”: Describes how address translation is performed.
Chapter 18, “Permitting or Denying Network Access”: Describes how to control network access through the security appliance using access lists.
Chapter 19, “Applying AAA for Network Access”: Describes how to enable AAA for network access.
Chapter 20, “Applying Filtering Services”: Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 21, “Using Modular Policy Framework”: Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS.
Chapter 22, “Managing AIP SSM and CSC SSM”: Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC SSM, how to check the status of an SSM, and how to update the software image on an intelligent SSM.
Chapter 23, “Preventing Network Attacks”: Describes how to configure protection features to intercept and respond to network attacks.
Chapter 24, “Configuring QoS”: Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.
Chapter 25, “Configuring Application Layer Protocol Inspection”: Describes how to use and configure application inspection.
Chapter 26, “Configuring ARP Inspection and Bridging Parameters”: Describes how to enable ARP inspection and how to customize bridging operations.
Part 3: Configuring VPN
Chapter 27, “Configuring IPsec and ISAKMP”: Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN “tunnels,” or secure connections between remote users and a private corporate network.
Chapter 28, “Configuring L2TP over IPSec”: Describes how to configure IPSec over L2TP on the security appliance.
Chapter 29, “Setting General IPSec VPN Parameters”: Describes miscellaneous VPN configuration procedures.
Chapter 30, “Configuring Tunnel Groups, Group Policies, and Users”: Describes how to configure VPN tunnel groups, group policies, and users.
Chapter 31, “Configuring IP Addresses for VPNs”: Describes how to configure IP addresses in your private network addressing scheme, which let the client function as a tunnel endpoint.
Chapter 32, “Configuring Remote Access IPSec VPNs”: Describes how to configure a remote access VPN connection.
Chapter 33, “Configuring Network Admission Control”: Describes how to configure Network Admission Control (NAC).
Chapter 34, “Configuring Easy VPN Services on the ASA 5505”: Describes how to configure Easy VPN on the ASA 5505 adaptive security appliance.
Chapter 35, “Configuring the PPPoE Client”: Describes how to configure the PPPoE client provided with the security appliance.
Chapter 36, “Configuring LAN-to-LAN IPsec VPNs”: Describes how to build a LAN-to-LAN VPN connection.
Chapter 37, “Configuring WebVPN”: Describes how to establish a secure, remote-access VPN tunnel to a security appliance using a web browser.
Chapter 38, “Configuring SSL VPN Client”: Describes how to install and configure the SSL VPN Client.
Chapter 39, “Configuring Certificates”: Describes how to configure digital certificates, which contain information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.
Part 4: System Administration
Chapter 40, “Managing System Access”: Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS.
Chapter 41, “Managing Software, Licenses, and Configurations”: Describes how to enter license keys and download software and configuration files.
Chapter 42, “Monitoring the Security Appliance”: Describes how to monitor the security appliance.
Chapter 43, “Troubleshooting the Security Appliance”: Describes how to troubleshoot the security appliance.
Part 4: Reference
Appendix A, “Feature Licenses and Specifications”: Describes the feature licenses and specifications.
Appendix B, “Sample Configurations”: Describes a number of common ways to implement the security appliance.
Appendix C, “Using the Command-Line Interface”: Describes how to use the CLI to configure the security appliance.
Appendix D, “Addresses, Protocols, and Ports”: Provides a quick reference for IP addresses, protocols, and applications.
Appendix E, “Configuring an External Server for Authorization and Authentication”: Provides information about configuring LDAP and RADIUS authorization servers.
“Glossary”: Provides a handy reference for commonly-used terms and acronyms.
“Index”: Provides an index for the guide.
Document Conventions
Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.
Examples use these conventions:
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
PART 1
Getting Started and General Information
CHAPTER 1
Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and VPN concentrator functionality in one
device, and for some models, an integrated intrusion prevention module called the AIP SSM or an
integrated content security and control module called the CSC SSM. The security appliance includes
many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent
(Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and
WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for
a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series
Release Notes or the Cisco PIX Security Appliance Release Notes.
Note The Cisco PIX 501 and PIX 506E security appliances are not supported.
This chapter includes the following sections:
• Firewall Functional Overview, page 1-1
• VPN Functional Overview, page 1-5
• Intrusion Prevention Services Functional Overview, page 1-5
• Security Context Overview, page 1-6
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the security appliance lets you configure many interfaces with varied
security policies, including many inside interfaces, many DMZs, and even many outside interfaces if
desired, these terms are used in a general sense only.
This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4
Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the security appliance allows traffic to flow freely from an inside network (higher
security level) to an outside network (lower security level). You can apply actions to traffic to customize
the security policy. This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-2
• Applying NAT, page 1-2
• Using AAA for Through Traffic, page 1-2
• Applying HTTP, HTTPS, or FTP Filtering, page 1-3
• Applying Application Inspection, page 1-3
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
• Sending Traffic to the Content Security and Control Security Services Module, page 1-3
• Applying QoS Policies, page 1-3
• Applying Connection Limits and TCP Normalization, page 1-3
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The security appliance also sends accounting information to a RADIUS or TACACS+ server.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the security appliance in conjunction with a separate server
running one of the following Internet filtering products:
• Websense Enterprise
• Secure Computing SmartFilter
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the security
appliance to do a deep packet inspection.
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM
for inspection.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the adaptive security appliance to send to it.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The security appliance uses the
embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated
by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that
has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is
not considered a router hop. The security appliance connects to the same network on its inside and
outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm
and either allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A packet
filter also checks every packet against its rules, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and
perform other tasks to determine if the packet is allowed or denied. To perform this check, the first
packet of the session goes through the “session management path,” and depending on the type of
traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the security appliance does not need to re-check packets;
most matching packets can go through the fast path in both directions. The fast path is responsible
for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security appliance creates connection state
information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.
VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to
negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them
through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel
endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel
where they are unencapsulated and sent to their final destination. It can also receive encapsulated
packets, unencapsulate them, and send them to their final destination. The security appliance invokes
various standard protocols to accomplish these functions.
The security appliance performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The security appliance invokes various standard protocols to accomplish these functions.
Intrusion Prevention Services Functional Overview
The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention
services module that monitors and performs real-time analysis of network traffic by looking for
anomalies and misuse based on an extensive, embedded signature library. When the system detects
unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log
the incident, and send an alert to the device manager. Other legitimate connections continue to operate
independently without interruption. For more information, see Configuring the Cisco Intrusion
Prevention System Sensor Using the Command Line Interface.
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a configuration for each context that identifies
the security policy, interfaces, and almost all the options you can configure on a standalone device. The
system administrator adds and manages contexts by configuring them in the system configuration,
which, like a single mode configuration, is the startup configuration. The system configuration identifies
basic settings for the security appliance. The system configuration does not include any network
interfaces or network settings for itself; rather, when the system needs to access network resources (such
as downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context.
The admin context is just like any other context, except that when a user logs into the admin context,
then that user has system administrator rights and can access the system and all other contexts.
Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one
mode and others in another.
Multiple context mode supports static routing only.
Chapter 2 Getting Started
This chapter describes how to access the command-line interface, configure the firewall mode, and work
with the configuration. This chapter includes the following sections:
• Getting Started with Your Platform Model, page 2-1
• Factory Default Configurations, page 2-1
• Accessing the Command-Line Interface, page 2-4
• Setting Transparent or Routed Firewall Mode, page 2-5
• Working with the Configuration, page 2-6
Getting Started with Your Platform Model
This guide applies to multiple security appliance platforms and models: the PIX 500 series security
appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences
between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch,
and requires some special configuration. For these hardware-based differences, the platforms or models
supported are noted directly in each section.
Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive
security appliance does not support security contexts. This guide might not list each supported model
when discussing a feature. To determine the features that are supported for your model before you start
your configuration, see the “Supported Platforms and Feature Licenses” section on page A-1 for a
detailed list of the features supported for each model.
Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new security appliances. The
factory default configuration is supported on all models except for the PIX 525 and PIX 535 security
appliances.
For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default
configuration configures an interface for management so you can connect to it using ASDM, with which
you can then complete your configuration.
For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces
and NAT so that the security appliance is ready to use in your network immediately.
The factory default configuration is available only for routed firewall mode and single context mode. See
Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode. See
the “Setting Transparent or Routed Firewall Mode” section on page 2-5 for more information about
routed and transparent firewall mode.
This section includes the following topics:
• Restoring the Factory Default Configuration, page 2-2
• ASA 5505 Default Configuration, page 2-2
• ASA 5510 and Higher Default Configuration, page 2-3
• PIX 515/515E Default Configuration, page 2-4
Restoring the Factory Default Configuration
To restore the factory default configuration, enter the following command:
hostname(config)# configure factory-default [ip_address [mask]]
If you specify the ip_address, then you set the inside or management interface IP address, depending on
your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet
you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that
you specify.
After you restore the factory default configuration, save it to internal Flash memory using the write
memory command. The write memory command saves the running configuration to the default location
for the startup configuration, even if you previously configured the boot config command to set a
different location; when the configuration was cleared, this path was also cleared.
Note This command also clears the boot system command, if present, along with the rest of the configuration.
The boot system command lets you boot from a specific image, including an image on the external Flash
memory card. The next time you reload the security appliance after restoring the factory configuration,
it boots from the first image in internal Flash memory; if you do not have an image in internal Flash
memory, the security appliance does not boot.
To configure additional settings that are useful for a full configuration, see the setup command.
ASA 5505 Default Configuration
The default factory configuration for the ASA 5505 adaptive security appliance configures the
following:
• An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not
set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask
are 192.168.1.1 and 255.255.255.0.
• An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP
address using DHCP.
• The default route is also derived from DHCP.
• All inside IP addresses are translated when accessing the outside using interface PAT.
• By default, inside users can access the outside with an access list, and outside users are prevented
from accessing the inside.
• The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface
receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface vlan2
nameif outside
no shutdown
ip address dhcp setroute
interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
ASA 5510 and Higher Default Configuration
The default factory configuration for the ASA 5510 and higher adaptive security appliance configures
the following:
• The management interface, Management 0/0. If you did not set the IP address in the configure
factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives
an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
PIX 515/515E Default Configuration
The default factory configuration for the PIX 515/515E security appliance configures the following:
• The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default
command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives
an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface ethernet 1
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
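An added check of the properties these default configurations are described as having: ASDM HTTP access and the DHCP pool are bound to the interface that holds 192.168.1.1, the http source subnet equals that interface's subnet, and the DHCP range stays inside it without handing out the interface's own address. This is example code written for this page, not Cisco code; the parser covers only the commands that appear in the quoted configurations, and the WEAKENED variant is constructed.

```python
from ipaddress import ip_address, ip_interface, ip_network

# The ASA 5510 and higher factory default configuration, as quoted in this section
ASA5510_DEFAULT = """\
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
"""

# Constructed variant with two weakenings: ASDM reachable from any source address and a
# DHCP pool that also hands out the interface's own address
WEAKENED = ASA5510_DEFAULT.replace(
    "http 192.168.1.0 255.255.255.0 management", "http 0.0.0.0 0.0.0.0 management"
).replace("dhcpd address 192.168.1.2-192.168.1.254", "dhcpd address 192.168.1.1-192.168.1.254")

IF_SUBCOMMANDS = {"ip", "nameif", "security-level", "no", "switchport"}


def parse(config):
    """Minimal parser for the commands that appear in the factory default configurations."""
    blocks, current = [], None
    http_server, http_access, dhcp_pools = False, [], {}
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            current = {"nameif": None, "addr": None, "security_level": None}
            blocks.append(current)
            continue
        if current is not None and w[0] in IF_SUBCOMMANDS:
            if w[:2] == ["ip", "address"] and w[2] != "dhcp":   # "ip address dhcp setroute" has no static address
                current["addr"] = ip_interface(f"{w[2]}/{w[3]}")
            elif w[0] == "nameif":
                current["nameif"] = w[1]
            elif w[0] == "security-level":
                current["security_level"] = int(w[1])
            continue
        current = None                        # any other command ends the interface block
        if w[:2] == ["http", "server"]:
            http_server = w[2] == "enable"
        elif w[0] == "http" and len(w) == 4:
            http_access.append((ip_network(f"{w[1]}/{w[2]}"), w[3]))   # (source net, interface)
        elif w[:2] == ["dhcpd", "address"]:
            first, last = w[2].split("-")
            dhcp_pools[w[3]] = (ip_address(first), ip_address(last))
    ifaces = {b["nameif"]: b for b in blocks if b["nameif"]}
    return {"ifaces": ifaces, "http_server": http_server,
            "http_access": http_access, "dhcp_pools": dhcp_pools}


def audit(config, mgmt_addr="192.168.1.1"):
    """Return findings where the configuration departs from the defaults described above."""
    cfg = parse(config)
    mgmt = [n for n, i in cfg["ifaces"].items() if i["addr"] and str(i["addr"].ip) == mgmt_addr]
    if len(mgmt) != 1:
        return [f"no single interface carries {mgmt_addr}"]
    name, iface = mgmt[0], cfg["ifaces"][mgmt[0]]
    subnet = iface["addr"].network
    findings = []
    if iface["security_level"] != 100:
        findings.append(f"{name}: security-level {iface['security_level']}, expected 100")
    if cfg["http_server"]:
        for net, on_if in cfg["http_access"]:
            if on_if != name:
                findings.append(f"http access allowed on {on_if}, not on {name}")
            elif net != subnet:
                findings.append(f"http source {net} differs from interface subnet {subnet}")
    for on_if, (first, last) in cfg["dhcp_pools"].items():
        if on_if != name:
            findings.append(f"dhcp pool on {on_if}, not on {name}")
        if first > last or first not in subnet or last not in subnet:
            findings.append(f"dhcp range {first}-{last} not within {subnet}")
        elif first <= iface["addr"].ip <= last:
            findings.append(f"dhcp range {first}-{last} includes the interface address")
    return findings
```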
Accessing the Command-Line Interface
For initial configuration, access the command-line interface directly from the console port. Later, you
can configure remote access using Telnet or SSH according to Chapter 40, “Managing System Access.”
If your system is already in multiple context mode, then accessing the console port places you in the
system execution space. See Chapter 3, “Enabling Multiple Context Mode,” for more information about
multiple context mode.
Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you
can connect to the default management address of 192.168.1.1 (if your security appliance includes a
factory default configuration; see the “Factory Default Configurations” section on page 2-1). On the
ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is
Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect
with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface
to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, follow
the steps in this section to access the command-line interface. You can then configure the minimum
parameters to access ASDM by entering the setup command.
To access the command-line interface, perform the following steps:
Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a
terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide that came with your security appliance for more information about the console
cable.
Step 2 Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
The following prompt appears:
Password:
Step 4 Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter key to continue. See the “Changing the
Enable Password” section on page 8-1 to change the enable password.
The prompt changes to:
hostname#
To exit privileged mode, enter the disable, exit, or quit command.
Step 5 To access global configuration mode, enter the following command:
hostname# configure terminal
The prompt changes to the following:
hostname(config)#
To exit global configuration mode, enter the exit, quit, or end command.
Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall
mode.
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode
in the system execution space.
When you change modes, the security appliance clears the configuration because many commands are
not supported for both modes. If you already have a populated configuration, be sure to back up your
configuration before changing the mode; you can use this backup for reference when creating your new
configuration. See the “Backing Up Configuration Files” section on page 41-8. For multiple context
mode, the system configuration is erased. This action removes any contexts from running. If you then
re-add a context that has an existing configuration that was created for the wrong mode, the context
configuration will not work correctly. Be sure to recreate your context configurations for the correct
mode before you re-add them, or add new contexts with new paths for the new configurations.
If you download a text configuration to the security appliance that changes the mode with the
firewall transparent command, be sure to put the command at the top of the configuration; the security
appliance changes the mode as soon as it reads the command and then continues reading the
configuration you downloaded. If the command is later in the configuration, the security appliance clears
all the preceding lines in the configuration. See the “Downloading Software or Configuration Files to
Flash Memory” section on page 41-3 for information about downloading text files.
• To set the mode to transparent, enter the following command in the system execution space:
hostname(config)# firewall transparent
This command also appears in each context configuration for informational purposes only; you
cannot enter this command in a context.
• To set the mode to routed, enter the following command in the system execution space:
hostname(config)# no firewall transparent
Working with the Configuration
This section describes how to work with the configuration. The security appliance loads the
configuration from a text file, called the startup configuration. This file resides by default as a hidden
file in internal Flash memory. You can, however, specify a different path for the startup configuration.
(For more information, see Chapter 41, “Managing Software, Licenses, and Configurations.”)
When you enter a command, the change is made only to the running configuration in memory. You must
manually save the running configuration to the startup configuration for your changes to remain after a
reboot.
The information in this section applies to both single and multiple security contexts, except where noted.
Additional information about contexts is in Chapter 3, “Enabling Multiple Context Mode.”
This section includes the following topics:
• Saving Configuration Changes, page 2-6
• Copying the Startup Configuration to the Running Configuration, page 2-8
• Viewing the Configuration, page 2-8
• Clearing and Removing Configuration Settings, page 2-9
• Creating Text Configuration Files Offline, page 2-9
Saving Configuration Changes
This section describes how to save your configuration, and includes the following topics:
• Saving Configuration Changes in Single Context Mode, page 2-7
• Saving Configuration Changes in Multiple Context Mode, page 2-7
Saving Configuration Changes in Single Context Mode
To save the running configuration to the startup configuration, enter the following command:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
Saving Configuration Changes in Multiple Context Mode
You can save each context (and system) configuration separately, or you can save all context
configurations at the same time. This section includes the following topics:
• Saving Each Context and System Separately, page 2-7
• Saving All Context Configurations at the Same Time, page 2-7
Saving Each Context and System Separately
To save the system or context configuration, enter the following command within the system or context:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
For multiple context mode, context startup configurations can reside on external servers. In this case, the
security appliance saves the configuration back to the server you identified in the context URL, except
for an HTTP or HTTPS URL, which does not let you save the configuration to the server.
Saving All Context Configurations at the Same Time
To save all context configurations at the same time, as well as the system configuration, enter the
following command in the system execution space:
hostname# write memory all [/noconfirm]
If you do not enter the /noconfirm keyword, you see the following prompt:
Are you sure [Y/N]:
After you enter Y, the security appliance saves the system configuration and each context. Context
startup configurations can reside on external servers. In this case, the security appliance saves the
configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL,
which does not let you save the configuration to the server.
After the security appliance saves each context, the following message appears:
‘Saving context ‘b’ ... ( 1/3 contexts saved ) ’
Sometimes, a context is not saved because of an error. See the following information for errors:
• For contexts that are not saved because of low memory, the following message appears:
The context 'context a' could not be saved due to Unavailability of resources
• For contexts that are not saved because the remote destination is unreachable, the following message
appears:
The context 'context a' could not be saved due to non-reachability of destination
• For contexts that are not saved because the context is locked, the following message appears:
Unable to save the configuration for the following contexts as these contexts are
locked.
context ‘a’ , context ‘x’ , context ‘z’ .
A context is only locked if another user is already saving the configuration or in the process of
deleting the context.
• For contexts that are not saved because the startup configuration is read-only (for example, on an
HTTP server), the following message is printed at the end of all other messages:
Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context ‘a’ , context ‘b’ , context ‘c’ .
• For contexts that are not saved because of bad sectors in the Flash memory, the following message
appears:
The context 'context a' could not be saved due to Unknown errors
Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using one of these options:
• To merge the startup configuration with the running configuration, enter the following command:
hostname(config)# copy startup-config running-config
A merge adds any new commands from the new configuration to the running configuration. If the
configurations are the same, no changes occur. If commands conflict or if commands affect the
running of the context, then the effect of the merge depends on the command. You might get errors,
or you might have unexpected results.
• To load the startup configuration and discard the running configuration, restart the security
appliance by entering the following command:
hostname# reload
Alternatively, you can use the following commands to load the startup configuration and discard the
running configuration without requiring a reboot:
hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config
Viewing the Configuration
The following commands let you view the running and startup configurations.
• To view the running configuration, enter the following command:
hostname# show running-config
• To view the running configuration of a specific command, enter the following command:
hostname# show running-config command
• To view the startup configuration, enter the following command:
hostname# show startup-config
Clearing and Removing Configuration Settings
To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
This command clears all the current configuration for the specified configuration command. If you
only want to clear the configuration for a specific version of the command, you can enter a value for
level2configurationcommand.
For example, to clear the configuration for all aaa commands, enter the following command:
hostname(config)# clear configure aaa
To clear the configuration for only aaa authentication commands, enter the following command:
hostname(config)# clear configure aaa authentication
• To disable the specific parameters or options of a command, enter the following command:
hostname(config)# no configurationcommand [level2configurationcommand] qualifier
In this case, you use the no command to remove the specific configuration identified by qualifier.
For example, to remove a specific nat command, enter enough of the command to identify it
uniquely as follows:
hostname(config)# no nat (inside) 1
• To erase the startup configuration, enter the following command:
hostname(config)# write erase
• To erase the running configuration, enter the following command:
hostname(config)# clear configure all
Note In multiple context mode, if you enter clear configure all from the system configuration, you
also remove all contexts and stop them from running.
Creating Text Configuration Files Offline
This guide describes how to use the CLI to configure the security appliance; when you save commands,
the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly
on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or
line by line. Alternatively, you can download a text file to the security appliance internal Flash memory.
See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading
the configuration file to the security appliance.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the
following example is “hostname(config)#”:
hostname(config)# context a
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as
follows:
context a
For additional information about formatting the file, see Appendix C, “Using the Command-Line
Interface.”
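A small added helper for the offline editing this section describes (and for the ordering caveat in “Setting Transparent or Routed Firewall Mode”): it strips the prompts from a pasted CLI session, drops EXEC-mode commands that do not belong in a text configuration, reports which lines a mid-file firewall transparent command would clear, and moves that command to the top. This is example code written for this page, not Cisco code; the session transcript, hostname and interfaces are constructed.

```python
import re

# Prompt shapes used in this guide: "hostname>", "hostname#", "hostname(config)#",
# "hostname(config-if)#", "hostname/contexta(config)#"
PROMPT_RE = re.compile(r"^[\w.-]+(?:/[\w.-]+)?(?:\([\w-]+\))?[#>] ?")

# EXEC-mode commands that belong in an interactive session, not in a text configuration
EXEC_ONLY = {"enable", "disable", "configure terminal", "write memory", "end", "exit", "quit"}

# Commands that change the firewall mode and clear every line read before them
MODE_COMMANDS = {"firewall transparent", "no firewall transparent"}


def strip_prompts(session_text):
    """Turn a pasted CLI session into prompt-free configuration lines.
    One space after the prompt is removed; further indentation of sub-mode commands is kept."""
    lines = []
    for raw in session_text.splitlines():
        line = PROMPT_RE.sub("", raw, count=1).rstrip()
        if line and line.strip() not in EXEC_ONLY:
            lines.append(line)
    return lines


def lines_at_risk(lines):
    """Lines the appliance would clear because they precede a firewall mode command."""
    for i, line in enumerate(lines):
        if line.strip() in MODE_COMMANDS:
            return lines[:i]
    return []


def order_for_download(lines):
    """Move the firewall mode command to the top so nothing is cleared when it is read."""
    mode = [ln for ln in lines if ln.strip() in MODE_COMMANDS]
    if len(mode) > 1:
        raise ValueError("configuration sets the firewall mode more than once")
    return mode + [ln for ln in lines if ln.strip() not in MODE_COMMANDS]


def to_text(lines):
    """Join lines into the file that would be pasted or downloaded."""
    return "\n".join(lines) + "\n"


# Constructed session transcript (hostname, interfaces and ordering made up for the example)
SESSION = """\
hostname> enable
hostname# configure terminal
hostname(config)# hostname asa-lab
asa-lab(config)# interface vlan2
asa-lab(config-if)#  nameif outside
asa-lab(config-if)#  security-level 0
asa-lab(config-if)#  no shutdown
asa-lab(config-if)# exit
asa-lab(config)# firewall transparent
asa-lab(config)# interface vlan1
asa-lab(config-if)#  nameif inside
asa-lab(config-if)#  security-level 100
asa-lab(config-if)#  no shutdown
asa-lab(config-if)# end
asa-lab# write memory
"""
```

Run on SESSION, lines_at_risk reports the five lines before firewall transparent, and order_for_download produces a file that starts with that command.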
Chapter 3 Enabling Multiple Context Mode
This chapter describes how to use security contexts and enable multiple context mode. This chapter
includes the following sections:
• Security Context Overview, page 3-1
• Enabling or Disabling Multiple Context Mode, page 3-10
Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Multiple contexts are similar to having multiple standalone devices. Many features are supported in
multiple context mode, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
This section provides an overview of security contexts, and includes the following topics:
• Common Uses for Security Contexts, page 3-1
• Unsupported Features, page 3-2
• Context Configuration Files, page 3-2
• How the Security Appliance Classifies Packets, page 3-3
• Cascading Security Contexts, page 3-8
• Management Access to Security Contexts, page 3-9
Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling
multiple security contexts on the security appliance, you can implement a cost-effective,
space-saving solution that keeps all customer traffic separate and secure, and also eases
configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one security appliance.
Unsupported Features
Multiple context mode does not support the following features:
• Dynamic routing protocols
Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context
mode.
• VPN
• Multicast
Context Configuration Files
This section describes how the security appliance implements multiple context mode configurations and
includes the following sections:
• Context Configurations, page 3-2
• System Configuration, page 3-2
• Admin Context Configuration, page 3-2
Context Configurations
The security appliance includes a configuration for each context that identifies the security policy,
interfaces, and almost all the options you can configure on a standalone device. You can store context
configurations on the internal Flash memory or the external Flash memory card, or you can download
them from a TFTP, FTP, or HTTP(S) server.
System Configuration
The system administrator adds and manages contexts by configuring each context configuration location,
allocated interfaces, and other context operating parameters in the system configuration, which, like a
single mode configuration, is the startup configuration. The system configuration identifies basic
settings for the security appliance. The system configuration does not include any network interfaces or
network settings for itself; rather, when the system needs to access network resources (such as
downloading the contexts from the server), it uses one of the contexts that is designated as the admin
context. The system configuration does include a specialized failover interface for failover traffic only.
Admin Context Configuration
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users. The admin context must reside on Flash
memory, and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context
is created automatically as a file on the internal Flash memory called admin.cfg. This context is named
“admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
How the Security Appliance Classifies Packets
Each packet that enters the security appliance must be classified, so that the security appliance can
determine to which context to send a packet. This section includes the following topics:
• Valid Classifier Criteria, page 3-3
• Invalid Classifier Criteria, page 3-4
• Classification Examples, page 3-5
Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.
Valid Classifier Criteria
This section describes the criteria used by the classifier, and includes the following topics:
• Unique Interfaces, page 3-3
• Unique MAC Addresses, page 3-3
• NAT Configuration, page 3-3
Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet
into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method
is used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The security
appliance lets you assign a different MAC address in each context to the same shared interface, whether
it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique
MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An
upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC
addresses manually when you configure each interface (see the “Configuring the Interface” section on
page 7-2), or you can automatically generate MAC addresses (see the “Automatically Assigning MAC
Addresses to Context Interfaces” section on page 6-11).
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a
destination IP address lookup. All other fields are ignored; only the destination IP address is used. To
use the destination address for classification, the classifier must have knowledge about the subnets
located behind each security context. The classifier relies on the NAT configuration to determine the
subnets in each context. The classifier matches the destination IP address to either a static command or
a global command. In the case of the global command, the classifier does not need a matching nat
command or an active NAT session to classify the packet. Whether the packet can communicate with the
destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when
the context administrators configure static commands in each context:
• Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
• Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
• Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
Note For management traffic destined for an interface, the interface IP address is used for classification.
Invalid Classifier Criteria
The following configurations are not used for packet classification:
• NAT exemption—The classifier does not use a NAT exemption configuration for classification
purposes because NAT exemption does not identify a mapped interface.
• Routing table—If a context includes a static route that points to an external router as the next-hop
to a subnet, and a different context includes a static command for the same subnet, then the classifier
uses the static command to classify packets destined for that subnet and ignores the static route.
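As an added example (not code from the guide), the following Python model applies the classifier criteria above, in the documented order, to the chapter's own sample contexts and static commands; the assignment of MAC addresses to Context A and Context B, the burned-in MAC, and the GE0/1.x interface names are constructed for illustration.

```python
"""Model of the multiple-context packet classifier described in this chapter.

Added example, not Cisco code. Criteria are applied in the documented order:
unique ingress interface, then the per-context MAC on a shared interface, then
a destination-IP lookup against static/global mappings. Static routes are
carried only to show that the classifier does not consult them.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    interfaces: set                                    # interfaces allocated to this context
    macs: dict = field(default_factory=dict)           # interface -> unique MAC, if assigned
    nat: list = field(default_factory=list)            # (mapped interface, network) from static/global
    static_routes: list = field(default_factory=list)  # present only to show it is NOT consulted


def is_group_mac(mac):
    """True for multicast/broadcast MACs (I/G bit of the first octet, e.g. FFFF.FFFF.FFFF)."""
    return bool(int(mac.replace(".", "")[:2], 16) & 0x01)


def classify(contexts, ingress, dst_mac, dst_ip):
    """Return the names of the contexts that receive a packet arriving on `ingress`."""
    sharing = [c for c in contexts if ingress in c.interfaces]
    if not sharing:
        return []
    # Multicast/broadcast frames are duplicated to every context on the interface.
    if is_group_mac(dst_mac):
        return [c.name for c in sharing]
    # Criterion 1: only one context owns the ingress interface (always true in transparent mode).
    if len(sharing) == 1:
        return [sharing[0].name]
    # Criterion 2: shared interface with a unique MAC address per context.
    for c in sharing:
        if c.macs.get(ingress, "").upper() == dst_mac.upper():
            return [c.name]
    # Criterion 3: destination-IP lookup against static/global mappings on the shared interface.
    # Only the destination address is examined; entries in c.static_routes are ignored.
    ip = ipaddress.ip_address(dst_ip)
    for c in sharing:
        if any(iface == ingress and ip in network for iface, network in c.nat):
            return [c.name]
    return []  # no context claims the packet


def net(cidr):
    return ipaddress.ip_network(cidr)


# The chapter's static commands: static (inside,shared) 10.x.10.0 10.x.10.0 netmask 255.255.255.0
NAT_CONTEXTS = [
    Context("A", {"shared", "GE0/1.2"}, nat=[("shared", net("10.10.10.0/24"))]),
    Context("B", {"shared", "GE0/1.3"}, nat=[("shared", net("10.20.10.0/24"))]),
    Context("C", {"shared", "GE0/1.4"}, nat=[("shared", net("10.30.10.0/24"))],
            static_routes=[net("10.20.10.0/24")]),  # a route for B's subnet must not win
]

# Figure 3-1 style: unique MACs on the shared interface (which MAC is A's and which is B's is constructed).
MAC_CONTEXTS = [
    Context("A", {"shared"}, macs={"shared": "000C.F142.4CDB"}),
    Context("B", {"shared"}, macs={"shared": "000C.F142.4CDC"}),
]

BURNED_IN = "000C.F142.4CDA"  # constructed burned-in MAC of the physical shared interface


if __name__ == "__main__":
    print(classify(NAT_CONTEXTS, "shared", BURNED_IN, "10.20.10.7"))                # ['B'] via static
    print(classify(MAC_CONTEXTS, "shared", "000C.F142.4CDC", "209.165.201.1"))      # ['B'] via MAC
    print(classify(NAT_CONTEXTS, "GE0/1.3", BURNED_IN, "198.51.100.9"))             # ['B'] unique interface
```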
Classification Examples
Figure 3-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to
Context B because Context B includes the MAC address to which the router sends the packet.
Figure 3-1 Packet Classification with a Shared Interface using MAC Addresses
[Figure 3-1 diagram labels: Internet; Classifier; GE 0/0.1 (Shared Interface); Context A (GE 0/1.2, Inside Customer A), Context B (GE 0/1.3, Inside Customer B), Admin Context (GE 0/1.1, Admin Network); MAC 000C.F142.4CDA, MAC 000C.F142.4CDB, MAC 000C.F142.4CDC; Hosts 209.165.201.1, 209.165.200.225, 209.165.202.129; Packet Destination: 209.165.201.1 via MAC 000C.F142.4CDC]
Figure 3-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The
classifier assigns the packet to Context B because Context B includes the address translation that
matches the destination address.
Figure 3-2 Packet Classification with a Shared Interface using NAT
Note that all new incoming traffic must be classified, even from inside networks. Figure 3-3 shows a host
on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B
because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Note If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major
restrictions. The classifier relies on the address translation configuration to classify the packet within a
context, and you must translate the destination addresses of the traffic. Because you do not usually
perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not
always possible; the outside network is large, (the Web, for example), and addresses are not predictable
for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC
addresses.
[Figure 3-2 diagram labels: Internet; Classifier; GE 0/0.1 (Shared Interface); Context A (GE 0/1.2, Inside Customer A), Context B (GE 0/1.3, Inside Customer B), Admin Context (GE 0/1.1, Admin Network); Host 10.1.1.13 on each inside network; Dest Addr Translation 209.165.201.3; Packet Destination: 209.165.201.3, translated to 10.1.1.13]
Figure 3-3 Incoming Traffic from Inside Networks
[Figure 3-3 diagram labels: Host 10.1.1.13 on Inside Customer A, Inside Customer B, and the Admin Network; Classifier; Context A (GE 0/1.2), Context B (GE 0/1.3), Admin Context (GE 0/1.1); GE 0/0.1; Internet]
For transparent firewalls, you must use unique interfaces. Figure 3-4 shows a host on the Context B
inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress
interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 3-4 Transparent Firewall Contexts
Cascading Security Contexts
Placing a context directly in front of another context is called cascading contexts; the outside interface
of one context is the same interface as the inside interface of another context. You might want to cascade
contexts if you want to simplify the configuration of some contexts by configuring shared parameters in
the top context.
Note Cascading contexts requires that you configure unique MAC addresses for each context interface.
Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not
recommend using cascading contexts without unique MAC addresses.
[Figure 3-4 diagram labels: Hosts 10.1.3.13, 10.1.2.13, 10.1.1.13; Context A (GE 1/0.2), Context B (GE 1/0.3), Admin Context (GE 1/0.1); GE 0/0.1, GE 0/0.2, GE 0/0.3; Classifier; Inside Customer A; Inside Customer B; Admin Network; Internet]
Figure 3-5 shows a gateway context with two contexts behind the gateway.
Figure 3-5 Cascading Contexts
Management Access to Security Contexts
The security appliance provides system administrator access in multiple context mode as well as access
for individual context administrators. The following sections describe logging in as a system
administrator or as a context administrator:
• System Administrator Access, page 3-9
• Context Administrator Access, page 3-10
System Administrator Access
You can access the security appliance as a system administrator in two ways:
• Access the security appliance console.
From the console, you access the system execution space.
• Access the admin context using Telnet, SSH, or ASDM.
See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and ASDM access.
As the system administrator, you can access all contexts.
When you change to a context from admin or the system, your username changes to the default
“enable_15” username. If you configured command authorization in that context, you need to either
configure authorization privileges for the “enable_15” user, or you can log in as a different name for
which you provide sufficient privileges in the command authorization configuration for the context. To
log in with a username, enter the login command. For example, you log in to the admin context with the
username “admin.” The admin context does not have any command authorization configuration, but all
other contexts include command authorization. For convenience, each context configuration includes a
user “admin” with maximum privileges. When you change from the admin context to context A, your
username is altered, so you must log in again as “admin” by entering the login command. When you
change to context B, you must again enter the login command to log in as “admin.”
[Figure 3-5 diagram labels: Internet; Gateway Context (Outside, Inside); Context A (Outside, Inside); Admin Context (Outside, Inside); GE 0/0.1 (Shared Interface), GE 0/0.2, GE 1/1.8, GE 1/1.43]
The system execution space does not support any AAA commands, but you can configure its own enable
password, as well as usernames in the local database to provide individual logins.
Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can
only access the configuration for that context. You can provide individual logins to the context. See
Chapter 40, “Managing System Access,” to enable Telnet, SSH, and ASDM access and to configure
management authentication.
Enabling or Disabling Multiple Context Mode
Your security appliance might already be configured for multiple security contexts depending on how
you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode
to multiple mode by following the procedures in this section. ASDM does not support changing modes,
so you need to change modes using the CLI.
This section includes the following topics:
• Backing Up the Single Mode Configuration, page 3-10
• Enabling Multiple Context Mode, page 3-10
• Restoring Single Context Mode, page 3-11
Backing Up the Single Mode Configuration
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files. The original startup configuration is not saved, so if it differs from the
running configuration, you should back it up before proceeding.
Enabling Multiple Context Mode
The context mode (single or multiple) is not stored in the configuration file, even though it does endure
reboots. If you need to copy your configuration to another device, set the mode on the new device to
match using the mode command.
When you convert from single mode to multiple mode, the security appliance converts the running
configuration into two files: a new startup configuration that comprises the system configuration, and
admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The
original running configuration is saved as old_running.cfg (in the root directory of the internal Flash
memory). The original startup configuration is not saved. The security appliance automatically adds an
entry for the admin context to the system configuration with the name “admin.”
To enable multiple mode, enter the following command:
hostname(config)# mode multiple
You are prompted to reboot the security appliance.
Restoring Single Context Mode
If you convert from multiple mode to single mode, you might want to first copy a full startup
configuration (if available) to the security appliance; the system configuration inherited from multiple
mode is not a complete functioning configuration for a single mode device. Because the system
configuration does not have any network interfaces as part of its configuration, you must access the
security appliance from the console to perform the copy.
To copy the old running configuration to the startup configuration and to change the mode to single
mode, perform the following steps in the system execution space:
Step 1 To copy the backup version of your original running configuration to the current startup configuration,
enter the following command in the system execution space:
hostname(config)# copy flash:old_running.cfg startup-config
Step 2 To set the mode to single mode, enter the following command in the system execution space:
hostname(config)# mode single
The security appliance reboots.
Chapter 4
Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive
security appliance.
Note To configure interfaces of other models, see Chapter 5, “Configuring Ethernet Settings and
Subinterfaces,” and Chapter 7, “Configuring Interface Parameters.”
This chapter includes the following sections:
• Interface Overview, page 4-1
• Configuring VLAN Interfaces, page 4-5
• Configuring Switch Ports as Access Ports, page 4-9
• Configuring a Switch Port as a Trunk Port, page 4-11
• Allowing Communication Between VLAN Interfaces on the Same Security Level, page 4-13
Interface Overview
This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes
the following topics:
• Understanding ASA 5505 Ports and Interfaces, page 4-2
• Maximum Active VLAN Interfaces for Your License, page 4-2
• Default Interface Configuration, page 4-4
• VLAN MAC Addresses, page 4-4
• Power Over Ethernet, page 4-4
• Security Level Overview, page 4-5
Understanding ASA 5505 Ports and Interfaces
The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and
interfaces that you need to configure:
• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that
forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE
ports. See the “Power Over Ethernet” section on page 4-4 for more information. You can connect
these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can
connect to another switch.
• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN
networks at Layer 3, using the configured security policy to apply firewall and VPN services. In
transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer
2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN
Interfaces for Your License” section for more information about the maximum VLAN interfaces.
VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business,
and Internet VLANs.
To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface.
Switch ports on the same VLAN can communicate with each other using hardware switching. But when
a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive
security appliance applies the security policy to the traffic and routes or bridges between the two
VLANs.
Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Maximum Active VLAN Interfaces for Your License
In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.
In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active
VLANs with the Security Plus license.
An active VLAN is a VLAN with a nameif command configured.
With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See
Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but
cannot initiate contact with Business.
Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License
With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to
accommodate multiple VLANs per port.
Note The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover.
See Figure 4-2 for an example network.
Figure 4-2 ASA 5505 Adaptive Security Appliance with Security Plus License
[Figure 4-1 diagram labels: ASA 5505 with Base License; Business; Internet; Home]
[Figure 4-2 diagram labels: ASA 5505 with Security Plus License; Failover ASA 5505; Failover Link; Inside; DMZ; Primary ISP; Backup ISP]
Default Interface Configuration
If your adaptive security appliance includes the default factory configuration, your interfaces are
configured as follows:
• The outside interface (security level 0) is VLAN 2.
Ethernet0/0 is assigned to VLAN 2 and is enabled.
The VLAN 2 IP address is obtained from the DHCP server.
• The inside interface (security level 100) is VLAN 1.
Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and are enabled.
VLAN 1 has IP address 192.168.1.1.
Restore the default factory configuration using the configure factory-default command.
Use the procedures in this chapter to modify the default configuration, for example, to add VLAN
interfaces.
If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other
parameters are configured.
VLAN MAC Addresses
In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches
can support this scenario. If the connected switches require unique MAC addresses, you can manually
assign MAC addresses.
In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated
MAC addresses if desired by manually assigning MAC addresses.
Power Over Ethernet
Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you
install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not
supply power to the switch ports.
If you shut down the switch port using the shutdown command, you disable power to the device. Power
is restored when you enter no shutdown. See the “Configuring Switch Ports as Access Ports” section on
page 4-9 for more information about shutting down a switch port.
To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af),
use the show power inline command.
Monitoring Traffic Using SPAN
If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also
known as switch port monitoring. The port for which you enable SPAN (called the destination port)
receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets
you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have
to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port.
See the switchport monitor command in the Cisco Security Appliance Command Reference for more
information.
Security Level Overview
Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For
example, you should assign your most secure network, such as the inside business network, to level 100.
The outside network connected to the Internet can be level 0. Other networks, such as a home network,
can be in-between. You can assign interfaces to the same security level.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
• If you enable communication for same security interfaces, there is an implicit permit for interfaces
to access other interfaces on the same security level or lower. See the “Allowing Communication
Between VLAN Interfaces on the Same Security Level” section on page 4-13 for more information.
• Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
adaptive security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Configuring VLAN Interfaces
For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for
routed mode, an IP address. You should also change the security level from the default, which is 0. If
you name an interface “inside” and you do not set the security level explicitly, then the adaptive security
appliance sets the security level to 100.
For information about how many VLANs you can configure, see the “Maximum Active VLAN
Interfaces for Your License” section on page 4-2.
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
communications. See Chapter 14, “Configuring Failover,” to configure the failover link.
If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.
To configure a VLAN interface, perform the following steps:
Step 1 To specify the VLAN ID, enter the following command:
hostname(config)# interface vlan number
Where the number is between 1 and 4090.
For example, enter the following command:
hostname(config)# interface vlan 100
To remove this VLAN interface and all associated configuration, enter the no interface vlan command.
Because this interface also includes the interface name configuration, and the name is used in other
commands, those commands are also removed.
Step 2 (Optional) For the Base license, allow this interface to be the third VLAN by limiting it from initiating
contact to one other VLAN using the following command:
hostname(config-if)# no forward interface vlan number
Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.
With the Base license, you can only configure a third VLAN if you use this command to limit it.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an
inside business network, and a third VLAN assigned to your home network. The home network does not
need to access the business network, so you can use the no forward interface command on the home
VLAN; the business network can access the home network, but the home network cannot access the
business network.
If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no
forward interface command before the nameif command on the third interface; the adaptive security
appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505
adaptive security appliance.
Note If you upgrade to the Security Plus license, you can remove this command and achieve full
functionality for this interface. If you leave this command in place, this interface continues to be
limited even after upgrading.
Step 3 To name the interface, enter the following command:
hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by
reentering this command with a new value. Do not enter the no form, because that command causes all
commands that refer to that name to be deleted.
Step 4 To set the security level, enter the following command:
hostname(config-if)# security-level number
Where number is an integer between 0 (lowest) and 100 (highest).
Step 5 (Routed mode only) To set the IP address, enter one of the following commands.
Note To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
To set the management IP address for transparent firewall mode, see the “Setting the
Management IP Address for a Transparent Firewall” section on page 8-5. In transparent mode,
you do not set the IP address for each interface, but rather for the whole adaptive security
appliance or context.
For failover, you must set the IP address and standby address manually; DHCP and PPPoE are not
supported.
• To set the IP address manually, enter the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for
more information.
• To obtain an IP address from a DHCP server, enter the following command:
hostname(config-if)# ip address dhcp [setroute]
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address
dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”
Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
hostname(config-if)# mac-address mac_address [standby mac_address]
By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use
unique MAC addresses. You might want to set unique MAC addresses for the VLANs or change the generated
MAC addresses if your switch requires it, or for access control purposes.
Step 7 (Optional) To set an interface to management-only mode, so that it does not allow through traffic, enter
the following command:
hostname(config-if)# management-only
Step 8 By default, VLAN interfaces are enabled. To enable the interface, if it is not already enabled, enter the
following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command.
The following example configures seven VLAN interfaces, including the failover interface which is
configured separately using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
The following example configures three VLAN interfaces for the Base license. The third home interface
cannot forward traffic to the business interface.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif business
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif home
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
Configuring Switch Ports as Access Ports
By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access
port. To create a trunk port to carry multiple VLANs, see the “Configuring a Switch Port as a Trunk Port”
section on page 4-11.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled.
Caution The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection
in the network. Therefore you must ensure that any connection with the adaptive security appliance does
not end up in a network loop.
To configure a switch port, perform the following steps:
Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1
Step 2 To assign this switch port to a VLAN, enter the following command:
hostname(config-if)# switchport access vlan number
Where number is the VLAN ID, between 1 and 4090.
Note You might assign multiple switch ports to the primary or backup VLANs if the Internet access device
includes Layer 2 redundancy.
Step 3 (Optional) To prevent the switch port from communicating with other protected switch ports on the same
VLAN, enter the following command:
hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access,
and you want to isolate the devices from each other in case of infection or other security breach. For
example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other
if you apply the switchport protected command to each switch port. The inside and outside networks
can both communicate with all three web servers, and vice versa, but the web servers cannot
communicate with each other.
Step 4 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet
0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will
not be detected and supplied with power.
Step 5 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet
0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will
not be detected and supplied with power.
Step 6 To enable the switch port, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.
The following example configures five VLAN interfaces, including the failover interface which is
configured using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
Configuring a Switch Port as a Trunk Port
By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry
multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license.
To create an access port, where an interface is assigned to only one VLAN, see the “Configuring Switch
Ports as Access Ports” section on page 4-9.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled.
To configure a trunk port, perform the following steps:
Step 1 To specify the switch port you want to configure, enter the following command:
hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
hostname(config)# interface ethernet0/1
Step 2 To assign VLANs to this trunk, enter one or more of the following commands.
• To assign native VLANs, enter the following command:
hostname(config-if)# switchport trunk native vlan vlan_id
where the vlan_id is a single VLAN ID between 1 and 4090.
Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has
VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that
egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and
have no 802.1Q header are put into VLAN 2.
Each port can only have one native VLAN, but every port can have either the same or a different
native VLAN.
• To assign VLANs, enter the following command:
hostname(config-if)# switchport trunk allowed vlan vlan_range
where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following
ways:
A single number (n)
A range (n-x)
Separate numbers and ranges by commas, for example:
5,7-10,13,45-100
You can enter spaces instead of commas, but the command is saved to the configuration with
commas.
You can include the native VLAN in this command, but it is not required; the native VLAN is passed
whether it is included in this command or not.
This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native.
Step 3 To make this switch port a trunk port, enter the following command:
hostname(config-if)# switchport mode trunk
To restore this port to access mode, enter the switchport mode access command.
Step 4 (Optional) To prevent the switch port from communicating with other protected switch ports on the same
VLAN, enter the following command:
hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access,
and you want to isolate the devices from each other in case of infection or other security breach. For
example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other
if you apply the switchport protected command to each switch port. The inside and outside networks
can both communicate with all three web servers, and vice versa, but the web servers cannot
communicate with each other.
Step 5 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default.
Step 6 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.
Step 7 To enable the switch port, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.
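The vlan_range syntax in Step 2 accepts single IDs and n-x ranges separated by commas or spaces, is saved with commas, and the native VLAN is carried whether or not it is listed. The following Python parser is added here as an illustration; it is not part of this guide or of the security appliance software. parse_vlan_range expands a range specification and enforces the 1 to 4090 bounds, format_vlan_range renders a set of IDs back in the comma-separated form the configuration stores, and trunk_vlans (a name chosen for this example) combines the allowed list with the native VLAN as the trunk procedure describes.

```python
import re
from typing import Iterable, List, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4090   # bounds stated for the switchport trunk allowed vlan command


def parse_vlan_range(spec: str) -> Set[int]:
    """Expand a vlan_range such as '5,7-10,13,45-100' into the set of VLAN IDs it names.

    Items may be separated by commas or spaces, as the command accepts either.
    Raises ValueError for a malformed item, a descending range, or an ID outside 1-4090.
    """
    vlans: Set[int] = set()
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed VLAN item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"descending range: {item!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_range(vlans: Iterable[int]) -> str:
    """Render VLAN IDs the way the appliance stores them: sorted, comma-separated,
    with consecutive runs collapsed to n-x."""
    ids = sorted(set(vlans))
    parts: List[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def trunk_vlans(allowed: str, native: Optional[int] = None) -> Set[int]:
    """VLANs a trunk port will carry: the allowed list plus the native VLAN, which is
    passed whether or not it appears in the allowed list. An empty result means the
    port passes no traffic at all."""
    vlans = parse_vlan_range(allowed) if allowed.strip() else set()
    if native is not None:
        if not VLAN_MIN <= native <= VLAN_MAX:
            raise ValueError(f"native VLAN outside {VLAN_MIN}-{VLAN_MAX}: {native}")
        vlans.add(native)
    return vlans
```

Running the example configuration's trunk through trunk_vlans("200-202", 5) yields VLANs 5, 200, 201 and 202, which is the set an operator should expect to see on the far-end switch; an allowed list that fails to parse is rejected before it can be pushed to the device.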
The following example configures seven VLAN interfaces, including the failover interface which is
configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200-202
hostname(config-if)# switchport trunk native vlan 5
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
Allowing Communication Between VLAN Interfaces on the Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces lets traffic flow freely between all same security
interfaces without access lists.
Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.
See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT
and same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the
following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.
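Two constraints in this chapter are easy to violate without any error from the appliance: the Base-license rule that a third nameif VLAN interface must carry the no forward interface command (see the VLAN interface procedure earlier in this chapter), and the rule just stated that interfaces on the same security level exchange no traffic until same-security-traffic permit inter-interface is configured. The following Python audit script is an added example, not code from this guide or from Cisco. It parses the commands covered in this chapter out of a configuration in show running-config layout (sub-commands indented under their interface line), also flags switch ports whose fixed speed and duplex disable Auto-MDI/MDIX or PoE device detection, and runs against a constructed sample configuration. The normalized interface keys such as ethernet0/6 and the wording of the findings are this example's own conventions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Iface:
    key: str                                  # normalized ID, e.g. "vlan300" or "ethernet0/6"
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    forward_blocked: List[str] = field(default_factory=list)  # targets of "no forward interface"
    speed: str = "auto"
    duplex: str = "auto"


def parse_asa_config(text: str):
    """Pull the interface and global commands from this chapter out of an ASA configuration.
    Assumes show running-config layout (sub-commands indented under their interface line);
    both the "interface vlan 300" and "interface Vlan300" spellings are accepted."""
    ifaces: Dict[str, Iface] = {}
    global_cmds: List[str] = []
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+([a-z]+)\s*(\S+)$", line, re.I)
        if m:
            key = m.group(1).lower() + m.group(2)
            cur = ifaces.setdefault(key, Iface(key))
            continue
        if cur is None or not raw[:1].isspace():   # an unindented line ends the interface block
            cur = None
            global_cmds.append(line.lower())
            continue
        m = re.match(r"no forward interface\s+([a-z]+)\s*(\S+)$", line, re.I)
        if m:
            cur.forward_blocked.append(m.group(1).lower() + m.group(2))
            continue
        m = re.match(r"(nameif|security-level|speed|duplex)\s+(\S+)$", line, re.I)
        if m:
            cmd, arg = m.group(1).lower(), m.group(2)
            if cmd == "security-level":
                cur.security_level = int(arg)
            else:
                setattr(cur, cmd, arg if cmd == "nameif" else arg.lower())
    return ifaces, global_cmds


def audit(text: str, base_license: bool = True) -> List[str]:
    """Findings for settings that, per this chapter, will not do what an operator might expect."""
    ifaces, global_cmds = parse_asa_config(text)
    findings: List[str] = []
    named = [i for i in ifaces.values() if i.nameif]
    # Base license: a third nameif VLAN must carry "no forward interface" toward one of the others.
    vlans = [i for i in named if i.key.startswith("vlan")]
    if base_license and len(vlans) >= 3 and not any(i.forward_blocked for i in vlans):
        findings.append("base-license: three named VLAN interfaces but none has 'no forward interface'")
    # Same security level: such interfaces exchange no traffic until the global permit is set.
    by_level: Dict[int, List[str]] = {}
    for i in named:
        if i.security_level is not None:
            by_level.setdefault(i.security_level, []).append(i.nameif)
    if "same-security-traffic permit inter-interface" not in global_cmds:
        for level, names in sorted(by_level.items()):
            if len(names) > 1:
                findings.append(f"security-level {level}: {', '.join(sorted(names))} cannot "
                                "communicate (same-security-traffic not permitted)")
    # Switch ports: fixing both speed and duplex disables Auto-MDI/MDIX, and anything but auto on
    # PoE ports 0/6 and 0/7 stops pre-802.3af phones and access points from being powered.
    for i in ifaces.values():
        if not i.key.startswith("ethernet"):
            continue
        if i.speed != "auto" and i.duplex != "auto":
            findings.append(f"{i.key}: speed and duplex both fixed, Auto-MDI/MDIX disabled")
        if i.key in ("ethernet0/6", "ethernet0/7") and (i.speed, i.duplex) != ("auto", "auto"):
            findings.append(f"{i.key}: PoE port not on auto, pre-802.3af devices will not be powered")
    return findings


# Constructed sample: the chapter's Base-license example with its "no forward interface"
# line dropped, "home" placed on the same level as "business", and a PoE port pinned.
SAMPLE_CONFIG = """\
interface vlan 100
 nameif outside
 security-level 0
interface vlan 200
 nameif business
 security-level 100
interface vlan 300
 nameif home
 security-level 100
interface ethernet 0/6
 switchport access vlan 300
 speed 100
 duplex full
"""
# The same configuration with every finding corrected.
FIXED_CONFIG = "same-security-traffic permit inter-interface\n" + SAMPLE_CONFIG.replace(
    " nameif home", " no forward interface vlan 200\n nameif home").replace(
    " speed 100\n duplex full", " speed auto\n duplex auto")
```

audit(SAMPLE_CONFIG) reports four findings (the missing no forward interface, the blocked business/home pair, and two for the pinned PoE port), while audit(FIXED_CONFIG) returns an empty list; pass base_license=False for a Security Plus unit so the three-VLAN rule is skipped.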
Chapter 5
Configuring Ethernet Settings and Subinterfaces
This chapter describes how to configure and enable physical Ethernet interfaces and how to add
subinterfaces. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the
ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the
interface media type.
In single context mode, complete the procedures in this chapter and then continue your interface
configuration in Chapter 7, “Configuring Interface Parameters.” In multiple context mode, complete the
procedures in this chapter in the system execution space, then assign interfaces and subinterfaces to
contexts according to Chapter 6, “Adding and Managing Security Contexts,” and finally configure the
interface parameters within each context according to Chapter 7, “Configuring Interface Parameters.”
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring
Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
This chapter includes the following sections:
• Configuring and Enabling RJ-45 Interfaces, page 5-1
• Configuring and Enabling Fiber Interfaces, page 5-3
• Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking, page 5-3
Configuring and Enabling RJ-45 Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the
interface. By default, all physical interfaces are shut down. You must enable the physical interface before
any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a
physical interface or subinterface to a context, the interfaces are enabled by default in the context.
However, before traffic can pass through the context interface, you must also enable the interface in the
system configuration according to this procedure.
By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate.
The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive
security appliance include two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. If you
want to configure the security appliance to use the fiber SFP connectors, see the “Configuring and
Enabling Fiber Interfaces” section on page 5-3.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation
setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover
cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation
phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation
for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and
duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is
always enabled and you cannot disable it.
To enable the interface, or to set a specific speed and duplex, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface physical_interface
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example,
ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example,
gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on
the 4GE SSM are assigned to slot 1.
The ASA 5500 series adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is
specified as management0/0. You can, however, use it for through traffic if desired (see the
management-only command). In transparent firewall mode, you can use the management interface
in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the
management interface to provide management in each security context for multiple context mode.
Step 2 (Optional) To set the speed, enter the following command:
hostname(config-if)# speed {auto | 10 | 100 | 1000 | nonegotiate}
The auto setting is the default. The speed nonegotiate command disables link negotiation.
Step 3 (Optional) To set the duplex, enter the following command:
hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.
Step 4 To enable the interface, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
Configuring and Enabling Fiber Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the
interface. By default, all physical interfaces are shut down. You must enable the physical interface before
any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a
physical interface or subinterface to a context, the interfaces are enabled by default in the context.
However, before traffic can pass through the context interface, you must also enable the interface in the
system configuration according to this procedure.
By default, the connectors used on the 4GE SSM or for built-in interfaces in slot 1 on the ASA 5550
adaptive security appliance are the RJ-45 connectors. To use the fiber SFP connectors, you must set the
media type to SFP. The fiber interface has a fixed speed and does not support duplex, but you can set the
interface to negotiate link parameters (the default) or not to negotiate.
To enable the interface, set the media type, or to set negotiation settings, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface gigabitethernet 1/port
The 4GE SSM interfaces are assigned to slot 1, as shown in the interface ID in the syntax (the interfaces
built into the chassis are assigned to slot 0).
Step 2 To set the media type to SFP, enter the following command:
hostname(config-if)# media-type sfp
To restore the default RJ-45, enter the media-type rj45 command.
Step 3 (Optional) To disable link negotiation, enter the following command:
hostname(config-if)# speed nonegotiate
For fiber Gigabit Ethernet interfaces, the default is no speed nonegotiate, which sets the speed to 1000
Mbps and enables link negotiation for flow-control parameters and remote fault information. The speed
nonegotiate command disables link negotiation.
Step 4 To enable the interface, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking
This section describes how to configure and enable a VLAN subinterface. An interface with one or more
VLAN subinterfaces is automatically configured as an 802.1Q trunk.
You must enable the physical interface before any traffic can pass through an enabled subinterface (see
the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1 or the “Configuring and Enabling
Fiber Interfaces” section on page 5-3). For multiple context mode, if you allocate a subinterface to a
context, the interfaces are enabled by default in the context. However, before traffic can pass through the
context interface, you must also enable the interface in the system configuration with this procedure.
Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with
different VLAN IDs. Because VLANs allow you to keep traffic separate on a given physical interface,
you can increase the number of interfaces available to your network without adding additional physical
interfaces or security appliances. This feature is particularly useful in multiple context mode so you can
assign unique interfaces to each context.
To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses
and Specifications.”
Note If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the
physical interface passes untagged packets. Because the physical interface must be enabled for the
subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the
nameif command. If you want to let the physical interface pass untagged packets, you can configure the
nameif command as usual. See the “Configuring Interface Parameters” section on page 7-1 for more
information about completing the interface configuration.
To add a subinterface and assign a VLAN to it, perform the following steps:
Step 1 To specify the new subinterface, enter the following command:
hostname(config)# interface physical_interface.subinterface
See the “Configuring and Enabling RJ-45 Interfaces” section for a description of the physical interface
ID.
The subinterface ID is an integer between 1 and 4294967293.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.100
Step 2 To specify the VLAN for the subinterface, enter the following command:
hostname(config-subif)# vlan vlan_id
The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected
switches, so check the switch documentation for more information.
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface
must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the
old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the
security appliance changes the old ID.
Step 3 To enable the subinterface, enter the following command:
hostname(config-subif)# no shutdown
To disable the interface, enter the shutdown command. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it.
Chapter 6
Adding and Managing Security Contexts
This chapter describes how to configure multiple security contexts on the security appliance, and
includes the following sections:
• Configuring Resource Management, page 6-1
• Configuring a Security Context, page 6-7
• Automatically Assigning MAC Addresses to Context Interfaces, page 6-11
• Changing Between Contexts and the System Execution Space, page 6-11
• Managing Security Contexts, page 6-12
For information about how contexts work and how to enable multiple context mode, see Chapter 3,
“Enabling Multiple Context Mode.”
Configuring Resource Management
By default, all security contexts have unlimited access to the resources of the security appliance, except
where maximum limits per context are enforced. However, if you find that one or more contexts use too
many resources, and they cause other contexts to be denied connections, for example, then you can
configure resource management to limit the use of resources per context.
This section includes the following topics:
• Classes and Class Members Overview, page 6-1
• Configuring a Class, page 6-4
Classes and Class Members Overview
The security appliance manages resources by assigning contexts to resource classes. Each context uses
the resource limits set by the class. This section includes the following topics:
• Resource Limits, page 6-2
• Default Class, page 6-3
• Class Members, page 6-4
Resource Limits
When you create a class, the security appliance does not set aside a portion of the resources for each
context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you
oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those
resources, potentially affecting service to other contexts.
You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an
absolute value.
You can oversubscribe the security appliance by assigning more than 100 percent of a resource across
all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context,
and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than
the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-1.)
Figure 6-1 Resource Oversubscription
If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the
security appliance, then the performance of the security appliance might be impaired.
The security appliance lets you assign unlimited access to one or more resources in a class, instead of a
percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource
as the system has available or that is practically available. For example, Contexts A, B, and C are in the
Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but
the three contexts are currently only using 2 percent combined. The Gold Class has unlimited access to
connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned”
connections; they can also use the 1 percent of connections not currently in use by Contexts A, B, and C,
even if that means that Contexts A, B, and C are then unable to reach their 3 percent combined limit. (See
Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you
have less control over how much you oversubscribe the system.
[Figure 6-1 Resource Oversubscription (plot residue): total number of system connections = 999,900; x-axis: contexts in class, 1 through 10; y-axis: maximum connections allowed per context, from 4% (39,996) up to the 20% limit (199,800); legend: connections in use, and connections denied because the system limit was reached.]
Figure 6-2 Unlimited Resources
Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to
actively assign a context to the default class.
If a context belongs to a class other than the default class, those class settings always override the default
class settings. However, if the other class has any settings that are not defined, then the member context
uses the default class for those limits. For example, if you create a class with a 2 percent limit for all
concurrent connections, but no other limits, then all other limits are inherited from the default class.
Conversely, if you create a class with a limit for all resources, the class uses no settings from the default
class.
By default, the default class provides unlimited access to resources for all contexts, except for the
following limits, which are by default set to the maximum allowed per context:
• Telnet sessions—5 sessions.
• SSH sessions—5 sessions.
• IPSec sessions—5 sessions.
• MAC addresses—65,535 entries.
[Figure 6-2 Unlimited Resources (plot residue): contexts A, B and C in the Silver Class and contexts 1, 2 and 3 in the Gold Class; y-axis 1% through 5%, with additional marks at 50% and 43%; legend: maximum connections allowed, connections in use, and connections denied because the system limit was reached.]
Figure 6-3 shows the relationship between the default class and other classes. Contexts A and C belong
to classes with some limits set; other limits are inherited from the default class. Context B inherits no
limits from default because all limits are set in its class, the Gold class. Context D was not assigned to
a class, and is by default a member of the default class.
Figure 6-3 Resource Classes
Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts
belong to the default class if they are not assigned to another class; you do not have to actively assign a
context to default. You can only assign a context to one resource class. The exception to this rule is that
limits that are undefined in the member class are inherited from the default class; so in effect, a context
could be a member of default plus another class.
Configuring a Class
To configure a class in the system configuration, perform the following steps. You can change the value
of a particular resource limit by reentering the command with a new value.
Step 1 To specify the class name and enter the class configuration mode, enter the following command in the
system execution space:
hostname(config)# class name
The name is a string up to 20 characters long. To set the limits for the default class, enter default for the
name.
Step 2 To set the resource limits, see the following options:
• To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command:
hostname(config-resmgmt)# limit-resource all 0
[Figure 6-3 Resource Classes (diagram residue): Default Class; Class Gold (all limits set); Class Silver (some limits set); Class Bronze (some limits set); Contexts A, B, C and D.]
For example, you might want to create a class that includes the admin context that has no limitations.
The default class has all resources set to unlimited by default.
• To set a particular resource limit, enter the following command:
hostname(config-resmgmt)# limit-resource [rate] resource_name number[%]
For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set
the rate per second for certain resources. For resources that do not have a system limit, you cannot
set the percentage (%) between 1 and 100; you can only set an absolute value. See Table 6-1 for the
resources for which you can set the rate per second and those that do not have a system limit.
Table 6-1 lists the resource types and the limits. See also the show resource types command.
Table 6-1 Resource Names and Limits
Resource Name   Rate or Concurrent   Minimum and Maximum per Context   System Limit (1)
  Description
mac-addresses   Concurrent           N/A                               65,535
  For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.
conns           Concurrent or Rate   N/A                               Concurrent connections: see the “Supported
                                                                       Platforms and Feature Licenses” section on
                                                                       page A-1 for the connection limit for your
                                                                       platform. Rate: N/A
  TCP or UDP connections between any two hosts, including connections between one host and multiple
  other hosts.
inspects        Rate                 N/A                               N/A
  Application inspections.
hosts           Concurrent           N/A                               N/A
  Hosts that can connect through the security appliance.
asdm            Concurrent           1 minimum, 5 maximum              32
  ASDM management sessions.
  Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one
  for making configuration changes that is present only when you make changes. For example, the
  system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.
ssh             Concurrent           1 minimum, 5 maximum              100
  SSH sessions.
syslogs         Rate                 N/A                               N/A
  System log messages.
telnet          Concurrent           1 minimum, 5 maximum              100
  Telnet sessions.
xlates          Concurrent           N/A                               N/A
  Address translations.
1. If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.
For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the
following commands:
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%
All other resources remain at unlimited.
To add a class called gold, enter the following commands:
hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
Configuring a Security Context
The security context definition in the system configuration identifies the context name, configuration file
URL, and interfaces that a context can use.
Note If you do not have an admin context (for example, if you clear the configuration) then you must first
specify the admin context name by entering the following command:
hostname(config)# admin-context name
Although this context name does not exist yet in your configuration, you can subsequently enter the
context name command to match the specified name to continue the admin context configuration.
To add or change a context in the system configuration, perform the following steps:
Step 1 To add or modify a context, enter the following command in the system execution space:
hostname(config)# context name
The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts
named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you
cannot start or end the name with a hyphen.
“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.
Step 2 (Optional) To add a description for this context, enter the following command:
hostname(config-ctx)# description text
Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical
interface or for one or more subinterfaces.
• To allocate a physical interface, enter the following command:
hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible]
• To allocate one or more subinterfaces, enter the following command:
hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
You can enter these commands multiple times to specify different ranges. If you remove an allocation
with the no form of this command, then any context commands that include this interface are removed
from the running configuration.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA
adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either
the physical interface or a subinterface) as a third interface for management traffic.
Note The management interface for transparent mode does not flood a packet out the interface when that
packet is not in the MAC address table.
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode
does not allow shared interfaces.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of
the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For
security purposes, you might not want the context administrator to know which interfaces are being used
by the context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only
letters, digits, or an underscore. For example, you can use the following names:
int0
inta
int_0
For subinterfaces, you can specify a range of mapped names.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these
guidelines for ranges:
• The mapped name must consist of an alphabetic portion followed by a numeric portion. The
alphabetic portion of the mapped name must match for both ends of the range. For example, enter
the following range:
int0-int10
If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command
fails.
• The numeric portion of the mapped name must include the same quantity of numbers as the
subinterface range. For example, both ranges include 100 interfaces:
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100
If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command
fails.
Specify visible to see physical interface properties in the show interface command even if you set a
mapped name. The default invisible keyword specifies to only show the mapped name.
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and
gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are
int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
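As an added example (not Cisco's code), a Python checker for the two mapped-name range rules just described and the general mapped-name character rules; the interface names in it are constructed, and the check that both ends of a subinterface range lie on one physical interface is an assumption of the model.

```python
"""Added example (not Cisco's code): check an `allocate-interface` subinterface
range against its mapped-name range using the two rules stated on the page
(matching alphabetic portion; the same quantity of names as subinterfaces),
plus the general mapped-name character rules. Useful for linting a system
configuration before it is pushed, since the appliance rejects bad ranges."""
import re

# A mapped name starts with a letter, ends with a letter or digit, and has only
# letters, digits or underscores in between (page rule).
MAPPED_NAME = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
# A range end must be an alphabetic portion followed by a numeric portion.
RANGE_END = re.compile(r"^([A-Za-z][A-Za-z0-9_]*?)(\d+)$")
# physical_interface.subinterface, e.g. gigabitethernet0/0.100
SUBIF = re.compile(r"^([A-Za-z]+\d+/\d+)\.(\d+)$")


def expand_subinterfaces(spec):
    """Expand `phy.sub[-phy.sub]` into the ordered list of subinterface IDs."""
    ends = spec.split("-")
    if len(ends) > 2:
        raise ValueError(f"malformed subinterface range: {spec}")
    parsed = []
    for end in ends:
        m = SUBIF.match(end)
        if not m:
            raise ValueError(f"not a subinterface: {end}")
        parsed.append((m.group(1), int(m.group(2))))
    (phy, lo), (phy2, hi) = parsed[0], parsed[-1]
    # Assumption of this model: both ends of a range are on one physical interface.
    if phy.lower() != phy2.lower() or hi < lo:
        raise ValueError(f"invalid subinterface range: {spec}")
    return [f"{phy}.{n}" for n in range(lo, hi + 1)]


def expand_mapped_names(spec, count):
    """Expand `name[-name]` for `count` subinterfaces, enforcing the page's rules."""
    ends = spec.split("-")
    if len(ends) > 2:
        raise ValueError(f"malformed mapped-name range: {spec}")
    for end in ends:
        if not MAPPED_NAME.match(end):
            raise ValueError(f"illegal mapped name: {end}")
    if len(ends) == 1:
        if count != 1:  # model assumption: one name cannot cover several subinterfaces
            raise ValueError(f"{count} subinterfaces but a single mapped name {spec}")
        return ends
    first, last = RANGE_END.match(ends[0]), RANGE_END.match(ends[1])
    if not first or not last:
        raise ValueError(f"range ends need an alphabetic then a numeric part: {spec}")
    # Rule 1: the alphabetic portion must match at both ends (happy1-sad5 fails).
    if first.group(1) != last.group(1):
        raise ValueError(f"alphabetic portions differ: {spec}")
    lo, hi = int(first.group(2)), int(last.group(2))
    # Rule 2: the numeric portion must cover exactly as many names as there are
    # subinterfaces (int1-int15 for a 100-subinterface range fails).
    if hi - lo + 1 != count:
        raise ValueError(f"{spec} names {hi - lo + 1} interfaces but range has {count}")
    return [f"{first.group(1)}{n}" for n in range(lo, hi + 1)]


def allocate_interface(subif_spec, mapped_spec=None):
    """Model `allocate-interface <subif range> [mapped range]`: return the list of
    (subinterface, name visible inside the context) pairs, or raise ValueError."""
    subifs = expand_subinterfaces(subif_spec)
    if mapped_spec is None:
        return [(s, s) for s in subifs]  # no mapped name: the interface ID is used
    return list(zip(subifs, expand_mapped_names(mapped_spec, len(subifs))))


def check(subif_spec, mapped_spec=None):
    """None if the allocation would be accepted, otherwise the reason it fails."""
    try:
        allocate_interface(subif_spec, mapped_spec)
        return None
    except ValueError as exc:
        return str(exc)
```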
Step 4 To identify the URL from which the system downloads the context configuration, enter the following
command:
hostname(config-ctx)# config-url url
When you add a context URL, the system immediately loads the context so that it is running, if the
configuration is available.
Note Enter the allocate-interface command(s) before you enter the config-url command. The security
appliance must assign interfaces to the context before it loads the context configuration; the context
configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the
config-url command first, the security appliance loads the context configuration immediately. If the
context contains any commands that refer to interfaces, those commands fail.
See the following URL syntax:
• disk:/[path/]filename
This URL indicates the internal Flash memory. The filename does not require a file extension,
although we recommend using “.cfg”. If the configuration file is not available, you see the following
message:
WARNING: Could not fetch the URL disk:/url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to Flash memory.
Note The admin context file must be stored on the internal Flash memory.
• ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]
The type can be one of the following keywords:
– ap—ASCII passive mode
– an—ASCII normal mode
– ip—(Default) Binary passive mode
– in—Binary normal mode
The server must be accessible from the admin context. The filename does not require a file
extension, although we recommend using “.cfg”. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL ftp://url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to the FTP server.
• http[s]://[user[:password]@]server[:port]/[path/]filename
The server must be accessible from the admin context. The filename does not require a file
extension, although we recommend using “.cfg”. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL http://url
INFO: Creating context with default config
If you change to the context and configure the context at the CLI, you cannot save changes back to
HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp
command to copy the running configuration to a TFTP server.
• tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]
The server must be accessible from the admin context. Specify the interface name if you want to
override the route to the server address. The filename does not require a file extension, although we
recommend using “.cfg”. If the configuration file is not available, you see the following message:
WARNING: Could not fetch the URL tftp://url
INFO: Creating context with default config
You can then change to the context, configure it at the CLI, and enter the write memory command
to write the file to the TFTP server.
To change the URL, reenter the config-url command with a new URL.
See the “Changing the Security Context URL” section on page 6-13 for more information about
changing the URL.
For example, enter the following command:
hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg
Step 5 (Optional) To assign the context to a resource class, enter the following command:
hostname(config-ctx)# member class_name
If you do not specify a class, the context belongs to the default class. You can only assign a context to
one resource class.
For example, to assign the context to the gold class, enter the following command:
hostname(config-ctx)# member gold
Step 6 To view context information, see the show context command in the Cisco Security Appliance Command
Reference.
The following example sets the admin context to be “administrator,” creates a context called
“administrator” on the internal Flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)# context test
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver
Automatically Assigning MAC Addresses to Context Interfaces
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context
interface. The MAC address is used to classify packets within a context. If you share an interface, but do
not have unique MAC addresses for the interface in each context, then the destination IP address is used
to classify packets. The destination address is matched with the context NAT configuration, and this
method has some limitations compared to the MAC address method. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for information about classifying packets.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
You can automatically assign private MAC addresses to each shared context interface by entering the
following command in the system configuration:
hostname(config)# mac-address auto
For use with failover, the security appliance generates both an active and standby MAC address for each
interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using
the active MAC addresses to minimize network disruption.
When you assign an interface to a context, the new MAC address is generated immediately. If you enable
this command after you create context interfaces, then MAC addresses are generated for all interfaces
immediately after you enter the command. If you use the no mac-address auto command, the MAC
address for each interface reverts to the default MAC address. For example, subinterfaces of
GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
The MAC address is generated using the following format:
• Active unit MAC address: 12_slot.port_subid.contextid.
• Standby unit MAC address: 02_slot.port_subid.contextid.
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an
internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context,
viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in
the context with the ID 1 has the following generated MAC addresses, where the internal ID for
subinterface 200 is 31:
• Active: 1200.0131.0001
• Standby: 0200.0131.0001
In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context. See the
“Configuring the Interface” section on page 7-2 to manually set the MAC address.
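As an added example (not Cisco's code) of the generated-address format above, a Python encoder and decoder for auto-generated MAC addresses; it assumes each field is written as zero-padded decimal digits, which reproduces the page's worked example but is not stated by the page.

```python
"""Added example (not Cisco's code): build and decode the MAC addresses that
`mac-address auto` generates, in the format the page gives:
active 12_slot.port_subid.contextid, standby 02_slot.port_subid.contextid.
Assumption of this model: each field is written as zero-padded decimal digits
(slot and port two digits, subid two, contextid four), which reproduces the
page's example 1200.0131.0001 / 0200.0131.0001 for slot 0, port 1, subid 31,
context ID 1."""
import re

ACTIVE_PREFIX, STANDBY_PREFIX = "12", "02"
AUTO_MAC = re.compile(r"^(12|02)(\d{2})\.(\d{2})(\d{2})\.(\d{4})$")


def auto_mac(slot, port, subid, contextid, standby=False):
    """Generated MAC in Cisco dotted notation for one context interface."""
    if not (0 <= slot <= 99 and 0 <= port <= 99
            and 0 <= subid <= 99 and 0 <= contextid <= 9999):
        raise ValueError("field does not fit the fixed-width format")
    prefix = STANDBY_PREFIX if standby else ACTIVE_PREFIX
    return f"{prefix}{slot:02d}.{port:02d}{subid:02d}.{contextid:04d}"


def decode_auto_mac(mac):
    """Inverse: map a MAC seen in `show interface` or on the wire back to
    (role, slot, port, subid, context ID), which tells you which context's
    interface emitted a frame. Returns None for a MAC that does not follow
    the auto format (burned-in, or manually set within the context)."""
    m = AUTO_MAC.match(mac.strip().lower())
    if not m:
        return None
    return {"role": "active" if m.group(1) == ACTIVE_PREFIX else "standby",
            "slot": int(m.group(2)), "port": int(m.group(3)),
            "subid": int(m.group(4)), "contextid": int(m.group(5))}
```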
Changing Between Contexts and the System Execution Space
If you log in to the system execution space (or the admin context using Telnet or SSH), you can change
between contexts and perform configuration and monitoring tasks within each context. The running
configuration that you edit in a configuration mode, or that is used in the copy or write commands,
depends on your location. When you are in the system execution space, the running configuration
consists only of the system configuration; when you are in a context, the running configuration consists
only of that context. For example, you cannot view all running configurations (system plus all contexts)
by entering the show running-config command. Only the current configuration displays.
To change between the system execution space and a context, or between contexts, see the following
commands:
• To change to a context, enter the following command:
hostname# changeto context name
The prompt changes to the following:
hostname/name#
• To change to the system execution space, enter the following command:
hostname/admin# changeto system
The prompt changes to the following:
hostname#
Managing Security Contexts
This section describes how to manage security contexts, and includes the following topics:
• Removing a Security Context, page 6-12
• Changing the Admin Context, page 6-13
• Changing the Security Context URL, page 6-13
• Reloading a Security Context, page 6-14
• Monitoring Security Contexts, page 6-15
Removing a Security Context
You can only remove a context by editing the system configuration. You cannot remove the current
admin context, unless you remove all contexts using the clear context command.
Note If you use failover, there is a delay between when you remove the context on the active unit and when
the context is removed on the standby unit. You might see an error message indicating that the number
of interfaces on the active and standby units are not consistent; this error is temporary and can be
ignored.
Use the following commands for removing contexts:
• To remove a single context, enter the following command in the system execution space:
hostname(config)# no context name
All context commands are also removed.
• To remove all contexts (including the admin context), enter the following command in the system
execution space:
hostname(config)# clear context
Changing the Admin Context
The system configuration does not include any network interfaces or network settings for itself; rather,
when the system needs to access network resources (such as downloading the contexts from the server),
it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users.
You can set any context to be the admin context, as long as the configuration file is stored in the internal
Flash memory. To set the admin context, enter the following command in the system execution space:
hostname(config)# admin-context context_name
Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin
context are terminated. You must reconnect to the new admin context.
Note A few system commands, including ntp server, identify an interface name that belongs to the admin
context. If you change the admin context, and that interface name does not exist in the new admin
context, be sure to update any system commands that refer to the interface.
Changing the Security Context URL
You cannot change the security context URL without reloading the configuration from the new URL.
The security appliance merges the new configuration with the current running configuration. Reentering
the same URL also merges the saved configuration with the running configuration. A merge adds any
new commands from the new configuration to the running configuration. If the configurations are the
same, no changes occur. If commands conflict or if commands affect the running of the context, then the
effect of the merge depends on the command. You might get errors, or you might have unexpected
results. If the running configuration is blank (for example, if the server was unavailable and the
configuration was never downloaded), then the new configuration is used. If you do not want to merge
the configurations, you can clear the running configuration, which disrupts any communications through
the context, and then reload the configuration from the new URL.
To change the URL for a context, perform the following steps:
Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by
entering the following commands. If you want to perform a merge, skip to Step 2.
hostname# changeto context name
hostname/name# configure terminal
hostname/name(config)# clear configure all
Step 2 If required, change to the system execution space by entering the following command:
hostname/name(config)# changeto system
Step 3 To enter the context configuration mode for the context you want to change, enter the following
command:
hostname(config)# context name
Step 4 To enter the new URL, enter the following command:
hostname(config)# config-url new_url
The system immediately loads the context so that it is running.
Reloading a Security Context
You can reload the context in two ways:
• Clear the running configuration and then import the startup configuration.
This action clears most attributes associated with the context, such as connections and NAT tables.
• Remove the context from the system configuration.
This action clears additional attributes, such as memory allocation, which might be useful for
troubleshooting. However, to add the context back to the system requires you to respecify the URL
and interfaces.
This section includes the following topics:
• Reloading by Clearing the Configuration, page 6-14
• Reloading by Removing and Re-adding the Context, page 6-15
Reloading by Clearing the Configuration
To reload the context by clearing the context configuration, and reloading the configuration from the
URL, perform the following steps:
Step 1 To change to the context that you want to reload, enter the following command:
hostname# changeto context name
Step 2 To access configuration mode, enter the following command:
hostname/name# configure terminal
Step 3 To clear the running configuration, enter the following command:
hostname/name(config)# clear configure all
This command clears all connections.
Step 4 To reload the configuration, enter the following command:
hostname/name(config)# copy startup-config running-config
The security appliance copies the configuration from the URL specified in the system configuration. You
cannot change the URL from within a context.
Reloading by Removing and Re-adding the Context
To reload the context by removing the context and then re-adding it, perform the steps in the following
sections:
1. “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11
2. “Configuring a Security Context” section on page 6-7
Monitoring Security Contexts
This section describes how to view and monitor context information, and includes the following topics:
• Viewing Context Information, page 6-15
• Viewing Resource Allocation, page 6-16
• Viewing Resource Usage, page 6-19
• Monitoring SYN Attacks in Contexts, page 6-20
Viewing Context Information
From the system execution space, you can view a list of contexts including the name, allocated
interfaces, and configuration file URL.
From the system execution space, view all contexts by entering the following command:
hostname# show context [name | detail| count]
The detail option shows additional information. See the sample displays below for more information.
If you want to show information for a particular context, specify the name.
The count option shows the total number of contexts.
The following is sample output from the show context command. The following sample display shows
three contexts:
hostname# show context
Context Name      Interfaces                URL
*admin            GigabitEthernet0/1.100    disk0:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200    disk0:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300    disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3
Table 6-2 shows each field description.
Table 6-2 show context Fields
Field Description
Context Name Lists all context names. The context name with the asterisk (*) is the admin context.
Interfaces The interfaces assigned to the context.
URL The URL from which the security appliance loads the context configuration.
The following is sample output from the show context detail command:
hostname# show context detail
Context "admin", has been created, but initial ACL rules not complete
Config URL: disk0:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Flags: 0x00000013, ID: 1
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Flags: 0x00000011, ID: 2
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,
GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258
See the Cisco Security Appliance Command Reference for more information about the detail output.
The following is sample output from the show context count command:
hostname# show context count
Total active contexts: 2
Viewing Resource Allocation
From the system execution space, you can view the allocation for each resource across all classes and
class members.
To view the resource allocation, enter the following command:
hostname# show resource allocation [detail]
This command shows the resource allocation, but does not show the actual resources being used. See the
“Viewing Resource Usage” section on page 6-19 for more information about actual resource usage.
The detail argument shows additional information. See the following sample displays for more
information.
The following sample display shows the total allocation of each resource as an absolute value and as a
percentage of the available system resources:
hostname# show resource allocation
Resource              Total       % of Avail
Conns [rate]          35000       N/A
Inspects [rate]       35000       N/A
Syslogs [rate]        10500       N/A
Conns                 305000      30.50%
Hosts                 78842       N/A
SSH                   35          35.00%
Telnet                35          35.00%
Xlates                91749       N/A
All                   unlimited
Table 6-3 shows each field description.
Table 6-3    show resource allocation Fields
Field         Description
Resource      The name of the resource that you can limit.
Total         The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display.
% of Avail    The percentage of the total system resources that is allocated across all contexts, if the resource has a hard system limit. If a resource does not have a system limit, this column shows N/A.
The following is sample output from the show resource allocation detail command:
hostname# show resource allocation detail
Resource Origin:
        A    Value was derived from the resource 'all'
        C    Value set in the definition of this class
        D    Value set in default class
Resource         Class     Mmbrs  Origin  Limit      Total    Total %
Conns [rate]     default   all    CA      unlimited
                 gold      1      C       34000      34000    N/A
                 silver    1      CA      17000      17000    N/A
                 bronze    0      CA      8500
                 All Contexts:  3                    51000    N/A
Inspects [rate]  default   all    CA      unlimited
                 gold      1      DA      unlimited
                 silver    1      CA      10000      10000    N/A
                 bronze    0      CA      5000
                 All Contexts:  3                    10000    N/A
Syslogs [rate]   default   all    CA      unlimited
                 gold      1      C       6000       6000     N/A
                 silver    1      CA      3000       3000     N/A
                 bronze    0      CA      1500
                 All Contexts:  3                    9000     N/A
Conns            default   all    CA      unlimited
                 gold      1      C       200000     200000   20.00%
                 silver    1      CA      100000     100000   10.00%
                 bronze    0      CA      50000
                 All Contexts:  3                    300000   30.00%
Hosts            default   all    CA      unlimited
                 gold      1      DA      unlimited
                 silver    1      CA      26214      26214    N/A
                 bronze    0      CA      13107
                 All Contexts:  3                    26214    N/A
SSH              default   all    C       5
                 gold      1      D       5          5        5.00%
                 silver    1      CA      10         10       10.00%
                 bronze    0      CA      5
                 All Contexts:  3                    20       20.00%
Telnet           default   all    C       5
                 gold      1      D       5          5        5.00%
                 silver    1      CA      10         10       10.00%
                 bronze    0      CA      5
                 All Contexts:  3                    20       20.00%
Xlates           default   all    CA      unlimited
                 gold      1      DA      unlimited
                 silver    1      CA      23040      23040    N/A
                 bronze    0      CA      11520
                 All Contexts:  3                    23040    N/A
mac-addresses    default   all    C       65535
                 gold      1      D       65535      65535    100.00%
                 silver    1      CA      6553       6553     9.99%
                 bronze    0      CA      3276
                 All Contexts:  3                    137623   209.99%
Table 6-4 shows each field description.
Table 6-4    show resource allocation detail Fields
Field         Description
Resource      The name of the resource that you can limit.
Class         The name of each class, including the default class. The All contexts field shows the total values across all classes.
Mmbrs         The number of contexts assigned to each class.
Origin        The origin of the resource limit, as follows:
              • A—You set this limit with the all option, instead of as an individual resource.
              • C—This limit is derived from the member class.
              • D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be “C” instead of “D.”
              The security appliance can combine “A” with “C” or “D.”
Limit         The limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display.
Total         The total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank.
% of Avail    The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.
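The following added example (not from this guide) reproduces how the Total and % of Avail columns of show resource allocation detail are derived: each context contributes the per-context limit of its class, a class that does not define a limit inherits the default class value (origin D), an unlimited class contributes nothing, and the percentage is the total over the hard system limit, truncated to two decimals. It also flags a resource whose combined limits exceed the system limit, as the mac-addresses row (209.99%) does. Class limits and member counts are taken from the sample output; the assumption that the default class holds one context, and the system limits for Conns (1000000) and mac-addresses (65535) inferred from the sample's 30.00% and 100.00%, are this example's own.

```python
# Added example, not part of the Cisco guide: model the Total and % of Avail
# columns of "show resource allocation detail" and flag oversubscription.
# Class limits and member counts come from the guide's sample output.
# Assumptions: the default class holds the one context that is in none of
# gold/silver/bronze (3 members in total); the system limits for Conns
# (1000000) and mac-addresses (65535) are inferred from 30.00% and 100.00%.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Allocation:
    name: str
    system_limit: Optional[int]            # None: no hard system limit, shown as N/A
    default_limit: Optional[int]           # per-context limit of the default class; None: unlimited
    class_limits: Dict[str, Optional[int]] = field(default_factory=dict)


# Contexts per class (the Mmbrs column); "default" is the context in no explicit class.
MEMBERS = {"default": 1, "gold": 1, "silver": 1, "bronze": 0}

SSH = Allocation("SSH", 100, 5, {"silver": 10, "bronze": 5})            # gold inherits 5 (origin D)
CONNS = Allocation("Conns", 1000000, None, {"gold": 200000, "silver": 100000, "bronze": 50000})
CONNS_RATE = Allocation("Conns [rate]", None, None, {"gold": 34000, "silver": 17000, "bronze": 8500})
MAC_ADDRESSES = Allocation("mac-addresses", 65535, 65535, {"silver": 6553, "bronze": 3276})


def class_limit(alloc: Allocation, cls: str) -> Optional[int]:
    """A class that does not define the limit inherits the default class value (origin D)."""
    return alloc.class_limits.get(cls, alloc.default_limit)


def total_allocated(alloc: Allocation, members: Dict[str, int]) -> int:
    """Sum of members x per-context limit over all classes; an unlimited class adds nothing."""
    total = 0
    for cls, count in members.items():
        lim = class_limit(alloc, cls)
        if lim is not None:
            total += count * lim
    return total


def percent_of_avail(total: int, system_limit: Optional[int]) -> str:
    """Share of the system limit, truncated (not rounded) to two decimals,
    which is how the guide's sample arrives at 9.99% and 209.99%."""
    if system_limit is None:
        return "N/A"
    hundredths = total * 10000 // system_limit
    return f"{hundredths // 100}.{hundredths % 100:02d}%"


def oversubscribed(alloc: Allocation, members: Dict[str, int]) -> bool:
    """True when the combined per-context limits exceed the hard system limit."""
    return alloc.system_limit is not None and total_allocated(alloc, members) > alloc.system_limit


def report(allocs: List[Allocation], members: Dict[str, int]) -> List[Tuple[str, int, str, bool]]:
    rows = []
    for a in allocs:
        total = total_allocated(a, members)
        rows.append((a.name, total, percent_of_avail(total, a.system_limit), oversubscribed(a, members)))
    return rows


if __name__ == "__main__":
    for name, total, pct, over in report([SSH, CONNS, CONNS_RATE, MAC_ADDRESSES], MEMBERS):
        print(f"{name:15} {total:>8} {pct:>8}{'  OVERSUBSCRIBED' if over else ''}")
```

An oversubscribed resource is not an error on the appliance, but it means the per-context guarantee is only nominal: once the contexts together reach the system limit, further requests are denied regardless of what each class promised.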
Viewing Resource Usage
From the system execution space, you can view the resource usage for each context and display the
system resource usage.
From the system execution space, view the resource usage for each context by entering the following
command:
hostname# show resource usage [context context_name | top n | all | summary | system]
[resource {resource_name | all} | detail] [counter counter_name [count_threshold]]
By default, all context usage is displayed; each context is listed separately.
Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must
specify a single resource type, and not resource all, with this option.
The summary option shows all context usage combined.
The system option shows all context usage combined, but shows the system limits for resources instead
of the combined context limits.
For the resource resource_name, see Table 6-1 for available resource names. See also the show resource
type command. Specify all (the default) for all types.
The detail option shows the resource usage of all resources, including those you cannot manage. For
example, you can view the number of TCP intercepts.
The counter counter_name is one of the following keywords:
• current—Shows the active concurrent instances or the current rate of the resource.
• denied—Shows the number of instances that were denied because they exceeded the resource limit
shown in the Limit column.
• peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were
last cleared, either using the clear resource usage command or because the device rebooted.
• all—(Default) Shows all statistics.
The count_threshold sets the number above which resources are shown. The default is 1. If the usage of
the resource is below the number you set, then the resource is not shown. If you specify all for the
counter name, then the count_threshold applies to the current usage.
Note To show all resources, set the count_threshold to 0.
The following is sample output from the show resource usage context command, which shows the
resource usage for the admin context:
hostname# show resource usage context admin
Resource              Current  Peak   Limit    Denied  Context
Telnet                1        1      5        0       admin
Conns                 44       55     N/A      0       admin
Hosts                 45       56     N/A      0       admin
The following is sample output from the show resource usage summary command, which shows the
resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.
hostname# show resource usage summary
Resource              Current  Peak   Limit       Denied  Context
Syslogs [rate]        1743     2132   N/A         0       Summary
Conns                 584      763    280000(S)   0       Summary
Xlates                8526     8966   N/A         0       Summary
Hosts                 254      254    N/A         0       Summary
Conns [rate]          270      535    N/A         1704    Summary
Inspects [rate]       270      535    N/A         0       Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage summary command, which shows the
limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context,
the combined limit is 125. The system limit is only 100, so the system limit is shown.
hostname# show resource usage summary
Resource              Current  Peak   Limit    Denied  Context
Telnet                1        1      100[S]   0       Summary
SSH                   2        2      100[S]   0       Summary
Conns                 56       90     N/A      0       Summary
Hosts                 89       102    N/A      0       Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits. The
counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate
how many times the resource was denied due to the system limit, if available.
hostname# show resource usage system counter all 0
Resource              Current  Peak   Limit    Denied  Context
Telnet                0        0      100      0       System
SSH                   0        0      100      0       System
ASDM                  0        0      32       0       System
Syslogs [rate]        1        18     N/A      0       System
Conns                 0        1      280000   0       System
Xlates                0        0      N/A      0       System
Hosts                 0        2      N/A      0       System
Conns [rate]          1        1      N/A      0       System
Inspects [rate]       0        0      N/A      0       System
Monitoring SYN Attacks in Contexts
The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies
algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN
packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the
server SYN queue full, which prevents it from servicing connection requests. When the embryonic
connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and
generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK
back from the client, it can then authenticate the client and allow the connection to the server.
You can monitor the rate of attacks for individual contexts using the show perfmon command; you can
monitor the amount of resources being used by TCP intercept for individual contexts using the show
resource usage detail command; you can monitor the resources being used by TCP intercept for the
entire system using the show resource usage summary detail command.
The following is sample output from the show perfmon command that shows the rate of TCP intercepts
for a context called admin.
hostname/admin# show perfmon
Context:admin
PERFMON STATS:       Current      Average
Xlates                   0/s          0/s
Connections              0/s          0/s
TCP Conns                0/s          0/s
UDP Conns                0/s          0/s
URL Access               0/s          0/s
URL Server Req           0/s          0/s
WebSns Req               0/s          0/s
TCP Fixup                0/s          0/s
HTTP Fixup               0/s          0/s
FTP Fixup                0/s          0/s
AAA Authen               0/s          0/s
AAA Author               0/s          0/s
AAA Account              0/s          0/s
TCP Intercept       322779/s     322779/s
The following is sample output from the show resource usage detail command that shows the amount
of resources being used by TCP Intercept for individual contexts. (The tcp-intercepts row for the
admin context and the tcp-intercept-rate row for context c1 carry the TCP Intercept information.)
hostname(config)# show resource usage detail
Resource              Current     Peak        Limit       Denied  Context
memory                843732      847288      unlimited   0       admin
chunk:channels        14          15          unlimited   0       admin
chunk:fixup           15          15          unlimited   0       admin
chunk:hole            1           1           unlimited   0       admin
chunk:ip-users        10          10          unlimited   0       admin
chunk:list-elem       21          21          unlimited   0       admin
chunk:list-hdr        3           4           unlimited   0       admin
chunk:route           2           2           unlimited   0       admin
chunk:static          1           1           unlimited   0       admin
tcp-intercepts        328787      803610      unlimited   0       admin
np-statics            3           3           unlimited   0       admin
statics               1           1           unlimited   0       admin
ace-rules             1           1           unlimited   0       admin
console-access-rul    2           2           unlimited   0       admin
fixup-rules           14          15          unlimited   0       admin
memory                959872      960000      unlimited   0       c1
chunk:channels        15          16          unlimited   0       c1
chunk:dbgtrace        1           1           unlimited   0       c1
chunk:fixup           15          15          unlimited   0       c1
chunk:global          1           1           unlimited   0       c1
chunk:hole            2           2           unlimited   0       c1
chunk:ip-users        10          10          unlimited   0       c1
chunk:udp-ctrl-blk    1           1           unlimited   0       c1
chunk:list-elem       24          24          unlimited   0       c1
chunk:list-hdr        5           6           unlimited   0       c1
chunk:nat             1           1           unlimited   0       c1
chunk:route           2           2           unlimited   0       c1
chunk:static          1           1           unlimited   0       c1
tcp-intercept-rate    16056       16254       unlimited   0       c1
globals               1           1           unlimited   0       c1
np-statics            3           3           unlimited   0       c1
statics               1           1           unlimited   0       c1
nats                  1           1           unlimited   0       c1
ace-rules             2           2           unlimited   0       c1
console-access-rul    2           2           unlimited   0       c1
fixup-rules           14          15          unlimited   0       c1
memory                232695716   232020648   unlimited   0       system
chunk:channels        17          20          unlimited   0       system
chunk:dbgtrace        3           3           unlimited   0       system
chunk:fixup           15          15          unlimited   0       system
chunk:ip-users        4           4           unlimited   0       system
chunk:list-elem       1014        1014        unlimited   0       system
chunk:list-hdr        1           1           unlimited   0       system
chunk:route           1           1           unlimited   0       system
block:16384           510         885         unlimited   0       system
block:2048            32          34          unlimited   0       system
The following sample output shows the resources being used by TCP Intercept for the entire system.
(The tcp-intercept-rate row carries the TCP Intercept information.)
hostname(config)# show resource usage summary detail
Resource              Current     Peak        Limit       Denied  Context
memory                238421312   238434336   unlimited   0       Summary
chunk:channels        46          48          unlimited   0       Summary
chunk:dbgtrace        4           4           unlimited   0       Summary
chunk:fixup           45          45          unlimited   0       Summary
chunk:global          1           1           unlimited   0       Summary
chunk:hole            3           3           unlimited   0       Summary
chunk:ip-users        24          24          unlimited   0       Summary
chunk:udp-ctrl-blk    1           1           unlimited   0       Summary
chunk:list-elem       1059        1059        unlimited   0       Summary
chunk:list-hdr        10          11          unlimited   0       Summary
chunk:nat             1           1           unlimited   0       Summary
chunk:route           5           5           unlimited   0       Summary
chunk:static          2           2           unlimited   0       Summary
block:16384           510         885         unlimited   0       Summary
block:2048            32          35          unlimited   0       Summary
tcp-intercept-rate    341306      811579      unlimited   0       Summary
globals               1           1           unlimited   0       Summary
np-statics            6           6           unlimited   0       Summary
statics               2           2           N/A         0       Summary
nats                  1           1           N/A         0       Summary
ace-rules             3           3           N/A         0       Summary
console-access-rul    4           4           N/A         0       Summary
fixup-rules           43          44          N/A         0       Summary
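The following added example (not from this guide) parses show resource usage output of the kind shown in this section and in the preceding "Viewing Resource Usage" section, and raises the three conditions the text describes: a non-zero Denied counter, a Limit marked (S) or [S] because the combined context limits exceed the system limit, and a high tcp-intercepts or tcp-intercept-rate value, which the guide associates with SYN attacks being absorbed by TCP Intercept. The embedded sample is constructed from rows of the guide's output; the 10000 intercept threshold and the function names are this example's assumptions.

```python
# Added example, not part of the Cisco guide: parse "show resource usage" rows
# (Resource / Current / Peak / Limit / Denied / Context) and report denied
# requests, system-capped limits and TCP Intercept activity.
# SAMPLE is constructed from rows in the guide's sample output.
import re
from dataclasses import dataclass
from typing import List, Optional

# Limit column: a number, N/A or unlimited, optionally followed by the (S) / [S] marker
# that means "combined context limits exceed the system limit; the system limit is shown".
LIMIT_RE = re.compile(r"^(\d+|N/A|unlimited)\s*([(\[]S[)\]])?$")

SAMPLE = """\
hostname# show resource usage summary
Resource              Current    Peak       Limit       Denied  Context
Syslogs [rate]        1743       2132       N/A         0       Summary
Conns                 584        763        280000(S)   0       Summary
Conns [rate]          270        535        N/A         1704    Summary
Telnet                1          1          100[S]      0       Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
hostname(config)# show resource usage summary detail
Resource              Current    Peak       Limit       Denied  Context
memory                238421312  238434336  unlimited   0       Summary
tcp-intercept-rate    341306     811579     unlimited   0       Summary
"""


@dataclass
class UsageRow:
    resource: str
    current: int
    peak: int
    limit: Optional[int]    # None for N/A or unlimited
    system_capped: bool     # limit carried the (S) / [S] marker
    denied: int
    context: str


def parse_usage(text: str) -> List[UsageRow]:
    """Resource names may contain spaces ("Conns [rate]"), so the five fixed
    columns are taken from the right and whatever precedes them is the name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        current, peak, limit_tok, denied, context = parts[-5:]
        m = LIMIT_RE.match(limit_tok)
        # Prompt, header and legend lines fail these checks and are skipped.
        if m is None or not (current.isdigit() and peak.isdigit() and denied.isdigit()):
            continue
        limit = int(m.group(1)) if m.group(1).isdigit() else None
        rows.append(UsageRow(" ".join(parts[:-5]), int(current), int(peak), limit,
                             m.group(2) is not None, int(denied), context))
    return rows


def findings(rows: List[UsageRow], intercept_threshold: int = 10000) -> List[str]:
    """One message per condition; intercept_threshold is an assumed tuning value."""
    out = []
    for r in rows:
        limit_txt = "N/A" if r.limit is None else str(r.limit)
        if r.denied > 0:
            out.append(f"{r.context}: {r.resource} denied {r.denied} times (limit {limit_txt})")
        if r.system_capped:
            out.append(f"{r.context}: combined context limits for {r.resource} exceed the "
                       f"system limit; the system limit {limit_txt} applies")
        if r.resource.startswith("tcp-intercept") and r.current >= intercept_threshold:
            out.append(f"{r.context}: TCP Intercept busy, {r.resource} current={r.current} "
                       f"peak={r.peak}; check show perfmon per context for a SYN flood")
    return out


if __name__ == "__main__":
    for message in findings(parse_usage(SAMPLE)):
        print(message)
```

Feed it the saved output of show resource usage summary followed by show resource usage summary detail; rows whose limit is N/A or unlimited are kept with limit None, so the Denied and TCP Intercept checks still apply to them. The rate rows in show resource usage are per second, so a threshold on tcp-intercept-rate is a rate, while tcp-intercepts in the per-context detail output is a count.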
Chapter 7 Configuring Interface Parameters
This chapter describes how to configure each interface and subinterface for a name, security level, and
IP address. For single context mode, the procedures in this chapter continue the interface configuration
started in Chapter 5, “Configuring Ethernet Settings and Subinterfaces.” For multiple context mode, the
procedures in Chapter 5, “Configuring Ethernet Settings and Subinterfaces,” are performed in the system
execution space, while the procedures in this chapter are performed within each security context.
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring
Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”
This chapter includes the following sections:
• Security Level Overview, page 7-1
• Configuring the Interface, page 7-2
• Allowing Communication Between Interfaces on the Same Security Level, page 7-6
Security Level Overview
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100, while the outside
network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You
can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces
on the Same Security Level” section on page 7-6 for more information.
The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
If you enable communication for same security interfaces (see the “Allowing Communication
Between Interfaces on the Same Security Level” section on page 7-6), there is an implicit permit for
interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port
exists between a pair of hosts, then only an inbound data connection is permitted through the
security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security
interface (inside) when they access hosts on a lower security interface (outside).
Without NAT control, or for same security interfaces, you can choose to use NAT between any
interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside
interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
For same security interfaces, you can configure established commands for both directions.
Configuring the Interface
By default, all physical interfaces are shut down. You must enable the physical interface before any
traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical
interface or subinterface to a context, the interfaces are enabled by default in the context. However,
before traffic can pass through the context interface, you must also enable the interface in the system
configuration. If you shut down an interface in the system execution space, then that interface is down
in all contexts that share it.
Before you can complete your configuration and allow traffic through the security appliance, you need
to configure an interface name, and for routed mode, an IP address. You should also change the security
level from the default, which is 0. If you name an interface “inside” and you do not set the security level
explicitly, then the security appliance sets the security level to 100.
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover
and state links.
For multiple context mode, follow these guidelines:
• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system
configuration.
• The system configuration only lets you configure Ethernet settings and VLANs. The exception is
for failover interfaces; do not configure failover interfaces with this procedure. See the Failover
chapter for more information.
Note If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.
To configure an interface or subinterface, perform the following steps:
Step 1 To specify the interface you want to configure, enter the following command:
hostname(config)# interface {physical_interface[.subinterface] | mapped_name}
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example,
ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example,
gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on
the 4GE SSM are assigned to slot 1. For the ASA 5550 adaptive security appliance, for maximum
throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside
interface to slot 1 and the outside interface to slot 0.
The ASA 5510 and higher adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is
specified as management0/0. You can, however, use it for through traffic if desired (see the
management-only command). In transparent firewall mode, you can use the management interface
in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the
management interface to provide management in each security context for multiple context mode.
Append the subinterface ID to the physical interface ID separated by a period (.).
In multiple context mode, enter the mapped name if one was assigned using the allocate-interface
command.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.1
Step 2 To name the interface, enter the following command:
hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by
reentering this command with a new value. Do not enter the no form, because that command causes all
commands that refer to that name to be deleted.
Step 3 To set the security level, enter the following command:
hostname(config-if)# security-level number
Where number is an integer between 0 (lowest) and 100 (highest).
Step 4 (Optional) To set an interface to management-only mode, enter the following command:
hostname(config-if)# management-only
The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called
Management 0/0, which is meant to support traffic to the security appliance. However, you can configure
any interface to be a management-only interface using the management-only command. Also, for
Management 0/0, you can disable management-only mode so the interface can pass through traffic just
like any other interface.
Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the
ASA 5510 and higher adaptive security appliance, you can use the Management 0/0
interface (either the physical interface or a subinterface) as a third interface for management
traffic. The mode is not configurable in this case and must always be management-only.
Step 5 To set the IP address, enter one of the following commands.
In routed firewall mode, you set the IP address for all interfaces. In transparent firewall mode, you do
not set the IP address for each interface, but rather for the whole security appliance or context. The
exception is for the Management 0/0 management-only interface, which does not pass through traffic.
To set the management IP address for transparent firewall mode, see the “Setting the Management IP
Address for a Transparent Firewall” section on page 8-5. To set the IP address of the Management 0/0
interface or subinterface, use one of the following commands.
To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
For failover, you must set the IP address and standby address manually; DHCP and PPPoE are not
supported.
• To set the IP address manually, enter the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
The standby keyword and address is used for failover. See Chapter 14, “Configuring Failover,” for
more information.
• To obtain an IP address from a DHCP server, enter the following command:
hostname(config-if)# ip address dhcp [setroute]
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address
dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”
Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
hostname(config-if)# mac-address mac_address [standby mac_address]
The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the
MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
For use with failover, set the standby MAC address. If the active unit fails over and the standby unit
becomes active, the new active unit starts using the active MAC addresses to minimize network
disruption, while the old active unit uses the standby address.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC
address to the interface in each context. This feature lets the security appliance easily classify packets
into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has
some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more
information. You can assign each MAC address manually, or you can automatically generate MAC
addresses for shared interfaces in contexts. See the “Automatically Assigning MAC Addresses to
Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically
generate MAC addresses, you can use the mac-address command to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want
to assign unique MAC addresses to subinterfaces. For example, your service provider might perform
access control based on the MAC address.
Step 7 To enable the interface, if it is not already enabled, enter the following command:
hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a
physical interface, you also shut down all subinterfaces. If you shut down an interface in the system
execution space, then that interface is shut down in all contexts that share it, even though the context
configurations show the interface as enabled.
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
The following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# mac-address 000C.F142.4CDE standby 020C.F142.4CDE
hostname(config-subif)# no shutdown
The following example configures interface parameters in multiple context mode for the system
configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
hostname/contextA(config-if)# no shutdown
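The following added example (not from this guide) turns Steps 1 to 7 into a small generator that checks the constraints the steps state before emitting the command block: the interface ID form type[slot/]port[.subinterface], a nameif of up to 48 characters, a security-level from 0 to 100, and MAC addresses in H.H.H form. It applies the documented default (security level 100 for an interface named "inside", otherwise 0) and always writes the level explicitly, and it models the implicit-permit rule from the Security Level Overview, including the effect of same-security-traffic permit inter-interface. The Interface record and the function names are this example's own; sample values come from the guide's single-mode examples.

```python
# Added example, not part of the Cisco guide: validate interface parameters
# against the rules stated in Steps 1 to 7, render the command block in the
# order of the guide's examples, and model the security-level permit rule.
import re
from dataclasses import dataclass
from typing import List, Optional

IFACE_RE = re.compile(r"^(ethernet|gigabitethernet|management)\d+(/\d+)?(\.\d+)?$", re.IGNORECASE)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")   # H.H.H format


@dataclass
class Interface:                           # this example's own record, not an ASA object
    ident: str                              # e.g. gigabitethernet0/1.1 or a mapped name
    nameif: str
    ip: Optional[str] = None
    mask: Optional[str] = None
    standby_ip: Optional[str] = None
    security_level: Optional[int] = None    # None: let the ASA default apply
    vlan: Optional[int] = None              # subinterfaces only
    mac: Optional[str] = None
    standby_mac: Optional[str] = None


def effective_security_level(iface: Interface) -> int:
    """Default is 0, except that an interface named "inside" gets 100 when not set explicitly."""
    if iface.security_level is not None:
        return iface.security_level
    return 100 if iface.nameif.lower() == "inside" else 0


def validate(iface: Interface) -> List[str]:
    errors = []
    if not IFACE_RE.match(iface.ident):
        errors.append(f"{iface.ident}: interface ID must be type[slot/]port[.subinterface]")
    if not 1 <= len(iface.nameif) <= 48:
        errors.append(f"{iface.ident}: nameif must be 1 to 48 characters")
    if iface.security_level is not None and not 0 <= iface.security_level <= 100:
        errors.append(f"{iface.ident}: security-level must be 0 to 100")
    for mac in (iface.mac, iface.standby_mac):
        if mac is not None and not MAC_RE.match(mac):
            errors.append(f"{iface.ident}: MAC {mac} must be in H.H.H format, e.g. 000C.F142.4CDE")
    if iface.standby_ip and not iface.ip:
        errors.append(f"{iface.ident}: a standby address requires a primary IP address")
    return errors


def render(iface: Interface) -> List[str]:
    """Commands in the order of the guide's examples; refuses to render a record
    that fails validation so a bad value never reaches the device."""
    errors = validate(iface)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"interface {iface.ident}"]
    if iface.vlan is not None:
        lines.append(f"vlan {iface.vlan}")
    lines.append(f"nameif {iface.nameif}")
    lines.append(f"security-level {effective_security_level(iface)}")   # never rely on the default
    if iface.ip:
        ip_cmd = f"ip address {iface.ip}" + (f" {iface.mask}" if iface.mask else "")
        if iface.standby_ip:
            ip_cmd += f" standby {iface.standby_ip}"
        lines.append(ip_cmd)
    if iface.mac:
        lines.append(f"mac-address {iface.mac}" + (f" standby {iface.standby_mac}" if iface.standby_mac else ""))
    lines.append("no shutdown")
    return lines


def implicitly_permitted(src_level: int, dst_level: int, same_security_inter_interface: bool = False) -> bool:
    """Higher to lower is permitted by default; equal levels only after
    "same-security-traffic permit inter-interface"; lower to higher is never implicit."""
    if src_level > dst_level:
        return True
    return src_level == dst_level and same_security_inter_interface


if __name__ == "__main__":
    dmz1 = Interface("gigabitethernet0/1.1", "dmz1", "10.1.2.1", "255.255.255.0", security_level=50,
                     vlan=101, mac="000C.F142.4CDE", standby_mac="020C.F142.4CDE")
    print("\n".join(render(dmz1)))
```

In multiple context mode the vlan command belongs to the system configuration and the rest to the context, as the guide's two multiple-mode examples show, so split the rendered lines accordingly before applying them.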
Allowing Communication Between Interfaces on the Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same security interfaces provides the following benefits:
• You can configure more than 101 communicating interfaces.
If you use different levels for each interface and do not assign any interfaces to the same security
level, you can configure only one interface per level (0 to 100).
• You want traffic to flow freely between all same security interfaces without access lists.
Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.
See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT
and same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the
following command:
hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.
Chapter 8 Configuring Basic Settings
This chapter describes how to configure basic settings on your security appliance that are typically
required for a functioning configuration. This chapter includes the following sections:
• Changing the Login Password, page 8-1
• Changing the Enable Password, page 8-1
• Setting the Hostname, page 8-2
• Setting the Domain Name, page 8-2
• Setting the Date and Time, page 8-2
• Setting the Management IP Address for a Transparent Firewall, page 8-5
Changing the Login Password
The login password is used for Telnet and SSH connections. By default, the login password is “cisco.”
To change the password, enter the following command:
hostname(config)# {passwd | password} password
You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric
and special characters. You can use any character in the password except a question mark or a space.
The password is saved in the configuration in encrypted form, so you cannot view the original password
after you enter it. Use the no password command to restore the password to the default setting.
Changing the Enable Password
The enable password lets you enter privileged EXEC mode. By default, the enable password is blank. To
change the enable password, enter the following command:
hostname(config)# enable password password
The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use
any character in the password except a question mark or a space.
This command changes the password for the highest privilege level. If you configure local command
authorization, you can set enable passwords for each privilege level from 0 to 15.
The password is saved in the configuration in encrypted form, so you cannot view the original password
after you enter it. Enter the enable password command without a password to set the password to the
default, which is blank.
Setting the Hostname
When you set a hostname for the security appliance, that name appears in the command line prompt. If
you establish sessions to multiple devices, the hostname helps you keep track of where you enter
commands. The default hostname depends on your platform.
For multiple context mode, the hostname that you set in the system execution space appears in the
command line prompt for all contexts. The hostname that you optionally set within a context does not
appear in the command line, but can be used by the banner command $(hostname) token.
To specify the hostname for the security appliance or for a context, enter the following command:
hostname(config)# hostname name
This name can be up to 63 characters. A hostname must start and end with a letter or digit, and have as
interior characters only letters, digits, or a hyphen.
This name appears in the command line prompt. For example:
hostname(config)# hostname farscape
farscape(config)#
Setting the Domain Name
The security appliance appends the domain name as a suffix to unqualified names. For example, if you
set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,”
then the security appliance qualifies the name to “jupiter.example.com.”
The default domain name is default.domain.invalid.
For multiple context mode, you can set the domain name for each context, as well as within the system
execution space.
To specify the domain name for the security appliance, enter the following command:
hostname(config)# domain-name name
For example, to set the domain as example.com, enter the following command:
hostname(config)# domain-name example.com
Setting the Date and Time
This section describes how to set the date and time, either manually or dynamically using an NTP server.
Time derived from an NTP server overrides any time set manually. This section also describes how to
set the time zone and daylight saving time date range.
Note In multiple context mode, set the time in the system configuration only.
This section includes the following topics:
• Setting the Time Zone and Daylight Saving Time Date Range, page 8-3
• Setting the Date and Time Using an NTP Server, page 8-4
• Setting the Date and Time Manually, page 8-5
Setting the Time Zone and Daylight Saving Time Date Range
By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first
Sunday in April to 2:00 a.m. on the last Sunday in October. To change the time zone and daylight saving
time date range, perform the following steps:
Step 1 To set the time zone, enter the following command in global configuration mode:
hostname(config)# clock timezone zone [-]hours [minutes]
Where zone specifies the time zone as a string, for example, PST for Pacific Standard Time.
The [-]hours value sets the number of hours of offset from UTC. For example, PST is -8 hours.
The minutes value sets the number of minutes of offset from UTC.
Step 2 To change the date range for daylight saving time from the default, enter one of the following commands.
The default recurring date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last
Sunday in October.
• To set the start and end dates for daylight saving time as a specific date in a specific year, enter the
following command:
hostname(config)# clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
If you use this command, you need to reset the dates every year.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The day value sets the day of the month, from 1 to 31. The month value sets the month as a string. You
can enter the day and month as April 1 or as 1 April, for example, depending on your standard date format.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default,
the value is 60 minutes.
• To specify the start and end dates for daylight saving time, in the form of a day and time of the
month, and not a specific date in a year, enter the following command.
hostname(config)# clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
This command lets you set a recurring date range that you do not need to alter yearly.
The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time.
The week value specifies the week of the month as an integer between 1 and 4 or as the words first
or last. For example, if the day might fall in the partial fifth week, then specify last.
The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and so on.
The month value sets the month as a string.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default,
the value is 60 minutes.
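The following Python model, added here and not part of the guide, resolves the recurring range syntax above (week as 1 to 4, first or last; weekday; month; hh:mm) and applies the time zone and daylight saving offsets to a UTC instant; the function names, and the convention that the start is read in standard time and the end in daylight time, are assumptions.

```python
import calendar
from datetime import datetime, timedelta

# Hypothetical helper tables; these are not ASA commands or names.
WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}          # Monday=0 ... Sunday=6
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}   # January=1 ...

# Default recurring range stated in the guide: first Sunday in April 2:00 to last Sunday in October 2:00
DEFAULT_START = ("first", "Sunday", "April", "2:00")
DEFAULT_END = ("last", "Sunday", "October", "2:00")


def nth_weekday(year, month, weekday, week):
    """Day of month for the given weekday. week is 1-4 or the words first/last;
    'last' picks the final occurrence, which may fall in a partial fifth week."""
    wanted = WEEKDAYS[weekday]
    days_in_month = calendar.monthrange(year, month)[1]
    days = [d for d in range(1, days_in_month + 1) if calendar.weekday(year, month, d) == wanted]
    if week == "last":
        return days[-1]
    index = 1 if week == "first" else int(week)
    if not 1 <= index <= 4:
        raise ValueError("week must be 1-4, first or last")
    return days[index - 1]


def dst_window(year, start=DEFAULT_START, end=DEFAULT_END):
    """Resolve the two (week, weekday, month, 'hh:mm') specs of
    'clock summer-time zone recurring' into datetimes for one year."""
    def resolve(spec):
        week, weekday, month, hhmm = spec
        hour, minute = (int(x) for x in hhmm.split(":"))
        m = MONTHS[month]
        return datetime(year, m, nth_weekday(year, m, weekday, week), hour, minute)
    return resolve(start), resolve(end)


def local_time(utc_iso, tz_hours, tz_minutes=0, start=DEFAULT_START, end=DEFAULT_END, offset=60):
    """Apply 'clock timezone zone [-]hours [minutes]' and the DST offset (minutes) to a UTC
    instant given as an ISO string. Returns ('YYYY-MM-DD HH:MM', dst_active). Assumption:
    the start boundary is standard time and the end boundary is daylight time."""
    utc = datetime.fromisoformat(utc_iso)
    sign = -1 if tz_hours < 0 else 1                      # the sign covers hours and minutes
    standard = utc + timedelta(minutes=sign * (abs(tz_hours) * 60 + tz_minutes))
    dst_start, dst_end = dst_window(standard.year, start, end)
    daylight = standard + timedelta(minutes=offset)
    if standard >= dst_start and daylight < dst_end:
        return daylight.strftime("%Y-%m-%d %H:%M"), True
    return standard.strftime("%Y-%m-%d %H:%M"), False
```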
Setting the Date and Time Using an NTP Server
To obtain the date and time from an NTP server, perform the following steps:
Step 1 To configure authentication with an NTP server, perform the following steps:
a. To enable authentication, enter the following command:
hostname(config)# ntp authenticate
b. To specify an authentication key ID to be a trusted key, which is required for authentication with an
NTP server, enter the following command:
hostname(config)# ntp trusted-key key_id
Where the key_id is between 1 and 4294967295. You can enter multiple trusted keys for use with
multiple servers.
c. To set a key to authenticate with an NTP server, enter the following command:
hostname(config)# ntp authentication-key key_id md5 key
Where key_id is the ID you set in Step 1b using the ntp trusted-key command, and key is a string
up to 32 characters in length.
Step 2 To identify an NTP server, enter the following command:
hostname(config)# ntp server ip_address [key key_id] [source interface_name] [prefer]
Where the key_id is the ID you set in Step 1b using the ntp trusted-key command.
The source interface_name identifies the outgoing interface for NTP packets if you do not want to use
the default interface in the routing table. Because the system does not include any interfaces in multiple
context mode, specify an interface name defined in the admin context.
The prefer keyword sets this NTP server as the preferred server if multiple servers have similar
accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that
one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use.
However, if a server is significantly more accurate than the preferred one, the security appliance uses the
more accurate one. For example, the security appliance uses a server of stratum 2 over a server of
stratum 3 that is preferred.
You can identify multiple servers; the security appliance uses the most accurate server.
Note SNTP is not supported; only NTP is supported.
Setting the Date and Time Manually
To set the date and time manually, enter the following command:
hostname# clock set hh:mm:ss {month day | day month} year
Where hh:mm:ss sets the hour, minutes, and seconds in 24-hour time. For example, set 20:54:00 for 8:54 pm.
The day value sets the day of the month, from 1 to 31. The month value sets the month. Depending on your
standard date format, you can enter the day and month as april 1 or as 1 april.
The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035.
The default time zone is UTC. If you change the time zone after you enter the clock set command using
the clock timezone command, the time automatically adjusts to the new time zone.
This command sets the time in the hardware chip and does not save the time in the configuration file.
The time persists across reboots. Unlike the other clock commands, this command is a privileged EXEC
command. To reset the clock, enter a new time with the clock set command.
Setting the Management IP Address for a Transparent Firewall
Transparent firewall mode only
A transparent firewall does not participate in IP routing. The only IP configuration required for the
security appliance is to set the management IP address. This address is required because the security
appliance uses this address as the source address for traffic originating on the security appliance, such
as system messages or communications with AAA servers. You can also use this address for remote
management access.
For multiple context mode, set the management IP address within each context.
To set the management IP address, enter the following command:
hostname(config)# ip address ip_address [mask] [standby ip_address]
This address must be on the same subnet as the upstream and downstream routers. You cannot set the
subnet to a host subnet (255.255.255.255). This address must be IPv4; the transparent firewall does not
support IPv6.
The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more
information.
Chapter 9
Configuring IP Routing
This chapter describes how to configure IP routing on the security appliance. This chapter includes the
following sections:
• How Routing Behaves Within the ASA Security Appliance, page 9-1
• Configuring Static and Default Routes, page 9-2
• Defining Route Maps, page 9-7
• Configuring OSPF, page 9-8
• Configuring RIP, page 9-20
• The Routing Table, page 9-24
• Dynamic Routing and Failover, page 9-26
How Routing Behaves Within the ASA Security Appliance
The ASA security appliance uses both the routing table and the XLATE table for routing decisions. To handle
destination IP translated traffic, that is, traffic whose destination address must be untranslated, the ASA
searches for an existing XLATE or a static translation to select the egress interface. The selection process
is as follows:
Egress Interface Selection Process
1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined
from the XLATE table, not from the routing table.
2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then the
egress interface is determined from the static route, an XLATE is created, and the routing table is not
used.
3. If a destination IP translating XLATE does not exist and no matching static translation exists, the
packet is not destination IP translated. The security appliance processes this packet by looking up
the route to select the egress interface, and then source IP translation is performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the routing table and
the XLATE is then created. Incoming return packets are forwarded using the existing XLATE only. For
static NAT, destination translated incoming packets are always forwarded using the existing XLATE or
static translation rules.
Next Hop Selection Process
After the egress interface is selected using any of the methods described above, an additional route lookup
is performed to find a suitable next hop (or next hops) that belongs to the previously selected egress
interface. If there are no routes in the routing table that explicitly belong to the selected interface, the
packet is dropped with the level 6 error message 110001 "no route to host", even if there is another route
for the given destination network that belongs to a different egress interface. If a route that belongs to
the selected egress interface is found, the packet is forwarded to the corresponding next hop.
Load sharing on the security appliance is possible only for multiple next hops available through a single
egress interface. Load sharing cannot be spread across multiple egress interfaces.
If dynamic routing is in use on the security appliance and the routing table changes after XLATE creation,
for example because of a route flap, then destination translated traffic is still forwarded using the old
XLATE, not the routing table, until the XLATE times out. It may be either forwarded to the wrong interface
or dropped with message 110001 "no route to host" if the old route was removed from the old interface and
attached to another one by the routing process.
The same problem may happen when there are no route flaps on the security appliance itself, but some
routing process is flapping around it, sending source translated packets that belong to the same flow
through the security appliance using different interfaces. Destination translated return packets may be
forwarded back using the wrong egress interface.
This issue has a high probability in a same-security-traffic configuration, where virtually any traffic may
be either source-translated or destination-translated, depending on the direction of the initial packet in
the flow.
When this issue occurs after a route flap, it can be resolved manually by using the clear xlate
command, or automatically resolved by an XLATE timeout. The XLATE timeout may be decreased if
necessary. To ensure that this rarely happens, make sure that there are no route flaps on the security
appliance or around it. That is, ensure that destination translated packets that belong to the same flow
are always forwarded the same way through the security appliance.
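The following Python model, added here and not Cisco code, walks a packet through the egress interface and next-hop selection steps above, including the stale-XLATE case after a route flap; the interfaces, addresses and NAT entries are constructed, and the class and method names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

NO_ROUTE = 'dropped: level 6 message 110001 "no route to host"'


@dataclass
class Route:
    network: IPv4Network
    interface: str
    next_hop: str


@dataclass
class StaticNat:
    """Static translation: mapped (global) address <-> real address behind real_interface."""
    mapped: IPv4Address
    real: IPv4Address
    real_interface: str


@dataclass
class Xlate:
    """Destination-translating XLATE; its egress interface was fixed when it was created."""
    mapped: IPv4Address
    real: IPv4Address
    egress_interface: str


@dataclass
class Appliance:
    routes: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    xlates: list = field(default_factory=list)

    def longest_match(self, addr, interface=None):
        """Routing table lookup, optionally restricted to routes on one interface."""
        cands = [r for r in self.routes
                 if addr in r.network and (interface is None or r.interface == interface)]
        return max(cands, key=lambda r: r.network.prefixlen, default=None)

    def select_egress(self, dst):
        """Egress Interface Selection Process, steps 1-3.
        Returns (egress interface, destination to route after untranslation, how)."""
        for x in self.xlates:                       # 1. existing XLATE wins; routing table unused
            if x.mapped == dst:
                return x.egress_interface, x.real, "xlate"
        for s in self.statics:                      # 2. static translation: XLATE is created
            if s.mapped == dst:
                self.xlates.append(Xlate(s.mapped, s.real, s.real_interface))
                return s.real_interface, s.real, "static"
        route = self.longest_match(dst)             # 3. not destination translated: route lookup
        if route is None:
            raise LookupError(NO_ROUTE)
        return route.interface, dst, "route"

    def forward(self, dst):
        """Next Hop Selection Process: a second lookup limited to the chosen egress interface.
        A route for the destination on some other interface does not save the packet."""
        egress, lookup_dst, how = self.select_egress(IPv4Address(dst))
        route = self.longest_match(lookup_dst, interface=egress)
        if route is None:
            raise LookupError(NO_ROUTE)
        return egress, route.next_hop, how

    def outbound(self, src, dst, mapped):
        """Dynamic outbound NAT: route the initial packet, then create the XLATE that the
        return packets (destination = mapped address) are forwarded with."""
        egress, next_hop, _ = self.forward(dst)
        real_route = self.longest_match(IPv4Address(src))    # interface the real host sits behind
        self.xlates.append(Xlate(IPv4Address(mapped), IPv4Address(src), real_route.interface))
        return egress, next_hop

    def clear_xlate(self):
        """Equivalent of the clear xlate command (or of the XLATE timeout)."""
        self.xlates.clear()


def demo():
    """Constructed scenario ending with the route-flap failure the text describes."""
    asa = Appliance(
        routes=[Route(IPv4Network("10.1.1.0/24"), "inside", "10.1.2.45"),
                Route(IPv4Network("0.0.0.0/0"), "outside", "192.168.1.1")],
        statics=[StaticNat(IPv4Address("192.168.1.50"), IPv4Address("10.1.1.50"), "inside")])
    results = {}
    results["static"] = asa.forward("192.168.1.50")      # step 2, XLATE created
    results["xlate"] = asa.forward("192.168.1.50")       # step 1, same flow hits the XLATE
    results["route"] = asa.forward("8.8.8.8")            # step 3, plain route lookup
    results["outbound"] = asa.outbound("10.1.1.77", "8.8.8.8", "192.168.1.77")
    results["return"] = asa.forward("192.168.1.77")      # return packet uses the XLATE
    # Route flap: 10.1.1.0/24 is now reached via dmz, but the XLATE still says inside.
    asa.routes[0] = Route(IPv4Network("10.1.1.0/24"), "dmz", "10.1.3.1")
    try:
        asa.forward("192.168.1.77")
        results["after_flap"] = "forwarded"
    except LookupError as err:
        results["after_flap"] = str(err)
    asa.clear_xlate()                                    # manual fix; a new flow rebuilds the XLATE
    asa.outbound("10.1.1.77", "8.8.8.8", "192.168.1.77")
    results["after_clear"] = asa.forward("192.168.1.77")
    return results
```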
Configuring Static and Default Routes
This section describes how to configure static and default routes on the security appliance.
Multiple context mode does not support dynamic routing, so you must use static routes for any networks
to which the security appliance is not directly connected; for example, when there is a router between a
network and the security appliance.
You might want to use static routes in single context mode in the following cases:
• Your networks use a different router discovery protocol from RIP or OSPF.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
The simplest option is to configure a default route to send all traffic to an upstream router, relying on the
router to route the traffic for you. However, in some cases the default gateway might not be able to reach
the destination network, so you must also configure more specific static routes. For example, if the
default gateway is outside, then the default route cannot direct traffic to any inside networks that are not
directly connected to the security appliance.
In transparent firewall mode, for traffic that originates on the security appliance and is destined for a
non-directly connected network, you need to configure either a default route or static routes so the
security appliance knows out of which interface to send traffic. Traffic that originates on the security
appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server.
If you have servers that cannot all be reached through a single default route, then you must configure
static routes.
The security appliance supports up to three equal cost routes on the same interface for load balancing.
This section includes the following topics:
• Configuring a Static Route, page 9-3
• Configuring a Default Route, page 9-4
• Configuring Static Route Tracking, page 9-5
For information about configuring IPv6 static and default routes, see the “Configuring IPv6 Default and
Static Routes” section on page 12-5.
Configuring a Static Route
To add a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [distance]
The dest_ip and mask are the IP address and mask for the destination network, and the gateway_ip is the
address of the next-hop router. The addresses you specify for the static route are the addresses that are in
the packet before entering the security appliance and performing NAT.
The distance is the administrative distance for the route. The default is 1 if you do not specify a value.
Administrative distance is a parameter used to compare routes among different routing protocols. The
default administrative distance for static routes is 1, giving them precedence over routes discovered by
dynamic routing protocols but not over directly connected routes. The default administrative distance for
routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route,
the static route takes precedence. Connected routes always take precedence over static or dynamically
discovered routes.
Static routes remain in the routing table even if the specified gateway becomes unavailable. If the
specified gateway becomes unavailable, you need to remove the static route from the routing table
manually. However, static routes are removed from the routing table if the specified interface goes down.
They are reinstated when the interface comes back up.
Note If you create a static route with an administrative distance greater than the administrative distance of the
routing protocol running on the security appliance, then a route to the specified destination discovered
by the routing protocol takes precedence over the static route. The static route is used only if the
dynamically discovered route is removed from the routing table.
The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router
(10.1.2.45) connected to the inside interface:
hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1
You can define up to three equal cost routes to the same destination per interface. ECMP is not supported
across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes;
traffic is distributed among the specified gateways based on an algorithm that hashes the source and
destination IP addresses.
The following example shows static routes that are equal cost routes that direct traffic to three different
gateways on the outside interface. The security appliance distributes the traffic among the specified
gateways.
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
Configuring a Default Route
A default route identifies the gateway IP address to which the security appliance sends all IP packets for
which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as
the destination IP address. Routes that identify a specific destination take precedence over the default
route.
Note In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces
that have different metrics, the connection to the ASA firewall that is made from the higher metric
interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected.
PIX software Version 6.3 supports connections from both the higher and the lower metric interfaces.
You can define up to three equal cost default route entries per device. Defining more than one equal cost
default route entry causes the traffic sent to the default route to be distributed among the specified
gateways. When defining more than one default route, you must specify the same interface for each
entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default
route with a different interface than a previously defined default route, you receive the message
“ERROR: Cannot add route entry, possible conflict with existing routes.”
You can define a separate default route for tunneled traffic along with the standard default route. When
you create a default route with the tunneled option, all traffic from a tunnel terminating on the security
appliance that cannot be routed using learned or static routes is sent to this route. For traffic emerging
from a tunnel, this route overrides any other configured or learned default routes.
The following restrictions apply to default routes with the tunneled option:
• Do not enable unicast RPF (ip verify reverse-path) on the egress interface of a tunneled route.
Enabling uRPF on the egress interface of a tunneled route causes the session to fail.
• Do not enable TCP intercept on the egress interface of the tunneled route. Doing so causes the
session to fail.
• Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the
DNS inspect engine, or the DCE RPC inspection engine with tunneled routes. These inspection
engines ignore the tunneled route.
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is
not supported.
To define the default route, enter the following command:
hostname(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]
Tip You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example:
hostname(config)# route outside 0 0 192.168.1.1
The following example shows a security appliance configured with three equal cost default routes and a
default route for tunneled traffic. Unencrypted traffic received by the security appliance for which there
is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1,
192.168.2.2, and 192.168.2.3. Encrypted traffic received by the security appliance for which there is no
static or learned route is passed to the gateway with the IP address 192.168.2.4.
hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
hostname(config)# route outside 0 0 192.168.2.4 tunneled
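The following Python model, added here and not Cisco code, applies the rules from this section together: longest prefix, administrative distance, up to three equal-cost gateways on one interface, the tunneled default route, and the conflict error; the source/destination hash is a stand-in for the appliance's undocumented hash, and the addresses and class names are constructed.

```python
import hashlib
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

CONFLICT = "ERROR: Cannot add route entry, possible conflict with existing routes."
MAX_ECMP = 3                      # up to three equal-cost routes per destination and interface


@dataclass(frozen=True)
class Route:
    interface: str
    network: IPv4Network
    gateway: str
    distance: int = 1             # administrative distance; static default 1, OSPF 110
    source: str = "static"        # static | ospf | connected
    tunneled: bool = False        # 'route if_name 0 0 gateway_ip tunneled'


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, r):
        """Enforce the ECMP limits: one interface, at most three entries, no ECMP for tunneled."""
        peers = [p for p in self.routes if p.network == r.network and p.distance == r.distance
                 and p.source == r.source and p.tunneled == r.tunneled]
        if r.tunneled and (r.network.prefixlen != 0 or peers):
            raise ValueError(CONFLICT)
        if any(p.interface != r.interface for p in peers) or len(peers) >= MAX_ECMP:
            raise ValueError(CONFLICT)
        self.routes.append(r)

    def lookup(self, dst, from_tunnel=False):
        """Longest prefix first, then lowest administrative distance; on a tie a static route
        beats a dynamic one. Traffic from a tunnel with no specific route uses the tunneled
        default route instead of the ordinary default routes."""
        dst = IPv4Address(dst)
        matches = [r for r in self.routes if dst in r.network]
        if from_tunnel and any(r.tunneled for r in matches):
            specific = [r for r in matches if r.network.prefixlen > 0]
            matches = specific or [r for r in matches if r.tunneled]
        else:
            matches = [r for r in matches if not r.tunneled]
        if not matches:
            return []
        longest = max(r.network.prefixlen for r in matches)
        best = [r for r in matches if r.network.prefixlen == longest]
        lowest = min(r.distance for r in best)
        best = [r for r in best if r.distance == lowest]
        statics = [r for r in best if r.source == "static"]
        return statics or best

    def next_hop(self, src, dst, from_tunnel=False):
        """Equal-cost gateways are chosen by hashing source and destination (stand-in hash)."""
        routes = self.lookup(dst, from_tunnel)
        if not routes:
            raise LookupError("no route to host")
        digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
        return routes[int.from_bytes(digest[:4], "big") % len(routes)].gateway


def demo():
    """Constructed table: the guide's three ECMP defaults plus a tunneled default."""
    rt = RoutingTable()
    rt.add(Route("inside", IPv4Network("10.1.1.0/24"), "10.1.2.45"))                 # static, AD 1
    rt.add(Route("inside", IPv4Network("10.1.1.0/24"), "10.1.2.99", 110, "ospf"))    # same prefix, OSPF
    rt.add(Route("inside", IPv4Network("10.1.5.0/24"), "10.1.2.45", 120))            # floating static
    rt.add(Route("inside", IPv4Network("10.1.5.0/24"), "10.1.2.99", 110, "ospf"))
    for gw in ("192.168.2.1", "192.168.2.2", "192.168.2.3"):                         # route outside 0 0 gw
        rt.add(Route("outside", IPv4Network("0.0.0.0/0"), gw))
    rt.add(Route("outside", IPv4Network("0.0.0.0/0"), "192.168.2.4", tunneled=True))
    out = {
        "static_beats_ospf": rt.next_hop("10.2.0.9", "10.1.1.20"),
        "ospf_beats_floating": rt.next_hop("10.2.0.9", "10.1.5.20"),
        "ecmp": sorted({rt.next_hop(f"10.1.1.{i}", "8.8.8.8") for i in range(1, 80)}),
        "tunnel_default": rt.next_hop("10.9.0.1", "8.8.8.8", from_tunnel=True),
        "tunnel_specific": rt.next_hop("10.9.0.1", "10.1.1.20", from_tunnel=True),
    }
    rejected = 0
    for bad in (Route("outside", IPv4Network("0.0.0.0/0"), "192.168.2.5"),       # fourth equal-cost
                Route("dmz", IPv4Network("0.0.0.0/0"), "10.3.0.1"),              # other interface
                Route("outside", IPv4Network("0.0.0.0/0"), "192.168.2.6", tunneled=True)):
        try:
            rt.add(bad)
        except ValueError:
            rejected += 1
    out["rejected"] = rejected
    return out
```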
Configuring Static Route Tracking
One of the problems with static routes is that there is no inherent mechanism for determining if the route
is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static
routes are only removed from the routing table if the associated interface on the security appliance goes
down.
The static route tracking feature provides a method for tracking the availability of a static route and
installing a backup route if the primary route should fail. This allows you to, for example, define a
default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP
becomes unavailable.
The security appliance does this by associating a static route with a monitoring target that you define. It
monitors the target using ICMP echo requests. If an echo reply is not received within a specified time
period, the object is considered down and the associated route is removed from the routing table. A
previously configured backup route is used in place of the removed route.
When selecting a monitoring target, you need to make sure it can respond to ICMP echo requests. The
target can be any network object that you choose, but you should consider using:
• the ISP gateway (for dual ISP support) address
• the next hop gateway address (if you are concerned about the availability of the gateway)
• a server on the target network, such as a AAA server, that the security appliance needs to
communicate with
• a persistent network object on the destination network (a desktop or notebook computer that may be
shut down at night is not a good choice)
You can configure static route tracking for statically defined routes or for default routes obtained through
DHCP or PPPoE. You can enable PPPoE clients on multiple interfaces only with route tracking.
To configure static route tracking, perform the following steps:
Step 1 Configure the tracked object monitoring parameters:
a. Define the monitoring process:
hostname(config)# sla monitor sla_id
If you are configuring a new monitoring process, you are taken to SLA monitor configuration mode.
If you are changing the monitoring parameters for an unscheduled monitoring process that already
has a type defined, you are taken directly to the SLA protocol configuration mode.
b. Specify the monitoring protocol. If you are changing the monitoring parameters for an unscheduled
monitoring process that already has a type defined, you are taken directly to SLA protocol
configuration mode and cannot change this setting.
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface if_name
The target_ip is the IP address of the network object whose availability the tracking process
monitors. While this object is available, the tracked route is installed in the routing table.
When this object becomes unavailable, the tracking process removes the route and the backup route
is used in its place.
c. Schedule the monitoring process:
hostname(config)# sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
Typically, you will use sla monitor schedule sla_id life forever start-time now for the monitoring
schedule, and allow the monitoring configuration to determine how often the testing occurs. However,
you can schedule this monitoring process to begin in the future and to occur only at specified times.
Step 2 Associate a tracked static route with the SLA monitoring process by entering the following command:
hostname(config)# track track_id rtr sla_id reachability
The track_id is a tracking number you assign with this command. The sla_id is the ID number of the
SLA process you defined in Step 1.
Step 3 Define the static route to be installed in the routing table while the tracked object is reachable using one
of the following options:
• To track a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_id
You cannot use the tunneled option with the route command with static route tracking.
• To track a default route obtained through DHCP, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit
Note You must use the setroute argument with the ip address dhcp command to obtain the
default route using DHCP.
• To track a default route obtained through PPPoE, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# ip address pppoe setroute
hostname(config-if)# exit
Note You must use the setroute argument with the ip address pppoe command to obtain the
default route using PPPoE.
Step 4 Define the backup route to use when the tracked object is unavailable using one of the following options.
The administrative distance of the backup route must be greater than the administrative distance of the
tracked route. If it is not, the backup route will be installed in the routing table instead of the tracked
route.
• To use a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance]
The static route must have the same destination and mask as the tracked route. If you are tracking a
default route obtained through DHCP or PPPoE, then the address and mask would be 0.0.0.0 0.0.0.0.
• To use a default route obtained through DHCP, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# dhcp client route distance admin_distance
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit
You must use the setroute argument with the ip address dhcp command to obtain the default route
using DHCP. Make sure the administrative distance is greater than the administrative distance of the
tracked route.
• To use a default route obtained through PPPoE, enter the following commands:
hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# pppoe client route distance admin_distance
hostname(config-if)# ip address pppoe setroute
hostname(config-if)# exit
You must use the setroute argument with the ip address pppoe command to obtain the default route
using PPPoE. Make sure the administrative distance is greater than the administrative distance of
the tracked route.
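The following Python simulation, added here and not Cisco code, models the interaction between the SLA monitor, the tracked route and the backup route from Steps 1 to 4, including the administrative distance rule in Step 4; the probe timeout, IDs, addresses and function names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    gateway: str
    distance: int                     # administrative distance
    track_id: Optional[int] = None    # set for 'route ... track track_id'


@dataclass
class SlaMonitor:
    """'sla monitor sla_id' with 'type echo protocol ipIcmpEcho target_ip interface if_name',
    scheduled 'life forever start-time now'; 'track track_id rtr sla_id reachability'
    reads the reachable flag."""
    sla_id: int
    target_ip: str
    timeout_ms: int = 5000            # constructed: no echo reply within this window => down
    reachable: bool = True

    def probe(self, reply_ms: Optional[int]) -> bool:
        """reply_ms is the echo reply round trip in ms, or None when no reply arrived."""
        self.reachable = reply_ms is not None and reply_ms <= self.timeout_ms
        return self.reachable


def validate_backup(tracked: StaticRoute, backup: StaticRoute) -> None:
    """Step 4: the backup's administrative distance must exceed the tracked route's."""
    if backup.distance <= tracked.distance:
        raise ValueError(f"backup distance {backup.distance} is not greater than tracked "
                         f"distance {tracked.distance}: the backup would be installed instead")


def installed_route(tracked: StaticRoute, backup: StaticRoute, monitor: SlaMonitor) -> StaticRoute:
    """Routing table view of one destination: the tracked route is a candidate only while the
    monitored object is reachable; the lowest administrative distance is installed. On a tie
    the backup (listed first) wins, which is the misconfiguration Step 4 warns about."""
    candidates = [backup] + ([tracked] if monitor.reachable else [])
    return min(candidates, key=lambda r: r.distance)


def simulate(reply_series, backup_distance: int = 254) -> List[str]:
    """Feed echo results to the monitor and record the active default gateway after each probe."""
    primary = StaticRoute("outside", "10.1.1.1", 1, track_id=1)    # route outside 0 0 10.1.1.1 1 track 1
    backup = StaticRoute("backup", "172.16.1.1", backup_distance)  # route backup 0 0 172.16.1.1 254
    validate_backup(primary, backup)
    monitor = SlaMonitor(sla_id=123, target_ip="10.1.1.1")
    active = []
    for reply in reply_series:
        monitor.probe(reply)
        active.append(installed_route(primary, backup, monitor).gateway)
    return active


def misconfigured(reply_series) -> List[str]:
    """Same scenario with the backup at the same distance as the tracked route and the
    validation skipped: the backup is installed even while the target answers."""
    primary = StaticRoute("outside", "10.1.1.1", 1, track_id=1)
    backup = StaticRoute("backup", "172.16.1.1", 1)
    monitor = SlaMonitor(sla_id=123, target_ip="10.1.1.1")
    active = []
    for reply in reply_series:
        monitor.probe(reply)
        active.append(installed_route(primary, backup, monitor).gateway)
    return active
```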
Defining Route Maps
Route maps are used when redistributing routes into an OSPF or RIP routing process. They are also used
when generating a default route into an OSPF routing process. A route map defines which of the routes
from the specified routing protocol are allowed to be redistributed into the target routing process.
To define a route map, perform the following steps:
Step 1 To create a route map entry, enter the following command:
hostname(config)# route-map name {permit | deny} [sequence_number]
Route map entries are read in order. You can identify the order using the sequence_number option, or
the security appliance uses the order in which you add the entries.
Step 2 Enter one or more match commands:
• To match any routes that have a destination network that matches a standard ACL, enter the
following command:
hostname(config-route-map)# match ip address acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match any routes that have a specified metric, enter the following command:
hostname(config-route-map)# match metric metric_value
The metric_value can be from 0 to 4294967295.
• To match any routes that have a next hop router address that matches a standard ACL, enter the
following command:
hostname(config-route-map)# match ip next-hop acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match any routes with the specified next hop interface, enter the following command:
hostname(config-route-map)# match interface if_name
If you specify more than one interface, then the route can match either interface.
• To match any routes that have been advertised by routers that match a standard ACL, enter the
following command:
hostname(config-route-map)# match ip route-source acl_id [acl_id] [...]
If you specify more than one ACL, then the route can match any of the ACLs.
• To match the route type, enter the following command:
hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}
Step 3 Enter one or more set commands.
If a route matches the match commands, then the following set commands determine the action to
perform on the route before redistributing it.
• To set the metric, enter the following command:
hostname(config-route-map)# set metric metric_value
The metric_value can be a value between 0 and 4294967295.
• To set the metric type, enter the following command:
hostname(config-route-map)# set metric-type {type-1 | type-2}
The following example shows how to redistribute routes with a metric equal to 1 into OSPF. The
security appliance redistributes these routes as external LSAs with a metric of 5 and a metric type of Type 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
Configuring OSPF
This section describes how to configure OSPF. This section includes the following topics:
• OSPF Overview, page 9-9
• Enabling OSPF, page 9-10
• Redistributing Routes Into OSPF, page 9-10
• Configuring OSPF Interface Parameters, page 9-11
• Configuring OSPF Area Parameters, page 9-13
• Configuring OSPF NSSA, page 9-14
• Configuring Route Summarization Between OSPF Areas, page 9-15
• Configuring Route Summarization When Redistributing Routes into OSPF, page 9-16
• Defining Static OSPF Neighbors, page 9-16
• Generating a Default Route, page 9-17
• Configuring Route Calculation Timers, page 9-17
• Logging Neighbors Going Up or Down, page 9-18
• Displaying OSPF Update Packet Pacing, page 9-19
• Monitoring OSPF, page 9-19
• Restarting the OSPF Process, page 9-20
OSPF Overview
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each
router in an OSPF area contains an identical link-state database, which is a list of each of the router
usable interfaces and reachable neighbors.
The advantages of OSPF over RIP include the following:
• OSPF link-state database updates are sent less frequently than RIP updates, and the link-state
database is updated instantly rather than gradually as stale information is timed out.
• Routing decisions are based on cost, which is an indication of the overhead required to send packets
across a certain interface. The security appliance calculates the cost of an interface based on link
bandwidth rather than the number of hops to the destination. The cost can be configured to specify
preferred paths.
The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
The security appliance can run two processes of OSPF protocol simultaneously, on different sets of
interfaces. You might want to run two processes if you have interfaces that use the same IP addresses
(NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might
want to run one process on the inside, and another on the outside, and redistribute a subset of routes
between the two processes. Similarly, you might need to segregate private addresses from public
addresses.
You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP
routing process, or from static and connected routes configured on OSPF-enabled interfaces.
The security appliance supports the following OSPF features:
• Support of intra-area, interarea, and external (Type I and Type II) routes.
• Support of a virtual link.
• OSPF LSA flooding.
• Authentication to OSPF packets (both password and MD5 authentication).
• Support for configuring the security appliance as a designated router or a backup designated router.
The security appliance also can be set up as an ABR; however, the ability to configure the security
appliance as an ASBR is limited to default information only (for example, injecting a default route).
• Support for stub areas and not-so-stubby-areas.
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.
Enabling OSPF
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses
associated with the routing process, then assign area IDs associated with that range of IP addresses.
To enable OSPF, perform the following steps:
Step 1 To create an OSPF routing process, enter the following command:
hostname(config)# router ospf process_id
This command enters the router configuration mode for this OSPF process.
The process_id is an internally used identifier for this routing process. It can be any positive integer. This
ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum
of two processes.
Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the
following command:
hostname(config-router)# network ip_address mask area area_id
The following example shows how to enable OSPF:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0
Redistributing Routes Into OSPF
The security appliance can control the redistribution of routes between OSPF routing processes. The
security appliance matches and changes routes according to settings in the redistribute command or by
using a route map. See also the “Generating a Default Route” section on page 9-17 for another use for
route maps.
To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:
Step 1 (Optional) Create a route-map to further define which routes from the specified routing protocol are
redistributed in to the OSPF routing process. See the “Defining Route Maps” section on page 9-7.
Step 2 If you have not already done so, enter the router configuration mode for the OSPF process you want to
redistribute into by entering the following command:
hostname(config)# router ospf process_id
Step 3 To specify the routes you want to redistribute, enter the following command:
hostname(config-router)# redistribute {ospf process_id
[match {internal | external 1 | external 2}] | static | connected | rip}
[metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map
map_name]
The ospf process_id, static, connected, and rip keywords specify from where you want to redistribute
routes.
You can either use the options in this command to match and set route properties, or you can use a route
map. The tag and subnets options do not have equivalents in the route-map command. If you use both
a route map and options in the redistribute command, then they must match.
The following example shows route redistribution from OSPF process 1 into OSPF process 2 by
matching routes with a metric equal to 1. The security appliance redistributes these routes as external
LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# set tag 1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2
The following example shows the specified OSPF process routes being redistributed into OSPF
process 109. The OSPF metric is remapped to 100.
hostname(config)# router ospf 109
hostname(config-router)# redistribute ospf 108 metric 100 subnets
The following example shows route redistribution where the link-state cost is specified as 5 and the
metric type is set to Type 2 external. Type 2 external routes are always less preferred than intra-area,
interarea, and Type 1 external routes, regardless of their metric.
hostname(config)# router ospf 1
hostname(config-router)# redistribute ospf 2 metric 5 metric-type type-2
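The following Python model is an added example that is not part of the Cisco guide and not the security appliance's own code. It implements the route-map semantics described in the "Defining Route Maps" steps and used by the redistribute command above: entries are evaluated in sequence-number order, the first entry whose match clauses all succeed decides, a permit entry applies its set clauses and the route is redistributed as an external route, a deny entry drops the route, a route that matches no entry is dropped, and a match clause that names several ACLs succeeds if any one of them permits the route's network address. The route-map entry with sequence 10 is the guide's "1-to-2" map; the ACL names, the other two entries, the sample routes and the default metric type of type-2 for redistributed routes are constructed assumptions for illustration.

```python
"""Route-map evaluation as used for OSPF redistribution (added example, not from the guide)."""
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    metric: int
    route_type: str = "internal"        # type in the source process: internal | external type-1 | external type-2
    metric_type: Optional[str] = None   # type-1 | type-2 once the route has been redistributed
    tag: int = 0


@dataclass
class StandardAcl:
    """Ordered (action, network) entries with the implicit deny at the end."""
    entries: List[Tuple[str, IPv4Network]]

    def permits(self, address: IPv4Address) -> bool:
        for action, network in self.entries:
            if address in network:
                return action == "permit"
        return False


@dataclass
class RouteMapEntry:
    seq: int
    action: str                                   # permit | deny
    match_metric: Optional[int] = None            # match metric metric_value
    match_address_acls: List[str] = field(default_factory=list)   # match ip address acl_id [acl_id] ...
    match_route_type: Optional[str] = None        # match route-type ...
    set_metric: Optional[int] = None
    set_metric_type: Optional[str] = None
    set_tag: Optional[int] = None


def entry_matches(entry: RouteMapEntry, route: Route, acls: Dict[str, StandardAcl]) -> bool:
    """Every configured match clause must succeed; ACLs listed in one clause are OR-ed."""
    if entry.match_metric is not None and route.metric != entry.match_metric:
        return False
    if entry.match_address_acls and not any(
        acls[name].permits(route.prefix.network_address) for name in entry.match_address_acls
    ):
        return False
    if entry.match_route_type is not None and route.route_type != entry.match_route_type:
        return False
    return True


def apply_route_map(entries: List[RouteMapEntry], route: Route, acls: Dict[str, StandardAcl],
                    default_metric_type: str = "type-2") -> Optional[Route]:
    """Return the route as it will be redistributed, or None if the route map denies it."""
    for entry in sorted(entries, key=lambda e: e.seq):   # sequence number, not configuration order
        if not entry_matches(entry, route, acls):
            continue
        if entry.action == "deny":
            return None
        out = replace(route, metric_type=default_metric_type)   # assumed platform default (not on the page)
        if entry.set_metric is not None:
            out.metric = entry.set_metric
        if entry.set_metric_type is not None:
            out.metric_type = entry.set_metric_type
        if entry.set_tag is not None:
            out.tag = entry.set_tag
        return out
    return None   # no entry matched: implicit deny


def redistribute(routes: List[Route], entries: List[RouteMapEntry],
                 acls: Dict[str, StandardAcl]) -> Dict[str, Tuple[int, str, int]]:
    """Map each redistributed prefix to its (metric, metric type, tag) as it enters the target process."""
    result: Dict[str, Tuple[int, str, int]] = {}
    for route in routes:
        out = apply_route_map(entries, route, acls)
        if out is not None:
            result[str(out.prefix)] = (out.metric, out.metric_type, out.tag)
    return result


def demo() -> Dict[str, Tuple[int, str, int]]:
    # Constructed ACLs and routes; only the seq-10 entry comes from the guide's "route-map 1-to-2".
    acls = {
        "PRIVATE": StandardAcl([("permit", ip_network("192.168.0.0/16"))]),
        "SITE_A": StandardAcl([("permit", ip_network("10.0.0.0/8"))]),
        "SITE_B": StandardAcl([("permit", ip_network("172.16.0.0/12"))]),
    }
    route_map = [   # deliberately listed out of order: sequence numbers drive evaluation
        RouteMapEntry(10, "permit", match_metric=1, set_metric=5, set_metric_type="type-1", set_tag=1),
        RouteMapEntry(5, "deny", match_address_acls=["PRIVATE"]),
        RouteMapEntry(20, "permit", match_address_acls=["SITE_A", "SITE_B"],
                      match_route_type="internal", set_metric=50),
    ]
    routes = [
        Route(ip_network("10.10.0.0/16"), metric=1),                                # seq 10 permits
        Route(ip_network("10.20.0.0/16"), metric=2, route_type="external type-2"),  # nothing matches: dropped
        Route(ip_network("192.168.5.0/24"), metric=1),                              # seq 5 denies before seq 10
        Route(ip_network("172.16.0.0/12"), metric=20),                              # seq 20 via SITE_B (any ACL)
    ]
    return redistribute(routes, route_map, acls)
```

Running `demo()` shows that 192.168.5.0/24 is dropped even though it has metric 1, because the deny entry with the lower sequence number is evaluated first; that is the ordering the sequence_number option controls.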
Configuring OSPF Interface Parameters
You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any
of these parameters, but the following interface parameters must be consistent across all routers in an
attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if
you configure any of these parameters, the configurations for all routers on your network have
compatible values.
To configure OSPF interface parameters, perform the following steps:
Step 1 To enter the interface configuration mode, enter the following command:
hostname(config)# interface interface_name
Step 2 Enter any of the following commands:
• To specify the authentication type for an interface, enter the following command:
hostname(config-interface)# ospf authentication [message-digest | null]
• To assign a password to be used by neighboring OSPF routers on a network segment that is using
the OSPF simple password authentication, enter the following command:
hostname(config-interface)# ospf authentication-key key
The key can be any continuous string of characters up to 8 bytes in length.
The password created by this command is used as a key that is inserted directly into the OSPF header
when the security appliance software originates routing protocol packets. Because the key travels in
cleartext in every OSPF packet, anyone who can capture traffic on the segment can read it; use MD5
authentication (ospf authentication message-digest) wherever the neighboring routers support it. A
separate password can be assigned to each network on a per-interface basis. All neighboring routers on
the same network must have the same password to be able to exchange OSPF information.
• To explicitly specify the cost of sending a packet on an OSPF interface, enter the following
command:
hostname(config-interface)# ospf cost cost
The cost is an integer from 1 to 65535.
• To set the number of seconds that a device must wait before it declares a neighbor OSPF router down
because it has not received a hello packet, enter the following command:
hostname(config-interface)# ospf dead-interval seconds
The value must be the same for all nodes on the network.
• To specify the length of time between the hello packets that the security appliance sends on an OSPF
interface, enter the following command:
hostname(config-interface)# ospf hello-interval seconds
The value must be the same for all nodes on the network.
• To enable OSPF MD5 authentication, enter the following command:
hostname(config-interface)# ospf message-digest-key key_id md5 key
Set the following values:
– key_id—An identifier in the range from 1 to 255.
– key—Alphanumeric password of up to 16 bytes.
Usually, one key per interface is used to generate authentication information when sending packets
and to authenticate incoming packets. The same key identifier on the neighbor router must have the
same key value.
We recommend that you not keep more than one key per interface. Every time you add a new key,
you should remove the old key to prevent the local system from continuing to communicate with a
hostile system that knows the old key. Removing the old key also reduces overhead during rollover.
• To set the priority to help determine the OSPF designated router for a network, enter the following
command:
hostname(config-interface)# ospf priority number_value
The number_value is between 0 to 255.
• To specify the number of seconds between LSA retransmissions for adjacencies belonging to an
OSPF interface, enter the following command:
hostname(config-interface)# ospf retransmit-interval seconds
The seconds must be greater than the expected round-trip delay between any two routers on the
attached network. The range is from 1 to 65535 seconds. The default is 5 seconds.
• To set the estimated number of seconds required to send a link-state update packet on an OSPF
interface, enter the following command:
hostname(config-interface)# ospf transmit-delay seconds
The seconds is from 1 to 65535 seconds. The default is 1 second.
The following example shows how to configure the OSPF interfaces:
hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest
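The following Python script is an added example that is not part of the Cisco guide and not the security appliance's code. It builds a minimal OSPFv2 Hello with each of the two authentication types configured above (header layout and cryptographic authentication as in RFC 2328 Appendix D) to show what ospf authentication-key and ospf message-digest-key put on the wire: the simple password sits in cleartext in the 8-byte Authentication field of every packet, whereas MD5 authentication carries a key ID and a cryptographic sequence number in that field and appends MD5(packet || key padded to 16 bytes). The receiver side shows why the guide says to remove the old key after a rollover: a packet signed with a key ID the receiver no longer has is rejected, as is one whose sequence number goes backwards. The router ID, area, passwords and sequence numbers are constructed values.

```python
"""OSPFv2 simple password versus MD5 cryptographic authentication (added example, not from the guide)."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional, Tuple

OSPF_VERSION, HELLO = 2, 1
AU_SIMPLE, AU_CRYPTO = 1, 2
HDR_FMT = "!BBHIIHH"   # version, type, length, router ID, area ID, checksum, AuType (16 bytes)
AUTH_LEN = 8           # the Authentication field that follows the 16-byte header


def ip_bytes(dotted: str) -> bytes:
    return socket.inet_aton(dotted)


def ip_int(dotted: str) -> int:
    return struct.unpack("!I", ip_bytes(dotted))[0]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; data carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask: str = "255.255.255.0", hello_interval: int = 10,
               dead_interval: int = 40, priority: int = 1) -> bytes:
    # network mask, HelloInterval, Options (E bit), Rtr Pri, RouterDeadInterval, DR, BDR, no neighbors
    return struct.pack("!4sHBBI4s4s", ip_bytes(mask), hello_interval, 0x02, priority,
                       dead_interval, ip_bytes("0.0.0.0"), ip_bytes("0.0.0.0"))


def build_simple_auth(body: bytes, router_id: int, area_id: int, password: bytes) -> bytes:
    """AuType 1: the password (up to 8 bytes, as the guide states) is copied into the header as-is."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 bytes")
    length = 16 + AUTH_LEN + len(body)
    hdr = struct.pack(HDR_FMT, OSPF_VERSION, HELLO, length, router_id, area_id, 0, AU_SIMPLE)
    csum = inet_checksum(hdr + body)   # checksum covers the packet minus the Authentication field
    hdr = struct.pack(HDR_FMT, OSPF_VERSION, HELLO, length, router_id, area_id, csum, AU_SIMPLE)
    return hdr + password.ljust(8, b"\x00") + body


def simple_password_from_wire(packet: bytes) -> bytes:
    """Anyone who captures the segment reads the key straight out of bytes 16..23."""
    return packet[16:16 + AUTH_LEN].rstrip(b"\x00")


def build_md5_auth(body: bytes, router_id: int, area_id: int, key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2: key ID 1-255 and key up to 16 bytes (the guide's limits); digest appended after the packet."""
    if not 1 <= key_id <= 255 or len(key) > 16:
        raise ValueError("key ID is 1-255 and the key is at most 16 bytes")
    length = 16 + AUTH_LEN + len(body)   # the 16-byte digest is not counted in the packet length
    hdr = struct.pack(HDR_FMT, OSPF_VERSION, HELLO, length, router_id, area_id, 0, AU_CRYPTO)  # checksum unused
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # reserved, Key ID, Auth Data Len, cryptographic sequence number
    packet = hdr + auth + body
    digest = hashlib.md5(packet + key.ljust(16, b"\x00")).digest()   # RFC 2328 D.4.3 keyed digest (not HMAC)
    return packet + digest


def verify_md5_auth(frame: bytes, keys: Dict[int, bytes], last_seq: Optional[int]) -> Tuple[bool, str]:
    """Receiver check: known key ID, non-decreasing sequence number, matching digest."""
    length = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    if autype != AU_CRYPTO:
        return False, "not cryptographic authentication"
    packet, digest = frame[:length], frame[length:length + 16]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if auth_len != 16 or len(digest) != 16:
        return False, "malformed authentication trailer"
    key = keys.get(key_id)
    if key is None:
        return False, "no key configured for key ID %d" % key_id
    if last_seq is not None and seq < last_seq:
        return False, "cryptographic sequence number went backwards (replay)"
    expected = hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "ok"


def demo() -> dict:
    body, rid, area = hello_body(), ip_int("10.0.0.1"), 0        # constructed router ID and backbone area
    simple = build_simple_auth(body, rid, area, b"cisco")        # ospf authentication-key cisco
    keys_before = {1: b"cisco"}                                  # ospf message-digest-key 1 md5 cisco
    keys_after = {2: b"n3w-key"}                                 # after rollover, key 1 removed as the guide advises
    signed = build_md5_auth(body, rid, area, 1, b"cisco", 1001)
    return {
        "simple_checksum_ok": inet_checksum(simple[:16] + simple[24:]) == 0,
        "leaked_password": simple_password_from_wire(simple),
        "md5_ok": verify_md5_auth(signed, keys_before, last_seq=1000)[0],
        "md5_wrong_key": verify_md5_auth(build_md5_auth(body, rid, area, 1, b"guess", 1002), keys_before, 1000)[0],
        "md5_replay": verify_md5_auth(signed, keys_before, last_seq=2000)[0],
        "md5_old_key_after_rollover": verify_md5_auth(signed, keys_after, 1000)[0],
    }
```

The keyed-MD5 construction is the legacy RFC 2328 scheme, not HMAC; it still prevents a passive observer from learning the key, which the simple password scheme does not. Keeping the old key ID configured alongside the new one would make the "md5_old_key_after_rollover" case succeed, which is exactly what the guide's advice to remove the old key prevents.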
The following is sample output from the show ospf command:
hostname(config)# show ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
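The following Python audit is an added example, not part of the Cisco guide and not the security appliance's code. It reads interface blocks in the form the guide uses (an interface line followed by ospf commands) and reports the conditions a reviewer would flag from this section: interfaces that run OSPF with no authentication, interfaces whose packets carry a cleartext simple password, more than one message-digest key left on an interface after a key rollover, and keys that are configured but not enabled by the interface itself. The sample configuration is constructed; it deliberately contains the guide's own example interface, which keeps a simple key and two MD5 keys. Area-level area area-id authentication commands are not parsed, so a key that is enabled only at the area level is reported with that caveat.

```python
"""Audit OSPF interface authentication in ASA-style configuration text (added example, not from the guide)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class OspfInterface:
    name: str
    auth_mode: Optional[str] = None      # None (not set on the interface), "simple", "message-digest", "null"
    simple_key: Optional[str] = None     # ospf authentication-key
    md5_keys: Dict[int, str] = field(default_factory=dict)   # ospf message-digest-key <id> md5 <key>


MESSAGES = {
    "no-authentication": "no OSPF authentication configured on the interface",
    "keys-but-auth-not-enabled": "key(s) configured but the interface does not enable authentication; "
                                 "verify whether an area-level 'area <id> authentication' enables it",
    "authentication-disabled": "authentication explicitly disabled (ospf authentication null)",
    "cleartext-password": "simple password authentication: the key travels in cleartext in every OSPF packet",
    "simple-auth-without-key": "simple authentication enabled but no ospf authentication-key configured",
    "md5-auth-without-key": "message-digest authentication enabled but no ospf message-digest-key configured",
    "unused-simple-key": "simple password left in the configuration while MD5 is in use; remove it",
    "multiple-md5-keys": "more than one message-digest key on the interface; keep one key and remove the old one",
}


def parse_interfaces(config: str) -> List[OspfInterface]:
    """Collect the ospf authentication commands under each 'interface <name>' block."""
    interfaces: List[OspfInterface] = []
    current: Optional[OspfInterface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = OspfInterface(m.group(1))
            interfaces.append(current)
            continue
        if current is None or not line.startswith("ospf "):
            continue
        words = line.split()
        if words[1] == "authentication":
            current.auth_mode = words[2] if len(words) > 2 else "simple"   # bare keyword = simple password
        elif words[1] == "authentication-key" and len(words) == 3:
            current.simple_key = words[2]
        elif words[1] == "message-digest-key" and len(words) == 5 and words[3] == "md5":
            current.md5_keys[int(words[2])] = words[4]
        # other ospf parameters (cost, hello-interval, ...) are not relevant to this audit
    return interfaces


def audit(iface: OspfInterface) -> List[str]:
    """Return finding codes (keys of MESSAGES) for one interface."""
    codes: List[str] = []
    has_keys = bool(iface.simple_key or iface.md5_keys)
    if iface.auth_mode is None:
        codes.append("keys-but-auth-not-enabled" if has_keys else "no-authentication")
    elif iface.auth_mode == "null":
        codes.append("authentication-disabled")
    elif iface.auth_mode == "simple":
        codes.append("cleartext-password" if iface.simple_key else "simple-auth-without-key")
    elif iface.auth_mode == "message-digest":
        if not iface.md5_keys:
            codes.append("md5-auth-without-key")
        if iface.simple_key:
            codes.append("unused-simple-key")
    if len(iface.md5_keys) > 1:
        codes.append("multiple-md5-keys")
    return codes


def audit_config(config: str) -> Dict[str, List[str]]:
    return {iface.name: audit(iface) for iface in parse_interfaces(config)}


def report(config: str) -> str:
    lines = []
    for name, codes in audit_config(config).items():
        for code in codes:
            lines.append("%s: %s" % (name, MESSAGES[code]))
    return "\n".join(lines)


# Constructed sample: "inside" mirrors the guide's example interface configuration.
SAMPLE_CONFIG = """
interface inside
 ospf cost 20
 ospf hello-interval 10
 ospf dead-interval 40
 ospf authentication-key cisco
 ospf message-digest-key 1 md5 cisco
 ospf message-digest-key 2 md5 r0ll3d
 ospf authentication message-digest
interface dmz
 ospf authentication
 ospf authentication-key s3cret
interface outside
 ospf hello-interval 10
 ospf dead-interval 40
"""

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run against the running configuration (for example, the output of show running-config saved to a file) to get one line per finding. The guide's own example interface produces two findings: the simple key is still present although MD5 is in use, and two MD5 keys remain configured.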
Configuring OSPF Area Parameters
You can configure several area parameters. These area parameters (configured in the following steps)
include setting authentication, defining stub areas, and assigning specific costs to the default summary
route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default
external route generated by the ABR, into the stub area for destinations outside the autonomous system.
To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further
reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the
area stub command on the ABR to prevent it from sending summary link advertisement (LSA type 3)
into the stub area.
To specify area parameters for your network, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 Enter any of the following commands:
• To enable authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication
• To enable MD5 authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication message-digest
• To define an area to be a stub area, enter the following command:
hostname(config-router)# area area-id stub [no-summary]
• To assign a specific cost to the default summary route used for the stub area, enter the following
command:
hostname(config-router)# area area-id default-cost cost
The cost is an integer from 1 to 65535. The default is 1.
The following example shows how to configure the OSPF area parameters:
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20
Configuring OSPF NSSA
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5
external LSAs from the core into the area, but it can import autonomous system external routes in a
limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These
type 7 LSAs are translated into type 5 LSAs by NSSA ABRs, which are flooded throughout the whole
routing domain. Summarization and filtering are supported during the translation.
You can simplify administration if you are an ISP or a network administrator that must connect a central
site using OSPF to a remote site that is using a different routing protocol using NSSA.
Before the implementation of NSSA, the connection between the corporate site border router and the
remote router could not be run as an OSPF stub area because routes for the remote site could not be
redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol
such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover
the remote connection by defining the area between the corporate router and the remote router as an
NSSA.
To specify area parameters for your network as needed to configure OSPF NSSA, perform the following
steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 Enter any of the following commands:
• To define an NSSA area, enter the following command:
hostname(config-router)# area area-id nssa [no-redistribution]
[default-information-originate]
• To summarize groups of addresses, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
This command helps reduce the size of the routing table. Using this command for OSPF causes an
OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are
covered by the address.
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
In the following example, the summary address 10.1.0.0 includes the addresses 10.1.1.0, 10.1.2.0,
10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
Before you use this feature, consider these guidelines:
– You can set a type 7 default route that can be used to reach external destinations. When
configured, the router generates a type 7 default into the NSSA or the NSSA area boundary
router.
– Every router within the same area must agree that the area is NSSA; otherwise, the routers will
not be able to communicate.
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary
route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router
advertises networks in one area into another area. If the network numbers in an area are assigned in a
way such that they are contiguous, you can configure the area boundary router to advertise a summary
route that covers all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To set the address range, enter the following command:
hostname(config-router)# area area-id range ip-address mask [advertise | not-advertise]
The following example shows how to configure route summarization between OSPF areas:
hostname(config)# router ospf 1
hostname(config-router)# area 17 range 12.1.0.0 255.255.0.0
Configuring Route Summarization When Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in
an external LSA. However, you can configure the security appliance to advertise a single route for all
the redistributed routes that are covered by a specified network address and mask. This configuration
decreases the size of the OSPF link-state database.
To configure the software advertisement on one summary route for all redistributed routes covered by a
network address and mask, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To set the summary address, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.
The following example shows how to configure route summarization. The summary address 10.1.0.0
includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an
external link-state advertisement:
hostname(config)# router ospf 1
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
Defining Static OSPF Neighbors
You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast
network. This lets you send OSPF advertisements across an existing VPN connection without having to
encapsulate the advertisements in a GRE tunnel.
To define a static OSPF neighbor, perform the following tasks:
Step 1 Create a static route to the OSPF neighbor. See the “Configuring Static and Default Routes” section on
page 9-2 for more information about creating static routes.
Step 2 Define the OSPF neighbor by performing the following tasks:
a. Enter router configuration mode for the OSPF process. Enter the following command:
hostname(config)# router ospf pid
b. Define the OSPF neighbor by entering the following command:
hostname(config-router)# neighbor addr [interface if_name]
The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to
communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the
directly-connected interfaces, you must specify the interface.
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing
domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the
router automatically becomes an autonomous system boundary router. However, an autonomous system
boundary router does not by default generate a default route into the OSPF routing domain.
To generate a default route, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To force the autonomous system boundary router to generate a default route, enter the following
command:
hostname(config-router)# default-information originate [always] [metric metric-value]
[metric-type {1 | 2}] [route-map map-name]
The following example shows how to generate a default route:
hostname(config)# router ospf 2
hostname(config-router)# default-information originate always
Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts an
SPF calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure route calculation timers, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To configure the route calculation time, enter the following command:
hostname(config-router)# timers spf spf-delay spf-holdtime
The spf-delay is the delay time (in seconds) between when OSPF receives a topology change and when
it starts an SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value
of 0 means that there is no delay; that is, the SPF calculation is started immediately.
The spf-holdtime is the minimum time (in seconds) between two consecutive SPF calculations. It can be
an integer from 0 to 65535. The default time is 10 seconds. A value of 0 means that there is no delay;
that is, two SPF calculations can be done, one immediately after the other.
The following example shows how to configure route calculation timers:
hostname(config)# router ospf 1
hostname(config-router)# timers spf 10 120
Logging Neighbors Going Up or Down
By default, the system sends a system message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning
on the debug ospf adjacency command. The log-adj-changes router configuration command provides
a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you
want to see messages for each state change.
To log neighbors going up or down, perform the following steps:
Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to
configure by entering the following command:
hostname(config)# router ospf process_id
Step 2 To configure logging for neighbors going up or down, enter the following command:
hostname(config-router)# log-adj-changes [detail]
Note Logging must be enabled for the neighbor up/down messages to be sent.
The following example shows how to log neighbors up/down messages:
hostname(config)# router ospf 1
hostname(config-router)# log-adj-changes detail
Displaying OSPF Update Packet Pacing
OSPF update packets are automatically paced so they are not sent less than 33 milliseconds apart.
Without pacing, some update packets could get lost in situations where the link is slow, a neighbor could
not receive the updates quickly enough, or the router could run out of buffer space. For example, without
pacing, packets might be dropped if either of the following topologies exists:
• A fast router is connected to a slower router over a point-to-point link.
• During flooding, several neighbors send updates to a single router at the same time.
Pacing is also used between resends to increase efficiency and minimize lost retransmissions. You also
can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update
and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically.
To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified
interface, enter the following command:
hostname# show ospf flood-list if_name
Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. You
can use the information provided to determine resource utilization and solve network problems. You can
also display information about node reachability and discover the routing path that your device packets
are taking through the network.
To display various OSPF routing statistics, perform one of the following tasks, as needed:
• To display general information about OSPF routing processes, enter the following command:
hostname# show ospf [process-id [area-id]]
• To display the internal OSPF routing table entries to the ABR and ASBR, enter the following
command:
hostname# show ospf border-routers
• To display lists of information related to the OSPF database for a specific router, enter the following
command:
hostname# show ospf [process-id [area-id]] database
• To display a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing),
enter the following command:
hostname# show ospf flood-list if-name
• To display OSPF-related interface information, enter the following command:
hostname# show ospf interface [if_name]
• To display OSPF neighbor information on a per-interface basis, enter the following command:
hostname# show ospf neighbor [interface-name] [neighbor-id] [detail]
• To display a list of all LSAs requested by a router, enter the following command:
hostname# show ospf request-list neighbor if_name
• To display a list of all LSAs waiting to be resent, enter the following command:
hostname# show ospf retransmission-list neighbor if_name
• To display a list of all summary address redistribution information configured under an OSPF
process, enter the following command:
hostname# show ospf [process-id] summary-address
• To display OSPF-related virtual links information, enter the following command:
hostname# show ospf [process-id] virtual-links
Restarting the OSPF Process
To restart an OSPF process, clear redistribution, or counters, enter the following command:
hostname(config)# clear ospf pid {process | redistribution | counters
[neighbor [neighbor-interface] [neighbor-id]]}
Configuring RIP
Devices that support RIP send routing-update messages at regular intervals and when the network
topology changes. These RIP packets contain information about the networks that the devices can reach,
as well as the number of routers or gateways that a packet must travel through to reach the destination
address. RIP generates more traffic than OSPF, but is easier to configure.
RIP has advantages over static routes because the initial configuration is simple, and you do not need to
update the configuration when the topology changes. The disadvantage to RIP is that there is more
network and processing overhead than static routing.
The security appliance supports RIP Version 1 and RIP Version 2.
This section describes how to configure RIP. This section includes the following topics:
• Enabling and Configuring RIP, page 9-20
• Redistributing Routes into the RIP Routing Process, page 9-22
• Configuring RIP Send/Receive Version on an Interface, page 9-22
• Enabling RIP Authentication, page 9-23
• Monitoring RIP, page 9-23
Enabling and Configuring RIP
You can only enable one RIP routing process on the security appliance. After you enable the RIP routing
process, you must define the interfaces that will participate in that routing process using the network
command. By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and
Version 2 updates.
To enable and configure the RIP routing process, perform the following steps:
Step 1 Start the RIP routing process by entering the following command in global configuration mode:
hostname(config)# router rip
You enter router configuration mode for the RIP routing process.
Step 2 Specify the interfaces that will participate in the RIP routing process. Enter the following command for
each interface that will participate in the RIP routing process:
hostname(config-router)# network network_address
If an interface belongs to a network defined by this command, the interface will participate in the RIP
routing process. If an interface does not belong to a network defined by this command, it will not send
or receive RIP updates.
Step 3 (Optional) Specify the version of RIP used by the security appliance by entering the following command:
hostname(config-router)# version [1 | 2]
You can override this setting on a per-interface basis.
Step 4 (Optional) To generate a default route into RIP, enter the following command:
hostname(config-router)# default-information originate
Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command:
hostname(config-router)# passive-interface [default | if_name]
Using the default keyword causes all interfaces to operate in passive mode. Specifying an interface name
sets only that interface to passive RIP mode. In passive mode, RIP routing updates are accepted by but
not sent out of the specified interface. You can enter this command for each interface you want to set to
passive mode.
Step 6 (Optional) Disable automatic route summarization by entering the following command:
hostname(config-router)# no auto-summary
RIP Version 1 always uses automatic route summarization; you cannot disable it for RIP Version 1. RIP
Version 2 uses route summarization by default; you can disable it using this command.
Step 7 (Optional) To filter the networks received in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to allow in the
routing table and denying the networks you want the RIP process to discard.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to
only those updates received by that interface.
hostname(config-router)# distribute-list acl in [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an
interface name, the filter is applied to all RIP updates.
Step 8 (Optional) To filter the networks sent in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to advertise and
denying the networks you do not want the RIP process to advertise.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to
only those updates sent by that interface.
hostname(config-router)# distribute-list acl out [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an
interface name, the filter is applied to all RIP updates.
Redistributing Routes into the RIP Routing Process
You can redistribute routes from the OSPF, static, and connected routing processes into the RIP routing
process.
To redistribute routes into the RIP routing process, perform the following steps:
Step 1 (Optional) Create a route map to further define which routes from the specified routing protocol are
redistributed into the RIP routing process. See the “Defining Route Maps” section on page 9-7 for more
information about creating a route map.
Step 2 Choose one of the following options to redistribute the selected route type into the RIP routing process.
• To redistribute connected routes into the RIP routing process, enter the following command:
hostname(config-router)# redistribute connected [metric {metric_value | transparent}]
[route-map map_name]
• To redistribute static routes into the RIP routing process, enter the following command:
hostname(config-router)# redistribute static [metric {metric_value | transparent}]
[route-map map_name]
• To redistribute routes from an OSPF routing process into the RIP routing process, enter the
following command:
hostname(config-router)# redistribute ospf pid [match {internal | external [1 | 2] |
nssa-external [1 | 2]}] [metric {metric_value | transparent}] [route-map map_name]
Configuring RIP Send/Receive Version on an Interface
You can override the globally-set version of RIP the security appliance uses to send and receive RIP
updates on a per-interface basis.
To configure the RIP send and receive
Step 1 (Optional) To specify the version of RIP advertisements sent from an interface, perform the following
steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
b. Specify the version of RIP to use when sending RIP updates out of the interface by entering the
following command:
hostname(config-if)# rip send version {[1] [2]}
Step 2 (Optional) To specify the version of RIP advertisements permitted to be received by an interface,
perform the following steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
b. Specify the version of RIP to allow when receiving RIP updates on the interface by entering the
following command:
hostname(config-if)# rip receive version {[1] [2]}
RIP updates received on the interface that do not match the allowed version are dropped.
Enabling RIP Authentication
The security appliance supports RIP message authentication for RIP Version 2 messages.
To enable RIP message authentication, perform the following steps:
Step 1 Enter interface configuration mode for the interface you are configuring by entering the following
command:
hostname(config)# interface phy_if
Step 2 (Optional) Set the authentication mode by entering the following command. By default, text
authentication is used. MD5 authentication is recommended.
hostname(config-if)# rip authentication mode {text | md5}
Step 3 Enable authentication and configure the authentication key by entering the following command:
hostname(config-if)# rip authentication key key key_id key-id
Monitoring RIP
To display various RIP routing statistics, perform one of the following tasks, as needed:
• To display the contents of the RIP routing database, enter the following command:
hostname# show rip database
• To display the RIP commands in the running configuration, enter the following command:
hostname# show running-config router rip
Use the following debug commands only to troubleshoot specific problems or during troubleshooting
sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render
the system unusable. It is best to use debug commands during periods of lower network traffic and fewer
users. Debugging during these periods decreases the likelihood that increased debug command
processing overhead will affect system performance.
• To display RIP processing events, enter the following command:
hostname# debug rip events
• To display RIP database events, enter the following command:
hostname# debug rip database
The Routing Table
This section contains the following topics:
• Displaying the Routing Table, page 9-24
• How the Routing Table is Populated, page 9-24
• How Forwarding Decisions are Made, page 9-26
Displaying the Routing Table
To view the entries in the routing table, enter the following command:
hostname# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.86.194.1 to network 0.0.0.0
S 10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside
C 10.86.194.0 255.255.254.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.86.194.1, outside
On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal
loopback interface, which is used by the VPN Hardware Client feature for individual user authentication.
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
How the Routing Table is Populated
The security appliance routing table can be populated by statically defined routes, directly connected
routes, and routes discovered by the RIP and OSPF routing protocols. Because the security appliance
can run multiple routing protocols in addition to having static and connected routes in the routing table,
it is possible that the same route is discovered or entered in more than one manner. When two routes to
the same destination are put into the routing table, the one that remains in the routing table is determined
as follows:
• If the two routes have different network prefix lengths (network masks), then both routes are
considered unique and are entered into the routing table. The packet forwarding logic then
determines which of the two to use.
For example, if the RIP and OSPF processes discovered the following routes:
– RIP: 192.168.32.0/24
– OSPF: 192.168.32.0/19
Even though OSPF routes have the better administrative distance, both routes are installed in the
routing table because each of these routes has a different prefix length (subnet mask). They are
considered different destinations, and the packet forwarding logic determines which route to use.
• If the security appliance learns about multiple paths to the same destination from a single routing
protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is
entered into the routing table.
Metrics are values associated with specific routes, ranking them from most preferred to least
preferred. The parameters used to determine the metrics differ for different routing protocols. The
path with the lowest metric is selected as the optimal path and installed in the routing table. If there
are multiple paths to the same destination with equal metrics, load balancing is done on these equal
cost paths.
• If the security appliance learns about a destination from more than one routing protocol, the
administrative distances of the routes are compared, and the route with the lower administrative
distance is entered into the routing table.
Administrative distance is a route parameter that the security appliance uses to select the best path when
there are two or more different routes to the same destination from two different routing protocols.
Because the routing protocols have metrics based on algorithms that are different from the other
protocols, it is not always possible to determine the “best path” for two routes to the same destination
that were generated by different routing protocols.
Each routing protocol is prioritized using an administrative distance value. Table 9-1 shows the default
administrative distance values for the routing protocols supported by the security appliance.
The smaller the administrative distance value, the more preference is given to the protocol. For example,
if the security appliance receives a route to a certain network from both an OSPF routing process (default
administrative distance 110) and a RIP routing process (default administrative distance 120, see Table 9-1),
the security appliance chooses the OSPF route because OSPF has the higher preference. This means the
security appliance adds the OSPF version of the route to the routing table.
In the above example, if the source of the OSPF-derived route was lost (for example, due to a power
shutdown), the security appliance would then use the RIP-derived route until the OSPF-derived route
reappears.
The administrative distance is a local setting. For example, if you use the distance-ospf command to
change the administrative distance of routes obtained through OSPF, that change would only affect the
routing table for the security appliance the command was entered on. The administrative distance is not
advertised in routing updates.
Administrative distance does not affect the routing process. The OSPF and RIP routing processes only
advertise the routes that have been discovered by the routing process or redistributed into the routing
process. For example, the RIP routing process advertises RIP routes, even if routes discovered by the
OSPF routing process are used in the security appliance routing table.
Table 9-1 Default Administrative Distance for Supported Routing Protocols
Route Source         Default Administrative Distance
Connected interface  0
Static route         1
OSPF                 110
RIP                  120
Backup Routes
A backup route is registered when the initial attempt to install the route in the routing table fails because
another route was installed instead. If the route that was installed in the routing table fails, the routing
table maintenance process calls each routing protocol process that has registered a backup route and
requests them to reinstall the route in the routing table. If there are multiple protocols with registered
backup routes for the failed route, the preferred route is chosen based on administrative distance.
Because of this process, you can create “floating” static routes that are installed in the routing table when
the route discovered by a dynamic routing protocol fails. A floating static route is simply a static route
configured with a greater administrative distance than the dynamic routing protocols running on the
security appliance. When the corresponding route discovered by a dynamic routing process fails, the static
route is installed in the routing table.
How Forwarding Decisions are Made
Forwarding decisions are made as follows:
• If the destination does not match an entry in the routing table, the packet is forwarded through the
interface specified for the default route. If a default route has not been configured, the packet is
discarded.
• If the destination matches a single entry in the routing table, the packet is forwarded through the
interface associated with that route.
• If the destination matches more than one entry in the routing table, and the entries all have the same
network prefix length, the packets for that destination are distributed among the interfaces
associated with that route.
• If the destination matches more than one entry in the routing table, and the entries have different
network prefix lengths, then the packet is forwarded out of the interface associated with the route
that has the longer network prefix length.
For example, a packet destined for 192.168.32.1 arrives on an interface of a security appliance with the
following routes in the routing table:
hostname# show route
....
R 192.168.32.0/24 [120/4] via 10.1.1.2
O 192.168.32.0/19 [110/229840] via 10.1.1.3
....
In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls
within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but the
192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes
are always preferred over shorter ones when forwarding a packet.
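As an added illustration of the installation and forwarding rules described in this section (this is example code, not appliance code), the following Python models a routing table that applies the Table 9-1 administrative distances, compares metrics within one protocol, keeps losing routes as backups so a floating static route can take over, and forwards by longest prefix match. The routes are those from the show route examples above; the 172.16.0.0/16 routes and the 10.86.194.2 next hop are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table 9-1: default administrative distance per route source.
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: str               # e.g. "192.168.32.0/24"
    next_hop: str             # next-hop address, or the interface name for a connected route
    source: str               # "connected", "static", "ospf" or "rip"
    metric: int = 0           # protocol metric; only meaningful between routes of one source
    ad: Optional[int] = None  # None -> Table 9-1 default; a floating static sets this higher

    def __post_init__(self) -> None:
        self.net = ipaddress.IPv4Network(self.prefix, strict=True)
        if self.ad is None:
            self.ad = DEFAULT_AD[self.source]


class RoutingTable:
    def __init__(self) -> None:
        self.installed: Dict[ipaddress.IPv4Network, List[Route]] = {}
        self.backup: Dict[ipaddress.IPv4Network, List[Route]] = {}

    def offer(self, r: Route) -> bool:
        """Try to install r. Different prefix lengths never compete. For the same
        prefix, the lower administrative distance wins; on a tie the lower metric
        wins; on a full tie both stay installed (equal-cost paths). The loser is
        registered as a backup route so it can be reinstalled if the winner fails."""
        current = self.installed.get(r.net)
        if not current:
            self.installed[r.net] = [r]
            return True
        best = current[0]
        if (r.ad, r.metric) < (best.ad, best.metric):
            self.backup.setdefault(r.net, []).extend(current)
            self.installed[r.net] = [r]
            return True
        if (r.ad, r.metric) == (best.ad, best.metric):
            current.append(r)
            return True
        self.backup.setdefault(r.net, []).append(r)
        return False

    def withdraw(self, prefix: str, source: str) -> None:
        """Remove the routes from `source` for `prefix` (for example the OSPF source
        was lost). If nothing stays installed, every registered backup is offered
        again, so the backup with the best administrative distance takes over."""
        net = ipaddress.IPv4Network(prefix)
        self.backup[net] = [b for b in self.backup.get(net, []) if b.source != source]
        remaining = [x for x in self.installed.get(net, []) if x.source != source]
        if remaining:
            self.installed[net] = remaining
            return
        self.installed.pop(net, None)
        for b in self.backup.pop(net):
            self.offer(b)

    def lookup(self, dst: str) -> Optional[List[str]]:
        """Forwarding decision: the longest matching prefix wins, a 0.0.0.0/0 entry
        acts as the default route, equal-cost routes return several next hops, and
        None means no route at all (the packet is discarded)."""
        addr = ipaddress.IPv4Address(dst)
        matches = [n for n in self.installed if addr in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return [r.next_hop for r in self.installed[best]]


def show_route(rt: RoutingTable) -> List[str]:
    """Render the installed routes in the show route style used in this chapter."""
    code = {"connected": "C", "static": "S", "ospf": "O", "rip": "R"}
    lines = []
    for net in sorted(rt.installed, key=lambda n: (n.prefixlen, int(n.network_address))):
        for r in rt.installed[net]:
            if r.source == "connected":
                lines.append(f"C {net} is directly connected, {r.next_hop}")
            else:
                lines.append(f"{code[r.source]} {net} [{r.ad}/{r.metric}] via {r.next_hop}")
    return lines


def build_example_table() -> RoutingTable:
    """The routes from this section's show route output plus a constructed
    172.16.0.0/16 learned from OSPF, from RIP and from a floating static (AD 130)."""
    rt = RoutingTable()
    rt.offer(Route("10.86.194.0/23", "outside", "connected"))
    rt.offer(Route("0.0.0.0/0", "10.86.194.1", "static"))
    rt.offer(Route("192.168.32.0/24", "10.1.1.2", "rip", metric=4))
    rt.offer(Route("192.168.32.0/19", "10.1.1.3", "ospf", metric=229840))
    rt.offer(Route("172.16.0.0/16", "10.1.1.2", "rip", metric=2))
    rt.offer(Route("172.16.0.0/16", "10.1.1.3", "ospf", metric=20))
    rt.offer(Route("172.16.0.0/16", "10.86.194.2", "static", ad=130))  # floating static
    return rt


if __name__ == "__main__":
    table = build_example_table()
    print("\n".join(show_route(table)))
    print("192.168.32.1 ->", table.lookup("192.168.32.1"))
```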
Dynamic Routing and Failover
Dynamic routes are not replicated to the standby unit or failover group in a failover configuration.
Therefore, immediately after a failover occurs, some packets received by the security appliance may be
dropped because of a lack of routing information or routed to a default static route while the routing table
is repopulated by the configured dynamic routing protocols.
Chapter 10
Configuring DHCP, DDNS, and WCCP Services
This chapter describes how to configure the DHCP server, dynamic DNS (DDNS) update methods, and
WCCP on the security appliance. DHCP provides network configuration parameters, such as IP
addresses, to DHCP clients. The security appliance can provide a DHCP server or DHCP relay services
to DHCP clients attached to security appliance interfaces. The DHCP server provides network
configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one
interface to an external DHCP server located behind a different interface.
DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and
automates IP address allocation; DDNS update automatically records the association between assigned
addresses and hostnames at pre-defined intervals. DDNS allows frequently changing address-hostname
associations to be updated frequently. Mobile hosts, for example, can then move freely on a network
without user or administrator intervention. DDNS provides the necessary dynamic updating and
synchronizing of the name to address and address to name mappings on the DNS server.
WCCP specifies interactions between one or more routers, Layer 3 switches, or security appliances and
one or more web caches. The feature transparently redirects selected types of traffic to a group of web
cache engines to optimize resource usage and lower response times.
This chapter includes the following sections:
• Configuring a DHCP Server, page 10-1
• Configuring DHCP Relay Services, page 10-5
• Configuring Dynamic DNS, page 10-6
• Configuring Web Cache Services Using WCCP, page 10-9
Configuring a DHCP Server
This section describes how to configure the DHCP server provided by the security appliance. This section
includes the following topics:
• Enabling the DHCP Server, page 10-2
• Configuring DHCP Options, page 10-3
• Using Cisco IP Phones with a DHCP Server, page 10-4
Enabling the DHCP Server
The security appliance can act as a DHCP server. DHCP is a protocol that supplies network settings to
hosts including the host IP address, the default gateway, and a DNS server.
Note The security appliance DHCP server does not support BOOTP requests.
In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used
by more than one context.
You can configure a DHCP server on each interface of the security appliance. Each interface can have
its own pool of addresses to draw from. However, the other DHCP settings, such as DNS servers, domain
name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server
on all interfaces.
You cannot configure a DHCP client or DHCP Relay services on an interface on which the server is
enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is
enabled.
To enable the DHCP server on a given security appliance interface, perform the following steps:
Step 1 Create a DHCP address pool. Enter the following command to define the address pool:
hostname(config)# dhcpd address ip_address-ip_address interface_name
The security appliance assigns a client one of the addresses from this pool to use for a given length of time.
These addresses are the local, untranslated addresses for the directly connected network.
The address pool must be on the same subnet as the security appliance interface.
Step 2 (Optional) To specify the IP address(es) of the DNS server(s) the client will use, enter the following
command:
hostname(config)# dhcpd dns dns1 [dns2]
You can specify up to two DNS servers.
Step 3 (Optional) To specify the IP address(es) of the WINS server(s) the client will use, enter the following
command:
hostname(config)# dhcpd wins wins1 [wins2]
You can specify up to two WINS servers.
Step 4 (Optional) To change the lease length to be granted to the client, enter the following command:
hostname(config)# dhcpd lease lease_length
This lease equals the amount of time (in seconds) the client can use its allocated IP address before the
lease expires. Enter a value between 300 and 1,048,575. The default value is 3600 seconds.
Step 5 (Optional) To configure the domain name the client uses, enter the following command:
hostname(config)# dhcpd domain domain_name
Step 6 (Optional) To configure the DHCP ping timeout value, enter the following command:
hostname(config)# dhcpd ping_timeout milliseconds
To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before
assigning that address to a DHCP client. This command specifies the timeout value for those packets.
Step 7 (Transparent Firewall Mode) Define a default gateway. To define the default gateway that is sent to
DHCP clients, enter the following command:
hostname(config)# dhcpd option 3 ip gateway_ip
If you do not use the DHCP option 3 to define the default gateway, DHCP clients use the IP address of
the management interface. The management interface does not route traffic.
Step 8 To enable the DHCP daemon within the security appliance to listen for DHCP client requests on the
enabled interface, enter the following command:
hostname(config)# dhcpd enable interface_name
For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts connected to the inside interface, enter
the following commands:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
hostname(config)# dhcpd wins 209.165.201.5
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside
Configuring DHCP Options
You can configure the security appliance to send information for the DHCP options listed in RFC 2132.
The DHCP options fall into one of three categories:
• Options that return an IP address.
• Options that return a text string.
• Options that return a hexadecimal value.
The security appliance supports all three categories of DHCP options. To configure a DHCP option, do
one of the following:
• To configure a DHCP option that returns one or two IP addresses, enter the following command:
hostname(config)# dhcpd option code ip addr_1 [addr_2]
• To configure a DHCP option that returns a text string, enter the following command:
hostname(config)# dhcpd option code ascii text
• To configure a DHCP option that returns a hexadecimal value, enter the following command:
hostname(config)# dhcpd option code hex value
Note The security appliance does not verify that the option type and value that you provide match the expected
type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option
46 ascii hello command and the security appliance accepts the configuration although option 46 is
defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the
option codes and their associated types and expected values, refer to RFC 2132.
Table 10-1 shows the DHCP options that are not supported by the dhcpd option command.
Table 10-1 Unsupported DHCP Options
Option Code  Description
0            DHCPOPT_PAD
1            DHCPOPT_SUBNET_MASK
12           DHCPOPT_HOST_NAME
50           DHCPOPT_REQUESTED_ADDRESS
51           DHCPOPT_LEASE_TIME
52           DHCPOPT_OPTION_OVERLOAD
53           DHCPOPT_MESSAGE_TYPE
54           DHCPOPT_SERVER_IDENTIFIER
58           DHCPOPT_RENEWAL_TIME
59           DHCPOPT_REBINDING_TIME
61           DHCPOPT_CLIENT_IDENTIFIER
67           DHCPOPT_BOOT_FILE_NAME
82           DHCPOPT_RELAY_INFORMATION
255          DHCPOPT_END
Specific options, DHCP options 3, 66, and 150, are used to configure Cisco IP Phones. See the “Using
Cisco IP Phones with a DHCP Server” section on page 10-4 for more information about configuring
those options.
Using Cisco IP Phones with a DHCP Server
Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution
typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch
offices. This implementation allows centralized call processing, reduces the equipment required, and
eliminates the administration of additional Cisco CallManager and other servers at branch offices.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it
does not have both the IP address and TFTP server IP address preconfigured, it sends a request with
option 150 or 66 to the DHCP server to obtain this information.
• DHCP option 150 provides the IP addresses of a list of TFTP servers.
• DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security
appliance DHCP server provides values for both options in the response if they are configured on the
security appliance.
You can configure the security appliance to send information for most options listed in RFC 2132. The
following example shows the syntax for any option number, as well as the syntax for commonly-used
options 66, 150, and 3:
• To provide information for DHCP requests that include an option number as specified in RFC 2132,
enter the following command:
hostname(config)# dhcpd option number value
• To provide the IP address or name of a TFTP server for option 66, enter the following command:
hostname(config)# dhcpd option 66 ascii server_name
• To provide the IP address or names of one or two TFTP servers for option 150, enter the following
command:
hostname(config)# dhcpd option 150 ip server_ip1 [server_ip2]
The server_ip1 is the IP address or name of the primary TFTP server while server_ip2 is the
IP address or name of the secondary TFTP server. A maximum of two TFTP servers can be
identified using option 150.
• To set the default route, enter the following command:
hostname(config)# dhcpd option 3 ip router_ip1
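Because the appliance accepts any option type and value without checking them against RFC 2132 (see the note in the previous section), an added pre-check is useful before the commands are pushed. The following Python, which is example code and not part of the appliance, validates dhcpd option commands against the encoding RFC 2132 expects for the option codes this section discusses, rejects the codes in Table 10-1, and produces the option TLV bytes a DHCP reply would carry. The expected-type table, the accepted hex value format (hex digits, optionally dot- or colon-separated) and the entry for option 150 (a Cisco TFTP server address option, not an RFC 2132 option) are assumptions.

```python
from __future__ import annotations
import ipaddress
from typing import Dict, List, Optional, Tuple

# Option codes that the dhcpd option command does not accept (Table 10-1).
UNSUPPORTED = {0, 1, 12, 50, 51, 52, 53, 54, 58, 59, 61, 67, 82, 255}

# Expected dhcpd option keyword, option name and fixed payload length (None = variable)
# for the codes discussed on this page. Assumed mapping, derived from RFC 2132;
# option 150 is Cisco-specific and is included for the IP Phone case.
EXPECTED: Dict[int, Tuple[str, str, Optional[int]]] = {
    3: ("ip", "Router", None),
    6: ("ip", "Domain Name Server", None),
    15: ("ascii", "Domain Name", None),
    44: ("ip", "NetBIOS over TCP/IP Name Server", None),
    46: ("hex", "NetBIOS over TCP/IP Node Type", 1),  # so 'option 46 ascii hello' is wrong
    66: ("ascii", "TFTP server name", None),
    150: ("ip", "TFTP server address (Cisco)", None),
}


def _parse(line: str) -> Tuple[int, str, object]:
    """Split 'dhcpd option <code> {ip a [b] | ascii text | hex value}' into its parts."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["dhcpd", "option"] or parts[3] not in ("ip", "ascii", "hex"):
        raise ValueError(f"not a dhcpd option command: {line!r}")
    code = int(parts[2])
    kind = parts[3]
    value = " ".join(parts[4:]) if kind == "ascii" else parts[4:]
    return code, kind, value


def _encode_value(kind: str, value) -> bytes:
    """Turn the command's value into the raw option payload."""
    if kind == "ip":
        if not 1 <= len(value) <= 2:  # the command takes one or two addresses
            raise ValueError("ip options take one or two addresses")
        return b"".join(ipaddress.IPv4Address(a).packed for a in value)
    if kind == "ascii":
        return value.encode("ascii")
    return bytes.fromhex("".join(value).replace(".", "").replace(":", ""))


def validate(line: str) -> Optional[str]:
    """Return None if the command is acceptable, otherwise the problem the appliance
    itself would silently accept (bad syntax, unsupported code, wrong type or length)."""
    try:
        code, kind, value = _parse(line)
        payload = _encode_value(kind, value)
    except ValueError as exc:
        return str(exc)
    if not 0 <= code <= 255:
        return f"option code {code} is out of range"
    if code in UNSUPPORTED:
        return f"option {code} is not supported by the dhcpd option command (Table 10-1)"
    if code in EXPECTED:
        exp_kind, name, fixed = EXPECTED[code]
        if exp_kind != kind:
            return f"option {code} ({name}) expects '{exp_kind}', got '{kind}'"
        if fixed is not None and len(payload) != fixed:
            return f"option {code} ({name}) expects {fixed} byte(s), got {len(payload)}"
    if not 1 <= len(payload) <= 255:
        return f"option {code} payload must be 1-255 bytes, got {len(payload)}"
    return None


def encode(line: str) -> bytes:
    """Encode one validated command as a DHCP option TLV: code, length, value."""
    problem = validate(line)
    if problem:
        raise ValueError(problem)
    code, kind, value = _parse(line)
    payload = _encode_value(kind, value)
    return bytes([code, len(payload)]) + payload


def build_options_field(lines: List[str]) -> bytes:
    """Concatenate the TLVs in the order given and terminate with END (255), as they
    would appear in the options field of the DHCP reply."""
    return b"".join(encode(line) for line in lines) + b"\xff"


def report(lines: List[str]) -> Dict[str, str]:
    """Map each rejected command to its problem; an empty dict means all are acceptable."""
    found = {}
    for line in lines:
        problem = validate(line)
        if problem:
            found[line] = problem
    return found


# Constructed sample: the IP Phone options from this section plus the mistyped
# option 46 command from the note and an unsupported option code.
SAMPLE_CONFIG = [
    "dhcpd option 3 ip 10.0.1.1",
    "dhcpd option 66 ascii tftp.example.com",
    "dhcpd option 150 ip 10.0.1.20 10.0.1.21",
    "dhcpd option 46 ascii hello",
    "dhcpd option 53 hex 05",
]

if __name__ == "__main__":
    for cmd, why in report(SAMPLE_CONFIG).items():
        print(f"REJECT {cmd}: {why}")
```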
Configuring DHCP Relay Services
A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router
connected to a different interface.
The following restrictions apply to the use of the DHCP relay agent:
• The relay agent cannot be enabled if the DHCP server feature is also enabled.
• Clients must be directly connected to the security appliance and cannot send requests through
another relay agent or a router.
• For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than
one context.
Note DHCP Relay services are not available in transparent firewall mode. A security appliance in transparent
firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP
requests and replies through the security appliance in transparent mode, you need to configure two
access lists, one that allows DHCP requests from the inside interface to the outside, and one that allows
the replies from the server in the other direction.
Note When DHCP relay is enabled and more than one DHCP relay server is defined, the security appliance
forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded
to the client until the client DHCP relay binding is removed. The binding is removed when the security
appliance receives any of the following DHCP messages: ACK, NACK, or decline.
To enable DHCP relay, perform the following steps:
Step 1 To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following
command:
hostname(config)# dhcprelay server ip_address if_name
You can use this command up to 4 times to identify up to 4 servers.
Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command:
hostname(config)# dhcprelay enable interface
Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following
command:
hostname(config)# dhcprelay timeout seconds
Step 4 (Optional) To change the first default router address in the packet sent from the DHCP server to the
address of the security appliance interface, enter the following command:
hostname(config)# dhcprelay setroute interface_name
This action allows the client to set its default route to point to the security appliance even if the DHCP
server specifies a different router.
If there is no default router option in the packet, the security appliance adds one containing the interface
address.
The following example enables the security appliance to forward DHCP requests from clients connected
to the inside interface to a DHCP server on the outside interface:
hostname(config)# dhcprelay server 201.168.200.4 outside
hostname(config)# dhcprelay enable inside
hostname(config)# dhcprelay setroute inside
Configuring Dynamic DNS
This section describes examples for configuring the security appliance to support Dynamic DNS. DDNS
update integrates DNS with DHCP. The two protocols are complementary—DHCP centralizes and
automates IP address allocation, while dynamic DNS update automatically records the association
between assigned addresses and hostnames. When you use DHCP and dynamic DNS update, this
configures a host automatically for network access whenever it attaches to the IP network. You can locate
and reach the host using its permanent, unique DNS hostname. Mobile hosts, for example, can move
freely without user or administrator intervention.
DDNS provides address and domain name mappings so hosts can find each other even though their
DHCP-assigned IP addresses change frequently. The DDNS name and address mappings are held on the
DHCP server in two resource records: the A RR contains the name to IP address mapping while the PTR
RR maps addresses to names. Of the two methods for performing DDNS updates—the IETF standard
defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in
this release.
The two most common DDNS update configurations are:
• The DHCP client updates the A RR while the DHCP server updates PTR RR.
• The DHCP server updates both the A and PTR RRs.
In general, the DHCP server maintains DNS PTR RRs on behalf of clients. Clients may be configured
to perform all desired DNS updates. The server may be configured to honor these updates or not. To
update the PTR RR, the DHCP server must know the Fully Qualified Domain Name of the client. The
client provides an FQDN to the server using a DHCP option called Client FQDN.
The following examples present these common scenarios:
• Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-7
• Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request;
FQDN Provided Through Configuration, page 10-7
• Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server
Overrides Client and Updates Both RRs, page 10-8
• Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR
Only; Honors Client Request and Updates Both A and PTR RR, page 10-8
• Example 5: Client Updates A RR; Server Updates PTR RR, page 10-9
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
The following example configures the client to request that it update both A and PTR resource records
for static IP addresses. To configure this example, perform the following steps:
Step 1 To define a DDNS update method called ddns-2 that requests that the client update both the A and PTR
RRs, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To associate the method ddns-2 with the eth1 interface, enter the following commands:
hostname(DDNS-update-method)# interface eth1
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa.example.com
Step 3 To configure a static IP address for eth1, enter the following commands:
hostname(config-if)# ip address 10.0.0.40 255.255.255.0
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration
The following example configures 1) the DHCP client to request that it update both the A and PTR RRs,
and 2) the DHCP server to honor the requests. To configure this example, perform the following steps:
Step 1 To configure the DHCP client to request that the DHCP server perform no updates, enter the following
command:
hostname(config)# dhcp-client update dns server none
Step 2 To create a DDNS update method named ddns-2 on the DHCP client that requests that the client perform
both A and PTR updates, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 3 To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable
DHCP on the interface, enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
hostname(if-config)# ip address dhcp
Step 4 To configure the DHCP server, enter the following command:
hostname(if-config)# dhcpd update dns
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs.
The following example configures the DHCP client to include the FQDN option instructing the DHCP
server not to update either the A or the PTR RR. The example also configures the server to override the
client request. As a result, the client backs off without performing any updates.
To configure this scenario, perform the following steps:
Step 1 To configure the update method named ddns-2 to request that it make both A and PTR RR updates, enter
the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both
Step 2 To assign the DDNS update method named ddns-2 on interface Ethernet0 and provide the client
hostname (asa), enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
Step 3 To enable the DHCP client feature on the interface, enter the following commands:
hostname(if-config)# dhcp client update dns server none
hostname(if-config)# ip address dhcp
Step 4 To configure the DHCP server to override the client update requests, enter the following command:
hostname(if-config)# dhcpd update dns both override
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
The following example configures the server to perform only PTR RR updates by default. However, the
server honors the client request that it perform both A and PTR updates. The server also forms the FQDN
by appending the domain name (example.com) to the hostname provided by the client (asa).
To configure this scenario, perform the following steps:
Step 1 To configure the DHCP client on interface Ethernet0, enter the following commands:
hostname(config)# interface Ethernet0
hostname(config-if)# dhcp client update dns both
hostname(config-if)# ddns update hostname asa
Step 2 To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com
Example 5: Client Updates A RR; Server Updates PTR RR
The following example configures the client to update the A resource record and the server to update the
PTR records. Also, the client uses the domain name from the DHCP server to form the FQDN.
To configure this scenario, perform the following steps:
Step 1 To define the DDNS update method named ddns-2, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns
Step 2 To configure the DHCP client for interface Ethernet0 and assign the update method to the interface, enter
the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(config-if)# dhcp client update dns
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa
Step 3 To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com
Configuring Web Cache Services Using WCCP
The purpose of web caching is to reduce latency and network traffic. Previously-accessed web pages are
stored in a cache buffer, so if a user needs the page again, they can retrieve it from the cache instead of
the web server.
WCCP specifies interactions between the security appliance and external web caches. The feature
transparently redirects selected types of traffic to a group of web cache engines to optimize resource
usage and lower response times. The security appliance only supports WCCP version 2.
Using a security appliance as an intermediary eliminates the need for a separate router to do the WCCP
redirect because the security appliance takes care of redirecting requests to cache engines. When the
security appliance determines that a packet needs redirection, it skips TCP state tracking, TCP sequence
number randomization, and NAT on these traffic flows.
This section includes the following topics:
• WCCP Feature Support, page 10-9
• WCCP Interaction With Other Features, page 10-10
• Enabling WCCP Redirection, page 10-10
WCCP Feature Support
The following WCCPv2 features are supported with the security appliance:
• Redirection of multiple TCP/UDP port-destined traffic.
• Authentication for cache engines in a service group.
The following WCCPv2 features are not supported with the security appliance:
• Multiple routers in a service group are not supported. Multiple cache engines in a service group are
still supported.
• Multicast WCCP is not supported.
• The Layer 2 redirect method is not supported; only GRE encapsulation is supported.
• WCCP source address spoofing.
WCCP Interaction With Other Features
In the security appliance implementation of WCCP, the following applies to how the protocol interacts
with other configurable features:
• An ingress access list entry always takes priority over WCCP. For example, if an access list
does not permit a client to communicate with a server, then traffic is not redirected to a cache
engine. Both ingress interface access lists and egress interface access lists are applied.
• TCP intercept, authorization, URL filtering, inspect engines, and IPS features are not applied to a
redirected flow of traffic.
• When a cache engine cannot service a request and the packet is returned, or when a cache miss happens
on a cache engine and it requests data from a web server, then the contents of the traffic flow are
subject to all the other configured features of the security appliance.
• In failover, WCCP redirect tables are not replicated to standby units. After a failover, packets will
not be redirected until the tables are rebuilt. Sessions redirected prior to failover will likely be reset
by the web server.
Enabling WCCP Redirection
There are two steps to configuring WCCP redirection on the security appliance. The first involves
identifying the service to be redirected with the wccp command, and the second is defining on which
interface the redirection occurs with the wccp redirect command. The wccp command can optionally
also define which cache engines can participate in the service group, and what traffic should be
redirected to the cache engine.
WCCP redirect is supported only on the ingress of an interface. The only topology that the security
appliance supports is when client and cache engine are behind the same interface of the security
appliance and the cache engine can directly communicate with the client without going through the
security appliance.
The following configuration tasks assume you have already installed and configured the cache engines
you wish to include in your network.
To configure WCCP redirection, perform the following steps:
Step 1 To enable a WCCP service group, enter the following command:
hostname(config)# wccp {web-cache | service_number} [redirect-list access_list]
[group-list access_list] [password password]
The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic
to the cache engines, but you can identify a service number if desired between 0 and 254. For example,
to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this
command multiple times for each service group you want to enable.
The redirect-list access_list argument controls traffic redirected to this service group.
The group-list access_list argument determines which web cache IP addresses are allowed to participate
in the service group.
The password password argument specifies MD5 authentication for messages received from the service
group. Messages that are not accepted by the authentication are discarded.
Step 2 To enable WCCP redirection on an interface, enter the following command:
hostname(config)# wccp interface interface_name {web-cache | service_number} redirect in
For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside
interface to a web cache, enter the following commands:
hostname(config)# wccp web-cache
hostname(config)# wccp interface inside web-cache redirect in
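Because redirected flows bypass TCP intercept, inspection engines and IPS (see WCCP Interaction With Other Features), a configuration review should confirm that each service group restricts which cache engines may join (group-list) and authenticates service-group messages (password). The following check is an added example, not Cisco code; it parses the two wccp command forms shown in this procedure from a constructed configuration excerpt whose ACL names and password are placeholders.

```python
"""Review check for WCCP service-group definitions in an ASA configuration.

The two-step procedure defines a service group with 'wccp' and enables
redirection per interface with 'wccp interface ... redirect in'. This check
flags service groups that leave group-list (which cache engines may join) or
password (MD5 authentication) unset, and redirect statements that reference
a service group that was never defined.
"""
import re
from typing import Dict, List, Optional, Tuple

# Syntax as given in the configuration guide; optional arguments in that order.
WCCP_SERVICE = re.compile(
    r"^wccp\s+(?P<service>web-cache|\d{1,3})"
    r"(?:\s+redirect-list\s+(?P<redirect>\S+))?"
    r"(?:\s+group-list\s+(?P<group>\S+))?"
    r"(?:\s+password\s+(?P<password>\S+))?\s*$"
)
WCCP_REDIRECT = re.compile(
    r"^wccp\s+interface\s+(?P<ifname>\S+)\s+"
    r"(?P<service>web-cache|\d{1,3})\s+redirect\s+in\s*$"
)


def audit_wccp(config: str) -> List[str]:
    """Return a list of findings (empty when the WCCP configuration is clean)."""
    services: Dict[str, Dict[str, Optional[str]]] = {}
    redirects: List[Tuple[str, str]] = []
    findings: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        m = WCCP_REDIRECT.match(line)
        if m:
            redirects.append((m.group("ifname"), m.group("service")))
            continue
        m = WCCP_SERVICE.match(line)
        if not m:
            continue
        svc = m.group("service")
        # Service numbers are limited to 0-254; web-cache is the standard service.
        if svc != "web-cache" and not 0 <= int(svc) <= 254:
            findings.append(f"service {svc}: service number outside 0-254")
            continue
        services[svc] = m.groupdict()

    for svc, opts in services.items():
        if opts["group"] is None:
            findings.append(f"service {svc}: no group-list, any cache engine address may join")
        if opts["password"] is None:
            findings.append(f"service {svc}: no password, service-group messages are unauthenticated")

    redirected = {svc for _, svc in redirects}
    for ifname, svc in redirects:
        if svc not in services:
            findings.append(f"interface {ifname}: redirect to undefined service {svc}")
    for svc in services:
        if svc not in redirected:
            findings.append(f"service {svc}: defined but not redirected on any interface")
    return findings


# Constructed configuration excerpt; ACL names and the password are placeholders.
SAMPLE_CONFIG = """
wccp web-cache
wccp 60 redirect-list ftp_clients group-list cache_engines password EXAMPLE-KEY
wccp interface inside web-cache redirect in
wccp interface inside 60 redirect in
wccp interface dmz 90 redirect in
"""

if __name__ == "__main__":
    for finding in audit_wccp(SAMPLE_CONFIG):
        print(finding)
```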
Chapter 11
Configuring Multicast Routing
This chapter describes how to configure multicast routing. This section includes the following topics:
• Multicast Routing Overview, page 11-13
• Enabling Multicast Routing, page 11-14
• Configuring IGMP Features, page 11-14
• Configuring Stub Multicast Routing, page 11-17
• Configuring a Static Multicast Route, page 11-17
• Configuring PIM Features, page 11-18
• For More Information about Multicast Routing, page 11-22
Multicast Routing Overview
The security appliance supports both stub multicast routing and PIM multicast routing. However, you
cannot configure both concurrently on a single security appliance.
Stub multicast routing provides dynamic host registration and facilitates multicast routing. When
configured for stub multicast routing, the security appliance acts as an IGMP proxy agent. Instead of
fully participating in multicast routing, the security appliance forwards IGMP messages to an upstream
multicast router, which sets up delivery of the multicast data. When configured for stub multicast
routing, the security appliance cannot be configured for PIM.
The security appliance supports both PIM-SM and bi-directional PIM. PIM-SM is a multicast routing
protocol that uses the underlying unicast routing information base or a separate multicast-capable
routing information base. It builds unidirectional shared trees rooted at a single Rendezvous Point per
multicast group and optionally creates shortest-path trees per multicast source.
Bi-directional PIM is a variant of PIM-SM that builds bi-directional shared trees connecting multicast
sources and receivers. Bi-directional trees are built using a DF election process operating on each link
of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the
Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific
state. The DF election takes place during Rendezvous Point discovery and provides a default route to the
Rendezvous Point.
Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as
the RP address.
Enabling Multicast Routing
Enabling multicast routing lets the security appliance forward multicast packets. Enabling multicast
routing automatically enables PIM and IGMP on all interfaces. To enable multicast routing, enter the
following command:
hostname(config)# multicast-routing
The number of entries in the multicast routing tables is limited by the amount of RAM on the system.
Table 11-1 lists the maximum number of entries for specific multicast tables based on the amount of
RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Configuring IGMP Features
IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses
group addresses (Class D IP addresses) as group identifiers. Host group addresses can be in the range
224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address
224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a
subnet.
When you enable multicast routing on the security appliance, IGMP Version 2 is automatically enabled
on all interfaces.
Note Only the no igmp command appears in the interface configuration when you use the show run
command. If the multicast-routing command appears in the device configuration, then IGMP is
automatically enabled on all interfaces.
This section describes how to configure optional IGMP settings on a per-interface basis. This section
includes the following topics:
• Disabling IGMP on an Interface, page 11-15
• Configuring Group Membership, page 11-15
• Configuring a Statically Joined Group, page 11-15
• Controlling Access to Multicast Groups, page 11-15
• Limiting the Number of IGMP States on an Interface, page 11-16
• Modifying the Query Interval and Query Timeout, page 11-16
• Changing the Query Response Time, page 11-17
• Changing the IGMP Version, page 11-17
Table 11-1 Entry Limits for Multicast Tables
Table          16 MB    128 MB    128+ MB
MFIB            1000      3000       5000
IGMP Groups     1000      3000       5000
PIM Routes      3000      7000      12000
Disabling IGMP on an Interface
You can disable IGMP on specific interfaces. This is useful if you know that you do not have any
multicast hosts on a specific interface and you want to prevent the security appliance from sending host
query messages on that interface.
To disable IGMP on an interface, enter the following command:
hostname(config-if)# no igmp
To reenable IGMP on an interface, enter the following command:
hostname(config-if)# igmp
Note Only the no igmp command appears in the interface configuration.
Configuring Group Membership
You can configure the security appliance to be a member of a multicast group. Configuring the security
appliance to join a multicast group causes upstream routers to maintain multicast routing table
information for that group and keep the paths for that group active.
To have the security appliance join a multicast group, enter the following command:
hostname(config-if)# igmp join-group group-address
Configuring a Statically Joined Group
Sometimes a group member cannot report its membership in the group, or there may be no members of
a group on the network segment, but you still want multicast traffic for that group to be sent to that
network segment. You can have multicast traffic for that group sent to the segment in one of two ways:
• Using the igmp join-group command (see Configuring Group Membership, page 11-15). This
causes the security appliance to accept and to forward the multicast packets.
• Using the igmp static-group command. The security appliance does not accept the multicast
packets but rather forwards them to the specified interface.
To configure a statically joined multicast group on an interface, enter the following command:
hostname(config-if)# igmp static-group group-address
Controlling Access to Multicast Groups
To control the multicast groups that hosts on the security appliance interface can join, perform the
following steps:
Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list.
You can use extended or standard access lists.
• To create a standard access list, enter the following command:
hostname(config)# access-list name standard [permit | deny] ip_addr mask
The ip_addr argument is the IP address of the multicast group being permitted or denied.
• To create an extended access list, enter the following command:
hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr
src_mask dst_ip_addr dst_mask
The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.
Step 2 Apply the access list to an interface by entering the following command:
hostname(config-if)# igmp access-group acl
The acl argument is the name of a standard or extended IP access list.
Limiting the Number of IGMP States on an Interface
You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface
basis. Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic
for the excess membership reports is not forwarded.
To limit the number of IGMP states on an interface, enter the following command:
hostname(config-if)# igmp limit number
Valid values range from 0 to 500, with 500 being the default value. Setting this value to 0 prevents
learned groups from being added, but manually defined memberships (using the igmp join-group and
igmp static-group commands) are still permitted. The no form of this command restores the default
value.
Modifying the Query Interval and Query Timeout
The security appliance sends query messages to discover which multicast groups have members on the
networks attached to the interfaces. Members respond with IGMP report messages indicating that they
want to receive multicast packets for specific groups. Query messages are addressed to the all-systems
multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1.
These messages are sent periodically to refresh the membership information stored on the security
appliance. If the security appliance discovers that there are no local members of a multicast group still
attached to an interface, it stops forwarding multicast packets for that group to the attached network and
it sends a prune message back to the source of the packets.
By default, the PIM designated router on the subnet is responsible for sending the query messages. By
default, they are sent once every 125 seconds. To change this interval, enter the following command:
hostname(config-if)# igmp query-interval seconds
If the security appliance does not hear a query message on an interface for the specified timeout value
(by default, 255 seconds), then the security appliance becomes the designated router and starts sending
the query messages. To change this timeout value, enter the following command:
hostname(config-if)# igmp query-timeout seconds
Note The igmp query-timeout and igmp query-interval commands require IGMP Version 2.
Changing the Query Response Time
By default, the maximum query response time advertised in IGMP queries is 10 seconds. If the security
appliance does not receive a response to a host query within this amount of time, it deletes the group.
To change the maximum query response time, enter the following command:
hostname(config-if)# igmp query-max-response-time seconds
Changing the IGMP Version
By default, the security appliance runs IGMP Version 2, which enables several additional features such
as the igmp query-timeout and igmp query-interval commands.
All multicast routers on a subnet must support the same version of IGMP. The security appliance does
not automatically detect version 1 routers and switch to version 1. However, a mix of IGMP Version 1
and 2 hosts on the subnet works; the security appliance running IGMP Version 2 works correctly when
IGMP Version 1 hosts are present.
To control which version of IGMP is running on an interface, enter the following command:
hostname(config-if)# igmp version {1 | 2}
Configuring Stub Multicast Routing
A security appliance acting as the gateway to the stub area does not need to participate in PIM. Instead,
you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected
on one interface to an upstream multicast router on another. To configure the security appliance as an
IGMP proxy agent, forward the host join and leave messages from the stub area interface to an upstream
interface.
To forward the host join and leave messages, enter the following command from the interface attached
to the stub area:
hostname(config-if)# igmp forward interface if_name
Note Stub Multicast Routing and PIM are not supported concurrently.
Configuring a Static Multicast Route
When using PIM, the security appliance expects to receive packets on the same interface where it sends
unicast packets back to the source. In some cases, such as bypassing a route that does not support
multicast routing, you may want unicast packets to take one path and multicast packets to take another.
Static multicast routes are not advertised or redistributed.
To configure a static multicast route for PIM, enter the following command:
hostname(config)# mroute src_ip src_mask {input_if_name | rpf_addr} [distance]
To configure a static multicast route for a stub area, enter the following command:
hostname(config)# mroute src_ip src_mask input_if_name [dense output_if_name] [distance]
Note The dense output_if_name keyword and argument pair is only supported for stub multicast routing.
Configuring PIM Features
Routers use PIM to maintain forwarding tables for forwarding multicast datagrams. When you enable
multicast routing on the security appliance, PIM and IGMP are automatically enabled on all interfaces.
Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols
that use ports.
This section describes how to configure optional PIM settings. This section includes the following
topics:
• Disabling PIM on an Interface, page 11-18
• Configuring a Static Rendezvous Point Address, page 11-19
• Configuring the Designated Router Priority, page 11-19
• Filtering PIM Register Messages, page 11-19
• Configuring PIM Message Intervals, page 11-20
• Configuring a Multicast Boundary, page 11-20
• Filtering PIM Neighbors, page 11-20
• Supporting Mixed Bidirectional/Sparse-Mode PIM Networks, page 11-21
Disabling PIM on an Interface
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following
command:
hostname(config-if)# no pim
To reenable PIM on an interface, enter the following command:
hostname(config-if)# pim
Note Only the no pim command appears in the interface configuration.
Configuring a Static Rendezvous Point Address
All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP
address. The address is statically configured using the pim rp-address command.
Note The security appliance does not support Auto-RP or PIM BSR; you must use the pim rp-address
command to specify the RP address.
You can configure the security appliance to serve as RP to more than one group. The group range
specified in the access list determines the PIM RP group mapping. If an access list is not specified, then
the RP for the group is applied to the entire multicast group range (224.0.0.0/4).
To configure the address of the PIM RP, enter the following command:
hostname(config)# pim rp-address ip_address [acl] [bidir]
The ip_address argument is the unicast IP address of the router to be a PIM RP. The acl argument is the
name or number of a standard access list that defines which multicast groups the RP should be used with.
Do not use a host ACL with this command. Excluding the bidir keyword causes the groups to operate
in PIM sparse mode.
Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the
actual bidir configuration.
Configuring the Designated Router Priority
The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more
than one multicast router on a network segment, there is an election process to select the DR based on
DR priority. If multiple devices have the same DR priority, then the device with the highest IP address
becomes the DR.
By default, the security appliance has a DR priority of 1. You can change this value by entering the
following command:
hostname(config-if)# pim dr-priority num
The num argument can be any number from 1 to 4294967294.
Filtering PIM Register Messages
You can configure the security appliance to filter PIM register messages. To filter PIM register messages,
enter the following command:
hostname(config)# pim accept-register {list acl | route-map map-name}
Configuring PIM Message Intervals
Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router
query messages. By default, router query messages are sent every 30 seconds. You can change this value
by entering the following command:
hostname(config-if)# pim hello-interval seconds
Valid values for the seconds argument range from 1 to 3600 seconds.
Every 60 seconds, the security appliance sends PIM join/prune messages. To change this value, enter the
following command:
hostname(config-if)# pim join-prune-interval seconds
Valid values for the seconds argument range from 10 to 600 seconds.
Configuring a Multicast Boundary
Address scoping defines domain boundaries so that domains with RPs that have the same IP address do
not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the
boundaries between the domain and the Internet.
You can set up an administratively scoped boundary on an interface for multicast group addresses using
the multicast boundary command. IANA has designated the multicast address range 239.0.0.0 to
239.255.255.255 as the administratively scoped addresses. This range of addresses can be reused in
domains administered by different organizations. They would be considered local, not globally unique.
To configure a multicast boundary, enter the following command:
hostname(config-if)# multicast boundary acl [filter-autorp]
A standard ACL defines the range of addresses affected. When a boundary is set up, no multicast data
packets are allowed to flow across the boundary from either direction. The boundary allows the same
multicast group address to be reused in different administrative domains.
You can configure the filter-autorp keyword to examine and filter Auto-RP discovery and
announcement messages at the administratively scoped boundary. Any Auto-RP group range
announcements from the Auto-RP packets that are denied by the boundary access control list (ACL) are
removed. An Auto-RP group range announcement is permitted and passed by the boundary only if all
addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not
permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP
message is forwarded.
Filtering PIM Neighbors
You can define the routers that can become PIM neighbors with the pim neighbor-filter command. By
filtering the routers that can become PIM neighbors, you can:
• Prevent unauthorized routers from becoming PIM neighbors.
• Prevent attached stub routers from participating in PIM.
To define the neighbors that can become a PIM neighbor, perform the following steps:
Step 1 Use the access-list command to define a standard access list that defines the routers you want to participate
in PIM.
For example, the following access list, when used with the pim neighbor-filter command, prevents the
10.1.1.1 router from becoming a PIM neighbor:
hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255
Step 2 Use the pim neighbor-filter command on an interface to filter the neighbor routers.
For example, the following commands prevent the 10.1.1.1 router from becoming a PIM neighbor on
interface GigabitEthernet0/3:
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim neighbor-filter pim_nbr
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks
Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers
in a segment must be bidirectionally enabled in order for bidir to elect a DF.
The pim bidir-neighbor-filter command enables the transition from a sparse-mode-only network to a
bidir network by letting you specify the routers that should participate in DF election while still allowing
all routers to participate in the sparse-mode domain. The bidir-enabled routers can elect a DF from
among themselves, even when there are non-bidir routers on the segment. Multicast boundaries on the
non-bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir
subset cloud.
When the pim bidir-neighbor-filter command is enabled, the routers that are permitted by the ACL are
considered to be bidir-capable. Therefore:
• If a permitted neighbor does not support bidir, the DF election does not occur.
• If a denied neighbor supports bidir, then DF election does not occur.
• If a denied neighbor does not support bidir, the DF election occurs.
To control which neighbors can participate in the DF election, perform the following steps:
Step 1 Use the access-list command to define a standard access list that permits the routers you want to
participate in the DF election and denies all others.
For example, the following access list permits the routers at 10.1.1.1 and 10.2.2.2 to participate in the
DF election and denies all others:
hostname(config)# access-list pim_bidir permit 10.1.1.1 255.255.255.255
hostname(config)# access-list pim_bidir permit 10.1.1.2 255.255.255.255
hostname(config)# access-list pim_bidir deny any
Step 2 Enable the pim bidir-neighbor-filter command on an interface.
The following example applies the access list created in the previous step to the interface GigabitEthernet0/3:
hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim bidir-neighbor-filter pim_bidir
For More Information about Multicast Routing
The following RFCs from the IETF provide technical details about the IGMP and multicast routing
standards used for implementing the SMR feature:
• RFC 2236 IGMPv2
• RFC 2362 PIM-SM
• RFC 2588 IP Multicast and Firewalls
• RFC 2113 IP Router Alert Option
• IETF draft-ietf-idmr-igmp-proxy-01.txt
Chapter 12 Configuring IPv6
This chapter describes how to enable and configure IPv6 on the security appliance. IPv6 is available in
Routed firewall mode only.
This chapter includes the following sections:
• IPv6-enabled Commands, page 12-1
• Configuring IPv6, page 12-2
• Verifying the IPv6 Configuration, page 12-11
For a sample IPv6 configuration, see Appendix B, “Sample Configurations.”
IPv6-enabled Commands
The following security appliance commands can accept and display IPv6 addresses:
• capture
• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
• ssh
• telnet
• tftp-server
• who
• write
Note Failover does not support IPv6. The ipv6 address command does not support setting standby addresses
for failover configurations. The failover interface ip command does not support using IPv6 addresses
on the failover and Stateful Failover interfaces.
When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using
standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The security appliance correctly
recognizes and processes the IPv6 address. However, you must enclose the IPv6 address in square
brackets ([ ]) in the following situations:
• You need to specify a port number with the address, for example
[fe80::2e0:b6ff:fe01:3b7a]:8080.
• The command uses a colon as a separator, such as the write net and config net commands, for
example configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/pixconfig.
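The bracket rule above matters because an IPv6 address already contains colons, so an unbracketed trailing ":port" cannot be told apart from one more address group. The following Python function is an added example, not part of this guide or of the appliance software: it parses the bracketed forms shown above ("[ipv6]:port" and the "[ipv6]:/path" form used by write net and configure net) and shows what goes wrong with the unbracketed form. The function names and the return shape are this example's own.

```python
import ipaddress
from typing import Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_endpoint(text: str) -> Tuple[Address, Optional[int], Optional[str]]:
    """Split an address argument into (address, port, path).

    Bracketed forms: "[ipv6]", "[ipv6]:port" and "[ipv6]:/path". Brackets are
    the only unambiguous way to attach a port or a path to an IPv6 address,
    because the address itself uses colons. Unbracketed IPv4 may still use the
    familiar host:port form.
    """
    if text.startswith("["):
        end = text.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in %r" % text)
        addr = ipaddress.ip_address(text[1:end])
        rest = text[end + 1:]
        if rest == "":
            return addr, None, None
        if not rest.startswith(":"):
            raise ValueError("expected ':' after ']' in %r" % text)
        rest = rest[1:]
        if rest.startswith("/"):
            return addr, None, rest          # configure net / write net path form
        if not rest.isdigit() or not 0 < int(rest) < 65536:
            raise ValueError("bad port in %r" % text)
        return addr, int(rest), None
    if text.count(":") == 1:                 # IPv4 host:port
        host, port = text.split(":")
        return ipaddress.ip_address(host), int(port), None
    # Everything else is treated as a bare address. An unbracketed "ipv6:port"
    # ends up here: the trailing number is read as one more address group, so
    # the call succeeds with a different address and no port at all.
    return ipaddress.ip_address(text), None, None


def unbracketed_is_misread(addr: str, port: int) -> bool:
    """True when addr:port written without brackets is rejected or read as a different address."""
    try:
        parsed = parse_endpoint("%s:%d" % (addr, port))
    except ValueError:
        return True
    return parsed[1] != port or str(parsed[0]) != str(ipaddress.ip_address(addr))
```

With the address from the text, "fe80::2e0:b6ff:fe01:3b7a:8080" is itself a syntactically valid IPv6 address, so the unbracketed form does not fail; it silently names a different host and no port. That is why the bracketed form is required rather than merely recommended.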
The following commands were modified to work for IPv6:
• debug
• fragment
• ip verify
• mtu
• icmp (entered as ipv6 icmp)
The following inspection engines support IPv6:
• FTP
• HTTP
• ICMP
• SMTP
• TCP
• UDP
Configuring IPv6
This section contains the following topics:
• Configuring IPv6 on an Interface, page 12-3
• Configuring a Dual IP Stack on an Interface, page 12-4
• Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses, page 12-4
• Configuring IPv6 Duplicate Address Detection, page 12-4
• Configuring IPv6 Default and Static Routes, page 12-5
• Configuring IPv6 Access Lists, page 12-6
• Configuring IPv6 Neighbor Discovery, page 12-7
• Configuring a Static IPv6 Neighbor, page 12-11
Configuring IPv6 on an Interface
At a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you
can add a site-local and global address to the interface.
Note The security appliance does not support IPv6 anycast addresses.
You can configure both IPv6 and IPv4 addresses on an interface.
To configure IPv6 on an interface, perform the following steps:
Step 1 Enter interface configuration mode for the interface on which you are configuring the IPv6 addresses:
hostname(config)# interface if
Step 2 Configure an IPv6 address on the interface. You can assign several IPv6 addresses to an interface, such
as an IPv6 link-local, site-local, and global address. However, at a minimum, you must configure a
link-local address.
There are several methods for configuring IPv6 addresses. Pick the method that suits your needs from
the following:
• The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless
autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router
Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is
automatically generated for the interface when stateless autoconfiguration is enabled. To enable
stateless autoconfiguration, enter the following command:
hostname(config-if)# ipv6 address autoconfig
• If you only need to configure a link-local address on the interface and are not going to assign any
other IPv6 addresses to the interface, you have the option of manually defining the link-local address
or generating one based on the interface MAC address (Modified EUI-64 format):
– Enter the following command to manually specify the link-local address:
hostname(config-if)# ipv6 address ipv6-address link-local
– Enter the following command to enable IPv6 on the interface and automatically generate the
link-local address using the Modified EUI-64 interface ID based on the interface MAC address:
hostname(config-if)# ipv6 enable
Note You do not need to use the ipv6 enable command if you enter any other ipv6 address
commands on an interface; IPv6 support is automatically enabled as soon as you assign an
IPv6 address to the interface.
• Assign a site-local or global address to the interface. When you assign a site-local or global address,
a link-local address is automatically created. Enter the following command to add a global or
site-local address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64
interface ID in the low order 64 bits of the address.
hostname(config-if)# ipv6 address ipv6-address [eui-64]
Step 3 (Optional) Suppress Router Advertisement messages on an interface. By default, Router Advertisement
messages are automatically sent in response to router solicitation messages. You may want to disable
these messages on any interface for which you do not want the security appliance to supply the IPv6
prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
hostname(config-if)# ipv6 nd suppress-ra
Configuring a Dual IP Stack on an Interface
The security appliance supports the configuration of both IPv6 and IPv4 on an interface. You do not need
to enter any special commands to do so; simply enter the IPv4 configuration commands and IPv6
configuration commands as you normally would. Make sure you configure a default route for both IPv4
and IPv6.
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The security appliance can enforce this requirement
for hosts attached to the local link.
To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link,
enter the following command:
hostname(config)# ipv6 enforce-eui64 if_name
The if_name argument is the name of the interface, as specified by the namif command, on which you
are enabling the address format enforcement.
When this command is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:
%PIX|ASA-3-325003: EUI-64 source address check failed.
The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.
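To make the check concrete, the following Python model is an added example and not the appliance's implementation. It derives the Modified EUI-64 interface ID from a MAC address, builds the address the eui-64 keyword would produce, and applies the same source-address-versus-source-MAC comparison to a few constructed flows, including the behind-a-router case described above. The sample MAC and addresses are constructed; the exemption for addresses starting with binary 000 follows the RFC 3513 wording quoted above and is an assumption about where enforcement applies.

```python
import ipaddress
from typing import List, Tuple


def modified_eui64_iid(mac: str) -> int:
    """48-bit MAC -> 64-bit Modified EUI-64 interface ID.

    ff:fe is inserted between the OUI and the device part, and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(bytes(eui), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address formed from a /64 prefix plus the Modified EUI-64 ID of mac (the eui-64 keyword)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("Modified EUI-64 interface IDs need a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64_iid(mac))


def eui64_source_check(src_ip: str, src_mac: str) -> bool:
    """Model of the enforce-eui64 verification performed when a flow is created.

    Assumption: addresses whose first three bits are 000 are exempt, following
    the RFC 3513 wording quoted in the text (for example ::1 or IPv4-mapped
    addresses); every other address must carry the Modified EUI-64 ID of src_mac.
    """
    addr = int(ipaddress.IPv6Address(src_ip))
    if addr >> 125 == 0:
        return True
    return addr & ((1 << 64) - 1) == modified_eui64_iid(src_mac)


# Constructed sample flows: (source IPv6 address, source MAC seen on the interface, note).
SAMPLE_FLOWS: List[Tuple[str, str, str]] = [
    ("fe80::20d:88ff:feee:6a82", "00:0d:88:ee:6a:82", "on-link host, EUI-64 link-local"),
    ("2001:db8:1:0:20d:88ff:feee:6a82", "00:0d:88:ee:6a:82", "on-link host, EUI-64 global"),
    ("2001:db8:1::1", "00:0d:88:ee:6a:82", "on-link host, manually assigned interface ID"),
    ("2001:db8:1:0:20d:88ff:feee:6a82", "00:11:22:33:44:55", "host behind a router: MAC is the router's"),
]


def check_flows(flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Verdict per new flow; 'drop' is the case that produces the EUI-64 source address check log."""
    return [(ip, "pass" if eui64_source_check(ip, mac) else "drop") for ip, mac, _ in flows]


if __name__ == "__main__":
    for ip, verdict in check_flows(SAMPLE_FLOWS):
        print("%-36s %s" % (ip, verdict))
```

The last sample flow is the caveat from the text: the address is a perfectly good Modified EUI-64 address for the host's own MAC, but the frame arrives with the router's MAC, so the comparison fails and the flow is dropped. Enable the check only on interfaces where every IPv6 source is a directly attached host.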
Configuring IPv6 Duplicate Address Detection
During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of
new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in
a tentative state while duplicate address detection is performed). Duplicate address detection is
performed first on the new link-local address. When the link-local address is verified as unique, then
duplicate address detection is performed on all the other IPv6 unicast addresses on the interface.
Duplicate address detection is suspended on interfaces that are administratively down. While an
interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a
pending state. An interface returning to an administratively up state restarts duplicate address detection
for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not
used, and the following error message is generated:
%PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface
If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface. If the duplicate address is a global address, the address is not used. However,
all configuration commands associated with the duplicate address remain as configured while the state
of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 addresses associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).
The security appliance uses neighbor solicitation messages to perform duplicate address detection. By
default, the number of times an interface performs duplicate address detection is 1.
To change the number of duplicate address detection attempts, enter the following command:
hostname(config-if)# ipv6 nd dad attempts value
The value argument can be any value from 0 to 600. Setting the value argument to 0 disables duplicate
address detection on the interface.
When you configure an interface to send out more than one duplicate address detection attempt, you can
also use the ipv6 nd ns-interval command to configure the interval at which the neighbor solicitation
messages are sent out. By default, they are sent out once every 1000 milliseconds.
To change the neighbor solicitation message interval, enter the following command:
hostname(config-if)# ipv6 nd ns-interval value
The value argument can be from 1000 to 3600000 milliseconds.
Note Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just
those used for duplicate address detection.
Configuring IPv6 Default and Static Routes
The security appliance automatically routes IPv6 traffic between directly connected hosts if the
interfaces to which the hosts are attached are enabled for IPv6 and the IPv6 ACLs allow the traffic.
The security appliance does not support dynamic routing protocols. Therefore, to route IPv6 traffic to a
non-connected host or network, you need to define a static route to the host or network or, at a minimum,
a default route. Without a static or default route defined, traffic to non-connected hosts or networks
generates the following error message:
%PIX|ASA-6-110001: No route to dest_address from source_address
You can add a default route and static routes using the ipv6 route command.
To configure an IPv6 default route and static routes, perform the following steps:
Step 1 To add the default route, use the following command:
hostname(config)# ipv6 route if_name ::/0 next_hop_ipv6_addr
The address ::/0 is the IPv6 equivalent of “any.”
Step 2 (Optional) Define IPv6 static routes. Use the following command to add an IPv6 static route to the IPv6
routing table:
hostname(config)# ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]
Note The ipv6 route command works like the route command used to define IPv4 static routes.
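As an added example (not the appliance's own routing code), the following Python model parses the ipv6 route form shown above into a table, performs a longest-prefix lookup with ::/0 as the fallback default, and reports the no-route condition in the style of the system log message above. The route entries, interface names and the default administrative distance of 1 assumed for static routes without an explicit admin_distance are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ipv6Route:
    """One entry in the form: ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]."""
    if_name: str
    destination: ipaddress.IPv6Network
    next_hop: ipaddress.IPv6Address
    admin_distance: int


DEFAULT_STATIC_DISTANCE = 1   # assumption made by this model when no admin_distance is given


def parse_ipv6_route(line: str) -> Ipv6Route:
    """Parse the documented command form (this parser is the example's own, not the appliance's)."""
    t = line.split()
    if t[:2] != ["ipv6", "route"] or len(t) not in (5, 6):
        raise ValueError("unrecognized ipv6 route line: %r" % line)
    distance = int(t[5]) if len(t) == 6 else DEFAULT_STATIC_DISTANCE
    return Ipv6Route(t[2], ipaddress.IPv6Network(t[3], strict=False),
                     ipaddress.IPv6Address(t[4]), distance)


def lookup(table: List[Ipv6Route], dest: str) -> Optional[Ipv6Route]:
    """Longest-prefix match; among equal prefixes the lowest administrative distance wins."""
    d = ipaddress.IPv6Address(dest)
    matches = [r for r in table if d in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.admin_distance))


def forward(table: List[Ipv6Route], src: str, dest: str) -> str:
    """Describe the forwarding decision, or a constructed rendering of the no-route message."""
    r = lookup(table, dest)
    if r is None:
        return "%%ASA-6-110001: No route to %s from %s" % (dest, src)
    return "%s -> next hop %s via %s (distance %d)" % (dest, r.next_hop, r.if_name, r.admin_distance)


# Constructed configuration: a default route plus static routes, one of them a higher-distance backup.
SAMPLE_CONFIG = """
ipv6 route outside ::/0 2001:db8:ffff::1
ipv6 route inside 2001:db8:10::/48 2001:db8:1::2
ipv6 route dmz 2001:db8:10:20::/64 2001:db8:2::2
ipv6 route inside 2001:db8:10:20::/64 2001:db8:1::3 10
"""
SAMPLE_TABLE = [parse_ipv6_route(l) for l in SAMPLE_CONFIG.splitlines() if l.strip()]
NO_DEFAULT_TABLE = [r for r in SAMPLE_TABLE if r.destination.prefixlen != 0]

if __name__ == "__main__":
    for dest in ("2001:db8:10:20::5", "2001:db8:10:1::5", "2001:db8:99::1"):
        print(forward(SAMPLE_TABLE, "2001:db8:1::9", dest))
    print(forward(NO_DEFAULT_TABLE, "2001:db8:1::9", "2001:db8:99::1"))
```

Removing the ::/0 entry (NO_DEFAULT_TABLE) is the situation the text warns about: any destination not covered by a static route produces the no-route message instead of being forwarded.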
Configuring IPv6 Access Lists
Configuring an IPv6 access list is similar to configuring an IPv4 access list, but with IPv6 addresses.
To configure an IPv6 access list, perform the following steps:
Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for
the access list. There are two main forms of this command to choose from, one for creating access list
entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
• To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source
destination [icmp_type]
• To create an IPv6 access list entry, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source
[src_port] destination [dst_port]
The following describes the arguments for the ipv6 access-list command:
• id—The name of the access list. Use the same id in each command when you are entering multiple
entries for an access list.
• line num—When adding an entry to an access list, you can specify the line number in the list where
the entry should appear.
• permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
• icmp—Indicates that the access list entry applies to ICMP traffic.
• protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip,
tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object
group using object-group grp_id.
• source and destination—Specifies the source or destination of the traffic. The source or destination
can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any,
to specify any address, or a specific host designated by host host_ipv6_addr.
• src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt
for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive
range) followed by a space and a port number (or two port numbers separated by a space for the
range keyword).
• icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a
valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in Appendix D,
“Addresses, Protocols, and Ports”. Alternatively, you can specify an ICMP object group using
object-group id.
Step 2 To apply the access list to an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface if_name
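The following Python evaluator is an added example rather than the appliance's implementation. It parses entries in the ipv6 access-list syntax described above (any, host, prefix/length, the port operators, the line keyword and the ICMP form) and applies them in order, with the implicit deny at the end of the list. The access list and the test packets are constructed; the function names are this example's own, and only numeric ICMP types are handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PORT_OPS = ("lt", "gt", "eq", "neq", "range")
PortMatch = Callable[[Optional[int]], bool]
ANY_PORT: PortMatch = lambda p: True


def _endpoint(t: List[str], i: int) -> Tuple[ipaddress.IPv6Network, int]:
    """Parse 'any', 'host addr' or 'prefix/length' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv6Network("::/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv6Network(t[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(t[i], strict=False), i + 1


def _port(t: List[str], i: int) -> Tuple[PortMatch, int]:
    """Parse an optional 'operator port [port]' clause; a missing clause matches any port."""
    if i >= len(t) or t[i] not in PORT_OPS:
        return ANY_PORT, i
    if t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: p is not None and lo <= p <= hi), i + 3
    n = int(t[i + 1])
    ops = {"lt": lambda p: p is not None and p < n, "gt": lambda p: p is not None and p > n,
           "eq": lambda p: p == n, "neq": lambda p: p != n}
    return ops[t[i]], i + 2


@dataclass
class Ace:
    action: str
    protocol: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    src_port: PortMatch = ANY_PORT
    dst_port: PortMatch = ANY_PORT
    icmp_type: Optional[int] = None


def parse_ace(line: str) -> Tuple[Optional[int], Ace]:
    """Parse 'ipv6 access-list id [line num] {permit|deny} ...' into (line number or None, entry)."""
    t = line.split()
    if t[:2] != ["ipv6", "access-list"]:
        raise ValueError("not an ipv6 access-list command: %r" % line)
    i, line_no = 3, None                      # t[2] is the access list id
    if t[i] == "line":
        line_no, i = int(t[i + 1]), i + 2
    action, protocol, i = t[i], t[i + 1], i + 2
    if action not in ("permit", "deny"):
        raise ValueError("bad action in %r" % line)
    src, i = _endpoint(t, i)
    if protocol == "icmp":
        dst, i = _endpoint(t, i)
        icmp_type = int(t[i]) if i < len(t) else None
        return line_no, Ace(action, protocol, src, dst, icmp_type=icmp_type)
    sport, i = _port(t, i)
    dst, i = _endpoint(t, i)
    dport, i = _port(t, i)
    return line_no, Ace(action, protocol, src, dst, sport, dport)


def build_acl(lines: List[str]) -> List[Ace]:
    """Ordered entries; 'line num' inserts at that position, otherwise the entry is appended."""
    acl: List[Ace] = []
    for raw in lines:
        if raw.strip():
            n, ace = parse_ace(raw)
            acl.insert(len(acl) if n is None else n - 1, ace)
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, sport: Optional[int] = None,
             dport: Optional[int] = None, icmp_type: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins and returns (action, entry position); no match is the implicit deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for pos, ace in enumerate(acl, start=1):
        if ace.protocol not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.protocol == "icmp":
            if ace.icmp_type is not None and ace.icmp_type != icmp_type:
                continue
        elif not (ace.src_port(sport) and ace.dst_port(dport)):
            continue
        return ace.action, pos
    return "deny", None


# Constructed access list; the 'line 1' entry is inserted ahead of the others.
SAMPLE_ACL = build_acl("""
ipv6 access-list outside_in permit tcp any host 2001:db8:1::10 eq 443
ipv6 access-list outside_in permit icmp any 2001:db8:1::/64 128
ipv6 access-list outside_in permit udp any range 1024 65535 host 2001:db8:1::53 eq 53
ipv6 access-list outside_in line 1 deny ip 2001:db8:bad::/48 any
""".splitlines())
```

Order is the whole point of the line keyword: the deny for 2001:db8:bad::/48 only blocks HTTPS to 2001:db8:1::10 because it was placed at line 1, ahead of the permit. Anything the list does not mention, such as SSH to the same host or an ICMP echo reply, falls through to the implicit deny.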
Configuring IPv6 Neighbor Discovery
The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to
determine the link-layer address of a neighbor on the same network (local link), verify the reachability
of a neighbor, and keep track of neighboring routers.
This section contains the following topics:
• Configuring Neighbor Solicitation Messages, page 12-7
• Configuring Router Advertisement Messages, page 12-9
• Multicast Listener Discovery Support, page 12-11
Configuring Neighbor Solicitation Messages
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to
discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is
sent to the solicited-node multicast address. The source address in the neighbor solicitation message is
the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation
message also includes the link-layer address of the source node.
After receiving a neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor
advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the
destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data
portion of the neighbor advertisement message includes the link-layer address of the node sending the
neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node can
communicate. Figure 12-1 shows the neighbor solicitation and response process.
Figure 12-1 IPv6 Neighbor Discovery—Neighbor Solicitation Message
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer
address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the
destination address in a neighbor solicitation message is the unicast address of the neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node
on a local link. When there is such a change, the destination address for the neighbor advertisement is
the all-nodes multicast address.
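The following Python model is an added example, not code from the guide or from the appliance, that builds the messages described in this section and in the duplicate address detection section above. It derives the solicited-node multicast group and its Ethernet mapping, and constructs neighbor solicitation and advertisement messages for the three cases the text describes (address resolution, reachability verification and duplicate address detection) with the source and destination rules given there. The use of the unspecified address as the DAD solicitation source and of the all-nodes group for its reply are taken from RFC 4862, not from this guide; all addresses and MACs are constructed.

```python
import ipaddress
from typing import Dict, Optional

ALL_NODES = ipaddress.IPv6Address("ff02::1")
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 followed by the group's low 32 bits."""
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join("%02x" % b for b in low32)


def neighbor_solicitation(src: str, target: str, purpose: str,
                          src_lladdr: Optional[str] = None) -> Dict[str, object]:
    """ICMPv6 type 135 for the three uses in the text.

    resolve:      learn the neighbor's link-layer address; sent to the target's solicited-node group
    reachability: confirm a neighbor already known; sent to its unicast address
    dad:          probe a tentative address; source is :: and no link-layer option is carried (RFC 4862)
    """
    tgt = ipaddress.IPv6Address(target)
    if purpose == "resolve":
        msg: Dict[str, object] = {"type": 135, "src": ipaddress.IPv6Address(src),
                                  "dst": solicited_node_multicast(target)}
    elif purpose == "reachability":
        msg = {"type": 135, "src": ipaddress.IPv6Address(src), "dst": tgt}
    elif purpose == "dad":
        msg = {"type": 135, "src": UNSPECIFIED, "dst": solicited_node_multicast(target)}
        src_lladdr = None
    else:
        raise ValueError("unknown purpose %r" % purpose)
    msg["target"] = tgt
    if src_lladdr is not None:
        msg["src_lladdr"] = src_lladdr
    return msg


def neighbor_advertisement(ns: Dict[str, object], target_lladdr: str) -> Dict[str, object]:
    """ICMPv6 type 136 answering a solicitation: from the target address back to the asker.

    A solicitation from :: (duplicate address detection) is answered to the
    all-nodes group instead, because the asker has no usable address yet (RFC 4862).
    """
    solicited = ns["src"] != UNSPECIFIED
    return {"type": 136, "src": ns["target"], "dst": ns["src"] if solicited else ALL_NODES,
            "target": ns["target"], "target_lladdr": target_lladdr, "solicited": solicited}


def unsolicited_neighbor_advertisement(addr: str, new_lladdr: str) -> Dict[str, object]:
    """Announce a changed link-layer address to every node on the link."""
    a = ipaddress.IPv6Address(addr)
    return {"type": 136, "src": a, "dst": ALL_NODES, "target": a,
            "target_lladdr": new_lladdr, "solicited": False}
```

The link-local address fe80::20d:88ff:feee:6a82 from the show ipv6 interface sample later in this chapter maps to the group ff02::1:ffee:6a82, which is exactly the second joined group listed in that output; every interface joins the solicited-node group of each of its unicast addresses so that it can receive these solicitations.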
You can configure the neighbor solicitation message interval and neighbor reachable time on a
per-interface basis. See the following topics for more information:
• Configuring the Neighbor Solicitation Message Interval, page 12-8
• Configuring the Neighbor Reachable Time, page 12-8
Configuring the Neighbor Solicitation Message Interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the
following command:
hostname(config-if)# ipv6 nd ns-interval value
Valid values for the value argument range from 1000 to 3600000 milliseconds. The default value is 1000
milliseconds.
This setting is also sent in router advertisement messages.
Configuring the Neighbor Reachable Time
The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable
detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network
bandwidth and processing resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability
confirmation event has occurred, enter the following command:
hostname(config-if)# ipv6 nd reachable-time value
[Figure 12-1 text: ICMPv6 Type = 135, Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A, Query = what is your link address? ICMPv6 Type = 136, Src = B, Dst = A, Data = link-layer address of B. A and B can now exchange packets on this link.]
Valid values for the value argument range from 0 to 3600000 milliseconds. The default is 0.
This information is also sent in router advertisement messages.
When 0 is used for the value, the reachable time is sent as undetermined. It is up to the receiving devices
to set and track the reachable time value. To see the time used by the security appliance when this value
is set to 0, use the show ipv6 interface command to display information about the IPv6 interface,
including the ND reachable time being used.
Configuring Router Advertisement Messages
Router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6-configured
interface of the security appliance. The router advertisement messages are sent to the all-nodes multicast
address.
Figure 12-2 IPv6 Neighbor Discovery—Router Advertisement Message
Router advertisement messages typically include the following information:
• One or more IPv6 prefixes that nodes on the local link can use to automatically configure their IPv6
addresses.
• Lifetime information for each prefix included in the advertisement.
• Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed.
• Default router information (whether the router sending the advertisement should be used as a default
router and, if so, the amount of time (in seconds) the router should be used as a default router).
• Additional information for hosts, such as the hop limit and MTU a host should use in packets that it
originates.
• The amount of time between neighbor solicitation message retransmissions on a given link.
• The amount of time a node considers a neighbor reachable.
Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133).
Router solicitation messages are sent by hosts at system startup so that the host can immediately
autoconfigure without needing to wait for the next scheduled router advertisement message. Because
router solicitation messages are usually sent by hosts at system startup, and the host does not have a
configured unicast address, the source address in router solicitation messages is usually the unspecified
IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the unicast address of the
interface sending the router solicitation message is used as the source address in the message. The
destination address in router solicitation messages is the all-routers multicast address with a scope of the
link. When a router advertisement is sent in response to a router solicitation, the destination address in
the router advertisement message is the unicast address of the source of the router solicitation message.
[Figure 12-2 text: Router advertisement packet definitions: ICMPv6 Type = 134, Src = router link-local address, Dst = all-nodes multicast address, Data = options, prefix, lifetime, autoconfig flag.]
You can configure the following settings for router advertisement messages:
• The time interval between periodic router advertisement messages.
• The router lifetime value, which indicates the amount of time IPv6 nodes should consider the security
appliance to be the default router.
• The IPv6 network prefixes in use on the link.
• Whether or not an interface transmits router advertisement messages.
Unless otherwise noted, the router advertisement message settings are specific to an interface and are
entered in interface configuration mode. See the following topics for information about changing these
settings:
• Configuring the Router Advertisement Transmission Interval, page 12-10
• Configuring the Router Lifetime Value, page 12-10
• Configuring the IPv6 Prefix, page 12-10
• Suppressing Router Advertisement Messages, page 12-11
Configuring the Router Advertisement Transmission Interval
By default, router advertisements are sent out every 200 seconds. To change the interval between router
advertisement transmissions on an interface, enter the following command:
ipv6 nd ra-interval [msec] value
Valid values range from 3 to 1800 seconds (or 500 to 1800000 milliseconds if the msec keyword is used).
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime
if the security appliance is configured as a default router by using the ipv6 nd ra-lifetime command. To
prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20
percent of the desired value.
Configuring the Router Lifetime Value
The router lifetime value specifies how long nodes on the local link should consider the security appliance
as the default router on the link.
To configure the router lifetime value in IPv6 router advertisements on an interface, enter the following
command:
hostname(config-if)# ipv6 nd ra-lifetime seconds
Valid values range from 0 to 9000 seconds. The default is 1800 seconds. Entering 0 indicates that
the security appliance should not be considered a default router on the selected interface.
Configuring the IPv6 Prefix
Stateless autoconfiguration uses IPv6 prefixes provided in router advertisement messages to create the
global unicast address from the link-local address.
To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following
command:
hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length
Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement
messages must always be 64 bits.
Suppressing Router Advertisement Messages
By default, Router Advertisement messages are automatically sent in response to router solicitation
messages. You may want to disable these messages on any interface for which you do not want the security
appliance to supply the IPv6 prefix (for example, the outside interface).
To suppress IPv6 router advertisement transmissions on an interface, enter the following command:
hostname(config-if)# ipv6 nd suppress-ra
Entering this command causes the security appliance to appear as a regular IPv6 neighbor on the link
and not as an IPv6 router.
Multicast Listener Discovery Support
Multicast Listener Discovery Protocol (MLD) Version 2 is supported to discover the presence of
multicast address listeners on their directly attached links, and to discover specifically which multicast
addresses are of interest to those neighboring nodes. The ASA becomes a multicast address listener, or a
host, but not a multicast router, and responds to Multicast Listener Queries and sends Multicast Listener
Reports only.
The following commands were added or enhanced to support MLD:
• clear ipv6 mld traffic Command
• show ipv6 mld Command
Configuring a Static IPv6 Neighbor
You can manually define a neighbor in the IPv6 neighbor cache. If an entry for the specified IPv6 address
already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery
process—the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor
discovery cache are not modified by the neighbor discovery process.
To configure a static entry in the IPv6 neighbor discovery cache, enter the following command:
hostname(config-if)# ipv6 neighbor ipv6_address if_name mac_address
The ipv6_address argument is the link-local IPv6 address of the neighbor, the if_name argument is the
interface through which the neighbor is available, and the mac_address argument is the MAC address of
the neighbor interface.
Note The clear ipv6 neighbors command does not remove static entries from the IPv6 neighbor discovery
cache; it only clears the dynamic entries.
Verifying the IPv6 Configuration
This section describes how to verify your IPv6 configuration. You can use various clear and show
commands to verify your IPv6 settings.
This section includes the following topics:
• The show ipv6 interface Command, page 12-12
• The show ipv6 route Command, page 12-12
• The show ipv6 mld traffic Command, page 12-13
The show ipv6 interface Command
To display the IPv6 interface settings, enter the following command:
hostname# show ipv6 interface [if_name]
Including the interface name, such as “outside”, displays the settings for the specified interface.
Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on
them. The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
• The multicast groups the interface belongs to.
• ICMP redirect and error message settings.
• Neighbor discovery settings.
The following is sample output from the show ipv6 interface command:
hostname# show ipv6 interface
ipv6interface is down, line protocol is down
IPv6 is enabled, link-local address is fe80::20d:88ff:feee:6a82 [TENTATIVE]
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::1:ffee:6a82
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Note The show interface command only displays the IPv4 settings for an interface. To see the IPv6
configuration on an interface, you need to use the show ipv6 interface command. The show ipv6
interface command does not display any IPv4 settings for the interface (if both types of addresses are
configured on the interface).
The show ipv6 route Command
To display the routes in the IPv6 routing table, enter the following command:
hostname# show ipv6 route
The output from the show ipv6 route command is similar to the IPv4 show route command. It displays
the following information:
• The protocol that derived the route.
• The IPv6 prefix of the remote network.
• The administrative distance and metric for the route.
• The address of the next-hop router.
• The interface through which the next hop router to the specified network is reached.
The following is sample output from the show ipv6 route command:
hostname# show ipv6 route
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
L fe80::/10 [0/0]
via ::, inside
L fec0::a:0:0:a0a:a70/128 [0/0]
via ::, inside
C fec0:0:0:a::/64 [0/0]
via ::, inside
L ff00::/8 [0/0]
via ::, inside
The show ipv6 mld traffic Command
To display the MLD traffic counters in the IPv6 routing table, enter the following command:
hostname# show ipv6 mld traffic
The output from the show ipv6 mld traffic command displays whether the expected number of MLD
protocol messages have been received and sent.
The following is sample output from the show ipv6 mld traffic command:
hostname# show ipv6 mld traffic
show ipv6 mld traffic
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
Received Sent
Valid MLD Packets 1 3
Queries 1 0
Reports 0 3
Leaves 0 0
Mtrace packets 0 0
Errors:
Malformed Packets 0
Martian source 0
Non link-local source 0
Hop limit is not equal to 1 0
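The following Python parser is an added example (not part of the guide or of the appliance) that turns the show ipv6 mld traffic output above into counters and flags the conditions a monitoring job would want to see: any non-zero error counter, or queries received without any report being sent. The embedded output is a constructed copy of the sample above; the anomaly rules are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the sample output above; column spacing is not significant to the parser.
SAMPLE_OUTPUT = """\
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
                      Received     Sent
Valid MLD Packets            1        3
Queries                      1        0
Reports                      0        3
Leaves                       0        0
Mtrace packets               0        0
Errors:
Malformed Packets            0
Martian source               0
Non link-local source        0
Hop limit is not equal to 1  0
"""

TWO_COL = re.compile(r"^(.*?)\s+(\d+)\s+(\d+)$")   # name  received  sent
ONE_COL = re.compile(r"^(.*?)\s+(\d+)$")           # name  count (error section)


def parse_mld_traffic(text: str) -> Dict[str, object]:
    """Return {'elapsed': str, 'counters': {name: (received, sent)}, 'errors': {name: count}}."""
    counters: Dict[str, Tuple[int, int]] = {}
    errors: Dict[str, int] = {}
    elapsed = None
    in_errors = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "MLD Traffic Counters" or line.split() == ["Received", "Sent"]:
            continue
        if line.startswith("Elapsed time since counters cleared:"):
            elapsed = line.split(":", 1)[1].strip()
            continue
        if line == "Errors:":
            in_errors = True          # rows below carry a single count
            continue
        m = (ONE_COL if in_errors else TWO_COL).match(line)
        if m is None:
            raise ValueError("unrecognized line: %r" % line)
        if in_errors:
            errors[m.group(1)] = int(m.group(2))
        else:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return {"elapsed": elapsed, "counters": counters, "errors": errors}


def mld_anomalies(parsed: Dict[str, object]) -> List[str]:
    """Conditions worth alerting on: any error counter, or queries seen with no reports sent."""
    errors: Dict[str, int] = parsed["errors"]          # type: ignore[assignment]
    counters: Dict[str, Tuple[int, int]] = parsed["counters"]  # type: ignore[assignment]
    flags = ["%s: %d" % (name, n) for name, n in errors.items() if n]
    queries_rx = counters.get("Queries", (0, 0))[0]
    reports_tx = counters.get("Reports", (0, 0))[1]
    if queries_rx and not reports_tx:
        flags.append("queries received but no reports sent")
    return flags


if __name__ == "__main__":
    parsed = parse_mld_traffic(SAMPLE_OUTPUT)
    print(parsed["elapsed"], parsed["counters"], parsed["errors"])
    print(mld_anomalies(parsed) or "no anomalies")
```

The error rows are the ones that matter operationally: a rising Martian source or Non link-local source count means MLD packets are arriving with source addresses that should never appear on the link, which is worth correlating with the interface's neighbor cache.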
Chapter 13 Configuring AAA Servers and the Local Database
This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and
the local database.
This chapter contains the following sections:
• AAA Overview, page 13-1
• AAA Server and Local Database Support, page 13-2
• Configuring the Local Database, page 13-10
• Identifying AAA Server Groups and Servers, page 13-12
• Using Certificates and User Login Credentials, page 13-15
• Supporting a Zone Labs Integrity Server, page 13-16
AAA Overview
AAA enables the security appliance to determine who the user is (authentication), what the user can do
(authorization), and what the user did (accounting).
AAA provides more protection and control over user access than access lists alone. For example, you
can create an access list allowing all outside users to access Telnet on a server on the DMZ network. If
you want only some users to access the server and you might not always know the IP addresses of these
users, you can enable AAA to allow only authenticated and/or authorized users through the security
appliance. (The Telnet server enforces authentication, too; the security appliance prevents unauthorized
users from attempting to access the server.)
You can use authentication alone or with authorization and accounting. Authorization always requires a
user to be authenticated first. You can use accounting alone, or with authentication and authorization.
This section includes the following topics:
• About Authentication, page 13-1
• About Authorization, page 13-2
• About Accounting, page 13-2
About Authentication
Authentication controls access by requiring valid user credentials, which are typically a username and
password. You can configure the security appliance to authenticate the following items:
• All administrative connections to the security appliance including the following sessions:
– Telnet
– SSH
– Serial console
– ASDM (using HTTPS)
– VPN management access
• The enable command
• Network access
• VPN access
About Authorization
Authorization controls access per user after users authenticate. You can configure the security appliance
to authorize the following items:
• Management commands
• Network access
• VPN access
Authorization controls the services and commands available to each authenticated user. If you do not
enable authorization, authentication alone provides the same access to services for all authenticated
users.
If you need the control that authorization provides, you can configure a broad authentication rule, and
then have a detailed authorization configuration. For example, you authenticate inside users who attempt
to access any server on the outside network and then limit the outside servers that a particular user can
access using authorization.
The security appliance caches the first 16 authorization requests per user, so if the user accesses the same
services during the current authentication session, the security appliance does not resend the request to
the authorization server.
About Accounting
Accounting tracks traffic that passes through the security appliance, enabling you to have a record of
user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do
not authenticate the traffic, you can account for traffic per IP address. Accounting information includes
when sessions start and stop, username, the number of bytes that pass through the security appliance for
the session, the service used, and the duration of each session.
AAA Server and Local Database Support
The security appliance supports a variety of AAA server types and a local database that is stored on the
security appliance. This section describes support for each AAA server type and the local database.
This section contains the following topics:
• Summary of Support, page 13-3
• RADIUS Server Support, page 13-3
• TACACS+ Server Support, page 13-4
• SDI Server Support, page 13-4
• NT Server Support, page 13-5
• Kerberos Server Support, page 13-5
• LDAP Server Support, page 13-6
• SSO Support for WebVPN with HTTP Forms, page 13-9
• Local Database Support, page 13-9
Summary of Support
Table 13-1 summarizes the support for each AAA service by each AAA server type, including the local
database. For more information about support for a specific AAA server type, refer to the topics
following the table.
Table 13-1 Summary of AAA Support

                     Database Type
AAA Service          Local   RADIUS  TACACS+  SDI     NT      Kerberos  LDAP    HTTP Form
Authentication of...
  VPN users          Yes     Yes     Yes      Yes     Yes     Yes       Yes     Yes(1)
  Firewall sessions  Yes     Yes     Yes      Yes     Yes     Yes       Yes     No
  Administrators     Yes     Yes     Yes      Yes(2)  Yes     Yes       Yes     No
Authorization of...
  VPN users          Yes     Yes     No       No      No      No        Yes     No
  Firewall sessions  No      Yes(3)  Yes      No      No      No        No      No
  Administrators     Yes(4)  No      Yes      No      No      No        No      No
Accounting of...
  VPN connections    No      Yes     Yes      No      No      No        No      No
  Firewall sessions  No      Yes     Yes      No      No      No        No      No
  Administrators     No      Yes(5)  Yes      No      No      No        No      No

1. HTTP Form protocol supports single sign-on authentication for WebVPN users only.
2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or
specified in a RADIUS authentication response.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.
RADIUS Server Support
The security appliance supports RADIUS servers.
This section contains the following topics:
• Authentication Methods, page 13-4
• Attribute Support, page 13-4
• RADIUS Authorization Functions, page 13-4
Authentication Methods
The security appliance supports the following authentication methods with RADIUS:
• PAP—For all connection types.
• CHAP—For L2TP-over-IPSec.
• MS-CHAPv1—For L2TP-over-IPSec.
• MS-CHAPv2—For L2TP-over-IPSec, and for regular IPSec remote access connections when the
password management feature is enabled.
Attribute Support
The security appliance supports the following sets of RADIUS attributes:
• Authentication attributes defined in RFC 2138.
• Accounting attributes defined in RFC 2139.
• RADIUS attributes for tunneled protocol support, defined in RFC 2868.
• Cisco IOS VSAs, identified by RADIUS vendor ID 9.
• Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
• Microsoft VSAs, defined in RFC 2548.
RADIUS Authorization Functions
The security appliance can use RADIUS servers for user authorization for network access using dynamic
access lists or access list names per user. To implement dynamic access lists, you must configure the
RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable
access list or access list name to the security appliance. Access to a given service is either permitted or
denied by the access list. The security appliance deletes the access list when the authentication session
expires.
TACACS+ Server Support
The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
SDI Server Support
The RSA SecurID servers are also known as SDI servers.
This section contains the following topics:
• SDI Version Support, page 13-5
• Two-step Authentication Process, page 13-5
• SDI Primary and Replica Servers, page 13-5
SDI Version Support
The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of an SDI primary and
SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file has
its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended.
A version 5.0 or 6.0 SDI server that you configure on the security appliance can be either the primary or
any one of the replicas. See the “SDI Primary and Replica Servers” section on page 13-5 for information
about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI versions 5.0 and 6.0 use a two-step process to prevent an intruder from capturing information from
an RSA SecurID authentication request and using it to authenticate to another server. The Agent first
sends a lock request to the SecurID server before sending the user authentication request. The server
locks the username, preventing another (replica) server from accepting it. This means that the same user
cannot authenticate to two security appliances using the same authentication servers simultaneously.
After a successful username lock, the security appliance sends the passcode.
SDI Primary and Replica Servers
The security appliance obtains the server list when the first user authenticates to the configured server,
which can be either a primary or a replica. The security appliance then assigns a priority to each of the
servers on the list, and subsequent server selection is made at random, weighted by those priorities. The
highest priority servers have a higher likelihood of being selected.
NT Server Support
The security appliance supports Microsoft Windows server operating systems that support NTLM
version 1, collectively referred to as NT servers.
Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.
This is a limitation of NTLM version 1.
Kerberos Server Support
The security appliance supports 3DES, DES, and RC4 encryption types.
Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid
this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory
server for users connecting to the security appliance.
For a simple Kerberos server configuration example, see Example 13-2.
LDAP Server Support
This section describes using an LDAP directory with the security appliance for user authentication and
VPN authorization. This section includes the following topics:
• Authentication with LDAP, page 13-6
• Authorization with LDAP for VPN, page 13-7
• LDAP Attribute Mapping, page 13-8
For example configuration procedures used to set up LDAP authentication or authorization, see
Appendix E, “Configuring an External Server for Authorization and Authentication”.
Authentication with LDAP
During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and
authenticates to the LDAP server in either plain text or using the Simple Authentication and Security
Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a
username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can
secure the communications between the security appliance and the LDAP server with SSL using the
ldap-over-ssl command.
Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with
SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data which
is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a
single step.
Securing LDAP Authentication with SASL
The security appliance supports the following SASL mechanisms, listed in order of increasing strength:
• Digest-MD5 — The security appliance responds to the LDAP server with an MD5 value computed
from the username and password.
• Kerberos — The security appliance responds to the LDAP server by sending the username and realm
using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos
mechanism.
You can configure the security appliance and LDAP server to support any combination of these SASL
mechanisms. If you configure multiple mechanisms, the security appliance retrieves the list of SASL
mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism
configured on both the security appliance and the server. For example, if both the LDAP server and the
security appliance support both mechanisms, the security appliance selects Kerberos, the stronger of the
mechanisms.
The following example configures the security appliance for authentication to an LDAP directory server
named ldap_dir_1 using the digest-MD5 SASL mechanism, and communicating over an SSL-secured
connection:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)#
Setting the LDAP Server Type
The security appliance supports LDAP Version 3. In the current release, it is compatible only with the
Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and
the Microsoft Active Directory. In later releases, the security appliance will support other OpenLDAP
servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP
directory server. However, if auto-detection fails to determine the LDAP server type, and you know the
server is either a Microsoft or Sun server, you can manually configure the server type. The following
example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#
Note • Sun—The DN configured on the security appliance to access a Sun directory server must be able to
access the default password policy on that server. We recommend using the directory administrator,
or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on
the default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.
Authorization with LDAP for VPN
When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP
server which returns LDAP attributes. These attributes generally include authorization data that applies
to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.
To set up VPN user authorization using LDAP, you must first create a AAA server group and a tunnel
group. You then associate the server and tunnel groups using the tunnel-group general-attributes
command. While there are other authorization-related commands and options available for specific
requirements, the following example shows fundamental commands for enabling user authorization with
LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that
new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-general)# authorization-server-group ldap_dir_1
hostname(config-general)#
After you complete this fundamental configuration work, you can configure additional LDAP
authorization parameters such as a directory password, a starting point for searching a directory, and the
scope of a directory search:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-login-dn obscurepassword
hostname(config-aaa-server-host)# ldap-base-dn starthere
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)#
See LDAP commands in the Cisco Security Appliance Command Reference for more information.
LDAP Attribute Mapping
If you are introducing a security appliance to an existing LDAP directory, your existing LDAP attribute
names and values are probably different from the Cisco attribute names and values that the security
appliance understands. You must create LDAP attribute maps
that map your existing user-defined attribute names and values to Cisco attribute names and values that
are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or
remove them as needed. You can also show or clear attribute maps.
Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names
and values as well as the user-defined attribute names and values.
The following command, entered in global configuration mode, creates an unpopulated LDAP attribute
map table named att_map_1:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)#
The following commands map the user-defined attribute name department to the Cisco attribute name
cVPN3000-IETF-Radius-Class. The second command maps the user-defined attribute value Engineering
to the user-defined attribute department and the Cisco-defined attribute value group1.
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name department cVPN3000-IETF-Radius-Class
hostname(config-ldap-attribute-map)# map-value department Engineering group1
hostname(config-ldap-attribute-map)#
The following commands bind the attribute map att_map_1 to the LDAP server ldap_dir_1:
hostname(config)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-attribute-map att_map_1
hostname(config-aaa-server-host)#
Note The command to create an attribute map (ldap attribute-map) and the command to bind it to an LDAP
server (ldap-attribute-map) differ only by a hyphen and the mode.
The following commands display or clear all LDAP attribute maps in the running configuration:
hostname# show running-config all ldap attribute-map
hostname(config)# clear configuration ldap attribute-map
hostname(config)#
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes they
would commonly be mapped to include:
cVPN3000-IETF-Radius-Class — Department or user group
cVPN3000-IETF-Radius-Filter-Id — Access control list
cVPN3000-IETF-Radius-Framed-IP-Address — A static IP address
cVPN3000-IPSec-Banner1 — An organization title
cVPN3000-Tunneling-Protocols — Allow or deny dial-in
For a list of Cisco LDAP attribute names and values, see Appendix E, “Configuring an External Server
for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode
to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name att_map_1 ?
ldap mode commands/options:
cisco-attribute-names:
cVPN3000-Access-Hours
cVPN3000-Allow-Network-Extension-Mode
cVPN3000-Auth-Service-Type
cVPN3000-Authenticated-User-Idle-Timeout
cVPN3000-Authorization-Required
cVPN3000-Authorization-Type
:
:
cVPN3000-X509-Cert-Data
hostname(config-ldap-attribute-map)#
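The map-name and map-value translation described in this section, modelled in Python as an added example that is not Cisco's code. It parses attribute-map configuration in the syntax shown above and applies it to the attributes a directory returns for a user; the configuration lines (beyond att_map_1, department, Engineering and group1, which come from the chapter) and the returned attributes are constructed, and the treatment of unmapped attributes (not applied) and unmapped values (passed through unchanged) is an assumption about appliance behaviour, not something the section states.

```python
from typing import Dict, List, Optional, Tuple

# Constructed attribute-map configuration in the syntax the chapter shows.
# att_map_1 and the department/Engineering/group1 mapping come from the
# chapter; the Sales and memberOf lines are added for illustration.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map att_map_1
 map-name department cVPN3000-IETF-Radius-Class
 map-value department Engineering group1
 map-value department Sales group2
 map-name memberOf cVPN3000-IETF-Radius-Filter-Id
"""


class LdapAttributeMap:
    """One 'ldap attribute-map <name>' table: name and value translations."""

    def __init__(self, name: str) -> None:
        self.name = name
        # user-defined attribute name -> Cisco attribute name (map-name)
        self.names: Dict[str, str] = {}
        # (user-defined name, user-defined value) -> Cisco value (map-value)
        self.values: Dict[Tuple[str, str], str] = {}


def parse_attribute_maps(config: str) -> Dict[str, LdapAttributeMap]:
    """Parse 'ldap attribute-map' blocks from running-config style text."""
    maps: Dict[str, LdapAttributeMap] = {}
    current: Optional[LdapAttributeMap] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ldap", "attribute-map"] and len(tokens) == 3:
            current = LdapAttributeMap(tokens[2])
            maps[current.name] = current
        elif current is not None and tokens[0] == "map-name" and len(tokens) == 3:
            current.names[tokens[1]] = tokens[2]
        elif current is not None and tokens[0] == "map-value" and len(tokens) == 4:
            current.values[(tokens[1], tokens[2])] = tokens[3]
        else:
            raise ValueError(f"unrecognised attribute-map line: {raw!r}")
    return maps


def translate(amap: LdapAttributeMap,
              ldap_attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply the map to the attributes returned for an authenticated user.

    Assumption (not stated on the page): an attribute with no map-name entry
    is not applied to the session, and a mapped attribute whose value has no
    map-value entry keeps its original value.
    """
    cisco_attrs: Dict[str, List[str]] = {}
    for user_name, user_values in ldap_attrs.items():
        cisco_name = amap.names.get(user_name)
        if cisco_name is None:
            continue
        for value in user_values:
            cisco_attrs.setdefault(cisco_name, []).append(
                amap.values.get((user_name, value), value))
    return cisco_attrs


def apply_map(map_name: str, ldap_attrs: Dict[str, List[str]],
              config: str = ATTRIBUTE_MAP_CONFIG) -> Dict[str, List[str]]:
    """Parse the configuration and translate one user's attributes."""
    return translate(parse_attribute_maps(config)[map_name], ldap_attrs)


if __name__ == "__main__":
    # Constructed attributes as a directory might return them for one user.
    returned = {"department": ["Engineering"], "title": ["Staff Engineer"],
                "memberOf": ["vpn-acl-eng"]}
    print(apply_map("att_map_1", returned))
```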
SSO Support for WebVPN with HTTP Forms
The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of
WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only
once to access multiple protected services and Web servers. The WebVPN server running on the security
appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN
server sends an SSO authentication request, including username and password, to the authenticating
server using HTTPS. If the server approves the authentication request, it returns an SSO authentication
cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the user and uses it
to authenticate the user to secure websites within the domain protected by the SSO server.
In addition to the HTTP Form protocol, WebVPN administrators can choose to configure SSO with the
HTTP Basic and NTLM authentication protocols (the auto-signon command), or with Computer
Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder) as well. For an in-depth
discussion of configuring SSO with either HTTP Forms, auto-signon or SiteMinder, see the Configuring
WebVPN chapter.
Local Database Support
The security appliance maintains a local database that you can populate with user profiles.
This section contains the following topics:
• User Profiles, page 13-10
• Fallback Support, page 13-10
User Profiles
User profiles contain, at a minimum, a username. Typically, a password is assigned to each username,
although passwords are optional.
The username attributes command lets you enter the username mode. In this mode, you can add other
information to a specific user profile. The information you can add includes VPN-related attributes, such
as a VPN session timeout value.
Fallback Support
The local database can act as a fallback method for several functions. This behavior is designed to help
you prevent accidental lockout from the security appliance.
For users who need fallback support, we recommend that their usernames and passwords in the local
database match their usernames and passwords in the AAA servers. This provides transparent fallback
support. Because the user cannot determine whether a AAA server or the local database is providing the
service, using usernames and passwords on AAA servers that are different than the usernames and
passwords in the local database means that the user cannot be certain which username and password
should be given.
The local database supports the following fallback functions:
• Console and enable password authentication—When you use the aaa authentication console
command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the
group all are unavailable, the security appliance uses the local database to authenticate
administrative access. This can include enable password authentication, too.
• Command authorization—When you use the aaa authorization command command, you can
add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group all
are unavailable, the local database is used to authorize commands based on privilege levels.
• VPN authentication and authorization—VPN authentication and authorization are supported to
enable remote access to the security appliance if AAA servers that normally support these VPN
services are unavailable. The authentication-server-group command, available in tunnel-group
general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes
of a tunnel group. When an administrator's VPN client specifies a tunnel group configured to
fall back to the local database, the VPN tunnel can be established even if the AAA server group is
unavailable, provided that the local database is configured with the necessary attributes.
Configuring the Local Database
This section describes how to manage users in the local database. You can use the local database for
CLI access authentication, privileged mode authentication, command authorization, network access
authentication, and VPN authentication and authorization. You cannot use the local database for network
access authorization. The local database does not support accounting.
For multiple context mode, you can configure usernames in the system execution space to provide
individual logins using the login command; however, you cannot configure any aaa commands in the
system execution space.
Caution If you add to the local database users who can gain access to the CLI but who should not be allowed to
enter privileged mode, enable command authorization. (See the “Configuring Local Command
Authorization” section on page 40-8.) Without command authorization, users can access privileged
mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is
the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user cannot use
the login command, or you can set all local users to level 1 so you can control who can use the system
enable password to access privileged mode.
To define a user account in the local database, perform the following steps:
Step 1 Create the user account. To do so, enter the following command:
hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level]
where the options are as follows:
• name—The username, a string from 4 to 64 characters long.
• password password—A string from 3 to 16 characters long.
• mschap—Specifies that the password will be converted to Unicode and hashed using MD4 after you
enter it. Use this keyword if users are authenticated using MSCHAPv1 or MSCHAPv2.
• privilege priv_level—The privilege level that you want to assign to the new user account (from 0 to
15). The default is 2. This privilege level is used with command authorization.
• nopassword—Creates a user account with no password.
The encrypted and nt-encrypted keywords are typically for display only. When you define a password
in the username command, the security appliance encrypts it when it saves it to the configuration for
security purposes. When you enter the show running-config command, the username command does
not show the actual password; it shows the encrypted password followed by the encrypted or
nt-encrypted keyword (when you specify mschap). For example, if you enter the password “test,” the
show running-config display would appear to be something like the following:
username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are
cutting and pasting a configuration to another security appliance and you are using the same password.
Step 2 To configure a local user account with VPN attributes, follow these steps:
a. Enter the following command:
hostname(config)# username username attributes
When you enter a username attributes command, you enter username mode. The commands
available in this mode are as follows:
• group-lock
• password-storage
• vpn-access-hours
• vpn-filter
• vpn-framed-ip-address
• vpn-group-policy
• vpn-idle-timeout
• vpn-session-timeout
• vpn-simultaneous-logins
• vpn-tunnel-protocol
• webvpn
Use these commands as needed to configure the user profile. For more information about these
commands, see the Cisco Security Appliance Command Reference.
b. When you have finished configuring the user profiles, enter exit to return to config mode.
For example, the following command assigns a privilege level of 15 to the admin user account:
hostname(config)# username admin password passw0rd privilege 15
The following command creates a user account with no password:
hostname(config)# username bcham34 nopassword
The following commands create a user account with a password, enter username mode, and specify
a few VPN attributes:
hostname(config)# username rwilliams password gOgeOus
hostname(config)# username rwilliams attributes
hostname(config-username)# vpn-tunnel-protocol IPSec
hostname(config-username)# vpn-simultaneous-logins 6
hostname(config-username)# exit
Identifying AAA Server Groups and Servers
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.
The security appliance contacts the first server in the group. If that server is unavailable, the security
appliance contacts the next server in the group, if configured. If all servers in the group are unavailable,
the security appliance tries the local database if you configured it as a fallback method (management
authentication and authorization only). If you do not have a fallback method, the security appliance
continues to try the AAA servers.
To create a server group and add AAA servers to it, follow these steps:
Step 1 For each AAA server group you need to create, follow these steps:
a. Identify the server group name and the protocol. To do so, enter the following command:
hostname(config)# aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}
For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI
access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+
servers.
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group
can have up to 16 servers in single mode or up to 4 servers in multi-mode.
When you enter a aaa-server protocol command, you enter group mode.
b. If you want to specify the maximum number of requests sent to a AAA server in the group before
trying the next server, enter the following command:
hostname(config-aaa-server-group)# max-failed-attempts number
The number can be between 1 and 5. The default is 3.
If you configured a fallback method using the local database (for management access only; see the
“Configuring AAA for System Administrators” section on page 40-5 and the “Configuring
TACACS+ Command Authorization” section on page 40-11 to configure the fallback mechanism),
and all the servers in the group fail to respond, then the group is considered to be unresponsive, and
the fallback method is tried. The server group remains marked as unresponsive for a period of 10
minutes (by default) so that additional AAA requests within that period do not attempt to contact
the server group, and the fallback method is used immediately. To change the unresponsive period
from the default, see the reactivation-mode command in the following step.
If you do not have a fallback method, the security appliance continues to retry the servers in the
group.
c. If you want to specify the method (reactivation policy) by which failed servers in a group are
reactivated, enter the following command:
hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] |
timed}
Where the depletion keyword reactivates failed servers only after all of the servers in the group are
inactive.
The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that
elapses between the disabling of the last server in the group and the subsequent re-enabling of all
servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
d. If you want to send accounting messages to all servers in the group (RADIUS or TACACS+ only),
enter the following command:
hostname(config-aaa-server-group)# accounting-mode simultaneous
To restore the default of sending messages only to the active server, enter the accounting-mode
single command.
Step 2 For each AAA server on your network, follow these steps:
a. Identify the server, including the AAA server group it belongs to. To do so, enter the following
command:
hostname(config)# aaa-server server_group (interface_name) host server_ip
When you enter a aaa-server host command, you enter host mode.
b. As needed, use host mode commands to further configure the AAA server.
The commands in host mode do not apply to all AAA server types. Table 13-2 lists the available
commands, the server types they apply to, and whether a new AAA server definition has a default
value for that command. Where a command is applicable to the server type you specified and no
default value is provided (indicated by “—”), use the command to specify the value. For more
information about these commands, see the Cisco Security Appliance Command Reference.
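The group-mode options in Step 1 (max-failed-attempts, reactivation-mode with depletion or timed, the 10-minute unresponsive period and the local fallback) describe a small failure-handling state machine. The following Python model is an added example, not code from this guide or from Cisco; it assumes a simulated clock and a constructed send(ip) callback standing in for a real RADIUS or TACACS+ exchange, and the IP addresses and health states in demo() are constructed values taken from Example 13-1 rather than real servers.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TIMED_REACTIVATION_S = 30        # timed mode: failed servers come back after 30 s
UNRESPONSIVE_PERIOD_S = 10 * 60  # a depleted group stays marked unresponsive for 10 min


@dataclass
class AAAServer:
    ip: str
    failed_at: Optional[float] = None   # simulated clock reading when marked failed

    @property
    def active(self) -> bool:
        return self.failed_at is None


@dataclass
class AAAServerGroup:
    """One aaa-server group with the group-mode options from Step 1 (model, not ASA code)."""
    name: str
    servers: List[AAAServer]
    max_failed_attempts: int = 3           # max-failed-attempts: 1..5, default 3
    reactivation_mode: str = "depletion"   # reactivation-mode: depletion | timed
    deadtime_min: int = 10                 # deadtime (depletion only): 0..1440, default 10
    has_fallback: bool = False             # LOCAL fallback configured (management access only)
    unresponsive_since: Optional[float] = None

    def __post_init__(self) -> None:
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("max-failed-attempts must be between 1 and 5")
        if not 0 <= self.deadtime_min <= 1440:
            raise ValueError("deadtime must be between 0 and 1440 minutes")
        if self.reactivation_mode not in ("depletion", "timed"):
            raise ValueError("reactivation-mode must be depletion or timed")

    def reactivate(self, now: float) -> None:
        """Bring failed servers back according to the configured reactivation policy."""
        failed = [s for s in self.servers if not s.active]
        if not failed:
            return
        if self.reactivation_mode == "timed":
            for s in failed:
                if now - s.failed_at >= TIMED_REACTIVATION_S:
                    s.failed_at = None
        elif len(failed) == len(self.servers):
            # depletion: reactivate only once every server is down and deadtime has elapsed
            last_down = max(s.failed_at for s in failed)
            if now - last_down >= self.deadtime_min * 60:
                for s in failed:
                    s.failed_at = None

    def authenticate(self, now: float, send: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
        """Route one AAA request.

        send(ip) models a request to one server: True on a reply, False on a timeout.
        Returns ("server", ip) when a server answered, ("fallback", None) when the
        local database is used, or ("retry", None) when every server is down and no
        fallback method is configured (the appliance keeps retrying the group).
        """
        self.reactivate(now)
        if self.unresponsive_since is not None:
            if self.has_fallback and now - self.unresponsive_since < UNRESPONSIVE_PERIOD_S:
                return ("fallback", None)     # inside the unresponsive period: fall back at once
            self.unresponsive_since = None
        for server in self.servers:
            if not server.active:
                continue
            for _ in range(self.max_failed_attempts):
                if send(server.ip):
                    return ("server", server.ip)
            server.failed_at = now            # max-failed-attempts reached: try the next server
        if self.has_fallback:
            self.unresponsive_since = now
            return ("fallback", None)
        return ("retry", None)


def demo() -> Tuple[list, List[str]]:
    """Constructed scenario with the AuthInbound values from Example 13-1 (two TACACS+ servers)."""
    up = {"10.1.1.1": False, "10.1.1.2": True}   # constructed server health, not real hosts
    sent: List[str] = []

    def send(ip: str) -> bool:
        sent.append(ip)
        return up[ip]

    group = AAAServerGroup("AuthInbound", [AAAServer("10.1.1.1"), AAAServer("10.1.1.2")],
                           max_failed_attempts=2, reactivation_mode="depletion",
                           deadtime_min=20, has_fallback=True)
    results = [group.authenticate(0.0, send)]         # .1 fails twice, .2 answers
    up["10.1.1.2"] = False
    results.append(group.authenticate(1.0, send))     # .2 fails twice: group depleted, fallback
    results.append(group.authenticate(100.0, send))   # still unresponsive: fallback, nothing sent
    up["10.1.1.1"] = True
    results.append(group.authenticate(1300.0, send))  # deadtime (20 min) elapsed: .1 tried again
    return results, sent
```

The scenario in demo() makes the operational point concrete: with depletion and a 20-minute deadtime, a group that has been marked unresponsive keeps answering management logins from the local database for 10 minutes without touching the servers, and only after the deadtime does the first server get another request. With timed reactivation the same server would be retried after 30 seconds.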
Table 13-2 Host Mode Commands, Server Types, and Defaults
Command                     Applicable AAA Server Types   Default Value
accounting-port             RADIUS                        1646
acl-netmask-convert         RADIUS                        standard
authentication-port         RADIUS                        1645
kerberos-realm              Kerberos                      —
key                         RADIUS                        —
                            TACACS+                       —
ldap-attribute-map          LDAP                          —
ldap-base-dn                LDAP                          —
ldap-login-dn               LDAP                          —
ldap-login-password         LDAP                          —
ldap-naming-attribute       LDAP                          —
ldap-over-ssl               LDAP                          —
ldap-scope                  LDAP                          —
nt-auth-domain-controller   NT                            —
radius-common-pw            RADIUS                        —
retry-interval              Kerberos                      10 seconds
                            RADIUS                        10 seconds
                            SDI                           10 seconds
sasl-mechanism              LDAP                          —
server-port                 Kerberos                      88
                            LDAP                          389
                            NT                            139
                            SDI                           5500
                            TACACS+                       49
server-type                 LDAP                          auto-discovery
timeout                     All                           10 seconds
Example 13-1 shows commands that add one TACACS+ group with one primary and one backup server,
one RADIUS group with a single server, and an NT domain server.
Example 13-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname(config-aaa-server-host)# key TACPlusUauthKey2
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)# exit
Example 13-2 shows commands that configure a Kerberos AAA server group named watchdogs, add a
AAA server to the group, and define the Kerberos realm for the server. Because Example 13-2 does not
define a retry interval or the port that the Kerberos server listens to, the security appliance uses the
default values for these two server-specific parameters. Table 13-2 lists the default values for all AAA
server host mode commands.
Note Kerberos realm names use numbers and upper-case letters only. Although the security appliance accepts
lower-case letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure
to use upper-case letters only.
Example 13-2 Kerberos Server Group and Server
hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)#
Using Certificates and User Login Credentials
The following section describes the different methods of using certificates and user login credentials
(username and password) for authentication and authorization. This applies to both IPSec and WebVPN.
In all cases, LDAP authorization does not use the password as a credential. RADIUS authorization uses
either a common password for all users or the username as a password.
Using User Login Credentials
The default method for authentication and authorization uses the user login credentials.
• Authentication
– Enabled by authentication server group setting
– Uses the username and password as credentials
• Authorization
– Enabled by authorization server group setting
– Uses the username as a credential
Using certificates
If user digital certificates are configured, the security appliance first validates the certificate. It does not,
however, use any of the DNs from the certificates as a username for the authentication.
If both authentication and authorization are enabled, the security appliance uses the user login
credentials for both user authentication and authorization.
• Authentication
– Enabled by authentication server group setting
– Uses the username and password as credentials
• Authorization
– Enabled by authorization server group setting
– Uses the username as a credential
If authentication is disabled and authorization is enabled, the security appliance uses the primary DN
field for authorization.
• Authentication
– DISABLED (set to None) by authentication server group setting
– No credentials used
• Authorization
– Enabled by authorization server group setting
– Uses the username value of the certificate primary DN field as a credential
Note If the primary DN field is not present in the certificate, the security appliance uses the secondary DN
field value as the username for the authorization request.
For example, consider a user certificate that contains the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com.
If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the
username used in the authorization request would be anyuser@example.com.
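The primary/secondary DN selection described above is easy to get wrong when a certificate lacks the configured primary field. The following Python functions are an added example, not code from this guide or from Cisco: parse_subject_dn() splits a Subject DN string into attributes (accepting both "," and ";" separators, as in the DN quoted above), and authorization_username() applies the selection rules: login username when authentication is enabled, otherwise the primary DN field, then the secondary DN field. SAMPLE_DN is a constructed certificate subject with the same fields as the example above.

```python
import re
from typing import Optional

# Constructed sample subject, same fields and values as the example above (not a real certificate).
SAMPLE_DN = "Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com"


def parse_subject_dn(subject_dn: str) -> dict:
    """Split a Subject DN string into {ATTRIBUTE: value}.

    Attribute names are normalised to upper case (CN, OU, O, L, S, C, EA) so that
    the comparison with the configured primary/secondary DN field is
    case-insensitive.  Both ',' and ';' are accepted as separators.
    """
    fields = {}
    for part in re.split(r"[;,]", subject_dn):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        fields[name.strip().upper()] = value.strip()
    return fields


def authorization_username(subject_dn: str, primary_dn: str, secondary_dn: Optional[str],
                           authentication_enabled: bool,
                           login_username: Optional[str] = None) -> Optional[str]:
    """Return the username that goes into the authorization request.

    - authentication enabled: the login username is used; the certificate is
      validated but none of its DN fields becomes the username;
    - authentication disabled (None): the primary DN field is used, and the
      secondary DN field when the primary field is absent from the certificate.
    Returns None when neither field is present, so the caller can reject the
    request rather than authorize an empty username.
    """
    if authentication_enabled:
        return login_username
    fields = parse_subject_dn(subject_dn)
    for attribute in (primary_dn, secondary_dn):
        if attribute and attribute.upper() in fields:
            return fields[attribute.upper()]
    return None
```

With Primary DN = EA and Secondary DN = CN the sample subject yields anyuser@example.com; a certificate issued without an e-mail address falls through to the CN value, which is the case to keep in mind when the authorization server keys its policy on e-mail addresses.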
Supporting a Zone Labs Integrity Server
This section introduces the Zone Labs Integrity Server, also called Check Point Integrity Server, and
presents an example procedure for configuring the security appliance to support the Zone Labs Integrity
Server. The Integrity server is a central management station for configuring and enforcing security
policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity
Server, it will not be granted access to the private network protected by the Integrity Server and security
appliance.
This section includes the following topics:
• Overview of Integrity Server and Security Appliance Interaction, page 13-17
• Configuring Integrity Server Support, page 13-17
Overview of Integrity Server and Security Appliance Interaction
The VPN client software and the Integrity client software are co-resident on a remote PC. The following
steps summarize the actions of the remote PC, security appliance, and Integrity server in the
establishment of a session between the PC and the enterprise private network:
1. The VPN client software (residing on the same remote PC as the Integrity client software) connects
to the security appliance and tells the security appliance what type of firewall client it is.
2. Once it approves the client firewall type, the security appliance passes Integrity server address
information back to the Integrity client.
3. With the security appliance acting as a proxy, the Integrity client establishes a restricted connection
with the Integrity server. A restricted connection is only between the Integrity client and server.
4. The Integrity server determines if the Integrity client is in compliance with the mandated security
policies. If the client is in compliance with security policies, the Integrity server instructs the
security appliance to open the connection and provide the client with connection details.
5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that
policy enforcement should begin immediately and the client can now enter the private network.
6. Once the connection is established, the server continues to monitor the state of the client using client
heartbeat messages.
Note The current release of the security appliance supports one Integrity Server at a time even though the user
interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure
another Integrity Server on the security appliance and then reestablish the client VPN session.
Configuring Integrity Server Support
This section describes an example procedure for configuring the security appliance to support the Zone
Labs Integrity Servers. The procedure involves configuring address, port, connection fail timeout and
fail states, and SSL certificate parameters.
First, you must configure the hostname or IP address of the Integrity server. The following example
commands, entered in global configuration mode, configure an Integrity server using the IP address
10.0.0.5. They also specify port 300 (the default port is 5054) and the inside interface for
communications with the Integrity server.
hostname(config)# zonelabs-integrity server-address 10.0.0.5
hostname(config)# zonelabs-integrity port 300
hostname(config)# zonelabs-integrity interface inside
hostname(config)#
If the connection between the security appliance and the Integrity server fails, the VPN client
connections remain open by default so that the enterprise VPN is not disrupted by the failure of an
Integrity server. However, you may want to close the VPN connections if the Zone Labs Integrity Server
fails. The following commands ensure that the security appliance waits 12 seconds for a response from
either the active or standby Integrity servers before declaring the Integrity server as failed and closing
the VPN client connections:
hostname(config)# zonelabs-integrity fail-timeout 12
hostname(config)# zonelabs-integrity fail-close
hostname(config)#
The following command returns the configured VPN client connection fail state to the default and
ensures the client connections remain open:
hostname(config)# zonelabs-integrity fail-open
hostname(config)#
The following example commands specify that the Integrity server connects to port 300 (default is port
80) on the security appliance to request the server SSL certificate. While the server SSL certificate is
always authenticated, these commands also specify that the client SSL certificate of the Integrity server
be authenticated.
hostname(config)# zonelabs-integrity ssl-certificate-port 300
hostname(config)# zonelabs-integrity ssl-client-authentication
hostname(config)#
To set the firewall client type to the Zone Labs Integrity type, use the client-firewall command as
described in the “Configuring Firewall Policies” section on page 30-55. The command arguments that
specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity
server determines the policies.
Chapter 14
Configuring Failover
This chapter describes the security appliance failover feature, which lets you configure two security
appliances so that one takes over operation if the other one fails.
Note The ASA 5505 series adaptive security appliance does not support Stateful Failover or Active/Active
failover.
This chapter includes the following sections:
• Understanding Failover, page 14-1
• Configuring Failover, page 14-19
• Controlling and Monitoring Failover, page 14-49
For failover configuration examples, see Appendix B, “Sample Configurations.”
Understanding Failover
The failover configuration requires two identical security appliances connected to each other through a
dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and
units is monitored to determine if specific failover conditions are met. If those conditions are met,
failover occurs.
The security appliance supports two failover configurations, Active/Active failover and Active/Standby
failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This lets you configure load balancing
on your network. Active/Active failover is only available on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state.
Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.
Note VPN failover is not supported on units running in multiple context mode. VPN failover is available for
Active/Standby failover configurations only.
This section includes the following topics:
• Failover System Requirements, page 14-2
• The Failover and Stateful Failover Links, page 14-3
• Active/Active and Active/Standby Failover, page 14-6
• Regular and Stateful Failover, page 14-15
• Failover Health Monitoring, page 14-16
• Failover Feature/Platform Matrix, page 14-18
• Failover Times by Platform, page 14-18
Failover System Requirements
This section describes the hardware, software, and license requirements for security appliances in a
failover configuration. This section contains the following topics:
• Hardware Requirements, page 14-2
• Software Requirements, page 14-2
• License Requirements, page 14-2
Hardware Requirements
The two units in a failover configuration must have the same hardware configuration. They must be the
same model, have the same number and types of interfaces, and the same amount of RAM.
Note The two units do not have to have the same size Flash memory. If using units with different Flash
memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has
enough space to accommodate the software image files and the configuration files. If it does not,
configuration synchronization from the unit with the larger Flash memory to the unit with the smaller
Flash memory will fail.
Software Requirements
The two units in a failover configuration must be in the same operating modes (routed or transparent, single
or multiple context). They must have the same major (first number) and minor (second number) software
version. However, you can use different versions of the software during an upgrade process; for example,
you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We
recommend upgrading both units to the same version to ensure long-term compatibility.
See “Performing Zero Downtime Upgrades for Failover Pairs” section on page 41-6 for more
information about upgrading the software on a failover pair.
License Requirements
On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license.
The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license,
or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO
or FO_AA licenses cannot be used together as a failover pair.
Note The FO license does not support Active/Active failover.
The FO and FO_AA licenses are intended to be used solely for units in a failover configuration and not
for units in standalone mode. If a failover unit with one of these licenses is used in standalone mode, the
unit reboots at least once every 24 hours until the unit is returned to failover duty. A unit with an FO or
FO_AA license operates in standalone mode if it is booted without being connected to a failover peer
with a UR license. If the unit with a UR license in a failover pair fails and is removed from the
configuration, the unit with the FO or FO_AA license does not automatically reboot every 24 hours; it
operates uninterrupted unless it is manually rebooted.
When the unit automatically reboots, the following message displays on the console:
=========================NOTICE=========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.
REBOOTING....
========================================================
The ASA 5500 series adaptive security appliance platform does not have this restriction.
The Failover and Stateful Failover Links
This section describes the failover and the Stateful Failover links, which are dedicated connections
between the two units in a failover configuration. This section includes the following topics:
• Failover Link, page 14-3
• Stateful Failover Link, page 14-5
Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating
status of each unit. The following information is communicated over the failover link:
• The unit state (active or standby).
• Power status (cable-based failover only—available only on the PIX 500 series security appliance).
• Hello messages (keep-alives).
• Network link status.
• MAC address exchange.
• Configuration replication and synchronization.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
On the PIX 500 series security appliance, the failover link can be either a LAN-based connection or a
dedicated serial Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can
only be a LAN-based connection.
This section includes the following topics:
• LAN-Based Failover Link, page 14-4
• Serial Cable Failover Link (PIX Security Appliance Only), page 14-4
LAN-Based Failover Link
You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify
an interface that is currently configured with a name. The LAN failover link interface is not configured
as a normal networking interface. It exists for failover communication only. This interface should only
be used for the LAN failover link (and optionally for the stateful failover link).
Connect the LAN failover link in one of the following two ways:
• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as
the LAN failover interfaces of the ASA.
• Using a crossover Ethernet cable to connect the appliances directly, without the need for an external
switch.
Note When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought
down on both peers. This condition may hamper troubleshooting efforts because you cannot easily
determine which interface failed and caused the link to come down.
Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable
or a straight-through cable. If you use a straight-through cable, the interface automatically detects the
cable and swaps one of the transmit/receive pairs to MDIX.
Serial Cable Failover Link (PIX Security Appliance Only)
The serial Failover cable, or “cable-based failover,” is only available on the PIX 500 series security
appliance. If the two units are within six feet of each other, then we recommend that you use the serial
Failover cable.
The cable that connects the two units is a modified RS-232 serial link cable that transfers data at
117,760 bps (115 Kbps). One end of the cable is labeled “Primary”. The unit attached to this end of the
cable automatically becomes the primary unit. The other end of the cable is labeled “Secondary”. The
unit attached to this end of the cable automatically becomes the secondary unit. You cannot override
these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series
security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.
The benefits of using cable-based failover include:
• The PIX 500 series security appliance can immediately detect a power loss on the peer unit and
differentiate a power loss from an unplugged cable.
• The standby unit can communicate with the active unit and can receive the entire configuration
without having to be bootstrapped for failover. In LAN-based failover you need to configure the
failover link on the standby unit before it can communicate with the active unit.
• The switch between the two units in LAN-based failover can be another point of hardware failure;
cable-based failover eliminates this potential point of failure.
• You do not have to dedicate an Ethernet interface (and switch) to the failover link.
• The cable determines which unit is primary and which is secondary, eliminating the need to
manually enter that information in the unit configurations.
The disadvantages include:
• Distance limitation—the units cannot be separated by more than 6 feet.
• Slower configuration replication.
Stateful Failover Link
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You
have three options for configuring a Stateful Failover link:
• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not
recommended.
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch
or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be
on this link.
Note Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.
If you use a data interface as the Stateful Failover link, you receive the following warning when you
specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks.
Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing
performance problems on that network segment.
Note Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the
failover interface are the only interfaces in the system context. All other interfaces are allocated to and
configured from within security contexts.
Note The IP address and MAC address for the Stateful Failover link do not change at failover unless the
Stateful Failover link is configured on a regular data interface.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
Failover Interface Speed for Stateful Links
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface
available. If you experience performance problems on that interface, consider dedicating a separate
interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for Cisco PIX security appliances and Cisco ASA
adaptive security appliances:
• Cisco ASA 5520/5540/5550 and PIX 515E/535
– The stateful link speed should match the fastest data link
• Cisco ASA 5510 and PIX 525
– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due
to the CPU speed limitation.
For optimum performance when using long distance LAN failover, the latency for the failover link
should be less than 10 milliseconds and no more than 250 milliseconds. If latency is less than 10
milliseconds, some performance degradation occurs due to retransmission of failover messages.
All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate
heartbeat link on systems with high Stateful Failover traffic.
Active/Active and Active/Standby Failover
This section describes each failover configuration in detail. This section includes the following topics:
• Active/Standby Failover, page 14-6
• Active/Active Failover, page 14-10
• Determining Which Type of Failover to Use, page 14-15
Active/Standby Failover
This section describes Active/Standby failover and includes the following topics:
• Active/Standby Failover Overview, page 14-6
• Primary/Secondary Status and Active/Standby Status, page 14-7
• Device Initialization and Configuration Synchronization, page 14-7
• Command Replication, page 14-8
• Failover Triggers, page 14-9
• Failover Actions, page 14-9
Active/Standby Failover Overview
Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed
unit. When the active unit fails, it changes to the standby state while the standby unit changes to the
active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the
management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that
is now in standby state takes over the standby IP addresses and MAC addresses. Because network
devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere
on the network.
Note For multiple context mode, the security appliance can fail over the entire unit (including all contexts)
but cannot fail over individual contexts separately.
Primary/Secondary Status and Active/Standby Status
The main differences between the two units in a failover pair are related to which unit is active and which
unit is standby, namely which IP addresses to use and which unit actively passes traffic.
However, a few differences exist between the units based on which unit is primary (as specified in the
configuration) and which unit is secondary:
• The primary unit always becomes the active unit if both units start up at the same time (and are of
equal operational health).
• The primary unit MAC addresses are always coupled with the active IP addresses. The exception to
this rule occurs when the secondary unit is active, and cannot obtain the primary unit MAC addresses
over the failover link. In this case, the secondary unit MAC addresses are used.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations
are always synchronized from the active unit to the standby unit. When the standby unit completes its
initial startup, it clears its running configuration (except for the failover commands needed to
communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
The active unit is determined by the following:
• If a unit boots and detects a peer already running as active, it becomes the standby unit.
• If a unit boots and does not detect a peer, it becomes the active unit.
• If both units boot simultaneously, then the primary unit becomes the active unit and the secondary
unit becomes the standby unit.
Note If the secondary unit boots without detecting the primary unit, it becomes the active unit. It uses its own
MAC addresses for the active IP addresses. However, when the primary unit becomes available, the
secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption
in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the
“Configuring Virtual MAC Addresses” section on page 14-26 for more information.
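The rules in the preceding three sections (which unit becomes active at boot, which unit's MAC addresses are coupled with the active IP addresses, and the traffic interruption in the Note above) fit a small model. The following Python code is an added example, not code from this guide or from Cisco; it assumes one MAC address per unit, a boolean standing in for "the secondary has learned the primary's MAC addresses over the failover link", and constructed MAC addresses. The two scenario functions at the end show a normal failover and the secondary-boots-alone case, with and without a virtual MAC address.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Unit:
    role: str             # "primary" or "secondary", as set in the failover configuration
    burned_in_mac: str    # the unit's own interface MAC address (constructed value)
    state: str = "down"   # "down", "active", "standby" or "failed"


class ActiveStandbyPair:
    """Model of which unit is active and which MAC address answers for the active
    IP addresses, following the rules in the sections above (model, not ASA code)."""

    def __init__(self, primary_mac: str, secondary_mac: str, virtual_mac: Optional[str] = None):
        self.primary = Unit("primary", primary_mac)
        self.secondary = Unit("secondary", secondary_mac)
        self.virtual_mac = virtual_mac          # set when virtual MAC addresses are configured
        self.primary_mac_learned = False        # secondary has seen the primary over the failover link

    def _unit_and_peer(self, role: str) -> Tuple[Unit, Unit]:
        if role == "primary":
            return self.primary, self.secondary
        return self.secondary, self.primary

    def boot(self, role: str) -> str:
        """One unit boots: standby if it detects an active peer, otherwise active."""
        unit, peer = self._unit_and_peer(role)
        unit.state = "standby" if peer.state == "active" else "active"
        if peer.state in ("active", "standby"):
            self.primary_mac_learned = True     # the two units are now communicating
        return unit.state

    def boot_both(self) -> None:
        """Simultaneous boot: the primary unit always becomes the active unit."""
        self.primary.state, self.secondary.state = "active", "standby"
        self.primary_mac_learned = True

    def active_unit(self) -> Optional[Unit]:
        return next((u for u in (self.primary, self.secondary) if u.state == "active"), None)

    def fail_active(self) -> Optional[str]:
        """The active unit fails; the standby unit takes over the active addresses."""
        active = self.active_unit()
        if active is None:
            return None
        _, peer = self._unit_and_peer(active.role)
        active.state = "failed"
        if peer.state == "standby":
            peer.state = "active"
        return peer.state

    def active_mac(self) -> Optional[str]:
        """MAC address coupled with the active IP addresses right now."""
        if self.virtual_mac:
            return self.virtual_mac
        active = self.active_unit()
        if active is None:
            return None
        if active.role == "primary" or self.primary_mac_learned:
            return self.primary.burned_in_mac   # primary MACs are always used when known
        return self.secondary.burned_in_mac     # secondary active without the primary's MACs


def secondary_boots_alone(virtual_mac: Optional[str] = None) -> Tuple[str, str]:
    """Scenario from the Note above: the secondary boots first, then the primary appears.
    Returns the MAC used for the active IP addresses before and after the primary joins;
    a change means hosts' ARP entries for the active IP go stale. Constructed MACs."""
    pair = ActiveStandbyPair("0000.0000.0001", "0000.0000.0002", virtual_mac)
    pair.boot("secondary")
    before = pair.active_mac()
    pair.boot("primary")
    return before, pair.active_mac()


def primary_fails() -> Tuple[str, str]:
    """Normal failover: both boot, the primary fails, the secondary takes over the primary's
    MAC addresses, so the MAC-to-IP pairing seen on the network does not change."""
    pair = ActiveStandbyPair("0000.0000.0001", "0000.0000.0002")
    pair.boot_both()
    before = pair.active_mac()
    pair.fail_active()
    return before, pair.active_mac()
```

Running secondary_boots_alone() with no virtual MAC returns two different addresses, which is exactly the interruption the Note warns about; passing a virtual MAC returns the same address both times, which is why the guide recommends configuring virtual MAC addresses for the pair.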
When the replication starts, the security appliance console on the active unit displays the message
“Beginning configuration replication: Sending to mate,” and when it is complete, the security appliance
displays the message “End Configuration Replication to mate.” During replication, commands entered
on the active unit may not replicate properly to the standby unit, and commands entered on the standby
unit may be overwritten by the configuration being replicated from the active unit. Avoid entering
commands on either unit in the failover pair during the configuration replication process. Depending
upon the size of the configuration, replication can take from a few seconds to several minutes.
On the standby unit, the configuration exists only in running memory. To save the configuration to Flash
memory after synchronization:
14-8
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Understanding Failover
• For single context mode, enter the write memory command on the active unit. The command is
replicated to the standby unit, which proceeds to write its configuration to Flash memory.
• For multiple context mode, enter the write memory all command on the active unit from the system
execution space. The command is replicated to the standby unit, which proceeds to write its
configuration to Flash memory. Using the all keyword with this command causes the system and all
context configurations to be saved.
Note Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the
active unit to an external server, and then copy them to disk on the standby unit, where they become
available when the unit reloads.
Command Replication
Command replication always flows from the active unit to the standby unit. As commands are entered
on the active unit, they are sent across the failover link to the standby unit. You do not have to save the
active configuration to Flash memory to replicate the commands.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
Note Changes made on the standby unit are not replicated to the active unit. If you enter a command on the
standby unit, the security appliance displays the message “**** WARNING **** Configuration
Replication is NOT performed from Standby unit to Active unit. Configurations are no
longer synchronized.” This message displays even when you enter many commands that do not affect
the configuration.
If you enter the write standby command on the active unit, the standby unit clears its running
configuration (except for the failover commands used to communicate with the active unit), and the
active unit sends its entire configuration to the standby unit.
For multiple context mode, when you enter the write standby command in the system execution space,
all contexts are replicated. If you enter the write standby command within a context, the command
replicates only the context configuration.
Replicated commands are stored in the running configuration. To save the replicated commands to the
Flash memory on the standby unit:
• For single context mode, enter the copy running-config startup-config command on the active unit.
The command is replicated to the standby unit, which proceeds to write its configuration to Flash
memory.
• For multiple context mode, enter the copy running-config startup-config command on the active
unit from the system execution space and within each context on disk. The command is replicated
to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup
configurations on external servers are accessible from either unit over the network and do not need
to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active
unit to an external server, and then copy them to disk on the standby unit.
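The replication rules above, as an added example (not code from the guide): a small Python model that decides whether a command entered on the active unit is sent to the standby, and a check that scans a console transcript from the standby unit for the “Configuration Replication is NOT performed” warning so that commands which silently desynchronized the pair can be listed. The prompt format and the transcript are constructed sample data.

```python
"""Which commands an Active/Standby pair replicates, and a transcript check.

Added example (not from the guide): encodes the replication rules listed in
the Command Replication section and scans a constructed console transcript
for the warning the standby unit prints when commands are entered on it.
"""
import re
from typing import List

# Command families the guide lists as never replicated.
NEVER_REPLICATED = ("debug", "failover lan unit", "firewall", "mode", "show")


def is_replicated(command: str) -> bool:
    """Return True if a command entered on the active unit is sent to the standby.

    Any command not caught by the listed exceptions is treated as a
    configuration or file command, which replicates (assumption of this model).
    """
    cmd = " ".join(command.split())          # normalise whitespace
    if not cmd:
        return False
    first = cmd.split()[0]
    if first == "copy":
        # Only copy running-config startup-config is replicated.
        return cmd == "copy running-config startup-config"
    if first == "write":
        # Only write memory is replicated (write standby, write net, ... are not).
        return cmd == "write memory"
    for family in NEVER_REPLICATED:
        if cmd == family or cmd.startswith(family + " "):
            return False
    return True


# Constructed sample transcript from a standby unit (prompt format assumed).
SAMPLE_STANDBY_TRANSCRIPT = """\
asa/sec/stby(config)# hostname edge-fw
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
asa/sec/stby(config)# show failover state
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
asa/sec/stby(config)# exit
"""

PROMPT_RE = re.compile(r"^(?P<prompt>\S+[#>])\s*(?P<cmd>.*)$")
WARNING_RE = re.compile(r"\*{4} WARNING \*{4} Configuration Replication is NOT performed")


def commands_warned_on_standby(transcript: str) -> List[str]:
    """Commands on the standby that drew the replication warning (any command does)."""
    flagged, last_cmd = [], None
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            last_cmd = m.group("cmd").strip() or None
            continue
        if WARNING_RE.search(line) and last_cmd:
            flagged.append(last_cmd)
            last_cmd = None
    return flagged


def standby_config_drift(transcript: str) -> List[str]:
    """Only the warned commands that actually change the running configuration."""
    return [c for c in commands_warned_on_standby(transcript) if is_replicated(c)]
```

`standby_config_drift` separates real drift (here `hostname edge-fw`) from harmless `show` commands, which the guide notes also trigger the warning; the drift list is what must be re-applied on the active unit, or cleared with `write standby`, before the configurations are in sync again.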
Failover Triggers
The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is
entered on the standby unit.
Failover Actions
In Active/Standby failover, failover occurs on a unit basis. Even on systems running in multiple context
mode, you cannot fail over individual or groups of contexts.
Table 14-1 shows the failover action for each failure event. For each failure event, the table shows the
failover policy (failover or no failover), the action taken by the active unit, the action taken by the
standby unit, and any special notes about the failover condition and actions.
Table 14-1 Failover Behavior
Failure Event | Policy | Active Action | Standby Action | Notes
Active unit failed (power or hardware) | Failover | n/a | Become active; mark active as failed | No hello messages are received on any monitored interface or the failover link.
Formerly active unit recovers | No failover | Become standby | No action | None.
Standby unit failed (power or hardware) | No failover | Mark standby as failed | n/a | When the standby unit is marked as failed, the active unit does not attempt to fail over, even if the interface failure threshold is surpassed.
Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Failover link failed at startup | No failover | Mark failover interface as failed | Become active | If the failover link is down at startup, both units become active.
Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Interface failure on active unit above threshold | Failover | Mark active as failed | Become active | None.
Interface failure on standby unit above threshold | No failover | No action | Mark standby as failed | When the standby unit is marked as failed, the active unit does not attempt to fail over even if the interface failure threshold is surpassed.
Active/Active Failover
This section describes Active/Active failover. This section includes the following topics:
• Active/Active Failover Overview, page 14-10
• Primary/Secondary Status and Active/Standby Status, page 14-11
• Device Initialization and Configuration Synchronization, page 14-11
• Command Replication, page 14-12
• Failover Triggers, page 14-13
• Failover Actions, page 14-14
Active/Active Failover Overview
Active/Active failover is only available to security appliances in multiple context mode. In an
Active/Active failover configuration, both security appliances can pass network traffic.
In Active/Active failover, you divide the security contexts on the security appliance into failover groups.
A failover group is simply a logical group of one or more security contexts. You can create a maximum
of two failover groups on the security appliance. The admin context is always a member of failover
group 1. Any unassigned security contexts are also members of failover group 1 by default.
The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring,
failover, and active/standby status are all attributes of a failover group rather than the unit. When an
active failover group fails, it changes to the standby state while the standby failover group becomes
active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the
interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby
state take over the standby MAC and IP addresses.
Note A failover group failing on a unit does not mean that the unit has failed. The unit may still have another
failover group passing traffic on it.
When creating the failover groups, you should create them on the unit that will have failover group 1 in
the active state.
Note Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you
have more than one Active/Active failover pair on the same network, it is possible to have the same
default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of
the other pairs because of the way the default virtual MAC addresses are determined. To avoid having
duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active
and standby MAC address.
Primary/Secondary Status and Active/Standby Status
As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit,
and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate
which unit becomes active when both units start simultaneously. Instead, the primary/secondary
designation does two things:
• Determines which unit provides the running configuration to the pair when they boot
simultaneously.
• Determines on which unit each failover group appears in the active state when the units boot
simultaneously. Each failover group in the configuration is configured with a primary or secondary
unit preference. You can configure both failover groups to be in the active state on a single unit in the
pair, with the other unit containing the failover groups in the standby state. However, a more typical
configuration is to assign each failover group a different role preference to make each one active on
a different unit, distributing the traffic across the devices.
Note The security appliance does not provide load balancing services. Load balancing must be
handled by a router passing traffic to the security appliance.
Which unit each failover group becomes active on is determined as follows:
• When a unit boots while the peer unit is not available, both failover groups become active on the
unit.
• When a unit boots while the peer unit is active (with both failover groups in the active state), the
failover groups remain in the active state on the active unit regardless of the primary or secondary
preference of the failover group until one of the following:
– A failover occurs.
– You manually force the failover group to the other unit with the no failover active command.
– You configured the failover group with the preempt command, which causes the failover group
to automatically become active on the preferred unit when the unit becomes available.
• When both units boot at the same time, each failover group becomes active on its preferred unit after
the configurations have been synchronized.
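The placement rules just listed, as an added example (not code from the guide): a Python model of an Active/Active pair in which each failover group carries a unit preference and an optional preempt setting, so the outcome of different boot orders can be checked before a maintenance window. Unit names, group preferences and the boot scenarios are constructed; the model covers only the rules stated above.

```python
"""Where each failover group becomes active in an Active/Active pair.

Added example (not from the guide): a small model of the placement rules in
the Primary/Secondary Status section. Unit names, group preferences and the
boot scenarios below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

UNITS = ("primary", "secondary")


def peer_of(unit: str) -> str:
    return "secondary" if unit == "primary" else "primary"


@dataclass
class FailoverGroup:
    group_id: int
    preferred: str                 # unit preference configured for the group
    preempt: bool = False          # configured with the preempt command
    active_on: Optional[str] = None


class ActiveActivePair:
    def __init__(self, groups: List[FailoverGroup]):
        self.groups = {g.group_id: g for g in groups}
        self.up = set()            # units currently running

    def boot(self, unit: str) -> Dict[int, Optional[str]]:
        """One unit boots while the peer is either down or already active."""
        peer = peer_of(unit)
        self.up.add(unit)
        for g in self.groups.values():
            if peer not in self.up:
                g.active_on = unit             # peer unavailable: both groups here
            elif g.preempt and g.preferred == unit:
                g.active_on = unit             # preempt moves it to the preferred unit
            # otherwise the group stays active on the peer regardless of preference
        return self.placement()

    def boot_both(self) -> Dict[int, Optional[str]]:
        """Both units boot at the same time: each group goes to its preferred unit."""
        self.up = set(UNITS)
        for g in self.groups.values():
            g.active_on = g.preferred
        return self.placement()

    def move_to_peer(self, group_id: int) -> str:
        """A failover of the group, or 'no failover active' for it entered on
        the unit where it is active: the group becomes active on the peer."""
        g = self.groups[group_id]
        if g.active_on is None or peer_of(g.active_on) not in self.up:
            raise ValueError("peer unit is not available")
        g.active_on = peer_of(g.active_on)
        return g.active_on

    def placement(self) -> Dict[int, Optional[str]]:
        return {gid: g.active_on for gid, g in self.groups.items()}


def staggered_boot(preempt_group2: bool) -> Dict[int, Optional[str]]:
    """Primary boots alone, then the secondary comes up (constructed scenario)."""
    pair = ActiveActivePair([
        FailoverGroup(1, preferred="primary"),
        FailoverGroup(2, preferred="secondary", preempt=preempt_group2),
    ])
    pair.boot("primary")
    return pair.boot("secondary")
```

Running `staggered_boot(False)` shows the case the guide warns about: after a staggered boot both groups stay on the first unit to come up, so the traffic is not distributed until a failover, a manual `no failover active`, or a preempt setting moves group 2.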
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both units in a failover pair boot. The configurations
are synchronized as follows:
• When a unit boots while the peer unit is active (with both failover groups active on it), the booting
unit contacts the active unit to obtain the running configuration regardless of the primary or
secondary designation of the booting unit.
• When both units boot simultaneously, the secondary unit obtains the running configuration from the
primary unit.
When the replication starts, the security appliance console on the unit sending the configuration displays
the message “Beginning configuration replication: Sending to mate,” and when it is complete, the
security appliance displays the message “End Configuration Replication to mate.” During replication,
commands entered on the unit sending the configuration may not replicate properly to the peer unit, and
commands entered on the unit receiving the configuration may be overwritten by the configuration being
received. Avoid entering commands on either unit in the failover pair during the configuration
replication process. Depending upon the size of the configuration, replication can take from a few
seconds to several minutes.
On the unit receiving the configuration, the configuration exists only in running memory. To save the
configuration to Flash memory after synchronization enter the write memory all command in the system
execution space on the unit that has failover group 1 in the active state. The command is replicated to
the peer unit, which proceeds to write its configuration to Flash memory. Using the all keyword with this
command causes the system and all context configurations to be saved.
Note Startup configurations saved on external servers are accessible from either unit over the network and do
not need to be saved separately for each unit. Alternatively, you can copy the contexts configuration files
from the disk on the primary unit to an external server, and then copy them to disk on the secondary unit,
where they become available when the unit reloads.
Command Replication
After both units are running, commands are replicated from one unit to the other as follows:
• Commands entered within a security context are replicated from the unit on which the security
context appears in the active state to the peer unit.
Note A context is considered in the active state on a unit if the failover group to which it belongs is
in the active state on that unit.
• Commands entered in the system execution space are replicated from the unit on which failover
group 1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in
the active state to the unit on which failover group 1 is in the standby state.
All configuration and file commands (copy, rename, delete, mkdir, rmdir, and so on) are replicated,
with the following exceptions: the show, debug, mode, firewall, and failover lan unit commands are
not replicated.
Failure to enter the commands on the appropriate unit for command replication to occur causes the
configurations to be out of synchronization. Those changes may be lost the next time the initial
configuration synchronization occurs.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory
The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show
You can use the write standby command to resynchronize configurations that have become out of sync.
For Active/Active failover, the write standby command behaves as follows:
• If you enter the write standby command in the system execution space, the system configuration
and the configurations for all of the security contexts on the security appliance are written to the peer
unit. This includes configuration information for security contexts that are in the standby state. You
must enter the command in the system execution space on the unit that has failover group 1 in the
active state.
Note If there are security contexts in the active state on the peer unit, the write standby command
causes active connections through those contexts to be terminated. Use the failover active
command on the unit providing the configuration to make sure all contexts are active on that
unit before entering the write standby command.
• If you enter the write standby command in a security context, only the configuration for the security
context is written to the peer unit. You must enter the command in the security context on the unit
where the security context appears in the active state.
Replicated commands are not saved to the Flash memory when replicated to the peer unit. They are
added to the running configuration. To save replicated commands to Flash memory on both units, use
the write memory or copy running-config startup-config command on the unit that you made the
changes on. The command is replicated to the peer unit and causes the configuration to be saved to Flash
memory on the peer unit.
Failover Triggers
In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
• The unit has a hardware failure.
• The unit has a power failure.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.
Failover is triggered at the failover group level when one of the following events occurs:
• Too many monitored interfaces in the group fail.
• The no failover active group group_id or failover active group group_id command is entered.
You configure the failover threshold for each failover group by specifying the number or percentage of
interfaces within the failover group that must fail before the group fails. Because a failover group can
contain multiple contexts, and each context can contain multiple interfaces, it is possible for all
interfaces in a single context to fail without causing the associated failover group to fail.
See the “Failover Health Monitoring” section on page 14-16 for more information about interface and
unit monitoring.
Failover Actions
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis.
For example, if you designate both failover groups as active on the primary unit, and failover group 1
fails, then failover group 2 remains active on the primary unit while failover group 1 becomes active on
the secondary unit.
Note When configuring Active/Active failover, make sure that the combined traffic for both units is within the
capacity of each unit.
Table 14-2 shows the failover action for each failure event. For each failure event, the policy (whether
or not failover occurs), actions for the active failover group, and actions for the standby failover group
are given.
Table 14-2 Failover Behavior for Active/Active Failover
Failure Event | Policy | Active Group Action | Standby Group Action | Notes
A unit experiences a power or software failure | Failover | Become standby; mark as failed | Become active; mark active as failed | When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit.
Interface failure on active failover group above threshold | Failover | Mark active group as failed | Become active | None.
Interface failure on standby failover group above threshold | No failover | No action | Mark standby group as failed | When the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed.
Formerly active failover group recovers | No failover | No action | No action | Unless configured with the preempt command, the failover groups remain active on their current unit.
Failover link failed at startup | No failover | Become active | Become active | If the failover link is down at startup, both failover groups on both units become active.
Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Failover link failed during operation | No failover | n/a | n/a | Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Determining Which Type of Failover to Use
The type of failover you choose depends upon your security appliance configuration and how you plan
to use the security appliances.
If you are running the security appliance in single mode, then you can only use Active/Standby failover.
Active/Active failover is only available to security appliances running in multiple context mode.
If you are running the security appliance in multiple context mode, then you can configure either
Active/Active failover or Active/Standby failover.
• To provide load balancing, use Active/Active failover.
• If you do not want to provide load balancing, use Active/Standby or Active/Active failover.
Table 14-3 provides a comparison of some of the features supported by each type of failover
configuration:
Table 14-3 Failover Configuration Feature Support
Feature | Active/Active | Active/Standby
Single Context Mode | No | Yes
Multiple Context Mode | Yes | Yes
Load Balancing Network Configurations | Yes | No
Unit Failover | Yes | Yes
Failover of Groups of Contexts | Yes | No
Failover of Individual Contexts | No | No
Regular and Stateful Failover
The security appliance supports two types of failover, regular and stateful. This section includes the
following topics:
• Regular Failover, page 14-16
• Stateful Failover, page 14-16
Regular Failover
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when
the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to
the standby unit. After a failover occurs, the same connection information is available at the new active
unit. Supported end-user applications are not required to reconnect to keep the same communication
session.
The state information passed to the standby unit includes the following:
• NAT translation table.
• TCP connection states.
• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.
The information that is not passed to the standby unit when Stateful Failover is enabled includes the
following:
• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong
interface (the default route) while the dynamic routing protocols rediscover routes.
• State information for Security Service Modules.
• DHCP server address leases.
• L2TP over IPSec sessions.
Note If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call
session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone
client loses connection with the Call Manager. This occurs because there is no session information for
the CTIQBE hangup message on the standby unit. When the IP SoftPhone client does not receive a
response back from the Call Manager within a certain time period, it considers the Call Manager
unreachable and unregisters itself.
Failover Health Monitoring
The security appliance monitors each unit for overall health and for interface health. See the following
sections for more information about how the security appliance performs tests to determine the state of
each unit:
• Unit Health Monitoring, page 14-17
• Interface Monitoring, page 14-17
Unit Health Monitoring
The security appliance determines the health of the other unit by monitoring the failover link. When a
unit does not receive three consecutive hello messages on the failover link, the unit sends an ARP request
on all interfaces, including the failover interface. The action the security appliance takes depends on the
response from the other unit. See the following possible actions:
• If the security appliance receives a response on the failover interface, then it does not fail over.
• If the security appliance does not receive a response on the failover link, but receives a response on
another interface, then the unit does not fail over. The failover link is marked as failed. You should
restore the failover link as soon as possible because the unit cannot fail over to the standby while
the failover link is down.
• If the security appliance does not receive a response on any interface, then the standby unit switches
to active mode and classifies the other unit as failed.
Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.
You can configure the frequency of the hello messages and the hold time before failover occurs. A faster
poll time and shorter hold time speed the detection of unit failures and make failover occur more quickly,
but it can also cause “false” failures due to network congestion delaying the keepalive packets. See
Configuring Unit Health Monitoring, page 14-39 for more information about configuring unit health
monitoring.
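The unit health decision described in this section, as an added example (not code from the guide): a Python model of the three-missed-hellos rule followed by the ARP probe on every interface, with the outcome taken from where the peer answers. Interface names, poll intervals and the sample probe results are constructed; the hello and hold timers themselves are configured as described on page 14-39.

```python
"""Unit health monitoring decision on the failover link.

Added example (not from the guide): models the rule that after three
consecutive missed hello messages the unit sends ARP requests on all
interfaces and decides from the replies. Interface names, timings and the
sample probe results are constructed.
"""
from typing import Dict

MISSED_HELLO_LIMIT = 3            # consecutive hellos missed before probing


def missed_hellos(last_hello_at: float, now: float, poll_interval: float) -> int:
    """Whole hello intervals elapsed since the peer's last hello arrived."""
    if poll_interval <= 0:
        raise ValueError("poll interval must be positive")
    return int((now - last_hello_at) // poll_interval)


def unit_health_decision(missed: int, arp_replies: Dict[str, bool]) -> str:
    """Decide what the monitoring unit does once hellos stop.

    arp_replies maps each interface to whether the peer answered the ARP
    request sent on it; the key "failover" is the failover interface.
    """
    if missed < MISSED_HELLO_LIMIT:
        return "peer-healthy"                 # still within tolerance, no probing
    if arp_replies.get("failover", False):
        return "no-failover"                  # peer reachable over the failover link
    if any(ok for name, ok in arp_replies.items() if name != "failover"):
        # Peer alive on a data interface: mark the failover link failed, no failover.
        return "failover-link-failed"
    return "become-active"                    # no reply anywhere: peer is failed


def evaluate(last_hello_at: float, now: float, poll_interval: float,
             arp_replies: Dict[str, bool]) -> str:
    """Combine the hello count and the probe results into one decision."""
    return unit_health_decision(missed_hellos(last_hello_at, now, poll_interval),
                                arp_replies)
```

The two `missed_hellos` calls in the test show the trade-off the paragraph describes: the same 2.5 second delay in the peer's hellos is two missed polls at a 1 second interval (no action) but five at a 500 millisecond interval, enough to start probing and, if congestion also drops the ARP replies, to declare the peer failed.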
Interface Monitoring
You can monitor up to 250 interfaces divided between all contexts. You should monitor important
interfaces. For example, you might configure one context to monitor a shared interface (because the
interface is shared, all contexts benefit from the monitoring).
When a unit does not receive hello messages on a monitored interface for half of the configured hold
time, it runs the following tests:
1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the
interface is operational, then the security appliance performs network tests. The purpose of these
tests is to generate network traffic to determine which (if either) unit has failed. At the start of each
test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each
unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one
unit receives traffic for a test and the other unit does not, the unit that received no traffic is
considered failed. If neither unit has received traffic, then the next test is used.
2. Network Activity test—A received network activity test. The unit counts all received packets for up
to 5 seconds. If any packets are received at any time during this interval, the interface is considered
operational and testing stops. If no traffic is received, the ARP test begins.
3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time,
the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each
request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is
considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the
end of the list no traffic has been received, the ping test begins.
4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then
counts all received packets for up to 5 seconds. If any packets are received at any time during this
interval, the interface is considered operational and testing stops.
If all network tests fail for an interface, but this interface on the other unit continues to successfully pass
traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a
failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the
“Unknown” state and do not count towards the failover limit.
An interface becomes operational again if it receives any traffic. A failed security appliance returns to
standby mode if the interface failure threshold is no longer met.
Note If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering
the failover reset command. If the failover condition persists, however, the unit will fail again.
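The test sequence in this section and the failover threshold from the Failover Triggers section, as an added example (not code from the guide): a Python model that runs the network tests for one interface on both units, resolves the interface to operational, failed, or Unknown, and then applies a threshold given as a count or a percentage. Packet counts, interface names and thresholds are constructed; treating a link-down result as a failed interface on that unit, and measuring the percentage against all monitored interfaces, are assumptions of the model.

```python
"""Interface monitoring tests and the failover threshold.

Added example (not from the guide): models the test sequence in the Interface
Monitoring section for one interface on both units, then applies a failure
threshold. Packet counts, interface names and the threshold values are
constructed. Treating a link-down result as a failed interface on that unit
is an assumption of this model.
"""
from typing import Dict, Tuple, Union

NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")   # run in this order

State = str   # "operational", "failed" or "unknown"


def interface_state(local_link_up: bool, peer_link_up: bool,
                    local_rx: Dict[str, int], peer_rx: Dict[str, int]) -> Tuple[State, State]:
    """Return (local_state, peer_state) for one monitored interface.

    local_rx / peer_rx give the packets each unit received during each test
    window (counts are cleared at the start of every test).
    """
    if not local_link_up or not peer_link_up:
        # Assumption: a link-down result fails the interface on that unit.
        return ("operational" if local_link_up else "failed",
                "operational" if peer_link_up else "failed")
    for test in NETWORK_TESTS:
        local_ok = local_rx.get(test, 0) > 0
        peer_ok = peer_rx.get(test, 0) > 0
        if local_ok and peer_ok:
            return ("operational", "operational")
        if local_ok != peer_ok:
            # One unit saw traffic and the other did not: the silent one failed.
            return ("operational" if local_ok else "failed",
                    "operational" if peer_ok else "failed")
        # neither unit received traffic: move on to the next test
    return ("unknown", "unknown")   # both fail every test: not counted towards the limit


def failover_needed(states: Dict[str, State], threshold: Union[int, str]) -> bool:
    """threshold is a number of interfaces (int) or a percentage such as "50%"
    of monitored interfaces; "unknown" interfaces never count as failed."""
    failed = sum(1 for s in states.values() if s == "failed")
    if failed == 0:
        return False
    if isinstance(threshold, str) and threshold.endswith("%"):
        pct = float(threshold.rstrip("%"))
        return failed * 100.0 >= pct * len(states)
    return failed >= int(threshold)
```

The `("unknown", "unknown")` outcome is the case worth remembering when reading `show failover` output: an interface that receives nothing on either unit is not evidence that this unit has failed, so it is excluded from the count that drives the threshold.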
Failover Feature/Platform Matrix
Table 14-4 shows the failover features supported by each hardware platform.
Table 14-4 Failover Feature Support by Platform
Platform | Cable-Based Failover | LAN-Based Failover | Stateful Failover
ASA 5505 series adaptive security appliance | No | Yes | No
ASA 5500 series adaptive security appliance (other than the ASA 5505) | No | Yes | Yes
PIX 500 series security appliance | Yes | Yes | Yes
Failover Times by Platform
Table 14-5 shows the minimum, default, and maximum failover times for the PIX 500 series security
appliance.
Table 14-6 shows the minimum, default, and maximum failover times for the ASA 5500 series adaptive
security appliance.
Table 14-5 PIX 500 series security appliance failover times
Failover Condition | Minimum | Default | Maximum
Active unit loses power or stops normal operation. | 800 milliseconds | 45 seconds | 45 seconds
Active unit interface link down. | 500 milliseconds | 5 seconds | 15 seconds
Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds
Table 14-6 ASA 5500 series adaptive security appliance failover times
Failover Condition | Minimum | Default | Maximum
Active unit loses power or stops normal operation. | 800 milliseconds | 15 seconds | 45 seconds
Active unit main board interface link down. | 500 milliseconds | 5 seconds | 15 seconds
Active unit 4GE card interface link down. | 2 seconds | 5 seconds | 15 seconds
Active unit IPS or CSC card fails. | 2 seconds | 2 seconds | 2 seconds
Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds
Configuring Failover
This section describes how to configure failover and includes the following topics:
• Failover Configuration Limitations, page 14-19
• Configuring Active/Standby Failover, page 14-19
• Configuring Active/Active Failover, page 14-27
• Configuring Unit Health Monitoring, page 14-39
• Configuring Failover Communication Authentication/Encryption, page 14-39
• Verifying the Failover Configuration, page 14-40
Failover Configuration Limitations
You cannot configure failover with the following type of IP addresses:
• IP addresses obtained through DHCP
• IP addresses obtained through PPPoE
• IPv6 addresses
Additionally, the following restrictions apply:
• Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
• Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
• You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive
security appliance.
• VPN failover is not supported in multiple context mode.
Configuring Active/Standby Failover
This section provides step-by-step procedures for configuring Active/Standby failover. This section
includes the following topics:
• Prerequisites, page 14-20
• Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only), page 14-20
• Configuring LAN-Based Active/Standby Failover, page 14-21
• Configuring Optional Active/Standby Failover Settings, page 14-25
Prerequisites
Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in the same mode (single or multiple, transparent or routed).
Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)
Follow these steps to configure Active/Standby failover using a serial cable as the failover link. The
commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit
that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the
commands are entered in the system execution space unless otherwise noted.
You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover.
Leave the secondary unit powered off until instructed to power it on.
Cable-based failover is only available on the PIX 500 series security appliance.
To configure cable-based Active/Standby failover, perform the following steps:
Step 1 Connect the Failover cable to the PIX 500 series security appliances. Make sure that you attach the end
of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the
cable marked “Secondary” to the other unit.
Step 2 Power on the primary unit.
Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
In multiple context mode, you must configure the interface addresses from within each context. Use the
changeto context command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
a. Specify the interface to be used as the Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose.
b. Assign an active and standby IP address to the Stateful Failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note If the Stateful Failover link uses a data interface, skip this step. You have already defined the
active and standby IP addresses for the interface.
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data
interface. The active IP address always stays with the primary unit, while the standby IP address
stays with the secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 Enable failover:
hostname(config)# failover
Step 6 Power on the secondary unit and enable failover on the unit if it is not already enabled:
hostname(config)# failover
The active unit sends the configuration in running memory to the standby unit. As the configuration
synchronizes, the messages “Beginning configuration replication: sending to mate.” and “End
Configuration Replication to mate” appear on the primary console.
Step 7 Save the configuration to Flash memory on the primary unit. Because the commands entered on the
primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash
memory.
hostname(config)# copy running-config startup-config
Configuring LAN-Based Active/Standby Failover
This section describes how to configure Active/Standby failover using an Ethernet failover link. When
configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link
before the secondary device can obtain the running configuration from the primary device.
Note If you are changing from cable-based failover to LAN-based failover, you can skip any steps, such as
assigning the active and standby IP addresses for each interface, that you completed for the cable-based
failover configuration.
This section includes the following topics:
• Configuring the Primary Unit, page 14-22
• Configuring the Secondary Unit, page 14-24
Configuring the Primary Unit
Follow these steps to configure the primary unit in a LAN-based, Active/Standby failover configuration.
These steps provide the minimum configuration needed to enable failover on the primary unit. For
multiple context mode, all steps are performed in the system execution space unless otherwise noted.
To configure the primary unit in an Active/Standby failover pair, perform the following steps:
Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
In multiple context mode, you must configure the interface addresses from within each context. Use the
changeto context command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Step 2 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 3 Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
Step 4 Define the failover interface:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if
argument can be the physical port name, such as Ethernet1, or a previously created subinterface,
such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN.
b. Assign the active and standby IP address to the failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The failover link IP address and MAC address do not change at failover. The active IP address for
the failover link always stays with the primary unit, while the standby IP address stays with the
secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
Note If the Stateful Failover link uses the failover link or a data interface, then you only need to
supply the if_name argument.
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
b. Assign an active and standby IP address to the Stateful Failover link.
Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have
already defined the active and standby IP addresses for the interface.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data
interface. The active IP address always stays with the primary unit, while the standby IP address
stays with the secondary unit.
c. Enable the interface.
Note If the Stateful Failover link uses the failover link or data interface, skip this step. You have
already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 6 Enable failover:
hostname(config)# failover
Step 7 Save the system configuration to Flash memory:
hostname(config)# copy running-config startup-config
Configuring the Secondary Unit
The only configuration required on the secondary unit is for the failover interface. The secondary unit
requires these commands to initially communicate with the primary unit. After the primary unit sends
its configuration to the secondary unit, the only permanent difference between the two configurations is
the failover lan unit command, which identifies each unit as primary or secondary.
For multiple context mode, all steps are performed in the system execution space unless noted otherwise.
To configure the secondary unit, perform the following steps:
Step 1 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface. Use the same settings as you used for the primary unit.
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a name to the interface specified by the phy_if argument.
b. Assign the active and standby IP address to the failover link. To receive packets from both units in
a failover pair, standby IP addresses need to be configured on all interfaces.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note Enter this command exactly as you entered it on the primary unit when you configured the
failover interface on the primary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 3 (Optional) Designate this unit as the secondary unit:
hostname(config)# failover lan unit secondary
Note This step is optional because by default units are designated as secondary unless previously
configured.
Step 4 Enable failover:
hostname(config)# failover
After you enable failover, the active unit sends the configuration in running memory to the standby unit.
As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate”
and “End Configuration Replication to mate” appear on the active unit console.
Step 5 After the running configuration has completed replication, save the configuration to Flash memory:
hostname(config)# copy running-config startup-config
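The primary-unit and secondary-unit procedures above, carried through as one complete LAN-based Active/Standby configuration. This is an added example, not configuration from the original guide. It assumes an ASA 5500 series pair in single context, routed mode (so the PIX-only failover lan enable step does not apply), the interfaces GigabitEthernet0/0 through GigabitEthernet0/3, the logical names folink and statelink, and the hostnames and IP addresses shown; all of these values are constructed for the example.

```text
! ---- Primary unit (ASA 5500, single context, routed mode) ----
hostname asa-primary
!
! Step 1: active and standby addresses on every data interface.
! The standby address is in the same subnet as the active address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Step 3 and Step 4: this unit is primary; GigabitEthernet0/2 is the
! dedicated failover link (no nameif, no ip address, no data traffic).
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
interface GigabitEthernet0/2
 no shutdown
!
! Step 5: dedicated Stateful Failover link on GigabitEthernet0/3. The
! address is given only here, never with "ip address" on the interface.
! (Sharing the failover link instead would be "failover link folink"
! with no phy_if and no second "failover interface ip".)
failover link statelink GigabitEthernet0/3
failover interface ip statelink 172.16.255.5 255.255.255.252 standby 172.16.255.6
interface GigabitEthernet0/3
 no shutdown
!
! Step 6 and Step 7: enable failover and save.
failover
copy running-config startup-config

! ---- Secondary unit: bootstrap only; the rest is replicated ----
! The failover-link commands must match the primary unit exactly.
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover
! Wait for "End Configuration Replication to mate" on the console, then:
copy running-config startup-config
```

Only the failover lan unit line differs between the two units once replication has finished, which is why the secondary unit is bootstrapped with nothing but the failover-link settings. Leaving the failover and state links without a nameif keeps them out of the data path, so they cannot be reached from any data network and their addresses never move between units.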
Configuring Optional Active/Standby Failover Settings
You can configure the following optional Active/Standby failover settings when you are initially
configuring failover or after failover has already been configured. Unless otherwise noted, the
commands should be entered on the active unit.
This section includes the following topics:
• Enabling HTTP Replication with Stateful Failover, page 14-25
• Disabling and Enabling Interface Monitoring, page 14-25
• Configuring Interface Health Monitoring, page 14-26
• Configuring Failover Criteria, page 14-26
• Configuring Virtual MAC Addresses, page 14-26
Enabling HTTP Replication with Stateful Failover
To allow HTTP connections to be included in the state information replication, you need to enable HTTP
replication. Because HTTP connections are typically short-lived, and because HTTP clients typically
retry failed connection attempts, HTTP connections are not automatically included in the replicated state
information.
Enter the following command in global configuration mode to enable HTTP state replication when
Stateful Failover is enabled:
hostname(config)# failover replication http
Disabling and Enabling Interface Monitoring
By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can
monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by
disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you
exclude interfaces attached to less critical networks from affecting your failover policy.
For units in multiple context mode, use the following commands to enable or disable health
monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command within a context:
hostname/context(config)# no monitor-interface if_name
• To enable health monitoring for an interface, enter the following command within a context:
hostname/context(config)# monitor-interface if_name
For units in single context mode, use the following commands to enable or disable health
monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command in global configuration
mode:
hostname(config)# no monitor-interface if_name
• To enable health monitoring for an interface, enter the following command in global configuration
mode:
hostname(config)# monitor-interface if_name
Configuring Interface Health Monitoring
The security appliance sends hello packets out of each data interface to monitor interface health. If the
security appliance does not receive a hello packet from the corresponding interface on the peer unit for
over half of the hold time, then the additional interface testing begins. If a hello packet or a successful
test result is not received within the specified hold time, the interface is marked as failed. Failover occurs
if the number of failed interfaces meets the failover criteria.
Decreasing the poll and hold times enables the security appliance to detect and respond to interface
failures more quickly, but may consume more system resources.
To change the interface poll time, enter the following command in global configuration mode:
hostname(config)# failover polltime interface [msec] time [holdtime time]
Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from
500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is
missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds.
You cannot enter a hold time that is less than 5 times the poll time.
Note If the interface link is down, interface testing is not conducted and the standby unit could become active
in just one interface polling period if the number of failed interfaces meets or exceeds the configured
failover criteria.
Configuring Failover Criteria
By default, a single interface failure causes failover. You can specify a specific number of interfaces or
a percentage of monitored interfaces that must fail before a failover occurs.
To change the default failover criteria, enter the following command in global configuration mode:
hostname(config)# failover interface-policy num[%]
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When
specifying a percentage of interfaces, the num argument can be from 1 to 100.
Configuring Virtual MAC Addresses
In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active
IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for
its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from
the primary unit. The change can disrupt network traffic.
You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the
correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you
do not specify virtual MAC addresses, the failover pair uses the burned-in NIC addresses as the MAC
addresses.
Note You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP
addresses for those links do not change during failover.
Enter the following command on the active unit to configure the virtual MAC addresses for an interface:
hostname(config)# failover mac address phy_if active_mac standby_mac
The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and
standby_mac arguments are MAC addresses in H.H.H format, where each H is a 16-bit value written as
four hexadecimal digits. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac
is associated with the standby IP address for the interface.
There are multiple ways to configure virtual MAC addresses on the security appliance. When more than
one method has been used to configure virtual MAC addresses, the security appliance uses the following
order of preference to determine which virtual MAC address is assigned to an interface:
1. The address set with the mac-address command in interface configuration mode.
2. The address set with the failover mac address command.
3. The address generated by the mac-address auto command.
4. The burned-in MAC address.
Use the show interface command to display the MAC address used by an interface.
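The optional settings from this section (HTTP replication, interface monitoring, interface poll and hold times, failover criteria, and virtual MAC addresses) combined into one configuration entered on the active unit. This is an added example, not configuration from the original guide. It assumes a single context, routed mode ASA 5500 with a physical interface named lab, a subinterface named dmz, and the outside interface on GigabitEthernet0/0; the interface names and the standby MAC address 000C.F142.4CDF are constructed for the example (the active MAC address is the one the guide uses above).

```text
! Optional Active/Standby settings, active unit, global configuration mode.
!
! Include HTTP connections in the replicated state information; they are
! left out by default because they are short-lived and clients retry.
failover replication http
!
! Physical interfaces are monitored by default and subinterfaces are not.
! Drop the low-value lab network from the failover decision and add the
! dmz subinterface, which does matter.
no monitor-interface lab
monitor-interface dmz
!
! Poll every 500 ms. A 5 second hold time is the smallest value that
! satisfies both the 5 to 75 second range and the rule that the hold
! time is at least 5 times the poll time (5 x 0.5 s = 2.5 s).
failover polltime interface msec 500 holdtime 5
!
! Fail over when half of the monitored interfaces have failed instead of
! on the first single interface failure.
failover interface-policy 50%
!
! Pin the outside MAC addresses so the active IP address keeps the same
! MAC address whichever unit currently holds it.
failover mac address GigabitEthernet0/0 000C.F142.4CDE 000C.F142.4CDF
!
! Confirm which MAC address the interface is actually using; a
! mac-address command on the interface itself would take precedence.
show interface GigabitEthernet0/0
```

The poll and hold values are the trade-off the section describes: with these settings a dead peer interface is declared failed after roughly 5 seconds rather than the 25 second default, at the cost of more hello traffic and processing. The interface-policy percentage is evaluated against monitored interfaces only, so the no monitor-interface line above also changes the denominator of that percentage.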
Configuring Active/Active Failover
This section describes how to configure Active/Active failover.
Note Active/Active failover is not available on the ASA 5505 series adaptive security appliance.
This section includes the following topics:
• Prerequisites, page 14-27
• Configuring Cable-Based Active/Active Failover (PIX security appliance), page 14-27
• Configuring LAN-Based Active/Active Failover, page 14-29
• Configuring Optional Active/Active Failover Settings, page 14-33
Prerequisites
Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in multiple context mode.
Configuring Cable-Based Active/Active Failover (PIX security appliance)
Follow these steps to configure Active/Active failover using a serial cable as the failover link. The
commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit
that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the
commands are entered in the system execution space unless otherwise noted.
You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover.
Leave the secondary unit powered off until instructed to power it on.
Cable-based failover is only available on the PIX 500 series security appliance.
To configure cable-based, Active/Active failover, perform the following steps:
Step 1 Connect the failover cable to the PIX 500 series security appliances. Make sure that you attach the end
of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the
cable marked “Secondary” to the unit you use as the secondary unit.
Step 2 Power on the primary unit.
Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be
configured on all interfaces. The standby IP address is used on the security appliance that is currently
the standby unit, and it must be in the same subnet as the active IP address.
You must configure the interface addresses from within each context. Use the changeto context
command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. You must enter a
management IP address for each context in transparent firewall multiple context mode.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname/context(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
b. Assign an active and standby IP address to the Stateful Failover link:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask.
The Stateful Failover link IP address and MAC address do not change at failover except for when
Stateful Failover uses a regular data interface. The active IP address always stays with the primary
unit, while the standby IP address stays with the secondary unit.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 5 Configure the failover groups. You can have at most two failover groups. The failover group command
creates the specified failover group if it does not exist and enters the failover group configuration mode.
For each failover group, you need to specify whether the failover group has primary or secondary
preference using the primary or secondary command. You can assign the same preference to both
failover groups. For load balancing configurations, you should assign each failover group a different unit
preference.
The following example assigns failover group 1 a primary preference and failover group 2 a secondary
preference:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# exit
Step 6 Assign each user context to a failover group using the join-failover-group command in context
configuration mode.
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a
member of failover group 1.
Enter the following commands to assign each context to a failover group:
hostname(config)# context context_name
hostname(config-context)# join-failover-group {1 | 2}
hostname(config-context)# exit
Step 7 Enable failover:
hostname(config)# failover
Step 8 Power on the secondary unit and enable failover on the unit if it is not already enabled:
hostname(config)# failover
The active unit sends the configuration in running memory to the standby unit. As the configuration
synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End
Configuration Replication to mate” appear on the primary console.
Step 9 Save the configuration to Flash memory on the primary unit. Because the commands entered on the
primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash
memory.
hostname(config)# copy running-config startup-config
Step 10 If necessary, force any failover group that is active on the primary to the active state on the secondary.
To force a failover group to become active on the secondary unit, issue the following command in the
system execution space on the primary unit:
hostname# no failover active group group_id
The group_id argument specifies the group you want to become active on the secondary unit.
Configuring LAN-Based Active/Active Failover
This section describes how to configure Active/Active failover using an Ethernet failover link. When
configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link
before the secondary device can obtain the running configuration from the primary device.
This section includes the following topics:
• Configure the Primary Unit, page 14-30
• Configure the Secondary Unit, page 14-32
Configure the Primary Unit
To configure the primary unit in an Active/Active failover configuration, perform the following steps:
Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface
(routed mode), for the management IP address (transparent mode), or for the management-only
interface. To receive packets from both units in a failover pair, standby IP addresses need to be configured
on all interfaces. The standby IP address is used on the security appliance that is currently the standby
unit, and it must be in the same subnet as the active IP address.
You must configure the interface addresses from within each context. Use the changeto context
command to switch between contexts. The command prompt changes to
hostname/context(config-if)#, where context is the name of the current context. In transparent
firewall mode, you must enter a management IP address for each context.
Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated
Stateful Failover interface. You use the failover interface ip command to configure a dedicated
Stateful Failover interface in a later step.
hostname/context(config-if)# ip address active_addr netmask standby standby_addr
In routed firewall mode and for the management-only interface, this command is entered in interface
configuration mode for each interface. In transparent firewall mode, the command is entered in global
configuration mode.
Step 2 Configure the basic failover parameters in the system execution space.
a. (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
b. Designate the unit as the primary unit:
hostname(config)# failover lan unit primary
c. Specify the failover link:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the
Stateful Failover link).
d. Specify the failover link active and standby IP addresses:
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby IP address subnet mask. The failover link IP address and MAC address do not
change at failover. The active IP address always stays with the primary unit, while the standby IP
address stays with the secondary unit.
Step 3 (Optional) To enable Stateful Failover, configure the Stateful Failover link:
a. Specify the interface to be used as Stateful Failover link:
hostname(config)# failover link if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except,
optionally, the failover link).
Note If the Stateful Failover link uses the failover link or a regular data interface, then you only
need to supply the if_name argument.
b. Assign an active and standby IP address to the Stateful Failover link.
Note If the Stateful Failover link uses the failover link or a regular data interface, skip this step.
You have already defined the active and standby IP addresses for the interface.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
The state link IP address and MAC address do not change at failover. The active IP address always
stays with the primary unit, while the standby IP address stays with the secondary unit.
c. Enable the interface.
Note If the Stateful Failover link uses the failover link or regular data interface, skip this step. You
have already enabled the interface.
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 4 Configure the failover groups. You can have at most two failover groups. The failover group command
creates the specified failover group if it does not exist and enters the failover group configuration mode.
For each failover group, specify whether the failover group has primary or secondary preference using
the primary or secondary command. You can assign the same preference to both failover groups. For
load balancing configurations, you should assign each failover group a different unit preference.
The following example assigns failover group 1 a primary preference and failover group 2 a secondary
preference:
hostname(config)# failover group 1
hostname(config-fover-group)# primary
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# exit
Step 5 Assign each user context to a failover group using the join-failover-group command in context
configuration mode.
Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a
member of failover group 1.
Enter the following commands to assign each context to a failover group:
hostname(config)# context context_name
hostname(config-context)# join-failover-group {1 | 2}
hostname(config-context)# exit
Step 6 Enable failover:
hostname(config)# failover
Configure the Secondary Unit
When configuring LAN-based Active/Active failover, you need to bootstrap the secondary unit to
recognize the failover link. This allows the secondary unit to communicate with and receive the running
configuration from the primary unit.
To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:
Step 1 (PIX security appliance only) Enable LAN-based failover:
hostname(config)# failover lan enable
Step 2 Define the failover interface. Use the same settings as you used for the primary unit:
a. Specify the interface to be used as the failover interface:
hostname(config)# failover lan interface if_name phy_if
The if_name argument assigns a logical name to the interface specified by the phy_if argument. The
phy_if argument can be the physical port name, such as Ethernet1, or a previously created
subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if
specifies a VLAN.
b. Assign the active and standby IP address to the failover link. To receive packets from both units in
a failover pair, standby IP addresses need to be configured on all interfaces.
hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr
Note Enter this command exactly as you entered it on the primary unit when you configured the
failover interface.
The standby IP address must be in the same subnet as the active IP address. You do not need to
identify the standby address subnet mask.
c. Enable the interface:
hostname(config)# interface phy_if
hostname(config-if)# no shutdown
Step 3 (Optional) Designate this unit as the secondary unit:
hostname(config)# failover lan unit secondary
Note This step is optional because by default units are designated as secondary unless previously
configured otherwise.
Step 4 Enable failover:
hostname(config)# failover
After you enable failover, the active unit sends the configuration in running memory to the standby unit.
As the configuration synchronizes, the messages Beginning configuration replication: Sending to
mate and End Configuration Replication to mate appear on the active unit console.
Step 5 After the running configuration has completed replication, enter the following command to save the
configuration to Flash memory:
hostname(config)# copy running-config startup-config
Step 6 If necessary, force any failover group that is active on the primary to the active state on the secondary
unit. To force a failover group to become active on the secondary unit, enter the following command in
the system execution space on the primary unit:
hostname# no failover active group group_id
The group_id argument specifies the group you want to become active on the secondary unit.
Configuring Optional Active/Active Failover Settings
The following optional Active/Active failover settings can be configured when you are initially
configuring failover or after you have already established failover. Unless otherwise noted, the
commands should be entered on the unit that has failover group 1 in the active state.
This section includes the following topics:
• Configuring Failover Group Preemption, page 14-33
• Enabling HTTP Replication with Stateful Failover, page 14-34
• Disabling and Enabling Interface Monitoring, page 14-34
• Configuring Interface Health Monitoring, page 14-34
• Configuring Failover Criteria, page 14-34
• Configuring Virtual MAC Addresses, page 14-35
• Configuring Asymmetric Routing Support, page 14-35
Configuring Failover Group Preemption
Assigning a primary or secondary priority to a failover group specifies which unit the failover group
becomes active on when both units boot simultaneously. However, if one unit boots before the other, then
both failover groups become active on that unit. When the other unit comes online, any failover groups
that have the unit as a priority do not become active on that unit unless manually forced over, a failover
occurs, or the failover group is configured with the preempt command. The preempt command causes
a failover group to become active on the designated unit automatically when that unit becomes available.
Enter the following commands to configure preemption for the specified failover group:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# preempt [delay]
You can enter an optional delay value, which specifies the number of seconds the failover group remains
active on the current unit before automatically becoming active on the designated unit.
Enabling HTTP Replication with Stateful Failover
To allow HTTP connections to be included in the state information, you need to enable HTTP
replication. Because HTTP connections are typically short-lived, and because HTTP clients typically
retry failed connection attempts, HTTP connections are not automatically included in the replicated state
information. You can use the replication http command to cause a failover group to replicate HTTP state
information when Stateful Failover is enabled.
To enable HTTP state replication for a failover group, enter the following command. This command only
affects the failover group in which it was configured. To enable HTTP state replication for both failover
groups, you must enter this command in each group. This command should be entered in the system
execution space.
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# replication http
Disabling and Enabling Interface Monitoring
You can monitor up to 250 interfaces on a unit. By default, monitoring of physical interfaces is enabled
and the monitoring of subinterfaces is disabled. You can control which interfaces affect your failover
policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets
you exclude interfaces attached to less critical networks from affecting your failover policy.
To disable health monitoring on an interface, enter the following command within a context:
hostname/context(config)# no monitor-interface if_name
To enable health monitoring on an interface, enter the following command within a context:
hostname/context(config)# monitor-interface if_name
Configuring Interface Health Monitoring
The security appliance sends hello packets out of each data interface to monitor interface health. If the
security appliance does not receive a hello packet from the corresponding interface on the peer unit for
over half of the hold time, then the additional interface testing begins. If a hello packet or a successful
test result is not received within the specified hold time, the interface is marked as failed. Failover occurs
if the number of failed interfaces meets the failover criteria.
Decreasing the poll and hold times enables the security appliance to detect and respond to interface
failures more quickly, but may consume more system resources.
To change the default interface poll time, enter the following commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# polltime interface seconds
Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from
500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is
missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds.
You cannot enter a hold time that is less than 5 times the poll time.
Configuring Failover Criteria
By default, failover occurs if a single interface fails. You can instead specify a number of interfaces or
a percentage of monitored interfaces that must fail before failover occurs. The failover criteria are
specified per failover group.
To change the default failover criteria for the specified failover group, enter the following commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# interface-policy num[%]
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When
specifying a percentage of interfaces, the num argument can be from 1 to 100.
Configuring Virtual MAC Addresses
Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual
MAC addresses, then they are computed as follows:
• Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
• Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.
Note If you have more than one Active/Active failover pair on the same network, it is possible to have the
same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the
interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To
avoid having duplicate MAC addresses on your network, make sure you assign each physical interface
a virtual active and standby MAC address for all failover groups.
You can configure specific active and standby MAC addresses for an interface by entering the following
commands:
hostname(config)# failover group {1 | 2}
hostname(config-fover-group)# mac address phy_if active_mac standby_mac
The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and
standby_mac arguments are MAC addresses in H.H.H format, where H is a 16-bit hexadecimal digit. For
example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
The active_mac address is associated with the active IP address for the interface, and the standby_mac
is associated with the standby IP address for the interface.
There are multiple ways to configure virtual MAC addresses on the security appliance. When more than
one method has been used to configure virtual MAC addresses, the security appliance uses the following
order of preference to determine which virtual MAC address is assigned to an interface:
1. The address set with the mac-address command (in interface configuration mode).
2. The address set with the failover mac address command.
3. The address generated by the mac-address auto command.
4. The automatically generated failover MAC address.
Use the show interface command to display the MAC address used by an interface.
Configuring Asymmetric Routing Support
When running in Active/Active failover, a unit may receive a return packet for a connection that
originated through its peer unit. Because the security appliance that receives the packet does not have
any connection information for the packet, the packet is dropped. This most commonly occurs when the
two security appliances in an Active/Active failover pair are connected to different service providers and
the outbound connection does not use a NAT address.
You can prevent the return packets from being dropped using the asr-group command on interfaces
where this is likely to occur. When an interface configured with the asr-group command receives a
packet for which it has no session information, it checks the session information for the other interfaces
that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one
of the following actions occurs:
• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and
the packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, some or all of the layer
2 header is rewritten and the packet is reinjected into the stream.
Note Using the asr-group command to configure asymmetric routing support is more secure than using the
static command with the nailed option.
The asr-group command does not provide asymmetric routing; it restores asymmetrically routed packets
to the correct interface.
Prerequisites
You must have the following configured for asymmetric routing support to function properly:
• Active/Active Failover
• Stateful Failover—passes state information for sessions on interfaces in the active failover group to
the standby failover group.
• replication http—HTTP session state information is not passed to the standby failover group by default,
and therefore is not present on the standby interface. For the security appliance to be able to re-route
asymmetrically routed HTTP packets, you need to replicate the HTTP state information.
You can configure the asr-group command on an interface without having failover configured, but it
does not have any effect until Stateful Failover is enabled.
Configuring Support for Asymmetrically Routed Packets
To configure support for asymmetrically routed packets, perform the following steps:
Step 1 Configure Active/Active Stateful Failover for the failover pair. See Configuring Active/Active Failover,
page 14-27.
Step 2 For each interface that you want to participate in asymmetric routing support enter the following
command. You must enter the command on the unit where the context is in the active state so that the
command is replicated to the standby failover group. For more information about command replication,
see Command Replication, page 14-12.
hostname/ctx(config)# interface phy_if
hostname/ctx(config-if)# asr-group num
Valid values for num range from 1 to 32. You need to enter the command for each interface that
participates in the asymmetric routing group. You can view the number of ASR packets transmitted,
received, or dropped by an interface using the show interface detail command. You can have more than
one ASR group configured on the security appliance, but only one per interface. Only members of the
same ASR group are checked for session information.
Example
Figure 14-1 shows an example of using the asr-group command for asymmetric routing support.
Figure 14-1 ASR Example
[Figure: SecAppA (outside addresses 192.168.1.1 and 192.168.2.1) and SecAppB (outside addresses 192.168.2.2 and 192.168.1.2) are joined by a Failover/State link and share the inside network. SecAppA connects to ISP A and SecAppB to ISP B; Outbound Traffic leaves through SecAppA and Return Traffic comes back through SecAppB.]
The two units have the following configuration (configurations show only the relevant commands). The
device labeled SecAppA in the diagram is the primary unit in the failover pair.
Example 14-1 Primary Unit System Configuration
hostname primary
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
no shutdown
interface GigabitEthernet0/3
no shutdown
interface GigabitEthernet0/4
no shutdown
interface GigabitEthernet0/5
no shutdown
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover group 1
primary
failover group 2
secondary
admin-context admin
context admin
description admin
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url flash:/admin.cfg
join-failover-group 1
context ctx1
description context 1
allocate-interface GigabitEthernet0/4
allocate-interface GigabitEthernet0/5
config-url flash:/ctx1.cfg
join-failover-group 2
Example 14-2 admin Context Configuration
hostname SecAppA
interface GigabitEthernet0/2
nameif outsideISP-A
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
asr-group 1
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outsideISP-A
Example 14-3 ctx1 Context Configuration
hostname SecAppB
interface GigabitEthernet0/4
nameif outsideISP-B
security-level 0
ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
asr-group 1
interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 10.2.20.1 255.255.255.0 standby 10.2.20.11
Figure 14-1 on page 14-37 shows the ASR support working as follows:
1. An outbound session passes through security appliance SecAppA. It exits interface outsideISP-A
(192.168.1.1).
2. Because of asymmetric routing configured somewhere upstream, the return traffic comes back
through the interface outsideISP-B (192.168.2.2) on security appliance SecAppB.
3. Normally the return traffic would be dropped because there is no session information for the traffic
on interface 192.168.2.2. However, the interface is configured with the command asr-group 1. The
unit looks for the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby
state on the unit SecAppB. Stateful Failover replicated the session information from SecAppA to
SecAppB.
5. Instead of being dropped, the layer 2 header is re-written with information for interface 192.168.1.1
and the traffic is redirected out of the interface 192.168.1.2, where it can then return through the
interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues
as needed until the session ends.
Configuring Unit Health Monitoring
The security appliance sends hello packets over the failover interface to monitor unit health. If the
standby unit does not receive a hello packet from the active unit for two consecutive polling periods, it
sends additional testing packets through the remaining device interfaces. If a hello packet or a response
to the interface test packets is not received within the specified hold time, the standby unit becomes
active.
You can configure the frequency of hello messages when monitoring unit health. Decreasing the poll
time allows a unit failure to be detected more quickly, but consumes more system resources.
To change the unit poll time, enter the following command in global configuration mode:
hostname(config)# failover polltime [msec] time [holdtime [msec] time]
You can configure the polling frequency from 1 to 15 seconds or, if the optional msec keyword is used,
from 200 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet
is missed to when failover occurs. The hold time must be at least 3 times the poll time. You can configure
the hold time from 1 to 45 seconds or, if the optional msec keyword is used, from 800 to 990
milliseconds.
Setting the security appliance to use the minimum poll and hold times allows it to detect and respond to
unit failures in under a second, but it also increases system resource usage and can cause false failure
detection in cases where the networks are congested or where the security appliance is running near full
capacity.
Configuring Failover Communication Authentication/Encryption
You can encrypt and authenticate the communication between failover peers by specifying a shared
secret or hexadecimal key.
Note On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect
the units, then communication over the failover link is not encrypted even if a failover key is configured.
The failover key only encrypts LAN-based failover communication.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure
the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend
securing the failover communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
Enter the following command on the active unit of an Active/Standby failover pair or on the unit that has
failover group 1 in the active state of an Active/Active failover pair:
hostname(config)# failover key {secret | hex key}
The secret argument specifies a shared secret that is used to generate the encryption key. It can be from
1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex
key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9,
a-f).
Note To prevent the failover key from being replicated to the peer unit in clear text for an existing failover
configuration, disable failover on the active unit (or in the system execution space on the unit that has
failover group 1 in the active state), enter the failover key on both units, and then re-enable failover.
When failover is re-enabled, the failover communication is encrypted with the key.
For new LAN-based failover configurations, the failover key command should be part of the failover
pair bootstrap configuration.
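The limits stated in the health-monitoring, failover-criteria and failover-key sections above can be checked mechanically against a running configuration. The following Python is an added example (not from the guide or any Cisco tool) that audits a constructed configuration excerpt; it assumes the one-space sub-command indentation of ASA running-config output.

```python
"""Audit an ASA failover configuration excerpt against the limits this chapter states.
Added example, not from the guide or any Cisco tool; the excerpt below is constructed
in the style of Example 14-1 and assumes the one-space sub-command indentation of
ASA running-config output."""
import re

# Constructed excerpt (not from the guide). It deliberately has no 'failover key',
# a unit hold time below 3x the poll time, and an out-of-range group interface poll time.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover polltime msec 300 holdtime msec 800
failover group 1
 primary
 polltime interface 3
 interface-policy 50%
failover group 2
 secondary
 polltime interface msec 400
 replication http
"""


def _ms(value, msec_flag):
    """Convert a CLI time value to milliseconds; msec_flag is the matched 'msec ' keyword or None."""
    return int(value) if msec_flag else int(value) * 1000


def check_unit_polltime(line):
    """Validate 'failover polltime [msec] time [holdtime [msec] time]' (Configuring Unit Health
    Monitoring): poll 1-15 s or 200-999 ms, hold 1-45 s or 800-990 ms, hold >= 3x poll."""
    m = re.match(r"failover polltime (msec )?(\d+)(?: holdtime (msec )?(\d+))?$", line.strip())
    if not m:
        return [f"unit polltime line not understood: {line.strip()}"]
    findings = []
    poll = _ms(m.group(2), m.group(1))
    lo, hi = (200, 999) if m.group(1) else (1000, 15000)
    if not lo <= poll <= hi:
        findings.append(f"unit poll time {poll} ms outside allowed range")
    if m.group(4):
        hold = _ms(m.group(4), m.group(3))
        lo, hi = (800, 990) if m.group(3) else (1000, 45000)
        if not lo <= hold <= hi:
            findings.append(f"unit hold time {hold} ms outside allowed range")
        if hold < 3 * poll:
            findings.append(f"unit hold time {hold} ms is less than 3x poll time {poll} ms")
    return findings


def check_group_line(group, line):
    """Validate one failover-group sub-command: 'polltime interface' (1-15 s or 500-999 ms)
    and 'interface-policy num[%]' (1-250 interfaces or 1-100 percent)."""
    findings = []
    m = re.match(r"polltime interface (msec )?(\d+)$", line)
    if m:
        poll = _ms(m.group(2), m.group(1))
        lo, hi = (500, 999) if m.group(1) else (1000, 15000)
        if not lo <= poll <= hi:
            findings.append(f"group {group}: interface poll time {poll} ms outside allowed range")
    m = re.match(r"interface-policy (\d+)(%?)$", line)
    if m:
        num, hi = int(m.group(1)), (100 if m.group(2) else 250)
        if not 1 <= num <= hi:
            findings.append(f"group {group}: interface-policy {m.group(1)}{m.group(2)} outside 1-{hi}")
    return findings


def audit_config(text):
    """Walk the configuration once and return all findings in the order they are detected."""
    findings = []
    failover_enabled = key_present = False
    group = None  # failover group whose sub-commands are currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            group = None  # any top-level command ends failover group configuration mode
        if line == "failover":
            failover_enabled = True
        elif line.startswith("failover key "):
            key_present = True
        elif line.startswith("failover polltime"):
            findings += check_unit_polltime(line)
        elif re.fullmatch(r"failover group [12]", line):
            group = int(line.split()[-1])
        elif group is not None:
            findings += check_group_line(group, line)
    if failover_enabled and not key_present:
        findings.append("failover enabled without 'failover key': failover and state "
                        "traffic (including any VPN credentials) are sent in clear text")
    return findings
```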
Verifying the Failover Configuration
This section describes how to verify your failover configuration. This section includes the following
topics:
• Using the show failover Command, page 14-40
• Viewing Monitored Interfaces, page 14-48
• Displaying the Failover Commands in the Running Configuration, page 14-48
• Testing the Failover Functionality, page 14-49
Using the show failover Command
This section describes the show failover command output. On each unit you can verify the failover status
by entering the show failover command. The information displayed depends upon whether you are using
Active/Standby or Active/Active failover.
This section includes the following topics:
• show failover—Active/Standby, page 14-40
• show failover—Active/Active, page 14-44
show failover—Active/Standby
The following is sample output from the show failover command for Active/Standby Failover.
Table 14-7 provides descriptions for the information shown.
hostname# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: fover Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Last Failover at: 22:44:03 UTC Dec 8 2004
This host: Primary - Active
Active time: 13434 (sec)
Interface inside (10.130.9.3): Normal
Interface outside (10.132.9.3): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface inside (10.130.9.4): Normal
Interface outside (10.132.9.4): Normal
Stateful Failover Logical Update Statistics
Link : fover Ethernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1950 0 1733 0
sys cmd 1733 0 1733 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 6 0 0 0
UDP conn 0 0 0 0
ARP tbl 106 0 0 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 15 0 0 0
VPN IPSEC upd 90 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 2 1733
Xmit Q: 0 2 15225
In multiple context mode, using the show failover command in a security context displays the failover
information for that context. The information is similar to the information shown when using the
command in single context mode. Instead of showing the active/standby status of the unit, it displays the
active/standby status of the context. Table 14-7 provides descriptions for the information shown.
Failover On
Last Failover at: 04:03:11 UTC Jan 4 2003
This context: Negotiation
Active time: 1222 (sec)
Interface outside (192.168.5.121): Normal
Interface inside (192.168.0.1): Normal
Peer context: Not Detected
Active time: 0 (sec)
Interface outside (192.168.5.131): Normal
Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 99 0 0 0
UDP conn 0 0 0 0
ARP tbl 22 0 0 0
Xlate_Timeout 0 0 0 0
GTP PDP 0 0 0 0
GTP PDPMCB 0 0 0 0
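As an added example (not from the guide or any Cisco tool), the following Python parses the single-context show failover output shown above and flags the conditions an operator would act on: a peer that is neither Active nor Standby Ready, any monitored interface whose status is not Normal, and non-zero xerr or rerr counters. HEALTHY is an abridged copy of the Active/Standby output above; DEGRADED is a constructed variant of it.

```python
"""Parse single-context 'show failover' output and flag what an operator should act on.
Added example, not from the guide or any Cisco tool. HEALTHY is an abridged copy of the
Active/Standby output shown in this section; DEGRADED is a constructed variant."""
import re

HEALTHY = """\
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: fover Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Last Failover at: 22:44:03 UTC Dec 8 2004
    This host: Primary - Active
        Active time: 13434 (sec)
        Interface inside (10.130.9.3): Normal
        Interface outside (10.132.9.3): Normal
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        Interface inside (10.130.9.4): Normal
        Interface outside (10.132.9.4): Normal

Stateful Failover Logical Update Statistics
    Link : fover Ethernet2 (up)
    Stateful Obj xmit xerr rcv rerr
    General 1950 0 1733 0
    sys cmd 1733 0 1733 0
    TCP conn 6 0 0 0
"""

# Constructed (not from the guide): peer failed, one peer interface lost link, transmit errors.
DEGRADED = (HEALTHY
            .replace("Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")
            .replace("Interface outside (10.132.9.4): Normal", "Interface outside (10.132.9.4): No Link")
            .replace("TCP conn 6 0 0 0", "TCP conn 6 4 0 0"))

HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")
# Stateful object rows end in four integer columns: xmit xerr rcv rerr (Table 14-7).
STAT_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_show_failover(text):
    """Return failover on/off, each host's role/state/interfaces, and the stateful counters."""
    result = {"failover_on": None, "hosts": {}, "stats": {}}
    current = None  # "This" or "Other": interface lines belong to the most recent host line
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            result["failover_on"] = line.endswith("On")
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            result["hosts"][current] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            result["hosts"][current]["interfaces"][m.group(1)] = m.group(3)
            continue
        m = STAT_RE.match(line)
        if m:
            xmit, xerr, rcv, rerr = (int(v) for v in m.groups()[1:])
            result["stats"][m.group(1)] = {"xmit": xmit, "xerr": xerr, "rcv": rcv, "rerr": rerr}
    return result


def assess(parsed):
    """Return findings an operator should act on; an empty list means the pair looks healthy."""
    findings = []
    if parsed["failover_on"] is False:
        findings.append("failover is Off")
    other = parsed["hosts"].get("Other")
    if other and other["state"] not in ("Active", "Standby Ready"):
        findings.append(f"peer unit state is '{other['state']}'")
    for host, info in parsed["hosts"].items():
        for name, state in info["interfaces"].items():
            if state != "Normal":  # Failed, No Link, Link Down, Unknown or Waiting per Table 14-7
                findings.append(f"{host} host interface {name}: {state}")
    for obj, c in parsed["stats"].items():
        if c["xerr"] or c["rerr"]:
            findings.append(f"stateful update errors for {obj}: xerr={c['xerr']} rerr={c['rerr']}")
    return findings
```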
Table 14-7 Show Failover Display Description
Failover
  • On
  • Off
Cable status:
  • Normal—The cable is connected to both units, and they both have power.
  • My side not connected—The serial cable is not connected to this unit. It is unknown if the cable is connected to the other unit.
  • Other side is not connected—The serial cable is connected to this unit, but not to the other unit.
  • Other side powered off—The other unit is turned off.
  • N/A—LAN-based failover is enabled.
Failover Unit
  Primary or Secondary.
Failover LAN Interface
  Displays the logical and physical name of the failover link.
Unit Poll frequency
  Displays the number of seconds between hello messages sent to the peer unit and the number of seconds during which the unit must receive a hello message on the failover link before declaring the peer failed.
Interface Poll frequency
  n seconds. The number of seconds you set with the failover polltime interface command. The default is 15 seconds.
Interface Policy
  Displays the number or percentage of interfaces that must fail to trigger failover.
Monitored Interfaces
  Displays the number of interfaces monitored out of the maximum possible.
failover replication http
  Displays if HTTP state replication is enabled for Stateful Failover.
Last Failover at:
  The date and time of the last failover in the following form: hh:mm:ss UTC DayName Month Day yyyy. UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich Mean Time).
This host: / Other host:
  For each host, the display shows the following information.
  Primary or Secondary
    • Active
    • Standby
  Active time: n (sec)
    The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value.
  slot x
    Information about the module in the slot or empty.
  Interface name (n.n.n.n):
    For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:
    • Failed—The interface has failed.
    • No Link—The interface line protocol is down.
    • Normal—The interface is working correctly.
    • Link Down—The interface has been administratively shut down.
    • Unknown—The security appliance cannot determine the status of the interface.
    • Waiting—Monitoring of the network interface on the other unit has not yet started.
Stateful Failover Logical Update Statistics
  The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, the Stateful Failover statistics are shown.
Link
  • interface_name—The interface used for the Stateful Failover link.
  • Unconfigured—You are not using Stateful Failover.
  • up—The interface is up and functioning.
  • down—The interface is either administratively shutdown or is physically down.
  • failed—The interface has failed and is not passing stateful data.
Stateful Obj
  For each field type, the following statistics are shown. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.
  • xmit—Number of transmitted packets to the other unit.
  • xerr—Number of errors that occurred while transmitting packets to the other unit.
  • rcv—Number of received packets.
  • rerr—Number of errors that occurred while receiving packets from the other unit.
General
  Sum of all stateful objects.
sys cmd
  Logical update system commands; for example, LOGIN and Stay Alive.
up time
  Up time, which the active unit passes to the standby unit.
RPC services
  Remote Procedure Call connection information.
TCP conn
  TCP connection information.
UDP conn
  Dynamic UDP connection information.
ARP tbl
  Dynamic ARP table information.
L2BRIDGE tbl
  Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout
  Indicates connection translation timeout information.
VPN IKE upd
  IKE connection information.
VPN IPSEC upd
  IPSec connection information.
VPN CTCP upd
  cTCP tunnel connection information.
VPN SDI upd
  SDI AAA connection information.
VPN DHCP upd
  Tunneled DHCP connection information.
GTP PDP
  GTP PDP update information. This information appears only if inspect GTP is enabled.
GTP PDPMCB
  GTP PDPMCB update information. This information appears only if inspect GTP is enabled.
Logical Update Queue Information
  For each field type, the following statistics are used:
  • Cur—Current number of packets
  • Max—Maximum number of packets
  • Total—Total number of packets
Recv Q
  The status of the receive queue.
Xmit Q
  The status of the transmit queue.
show failover—Active/Active
The following is sample output from the show failover command for Active/Active Failover. Table 14-8
provides descriptions for the information shown.
hostname# show failover
Failover On
Failover unit Primary
Failover LAN Interface: third GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 4 seconds
Interface Policy 1
Monitored Interfaces 8 of 250 maximum
failover replication http
Group 1 last failover at: 13:40:18 UTC Dec 9 2004
Group 2 last failover at: 13:40:06 UTC Dec 9 2004
This host: Primary
Group 1 State: Active
Active time: 2896 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
admin Interface outside (10.132.8.5): Normal
admin Interface third (10.132.9.5): Normal
admin Interface inside (10.130.8.5): Normal
admin Interface fourth (10.130.9.5): Normal
ctx1 Interface outside (10.1.1.1): Normal
ctx1 Interface inside (10.2.2.1): Normal
ctx2 Interface outside (10.3.3.2): Normal
ctx2 Interface inside (10.4.4.2): Normal
Other host: Secondary
14-45
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Chapter 14 Configuring Failover
Configuring Failover
Group 1 State: Standby Ready
Active time: 190 (sec)
Group 2 State: Active
Active time: 3322 (sec)
slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
admin Interface outside (10.132.8.6): Normal
admin Interface third (10.132.9.6): Normal
admin Interface inside (10.130.8.6): Normal
admin Interface fourth (10.130.9.6): Normal
ctx1 Interface outside (10.1.1.2): Normal
ctx1 Interface inside (10.2.2.2): Normal
ctx2 Interface outside (10.3.3.1): Normal
ctx2 Interface inside (10.4.4.1): Normal
Stateful Failover Logical Update Statistics
Link : third GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 1973 0 1895 0
sys cmd 380 0 380 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 1435 0 1450 0
UDP conn 0 0 0 0
ARP tbl 124 0 65 0
Xlate_Timeout 0 0 0 0
VPN IKE upd 15 0 0 0
VPN IPSEC upd 90 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 1 1895
Xmit Q: 0 0 1940
The following is sample output from the show failover group command for Active/Active Failover. The
information displayed is similar to that of the show failover command, but limited to the specified
group. Table 14-8 provides descriptions for the information shown.
hostname# show failover group 1
Last Failover at: 04:09:59 UTC Jan 4 2005
This host: Secondary
State: Active
Active time: 186 (sec)
admin Interface outside (192.168.5.121): Normal
admin Interface inside (192.168.0.1): Normal
Other host: Primary
State: Standby
Active time: 0 (sec)
admin Interface outside (192.168.5.131): Normal
admin Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
RPC services 0 0 0 0
TCP conn 33 0 0 0
UDP conn 0 0 0 0
ARP tbl 12 0 0 0
Xlate_Timeout 0 0 0 0
GTP PDP 0 0 0 0
GTP PDPMCB 0 0 0 0
Table 14-8 Show Failover Display Description
Field | Options
Failover | • On
• Off
Failover Unit | Primary or Secondary.
Failover LAN Interface | Displays the logical and physical name of the failover link.
Unit Poll frequency | Displays the number of seconds between hello messages sent to the peer unit and the number of seconds during which the unit must receive a hello message on the failover link before declaring the peer failed.
Interface Poll frequency | n seconds. The number of seconds you set with the failover polltime interface command. The default is 15 seconds.
Interface Policy | Displays the number or percentage of interfaces that must fail before triggering failover.
Monitored Interfaces | Displays the number of interfaces monitored out of the maximum possible.
Group 1 Last Failover at:, Group 2 Last Failover at: | The date and time of the last failover for each group in the following form: hh:mm:ss UTC DayName Month Day yyyy. UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich Mean Time).
This host:, Other host: | For each host, the display shows the following information.
Role | Primary or Secondary
System State | • Active or Standby Ready
• Active Time in seconds
Group 1 State, Group 2 State | • Active or Standby Ready
• Active Time in seconds
slot x | Information about the module in the slot or empty.
context Interface name (n.n.n.n): | For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:
• Failed—The interface has failed.
• No link—The interface line protocol is down.
• Normal—The interface is working correctly.
• Link Down—The interface has been administratively shut down.
• Unknown—The security appliance cannot determine the status of the interface.
• Waiting—Monitoring of the network interface on the other unit has not yet started.
Stateful Failover Logical Update Statistics | The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, the Stateful Failover statistics are shown.
Link | • interface_name—The interface used for the Stateful Failover link.
• Unconfigured—You are not using Stateful Failover.
• up—The interface is up and functioning.
• down—The interface is either administratively shutdown or is physically down.
• failed—The interface has failed and is not passing stateful data.
Stateful Obj | For each field type, the following statistics are used. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.
• xmit—Number of transmitted packets to the other unit
• xerr—Number of errors that occurred while transmitting packets to the other unit
• rcv—Number of received packets
• rerr—Number of errors that occurred while receiving packets from the other unit
General | Sum of all stateful objects.
sys cmd | Logical update system commands; for example, LOGIN and Stay Alive.
up time | Up time, which the active unit passes to the standby unit.
RPC services | Remote Procedure Call connection information.
TCP conn | TCP connection information.
UDP conn | Dynamic UDP connection information.
ARP tbl | Dynamic ARP table information.
L2BRIDGE tbl | Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout | Indicates connection translation timeout information.
VPN IKE upd | IKE connection information.
VPN IPSEC upd | IPSec connection information.
VPN CTCP upd | cTCP tunnel connection information.
VPN SDI upd | SDI AAA connection information.
VPN DHCP upd | Tunneled DHCP connection information.
GTP PDP | GTP PDP update information. This information appears only if inspect GTP is enabled.
GTP PDPMCB | GTP PDPMCB update information. This information appears only if inspect GTP is enabled.
Logical Update Queue Information | For each field type, the following statistics are used:
• Cur—Current number of packets
• Max—Maximum number of packets
• Total—Total number of packets
Recv Q | The status of the receive queue.
Xmit Q | The status of the transmit queue.
Viewing Monitored Interfaces
To view the status of monitored interfaces, enter the following command. In single context mode, enter this command in global configuration mode. In multiple context mode, enter this command within a context.
primary/context(config)# show monitor-interface
For example:
hostname/context(config)# show monitor-interface
This host: Primary - Active
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.91): Normal
Other host: Secondary - Standby
Interface outside (192.168.1.3): Normal
Interface inside (10.1.1.100): Normal
Displaying the Failover Commands in the Running Configuration
To view the failover commands in the running configuration, enter the following command:
hostname(config)# show running-config failover
All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.
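As an added example (not from this guide), the following Python parses show failover output into the fields Tables 14-7 and 14-8 describe and reports what an operator would act on: failover not On, a missing or down stateful link, an interface state other than Normal, a failover group Active on more or fewer than one unit, and non-zero xerr/rerr counters. The sample input is the Active/Active output from this section, trimmed, with one interface state changed to Waiting so the interface check has something to report.

```python
"""Parse 'show failover' output and report conditions worth acting on.
Added example for this section; not Cisco code (Python 3.8+)."""
import re

# Constructed input: the Active/Active sample output from this section,
# trimmed, with the Secondary unit's ctx1 inside interface changed to
# Waiting so that the interface check has something to report.
SAMPLE = """\
Failover On
Failover LAN Interface: third GigabitEthernet0/2 (up)
This host: Primary
Group 1 State: Active
Active time: 2896 (sec)
Group 2 State: Standby Ready
Active time: 0 (sec)
admin Interface outside (10.132.8.5): Normal
ctx1 Interface inside (10.2.2.1): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 190 (sec)
Group 2 State: Active
Active time: 3322 (sec)
admin Interface outside (10.132.8.6): Normal
ctx1 Interface inside (10.2.2.2): Waiting
Link : third GigabitEthernet0/2 (up)
Stateful Obj xmit xerr rcv rerr
General 1973 0 1895 0
sys cmd 380 0 380 0
TCP conn 1435 0 1450 0
ARP tbl 124 0 65 0
Logical Update Queue Information
"""

LINK_RE = re.compile(r"^Link : (.+?) \((\w+)\)$")
GROUP_RE = re.compile(r"^Group (\d+) State: (.+)$")
IFACE_RE = re.compile(r"^(\S+) Interface (\S+) \(([\d.]+)\): (.+)$")
STAT_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_show_failover(text):
    """Return failover flag, stateful link, per-host states, Stateful Obj counters."""
    state = {"failover": None, "link": None, "hosts": {}, "stats": {}}
    host, in_stats = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Failover On", "Failover Off"):
            state["failover"] = line.split()[1]
        elif (m := LINK_RE.match(line)):
            state["link"] = {"name": m.group(1), "status": m.group(2)}
        elif line.startswith(("This host:", "Other host:")):
            host = line.split(":", 1)[1].strip()
            state["hosts"][host] = {"groups": {}, "interfaces": []}
        elif line.startswith("Stateful Obj"):
            in_stats = True  # counter rows follow this header
        elif line.startswith("Logical Update Queue"):
            in_stats = False
        elif host and (m := GROUP_RE.match(line)):
            state["hosts"][host]["groups"][int(m.group(1))] = m.group(2)
        elif host and (m := IFACE_RE.match(line)):
            state["hosts"][host]["interfaces"].append(
                {"context": m.group(1), "name": m.group(2),
                 "ip": m.group(3), "status": m.group(4)})
        elif in_stats and (m := STAT_RE.match(line)):
            state["stats"][m.group(1)] = dict(
                zip(("xmit", "xerr", "rcv", "rerr"), map(int, m.groups()[1:])))
    return state


def assess(state):
    """Return findings in a fixed order; an empty list means nothing to report."""
    findings = []
    if state["failover"] != "On":
        findings.append("failover is not On")
    link = state["link"]
    if link is None:
        findings.append("no stateful failover link: connection state is not replicated")
    elif link["status"] != "up":
        findings.append("stateful link %s is %s" % (link["name"], link["status"]))
    groups = {}
    for host, info in state["hosts"].items():
        for iface in info["interfaces"]:
            if iface["status"] != "Normal":
                findings.append("%s: %s/%s is %s" % (
                    host, iface["context"], iface["name"], iface["status"]))
        for gid, st in info["groups"].items():
            groups.setdefault(gid, []).append(st)
    # Each failover group should be Active on exactly one unit.
    for gid, states in sorted(groups.items()):
        if states.count("Active") != 1:
            findings.append("group %d is Active on %d units" % (gid, states.count("Active")))
    # xerr/rerr count state-replication errors, not dropped connections.
    for obj, c in state["stats"].items():
        if c["xerr"] or c["rerr"]:
            findings.append("%s: xerr=%d rerr=%d" % (obj, c["xerr"], c["rerr"]))
    return findings
```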
Testing the Failover Functionality
To test failover functionality, perform the following steps:
Step 1 Test that your active unit or failover group is passing traffic as expected by using FTP (for example) to
send a file between hosts on different interfaces.
Step 2 Force a failover to the standby unit by entering the following command:
• For Active/Standby failover, enter the following command on the active unit:
hostname(config)# no failover active
• For Active/Active failover, enter the following command on the unit where the failover group
containing the interface connecting your hosts is active:
hostname(config)# no failover active group group_id
Step 3 Use FTP to send another file between the same two hosts.
Step 4 If the test was not successful, enter the show failover command to check the failover status.
Step 5 When you are finished, you can restore the unit or failover group to active status by entering the following command:
• For Active/Standby failover, enter the following command on the active unit:
hostname(config)# failover active
• For Active/Active failover, enter the following command on the unit where the failover group
containing the interface connecting your hosts is active:
hostname(config)# failover active group group_id
Controlling and Monitoring Failover
This section describes how to control and monitor failover. This section includes the following topics:
• Forcing Failover, page 14-49
• Disabling Failover, page 14-50
• Restoring a Failed Unit or Failover Group, page 14-50
• Monitoring Failover, page 14-50
Forcing Failover
To force the standby unit or failover group to become active, enter one of the following commands:
• For Active/Standby failover:
Enter the following command on the standby unit:
hostname# failover active
Or, enter the following command on the active unit:
hostname# no failover active
• For Active/Active failover:
Enter the following command in the system execution space of the unit where the failover group is
in the standby state:
hostname# failover active group group_id
Or, enter the following command in the system execution space of the unit where the failover group
is in the active state:
hostname# no failover active group group_id
Entering the following command in the system execution space causes all failover groups to become
active:
hostname# failover active
Disabling Failover
To disable failover, enter the following command:
hostname(config)# no failover
Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be
maintained until you restart. For example, the standby unit remains in standby mode so that both units
do not start passing traffic. To make the standby unit active (even with failover disabled), see the
“Forcing Failover” section on page 14-49.
Disabling failover on an Active/Active pair causes the failover groups to remain in the active state on
whichever unit they are currently active on, no matter which unit they are configured to prefer. The no
failover command should be entered in the system execution space.
Restoring a Failed Unit or Failover Group
To restore a failed unit to an unfailed state, enter the following command:
hostname(config)# failover reset
To restore a failed Active/Active failover group to an unfailed state, enter the following command:
hostname(config)# failover reset group group_id
Restoring a failed unit or group to an unfailed state does not automatically make it active; restored units
or groups remain in the standby state until made active by failover (forced or natural). An exception is a
failover group configured with the preempt command. If previously active, a failover group becomes
active if it is configured with the preempt command and if the unit on which it failed is the preferred
unit.
Monitoring Failover
When a failover occurs, both security appliances send out system messages. This section includes the
following topics:
• Failover System Messages, page 14-51
• Debug Messages, page 14-51
• SNMP, page 14-51
Failover System Messages
The security appliance issues a number of system messages related to failover at priority level 2, which
indicates a critical condition. To view these messages, see the Cisco Security Appliance Logging
Configuration and System Log Messages to enable logging and to see descriptions of the system
messages.
Note During switchover, failover logically shuts down and then brings up interfaces, generating syslog 411001 and 411002 messages. This is normal activity.
Debug Messages
To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command
Reference for more information.
Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system
performance. For this reason, use the debug fover commands only to troubleshoot specific problems or
during troubleshooting sessions with Cisco TAC.
SNMP
To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP
management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP
management station. See the snmp-server and logging commands in the Cisco Security Appliance
Command Reference for more information.
Part 2 Configuring the Firewall
Chapter 15 Firewall Mode Overview
Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the firewall mode, see the
“Setting Transparent or Routed Firewall Mode” section on page 2-5.
Note In multiple context mode, you cannot set the firewall mode separately for each context; you can only set
the firewall mode for the entire security appliance.
This chapter includes the following sections:
• Routed Mode Overview, page 15-1
• Transparent Mode Overview, page 15-8
Routed Mode Overview
In routed mode, the security appliance is considered to be a router hop in the network. It can perform
NAT between connected networks, and can use OSPF or RIP (in single context mode). Routed mode
supports many interfaces. Each interface is on a different subnet. You can share interfaces between
contexts.
This section includes the following topics:
• IP Routing Support, page 15-1
• Network Address Translation, page 15-2
• How Data Moves Through the Security Appliance in Routed Firewall Mode, page 15-3
IP Routing Support
The security appliance acts as a router between connected networks, and each interface requires an
IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP.
Multiple context mode supports static routes only. We recommend using the advanced routing
capabilities of the upstream and downstream routers instead of relying on the security appliance for
extensive routing needs.
Network Address Translation
NAT substitutes the local address on a packet with a global address that is routable on the destination
network. By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a
higher security interface (inside) to use NAT when communicating with a lower security interface
(outside), you can enable NAT control (see the nat-control command).
Note NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a
security appliance from an earlier version, then the nat-control command is automatically added to your
configuration to maintain the expected behavior.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Figure 15-1 shows a typical NAT scenario, with a private network on the inside. When the inside user
sends a packet to a web server on the Internet, the local source address of the packet is changed to a
routable global address. When the web server responds, it sends the response to the global address, and
the security appliance receives the packet. The security appliance then translates the global address to
the local address before sending it on to the user.
Figure 15-1 NAT Example (figure labels: web server www.example.com on the outside; security appliance addresses 209.165.201.2 and 10.1.2.1; inside host 10.1.2.27; originating packet source address translation 10.1.2.27 to 209.165.201.10; responding packet destination address translation 209.165.201.10 to 10.1.2.27)
How Data Moves Through the Security Appliance in Routed Firewall Mode
This section describes how data moves through the security appliance in routed firewall mode, and
includes the following topics:
• An Inside User Visits a Web Server, page 15-3
• An Outside User Visits a Web Server on the DMZ, page 15-4
• An Inside User Visits a Web Server on the DMZ, page 15-6
• An Outside User Attempts to Access an Inside Host, page 15-7
• A DMZ User Attempts to Access an Inside Host, page 15-8
An Inside User Visits a Web Server
Figure 15-2 shows an inside user accessing an outside web server.
Figure 15-2 Inside to Outside (figure labels: inside user 10.1.2.27, DMZ web server 10.1.1.3, www.example.com on the outside, security appliance addresses 209.165.201.2, 10.1.2.1 and 10.1.1.1; source address translation 10.1.2.27 to 209.165.201.10)
The following steps describe how data moves through the security appliance (see Figure 15-2):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the interface would be
unique; the www.example.com IP address does not have a current address translation in a context.
3. The security appliance translates the local source address (10.1.2.27) to the global address
209.165.201.10, which is on the outside interface subnet.
The global address could be on any subnet, but routing is simplified when it is on the outside
interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the
outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance,
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the global destination
address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.
An Outside User Visits a Web Server on the DMZ
Figure 15-3 shows an outside user accessing the DMZ web server.
Figure 15-3 Outside to DMZ (figure labels: outside user, DMZ web server 10.1.1.3, security appliance addresses 209.165.201.2, 10.1.2.1 and 10.1.1.1; destination address translation 209.165.201.3 to 10.1.1.13 as printed in the figure, while the steps below use 10.1.1.3)
The following steps describe how data moves through the security appliance (see Figure 15-3):
1. A user on the outside network requests a web page from the DMZ web server using the global
destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the classifier “knows” that
the DMZ web server address belongs to a certain context because of the server address translation.
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the
DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance
and because the session is already established, the packet bypasses the many lookups associated
with a new connection. The security appliance performs NAT by translating the local source address
to 209.165.201.3.
6. The security appliance forwards the packet to the outside user.
An Inside User Visits a Web Server on the DMZ
Figure 15-4 shows an inside user accessing the DMZ web server.
Figure 15-4 Inside to DMZ (figure labels: inside user 10.1.2.27, DMZ web server 10.1.1.3, security appliance addresses 209.165.201.2, 10.1.2.1 and 10.1.1.1)
The following steps describe how data moves through the security appliance (see Figure 15-4):
1. A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies that the packet is allowed according to the terms of the security policy (access lists, filters,
AAA).
For multiple context mode, the security appliance first classifies the packet according to either a
unique interface or a unique destination address associated with a context; the destination address
is associated by matching an address translation in a context. In this case, the interface is unique;
the web server IP address does not have a current address translation.
3. The security appliance then records that a session is established and forwards the packet out of the
DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets
the packet bypass the many lookups associated with a new connection.
5. The security appliance forwards the packet to the inside user.
An Outside User Attempts to Access an Inside Host
Figure 15-5 shows an outside user attempting to access the inside network.
Figure 15-5 Outside to Inside (figure labels: outside user, www.example.com, inside host 10.1.2.27, security appliance addresses 209.165.201.2, 10.1.2.1 and 10.1.1.1)
The following steps describe how data moves through the security appliance (see Figure 15-5):
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable
IP address).
If the inside network uses private addresses, no outside user can reach the inside network without
NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.
A DMZ User Attempts to Access an Inside Host
Figure 15-6 shows a user in the DMZ attempting to access the inside network.
Figure 15-6 DMZ to Inside (figure labels: DMZ web server 10.1.1.3, inside user 10.1.2.27, security appliance addresses 209.165.201.2, 10.1.2.1 and 10.1.1.1)
The following steps describe how data moves through the security appliance (see Figure 15-6):
1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to
route the traffic on the internet, the private addressing scheme does not prevent routing.
2. The security appliance receives the packet and because it is a new session, the security appliance
verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
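The five flows above, replayed through a small stateful model written for this section as an added example (not Cisco code): new sessions are checked against policy, translated and recorded, and return traffic matches the session table and skips those lookups. Policy is reduced to permitted ingress-to-egress interface pairs, dynamic NAT maps 10.1.2.27 to 209.165.201.10, a static translation maps 209.165.201.3 to 10.1.1.3, and the outside user (209.165.200.225) and www.example.com (203.0.113.80) addresses are constructed.

```python
"""Stateful routed-mode packet walk: policy check, NAT, session record,
fast path for return traffic. Added example for this section; not Cisco
code. Interface-pair policy stands in for access lists, filters and AAA."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str  # ingress interface on input, egress interface on output


class RoutedFirewall:
    def __init__(self, routes, policy, dyn_nat, static_nat):
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]
        self.policy = policy          # permitted (ingress, egress) pairs
        self.dyn_nat = dyn_nat        # local source -> global (toward outside)
        self.static_nat = static_nat  # global destination -> local (DMZ server)
        self.sessions = {}            # 5-tuple as seen on ingress -> translation
        self.log = []
        self.fast_path_hits = 0

    def route(self, addr):
        """Pick the egress interface; the sample networks do not overlap."""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return "outside"  # default route

    def process(self, pkt):
        """Return the packet as forwarded, or None if it was dropped."""
        key = (pkt.iface, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        hit = self.sessions.get(key)
        if hit is not None:
            # Established session: translate and forward without the
            # policy and routing lookups a new connection needs.
            self.fast_path_hits += 1
            src, dst, egress = hit
            return Packet(src, dst, pkt.sport, pkt.dport, egress)
        # New session: translate the destination first so the policy is
        # checked against the real egress interface.
        dst_local = self.static_nat.get(pkt.dst, pkt.dst)
        egress = self.route(dst_local)
        if (pkt.iface, egress) not in self.policy:
            self.log.append("deny %s->%s %s:%d -> %s:%d" % (
                pkt.iface, egress, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return None
        # Source translation applies only when leaving toward the outside.
        src_global = self.dyn_nat.get(pkt.src, pkt.src) if egress == "outside" else pkt.src
        # Record both directions so the reply takes the fast path and is
        # translated back to the original addresses.
        self.sessions[key] = (src_global, dst_local, egress)
        self.sessions[(egress, dst_local, src_global, pkt.dport, pkt.sport)] = (
            pkt.dst, pkt.src, pkt.iface)
        return Packet(src_global, dst_local, pkt.sport, pkt.dport, egress)


def run_scenarios():
    """Replay the section's flows; returns the results keyed by name."""
    fw = RoutedFirewall(
        routes=[("10.1.2.0/24", "inside"), ("10.1.1.0/24", "dmz"),
                ("209.165.201.0/27", "outside")],
        policy={("inside", "outside"), ("inside", "dmz"), ("outside", "dmz")},
        dyn_nat={"10.1.2.27": "209.165.201.10"},
        static_nat={"209.165.201.3": "10.1.1.3"},
    )
    www, outsider = "203.0.113.80", "209.165.200.225"  # constructed hosts
    r = {}
    r["inside_to_www"] = fw.process(Packet("10.1.2.27", www, 40000, 80, "inside"))
    r["www_reply"] = fw.process(Packet(www, "209.165.201.10", 80, 40000, "outside"))
    r["outside_to_dmz"] = fw.process(Packet(outsider, "209.165.201.3", 51000, 80, "outside"))
    r["dmz_reply"] = fw.process(Packet("10.1.1.3", outsider, 80, 51000, "dmz"))
    r["inside_to_dmz"] = fw.process(Packet("10.1.2.27", "10.1.1.3", 42000, 80, "inside"))
    # Unsolicited outside-to-inside, a packet to the NAT address from a
    # source that owns no session, and DMZ-to-inside: all are new sessions
    # that the policy denies, so they are dropped and logged.
    r["outside_to_inside"] = fw.process(Packet(outsider, "10.1.2.27", 52000, 22, "outside"))
    r["nat_probe"] = fw.process(Packet(outsider, "209.165.201.10", 80, 40000, "outside"))
    r["dmz_to_inside"] = fw.process(Packet("10.1.1.3", "10.1.2.27", 6000, 445, "dmz"))
    r["fast_path_hits"], r["log"] = fw.fast_path_hits, list(fw.log)
    return r
```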
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network, page 15-9
• Allowing Layer 3 Traffic, page 15-9
• Passing Traffic Not Allowed in Routed Mode, page 15-9
• MAC Address Lookups, page 15-10
• Using the Transparent Firewall in Your Network, page 15-10
• Transparent Firewall Guidelines, page 15-10
• Unsupported Features in Transparent Mode, page 15-11
• How Data Moves Through the Transparent Firewall, page 15-13
Transparent Firewall Network
The security appliance connects the same network on its inside and outside interfaces. Because the
firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP
readdressing is unnecessary.
Allowing Layer 3 Traffic
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3
traffic travelling from a low to a high security interface, an extended access list is required.
Allowed MAC Addresses
The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in
an access list. The transparent firewall, however, can allow almost any traffic through using either an
extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that
do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS
packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols
like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using
an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by using
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or
multicast traffic such as that created by IP/TV.
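An added example (not Cisco code) that applies the Layer 2 rules of this section to a single frame: the destination MAC allow list, the rule that the type/length field must be a valid EtherType of at least 0x600 with the BPDU exception, the IPv6 and ARP cases, and the split between extended and EtherType access lists. It assumes unicast destination MACs are handled by the MAC address lookup rather than by the list; the EtherType access list contents and the sample frames are constructed.

```python
"""Transparent-mode frame admission: destination MAC allow list, the
EtherType >= 0x600 rule with its BPDU exception, and the access-list split.
Added example for this section; not Cisco code."""

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
ETH_APPLETALK, ETH_IPX, ETH_MPLS = 0x809B, 0x8137, 0x8847


def mac_to_int(mac):
    """Accept 0100.5E00.0000, 01:00:5e:00:00:00 or 01-00-5e-00-00-00."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


BPDU_MAC = mac_to_int("0100.0CCC.CCCD")
# Inclusive ranges from this section's list; any other group address is dropped.
ALLOWED_GROUP_RANGES = [
    (mac_to_int("FFFF.FFFF.FFFF"), mac_to_int("FFFF.FFFF.FFFF")),  # broadcast
    (mac_to_int("0100.5E00.0000"), mac_to_int("0100.5EFE.FFFF")),  # IPv4 multicast
    (mac_to_int("3333.0000.0000"), mac_to_int("3333.FFFF.FFFF")),  # IPv6 multicast
    (BPDU_MAC, BPDU_MAC),                                            # BPDU
    (mac_to_int("0900.0700.0000"), mac_to_int("0900.07FF.FFFF")),  # AppleTalk
]


def is_group_address(mac):
    """I/G bit: least significant bit of the first octet is set."""
    return bool((mac >> 40) & 1)


def admit(dst_mac, ethertype, ethertype_acl=frozenset()):
    """Return (verdict, reason); verdict is forward, drop or extended-acl.
    ethertype is the 16-bit type/length field that follows the source MAC."""
    mac = mac_to_int(dst_mac)
    # Assumption: unicast destinations go to the MAC address table lookup
    # described under MAC Address Lookups; only group addresses use the list.
    if is_group_address(mac) and not any(lo <= mac <= hi for lo, hi in ALLOWED_GROUP_RANGES):
        return "drop", "destination MAC not in the transparent-mode allow list"
    if ethertype < 0x600:
        # An 802.3 length field, not an EtherType (LLC frames such as IS-IS).
        if mac == BPDU_MAC:
            return "forward", "BPDU exception"
        return "drop", "no valid EtherType (type/length field below 0x600)"
    if ethertype == ETH_IPV6:
        return "drop", "IPv6 is not passed in transparent mode"
    if ethertype == ETH_ARP:
        return "forward", "ARP passes in both directions without an access list"
    if ethertype == ETH_IPV4:
        return "extended-acl", "IPv4: extended access list decides (required low to high)"
    if ethertype in ethertype_acl:
        return "forward", "EtherType 0x%04X permitted by EtherType access list" % ethertype
    return "drop", "non-IP EtherType 0x%04X not permitted by EtherType access list" % ethertype


# Constructed frames: (destination MAC, type/length field, description).
SAMPLE_FRAMES = [
    ("FFFF.FFFF.FFFF", ETH_ARP, "ARP request"),
    ("0100.5E00.0001", ETH_IPV4, "IPv4 multicast, for example an OSPF hello"),
    ("3333.0000.0001", ETH_IPV6, "IPv6 all-nodes multicast"),
    ("0100.0CCC.CCCD", 0x0026, "PVST+ BPDU (LLC, length field)"),
    ("0100.0CCC.CCCC", 0x0100, "CDP (LLC, length field)"),
    ("0180.C200.0015", 0x005E, "IS-IS hello (LLC, length field)"),
    ("0900.0700.0001", ETH_APPLETALK, "AppleTalk broadcast"),
    ("0011.2233.4455", ETH_MPLS, "MPLS unicast"),
]


def classify_all(ethertype_acl=frozenset()):
    """Verdict for each sample frame under the given EtherType access list."""
    return [(desc, admit(mac, et, ethertype_acl)[0]) for mac, et, desc in SAMPLE_FRAMES]
```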
MAC Address Lookups
When the security appliance runs in transparent mode, the outgoing interface of a packet is determined
by performing a MAC address lookup instead of a route lookup. Route statements can still be configured,
but they only apply to security appliance-originated traffic. For example, if your syslog server is located
on a remote network, you must use a static route so the security appliance can reach that subnet.
Using the Transparent Firewall in Your Network
Figure 15-7 shows a typical transparent firewall network where the outside devices are on the same
subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside
router.
Figure 15-7 Transparent Firewall Network (figure labels: Network A and Network B on either side of the transparent firewall, addresses 10.1.1.1, 10.1.1.2, Management IP 10.1.1.3 and 192.168.1.2, Internet)
Transparent Firewall Guidelines
Follow these guidelines when planning your transparent firewall network:
• A management IP address is required; for multiple context mode, an IP address is required for each
context.
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an
IP address assigned to the entire device. The security appliance uses this IP address as the source
address for packets originating on the security appliance, such as system messages or AAA
communications.
The management IP address must be on the same subnet as the connected network. You cannot set
the subnet to a host subnet (255.255.255.255).
You can configure an IP address for the Management 0/0 management-only interface. This IP
address can be on a separate subnet from the main management IP address.
Note If the management IP address is not configured, transient traffic does not pass through the
transparent firewall. For multiple context mode, transient traffic does not pass through virtual
contexts.
• The transparent security appliance uses an inside interface and an outside interface only. If your
platform includes a dedicated management interface, you can also configure the management
interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if
available) even if your security appliance includes more than two interfaces.
• Each directly connected network must be on the same subnet.
• Do not specify the security appliance management IP address as the default gateway for connected
devices; devices need to specify the router on the other side of the security appliance as the default
gateway.
• For multiple context mode, each context must use different interfaces; you cannot share an interface
across contexts.
• For multiple context mode, each context typically uses a different subnet. You can use overlapping
subnets, but your network topology requires router and NAT configuration to make it possible from
a routing standpoint.
Unsupported Features in Transparent Mode
Table 15-1 lists the features that are not supported in transparent mode.
Table 15-1 Unsupported Features in Transparent Mode
Feature | Description
Dynamic DNS | —
DHCP relay | The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
Cisco Security Appliance Command Line Configuration Guide
OL-10088-02
Dynamic routing protocols | You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list.
IPv6 | You also cannot allow IPv6 using an EtherType access list.
Multicast | You can allow multicast traffic through the security appliance by allowing it in an extended access list.
NAT | NAT is performed on the upstream router.
QoS | —
VPN termination for through traffic | The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. WebVPN is also not supported.
How Data Moves Through the Transparent Firewall
Figure 15-8 shows a typical transparent firewall implementation with an inside network that contains a
public web server. The security appliance has an access list so that the inside users can access Internet
resources. Another access list lets the outside users access only the web server on the inside network.
Figure 15-8 Typical Transparent Firewall Data Path
This section describes how data moves through the security appliance, and includes the following topics:
• An Inside User Visits a Web Server, page 15-14
• An Outside User Visits a Web Server on the Inside Network, page 15-15
• An Outside User Attempts to Access an Inside Host, page 15-16
[Figure 15-8 image not reproduced; labels shown: www.example.com, 209.165.201.2, Management IP 209.165.201.6, 209.165.200.230, Web Server 209.165.200.225, Host 209.165.201.3, Internet]
An Inside User Visits a Web Server
Figure 15-9 shows an inside user accessing an outside web server.
Figure 15-9 Inside to Outside
The following steps describe how data moves through the security appliance (see Figure 15-9):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies that the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the
outside interface. The destination MAC address is that of the upstream router, 209.186.201.2.
If the destination MAC address is not in the security appliance table, the security appliance attempts
to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the inside user.
[Figure 15-9 image not reproduced; labels shown: Management IP 209.165.201.6, www.example.com 209.165.201.2, Host 209.165.201.3, Internet]
An Outside User Visits a Web Server on the Inside Network
Figure 15-10 shows an outside user accessing the inside web server.
Figure 15-10 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-10):
1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies that the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the
inside interface. The destination MAC address is that of the downstream router, 209.186.201.1.
If the destination MAC address is not in the security appliance table, the security appliance attempts
to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the outside user.
[Figure 15-10 image not reproduced; labels shown: Host 209.165.201.2, 209.165.201.1, 209.165.200.230, Web Server 209.165.200.225, Management IP 209.165.201.6, Internet]
An Outside User Attempts to Access an Inside Host
Figure 15-11 shows an outside user attempting to access a host on the inside network.
Figure 15-11 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-11):
1. A user on the outside network attempts to reach an inside host.
2. The security appliance receives the packet and adds the source MAC address to the MAC address
table, if required. Because it is a new session, it verifies if the packet is allowed according to the
terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to a unique
interface.
3. The packet is denied, and the security appliance drops the packet.
4. If the outside user is attempting to attack the inside network, the security appliance employs many
technologies to determine if a packet is valid for an already established session.
[Figure 15-11 image not reproduced; labels shown: Management IP 209.165.201.6, Host 209.165.201.2, Host 209.165.201.3, Internet]
Chapter 16 Identifying Traffic with Access Lists
This chapter describes how to identify traffic with access lists. This chapter includes the following
topics:
• Access List Overview, page 16-1
• Adding an Extended Access List, page 16-5
• Adding an EtherType Access List, page 16-8
• Adding a Standard Access List, page 16-11
• Adding a Webtype Access List, page 16-11
• Simplifying Access Lists with Object Grouping, page 16-11
• Adding Remarks to Access Lists, page 16-18
• Scheduling Extended Access List Activation, page 16-18
• Logging Access List Activity, page 16-20
For information about IPv6 access lists, see the “Configuring IPv6 Access Lists” section on page 12-6.
Access List Overview
Access lists are made up of one or more Access Control Entries (ACEs). An ACE is a single entry in an access
list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address
or network, and optionally the source and destination ports.
Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can
use an access list to identify traffic within a traffic class map. For more information on Modular Policy
Framework, see Chapter 21, “Using Modular Policy Framework.”
This section includes the following topics:
• Access List Types, page 16-2
• Access Control Entry Order, page 16-2
• Access Control Implicit Deny, page 16-3
• IP Addresses Used for Access Lists When You Use NAT, page 16-3
Access List Types
Table 16-1 lists the types of access lists and some common uses for them.
Access Control Entry Order
An access list is made up of one or more Access Control Entries. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.
Each ACE that you enter for a given access list name is appended to the end of the access list.
The order of ACEs is important. When the security appliance decides whether to forward or drop a
packet, the security appliance tests the packet against each ACE in the order in which the entries are
listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the
beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
Table 16-1 Access List Types and Common Uses
Access List Use | Access List Type | Description
Control network access for IP traffic (routed and transparent mode) | Extended | The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note: To access the security appliance interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to Chapter 40, “Managing System Access.”
Identify traffic for AAA rules | Extended | AAA rules use access lists to identify traffic.
Control network access for IP traffic for a given user | Extended, downloaded from an AAA server per user | You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an access list that you already configured on the security appliance.
Identify addresses for NAT (policy NAT and NAT exemption) | Extended | Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list.
Establish VPN access | Extended | You can use an extended access list in VPN commands.
Identify traffic in a traffic class map for Modular Policy Framework | Extended, EtherType | Access lists can be used to identify traffic in a class map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, and inspection.
For transparent firewall mode, control network access for non-IP traffic | EtherType | You can configure an access list that controls traffic based on its EtherType.
Identify OSPF route redistribution | Standard | Standard access lists include only the destination address. You can use a standard access list to control the redistribution of OSPF routes.
Filtering for WebVPN | Webtype | You can configure a Webtype access list to filter URLs.
You can disable an ACE by specifying the keyword inactive in the access-list command.
Access Control Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the security appliance
except for particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IP Addresses Used for Access Lists When You Use NAT
When you use NAT, the IP addresses you specify for an access list depend on the interface to which the
access list is attached; you need to use addresses that are valid on the network connected to the interface.
This guideline applies for both inbound and outbound access lists: the direction does not determine the
address used, only the interface does.
For example, suppose you want to apply an access list to the inbound direction of the inside interface. You
configure the security appliance to perform NAT on the inside source addresses when they access outside
addresses. Because the access list is applied to the inside interface, the source addresses are the original
untranslated addresses. Because the outside addresses are not translated, the destination address used in
the access list is the real address (see Figure 16-1).
Figure 16-1 IP Addresses in Access Lists: NAT Used for Source Addresses
[Figure 16-1 image not reproduced; labels shown: 209.165.200.225, Inside, Outside, Inbound ACL: Permit from 10.1.1.0/24 to 209.165.200.225, 10.1.1.0/24, PAT: 10.1.1.0/24 to 209.165.201.4:port]
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
hostname(config)# access-group INSIDE in interface inside
If you want to allow an outside host to access an inside host, you can apply an inbound access list on the
outside interface. You need to specify the translated address of the inside host in the access list because
that address is the address that can be used on the outside network (see Figure 16-2).
Figure 16-2 IP Addresses in Access Lists: NAT Used for Destination Addresses
[Figure 16-2 image not reproduced; labels shown: 209.165.200.225, Inside, Outside, Static NAT: 10.1.1.34 to 209.165.201.5, ACL: Permit from 209.165.200.225 to 209.165.201.5]
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside
If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface.
In Figure 16-3, an outside server uses static NAT so that a translated address appears on the inside
network.
Figure 16-3 IP Addresses in Access Lists: NAT Used for Source and Destination Addresses
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside
Adding an Extended Access List
This section describes how to add an extended access list, and includes the following sections:
• Extended Access List Overview, page 16-5
• Allowing Broadcast and Multicast Traffic through the Transparent Firewall, page 16-6
• Adding an Extended ACE, page 16-6
Extended Access List Overview
An extended access list is made up of one or more ACEs, in which you can specify the line number to
insert the ACE, source and destination addresses, and, depending on the ACE type, the protocol, the
ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within
the access-list command, or you can use object groups for each parameter. This section describes how
to identify the parameters within the command. To use object groups, see the “Simplifying Access Lists
with Object Grouping” section on page 16-11.
[Figure 16-3 image not reproduced; labels shown: 209.165.200.225, 10.1.1.0/24, Inside, Outside, Static NAT: 10.1.1.56, ACL: Permit from 10.1.1.0/24 to 10.1.1.56, PAT: 10.1.1.0/24 to 209.165.201.4:port]
For information about logging options that you can add to the end of the ACE, see the “Logging Access
List Activity” section on page 16-20. For information about time range options, see the “Scheduling
Extended Access List Activation” section on page 16-18.
For TCP and UDP connections, you do not need an access list to allow returning traffic, because the
FWSM allows all returning traffic for established, bidirectional connections. For connectionless
protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you
either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine
treats ICMP sessions as bidirectional connections.
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can apply the same access lists on multiple interfaces. See Chapter 18, “Permitting or
Denying Network Access,” for more information about applying an access list to an interface.
Note If you change the access list configuration, and you do not want to wait for existing connections to time
out before the new access list information is used, you can clear the connections using the clear
local-host command.
Allowing Broadcast and Multicast Traffic through the Transparent Firewall
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.
Note Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 16-2 lists common traffic types that you can allow through the transparent firewall.
Table 16-2 Transparent Firewall Special Traffic
Traffic Type | Protocol or Port | Notes
DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the security appliance does not pass DHCP packets.
EIGRP | Protocol 88 | —
OSPF | Protocol 89 | —
Multicast streams | The UDP ports vary depending on the application. | Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2) | UDP port 520 | —
Adding an Extended ACE
When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list unless you specify the line number.
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended]
{deny | permit} protocol source_address mask [operator port] dest_address mask
[operator port | icmp_type] [inactive]
Tip Enter the access list name in upper case letters so the name is easy to see in the configuration. You might
want to name the access list for the interface (for example, INSIDE), or for the purpose for which it is
created (for example, NO_NAT or VPN).
Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of
protocol names, see the “Protocols and Applications” section on page D-11.
Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.
Enter the any keyword instead of the address and mask to specify any address.
You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted
keywords and well-known port assignments, see the “TCP and UDP Ports” section on page D-11. DNS,
Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for
UDP. TACACS+ requires one definition for port 49 on TCP.
Use an operator to match port numbers used by the source or destination. The permitted operators are
as follows:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this operator, specify two port numbers, for
example:
range 100 200
You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol,
you either need access lists to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine (see the “Adding an ICMP
Type Object Group” section on page 16-15). The ICMP inspection engine treats ICMP sessions as
stateful connections. To control ping, specify echo-reply (0) (security appliance to host) or echo (8)
(host to security appliance). See the “Adding an ICMP Type Object Group” section on page 16-15 for a
list of ICMP types.
When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask).
The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the
inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make
reenabling easier.
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended]
{deny | permit} protocol source_address mask [operator port] dest_address mask
[operator port | icmp_type] [inactive]
If the entry that you are removing is the only entry in the access list, the entire access list is removed.
See the following examples:
The following access list allows all hosts (on the interface to which you apply the access list) to go
through the security appliance:
hostname(config)# access-list ACL_IN extended permit ip any any
The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27
network. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any
If you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
The following access list restricts all hosts (on the interface to which you apply the access list) from
accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
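The three rules this section relies on (ACEs are tested in order and the first match wins, every access list ends in an implicit deny, and addresses take a network mask rather than an IOS wildcard), as an added Python model that is not part of the Cisco guide. It parses the ACL_IN examples above with a parser limited to the subset of the access-list syntax those examples use, and evaluates constructed packets against them; the port keyword table and the packet fields are assumptions made for this illustration.

```python
"""Added example, not from the Cisco guide: a model of extended access list
evaluation on the security appliance. Parser covers only ip/tcp/udp, host/any/
network-mask addresses, a destination 'eq' port and 'inactive'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed port keyword table (subset of the appliance's well-known names).
PORT_KEYWORDS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


def netmask_prefix_len(mask: str) -> int:
    """Prefix length of a dotted network mask; rejects a non-contiguous (wildcard-style) mask."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a network mask (did you enter an IOS wildcard?)")
    return ones


def ios_wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard (0.0.0.255) into the network mask the appliance expects (255.255.255.0)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # only a destination 'eq port' is modelled
    inactive: bool = False           # kept in the configuration, skipped when evaluating


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D mask'; return the network and the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = netmask_prefix_len(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse 'access-list NAME [extended] {permit|deny} proto src dst [eq port] [inactive]'."""
    tokens = line.split()
    if tokens[0].endswith("#"):          # tolerate a copied 'hostname(config)#' prompt
        tokens = tokens[1:]
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    tokens = tokens[2:]                  # drop the keyword and the access list name
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, protocol, tokens = tokens[0], tokens[1], tokens[2:]
    src, tokens = _parse_addr(tokens)
    dst, tokens = _parse_addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORT_KEYWORDS.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return ACE(action, protocol, src, dst, port, tokens[:1] == ["inactive"])


def build_acl(lines: List[str]) -> List[ACE]:
    """Each access-list command for the same name appends its ACE to the end of the list."""
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[ACE], protocol: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
    """Test a packet against each ACE in order; the first match decides, otherwise the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.inactive:
            continue
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"                        # implicit deny at the end of every access list


# Sample lists built from the guide's own ACL_IN examples.
WEB_BLOCK = build_acl([
    "hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www",
    "hostname(config)# access-list ACL_IN extended permit ip any any",
])
WEB_BLOCK_WRONG_ORDER = build_acl([      # permit-all first: the deny below is never reached
    "access-list ACL_IN extended permit ip any any",
    "access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www",
])
LIMITED_PERMIT = build_acl([             # everything not listed falls to the implicit deny
    "access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224",
])

if __name__ == "__main__":
    # Constructed packets: (protocol, source, destination, destination port).
    print(evaluate(WEB_BLOCK, "tcp", "10.1.1.5", "209.165.201.29", 80))              # deny
    print(evaluate(WEB_BLOCK_WRONG_ORDER, "tcp", "10.1.1.5", "209.165.201.29", 80))  # permit
    print(evaluate(LIMITED_PERMIT, "udp", "192.168.2.9", "209.165.201.10", 53))      # deny
```

The wrong-order list is the failure mode the text warns about: a permit-all ACE at the top makes the deny beneath it unreachable, so a review of any access list should start at the first ACE and stop at the first match, exactly as the model does.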
Adding an EtherType Access List
Transparent firewall mode only
This section describes how to add an EtherType access list, and includes the following sections:
• EtherType Access List Overview, page 16-8
• Adding an EtherType ACE, page 16-10
EtherType Access List Overview
An EtherType access list is made up of one or more ACEs that specify an EtherType. This section
includes the following topics:
• Supported EtherTypes, page 16-8
• Implicit Permit of IP and ARPs Only, page 16-9
• Implicit and Explicit Deny ACE at the End of an Access List, page 16-9
• IPv6 Unsupported, page 16-9
• Using Extended and EtherType Access Lists on the Same Interface, page 16-9
• Allowing MPLS, page 16-9
Supported EtherTypes
An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number.
EtherType access lists support Ethernet V2 frames.
802.3-formatted frames are not handled by the access list because they use a length field as opposed to
a type field.
BPDUs, which are handled by the access list, are the only exception: they are SNAP-encapsulated, and
the security appliance is designed to specifically handle BPDUs.
The security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN
information inside the payload, so the security appliance modifies the payload with the outgoing VLAN
if you allow BPDUs.
Note If you use failover, you must allow BPDUs on both interfaces with an EtherType access list to avoid
bridging loops.
Implicit Permit of IP and ARPs Only
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection.
However, to allow any traffic with EtherTypes other than IPv4 and ARP, you need to apply an EtherType
access list, even from a high security to a low security interface.
Because EtherTypes are connectionless, you need to apply the access list to both interfaces if you want
traffic to pass in both directions.
Implicit and Explicit Deny ACE at the End of an Access List
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IPv6 Unsupported
EtherType ACEs do not allow IPv6 traffic, even if you specify the IPv6 EtherType.
Using Extended and EtherType Access Lists on the Same Interface
You can apply only one access list of each type (extended and EtherType) to each direction of an
interface. You can also apply the same access lists on multiple interfaces.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the security appliance by configuring both MPLS routers connected
to the security appliance to use the IP address on the security appliance interface as the router-id for LDP
or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward
packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the security appliance.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
Adding an EtherType ACE
To add an EtherType ACE, enter the following command:
hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu |
mpls-unicast | mpls-multicast | any | hex_number}
The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or
equal to 0x600. See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of
EtherTypes.
To remove an EtherType ACE, enter the no access-list command with the entire command syntax string
as it appears in the configuration:
hostname(config)# no access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
Note If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical
protocol traffic, such as auto-negotiation, is still allowed.
When you enter the access-list command for a given access list name, the ACE is added to the end of
the access list.
Tip Enter the access_list_name in upper case letters so the name is easy to see in the configuration. You
might want to name the access list for the interface (for example, INSIDE), or for the purpose (for
example, MPLS or IPX).
For example, the following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following access list allows some EtherTypes through the security appliance, but denies IPX:
hostname(config)# access-list ETHER ethertype deny ipx
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following access list denies traffic with EtherType 0x1256, but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside
Adding a Standard Access List
Single context mode only
Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route
map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.
The following command adds a standard ACE. To add another ACE at the end of the access list, enter
another access-list command specifying the same access list name. Apply the access list using the
“Defining Route Maps” section on page 9-7.
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask}
To remove an ACE, enter the no access-list command with the entire command syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name standard {deny | permit} {any | ip_address mask}
The following sample access list identifies routes to 192.168.1.0/24:
hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0
Adding a Webtype Access List
To add an access list to the configuration that supports filtering for WebVPN, enter the following
command:
hostname(config)# access-list access_list_name webtype {deny | permit} url [url_string | any]
To remove a Webtype access list, enter the no access-list command with the entire syntax string as it
appears in the configuration:
hostname(config)# no access-list access_list_name webtype {deny | permit} url [url_string | any]
For information about logging options that you can add to the end of the ACE, see the “Logging Access
List Activity” section on page 16-20.
Simplifying Access Lists with Object Grouping
This section describes how to use object grouping to simplify access list creation and maintenance.
This section includes the following topics:
• How Object Grouping Works, page 16-12
• Adding Object Groups, page 16-12
• Nesting Object Groups, page 16-15
• Using Object Groups with an Access List, page 16-16
• Displaying Object Groups, page 16-17
• Removing Object Groups, page 16-17
How Object Grouping Works
By grouping like-objects together, you can use the object group in an ACE instead of having to enter an
ACE for each object separately. You can create the following types of object groups:
• Protocol
• Network
• Service
• ICMP type
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network
• TrustedHosts—Includes the host and network addresses allowed access to the greatest range of
services and servers
• PublicServers—Includes the host addresses of servers to which the greatest access is provided
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service
requests to a group of public servers.
You can also nest object groups in other object groups.
Note The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of
actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object
groups. In many cases, object groups create more ACEs than if you added them manually, because
creating ACEs manually leads you to summarize addresses more than an object group does. To view the
number of expanded ACEs in an access list, enter the show access-list access_list_name command.
Adding Object Groups
This section describes how to add object groups.
This section includes the following topics:
• Adding a Protocol Object Group, page 16-13
• Adding a Network Object Group, page 16-13
• Adding a Service Object Group, page 16-14
• Adding an ICMP Type Object Group, page 16-15
Adding a Protocol Object Group
To add or change a protocol object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a protocol group, follow these steps:
Step 1 To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to protocol configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.
Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
The protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for
example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you
can specify, see the “Protocols and Applications” section on page D-11.
For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname(config)# object-group protocol tcp_udp_icmp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object icmp
Adding a Network Object Group
To add or change a network object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
Note A network object group supports IPv4 and IPv6 addresses, depending on the type of access list. For more
information about IPv6 access lists, see “Configuring IPv6 Access Lists” section on page 12-6.
To add a network group, follow these steps:
Step 1 To add a network group, enter the following command:
hostname(config)# object-group network grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to network configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-network)# description text
The description can be up to 200 characters.
Step 3 To define the networks in the group, enter the following command for each network or address:
hostname(config-network)# network-object {host ip_address | ip_address mask}
For example, to create network group that includes the IP addresses of three administrators, enter the
following commands:
hostname(config)# object-group network admins
hostname(config-network)# description Administrator Addresses
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.34
Adding a Service Object Group
To add or change a service object group, follow these steps. After you add the group, you can add more
objects as required by following this procedure again for the same group name and specifying additional
objects. You do not need to reenter existing objects; the commands you already set remain in place unless
you remove them with the no form of the command.
To add a service group, follow these steps:
Step 1 To add a service group, enter the following command:
hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
The grp_id is a text string up to 64 characters in length.
Specify the protocol for the services (ports) you want to add, either tcp, udp, or tcp-udp keywords.
Enter tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example,
DNS (port 53).
The prompt changes to service configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-service)# description text
The description can be up to 200 characters.
Step 3 To define the ports in the group, enter the following command for each port or range of ports:
hostname(config-service)# port-object {eq port | range begin_port end_port}
For a list of permitted keywords and well-known port assignments, see the “Protocols and Applications”
section on page D-11.
For example, to create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP),
enter the following commands:
hostname(config)# object-group service services1 tcp-udp
hostname(config-service)# description DNS Group
hostname(config-service)# port-object eq domain
hostname(config-service)# object-group service services2 udp
hostname(config-service)# description RADIUS Group
hostname(config-service)# port-object eq radius
hostname(config-service)# port-object eq radius-acct
hostname(config-service)# object-group service services3 tcp
hostname(config-service)# description LDAP Group
hostname(config-service)# port-object eq ldap
Adding an ICMP Type Object Group
To add or change an ICMP type object group, follow these steps. After you add the group, you can add
more objects as required by following this procedure again for the same group name and specifying
additional objects. You do not need to reenter existing objects; the commands you already set remain in
place unless you remove them with the no form of the command.
To add an ICMP type group, follow these steps:
Step 1 To add an ICMP type group, enter the following command:
hostname(config)# object-group icmp-type grp_id
The grp_id is a text string up to 64 characters in length.
The prompt changes to ICMP type configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-icmp-type)# description text
The description can be up to 200 characters.
Step 3 To define the ICMP types in the group, enter the following command for each type:
hostname(config-icmp-type)# icmp-object icmp_type
See the “ICMP Types” section on page D-15 for a list of ICMP types.
For example, to create an ICMP type group that includes echo-reply and echo (for controlling ping),
enter the following commands:
hostname(config)# object-group icmp-type ping
hostname(config-icmp-type)# description Ping Group
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object echo-reply
Nesting Object Groups
To nest an object group within another object group of the same type, first create the group that you want
to nest according to the “Adding Object Groups” section on page 16-12. Then follow these steps:
Step 1 To add or edit an object group under which you want to nest another object group, enter the following
command:
hostname(config)# object-group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}
Step 2 To add the specified group under the object group you specified in Step 1, enter the following command:
hostname(config-group_type)# group-object grp_id
The nested group must be of the same type.
You can mix and match nested group objects and regular objects within an object group.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
hostname(config-network)# network-object host 10.1.2.8
hostname(config-network)# network-object host 10.1.2.12
hostname(config-network)# object-group network finance
hostname(config-network)# network-object host 10.1.4.89
hostname(config-network)# network-object host 10.1.4.100
You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
Using Object Groups with an Access List
To use object groups in an access list, replace the normal protocol (protocol), network
(source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with
object-group grp_id parameter.
For example, to use object groups for all available parameters in the access-list {tcp | udp} command,
enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for
the source address, but identify the destination address with an address and mask.
The following normal access list that does not use object groups restricts several hosts on the inside
network from accessing several web servers. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
If you make two network object groups, one for the inside hosts, and one for the web servers, then the
configuration can be simplified and can be easily modified to add more hosts:
hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network web
hostname(config-network)# network-object host 209.165.201.29
hostname(config-network)# network-object host 209.165.201.16
hostname(config-network)# network-object host 209.165.201.78
hostname(config)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
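The single object-group ACE above is still nine ACEs once the appliance expands it, which is the number the Note on the ACE system limit and the show access-list command refer to. The following Python model is an added example, not code from the Cisco guide or from the appliance: it flattens nested groups the way the eng/hr/finance/admin example nests them, expands an ACE that references groups into its cartesian product, counts expanded entries, and reports which groups an ACL still references (those cannot be removed or emptied). The group contents are copied from the guide's examples; the function names, the tuple layout of an ACE and the circular-nesting check are my own.

```python
"""Added example, not from the Cisco guide: expand an ACE that references
object groups into the individual ACEs the appliance evaluates (the count
behind the ACE system limit and `show access-list`).  Group contents mirror
the guide's denied/web and eng/hr/finance/admin examples; the expansion and
in-use check are my own model, not the appliance's implementation."""
from itertools import product

# A member is a host/subnet string or ("group-object", name) for a nested
# group of the same type, as entered with the group-object command.
OBJECT_GROUPS = {
    "denied": ["host 10.1.1.4", "host 10.1.1.78", "host 10.1.1.89"],
    "web": ["host 209.165.201.29", "host 209.165.201.16", "host 209.165.201.78"],
    "eng": ["host 10.1.1.5", "host 10.1.1.9", "host 10.1.1.89"],
    "hr": ["host 10.1.2.8", "host 10.1.2.12"],
    "finance": ["host 10.1.4.89", "host 10.1.4.100"],
    "admin": [("group-object", "eng"), ("group-object", "hr"),
              ("group-object", "finance")],
}


def expand_group(name, groups=OBJECT_GROUPS, _seen=frozenset()):
    """Flatten a possibly nested object group into its leaf objects."""
    if name in _seen:
        raise ValueError(f"circular nesting at object-group {name}")
    leaves = []
    for member in groups[name]:
        if isinstance(member, tuple) and member[0] == "group-object":
            leaves.extend(expand_group(member[1], groups, _seen | {name}))
        else:
            leaves.append(member)
    return leaves


def _members(field, groups):
    """Source/destination field: a literal, or every member of a group."""
    if field.startswith("object-group "):
        return expand_group(field.split(" ", 1)[1], groups)
    return [field]


def expand_ace(action, proto, src, dst, port=None, groups=OBJECT_GROUPS):
    """One ACE, possibly with `object-group NAME` as source and/or
    destination, expanded into the cartesian product of its members."""
    tail = f" {port}" if port else ""
    return [f"{action} {proto} {s} {d}{tail}"
            for s, d in product(_members(src, groups), _members(dst, groups))]


def expanded_count(acl, groups=OBJECT_GROUPS):
    """Number of expanded ACEs: what counts toward the ACE system limit."""
    return sum(len(expand_ace(*ace, groups=groups)) for ace in acl)


def groups_in_use(acl):
    """Object groups referenced by the ACL; these cannot be removed/emptied."""
    return {field.split(" ", 1)[1] for ace in acl
            for field in ace[2:4] if field.startswith("object-group ")}


# The simplified ACL_IN from the text: (action, protocol, src, dst[, port]).
ACL_IN = [
    ("deny", "tcp", "object-group denied", "object-group web", "eq www"),
    ("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for line in expand_ace(*ACL_IN[0]):
        print("access-list ACL_IN extended", line)
    print("elements:", expanded_count(ACL_IN))                  # 9 + 1 = 10
    print("admin expands to", len(expand_group("admin")), "hosts")   # 7
</```

Run it to see that the two-line ACL_IN still produces ten expanded entries; swap the hosts in "denied" for a 10.1.1.0/24 network-object and the count drops to four, which is the summarisation effect the Note describes.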
Displaying Object Groups
To display a list of the currently configured object groups, enter the following command:
hostname(config)# show object-group [protocol | network | service | icmp-type | id grp_id]
If you enter the command without any parameters, the system displays all configured object groups.
The following is sample output from the show object-group command:
hostname# show object-group
object-group network ftp_servers
description: This is a group of FTP servers
network-object host 209.165.201.3
network-object host 209.165.201.4
object-group network TrustedHosts
network-object host 209.165.201.1
network-object 192.168.1.0 255.255.255.0
group-object ftp_servers
Removing Object Groups
To remove an object group, enter one of the following commands.
Note You cannot remove an object group or make an object group empty if it is used in an access list.
• To remove a specific object group, enter the following command:
hostname(config)# no object-group grp_id
• To remove all object groups of the specified type, enter the following command:
hostname(config)# clear object-group [protocol | network | service | icmp-type]
If you do not enter a type, all object groups are removed.
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, and standard
access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
hostname(config)# access-list access_list_name remark text
If you enter the remark before any access-list command, then the remark is the first line in the access list.
If you delete an access list using the no access-list access_list_name command, then all the remarks are
also removed.
The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text.
Trailing spaces are ignored.
For example, you can add remarks before each ACE, and the remark appears in the access list in this
location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
Scheduling Extended Access List Activation
You can schedule each ACE to be activated at specific times of the day and week by applying a time
range to the ACE. This section includes the following topics:
• Adding a Time Range, page 16-18
• Applying the Time Range to an ACE, page 16-19
Adding a Time Range
To add a time range to implement a time-based access list, perform the following steps:
Step 1 Identify the time-range name by entering the following command:
hostname(config)# time-range name
Step 2 Specify the time range as either a recurring time range or an absolute time range.
Note Users could experience a delay of approximately 80 to 100 seconds after the specified end time
for the ACL to become inactive. For example, if the specified end time is 3:50, because the end
time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the
command is picked up, the security appliance finishes any currently running task and then
services the command to deactivate the ACL.
Multiple periodic entries are allowed per time-range command. If a time-range command has both
absolute and periodic values specified, then the periodic commands are evaluated only after the
absolute start time is reached, and are not further evaluated after the absolute end time is reached.
• Recurring time range:
hostname(config-time-range)# periodic days-of-the-week time to [days-of-the-week] time
You can specify the following values for days-of-the-week:
– monday, tuesday, wednesday, thursday, friday, saturday, and sunday.
– daily
– weekdays
– weekend
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
• Absolute time range:
hostname(config-time-range)# absolute start time date [end time date]
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
The date is in the format day month year; for example, 1 january 2006.
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays:
hostname(config)# time-range workinghours
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
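The interaction between periodic and absolute entries is easy to get wrong when reading a configuration, so the following Python evaluator is added here as an example (it is not from the Cisco guide and not the appliance's code). It applies the rules stated above: a periodic entry matches on its days and hh:mm window, an absolute entry has an inclusive start and an optional inclusive end, and when both are present the periodic entries are evaluated only between the absolute start and end. The parser accepts the single days-of-the-week form used in the guide's examples (periodic weekdays 8:00 to 18:00); the TimeRange class and its method names are my own, and the 80 to 100 second deactivation lag the Note mentions is not modelled.

```python
"""Added example, not from the Cisco guide: decide whether a time-range is in
effect at a given moment, following the precedence rules the guide states.
Handles `periodic <days> hh:mm to hh:mm` and `absolute start ... [end ...]`;
the class/method names are mine and the deactivation lag is not modelled."""
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"]            # weekday() order
DAY_SETS = {"daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4},
            "weekend": {5, 6}}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def _clock(text):
    """'8:00' or '18:30' -> datetime.time."""
    hh, mm = text.split(":")
    return time(int(hh), int(mm))


def parse_periodic(spec):
    """'weekdays 8:00 to 18:00' -> (set of weekday numbers, start, end)."""
    days, start, to, end = spec.split()
    if to != "to":
        raise ValueError(f"bad periodic entry: {spec}")
    day_set = DAY_SETS.get(days) or {DAY_NAMES.index(days)}
    return day_set, _clock(start), _clock(end)


def parse_absolute(spec):
    """'8:00 1 january 2006' -> datetime (day month year, as the CLI takes)."""
    clock, day, month, year = spec.split()
    t = _clock(clock)
    return datetime(int(year), MONTHS.index(month.lower()) + 1, int(day),
                    t.hour, t.minute)


class TimeRange:
    def __init__(self, name):
        self.name = name
        self.periodic = []          # several periodic entries are allowed
        self.abs_start = None
        self.abs_end = None

    def periodic_entry(self, spec):
        self.periodic.append(parse_periodic(spec))
        return self

    def absolute(self, start, end=None):
        self.abs_start = parse_absolute(start)
        self.abs_end = parse_absolute(end) if end else None
        return self

    def is_active(self, now):
        """True if an ACE bound to this time-range is in effect at `now`."""
        if self.abs_start is not None and now < self.abs_start:
            return False                    # periodic entries not yet evaluated
        if self.abs_end is not None and now > self.abs_end:
            return False                    # end is inclusive; nothing after it
        if not self.periodic:               # absolute-only range
            return self.abs_start is not None
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)


if __name__ == "__main__":
    working = TimeRange("workinghours").periodic_entry("weekdays 8:00 to 18:00")
    print(working.is_active(datetime(2006, 1, 2, 9, 0)))      # Monday 09:00
    print(working.is_active(datetime(2006, 1, 7, 9, 0)))      # Saturday
    for2006 = TimeRange("for2006").absolute("8:00 1 january 2006")
    print(for2006.is_active(datetime(2005, 12, 31, 23, 59)))  # before start
```

Feeding it the two time ranges from the examples above, plus one that combines them, shows that a weekday inside the periodic window is inactive if it falls before the absolute start or after the absolute end.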
Applying the Time Range to an ACE
To apply the time range to an ACE, use the following command:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[time-range name]
See the “Adding an Extended Access List” section on page 16-5 for complete access-list command
syntax.
Note If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you
disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
The following example binds an access list named “Sales” to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute
Logging Access List Activity
This section describes how to configure access list logging for extended access lists and Webtype access
lists.
This section includes the following topics:
• Access List Logging Overview, page 16-20
• Configuring Logging for an Access Control Entry, page 16-21
• Managing Deny Flows, page 16-22
Access List Logging Overview
By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance
generates system message 106023 for each denied packet, in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the security appliance is attacked, the number of system messages for denied packets can be very large.
We recommend that you instead enable logging using system message 106100, which provides statistics
for each ACE and lets you limit the number of system messages produced. Alternatively, you can disable
all logging.
Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list
does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE
manually to the end of the access list, as follows.
hostname(config)# access-list TEST deny ip any any log
The log option at the end of the extended access-list command lets you set the following behavior:
• Enable message 106100 instead of message 106023
• Disable all logging
• Return to the default logging using message 106023
System message 106100 is in the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance generates a system message at the first hit and at the end of each interval, identifying the total
number of hits during the interval. At the end of each interval, the security appliance resets the hit count
to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source
port might differ for a new connection between the same two hosts, you might not see the same flow
increment because a new flow was created for the connection. See the “Managing Deny Flows” section
on page 16-22 to limit the number of logging flows.
Permitted packets that belong to established connections do not need to be checked against access lists;
only the initial packet is logged and included in the hit count. For connectionless protocols, such as
ICMP, all packets are logged even if they are permitted, and all denied packets are logged.
See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed
information about this system message.
Configuring Logging for an Access Control Entry
To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[log [[level] [interval secs] | disable | default]]
See the “Adding an Extended Access List” section on page 16-5 and “Adding a Webtype Access List”
section on page 16-11 for complete access-list command syntax.
If you enter the log option without any arguments, you enable system log message 106100 at the default
level (6) and for the default interval (300 seconds). See the following options:
• level—A severity level between 0 and 7. The default is 6.
• interval secs—The time interval in seconds between system messages, from 1 to 600. The default
is 300. This value is also used as the timeout value for deleting an inactive flow.
• disable—Disables all access list logging.
• default—Enables logging to message 106023. This setting is the same as having no log option.
For example, you configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 2.2.2.2 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
When a packet is permitted by the first ACE of outside-acl, the security appliance generates the
following system message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
Although 20 additional packets for this connection arrive on the outside interface, the traffic does not
have to be checked against the access list, and the hit count does not increase.
If one more connection by the same host is initiated within the specified 10 minute interval (and the
source and destination ports remain the same), then the hit count is incremented by 1 and the following
message is displayed at the end of the 10 minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)
When a packet is denied by the third ACE, the security appliance generates the following system
message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
20 additional attempts within a 5 minute interval (the default) result in the following message at the end
of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
Managing Deny Flows
When you enable logging for message 106100, if a packet matches an ACE, the security appliance
creates a flow entry to track the number of packets received within a specific interval. The security
appliance has a maximum of 32 K logging flows for ACEs. A large number of flows can exist
concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the
security appliance places a limit on the number of concurrent deny flows; the limit is placed only on deny
flows (and not permit flows) because they can indicate an attack. When the limit is reached, the security
appliance does not create a new deny flow for logging until the existing flows expire.
For example, if someone initiates a DoS attack, the security appliance can create a large number of deny
flows in a short period of time. Restricting the number of deny flows prevents unlimited consumption of
memory and CPU resources.
When you reach the maximum number of deny flows, the security appliance issues system message
106101:
%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
To configure the maximum number of deny flows and to set the interval between deny flow alert
messages (106101), enter the following commands:
• To set the maximum number of deny flows permitted per context before the security appliance stops
logging, enter the following command:
hostname(config)# access-list deny-flow-max number
The number is between 1 and 4096. 4096 is the default.
• To set the amount of time between system messages (number 106101) that identify that the
maximum number of deny flows was reached, enter the following command:
hostname(config)# access-list alert-interval secs
The seconds are between 1 and 3600. 300 is the default.
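The flow accounting behind message 106100 and the deny-flow limit are two halves of one mechanism, so one model covers both the "Logging Access List Activity" walkthrough (first-hit message, per-interval hit count, deletion of idle flows) and the "Managing Deny Flows" limit (no new deny flow once deny-flow-max is reached, 106101 at most once per alert-interval). The Python below is an added example and not from the Cisco guide or the appliance; the timestamps, hosts and ACL are constructed to replay the outside-acl scenario above, the %ASA- prefix is used for the messages, and the class and method names are assumptions of mine. The appliance's real implementation is not public, so the code follows only the behaviour the text documents.

```python
"""Added example, not from the Cisco guide: a model of the message-106100
flow accounting and of the deny-flow limit.  Timestamps, hosts and the ACL
are constructed; the code follows only the documented behaviour."""
from dataclasses import dataclass


@dataclass
class Flow:
    level: int          # from the ACE's `log level`
    interval: int       # `log ... interval secs`; also the idle timeout
    window_start: float
    count: int = 0


class AclLogger:
    def __init__(self, deny_flow_max=4096, alert_interval=300):
        self.deny_flow_max = deny_flow_max      # access-list deny-flow-max
        self.alert_interval = alert_interval    # access-list alert-interval
        self.flows = {}                         # flow key -> Flow
        self.last_alert = None
        self.messages = []

    def _emit(self, level, key, count, tail):
        acl, action, proto, src_if, src, sport, dst_if, dst, dport = key
        msg = (f"%ASA-{level}-106100: access-list {acl} {action} {proto} "
               f"{src_if}/{src}({sport}) -> {dst_if}/{dst}({dport}) "
               f"hit-cnt {count} ({tail})")
        self.messages.append(msg)
        return msg

    def deny_flows(self):
        return sum(1 for key in self.flows if key[1] == "denied")

    def expire(self, now):
        """Close elapsed intervals: report and reset the hit count, or delete
        the flow when nothing matched during a whole interval."""
        for key, flow in list(self.flows.items()):
            while now - flow.window_start >= flow.interval:
                if flow.count == 0:
                    del self.flows[key]
                    break
                self._emit(flow.level, key, flow.count,
                           f"{flow.interval}-second interval")
                flow.count = 0
                flow.window_start += flow.interval

    def hit(self, now, acl, action, level, interval,
            proto, src_if, src, sport, dst_if, dst, dport):
        """One packet matched an ACE carrying `log level interval`; returns
        the syslog line emitted for it, if any."""
        self.expire(now)
        key = (acl, action, proto, src_if, src, sport, dst_if, dst, dport)
        flow = self.flows.get(key)
        if flow is not None:
            flow.count += 1                 # reported when the interval ends
            return None
        if action == "denied" and self.deny_flows() >= self.deny_flow_max:
            # Limit reached: no new deny flow, and 106101 at most once per
            # alert-interval so the alert cannot flood the log itself.
            if self.last_alert is None or now - self.last_alert >= self.alert_interval:
                self.last_alert = now
                msg = ("%ASA-1-106101: The number of ACL log deny-flows has "
                       f"reached limit ({self.deny_flow_max}).")
                self.messages.append(msg)
                return msg
            return None
        self.flows[key] = Flow(level, interval, now, 1)
        return self._emit(level, key, 1, "first hit")


def run_guide_scenario():
    """Replay the guide's outside-acl example; return the messages in order."""
    log = AclLogger()
    permit = dict(acl="outside-acl", action="permitted", level=7, interval=600)
    deny = dict(acl="outside-acl", action="denied", level=2, interval=300)
    good = dict(proto="tcp", src_if="outside", src="1.1.1.1", sport=12345,
                dst_if="inside", dst="192.168.1.1", dport=1357)
    bad = dict(proto="ip", src_if="outside", src="3.3.3.3", sport=12345,
               dst_if="inside", dst="192.168.1.1", dport=1357)
    log.hit(0, **permit, **good)        # first hit is reported at once
    log.hit(100, **permit, **good)      # second connection, same ports
    log.hit(110, **deny, **bad)         # first denied packet
    for i in range(20):                 # 20 more attempts inside 300 s
        log.hit(120 + 10 * i, **deny, **bad)
    log.expire(700)                     # both intervals have elapsed
    return log.messages


def deny_flow_limit_demo(limit=2, attempts=4):
    """Exceed deny-flow-max; returns (deny flows tracked, 106101 alerts)."""
    log = AclLogger(deny_flow_max=limit, alert_interval=300)
    for i in range(attempts):
        log.hit(i, acl="ACL_IN", action="denied", level=6, interval=300,
                proto="tcp", src_if="outside", src=f"10.0.0.{i}",
                sport=40000 + i, dst_if="inside", dst="192.168.1.1", dport=22)
    alerts = sum(m.startswith("%ASA-1-106101") for m in log.messages)
    return log.deny_flows(), alerts


if __name__ == "__main__":
    for line in run_guide_scenario():
        print(line)
    print(deny_flow_limit_demo())       # (2, 1)
```

The replay reproduces the four messages shown in the walkthrough (two first-hit lines, then hit-cnt 2 for the 600-second permit interval and hit-cnt 21 for the 300-second deny interval). Note that the flow key includes the source port, which is why a new connection from the same host usually creates a new flow rather than incrementing the existing one.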
Chapter 17 Applying NAT
This chapter describes Network Address Translation (NAT). In routed firewall mode, the security
appliance can perform NAT between each network.
Note In transparent firewall mode, the security appliance does not support NAT.
This chapter contains the following sections:
• NAT Overview, page 17-1
• Configuring NAT Control, page 17-16
• Using Dynamic NAT and PAT, page 17-17
• Using Static NAT, page 17-26
• Using Static PAT, page 17-27
• Bypassing NAT, page 17-29
• NAT Examples, page 17-33
NAT Overview
This section describes how NAT works on the security appliance, and includes the following topics:
• Introduction to NAT, page 17-2
• NAT Control, page 17-3
• NAT Types, page 17-5
• Policy NAT, page 17-9
• NAT and Same Security Level Interfaces, page 17-13
• Order of NAT Commands Used to Match Real Addresses, page 17-14
• Mapped Address Guidelines, page 17-14
• DNS and NAT, page 17-14
Introduction to NAT
Address translation substitutes the real address in a packet with a mapped address that is routable on the
destination network. NAT consists of two steps: the process in which a real address is translated into
a mapped address, and then the process to undo the translation for returning traffic.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule
matches, processing for the packet continues. The exception is when you enable NAT control.
NAT control requires that packets traversing from a higher security interface (inside) to a lower security
interface (outside) match a NAT rule, or else processing for the packet stops. (See the “Security Level
Overview” section on page 7-1 for more information about security levels, and see “NAT Control”
section on page 17-3 for more information about NAT control).
Note In this document, all types of translation are generally referred to as NAT. When discussing NAT, the
terms inside and outside are relative, and represent the security relationship between any two interfaces.
The higher security level is inside and the lower security level is outside; for example, interface 1 is at
60 and interface 2 is at 50, so interface 1 is “inside” and interface 2 is “outside.”
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the
Internet. (See the “Private Networks” section on page D-2 for more information.)
• NAT hides the real addresses from other networks, so attackers cannot learn the real address of a
host.
• You can resolve IP routing problems such as overlapping addresses.
See Table 25-1 on page 25-3 for information about protocols that do not support NAT.
Figure 17-1 shows a typical NAT scenario, with a private network on the inside. When the inside host at
10.1.2.27 sends a packet to a web server, the real source address, 10.1.2.27, of the packet is changed to
a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped
address, 209.165.201.10, and the security appliance receives the packet. The security appliance then
undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.2.27 before
sending it on to the host.
Figure 17-1 NAT Example
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule; for any host on the inside network to access a host on the outside network, you must configure NAT
to translate the inside host address (see Figure 17-2).
Figure 17-2 NAT Control and Outbound Traffic
[Figure 17-1 diagram: inside host 10.1.2.27 behind inside interface 10.1.2.1 sends to the web server
www.cisco.com through outside interface 209.165.201.2; the originating packet is translated 10.1.2.27 to
209.165.201.10 and the responding packet has the translation undone, 209.165.201.10 to 10.1.2.27.]
[Figure 17-2 diagram: two inside hosts, 10.1.1.1 and 10.1.2.1, sending to outside host 209.165.201.1; the
host covered by a NAT rule is passed, the host with no NAT rule is dropped.]
Interfaces at the same security level are not required to use NAT to communicate. However, if you
configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same
security interface or an outside interface must match a NAT rule (see Figure 17-3).
Figure 17-3 NAT Control and Same Security Traffic
Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule
when it accesses an inside interface (see Figure 17-4).
Figure 17-4 NAT Control and Inbound Traffic
Static NAT does not cause these restrictions.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you
choose to perform NAT. If you upgraded from an earlier version of software, however, NAT control
might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any
addresses for which you configure dynamic NAT. See the “Dynamic NAT and PAT Implementation”
section on page 17-17 for more information on how dynamic NAT is applied.
If you want the added security of NAT control but do not want to translate inside addresses in some cases,
you can apply a NAT exemption or identity NAT rule on those addresses. (See the “Bypassing NAT”
section on page 17-29 for more information).
To configure NAT control, see the “Configuring NAT Control” section on page 17-16.
Note In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to
contexts if you do not enable unique MAC addresses for shared interfaces. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for more information about the relationship between
the classifier and NAT.
[Figure 17-3 diagram: two interfaces at security level 50; host 10.1.1.1 reaches the other level-50
interface untranslated (No NAT) until dynamic NAT is configured on the same-security interface, after
which its traffic to the other level-50 interface or to the outside (209.165.201.1) must match a NAT rule.]
[Figure 17-4 diagram: outside hosts 209.165.202.129 and 209.165.200.240 accessing the inside; with outside
dynamic NAT configured (mapped to 10.1.1.50), inbound traffic that does not match a NAT rule is dropped,
while without outside dynamic NAT 209.165.202.129 reaches the inside untranslated.]
NAT Types
This section describes the available NAT types. You can implement address translation as dynamic NAT,
Port Address Translation, static NAT, or static PAT or as a mix of these types. You can also configure
rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT. This
section includes the following topics:
• Dynamic NAT, page 17-5
• PAT, page 17-7
• Static NAT, page 17-7
• Static PAT, page 17-8
• Bypassing NAT When NAT Control is Enabled, page 17-9
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool can include fewer addresses than the real group. When a host you
want to translate accesses the destination network, the security appliance assigns it an IP address from
the mapped pool. The translation is added only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out (see the timeout xlate command in the Cisco Security
Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a
connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the
security appliance rejects any attempt to connect to a real host address directly. See the following “Static
NAT” or “Static PAT” sections for reliable access to hosts.
Note In some cases, a translation is added for a connection (see the show xlate command) even though the
session is denied by the security appliance. This condition occurs with an outbound access list, a
management-only interface, or a backup interface. The translation times out normally.
Figure 17-5 shows a remote host attempting to connect to the real address. The connection is denied
because the security appliance only allows returning connections to the mapped address.
Figure 17-5 Remote Host Attempts to Connect to the Real Address
Figure 17-6 shows a remote host attempting to initiate a connection to a mapped address. This address
is not currently in the translation table, so the security appliance drops the packet.
Figure 17-6 Remote Host Attempts to Initiate a Connection to a Mapped Address
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access list allows it. Because the address is unpredictable, a connection to the host is unlikely. However
in this case, you can rely on the security of the access list.
[Figures 17-5 and 17-6 diagrams: web server www.example.com on the outside, appliance outside interface
209.165.201.2, inside interface 10.1.2.1, inside host 10.1.2.27. In Figure 17-5 the remote host sends to the
real address 10.1.2.27 while the translation 10.1.2.27 to 209.165.201.10 exists, and the packet is denied.
In Figure 17-6 the remote host sends to the mapped address 209.165.201.10 with no translation in the table,
and the packet is dropped.]
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the
amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a
single address.
• You have to use a large number of routable addresses in the mapped pool; if the destination network
requires registered addresses, such as the Internet, you might encounter a shortage of usable
addresses.
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work
with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work
with some applications that have a data stream on one port and the control path on another and are not
open standard, such as some multimedia applications. See the “When to Use Application Protocol
Inspection” section on page 25-2 for more information about NAT and PAT support.
PAT
PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance
translates the real address and source port (real socket) to the mapped address and a unique port above
1024 (mapped socket). Each connection requires a separate translation, because the source port differs
for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or
mapped port number of the host, but the security appliance does not create a translation at all unless the
translated host is the initiator. See the following “Static NAT” or “Static PAT” sections for reliable access
to hosts.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the
security appliance interface IP address as the PAT address. PAT does not work with some multimedia
applications that have a data stream that is different from the control path. See the “When to Use
Application Protocol Inspection” section on page 25-2 for more information about NAT and PAT
support.
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an
access list allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case, you can rely on the security of the access list. However,
policy PAT does not support time-based ACLs.
Static NAT
Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and
PAT, each host uses a different address or port for each subsequent translation. Because the mapped
address is the same for each consecutive connection with static NAT, and a persistent translation rule
exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there
is an access list that allows it).
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT
allows a remote host to initiate a connection to a translated host (if there is an access list that allows it),
while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with
static NAT.
Static PAT
Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for
the real and mapped addresses.
This feature lets you identify the same mapped address across many different static statements, so long
as the port is different for each statement (you cannot use the same mapped address for multiple static
NAT statements).
For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security
appliance automatically translates the secondary ports.
For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP,
but these are all actually different servers on the real network, you can specify static PAT statements for
each server that uses the same mapped IP address, but different ports (see Figure 17-7).
Figure 17-7 Static PAT
See the following commands for this example:
hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255
You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For
example, if your inside web servers use port 8080, you can allow outside users to connect to port 80, and
then undo translation to the original port 8080. Similarly, you can tell your web users to connect to
non-standard port 6785, and then undo translation to port 80. A non-standard port only hides the service
from casual scans; it is not access control, so still restrict who may reach the mapped socket with an
access list.
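The dynamic NAT, PAT and static PAT behaviour described in the three sections above, modelled as a small Python translation table. This is an added example, not code from the Cisco guide or from the appliance; the mapped pool (209.165.201.10), the PAT address (209.165.201.15), the extra inside hosts 10.1.2.28 and 10.1.2.29, and the 3-hour default for timeout xlate are assumptions made for the demo. It shows why an inbound packet to a real address or to an unused PAT port is dropped while a static PAT socket is always reachable, and why a PAT entry is gone after 30 idle seconds while a dynamic NAT entry survives.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Xlate:
    """One translation-table entry. real_port/mapped_port are None for a
    dynamic NAT (whole-address) entry and set for a PAT (per-socket) entry."""
    real_ip: str
    real_port: Optional[int]
    mapped_ip: str
    mapped_port: Optional[int]
    last_seen: float


class XlateTable:
    """Toy model of the appliance xlate table (added illustration, not ASA code).

    The pool and PAT address are assumptions; nat_timeout stands in for the
    'timeout xlate' default (assumed 3 hours) and pat_timeout for the fixed
    30-second PAT idle timeout described in the text.
    """

    def __init__(self, pool, pat_address, nat_timeout=3 * 3600, pat_timeout=30):
        self.free_pool = list(pool)
        self.pat_address = pat_address
        self.nat_timeout = nat_timeout
        self.pat_timeout = pat_timeout
        self.ports = itertools.count(1025)   # PAT uses a unique mapped port above 1024
        self.dynamic = []                    # entries created by inside initiators only
        self.static_pat = []                 # persistent (mapped_ip, mapped_port, real_ip, real_port)

    def add_static_pat(self, mapped_ip, mapped_port, real_ip, real_port):
        """static (inside,outside) tcp mapped_ip mapped_port real_ip real_port"""
        self.static_pat.append((mapped_ip, mapped_port, real_ip, real_port))

    def _expire(self, now):
        """Drop idle dynamic entries; a freed pool address becomes available again."""
        keep = []
        for x in self.dynamic:
            timeout = self.nat_timeout if x.real_port is None else self.pat_timeout
            if now - x.last_seen > timeout:
                if x.real_port is None:
                    self.free_pool.append(x.mapped_ip)
            else:
                keep.append(x)
        self.dynamic = keep

    def outbound(self, real_ip, real_port, now):
        """Translate a packet sent by an inside host; returns the mapped socket."""
        self._expire(now)
        for m_ip, m_port, r_ip, r_port in self.static_pat:
            if (r_ip, r_port) == (real_ip, real_port):
                return m_ip, m_port
        for x in self.dynamic:
            if x.real_ip == real_ip and x.real_port in (None, real_port):
                x.last_seen = now
                return x.mapped_ip, (real_port if x.mapped_port is None else x.mapped_port)
        if self.free_pool:                   # the dynamic NAT global is used first
            x = Xlate(real_ip, None, self.free_pool.pop(0), None, now)
            self.dynamic.append(x)
            return x.mapped_ip, real_port
        x = Xlate(real_ip, real_port, self.pat_address, next(self.ports), now)  # PAT backup
        self.dynamic.append(x)
        return x.mapped_ip, x.mapped_port

    def inbound(self, dst_ip, dst_port, now):
        """Undo translation for a packet arriving from the outside.
        Returns the real socket, or None when the appliance drops the packet."""
        self._expire(now)
        for m_ip, m_port, r_ip, r_port in self.static_pat:
            if (m_ip, m_port) == (dst_ip, dst_port):
                return r_ip, r_port
        for x in self.dynamic:
            if x.mapped_ip == dst_ip and x.mapped_port in (None, dst_port):
                x.last_seen = now
                return x.real_ip, (dst_port if x.mapped_port is None else x.real_port)
        return None                          # no live xlate: dropped, even for a real address


def demo():
    """Walk through the cases of Figures 17-5 to 17-7 with constructed traffic."""
    t = XlateTable(pool=["209.165.201.10"], pat_address="209.165.201.15")
    t.add_static_pat("209.165.201.3", 21, "10.1.2.27", 21)
    r = {}
    r["nat"] = t.outbound("10.1.2.28", 40000, now=0)              # takes the only pool address
    r["pat1"] = t.outbound("10.1.2.29", 40000, now=1)             # pool exhausted: PAT, port 1025
    r["pat2"] = t.outbound("10.1.2.29", 40001, now=1)             # second socket: port 1026
    r["to_real"] = t.inbound("10.1.2.28", 80, now=2)              # Figure 17-5: denied
    r["to_mapped"] = t.inbound("209.165.201.10", 80, now=2)       # live NAT xlate: passes (if the ACL allows)
    r["to_pat_live"] = t.inbound("209.165.201.15", 1025, now=2)   # live PAT xlate: return traffic passes
    r["to_pat_unknown"] = t.inbound("209.165.201.15", 2000, now=2)  # Figure 17-6: no xlate, dropped
    r["ftp"] = t.inbound("209.165.201.3", 21, now=2)              # static PAT: always reachable
    r["pat_expired"] = t.inbound("209.165.201.15", 1025, now=40)  # idle > 30 s: PAT xlate gone
    r["nat_alive"] = t.inbound("209.165.201.10", 25, now=40)      # NAT xlate still within its timeout
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The `to_mapped` case is the one the notes above warn about: while the dynamic translation exists, anything the interface access list permits can reach the mapped address, so the access list, not the unpredictability of the mapping, is the control.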
[Figure 17-7 diagram: an outside host connects to 209.165.201.3:21, 209.165.201.3:80 and
209.165.201.3:25; the appliance undoes translation to the FTP server 10.1.2.27, the HTTP server 10.1.2.28
and the SMTP server 10.1.2.29 on the inside.]
Bypassing NAT When NAT Control is Enabled
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If
you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively,
you can disable NAT control). You might want to bypass NAT, for example, if you are using an
application that does not support NAT (see the “When to Use Application Protocol Inspection” section
on page 25-2 for information about inspection engines that do not support NAT).
You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility
with inspection engines. However, each method offers slightly different capabilities, as follows:
• Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic
NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for
connections through all interfaces. Therefore, you cannot choose to perform normal translation on
real addresses when you access interface A, but use identity NAT when accessing interface B.
Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate
the addresses. Make sure that the real addresses for which you use identity NAT are routable on all
networks that are available according to your access lists.
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate
a connection from the outside to the inside (even if the interface access list allows it). Use static
identity NAT or NAT exemption for this functionality.
• Static identity NAT (static command)—Static identity NAT lets you specify the interface on which
you want to allow the real addresses to appear, so you can use identity NAT when you access
interface A, and use regular translation when you access interface B. Static identity NAT also lets
you use policy NAT, which identifies the real and destination addresses when determining the real
addresses to translate (see the “Policy NAT” section on page 17-9 for more information about policy
NAT). For example, you can use static identity NAT for an inside address when it accesses the
outside interface and the destination is server A, but use a normal translation when accessing the
outside server B.
• NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote
hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific
interfaces; you must use NAT exemption for connections through all interfaces. However,
NAT exemption does let you specify the real and destination addresses when determining the real
addresses to translate (similar to policy NAT), so you have greater control using NAT exemption.
However unlike policy NAT, NAT exemption does not consider the ports in the access list.
Policy NAT
Policy NAT lets you identify real addresses for address translation by specifying the source and
destination addresses in an extended access list. You can also optionally specify the source and
destination ports. Regular NAT can only consider the real addresses. For example, you can translate
the real address to mapped address A when it accesses server A, but translate the real address to mapped
address B when it accesses server B.
Note Policy NAT does not support time-based ACLs.
When you specify the ports in policy NAT for applications that require application inspection for
secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
Note All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to
identify the real addresses, but differs from policy NAT in that the ports are not considered. See the
“Bypassing NAT” section on page 17-29 for other differences. You can accomplish the same result as
NAT exemption using static identity NAT, which does support policy NAT.
Figure 17-8 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host
accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host
appears to be on the same network as the servers, which can help with routing.
Figure 17-8 Policy NAT with Different Destination Addresses
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
[Figure 17-8 diagram: inside host 10.1.2.27 (10.1.2.0/24) sending to Server 1 at 209.165.201.11
(209.165.201.0/27) on the DMZ is translated to 209.165.202.129; sending to Server 2 at 209.165.200.225
(209.165.200.224/27) it is translated to 209.165.202.130.]
Figure 17-9 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses
a single host for both web services and Telnet services. When the host accesses the server for web
services, the real address is translated to 209.165.202.129. When the host accesses the same server for
Telnet services, the real address is translated to 209.165.202.130.
Figure 17-9 Policy NAT with Different Destination Ports
See the following commands for this example:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), both
translated and remote hosts can originate traffic. For traffic originated on the translated network, the
NAT access list specifies the real addresses and the destination addresses, but for traffic originated on
the remote network, the access list identifies the real addresses and the source addresses of remote hosts
who are allowed to connect to the host using this translation.
[Figure 17-9 diagram: inside host 10.1.2.27 (10.1.2.0/24) reaching the web and Telnet server
209.165.201.11 on the Internet; the web packet to 209.165.201.11:80 is translated 10.1.2.27:80 to
209.165.202.129 and the Telnet packet to 209.165.201.11:23 is translated 10.1.2.27:23 to 209.165.202.130.]
Figure 17-10 shows a remote host connecting to a translated host. The translated host has a policy static
NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27
network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot
connect to that network, nor can a host on that network connect to the translated host.
Figure 17-10 Policy Static NAT with Destination Address Translation
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1
Note For policy static NAT, in undoing the translation, the ACL in the static command is not used. If the
destination address in the packet matches the mapped address in the static rule, the static rule is used to
untranslate the address.
Note Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the “When to Use
Application Protocol Inspection” section on page 25-2 for information about NAT support for other
protocols.
You cannot use policy static NAT to translate different real addresses to the same mapped address. For
example, Figure 17-11 shows two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to
209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, then the connection
goes to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address,
209.165.200.225, you want the connection to go to 10.1.1.2. However, only one source address in the
access list can be used. Since the first ACE is for 10.1.1.1, all inbound connections sourced from
209.165.201.1 and 209.165.201.2 and destined to 209.165.200.225 have their destination address
translated to 10.1.1.1.
[Figure 17-10 diagram: inside host 10.1.2.27 (10.1.2.0/27) with the policy static translation to
209.165.202.128; a DMZ host at 209.165.201.11 (209.165.201.0/27) reaches it by undoing the translation,
while 209.165.200.225 (209.165.200.224/27) has no translation in either direction.]
Figure 17-11 Real Addresses Cannot Share the Same Mapped Address
See the following commands for this example. (Although the second ACE in the example does allow
209.165.201.2 to connect to 209.165.200.225, it only allows 209.165.200.225 to be translated to
10.1.1.1.)
hostname(config)# static (in,out) 209.165.200.225 access-list policy-nat
hostname(config)# access-list policy-nat permit ip host 10.1.1.1 host 209.165.201.1
hostname(config)# access-list policy-nat permit ip host 10.1.1.2 host 209.165.201.2
NAT and Same Security Level Interfaces
NAT is not required between same security level interfaces even if you enable NAT control. You can
optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is
enabled, then NAT is required. See the “NAT Control” section on page 17-3 for more information. Also,
when you specify a group of IP address(es) for dynamic NAT or PAT on a same security interface, then
you must perform NAT on that group of addresses when they access any lower or same security level
interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.
See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6
to enable same security communication.
Note The security appliance does not support VoIP inspection engines when you configure NAT on same
security interfaces. These inspection engines include Skinny, SIP, and H.323. See the “When to Use
Application Protocol Inspection” section on page 25-2 for supported inspection engines.
[Figure 17-11 diagram: outside hosts 209.165.201.1 and 209.165.201.2 both connect to 209.165.200.225;
the translation is undone to 10.1.1.1 for both, and 209.165.200.225 to 10.1.1.2 is never undone.]
Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in
this category; it is included in the regular static NAT or regular NAT category. We do not recommend
overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static
identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The
order of the NAT commands does not matter; the NAT statement that best matches the real address
is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you
can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific
statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using
overlapping statements; they use more memory and can slow the performance of the security
appliance.
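The matching order above, together with the policy NAT and NAT exemption rules described earlier in this section, as an added Python model; it is not appliance code. The rule set is constructed for the demo: the mapped address 209.165.201.20, the access-list names WEB and EXEMPT, the destination 198.51.100.1 and the network 192.168.100.0/24 are assumptions. It shows the specific nat statement beating the 0.0.0.0 statement regardless of configuration order, a static rule beating a policy dynamic rule that also covers the host, and NAT exemption matching without regard to the port in its ACE.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _contains(network: str, address: str) -> bool:
    return ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry: source, destination, optional destination port."""
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, sip, dip, dport, use_ports):
        if not (_contains(self.src, sip) and _contains(self.dst, dip)):
            return False
        return (not use_ports) or self.dport is None or self.dport == dport


@dataclass(frozen=True)
class Rule:
    kind: str                     # "exempt", "static", "policy-dynamic" or "dynamic"
    name: str                     # the command as it would appear in the configuration
    real: Optional[str] = None    # real network (static and regular dynamic NAT)
    acl: Tuple[Ace, ...] = ()     # ACEs (NAT exemption, policy static, policy dynamic)


def select_rule(rules, sip, dip, dport=None):
    """Return the rule the appliance applies to an outbound flow, following the
    order in this section: NAT exemption, static NAT/PAT, policy dynamic NAT
    (each first match in configuration order), then regular dynamic NAT by
    best match, i.e. the longest real-network prefix containing the source."""
    for kind in ("exempt", "static", "policy-dynamic"):
        for r in rules:
            if r.kind != kind:
                continue
            if r.acl:
                # NAT exemption ignores the ports in its access list; policy NAT honours them
                if any(a.matches(sip, dip, dport, use_ports=(kind != "exempt")) for a in r.acl):
                    return r
            elif r.real and _contains(r.real, sip):
                return r
    best = None
    for r in rules:
        if r.kind == "dynamic" and _contains(r.real, sip):
            plen = ipaddress.ip_network(r.real, strict=False).prefixlen
            if best is None or plen > best[0]:
                best = (plen, r)
    return best[1] if best else None


# Constructed configuration for the demo (mapped addresses and ACL names are illustrative).
RULES = (
    Rule("dynamic", "nat (inside) 1 0.0.0.0 0.0.0.0", real="0.0.0.0/0"),
    Rule("dynamic", "nat (inside) 2 10.1.1.1 255.255.255.255", real="10.1.1.1/32"),
    Rule("policy-dynamic", "nat (inside) 3 access-list WEB",
         acl=(Ace("10.1.2.0/24", "209.165.201.11/32", dport=80),)),
    Rule("static", "static (inside,outside) 209.165.201.20 10.1.2.50", real="10.1.2.50/32"),
    Rule("exempt", "nat (inside) 0 access-list EXEMPT",
         acl=(Ace("10.1.2.0/24", "192.168.100.0/24", dport=22),)),
)


def which(sip, dip, dport=None):
    """Name of the matching rule for a flow, or None when no rule covers it."""
    r = select_rule(RULES, sip, dip, dport)
    return r.name if r else None


if __name__ == "__main__":
    for flow in (("10.1.1.1", "198.51.100.1", 80), ("10.1.1.2", "198.51.100.1", 80),
                 ("10.1.2.27", "209.165.201.11", 80), ("10.1.2.27", "209.165.201.11", 23),
                 ("10.1.2.50", "209.165.201.11", 80), ("10.1.2.27", "192.168.100.5", 443)):
        print(flow, "->", which(*flow))
```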
Mapped Address Guidelines
When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the
security appliance), the security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing,
because the security appliance does not have to be the gateway for any additional networks.
However, this approach does put a limit on the number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The security appliance uses proxy ARP to answer any requests for
mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you
advertise routes on the mapped interface, then the security appliance advertises the mapped
addresses. If the mapped interface is passive (not advertising routes) or you are using static routing,
then you need to add a static route on the upstream router that sends traffic destined for the mapped
addresses to the security appliance.
DNS and NAT
You might need to configure the security appliance to modify DNS replies by replacing the address in
the reply with an address that matches the NAT configuration. You can configure DNS modification
when you configure each translation.
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the
inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see
Figure 17-12). In this case, you want to enable DNS reply modification on this static statement so that
inside users who have access to ftp.cisco.com using the real address receive the real address from the
DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with
the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside
server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply
modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing
ftp.cisco.com directly.
Figure 17-12 DNS Reply Modification
See the following command for this example:
hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns
Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from
the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though
the user is not on the Inside interface referenced by the static command.
[Figure 17-12 diagram: the inside user (1) sends the DNS query ftp.cisco.com? to the DNS server on the
outside; (2) the DNS reply carries 209.165.201.10; (3) the appliance applies DNS reply modification
209.165.201.10 to 10.1.3.14; (4) the user receives the DNS reply 10.1.3.14; (5) the FTP request goes to
10.1.3.14, the inside server ftp.cisco.com, which has a static translation on the outside to 209.165.201.10.]
Figure 17-13 shows a web server and DNS server on the outside. The security appliance has a static
translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com
from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want
inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply
modification for the static translation.
Figure 17-13 DNS Reply Modification Using Outside NAT
See the following command for this example:
hostname(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255 dns
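DNS reply modification for the two static statements above (Figures 17-12 and 17-13), as an added Python example that parses a DNS response on the wire and rewrites the A record in place; it is not appliance code. The response packet is constructed inline (transaction ID, TTL and flags are arbitrary), and the rule used here, rewrite according to the interface the reply arrives on rather than the requester's interface so that a DMZ requester is modified as well, is an assumption drawn from the note above.

```python
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticDns:
    """static (real_iface,mapped_iface) mapped_ip real_ip netmask 255.255.255.255 dns"""
    real_iface: str
    mapped_iface: str
    mapped_ip: str
    real_ip: str


def _skip_name(pkt, off):
    """Offset just past the DNS name at off (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _answers(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer record."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4      # QNAME, then QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt):
    """Addresses of the A records in the answer section."""
    return [socket.inet_ntoa(pkt[o:o + 4]) for o, t, c, n in _answers(pkt)
            if t == 1 and c == 1 and n == 4]


def build_reply(qname, answer_ip, txid=0x1234, ttl=300):
    """Constructed DNS response with one A question and one A answer (sample data)."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, RD+RA
    question = name + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def rewrite_reply(pkt, ingress_iface, statics):
    """DNS reply modification: an A record carrying the address valid on the
    interface the reply arrived on is rewritten to the address valid on the other
    side of a static translation that has the dns keyword. Packet length and
    layout are unchanged, so no length or checksum fix-ups are needed here."""
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in _answers(pkt):
        if not (rtype == 1 and rclass == 1 and rdlen == 4):
            continue
        addr = socket.inet_ntoa(pkt[off:off + 4])
        for s in statics:
            if ingress_iface == s.mapped_iface and addr == s.mapped_ip:
                out[off:off + 4] = socket.inet_aton(s.real_ip)    # Figure 17-12 direction
            elif ingress_iface == s.real_iface and addr == s.real_ip:
                out[off:off + 4] = socket.inet_aton(s.mapped_ip)  # Figure 17-13 direction
    return bytes(out)


# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns
INSIDE_SERVER = [StaticDns("inside", "outside", mapped_ip="209.165.201.10", real_ip="10.1.3.14")]
# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255 dns
OUTSIDE_SERVER = [StaticDns("outside", "inside", mapped_ip="10.1.2.56", real_ip="209.165.201.10")]


def demo():
    """In both figures the outside DNS server answers 209.165.201.10 for ftp.cisco.com."""
    reply = build_reply("ftp.cisco.com", "209.165.201.10")
    return {
        "fig_17_12": a_records(rewrite_reply(reply, "outside", INSIDE_SERVER)),
        "fig_17_13": a_records(rewrite_reply(reply, "outside", OUTSIDE_SERVER)),
        "no_dns_keyword": a_records(rewrite_reply(reply, "outside", [])),
    }


if __name__ == "__main__":
    print(demo())
```

Because the rewrite touches only the four rdata bytes, it is safe for any response layout the parser understands; a real appliance also has to cope with TCP DNS, EDNS0 and DNSSEC-signed answers, where a rewritten A record no longer validates.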
Configuring NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule. See the “NAT Control” section on page 17-3 for more information.
To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.
[Figure 17-13 diagram: ftp.cisco.com at 209.165.201.10 on the outside has a static translation on the
inside to 10.1.2.56; the inside user 10.1.2.27 (1) sends the DNS query ftp.cisco.com? to the outside DNS
server; (2) the DNS reply carries 209.165.201.10; (3) the appliance applies DNS reply modification
209.165.201.10 to 10.1.2.56; (4) the user receives the DNS reply 10.1.2.56; (5) the FTP request goes to
10.1.2.56; (6) the appliance translates the destination address 10.1.2.56 to 209.165.201.10; (7) the FTP
request reaches 209.165.201.10.]
Using Dynamic NAT and PAT
This section describes how to configure dynamic NAT and PAT, and includes the following topics:
• Dynamic NAT and PAT Implementation, page 17-17
• Configuring Dynamic NAT or PAT, page 17-23
Dynamic NAT and PAT Implementation
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given
interface that you want to translate. Then you configure a separate global command to specify the
mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat
command matches a global command by comparing the NAT ID, a number that you assign to each
command (see Figure 17-14).
Figure 17-14 nat and global ID Matching
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
[Figure 17-14 diagram: NAT 1: 10.1.2.0/24 on the inside and Global 1: 209.165.201.3-209.165.201.10 on the
outside; host 10.1.2.27 is translated to 209.165.201.3 on the way to the web server www.cisco.com.]
You can enter a nat command for each interface using the same NAT ID; they all use the same global
command when traffic exits a given interface. For example, you can configure nat commands for Inside
and DMZ interfaces, both on NAT ID 1. Then you configure a global command on the Outside interface
that is also on ID 1. Traffic from the Inside interface and the DMZ interface share a mapped pool or a
PAT address when exiting the Outside interface (see Figure 17-15).
Figure 17-15 nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
[Figure 17-15 diagram: NAT 1: 10.1.2.0/24 on the inside and NAT 1: 10.1.1.0/24 on the DMZ share Global 1:
209.165.201.3-209.165.201.10 on the outside; 10.1.2.27 is translated to 209.165.201.3 and 10.1.1.15 to
209.165.201.4 on the way to www.cisco.com.]
You can also enter a global command for each interface using the same NAT ID. If you enter a global
command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to
be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat
command for the DMZ interface on ID 1, then the global command on the Outside interface is also used
for DMZ traffic. (See Figure 17-16).
Figure 17-16 global and nat Commands on Multiple Interfaces
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
If you use different NAT IDs, you can identify different sets of real addresses to have different mapped
addresses. For example, on the Inside interface, you can have two nat commands on two different
NAT IDs. On the Outside interface, you configure two global commands for these two IDs. Then, when
traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A
addresses, while traffic from Inside network B is translated to pool B addresses (see Figure 17-17). If
you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as
the destination addresses and ports are unique in each access list.
[Figure 17-16: Inside NAT 1: 10.1.2.0/24, DMZ NAT 1: 10.1.1.0/24, Outside Global 1: 209.165.201.3-209.165.201.10, DMZ Global 1: 10.1.1.23; web server www.cisco.com on the Outside; translations 10.1.2.27 -> 209.165.201.3, 10.1.1.15 -> 209.165.201.4 and 10.1.2.27 -> 10.1.1.23:2024]
Figure 17-17 Different NAT IDs
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (outside) 2 209.165.201.11
You can enter multiple global commands for one interface using the same NAT ID; the security
appliance uses the dynamic NAT global commands first, in the order they are in the configuration, and
then uses the PAT global commands in order. You might want to enter both a dynamic NAT global
command and a PAT global command if you need to use dynamic NAT for a particular application, but
want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you
might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a
single PAT mapped statement supports (see Figure 17-18).
[Figure 17-17: Inside NAT 1: 10.1.2.0/24 and NAT 2: 192.168.1.0/24; Outside Global 1: 209.165.201.3-209.165.201.10 and Global 2: 209.165.201.11; web server www.cisco.com on the Outside; translations 10.1.2.27 -> 209.165.201.3 and 192.168.1.14 -> 209.165.201.11:4567]
Figure 17-18 NAT and PAT Together
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5
For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you
also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ
is translated when accessing the Inside and the Outside interfaces), then you must configure a separate
nat command without the outside option. In this case, you can identify the same addresses in both
statements and use the same NAT ID (see Figure 17-19). Note that for outside NAT (DMZ interface to
Inside interface), the inside host uses a static command to allow outside access, so both the source and
destination addresses are translated.
[Figure 17-18: Inside NAT 1: 10.1.2.0/24; Outside Global 1: 209.165.201.3-209.165.201.4 and Global 1: 209.165.201.5; web server www.cisco.com on the Outside; translations 10.1.2.27 -> 209.165.201.3, 10.1.2.28 -> 209.165.201.4 and 10.1.2.29 -> 209.165.201.5:6096]
Figure 17-19 Outside NAT and Inside NAT Combined
See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40
When you specify a group of IP addresses in a nat command, you must perform NAT on that group of
addresses when they access any lower or same security level interface; you must apply a global
command with the same NAT ID on each such interface, or use a static command. NAT is not required for
that group when it accesses a higher security interface, because to perform NAT from outside to inside,
you must create a separate nat command using the outside keyword. If you do apply outside NAT, then
the preceding NAT requirements come into effect for that group of addresses when they access all higher
security interfaces. Traffic identified by a static command is not affected.
[Figure 17-19: DMZ Outside NAT 1: 10.1.1.0/24 and NAT 1: 10.1.1.0/24; Outside Global 1: 209.165.201.3-209.165.201.10; Inside Global 1: 10.1.2.30-10.1.2.40; Static to DMZ: 10.1.2.27 -> 10.1.1.5; translations 10.1.1.15 -> 209.165.201.4 and 10.1.1.15 -> 10.1.2.30; undo translation 10.1.1.5 -> 10.1.2.27]
Configuring Dynamic NAT or PAT
This section describes how to configure dynamic NAT or dynamic PAT. The configuration for dynamic
NAT and PAT is almost identical; for NAT you specify a range of mapped addresses, and for PAT you
specify a single address.
Figure 17-20 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session,
and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined
by the global command.
Figure 17-20 Dynamic NAT
Figure 17-21 shows a typical dynamic PAT scenario. Only translated hosts can create a NAT session, and
responding traffic is allowed back. The mapped address defined by the global command is the same for
each translation, but the port is dynamically assigned.
Figure 17-21 Dynamic PAT
For more information about dynamic NAT, see the “Dynamic NAT” section on page 17-5. For more
information about PAT, see the “PAT” section on page 17-7.
Note If you change the NAT configuration, and you do not want to wait for existing translations to time out
before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
[Figure 17-20: Inside 10.1.1.1 -> Outside 209.165.201.1, Inside 10.1.1.2 -> Outside 209.165.201.2]
[Figure 17-21: Inside 10.1.1.1:1025 -> Outside 209.165.201.1:2020, 10.1.1.1:1026 -> 209.165.201.1:2021, 10.1.1.2:1025 -> 209.165.201.1:2022]
To configure dynamic NAT or PAT, perform the following steps:
Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
• Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
You can identify overlapping addresses in other nat commands. For example, you can identify
10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command
in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
– access-list acl_name—Identify the real addresses and destination addresses using an extended
access list. Create the access list using the access-list command (see the “Adding an Extended
Access List” section on page 16-5). This access list should include only permit ACEs. You can
optionally specify the real and destination ports in the access list using the eq operator. Policy
NAT considers the inactive and time-range keywords, but it does not support an ACL whose ACEs
are all inactive or time-range ACEs.
– nat_id—An integer between 1 and 65535. The NAT ID should match a global command NAT
ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more
information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the
“Configuring NAT Exemption” section on page 17-32 for more information about NAT
exemption.)
– dns—If your nat command includes the address of a host that has an entry in a DNS server, and
the DNS server is on a different interface from a client, then the client and the DNS server need
different addresses for the host; one needs the mapped address and one needs the real address.
This option rewrites the address in the DNS reply to the client. The translated host needs to be
on the same interface as either the client or the DNS server. Typically, hosts that need to allow
access from other interfaces use a static translation, so this option is more likely to be used with
the static command. (See the “DNS and NAT” section on page 17-14 for more information.)
– outside—If this interface is on a lower security level than the interface you identify by the
matching global statement, then you must enter outside to identify the NAT instance as
outside NAT.
– norandomseq, tcp tcp_max_conns, udp udp_max_conns, and emb_limit—These keywords set
connection limits. However, we recommend using a more versatile method for setting
connection limits; see the “Configuring Connection Limits and Timeouts” section on page 23-6.
• Regular NAT:
hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]
The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global command
NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more
information about how NAT IDs are used. 0 is reserved for identity NAT. See the “Configuring
Identity NAT” section on page 17-30 for more information about identity NAT.
See the preceding policy NAT command for information about other options.
Step 2 To identify the mapped address(es) to which you want to translate the real addresses when they exit a
particular interface, enter the following command:
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}
This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses
that you want to translate when they exit this interface.
You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across
subnet boundaries if desired. For example, you can specify the following “supernet”:
192.168.1.1-192.168.2.254
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is
exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
To translate the lower security dmz network addresses so they appear to be on the same network as the
inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
To identify a single real address with two different destination addresses using policy NAT, enter the
following commands (see Figure 17-8 on page 17-10 for a related figure):
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130
To identify a single real address/destination address pair that uses different ports using policy NAT, enter
the following commands (see Figure 17-9 on page 17-11 for a related figure):
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
Using Static NAT
This section describes how to configure a static translation.
Figure 17-22 shows a typical static NAT scenario. The translation is always active so both translated and
remote hosts can originate connections, and the mapped address is statically assigned by the static
command.
Figure 17-22 Static NAT
You cannot use the same real or mapped address in multiple static commands between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static NAT, see the “Static NAT” section on page 17-7.
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static NAT, enter one of the following commands.
• For policy static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). This access list should include only permit ACEs. The source subnet mask
used in the access list is also used for the mapped addresses. You can also specify the real and
destination ports in the access list using the eq operator. Policy NAT does not consider the inactive
or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the
“Policy NAT” section on page 17-9 for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
[Figure 17-22: Inside 10.1.1.1 <-> Outside 209.165.201.1, Inside 10.1.1.2 <-> Outside 209.165.201.2]
• To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the
options.
For example, the following policy static NAT example shows a single real address that is translated to
two mapped addresses depending on the destination address (see Figure 17-8 on page 17-10 for a related
figure):
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):
hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
Using Static PAT
This section describes how to configure a static port translation. Static PAT lets you translate the real IP
address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate
the real port to the same port, which lets you translate only specific types of traffic, or you can take it
further by translating to a different port.
Figure 17-23 shows a typical static PAT scenario. The translation is always active, so both translated and
remote hosts can originate connections, and the mapped address and port are statically assigned by the
static command.
Figure 17-23 Static PAT
For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security
appliance automatically translates the secondary ports.
[Figure 17-23: Inside 10.1.1.1:23 <-> Outside 209.165.201.1:23, Inside 10.1.1.2:8080 <-> Outside 209.165.201.2:80]
You cannot use the same real or mapped address in multiple static statements between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static PAT, see the “Static PAT” section on page 17-8.
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static PAT, enter one of the following commands.
• For policy static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). The protocol in the access list must match the protocol you set in this
command. For example, if you specify tcp in the static command, then you must specify tcp in the
access list. Specify the port using the eq operator. This access list should include only permit ACEs.
The source subnet mask used in the access list is also used for the mapped addresses. Policy NAT
does not consider the inactive or time-range keywords; all ACEs are considered to be active for
policy NAT configuration.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
• To configure regular static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the
options.
Note When configuring static PAT with FTP, you need to add entries for both TCP ports 20 and 21. You must
specify port 20 so that the source port for the active transfer is not modified to another port, which may
interfere with other devices that perform NAT on FTP traffic.
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance
outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the
following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0 eq telnet
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:
hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0 eq http
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
To redirect Telnet traffic from the security appliance outside interface (10.1.2.14) to the inside host at
10.1.1.15, enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
If you want to allow the preceding real Telnet server to initiate connections, though, then you need to
provide additional translation. For example, to translate all other types of traffic, enter the following
commands. The original static command provides translation for Telnet to the server, while the nat and
global commands provide PAT for outbound connections from the server.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
If you also have a separate translation for all inside traffic, and the inside hosts use a different mapped
address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the
same mapped address as the static statement that allows Telnet traffic to the server. You need to create
a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best
match, more exclusive nat statements are matched before general statements. The following example
shows the Telnet static statement, the more exclusive nat statement for initiated traffic from the Telnet
server, and the statement for other inside hosts, which uses a different mapped address.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 10.1.2.78
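The two selection rules described in this chapter, that the appliance uses dynamic NAT global statements first (in configuration order) and falls back to PAT global statements only when the pool is exhausted, and that regular nat statements are read for the best match so a host-specific statement beats a general one, as an added Python model that replays the Figure 17-18 configuration and the Telnet server example above. This is example code written for this page, not Cisco software or a Cisco API; it models only regular nat and global statements (no static, policy NAT or exemption, and translations never time out), and the mapped-port range handed out per PAT address is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Nat:
    """A regular 'nat (interface) nat_id real_ip mask' statement."""
    interface: str
    nat_id: int
    network: ipaddress.IPv4Network

@dataclass(frozen=True)
class Global:
    """A 'global (interface) nat_id first[-last]' statement; a single address is a PAT address."""
    interface: str
    nat_id: int
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    @property
    def is_pat(self) -> bool:
        return self.first == self.last

def nat(interface: str, nat_id: int, real_ip: str, mask: str) -> Nat:
    return Nat(interface, nat_id, ipaddress.IPv4Network(f"{real_ip}/{mask}"))

def glob(interface: str, nat_id: int, spec: str) -> Global:
    first, _, last = spec.partition("-")
    return Global(interface, nat_id, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first))

def best_nat(nats: List[Nat], interface: str, real_ip: ipaddress.IPv4Address) -> Optional[Nat]:
    """Regular nat statements are read for the best match: the most specific (longest mask)
    statement on the real interface that contains real_ip wins, whatever its position in the config."""
    hits = [n for n in nats if n.interface == interface and real_ip in n.network]
    return max(hits, key=lambda n: n.network.prefixlen, default=None)

class Translator:
    """Dynamic NAT/PAT state for one configuration made of nat and global statements."""
    FIRST_PORT, LAST_PORT = 1024, 65535  # assumption: mapped ports handed out per PAT address

    def __init__(self, nats: List[Nat], globals_: List[Global]) -> None:
        self.nats, self.globals = nats, globals_
        self.nat_xlate: Dict[Tuple[str, str], str] = {}                    # (real_if, real_ip) -> mapped_ip
        self.pat_xlate: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # per connection -> (mapped_ip, port)
        self.pat_next: Dict[str, int] = {}                                 # PAT address -> next free port

    def translate(self, real_if: str, real_ip: str, real_port: int, mapped_if: str) -> Optional[Tuple[str, int]]:
        """Outbound connection from a translated host; None means no nat/global pair applies."""
        host = (real_if, real_ip)
        if host in self.nat_xlate:                  # existing dynamic NAT xlate: address only, port unchanged
            return (self.nat_xlate[host], real_port)
        conn = (real_if, real_ip, real_port)
        if conn in self.pat_xlate:                  # existing PAT xlate for this connection
            return self.pat_xlate[conn]
        rule = best_nat(self.nats, real_if, ipaddress.IPv4Address(real_ip))
        if rule is None:
            return None
        pool = [g for g in self.globals if g.interface == mapped_if and g.nat_id == rule.nat_id]
        # 1. Dynamic NAT globals first, in configuration order, until every pool address is taken.
        taken = set(self.nat_xlate.values())
        for g in (g for g in pool if not g.is_pat):
            for n in range(int(g.first), int(g.last) + 1):
                mapped = str(ipaddress.IPv4Address(n))
                if mapped not in taken:
                    self.nat_xlate[host] = mapped
                    return (mapped, real_port)
        # 2. Then PAT globals, in configuration order; each address offers roughly 64,000 ports,
        #    so a second PAT statement only comes into play once the first one is exhausted.
        for g in (g for g in pool if g.is_pat):
            addr = str(g.first)
            port = self.pat_next.get(addr, self.FIRST_PORT)
            if port > self.LAST_PORT:
                continue
            self.pat_next[addr] = port + 1
            self.pat_xlate[conn] = (addr, port)
            return self.pat_xlate[conn]
        return None

def figure_17_18() -> Translator:
    """Figure 17-18: a two-address dynamic NAT pool backed by a PAT address on the same NAT ID."""
    return Translator(
        [nat("inside", 1, "10.1.2.0", "255.255.255.0")],
        [glob("outside", 1, "209.165.201.3-209.165.201.4"), glob("outside", 1, "209.165.201.5")],
    )

def telnet_server_example() -> Translator:
    """The nat/global statements of the Telnet server example (its static statement is out of scope):
    a host-specific nat 1 for the server and a general nat 2 for the rest of the inside network."""
    return Translator(
        [nat("inside", 1, "10.1.1.15", "255.255.255.255"), nat("inside", 2, "10.1.1.0", "255.255.255.0")],
        [glob("outside", 1, "10.1.2.14"), glob("outside", 2, "10.1.2.78")],
    )
```

The third host in the Figure 17-18 configuration receives the PAT address with a mapped port once 209.165.201.3 and .4 are taken, and in the Telnet server configuration 10.1.1.15 is sent to 10.1.2.14 while any other inside host goes to 10.1.2.78.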
To translate a well-known port (80) to another port (8080), enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255
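The static NAT and static PAT behaviour described in the two preceding sections, a translation that is always active so either side can originate connections, a subnet netmask that carries the host bits across (the .0 and .255 addresses included), and static PAT that matches only the configured protocol and port, as an added Python model built from the static statements shown in this chapter's examples. This is example code written for this page, not Cisco software; the match order among static statements is simply configuration order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    """One static statement. For static NAT the protocol and port fields are None;
    for static PAT they hold the protocol, the mapped port and the real port."""
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network   # mapped_ip under the netmask
    real: ipaddress.IPv4Network     # real_ip under the same netmask
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

def static(real_if: str, mapped_if: str, mapped_ip: str, real_ip: str, netmask: str = "255.255.255.255",
           proto: Optional[str] = None, mapped_port: Optional[int] = None,
           real_port: Optional[int] = None) -> Static:
    """Build a Static in CLI argument order: static (real_if,mapped_if) [proto] mapped [port] real [port] netmask."""
    return Static(real_if, mapped_if,
                  ipaddress.IPv4Network(f"{mapped_ip}/{netmask}", strict=False),
                  ipaddress.IPv4Network(f"{real_ip}/{netmask}", strict=False),
                  proto, mapped_port, real_port)

def _rebase(ip: ipaddress.IPv4Address, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Keep the host part of ip and move it from network src to network dst (same mask)."""
    return ipaddress.IPv4Address(int(dst.network_address) + (int(ip) - int(src.network_address)))

Hit = Tuple[str, str, Optional[int]]   # (interface on the other side, address there, port there)

def outbound(statics: List[Static], real_if: str, real_ip: str,
             proto: Optional[str] = None, real_port: Optional[int] = None) -> Optional[Hit]:
    """A translated host originates a connection: real -> mapped."""
    ip = ipaddress.IPv4Address(real_ip)
    for s in statics:
        if s.real_if != real_if or ip not in s.real:
            continue
        if s.proto is None:                                  # static NAT: every protocol and port
            return (s.mapped_if, str(_rebase(ip, s.real, s.mapped)), real_port)
        if (s.proto, s.real_port) == (proto, real_port):     # static PAT: only the configured port
            return (s.mapped_if, str(_rebase(ip, s.real, s.mapped)), s.mapped_port)
    return None

def inbound(statics: List[Static], mapped_if: str, mapped_ip: str,
            proto: Optional[str] = None, mapped_port: Optional[int] = None) -> Optional[Hit]:
    """A remote host originates a connection to the mapped address: undo the translation.
    The translation is always active, so no earlier outbound connection is needed."""
    ip = ipaddress.IPv4Address(mapped_ip)
    for s in statics:
        if s.mapped_if != mapped_if or ip not in s.mapped:
            continue
        if s.proto is None:
            return (s.real_if, str(_rebase(ip, s.mapped, s.real)), mapped_port)
        if (s.proto, s.mapped_port) == (proto, mapped_port):
            return (s.real_if, str(_rebase(ip, s.mapped, s.real)), s.real_port)
    return None

# Statements taken from the examples in this chapter.
STATICS: List[Static] = [
    static("inside", "outside", "209.165.201.12", "10.1.1.3"),              # host static NAT
    static("inside", "dmz", "10.1.1.0", "10.1.2.0", "255.255.255.0"),       # whole subnet
    static("inside", "outside", "10.1.2.45", "10.1.1.16", proto="tcp", mapped_port=80, real_port=8080),
]
```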
Bypassing NAT
This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control.
You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the “Bypassing
NAT When NAT Control is Enabled” section on page 17-9 for more information about these methods.
This section includes the following topics:
• Configuring Identity NAT, page 17-30
• Configuring Static Identity NAT, page 17-30
• Configuring NAT Exemption, page 17-32
Configuring Identity NAT
Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create
NAT translations, and responding traffic is allowed back.
Figure 17-24 shows a typical identity NAT scenario.
Figure 17-24 Identity NAT
Note If you change the NAT configuration, and you do not want to wait for existing translations to time out
before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
To configure identity NAT, enter the following command:
hostname(config)# nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the options.
For example, to use identity NAT for the inside 10.1.1.0/24 network, enter the following command:
hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0
Configuring Static Identity NAT
Static identity NAT translates the real IP address to the same IP address. The translation is always active,
and both “translated” and remote hosts can originate connections. Static identity NAT lets you use
regular NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when
determining the real addresses to translate (see the “Policy NAT” section on page 17-9 for more
information about policy NAT). For example, you can use policy static identity NAT for an inside address
when it accesses the outside interface and the destination is server A, but use a normal translation when
accessing the outside server B.
Figure 17-25 shows a typical static identity NAT scenario.
Figure 17-25 Static Identity NAT
Note If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static identity NAT, enter one of the following commands:
• To configure policy static identity NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) real_ip access-list acl_id [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List”
section on page 16-5). This access list should include only permit ACEs. Make sure the source
address in the access list matches the real_ip in this command. Policy NAT does not consider the
inactive or time-range keywords; all ACEs are considered to be active for policy NAT
configuration. See the “Policy NAT” section on page 17-9 for more information.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
• To configure regular static identity NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) real_ip real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Specify the same IP address for both real_ip arguments.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when
accessed by the outside:
hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
The following command uses static identity NAT for an outside address (209.165.201.15) when accessed
by the inside:
hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
The following static identity policy NAT example shows a single real address that uses identity NAT
when accessing one destination address, and a translation when accessing another:
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
Configuring NAT Exemption
NAT exemption exempts addresses from translation and allows both real and remote hosts to originate
connections. NAT exemption lets you specify the real and destination addresses when determining the
real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than
identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the access list.
Use static identity NAT if the ports in the access list need to be considered.
Figure 17-26 shows a typical NAT exemption scenario.
Figure 17-26 NAT Exemption
Note If you remove a NAT exemption configuration, existing connections that use NAT exemption are not
affected. To remove these connections, enter the clear local-host command.
To configure NAT exemption, enter the following command:
hostname(config)# nat (real_interface) 0 access-list acl_name [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the “Adding an Extended Access List” section
on page 16-5). This access list can include both permit ACEs and deny ACEs. Do not specify the real
and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption
considers the inactive and time-range keywords, but it does not support an ACL whose ACEs are all
inactive or time-range ACEs.
See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other
options.
By default, this command exempts traffic from inside to outside. If you want traffic from outside to
inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT
instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT
for the outside interface and want to exempt other traffic.
For example, to exempt an inside network when accessing any destination address, enter the following
command:
hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT
To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following
commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT
To exempt an inside address when accessing two different destination addresses, enter the following
commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1
NAT Examples
This section describes typical scenarios that use NAT solutions, and includes the following topics:
• Overlapping Networks, page 17-34
• Redirecting Ports, page 17-35
Overlapping Networks
In Figure 17-27, the security appliance connects two private networks with overlapping address ranges.
Figure 17-27 Using Outside NAT with Overlapping Networks
Two networks use an overlapping address space (192.168.100.0/24), but hosts on each network must
communicate (as allowed by access lists). Without NAT, when a host on the inside network tries to access
a host on the overlapping DMZ network, the packet never makes it past the security appliance, which
sees the packet as having a destination address on the inside network. Moreover, if the destination
address is being used by another host on the inside network, that host receives the packet.
To solve this problem, use NAT to provide non-overlapping addresses. If you want to allow access in
both directions, use static NAT for both networks. If you only want to allow the inside interface to access
hosts on the DMZ, then you can use dynamic NAT for the inside addresses, and static NAT for the DMZ
addresses you want to access. This example shows static NAT.
To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network
on the DMZ is not translated.
Step 1 Translate 192.168.100.0/24 on the inside to 10.1.2.0/24 when it accesses the DMZ by entering the
following command:
hostname(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0
Step 2 Translate the 192.168.100.0/24 network on the DMZ to 10.1.3.0/24 when it accesses the inside by
entering the following command:
hostname(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0
Step 3 Configure the following static routes so that traffic to the dmz network can be routed correctly by the
security appliance:
hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
[Figure 17-27 detail: the inside network 192.168.100.0/24 and the dmz network 192.168.100.0/24 overlap; the dmz network sits behind gateway router 10.1.1.2, and the security appliance DMZ interface is 10.1.1.1]
The security appliance already has a connected route for the inside network. These static routes allow
the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the
gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static
route with the exact same network as a connected route.) Alternatively, you could use a more broad route
for the DMZ traffic, such as a default route.
If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the
inside network, the following events occur:
1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
2. When the security appliance receives this packet, the security appliance translates the source address
from 192.168.100.2 to 10.1.3.2.
3. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and
the packet is forwarded.
Redirecting Ports
Figure 17-28 illustrates a typical network scenario in which the port redirection feature might be useful.
Figure 17-28 Port Redirection Using Static PAT
In the configuration described in this section, port redirection occurs for hosts on external networks as
follows:
• Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
• FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
• HTTP requests to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5.
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
[Figure 17-28 detail: outside addresses 209.165.201.25 (security appliance outside interface), 209.165.201.5 and 209.165.201.15 (PAT address); inside interface 10.1.1.1; Telnet server 10.1.1.6, FTP server 10.1.1.3, web servers 10.1.1.5 and 10.1.1.7]
To implement this scenario, perform the following steps:
Step 1 Configure PAT for the inside network by entering the following commands:
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15
Step 2 Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255
Step 3 Redirect FTP requests for IP address 209.165.201.5 to 10.1.1.3 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255
Step 4 Redirect HTTP requests for the security appliance outside interface address to 10.1.1.5 by entering the
following command:
hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255
Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering
the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
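The two procedures above (static NAT between the overlapping networks, and port redirection with static PAT) can be checked offline with a small model of the static rules. The following Python is an added example, not Cisco code: it parses the static commands shown above and applies them to a packet crossing from one interface to another. The outside interface address that the interface keyword stands for and the outside client address are constructed, the dynamic PAT of Step 1 (nat/global) is not modelled, and rules are matched in the order given rather than by the appliance's own precedence.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed lookup of the service names used in the commands above.
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "http": 80, "https": 443}
# Constructed from Figure 17-28: the outside interface address that the
# 'interface' keyword in Step 4 stands for.
INTERFACE_IP = {"outside": "209.165.201.25"}

@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]            # None for a network static, "tcp"/"udp" for static PAT
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_static(line: str) -> Static:
    """Parse 'static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] [netmask m]'."""
    toks = line.split("#", 1)[-1].split()
    if toks[0] != "static":
        raise ValueError(f"not a static command: {line}")
    real_if, mapped_if = toks[1].strip("()").split(",")
    i, proto = 2, None
    if toks[i] in ("tcp", "udp"):
        proto, i = toks[i], i + 1
    mapped_ip, i = toks[i], i + 1
    if mapped_ip == "interface":                # Step 4 uses the interface address itself
        mapped_ip = INTERFACE_IP[mapped_if]
    mapped_port = real_port = None
    if proto:
        mapped_port, i = _port(toks[i]), i + 1
    real_ip, i = toks[i], i + 1
    if proto:
        real_port, i = _port(toks[i]), i + 1
    mask = toks[i + 1] if i < len(toks) and toks[i] == "netmask" else "255.255.255.255"
    return Static(real_if, mapped_if, proto,
                  ipaddress.IPv4Network(f"{real_ip}/{mask}", strict=False),
                  ipaddress.IPv4Network(f"{mapped_ip}/{mask}", strict=False),
                  real_port, mapped_port)

def _shift(addr: str, src_net: ipaddress.IPv4Network, dst_net: ipaddress.IPv4Network) -> str:
    """Return the address at the same host offset in dst_net (network-to-network static)."""
    offset = int(ipaddress.IPv4Address(addr)) - int(src_net.network_address)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) + offset))

def translate(rules: List[Static], pkt: Packet, ingress: str, egress: str) -> Packet:
    """Apply the first matching static in each direction to a packet crossing ingress -> egress:
    the source is rewritten real -> mapped and the destination mapped -> real, which is the
    order of events in the overlapping-networks walk-through above."""
    for r in rules:
        if (r.real_if, r.mapped_if) == (ingress, egress) \
           and ipaddress.IPv4Address(pkt.src) in r.real \
           and (r.proto is None or (r.proto == pkt.proto and pkt.sport == r.real_port)):
            pkt = replace(pkt, src=_shift(pkt.src, r.real, r.mapped),
                          sport=r.mapped_port if r.proto else pkt.sport)
            break
    for r in rules:
        if (r.mapped_if, r.real_if) == (ingress, egress) \
           and ipaddress.IPv4Address(pkt.dst) in r.mapped \
           and (r.proto is None or (r.proto == pkt.proto and pkt.dport == r.mapped_port)):
            pkt = replace(pkt, dst=_shift(pkt.dst, r.mapped, r.real),
                          dport=r.real_port if r.proto else pkt.dport)
            break
    return pkt

# The static commands from the two procedures above, verbatim.
OVERLAP_RULES = [parse_static(cmd) for cmd in (
    "static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0",
    "static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0",
)]
REDIRECT_RULES = [parse_static(cmd) for cmd in (
    "static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255",
    "static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255",
    "static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255",
)]
```

Running translate(OVERLAP_RULES, Packet("192.168.100.2", "10.1.2.2"), "dmz", "inside") reproduces the three events listed above: the source becomes 10.1.3.2 and the destination 192.168.100.2.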
Chapter 18 Permitting or Denying Network Access
This chapter describes how to control network access through the security appliance using access lists.
To create an extended access list or an EtherType access list, see Chapter 16, “Identifying Traffic with
Access Lists.”
Note You use ACLs to control network access in both routed and transparent firewall modes. In transparent
mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
To access the security appliance interface for management access, you do not also need an access list
allowing the host IP address. You only need to configure management access according to Chapter 40,
“Managing System Access.”
This chapter includes the following sections:
• Inbound and Outbound Access List Overview, page 18-1
• Applying an Access List to an Interface, page 18-2
Inbound and Outbound Access List Overview
By default, all traffic from a higher-security interface to a lower-security interface is allowed. Access
lists let you either allow traffic from lower-security interfaces, or restrict traffic from higher-security
interfaces.
The security appliance supports two types of access lists:
• Inbound—Inbound access lists apply to traffic as it enters an interface.
• Outbound—Outbound access lists apply to traffic as it exits an interface.
Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the security appliance on an interface or traffic exiting the security appliance on an interface.
These terms do not refer to the movement of traffic from a lower security interface to a higher security
interface, commonly known as inbound, or from a higher to lower interface, commonly known as
outbound.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts
(see Figure 18-1). See the “IP Addresses Used for Access Lists When You Use NAT” section on
page 16-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts
from reaching the outside network.
Figure 18-1 Outbound Access List
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4
host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6
host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8
host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside
Applying an Access List to an Interface
To apply an extended access list to the inbound or outbound direction of an interface, enter the following
command:
hostname(config)# access-group access_list_name {in | out} interface interface_name
[per-user-override]
You can apply one access list of each type (extended and EtherType) to both directions of the interface.
See the “Inbound and Outbound Access List Overview” section on page 18-1 for more information about
access list directions.
[Figure 18-1 detail: Inside, HR and Eng networks behind the security appliance, with static NAT 10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6 and 10.1.3.34 to 209.165.201.8; each inside interface has an inbound ACL permitting any to any; the outbound ACL on the outside interface permits HTTP from 209.165.201.4, 209.165.201.6 and 209.165.201.8 to web server 209.165.200.225 and denies all others]
The per-user-override keyword allows dynamic access lists that are downloaded for user authorization
to override the access list assigned to the interface. For example, if the interface access list denies all
traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic
access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization”
section for more information about per-user access lists. The per-user-override keyword is only
available for inbound access lists.
For connectionless protocols, you need to apply the access list to the source and destination interfaces
if you want traffic to pass in both directions.
The following example illustrates the commands required to enable access to an inside web server with
the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
hostname(config)# access-group ACL_OUT in interface outside
You also need to configure NAT for the web server.
The following access lists allow any hosts to communicate between the inside and hr networks, but only
specific hosts (209.168.200.3 and 209.168.200.4) to access the outside network, as shown in the last line
below:
hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside
For example, the following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following access list allows some EtherTypes through the security appliance, but denies all others:
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 0x1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside
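The extended and EtherType access lists in this section can be checked offline before they are applied. The following Python is an added example, not Cisco code: it parses access-list and access-group lines like the ones above and evaluates a flow the way the text describes (first match wins, an implicit deny ends every list, the inbound list is checked on the ingress interface and the outbound list on the egress interface, and without an inbound list only higher- to lower-security traffic passes). Interface security levels and the sample flows are constructed, and addresses are the mapped addresses the access list sees after NAT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lookup for the service names used in the examples above.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "https": 443}
ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    kind: str                       # "extended" or "ethertype"
    proto: str                      # extended: ip/tcp/udp; ethertype: keyword, hex value or "any"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None     # from "eq <port>"; None matches every port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

def _addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A MASK' at toks[i]; return the network and the next index."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2

class Firewall:
    """Named access lists plus access-group bindings; interface security levels are constructed."""

    def __init__(self, levels: Dict[str, int]):
        self.levels = levels
        self.acls: Dict[str, List[Ace]] = {}
        self.bound: Dict[Tuple[str, str, str], str] = {}   # (interface, in|out, kind) -> ACL name

    def configure(self, line: str) -> None:
        """Accept one access-list or access-group line, with or without the hostname(config)# prompt."""
        toks = line.split("#", 1)[-1].split()
        if toks[0] == "access-list":
            name, kind, action = toks[1], toks[2], toks[3]
            if kind == "ethertype":
                ace = Ace(action, kind, toks[4].lower())
            else:
                src, i = _addr(toks, 5)
                dst, i = _addr(toks, i)
                dport = None
                if i < len(toks) and toks[i] == "eq":
                    dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
                ace = Ace(action, kind, toks[4], src, dst, dport)
            self.acls.setdefault(name, []).append(ace)
        elif toks[0] == "access-group":
            name, direction, iface = toks[1], toks[2], toks[4]
            self.bound[(iface, direction, self.acls[name][0].kind)] = name
        else:
            raise ValueError(f"unsupported line: {line}")

    def _extended(self, name: str, f: Flow) -> bool:
        """First match wins; falling off the end of the list is the implicit deny."""
        for a in self.acls[name]:
            if a.proto in ("ip", f.proto) \
               and ipaddress.IPv4Address(f.src) in a.src \
               and ipaddress.IPv4Address(f.dst) in a.dst \
               and (a.dport is None or a.dport == f.dport):
                return a.action == "permit"
        return False

    def permits(self, f: Flow, ingress: str, egress: str) -> bool:
        """Inbound ACL on the ingress interface, then outbound ACL on the egress interface."""
        inbound = self.bound.get((ingress, "in", "extended"))
        if inbound is not None:
            if not self._extended(inbound, f):
                return False
        elif self.levels[ingress] <= self.levels[egress]:
            return False    # no inbound ACL: only higher- to lower-security traffic passes by default
        outbound = self.bound.get((egress, "out", "extended"))
        return outbound is None or self._extended(outbound, f)

    def permits_ethertype(self, ethertype: str, ingress: str) -> bool:
        """EtherType ACL bound inbound on the ingress interface; implicit deny when nothing matches."""
        name = self.bound.get((ingress, "in", "ethertype"))
        for a in self.acls.get(name, []):
            if a.proto in ("any", ethertype.lower()):
                return a.action == "permit"
        return False

def figure_18_1() -> Firewall:
    """The outbound access list of Figure 18-1, written in the mapped addresses the ACL sees."""
    fw = Firewall({"inside": 100, "hr": 100, "eng": 100, "outside": 0})
    for cmd in (
        "access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www",
        "access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www",
        "access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www",
        "access-group OUTSIDE out interface outside",
    ):
        fw.configure(cmd)
    return fw
```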
Chapter 19 Applying AAA for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access.
For information about AAA for management access, see the “Configuring AAA for System
Administrators” section on page 40-5.
This chapter contains the following sections:
• AAA Performance, page 19-1
• Configuring Authentication for Network Access, page 19-1
• Configuring Authorization for Network Access, page 19-6
• Configuring Accounting for Network Access, page 19-13
• Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page 19-14
AAA Performance
The security appliance uses “cut-through proxy” to significantly improve performance compared to a
traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every
packet at the application layer of the OSI model. The security appliance cut-through proxy challenges a
user initially at the application layer and then authenticates against standard AAA servers or the local
database. After the security appliance authenticates the user, it shifts the session flow, and all traffic
flows directly and quickly between the source and destination while maintaining session state
information.
Configuring Authentication for Network Access
This section includes the following topics:
• Authentication Overview, page 19-2
• Enabling Network Access Authentication, page 19-3
• Enabling Secure Authentication of Web Clients, page 19-5
• Authenticating Directly with the Security Appliance, page 19-6
Authentication Overview
The security appliance lets you configure network access authentication using AAA servers. This section
includes the following topics:
• One-Time Authentication, page 19-2
• Applications Required to Receive an Authentication Challenge, page 19-2
• Security Appliance Authentication Prompts, page 19-2
• Static PAT and HTTP, page 19-3
• Enabling Network Access Authentication, page 19-3
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the Cisco Security Appliance
Command Reference for timeout values.) For example, if you configure the security appliance to
authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the
authentication session exists, the user does not also have to authenticate for FTP.
Applications Required to Receive an Authentication Challenge
Although you can configure the security appliance to require authentication for network access to any
protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must
first authenticate with one of these services before the security appliance allows other traffic requiring
authentication.
The authentication ports that the security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
Security Appliance Authentication Prompts
For Telnet and FTP, the security appliance generates an authentication prompt.
For HTTP, the security appliance uses basic HTTP authentication by default, and provides an
authentication prompt. You can optionally configure the security appliance to redirect users to an
internal web page where they can enter their username and password (configured with the aaa
authentication listener command).
For HTTPS, the security appliance generates a custom login screen. You can optionally configure the
security appliance to redirect users to an internal web page where they can enter their username and
password (configured with the aaa authentication listener command).
Redirection is an improvement over the basic method because it provides an improved user experience
when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and
firewall modes. It also supports authenticating directly with the security appliance.
You might want to continue to use basic HTTP authentication if:
• You do not want the security appliance to open listening ports.
• You use NAT on a router and you do not want to create a translation rule for the web page served by the security appliance.
• Basic HTTP authentication might work better with your network. For example, non-browser applications, such as a URL embedded in an email, might be more compatible with basic authentication.
After you authenticate correctly, the security appliance redirects you to your original destination. If the
destination server also has its own authentication, the user enters another username and password. If you
use basic HTTP authentication and need to enter another username and password for the destination
server, then you need to configure the virtual http command.
Note If you use HTTP authentication without using the aaa authentication secure-http-client command, the
username and password are sent from the client to the security appliance in clear text. We recommend
that you use the aaa authentication secure-http-client command whenever you enable HTTP
authentication. For more information about the aaa authentication secure-http-client command, see
the “Enabling Secure Authentication of Web Clients” section on page 19-5.
For FTP, a user has the option of entering the security appliance username followed by an at sign (@)
and then the FTP username (name1@name2). For the password, the user enters the security appliance
password followed by an at sign (@) and then the FTP password (password1@password2). For example,
enter the following text.
name> jamiec@jchrichton
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).
Static PAT and HTTP
For HTTP authentication, the security appliance checks real ports when static PAT is configured. If it
detects traffic destined for real port 80, regardless of the mapped port, the security appliance intercepts
the HTTP connection and enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant
access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and
enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the
security appliance allows HTTP connection to complete.
If the local port is different than port 80, as in the following example:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
Then users do not see the authentication page. Instead, the security appliance sends to the web browser
an error message indicating that the user must be authenticated prior to using the requested service.
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:
Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA
servers, continue to the next step.
For more information about identifying AAA servers, see the “Identifying AAA Server Groups and
Servers” section on page 13-12.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authenticate. For steps, see the “Adding an Extended Access List”
section on page 16-5.
The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic
from authentication. Be sure to include the destination ports for either HTTP, HTTPS, Telnet, or FTP in
the access list because the user must authenticate with one of these services before other services are
allowed through the security appliance.
Step 3 To configure authentication, enter the following command:
hostname(config)# aaa authentication match acl_name interface_name server_group
Where acl_name is the name of the access list you created in Step 2, interface_name is the name of the
interface as specified with the nameif command, and server_group is the AAA server group you created
in Step 1.
Note You can alternatively use the aaa authentication include command (which identifies traffic within the
command). However, you cannot use both methods in the same configuration. See the Cisco Security
Appliance Command Reference for more information.
Step 4 (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter
the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum] redirect
where the interface_name argument is the interface on which you want to enable listening ports.
The port portnum argument specifies the port number that the security appliance listens on; the defaults
are 80 (HTTP) and 443 (HTTPS).
Enter this command separately for HTTP and for HTTPS.
Step 5 (Optional) If you are using the local database for network access authentication and you want to limit
the number of consecutive failed login attempts that the security appliance allows any given user
account, use the following command:
hostname(config)# aaa local authentication attempts max-fail number
Where number is between 1 and 16.
For example:
hostname(config)# aaa local authentication attempts max-fail 7
Tip To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.
For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
hostname(config)# aaa authentication listener http inside redirect
The following commands authenticate Telnet traffic from the outside interface to a particular server
(209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound
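The authentication behaviour this section describes can be summarised in a small model. The following Python is an added example, not Cisco code: it models the fixed challenge ports, one-time authentication per source IP until the uauth timeout expires, the single-use behaviour under timeout uauth 0, the local max-fail lockout and its clearing, the redirection to an HTTPS prompt when secure-http-client is enabled, and the name1@name2 credential splitting used for FTP through cascaded firewalls. The local user database, the timings and the decision strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The fixed ports on which the appliance can issue an authentication challenge.
AUTH_PORTS = {21: "ftp", 23: "telnet", 80: "http", 443: "https"}

@dataclass
class Session:
    user: str
    expires: float      # absolute time of expiry (seconds)
    used: bool = False  # only consulted under 'timeout uauth 0'

@dataclass
class CutThroughProxy:
    """Constructed model of the authentication side of the cut-through proxy."""
    users: Dict[str, str]                 # local database, username -> password (constructed)
    uauth_timeout: float = 5 * 60.0       # 'timeout uauth' in seconds; 0 = authenticate each connection
    max_fail: Optional[int] = None        # 'aaa local authentication attempts max-fail'
    secure_http_client: bool = False      # 'aaa authentication secure-http-client'
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by source IP
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, src_ip: str, username: str, password: str, now: float) -> bool:
        """Authenticate a source IP against the local database, honouring the lockout counter."""
        if username in self.locked or self.users.get(username) != password:
            self.failures[username] = self.failures.get(username, 0) + 1
            if self.max_fail is not None and self.failures[username] >= self.max_fail:
                self.locked.add(username)
            return False
        self.failures[username] = 0
        self.sessions[src_ip] = Session(username, now + self.uauth_timeout)
        return True

    def clear_lockout(self, username: Optional[str] = None) -> None:
        """'clear aaa local user lockout' for one user, or for all users when no name is given."""
        for u in [username] if username else list(self.locked):
            self.locked.discard(u)
            self.failures.pop(u, None)

    def _valid(self, s: Session, now: float) -> bool:
        if self.uauth_timeout == 0:
            return not s.used       # 'timeout uauth 0': the entry covers a single connection
        return now < s.expires

    def decide(self, src_ip: str, real_dport: int, now: float) -> str:
        """Decision for a connection matching the 'aaa authentication match' access list.
        real_dport is the port after static PAT, because the appliance checks real ports."""
        s = self.sessions.get(src_ip)
        if s is not None and self._valid(s, now):
            s.used = True
            return f"pass as {s.user}"          # one-time authentication covers every rule and type
        if real_dport == 80 and self.secure_http_client:
            return "redirect to HTTPS prompt"
        if real_dport in AUTH_PORTS:
            return f"challenge via {AUTH_PORTS[real_dport]}"
        return "deny: user must authenticate with FTP, Telnet, HTTP or HTTPS first"

def split_cascaded(name: str, password: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Split 'name1@name2' / 'password1@password2': the first pair is for this appliance and
    the remainder is passed on to the next login (FTP through cascaded firewalls)."""
    n1, _, n_rest = name.partition("@")
    p1, _, p_rest = password.partition("@")
    return (n1, p1), (n_rest, p_rest)
```

With uauth_timeout set to 1 the model also shows the one-second window the secure-http-client limitations describe: any connection from the same source IP within that second passes without a challenge.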
Enabling Secure Authentication of Web Clients
The security appliance provides a method of securing HTTP authentication. Without securing HTTP
authentication, usernames and passwords from the client to the security appliance would be passed as
clear text. By using the aaa authentication secure-http-client command, you enable the exchange of
usernames and passwords between a web client and the security appliance with HTTPS.
After you enable this feature, when a user who requires authentication uses HTTP, the security appliance
redirects the HTTP user to an HTTPS prompt. After you authenticate correctly, the security appliance
redirects you to the original HTTP URL.
To enable secure authentication of web clients, enter the following command:
hostname(config)# aaa authentication secure-http-client
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not succeed.
• When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication might
not work. If a browser initiates multiple TCP connections to load a web page after HTTPS
authentication, the first connection is let through, but the subsequent connections trigger
authentication. As a result, users are continuously presented with an authentication page, even if the
correct username and password are entered each time. To work around this, set the uauth timeout
to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second
window of opportunity that might allow non-authenticated users to go through the firewall if they
are coming from the same source IP address.
• Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list
command statement to block traffic from the HTTP client to HTTP server on port 443. Furthermore,
if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In
the following example, the first line configures static PAT for web traffic and the second line must
be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443
Authenticating Directly with the Security Appliance
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to
authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP,
HTTPS, or Telnet.
This section includes the following topics:
• Enabling Direct Authentication Using HTTP and HTTPS, page 19-6
• Enabling Direct Authentication Using Telnet, page 19-6
Enabling Direct Authentication Using HTTP and HTTPS
If you enabled the redirect method of HTTP and HTTPS authentication in the “Enabling Network Access
Authentication” section on page 19-3, then you also automatically enabled direct authentication. If you
want to continue to use basic HTTP authentication, but want to enable direct authentication for HTTP
and HTTPS, then enter the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum]
where the interface_name argument is the interface on which you want to enable direct authentication.
The port portnum argument specifies the port number that the security appliance listens on; the defaults
are 80 (HTTP) and 443 (HTTPS).
Enter this command separately for HTTP and for HTTPS.
You can authenticate directly with the security appliance at the following URLs when you enable AAA
for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html
Enabling Direct Authentication Using Telnet
To enable direct authentication with Telnet, configure a virtual Telnet server. With virtual Telnet, the user
Telnets to a given IP address configured on the security appliance, and the security appliance provides a
Telnet prompt. To configure a virtual Telnet server, enter the following command:
hostname(config)# virtual telnet ip_address
where the ip_address argument sets the IP address for the virtual Telnet server. Make sure this address
is an unused address that is routed to the security appliance. For example, if you perform NAT for inside
addresses when they access the outside, and you want to provide outside access to the virtual Telnet
server, you can use one of the global NAT addresses for the virtual Telnet server address.
Configuring Authorization for Network Access
After a user authenticates for a given connection, the security appliance can use authorization to further
control traffic from the user.
This section includes the following topics:
• Configuring TACACS+ Authorization, page 19-7
• Configuring RADIUS Authorization, page 19-8
Configuring TACACS+ Authorization
You can configure the security appliance to perform network access authorization with TACACS+. You
identify the traffic to be authorized by specifying access lists that authorization rules must match.
Alternatively, you can identify the traffic directly in authorization rules themselves.
Tip Using access lists to identify traffic to be authorized can greatly reduce the number of authorization
commands you must enter. This is because each authorization rule you enter can specify only one source
and destination subnet and service, whereas an access list can include many entries.
Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization statement will be denied. For authorization to succeed, a user must first
authenticate with the security appliance. Because a user at a given IP address only needs to authenticate
one time for all rules and types, if the authentication session hasn’t expired, authorization can occur even
if the traffic is matched by an authentication statement.
After a user authenticates, the security appliance checks the authorization rules for matching traffic. If
the traffic matches the authorization statement, the security appliance sends the username to the
TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for
that traffic, based on the user profile. The security appliance enforces the authorization rule in the
response.
See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
To configure TACACS+ authorization, perform the following steps:
Step 1 Enable authentication. For more information, see the “Enabling Network Access Authentication” section
on page 19-3. If you have already enabled authentication, continue to the next step.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want to authorize. For steps, see the “Adding an Extended Access List” section
on page 16-5.
The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic
from authorization. The access list you use for authorization matching should contain rules that are equal
to or a subset of the rules in the access list used for authentication matching.
Note If you have configured authentication and want to authorize all the traffic being authenticated,
you can use the same access list you created for use with the aaa authentication match
command.
Step 3 To enable authorization, enter the following command:
hostname(config)# aaa authorization match acl_name interface_name server_group
where acl_name is the name of the access list you created in Step 2, interface_name is the name of the
interface as specified with the nameif command or by default, and server_group is the AAA server group
you created when you enabled authentication.
Note Alternatively, you can use the aaa authorization include command (which identifies traffic
within the command) but you cannot use both methods in the same configuration. See the Cisco
Security Appliance Command Reference for more information.
The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
“Configuring Authentication for Network Access” section on page 19-1.
When you configure the security appliance to authenticate users for network access, you are also
implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the security appliance. It does provide information about how the
security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the security appliance or an access list
name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
Note If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by user-specific access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
• With the per-user-override keyword, the user-specific access list determines what is permitted.
For more information, see the access-group command entry in the Cisco Security Appliance Command
Reference.
This section includes the following topics:
• Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-9
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-12
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
• About the Downloadable Access List Feature and Cisco Secure ACS, page 19-9
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-10
• Configuring Any RADIUS Server for Downloadable Access Lists, page 19-11
• Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-12
About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists are the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. They provide the following capabilities:
• Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the security appliance.
• Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
security appliances.
This approach is most useful when you have very large access list sets that you want to apply to more
than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and
group management makes it useful for access lists of any size.
The security appliance receives downloadable access lists from Cisco Secure ACS using the following
process:
1. The security appliance sends a RADIUS authentication request packet for the user session.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that contains the internal name of the applicable downloadable access list.
The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) contains the following
attribute-value pair to identify the downloadable access list set:
ACS:CiscoSecure-Defined-ACL=acl-set-name
where acl-set-name is the internal name of the downloadable access list, which is a combination of
the name assigned to the access list by the Cisco Secure ACS administrator and the date and time
that the access list was last modified.
3. The security appliance examines the name of the downloadable access list and determines if it has
previously received the named downloadable access list.
– If the security appliance has previously received the named downloadable access list,
communication with Cisco Secure ACS is complete and the security appliance applies the
access list to the user session. Because the name of the downloadable access list includes the
date and time it was last modified, a match between the name sent by Cisco Secure ACS and the
name of a previously downloaded access list means that the security appliance already has the
most recent version of the downloadable access list.
– If the security appliance has not previously received the named downloadable access list, it may
have an out-of-date version of the access list or it may not have downloaded any version of the
access list. In either case, the security appliance issues a RADIUS authentication request using
the downloadable access list name as the username in the RADIUS request and a null password
attribute. In a cisco-av-pair RADIUS VSA, the request also includes the following
attribute-value pairs:
AAA:service=ip-admission
AAA:event=acl-download
In addition, the security appliance signs the request with the Message-Authenticator attribute
(IETF RADIUS attribute 80), an HMAC-MD5 over the packet keyed with the RADIUS shared secret.
4. Upon receipt of a RADIUS authentication request that has a username attribute containing the name
of a downloadable access list, Cisco Secure ACS authenticates the request by checking the
Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect,
Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute
prevents malicious use of a downloadable access list name to gain unauthorized network access. The
Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions,
available at http://www.ietf.org.
5. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds
with an access-accept message containing the access list. The largest access list that can fit in a
single access-accept message is slightly less than 4 KB because some of the message must be other
required attributes.
Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access
list is formatted as a series of attribute-value pairs that each contain an ACE and are numbered
serially:
ip:inacl#1=ACE-1
ip:inacl#2=ACE-2
.
.
.
ip:inacl#n=ACE-n
An example of an attribute-value pair follows:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that contains a portion of the access list, formatted as described
above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.
The security appliance stores the portion of the access list received and responds with another
access-request message containing the same attributes as the first request for the downloadable
access list plus a copy of the State attribute received in the access-challenge message.
This repeats until Cisco Secure ACS sends the last of the access list in an access-accept message.
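The request and check in steps 3 and 4 above, as an added example that is not part of the original guide or of any Cisco code: it encodes the Access-Request the appliance sends to fetch a downloadable access list (the ACL name as User-Name, a null User-Password, the two AAA av-pairs in cisco-av-pair VSAs), computes the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869), and performs the server-side verification that ignores a request whose attribute 80 is missing or wrong. Attribute encoding follows RFC 2865; the shared secret and the Request Authenticator are constructed values, not anything from the guide.

```python
"""Build and verify the RADIUS Access-Request used to fetch a downloadable ACL.

Packet layout per RFC 2865; Message-Authenticator per RFC 2869 section 5.14
(HMAC-MD5 keyed with the shared secret, computed with the attribute value zeroed).
The shared secret and Request Authenticator used below are constructed test values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_CISCO = 9   # Cisco IOS VSA: Vendor-Id 9 ...
CISCO_AVPAIR = 1   # ... Vendor-Type 1 is cisco-av-pair


def attribute(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a cisco-av-pair string as a Vendor-Specific attribute (vendor 9, vendor-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding; an empty password still yields one 16-byte block."""
    length = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(length, b"\0")
    out, prev = b"", authenticator
    for i in range(0, length, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_acl_download_request(acl_name, secret, identifier=1, authenticator=None):
    """Step 3: ACL name as User-Name, null password, the two AAA av-pairs, then sign it."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, acl_name.encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(b"", secret, authenticator))
        + cisco_avpair("AAA:service=ip-admission")
        + cisco_avpair("AAA:event=acl-download")
        + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\0" * 16)  # zeroed while the HMAC is computed
    )
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # Message-Authenticator is the last attribute, so its value is the final 16 bytes
    return packet[:-16] + mac


def iter_attributes(packet):
    """Yield (type, offset, value) for each attribute; reject truncated or zero-length ones."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret):
    """Step 4 on the server: missing or wrong attribute 80 means the request is ignored."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for attr_type, pos, value in iter_attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:pos + 2] + b"\0" * 16 + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False


def cisco_avpairs(packet):
    """Extract the cisco-av-pair strings carried in Vendor-Specific attributes."""
    pairs = []
    for attr_type, _, value in iter_attributes(packet):
        if attr_type == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", VENDOR_CISCO):
            pos = 4
            while pos + 2 <= len(value):
                sub_type, sub_len = value[pos], value[pos + 1]
                if sub_len < 2:
                    break
                if sub_type == CISCO_AVPAIR:
                    pairs.append(value[pos + 2:pos + sub_len].decode())
                pos += sub_len
    return pairs


if __name__ == "__main__":
    secret = b"constructed-radius-secret"
    req = build_acl_download_request("#ACSACL#-ip-asa-acs_ten_acl-3b5385f7", secret)
    print(cisco_avpairs(req), verify_message_authenticator(req, secret))
```

Flipping any byte after signing, or presenting the same attributes without attribute 80, fails the check: knowing a downloadable access list name is not enough to pull the list without the shared secret, which is the property the guide describes.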
Configuring Cisco Secure ACS for Downloadable Access Lists
You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.
The access list definition consists of one or more security appliance commands that are similar to the
extended access-list command (see the “Adding an Extended Access List” section on page 16-5), except
without the following prefix:
access-list acl_name extended
The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:
Shared Profile Components > Downloadable IP ACLs Content
Name: acs_ten_acl
ACL Definitions:
permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253
permit udp any host 10.0.0.253
permit icmp any host 10.0.0.253
permit tcp any host 10.0.0.252
permit udp any host 10.0.0.252
permit icmp any host 10.0.0.252
permit ip any any
For more information about creating downloadable access lists and associating them with users, see the
user guide for your version of Cisco Secure ACS.
On the security appliance, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number
The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding
example), and number is a unique version ID generated by Cisco Secure ACS.
The downloaded access list on the security appliance consists of the following lines:
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252
access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit ip any any
Configuring Any RADIUS Server for Downloadable Access Lists
You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific
access lists to the security appliance in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1).
In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended
command (see the “Adding an Extended Access List” section on page 16-5), except that you replace the
following command prefix:
access-list acl_name extended
with the following text:
ip:inacl#nnn=
The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command
statement to be configured on the security appliance. If this parameter is omitted, the sequence value is
0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used.
The following example is an access list definition as it should be configured for a cisco-av-pair VSA on
a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#99=deny tcp any any
ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#100=deny udp any any
ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
For information about making the access lists sent in the cisco-av-pair attribute unique per user,
see the documentation for your RADIUS server.
On the security appliance, the downloaded access list name has the following format:
AAA-user-username
The username argument is the name of the user that is being authenticated.
The downloaded access list on the security appliance consists of the following lines. Notice the order
based on the numbers identified on the RADIUS server.
access-list  AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 deny tcp any any
access-list  AAA-user-bcham34-79AD4A08 deny udp any any
Downloaded access lists have two spaces between the word “access-list” and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is
a hash value generated by the security appliance to help determine when access list definitions have
changed on the RADIUS server.
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 Series Concentrators as well
as to the security appliance, you may need the security appliance to convert wildcard netmask
expressions to standard netmask expressions. This is because Cisco VPN 3000 Series Concentrators
support wildcard netmask expressions but the security appliance only supports standard netmask
expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize
the effects of these differences upon how you configure downloadable access lists on your RADIUS
servers. Translation of wildcard netmask expressions means that downloadable access lists written for
Cisco VPN 3000 Series Concentrators can be used by the security appliance without altering the
configuration of the downloadable access lists on the RADIUS server.
You configure access list netmask conversion on a per server basis, using the acl-netmask-convert
command, available in the AAA-server configuration mode. For more information about configuring a
RADIUS server, see “Identifying AAA Server Groups and Servers” section on page 13-12. For more
information about the acl-netmask-convert command, see the Cisco Security Appliance Command
Reference.
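An added example (not from the guide or from any Cisco code) covering the two preceding subsections: it parses ip:inacl#nnn= av-pairs, orders them by sequence number (an omitted number counts as 0 and ties keep VSA order), emits the AAA-user-username-hash lines with the two-space separator, and applies netmask conversion in the three modes acl-netmask-convert offers. Two assumptions: the appliance's hash function is not documented, so CRC32 over the ACE text stands in for it, and the auto-detect rule used here (flip a mask only when it is not a valid standard netmask but its inverse is; leave ambiguous values such as 0.0.0.0 alone) is a simplification of the appliance's behaviour.

```python
"""Reassemble a per-user ACL from ip:inacl# av-pairs and render it as the appliance would.

CRC32 stands in for the appliance's undocumented hash (assumption); the auto-detect
netmask rule is a simplification of acl-netmask-convert (assumption).
"""
import re
import zlib
from ipaddress import IPv4Address

AVPAIR_RE = re.compile(r"^ip:inacl(?:#(\d+))?=(.+)$")
ADDR_MASK_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_inacl_pairs(pairs):
    """Return (sequence, ACE) tuples; an omitted #nnn means sequence 0."""
    entries = []
    for text in pairs:
        m = AVPAIR_RE.match(text.strip())
        if not m:
            raise ValueError(f"not an ip:inacl av-pair: {text!r}")
        seq = int(m.group(1)) if m.group(1) is not None else 0
        if seq > 999999999:
            raise ValueError(f"sequence number out of range: {seq}")
        entries.append((seq, m.group(2).strip()))
    return entries


def is_standard_mask(mask):
    """A standard netmask is a run of ones followed by zeros (its complement is 2^n - 1)."""
    inv = mask ^ 0xFFFFFFFF
    return inv & (inv + 1) == 0


def convert_mask(mask_text, mode):
    """Return the mask to configure for the given acl-netmask-convert mode."""
    mask = int(IPv4Address(mask_text))
    inverted = str(IPv4Address(mask ^ 0xFFFFFFFF))
    if mode == "standard":
        return mask_text
    if mode == "wildcard":
        return inverted
    if mode != "auto-detect":
        raise ValueError(f"unknown mode: {mode}")
    # flip only masks that are not valid standard masks but whose inverse is;
    # ambiguous values such as 0.0.0.0 and 255.255.255.255 are left untouched
    if not is_standard_mask(mask) and is_standard_mask(mask ^ 0xFFFFFFFF):
        return inverted
    return mask_text


def convert_ace(ace, mode="auto-detect"):
    """Apply convert_mask to every 'address mask' pair in an ACE."""
    return ADDR_MASK_RE.sub(lambda m: f"{m.group(1)} {convert_mask(m.group(2), mode)}", ace)


def render_downloaded_acl(username, pairs, netmask_mode="standard"):
    """Order the ACEs and emit access-list lines under the AAA-user-<username>-<hash> name."""
    entries = parse_inacl_pairs(pairs)
    entries.sort(key=lambda e: e[0])  # stable sort: equal sequence numbers keep VSA order
    aces = [convert_ace(ace, netmask_mode) for _, ace in entries]
    digest = zlib.crc32("\n".join(aces).encode()) & 0xFFFFFFFF  # stand-in for the appliance hash
    name = f"AAA-user-{username}-{digest:08X}"
    # two spaces after "access-list" mark the entry as downloaded rather than local
    return [f"access-list  {name} {ace}" for ace in aces]


if __name__ == "__main__":
    sample = ["ip:inacl#1=permit tcp 10.1.0.0 0.0.255.255 any", "ip:inacl#99=deny ip any any"]
    print("\n".join(render_downloaded_acl("bcham34", sample, "auto-detect")))
```

The hash changes whenever an ACE is added, removed or edited, which is how the appliance notices that the definition on the RADIUS server has changed without comparing the whole list.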
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the security appliance from the
RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute
number 11) as follows:
filter-id=acl_name
Note In Cisco Secure ACS, the value for a filter-id attribute is specified in a box in the HTML interface;
omit filter-id= and enter only acl_name.
For information about making the filter-id attribute value unique per user, see the documentation for
your RADIUS server.
See the “Adding an Extended Access List” section on page 16-5 to create an access list on the security
appliance.
Configuring Accounting for Network Access
The security appliance can send accounting information to a RADIUS or TACACS+ server about any
TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then
the AAA server can maintain accounting information by username. If the traffic is not authenticated, the
AAA server can maintain accounting information by IP address. Accounting information includes when
sessions start and stop, username, the number of bytes that pass through the security appliance for the
session, the service used, and the duration of each session.
To configure accounting, perform the following steps:
Step 1 If you want the security appliance to provide accounting data per user, you must enable authentication.
For more information, see the “Enabling Network Access Authentication” section on page 19-3. If you
want the security appliance to provide accounting data per IP address, enabling authentication is not
necessary and you can continue to the next step.
Step 2 Using the access-list command, create an access list that identifies the source addresses and destination
addresses of traffic you want accounted. For steps, see the “Adding an Extended Access List” section on
page 16-5.
The permit ACEs mark matching traffic for accounting, while deny entries exclude matching traffic
from accounting.
Note If you have configured authentication and want accounting data for all the traffic being
authenticated, you can use the same access list you created for use with the aaa authentication
match command.
Step 3 To enable accounting, enter the following command:
hostname(config)# aaa accounting match acl_name interface_name server_group
Note Alternatively, you can use the aaa accounting include command (which identifies traffic within
the command) but you cannot use both methods in the same configuration. See the Cisco
Security Appliance Command Reference for more information.
The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to
servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires
authorization and accounting.
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
The security appliance can exempt from authentication and authorization any traffic from specific MAC
addresses. For example, if the security appliance authenticates TCP traffic originating on a particular
network but you want to allow unauthenticated TCP connections from a specific server, you would use
a MAC exempt rule to exempt from authentication and authorization any traffic from the server specified
by the rule.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:
Step 1 To configure a MAC list, enter the following command:
hostname(config)# mac-list id {deny | permit} mac macmask
Where the id argument is the hexadecimal number that you assign to the MAC list. To group a set of
MAC addresses, enter the mac-list command as many times as needed with the same ID value. Because
you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC
addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match
scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit entry.
The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is,
nnnn.nnnn.nnnn.
The macmask argument specifies the portion of the MAC address that should be used for matching. For
example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following
command:
hostname(config)# aaa mac-exempt match id
Where id is the string identifying the MAC list containing the MAC addresses whose traffic is to be
exempt from authentication and authorization. You can only enter one instance of the aaa mac-exempt
command.
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# aaa mac-exempt match abc
The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID
0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
hostname(config)# aaa mac-exempt match acd
The following example bypasses authentication for a group of MAC addresses except for
00a0.c95d.0282. Enter the deny statement before the permit statement, because 00a0.c95d.0282 also
matches the permit statement, and if the permit statement comes first, the deny statement is never matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 1
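The first-match rule described in Step 1, as an added example that is not part of the guide or of any Cisco code: it parses mac-list and aaa mac-exempt match lines, evaluates a source MAC against the active list with the masked comparison the mask argument implies, and flags entries that an earlier, broader entry makes unreachable (the permit-before-deny mistake the text warns about). The configuration text is constructed for the example; it reuses the lists from the examples above and adds a list "2" with the order reversed.

```python
"""Evaluate mac-list entries the way the appliance does: first match wins, masked compare.

SAMPLE_CONFIG is constructed for this example; list "2" deliberately has the wrong order.
"""
import re

MAC_LIST_RE = re.compile(r"^mac-list\s+(\S+)\s+(permit|deny)\s+([0-9a-fA-F.:]+)\s+([0-9a-fA-F.:]+)$")
MAC_EXEMPT_RE = re.compile(r"^aaa\s+mac-exempt\s+match\s+(\S+)$")

SAMPLE_CONFIG = """
mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
mac-list 2 permit 00a0.c95d.0000 ffff.ffff.0000
mac-list 2 deny 00a0.c95d.0282 ffff.ffff.ffff
aaa mac-exempt match 1
"""


def mac_to_int(text):
    """Accept nnnn.nnnn.nnnn (or colon-separated) and return the 48-bit value."""
    digits = text.replace(".", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address or mask: {text!r}")
    return int(digits, 16)


def parse_config(config_text):
    """Return ({list_id: [(action, mac, mask), ...]}, active_list_id), preserving entry order."""
    lists, active = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MAC_LIST_RE.match(line)
        if m:
            list_id, action, mac, mask = m.groups()
            lists.setdefault(list_id, []).append((action, mac_to_int(mac), mac_to_int(mask)))
            continue
        m = MAC_EXEMPT_RE.match(line)
        if m:
            if active is not None:
                raise ValueError("only one aaa mac-exempt command is allowed")
            active = m.group(1)
    return lists, active


def is_exempt(entries, mac_text):
    """First entry whose masked address equals the masked source MAC decides; no match = not exempt."""
    mac = mac_to_int(mac_text)
    for action, entry_mac, mask in entries:
        if (mac & mask) == (entry_mac & mask):
            return action == "permit"
    return False


def shadowed_entries(entries):
    """Indexes of entries that can never match because an earlier, broader entry covers them."""
    result = []
    for i, (_, mac_i, mask_i) in enumerate(entries):
        for _, mac_j, mask_j in entries[:i]:
            # j covers i when j's mask bits are a subset of i's and both agree on those bits
            if (mask_j & mask_i) == mask_j and (mac_i & mask_j) == (mac_j & mask_j):
                result.append(i)
                break
    return result


def exempt_from_aaa(config_text, mac_text):
    """Does this source MAC bypass authentication and authorization under the active list?"""
    lists, active = parse_config(config_text)
    return active is not None and is_exempt(lists.get(active, []), mac_text)


if __name__ == "__main__":
    lists, active = parse_config(SAMPLE_CONFIG)
    for list_id, entries in lists.items():
        print(list_id, "shadowed entries:", shadowed_entries(entries))
    print("00a0.c95d.0282 exempt:", exempt_from_aaa(SAMPLE_CONFIG, "00a0.c95d.0282"))
```

Running shadowed_entries over a list before applying it catches the ordering error statically: in list "2" the exact deny is reported as unreachable, so 00a0.c95d.0282 would be exempted by the broader permit.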
Chapter 20
Applying Filtering Services
This chapter describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
This chapter contains the following sections:
• Filtering Overview, page 20-1
• Filtering ActiveX Objects, page 20-2
• Filtering Java Applets, page 20-3
• Filtering URLs and FTP Requests with an External Server, page 20-4
• Viewing Filtering Statistics and Configuration, page 20-9
Filtering Overview
This section describes how filtering can provide greater control over traffic passing through the security
appliance. Filtering can be used in two distinct ways:
• Filtering ActiveX objects or Java applets
• Filtering with an external filtering server
Instead of blocking access altogether, you can remove specific undesirable objects from HTTP traffic,
such as ActiveX objects or Java applets, that may pose a security threat in certain situations.
You can also use URL filtering to direct specific traffic to an external filtering server, such as a Secure
Computing SmartFilter (formerly N2H2) or Websense filtering server. Long URL, HTTPS, and FTP
filtering can be enabled with both Websense and Secure Computing SmartFilter.
Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy.
Note URL caching works only if the version of the URL server software from the URL server vendor
supports it.
Because URL filtering is CPU-intensive, using an external filtering server ensures that the throughput of
other traffic is not affected. However, depending on the speed of your network and the capacity of your
URL filtering server, the time required for the initial connection may be noticeably slower when filtering
traffic with an external filtering server.
Filtering ActiveX Objects
This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing
through the firewall. This section includes the following topics:
• ActiveX Filtering Overview, page 20-2
• Enabling ActiveX Filtering, page 20-2
ActiveX Filtering Overview
ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web
page or other application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.
The filter activex command blocks the HTML