Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
November 28, 2011
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76spasw.pdf
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
OL-5070-30
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
Copyright © 2011, Cisco Systems, Inc.
All rights reserved.
Contents
Preface xxix
Objectives xxix
Document Revision History xxix
Organization xlv
Related Documentation xlvii
Cisco 7600 Series Router Documentation xlvii
Other Cisco IOS Software Publications xlviii
Document Conventions xlviii
Obtaining Documentation, Obtaining Support, and Security Guidelines l
Using Cisco IOS Software 1-1
Accessing the CLI Using a Router Console 1-1
Accessing the CLI Using a Directly-Connected Console 1-1
Accessing the CLI from a Remote Console Using Telnet 1-3
Accessing the CLI from a Remote Console Using a Modem 1-5
Using Keyboard Shortcuts 1-6
Using the History Buffer to Recall Commands 1-6
Understanding Command Modes 1-6
Getting Help 1-8
Finding Command Options Example 1-8
Using the no and default Forms of Commands 1-11
Saving Configuration Changes 1-12
Filtering Output from the show and more Commands 1-12
Finding Support Information for Platforms and Cisco Software Images 1-13
Using Cisco Feature Navigator 1-13
Using Software Advisor 1-13
Using Software Release Notes 1-13
SIP, SSC, and SPA Product Overview 2-1
Introduction to SIPs, SSCs, and SPAs 2-1
SPA Interface Processors 2-1
SPA Services Cards 2-2
Shared Port Adapters 2-2
SIP, SSC, and SPA Compatibility 2-4
Modular Optics Compatibility 2-6
Overview of the SIPs and SSC 3-1
Release History 3-1
Supported SIP Features 3-5
Cisco 7600 SIP-200 Features 3-5
Cisco 7600 SIP-400 Features 3-11
Cisco 7600 SIP-600 Features 3-16
Supported SSC Features 3-19
Cisco 7600 SSC-400 Features 3-19
Restrictions 3-19
Cisco 7600 SIP-200 Restrictions 3-19
Cisco 7600 SIP-400 Restrictions 3-20
Cisco 7600 SIP-600 Restrictions 3-23
Cisco 7600 SSC-400 Restrictions 3-24
Supported MIBs 3-24
Displaying the SIP and SSC Hardware Type 3-26
Example of the show module Command 3-26
Example of the show idprom Command 3-26
SIP-200 and SIP-400 Network Clock Distribution 3-27
Configuring the SIPs and SSC 4-1
Configuration Tasks 4-1
Required Configuration Tasks 4-2
Identifying Slots and Subslots for SIPs, SSCs, and SPAs 4-2
Configuring Compressed Real-Time Protocol 4-5
Configuring Frame Relay Features 4-7
Frame Relay Fragmentation (FRF.12) 4-22
Configuring Layer 2 Interworking Features on a SIP 4-32
Verification 4-44
Configuring Private Hosts over Virtual Private LAN Service (VPLS) 4-54
Configuring BFD over VCCV on SIP-400 4-75
Configuring MPLS Features on a SIP 4-79
Configuring QoS Features on a SIP 4-94
Configuring NAT 4-129
Configuring Lawful Intercept on a Cisco 7600 SIP-400 4-129
Configuring Security ACLs on an Access Interface on a Cisco 7600 SIP-400 4-131
Configuring CoPP on the Cisco 7600 SIP-400 4-132
Configuring DBUS COS Queuing on SIP-400 4-138
Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400 4-142
Triple Nesting QoS Support on SIP400 4-147
Configuration and Restrictions 4-150
Configuration procedure 4-150
Configuration Samples 4-151
Configuring IGMP Snooping on a SIP-200 4-153
Configuring ACFC and PFC Support on Multilink Interfaces 4-154
Configuring PPPoEoE on a Cisco 7600 SIP-400 4-159
Configuring Source IPv4 and Source MAC Address Binding on the SIP-400 4-164
Resetting a SIP 4-170
Configuration Examples 4-170
Layer 2 Interworking Configuration Examples 4-170
MPLS Configuration Examples 4-172
QoS Configuration Examples 4-173
Private Hosts SVI (Interface VLAN) Configuration Example 4-178
Troubleshooting 4-179
Troubleshooting the SIPs and SSC 5-1
General Troubleshooting Information 5-1
Interpreting Console Error Messages 5-1
Using debug Commands 5-2
Using show Commands 5-2
Using the Cisco IOS Event Tracer to Troubleshoot Problems 5-2
Troubleshooting Oversubscription on the Cisco 7600 SIP-400 5-3
Preparing for Online Insertion and Removal of SIPs, SSCs, and SPAs 5-3
Preparing for Online Removal of a SIP or SSC 5-4
Verifying Deactivation and Activation of a SIP or SSC 5-5
Preparing for Online Removal of a SPA 5-6
Verifying Deactivation and Activation of a SPA 5-7
Deactivation and Activation Configuration Examples 5-8
Overview of the ATM SPAs 6-1
Release History 6-2
Overview 6-3
ATM Overview 6-4
PVC and SVC Encapsulations 6-4
PVC and SVC Service Classes 6-5
Advanced Quality of Service 6-6
Supported Features 6-7
SIP-Dependent Features 6-7
Basic Features 6-8
SONET/SDH Error, Alarm, and Performance Monitoring 6-9
Layer 2 Features 6-10
Layer 3 Features 6-11
High-Availability Features 6-12
Enhancements to RFC 1483 Spanning Tree Interoperability 6-12
Supported Supervisor Engines and Line Cards 6-13
Interoperability Problem 6-13
BPDU Packet Formats 6-13
Unsupported Features 6-15
Prerequisites 6-16
Restrictions 6-16
Restrictions for SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and SPA-1xOC12-ATM-V2 6-17
Supported MIBs 6-17
SPA Architecture 6-18
Path of Cells in the Ingress Direction 6-19
Path of Packets in the Egress Direction 6-19
Displaying the SPA Hardware Type 6-20
Example of the show interfaces Command 6-20
Example of the show diag Command 6-21
Example of the show controllers Command 6-21
Configuring the ATM SPAs 7-1
Configuration Tasks 7-1
Required Configuration Tasks 7-2
Specifying the Interface Address on a SPA 7-3
Modifying the Interface MTU Size 7-3
Creating a Permanent Virtual Circuit 7-8
Creating a PVC on a Point-to-Point Subinterface 7-10
Configuring a PVC on a Multipoint Subinterface 7-12
Configuring RFC 1483 Bridging for PVCs 7-14
Configuring Layer 2 Protocol Tunneling Topology 7-17
Configuring Layer 2 Tunneling Protocol Version 3 (L2TPv3) 7-17
Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling 7-18
Configuring ATM RFC 1483 Half-Bridging 7-20
Configuring ATM Routed Bridge Encapsulation 7-23
Configuring RFC 1483 Bridging of Routed Encapsulations 7-25
Configuring the Bridged Routed Encapsulation within an Automatic Protection Switching Group 7-28
Configuring MPLS over RBE 7-29
Configuring Aggregate WRED for PVCs 7-30
Configuring Non-aggregate WRED 7-36
Creating and Configuring Switched Virtual Circuits 7-42
Configuring Traffic Parameters for PVCs or SVCs 7-46
Configuring Virtual Circuit Classes 7-50
Configuring Virtual Circuit Bundles 7-51
Configuring Multi-VLAN to VC Support 7-54
Configuring Link Fragmentation and Interleaving with Virtual Templates 7-54
Configuring the Distributed Compressed Real-Time Protocol 7-58
Configuring Automatic Protection Switching 7-60
Configuring Access Circuit Redundancy on SIP-400 ATM SPAs 7-65
Configuring SONET and SDH Framing 7-76
Configuring for Transmit-Only Mode 7-78
Configuring AToM Cell Relay VP Mode 7-79
Configuring Packed Cell Relay over Multi-Protocol Label Switching (PCRoMPLS) on SIP-400 for CeOP and 1-Port OC-48c/STM-16 ATM SPA 7-80
Configuring AToM Cell Relay Port Mode 7-85
Configuring QoS Features on ATM SPAs 7-87
Phase 2 Local Switching Redundancy 7-87
Saving the Configuration 7-88
Multi Router Automatic Protection Switching (MR-APS) Integration with Hot Standby Pseudowire 7-89
Failover Operations 7-90
Restrictions 7-91
Verification 7-98
N:1 PVC Mapping to Pseudowires with Non-Unique VPI 7-101
Examples 7-104
Verification 7-105
Shutting Down and Restarting an Interface on a SPA 7-105
Shutting Down an ATM Shared Port Adapter 7-107
Verifying the Interface Configuration 7-108
Verifying Per-Port Interface Status 7-109
Monitoring Per-Port Interface Statistics 7-110
Configuration Examples 7-111
Basic Interface Configuration Example 7-112
MTU Configuration Example 7-112
Permanent Virtual Circuit Configuration Example 7-112
PVC on a Point-to-Point Subinterface Configuration Example 7-113
PVC on a Multipoint Subinterface Configuration Example 7-114
RFC 1483 Bridging for PVCs Configuration Example 7-115
RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Example 7-116
ATM RFC 1483 Half-Bridging Configuration Example 7-116
ATM Routed Bridge Encapsulation Configuration Example 7-116
Precedence-Based Aggregate WRED Configuration Example 7-116
DSCP-Based Aggregate WRED Configuration Example 7-118
Switched Virtual Circuits Configuration Example 7-118
Traffic Parameters for PVCs or SVCs Configuration Example 7-119
Virtual Circuit Classes Configuration Example 7-120
Virtual Circuit Bundles Configuration Example 7-120
Link Fragmentation and Interleaving with Virtual Templates Configuration Example 7-121
Distributed Compressed Real-Time Protocol Configuration Example 7-122
Automatic Protection Switching Configuration Example 7-123
SONET and SDH Framing Configuration Example 7-123
Layer 2 Protocol Tunneling Topology with a Cisco 7600, Catalyst 5500, and Catalyst 6500 Configuration Example 7-124
Layer 2 Protocol Tunneling Topology with a Cisco 7600 and Cisco 7200 Configuration Example 7-125
Cisco 7600 Basic Back-to-Back Scenario Configuration Example 7-126
Catalyst 5500 Switch and Cisco 7600 Series Routers in Back-to-Back Topology Configuration Example 7-126
Cisco 7600 and Cisco 7200 in Back-to-Back Topology Configuration Example 7-127
Troubleshooting the ATM SPAs 8-1
General Troubleshooting Information 8-1
Interpreting Console Error and System Messages 8-1
Using debug Commands 8-2
Using show Commands 8-2
Monitoring the ATM SPA 8-2
Displaying Hardware Information 8-2
Displaying Information About ATM Interfaces 8-5
Displaying Information About PVCs and SVCs 8-7
Displaying Information About Automatic Protection Switching 8-13
Troubleshooting the ATM Shared Port Adapter 8-15
Understanding Line Coding Errors 8-16
Using the Ping Command to Verify Network Connectivity 8-16
Using Loopback Commands 8-17
Using ATM Debug Commands 8-26
Using the Cisco IOS Event Tracer to Troubleshoot Problems 8-26
Preparing for Online Insertion and Removal of a SPA 8-27
Overview of the CEoP and Channelized ATM SPAs 9-1
Release History 9-1
Overview 9-2
CEoP Frame Formats 9-2
Circuit Emulation Services over Packet Switched Network (CESoPSN) over UDP 9-4
Restrictions and Usage Guidelines 9-5
Configuring CESoPSN with UDP Encapsulation 9-5
Troubleshooting the CESoPSN with UDP Encapsulation Configuration 9-8
Supported Features 9-9
Basic Features 9-9
SONET/SDH Error, Alarm, and Performance Monitoring 9-11
Layer 2 Features 9-13
Layer 3 Features 9-14
High Availability Features 9-15
Unsupported Features 9-15
Prerequisites 9-15
Restrictions 9-16
Supported MIBs 9-16
Displaying the SPA Hardware Type 9-17
Example of the show interfaces cem Command 9-17
Configuring the CEoP and Channelized ATM SPAs 10-1
Configuration Tasks 10-2
Specifying the Interface Address on a SPA 10-2
Configuring Port Usage (Overview) 10-2
Configuring Circuit Emulation 10-13
Configuring a CEM Group 10-14
Configuring a CEM Class (Optional) 10-15
Configuring a CEM Pseudowire 10-17
Configuring TDM Local Switching 10-18
Local Switching Redundancy 10-19
Configuring ATM 10-20
Configuring VC QoS on VP-PW CEoP SPAs 10-21
Configuring an ATM Pseudowire 10-22
Configuring Pseudowire Redundancy (Optional) 10-23
Configuring T1 10-24
Configuring E1 10-24
Configuring T3 10-25
T3 Configuration Guidelines 10-25
Configuring Port Usage 10-25
Configuring the SPA for Clear-Channel ATM 10-27
Configuring SONET (OC-3) 10-28
Configuring Inverse Multiplexing over ATM 10-29
IMA Configuration Guidelines 10-30
Configuring an IMA Link Bundle 10-33
Configuring IMA Group Parameters 10-34
Verifying the IMA Configuration 10-36
Configuring Clocking 10-37
BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400 10-37
Configuring Clock Recovery 10-40
Verifying Clock Recovery 10-41
Configuring Out-of-Band Clocking 10-42
Configuring CEM Parameters 10-50
Configuring Payload Size (Optional) 10-50
Setting the Dejitter Buffer Size 10-51
Setting the Idle Pattern (Optional) 10-51
Enabling Dummy Mode 10-51
Setting the Dummy Pattern 10-51
Shutting Down a CEM Channel 10-51
Configuring Access Circuit Redundancy on CEoP and ATM SPAs 10-51
Restrictions and Usage Guidelines 10-51
Configuring the ACR Group 10-52
Show Commands 10-56
Troubleshooting the ACR configuration 10-56
Configuring Layer 3 QoS on CEoP SPAs 10-57
Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode on CEoP SPAs 10-61
Configuring SONET Mode 10-62
Configuring SDH AU-4 Mode 10-62
Configuring SDH AU-3 Mode 10-63
Configuring T1 Mode 10-63
Configuring E1 Mode 10-63
Configuration Restrictions 10-64
MR-APS Integration with Hot Standby Pseudowire 10-64
Failover Operations 10-65
Restrictions 10-66
Configuring MR-APS Integration with Hot Standby Pseudowire 10-67
Verification 10-81
Troubleshooting Tips 10-82
Verifying the Interface Configuration 10-82
Overview of the Ethernet SPAs 11-1
Release History 11-1
Supported Ethernet SPA 11-2
2-Port Gigabit Synchronous Ethernet SPA 11-2
Supported Features 11-3
1588V2 Overview 11-4
Time of Day (TOD) 11-6
Precision Time Protocol (PTP) 11-8
Synchronous Ethernet 11-16
SSM and ESMC 11-18
Restrictions 11-19
Supported MIBs 11-20
SPA Architecture 11-21
Path of a Packet in the Ingress Direction 11-21
Path of a Packet in the Egress Direction 11-21
Displaying the SPA Hardware Type 11-22
Example of the show hw-module subslot transceiver Command 11-22
Example of the show interfaces Command 11-22
Configuring the Fast Ethernet and Gigabit Ethernet SPAs 12-1
Configuration Tasks 12-1
Required Configuration Tasks 12-2
Specifying the Interface Address on a SPA 12-4
Modifying the MAC Address on the Interface 12-5
Configuring HSRP 12-6
Customizing VRRP 12-6
Modifying the Interface MTU Size 12-9
Configuring the Encapsulation Type 12-11
Configuring Autonegotiation on an Interface 12-11
Configuring an Ethernet VLAN 12-13
Configuring a Subinterface on a VLAN 12-13
Configuring Layer 2 Switching Features 12-15
Configuring Flow Control Support on the Link 12-21
Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Mode 12-23
Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Neg Mode 12-24
Configuring 2-Port Gigabit Synchronous Ethernet SPA in Multicast Mode 12-25
Configuring ToD on 1588V2 Master 12-26
Configuring ToD on 1588V2 Slave 12-27
Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400 12-29
Configuring Network Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400 12-29
Configuring EtherChannels 12-46
Configuring Virtual Private LAN Service (VPLS) and Hierarchical VPLS 12-46
Configuring Connectivity Fault Management (CFM) 12-46
Configuring Maintenance Domains and Maintenance Points 12-49
Configuring CFM in the EVC 12-51
Sample Configuration 12-53
Verifying Ethernet CFM Configuration 12-55
Debugging the Ethernet CFM Configuration 12-56
Configuring Ethernet Operations, Administration, and Maintenance 12-60
Configuring IP Subscriber Awareness over Ethernet 12-78
Configuring a Backup Interface for Flexible UNI 12-79
Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA 12-85
Troubleshooting 12-92
Configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA 12-93
Configuring QoS on Ethernet SPAs 12-99
Saving the Configuration 12-103
Shutting Down and Restarting an Interface on a SPA 12-103
Verifying the Interface Configuration 12-104
Configuration Examples 12-105
Basic Interface Configuration Example 12-105
MAC Address Configuration Example 12-105
MAC Address Accounting Configuration Example 12-106
HSRP Configuration Example 12-106
MTU Configuration Example 12-108
VLAN Configuration Example 12-108
AToM over GRE Configuration Example 12-109
mVPNoGRE Configuration Examples 12-110
EoMPLS Configuration Example 12-111
Backup Interface for Flexible UNI Configuration Example 12-111
Changing the Speed of a Fast Ethernet SPA Configuration Example 12-114
Ethernet OAM Configuration Example 12-116
Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs 13-1
General Troubleshooting Information 13-1
Using debug Commands 13-1
Using show Commands 13-2
Performing Basic Interface Troubleshooting 13-2
Verifying the Interface Is Up 13-5
Verifying the Line Protocol Is Up 13-6
Verifying Output Hang Status 13-6
Verifying the CRC Counter 13-6
Verifying Late Collisions 13-6
Verifying the Carrier Signal 13-7
Understanding SPA Automatic Recovery 13-7
When Automatic Recovery Occurs 13-7
If Automatic Recovery Fails 13-7
Configuring the Interface for Internal and External Loopback 13-8
Configuring the Interface for Internal Loopback 13-8
Configuring the Interface for External Loopback 13-8
Verifying Loopback Status 13-8
Using the Cisco IOS Event Tracer to Troubleshoot Problems 13-9
Preparing for Online Insertion and Removal of a SPA 13-10
Overview of the POS SPAs 14-1
Release History 14-1
POS Technology Overview 14-2
Supported Features 14-2
SONET/SDH Compliance Features 14-3
SONET/SDH Error, Alarm, and Performance Monitoring Features 14-3
SONET/SDH Synchronization Features 14-4
WAN Protocol Features 14-4
Network Management Features 14-5
Restrictions 14-5
Supported MIBs 14-6
SPA Architecture 14-7
4-Port OC-3c/STM-1 POS SPA Architecture 14-7
1-Port OC-192c/STM-64 POS/RPR XFP SPA Architecture 14-8
2-Port OC-48c/STM-16 POS SPA Architecture 14-9
Displaying the SPA Hardware Type 14-10
Example of the show idprom Command 14-11
Example of the show interfaces Command 14-12
Example of the show controllers Command 14-12
Configuring the POS SPAs 15-1
Configuration Tasks 15-1
Specifying the Interface Address on a SPA 15-2
Modifying the Interface MTU Size 15-2
Modifying the POS Framing 15-3
Modifying the Keepalive Interval 15-5
Modifying the CRC Size 15-6
Modifying the Clock Source 15-6
Modifying SONET Payload Scrambling 15-8
Configuring the Encapsulation Type 15-8
Configuring APS 15-9
Configuring POS Alarm Trigger Delays 15-10
Configuring SDCC 15-13
Saving the Configuration 15-14
Shutting Down and Restarting an Interface on a SPA 15-15
Verifying the Interface Configuration 15-15
Verifying Per-Port Interface Status 15-15
Monitoring Per-Port Interface Statistics 15-16
Configuration Examples 15-16
Basic Interface Configuration Example 15-17
MTU Configuration Example 15-17
POS Framing Configuration Example 15-18
Keepalive Configuration Example 15-18
CRC Configuration Example 15-18
Clock Source Configuration Example 15-19
SONET Payload Scrambling Configuration Example 15-19
Encapsulation Configuration Example 15-19
APS Configuration Example 15-19
POS Alarm Trigger Delays Configuration Example 15-21
SDCC Configuration Example 15-21
Overview of the Serial SPAs 16-1
Release History 16-1
Supported Features 16-2
Restrictions 16-2
SPA Features 16-3
Supported MIBs 16-6
Displaying the SPA Hardware Type 16-8
Virtual Tributary Alarms 16-8
Examples of the show interface Command 16-9
Examples of the show controllers Command 16-10
Configuring the 8-Port Channelized T1/E1 SPA 17-1
Configuration Tasks 17-1
Required Configuration Tasks 17-1
Specifying the Interface Address on a SPA 17-6
Optional Configurations 17-6
Saving the Configuration 17-20
Verifying the Interface Configuration 17-20
Verifying Per-Port Interface Status 17-21
Configuration Examples 17-21
Framing and Encapsulation Configuration Example 17-21
CRC Configuration Example 17-22
Facility Data Link Configuration Example 17-22
MLPPP Configuration Example 17-23
MFR Configuration Example 17-23
Invert Data on the T1/E1 Interface Example 17-24
Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs 18-1
Configuration Tasks 18-1
Required Configuration Tasks 18-2
Specifying the Interface Address on a SPA 18-5
Optional Configurations 18-5
Verifying the Interface Configuration 18-17
Verifying Per-Port Interface Status 18-18
Monitoring Per-Port Interface Statistics 18-18
Configuration Examples 18-19
DSU Configuration Example 18-19
MDL Configuration Example 18-20
Scrambling Configuration Example 18-20
Framing Configuration Example 18-20
Encapsulation Configuration Example 18-21
Cable Length Configuration Example 18-21
Invert Data Configuration Example 18-21
Trace Trail Buffer Configuration Example 18-21
Configuring the 2-Port and 4-Port Channelized T3 SPAs 19-1
Configuration Tasks 19-1
Required Configuration Tasks 19-2
Specifying the Interface Address on a SPA 19-7
Optional Configurations 19-8
Saving the Configuration 19-25
Verifying the Interface Configuration 19-25
Verifying Per-Port Interface Status 19-26
Configuration Examples 19-28
DSU Configuration Example 19-28
MDL Configuration Example 19-28
Encapsulation Configuration Example 19-29
Framing—Unchannelized Mode Configuration Example 19-29
Facility Data Link Configuration Example 19-29
Scrambling Configuration Example 19-29
Creating a Multilink Bundle Configuration Example 19-30
Assigning a T1 Interface to a Multilink Bundle Configuration Example 19-30
Configuring 1-Port ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs 20-1
Configuration Tasks 20-1
Required Configuration Tasks 20-2
Selection of Physical Port and Controller Configuration 20-2
Optional Configurations 20-15
Saving the Configuration 20-26
Verifying the Interface Configuration 20-26
Verifying Per-Port Interface Status 20-26
Configuration Tasks 20-27
Configuring CRTP 20-27
Stateful MLPPP MR-APS 20-27
MR-APS Deployment 20-28
Inter Chassis Redundancy Manager 20-28
Automatic Protection Switching 20-29
Failure Protection Scenarios 20-29
Restrictions for Stateful MLPPP with MR-APS Inter-Chassis Redundancy 20-33
Configuring Stateful MLPPP with MR-APS Inter-Chassis Redundancy 20-33
Removing Stateful MLPPP with MR-APS Inter-Chassis Redundancy 20-53
Verification 20-56
Troubleshooting Tips 20-59
Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA 21-1
Modes and Sub-modes Supported on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA 21-1
Interface Naming 21-2
LED States 21-2
Restrictions for Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA 21-3
Configuring Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA 21-3
Configuring Interfaces Using SONET Framing 21-3
Configuring Interfaces with SDH Framing 21-7
Configuring BER Testing 21-17
Sending a BERT Pattern on a DS3/E3 Interface 21-18
Inserting Errors in BERT 21-18
Displaying a BERT 21-18
Terminating a BERT 21-20
Verification 21-20
Configuring the 4-Port Serial Interface SPA 22-1
Configuration Tasks 22-1
Configuring the 4-Port Serial Interface SPA 22-1
Specifying the Interface Address on a SPA 22-2
Verifying the Configuration 22-3
Optional Configurations 22-9
Saving the Configuration 22-22
Verifying the Interface Configuration 22-22
Verifying Per-Port Interface Status 22-22
Configuration Examples 22-23
Inverting the Clock Signal Configuration Example 22-23
NRZI Format Configuration Example 22-23
Cyclic Redundancy Checks Configuration Example 22-24
Encapsulation Configuration Example 22-24
Distributed Multilink PPP Configuration Example 22-24
MLFR Configuration Example 22-24
Bridging Control Protocol Support Configuration Example 22-24
BCP on MLPPP Configuration Example 22-25
Troubleshooting the Serial SPAs 23-1
General Troubleshooting Information 23-1
Interpreting Console Error Messages 23-1
Using debug Commands 23-2
Using show Commands 23-2
Performing Basic Interface Troubleshooting 23-2
Serial Lines: show interfaces serial Status Line Conditions 23-3
Serial Lines: Increasing Output Drops on Serial Link 23-7
Serial Lines: Increasing Input Drops on Serial Link 23-8
Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic 23-9
Serial Lines: Troubleshooting Serial Line Input Errors 23-9
Serial Lines: Increasing Interface Resets on Serial Link 23-12
Serial Lines: Increasing Carrier Transitions Count on Serial Link 23-13
Using Bit Error Rate Tests 23-14
Configuring a BER Test 23-15
Viewing a BER Test 23-15
Interpreting BER Test Results 23-15
Using loopback Commands 23-16
Using the Cisco IOS Event Tracer to Troubleshoot Problems 23-18
Preparing for Online Insertion and Removal of a SPA 23-18
Overview of the IPSec VPN SPA 24-1
Release History 24-1
Overview of the IPSec VPN SPAs 24-4
Overview of Basic IPSec and IKE Configuration Concepts 24-5
Information About IPSec Configuration 24-5
Information About IKE Configuration 24-6
Configuring VPNs with the IPSec VPN SPAs 24-7
Crypto-Connect Mode 24-7
VRF Mode 24-8
IPSec Feature Support 24-8
IPSec Features Common To All VPN Modes 24-9
IPSec Features in Crypto-Connect Mode 24-17
IPSec Features in VRF Mode 24-18
Interoperability for SPA-IPSEC-2G IPSEC VPN SPA 24-20
Restrictions 24-23
Supported MIBs 24-24
IPSec VPN SPA Hardware Configuration Guidelines 24-25
Displaying the SPA Hardware Type 24-25
Example of the show module Command 24-26
Example of the show crypto eli Command 24-26
Configuring VPNs in Crypto-Connect Mode 25-1
Configuring Ports in Crypto-Connect Mode 25-2
Understanding Port Types in Crypto-Connect Mode 25-2
Crypto-Connect Mode Configuration Guidelines and Restrictions 25-5
Configuring the IPSec VPN SPA Inside Port and Outside Port 25-7
Configuring an Access Port 25-8
Configuring a Routed Port 25-11
Configuring a Trunk Port 25-15
Configuring IPSec VPN SPA Connections to WAN Interfaces 25-20
Displaying the VPN Running State 25-21
Configuring GRE Tunneling in Crypto-Connect Mode 25-21
Understanding GRE Tunneling in Crypto-Connect Mode 25-21
Configuring the GRE Takeover Criteria 25-23
Configuring IP Multicast over a GRE Tunnel 25-26
Configuration Examples 25-28
Access Port in Crypto-Connect Mode Configuration Example 25-29
Routed Port in Crypto-Connect Mode Configuration Example 25-31
Trunk Port in Crypto-Connect Mode Configuration Example 25-34
IPSec VPN SPA Connections to WAN Interfaces Configuration Examples 25-36
GRE Tunneling in Crypto-Connect Mode Configuration Example 25-40
GRE Takeover Criteria Configuration Examples 25-42
IP Multicast over a GRE Tunnel Configuration Example 25-43
Configuring VPNs in VRF Mode 26-1
Configuring VPNs in VRF Mode 26-1
Understanding VPN Configuration in VRF Mode 26-3
VRF Mode Configuration Guidelines and Restrictions 26-4
Configuring VPNs in VRF Mode without Tunnel Protection 26-6
Configuring VPNs in VRF Mode with Tunnel Protection (GRE) 26-11
Configuring an IPSec Virtual Tunnel Interface 26-16
IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions 26-16
Configuring an IPSec Static Tunnel 26-17
Verifying the IPSec Virtual Tunnel Interface Configuration 26-20
Configuring VTI in the Global Context 26-21
Configuration Examples 26-21
VRF Mode Basic Configuration Example 26-22
VRF Mode Remote Access Using Easy VPN Configuration Example 26-25
VRF Mode PE Configuration Example 26-27
VRF Mode CE Configuration Example 26-30
VRF Mode Tunnel Protection Configuration Example 26-32
IP Multicast in VRF Mode Configuration Example 26-33
IPSec Virtual Tunnel Interfaces Configuration Examples 26-35
Configuring IPSec VPN Fragmentation and MTU 27-1
Understanding IPSec VPN Fragmentation and MTU 27-1
Overview of Fragmentation and MTU 27-1
IPSec Prefragmentation 27-3
Fragmentation in Different Modes 27-3
Configuring IPSec Prefragmentation 27-9
IPSec Prefragmentation Configuration Guidelines 27-9
Configuring IPSec Prefragmentation Globally 27-10
Configuring IPSec Prefragmentation at the Interface 27-11
Verifying the IPSec Prefragmentation Configuration 27-11
Configuring MTU Settings 27-12
MTU Settings Configuration Guidelines and Restrictions 27-12
Changing the Physical Egress Interface MTU 27-13
Changing the Tunnel Interface MTU 27-13
Changing the Interface VLAN MTU 27-13
Verifying the MTU Size 27-13
Configuring IKE Features Using the IPSec VPN SPA 28-1
Overview of IKE 28-2
Configuring Advanced Encryption Standard in an IKE Policy Map 28-2
Verifying the AES IKE Policy 28-3
Configuring ISAKMP Keyrings 28-4
ISAKMP Keyrings Configuration Guidelines and Restrictions 28-4
Limiting an ISAKMP Profile to a Local Termination Address or Interface 28-4
Limiting a Keyring to a Local Termination Address or Interface 28-5
Configuring Certificate to ISAKMP Profile Mapping 28-6
Certificate to ISAKMP Profile Mapping Configuration Guidelines and Restrictions 28-6
Mapping the Certificate to the ISAKMP Profile 28-6
Verifying the Certificate to ISAKMP Profile Mapping Configuration 28-6
Assigning the Group Name to the Peer 28-12
Verifying the Group Name to Peer Assignation Configuration 28-12
Configuring an Encrypted Preshared Key 28-13
Encrypted Preshared Key Configuration Guidelines and Restrictions 28-13
Configuring an Encrypted Preshared Key 28-14
Verifying the Encrypted Preshared Key Configuration 28-14
Configuring Call Admission Control for IKE 28-15
Configuring the IKE Security Association Limit 28-16
Configuring a System Resource Limit 28-16
Clearing Call Admission Statistics 28-16
Verifying the Call Admission Control for IKE Configuration 28-17
Configuring Dead Peer Detection 28-17
DPD Configuration Guidelines and Restrictions 28-18
Configuring a Dead Peer Detection Message 28-19
Verifying the DPD Configuration 28-19
Understanding IPSec NAT Transparency 28-19
IPSec NAT Transparency Configuration Guidelines and Restrictions 28-20
Configuring NAT Transparency 28-20
Disabling NAT Transparency 28-20
Configuring NAT Keepalives 28-20
Verifying the NAT Configuration 28-21
Configuration Examples 28-22
Advanced Encryption Standard Configuration Example 28-22
ISAKMP Keyrings Configuration Examples 28-22
Certificate to ISAKMP Profile Mapping Configuration Examples 28-23
Encrypted Preshared Key Configuration Example 28-23
Call Admission Control for IKE Configuration Examples 28-24
Dead Peer Detection Configuration Examples 28-24
ISAKMP NAT Keepalive Configuration Example 28-24
Configuring Enhanced IPSec Features Using the IPSec VPN SPA 29-1
Overview of Enhanced IPSec Features 29-2
Configuring Advanced Encryption Standard in a Transform Set 29-2
Verifying the AES Transform Set 29-2
Configuring Reverse Route Injection 29-3
RRI Configuration Guidelines and Restrictions 29-3
Configuring RRI Under a Static Crypto Map 29-4
Configuring RRI Under a Dynamic Crypto Map 29-5
Configuring the IPSec Anti-Replay Window Size 29-6
Expanding the IPSec Anti-Replay Window Size Globally 29-6
Expanding the IPSec Anti-Replay Window at the Crypto Map Level 29-7
Verifying the IPSec Anti-Replay Window Size Configuration at the Crypto Map Level 29-7
Disabling the IPSec Anti-Replay Checking 29-8
Configuring an IPSec Preferred Peer 29-8
IPSec Preferred Peer Configuration Guidelines and Restrictions 29-9
Configuring a Default Peer 29-10
Configuring the IPSec Idle Timer with a Default Peer 29-11
Configuring IPSec Security Association Idle Timers 29-12
IPSec Security Association Idle Timer Configuration Guidelines 29-12
Configuring the IPSec SA Idle Timer Globally 29-12
Configuring the IPSec SA Idle Timer per Crypto Map 29-13
Configuring Distinguished Name-Based Crypto Maps 29-13
Distinguished Name-Based Crypto Map Configuration Guidelines and Restrictions 29-14
Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA 29-15
QoS Configuration Guidelines and Restrictions 29-16
Configuring QoS on the WS-IPSEC-3 IPSEC VSPA 29-17
Using the Module QoS Features of the WS-IPSEC-3 IPSEC VSPA 29-18
Using the Carrier QoS Features of the SSC-600 29-22
QoS Configuration Examples 29-24
Configuring Sequenced Crypto ACLs 29-33
Configuring Deny Policy Enhancements for Crypto ACLs 29-33
Deny Policy Enhancements for Crypto ACLs Configuration Guidelines and Restrictions 29-33
Configuration Examples 29-34
Advanced Encryption Standard Configuration Example 29-34
Reverse Route Injection Configuration Examples 29-34
IPSec Anti-Replay Window Size Configuration Examples 29-36
IPSec Preferred Peer Configuration Examples 29-38
IPSec Security Association Idle Timer Configuration Examples 29-38
Distinguished Name-Based Crypto Maps Configuration Example 29-39
QoS Configuration Example 29-40
Deny Policy Enhancements for ACLs Configuration Example 29-40
Configuring PKI Using the IPSec VPN SPA 30-1
Overview of PKI 30-2
Configuring Multiple RSA Key Pairs 30-3
Multiple RSA Key Pairs Configuration Guidelines and Restrictions 30-3
Removing RSA Key Pair Settings 30-4
Verifying RSA Key Information 30-4
Configuring Protected Private Key Storage 30-5
Protected Private Key Storage Configuration Guidelines and Restrictions 30-6
Configuring Private Keys 30-6
Verifying the Protected and Locked Private Keys 30-8
Configuring a Trustpoint CA 30-8
Trustpoint CA Configuration Guidelines and Restrictions 30-9
Verifying a Trustpoint CA 30-10
Configuring Query Mode Definition Per Trustpoint 30-11
Query Mode Definition Per Trustpoint Configuration Guidelines and Restrictions 30-12
Verifying Query Mode Definition Per Trustpoint CA 30-13
Configuring a Local Certificate Storage Location 30-14
Local Certificate Storage Location Configuration Guidelines and Restrictions 30-14
Specifying a Local Storage Location for Certificates 30-15
Verifying the Local Certificate Storage Location Configuration 30-15
Configuring Direct HTTP Enroll with CA Servers (Reenroll Using Existing Certificates) 30-16
Direct HTTP Enroll with CA Servers Configuration Guidelines and Restrictions 30-16
Configuring an Enrollment Profile for a Client Router 30-17
Configuring an Enrollment Profile for a Client Router Enrolled with a Third-Party Vendor CA 30-18
Configuring the CA to Accept Enrollment Requests from Clients of a Third-Party Vendor CA 30-20
Configuring Manual Certificate Enrollment (TFTP and Cut-and-Paste) 30-22
Manual Certificate Enrollment (TFTP and Cut-and-Paste) Configuration Guidelines and
Restrictions 30-22
Configuring Manual Enrollment Using TFTP 30-22
Configuring Certificate Enrollment Using Cut-and-Paste 30-24
Verifying the Manual Certificate Enrollment Configuration 30-24
Configuring Certificate Autoenrollment 30-26
Preloading Root CAs 30-28
Verifying CA Information 30-29
Configuring Key Rollover for Certificate Renewal 30-30
Key Rollover for Certificate Renewal Configuration Guidelines and Restrictions 30-30
Configuring Automatic Certificate Enrollment with Key Rollover 30-31
Configuring Manual Certificate Enrollment with Key Rollover 30-33
Configuring PKI: Query Multiple Servers During Certificate Revocation Check 30-36
Configuring the Online Certificate Status Protocol 30-37
OCSP Configuration Guidelines and Restrictions 30-37
Verifying the OCSP Configuration 30-38
Configuring Optional OCSP Nonces 30-41
Disabling OCSP Nonces 30-41
Configuring Certificate Security Attribute-Based Access Control 30-41
Certificate Security Attribute-Based Access Control Configuration Guidelines and
Restrictions 30-42
Verifying Certificate-Based ACLs 30-44
Configuring PKI AAA Authorization Using the Entire Subject Name 30-45
PKI AAA Authorization Using the Entire Subject Name Configuration Guidelines and
Restrictions 30-45
Configuring Source Interface Selection for Outgoing Traffic with Certificate Authority 30-47
Configuring Persistent Self-Signed Certificates 30-48
Persistent Self-Signed Certificates Configuration Guidelines and Restrictions 30-49
Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters 30-50
Enabling the HTTPS Server 30-51
Verifying the Persistent Self-Signed Certificate Configuration 30-51
Configuring Certificate Chain Verification 30-52
Certificate Chain Verification Configuration Guidelines and Restrictions 30-52
Configuration Examples 30-53
Multiple RSA Key Pairs Configuration Example 30-53
Protected Private Key Storage Configuration Examples 30-54
Trustpoint CA Configuration Example 30-54
Query Mode Definition Per Trustpoint Configuration Example 30-54
Local Certificate Storage Location Configuration Example 30-55
Direct HTTP Enrollment with CA Servers Configuration Examples 30-55
Manual Certificate Enrollment Configuration Examples 30-56
Certificate Autoenrollment Configuration Example 30-59
Key Rollover for Certificate Renewal Configuration Examples 30-60
PKI: Query Multiple Servers During Certificate Revocation Check (CDP Override) Configuration
Example 30-61
Online Certificate Status Protocol Configuration Examples 30-61
Optional OCSP Nonces Configuration Example 30-62
Certificate Security Attribute-Based Access Control Configuration Example 30-62
PKI AAA Authorization Using the Entire Subject Name Configuration Example 30-63
Source Interface Selection for Outgoing Traffic with Certificate Authority Configuration
Example 30-63
Persistent Self-Signed Certificates Configuration Examples 30-64
Certificate Chain Verification Configuration Examples 30-65
Configuring Advanced VPNs Using the IPSec VPN SPA 31-1
Overview of Advanced VPNs 31-2
Configuring DMVPN 31-2
DMVPN Configuration Guidelines and Restrictions 31-2
DMVPN Prerequisites 31-3
Configuring an IPSec Profile 31-4
Configuring the Hub for DMVPN in VRF Mode 31-5
Configuring the Hub for DMVPN in Crypto-Connect Mode 31-7
Configuring the Spoke for DMVPN in VRF Mode 31-8
Configuring the Spoke for DMVPN in Crypto-Connect Mode 31-10
Verifying the DMVPN Configuration 31-12
Configuring the Easy VPN Server 31-15
Easy VPN Server Configuration Guidelines and Restrictions 31-15
Configuring the Easy VPN Remote 31-16
Easy VPN Remote Configuration Guidelines 31-16
Configuring Easy VPN Remote RSA Signature Storage 31-16
Easy VPN Remote RSA Signature Support Configuration Guidelines and Restrictions 31-17
Configuring Easy VPN Remote RSA Signature Support 31-17
Configuration Examples 31-17
DMVPN Configuration Examples 31-18
Easy VPN Server (Router Side) Configuration Example 31-22
Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA 32-1
Overview of Duplicate Hardware Configurations and IPSec Failover 32-2
Configuring Multiple IPSec VPN SPAs in a Chassis 32-2
Understanding Stateless Failover Using HSRP 32-3
Understanding Stateful Failover Using HSRP and SSP 32-3
Configuring IPSec Failover 32-4
Configuring IPSec Stateless Failover Using HSRP with Crypto-Connect Mode 32-5
Configuring IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode 32-11
Configuring IPSec Stateless and Stateful Failover with VRF Mode 32-18
Verifying HSRP Configurations 32-18
Displaying SSP Information 32-21
Configuring Intrachassis IPSec Stateful Failover Using a Blade Failure Group 32-22
IPSec Stateful Failover Using a BFG Configuration Guidelines and Restrictions 32-22
Configuring a BFG for IPSec Stateful Failover 32-23
Verifying the IPSec Stateful Failover Using a BFG Configuration 32-23
Configuration Examples 32-24
Multiple IPSec VPN SPAs in a Chassis Configuration Example 32-24
IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples 32-27
IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration
Example 32-29
IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example 32-33
IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example 32-34
IPSec Stateful Failover Using a Blade Failure Group Configuration Example 32-38
Configuring Monitoring and Accounting for the IPSec VPN SPA 33-1
Overview of Monitoring and Accounting for the IPSec VPN SPA 33-2
Monitoring and Managing IPSec VPN Sessions 33-2
Adding the Description of an IKE Peer 33-2
Verifying Peer Descriptions 33-3
Getting a Summary Listing of Crypto Session Status 33-3
Syslog Notification for Crypto Session Up or Down Status 33-4
Clearing a Crypto Session 33-4
Configuring IPSec VPN Accounting 33-5
Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec 33-9
MIBs Supported by the IPSec and IKE MIB Support for Cisco VRF-Aware IPSec Feature 33-9
Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec 33-9
Configuration Examples 33-10
IPSec VPN Accounting Configuration Example 33-10
IPSec VPN Monitoring Configuration Example 33-11
Troubleshooting the IPSec VPN SPA 34-1
General Troubleshooting Information 34-1
Interpreting Console Error Messages 34-2
Using debug Commands 34-2
Using show Commands 34-2
Monitoring the IPSec VPN SPA 34-3
Displaying IPSec VPN SPA Hardware and System Information 34-3
Displaying IPSec VPN SPA Configuration Information 34-6
Troubleshooting Specific Problems on the IPSec VPN SPA 34-24
Clearing IPsec Security Associations 34-24
Troubleshooting Trunk Port Configurations 34-24
Troubleshooting IPsec Stateful Failover (VPN High Availability) 34-25
Troubleshooting a Blade Failure Group 34-27
Troubleshooting IKE Policy and Transform Sets 34-27
Using Crypto Conditional Debug 34-27
Crypto Conditional Debug Configuration Guidelines and Restrictions 34-29
Enabling Crypto Conditional Debug Filtering 34-29
Disabling Crypto Conditional Debugging 34-29
Enabling Crypto Error Debug Messages 34-30
Preparing for Online Insertion and Removal of a SPA 34-30
Upgrading Field-Programmable Devices 35-1
Release History 35-1
FPD Quick Upgrade 35-2
FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended) 35-2
FPD Quick Upgrade After Upgrading your Cisco IOS Release 35-2
Overview of FPD Images and Packages 35-3
Upgrading FPD Images 35-3
Migrating to a Newer Cisco IOS Release 35-3
Upgrading FPD Images in a Production System 35-5
Upgrading FPD Images Using Fast Software Upgrade 35-6
Optional FPD Procedures 35-6
FPD Image Upgrade Examples 35-13
Troubleshooting Problems with FPD Image Upgrades 35-16
Power Failure or Removal of a SIP or SPA During an FPD Image Upgrade 35-16
Index
Preface
This preface describes the objectives and organization of this document and explains how to find
additional information on related products and services. This preface contains the following sections:
• Objectives
• Document Revision History
• Organization
• Related Documentation
• Document Conventions
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Objectives
This document describes the configuration and troubleshooting of SPA interface processors (SIPs), SPA
services cards (SSCs), and shared port adapters (SPAs) that are supported on a Cisco 7600 series router.
Document Revision History
The Document Revision History records technical changes to this document. The table shows the Cisco
IOS software release number and document revision number for the change, the date of the change, and
a brief summary of the change.
Release No. Revision Date Change Summary
15.2(1)S OL-5070-30 November 2011 Added support for the following features:
• Frame Relay Fragmentation (FRF.12),
page 4-22 in Chapter 4, “Configuring the
SIPs and SSC”.
• Added Chapter 21, “Cisco 1-Port
Channelized OC-48/DS3 STM-16 SPA.”
• N:1 PVC Mapping to Pseudowires with
Non-Unique VPI, page 7-101 in Chapter 7,
“Configuring the ATM SPAs”
• Multi Router Automatic Protection Switching
(MR-APS) Integration with Hot Standby
Pseudowire, page 7-89 in Chapter 7,
“Configuring the ATM SPAs.”
• Updated Configuring Multipoint Bridging,
page 4-36 in Chapter 4, “Configuring the
SIPs and SSC”.
15.1(3) S1 OL-5070-29 October 2011 • Updated Chapter 24, “Overview of the IPSec
VPN SPA” with support information for
WS-IPSEC-3 SPA and also Chapter 29,
“Configuring Enhanced IPSec Features Using
the IPSec VPN SPA”.
• Updated the configuration steps in Chapter 4,
“Configuring IPv6 Hop-by-Hop Header
Security on SIP-200 or SIP-400.”
12.2(33) SRE5 OL-5070-28 September 2011 Updated Cisco 7600 SIP 200 configuration
restrictions in Chapter 16, “Overview of the Serial
SPAs”.
15.1(2) S2 OL-5070-27 August 2011 Updated Cisco 7600 SIP 200 configuration
restrictions in Chapter 16, “Overview of the Serial
SPAs”.
15.1(3)S OL-5070-26 July 2011 Added support for the following features:
• L2TPv3 configuration in Chapter 7,
“Configuring the ATM SPAs”.
• Stateful MLPPP MR-APS feature in
Chapter 20, “Configuring 1-Port
ChOC-3/STM-1 and ChOC-12 / STM-4
SPAs,”.
15.0(1)S3a OL-5070-25 April 2011 Support added to disable Network Processor
crashinfo for all the Network Processor exceptions
in Chapter 3, “Overview of the SIPs and SSC.”
15.1(2)S OL-5070-24 March 2011 Added support for the following features:
• Circuit Emulation Service over UDP in
Chapter 9, “Overview of the CEoP and
Channelized ATM SPAs”
• L3 QoS on CEoP SPAs in Chapter 10,
“Configuring the CEoP and Channelized
ATM SPAs”
15.1(1)S1 OL-5070-23 February 2011 • Extended support for the limitation to avoid
console flooding in Chapter 5,
“Troubleshooting the SIPs and SSC”
• Added new CLI options for configuring
hardware timer to bring up controller in
SONET/SDH Error, Alarm, and Performance
Monitoring section in the Chapter 9,
“Overview of the CEoP and Channelized
ATM SPAs.”
12.2 (33) SRE3 OL-5070-22 January 2011 • Added new CLI options for configuring
hardware timer to bring up controller in
SONET/SDH Error, Alarm, and Performance
Monitoring section in the Chapter 9,
“Overview of the CEoP and Channelized
ATM SPAs.”
• Support added to disable Network Processor
crashinfo for all the Network Processor
exceptions in Chapter 3, “Overview of the
SIPs and SSC.”
12.2 (33) SRD6 OL-5070-21 December 2010 Extended support for the limitation to avoid
console flooding in Chapter 5, “Troubleshooting
the SIPs and SSC”
15.0(1) S2 OL-5070-20 December 2010 Added limitation to avoid console flooding in
Chapter 5, “Troubleshooting the SIPs and SSC”
15.1(1)S OL-5070-19 November 2010 • Added adaptive clock recovery support for
2XT3E3 CE/ATM SPA in Configuring
Clocking, page 37.
• Updated Chapter 3, Overview of the SIPs and
SSC. Added support for the HSPW feature.
• Updated Chapter 10, Configuring the CEoP
and Channelized ATM SPAs to include the
IMA Scalability, configuring access circuit
redundancy on CEoP and ATM SPAs, and E3
and Channelization support for
SPA-2CHT3-CE-ATM feature.
• Updated Chapter 11, Overview of the
Ethernet SPAs with 1588-V2 feature
enhancements.
• Updated Chapter 14, Overview of the POS
SPAs and Chapter 16, Overview of the SIPs
and SSC with SSM support on
SPA-1XCHOC12/DS0 and
SPA-1XOC48POS/RPR feature
• Updated Chapter 20, Configuring 1-Port
ChOC-3/STM-1 and ChOC-12 / STM-4 SPAs
with SDH support for
SPA-1XCHSTM4/OC12 feature.
12.2(33)SRD5 OL-5070-18 October 2010 Added troubleshooting information for:
• Layer 2 features in Chapter 12, “Configuring
the Fast Ethernet and Gigabit Ethernet SPAs”.
• MPLS VPN
15.0(1) S OL-5070-17 July 2010 Added support for:
• ONS-SC-OC3-EL support on POS OC3
SPAs to Modular Optics Compatibility,
page 6 and SIP, SSC, and SPA Compatibility,
page 4.
• SPA-1xOC3-ATM-V2,
SPA-3xOC3-ATM-V2 and
SPA-1xOC12-ATM-V2 Support on Cisco
7600 SIP-400
• Non-Aggregate WRED ATM SPA
• 2-Port Gigabit Synchronous Ethernet SPA
• Added support for feature Configuring BFD
over VCCV on SIP-400, page 75 in Chapter 4.
• Added restriction for the 2-Port Gigabit
Ethernet SPA.
12.2 (33) SRE1 OL-5070-16 June 2010 • Added information that Priority percent is not
supported for ATM SPAs in Table 4-15 QoS
Congestion Management and Avoidance
Feature Compatibility by SIP and SPA
Combination.
12.2 (33) SRE1 OL-5070-16 April 2010 • Added information indicating that SVI is not
supported with MPLSoGRE.
12.2 (33) SRE1 OL-5070-16 April 2010 • Extended support for the following features:
– Private Host on Pseudoport on CWAN
cards in Chapter 4, “Configuration
Tasks”.
– Bridged Routing Encapsulation on
Automatic Protection Service Group in
Chapter 7, “Configuration Tasks”.
12.2 (33) SRD4 OL-5070-15 February 2010 • Support for the following features was
introduced:
– Private Host on Pseudoport on CWAN
cards in Chapter 4, “Configuration
Tasks”. Private Host on Pseudoport on
CWAN cards was previously shared as
hidden documentation. For SRD4, it has
been brought to the mainline
documentation.
– Bridged Routing Encapsulation on
Automatic Protection Service Group in
Chapter 7, “Configuration Tasks”.
12.2 (33) SRE OL-5070-14 December 2009 • Supervisor Engine Support for the IPSec VPN
SPA was added.
• Note added under the section Information
About IPSec Configuration in the chapter
Overview of the IPSec VPN SPA.
12.2(33)SRE OL-5070-14 November 2009 Support was added for:
• STM1 Electrical SFP to
SPA-1ChOC3-CE-ATM and
SPA-1xCHSTM1/OC3 on 7600 in Modular
Optics Compatibility, page 6 of Chapter 2,
“SIP, SSC, and SPA Product Overview”.
• XFP-10F-MM-SR for 10GE SPAs on the
SIP400 and SIP600 in Modular Optics
Compatibility, page 6 of Chapter 2, “SIP,
SSC, and SPA Product Overview”
• X2-DWDM and X2-10GB-LRM/ZR support
on RSP720-10GE in Modular Optics
Compatibility, page 6 of Chapter 2, “SIP,
SSC, and SPA Product Overview”.
• Access Circuit Redundancy on SIP400 2-Port
and 4-Port OC-3c/STM-1 ATM SPA and QoS
support (Chapter 7, “Configuring the ATM
SPAs” added section Configuring Access
Circuit Redundancy on SIP-400 ATM SPAs,
page 65
• VC QoS on VP pseudowire. Added support
for match atm-vci command to ATM VP
interface in Cisco 7600 SIP-400
Classification Into a Queue, page 13
• Triple nesting QoS support on SIP-400 to add
support for an additional level of policy-map
nesting to Cisco 7600 SIP-400 Policing and
Dropping, page 13
• RSP720-10GE on Cisco 7600-SSC-400 to
SPA Services Cards, page 2
• VP and VC mode support on 7600/SIP400 for
CEoP and 1-Port OC-48c/STM-16 ATM SPA
to Chapter 9, “Overview of the CEoP and
Channelized ATM SPAs”
• IEEE 802.1ag Draft 8.1 compliant
Connectivity Fault Management on EVC
(VPLS and pseudowire) on SIP-400 and
SIP-600 in Cisco 7600 SIP-400 Features,
page 11 and Cisco 7600 SIP-600 Features,
page 16
• Updates to IPv6 Hop-by-Hop on SIP-200 to
Cisco 7600 SIP-200 Other QoS Features,
page 9 and Configuring IPv6 Hop-by-Hop
Header Security on SIP-200 or SIP-400,
page 142
12.2 (33) SRD3 OL-5070-13 September 2009 Support is added for Private Hosts SVI on CWAN
linecards in Private Hosts SVI (Interface VLAN)
Configuration Example, page 178
This version of the document with the Private
Hosts feature is available only to a select set of
customers.
12.2 (33) SRD3 OL-5070-12 September 2009 Support is added for:
• IPv6 Hop-by-Hop Policing for SIP-200 in
Configuring IPv6 Hop-by-Hop Header
Security on SIP-200 or SIP-400, page 142
• AIS and RAI alarm forwarding in CESoPSN
mode on CEoP SPA in Configuring AIS and
RAI Alarm Forwarding in CESoPSN Mode
on CEoP SPAs, page 61
• CeOP SPA updates in Chapter 9, “Overview
of the CEoP and Channelized ATM SPAs”
and Chapter 10, “Configuring the CEoP and
Channelized ATM SPAs”
12.2 (33) SRD2 OL-5070-11 May 2009 • Support was added for:
– PPP/MLPPP APS performance
enhancement in Chapter 20,
“Configuring 1-Port ChOC-3/STM-1 and
ChOC-12 / STM-4 SPAs” section
Configuring APS, page 20 and Verifying
the APS Configuration, page 22
– Support for new pluggable SFP
ONS-SC-155-EL in the section Modular
Optics Compatibility, page 6 of
Chapter 2, “SIP, SSC, and SPA
Compatibility”
12.2 (33) SRD1 OL-5050-10 February 2009 • Support was added for:
– 1xCHOC12STM4 SPA
– IPv6 Hop-by-Hop
12.2 (33) SRD OL-5050-10 October, 2008 • Support was added for the following features:
– IMA on SIP-400 for 24xT1/E1 CEOP and
1xOC3 CEOP SPAs
– Private Host SVI (interface VLAN)
– SPA-8X1FE-TX-V2 &
SPA-4X1FE-TX-V2 Support on SIP400
– Port Mode Cell Relay support on Cisco
7600 SIP400 ATM SPA
– DBUS CoS API on SIP-400
– SIP-400 Hierarchical Queuing
Framework (HQF)
– L2VPN Interworking- Ethernet VLAN to
ATM AAL5
– Bridging Routed Encapsulations (BRE)
on Cisco SIP-400
– Asymmetric Carrier Delay
12.2 (33) SRC1 OL-5050-09 May 27, 2008 Support was added for the following features:
• SPA-4XT-Serial (Cisco 4-Port Serial Shared
Port Adapter) support on 7600/SIP200-
Added Chapter 21, “Configuring the 4-Port
Serial Interface SPA”
• Updated Restrictions in Chapter 23 to add the
limitation that TCP ADJUST-MSS is NOT
supported on VTI tunnel.
12.2(33)SRC OL-5050-08 Jan 2008 Support was added for the following features:
• CT3 CEoP on c7600-SIP-400
• Accelerated Lawful Intercept on Cisco 7600
SIP-400
• CoPP Enhancements of Cisco 7600 SIP-400
• PPPoEoE on Cisco 7600 SIP-400
• Source IPv4 and Source MAC Address
Binding on Cisco 7600 SIP-400
• IMA on SIP-400 for 24xT1/E1 CEOP and
1xOC3 CEOP SPAs
• IGMP Snooping support on SIP-200
• AFC and PFC support on Multilink Interface
on SIP-200 for 2- and 4-port CT3, 8-port
channelized T1/E1 channelized, and 1-port
channelized OC3/STM-1 SPAs
• Programmable BERT patterns enhancement
on SIP-200 for 2- and 4-port channelized T3
and 1-port channelized OC3/STM-1 SPAs
• TDM Local switching
• Phase 2 Local Switching Redundancy
• SPA-1xCHSTM1/OC3
• Cisco Channelized T3 to DS0 Shared Port
Adapter (SPA-2XCT3/DS0,
SPA-4XCT3/DS0)
• Cisco 8-Port Channelized T1/E1 Shared Port
Adapter (SPA-8XCHT1/E1)
• Cisco Clear Channel T3/E3 Shared Port
Adapter (SPA-2XT3/E3, SPA-4XT3/E3)
12.2(33)SRB1 OL-5070-07 June 4, 2007 Support for the following features was introduced:
• Backup interface for Flexible UNI (for
Gigabit Ethernet SPAs) on a Cisco 7600
SIP-400
• Any Transport over MPLS over GRE (AToM
over GRE) on a Cisco 7600 SIP-400
• MTU support on MLPPP interfaces on a
Cisco 7600 SIP-200
• ATM pseudowire redundancy for the CEoP
SPA
• Out-of-band clocking for the CEoP SPA
• Support for XFP-10GZR-OC192LR
12.2(33)SRB OL-5070-06 February 27, 2007 Sixth release. Support for the following features
was introduced:
• Software-based MLP bundles from 256 to
1024 on a Cisco 7600 SIP-200
• Network clock support on a Cisco 7600
SIP-200
• Lawful Intercept on a Cisco 7600 SIP-400
• Per-subscriber/per-protocol CoPP support on
a Cisco 7600 SIP-400
• Security ACLs on a Cisco 7600 SIP-400
• Percent priority/percent bandwidth support
on a Cisco 7600 SIP-400
• IGMP/PIM snooping for VPLS pseudowire
on a Cisco 7600 SIP-400
• Dual-priority queue support on a Cisco 7600
SIP-400
• 24-Port Channelized T1/E1 ATM CEoP SPA,
1-Port Channelized OC-3 STM1 ATM CEoP
SPAs, and 2-Port Copper and Optical Gigabit
Ethernet SPAs.
12.2(33)SRA OL-5070-05 June 5, 2006 Fifth release. The following modifications were
made:
• Support was added for the following SPAs on
the Cisco 7600 SIP-200:
– 1-Port Channelized OC-3/STM-1 SPA
– 4-Port and 8-Port Fast Ethernet SPA
• Support was added for the
1-Port OC-48c/STM-16 POS SPA on the
Cisco 7600 SIP-400
• Support was added for the 2-Port and
4-Port OC-48c/STM-16 POS SPA on the
Cisco 7600 SIP-600
• The following features were introduced for
the IPSec VPN SPA:
– Front-side VRF
– IPSec Virtual Tunnel Interface (VTI)
– Certificate to ISAKMP Profile Mapping
– Call Admission Control
– Periodic Message Option (now supported
in Dead Peer Detection)
– Reverse Route Injection (RRI)
– IPSec Anti-replay Windowsize
– IPSec Preferred Peer
– Local Certificate Storage Location
– Optional OCSP Nonces
– Persistent Self-signed Certificates
– Certificate Chain Verification
– Easy VPN Remote RSA Signature
Storage
– IPSec and IKE MIB support for Cisco
VRF-Aware IPSec
Note Support is not included for IPSec stateful
failover using HSRP and SSP.
12.2(33)SRA OL-5070-05 June 5, 2006 • The single configuration chapter for the IPSec
VPN SPA has been restructured into seven
smaller chapters.
• Support for the following features was
introduced on the Cisco 7600 SIP-200:
– AToM VP Mode Cell Relay—ATM SPAs
– BCP over dMLPPP (Trunk
Mode)—Channelized SPAs
– MPLS over RBE—ATM SPAs
– Multi-VC to VLAN scalability
– QoS support on bridging features
– Software-based MLPPP
– Software-based MLFR
• Support for the following features was
introduced on the Cisco 7600 SIP-400:
– AToM VP Mode Cell Relay—ATM SPAs
– Ethernet over MPLS (EoMPLS) VC
Scaling—Increase from 4K to 10K VCs
– Ingress/Egress CoS classification with
ingress policing per VLAN or EoMPLS
VC
– Hierarchical VPLS (H-VPLS) with
MPLS Edge
– Hierarchical QoS support for EoMPLS
VCs
– Multipoint Bridging (MPB) for Gigabit
Ethernet SPA
– Multi-VC to VLAN scalability
– Multi-VLAN to VC—ATM SPAs
– QoS support on bridging features
– Tag-Native Mode for Trunk BCP
12.2(18)SXF2 OL-5070-04 February 28, 2006 The following updates were made to the
documentation:
• Removed the restriction of “Mapping DSCP
values to MPLS EXP bits is not supported”
from the Cisco 7600 SIP-600 list of
restrictions.
• Added the following VPLS scalability
support information for the Cisco 7600
SIP-600:
– Up to 4000 VPLS domains
– Up to 60 VPLS peers per domain
– Up to 30,000 pseudowires, used in any
combination of domains and peers up to
the 4000-domain or 60-peer maximums.
For example, support of up to 4000
domains with 7 peers or up to 60 peers in
500 domains.
• Added H-VPLS with Q-in-Q edge feature
support on Cisco 7600 SIP-600—Requires
Cisco 7600 SIP-600 in the uplink, and any
LAN port or Cisco 7600 SIP-600 on the
downlink
• Removed VPLS pseudowire redundancy
feature support for the Cisco 7600 SIP-600
• Removed the “Cisco 7600 SIP-600 MPLS
Marking” section
• Modified the encapsulations supported in the
ATM chapters to “aal5snap” only
• Corrected the note in the “Configuring
Compressed Real-Time Protocol” section of
Chapter 4, “Configuring the SIPs and SSC” to
state:
“cRTP is supported only on the Cisco 7600
SIP-200 with the 8-Port Channelized T1/E1
SPA and 2-Port and 4-Port Channelized T3
SPA.”
12.2(18)SXF2 OL-5070-04 January 27, 2006 The following update to the hardware-based
MLPPP LFI guidelines was made in Chapter 17,
“Configuring the 8-Port Channelized T1/E1 SPA,”
and Chapter 19, “Configuring the 2-Port and
4-Port Channelized T3 SPAs”:
When hardware-based LFI is enabled,
fragmentation counters are not displayed.
12.2(18)SXF2 OL-5070-04 January 20, 2006 Fourth release. The following modifications were
made:
• The 1-Port OC-192c/STM-64 POS/RPR VSR
Optics SPA was introduced on the Cisco 7600
SIP-600.
• Support was introduced for the configuration
of IP multicast over a GRE tunnel on the
IPSec VPN SPA.
• Support for the “Enhancements to RFC 1483
Spanning Tree Interoperability” feature was
added for ATM SPAs on the Cisco 7600
SIP-200.
• Documentation of a workaround for ATM
SPA configuration on the Cisco 7600 SIP-200
was added in Chapter 7, “Configuring the
ATM SPAs” to address a Routed Bridge
Encapsulation (RBE) limitation where only
one remote MAC address is supported.
12.2(18)SXF OL-5070-03 January 12, 2006 The following modifications were made:
• Adjusted ATM SPA PVC restriction
(correctly noted elsewhere in the
documentation) from “A maximum number of
400 PVCs or SVCs...” to “A maximum
number of 1000 PVCs or 400 SVCs
configured with MQC policy maps.”
• Added cross-references throughout
Chapter 3, “Overview of the SIPs and SSC” to
the Cisco IOS Release SX Supervisor Engine
release notes.
• Updated the Cisco 7600 SIP-400 restrictions
to clarify that the SIP does not work with the
Supervisor Engine PFC3A or in PFC3A
mode.
• Updated the Cisco 7600 SIP-600 restrictions
to clarify lack of support for the Supervisor
Engine 720 PFC3A or PFC3A mode:
“The Cisco 7600 SIP-600 is not supported by
the Supervisor Engine 32. The Cisco 7600
SIP-600 is supported by the Supervisor
Engine 720 PFC3B and Supervisor Engine
720 PFC3BXL. It is not supported with a
Supervisor Engine 720 PFC3A or in PFC3A
mode.”
• Added a cross-reference to Chapter 3,
“Overview of the SIPs and SSC” in each of
the SPA overview chapters to ease location of
additional features and restrictions that are
SIP- or SSC-specific.
• Removed the list of supported modules from
Chapter 24, “Overview of the IPSec VPN
SPA”. Any unsupported modules will be
documented in the “Restrictions” section.
• Further qualified Cisco 7600 SIP-200 Any
Transport over MPLS (AToM) support for
ATM in Chapter 3, “Overview of the SIPs and
SSC” to state:
“Any Transport over MPLS (AToM) support,
including:
– ATM over MPLS (ATMoMPLS)—AAL5
VC mode
– Ethernet over MPLS
(EoMPLS)—(Single cell relay) VC
mode”
• Removed references to “1-Port 10-Gigabit
Ethernet SPA and 10-Port Gigabit Ethernet
SPA on a SIP-400” in the “Enabling
Autonegotiation” and “Disabling
Autonegotiation” sections of Chapter 12,
“Configuring the Fast Ethernet and Gigabit
Ethernet SPAs.”
• Qualified AToM core-facing restriction for
the Cisco 7600 SIP-200 as follows:
– AToM (ATMoMPLS, FRoMPLS,
HDLCoMPLS, and PPPoMPLS) on a
SPA requires a Cisco 7600 SIP-200,
FlexWAN, Enhanced FlexWAN, or OSM
PXF interface as the core-facing
interface.
– AToM (ATMoMPLS, FRoMPLS) on a
Cisco 7600 SIP-200 also is supported
with a Cisco 7600 SIP-400 as the
core-facing interface.
• Documentation of the Fast Software Upgrade
(FSU) procedure supported by Route
Processor Redundancy (RPR) for supervisor
engines was added to Chapter 35, “Upgrading
Field-Programmable Devices.”
12.2(18)SXF OL-5070-03 September 19, 2005 Third release. The following hardware was
introduced:
• 1-Port OC-48c/STM-16 ATM SPA
• 2-Port Gigabit Ethernet SPA
• 5-Port Gigabit Ethernet SPA
• 10-Port Gigabit Ethernet SPA
• 1-Port 10-Gigabit Ethernet SPA
• 1-Port OC-192c/STM-64 POS/RPR SPA
• 1-Port OC-192c/STM-64 POS/RPR XFP SPA
For specific feature changes, see the Release
History tables in the “Overview” chapters of this
book.
12.2(18)SXE2 OL-5070-02 August 17, 2005 The following modifications were made:
• Chapter 17, “Configuring the 8-Port
Channelized T1/E1 SPA” and Chapter 19,
“Configuring the 2-Port and 4-Port
Channelized T3 SPAs” were modified to
clarify support of MLPPP and MLFR for both
E1 and T1 links.
• Added cRTP to the supported features list for
the serial SPAs in Chapter 16, “Overview of
the Serial SPAs.”
• Document was modified with the following
updates in Chapter 4, “Configuring the SIPs
and SSC”:
– Removed references to support of
software-based MLFR.
– In the “Assigning an Interface to an
MLPPP Bundle” section, moved the step
order of the ppp multilink command and
qualified it as optional.
– Under “MLPPP Configuration
Guidelines,” added guidelines for
distributed links on the Cisco 7600
SIP-200 and restrictions.
– Under “MLPPP Configuration Tasks”
and “MLFR Configuration Tasks,” added
task to emphasize that distributed CEF is
required for these features; however,
dCEF is automatically enabled on the
Cisco 7600 series router.
12.2(18)SXE2 OL-5070-02 July 25, 2005 Second release. The Cisco 7600 SSC-400 and
IPSec VPN SPA were introduced.
12.2(18)SXE OL-5070-01 March 28, 2005 First release.
Organization
This document contains the following chapters:
Chapter    Title    Description
Chapter 1    Using Cisco IOS Software    Provides an introduction to accessing the command-line interface (CLI) and using the Cisco IOS software and related tools.
Chapter 2    SIP, SSC, and SPA Product Overview    Provides a brief introduction to the SIP and SPA products on the Cisco 7600 series router, and information about SIP, SSC, SPA, and optics compatibility.
Chapter 3    Overview of the SIPs and SSC    Describes release history, and feature and Management Information Base (MIB) support for the SIPs and SSCs on the Cisco 7600 series router.
Chapter 4    Configuring the SIPs and SSC    Describes related configuration and verification information for the SIPs and SSCs on the Cisco 7600 series router.
Chapter 5    Troubleshooting the SIPs and SSC    Describes techniques that you can use to troubleshoot the operation of the SIPs and SSCs on the Cisco 7600 series router.
Chapter 6    Overview of the ATM SPAs    Describes release history, feature and Management Information Base (MIB) support, and an introduction to the ATM SPA architecture on the Cisco 7600 series router.
Chapter 7    Configuring the ATM SPAs    Describes the related configuration and verification information for the ATM SPAs on the Cisco 7600 series router.
Chapter 8    Troubleshooting the ATM SPAs    Describes techniques that you can use to troubleshoot the operation of the ATM SPAs on the Cisco 7600 series router.
Chapter 9    Overview of the CEoP and Channelized ATM SPAs    Describes release history, feature and Management Information Base (MIB) support, and an introduction to the CEoP SPA architecture on the Cisco 7600 series router.
Chapter 10    Configuring the CEoP and Channelized ATM SPAs    Describes the related configuration and verification information for the CEoP and Channelized SPAs on the Cisco 7600 series router.
Chapter 11    Overview of the Ethernet SPAs    Describes release history, feature and Management Information Base (MIB) support, and an introduction to the Gigabit Ethernet SPA architecture on the Cisco 7600 series router.
Chapter 12    Configuring the Fast Ethernet and Gigabit Ethernet SPAs    Describes the related configuration and verification information for the Gigabit Ethernet SPAs on the Cisco 7600 series router.
Chapter 13    Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs    Describes techniques that you can use to troubleshoot the operation of the Gigabit Ethernet SPAs on the Cisco 7600 series router.
Chapter 14    Overview of the POS SPAs    Describes release history, feature and Management Information Base (MIB) support, and an introduction to the POS SPA architecture on the Cisco 7600 series router.
Chapter 15    Configuring the POS SPAs    Describes the related configuration and verification information for the POS SPAs on the Cisco 7600 series router.
Chapter 16    Overview of the Serial SPAs    Describes release history, feature and Management Information Base (MIB) support, and an introduction to the serial SPA architecture on the Cisco 7600 series router.
Chapter 17    Configuring the 8-Port Channelized T1/E1 SPA    Describes the related configuration and verification information for the 8-Port Channelized T1/E1 SPAs on the Cisco 7600 series router.
Chapter 18    Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs    Describes the related configuration and verification information for the 2-Port and 4-Port Clear Channel T3/E3 SPAs on the Cisco 7600 series router.
Chapter 19    Configuring the 2-Port and 4-Port Channelized T3 SPAs    Describes the related configuration and verification information for the 2-Port and 4-Port Channelized T3 SPAs on the Cisco 7600 series router.
Chapter 20    Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs    Describes the related configuration and verification information for the 1-Port Channelized OC-3/STM-1 SPA on the Cisco 7600 series router.
Chapter 21    Configuring the 4-Port Serial Interface SPA    Describes information about configuring the 4-Port Serial Interface Shared Port Adapter (SPA) on the Cisco 7600 series router.
Chapter 22    Troubleshooting the Serial SPAs    Describes techniques that you can use to troubleshoot the operation of the serial SPAs on the Cisco 7600 series router.
Chapter 23    Overview of the IPSec VPN SPA    Describes release history, feature and Management Information Base (MIB) support, and an introduction to the IPSec VPN SPA architecture on the Cisco 7600 series router.
Chapter 24    Configuring VPNs in Crypto-Connect Mode    Describes the related configuration and verification information for IPSec VPNs using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 25    Configuring VPNs in VRF Mode    Describes information about configuring IPSec VPNs in Virtual Routing and Forwarding (VRF) mode using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 26    Configuring IPSec VPN Fragmentation and MTU    Describes information about configuring IPSec VPN fragmentation and the maximum transmission unit (MTU) using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 27    Configuring IKE Features Using the IPSec VPN SPA    Describes the related configuration and verification information for Internet Key Exchange (IKE) features using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 28    Configuring Enhanced IPSec Features Using the IPSec VPN SPA    Describes the related configuration and verification information for enhanced IPSec features using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 29    Configuring PKI Using the IPSec VPN SPA    Describes the related configuration and verification information for Public Key Infrastructure (PKI) features using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 30    Configuring Advanced VPNs Using the IPSec VPN SPA    Describes the related configuration and verification information for advanced IPSec VPNs using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 31    Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA    Describes the related configuration and verification information for duplicate hardware configurations and IPSec failover using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 32    Configuring Monitoring and Accounting for the IPSec VPN SPA    Describes the related configuration and verification information for monitoring and accounting using the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 33    Troubleshooting the IPSec VPN SPA    Describes techniques that you can use to troubleshoot the operation of the IPSec VPN SPA on the Cisco 7600 series router.
Chapter 34    Upgrading Field-Programmable Devices    Provides information about upgrading the field-programmable devices on the Cisco 7600 series router.
Related Documentation
This section refers you to other documentation that also might be useful as you configure your
Cisco 7600 series router. The documentation listed below is available online.
Cisco 7600 Series Router Documentation
As you configure your Cisco 7600 series router, you should also refer to the following companion
publication for important hardware installation information:
• Cisco 7600 Series Ethernet Services 20G Line Card Hardware Installation Guide
An overview of the Cisco 7600 series router features, benefits, and applications can be found in the
Cisco 7600 Series Internet Router Essentials document located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_quick_start09186a0080092248.html
Some of the following other Cisco 7600 series router publications might be useful to you as you
configure your Cisco 7600 series router.
• Cisco 7600 Series Cisco IOS Software Configuration Guide
http://www.cisco.com/en/US/products/hw/routers/ps368/products_installation_and_configuration_guides_list.html
• Cisco 7600 Series Cisco IOS Command Reference
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_command_reference_list.html
• Cisco 7600 Series Cisco IOS System Message Guide
http://www.cisco.com/en/US/products/hw/routers/ps368/products_system_message_guides_list.html
• Cisco 7600 Series Internet Router MIB Specifications Guide
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_technical_reference_list.html
Several other publications are also related to the Cisco 7600 series router. For a complete reference of
related documentation, refer to the Cisco 7600 Series Routers Documentation Roadmap located at the
following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_documentation_roadmaps_list.html
Other Cisco IOS Software Publications
Your router and the Cisco IOS software running on it contain extensive features. You can find
documentation for Cisco IOS software features at the following URL:
http://www.cisco.com/cisco/web/psa/default.html?mode=prod
Cisco IOS Release 12.2SR Software Publications
Documentation for Cisco IOS Release 12.2SR, including command reference and system error
messages, can be found at the following URL:
http://www.cisco.com/en/US/products/ps6922/tsd_products_support_series_home.html
Document Conventions
Within the SIP and SPA software configuration guides, the term router is generally used to refer to a
variety of Cisco products (for example, routers, access servers, and switches). Routers, access servers,
and other networking devices that support Cisco IOS software are shown interchangeably within
examples. These products are used only for illustrative purposes; that is, an example that shows one
product does not necessarily indicate that other products are not supported.
This documentation uses the following conventions:
Convention    Description
^ or Ctrl    The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string    A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.
Command syntax descriptions use the following conventions:
Convention    Description
bold    Bold text indicates commands and keywords that you enter exactly as shown.
italics    Italic text indicates arguments for which you supply values.
[x]    Square brackets enclose an optional element (keyword or argument).
|    A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]    Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y}    Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
Nested sets of square brackets or braces indicate optional or required choices within optional or required
elements. For example:
Convention    Description
[x {y | z}]    Braces and a vertical line within square brackets indicate a required choice within an optional element.
Examples use the following conventions:
Convention    Description
screen    Examples of information displayed on the screen are set in Courier font.
bold screen    Examples of text that you must enter are set in Courier bold font.
< >    Angle brackets enclose text that is not printed to the screen, such as passwords.
!    An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]    Square brackets enclose default responses to system prompts.
The following conventions are used to attract the attention of the reader:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Note Means reader take note. Notes contain helpful suggestions or references to materials that may not be
contained in this manual.
Tip Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What's New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS)
feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds
are a free service and Cisco currently supports RSS Version 2.0.
PART 1
Introduction
CHAPTER 1
Using Cisco IOS Software
This chapter provides information to prepare you to configure a SPA interface processor (SIP) or shared
port adapter (SPA) using the Cisco IOS software. It includes the following sections:
• Accessing the CLI Using a Router Console
• Using Keyboard Shortcuts
• Using the History Buffer to Recall Commands
• Understanding Command Modes
• Getting Help
• Using the no and default Forms of Commands
• Saving Configuration Changes
• Filtering Output from the show and more Commands
• Finding Support Information for Platforms and Cisco Software Images
Accessing the CLI Using a Router Console
The following sections describe how to access the command-line interface (CLI) using a
directly-connected console or by using Telnet or a modem to obtain a remote console:
• Accessing the CLI Using a Directly-Connected Console
• Accessing the CLI from a Remote Console Using Telnet
• Accessing the CLI from a Remote Console Using a Modem
For more detailed information about configuring and accessing a router through various services, refer
to the Cisco IOS Terminal Services Configuration Guide and Cisco IOS Terminal Services Command
Reference publications.
For more information about making the console cable connections, refer to the Cisco 7600 Series Router
Module Installation Guide.
Accessing the CLI Using a Directly-Connected Console
This section describes how to connect to the console port on the router and use the console interface to
access the CLI.
The console port on a Cisco 7600 series router is an EIA/TIA-232 asynchronous, serial connection with
hardware flow control and an RJ-45 connector. The console port is located on the front panel of the
supervisor engine, as shown in Figure 1-1 and Figure 1-2.
Figure 1-1 Supervisor Engine 720 Console Port Connector
Figure 1-2 Supervisor Engine 32 Console Port Connector
Connecting to the Console Port
Before you can use the console interface on the router using a terminal or PC, you must perform the
following steps:
Step 1 Configure your terminal emulation software with the following settings:
• 9600 bits per second (bps)
• 8 data bits
• No parity
• 2 stop bits
Note These are the default serial communication parameters on the router. For information about how to
change the default settings to meet the requirements of your terminal or host, refer to the Cisco IOS
Terminal Services Configuration Guide.
Step 2 Connect a terminal or PC to the console port using one of the following methods:
a. To connect to the console port using the cable and adapters provided in the accessory kit that shipped
with your Cisco 7600 series router:
– Place the console port mode switch in the in position (factory default).
– Connect to the port using the RJ-45-to-RJ-45 cable and RJ-45-to-DB-25 DTE adapter or using
the RJ-45-to-DB-9 DTE adapter (labeled “Terminal”).
b. To connect to the console port using a Catalyst 5000 family Supervisor Engine III console cable:
– Place the console port mode switch in the out position.
– Connect to the port using the Supervisor Engine III cable and the appropriate adapter for the
terminal connection.
Using the Console Interface
To access the CLI using the console interface, complete the following steps:
Step 1 After you attach the terminal hardware to the console port on the router and you configure your terminal
emulation software with the proper settings, the following prompt appears:
Press Return for Console prompt
Step 2 Press Return to enter user EXEC configuration mode. The following prompt appears:
Router>
Step 3 From user EXEC configuration mode, enter the enable command as shown in the following example:
Router> enable
Step 4 At the password prompt, enter your system’s password. (The following example shows entry of the
password called “enablepass”):
Password: enablepass
Step 5 When your enable password is accepted, the privileged EXEC configuration mode prompt appears:
Router#
Step 6 You now have access to the CLI in privileged EXEC configuration mode and you can enter the necessary
commands to complete your desired tasks.
Step 7 To exit the console session, enter the quit command as shown in the following example:
Router# quit
Accessing the CLI from a Remote Console Using Telnet
This section describes how to connect to the console interface on a router using Telnet to access the CLI.
Preparing to Connect to the Router Console Using Telnet
Before you can access the router remotely using Telnet from a TCP/IP network, you need to configure
the router to support virtual terminal lines (vtys) using the line vty global configuration command. You
also should configure the vtys to require login and specify a password.
Note To prevent disabling login on the line, be careful that you specify a password with the password
command when you configure the login line configuration command. If you are using authentication,
authorization, and accounting (AAA), you should configure the login authentication line configuration
command. To prevent disabling login on the line for AAA authentication when you configure a list with
the login authentication command, you must also configure that list using the aaa authentication login
global configuration command. For more information about AAA services, refer to the Cisco IOS
Security Configuration Guide and Cisco IOS Security Command Reference publications.
In addition, before you can make a Telnet connection to the router, you must have a valid host name for
the router or have an IP address configured on the router. For more information about requirements for
connecting to the router using Telnet, information about customizing your Telnet services, and using
Telnet key sequences, refer to the Cisco IOS Terminal Services Configuration Guide.
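The login conditions described in the note above can be checked against a saved configuration before Telnet access is relied on. The following Python check is an added example, not Cisco code; the two sample configurations, the list names VTY-AUTH and OPS-AUTH, and the finding labels are constructed for illustration.

```python
import re

# Constructed sample: vty lines that rely on line passwords (no AAA).
LINE_PASSWORD_CONFIG = """\
line con 0
 password conpass
 login
line vty 0 4
 login
line vty 5 10
 password vtypass
 login
line vty 11 15
 no login
"""

# Constructed sample: vty lines that rely on AAA method lists.
AAA_CONFIG = """\
aaa new-model
aaa authentication login VTY-AUTH local
!
line vty 0 4
 login authentication VTY-AUTH
line vty 5 15
 login authentication OPS-AUTH
"""


def audit_vty_lines(config_text):
    """Return (line header, finding) tuples for the vty blocks in a config.

    Findings (labels are hypothetical, chosen for this example):
      login-without-password  'login' is set but no 'password' is configured
      login-disabled          'no login' is set, so the vty requires no login
      undefined-aaa-list:X    'login authentication X' names a list that no
                              'aaa authentication login X' command defines
    """
    defined_lists = set()   # names from 'aaa authentication login <name> ...'
    blocks = []             # [(header, [subcommands])] for each 'line vty'
    current = None

    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None              # separators end the current block
            continue
        if raw[0].isspace():            # indented: subcommand of a block
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = None                  # any global command ends the block
        match = re.match(r"aaa authentication login (\S+)\s+\S+", raw)
        if match:
            defined_lists.add(match.group(1))
        elif raw.startswith("line vty "):
            current = (raw.strip(), [])
            blocks.append(current)

    findings = []
    for header, cmds in blocks:
        has_password = any(c.startswith("password ") for c in cmds)
        for cmd in cmds:
            if cmd == "no login":
                findings.append((header, "login-disabled"))
            elif cmd == "login" and not has_password:
                findings.append((header, "login-without-password"))
            else:
                # The note makes no exception for a list named 'default',
                # so this check treats every list name the same way.
                match = re.fullmatch(r"login authentication (\S+)", cmd)
                if match and match.group(1) not in defined_lists:
                    findings.append(
                        (header, "undefined-aaa-list:" + match.group(1)))
    return findings


if __name__ == "__main__":
    for sample in (LINE_PASSWORD_CONFIG, AAA_CONFIG):
        for header, finding in audit_vty_lines(sample):
            print(f"{header}: {finding}")
```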
Using Telnet to Access a Console Interface
To access a console interface using Telnet, complete the following steps:
Step 1 From your terminal or PC, enter one of the following commands:
• connect host [port] [keyword]
• telnet host [port] [keyword]
In this syntax, host is the router host name or an IP address, port is a decimal port number (23 is the
default), and keyword is a supported keyword. For more information, refer to the Cisco IOS Terminal
Services Command Reference.
Note If you are using an access server, then you will need to specify a valid port number such as telnet
172.20.52.40 2004, in addition to the host name or IP address.
The following example shows the telnet command to connect to the router named router:
unix_host% telnet router
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
unix_host% connect
Step 2 At the password prompt, enter your login password. The following example shows entry of the password
called “mypass”:
User Access Verification
Password: mypass
Note If no password has been configured, press Return.
Step 3 From user EXEC configuration mode, enter the enable command as shown in the following example:
Router> enable
Step 4 At the password prompt, enter your system’s password. (The following example shows entry of the
password called “enablepass”):
Password: enablepass
Step 5 When the enable password is accepted, the privileged EXEC configuration mode prompt appears:
Router#
Step 6 You now have access to the CLI in privileged EXEC configuration mode and you can enter the necessary
commands to complete your desired tasks.
Step 7 To exit the Telnet session, use the exit or logout command as shown in the following example:
Router# logout
Accessing the CLI from a Remote Console Using a Modem
To access the router remotely using a modem through an asynchronous connection, connect the modem
to the console port.
The console port on a Cisco 7600 series router is an EIA/TIA-232 asynchronous, serial connection with
hardware flow control and an RJ-45 connector. The console port is located on the front panel of the
supervisor engine, as shown in Figure 1-3 and Figure 1-4.
Figure 1-3 Supervisor Engine 720 Console Port Connector
Figure 1-4 Supervisor Engine 32 Console Port Connector
To connect a modem to the console port, place the console port mode switch in the in position. Connect
to the port using the RJ-45-to-RJ-45 cable and the RJ-45-to-DB-25 DCE adapter (labeled “Modem”).
Using Keyboard Shortcuts
Commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations
contain enough letters to be different from any other currently available commands or parameters.
Table 1-1 lists the keyboard shortcuts for entering and editing commands.
Table 1-1 Keyboard Shortcuts
Keystrokes    Purpose
Ctrl-B or the Left Arrow key¹    Move the cursor back one character
Ctrl-F or the Right Arrow key¹    Move the cursor forward one character
Ctrl-A    Move the cursor to the beginning of the command line
Ctrl-E    Move the cursor to the end of the command line
Esc B    Move the cursor back one word
Esc F    Move the cursor forward one word
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Using the History Buffer to Recall Commands
The history buffer stores the last 20 commands you entered. History substitution allows you to access
these commands without retyping them, by using special abbreviated commands.
Table 1-2 lists the history substitution commands.
Table 1-2 History Substitution Commands
Command    Purpose
Ctrl-P or the Up Arrow key¹    Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Ctrl-N or the Down Arrow key¹    Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the Up Arrow key.
Router# show history    While in EXEC mode, list the last several commands you have just entered.
1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
Understanding Command Modes
You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes,
the commands available to you at any given time depend on the mode that you are currently in. Entering
a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each
command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited
subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally
by using a password. From privileged EXEC mode you can issue any EXEC command—user or
privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time
commands. For example, show commands show important status information, and clear commands
clear counters or interfaces. The EXEC commands are not saved when the software reboots.
CLI configurations are not visible in the running configuration displays when the DBUS Class Of
Service (CoS) bits are set to the default values 5, 6, or 7. The IOS is designed this way to prevent simple
configurations from becoming huge if each default setting is displayed. For example, if you specify
load-interval 300 on an interface, which is equivalent to no load-interval, the default setting is not
shown in the running configuration display.
Configuration modes allow you to make changes to the running configuration. If you later save the
running configuration to the startup configuration, these changed commands are stored when the
software is rebooted. To enter specific configuration modes, you must start at global configuration mode.
From global configuration mode, you can enter interface configuration mode and a variety of other
modes, such as protocol-specific modes.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode.
Table 1-3 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.
For more information on command modes, refer to the “Using the Command-Line Interface” chapter in
the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.
Table 1-3 Accessing and Exiting Command Modes
Command Mode | Access Method | Prompt | Exit Method
User EXEC | Log in. | Router> | Use the logout command.
Privileged EXEC | From user EXEC mode, use the enable EXEC command. | Router# | To return to user EXEC mode, use the disable command.
Global configuration | From privileged EXEC mode, use the configure terminal privileged EXEC command. | Router(config)# | To return to privileged EXEC mode from global configuration mode, use the exit or end command.
Interface configuration | From global configuration mode, specify an interface using an interface command. | Router(config-if)# | To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
ROM monitor | From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting. | > | To exit ROM monitor mode, use the continue command.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Table 1-4 Help Commands and Purpose
Command | Purpose
help | Provides a brief description of the help system in any command mode.
abbreviated-command-entry? | Provides a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry<Tab> | Completes a partial command name.
? | Lists all commands available for a particular command mode.
command ? | Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)
Finding Command Options Example
This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter
a question mark (?) at the configuration prompt or after entering part of a command followed by a space.
The Cisco IOS software displays a list and brief description of available keywords and arguments. For
example, if you were in global configuration mode and wanted to see all the keywords or arguments for
the arap command, you would type arap ?.
The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage
return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The
<cr> symbol at the end of command help output indicates that you have the option to press Enter to
complete the command and that the arguments and keywords in the list preceding the <cr> symbol are
optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that
you must press Enter to complete the command.
Table 1-5 shows examples of how you can use the question mark (?) to assist you in entering commands.
Table 1-5 Finding Command Options
Command:
Router> enable
Password:
Router#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to a “#” from the “>”; for example, Router> to Router#.
Command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.
Command:
Router(config)# interface serial ?
<0-6> Serial interface number
Router(config)# interface serial 4 ?
/
Router(config)# interface serial 4/ ?
<0-3> Serial interface number
Router(config)# interface serial 4/0 ?
<cr>
Router(config)# interface serial 4/0
Router(config-if)#
Comment: Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. When the <cr> symbol is displayed, you can press Enter to complete the command. You are in interface configuration mode when the prompt changes to Router(config-if)#.
Command:
Router(config-if)# ?
Interface configuration commands:
.
.
.
ip Interface Internet Protocol config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an
interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable
name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Comment: Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.
Command:
Router(config-if)# ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface
cgmp Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.
Command:
Router(config-if)# ip address ?
A.B.C.D IP address
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed; therefore, you must enter additional keywords or arguments to complete the command.
Command:
Router(config-if)# ip address 172.16.0.1 ?
A.B.C.D IP subnet mask
Router(config-if)# ip address 172.16.0.1
Comment: Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A <cr> is not displayed; therefore, you must enter additional keywords or arguments to complete the command.
Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
secondary Make this IP address a secondary address
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Comment: Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A <cr> is displayed; you can press Enter to complete the command, or you can enter another keyword.
Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Router(config-if)#
Comment: In this example, Enter is pressed to complete the command.
Using the no and default Forms of Commands
Almost every configuration command has a no form. In general, use the no form to disable a function.
Use the command without the no keyword to re-enable a disabled function or to enable a function that
is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip
routing command; to re-enable IP routing, use the ip routing command. The Cisco IOS software
command reference publications provide the complete syntax for the configuration commands and
describe what the no form of a command does.
Many CLI commands also have a default form. By issuing the command default command-name, you
can configure the command to its default setting. The Cisco IOS software command reference
publications describe the function of the default form of the command when the default form performs
a different function than the plain and no forms of the command. To see what default commands are
available on your system, enter default ? in the appropriate command mode.
Saving Configuration Changes
Use the copy running-config startup-config command to save your configuration changes to the startup
configuration so that the changes will not be lost if the software reloads or a power outage occurs. For
example:
Router# copy running-config startup-config
Building configuration...
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
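The following added example (not part of the Cisco guide) ties the prompts in Table 1-3 to the save step described above: it walks a captured CLI session, derives the command mode of each line from its prompt, and lists configuration commands entered after the last completed copy running-config startup-config. The transcript is constructed from the guide's own sample commands; the function names, the word-prefix rule for abbreviated commands, and the use of "[OK]" as the save confirmation are assumptions of this example.

```python
import re

# Prompt shapes from Table 1-3: Router>  Router#  Router(config)#  Router(config-if)#
# The ROM monitor prompt (a bare ">") is not classified.
PROMPT = re.compile(
    r"^(?P<host>[A-Za-z][\w.-]*)"         # hostname ("Router" in the guide)
    r"(?:\((?P<sub>config[\w-]*)\))?"     # optional "(config...)" suffix
    r"(?P<end>[>#])\s*(?P<cmd>.*)$"       # mode character, then what was typed
)
MODES = {"config": "global configuration", "config-if": "interface configuration"}
SAVE = "copy running-config startup-config".split()
NO_IFACE = "interface (not captured)"


def classify(line):
    """Return (mode, command) for a prompt line, or None for device output."""
    m = PROMPT.match(line.strip())
    if m is None:
        return None
    sub, end, cmd = m.group("sub"), m.group("end"), m.group("cmd").strip()
    if sub is None:
        return ("user EXEC" if end == ">" else "privileged EXEC"), cmd
    if end != "#":
        return None                       # configuration prompts always end in "#"
    return MODES.get(sub, "other configuration"), cmd


def is_save(cmd):
    """True for the save command, typed in full or abbreviated word by word.

    Assumption: each typed word only has to be a prefix of the full keyword.
    IOS rejects ambiguous prefixes, which is why audit() also waits for "[OK]".
    Only the save command named in the guide is recognised.
    """
    words = cmd.split()
    return len(words) == len(SAVE) and all(f.startswith(w) for w, f in zip(words, SAVE))


def audit(transcript):
    """Summarise a session: modes reached, configuration changes, unsaved changes."""
    modes, changes, unsaved = [], [], []
    iface = NO_IFACE        # set by the last "interface ..." command
    awaiting_ok = False     # a save was issued and "[OK]" has not appeared yet
    for raw in transcript.splitlines():
        line = raw.strip()
        if awaiting_ok and line == "[OK]":
            unsaved.clear()             # save completed: changes are in the startup config
            awaiting_ok = False
            continue
        hit = classify(line)
        if hit is None:
            continue                    # device output or help text
        mode, cmd = hit
        if mode not in modes:
            modes.append(mode)
        if not cmd or cmd.endswith("?"):
            continue                    # bare prompt or context-sensitive help: nothing ran
        awaiting_ok = False             # another command ran before any "[OK]"
        if mode.endswith("configuration"):
            if cmd in ("exit", "end"):
                iface = NO_IFACE
            elif mode == "global configuration" and cmd.startswith("interface "):
                iface = cmd             # mode change only; later lines are attributed to it
            else:
                where = iface if mode == "interface configuration" else mode
                changes.append((where, cmd))
                unsaved.append((where, cmd))
        elif mode == "privileged EXEC" and is_save(cmd):
            awaiting_ok = True
    return {"modes": modes, "changes": changes, "unsaved": unsaved}


# Constructed transcript, assembled from the sample commands in this chapter.
SAMPLE = """\
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 4/0 ?
<cr>
Router(config)# interface serial 4/0
Router(config-if)# ip address ?
A.B.C.D IP address
negotiated IP Address negotiated over PPP
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Router(config-if)# end
Router# show interface | include protocol
Serial4/0 is up, line protocol is up
Router# copy running-config startup-config
Building configuration...
[OK]
Router# configure terminal
Router(config)# no ip routing
Router(config)# end
Router#
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("modes reached:", ", ".join(result["modes"]))
    for where, cmd in result["unsaved"]:
        print("unsaved change in %s: %s" % (where, cmd))
```

Run against session logs from a terminal server or change-review archive, the "unsaved" list shows changes that exist only in the running configuration and would be lost on reload.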
Filtering Output from the show and more Commands
You can search and filter the output of show and more commands. This functionality is useful if you
need to sort through large amounts of output or if you want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the
keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the
expression is case sensitive):
show command | {begin | include | exclude} regular-expression
The output matches certain lines of information in the configuration file. The following example
illustrates how to use output modifiers with the show interface command when you want the output to
include only lines in which the expression “protocol” appears:
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up
Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
For more information on the search and filter functionality, refer to the “Using the Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals and Network Management
Configuration Guide.
Finding Support Information for Platforms and Cisco Software Images
Cisco IOS software is packaged in feature sets consisting of software images that support specific
platforms. The feature sets available for a specific platform depend on which Cisco IOS software images
are included in a release. To identify the set of software images available in a specific release or to find
out if a feature is available in a given Cisco IOS software image, you can use Cisco Feature Navigator
or the software release notes.
Using Cisco Feature Navigator
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must
have an account on Cisco.com. If you do not have an account or have forgotten your username or
password, click Cancel at the login dialog box and follow the instructions that appear.
Using Software Advisor
To see if a feature is supported by a Cisco IOS release, to locate the software document for that feature,
or to check the minimum software requirements of Cisco IOS software with the hardware installed on
your router, Cisco maintains the Software Advisor tool on Cisco.com at
http://tools.cisco.com/Support/Fusion/FusionHome.do
You must be a registered user on Cisco.com to access this tool.
Using Software Release Notes
Cisco IOS software releases include release notes that provide the following information:
• Platform support information
• Memory recommendations
• New feature information
• Open and resolved severity 1 and 2 caveats for all platforms
Release notes are intended to be release-specific for the most current release, and the information
provided in these documents may not be cumulative in providing information about features that first
appeared in previous releases. Refer to Cisco Feature Navigator for cumulative feature information.
CHAPTER 2
SIP, SSC, and SPA Product Overview
This chapter provides an introduction to SPA interface processors (SIPs), SPA services cards (SSCs),
and shared port adapters (SPAs). It includes the following sections:
• Introduction to SIPs, SSCs, and SPAs
• SIP, SSC, and SPA Compatibility
• Modular Optics Compatibility
For more hardware details for the specific SIPs, SSCs, and SPAs that are supported on the Cisco 7600
series router, refer to the companion publication, Cisco 7600 Series Router SIP, SSC, and SPA Hardware
Installation Guide.
Introduction to SIPs, SSCs, and SPAs
SIPs, SSCs, and SPAs are a new carrier card and port adapter architecture to increase modularity,
flexibility, and density across Cisco Systems routers for network connectivity. This section describes the
SIPs, SSCs, and SPAs and provides some guidelines for their use.
SPA Interface Processors
The following list describes some of the general characteristics of a SIP:
• A SIP is a carrier card that inserts into a router slot like a line card. It provides no network
connectivity on its own.
• A SIP contains one or more subslots, which are used to house one or more SPAs. The SPA provides
interface ports for network connectivity.
• During normal operation the SIP should reside in the router fully populated either with functional
SPAs in all subslots, or with a blank filler plate (SPA-BLANK=) inserted in all empty subslots.
• SIPs support online insertion and removal (OIR) with SPAs inserted in their subslots. SPAs also
support OIR and can be inserted or removed independently from the SIP.
SPA Services Cards
The following list describes some of the general characteristics of an SSC:
• An SSC is a carrier card that inserts into a router slot like a line card. It provides no network
connectivity.
• An SSC provides one or more subslots, which are used to house one or more SPAs. The supported
SPAs do not provide interface ports for network connectivity, but provide certain services.
• During normal operation the SSC should reside in the router fully populated either with functional
SPAs in all subslots, or with a blank filler plate (SPA-BLANK=) inserted in all empty subslots.
• SSCs support online insertion and removal (OIR) with SPAs inserted in their subslots. SPAs also
support OIR and can be inserted or removed independently from the SSC.
• Cisco IOS Release 12.2(33) SRE adds support for Route Switch Processor 720 10GE to the Cisco
7600 SSC-400.
Shared Port Adapters
The following list describes some of the general characteristics of a SPA:
• A SPA is a modular type of port adapter that inserts into a subslot of a compatible SIP carrier card
to provide network connectivity and increased interface port density. A SIP can hold one or more
SPAs, depending on the SIP type.
• Some SPAs provide services rather than network connectivity, and insert into subslots of compatible
SSCs. For example, the IPSec VPN SPA provides services such as IP Security (IPSec)
encryption/decryption, generic routing encapsulation (GRE), and Internet Key Exchange (IKE) key
generation.
• SPAs are available in the following sizes, as shown in Figure 2-1 and Figure 2-2:
– Single-height SPA—Inserts into one SIP subslot.
– Double-height SPA—Inserts into two single, vertically aligned SIP subslots.
Figure 2-1 Single-Height and Double-Height SPA Sizes
[Figure: front of a SIP showing a single-height SPA and a double-height SPA.]
Figure 2-2 Horizontal and Vertical Chassis Slot Orientation for SPAs
[Figure: SPA subslots 0 through 3 on the front of a SIP, shown for horizontal chassis slots and for vertical slot orientation, including double-height SPA placement.]
• Each SPA provides a certain number of connectors, or ports, that are the interfaces to one or more
networks. These interfaces can be individually configured using the Cisco IOS command-line
interface (CLI).
• Either a blank filler plate or a functional SPA should reside in every subslot of a SIP during normal
operation to maintain cooling integrity. Blank filler plates are available in single-height form only.
• SPAs support online insertion and removal (OIR). They can be inserted or removed independently
from the SIP. SIPs also support online insertion and removal (OIR) with SPAs inserted in their
subslots.
SIP, SSC, and SPA Compatibility
The following tables show SIP and SPA compatibility by SPA technology area on the Cisco 7600 series
router.
Note For more information about the introduction of support for different SIPs and SPAs, refer to the “Release
History” sections in the overview chapters of this document.
Table 2-1 SIP and SPA Compatibility Table for ATM SPAs
SPA | Product ID | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 | Cisco 7600 SSC-400
1-Port, 2-Port and 4-Port OC-3c/STM-1 ATM SPA | SPA-1xOC3-ATM-v2, SPA-2XOC3-ATM, SPA-3XOC3-ATMv2, SPA-4XOC3-ATM | Yes | Yes | No | No
1-Port OC-12c/STM-4 ATM SPA | SPA-1XOC12-ATM | No | Yes | No | No
1-Port OC-48c/STM-16 ATM SPA | SPA-1XOC48-ATM | No | Yes | No | No
Table 2-2 SIP and SPA Compatibility Table for Ethernet SPAs
SPA | Product ID | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 | Cisco 7600 SSC-400
1-Port 10-Gigabit Ethernet SPA [1] | SPA-1XTENGE-XFP | No | No | Yes | No
1-Port 10-Gigabit Ethernet SPA [1] | SPA-1X10GE-L-V2 | No | Yes | Yes | No
2-Port Gigabit Ethernet SPA | SPA-2X1GE, SPA-2X1GE-V2 | No | Yes | No | No
5-Port Gigabit Ethernet SPA | SPA-5X1GE | No | No | Yes | No
5-Port Gigabit Ethernet SPA | SPA-5X1GE-V2 | No | Yes | Yes | No
10-Port Gigabit Ethernet SPA | SPA-10X1GE, SPA-10X1GE-V2 | No | No | Yes | No
4-Port and 8-Port Fast Ethernet SPA | SPA-4X1FE-TX-V2, SPA-8X1FE-TX-V2 | Yes | Yes | No | No
[1] Only one 1-Port 10-Gigabit Ethernet SPA can be installed in a SIP-400 at a time; no other SPAs can be installed in the same SIP-400. Only one 1-Port 10-Gigabit or one 10-port 1-Gigabit Ethernet SPA can be installed on a SIP-600 at a time; no other SPAs can be installed on the same SIP-600.
Certain restrictions apply while using the SIP-600 and the IPSec VPN SPA on the same chassis:
• The SIP-600 should not be installed in the same chassis with an IPSec VPN SPA when running SXF.
• The SIP-600 is not supported in 12.2(33)SRA.
• Starting with 12.2(33)SRB, the SIP-600 and IPSec VPN SPA can be present in the same chassis.
However, SIP-600 subinterfaces cannot be used when VPN crypto-connect mode is configured.
Table 2-3 SIP and SPA Compatibility Table for the IPSec VPN SPA
SPA | Product ID | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 | Cisco 7600 SSC-400
IPSec VPN SPA | SPA-IPSEC-2G | No | No | No | Yes
Table 2-4 SIP and SPA Compatibility Table for POS SPAs
SPA | Product ID | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 | Cisco 7600 SSC-400
2-Port and 4-Port OC-3c/STM-1 POS SPA | SPA-2XOC3-POS, SPA-4XOC3-POS | Yes | Yes | No | No
1-Port OC-12c/STM-4 POS SPA | SPA-1XOC12-POS | No | Yes | No | No
1-Port OC-48c/STM-16 POS SPA | SPA-1XOC48-POS/RPR | No | Yes | No | No
2-Port and 4-Port OC-48c/STM-16 POS SPA | SPA-2XOC48-POS/RPR, SPA-4XOC48-POS/RPR | No | No | Yes | No
1-Port OC-192c/STM-64 POS/RPR SPA | SPA-OC192POS-LR, SPA-OC192POS-VSR, SPA-OC192POS-XFP | No | No | Yes | No
1-Port Channelized OC-12/STM-4 SPA | SPA-1XCHOC12/DS0 | No | Yes | No | No
Table 2-5 SIP and SPA Compatibility Table for Serial SPAs
SPA | Product ID | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 | Cisco 7600 SSC-400
1-Port Channelized OC-3/STM-1 SPA | SPA-1XCHSTM1/OC3 | Yes | Yes | No | No
2-Port and 4-Port Channelized T3 SPA | SPA-2XCT3/DS0, SPA-4XCT3/DS0 | Yes | Yes | No | No
2-Port and 4-Port Clear Channel T3/E3 SPA | SPA-2XT3/E3, SPA-4XT3/E3 | Yes | Yes | No | No
8-Port Channelized T1/E1 SPA | SPA-8XCHT1/E1 | Yes | Yes | No | No
1-Port Channelized OC-12/STM-4 SPA | SPA-1XCHOC12/DS0 | No | Yes | No | No
Modular Optics Compatibility
Some SPAs implement small form-factor pluggable (SFP) optical transceivers to provide network
connectivity. An SFP module is a transceiver device that mounts into the front panel to provide network
connectivity.
Cisco Systems qualifies the SFP modules that can be used with SPAs.
Note The SPAs will only accept the SFP modules listed as supported in this document. An SFP check is run
every time an SFP module is inserted into a SPA and only SFP modules that pass this check will be usable.
Table 2-7 shows the optics modules qualified for use with a SPA.
Table 2-6 SIP and SPA Compatibility Table for CEoP SPAs
SPA | Product ID | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 | Cisco 7600 SSC-400
1-Port Channelized OC-3 STM1 ATM CEoP SPA | SPA-1CHOC3-CE-ATM | No | Yes | No | No
24-Port Channelized T1/E1 ATM CEoP SPA | SPA-24CHT1-CE-ATM | No | Yes | No | No
2-Port Channelized T3/E3 ATM CEoP SPA | SPA-2CHT3-CE-ATM | No | Yes | No | No
Table 2-7 SPA Optics Compatibility
SPA | Qualified Optics Modules (Cisco Part Numbers)
1-port and 3 port ATM V2 SPA; 2-Port and 4-Port OC-3c/STM-1 ATM-SPA | ONS-SC-155-EL
1-Port and 3-port OC-3c/STM-1 ATM SPA-v2 | SFP-OC3-MM, SFP-OC3-SR, SFP-OC3-IR1, SFP-OC3-LR1, SFP-OC3-LR2, ONS-SC-155-EL
1-Port OC-12c/STM-4 ATM SPA | SFP-OC12-MM, SFP-OC12-SR, SFP-OC12-IR1, SFP-OC12-LR1, SFP-OC12-LR2
1-Port OC-48c/STM-16 ATM SPA | SFP-OC48-IR1, SFP-OC48-SR
1-Port 10-Gigabit Ethernet SPA | XFP-10GLR-OC192SR, XFP-10GER-OC192IR, XFP-10GZR-OC192LR, XFP-10F-MM-SR (Supported only on SIP-400 and SIP-600 from Cisco IOS release 12.2(33)SRE), X2-DWDM on RSP720, X2-10GB-LRM/ZR on RSP720
2-Port Gigabit Ethernet SPA | SFP-GE-S, SFP-GE-L, SFP-GE-Z, SFP-GE-T
5-Port Gigabit Ethernet SPA | SFP-GE-S, SFP-GE-L, SFP-GE-Z, SFP-GE-T
10-Port Gigabit Ethernet SPA | SFP-GE-S, SFP-GE-L, SFP-GE-Z, SFP-GE-T
2-Port and 4-Port OC-3c/STM-1 POS SPA | SFP-OC3-MM, SFP-OC3-SR, SFP-OC3-IR1, SFP-OC3-LR1, SFP-OC3-LR2, ONS-SC-155-EL
1-Port OC-12c/STM-4 POS SPA | SFP-OC12-MM, SFP-OC12-SR, SFP-OC12-IR1, SFP-OC12-LR1, SFP-OC12-LR2
1-Port OC-48c/STM-16 POS SPA | SFP-OC48-SR, SFP-OC48-IR1, SFP-OC48-LR2
1-Port Channelized OC-3 STM1 ATM CEoP SPA | SFP-OC3-MM, SFP-OC3-SR, SFP-OC3-IR1, SFP-OC3-LR1, SFP-OC3-LR2, ONS-SC-155-EL, STM1E-SFP
1-Port Channelized OC-12/STM-4 SPA (Supported on SIP-400 from 12.2(33)SRD1) | SFP-OC12-MM, SFP-OC12-SR, SFP-OC12-IR1, SFP-OC12-LR1, SFP-OC12-LR2
PART 2
SPA Interface Processors and SPA Services Cards
CHAPTER 3
Overview of the SIPs and SSC
This chapter provides an overview of the release history, and feature and Management Information Base
(MIB) support for the Cisco 7600 SIP-200, Cisco 7600 SIP-400, Cisco 7600 SIP-600, and Cisco 7600
SSC-400.
This chapter includes the following sections:
• Release History
• Supported SIP Features
• Supported SSC Features
• Restrictions
• Supported MIBs
• Displaying the SIP and SSC Hardware Type
• SIP-200 and SIP-400 Network Clock Distribution
Release History
Note For release history information about the introduction of SPA support on the SIPs, refer to the
corresponding “Overview” chapters in the SPA technology sections of this document. In addition,
features specific to certain SPA technologies are documented in the corresponding SPA sections of this
document.
Release | Modification
Cisco IOS Release 12.2(33)SRE3 | Support added to disable Network Processor crashinfo for all the Network Processor exception
Cisco IOS Release 15.0(1)S | Support for the following features was introduced:
• 1-Port Clear Channel OC-3 ATM SPA Version 2
• 3-Port Clear Channel OC-3 ATM SPA Version 2
• 1-Port Clear Channel OC-12 ATM SPA Version 2
Cisco IOS Release 12.2(33)SRE | Support for the following features was added:
• RSP720-10GE supervisor engine was added for SSC-400
• IPv6 Hop-by-Hop Header Security on SIP-200
• Access Circuit Redundancy on 2-Port OC-3c/STM-1 ATM SPA on SIP-400
• VC QoS on VP-PW on SIP-400
Cisco IOS Release 12.2(33)SRD1 | Support for IPv6 Hop-by-Hop Header Security and 1xCHOC12STM4 SPA on SIP-400 was introduced
Cisco IOS Release 12.2(33)SRD | Support for the following features was introduced:
• AToM - ATM Cell Relay over MPLS, Port Mode on SIP400/SIP200
• SPA-8X1FE-TX-V2 & SPA-4X1FE-TX-V2 on SIP400
• Hierarchical Queuing Framework (HQF)
• CLI to control DBUS CoS priority on SIP400
• Private host SVI (Interface VLAN)
• Asymmetric Carrier Delay on SIP-200/400/600
Cisco IOS Release 12.2(33)SRC | Support for the following features was introduced:
• CT3 CEoP on c7600-SIP-400
• Accelerated Lawful Intercept on Cisco 7600 SIP-400
• CoPP Enhancements of Cisco 7600 SIP-400
• PPPoEoE on Cisco 7600 SIP-400
• Source IPv4 and Source MAC Address Binding on Cisco 7600 SIP-400
• 12in1 Serial SPA support on 7600/SIP200
• IMA on SIP-400 for 24xT1/E1 CEOP and 1xOC3 CEOP SPAs
• IGMP Snooping support on SIP-200
• AFC and PFC support on Multilink Interface on SIP-200 for 2- and 4-port CT3, 8-port channelized T1/E1 channelized, 1-port channelized OC3/STM-1 SPAs
• Programmable BERT patterns enhancement on SIP-200 for 2- and 4-port channelized T3 and 1-port channelized OC3/STM-1 SPAs
• TDM Local switching
• Phase 2 Local Switching Redundancy
• SPA-1xCHSTM1/OC3
• Cisco Channelized T3 to DS0 Shared Port Adapter (SPA-2XCT3/DS0, SPA-4XCT3/DS0)
• Cisco 8-Port Channelized T1/E1 Shared Port Adapter (SPA-8XCHT1/E1)
• Cisco Clear Channel T3/E3 Shared Port Adapter (SPA-2XT3/E3, SPA-4XT3/E3)
Cisco IOS Release 12.2(33)SRB1 | Support for the following features was introduced:
• MTU support on MLPPP interfaces on a Cisco 7600 SIP-200
• Any Transport over MPLS over GRE (AToM over GRE) on a Cisco 7600 SIP-400
Cisco IOS Release 12.2(33)SRB | Support for the following features was introduced:
• Software-based MLP bundles from 256 to 1024 on a Cisco 7600 SIP-200
• Lawful Intercept on a Cisco 7600 SIP-400
• Per-subscriber/per-protocol CoPP support on a Cisco 7600 SIP-400
• Security ACLs on a Cisco 7600 SIP-400
• Percent priority/percent bandwidth support on a Cisco 7600 SIP-400
• Network Clock Support on a Cisco 7600 SIP-200
• IGMP/PIM snooping for VPLS pseudowire on a Cisco 7600 SIP-400
• Dual-priority queue support on a Cisco 7600 SIP-400
Cisco IOS Release
12.2(33)SRA
Support for the following features was introduced on the Cisco 7600 SIP-200:
• Bridge Control Protocol (BCP) over dMLPPP
• MPLS over RBE
• Multi-VC to VLAN Scalability
• QoS support on bridging features
• Software-based dMLPPP
• Software-based dMLFR
• Tag-Native Mode for Trunk BCP
Support for the following features was introduced on the Cisco 7600 SIP-400:
• Ethernet over MPLS (EoMPLS) VC Scaling
• Ingress/Egress CoS classification with ingress policing per VLAN or
EoMPLS VC
• Hierarchical VPLS (H-VPLS) with MPLS Edge
• Hierarchical QoS support for Ethernet over MPLS (EoMPLS) VCs
• Multipoint Bridging (MPB)
• Multi-VC to VLAN scalability
• Multi-VLAN to VC support
• QoS support on bridging features
• Tag-Native Mode for Trunk BCP
Cisco IOS Release 12.2(18)SXF
Support for the following SIP hardware was introduced on the Cisco 7600
series router and Catalyst 6500 series switch:
• Cisco 7600 SIP-600
Support for the following features was introduced on the Cisco 7600 SIP-400:
• Policing by committed information rate (CIR) percentage
• QoS matching on class of service (CoS)—2-Port Gigabit Ethernet SPA
only
Cisco IOS Release 12.2(18)SXE2
Support for the following SPA services card (SSC) was introduced on the
Cisco 7600 series router and Catalyst 6500 series switch:
• Cisco 7600 SSC-400
Cisco IOS Release 12.2(18)SXE
Support for the following SPA interface processor (SIP) hardware was
introduced on the Cisco 7600 series router and Catalyst 6500 series switch:
• Cisco 7600 SIP-200
• Cisco 7600 SIP-400
Supported SIP Features
The Cisco 7600 SIP-200, Cisco 7600 SIP-400, and Cisco 7600 SIP-600 are high-performance,
feature-rich SPA interface processors that function as carrier cards for shared port adapters (SPAs) on
the Cisco 7600 series router. These SIPs are supported on the Cisco 7600 series router and Catalyst 6500
series switch, and are compatible with one or more platform-independent SPAs. For more information
on SPA compatibility, see the “SIP, SSC, and SPA Compatibility” section on page 2-4.
The Cisco 7600 series router is an edge aggregation router, and the SIPs provide a cost-effective solution
for customers seeking moderate- to high-port density and line rate services:
• The Cisco 7600 SIP-200 provides WAN edge aggregation through lower-speed and low-density
SPAs for network environments requiring regional office connectivity to headquarters, or collapsed
LAN/WAN deployment.
• The Cisco 7600 SIP-400 provides higher-speed, high-density link aggregation for network
environments requiring leased line and metro aggregation.
• The Cisco 7600 SIP-600 provides a high-speed interface for WANs and metro aggregation.
This section provides a list of some of the primary features supported by the SIP hardware and software.
For feature compatibility information by SIP and SPA combination, and information about configuring
these features, see Chapter 4, “Configuring the SIPs and SSC.”
Cisco 7600 SIP-200 Features
• Field-programmable device (FPD) upgrade support
The Cisco 7600 SIP-200 supports the standard FPD upgrade methods for the Cisco 7600 series
router. For more information about FPD support, see Chapter 35, “Upgrading Field-Programmable
Devices.”
Cisco 7600 SIP-200 High-Availability Features
• Automatic protection switching (APS)—ATM and POS SPAs
• Multilink PPP APS performance improvements to decrease switchover time
• Online insertion and removal (OIR) of the SIP and SPAs
• Nonstop Forwarding (NSF)
• Stateful switchover (SSO)—Not supported with dMLFR feature (dMLFR only supports RPR+)
Cisco 7600 SIP-200 ATM Features
• Aggregate Weighted Random Early Detection (WRED)
• ATM Adaptation Layer 5 (AAL5) Subnetwork Access Protocol (SNAP)
• AAL5 over Multiprotocol Label Switching (MPLS)
• ATM Cell Relay over MPLS in Port Mode
• ATM virtual circuit (VC) bundles
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging (MPB)
on the 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• VC bundle Class of Service (CoS) precedence mapping
For a comprehensive list of supported and unsupported ATM features, SIP-dependent features, and
restrictions see Chapter 6, “Overview of the ATM SPAs.”
Cisco 7600 SIP-200 Frame Relay Features
For additional Frame Relay features, see also the MPLS and Quality of Service (QoS) feature sections.
Note Based on your link configuration, Multilink PPP (MLPPP) and Multilink Frame Relay (MLFR) are
either software-based on the Cisco 7600 SIP-200, or hardware-based on the 8-Port Channelized T1/E1
SPA, 2-Port and 4-Port Channelized T3 SPA, and 1-Port Channelized OC-3/STM-1 SPA. For more
information, see the corresponding configuration chapters for the SIPs and the serial SPAs.
• Distributed Multilink Frame Relay (dMLFR) (FRF.16)
• Frame Relay over MPLS (FRoMPLS)
• Frame Relay VC bundles
• Frame Relay switching
• RFC 1490, Multiprotocol Interconnect over Frame Relay, Multipoint Bridging (MPB) on the 2-Port
and 4-Port Clear Channel T3/E3 SPA, 2-Port and 4-Port Channelized T3 SPA, and the 8-Port
Channelized T1/E1 SPA
• VC bundle Class of Service (CoS) precedence mapping
Cisco 7600 SIP-200 MPLS Features
• Explicit null
• Label disposition
• Label imposition
• Label swapping
• QoS tunneling
• Virtual private network (VPN) routing and forwarding (VRF) instance description
• dMLPPP with MPLS on VPN—Supported between the customer edge (CE) and provider edge (PE)
devices
• Any Transport over MPLS (AToM) support, including:
– ATM over MPLS (ATMoMPLS)—AAL5 VC mode
– ATM Cell Relay over MPLS —Port Mode
– Ethernet over MPLS (EoMPLS)—(Single cell relay) VC mode
– Frame Relay over MPLS (FRoMPLS)
– FRoMPLS with dMLFR—Supported between the CE and PE devices
– High-Level Data Link Control (HDLC) over MPLS (HDLCoMPLS)
– PPP over MPLS (PPPoMPLS)—Not supported with dMLPPP or dLFI
• Hierarchical QoS for EoMPLS VCs
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-200 adds the following MPLS feature
support:
• MPLS over RBE—ATM SPAs only
Beginning in Cisco IOS Release 12.2(33)SRB, the Cisco 7600 SIP-200 adds the following support:
• Software-based MLP bundles from 256 to 1024
Cisco 7600 SIP-200 MPLS Classification
• Default copy of IP precedence to MPLS experimental (EXP) bit
• Match on MPLS EXP bit using Modular QoS CLI (MQC)
Cisco 7600 SIP-200 MPLS Congestion Management
• Low latency queueing (LLQ)
• Class-based weighted fair queueing (CBWFQ)
Cisco 7600 SIP-200 MPLS Encapsulations
• ATM AAL5 SNAP
• Frame Relay
• HDLC
• MLPPP
• PPP
Cisco 7600 SIP-200 MPLS Marking
• Set MPLS EXP bit using MQC
Cisco 7600 SIP-200 MPLS Traffic Shaping
• Traffic shaping using MQC
Cisco 7600 SIP-200 Multiservice Features
• Compressed Real-Time Protocol (CRTP)
• FRF.11—Supported only in Cisco IOS Release 12.2(18)SXE and Cisco IOS Release 12.2(18)SXE2;
Support for this feature was removed in Cisco IOS Release 12.2(18)SXF
Cisco 7600 SIP-200 QoS Features
This section provides a list of the Quality of Service (QoS) features that are supported by the Cisco 7600
SIP-200.
Cisco 7600 SIP-200 ATM SPA QoS Implementation
For the 2-Port and 4-Port OC-3c/STM-1 ATM SPA, the following applies:
• In the ingress direction, all Quality of Service (QoS) features are supported by the Cisco 7600
SIP-200.
• In the egress direction:
– All queueing based features (such as class-based weighted fair queueing [CBWFQ], and ATM
per-VC WFQ) are implemented on the Segmentation and Reassembly (SAR) processor on the
SPA.
– Policing is implemented on the SIP.
– Class queue shaping is not supported.
Cisco 7600 SIP-200 Packet Marking
• IP precedence
• Differentiated Services Code Point (DSCP)
• Class-based marking
• ATM cell loss priority (CLP) to EXP marking/Type of Service (ToS)/DSCP
• Frame relay discard eligibility (DE) to EXP marking/ToS/DSCP
Cisco 7600 SIP-200 Policing and Dropping
• Aggregate
• Dual rate
• Hierarchical
• DSCP Markdown
• Policing—Precedence, DSCP marking
• Policing—EXP marking
• Policing - Setting priority percent on a policy map
• Explicit Drop in Class
• Matching packet length
• IPv6 Hop-by-Hop Header Security on SIP-200
Cisco 7600 SIP-200 Classification Into a Queue
• MPLS EXP
• ACL number
• Configurable queue size
• Network-based application recognition (NBAR)/dSTILE (NBAR feature is not supported in Release
15.0(1)S and later Releases)
Cisco 7600 SIP-200 Congestion Management
• Weighted fair queueing (WFQ)
• Class-based weighted fair queueing (CBWFQ)
• Per-VC CBWFQ
• Allocation, DSCP, EXP and precedence matching
• LLQ or priority queueing (strict priority only)
• Configurable LLQ burst size
Cisco 7600 SIP-200 Congestion Avoidance
• Random early detection (RED)
• Weighted random early detection (WRED)
• DiffServ-compliant WRED
• Aggregate WRED—ATM SPAs only
Cisco 7600 SIP-200 Shaping
• Generic traffic shaping (GTS)/Distributed traffic shaping (DTS)
• Hierarchical service policy with GTS
• Hierarchical traffic shaping with Frame Relay (FR)
• Hierarchical traffic shaping FR adaptive to FECN, BECN (Cisco 7600 SIP-200 only)
• Hierarchical traffic shaping for PPP and HDLC
• Ingress shaping
• Egress shaping
Note Egress shaping is not supported on the Cisco 7600 SIP-200 for the 2-Port and 4-Port
OC-3c/STM-1 ATM SPA.
• Shaping by percentage
Cisco 7600 SIP-200 Other QoS Features
• Hierarchical QoS for EoMPLS VCs
• QoS with MLPPP
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-200 adds the following QoS feature
support:
• QoS on bridging features
Cisco 7600 SIP-200 Fragmentation Features
• FRF.12
Cisco 7600 SIP-200 Layer 2 Protocols and Encapsulation
• AAL5 Network Layer Protocol ID (NLPID)
• AAL5 SNAP
• Cisco Frame Relay
• IETF Frame Relay
• Frame Relay two-octet header
• Frame Relay BECN/FECN
• Frame Relay PVC
• Frame Relay UNI
• HDLC
• MLPPP
• PPP
Cisco 7600 SIP-200 Layer 2 Interworking
• ATM VC trunk emulation
• Bridged and routed RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Multipoint Bridging (MPB)
• RFC 1490, Multiprotocol Interconnect over Frame Relay, Multipoint Bridging (MPB)
• Bridging of Routed Encapsulations (BRE)
• Routed bridged encapsulation (RBE)
Note RBE is not supported when using the Intermediate System-to-Intermediate System (IS-IS)
routing protocol.
• RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP)
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-200 adds the following Layer 2
interworking feature support:
• BCP support on 8-Port Channelized T1/E1 SPA, 2-Port and 4-Port Channelized T3 SPAs,
1-Port Channelized OC-3/STM-1 SPA, 2-Port and 4-Port Clear Channel T3/E3 SPAs,
and 2-Port and 4-Port OC-3c/STM-1 POS SPAs
• BCP (trunk mode) support over MLPPP on 8-Port Channelized T1/E1 SPA, 2-Port and 4-Port
Channelized T3 SPAs, and 1-Port Channelized OC-3/STM-1 SPA
• Multi-VC to VLAN scalability
• QoS support on bridging
• Software-based MLPPP
• Software-based MLFR
• Asymmetric Carrier Delay
Cisco 7600 SIP-400 Features
• FPD upgrade support—The Cisco 7600 SIP-400 supports the standard FPD upgrade methods for the
Cisco 7600 series router. For more information about FPD support, see Chapter 35, “Upgrading
Field-Programmable Devices.”
• Lawful Intercept—The Cisco 7600 SIP-400 supports Lawful Intercept in Cisco IOS Release
12.2(33)SRB and later releases.
• Starting in Cisco IOS Release 12.2(33)SRE, SIP-400 supports IEEE 802.1ag Draft 8.1 compliant
Connectivity Fault Management (CFM) on EVC (VPLS and pseudowire).
This includes the ability to configure 802.1ag on an EVC that is configured with xconnect as well
as for monitoring the VPLS core as listed below:
– Support for CFM on an EFP that is configured for EoMPLS using xconnect (scalable EoMPLS)
or is connected to a bridge domain with VPLS uplink
– Support for monitoring the VPLS core using CFM on the VFI
See details of CFM and 802.1ag configuration on
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html
Note Network Processor crashinfo, also known as eventinfo, is disabled for all Network Processor
exceptions by default.
Cisco 7600 SIP-400 High-Availability Features
• Automatic protection switching (APS)—ATM and POS SPAs
• Multilink PPP APS performance improvements to decrease switchover time with PPP/MLPPP
bundles
• Online insertion and removal (OIR) of the SIP and SPAs
• Stateful switchover (SSO)
• Access Circuit Redundancy (ACR) and ACR QoS on all the following ATM SPAs on SIP-400:
– 2-Port OC-3c/STM-1 ATM SPA
– 1-Port OC-12c/STM-4 ATM SPA
– 1-Port OC-48c/STM-16 ATM SPA
Cisco 7600 SIP-400 MPLS Features
Note For the Cisco 7600 SIP-400, the following MPLS features are implemented on the Supervisor
Engine 720 (PFC3B and PFC3BXL) and the Route Switch Processor 720 (PFC3C and PFC3CXL):
Label imposition, label swapping, label disposition, explicit null, default copy of IP precedence to EXP
bit classification, and QoS tunneling. For more information about the requirements for Policy Feature
Cards (PFCs) on the Cisco 7600 series router, refer to the Release Notes for Cisco IOS Release 12.2SX
on the Supervisor Engine 720, Supervisor Engine 32, and Supervisor Engine 2 at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• VRF description
• Any Transport over MPLS (AToM) support, including:
– ATMoMPLS—AAL0 mode (single cell relay only)
– ATMoMPLS—AAL5 mode
– ATMoMPLS—Port Mode
– EoMPLS—Port mode
– EoMPLS—VLAN mode
– FRoMPLS—DLCI mode
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 adds the following MPLS feature
support:
• Ethernet over MPLS (EoMPLS) VC scaling
• Ingress/Egress CoS classification with ingress policing per VLAN or EoMPLS VC
• Hierarchical VPLS (H-VPLS) with MPLS Edge
• Hierarchical QoS support for Ethernet over MPLS (EoMPLS) VCs
Effective from Cisco IOS Release 15.1(01)S, the Cisco 7600 SIP-400 adds support for:
• Hot-Standby Pseudowire (HSPW) Support for Ethernet, ATM and TDM ACs
Cisco 7600 SIP-400 MPLS Congestion Management
• LLQ
• CBWFQ
Cisco 7600 SIP-400 MPLS Encapsulations
• ATM AAL5 SNAP
• Ethernet with 802.1q
• Frame Relay
• HDLC
• Generic Routing Encapsulation (GRE)
• PPP
Cisco 7600 SIP-400 MPLS Marking
• Set MPLS EXP bits at tag imposition using MQC (set mpls-experiment command)—Input IP
interface
• Set MPLS EXP bits on topmost label (set EXP topmost) using MQC (set mpls-experiment topmost
command)—Input and output MPLS interface
• Mapping Ethernet 802.1q priority bits to MPLS EXP bits for EoMPLS
Cisco 7600 SIP-400 QoS Features
This section provides a list of the Quality of Service (QoS) features that are supported by the Cisco 7600
SIP-400.
Cisco 7600 SIP-400 Packet Marking
• IP precedence (set ip precedence command)—Input and output
• DSCP (set dscp command)—Input and output
• Class-based marking
• DE to EXP marking/ToS/DSCP
• CLP to EXP marking/ToS/DSCP
• Ethernet 802.1q priority bits to EXP marking (EoMPLS)
Cisco 7600 SIP-400 Policing and Dropping
• Dual rate
• Hierarchical
• Dual-rate policer with three-color marker
• Policing—Percent
• Policing—Precedence, DSCP marking
• Policing—EXP marking
• Policing—Set ATM CLP, FR DE
• Policing—Set MPLS EXP bits on topmost label (set EXP topmost)
• Policing - Setting priority percent on a policy map
• Explicit Drop in Class
• IPv6 Hop-by-Hop Header Security
• Triple nesting QoS on policy-maps
Cisco 7600 SIP-400 Classification Into a Queue
• Access control lists (IPv4 and IPv6)
– Access group (match access-group command)—Input and output
– Address (IPv6 compress mode only)
– Name
– Number
– Source and destination port
– TCP flag (IPv4 only)
• ATM CLP (match atm clp command)—Input ATM interface
• Configurable queue size
• CoS (match cos command)—Input and output dot1q tagged frames
• Frame Relay DE (match fr-de command)—Input Frame Relay interface
• Inner CoS (match cos inner command)
• IP DSCP (match dscp command)—Input and output
• IP precedence (match ip precedence command)—Input and output
• MPLS EXP (match mpls experimental command)—Input and output MPLS interface
• Multiple matches per class map (up to 8)
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 adds the following QoS
classification feature support:
• Ingress/Egress CoS classification with ingress policing per VLAN or EoMPLS VC
Beginning in Cisco IOS Release 12.2(33)SRE, support is added for:
• Modular QoS CLI (MQC) policy support existing on ATM VC is extended to the ATM PVP on
2-Port and 4-Port OC-3c/STM-1 ATM SPA and the following three CEoP SPAs:
– SPA-24XT1E1-CE
– SPA-1XOC3-CE
– SPA-2XT3E3-CE
• ATM VCI (match atm-vci command)—Input ATM PVP Interface is added to the ATM VP
Cisco 7600 SIP-400 Congestion Management
• CBWFQ
• Per-VC CBWFQ
• DSCP, EXP and Precedence matching
• LLQ or priority queueing (strict priority only)
Note For Release 12.2(33)SRD, a parent shaper or conditional policer has no effect when only LLQ traffic is
flowing through a physical port. For example, if only 200 Mbps of LLQ traffic is flowing, a 100-Mbps
parent shaper gives the full 200-Mbps output. However, if the ratio of LLQ to non-LLQ traffic on a
subinterface is such that the LLQ rate is higher than the non-LLQ rate, the shaper output is inaccurate.
(For example, on a system configured for 200 Mbps of LLQ and 500 kbps of non-LLQ, a 100-Mbps
parent shaper gives 165-Mbps output.) Therefore, we recommend that customers configure an explicit
policer if the LLQ traffic rate might exceed the parent shape rate, which could starve regular traffic
significantly.
• Hierarchical Queuing Framework (HQF)
• Dual-priority queuing
• CLI to control DBUS CoS queuing
This feature allows users to configure which DBUS CoS values are mapped to the high-priority
queue in the SIP-400 switch. The hw-module slot slot queue priority switch-fpga output cos
values|none command is used on the Routing Processor (RP) to configure the priority values.
Cisco 7600 SIP-400 Congestion Avoidance
• RED
• WRED
• DiffServ-compliant WRED
• Aggregate WRED—ATM SPAs only
Cisco 7600 SIP-400 Shaping
• Hierarchical traffic shaping using class-default (not supported for user-defined class)
• Hierarchical traffic shaping FR
• Hierarchical traffic shaping for PPP and HDLC
• Egress shaping
Cisco 7600 SIP-400 Fragmentation Features
• dLFI with ATM
Cisco 7600 SIP-400 Layer 2 Protocols and Encapsulation
• PPP
• AAL5 SNAP
• HDLC
• Cisco Frame Relay
• IETF Frame Relay
• Frame Relay two-octet header
• Frame Relay BECN/FECN
• Frame Relay PVC
• Frame Relay UNI
Cisco 7600 SIP-400 Layer 2 Interworking
• Bridged and routed RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5
• RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP), on the 2-Port and
4-Port OC-3c/STM-1 POS SPA and 1-Port OC-12c/STM-4 POS SPA.
Beginning in Cisco IOS Release 12.2(33)SRB1, the Cisco 7600 SIP-400 supports:
• Backup Interface for Flexible UNI (for Gigabit Ethernet SPAs)
Beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 supports:
• BCP on POS SPAs (OC-3c/STM-1, OC-12c/STM-4, OC-48c/STM-16, and OC-192c/STM-64)
• Multipoint Bridging (MPB)
• Multi-VC to VLAN scalability
• QoS support on bridging features
• L2VPN Interworking (Ethernet VLAN to ATM AAL5)
Six types of configurations for L2VPN Interworking (Ethernet VLAN to ATM AAL5) are supported
on the SIP-400. For configuration procedures, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_l2vpn_intrntwkg.html
• Asymmetric Carrier Delay
• BFD for VCCV (Phase 1) Type1 Support on SIP-400 to verify and diagnose the forwarding path of
pseudowires
Cisco 7600 SIP-600 Features
• FPD upgrade support—The Cisco 7600 SIP-600 supports the standard FPD upgrade methods for the
Cisco 7600 series router. For more information about FPD support, see Chapter 35, “Upgrading
Field-Programmable Devices.”
• Layer 2 switch port
• EtherChannel and Link Aggregate Control Protocol (IEEE 802.3ad)
• Control Plane Policing (CoPP)
• Cisco IOS Release 12.2(33)SRE and later releases introduce support for IEEE 802.1ag Draft 8.1
compliant Connectivity Fault Management (CFM) on EVC on SIP-600. This includes the ability to
configure 802.1ag to monitor the VPLS core using CFM on the VFI.
See details of CFM and 802.1ag configuration on
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
Cisco 7600 SIP-600 High Availability Features
• Automatic protection switching (APS)
• Online insertion and removal (OIR) of the SIP and SPAs
• Nonstop Forwarding (NSF)
• Stateful switchover (SSO)
Cisco 7600 SIP-600 MPLS Features
• Unicast switching, with specific support for up to six label push operations, one label pop operation
(two label pop operations in case of Explicit Null), or one label swap with up to five label push
operations, at each MPLS switch node
• Support for Explicit Null label to preserve CoS information when forwarding packets from
provider (P) to provider edge (PE) routers
• Support for Implicit Null label to request that penultimate hop router forward IP packets without
labels to the router at the end of the label switch path (LSP)
• VRF
• Traffic engineering
• Any Transport over MPLS (AToM) support—EoMPLS only, including:
– PFC-based (No MAC address learning)
– SIP-based (MAC address learning, requires SIP as uplink)
– Up to 4000 EoMPLS VCs per system
• Virtual Private LAN Service (VPLS) support, including:
– H-VPLS with MPLS edge—H-VPLS with MPLS edge requires either an OSM or Cisco 7600
SIP-600 in both the downlink (facing UPE) and uplink (MPLS core). For more information
about configuring H-VPLS, see Chapter 12, “Configuring the Fast Ethernet and Gigabit
Ethernet SPAs.”
– H-VPLS with Q-in-Q edge—Requires Cisco 7600 SIP-600 in the uplink, and any LAN port or
Cisco 7600 SIP-600 on the downlink
– Up to 4000 VPLS domains
– Up to 60 VPLS peers per domain
– Up to 30,000 pseudowires, used in any combination of domains and peers up to the
4000-domain or 60-peer maximums; for example, support of up to 4000 domains with 7 peers
or up to 60 peers in 500 domains
• MPLS Operation, Administration, and Maintenance (OAM) support, including:
– LSP ping and traceroute
– Virtual Circuit Connection Verification (VCCV)
Cisco 7600 SIP-600 Layer 2 Protocols and Encapsulation
• HDLC (Cisco Systems)
• PPP
• PPP over SONET/SDH
• Layer 2 Gigabit Ethernet support, including:
– IEEE 802.3z 1000 Mbps Gigabit Ethernet
– IEEE 802.3ab 1000BaseT Gigabit Ethernet
– IEEE 802.3ae 10 Gbps Ethernet (1-Port 10-Gigabit Ethernet SPA only)
– Jumbo frame (up to 9216 bytes)
– ARPA, IEEE 802.3 SAP, IEEE 802.3 SNAP, Q-in-Q
– IEEE 802.1q VLANs
– Autonegotiation support including IEEE 802.3 flow control and pause frames
– Gigabit Ethernet Channel (GEC)
– IEEE 802.3ad link aggregation
– Address Resolution Protocol (ARP)/Reverse ARP (RARP)
– Hot Standby Router Protocol (HSRP)
– Virtual Router Redundancy Protocol (VRRP)
Cisco 7600 SIP-600 QoS Features
This section provides a list of the Quality of Service (QoS) features that are supported by the Cisco 7600
SIP-600.
• MQC
Cisco 7600 SIP-600 Packet Marking
• IP precedence (set ip precedence command)
• DSCP (set dscp command)
• MPLS EXP (match mpls experimental command)
Note Mapping 802.1p CoS values to MPLS EXP bits is supported using EoMPLS only.
Cisco 7600 SIP-600 Policing and Dropping
• Input policing on a per-port and per-VLAN basis
Cisco 7600 SIP-600 Classification Into a Queue
• Input and output ACLs on a per-port and per-VLAN basis
• Input VLAN (match input vlan command)
• IP DSCP (match dscp command)
• IP precedence (match ip precedence command)
• MPLS EXP (match mpls experimental command)
• QoS group (match qos-group command)
• VLAN (match vlan command)
Cisco 7600 SIP-600 Congestion Management
• CBWFQ
• LLQ
Cisco 7600 SIP-600 Congestion Avoidance
• WRED
Cisco 7600 SIP-600 Shaping
• Output shaping on a per-port and per-VLAN basis
• Output hierarchical traffic shaping—Two levels of shaping on an interface, subinterface, or group
of subinterfaces
Supported SSC Features
The Cisco 7600 SSC-400 is a streamlined services card that provides a very high bandwidth data path
between the Cisco 7600 series router platform backplane and the high-speed interconnects on the IPSec
VPN SPA.
For more information about the features and configuration supported by the IPSec VPN SPA with the
Cisco 7600 SSC-400, see the related chapters in the IPSec VPN Shared Port Adapter part of this book.
Cisco 7600 SSC-400 Features
• Support of up to two IPSec VPN SPAs per slot
• Online insertion and removal (OIR) of the SSC and SPAs
• Support for RSP720-10GE supervisor engine is added for SSC-400 beginning with Cisco IOS
Release 12.2(33)SRE
Restrictions
This section documents unsupported features and feature restrictions for the SIPs and SSC on the
Cisco 7600 series router.
Cisco 7600 SIP-200 Restrictions
As of Cisco IOS Release 12.2(18)SXE, the Cisco 7600 SIP-200 has the following restrictions:
• The Cisco 7600 SIP-200 is not supported with a Supervisor Engine 1, Supervisor Engine 1A,
Supervisor Engine 2, or Supervisor Engine 720A.
• A maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) is
supported for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router.
• The following features are not supported:
– ATM LAN Emulation (LANE)
– dLFI over Frame Relay (dLFIoFR)
– PPP over Frame Relay (PPPoFR)
– MLP over Frame Relay (MLPoFR)
– dLFI with MPLS
– Layer 2 Tunneling Protocol (L2TP) version 2
– L2TP version 3
– Legacy Priority Queueing and Custom Queueing
– PPP over Ethernet (PPPoE)
– Reliable PPP (RFC 1663, PPP Reliable Transmission)
– Stacker Compression (STAC)
– X.25, Link Access Procedure, Balanced (LAPB)
• PPP over MPLS (PPPoMPLS) is not supported with dMLPPP or dLFI.
• High availability (HA) features have some restrictions when configured with the following
distributed features on the Cisco 7600 SIP-200:
– When you configure HA with dMLFR, the Cisco 7600 SIP-200 only supports RPR+.
– HA features with dLFI over ATM (dLFIoATM) are not supported.
– HA features with dLFI over Frame Relay (dLFIoFR) are not supported.
• NBAR feature is not supported in Release 15.0(1)S and later Releases.
Cisco 7600 SIP-400 Restrictions
In Cisco IOS Release 12.2(18)SXE and later, the Cisco 7600 SIP-400 has the following restrictions:
• The Cisco 7600 SIP-400 is not supported with a Supervisor Engine 1, Supervisor Engine 1A, or
Supervisor Engine 2. It is also not supported with a Supervisor Engine 720 PFC3A, or in PFC3A
mode.
For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600
series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720,
Supervisor Engine 32, and Supervisor Engine 2 at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SIP-400 is not supported with PFC-2 based systems.
• EtherChannel is not supported on the Cisco 7600 SIP-400.
• A maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI) is
supported for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router.
• For AToM in Cisco IOS 12.2SX releases, the Cisco 7600 SIP-400 does not support the following
features when they are located in the data path. This means you should not configure the following
features if the SIP is facing the customer edge (CE) or the MPLS core:
– HDLCoMPLS
– PPPoMPLS
– Virtual Private LAN Service (VPLS)
• For AToM beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 supports the
following features on CE-facing interfaces:
– HDLCoMPLS
– PPPoMPLS
– VPLS
• The Cisco 7600 SIP-400 supports EoMPLS with directly connected provider edge (PE) devices
when the Cisco 7600 SIP-400 is on the MPLS core side of the network.
• The Cisco 7600 SIP-400 does not support the ability to enable or disable tunneling of Layer 2
packets, such as for the VLAN Trunking Protocol (VTP), Cisco Discovery Protocol (CDP), and
bridge protocol data unit (BPDU). The Cisco 7600 SIP-400 tunnels BPDUs, and always blocks VTP
and CDP packets from the tunnel.
• In ATMoMPLS AAL5 and cell mode, the Cisco 7600 SIP-400 supports non-matching VPIs/VCIs
between PEs if the Cisco 7600 SIP-400 is on both sides of the network.
• The Cisco 7600 SIP-400 supports matching on FR-DE to set MPLS-EXP for FRoMPLS.
• The Cisco 7600 SIP-400 supports use of the xconnect command to configure AToM circuits for all
AToM connection types.
• The Cisco 7600 SIP-400 does not support the following QoS classification features with AToM:
– Matching on data-link connection identifier (DLCI) is unsupported.
– Matching on virtual LAN (VLAN) is unsupported.
– Matching on class of service (CoS) is unsupported in Cisco IOS Release 12.2(18)SXE and
Cisco IOS Release 12.2(18)SXE2 only. Beginning in Cisco IOS Release 12.2(18)SXF, it is
supported with the 2-Port Gigabit Ethernet SPA.
– Matching on input interface is unsupported.
– Matching on packet length is unsupported.
– Matching on media access control (MAC) address is unsupported.
– Matching on protocol type, including Border Gateway Protocol (BGP), is unsupported.
• The Cisco 7600 SIP-400 does not support the following QoS classification features using MQC:
– ACL IPv6 full address
– ACL IPv6 TCP flags
– Class map (match class-map command)
– CoS inner (match cos inner command)—Supported beginning in Cisco IOS
Release 12.2(33)SRA on 2-Port Gigabit Ethernet SPA input and output interfaces and with
bridging features.
– Destination sensitive services (DSS)
– Discard class (match discard-class command)
– Frame Relay DLCI (match fr-dlci command)—Supported beginning in Cisco IOS
Release 12.2(33)SRA on Frame Relay input and output interfaces and with Frame Relay
bridging features.
– Input interface (match input-interface command)
– Input VLAN (match input vlan command)—Supported beginning in Cisco IOS
Release 12.2(33)SRA on output interfaces only.
– IP RTP (match ip rtp command)
– IPv4 and IPv6 ToS
– MAC address (match mac command)
– Match protocol (match protocol command)—Supports IP only.
– Packet length (match packet length command)
– QoS group (match qos-group command)
– Source and destination autonomous system (AS) (match as command)
– Source and destination Border Gateway Protocol (BGP) community (match bgp-community
command)
– VLAN (match vlan command)
– VLAN inner (match vlan inner command)—Supported beginning in Cisco IOS
Release 12.2(33)SRA on input and output interfaces and with bridging features.
• The Cisco 7600 SIP-400 does not support the following QoS marking features:
– CoS (set cos command)
– CoS inner (set cos inner command)
• The Cisco 7600 SIP-400 does not support the following QoS marking features using MQC:
– QoS group (set qos-group command)
– Next-hop (set next-hop command)
– Discard class (set discard-class command)
– Table (set table command)
• The Cisco 7600 SIP-400 does not support the following QoS queueing actions using MQC:
– Flow-based queueing
– Adaptive shaping
• The Cisco 7600 SIP-400 does not support the following QoS policing feature:
– Policing by Committed Information Rate (CIR) percentage (police cir percent
command)—Supported as of Cisco IOS Release 12.2(18)SXF.
• The Cisco 7600 SIP-400 does not support the following Frame Relay features:
– Matching on DLCI.
– Bridging encapsulation.
– Multicast on multipoint interfaces.
– FRF.5
– FRF.8.
– FRF.12 fragmentation
– FRF.16 multilink support of four-octet extended addressing on an SVC
– NNI
– PVC bundling
– PPP over Frame Relay
• The Cisco 7600 SIP-400 does not support RFC 1483, Multiprotocol Encapsulation over ATM
Adaptation Layer 5, Multipoint Bridging (MPB). However, point-to-point bridging is supported.
• As of Cisco IOS Release 12.2(18)SXF, when using the Cisco 7600 SIP-400 with the 2-Port Gigabit
Ethernet SPA or the 1-Port OC-48c/STM-16 ATM SPA, consider the following oversubscription
guidelines:
– The Cisco 7600 SIP-400 only supports installation of one 1-Port OC-48c/STM-16 ATM SPA
without any other SPAs installed in the SIP.
– The Cisco 7600 SIP-400 supports installation of up to two 2-Port Gigabit Ethernet SPAs without
any other SPAs installed in the SIP.
– The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or
ATM SPAs, up to a combined ingress bandwidth of OC-48 rates.
– The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or
ATM SPAs up to a combined ingress bandwidth of OC-24 rates, when installed with a single
2-Port Gigabit Ethernet SPA.
For more details on SIP-400 oversubscription guidelines refer to
• Q-in-Q (the ability to map a single 802.1Q tag or a random double tag combination into a VPLS
instance, a Layer 3 MPLS VPN, or an EoMPLS VC) is not supported.
• Cisco Discovery Protocol (CDP) is disabled by default on the 2-Port Gigabit Ethernet SPA interfaces
and subinterfaces on the Cisco 7600 SIP-400.
• The SDH, E1/E3 modes are not qualified on 1XCHOC12/DS0 SPA on Cisco 7600 SIP-400 in
12.2(33)SRD1 release.
• MFR, FRF.12 is not supported on 1XCHOC12/DS0 SPA on Cisco 7600 SIP-400 in 12.2(33)SRD1
release.
• VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell
Relay.
• Effective from Cisco IOS Release 15.1(01)S, the Hot-Standby Pseudo Wires (HSPW) feature is
supported on SIP400 PW having imposition and disposition on access side for ScEoMPLS, ATM
and TDM cross connect. The feature also supports a maximum number of 6000 backup PWs.
– SONET OC3 SPA supports a maximum number of 576 PWs.
• 24T1E1 SPA supports a maximum number of 191 PWs.
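The SIP-400 oversubscription guidelines listed above can be checked mechanically before a SPA is inserted. The following Python is an added example, not Cisco code; the Spa record, its field names, and counting ingress bandwidth as ports times line rate are assumptions made for illustration.

```python
from dataclasses import dataclass

# Bandwidth is counted in OC-3 units: OC-12 = 4, OC-24 = 8, OC-48 = 16.
OC3_UNITS = {"OC3": 1, "OC12": 4, "OC48": 16}
LIMIT_NO_GE = 16      # OC-48 combined ingress when no Gigabit Ethernet SPA is present
LIMIT_ONE_GE = 8      # OC-24 combined ingress beside a single 2-Port Gigabit Ethernet SPA
SIP400_SUBSLOTS = 4   # the SIP-400 is a 4-subslot carrier


@dataclass(frozen=True)
class Spa:
    """One installed SPA (hypothetical record, not a Cisco data structure)."""
    label: str
    kind: str        # "POS", "ATM" or "GE"
    ports: int
    rate: str = ""   # "OC3", "OC12" or "OC48"; empty for Gigabit Ethernet


def check_sip400(spas):
    """Return guideline violations for one SIP-400; an empty list means it fits."""
    problems = []
    if len(spas) > SIP400_SUBSLOTS:
        problems.append(f"{len(spas)} SPAs do not fit in {SIP400_SUBSLOTS} subslots")

    ge = [s for s in spas if s.kind == "GE" and s.ports == 2]
    oc48_atm = [s for s in spas
                if s.kind == "ATM" and s.rate == "OC48" and s.ports == 1]
    low_rate = [s for s in spas
                if s.kind in ("POS", "ATM") and s.rate in ("OC3", "OC12")]
    classified = ge + oc48_atm + low_rate
    for s in spas:
        if s not in classified:
            # Fail closed: anything the guidelines do not name is reported.
            problems.append(f"{s.label}: not covered by the oversubscription guidelines")

    # One 1-Port OC-48c/STM-16 ATM SPA, with no other SPA in the SIP.
    if oc48_atm and len(spas) > 1:
        problems.append("1-Port OC-48c/STM-16 ATM SPA must be the only SPA in the SIP")

    # Up to two 2-Port Gigabit Ethernet SPAs, with no other SPA in the SIP.
    if len(ge) > 2:
        problems.append("at most two 2-Port Gigabit Ethernet SPAs are supported")
    elif len(ge) == 2 and len(spas) > 2:
        problems.append("two 2-Port Gigabit Ethernet SPAs must be the only SPAs in the SIP")

    # OC-3/OC-12 POS or ATM SPAs: OC-48 combined, or OC-24 beside a single GE SPA.
    if low_rate and len(ge) <= 1:
        limit = LIMIT_ONE_GE if ge else LIMIT_NO_GE
        used = sum(s.ports * OC3_UNITS[s.rate] for s in low_rate)
        if used > limit:
            problems.append(
                f"OC-3/OC-12 SPAs total OC-{used * 3} ingress, limit is OC-{limit * 3}")
    return problems
```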
Cisco 7600 SIP-600 Restrictions
As of Cisco IOS Release 12.2(18)SXF, the Cisco 7600 SIP-600 has the following restrictions:
• The Cisco 7600 SIP-600 is not supported by the Supervisor Engine 32 or the Supervisor Engine 720
with PFC3A.
For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600
series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720,
Supervisor Engine 32, and Supervisor Engine 2 at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SIP-600 supports installation of only a single SPA in the first subslot.
• Removal of one type of SPA and reinsertion of a different type of SPA during OIR causes a reload
of the Cisco 7600 SIP-600.
• Q-in-Q (the ability to map a single 802.1Q tag or a random double tag combination into a VPLS
instance, a Layer 3 MPLS VPN, or an EoMPLS VC) is not supported.
• H-VPLS with MPLS edge requires either an OSM or Cisco 7600 SIP-600 in both the downlink
(facing UPE) and uplink (MPLS core).
• Output policing is not supported.
• The aggregate guaranteed bandwidth configured for all QOS policies applied to a main interface
cannot exceed the bandwidth of the link. 1% of the link rate bandwidth is reserved for control packet
traffic. The remaining 99% of guaranteed rates are available for QoS configuration. For policies
applied to the main interface, an attempt is made to acquire the 1% guaranteed rate from
class-default. If control packet bandwidth cannot be acquired, then errors are reported in the log file.
• On any Cisco 7600 SIP-600 Ethernet port subinterface using VLANs, a unique VLAN ID must be
assigned. This VLAN ID cannot be in use by any other interface on the Cisco 7600 series router.
• Certain restrictions apply when using the SIP-600 and the IPSec VPN SPA on the same chassis:
– The SIP-600 should not be installed in the same chassis with an IPSec VPN SPA when running
SXF.
– The SIP-600 is not supported in 12.2(33)SRA.
– Starting with SRB, the SIP-600 and IPSec VPN SPA can be present in the same chassis.
However, SIP-600 subinterfaces cannot be used when VPN crypto-connect mode is configured.
Cisco 7600 SSC-400 Restrictions
As of Cisco IOS Release 12.2(18)SXE2, the Cisco 7600 SSC-400 has the following restrictions:
• The Cisco 7600 SSC-400 is only supported by the Supervisor Engine 720 (MSFC3 and PFC3).
For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600
series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720,
Supervisor Engine 32, and Supervisor Engine 2 at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SSC-400 only supports two IPSec VPN SPAs.
As of Cisco IOS Release 12.2(18)SXF, the Cisco 7600 SSC-400 has the following restrictions:
• The Cisco 7600 SSC-400 is not supported by the Supervisor Engine 32. The Cisco 7600 SSC-400
is only supported by the Supervisor Engine 720 (MSFC3 and PFC3).
For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600
series router, refer to the Release Notes for Cisco IOS Release 12.2SX on the Supervisor Engine 720,
Supervisor Engine 32, and Supervisor Engine 2 at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html
• The Cisco 7600 SSC-400 only supports two IPSec VPN SPAs.
Supported MIBs
The following MIBs are supported in Cisco IOS Release 12.2(18)SXE and later for the Cisco 7600
SIP-200 on a Cisco 7600 series router:
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
The following MIBs are supported in Cisco IOS Release 12.2(18)SXE and later for the Cisco 7600
SIP-400 on a Cisco 7600 series router:
• ATM-ACCOUNTING-INFORMATION-MIB (RFC 2512)
• ATM-MIB (RFC 2515)
• ATM-SOFT-PVC-MIB
• ATM-TC-MIB
• ATM-TRACE-MIB
• CISCO-AAL5-MIB
• CISCO-ATM-CONN-MIB
• CISCO-ATM-RM-MIB
• CISCO-ATM-TRAFFIC-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• SONET MIB (RFC 2558)
The following MIBs are supported in Cisco IOS Release 12.2(18)SXF and later for the Cisco 7600
SIP-600 on a Cisco 7600 series router:
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
The following MIBs are supported in Cisco IOS Release 12.2(18)SXE2 and later for the Cisco 7600
SSC-400 on a Cisco 7600 series router:
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-EXT-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• ENTITY-MIB
• ETHER-MIB
• OLD-CISCO-CHASSIS-MIB
For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series
Internet Router MIB Specifications Guide at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_technical_reference_list.html
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your
account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify
that your e-mail address is registered with Cisco.com. If the check is successful, account details with a
new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com
by following the directions found at this URL:
https://tools.cisco.com/RPF/register/register.do
Displaying the SIP and SSC Hardware Type
To verify the SIP or SSC hardware type that is installed in your Cisco 7600 series router, you can use
the show module command. There are other commands on the Cisco 7600 series router that also provide
SIP and SSC hardware information, such as the show idprom command and show diagbus command.
Table 3-1 shows the hardware description that appears in the show module and show idprom command
output for each type of SIP that is supported on the Cisco 7600 series router.
Example of the show module Command
The following example shows output from the show module command on the Cisco 7600 series router
with a Cisco 7600 SIP-400 installed in slot 13:
Router# show module 13
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
 13     0 4-subslot SPA Interface Processor-400  7600-SIP-400       JAB0851042X

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
 13 00e0.aabb.cc00 to 00e0.aabb.cc3f   0.525  12.2(PP_SPL_ 12.2(PP_SPL_ Ok

Mod Online Diag Status
--- -------------------
 13 Pass
Example of the show idprom Command
The following example shows sample output for a Cisco 7600 SIP-200 installed in slot 4 of the router:
Router# show idprom module 4
IDPROM for module #4
(FRU is '4-subslot SPA Interface Processor-200')
OEM String = 'Cisco Systems'
Product Number = '7600-SIP-200'
Serial Number = 'SAD0738006Y'
Manufacturing Assembly Number = '73-8272-03'
Manufacturing Assembly Revision = '03'
Hardware Revision = 0.333
Current supplied (+) or consumed (-) = -4.77A

Table 3-1 SIP Hardware Descriptions in show Commands
SIP                 Description in show module and show idprom Commands
Cisco 7600 SIP-200  4-subslot SPA Interface Processor-200 / 7600-SIP-200
Cisco 7600 SIP-400  4-subslot SPA Interface Processor-400 / 7600-SIP-400
Cisco 7600 SIP-600  1-subslot SPA Interface Processor-600 / 7600-SIP-600
Cisco 7600 SSC-400  2-subslot Services SPA Carrier-400 / 7600-SSC-400
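For a scripted hardware inventory check, the show module output can be parsed by column position and compared with Table 3-1. The following Python is an added example, not Cisco tooling; the function names and the expected-inventory mapping are assumptions, and the sample is the page's show module example with its column alignment reconstructed.

```python
import re

# The "show module" example from this page; the values are the page's,
# the column alignment is reconstructed for this example.
SAMPLE = """\
Router# show module 13
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
 13     0 4-subslot SPA Interface Processor-400  7600-SIP-400       JAB0851042X

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
 13 00e0.aabb.cc00 to 00e0.aabb.cc3f   0.525  12.2(PP_SPL_ 12.2(PP_SPL_ Ok

Mod Online Diag Status
--- -------------------
 13 Pass
"""

# Table 3-1 of this page: product number -> card description.
TABLE_3_1 = {
    "7600-SIP-200": "4-subslot SPA Interface Processor-200",
    "7600-SIP-400": "4-subslot SPA Interface Processor-400",
    "7600-SIP-600": "1-subslot SPA Interface Processor-600",
    "7600-SSC-400": "2-subslot Services SPA Carrier-400",
}

RULER = re.compile(r"-+(?: +-+)+")


def parse_show_module(text):
    """Return {slot: {column name: value}}, merged across all output sections."""
    modules = {}
    lines = text.splitlines()
    for i in range(1, len(lines)):
        if not RULER.fullmatch(lines[i].strip()):
            continue
        # Each run of dashes marks where a column starts; a column extends
        # to the start of the next one (the last runs to end of line).
        starts = [m.start() for m in re.finditer(r"-+", lines[i])]
        bounds = list(zip(starts, starts[1:] + [None]))
        names = [lines[i - 1][a:b].strip() for a, b in bounds]
        for row in lines[i + 1:]:
            cells = [row[a:b].strip() for a, b in bounds]
            if not cells[0].isdigit():   # blank line or next section header
                break
            modules.setdefault(int(cells[0]), {}).update(zip(names[1:], cells[1:]))
    return modules


def audit(modules, expected):
    """Compare parsed modules with expected {slot: product number}; list findings."""
    findings = []
    for slot, model in sorted(expected.items()):
        mod = modules.get(slot)
        if mod is None:
            findings.append(f"slot {slot}: no module reported")
            continue
        if mod.get("Model") != model:
            findings.append(f"slot {slot}: expected {model}, found {mod.get('Model')}")
        if TABLE_3_1.get(mod.get("Model")) != mod.get("Card Type"):
            findings.append(f"slot {slot}: card description does not match Table 3-1")
        if mod.get("Status") != "Ok":
            findings.append(f"slot {slot}: status is {mod.get('Status')}")
        if mod.get("Online Diag Status") != "Pass":
            findings.append(f"slot {slot}: diagnostics {mod.get('Online Diag Status')}")
    for slot in sorted(modules.keys() - expected.keys()):
        findings.append(f"slot {slot}: unexpected module {modules[slot].get('Model')}")
    return findings
```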
SIP-200 and SIP-400 Network Clock Distribution
The Cisco 7600 series routers have a distributed clocking system with two 8-KHz backplane reference
clocks that connect to every slot in the backplane to provide an egress (Tx) timing reference for the SPAs.
Starting with Cisco IOS Release 12.2(33)SRB, the SIP-200 or SIP-400 can take clock input from various
clock sources and distribute the clock to other supported cards by way of the chassis backplane to allow
network operators to synchronize the transmit clocks of serial interfaces to a central timing reference.
Synchronization to a central timing reference can help eliminate frame slips and associated loss of data
on SONET and SDH interfaces.
Both the SIP-200 and the SIP-400 can act as the source that drives the backplane reference clocks used by
other SIPs. When a SIP-200 or SIP-400 is the source of the clocks, the SIP uses the recovered Rx clock
from any one of its SPAs' input ports (see Table 3-2 for which SPAs support this functionality). The SIP
either derives an 8-KHz clock that it drives onto one or both backplane signals, or provides
its own Stratum 3 clock to the backplane.
Both the SIP-200 and the SIP-400 can also receive backplane clocks for use by their SPAs. When the
SIP-200 and the SIP-400 receive backplane clocks, the clocks are dejittered and provided to the SPAs.
Table 3-2 shows reference clock sources. Table 3-3 shows the reference clock sources available for
mapping to the backplane. Table 3-4 shows the clocks available to specific line cards.
Table 3-2 Reference Clock Sources
Reference Clock Input for Data Transmission  SIP-200                          SIP-400
Local                                        All supported SONET/Serial SPAs  All supported SONET/Serial SPAs
Line                                         All supported SONET/Serial SPAs  All supported SONET/Serial SPAs
BITS Input                                   SPA-8XCHT1/E1                    SPA-24CHT1-CE-ATM

Table 3-3 Reference Clock Sources Available for Mapping to Backplane
Clock Source         Line Card  SPA                           Clock Derived From
Internal Oscillator  SIP-200    Not applicable                Not applicable
                     SIP-400    Not applicable                Not applicable
Interface            SIP-200    SPA-2XOC3-POS, SPA-4XOC3-POS  SONET/SDH
                                SPA-2XOC3-ATM, SPA-4XOC3-ATM
                     SIP-400    SPA-1CHOC3-CE-ATM
                                SPA-2XOC3-POS, SPA-4XOC3-POS
                                SPA-1XOC12-POS
                                SPA-1XOC48-POS
                                SPA-2XOC3-ATM, SPA-4XOC3-ATM
                                SPA-1XOC12-ATM
                                SPA-1XOC-48ATM
                                8X1FE-TX-V2
                                4X1FE-TX-V2
Controller           SIP-200    SPA-8XCHT1/E1                 T1/E1
                                SPA-1XCHSTM1/OC3              STM1/OC3
                                SPA-2XT3/E3, SPA-4XT3/E3      Cannot provide clock to backplane
                                SPA-2XCT3/DS0, SPA-4XCT3/DS0  Cannot provide the clock to backplane

Table 3-4 Line Cards Able to Receive Clocks from Backplane
Line Card  SPA                           Minimum Interface Level for Clock Source Input
SIP-200    SPA-8XCHT1/E1                 Cannot take clock from backplane
           SPA-2XT3/E3, SPA-4XT3/E3      Cannot take clock from backplane
           SPA-2XCT3/DS0, SPA-4XCT3/DS0  Cannot take clock from backplane
           SPA-1XCHSTM1/OC3              STM1/OC3
           SPA-2XOC3-POS, SPA-4XOC3-POS
           SPA-2XOC3-ATM, SPA-4XOC3-ATM
SIP-400    SPA-24CHT1-CE-ATM             T1/E1
           SPA-1CHOC3-CE-ATM             STM1/OC3
           SPA-2XOC3-POS, SPA-4XOC3-POS
           SPA-1XOC12-POS                STM4/OC12
           SPA-2XOC3-ATM, SPA-4XOC3-ATM  STM1/OC3
           SPA-1XOC12-ATM                STM4/OC12
           SPA-1XOC-48ATM                STM16/OC48

Note The default clock for T3/E3 interfaces for the SPA-1xCHSTM1/OC3 or SPA-1xCHOC12/STM4 is
internal.
If you have line configuration on the T3, you must change the clock source back to line, to get the setup
back to the old state after upgrade.
For additional information, see BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400,
page 10-37.
Chapter 4
Configuring the SIPs and SSC
This chapter provides information about configuring SIPs and SSCs on the Cisco 7600 series router. It
includes the following sections:
• Configuration Tasks
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications that correspond to your Cisco IOS software release.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes how to configure the SIPs and SSCs and includes information about verifying the
configuration.
It includes the following topics:
• Required Configuration Tasks
• Identifying Slots and Subslots for SIPs, SSCs, and SPAs
• Configuring Compressed Real-Time Protocol
• Configuring Frame Relay Features
• Configuring Layer 2 Interworking Features on a SIP
• Configuring Private Hosts over Virtual Private LAN Service (VPLS)
• Configuring BFD over VCCV on SIP-400
• Configuring MPLS Features on a SIP
• Configuring QoS Features on a SIP
• Configuring NAT
• Configuring Lawful Intercept on a Cisco 7600 SIP-400
• Configuring Security ACLs on an Access Interface on a Cisco 7600 SIP-400
• Configuring CoPP on the Cisco 7600 SIP-400
• Configuring IGMP Snooping on a SIP-200
• Configuring ACFC and PFC Support on Multilink Interfaces
• Configuring PPPoEoE on a Cisco 7600 SIP-400
• Configuring Source IPv4 and Source MAC Address Binding on the SIP-400
• Resetting a SIP
• Layer 2 Interworking Configuration Examples
• MPLS Configuration Examples
• QoS Configuration Examples
• Private Hosts SVI (Interface VLAN) Configuration Example
This section identifies those features that have SIP-specific configuration guidelines for you to consider
and refers you to the supporting platform documentation.
Many of the Cisco IOS software features on the Cisco 7600 series router that the FlexWAN and
Enhanced FlexWAN modules support, the SIPs also support. Use this chapter while also referencing the
list of supported features on the SIPs in Chapter 3, “Overview of the SIPs and SSC.”
Note When referring to the other platform documentation, be sure to note any SIP-specific configuration
guidelines described in this document.
For information about configuring other features supported on the Cisco 7600 series router but not
discussed in this document, refer to the Cisco 7600 Series Cisco IOS Software Configuration Guide,
12.2SR at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/swcg.html
Note Effective from Cisco IOS Software Release 15.0(1)S, a number of QoS commands documented in this
chapter are hidden in the software image; hence you have to use their replacement commands. Although
the hidden commands are still available on Cisco IOS Software, you cannot access these commands from
the CLI interactive help. For more information on the replacement commands, see the Legacy QoS
Command Deprecation feature document at:
http://www.cisco.com/en/US/docs/ios/ios_xe/qos/configuration/guide/legacy_qos_cli_deprecation_xe.html
Required Configuration Tasks
As of Cisco IOS Release 12.2(18)SXE, no features require direct configuration on the
SIP or SSC. This means that you do not need to attach to the SIP or SSC itself to perform any
configuration.
However, the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 do implement and support certain features
that are configurable at the system level on the Route Processor (RP).
Identifying Slots and Subslots for SIPs, SSCs, and SPAs
This section describes how to specify the physical locations of a SIP and SPA on the Cisco 7600 series
routers within the command-line interface (CLI) to configure or monitor those devices.
Note For simplicity, any reference to “SIP” in this section also applies to the SSC.
Specifying the Slot Location for a SIP or SSC
The Cisco 7600 series router supports different chassis models, each of which supports a certain number
of chassis slots.
Note The Cisco 7600 series router SIPs are not supported with a Supervisor Engine 1, Supervisor Engine 1A,
Supervisor Engine 2, or Supervisor Engine 720-3A.
Figure 4-1 shows an example of a SIP installed in slot 6 on a Cisco 7609 router. The Cisco 7609 router
has nine vertically-oriented chassis slots, which are numbered 1 to 9 from right to left.
Figure 4-1 SIP and SPA Installed in a Cisco 7609 Router
Some commands allow you to display information about the SIP itself, such as show module, show
sip-disk, show idprom module, show hw-module slot, and show diagbus. These commands require
you to specify the chassis slot location where the SIP that you want information about is installed.
For example, to display status and information about the SIP installed in slot 6 as shown in Figure 4-1,
enter the following command:
Router# show module 6
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Figure 4-1 callouts:
1 SIP subslot 0
2 SIP subslot 1
3 SIP subslot 2
4 SIP subslot 3
5 Chassis slots 1–9 (numbered from right to left)
Specifying the SIP or SSC Subslot Location for a SPA
SIP subslots begin their numbering with “0” and have a horizontal or vertical orientation depending on
the orientation of the SIP in the router chassis slot, as shown in the “SIP, SSC, and SPA Product
Overview” chapter of the Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide.
Figure 4-1 shows an example of a Cisco 7600 SIP-200 installed with a vertical orientation on a
Cisco 7609 router. The Cisco 7600 SIP-200 supports four subslots for the installation of SPAs. In this
example, the subslot locations are vertically oriented as follows:
• SIP subslot 0—Top–right subslot
• SIP subslot 1—Bottom–right subslot
• SIP subslot 2—Top–left subslot
• SIP subslot 3—Bottom–left subslot
Figure 4-2 shows the faceplate for the Cisco 7600 SIP-200 in a horizontal orientation.
Figure 4-2 Cisco 7600 SIP-200 Faceplate
In this view, the subslot locations in a horizontal orientation are as follows:
• SIP subslot 0—Top–left subslot
• SIP subslot 1—Top–right subslot
• SIP subslot 2—Bottom–left subslot
• SIP subslot 3—Bottom–right subslot
The SIP subslot numbering is indicated by a small numeric label beside the subslot on the faceplate.
Just as with the SIPs, some commands allow you to display information about the SPA itself, such as
show idprom module and show hw-module subslot. These commands require you to specify both the
physical location of the SIP and SPA in the format, slot/subslot, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
For example, to display the operational status for the SPA installed in the first subslot of the SIP in
chassis slot 6 shown in Figure 4-1, enter the following command:
Router# show hw-module subslot 6/0 oir
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Configuring Compressed Real-Time Protocol
Compressed Real-Time Protocol (CRTP), from RFC 1889 (RTP: A Transport Protocol for Real-Time
Applications), provides bandwidth efficiencies over low-speed links by compressing the UDP/RTP/IP
header when transporting voice. With CRTP, the header for Voice over IP traffic can be reduced from 40
bytes to approximately 2 to 5 bytes offering substantial bandwidth efficiencies for low-speed links.
CRTP is supported over Frame Relay, ATM, PPP, distributed MLPPP (dMLPPP), and HDLC
encapsulated interfaces.
Table 4-1 provides information about where the CRTP feature for SPA interfaces is supported.
CRTP Configuration Guidelines
To support CRTP on the Cisco 7600 SIP-200, consider the following guidelines:
• High-level Data Link Control (HDLC), PPP, or Frame Relay encapsulation must be configured.
• TCP or RTP header compression, or both, must be enabled.
• When distributed fast-switching is enabled, the detail option is not available with the show ip rtp
header-compression and show ip tcp header-compression commands. Users who need the
detailed information for either of these commands can retrieve this information by disabling
distributed fast-switching and then entering the show ip rtp header-compression detail or show ip
tcp header-compression detail commands.
• When using CRTP with distributed features on the Cisco 7600 SIP-200, consider the following
guidelines and restrictions:
– Hardware- and software-based CRTP is supported with Distributed Link Fragmentation and
Interleaving over Leased Lines (dLFIoLL) if only one link is present on the multilink interface.
– The following restrictions apply to Multilink PPP interfaces that use LFI:
If RTP header compression is configured, RTP packets originating on or destined to the router
will be fast-switched if the link is limited to one channel. If the link has more than one channel,
the packets will be process-switched.
CRTP should not be configured on a multilink interface when LFI is enabled on the multilink
interface if the multilink bundle has more than one member link, and a QoS policy with a feature
is enabled on the multilink interface.
Note In a dMLPPP/dLFI configuration, packets do not carry the MLPPP header and sequence
number. Thus, MLPPP distributes the packets across all member links. As a result, packets
that are compressed by CRTP may arrive out-of-order at the receiving router. This prohibits
CRTP from decompressing the packet header and forces CRTP to drop the packets.

Table 4-1 CRTP Feature Compatibility by SIP and SPA Combination
Feature: Hardware-based CRTP
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.
Feature: Hardware- and software-based CRTP
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(33)SRA:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    • 1-Port Channelized OC-3/STM-1 SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.
Feature: CRTP with dLFIoLL—Only supported with one link present on the multilink interface
  Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later:
    • 8-Port Channelized T1/E1 SPA
    • 2-Port and 4-Port Channelized T3 SPA
    Support for the following SPA was added in Cisco IOS Release 12.2(33)SRA:
    • 1-Port Channelized OC-3/STM-1 SPA
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.
Feature: CRTP with dMLPPP
  Cisco 7600 SIP-200: Supported. Not supported if LFI is enabled.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.
Feature: CRTP with dMLPPP and MPLS
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.
For information on configuring CRTP, see Configuring Distributed Compressed Real-Time Protocol at
the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfdcrtp.html
Configuring Frame Relay Features
Many of the Frame Relay features supported on the FlexWAN and Enhanced FlexWAN modules on the
Cisco 7600 series router are also supported by the SIPs. For a list of the supported Frame Relay features
on the SIPs, see Chapter 3, “Overview of the SIPs and SSC.”
This section describes those Frame Relay features that have SIP-specific configuration guidelines. After
you review the SIP-specific guidelines described in this document, then refer to the referenced URLs for
more information about configuring Frame Relay features.
The Frame Relay features for SIPs and SPAs are qualified as distributed features because the processing
for the feature is handled by the SIP or SPA, or a combination of both.
Configuring Distributed Multilink Frame Relay (FRF.16) on the Cisco 7600 SIP-200
The Distributed Multilink Frame Relay (dMLFR) feature provides a cost-effective way to increase
bandwidth for particular applications by enabling multiple serial links to be aggregated into a single
bundle of bandwidth. Multilink Frame Relay is supported on the User-Network Interface (UNI) and the
Network-to-Network Interface (NNI) in Frame Relay networks.
Note Based on your link configuration, dMLFR can be either software-based on the Cisco 7600 SIP-200, or
hardware-based on the 8-Port Channelized T1/E1 SPA, 2-Port and 4-Port Channelized T3 SPAs, and
1-Port Channelized OC-3/STM-1 SPA. For more information about the hardware-based configuration,
see also Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA,” and Chapter 19, “Configuring
the 2-Port and 4-Port Channelized T3 SPAs.”
Table 4-2 provides information about where the dMLFR feature for SPA interfaces is supported.
This section includes the following topics:
• Overview of dMLFR
• dMLFR Configuration Guidelines
• dMLFR Configuration Tasks
• Verifying dMLFR
Overview of dMLFR
The Distributed Multilink Frame Relay feature enables you to create a virtual interface called a bundle
or bundle interface. The bundle interface emulates a physical interface for the transport of frames. The
Frame Relay data link runs on the bundle interface, and Frame Relay virtual circuits are built upon it.
The bundle is made up of multiple serial links, called bundle links. Each bundle link within a bundle
corresponds to a physical interface. Bundle links are invisible to the Frame Relay data-link layer, so
Frame Relay functionality cannot be configured on these interfaces. Regular Frame Relay functionality
that you want to apply to these links must be configured on the bundle interface. Bundle links are visible
to peer devices. The local router and peer devices exchange link integrity protocol control messages to
determine which bundle links are operational and to synchronize which bundle links should be
associated with which bundles.
For link management, each end of a bundle link follows the MLFR link integrity protocol and exchanges
link control messages with its peer (the other end of the bundle link). To bring up a bundle link, both
ends of the link must complete an exchange of ADD_LINK and ADD_LINK_ACK messages. To
maintain the link, both ends periodically exchange HELLO and HELLO_ACK messages. This exchange
of hello messages and acknowledgments serves as a keepalive mechanism for the link. If a router is
sending hello messages but not receiving acknowledgments, it will resend the hello message up to a
configured maximum number of times. If the router exhausts the maximum number of retries, the bundle
link line protocol is considered down (unoperational).
The bundle link interface’s line protocol status is considered up (operational) when the peer device
acknowledges that it will use the same link for the bundle. The line protocol remains up when the peer
device acknowledges the hello messages from the local router.
The bundle interface’s line status becomes up when at least one bundle link has its line protocol status
up. The bundle interface’s line status goes down when the last bundle link is no longer in the up state.
This behavior complies with the Class A bandwidth requirement defined in FRF.16.
Table 4-2 dMLFR Feature Compatibility by SIP and SPA Combination
Feature: Hardware- and software-based dMLFR
Cisco 7600 SIP-200:
In Cisco IOS Release 12.2(18)SXE and later:
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port Channelized T3 SPA
In Cisco IOS Release 12.2(33)SRA and later:
• 1-Port Channelized OC-3/STM-1 SPA
In Cisco IOS Release 12.2(33)SRC and later:
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.
The bundle interface’s line protocol status is considered up when the Frame Relay data-link layer at the
local router and peer device synchronize using the Local Management Interface (LMI), when LMI is
enabled. The bundle line protocol remains up as long as the LMI keepalives are successful.
dMLFR Configuration Guidelines
To support dMLFR on the Cisco 7600 SIP-200, consider the following guidelines:
• dMLFR must be configured on the peer device.
• The dMLFR peer device must not send frames that require assembly.
• The Cisco 7600 SIP-200 supports distributed links under the following conditions:
– All links are on the same Cisco 7600 SIP-200.
– T1 and E1 links cannot be mixed in a bundle.
– Member links in a bundle are recommended to have the same bandwidth.
• QoS is implemented on the Cisco 7600 SIP-200 for dMLFR.
• dMLFR is supported with Frame Relay over MPLS (FRoMPLS) on the Cisco 7600 SIP-200 between
the customer edge (CE) and provider edge (PE) of the MPLS network.
• The Cisco 7600 SIP-200 only supports the RPR+ High Availability (HA) feature with dMLFR.
• dMLFR is supported in software by the Cisco 7600 SIP-200, or in hardware by the supported SPA.
This support is determined by your link configuration.
• dMLFR is supported in software if bundle link members are on different SPAs in the same SIP.
Software-Based Guidelines
dMLFR will be implemented in the software if any of the following conditions are met:
• Any one bundle link member is a fractional T1 or E1 link.
• There are more than 12 T1 or E1 links in a bundle.
Hardware-Based Guidelines
dMLFR will be implemented in the hardware when all of the following conditions are met:
• All bundle link members are T1 or E1 only.
• All bundle links are on the same SPA.
• There are no more than 12 links in a bundle.
dMLFR Restrictions
When configuring dMLFR on the Cisco 7600 SIP-200, consider the following restrictions:
• FRF.9 hardware compression is not supported.
• Software compression is not supported.
• Encryption is not supported.
• The maximum differential delay supported is 50 ms when supported in hardware, and 100 ms when
supported in software.
• Fragmentation is not supported on the transmit side.
dMLFR Configuration Tasks
The following sections describe how to configure dMLFR:
• Creating a Multilink Frame Relay Bundle (required)
• Assigning an Interface to a dMLFR Bundle (required)
Creating a Multilink Frame Relay Bundle
SUMMARY STEPS
Step 1 interface mfr number
Step 2 frame-relay multilink bid name
Step 3 frame-relay intf-type dce
DETAILED STEPS
To configure the bundle interface for dMLFR, use the following commands beginning in global
configuration mode:
Step 1
Command: Router(config)# interface mfr number
Purpose: Configures a multilink Frame Relay bundle interface and enters interface configuration mode, where:
• number—Specifies the number for the Frame Relay bundle.
Step 2
Command: Router(config-if)# frame-relay multilink bid name
Purpose: (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle, where:
• name—Specifies the name for the Frame Relay bundle.
Note The bundle identification (BID) will not go into effect until the interface has gone from the down
state to the up state. One way to bring the interface down and back up again is by using the shutdown
and no shutdown commands in interface configuration mode.
Step 3
Command: Router(config-if)# frame-relay intf-type dce
Purpose: Configures the router to function as a data communications equipment (DCE) device, or as a switch.
Assigning an Interface to a dMLFR Bundle
To configure an interface link and associate it as a member of a dMLFR bundle, use the following
commands beginning in global configuration mode. Repeat these steps to assign multiple links to the
dMLFR bundle.
SUMMARY STEPS
Step 1 interface serial address
OR
interface serial slot/subslot/port/t1-number:channel-group
OR
interface serial slot/subslot/port:channel-group
Step 2 encapsulation frame-relay mfr number [name]
Step 3 frame-relay multilink lid name
Step 4 frame-relay multilink hello seconds
Step 5 frame-relay multilink ack seconds
Step 6 frame-relay multilink retry number
DETAILED STEPS
If you use this task to assign more than 12 T1 or E1 interface links as part of the same bundle, or if any
of the T1/E1 interface links are fractional T1/E1, or any links reside on multiple SPAs as part of the same
bundle, then software-based dMLFR is implemented automatically by the Cisco 7600 SIP-200.
Step 1
Command:
1-Port Channelized OC-3/STM-1 SPA
Router(config)# interface serial address
2-Port and 4-Port Channelized T3 SPA
Router(config)# interface serial slot/subslot/port/t1-number:channel-group
8-Port Channelized T1/E1 SPA
Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Specifies a serial interface and enters interface configuration mode, where:
• address—For the different supported syntax options for the address argument for the 1-Port
Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the
1-Port Channelized OC-3/STM-1 SPA” chapter.
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
Note If you configure a fractional T1/E1 interface on the SPA using a channel group and specify that
fractional T1/E1 channel group as part of this task, then software-based dMLFR is implemented
automatically by the Cisco 7600 SIP-200 when you assign the interface to the dMLFR bundle.
Step 2
Command: Router(config-if)# encapsulation frame-relay mfr number name
Purpose: Creates a multilink Frame Relay bundle link and associates the link with a bundle, where:
• number—Specifies the number for the Frame Relay bundle. This number should match the dMLFR
interface number specified in the interface mfr command.
• name—(Optional) Specifies the name for the Frame Relay bundle.
Step 3
Command: Router(config-if)# frame-relay multilink lid name
Purpose: (Optional) Assigns a bundle link identification name with a multilink Frame Relay bundle link, where:
• name—Specifies the name for the Frame Relay bundle.
Note The bundle link identification (LID) will not go into effect until the interface has gone from the
down state to the up state. One way to bring the interface down and back up again is by using the
shutdown and no shutdown commands in interface configuration mode.
Step 4
Command: Router(config-if)# frame-relay multilink hello seconds
Purpose: (Optional) Configures the interval at which a bundle link will send out hello messages, where:
• seconds—Specifies the number of seconds between hello messages sent out over the multilink bundle.
The default is 10 seconds.
Step 5
Command: Router(config-if)# frame-relay multilink ack seconds
Purpose: (Optional) Configures the number of seconds that a bundle link will wait for a hello message
acknowledgment before resending the hello message, where:
• seconds—Specifies the number of seconds a bundle link will wait for a hello message acknowledgment
before resending the hello message. The default is 4 seconds.
Step 6
Command: Router(config-if)# frame-relay multilink retry number
Purpose: (Optional) Configures the maximum number of times a bundle link will resend a hello message
while waiting for an acknowledgment, where:
• number—Specifies the maximum number of times a bundle link will resend a hello message while waiting
for an acknowledgment. The default is 2 tries.
Verifying dMLFR
To verify dMLFR configuration, use the show frame-relay multilink command. If you use the show
frame-relay multilink command without any options, information for all bundles and bundle links is
displayed.
The following examples show output for the show frame-relay multilink command with the serial
number and detailed options. Detailed information about the specified bundle links is displayed.
Router# show frame-relay multilink serial6 detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Remove_link sent = 0, Remove_link rcv'd = 0,
Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
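The link state and ADD_LINK counters in the show frame-relay multilink detailed output above can be checked automatically. The following Python example is added here and is not part of the Cisco guide: it parses that output and flags bundle links that keep sending ADD_LINK without any reply from the peer, links the peer rejected, and timers that differ from the documented defaults. The function names and finding labels are assumptions made for this example.

```python
"""Parse 'show frame-relay multilink ... detailed' output and report
bundle links whose ADD_LINK handshake was never answered by the peer."""

# Sample copied from the "Verifying dMLFR" output on this page.
SAMPLE = """\
Router# show frame-relay multilink serial6 detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Remove_link sent = 0, Remove_link rcv'd = 0,
Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
"""

# Defaults stated in the configuration steps: hello 10 s, ack 4 s, retry 2.
DEFAULT_TIMERS = {"hello timer": 10, "ack timer": 4, "max retry count": 2}


def _pairs(line):
    """Yield (key, value) for each 'key = value' item on a comma-separated line."""
    for item in line.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            yield key.strip().lower(), value.strip()


def parse_multilink(text):
    """Return a list of bundles, each a dict with a 'links' list of dicts."""
    bundles, bundle, link = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Bundle:"):
            name = line.split(",", 1)[0].split(":", 1)[1].strip()
            bundle, link = {"name": name, "links": []}, None
            bundles.append(bundle)
        elif bundle is None:
            continue  # prompt line or other text before the first bundle
        elif "HW state" in line:
            # A bundle-link line starts with the interface name.
            link = {"name": line.split(",", 1)[0].strip()}
            bundle["links"].append(link)
        # Fields belong to the current link once one has been seen.
        target = link if link is not None else bundle
        target.update(_pairs(line))
    return bundles


def _count(fields, key):
    """Integer value of a counter or timer field, 0 when absent or empty."""
    value = fields.get(key, "0")
    return int(value) if value.isdigit() else 0


def link_findings(bundles):
    """Return (bundle/link, label) tuples for links that need attention."""
    findings = []
    for bundle in bundles:
        for link in bundle["links"]:
            where = f'{bundle["name"]}/{link["name"]}'
            sent = _count(link, "add_link sent")
            answered = (_count(link, "add_link rcv'd")
                        + _count(link, "add_link ack rcv'd")
                        + _count(link, "add_link rej rcv'd"))
            # Physical layer is up and ADD_LINK is going out, but the peer
            # never answered: the peer end is not running dMLFR on this link.
            if link.get("hw state") == "up" and sent and not answered:
                findings.append((where, "unanswered_add_link"))
            if _count(link, "add_link rej rcv'd"):
                findings.append((where, "add_link_rejected"))
            for key, default in DEFAULT_TIMERS.items():
                if key in link and _count(link, key) != default:
                    findings.append((where, f"timer_not_default:{key}"))
    return findings


if __name__ == "__main__":
    for where, label in link_findings(parse_multilink(SAMPLE)):
        print(where, label)
```
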
Configuring Distributed Multilink PPP on the Cisco 7600 SIP-200
The Distributed Multilink Point-to-Point Protocol (dMLPPP) feature allows you to combine T1/E1 lines
into a bundle that has the combined bandwidth of multiple T1/E1 lines. This is done by using a dMLPPP
link. You choose the number of bundles and the number of T1/E1 lines in each bundle. This allows you
to increase the bandwidth of your network links beyond that of a single T1/E1 line without having to
purchase a T3 line.
Note Based on your link configuration, dMLPPP can be either software-based on the Cisco 7600 SIP-200, or
hardware-based on the 8-Port Channelized T1/E1 SPA and 2-Port and 4-Port Channelized T3 SPAs. For
more information about the hardware-based configuration, see also Chapter 17, “Configuring the 8-Port
Channelized T1/E1 SPA,” Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs,” and
Chapter 25, “Configuring the 1-Port Channelized OC3/STM-1 SPA.”
The SIP-200 includes the per-fragment overhead of the MLPPP header for every fragment. On the Cisco 7600
series router, if you apply a QoS policy (with a queuing CLI such as bandwidth, WRED, or shaping, or a
non-queuing CLI such as policing) on the egress interface of an MLP bundle that has any number of member
links, the rate and number of packets received can be different in the following situations:
• Without an MLP header
• If the policy is applied on the ingress side of the MLP bundle
This difference narrows as the size of the packet increases, say, from 50 to 480 bytes. This behavior
is expected owing to the line card architecture.
Note On the SIP-400, shaping and policing are done without taking the MLP header into account.
Table 4-3 provides information about where the dMLPPP feature for SPA interfaces is supported.
This section includes the following topics:
• dMLPPP Configuration Guidelines
• dMLPPP Configuration Tasks
• Verifying dMLPPP
Table 4-3 dMLPPP Feature Compatibility by SIP and SPA Combination
Feature: Hardware-based dMLPPP
Cisco 7600 SIP-200: Supported
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.
Feature: Hardware- and software-based dMLPPP
Cisco 7600 SIP-200:
In Cisco IOS Release 12.2(18)SXE and later:
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port Channelized T3 SPA
In Cisco IOS Release 12.2(33)SRA and later:
• 1-Port Channelized OC3/STM-1 SPA
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.
dMLPPP Configuration Guidelines
dMLPPP is supported in software by the Cisco 7600 SIP-200, or in hardware by the supported SPA. This
support is determined by your link configuration.
The Cisco 7600 SIP-200 supports distributed links under the following conditions:
• All links are on the same Cisco 7600 SIP-200.
• T1 and E1 links cannot be mixed in a bundle.
• Member links in a bundle are recommended to have the same bandwidth.
• Multilink interface creation is not supported beyond 65535. If you configure a multilink interface
number that is more than 65535, on a switchover, you will experience a connectivity loss.
• QoS is implemented on the Cisco 7600 SIP-200 for dMLPPP.
Software-Based Guidelines
dMLPPP will be implemented in the software if any of the following conditions are met:
• Any one bundle link member is a fractional T1 or E1 link.
• There are more than 12 T1 or E1 links in a bundle.
• To enable fragmentation for software-based dMLPPP, you must configure the ppp multilink
interleave command. This command is not required to enable fragmentation for hardware-based
dMLPPP.
Hardware-Based Guidelines
dMLPPP will be implemented in the hardware when all of the following conditions are met:
• All bundle link members are T1 or E1 only.
• All bundle links are on the same SPA.
• There are no more than 12 links in a bundle.
dMLPPP Restrictions
When configuring dMLPPP on the Cisco 7600 SIP-200, consider the following restrictions:
• Hardware and software compression is not supported.
• Encryption is not supported.
• The maximum differential delay supported is 50 ms when supported in hardware, and 100 ms when
supported in software.
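The software-based and hardware-based rules are the same for dMLFR and dMLPPP, so one pre-deployment check covers both sets of guidelines. The following Python example is added here and is not Cisco code; the MemberLink fields and the classify_bundle function are hypothetical names. It takes the planned member links of a bundle and reports guideline violations, whether the bundle will run in software or hardware, and which differential delay limit then applies.

```python
from dataclasses import dataclass

MAX_HW_LINKS = 12                                        # "no more than 12 links in a bundle"
MAX_DIFF_DELAY_MS = {"hardware": 50, "software": 100}   # from the restrictions lists


@dataclass(frozen=True)
class MemberLink:
    slot: int                 # chassis slot of the SIP-200 (hypothetical field)
    subslot: int              # SPA bay on that SIP
    kind: str                 # "T1" or "E1"
    fractional: bool = False  # True for a fractional T1/E1 channel group


def classify_bundle(links):
    """Check a planned bundle against the page's guidelines.

    Returns a dict. When 'supported' is False, 'errors' lists the violated
    conditions. Otherwise 'mode' is "hardware" or "software", 'reasons'
    says why software was selected, and the delay limit for that mode is
    included.
    """
    errors = []
    kinds = {link.kind for link in links}
    if not links:
        errors.append("bundle has no member links")
    if len({link.slot for link in links}) > 1:
        errors.append("all links must be on the same Cisco 7600 SIP-200")
    unknown = sorted(kinds - {"T1", "E1"})
    if unknown:
        errors.append("unsupported link type: " + ", ".join(unknown))
    if {"T1", "E1"} <= kinds:
        errors.append("T1 and E1 links cannot be mixed in a bundle")
    if errors:
        return {"supported": False, "errors": errors}

    # Any one of these conditions moves the bundle to software.
    reasons = []
    if any(link.fractional for link in links):
        reasons.append("a member is a fractional T1/E1 link")
    if len(links) > MAX_HW_LINKS:
        reasons.append("more than 12 links in the bundle")
    if len({link.subslot for link in links}) > 1:
        reasons.append("members are on different SPAs")

    mode = "software" if reasons else "hardware"
    return {
        "supported": True,
        "errors": [],
        "mode": mode,
        "reasons": reasons,
        "max_differential_delay_ms": MAX_DIFF_DELAY_MS[mode],
        # dMLPPP only: software-based fragmentation needs
        # "ppp multilink interleave"; hardware-based does not.
        "dmlppp_fragmentation_needs_interleave": mode == "software",
    }


if __name__ == "__main__":
    plan = [MemberLink(4, 2, "T1"), MemberLink(4, 3, "T1")]
    print(classify_bundle(plan))
```
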
dMLPPP Configuration Tasks
The following sections describe how to configure dMLPPP:
• Enabling Distributed CEF Switching (required)
• Creating a dMLPPP Bundle (required)
• Assigning an Interface to a dMLPPP Bundle (required)
• Configuring Link Fragmentation and Interleaving over dMLPPP (optional)
Enabling Distributed CEF Switching
To enable dMLPPP, you must first enable distributed CEF switching. Distributed CEF switching is
enabled by default on the Cisco 7600 series router.
Note When the CEF table is large due to a high number of routes and the line card (LC) does not have
enough memory, CEF is disabled. New xconnects are not activated on the device, irrespective of whether
the LC is used as the ingress or egress LC.
SUMMARY STEPS
Step 1 ip cef distributed
DETAILED STEPS
To enable dCEF, use the following command in global configuration mode:
Command: Router(config)# ip cef distributed
Purpose: Enables distributed CEF switching.
Creating a dMLPPP Bundle
SUMMARY STEPS
Step 1 interface multilink group-number
Step 2 ip address ip-address mask
Step 3 ppp multilink interleave
Step 4 ppp multilink mrru [local | remote] mrru-value
Step 5 mtu bytes
Step 6 ppp multilink fragment delay delay
DETAILED STEPS
To configure a dMLPPP bundle, use the following commands beginning in global configuration mode:
Step 1
Command: Router(config)# interface multilink group-number
Purpose: Creates a multilink interface and enters interface configuration mode, where:
• group-number—Specifies the group number for the multilink bundle.
Note To enable no interface multilink group-number, remove the associated multilink group for the
member links using the command no ppp multilink.
Step 2
Command: Router(config-if)# ip address ip-address mask
Purpose: Sets the IP address for the multilink group, where:
• ip-address—Specifies the IP address for the interface.
• mask—Specifies the mask for the associated IP subnet.
Step 3
Command: Router(config-if)# ppp multilink interleave
Purpose: (Optional—Software-based LFI) Enables fragmentation for the interfaces assigned to the
multilink bundle. Fragmentation is disabled by default in software-based LFI.
Step 4
Command: Router(config-if)# ppp multilink mrru [local | remote] mrru-value
Purpose: Configures the MRRU value negotiated on a multilink bundle when MLP is used.
• local—(Optional) Configures the local MRRU value. The default values for the local MRRU are the
value of the multilink group interface MTU for multilink group members, and 1524 bytes for all
other interfaces.
• remote—(Optional) Configures the minimum value that software will accept from the peer when it
advertises its MRRU. By default, the software accepts any peer MRRU value of 128 or higher. You can
specify a higher minimum acceptable MRRU value in a range from 128 to 16384 bytes.
Step 5
Command: Router(config-if)# mtu bytes
Purpose: (Optional) Adjusts the maximum packet size or MTU size.
• Once you configure the MRRU on the bundle interface, you enable the router to receive large
reconstructed MLP frames. You may want to configure the bundle MTU so the router can transmit large
MLP frames, although it is not strictly necessary.
• The maximum recommended value for the bundle MTU is the value of the peer’s MRRU. The default MTU
for serial interfaces is 1500. The software will automatically reduce the bundle interface MTU if
necessary, to avoid violating the peer’s MRRU.
Step 6
Command: Router(config-if)# ppp multilink fragment delay delay
Purpose: (Optional) Sets the fragmentation size satisfying the configured delay on the multilink
bundle, where:
• delay—Specifies the delay in milliseconds.
Assigning an Interface to a dMLPPP Bundle
To configure an interface PPP link and associate it as a member of a multilink bundle, use the following
commands beginning in global configuration mode. Repeat these steps to assign multiple links to the
dMLPPP bundle.
Note If you use this task to assign more than 12 T1 or E1 interface links as part of the same bundle, or if any
of the T1/E1 interface links are fractional T1/E1, or any links reside on multiple SPAs as part of the same
bundle, then software-based dMLPPP is implemented automatically by the Cisco 7600 SIP-200.
SUMMARY STEPS
Step 1 interface serial address
OR
interface serial slot/subslot/port/t1-number:channel-group
OR
interface serial slot/subslot/port:channel-group
OR
Step 2 encapsulation ppp
Step 3 ppp multilink
Step 4 ppp authentication chap
Step 5 ppp chap hostname name
Step 6 ppp multilink group group-number
DETAILED STEPS
Step 1
Command:
1-Port Channelized OC-3/STM-1 SPA
Router(config)# interface serial address
2-Port and 4-Port Channelized T3 SPA
Router(config)# interface serial slot/subslot/port/t1-number:channel-group
8-Port Channelized T1/E1 SPA
Router(config)# interface serial slot/subslot/port:channel-group
1 Port Channelized OC12/STM4 SPA
Router(config)# interface serial address
Purpose: Specifies a serial interface and enters interface configuration mode, where:
• address—For the different supported syntax options for the address argument for the 1-Port
Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the
1-Port Channelized OC-3/STM-1 SPA” chapter.
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
Note If you configure a fractional T1/E1 interface on the SPA using a channel group and specify that
fractional T1/E1 channel group as part of this task, then software-based dMLPPP is implemented
automatically by the Cisco 7600 SIP-200 when you assign the interface to the dMLPPP bundle.
Step 2
Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.
Note To enable no encapsulation ppp, remove the associated multilink group for the member links using
the command no ppp multilink.
Step 3
Command: Router(config-if)# ppp multilink
Purpose: (Optional) Enables dMLPPP on the interface.
Step 4
Command: Router(config-if)# ppp authentication chap
Purpose: (Optional) Enables Challenge Handshake Authentication Protocol (CHAP) authentication.
Step 5
Command: Router(config-if)# ppp chap hostname name
Purpose: (Optional) Assigns a name to be sent in the CHAP challenge.
• name—Specifies an alternate username that will be used for CHAP authentication.
Step 6
Command: Router(config-if)# ppp multilink group group-number
Purpose: Assigns the interface to a multilink bundle, where:
• group-number—Specifies the group number for the multilink bundle. This number should match the
dMLPPP interface number specified in the interface multilink command.
Configuring Link Fragmentation and Interleaving over dMLPPP
Link fragmentation and interleaving (LFI) over dMLPPP is supported in software on the Cisco 7600
SIP-200, or in hardware on the 2-Port and 4-Port Channelized T3 SPA and the 8-Port Channelized T1/E1
SPA. This support is determined by your link configuration.
Software-Based Guidelines
When configuring LFI over dMLPPP, consider the following guidelines for software-based LFI:
• LFI over dMLPPP will be configured in software if there is more than one link assigned to the
dMLPPP bundle.
• LFI is disabled by default in software-based LFI. To enable LFI on the multilink interface, use the
ppp multilink interleave command.
• Fragmentation size is calculated from the delay configured and the member link bandwidth.
• You must configure a policy map with a class under the multilink interface.
• CRTP should not be configured on a multilink interface when LFI is enabled on the multilink
interface if the multilink bundle has more than one member link, and a QoS policy with a feature is
enabled on the multilink interface.
Hardware-Based Guidelines
When configuring LFI over dMLPPP, consider the following guidelines for hardware-based LFI:
• LFI over dMLPPP will be configured in hardware if you only assign one link (either T1/E1 or
fractional T1/E1) to the dMLPPP bundle.
• LFI is enabled by default in hardware-based LFI with a default size of 512 bytes. To enable LFI on
the serial interface, use the ppp multilink interleave command.
• A policy map having a class needs to be applied to the multilink interface.
Verifying dMLPPP
To verify dMLPPP configuration, use the show ppp multilink command, as shown in the following
example:
Router# show ppp multilink
Multilink2, bundle name is group2
Bundle up for 00:01:21
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 1/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/3/0/1:0, since 00:01:21, no frags rcvd
Se4/3/0/1:1, since 00:01:19, no frags rcvd
If hardware-based dMLPPP is configured on the SPA, the show ppp multilink command displays
“Multilink in Hardware” as shown in the following example:
Router# show ppp multilink
Multilink1, bundle name is group1
Bundle up for 00:00:13
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 206/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/2/0/1:0, since 00:00:13, no frags rcvd
Se4/2/0/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.
Configuring Distributed Link Fragmentation and Interleaving for Frame Relay and ATM Interfaces
The Distributed Link Fragmentation and Interleaving (dLFI) feature supports the transport of real-time
traffic, such as voice, and non-real-time traffic, such as data, on lower-speed Frame Relay and ATM
virtual circuits (VCs) and on leased lines without causing excessive delay to the real-time traffic.
This feature is implemented using dMLPPP over Frame Relay, ATM, and leased lines. The feature
enables delay-sensitive real-time packets and non-real-time packets to share the same link by
fragmenting the large data packets into a sequence of smaller data packets (fragments). The fragments
are then interleaved with the real-time packets. On the receiving side of the link, the fragments are
reassembled and the packets reconstructed.
The dLFI feature is often useful in networks that send real-time traffic, such as voice, using Distributed
Low Latency Queueing but have bandwidth problems that delay this real-time traffic due to the
transport of large, less time-sensitive data packets. The dLFI feature can be used in these networks to
disassemble the large data packets into multiple segments. The real-time traffic packets can then be sent
between these segments of the data packets. In this scenario, the real-time traffic does not experience a
lengthy delay waiting for the low-priority data packets to traverse the network. The data packets are
reassembled at the receiving side of the link, so the data is delivered intact.
The ability to configure Quality of Service (QoS) using the Modular QoS CLI while also using dMLPPP
is also introduced as part of the dLFI feature.
For specific information about configuring dLFI, refer to the FlexWAN and Enhanced FlexWAN Module
Installation and Configuration Note located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/index.htm
For information about configuring dLFI on ATM SPAs, see the “Configuring Link Fragmentation and
Interleaving with Virtual Templates” section on page 7-54 in Chapter 7, “Configuring the ATM SPAs.”
Table 4-4 provides information about where the dLFI feature for SPA interfaces is supported.
Table 4-4 dLFI Feature Compatibility by SIP and SPA Combination
Feature: Hardware-based dLFI
Cisco 7600 SIP-200:
In Cisco IOS Release 12.2(18)SXE and later:
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port Channelized T3 SPA
Cisco 7600 SIP-400:
In Cisco IOS Release 12.2(18)SXE and later:
• 2-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
Cisco 7600 SIP-600: Not supported.
Feature: Hardware- and software-based dLFI
Cisco 7600 SIP-200:
In Cisco IOS Release 12.2(33)SRA:
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 1-Port Channelized OC-3/STM-1 SPA
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.
Feature: dLFI with MPLS
Cisco 7600 SIP-200: Not supported.
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.
Feature: dLFI with MPLS on VPN
Cisco 7600 SIP-200: Supported between the CE and PE devices, and with virtual routing and forwarding
(VRF) configuration.
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.
Cisco 7600 Series Router LFI Restrictions
When configuring LFI on the Cisco 7600 series router, consider the following restrictions:
• A maximum number of 200 permanent virtual circuits (PVCs) or switched virtual circuits (SVCs)
using Link Fragmentation and Interleaving (LFI) is supported for all ATM SPAs (or other ATM
modules) in a Cisco 7600 series router.
• LFI using FRF.12 is supported in hardware only for the 2-Port and 4-Port Channelized T3 SPA and
8-Port Channelized T1/E1 SPA.
• LFI over dMLPPP is supported in software or hardware depending on your link configuration. For
more information about software-based LFI over dMLPPP, see the “Configuring Link
Fragmentation and Interleaving over dMLPPP” section. For more information about
hardware-based LFI over dMLPPP, refer to Chapter 17, “Configuring the 8-Port Channelized
T1/E1 SPA,” and Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs.”
• QoS is implemented on the Cisco 7600 SIP-200 for dLFI.
Frame Relay Fragmentation (FRF.12)
Frame Relay Fragmentation (FRF.12) supports voice and other real-time delay-sensitive data on
low-speed links. The standard accommodates variations in frame sizes in a way that allows a
combination of real-time and non-real-time data.
FRF.12 was developed to allow long data frames to be fragmented into smaller pieces (fragments) and
interleaved with real-time frames. In this way, real-time and non-real-time data frames are carried
together on lower-speed links without causing excessive delay to the real-time traffic.
Table 4-5 lists the SPAs that support FRF.12 on SIP-400, along with the supported fragment sizes and
fragment mode.

Table 4-5 List of SPAs supporting FRF.12 on SIP-400

SPA Name                                   Fragment Size Supported (bytes)   Fragment Mode
1-port Channelized OC12/STM-4 SPA          128, 256, and 512                 Hardware
8-Port Channelized T1/E1 SPA               128, 256, and 512                 Hardware
2-Port and 4-Port Channelized T3 SPA       128, 256, and 512                 Hardware
1-Port Channelized OC-3/STM-1 SPA          128, 256, and 512                 Hardware
1-Port Channelized OC48/DS3 SPA            128, 256, and 512                 Hardware

Restrictions
The following restrictions apply to FRF.12 on SIP-400:
• FRF.12 is supported only on SPAs that have fragmentation and reassembly capability in their hardware.
• Fragmentation is supported only for fragment sizes of 128, 256, and 512 bytes. Any other configured
value is rounded down to the nearest allowed fragment size, and a console message is displayed.
• Fragmentation statistics counters are not supported for SPA-based fragmentation.
Configuring FRF.12 on SIP-400
Configure FRF.12 on SIP-400 through Policy-map-class
Complete the following steps to configure FRF.12 on SIP-400 through policy-map-class.
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 class-map class-map-name
Step 4 match ip precedence precedence-range
Step 5 policy-map policy-map-name
Step 6 class class-name
Step 7 priority percent {x% | y ms}
Step 8 map-class frame-relay map-class-name
Step 9 frame-relay fragment fragment_size
Step 10 service-policy input | output policy-map-name
Step 11 interface serial slot/subslot/port:channel-group
Step 12 ip address address mask
Step 13 encapsulation frame-relay
Step 14 frame-relay intf-type dce | dte
Step 15 frame-relay interface-dlci dlci-number
Step 16 class frf12
Step 17 exit
DETAILED STEPS

Step 1 enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode. Enter your password when prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 class-map [match-all | match-any] class-name
Example:
Router(config)# class-map match-all prec4
Purpose: Creates a traffic class.
• match-all—(Optional) Specifies that all match criteria in the class map must
be matched, using a logical function AND of all matching statements defined
under the class. This is the default keyword.
• match-any—(Optional) Specifies that one or more match criteria must match,
using a logical function OR of all matching statements defined under the class.
• class-name—Specifies the user-defined name of the class.
Note You can define up to 256 unique class maps.

Step 4 match ip precedence precedence-range
Example:
Router(config-cmap)# match ip precedence 4
Purpose: Matches the precedence value in the IP header.
• precedence-range: Specifies the precedence value ranging from 0 to 7.

Step 5 policy-map policy-map-name
Example:
Router(config-cmap)# policy-map child2
Purpose: Specifies the name of the policy map to be created or modified.
• policy-map-name—Specifies the name of the policy to configure.

Step 6 class class-name
Example:
Router(config-pmap)# class prec4
Purpose: Specifies the name of a predefined class included in the service policy.
• class-name—Specifies the name of the class to configure.

Step 7 priority percent x% | y ms
Example:
Router(config-pmap-c)# priority percent 45
Purpose: Enables conditional policing rate (kbps or link percent). Conditional policing is
used if the logical or physical link is congested, where:
• x—Specifies the burst size in kbps. The burst size configures the network to
accommodate temporary bursts of traffic.
• y—Specifies the burst size in bytes.
• ms—Specifies the burst size in bytes.
Step 8 map-class frame-relay map-class-name
Example:
Router(config-pmap-c)# map-class frame-relay frf12
Purpose: Specifies a map class to define FRF.12.

Step 9 frame-relay fragment fragment_size
Example:
Router(config-map-class)# frame-relay fragment 128
Purpose: Enables fragmentation of frame relay frames for a frame relay map class.

Step 10 service-policy input | output policy-map-name
Example:
Router(config-map-class)# service-policy output parent2
Purpose: Attaches a traffic policy to the input or output direction of an interface, where:
• policy-map-name—Specifies the name of the traffic policy to configure.

Step 11 interface serial slot/subslot/port:channel-group
Example:
Router(config-map-class)# interface serial 3/0/2/1:0
Purpose: Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies the location of the interface.

Step 12 ip address ip-address mask
Example:
Router(config-if)# ip address 111.10.10.11 255.255.255.0
Purpose: Sets an IP address for an interface.
• ip-address—IP address.
• mask—Mask for the associated subnet.

Step 13 encapsulation frame-relay
Example:
Router(config-if)# encapsulation frame-relay
Purpose: Enables frame relay encapsulation and allows frame relay processing on the
supported interface.

Step 14 frame-relay intf-type dce | dte
Example:
Router(config-if)# frame-relay intf-type dte
Purpose: Configures the router to function as a Digital Communications Equipment (DCE)
or Data Terminal Equipment (DTE) device.

Step 15 frame-relay interface-dlci dlci-number
Example:
Router(config-if)# frame-relay interface-dlci 100
Purpose: Creates the specified DLCI on the subinterface and enters DLCI configuration
mode, where:
• dlci-number—Specifies the DLCI number to be used on the specified
subinterface.

Step 16 class frf12
no class frf12
Example:
Router(config-fr-dlci)# class frf12
Router(config-fr-dlci)# no class frf12
Purpose: Specifies a class to define FRF.12.
Use the no form of this command to disable frame relay fragmentation.

Step 17 exit
Example:
Router(config-fr-dlci)# exit
Purpose: Returns the command-line interface (CLI) to privileged EXEC mode.

Configuration Example
The following example configures FRF.12 on SIP-400 through policy-map-class:
Router> enable
Router# configure terminal
Router(config)# class-map match-all prec4
Router(config-cmap)# match ip precedence 4
Router(config-cmap)# policy-map child2
Router(config-pmap)# class prec4
Router(config-pmap-c)# priority percent 45
Router(config-pmap-c)# map-class frame-relay frf12
Router(config-map-class)# frame-relay fragment 128
Router(config-map-class)# service-policy output parent2
Router(config-map-class)# interface serial 3/0/2/1:0
Router(config-if)# ip address 111.10.10.11 255.255.255.0
Router(config-if)# encapsulation frame-relay
Router(config-if)# frame-relay intf-type dte
Router(config-if)# frame-relay interface-dlci 100
Router(config-fr-dlci)# class frf12
Router(config-fr-dlci)# exit
The following example disables FRF.12 on SIP-400 through policy-map-class:
Router(config-map-class)# interface Serial3/0/2/1:0
Router(config-if)# frame-relay interface-dlci 100
Router(config-fr-dlci)# no class frf12
Configure End-to-end FRF.12 Fragmentation on SIP-400
Complete the following to configure end-to-end FRF.12 fragmentation on SIP-400.
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 interface serial slot/subslot/port:channel-group
Step 4 ip address address mask
Step 5 encapsulation frame-relay
Step 6 frame-relay interface-dlci dlci-number [protocol ip ip-address]
Step 7 frame-relay intf-type dce | dte
Step 8 frame-relay fragment fragment_size end-to-end
Step 9 exit
DETAILED STEPS

Step 1 enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
Enter your password when prompted.

Step 2 configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 interface serial slot/subslot/port:channel-group
Example:
Router(config)# interface Serial 3/0/2/1:0
Purpose: Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies the location of the interface.

Step 4 ip address ip-address mask
Example:
Router(config-if)# ip address 111.10.10.11 255.255.255.0
Purpose: Sets an IP address for an interface.
• ip-address—IP address.
• mask—Mask for the associated subnet.

Step 5 encapsulation frame-relay
Example:
Router(config-if)# encapsulation frame-relay
Purpose: Enables frame relay encapsulation and allows frame relay processing on the
supported interface.

Step 6 frame-relay interface-dlci dlci-number [protocol ip ip-address]
Example:
Router(config-if)# frame-relay interface-dlci 100
Purpose: For point-to-point subinterfaces, assigns a data link connection identifier (DLCI)
to the interface that connects to the new router, and provides the IP address of the
serial port on the new router. This command should be used if the staging router is
acting as the BOOTP server.

Step 7 frame-relay intf-type dce | dte
Example:
Router(config-if)# frame-relay intf-type dte
Purpose: Configures the router to function as a Digital Communications Equipment (DCE)
or Data Terminal Equipment (DTE) device.

Step 8 frame-relay fragment fragment_size end-to-end
no frame-relay fragment fragment_size end-to-end
Example:
Router(config-if)# frame-relay fragment 128 end-to-end
Router(config-if)# no frame-relay fragment 128 end-to-end
Purpose: Enables fragmentation of frame relay frames on an interface.
Use the no form of this command to disable frame relay fragmentation.

Step 9 exit
Example:
Router(config-if)# exit
Purpose: Returns the command-line interface (CLI) to privileged EXEC mode.

Configuration Example
The following example configures end-to-end FRF.12 fragmentation on SIP-400:
Router> enable
Router# configure terminal
Router(config)# interface Serial3/0/2/1:0
Router(config-if)# ip address 111.10.10.11 255.255.255.0
Router(config-if)# encapsulation frame-relay
Router(config-if)# frame-relay interface-dlci 100
Router(config-if)# frame-relay intf-type dte
Router(config-if)# frame-relay fragment 128 end-to-end
Router(config-if)# exit
Verifying the Configuration
This section provides the commands to verify the configuration of FRF.12 on SIP-400.
Router# show frame-relay fragment
interface         dlci  frag-type  size  in-frag  out-frag  dropped-frag
Se3/0/2/1:0.1     *** fragment counters are not supported ***
Note The show frame-relay fragment command does not work for hardware-based fragmentation.
Router# show frame-relay pvc
PVC Statistics for interface Serial3/0/2/1:0 (Frame Relay DCE)
              Active     Inactive      Deleted       Static
  Local          1            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial3/0/2/1:0.1
  input pkts 20            output pkts 17           in bytes 7640
  out bytes 5799           dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 16        out bcast bytes 5760
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:19:08, last time pvc status changed 00:09:22
  fragment type end-to-end fragment size 128 <<<<<<<<<
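Because fragment counters are not available for hardware-based fragmentation, the fragment line in the show frame-relay pvc output is the available check that FRF.12 took effect on a DLCI. The following Python is an added example, not part of the Cisco guide: it parses that output and compares it with the intended fragment sizes after applying the round-down rule from the restrictions in this section. The sample text is constructed from the output shown here plus a made-up DLCI 200, and the comparison assumes the router reports the applied (rounded) size.

```python
import re

# Fragment sizes the guide lists for SPA-based FRF.12 on SIP-400.
ALLOWED_SIZES = (128, 256, 512)

# Constructed sample: lines from the "show frame-relay pvc" output in this
# section, plus a made-up DLCI 200 that has no fragmentation applied.
SAMPLE_SHOW_PVC = """\
PVC Statistics for interface Serial3/0/2/1:0 (Frame Relay DCE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial3/0/2/1:0.1
  input pkts 20            output pkts 17           in bytes 7640
  pvc create time 00:19:08, last time pvc status changed 00:09:22
  fragment type end-to-end fragment size 128
DLCI = 200, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial3/0/2/1:0.2
  input pkts 3             output pkts 3            in bytes 312
  pvc create time 00:19:08, last time pvc status changed 00:09:22
"""

DLCI_RE = re.compile(
    r"^DLCI = (\d+), DLCI USAGE = (\w+), PVC STATUS = (\w+), INTERFACE = (\S+)")
FRAG_RE = re.compile(r"fragment type (\S+)\s+fragment size (\d+)")


def effective_fragment_size(configured):
    """Largest allowed size that does not exceed the configured value.

    The guide does not say what happens below 128 bytes, so None is returned.
    """
    candidates = [size for size in ALLOWED_SIZES if size <= configured]
    return max(candidates) if candidates else None


def parse_show_pvc(text):
    """Return {dlci: details}, attaching each fragment line to its DLCI block."""
    pvcs, current = {}, None
    for line in text.splitlines():
        match = DLCI_RE.match(line.strip())
        if match:
            current = int(match.group(1))
            pvcs[current] = {"usage": match.group(2), "status": match.group(3),
                             "interface": match.group(4),
                             "frag_type": None, "frag_size": None}
            continue
        match = FRAG_RE.search(line)
        if match and current is not None:
            pvcs[current]["frag_type"] = match.group(1)
            pvcs[current]["frag_size"] = int(match.group(2))
    return pvcs


def audit(intended, show_text):
    """Compare intended {dlci: configured size} with the parsed show output.

    Assumption: the router reports the size it applied after rounding down.
    """
    pvcs = parse_show_pvc(show_text)
    findings = []
    for dlci, configured in sorted(intended.items()):
        expected = effective_fragment_size(configured)
        pvc = pvcs.get(dlci)
        if pvc is None:
            findings.append((dlci, "DLCI missing from show output"))
        elif pvc["status"] != "ACTIVE":
            findings.append((dlci, "PVC is " + pvc["status"]))
        elif pvc["frag_size"] is None:
            findings.append((dlci, "no fragment line: FRF.12 not applied"))
        elif expected is None:
            findings.append((dlci, "configured %d is below 128" % configured))
        elif pvc["frag_size"] != expected:
            findings.append((dlci, "reports %d, expected %d"
                             % (pvc["frag_size"], expected)))
    return findings


if __name__ == "__main__":
    for dlci, problem in audit({100: 200, 200: 256, 300: 512}, SAMPLE_SHOW_PVC):
        print("DLCI %d: %s" % (dlci, problem))
```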
Troubleshooting Tips

Problem: How do I debug the NPC frame relay?
Solution: Use the debug npc frame-relay command to display information related to Frame Relay
fragmentation on an NPC. Use the command on the LC.

Problem: How do I display the contents of the next hop protocol address to DLCI mapping table on the
router?
Solution: Use the show frame-relay map command.
Sample output of the command:
Router# show frame-relay map
Serial1/2 (up): ip 172.16.1.4 dlci 401(0x191,0x6410), dynamic,
              broadcast,, status defined, active
Serial1/2 (up): ip 172.16.1.5 dlci 501(0x1F5,0x7C50), dynamic,
              broadcast,, status defined, active
Serial1/2 (up): ip 172.16.1.2 dlci 301(0x12D,0x48D0), dynamic,
              broadcast,, status defined, active

Configuring Voice over Frame Relay FRF.11 and FRF.12
Voice over Frame Relay (VoFR) enables a router to carry voice traffic (for example, telephone calls and
faxes) over a frame relay network using the FRF.11 protocol. This specification defines multiplexed data,
voice, fax, dual-tone multi-frequency (DTMF) digit-relay, and channel-associated signaling (CAS)
frame formats. The Frame Relay backbone must be configured to include the map class and Local
Management Interface (LMI).
The Cisco VoFR implementation enables dynamic- and tandem-switched calls and Cisco trunk calls.
Dynamic-switched calls include dial-plan information that is used to process and route calls based on
the telephone numbers. The dial-plan information is contained within dial-peer entries.
Note Because the Cisco 7600 series router does not support voice modules, it can act only as a VoFR tandem
switch when FRF.11 or FRF.12 is configured on the SIPs.
Tandem-switched calls are switched from incoming VoFR to an outgoing VoFR-enabled data-link
connection identifier (DLCI) and tandem nodes enable the process. The nodes also switch Cisco trunk
calls.
Permanent calls are processed over the Cisco private-line trunks and static FRF.11 trunks that specify
the frame format and coder types for voice traffic over a Frame Relay network.
VoFR connections depend on the hardware platform and type of call. The types of calls are:
• Switched (user dialed or auto-ringdown and tandem)
• Permanent (Cisco trunk or static FRF.11 trunk)
Note FRF.11 support was removed in Cisco IOS Release 12.2(18)SXF on the Cisco 7600 series router.
Table 4-6 provides information about where the VoFR feature for SPA interfaces is supported.

Table 4-6 VoFR Feature Compatibility by SIP and SPA Combination

Feature: FRF.11
Cisco 7600 SIP-200: In Cisco IOS Releases 12.2(18)SXE and 12.2(18)SXE2:
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port Channelized T3 SPA
Cisco 7600 SIP-400: Not supported
Cisco 7600 SIP-600: Not supported

Feature: FRF.12
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA
for FRF.12 in SPA, which is hardware mode:
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 1-Port Channelized OC-3/STM-1 SPA
In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA for
FRF.12 in LC mode, which is software mode:
• SPA-12in1
• SPA-2xt3/e3
• SPA-4xt3/e3
Cisco 7600 SIP-400: Supported
Cisco 7600 SIP-600: Not supported

Feature: FRF.12
Cisco 7600 SIP-200: Effective with 15.2(1)S Release, FRF.12 supports SIP-400 with the following
Channelized SPAs:
• 1-port Channelized OC12/STM4 SPA
• 8-port Channelized T1/E1 SPA
• 2-port and 4-port Channelized T3 SPA
• 1-port Channelized OC3/STM1 SPA
• 1-port Channelized OC48/STM16/DS3 SPA
Cisco 7600 SIP-400: Supported
Cisco 7600 SIP-600: Not supported

For specific information about configuring voice over Frame Relay FRF.11 and FRF.12, refer to the
Cisco IOS Voice, Video, and Fax Configuration Guide located at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fvvfax_c/vvfvofr.htm
Configuring Layer 2 Interworking Features on a SIP
This section provides SIP-specific information about configuring the Layer 2 interworking features on
the Cisco 7600 series router. It includes the following topics:
• Configuring Bridging for ATM Interfaces (RFC 1483/RFC 2684)
• Configuring Multipoint Bridging
• Configuring Private Hosts over Virtual Private LAN Service (VPLS)
Configuring Bridging for ATM Interfaces (RFC 1483/RFC 2684)
The following types of bridging are supported on ATM SPAs in the Cisco 7600 series router. For
information about SIP and SPA compatibility with each of these features, see Table 4-7.
Note RFC 1483 has been obsoleted and superseded by RFC 2684, Multiprotocol Encapsulation over ATM
Adaptation Layer 5. To avoid confusion, this document continues to refer to the original RFC numbers.
• RFC 1483/RFC 2684 bridging for point-to-point PVCs —RFC 1483 has been obsoleted and
superseded by RFC 2684, Multiprotocol Encapsulation over ATM Adaptation Layer 5. RFC 2684
specifies the implementation of point-to-point bridging of Layer 2 PDUs from an ATM interface.
• RFC 1483/RFC 2684 bridging with IEEE 802.1Q tunneling—Allows service providers to aggregate
multiple VLANs over a single VLAN, while still keeping the individual VLANs segregated and
preserving the VLAN IDs for each customer. This tunneling simplifies traffic management for the
service provider, while keeping customer networks secure.
• RFC 1483/RFC 2684 half-bridging—Routes IP traffic from a stub-bridged Ethernet LAN over a
bridged RFC 1483/RFC 2684 ATM interface, without using integrated routing and bridging (IRB).
This allows bridged traffic that terminates on an ATM PVC to be routed on the basis of the
destination IP address.
• ATM routed bridge encapsulation (RBE)—The ATM SPAs support ATM Routed Bridge
Encapsulation (RBE), which is similar in functionality to RFC 1483 ATM half-bridging, except that
ATM half-bridging is configured on a point-to-multipoint PVC, while RBE is configured on a
point-to-point PVC.
• Bridging of routed encapsulations (BRE)—Enables an ATM SPA to receive RFC 1483/2684 routed
encapsulated packets and forward them as Layer 2 frames. In a BRE configuration, the PVC receives
the routed PDUs, removes the RFC 1483 routed encapsulation header, and adds an Ethernet MAC
header to the packet. The Layer 2 encapsulated packet is then switched by the forwarding engine to
the Layer 2 interface determined by the VLAN number and destination MAC.
• Per VLAN Spanning Tree (PVST) to PVST+ Bridge Protocol Data Unit (BPDU)
interoperability—PVST is a Cisco proprietary protocol that allows a Cisco device to support
multiple spanning tree topologies on a per-VLAN basis. PVST uses the BPDUs defined in IEEE
802.1D, but instead of one STP instance per switch, there is one STP instance per VLAN. PVST+
is a Cisco proprietary protocol that creates one STP instance per VLAN (as in PVST). However,
PVST+ enhances PVST and uses Cisco proprietary BPDUs with a special 802.2 Subnetwork Access
Protocol (SNAP) Organizational Unique Identifier (OUI) instead of the standard IEEE 802.1D
frame format used by PVST. PVST+ BPDUs are also known as Simple Symmetric Transmission
Protocol (SSTP) BPDUs.
Note The 1GE SPA on SIP-400 does not support the encapsulation dot1q vlan-id [native] command.
Table 4-7 provides information about where the bridging features for ATM SPA interfaces are supported.
For more details about the implementation and information about configuring bridging for ATM SPA
interfaces, see Chapter 7, “Configuring the ATM SPAs.”
Table 4-7 Bridging for ATM Interfaces Feature Compatibility by SIP and SPA Combination

Feature: RFC 1483/RFC 2684 Bridging for Point-to-Point PVCs (bridge-domain command)
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Bridging with IEEE 802.1Q Tunneling for Point-to-Point PVCs
(bridge-domain dot1q-tunnel command)
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA
and later:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
In Cisco IOS Release 12.2(18)SXF and Cisco IOS Release 12.2(33)SRA and later:
• 1-Port OC-48c/STM-16 ATM SPA
Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Half-Bridging for Point-to-Multipoint PVCs
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Routed Bridge Encapsulation (RBE) for Point-to-Point PVCs
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.

Feature: RFC 1483/RFC 2684 Bridging of Routed Encapsulations (BRE) for PVCs
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: Not supported.
Cisco 7600 SIP-600: Not supported.

Feature: Enhancements to RFC 1483/RFC 2684 Spanning Tree Interoperability (PVST to PVST+ BPDU
Interoperability)
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXF2 and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXF2 and later, and in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
• 1-Port OC-48c/STM-16 ATM SPA
Cisco 7600 SIP-600: Not supported.

Feature: Multi-VLAN to VC
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA
and later:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
• 1-Port OC-48c/STM-16 ATM SPA
Cisco 7600 SIP-600: Not supported.

Configuring Multipoint Bridging
Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, Bridge
Control Protocol (BCP) ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain
(virtual LAN), together with the LAN ports on that VLAN. This enables service providers to add support
for Ethernet-based Layer 2 services to the proven technology of their existing ATM and Frame Relay
legacy networks. Customers can then use their current VLAN-based networks over the ATM or Frame
Relay cloud. This also allows service providers to gradually update their core networks to the latest
Gigabit Ethernet optical technologies, while still supporting their existing customer base.
ATM interfaces use RFC 1483/RFC 2684 bridging, and Frame Relay interfaces use RFC 1490/RFC 2427
bridging, both of which provide an encapsulation method to allow the transport of Ethernet frames over
each type of Layer 2 network.
Beginning in Cisco IOS Release 12.2(33)SRA, MPB support is added on the Cisco 7600 SIP-400 to
multiplex different VLANs that are configured across multiple Gigabit Ethernet subinterfaces into a
single broadcast domain. Gigabit Ethernet interfaces can also reside on different Cisco 7600 SIP-400s
and belong to the same bridge domain.
Table 4-8 provides information about where the MPB features for SPA interfaces are supported.
Table 4-8 MPB Feature Compatibility by SIP and SPA Combination

Feature: MPB—60 VCs or interfaces per VLAN globally in system
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(18)SXE and later:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 2-Port and 4-Port Channelized T3 SPA
• 2-Port and 4-Port Clear Channel T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(18)SXE and later:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
Cisco 7600 SIP-600: Not supported.

Feature: MPB—112 VCs or interfaces per VLAN on each SIP
Note If you are using Virtual Private LAN Service (VPLS), see the MPB configuration guidelines.
Cisco 7600 SIP-200: In Cisco IOS Release 12.2(33)SRA:
• 1-Port Channelized OC-3/STM-1 SPA
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 2-Port and 4-Port Channelized T3 SPA
• 2-Port and 4-Port Clear Channel T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
Cisco 7600 SIP-400: Not applicable.
Cisco 7600 SIP-600: Not supported.

Feature: MPB—120 VCs or interfaces per VLAN on each SIP
Note If you are using VPLS, see the MPB bridging configuration guidelines.
Cisco 7600 SIP-200: Not supported.
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
• 1-Port OC-12c/STM-4 ATM SPA
• 1-Port OC-48c/STM-16 ATM SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-12c/STM-4 POS SPA
• 1-Port OC-48c/STM-16 POS SPA
In Cisco IOS Release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600: Not supported.

Feature: MPB on Gigabit Ethernet—Layer 2 bridging of frames between subinterfaces on different
physical Gigabit Ethernet ports
Cisco 7600 SIP-200: Not supported.
Cisco 7600 SIP-400: In Cisco IOS Release 12.2(33)SRA:
• 2-Port Gigabit Ethernet SPA
Cisco 7600 SIP-600: Not supported.

Feature: PIM snooping for MPB
Cisco 7600 SIP-200: Not supported.
Cisco 7600 SIP-400: Supported for all SPAs in Cisco IOS Release 12.2(33)SRA.
Cisco 7600 SIP-600: Not supported.

Configuring MPB for ATM PVCs
You can configure MPB manually on individual PVCs, or you can configure a range of PVCs to
configure all of the PVCs at one time. ATM interfaces use RFC 1483/RFC 2684 bridging, which provides
an encapsulation method to allow the transport of Ethernet frames over the Layer 2 network.
Note RFC 1483 has been obsoleted and superseded by RFC 2684, Multiprotocol Encapsulation over ATM
Adaptation Layer 5. To avoid confusion, this document continues to refer to the original RFC numbers.
MPB for ATM PVCs Configuration Guidelines
• Only ATM permanent virtual circuits (PVCs) are supported. SVCs are not supported.
• MPB is not supported on VLAN IDs 0, 1, 1002–1005, and 4095.
• Refer to Table 4-8 for limitations on the number of supported VCs.
• If you are using VPLS on a VC, then the total number of supported VC connection points for MPB
(112 for the Cisco 7600 SIP-200, or 120 for the Cisco 7600 SIP-400) is reduced by one for each
VPLS VC configured on that bridged VLAN. This reduces the total available number of VC
connection points for MPB on that VLAN globally for that SIP. For example, if you configure
10 VPLS VCs on bridged VLAN 100, for a SPA on a Cisco 7600 SIP-200 in slot 4, then
10 connection points are allocated to the VPLS VCs for VLAN 100 across the SIP in slot 4. The
total number of connection points available for MPB on VLAN 100 for the Cisco 7600 SIP-200 in
slot 4 is 112 minus 10, or 102. A different VLAN (for example, VLAN 300) on that same Cisco 7600
SIP-200 in slot 4, without any VPLS VCs, will have the full 112 VCs available.
• Routing and bridging is supported on the same interface or subinterface, but for security reasons,
routing and bridging is not supported on any given PVC. Therefore, you should not configure an IP
address on a point-to-point subinterface and then configure bridging on a PVC on that subinterface.
• For a limited form of trunking on ATM PVCs supporting multiple VLANs to a single VC, you can
configure dot1q tag. However, this configuration can lead to a performance penalty. When using this
configuration, you can specify up to 32 bridge-domain command entries for a single PVC. The
highest tag value in a group of bridge-domain commands must be greater than the first tag entered
(but less than 32 greater than the first tag entered).
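The guidelines above can be checked mechanically before a configuration change is applied. The following Python is an added example, not Cisco's code: it parses a constructed configuration and reports bridged ATM PVCs that break the VLAN-ID, VLAN-database, routed-and-bridged, and dot1q tag rules. It assumes running-config spellings of the commands in this section (interface ATMslot/subslot/port.subinterface, pvc vpi/vci, bridge-domain vlan-id dot1q tag); the interface names, VLANs and address are made up.

```python
import re

# VLAN IDs on which the guidelines say MPB is not supported.
UNSUPPORTED_VLANS = {0, 1, 4095} | set(range(1002, 1006))
MAX_DOT1Q_ENTRIES = 32  # bridge-domain entries allowed on one PVC
DOT1Q_TAG_WINDOW = 32   # highest tag must be < first tag + 32

# Constructed configuration for illustration; the interfaces, VLANs and
# address are made up and do not come from the guide.
SAMPLE_CONFIG = """\
vlan 100,200-201
!
interface ATM4/0/0.1 point-to-point
 no ip address
 pvc 1/100
  bridge-domain 100
!
interface ATM4/0/0.2 point-to-point
 ip address 192.0.2.1 255.255.255.0
 pvc 1/101
  bridge-domain 1002
!
interface ATM4/0/0.3 multipoint
 no ip address
 pvc 1/120
  bridge-domain 200 dot1q 10
  bridge-domain 201 dot1q 45
 pvc 1/121
  bridge-domain 300
"""


def parse_vlan_list(spec):
    """Expand a vlan-range such as '100,200-205' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def parse_config(text):
    """Return (VLAN database, list of ATM subinterfaces with their PVCs)."""
    vlan_db, subifs, subif, pvc = set(), [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan ([\d,\- ]+)$", line):
            vlan_db |= parse_vlan_list(m.group(1))
            subif = pvc = None
        elif m := re.match(r"interface (ATM\S+\.\d+)(?: (\S+))?", line, re.I):
            subif = {"name": m.group(1), "p2p": m.group(2) == "point-to-point",
                     "has_ip": False, "pvcs": []}
            subifs.append(subif)
            pvc = None
        elif line.startswith("interface "):
            subif = pvc = None  # main or non-ATM interface: out of scope
        elif subif is not None and line.startswith("ip address "):
            subif["has_ip"] = True
        elif subif is not None and (m := re.match(r"pvc (?:\S+ )?(\d+/\d+)", line)):
            pvc = {"id": m.group(1), "domains": []}
            subif["pvcs"].append(pvc)
        elif pvc is not None and (m := re.match(
                r"bridge-domain (\d+)(?: dot1q (\d+))?", line)):
            tag = int(m.group(2)) if m.group(2) else None
            pvc["domains"].append((int(m.group(1)), tag))
    return vlan_db, subifs


def lint(text):
    """Check bridged ATM PVCs against the MPB guidelines; return findings."""
    vlan_db, subifs = parse_config(text)
    findings = []
    for subif in subifs:
        for pvc in subif["pvcs"]:
            if not pvc["domains"]:
                continue  # routed PVC: the MPB rules do not apply
            where = "%s pvc %s" % (subif["name"], pvc["id"])
            # Routing and bridging must not be combined on one PVC.
            if subif["p2p"] and subif["has_ip"]:
                findings.append((where, "IP address on bridged point-to-point subinterface"))
            for vlan, _ in pvc["domains"]:
                if vlan in UNSUPPORTED_VLANS:
                    findings.append((where, "VLAN %d is not supported for MPB" % vlan))
                elif vlan not in vlan_db:
                    findings.append((where, "VLAN %d is not in the VLAN database" % vlan))
            tags = [tag for _, tag in pvc["domains"] if tag is not None]
            if len(tags) > MAX_DOT1Q_ENTRIES:
                findings.append((where, "more than 32 dot1q bridge-domain entries"))
            # Highest tag must be above the first tag and less than 32 above it.
            if len(tags) > 1 and not tags[0] < max(tags) < tags[0] + DOT1Q_TAG_WINDOW:
                findings.append((where, "dot1q tags outside first tag %d + 31" % tags[0]))
    return findings


if __name__ == "__main__":
    for where, problem in lint(SAMPLE_CONFIG):
        print("%s: %s" % (where, problem))
```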
SUMMARY STEPS
Step 1 vlan vlan-id | vlan-range
Step 2 interface atm slot/subslot/port
Step 3 interface atm slot/subslot/port.subinterface point-to-point | multipoint
Note All commands up to this point must be executed in global configuration mode. The commands that
follow are executed in subinterface configuration mode.
Step 4 no ip address
Step 5 pvc [name] vpi/vci
or
range [range-name] pvc start-vpi/start-vci end-vpi/end-vci
Step 6 bridge-domain vlan-id access | dot1q tag | dot1q-tunnel ignore-bpdu-pid pvst-tlv CE-vlan increment
split-horizon
DETAILED STEPS
To configure MPB for ATM PVCs, perform the following steps beginning in global configuration mode.
Command Purpose
Step 1 Router(config)# vlan vlan-id | vlan-range Adds the specified VLAN IDs to the VLAN
database and enters VLAN configuration mode,
where:
• vlan-id—Specifies a single VLAN ID. The
valid range is from 2 to 4094.
• vlan-range—Specifies multiple VLAN IDs, as
either a list or a range. The vlan-range can
contain a list of the VLAN IDs, separated by a
comma (,), dash (-), or both.
Note Before you can use a VLAN for multipoint
bridging, you must manually enter its
VLAN ID into the VLAN database.
Step 2 Router(config)# interface atm slot/subslot/port Specifies or creates an ATM interface, where:
• slot—Specifies the chassis slot number where
the SIP is installed.
• subslot—Specifies the secondary slot number
on a SIP where a SPA is installed.
• port—Specifies the number of the interface
port on the SPA.
Step 3 Router(config)# interface atm
slot/subslot/port.subinterface point-to-point |
multipoint
Specifies or creates a subinterface and enters
subinterface configuration mode, where:
• slot—Specifies the chassis slot number where
the SIP is installed.
• subslot—Specifies the secondary slot number
on a SIP where a SPA is installed.
• port—Specifies the number of the interface
port on the SPA.
• .subinterface—Specifies the number of the
subinterface on the interface port.
• point-to-point—Specifies a point-to-point
subinterface.
• multipoint—Specifies a multipoint
subinterface that allows multiple PVCs to use
the same subinterface.
Step 4 Router(config-subif)# no ip address Disables IP processing on the subinterface by
removing its IP address.
Use the following commands (pvc and bridge-domain) to create and configure PVCs individually. Repeat these
commands as desired. Or, use the range pvc and bridge-domain command with the increment keyword to
configure a range of PVCs.
Step 5 Router(config-subif)# pvc [name] vpi/vci
or
Router(config-subif)# range [range-name] pvc
start-vpi/start-vci end-vpi/end-vci
Configures a new ATM PVC or range of ATM
PVCs with the specified VPI and VCI numbers and
enters VC configuration mode or PVC range
configuration mode, where:
• name—(Optional) Specifies the descriptive
name to identify this PVC.
• vpi/vci—Specifies the virtual path identifier
(VPI) and virtual channel identifier (VCI) for
this PVC.
• range-name—(Optional) Specifies the
descriptive name of the range, up to a
maximum of 15 characters.
• start-vpi/—Specifies the beginning value for
the range of virtual path identifiers (VPIs). The
valid range is from 0 to 255, with a default of 0.
• start-vci—Specifies the beginning value for a
range of virtual channel identifiers (VCIs). The
valid range is from 32 to 65535.
• end-vpi/—Specifies the end value for the range
of VPIs. The valid range is from 0 to 255, with
a default that is equal to the start-vpi value.
• end-vci—Specifies the end value for a range of
virtual channel identifiers (VCIs). The VCI
value ranges from 32 to 65535.
Step 6 Router(config-if-atm-vc)# bridge-domain
vlan-id access | dot1q tag| dot1q-tunnel
ignore-bpdu-pid pvst-tlv CE-vlan increment
split-horizon
Enables RFC 1483 bridging to map a bridged
VLAN to an ATM PVC, where:
• vlan-id—Specifies the number of the VLAN to
be used in this bridging configuration. The
valid range is from 2 to 4094. The VLAN ID
must have been previously added to the VLAN
database in Step 1.
• access—(Optional) Enables access-only
bridging access mode, in which the bridged
connection does not transmit or act upon bridge
protocol data unit (BPDU) packets.
• dot1q—(Optional) Enables IEEE 802.1Q
tagging to preserve the class of service (CoS)
information from the Ethernet frames across
the ATM network. If not specified, the ingress
side assumes a CoS value of 0 for QoS
purposes. Using the dot1q keyword helps avoid
misconfiguration because incoming untagged
frames, or tagged frames that don’t match the
specified vlan-id are dropped.
• tag—(Optional—ATM PVCs only) Specifies
the IEEE 802.1Q value in the range 1 to 4095.
You can specify up to 32 bridge-domain
command entries using dot1q tag for a single
PVC. The highest tag value in a group of
bridge-domain commands must be greater
than the first tag entered (but less than 32
greater than the first tag entered).
• dot1q-tunnel—(Optional) Enables IEEE
802.1Q tunneling mode, so that service
providers can use a single VLAN to support
customers who have multiple VLANs, while
preserving customer VLAN IDs and keeping
traffic in different customer VLANs
segregated.
Note The access, dot1q, and dot1q-tunnel
options are mutually exclusive. If you do
not specify any of these options, the
connection operates in “raw” bridging
access mode, which is similar to access,
except that the connection processes and
transmits BPDU packets.
• ignore-bpdu-pid—(Optional—ATM PVCs
only) Ignores the protocol-ID field in RFC
1497 bridge protocol data unit (BPDU)
packets, to allow interoperation with ATM
customer premises equipment (CPE) devices
that do not distinguish BPDU packets from data
packets.
• pvst-tlv CE-vlan—(Optional) When
transmitting, translates PVST+ BPDUs into
IEEE BPDUs. When receiving, translates IEEE
BPDUs into PVST+ BPDUs. CE-vlan specifies
the customer-edge VLAN in the SSTP
Tag-Length-Value (TLV) to be inserted in an
IEEE BPDU to a PVST+ BPDU conversion.
• increment—(Optional—PVC range
configuration mode only) Increments the
bridge domain number for each PVC in the
range. This keyword is used when you are
configuring a range of PVCs using the range
pvc command.
• split-horizon—(Optional) Drops egress traffic
going out a VC or interface with split-horizon
configured, that arrived on an interface with
split-horizon configured.
Verifying MPB for ATM PVCs
To display information about the PVCs that have been configured on ATM interfaces, use the following
commands:
• show atm pvc—Displays a summary of the PVCs that have been configured.
• show atm vlan—Displays the connections between PVCs and VLANs.
Note Use the show atm vlan command instead of the show interface trunk command to display information
about ATM interfaces being used for multipoint bridging.
The following shows an example of each command:
Router# show atm pvc
           VCD /                                    Peak    Avg/Min  Burst
Interface  Name   VPI   VCI   Type   Encaps   SC    Kbps    Kbps     Cells   Sts
5/0/0      1      0     102   PVC    SNAP     UBR   599040                   UP
5/0/0      2      0     103   PVC    SNAP     UBR   599040                   UP
5/0/0      3      0     111   PVC    SNAP     UBR   599040                   UP
5/0/0      3      0     111   PVC    SNAP     UBR   599040                   UP
5/0/0      3      0     111   PVC    SNAP     UBR   599040                   UP
Router# show atm vlan
Options Legend: DQ - dot1q; DT - dot1q-tunnel; MD - multi-dot1q;
                AC - access; SP - split-horizon; BR - broadcast;
                IB - ignore-bpdu-pid;
                DEF - default
Interface   VCD   VPI     Network   Customer   PVC      Options
                  /VCI    Vlan ID   Dot1Q-ID   Status
ATM5/0/0    1     0/102   102       1002       UP       MD
ATM5/0/0    2     0/103   103       1003       UP       MD
ATM5/0/0    3     0/111   111       1111       UP       MD
ATM5/0/0    3     0/111   112       1112       UP       MD
ATM5/0/0    3     0/111   113       1113       UP       MD
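The rules stated in Steps 1 through 6 for MPB on ATM PVCs can be checked against a candidate configuration before it is applied. The following Python lint is an added example, not part of the Cisco guide: the function names, finding codes and sample configuration are constructed for illustration, and it assumes one command per line in the syntax shown above and individually configured PVCs only (not range pvc).

```python
"""Pre-deployment lint for ATM multipoint-bridging (MPB) configuration text."""

MODES = {"access", "dot1q", "dot1q-tunnel"}  # mutually exclusive per the Step 6 note

# Constructed sample, not taken from the guide. 192.0.2.1 is a documentation address.
SAMPLE_CONFIG = """\
vlan 102-103,111-113
interface atm 5/0/0.1 multipoint
 no ip address
 pvc 0/102
  bridge-domain 102 dot1q
 pvc 0/103
  bridge-domain 103 access dot1q-tunnel
 pvc 0/111
  bridge-domain 111 dot1q 1111
  bridge-domain 112 dot1q 1112
  bridge-domain 113 dot1q 1150
interface atm 5/0/0.2 point-to-point
 ip address 192.0.2.1 255.255.255.0
 pvc 0/120
  bridge-domain 120
"""


def parse_vlan_list(spec):
    """Expand a vlan-range such as '102-103,111' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def lint_atm_mpb(config):
    """Return (location, finding-code) tuples for deviations from Steps 1-6."""
    declared, findings = set(), []
    subif = pvc = None
    has_ip, bridged, tags = set(), set(), {}
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "vlan" and len(words) == 2:           # Step 1
            declared |= parse_vlan_list(words[1])
        elif words[0] == "interface" and len(words) >= 3:    # Steps 2-3
            subif, pvc = words[2], None
        elif words[:2] == ["ip", "address"] and subif:       # Step 4 not applied
            has_ip.add(subif)
        elif words[0] == "pvc":                              # Step 5
            pvc = words[-1]
        elif words[0] == "bridge-domain" and pvc and len(words) >= 2:  # Step 6
            where = f"{subif} pvc {pvc}"
            vlan, opts = int(words[1]), words[2:]
            bridged.add(subif)
            if not 2 <= vlan <= 4094:
                findings.append((where, "vlan-out-of-range"))
            elif vlan not in declared:
                findings.append((where, "vlan-not-in-database"))
            modes = MODES & set(opts)
            if len(modes) > 1:
                findings.append((where, "exclusive-modes-combined"))
            elif not modes:
                # Raw mode: the connection processes and transmits BPDUs.
                findings.append((where, "raw-mode-processes-bpdus"))
            if "dot1q" in opts:
                nxt = opts[opts.index("dot1q") + 1:][:1]
                if nxt and nxt[0].isdigit():
                    tag = int(nxt[0])
                    if not 1 <= tag <= 4095:
                        findings.append((where, "tag-out-of-range"))
                    tags.setdefault(where, []).append(tag)
    for where, seen in tags.items():
        if len(seen) > 32:
            findings.append((where, "more-than-32-tags"))
        # Highest tag must exceed the first tag entered by less than 32.
        if len(seen) > 1 and not seen[0] < max(seen) < seen[0] + 32:
            findings.append((where, "tag-spread"))
    for name in sorted(bridged & has_ip):
        findings.append((name, "ip-address-on-bridged-subinterface"))
    return findings


if __name__ == "__main__":
    for where, code in lint_atm_mpb(SAMPLE_CONFIG):
        print(f"{where}: {code}")
```

The raw-mode finding is informational: it marks PVCs that process and transmit BPDUs because none of access, dot1q or dot1q-tunnel was given.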
Verification
Use these commands to verify operation.
Command Purpose
Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Displays information pertaining to a specific EVC if an EVC
ID is specified, or pertaining to all EVCs on an interface if an
interface is specified. The detail option provides additional
information on the EVC.
Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Displays information about one or more service instances: If a
service instance ID and interface are specified, only data
pertaining to that particular service instance is displayed. If
only an interface ID is specified, displays data for all service
instances on the given interface.
Router# show ethernet service interface [interface-id] [detail]
Displays information in the Port Data Block (PDB).
Router# show ethernet service instance summary
Displays overall EVC count as well as individual interface
EVC count.
Configuring MPB for Frame Relay
You can configure MPB for Frame Relay on individual DLCI circuits. You can optionally add 802.1Q
tagging or 802.1Q tunneling. Frame Relay interfaces use RFC 1490/RFC 2427 bridging, which provides
an encapsulation method to allow the transport of Ethernet frames over the Layer 2 network.
Note RFC 1490 has been obsoleted and superseded by RFC 2427, Multiprotocol Interconnect over Frame
Relay. To avoid confusion, this document continues to refer to the original RFC numbers.
MPB for Frame Relay Configuration Guidelines
• Multipoint bridging on Frame Relay interfaces supports only IETF encapsulation. Cisco
encapsulation is not supported for MPB.
• MPB is not supported on VLAN IDs 0, 1, 1002–1005, and 4095.
• Refer to Table 4-8 for limitations on the number of supported VCs.
• If you are using VPLS, then the total number of supported DLCI connection points for MPB (112 for
the Cisco 7600 SIP-200, or 120 for the Cisco 7600 SIP-400) is reduced by one for each VPLS
instance configured on that bridged VLAN. This reduces the total available number of DLCI
connection points for MPB on that VLAN globally for that SIP. For example, if you configure
10 VPLS instances on a bridged VLAN 100, for a SPA on a Cisco 7600 SIP-200 in slot 4, then
10 connection points are allocated to the VPLS instances for VLAN 100 across the SIP in slot 4.
The total number of connection points available for MPB on VLAN 100 for the Cisco 7600 SIP-200
in slot 4 is 112 minus 10, or 102. A different VLAN (for example, VLAN 300) on that same
Cisco 7600 SIP-200 in slot 4, without any VPLS DLCIs, will have the full 112 DLCIs available.
• Routing and bridging is supported on the same interface or subinterface, but for security reasons,
routing and bridging is not supported on any given DLCI. Therefore, you should not configure an
IP address on a point-to-point subinterface and then configure bridging on a DLCI on that
subinterface.
SUMMARY STEPS
Step 1 vlan vlan-id | vlan-range
Step 2 interface serial slot/subslot/port
or
interface pos slot/subslot/port
Step 3 encapsulation frame-relay ietf
Step 4 interface serial slot/subslot/port.subinterface point-to-point | multipoint
OR
interface serial slot/subslot/port/t1-number:channel-group.subinterface point-to-point | multipoint
OR
interface serial slot/subslot/port:channel-group.subinterface point-to-point | multipoint
OR
interface pos slot/subslot/port.subinterface point-to-point | multipoint
OR
interface serial address
Note All commands up to this point must be executed in global configuration mode. The commands that follow
are executed in subinterface configuration mode unless specifically mentioned otherwise.
Step 5 no ip address
Step 6 frame-relay interface-dlci dlci ietf
Step 7 bridge-domain vlan-id access | dot1q | dot1q-tunnel pvst-tlv CE-vlan split-horizon (This command
is executed on the DLCI interface configuration mode)
Note ChOC-12 does not support the bridge-domain command.
DETAILED STEPS
To configure MPB for Frame Relay on serial or POS SPAs, perform the following steps beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# vlan vlan-id | vlan-range Adds the specified VLAN IDs to the VLAN database
and enters VLAN configuration mode, where:
• vlan-id—Specifies a single VLAN ID. The valid
range is from 2 to 4094.
• vlan-range—Specifies multiple VLAN IDs, as
either a list or a range. The vlan-range can
contain a list of the VLAN IDs, separated by a
comma (,), dash (-), or both.
Note Before you can use a VLAN for multipoint
bridging, you must manually enter its VLAN
ID into the VLAN database.
Step 2 Router(config)# interface serial
slot/subslot/port
or
Router(config)# interface pos slot/subslot/port
Specifies or creates a serial or POS interface, where:
• slot—Specifies the chassis slot number where
the SIP is installed.
• subslot—Specifies the secondary slot number on
a SIP where a SPA is installed.
• port—Specifies the number of the interface port
on the SPA.
Step 3 Router(config-if)# encapsulation frame-relay
ietf
Enables Frame Relay encapsulation on the interface,
using IETF encapsulation. You must specify the ietf
keyword either here or in Step 6 for each individual
DLCI.
Note Multipoint bridging does not support Cisco
encapsulation using the cisco keyword.
Step 4 2-Port and 4-Port Clear Channel T3/E3 SPA
Router(config)# interface serial
slot/subslot/port.subinterface point-to-point |
multipoint
2-Port and 4-Port Channelized T3 SPA
Router(config)# interface serial
slot/subslot/port/t1-number:channel-group.subinterface
point-to-point | multipoint
8-Port Channelized T1/E1 SPA
Router(config)# interface serial
slot/subslot/port:channel-group.subinterface
point-to-point | multipoint
1-Port Channelized OC-3/STM-1 SPA and 1-Port
Channelized OC-12/STM-4 SPA
Router(config)# interface serial address
1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port
OC-3c/STM-1 POS SPA
Router(config)# interface pos
slot/subslot/port.subinterface point-to-point |
multipoint
Specifies or creates a subinterface and enters
subinterface configuration mode, where:
• slot—Specifies the chassis slot number where
the SIP is installed.
• subslot—Specifies the secondary slot number on
a SIP where a SPA is installed.
• port—Specifies the number of the interface port
on the SPA.
• .subinterface—Specifies the number of the
subinterface on the interface port.
• t1-number—Specifies the logical T1 number in
channelized mode.
• address—For the different supported syntax
options for the address argument for the 1-Port
Channelized OC-3/STM-1 SPA or 1-Port
Channelized OC-12/STM-4 SPA, see the
“Interface Naming” section of the “Configuring
the 1-Port Channelized OC-3/STM-1 SPA”
chapter.
• channel-group—Specifies the logical channel
group assigned to the time slots within the T1 or
E1 group.
• point-to-point—Specifies a point-to-point
subinterface.
• multipoint—Allows multiple PVCs to use the
same subinterface
Step 5 Router(config-subif)# no ip address Disables IP processing on a particular interface by
removing its IP address.
Step 6 Router(config-subif)# frame-relay
interface-dlci dlci ietf
Creates the specified DLCI on the subinterface and
enters DLCI configuration mode, where:
• dlci—Specifies the DLCI number to be used on
the specified subinterface.
• ietf—(Optional) Specifies IETF encapsulation.
This option is required if you did not specify
IETF encapsulation in Step 4.
Note This command includes other options that
are not supported when using multipoint
bridging.
Step 7 Router(config-fr-dlci)# bridge-domain vlan-id
access | dot1q | dot1q-tunnel pvst-tlv CE-vlan
split-horizon
Enables RFC 1490 bridging to map a bridged VLAN
to a Frame Relay DLCI, where:
• vlan-id —Specifies the number of the VLAN to
be used in this bridging configuration. The valid
range is from 2 to 4094. The VLAN ID must
have been previously added to the VLAN
database in Step 1.
• access—(Optional) Enables access-only
bridging access mode, in which the bridged
connection does not transmit or act upon bridge
protocol data unit (BPDU) packets.
• dot1q—(Optional) Enables IEEE 802.1Q
tagging to preserve the class of service (CoS)
information from the Ethernet frames across the
Frame Relay network. If not specified, the
ingress side assumes a CoS value of 0 for QoS
purposes. Using the dot1q keyword helps avoid
misconfiguration because incoming untagged
frames, or tagged frames that do not match the
specified vlan-id are dropped.
• dot1q-tunnel—(Optional) Enables IEEE
802.1Q tunneling mode, so that service
providers can use a single VLAN to support
customers who have multiple VLANs, while
preserving customer VLAN IDs and keeping
traffic in different customer VLANs segregated.
Note The access, dot1q, and dot1q-tunnel
options are mutually exclusive. If you do not
specify any of these options, the connection
operates in “raw” bridging access mode,
which is similar to access, except that the
connection processes and transmits BPDU
packets.
• pvst-tlv CE-vlan—(Optional) When
transmitting, translates PVST+ BPDUs into
IEEE BPDUs. When receiving, translates IEEE
BPDUs into PVST+ BPDUs. CE-vlan specifies
the customer-edge VLAN in the SSTP
Tag-Length-Value (TLV) to be inserted in an
IEEE BPDU to a PVST+ BPDU conversion.
• split-horizon—(Optional) Drops egress traffic
going out a VC or interface with split-horizon
configured, that arrived on an interface with
split-horizon configured.
Note ChOC-12 does not support the
bridge-domain command.
Verifying MPB for Frame Relay
To display information about the DLCIs that have been configured on Frame Relay interfaces, use the
show frame-relay vlan command.
Router# show frame-relay vlan
Interface Bridge DLCI Domain
POS3/1/0.100 100 100
Configuring MPB for Gigabit Ethernet
Beginning in Cisco IOS Release 12.2(33)SRA, MPB support is added on the Cisco 7600 SIP-400 to
multiplex different VLANs that are configured across multiple Gigabit Ethernet subinterfaces into a
single broadcast domain. Gigabit Ethernet interfaces can also reside on different Cisco 7600 SIP-400s
and belong to the same bridge domain.
MPB for Gigabit Ethernet Configuration Guidelines
• The Cisco 7600 SIP-400 can support a total of up to 4096 subinterfaces and bridge-domain instances
per VLAN. For example, one subinterface with a configured VLAN using MPB will consume two
of the available 4096 total allowable subinterfaces and bridge domains combined.
• Up to 60 subinterfaces can be put into the same bridge domain on the Cisco 7600 SIP-400.
To configure MPB for Gigabit Ethernet, perform the following steps beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# vlan {vlan-id |
vlan-range}
Adds the specified VLAN IDs to the VLAN database and
enters VLAN configuration mode, where:
• vlan-id—Specifies a single VLAN ID. The valid
range is from 2 to 4094.
• vlan-range—Specifies multiple VLAN IDs, as either
a list or a range. The vlan-range can contain a list of
the VLAN IDs, separated by a comma (,), dash (-), or
both.
Note Before you can use a VLAN for multipoint
bridging, you must manually enter its VLAN ID
into the VLAN database.
Step 2 Router(config)# interface gigabitethernet
slot/subslot/port.subinterface
Specifies or creates a Gigabit Ethernet subinterface and
enters subinterface configuration mode, where:
• slot—Specifies the chassis slot number where the SIP
is installed.
• subslot—Specifies the secondary slot number on a
SIP where a SPA is installed.
• port—Specifies the number of the interface port on
the SPA.
• .subinterface—Specifies the number of the
subinterface on the interface port.
Step 3 Router(config-subif)# encapsulation dot1q
vlan-id
Enables IEEE 802.1Q encapsulation on the interface,
where vlan-id specifies the virtual LAN identifier. The
allowed range is from 1 to 4095.
Step 4 Router(config-subif)# bridge-domain
vlan-id [dot1q | dot1q-tunnel] [bpdu
{drop | transparent}] [split-horizon]
Enables bridging of VLANs across Gigabit Ethernet
subinterfaces, where:
• vlan-id —Specifies the number of the VLAN to be
used in this bridging configuration. The valid range is
from 2 to 4094. The VLAN ID must have been
previously added to the VLAN database in Step 1.
• dot1q—(Optional) Enables IEEE 802.1Q tagging to
preserve the class of service (CoS) information from
the Ethernet frames across the ATM network. If not
specified, the ingress side assumes a CoS value of 0
for QoS purposes.
• dot1q-tunnel—(Optional) Enables IEEE 802.1Q
tunneling mode, so that service providers can use a
single VLAN to support customers who have
multiple VLANs, while preserving customer VLAN
IDs and keeping traffic in different customer VLANs
segregated.
Note The dot1q and dot1q-tunnel options are
mutually exclusive. If you do not specify either of
these options, the connection operates in “raw”
bridging access mode, which is similar to access,
except that the connection processes and
transmits BPDU packets.
• bpdu {drop | transparent}—(Optional) Specifies
whether or not BPDUs are processed or dropped,
where:
– drop—Specifies BPDU packets are dropped on
the subinterface.
– transparent—Specifies BPDU packets are
forwarded as data on the subinterface, but not
processed.
• split-horizon—(Optional) Drops egress traffic going
out a VC or interface with split-horizon configured,
that arrived on an interface with split-horizon
configured.
Configuring Private Hosts SVI (Interface VLAN)
The Private Hosts feature allows automatic insertion of Router (SVI) MAC into the Private Hosts
configuration. Private Hosts track the L2 port that a server is connected to, and limit undesired traffic
through MAC-layer ACLs. Hosts can carry multiple traffic types via trunk port, remain isolated from
each other, and still communicate to a common server. Private hosts work at Layer 2 interface level.
Port classification
• Isolated ports: The hosts which need to be isolated will be directly or indirectly connected through
DSLAMs to this type of ports. The unicast traffic received on these ports should be always destined
towards specified upstream devices
• Promiscuous ports: The ports facing the core network or devices like BRAS and multicast servers
are called promiscuous ports. These ports can allow any unicast or broadcast traffic received from
upstream devices.
Private hosts traffic is treated as Layer 2 traffic and routing needs an external router to be configured.
Instead of configuring a server MAC address into Private Hosts, you must configure the router MAC
address. This feature adds the SVIs into the Private Host configuration, eliminating the need for the
external router.
Configuration tasks
To configure the private hosts SVI (Interface VLAN) feature, perform the following steps in the global
configuration mode:
Command Purpose
Step 1 Router(config)# [no] private-hosts This command is used to enable or disable the private hosts
feature on a Cisco 7600 device globally. The [no] form of
the command disables the private hosts feature globally.
This command is disabled by default.
Step 2 Router(config)# [no] private-hosts
mac-list
This command is used to populate the MAC address list.
The [no] form of the command deletes a MAC
address from the list. The list itself is deleted after the
deletion of the last MAC address.
Step 3 Router(config)# [no] private-hosts
vlan-list
This command is used to provide list of VLANs that need
to be isolated. A [no] form will remove the given VLANs
from the isolated VLAN list.
Note This VLAN -list is also used to program the
promiscuous devices' MAC addresses
Step 4 Router(config)# [no] private-hosts
promiscuous [vlan-list
]
This command is used to provide list of promiscuous
MAC addresses and optional VLAN-list on which these
devices might exist.
If the VLAN-list is not given, the VLAN list is taken from
the global isolated VLAN- list configured. This command
can be executed multiple times with different MAC-list
and vlan-list combination.
Restrictions
The following restrictions should be considered while configuring the private hosts SVI feature:
• You cannot restrict Private Host SVIs to a configured subset of VLANs. If you want a subset of
VLANs to use SVI's, you must ensure there are no SVIs on the VLANs that are not to be routed.
• This feature is applicable only to native system.
• This feature is not supported on hybrid systems.
• This feature installs protocol independent PACLs and enables MAC classification on the VLAN. As
a result features like RACLs do not work with it.
• This feature is supported only on PFC-3BXL or above cards.
• This feature is not supported on EARL6 or below.
Sample Configuration
PE18_C7606#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE18_C7606(config)#private-hosts
PE18_C7606(config)#private-hosts mac-list ML1 10de.aa0d.e2ad
PE18_C7606(config)#private-hosts vlan-list?
vlan-list
PE18_C7606(config)#private-hosts vlan-list 1
PE18_C7606(config)#private-hosts promiscuous?
promiscuous
PE18_C7606(config)#private-hosts promiscuous ML1
Verifying the Private Hosts SVI (Interface VLAN) configuration
Use the following show commands to verify the Private Hosts SVI (Interface VLAN) configuration:
Command Purpose
Router(config)# show private-hosts
configuration
Displays the global private hosts configuration
Router(config)# show private-hosts access-lists Displays the private hosts related access lists
Router(config)# show private-hosts interface
configuration
Displays the ports on which the feature is enabled
with the configured mode
Router(config)# show private-hosts mac-list Displays the configured mac-lists and their
members
Configuring Private Hosts over Virtual Private LAN Service (VPLS)
The private host feature supports the redirection of broadcast and unicast from isolated ports over VPLS
virtual circuit. The private host feature allows the addition of one VPLS enabled VLAN (cross-connect
configured on a VLAN) in the private host vlan-list, along with the regular VLAN and SVI.
Restrictions and Guidelines
While configuring private hosts over VPLS, besides noting the private host SVI restrictions listed in
Restrictions, page 4-165, keep the following additional guidelines in mind:
• Private host limits VPLS support to only one VLAN. If the private host Vlan-list already has a
VPLS VLAN (VLAN with cross-connect), the addition of another VPLS VLAN will be blocked.
• If any VLAN in the Vlan-list has cross-connect configured, configuring cross-connect on another
VLAN in the Vlan-list will be blocked.
Configuration Steps
Use the following commands to configure private hosts over VPLS.
SUMMARY STEPS
1. [no] private-hosts
2. private-hosts vlan-list vlan-ids
3. private-hosts promiscuous mac list name
4. private-hosts mac-list mac list name mac-id
DETAILED STEPS
Command Purpose
Router(config)#[no] private-hosts
Example:
PE17_C7606(config)#private-hosts
Globally enables or disables the Private Hosts SVI
feature on a Cisco 7600 device. The ‘no’ form of
the command disables this feature globally. By
default, this command is in disabled mode.
Router(config)#private-hosts vlan-list vlan-ids
Example:
PE17_C7606(config)#private-hosts vlan-list
10-15
Enables private hosts on the specified VLAN or
range of VLAN IDs.
Router(config)#private-hosts promiscuous mac
list name
Example:
PE17_C7606(config)#private-hosts
promiscuous maclist-1
Sets a name for a group of private hosts enabled
with promiscuous MAC addresses.
Router(config)#private-hosts mac-list mac list
name mac-id
Example:
PE17_C7606(config)#private-hosts mac-list
maclist-1 0000.1e11.00d1
Assigns MAC addresses to the MAC list.
Verifying the Private Hosts on the VPLS Configuration
Use the following show commands to verify the private hosts over VPLS configuration:
Command Purpose
Router(config)# show private-hosts access-lists Displays access lists related to private hosts
Router(config)#show private-hosts
configuration
Displays private hosts global configuration
Router(config)# show private-hosts interface Displays configuration related to private hosts
interface.
Router(config)# show private-hosts mac-list Displays MAC lists and their members.
Example
PE17_C7606#show private-hosts ?
access-lists Show the private hosts related access lists
configuration Show private hosts global configuration
interface Show private hosts interface related configuration
mac-list Show the mac lists and their members
Table 4-9 provides the troubleshooting solutions for the Private Host feature.
Table 4-9 Troubleshooting Scenarios for Private Host feature
Problem Solution
To troubleshoot and view all the TCAM entries. Use the sh hw-mod su subslot tcam command to verify and
troubleshoot issues related to the TCAM entries.
To troubleshoot and view virtual VLAN IDs on a qinq
subinterface.
Use the test hw-mod su subslot command to troubleshoot
issues related to virtual VLAN ID values on a QnQ
subinterface.
Incorrect VLAN ID is programmed. Use the command show hw-module subslot tcam all_entries
vlan to confirm the correct VLAN IDs.
Erroneous or disabled TCAM entries Use the show plat soft qos tcamfeature and show platform
software qos tcam commands to correct the TCAM entries.
Configuring PPP Bridging Control Protocol Support
The Bridging Control Protocol (BCP) feature on the SIPs and SPAs enables forwarding of Ethernet
frames over serial and SONET networks, and provides a high-speed extension of enterprise LAN
backbone traffic through a metropolitan area. The implementation of BCP on the SPAs includes support
for IEEE 802.1D Spanning Tree Protocol, IEEE 802.1Q Virtual LAN (VLAN), and high-speed switched
LANs.
The Bridging Control Protocol (BCP) feature provides support for BCP to Cisco devices, as described
in RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP). The Cisco
implementation of BCP is a VLAN infrastructure that does not require the use of subinterfaces to group
Ethernet 802.1Q trunks and the corresponding PPP links. This approach enables users to process VLAN
encapsulated packets without having to configure subinterfaces for every possible VLAN configuration.
BCP operates in two different modes:
• Trunk mode BCP (switchport)—A single BCP link can carry multiple VLANs.
• Single-VLAN BCP (bridge-domain)—A single BCP link carries only one VLAN.
In addition, in Cisco IOS Release 12.2(33)SRA, BCP is supported over dMLPPP links on the Cisco 7600
SIP-200 with the 2-Port and 4-Port Channelized T3 SPA and 8-Port Channelized T1/E1 SPA. BCP over
dMLPPP is supported in trunk mode only.
Effective from Cisco IOS release 15.2(1)S, BCP over dMLPPP is also supported on the Cisco 7600
SIP-400 with the following SPAs:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC12/STM-4 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
BCP Feature Compatibility
Table 4-10 provides information about where the BCP features are supported.
Table 4-10 BCP Feature Compatibility by SIP and SPA Combination
Feature Cisco 7600 SIP-200 Cisco 7600 SIP-400 Cisco 7600 SIP-600
Trunk mode BCP (switchport) In Cisco IOS Release
12.2(18)SXE and later:
• 2-Port and 4-Port
Channelized T3 SPA
• 2-Port and 4-Port Clear
Channel T3/E3 SPA
• 8-Port Channelized T1/E1
SPA
• 2-Port and 4-Port
OC-3c/STM-1 POS SPA
Support for the following SPA
was added in Cisco IOS
Release 12.2(33)SRA:
• 1-Port Channelized
OC-3/STM-1 SPA
In Cisco IOS Release
12.2(18)SXE and later:
• 1-Port OC-12c/STM-4
POS SPA
• 2-Port and 4-Port
OC-3c/STM-1 POS SPA
• 1-Port OC-48c/STM-16
POS SPA
In Cisco IOS release
15.2(1)S:
• 1-Port Channelized
OC12/STM-4 SPA
• 2-Port and 4-Port T3/E3
SPA
• 8-Port Channelized
T1/E1 SPA
• 1-Port Channelized
OC-3/STM-1 SPA
• 1-Port Channelized
OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear
Channel T3/E3 SPA
Not supported.4-58
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 4 Configuring the SIPs and SSC
Configuration Tasks
Table 4-10 BCP Feature Compatibility by SIP and SPA Combination (continued)
Feature: Tag-native Mode for Trunk BCP (switchport)
Cisco 7600 SIP-200:
• In Cisco IOS 12.2SX releases—Not supported.
• In Cisco IOS Release 12.2(33)SRA:
– 2-Port and 4-Port Channelized T3 SPA
– 2-Port and 4-Port Clear Channel T3/E3 SPA
– 8-Port Channelized T1/E1 SPA
– 2-Port and 4-Port OC-3c/STM-1 POS SPA
– 1-Port Channelized OC-3/STM-1 SPA
Cisco 7600 SIP-400:
• In Cisco IOS 12.2SX releases—Not supported.
• In Cisco IOS Release 12.2(33)SRA:
– 1-Port OC-12c/STM-4 POS SPA
– 2-Port and 4-Port OC-3c/STM-1 POS SPA
– 1-Port OC-48c/STM-16 POS SPA
• In Cisco IOS release 15.2(1)S:
– 1-Port Channelized OC12/STM-4 SPA
– 2-Port and 4-Port Channelized T3 SPA
– 8-Port Channelized T1/E1 SPA
– 1-Port Channelized OC-3/STM-1 SPA
– 1-Port Channelized OC48/STM/16/DS3 SPA
– 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600:
Not supported.
BCP Configuration Guidelines
When configuring BCP support for SPAs on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, consider
the following guidelines:
• Be sure to refer to Table 4-10 for feature compatibility information.
• Beginning in Cisco IOS Release 12.2(33)SRA, QoS is supported on bridged interfaces. In Cisco IOS
Release 12.2(18)SXF2 and earlier, QoS is not supported on bridged interfaces.
Table 4-10 BCP Feature Compatibility by SIP and SPA Combination (continued)
Feature: Single-VLAN BCP (bridge-domain)
Cisco 7600 SIP-200:
In Cisco IOS Release 12.2(18)SXE and later:
• 2-Port and 4-Port Channelized T3 SPA
• 2-Port and 4-Port Clear Channel T3/E3 SPA
• 8-Port Channelized T1/E1 SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
Support for the following SPA was added in Cisco IOS Release 12.2(33)SRA:
• 1-Port Channelized OC-3/STM-1 SPA
Cisco 7600 SIP-400:
In Cisco IOS Release 12.2(33)SRA:
• 1-Port OC-12c/STM-4 POS SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-48c/STM-16 POS SPA
In Cisco IOS release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600:
Not supported.
Feature: BCP over dMLPPP (trunk mode only)
Cisco 7600 SIP-200:
In Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
Cisco 7600 SIP-400:
In Cisco IOS release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
Cisco 7600 SIP-600:
Not supported.
• Although RFC 3518 specifies support for Token Ring and Fiber Distributed Data Interface (FDDI),
BCP on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 supports only Ethernet currently.
Configuring BCP in Trunk Mode
When BCP is configured in trunk mode, a single BCP link can carry multiple VLANs. This usage of
BCP is consistent with that of normal Ethernet trunk ports.
Trunk Mode BCP Configuration Guidelines
When configuring BCP support in trunk mode for SPAs on the Cisco 7600 SIP-200 and Cisco 7600
SIP-400, consider the following guidelines:
• Be sure to refer to Table 4-10 for feature compatibility information.
• There are some differences between the Ethernet trunk ports and BCP trunk ports.
– Ethernet trunk ports support ISL and 802.1Q encapsulation, but BCP trunk ports support only
802.1Q.
– Ethernet trunk ports support Dynamic Trunking Protocol (DTP), which is used to automatically
determine the trunking status of the link. BCP trunk ports are always in trunk state and no DTP
negotiation is performed.
– The default behavior of Ethernet trunk ports is to allow all VLANs on the trunk. The default
behavior of BCP trunks is to disallow all VLANs. This means that VLANs that need to be
allowed have to be explicitly configured on the BCP trunk port.
• Use the switchport command under the WAN interface when configuring trunk mode BCP.
• The SIPs support the following maximum number of BCP ports on any given VLAN:
– In Cisco IOS Release 12.2(18)SXE and later—Maximum of 60 BCP ports
– In Cisco IOS Release 12.2(33)SRA—Maximum of 112 BCP ports on Cisco 7600 SIP-200 and
maximum of 120 BCP ports on Cisco 7600 SIP-400.
• To use VLANs in trunk mode BCP, you must use the vlan command to manually add the VLANs to
the VLAN database. The default behavior for trunk mode BCP allows no VLANs.
• Trunk mode BCP is not supported on VLAN IDs 0, 1006–1023, and 1025.
• The native VLAN (VLAN1) has the following restrictions for trunk mode BCP:
– In Cisco IOS Release 12.2SX—The native VLAN is not supported.
– Beginning in Cisco IOS Release 12.2(33)SRA—The native VLAN is supported.
• For trunk mode BCP (switchport), STP interoperability is the same as that of Ethernet switchports.
This means that the STP path cost of WAN links can be changed and other STP functionality such
as BPDU Guard and PortFast will work on the WAN links. However, it is not recommended to
change the default values.
• VLAN Trunking Protocol (VTP) is supported.
Note The management VLAN, VLAN 1, must be explicitly enabled on the trunk to send VTP
advertisements.
To configure BCP in trunk mode, perform the following steps beginning in global configuration mode:
Step 1
Command: Router(config)# vlan dot1q tag native
Purpose: (Optional) Enables dot1q tagging for all VLANs in a trunk. By default, packets on the native VLAN are sent untagged. When you enable dot1q tagging, packets are tagged with the native VLAN ID.
Step 2
Command (by SPA):
1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA
Router(config)# interface serial address
2-Port and 4-Port Clear Channel T3/E3 SPA
Router(config)# interface serial slot/subslot/port
2-Port and 4-Port Channelized T3 SPA
Router(config)# interface serial slot/subslot/port/t1-number:channel-group
8-Port Channelized T1/E1 SPA
Router(config)# interface serial slot/subslot/port:channel-group
1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA
Router(config)# interface pos slot/subslot/port
Purpose: Specifies an interface and enters interface configuration mode, where:
• address—For the different supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
Step 3
Command: Router(config-if)# switchport
Purpose: Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration. PPP encapsulation is automatically configured, and the interface is automatically configured for trunk mode and nonegotiate status.
Step 4
Command: Router(config-if)# shutdown
Purpose: Disables the interface.
Step 5
Command: Router(config-if)# no shutdown
Purpose: Restarts the disabled interface.
Step 6
Command: Router(config-if)# switchport trunk allowed vlan {all | {add | remove | except} vlan-list [,vlan-list...] | vlan-list [,vlan-list...]}
Purpose: (Optional) Controls which VLANs can receive and transmit traffic on the trunk, where:
• all—Enables all applicable VLANs.
• add vlan-list [,vlan-list...]—Appends the specified list of VLANs to those currently set instead of replacing the list.
• remove vlan-list [,vlan-list...]—Removes the specified list of VLANs from those currently set instead of replacing the list.
• except vlan-list [,vlan-list...]—Excludes the specified list of VLANs from those currently set instead of replacing the list.
• vlan-list [,vlan-list...]—Specifies a single VLAN number from 1 to 4094, or a continuous range of VLANs that are described by two VLAN numbers from 1 to 4094. You can specify multiple VLAN numbers or ranges using a comma-separated list.
To specify a range of VLANs, enter the smaller VLAN number first, separated by a hyphen and the larger VLAN number at the end of the range.
Note Do not enable the reserved VLAN range (1006 to 1024) on trunks when connecting a Cisco 7600 series router running the Cisco IOS software on both the supervisor engine and the MSFC to a Cisco 7600 series router running the Catalyst operating system. These VLANs are reserved in Cisco 7600 series routers running the Catalyst operating system. If enabled, Cisco 7600 series routers running the Catalyst operating system may error-disable the ports if there is a trunking channel between these systems.
Verifying BCP in Trunk Mode
Because the PPP link has to flap (be brought down and renegotiated), it is important that you run the
following show commands after you configure BCP in trunk mode to confirm the configuration:
Command (by SPA):
1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA
Router# show interfaces [serial address] trunk [module number]
2-Port and 4-Port Channelized T3 SPA
Router# show interfaces [serial slot/subslot/port/t1-number:channel-group] trunk [module number]
2-Port and 4-Port Clear Channel T3/E3 SPA
Router# show interfaces [serial slot/subslot/port] trunk [module number]
8-Port Channelized T1/E1 SPA
Router# show interfaces [serial slot/subslot/port:channel-group] trunk [module number]
1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA
Router# show interfaces [pos slot/subslot/port] trunk [module number]
Purpose: Displays the interface-trunk information, where:
• address—For the different supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
• module number—(Optional) Specifies the chassis slot number of the SIP and displays information for all interfaces of the SPAs in that SIP.
The following output of the show interfaces commands provides an example of the information that is
displayed when BCP is configured in trunk mode.
Note When switchport is configured, the encapsulation is automatically changed to PPP.
Router# show interfaces trunk
Port Mode Encapsulation Status Native vlan
PO4/1/0 on 802.1q trunking 1
Port Vlans allowed on trunk
PO4/1/0 1-1005,1025-1026,1028-4094
Port Vlans allowed and active in management domain
PO4/1/0 1,100,200
Port Vlans in spanning tree forwarding state and not pruned
PO4/1/0 1,100,200
Router# show interfaces switchport
Name: PO4/1/0
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 100
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Router# show interfaces pos4/1/0
POS4/1/0 is up, line protocol is up
Hardware is Packet over Sonet
MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
LCP Open
Open: BRIDGECP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters 18:48:09
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
13161719 packets input, 1145463122 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1685 packets output, 620530 bytes, 0 underruns
0 output errors, 0 applique, 30 interface resets
0 output buffer failures, 0 output buffers swapped out
11 carrier transitions
Configuring BCP in Single-VLAN Mode
When BCP is configured in single-VLAN mode, a single BCP link carries only one VLAN. This is
considered BCP in access mode.
Single-VLAN Mode BCP Configuration Guidelines
When configuring BCP support in single-VLAN mode for SPAs on the Cisco 7600 SIP-200 and
Cisco 7600 SIP-400, consider the following guidelines:
• Be sure to refer to Table 4-10 for feature compatibility information.
• Use the bridge-domain vlan-id dot1q form of the command under a WAN interface or an ATM
PVC. The dot1q keyword is necessary. It indicates that all frames on the BCP link will be tagged
with a 802.1Q header. Untagged frames received on a BCP link will be dropped.
• For serial and POS SPA interfaces, the encapsulation of the interface must be PPP; otherwise, the
bridge-domain command will not be accepted.
• The ATM SPAs on the Cisco 7600 series router do not support single-VLAN BCP.
• For single-VLAN BCP, you can configure the following maximum number of VCs per VLAN:
– In Cisco IOS Release 12.2SX—60 VCs or interfaces per VLAN per chassis.
– Beginning in Cisco IOS Release 12.2(33)SRA—112 VCs or interfaces per VLAN per
Cisco 7600 SIP-200; 120 VCs or interfaces per VLAN per Cisco 7600 SIP-400.
• VLANs must be manually added to the VLAN database, using the vlan command, to be able to use
those VLANs in single-VLAN BCP.
• BCP is not supported on VLAN IDs 0, 1 (native), 1006–1023, and 1025.
• For single-VLAN BCP, only basic Spanning Tree Protocol (STP) interoperability is supported. This
means that single-VLAN BCP interfaces will participate in the STP domain and the correct path cost
of the links will be calculated; however, changing any STP parameters for the link is not supported.
• VLAN Trunking Protocol (VTP) is not supported on single-VLAN BCP.
To configure BCP in single-VLAN mode on serial or POS SPAs, perform the following steps beginning
in global configuration mode:
Step 1
Command (by SPA):
1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC-12/STM-4 SPA
Router(config)# interface serial address
2-Port and 4-Port Channelized T3 SPA
Router(config)# interface serial slot/subslot/port/t1-number:channel-group
8-Port Channelized T1/E1 SPA
Router(config)# interface serial slot/subslot/port:channel-group
1-Port OC-12c/STM-4 POS SPA or 2-Port and 4-Port OC-3c/STM-1 POS SPA
Router(config)# interface pos slot/subslot/port
2-Port and 4-Port Clear Channel T3/E3 SPA
Router(config)# interface serial slot/subslot/port
Purpose: Specifies an interface and enters interface configuration mode, where:
• address—For the different supported syntax options for the address argument for the 1-Port Channelized OC-3/STM-1 SPA, refer to the “Interface Naming” section of the “Configuring the 1-Port Channelized OC-3/STM-1 SPA” chapter.
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
• port—Specifies the number of the interface port on the SPA.
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the time slots within the T1 or E1 group.
Step 2
Command: Router(config-if)# no ip address
Purpose: Disables IP processing on a particular interface by removing its IP address.
Step 3
Command: Router(config-if)# encapsulation ppp
Purpose: Configures the interface for PPP encapsulation.
Step 4
Command: Router(config-if)# bridge-domain vlan-id [dot1q | dot1q-tunnel]
Purpose: Establishes a domain and tags all Ethernet frames on the BCP link with the 802.1Q header, where:
• vlan-id—Specifies the number of the VLAN to be used in this bridging configuration. The valid range is from 2 to 4094. The VLAN ID must have been previously added to the VLAN database.
• dot1q—(Optional) Enables IEEE 802.1Q tagging to preserve the class of service (CoS) information from the Ethernet frames across the WAN interface. If not specified, the ingress side assumes a CoS value of 0 for QoS purposes. Using the dot1q keyword helps avoid misconfiguration because incoming untagged frames, or tagged frames that do not match the specified vlan-id are dropped.
• dot1q-tunnel—(Optional) Enables IEEE 802.1Q tunneling mode, so that service providers can use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated.
Step 5
Command: Router(config-if)# shutdown
Purpose: Disables the interface.
Step 6
Command: Router(config-if)# no shutdown
Purpose: Restarts the disabled interface.
Verifying BCP in Single-VLAN Mode
Because the PPP link has to flap (be brought down and renegotiated), it is important that you run the
following show command after you configure BCP in single-VLAN mode to confirm the configuration:
Router# show interfaces pos4/1/0
POS4/1/0 is up, line protocol is up
Hardware is Packet over Sonet
MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
LCP Open
Open: BRIDGECP, CDPCP
Last input 00:00:09, output 00:00:09, output hang never
Last clearing of "show interface" counters 00:00:24
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
32 packets input, 1709 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17 packets output, 1764 bytes, 0 underruns
0 output errors, 0 applique, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions
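The trunk mode and single-VLAN mode guidelines above can be checked automatically before a change is applied, which keeps the set of VLANs bridged across the WAN link explicit and minimal. The following Python audit is an added example, not part of the Cisco guide; the configuration text is constructed, VLAN database entries are assumed to appear as top-level vlan N lines, and except is evaluated as its upper bound (every VLAN minus the list).

```python
import re

MAX_VLAN = 4094
# Unsupported for BCP per the guidelines (VLAN 0 is outside 1-4094 anyway).
UNSUPPORTED = set(range(1006, 1024)) | {1025}

# Constructed sample, not from a real device. Assumption: VLANs added with
# the vlan command appear as top-level "vlan N" lines.
SAMPLE_CONFIG = """\
vlan 100
vlan 200
!
interface POS4/1/0
 switchport
 switchport trunk allowed vlan 100,200
 switchport trunk allowed vlan add 300,1006-1010
!
interface Serial3/0/0:1
 no ip address
 encapsulation ppp
 bridge-domain 200 dot1q
!
interface Serial3/0/1:1
 no ip address
 bridge-domain 1
"""


def parse_vlan_list(text):
    """Expand '100,200-205' into a set; ranges go low-high within 1-4094."""
    vlans = set()
    for item in text.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", item)
        if not m:
            raise ValueError(f"bad vlan-list item {item!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= low <= high <= MAX_VLAN:
            raise ValueError(f"invalid vlan-list item {item.strip()!r}")
        vlans.update(range(low, high + 1))
    return vlans


def stanzas(config):
    """Yield (interface name, [sub-commands]) for each interface block."""
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        yield m.group(1), [line.strip() for line in m.group(2).splitlines()]


def audit(config):
    """Return (interface, issue, VLAN IDs) tuples for BCP interfaces."""
    vlan_db = set()
    for m in re.finditer(r"^vlan ([\d,\- ]+)$", config, re.M):
        vlan_db |= parse_vlan_list(m.group(1))
    everything = set(range(1, MAX_VLAN + 1))
    prefix = "switchport trunk allowed vlan "
    findings = []
    for name, body in stanzas(config):
        if "switchport" in body:  # trunk mode BCP
            allowed, broad = set(), False  # BCP trunks allow no VLANs by default
            for rest in (c[len(prefix):] for c in body if c.startswith(prefix)):
                word, _, arg = rest.partition(" ")
                if word == "all":
                    allowed, broad = set(everything), True
                elif word == "except":
                    # Evaluated as its upper bound: every VLAN minus the list.
                    allowed, broad = everything - parse_vlan_list(arg), True
                elif word == "add":
                    allowed |= parse_vlan_list(arg)
                elif word == "remove":
                    allowed -= parse_vlan_list(arg)
                else:
                    allowed = parse_vlan_list(rest)
            if not allowed:
                findings.append((name, "trunk allows no VLANs", []))
            bad = sorted(allowed & UNSUPPORTED)
            if bad:
                findings.append((name, "unsupported VLANs allowed", bad))
            missing = allowed - UNSUPPORTED - vlan_db
            if missing and not broad:
                findings.append((name, "VLANs not in VLAN database", sorted(missing)))
        for cmd in body:  # single-VLAN BCP
            m = re.fullmatch(r"bridge-domain (\d+)(?: (dot1q|dot1q-tunnel))?", cmd)
            if not m:
                continue
            vid = int(m.group(1))
            if "encapsulation ppp" not in body:
                findings.append((name, "bridge-domain without encapsulation ppp", [vid]))
            if not 2 <= vid <= MAX_VLAN or vid in UNSUPPORTED:
                findings.append((name, "unsupported VLAN for single-VLAN BCP", [vid]))
            elif vid not in vlan_db:
                findings.append((name, "VLANs not in VLAN database", [vid]))
            if m.group(2) is None:
                findings.append((name, "bridge-domain lacks dot1q keyword", [vid]))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the constructed sample, the trunk is reported for allowing VLANs 1006 to 1010 and for VLAN 300 missing from the VLAN database, and Serial3/0/1:1 is reported for three single-VLAN problems.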
Configuring BCP over dMLPPP
Beginning in Cisco IOS Release 12.2(33)SRA, BCP is supported over dMLPPP links on the Cisco 7600
SIP-200 with the 2-Port and 4-Port Channelized T3 SPA and 8-Port Channelized T1/E1 SPA. BCP over
dMLPPP is supported in trunk mode only.
Effective from Cisco IOS release 15.2(1)S, BCP over dMLPPP is also supported on the Cisco 7600
SIP-400 with the following SPAs:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC12/STM-4 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
For more information about configuring the BCP over dMLPPP feature, see Chapter 17, “Configuring
the 8-Port Channelized T1/E1 SPA,” and Chapter 18, “Configuring the 2-Port and 4-Port Clear Channel
T3/E3 SPAs.”
Configuring Virtual Private LAN Service
Virtual Private LAN Service (VPLS) enables geographically separate LAN segments to be
interconnected as a single bridged domain over a packet switched network, such as IP, MPLS, or a hybrid
of both.
VPLS solves the network reconfiguration problems at the CE that are associated with Layer 2 Virtual
Private Network (L2VPN) implementations. The current Cisco IOS software L2VPN implementation
builds a point-to-point connection to interconnect the two attachment VCs of two peering customer sites.
To communicate directly among all sites of an L2VPN network, a distinct emulated VC needs to be
created between each pair of peering attachment VCs. For example, when two sites of the same L2VPN
network are connected to the same PE, it requires that two separate emulated VCs be established towards
a given remote site, instead of sharing a common emulated VC between these two sites. For an L2VPN
customer who uses the service provider backbone to interconnect its LAN segments, the current
implementation effectively turns its multiaccess broadcast network into a fully meshed point-to-point
network, which requires extensive reconfiguration on the existing CE devices.
VPLS is a multipoint L2VPN architecture that connects two or more customer devices using EoMPLS
bridging techniques. VPLS with EoMPLS uses an MPLS-based provider core, where the PE routers have
to cooperate to forward customer Ethernet traffic for a given VPLS instance in the core.
VPLS uses the provider core to join multiple attachment circuits, simulating a virtual bridge
that connects them. From a customer point of view, there is no
topology for VPLS. All of the CE devices appear to connect to a logical bridge emulated by the provider
core.
Hierarchical Virtual Private LAN Service with MPLS to the Edge
In a flat or non-hierarchical VPLS configuration, a full mesh of pseudowires (PWs) is needed between
all PE nodes. A pseudowire defines a VLAN and its corresponding pseudoport.
Hierarchical Virtual Private LAN Service (H-VPLS) reduces both signaling and replication overhead by
using a combination of full-mesh and hub-and-spoke configurations. Hub-and-spoke configurations
operate with split horizon to allow packets to be switched between pseudowires (PWs), which effectively
reduces the number of PWs between PEs.
Figure 4-3 H-VPLS with MPLS to the Edge Network
In the H-VPLS with MPLS to the edge architecture, Ethernet Access Islands (EAIs) work in combination
with a VPLS core network, with MPLS as the underlying transport mechanism. EAIs operate like
standard Ethernet networks. In Figure 4-3, devices CE1, CE2a and CE2b reside in an EAI. Traffic from
any CE device within the EAI is switched locally within the EAI by the user-facing provider edge
(UPE) device along the computed spanning-tree path. Each user-facing provider edge device is
connected to one or more network-facing provider edge devices using PWs. The traffic local to the UPE
is not forwarded to any network-facing provider edge devices.
VPLS Configuration Guidelines
When configuring VPLS on a SIP, consider the following guidelines:
• For support of specific VPLS features by SIP, see Table 4-11.
• The SIPs support up to 4000 VPLS domains per Cisco 7600 series router.
• The SIPs support up to 60 VPLS peers per domain per Cisco 7600 series router.
• The SIPs support up to 30,000 pseudowires, used in any combination of domains and peers up to the
4000-domain or 60-peer maximums. For example, support of up to 4000 domains with 7 peers, or
up to 60 peers in 500 domains.
• When configuring VPLS on a Cisco 7600 SIP-600, consider the following guidelines:
– Q-in-Q (the ability to map a single 802.1Q tag or a random double tag combination into a VPLS
instance, a Layer 3 MPLS VPN, or an EoMPLS VC) is not supported.
– H-VPLS with Q-in-Q edge—Requires a Cisco 7600 SIP-600 in the uplink, and any LAN port
or Cisco 7600 SIP-600 on the downlink.
• H-VPLS with MPLS edge requires either an OSM module, Cisco 7600 SIP-600, or Cisco 7600
SIP-400 in both the downlink (facing UPE) and uplink (MPLS core).
• The Cisco 7600 SIP-400 and Cisco 7600 SIP-600 provide Transparent LAN Services (TLS) and
Ethernet Virtual Connection Services (EVCS).
• The Cisco 7600 SIP-400 does not support redundant PW links from a UPE to multiple NPEs.
• For information about configuring VPLS on the SIPs, consider the guidelines in this document and
then refer to the “Virtual Private LAN Services on the Optical Services Modules” section of the
Optical Services Module Software Configuration Note for the Cisco 7600 series router at the
following URL:
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/mpls.html
VPLS Feature Compatibility
Table 4-11 provides information about where the VPLS features are supported.
Table 4-11 VPLS Feature Compatibility by SIP and SPA Combination
Feature: H-VPLS with MPLS edge
Cisco 7600 SIP-200:
Not supported.
Cisco 7600 SIP-400:
In Cisco IOS Release 12.2(33)SRA:
• 2-Port Gigabit Ethernet SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-12c/STM-4 POS SPA
• 1-Port OC-48c/STM-16 POS SPA
In Cisco IOS release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600:
In Cisco IOS Release 12.2(18)SXF and later:
• 1-Port 10-Gigabit Ethernet SPA
• 5-Port Gigabit Ethernet SPA
• 10-Port Gigabit Ethernet SPA
• 1-Port OC-192c/STM-64 POS/RPR SPA
• 2-Port and 4-Port OC-48c/STM-16 POS SPA
Support for the following SPAs was added in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-48c/STM-16 POS SPA
Table 4-11 VPLS Feature Compatibility by SIP and SPA Combination (continued)
Feature: H-VPLS with Q-in-Q edge
Cisco 7600 SIP-200:
Not supported.
Cisco 7600 SIP-400:
Not supported.
Cisco 7600 SIP-600:
In Cisco IOS Release 12.2(18)SXF and later:
• 1-Port 10-Gigabit Ethernet SPA
• 5-Port Gigabit Ethernet SPA
• 10-Port Gigabit Ethernet SPA
• 1-Port OC-192c/STM-64 POS/RPR SPA
• 2-Port and 4-Port OC-48c/STM-16 POS SPA
Support for the following SPAs was added in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-48c/STM-16 POS SPA
Feature: VPLS with point-to-multipoint EoMPLS and fully-meshed PE configuration
Cisco 7600 SIP-200:
Not supported.
Cisco 7600 SIP-400:
In Cisco IOS Release 12.2(33)SRA:
• 2-Port Gigabit Ethernet SPA
• 2-Port and 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-12c/STM-4 POS SPA
• 1-Port OC-48c/STM-16 POS SPA
In Cisco IOS release 15.2(1)S:
• 1-Port Channelized OC12/STM-4 SPA
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC-3/STM-1 SPA
• 1-Port Channelized OC48/STM/16/DS3 SPA
• 2 and 4-Port Clear Channel T3/E3 SPA
Cisco 7600 SIP-600:
In Cisco IOS Release 12.2(18)SXF and later:
• 1-Port 10-Gigabit Ethernet SPA
• 5-Port Gigabit Ethernet SPA
• 10-Port Gigabit Ethernet SPA
• 1-Port OC-192c/STM-64 POS/RPR SPA
• 2-Port and 4-Port OC-48c/STM-16 POS SPA
Support for the following SPAs was added in Cisco IOS Release 12.2(33)SRA:
• 2-Port and 4-Port OC-48c/STM-16 POS SPA
Configuring Asymmetric Carrier-Delay
During redundant link deployments where the remote network element is enabled, a link or port may be
displayed as UP before the port or link is ready to forward data. This leads to traffic loss during
switchover, because UP events are notified faster than DOWN events.
Table 4-12 lists the differences between the conventional Carrier-Delay and Asymmetric Carrier-Delay
implementations.
Table 4-12 Conventional Carrier-Delay versus Asymmetric Carrier-Delay
Conventional Carrier-Delay implementation: You can configure Carrier-Delay on a main physical interface.
Asymmetric Carrier-Delay implementation: You can configure Asymmetric Carrier-Delay on a main physical interface.
Conventional Carrier-Delay implementation: The acceptable limit to configure Carrier-Delay UP time is 4 seconds and above.
Asymmetric Carrier-Delay implementation: The acceptable limit to configure Carrier-Delay DOWN time is 11 milliseconds and above for SIP-600. The acceptable limit to configure carrier-delay UP time is 4 seconds and above for SIP-200 and SIP-400 cards only if there is a scaled EVC configuration. Otherwise you can configure carrier-delay UP time to less than 4 seconds.
Conventional Carrier-Delay implementation: You can configure a single delay value for UP and DOWN events on a link.
Asymmetric Carrier-Delay implementation: You can configure separate delay values for each DOWN and UP events on a link.
Conventional Carrier-Delay implementation: Traffic losses and timer optimization issues when the link is UP or DOWN.
Asymmetric Carrier-Delay implementation: Delays are useful when the link is enabled or disabled (due to physical link failures/restoration or remote end events) before the actual link status is declared. To prevent traffic loss in the SIP-200/400/600 line cards, you can configure separate notifications or carrier-delay values during card boot UP/DOWN event notifications.
Conventional Carrier-Delay implementation: Erroneous cascading impact on other features in the SIP200/SIP400/SIP600 line cards. Example: An erroneous routing table convergence occurs where the link is available in the routing table.
Asymmetric Carrier-Delay implementation: Dependent features such as Routing Convergence and FRR are delayed on the local end.
Conventional Carrier-Delay implementation: Disruption of the fast readout links.
Asymmetric Carrier-Delay implementation: Delays streamlined ensuring stable topologies.
Restrictions and Usage Guidelines
• The acceptable limit to configure Carrier-Delay DOWN time is eleven milliseconds and above for
SIP-600 line cards. By default, Carrier-Delay is configured to 10 milliseconds during a card bootup.
If you prefer to increase the default value of 10 milliseconds, you can manually configure and set
the values on the SIP-600. The acceptable limit to configure carrier-delay UP time is 4 seconds and
above for SIP-200 and SIP-400 cards only if there is a scaled EVC configuration. Otherwise you can
configure carrier-delay UP time to less than 4 seconds.
• The Fast Link and Carrier-Delay features are mutually exclusive. The Fast Link feature is
enabled by default.
• If you configure Carrier-Delay values, the Fast Link feature is disabled on a line card.
• Although the Fast Link feature is configured by default on the card, the Carrier-Delay feature
overrides the Fast Link feature when configured.
• If you have not configured the Carrier-Delay values, the Fast Link feature values are used for DOWN
event notification.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type slot/bay/port
4. carrier-delay [0-60]
5. carrier-delay [{up | down} [seconds]{msec| sec}]
6. end
DETAILED STEPS
Step 1 enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3 interface type slot/bay/port
Example:
P19_C7609-S(config)#int gig8/0/1
Purpose: Selects the main interface to configure.
Step 4 carrier-delay [0-60]
Example:
P19_C7609-S(config-if)#carrier-delay 20
Purpose: Configures the conventional carrier-delay value in seconds.
Note Ensure that the Carrier-Delay values are configured within the acceptable range of 0-60. If not,
the router displays an error message.
Step 5 carrier-delay [{up | down} [seconds]{msec| sec}]
Example:
P19_C7609-S(config-if)#carrier-delay up 8
P19_C7609-S(config-if)#carrier-delay down 5
Purpose: Configures the Asymmetric Carrier-Delay up or down value in milliseconds or seconds.
Note ‘Four seconds’ is the lower limit for the Asymmetric Carrier-Delay UP timer value on a scaled
EVC configuration. If you configure the UP timer to be less than 4 seconds, the following message is
displayed:
Minimum carrier-delay for UP timer is 4secs if there is a scaled EVC configuration
Step 6 end
Purpose: Exits the configuration mode.
Note Once you have configured the asymmetric carrier delay (ACD) UP timer, the link should come UP
only after the configured delay.
A situation where the remote end comes UP sooner than the local end (where ACD is configured) is
expected, because the remote end does not have any asymmetric carrier delay configured. The SPA detects
the link and then signals to the remote end that the port is UP, whereas the local end (ACD configured)
comes UP only after the configured UP timer expires.
Verification
You can use the show run command to display the Carrier-Delay configurations on an SIP-200/400
physical interface.
sh run int Fa2/0/0
Building configuration...
Current configuration: 219 bytes
!
interface FastEthernet2/0/0
ip address 32.0.0.1 255.255.255.0
logging event link-status
carrier-delay up 10
carrier-delay down 5
end
Configuring BFD over VCCV on SIP-400
BFD over VCCV is a mechanism for operation and management of pseudowires to enable fault detection
and diagnostics. Bidirectional forwarding detection (BFD) is a protocol that detects faults in the
bidirectional path between two forwarding engines. In pseudowires, BFD uses the virtual circuit
connectivity verification (VCCV) for detecting data plane failures. VCCV provides a control channel
that is associated with a pseudowire (PW) and the corresponding operations and management functions.
MPLS pseudowires can dynamically signal or statically configure virtual circuit (VC) labels. VCCV
control channel (CC) types define possible control channels that VCCV can support and connection
verification (CV) types indicate the types of CV packets and protocols that can be sent on the specified
control channel. In dynamically signalled pseudowires, the CC types and CV types are also signalled. In
statically configured pseudowires, the CC and CV types must be configured on both ends of the
pseudowire.
The following BFD over VCCV modes are possible on pseudowires:
• BFD over VCCV on static pseudowire with attachment circuit signaling
• BFD over VCCV on static pseudowire without attachment circuit signaling
• BFD over VCCV on dynamic pseudowire without attachment circuit signaling
Configuration Restrictions
Follow these restrictions while configuring BFD over VCCV on SIP-400.
• Only BFD over VCCV Type1 without internet protocol (IP) /user datagram protocol (UDP) is
supported. In VCCV Type1, traffic follows the same path as pseudowire data traffic and VCCV Type
1 can be used only for MPLS pseudowires with control word.
• L2TPv3 is currently not supported.
• Pseudowire redundancy is not supported.
• Only ATM is supported as attachment circuit.
• Up to 1200 pseudowires can be enabled for BFD over VCCV.
• When BFD over VCCV is enabled on the pseudowire, switched virtual interface (SVI) based
ethernet over multi protocol label switching (EoMPLS) is not supported.
• When BFD over VCCV is enabled on the pseudowire, multipoint core-facing interface is not
supported.
• BFD over VCCV sessions are supported only on single-segment pseudowires between provider edge
routers (PEs).
• BFD over VCCV sessions between terminating PE routers (T-PEs) and switching PE routers (S-PEs)
are not supported.
• BFD over VCCV sessions are supported only on multi-segment pseudowires between terminating
PE routers (T-PEs).
• Only these SPAs are supported on the line card edge that faces the attachment circuit:
– 2-Port OC-3c/STM-1 ATM SPA
– 4-Port OC-3c/STM-1 ATM SPA
– 1-Port OC-12c/STM-4 ATM SPA
– 1-Port OC-48c/STM-16 ATM SPA
Configuration Steps
Perform these steps to configure BFD over VCCV.
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 bfd-template single-hop bfd-template-name
Step 4 interval min-tx msec min-rx msec multiplier number
Step 5 exit
Step 6 pseudowire-class pseudowire-class-name
Step 7 encapsulation mpls
Step 8 vccv bfd template bfd-template-name
Step 9 exit
Step 10 interface atm slot/subslot/port
Step 11 pvc vpi/vci l2transport
Step 12 xconnect destination vc-id pseudowire-class pseudowire-class-name
Step 13 exit
DETAILED STEPS
Step 1 Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2 Router# configure terminal
Purpose: Enters global configuration mode.
Step 3 Router(config)# bfd-template single-hop bfd-template-name
Purpose: Specifies the BFD template.
Step 4 Router(config-bfd)# interval min-tx msec min-rx msec multiplier number
Example:
Router(config-bfd)# interval min-tx 500 min-rx 500 multiplier 3
Purpose: Specifies the following BFD VCCV parameters:
• min-tx: Minimum transmission interval in milliseconds, that the local system uses when
transmitting BFD control packets. The valid range is 50-999.
• min-rx: Minimum receiving interval in milliseconds, between received control packets that this
system is capable of supporting. The valid range is 50-999.
• multiplier: The negotiated transmit interval, multiplied by this value, provides the detection time
for the transmitting system in asynchronous mode.
Step 5 Router(config-bfd)# exit
Purpose: Exits from the BFD template configuration mode.
Step 6 Router(config)# pseudowire-class pseudowire-class-name
Example:
Router(config)# pseudowire-class BFD
Purpose: Specifies the pseudowire class.
Step 7 Router(config-pw-class)# encapsulation mpls
Purpose: Specifies the encapsulation method.
Step 8 Router(config-pw-class)# vccv bfd template bfd-template-name
Example:
Router(config-pw-class)# vccv bfd template bfd-template
Purpose: Applies the configured BFD interval timers to BFD VCCV pseudowire class.
Step 9 Router(config-pw-class)# exit
Purpose: Exits from the pseudowire class configuration mode.
Step 10 Router(config)# interface atm slot/subslot/port
Example:
Router(config)# interface atm3/0/0
Purpose: Specifies an ATM interface and enters interface configuration mode.
Step 11 Router(config-if)# pvc vpi/vci l2transport
Example:
Router(config-if)# pvc 2/101 l2transport
Purpose: Assigns a virtual path identifier (VPI) and a virtual circuit identifier (VCI). The l2transport
keyword indicates that the permanent virtual circuit (PVC) is a switched PVC instead of a terminated PVC.
Step 12 Router(config-atm-pvc)# xconnect destination vc-id pseudowire-class pseudowire-class-name
Example:
Router(config-atm-pvc)# xconnect 16.1.1.1 2 pseudowire-class BFD
Purpose: Specifies the virtual circuit (VC).
• destination: Specifies the loopback address of the remote router.
• vc-id: Identifies the virtual circuit between the PE routers at each end point of the VC. It must be
unique for each VC.
Step 13 Router(config-atm-pvc)# exit
Purpose: Exits from the ATM PVC configuration mode.
Note If you apply or remove a QoS service policy on the ATM PVC, then the configured BFD VCCV sessions
are also renegotiated and a minimal drop in data traffic occurs.
Verifying BFD VCCV Configuration
Use the show mpls l2 vc command to verify the BFD VCCV configuration.
RouterA# show mpls l2transport vc detail
Local interface: AT3/0/0 up, line protocol up, ATM AAL5 2/101 up
Destination address: 23.1.1.1, VC ID: 1, VC status: up
Output interface: Gi5/1, imposed label stack {2559}
Preferred path: not configured
Default path: active
Next hop: 9.1.1.2
Create time: 00:18:39, last status change time: 00:04:50
Signaling protocol: LDP, peer 23.1.1.1:0 up
Targeted Hello: 22.1.1.1(LDP Id) -> 23.1.1.1, LDP is UP
Status TLV support (local/remote) : enabled/supported
LDP route watch : enabled
Label/status state machine : established, LruRru
Last local dataplane status rcvd: No fault
Last local SSS circuit status rcvd: No fault
Last local SSS circuit status sent: No fault
Last local LDP TLV status sent: No fault
Last remote LDP TLV status rcvd: No fault
Last remote LDP ADJ status rcvd: No fault
MPLS VC labels: local 16, remote 2559
Group ID: local 0, remote 0
MTU: local 4470, remote 4470
Remote interface description: ^M Sequencing: receive disabled, send disabled
Control Word: On (configured: autosense)
VCCV BFD protection active
BFD Template - bfd
CC Type - 1
CV Type - fault detection only with IP/UDP headers
SSO Descriptor: 23.1.1.1/1, local label: 16
SSM segment/switch IDs: 8195/4097 (used), PWID: 12290
VC statistics:
transit packet totals: receive 225, send 89
transit byte totals: receive 13300, send 5340
transit packet drops: receive 0, seq error 0, send 0
Alternatively, you can also use the show bfd neighbors command from the destination router to verify
the configuration.
RouterB# show bfd neighbors mpls-pw 22.1.1.1 vcid 1 detail
NeighAddr LD/RD RH/RS State Int
22.1.1.1 :1 1/1 Up Up N/A
Session state is UP and not using echo function.
OurAddr: 0.0.0.0
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 500000, MinRxInt: 500000, Multiplier: 3
Received MinRxInt: 500000, Received Multiplier: 3
Holddown (hits): 1372(2), Hello (hits): 500(4051)
Rx Count: 3200, Rx Interval (ms) min/max/avg: 1/488/91 last: 128 ms ago
Tx Count: 3203, Tx Interval (ms) min/max/avg: 40/472/91 last: 128 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: Xconnect
Uptime: 00:04:49
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 1
Multiplier: 3 - Length: 24
My Discr.: 1 - Your Discr.: 1
Min tx interval: 500000 - Min rx interval: 500000
Min Echo interval: 0
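Added example, not part of the Cisco guide: a Python check that reads the show bfd neighbors detail fields shown above, confirms the local intervals fall in the 50-999 ms template range, and derives the detection time as RFC 5880 section 6.8.4 defines it. It assumes the interval fields are in microseconds and the Holddown value is in milliseconds; the function names are hypothetical.

```python
import re

# Lines copied from the RouterB "show bfd neighbors ... detail" output above.
SAMPLE_OUTPUT = """\
Session state is UP and not using echo function.
MinTxInt: 500000, MinRxInt: 500000, Multiplier: 3
Received MinRxInt: 500000, Received Multiplier: 3
Holddown (hits): 1372(2), Hello (hits): 500(4051)
Last packet: Version: 1 - Diagnostic: 0
Multiplier: 3 - Length: 24
Min tx interval: 500000 - Min rx interval: 500000
"""

# One regular expression per field; the local values sit on the "MinTxInt:" line,
# the peer's values on the "Received ..." line and in the last-packet dump.
FIELDS = {
    "state": r"Session state is (\w+)",
    "local_min_tx_us": r"^\s*MinTxInt:\s*(\d+)",
    "local_min_rx_us": r"^\s*MinTxInt:.*?MinRxInt:\s*(\d+)",
    "local_multiplier": r"^\s*MinTxInt:.*?,\s*Multiplier:\s*(\d+)",
    "remote_min_rx_us": r"Received MinRxInt:\s*(\d+)",
    "remote_multiplier": r"Received Multiplier:\s*(\d+)",
    "remote_min_tx_us": r"Min tx interval:\s*(\d+)",
    "holddown_ms": r"Holddown \(hits\):\s*(\d+)",
}


def parse_bfd_detail(text):
    """Extract the timer fields from one session's detail output."""
    fields = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"field {name!r} not found in output")
        fields[name] = match.group(1) if name == "state" else int(match.group(1))
    return fields


def local_detection_ms(fields):
    """Silence after which this router declares the session down (asynchronous mode).

    RFC 5880 6.8.4: the peer's multiplier times the larger of our required
    min-rx and the peer's advertised min-tx.
    """
    agreed_us = max(fields["local_min_rx_us"], fields["remote_min_tx_us"])
    return fields["remote_multiplier"] * agreed_us / 1000


def peer_detection_ms(fields):
    """Same calculation from the peer's side, using our multiplier and min-tx."""
    agreed_us = max(fields["local_min_tx_us"], fields["remote_min_rx_us"])
    return fields["local_multiplier"] * agreed_us / 1000


def check(fields):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if fields["state"].upper() != "UP":
        findings.append(f"session state is {fields['state']}, not UP")
    for key in ("local_min_tx_us", "local_min_rx_us"):
        ms = fields[key] / 1000
        if not 50 <= ms <= 999:  # valid range given for min-tx and min-rx in Step 4
            findings.append(f"{key} = {ms:g} ms is outside the 50-999 ms range")
    # Assumption: Holddown is the time left, in ms, before the session is declared
    # down, so it should never exceed the computed detection time.
    if fields["holddown_ms"] > local_detection_ms(fields):
        findings.append("holddown exceeds the computed detection time")
    return findings


if __name__ == "__main__":
    parsed = parse_bfd_detail(SAMPLE_OUTPUT)
    print("local detection time (ms):", local_detection_ms(parsed))
    print("findings:", check(parsed) or "none")
```

With the 500 ms intervals and multiplier 3 from Step 4, both ends lose the pseudowire's BFD session after 1.5 seconds of silence, which is the figure to compare against any convergence or alerting target.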
Debugging the BFD Configuration
Use these debug commands to troubleshoot the BFD VCCV configuration.
Command: debug condition xconnect peer ipaddress vcid vcid
Purpose: Allows conditional filtering of debug messages based on VC ID.
Command: debug mpls l2 vc vccv events
Purpose: Debugs any transport over MPLS (AToM) VCCV events.
Command: debug mpls l2 vc vccv bfd events
Purpose: Enables the debug event messages during the creation of a BFD session. This command enables
debug event messages when BFD sends the data plane fault notification to L2VPN and also when
L2VPN sends the attachment circuit signaling status to BFD.
Configuring MPLS Features on a SIP
Many of the MPLS features supported on the FlexWAN and Enhanced FlexWAN modules on the
Cisco 7600 series router are also supported by the SIPs. For a list of the supported MPLS features on the
SIPs, see Chapter 3, “Overview of the SIPs and SSC.”
This section describes those MPLS features that have SIP-specific configuration guidelines. After you
review the SIP-specific guidelines described in this document, then refer to the following URL for more
information about configuring MPLS features:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexmpls.html
This section includes the following topics:
• Configuring Any Transport over MPLS on a SIP, page 4-80
• Configuring Hierarchical Virtual Private LAN Service (H-VPLS) with MPLS to the Edge, page 4-83
• Configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS) on the Cisco 7600
SIP-600, page 4-83
Configuring Any Transport over MPLS on a SIP
Any Transport over MPLS (AToM) transports Layer 2 packets over a Multiprotocol Label Switching
(MPLS) backbone. AToM uses a directed Label Distribution Protocol (LDP) session between edge
routers for setting up and maintaining connections. Forwarding occurs through the use of two levels of
labels, switching between the edge routers. The external label (tunnel label) routes the packet over the
MPLS backbone to the egress Provider Edge (PE) at the ingress PE. The VC label is a demuxing label
that determines the connection at the tunnel endpoint (the particular egress interface on the egress PE as
well as the virtual path identifier [VPI]/virtual channel identifier [VCI] value for an ATM Adaptation
Layer 5 [AAL5] protocol data unit [PDU], the data-link connection identifier [DLCI] value for a Frame
Relay PDU, or the virtual LAN [VLAN] identifier for an Ethernet frame).
For specific information about configuring AToM features, refer to the FlexWAN and Enhanced
FlexWAN Module Installation and Configuration Note located at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexmpls.html
Note When referring to the FlexWAN documentation, be sure to note any SIP-specific configuration
guidelines described in this document.
Cisco 7600 SIP-200 AToM Features
The Cisco 7600 SIP-200 supports the following AToM features:
• ATM over MPLS (ATMoMPLS)—AAL5 VC mode
• Ethernet over MPLS (EoMPLS)—(Single cell relay) VC mode
• Frame Relay over MPLS (FRoMPLS)
• FRoMPLS with dMLFR—Supported between the CE and PE devices.
• High-Level Data Link Control (HDLC) over MPLS (HDLCoMPLS)
• PPP over MPLS (PPPoMPLS)—Not supported with dMLPPP or dLFI
• Hierarchical QoS for EoMPLS VCs
Cisco 7600 SIP-200 AToM Configuration Guidelines
When configuring AToM with a Cisco 7600 SIP-200, consider the following guidelines:
• You cannot use a SIP-200 and an Ethernet SPA on the customer-facing side because the Ethernet
SPA is a Layer 3 only interface.
• Because the SIP-200 supports WAN interfaces, you can use the SIP-200 for non-Ethernet access
(FR,HDLC,ATM,PPP) at the customer-facing side.
• For VLAN-based xconnect (also called line card-based EoMPLS), the customer-facing port must be
a Layer 2 port and the backbone-facing card must be a Layer 3 port.
• The SIP-200 does not support dot1q subinterface-based xconnect towards the edge.
Cisco 7600 SIP-400 AToM Features
The Cisco 7600 SIP-400 supports the following AToM features:
• ATMoMPLS—AAL0 mode (single cell relay only; packed cell relay from the 12.2(33) release onwards)
• ATMoMPLS—AAL5 mode
• ATMoMPLS—Port mode cell relay (from Cisco IOS 12.2(33) SRD release onwards)
• EoMPLS—Port mode
• EoMPLS—VLAN mode
• FRoMPLS—DLCI mode
• TDM over MPLS (Starting from Cisco IOS release 12.2(33) SRD onwards)
• Beginning in Cisco IOS Release 12.2(33)SRA:
– Hierarchical QoS for EoMPLS VCs
– HDLCoMPLS
– PPPoMPLS
– ATM local switching
Cisco 7600 SIP-400 AToM Configuration Guidelines
When configuring AToM with a Cisco 7600 SIP-400, consider the following guidelines:
• The Cisco 7600 SIP-400 is not supported with a Supervisor Engine 1, Supervisor Engine 1A,
Supervisor Engine 2, or Supervisor Engine 720 PFC3A.
• The Cisco 7600 SIP-400 is not supported with PFC-2-based systems.
• For AToM in Cisco IOS 12.2SX releases, the Cisco 7600 SIP-400 does not support the following
features when they are located in the data path. This means you should not configure the following
features if the SIP is facing the customer edge (CE) or the MPLS core:
– HDLCoMPLS
– PPPoMPLS
– VPLS
• For AToM beginning in Cisco IOS Release 12.2(33)SRA, the Cisco 7600 SIP-400 supports the
following features on CE-facing interfaces:
– HDLCoMPLS
– PPPoMPLS
– VPLS
• The Cisco 7600 SIP-400 supports EoMPLS with directly connected provider edge (PE) devices
when the Cisco 7600 SIP-400 is on the MPLS core side of the network.
• The Cisco 7600 SIP-400 does not support the ability to enable or disable tunneling of Layer 2
packets, such as for the VLAN Trunking Protocol (VTP), Cisco Discovery Protocol (CDP), and
bridge protocol data unit (BPDU). The Cisco 7600 SIP-400 tunnels BPDUs, and always blocks VTP
and CDP packets from the tunnel.
• In ATMoMPLS AAL5 and cell mode, the Cisco 7600 SIP-400 supports non-matching VPIs/VCIs
between PEs if the Cisco 7600 SIP-400 is on both sides of the network.
• The Cisco 7600 SIP-400 supports matching on FR-DE to set MPLS-EXP for FRoMPLS.
• The Cisco 7600 SIP-400 does not support the following QoS classification features with AToM:
– Matching on data-link connection identifier (DLCI) is unsupported.
– Matching on virtual LAN (VLAN) is unsupported.
– Matching on class of service (CoS) is unsupported in Cisco IOS Release 12.2(18)SXE and
Cisco IOS Release 12.2(18)SXE2 only. Beginning in Cisco IOS Release 12.2(18)SXF, it is
supported with the 2-Port Gigabit Ethernet SPA.
– Matching on input interface is unsupported.
– Matching on packet length is unsupported.
– Matching on media access control (MAC) address is unsupported.
– Matching on protocol type, including Border Gateway Protocol (BGP), is unsupported.
Understanding MPLS Imposition on the Cisco 7600 SIP-400 to Set MPLS Experimental Bits
The MPLS imposition function encapsulates non-MPLS frames (such as Ethernet, VLAN, Frame Relay,
ATM, or IP) into MPLS frames. MPLS disposition performs the reverse function.
An input QoS policy map is applied to ingress packets before MPLS imposition takes place. This means
that the packets are treated as non-MPLS frames, so any MPLS-related matches have no effect. In the
case of marking experimental (EXP) bits using the set mpls experimental command, the information is
passed to the AToM or MPLS component to set the EXP bits. After imposition takes place, the frame
becomes an MPLS frame and an output QoS policy map (if it exists) can apply MPLS-related criteria.
On the egress side, an output QoS policy map is applied to the egress packets after MPLS disposition
takes place. This means that packets are treated as non-MPLS frames, so any MPLS-related criteria have
no effect. Before disposition, the frame is an MPLS frame and the input QoS policy map (if it exists) can
apply MPLS-related criteria.
The Encoded Address Recognition Logic (EARL) is a centralized processing engine for learning and
forwarding packets based upon MAC address on the Cisco 7600 series router supervisor engines. The
EARL stores the VLAN, MAC address, and port relationships. These relationships are used to make
switching decisions in hardware. The EARL engine also performs MPLS imposition, and the MPLS EXP
bits are copied either from the IP TOS field (using trust dscp or trust precedence mode), or from the
DBUS header QoS field (using trust cos mode).
When using the 2-Port Gigabit Ethernet SPA with the Cisco 7600 SIP-400 as the customer-side interface
configured for 802.1Q encapsulation for IP imposition with MPLS, the Layer 2 CoS value is not
automatically copied into the corresponding MPLS packet’s EXP bits. Instead, the value in the IP
precedence bits is copied.
To maintain the 802.1Q CoS values, classify the imposition traffic on the customer-facing Gigabit
Ethernet interface in the input direction to match on CoS value, and then set the MPLS experimental
action for that class as shown in the following example:
Router(config)# class-map cos0
Router(config-cmap)# match cos 0
Router(config-cmap)# exit
!
Router(config)# class-map cos1
Router(config-cmap)# match cos 1
Router(config-cmap)# exit
!
Router(config)# policy-map policy1
Router(config-pmap)# class cos0
Router(config-pmap-c)# set mpls experimental imposition 0
Router(config-pmap-c)# exit
Router(config-pmap)# class cos1
Router(config-pmap-c)# set mpls experimental imposition 1
Cisco 7600 SIP-600 AToM Features
The Cisco 7600 SIP-600 supports the following AToM features:
• Any Transport over MPLS (AToM) support—EoMPLS only (Encoded Address Recognition Logic
[EARL]-based and SIP-based EoMPLS)
Configuring Hierarchical Virtual Private LAN Service (H-VPLS) with MPLS to the Edge
The Cisco 7600 SIP-400 and Cisco 7600 SIP-600 support the H-VPLS with MPLS to the Edge feature.
For more information about VPLS support on the SIPs, see the “Configuring Virtual Private LAN
Service” section on page 4-67.
Configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS) on the Cisco 7600
SIP-600
Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS)
enables you to dynamically route and forward traffic with different class of service (CoS) values onto
different TE tunnels between the same tunnel headend and the same tailend. The TE tunnels can be
regular TE or DiffServ-aware TE (DS-TE) tunnels.
The set of TE (or DS-TE) tunnels from the same headend to the same tailend that you configure to carry
different CoS values is referred to as a “tunnel bundle.” Tunnels are “bundled” by creating a master
tunnel and then attaching member tunnels to the master tunnel. After configuration, CBTS dynamically
routes and forwards each packet into the tunnel that meets the following requirements:
• Is configured to carry the CoS of the packet
• Has the right tailend for the destination of the packet
Because CBTS offers dynamic routing over DS-TE tunnels and requires minimum configuration, it
greatly eases deployment of DS-TE in large-scale networks.
CBTS can distribute all CoS values on eight different tunnels.
CBTS also allows the TE tunnels of a tunnel bundle to exit headend routers through different interfaces.
CBTS configuration involves performing the following tasks:
• Creating multiple (DS-) TE tunnels with the same headend and tailend and indicating on each of these
tunnels which CoSs are to be transported on the tunnel.
• Creating a master tunnel, attaching the member tunnels to it, and making the master tunnel visible
for routing.
MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS) Configuration Guidelines
When configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS), consider the
following guidelines:
• CBTS has the following prerequisites:
– MPLS enabled on all tunnel interfaces
– Cisco Express Forwarding (CEF) or distributed CEF (dCEF) enabled in general configuration
mode
• CBTS has the following restrictions:
– For a given destination, all CoS values are carried in tunnels terminating at the same tailend.
Either all CoS values are carried in tunnels or no values are carried in tunnels. In other words,
for a given destination, you cannot map some CoS values in a DS-TE tunnel and other CoS
values in a Shortest Path First (SPF) Label Distribution Protocol (LDP) or SPF IP path.
– No LSP is established for the master tunnel and regular traffic engineering attributes
(bandwidth, path option, fast reroute) are irrelevant on a master tunnel. TE attributes
(bandwidth, bandwidth pool, preemption, priorities, path options, and so on) are configured
completely independently for each tunnel.
– CBTS does not allow load-balancing of a given EXP value in multiple tunnels. If two or more
tunnels are configured to carry a given experimental (EXP) value, CBTS picks one of these
tunnels to carry this EXP value.
– CBTS supports aggregate control of bumping (that is, it is possible to define default tunnels to
be used if other tunnels go down). However, CBTS does not allow control of bumping if the
default tunnel goes down. CBTS does not support finer-grain control of bumping. For example,
you cannot specify that voice is redirected to T2 if the voice tunnel goes down but that video is
redirected to T3 if the video tunnel goes down.
– The operation of CBTS is not supported with Any Transport over MPLS (AToM), MPLS TE
Automesh, or label-controlled (LC)-ATM.
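Added example, not from the Cisco guide: a Python audit of CBTS member tunnels against the restrictions above, using the tunnel mpls traffic-eng exp command that the following procedure configures. The sample configuration, tunnel numbers, the 192.0.2.1 address, the space-separated EXP list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: three member tunnels from one headend to one tailend.
# Tunnel numbers and the 192.0.2.1 address are placeholders, not values from the guide.
SAMPLE_CONFIG = """\
interface Tunnel65
 ip unnumbered Loopback0
 tunnel destination 192.0.2.1
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng exp 5
!
interface Tunnel66
 ip unnumbered Loopback0
 tunnel destination 192.0.2.1
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng exp 3 4
!
interface Tunnel67
 ip unnumbered Loopback0
 tunnel destination 192.0.2.1
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng exp default
!
"""

IFACE_RE = re.compile(r"^interface\s+Tunnel\s*(\d+)\s*$", re.IGNORECASE)
DEST_RE = re.compile(r"^\s+tunnel destination\s+(\S+)\s*$")
EXP_RE = re.compile(r"^\s+tunnel mpls traffic-eng exp\s+(.+?)\s*$")


def parse_members(config):
    """Map tunnel number -> {'dest': str or None, 'exp': set of ints, 'default': bool}."""
    tunnels, current = {}, None
    for line in config.splitlines():
        iface = IFACE_RE.match(line)
        if iface:
            current = {"dest": None, "exp": set(), "default": False}
            tunnels[int(iface.group(1))] = current
        elif not line.startswith(" "):
            current = None  # "!" or another top-level stanza ends the interface
        elif current is not None:
            dest, exp = DEST_RE.match(line), EXP_RE.match(line)
            if dest:
                current["dest"] = dest.group(1)
            elif exp:
                for token in exp.group(1).split():
                    if token == "default":
                        current["default"] = True
                    elif token.isdigit() and int(token) <= 7:
                        current["exp"].add(int(token))
                    else:
                        raise ValueError(f"bad EXP token {token!r}: values range from 0 to 7")
    # A tunnel without an exp statement (for example the master) is not a member here.
    return {n: t for n, t in tunnels.items() if t["exp"] or t["default"]}


def audit(members):
    """Findings against the CBTS restrictions listed above; an empty list means none."""
    findings = []
    tailends = sorted({str(t["dest"]) for t in members.values()})
    if len(tailends) > 1:
        findings.append(f"members terminate at different tailends: {tailends}")
    for exp in range(8):
        owners = sorted(n for n, t in members.items() if exp in t["exp"])
        if len(owners) > 1:
            findings.append(f"EXP {exp} is configured on tunnels {owners}; CBTS carries it on only one")
    if not any(t["default"] for t in members.values()):
        findings.append("no default tunnel is configured to carry unallocated EXP values "
                        "or those of a tunnel that is down")
    return findings


def carrier_for(exp, members, down=frozenset()):
    """Tunnel that the configuration designates for `exp`, or None if it designates none."""
    owners = [n for n, t in members.items() if exp in t["exp"]]
    if len(owners) > 1:
        return None  # CBTS picks one of them; the guide does not say which
    if owners and owners[0] not in down:
        return owners[0]
    # Unallocated EXP, or its tunnel is down: the default tunnel takes over if it is up.
    defaults = [n for n, t in members.items() if t["default"] and n not in down]
    return defaults[0] if len(defaults) == 1 else None


if __name__ == "__main__":
    bundle = parse_members(SAMPLE_CONFIG)
    print("findings:", audit(bundle) or "none")
    for value in range(8):
        print(f"EXP {value} -> Tunnel{carrier_for(value, bundle)}")
```

Calling carrier_for with a set of down tunnels shows the aggregate bumping behaviour: an EXP value moves to the default tunnel when its own tunnel is down, and has no designated carrier once the default tunnel is down as well.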
Creating Multiple MPLS Member TE or DS-TE Tunnels from the Same Headend to the Same Tailend
SUMMARY STEPS
Step 1 interface tunnel number
Step 2 ip unnumbered type number
Step 3 tunnel destination {hostname | ip-address}
Step 4 tunnel mode mpls traffic-eng
Step 5 tunnel mpls traffic-eng bandwidth [sub-pool | global] bandwidth
Step 6 tunnel mpls traffic-eng exp [list-of-exp-values] [default]
Step 7 exit
DETAILED STEPS
Perform the following task to create multiple MPLS member TE or DS-TE tunnels with the same
headend and same tailend and to configure EXP values to be carried by each of these tunnels. The
procedure begins in global configuration mode.
Step 1 Router(config)# interface tunnel number
Purpose: Configures a tunnel interface type and enters interface configuration mode.
• number—Number of the tunnel interface that you want to create or configure.
Step 2 Router(config-if)# ip unnumbered type number
Purpose: Enables IP processing on an interface without assigning an explicit IP address to the interface.
• type—Type of another interface on which the router has an assigned IP address.
• number—Number of another interface on which the router has an assigned IP address. It cannot be
another unnumbered interface.
Step 3 Router(config-if)# tunnel destination {hostname | ip-address}
Purpose: Specifies the destination of the tunnel for this path option.
• hostname—Name of the host destination.
• ip-address—IP address of the host destination expressed in four-part, dotted decimal notation.
Step 4 Router(config-if)# tunnel mode mpls traffic-eng
Purpose: Sets the mode of a tunnel to MPLS for TE.
Step 5 Router(config-if)# tunnel mpls traffic-eng bandwidth [sub-pool | global] bandwidth
Purpose: Configures the bandwidth for the MPLS TE tunnel. If automatic bandwidth is configured for the
tunnel, use the tunnel mpls traffic-eng bandwidth command to configure the initial tunnel bandwidth,
which is adjusted by the auto-bandwidth mechanism.
• sub-pool—(Optional) Indicates a subpool tunnel.
• global—(Optional) Indicates a global pool tunnel. Entering this keyword is not necessary, for all
tunnels are global pool in the absence of the sub-pool keyword. But if users of pre-DiffServ-aware
Traffic Engineering (DS-TE) images enter this keyword, it is accepted.
• bandwidth—Bandwidth, in kilobits per second, set aside for the MPLS traffic engineering tunnel.
Range is between 1 and 4294967295.
Note You can configure any existing mpls traffic-eng command on these TE or DS-TE tunnels.
Step 6 Router(config-if)# tunnel mpls traffic-eng exp [list-of-exp-values] [default]
Purpose: Specifies an EXP value or values for an MPLS TE tunnel.
• list-of-exp-values—EXP value or values that are to be carried by the specified tunnel. Values
range from 0 to 7.
• default—The specified tunnel is to carry all EXP values that are:
– Not explicitly allocated to another tunnel
– Allocated to a tunnel that is currently down
Step 7 Router(config-if)# exit
Purpose: Exits to global configuration mode.
Step 8 Repeat steps 1 through 7 on the same headend router to create additional tunnels from this
headend to the same tailend.
Creating a Master Tunnel, Attaching Member Tunnels, and Making the Master Tunnel Visible
SUMMARY STEPS
Step 1 interface tunnel number
Step 2 ip unnumbered type number
Step 3 tunnel destination {hostname | ip-address}
Step 4 tunnel mode mpls traffic-eng exp-bundle master
Step 5 tunnel mode mpls traffic-eng exp-bundle member tunnel-id
Step 6 tunnel mpls traffic-eng autoroute announce
Step 7 tunnel mpls traffic-eng autoroute metric absolute | relative value
DETAILED STEPS
Perform the followings task to create a master tunnel, attach member tunnels to it, and make the master
tunnel visible for routing. The procedure begins in global configuration mode.
Command Purpose
Step 1 Router(config)# interface tunnel number Configures a tunnel interface type and enters
interface configuration mode.
• number—Number of the tunnel interface that
you want to create or configure.
Step 2 Router(config-if)# ip unnumbered type number Enables IP processing on an interface without
assigning an explicit IP address to the interface.
• type—Type of another interface on which the
router has an assigned IP address.
• number—Number of another interface on which
the router has an assigned IP address. It cannot
be another unnumbered interface.
Step 3 Router(config-if)# tunnel destination {hostname |
ip-address}
Specifies the destination of the tunnel for this path
option.
• hostname—Name of the host destination.
• ip-address—IP address of the host destination
expressed in four-part, dotted decimal notation.
Step 4 Router(config-if)# tunnel mode mpls traffic-eng
exp-bundle master
Specifies this is the master tunnel for the CBTS
configuration.
Step 5 Router(config-if)# tunnel mode mpls traffic-eng
exp-bundle member tunnel-id
Attaches a member tunnel to the master tunnel.
• tunnel-id—Number of the tunnel interface to be
attached to the master tunnel.
Repeat this command for each member tunnel.4-88
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 4 Configuring the SIPs and SSC
Configuration Tasks
Step 6 Router(config-if)# tunnel mpls traffic-eng autoroute
announce
Specifies that the Interior Gateway Protocol (IGP)
should use the tunnel (if the tunnel is up) in its
enhanced SPF calculation.
Step 7 Router(config-if)# tunnel mpls traffic-eng autoroute
metric absolute | relative value
(Optional) Specifies the MPLS TE tunnel metric that
the IGP enhanced SPF calculation uses.
• absolute—Indicates the absolute metric mode;
you can enter a positive metric value.
• relative—Indicates the relative metric mode;
you can enter a positive, negative, or zero value.
• value—Metric that the IGP enhanced SPF
calculation uses. The relative value can be from
–10 to 10.
Note Even though the value for a relative metric
can be from –10 to +10, configuring a tunnel
metric with a negative value is considered a
misconfiguration. If the metric to the tunnel
tailend appears to be 4 from the routing
table, then the cost to the tunnel tailend
router is actually 3 because 1 is added to the
cost for getting to the loopback address. In
this instance, the lowest value that you can
configure for the relative metric is -3.
Note Alternatively, static routing could be used instead of autoroute to make the TE or DS-TE tunnels visible
for routing.
Verifying That the MPLS TE or DS-TE Tunnels Are Operating and Announced to the IGP
The following show commands can be used to verify that the MPLS TE or DS-TE tunnels are operating
and announced to the IGP. The commands are all entered in privileged EXEC configuration mode.
Command Purpose
Router# show mpls traffic-eng topology {A.B.C.D | igp-id
{isis nsap-address | ospf A.B.C.D}} [brief]
Shows the MPLS traffic engineering global topology as
currently known at this node.
• A.B.C.D—Specifies the node by the IP address (router
identifier to interface address).
• igp-id—Specifies the node by IGP router identifier.
• isis nsap-address—Specifies the node by router
identification (nsap-address) if you are using IS-IS.
• ospf A.B.C.D—Specifies the node by router identifier if
you are using OSPF.
• brief—Provides a less detailed version of the topology.
Router# show mpls traffic-eng exp Displays EXP mapping.
Router# show ip cef [type number] [detail] Displays entries in the forwarding information base (FIB) or
displays a summary of the FIB.
• type number—Identifies the interface type and number
for which to display FIB entries.
• detail—Displays detailed FIB entry information.
Router# show mpls forwarding-table [network {mask |
length}] [detail]
Displays the contents of the MPLS label forwarding
information base (LFIB).
• network—Identifies the destination network number.
• mask—Identifies the network mask to be used with the
specified network.
• length—Identifies the number of bits in the destination
mask.
• detail—Displays information in long form (includes
length of encapsulation, length of MAC string, maximum
transmission unit [MTU], and all labels).
Router# show mpls traffic-eng autoroute Displays tunnels that are announced to the Interior Gateway
Protocol (IGP).
The show mpls traffic-eng topology command output displays the MPLS TE global topology:
Router# show mpls traffic-eng topology 10.0.0.1
IGP Id: 10.0.0.1, MPLS TE Id:10.0.0.1 Router Node (ospf 10 area 0) id 1
link[0]: Broadcast, DR: 180.0.1.2, nbr_node_id:6, gen:18
frag_id 0, Intf Address:180.0.1.1
TE metric:1, IGP metric:1, attribute_flags:0x0
SRLGs: None
physical_bw: 100000 (kbps), max_reservable_bw_global: 1000 (kbps)
max_reservable_bw_sub: 0 (kbps)
Global Pool Sub Pool
Total Allocated Reservable Reservable
BW (kbps) BW (kbps) BW (kbps)
--------------- ----------- ----------
bw[0]: 0 1000 0
bw[1]: 0 1000 0
bw[2]: 0 1000 0
bw[3]: 0 1000 0
bw[4]: 0 1000 0
bw[5]: 0 1000 0
bw[6]: 0 1000 0
bw[7]: 100 900 0
link[1]: Broadcast, DR: 180.0.2.2, nbr_node_id:7, gen:19
frag_id 1, Intf Address:180.0.2.1
TE metric:1, IGP metric:1, attribute_flags:0x0
SRLGs: None
physical_bw: 100000 (kbps), max_reservable_bw_global: 1000 (kbps)
max_reservable_bw_sub: 0 (kbps)
Global Pool Sub Pool
Total Allocated Reservable Reservable
BW (kbps) BW (kbps) BW (kbps)
--------------- ----------- ----------
bw[0]: 0 1000 0
bw[1]: 0 1000 0
bw[2]: 0 1000 0
bw[3]: 0 1000 0
bw[4]: 0 1000 0
bw[5]: 0 1000 0
bw[6]: 0 1000 0
bw[7]: 0 1000 0
The show mpls traffic-eng exp command output displays EXP mapping information about a tunnel:
Router# show mpls traffic-eng exp
Destination: 10.0.0.9
Master: Tunnel10   Status: IP
Members:   Status           Conf EXP   Actual EXP
Tunnel1    UP/ACTIVE        5          5
Tunnel2    UP/ACTIVE        default    0 1 2 3 4 6 7
Tunnel3    UP/INACTIVE(T)   2
Tunnel4    DOWN             3
Tunnel5    UP/ACTIVE        (NE)
(T)=Tailend is different to master
(NE)=There is no exp value configured on this tunnel.
The show ip cef detail command output displays detailed FIB entry information for a tunnel:
Router# show ip cef tunnel1 detail
IP CEF with switching (Table Version 46), flags=0x0
31 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 2
2 instant recursive resolutions, 0 used background process
8 load sharing elements, 8 references
6 in-place/0 aborted modifications
34696 bytes allocated to the FIB table data structures
universal per-destination load sharing algorithm, id 9EDD49E1
1(0) CEF resets
Resolution Timer: Exponential (currently 1s, peak 1s)
Tree summary:
8-8-8-8 stride pattern
short mask protection disabled
31 leaves, 23 nodes using 26428 bytes
Table epoch: 0 (31 entries at this epoch)
Adjacency Table has 13 adjacencies
10.0.0.9/32, version 45, epoch 0, per-destination sharing
0 packets, 0 bytes
tag information set, all rewrites inherited
local tag: tunnel head
via 0.0.0.0, Tunnel1, 0 dependencies
traffic share 1
next hop 0.0.0.0, Tunnel1
valid adjacency
tag rewrite with Tu1, point2point, tags imposed {12304}
0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes
The show mpls forwarding-table detail command output displays detailed information from the MPLS
LFIB:
Router# show mpls forwarding 10.0.0.9 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
Tun hd Untagged 10.0.0.9/32 0 Tu1 point2point
MAC/Encaps=14/18, MRU=1500, Tag Stack{12304}, via Fa6/0
00027D884000000ED70178A88847 03010000
No output feature configured
Per-exp selection: 1
Untagged 10.0.0.9/32 0 Tu2 point2point
MAC/Encaps=14/18, MRU=1500, Tag Stack{12305}, via Fa6/1
00027D884001000ED70178A98847 03011000
No output feature configured
Per-exp selection: 2 3
Untagged 10.0.0.9/32 0 Tu3 point2point
MAC/Encaps=14/18, MRU=1500, Tag Stack{12306}, via Fa6/1
00027D884001000ED70178A98847 03012000
No output feature configured
Per-exp selection: 4 5
Untagged 10.0.0.9/32 0 Tu4 point2point
MAC/Encaps=14/18, MRU=1500, Tag Stack{12307}, via Fa6/1
00027D884001000ED70178A98847 03013000
No output feature configured
Per-exp selection: 0 6 7
The show mpls traffic-eng autoroute command output displays tunnels that are announced to the
Interior Gateway Protocol (IGP).
Router# show mpls traffic-eng autoroute
MPLS TE autorouting enabled
destination 10.0.0.9, area ospf 10 area 0, has 4 tunnels
Tunnel1 (load balancing metric 20000000, nexthop 10.0.0.9)
(flags: Announce)
Tunnel2 (load balancing metric 20000000, nexthop 10.0.0.9)
(flags: Announce)
Tunnel3 (load balancing metric 20000000, nexthop 10.0.0.9)
(flags: Announce)
Tunnel4 (load balancing metric 20000000, nexthop 10.0.0.9)
(flags: Announce)
Troubleshooting
This section describes how to troubleshoot common ATMoMPLS and EoMPLS issues.
Scenarios/Problems Solution
How do I list all the L2transport
VCs and their status (whether up
or down), and also the
pseudowire destination IP
address?
Use the show mpls l2 vc command. This example displays detailed status for a
specific VC:
Router# show mpls l2 vc 1100 detail
Local interface: VFI VPLS-1100 up
MPLS VC type is VFI, internetworking type is Ethernet
Destination address: 1.1.1.1,VC ID:1100, VC status: up
Output interface: Tu0,imposed label stack {27 17}
Preferred path: not configured
Default path: active
Next hop:point2point
Create time:2d23h, last status change time: 2d23h
Signaling protocol: LDP, peer 1.1.1.1:0 up
MPLS VC labels: local 17, remote 17
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics
packet totals: receive 1146978, send 3856011
byte totals: receive 86579172, send 316899920
packet drops: receive 0, send 0
These examples show the status of the active and backup pseudowires before, during,
and after a switchover:
Router# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        UP
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        STANDBY
The show mpls l2 vc detail command on the backup PE router displays the status of
the pseudowires as shown in this example. The active pseudowire on the backup PE
router has the HOTSTANDBY status.
Router-standby# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        HOTSTANDBY
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        DOWN
During a switchover, the status of the active and backup pseudowires changes:
Router# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        RECOVERING
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        DOWN
After the switchover is complete, the recovering pseudowire shows a status of UP:
Router# show mpls l2 vc detail
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
AT0/2/0.1      ATM VPC CELL 50            10.1.1.2        100        UP
AT0/2/0.1      ATM VPC CELL 50            10.1.1.3        100        STANDBY
How do I verify whether the LDP
neighborship is established
between the PE routers?
Use the show mpls ldp neighbor command. This example shows a sample output of
the command:
PE1#show mpls ldp neighbor
Peer LDP Ident: 11.11.11.11:0; Local LDP Ident 10.10.10.10:0
TCP connection: 11.11.11.11.32784 - 10.10.10.10.646
State: Oper; Msgs sent/rcvd: 1073/1061; UPstream
Up time: 14:53:49
LDP discovery sources:
GigabitEthernet1/1, Src IP addr: 110.110.110.1
Targeted Hello 10.10.10.10 -> 11.11.11.11, active <<-- This should be 'active'.
Addresses bound to peer LDP Ident:
11.11.11.11 7.23.8.20 120.120.120.2 110.110.110.1
How do I check locally generated
LDP PDUs?
Use the show mpls ldp discovery command. This example displays a sample output
of the command:
Router# show mpls ldp discovery
Local LDP Identifier:
10.1.1.1:0
Discovery Sources:
Interfaces:
Ethernet1/1/3 (ldp): xmit/recv
LDP Id: 172.23.0.77:0
LDP Id: 10.144.0.44:0
LDP Id: 10.155.0.55:0
ATM3/0.1 (ldp): xmit/recv
LDP Id: 10.203.0.7:2
ATM0/0.2 (tdp): xmit/recv
TDP Id: 10.119.0.1:1
Targeted Hellos:
10.8.1.1 -> 10.133.0.33 (ldp): active, xmit/recv
LDP Id: 10.133.0.33:0
10.8.1.1 -> 192.168.7.16 (tdp): passive, xmit/recv
TDP Id: 10.133.0.33:0
Router#
Configuring QoS Features on a SIP
This section describes configuration of the SIP-specific QoS features using the Modular QoS
command-line interface (CLI). Before referring to any other QoS documentation for the platform or in
the Cisco IOS software, use this section to determine SIP-specific QoS feature support and configuration
guidelines.
For additional details about QoS concepts and features in Cisco IOS 12.2 releases, you can then refer to
the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2, at
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/fqos_c.html
This section includes the following topics:
• General QoS Feature Configuration Guidelines
• Configuring QoS Features Using MQC
• Configuring QoS Traffic Classes on a SIP
• Configuring QoS Class-Based Marking Policies on a SIP
• Configuring QoS Congestion Management and Avoidance Policies on a SIP
• Configuring Dual-Priority Queuing on a Cisco 7600 SIP-400
• Configuring Priority Percent on a Policy-Map on a Cisco 7600 SIP-400
• Configuring Percent Priority and Percent Bandwidth Support on a Cisco 7600 SIP-400
• Configuring QoS Traffic Shaping Policies on a SIP
• Configuring QoS Traffic Policing Policies on a SIP
• Attaching a QoS Traffic Policy to an Interface
• Configuring Network-Based Application Recognition and Distributed Network-Based Application
Recognition
• Configuring Hierarchical QoS on a SIP
• Configuring PFC QoS on a Cisco 7600 SIP-600
• Configuring IPv6 Hop-by-Hop Header Security
General QoS Feature Configuration Guidelines
This section identifies some general QoS feature guidelines for certain types of SPAs. You can find other
feature-specific SIP and SPA configuration guidelines and restrictions in the other QoS sections of this
chapter.
ATM SPA QoS Configuration Guidelines
Follow these guidelines for the 2-Port and 4-Port OC-3c/STM-1 ATM SPA:
• In the ingress direction, all QoS features are supported by the Cisco 7600 SIP-200.
• In the egress direction:
– All queueing-based features (such as class-based weighted fair queueing [CBWFQ], and ATM
per-VC WFQ, WRED, and shaping) are implemented on the segmentation and reassembly
(SAR) processor on the SPA.
– Policing is implemented on the SIP.
– Class queue shaping is not supported.
Effective from the 15.1(2)S release onward, all the QoS features for the ATM SPA are applicable to the
CEoP SPA. For more information on configuring QoS features on CEoP SPAs, see Chapter 10,
“Configuring the CEoP and Channelized ATM SPAs”.
Ethernet SPA QoS Configuration Guidelines
For the Ethernet SPAs, the following QoS behavior applies:
• In both the ingress and egress directions, all QoS features calculate packet size similarly to how
packet size calculation is performed by the FlexWAN and Enhanced FlexWAN modules on the
Cisco 7600 series router.
• Specifically, all features consider the IEEE 802.3 Layer 2 headers and the Layer 3 protocol payload.
The CRC, interframe gap, and preamble are not included in the packet size calculations.
Note For Fast Ethernet SPAs, QoS cannot change the speed of an interface (for example, Fast Ethernet SPAs
cannot change QoS settings whenever an interface speed is changed between 100 and 10 Mbps). When
the speed is changed, the user must also adjust the QoS setting accordingly.
Configuring QoS Features Using MQC
The Modular QoS CLI (MQC) is a CLI structure that allows users to create traffic policies and attach
these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. A
traffic class is used to select traffic, while the QoS features in the traffic policy determine how to treat
the classified traffic.
If you apply a traffic policy at a main interface that also contains subinterfaces, then all of the traffic that
goes through the subinterfaces is processed according to the policy at the main interface. For example,
if you configure a traffic shaping policy at the main interface, all of the traffic going through the
subinterfaces is aggregated and shaped to the rate defined in the traffic shaping policy at the main
interface.
To configure QoS features using the Modular QoS CLI on the SIPs, complete the following basic steps:
Step 1 Define a traffic class using the class-map command.
Step 2 Create a traffic policy by associating the traffic class with one or more QoS features (using the
policy-map command).
Step 3 Attach the traffic policy to the interface using the service-policy command.
Beginning in Cisco IOS Release 12.2(33)SRE, the MQC policy support that exists on ATM VCs is
extended to ATM PVPs.
For a complete discussion about MQC, refer to the Modular Quality of Service Command-Line Interface
Overview Chapter of the Cisco IOS Quality of Service Solutions Configuration Guide,
Release 12.2 publication at:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html
Configuring QoS Traffic Classes on a SIP
Use the QoS classification features to select your network traffic and categorize it into classes for further
QoS processing based on matching certain criteria. The default class, named class-default, receives any
traffic that does not match any of the selection criteria in the configured class maps.
QoS Traffic Class Configuration Guidelines
When configuring traffic classes on a SIP, consider the following guidelines:
• You can define up to 256 unique class maps.
• A single class map can contain up to 8 different match command statements.
• For ATM bridging, Frame Relay bridging, MPB, and BCP features, the following matching features
are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
– Matching on ATM CLP bit (input interface only)
– Matching on CoS
– Matching on Frame Relay DE bit (input interface only)
– Matching on Frame Relay DLCI
– Matching on inner CoS
– Matching on inner VLAN
– Matching on IP DSCP
– Matching on IP precedence
– Matching on VLAN
• The Cisco 7600 SIP-600 does not support combining matches on QoS group or input VLAN with
other types of matching criteria (for example, access control lists [ACLs]) in the same class or policy
map.
• The Cisco 7600 SIP-400 supports matching on ACLs for routed traffic only. Matching on ACLs is
not supported for bridged traffic.
• The SIP-400 does not support dynamic, time-based, or tos-matching ACLs. The SIP-400 also does
not support the log option in ACL.
• When configuring hierarchical QoS on the Cisco 7600 SIP-600, if you configure matching on an
input VLAN in a parent policy, then only matching on a QoS group is supported in the child policy.
• For support of specific matching criteria by SIP, see Table 4-13.
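The guidelines above can be checked offline before a configuration is applied. The following Python check is an added example, not part of the Cisco guide: it parses class-map blocks from configuration text and reports violations of the limits listed above and of a hand-transcribed subset of the "Not supported" cells in Table 4-13. The sample configuration, class names, and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

MAX_CLASS_MAPS = 256         # "You can define up to 256 unique class maps."
MAX_MATCHES_PER_CLASS = 8    # "up to 8 different match command statements"
ALL_SIPS = {"SIP-200", "SIP-400", "SIP-600"}

# Subset of the "Not supported" cells of Table 4-13: match form -> SIPs lacking it.
UNSUPPORTED = {
    "class-map": {"SIP-400", "SIP-600"},
    "ip rtp": {"SIP-400", "SIP-600"},
    "packet length": {"SIP-400", "SIP-600"},
    "atm clp": {"SIP-600"},
    "fr-de": {"SIP-600"},
    "fr-dlci": {"SIP-600"},
    "cos inner": {"SIP-600"},
    "vlan": {"SIP-200"},
    "vlan inner": {"SIP-600"},
    "qos-group": {"SIP-400"},
    "not": {"SIP-600"},
    "mac address": ALL_SIPS,
    "destination-address mac": ALL_SIPS,
    "source-address mac": ALL_SIPS,
}
# SIP-600 guideline: these may not share a class with other kinds of criteria.
SIP600_EXCLUSIVE = ("qos-group", "input vlan")

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """\
class-map match-any VOICE
 match ip dscp ef
 match ip precedence 5
class-map EOMPLS-PARENT
 match input vlan 100
 match access-group name EDGE-ACL
class-map match-all RTP-MEDIA
 match ip rtp 16384 16383
class-map match-any WIDE
 match ip dscp af11
 match ip dscp af12
 match ip dscp af13
 match ip dscp af21
 match ip dscp af22
 match ip dscp af23
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
"""

@dataclass
class ClassMap:
    name: str
    mode: str
    matches: list = field(default_factory=list)

HEADER = re.compile(r"^class-map(?:\s+(match-all|match-any))?\s+(\S+)\s*$")

def parse_class_maps(config):
    """Return the class maps defined in IOS configuration text."""
    maps, current = [], None
    for raw in config.splitlines():
        words = raw.split()
        header = HEADER.match(raw)
        if header:
            # match-all is the default when neither keyword is given
            current = ClassMap(header.group(2), header.group(1) or "match-all")
            maps.append(current)
        elif current and raw[:1].isspace() and len(words) > 1 and words[0] == "match":
            current.matches.append(" ".join(words[1:]))
        elif raw and not raw[:1].isspace():
            current = None   # any other top-level line ends the class map
    return maps

def table_form(criterion):
    """Longest transcribed match form that prefixes the criterion, or None."""
    for form in sorted(UNSUPPORTED, key=len, reverse=True):
        if criterion == form or criterion.startswith(form + " "):
            return form
    return None

def lint(maps, sip):
    """Return (class-name, message) findings for class maps used on `sip`."""
    findings = []
    unique = {cm.name for cm in maps}
    if len(unique) > MAX_CLASS_MAPS:
        findings.append(("*", f"{len(unique)} class maps, limit is {MAX_CLASS_MAPS}"))
    for cm in maps:
        if len(cm.matches) > MAX_MATCHES_PER_CLASS:
            findings.append((cm.name, f"{len(cm.matches)} match statements, "
                                      f"limit is {MAX_MATCHES_PER_CLASS}"))
        for crit in cm.matches:
            form = table_form(crit)
            if form and sip in UNSUPPORTED[form]:
                findings.append((cm.name, f"'match {form}' is not supported on {sip}"))
        if sip == "SIP-600":
            exclusive = [c for c in cm.matches if c.startswith(SIP600_EXCLUSIVE)]
            if exclusive and len(exclusive) < len(cm.matches):
                findings.append((cm.name, "input VLAN or QoS group match "
                                          "combined with other criteria"))
    return findings

if __name__ == "__main__":
    for sip in sorted(ALL_SIPS):
        for name, message in lint(parse_class_maps(SAMPLE_CONFIG), sip):
            print(f"{sip}: {name}: {message}")
```

A classification that the line card does not support means the policy attached to that class never sees the intended traffic, so running a check like this in configuration review catches the gap before deployment.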
SUMMARY STEPS
Step 1 class-map [match-all | match-any] class-name
Step 2 match type
DETAILED STEPS
To create a user-defined QoS traffic class, use the following commands beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# class-map [match-all |
match-any] class-name
Creates a traffic class, where:
• match-all—(Optional) Specifies that all match
criteria in the class map must be matched, using a
logical AND of all matching statements defined
under the class. This is the default.
• match-any—(Optional) Specifies that one or more
match criteria must match, using a logical OR of all
matching statements defined under the class.
• class-name—Specifies the user-defined name of the
class.
Note You can define up to 256 unique class maps.
Step 2 Router(config-cmap)# match type Specifies the matching criterion to be applied to the
traffic, where type represents one of the forms of the
match command supported by the SIP as shown in
Table 4-13.
Note A single class-map can contain up to 8 different
match command statements.
Table 4-13 provides information about which QoS classification features are supported for SIPs on the
Cisco 7600 series router. For more information about most of the commands documented in this table,
refer to the Cisco IOS Quality of Service Solutions Command Reference.
Table 4-13 QoS Classification Feature Compatibility by SIP

Matching on access control list (ACL) number (match access-group command)
• Cisco 7600 SIP-200: Supported for all SPAs with the following types of ACLs:
– Protocols—ICMP, IGMP, EIGRP, OSPF, PIM, and GRE
– Source and destination port
– TCP flags
– ToS (DSCP and precedence)
• Cisco 7600 SIP-400: Supported for all SPAs with the following types of ACLs:
– Source and destination port
– TCP flag (IPv4 only)
– IP address (IPv6 compress mode only)
• Cisco 7600 SIP-600: Supported for all SPAs with the following types of ACLs:
– IPv4 and IPv6
– Protocols—ICMP, IGMP, UDP, and MAC
– Source and destination ports
– TCP flags
– ToS

Matching on ACL name (match access-group name command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs.

Match on any packet (match any command)
Note Not supported for user-defined class maps.
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs.

Matching on ATM cell loss priority (CLP) (match atm clp command)
• Cisco 7600 SIP-200:
– Supported for all ATM SPAs.
– Cisco IOS Release 12.2(33)SRA—Support added for ATM CLP matching with RFC 1483 bridging features.
• Cisco 7600 SIP-400:
– Supported for all ATM SPAs on ATM input interface only.
– Cisco IOS Release 12.2(33)SRA—Support added for ATM CLP matching with RFC 1483 bridging features on ATM input interface only.
• Cisco 7600 SIP-600: Not supported.

Matching on class map (match class-map command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Matching on Class of Service (CoS) (match cos command)
• Cisco 7600 SIP-200: Supported in Cisco IOS Release 12.2(33)SRA on the 4-Port and 8-Port Fast Ethernet SPA using dot1q encapsulation.
• Cisco 7600 SIP-400:
– Supported on Fast Ethernet SPAs from 12.2(33)SRD onwards.
– 2-Port Gigabit Ethernet SPA only—Input and output 802.1Q tagged frames.
– Cisco IOS Release 12.2(33)SRA—Support added for inner CoS matching with bridging features.
• Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(33)SRA for switchport queueing.
Note CoS classification is available through PFC QoS using MAC address ACLs.

Matching on inner CoS (match cos inner command)
• Cisco 7600 SIP-200:
– Supported for all SPAs.
– Cisco IOS Release 12.2(33)SRA—Support added for inner CoS matching with bridging features.
• Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA on the 2-Port Gigabit Ethernet SPA and Fast Ethernet SPA from 12.2(33)SRD:
– Input and output interfaces
– Inner CoS matching with bridging features
• Cisco 7600 SIP-600: Not supported.

Match on Frame Relay discard eligibility (DE) bit (match fr-de command)
• Cisco 7600 SIP-200:
– Supported for Frame Relay input and output interfaces.
– Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DE matching with Frame Relay bridging features.
• Cisco 7600 SIP-400:
– Supported for a Frame Relay input interface only.
– Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DE matching with Frame Relay bridging features on input Frame Relay interface only.
Note Because the Cisco 7600 SIP-400 acts as a Frame Relay data terminal equipment (DTE) device only, and not a data communications equipment (DCE) device, the Cisco 7600 SIP-400 does not support dropping of frames that match on FR DE bits; however, other QoS actions are supported.
• Cisco 7600 SIP-600: Not supported.

Match on Frame Relay data-link connection identifier (DLCI) (match fr-dlci command)
• Cisco 7600 SIP-200:
– Supported for Frame Relay input and output interfaces.
– Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DLCI matching with Frame Relay bridging features.
• Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA on Frame Relay input and output interfaces, and with Frame Relay bridging features.
• Cisco 7600 SIP-600: Not supported.

Match on input VLAN (match input vlan command—Matches the VLAN from an input interface)
• Cisco 7600 SIP-200: Supported for EoMPLS interfaces.
• Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA—Output interface only, and with bridging features.
Note Service policy is applied on the output interface of the Cisco 7600 SIP-400 to match the VLAN from the input interface.
• Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(33)SRA—Output interface only for software-based EoMPLS.
Note The service policy is applied on the output interface of the Cisco 7600 SIP-600 to match the VLAN from the input interface. If you configure matching on an input VLAN in a parent policy with hierarchical QoS, then only matching on QoS group is supported in the child policy.

Match on IP DSCP (match ip dscp command)
• Cisco 7600 SIP-200:
– Supported for all SPAs.
– Cisco IOS Release 12.2(33)SRA—Support added for IP DSCP matching with bridging features on an input interface only.
• Cisco 7600 SIP-400:
– Supported for all SPAs.
– Cisco IOS Release 12.2(33)SRA—Support added for IP DSCP matching with bridging features.
• Cisco 7600 SIP-600: Supported for all SPAs.

Match on DSCP (match dscp command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs.

Match on IP (match IP command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs.

Match on IP precedence (match ip precedence command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400:
– Supported for all SPAs.
– Cisco IOS Release 12.2(33)SRA—Support added for IP precedence matching with bridging features.
• Cisco 7600 SIP-600: Supported for all SPAs.

Match on IP Real-Time Protocol (RTP) (match ip rtp command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Match on MAC address for an ACL name (match mac address command)
• Cisco 7600 SIP-200: Not supported.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Match on destination MAC address (match destination-address mac command)
• Cisco 7600 SIP-200: Not supported.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Match on source MAC address (match source-address mac command)
• Cisco 7600 SIP-200: Not supported.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Match on MPLS experimental (EXP) bit (match mpls experimental command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs.

Match on Layer 3 packet length in IP header (match packet length command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Match on QoS group (match qos-group command)
• Cisco 7600 SIP-200: Supported in Cisco IOS Release 12.2(33)SRA—Output interface only.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Supported in software-based EoMPLS configurations only using hierarchical QoS, where the parent policy configures matching on input VLAN and the child policy configures matching on QoS group.

Match on protocol (match protocol command)
• Cisco 7600 SIP-200: Not supported for NBAR.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Supports matching on IP and IPv6.

Match on VLAN (match vlan command—Matches the outer VLAN of a Layer 2 802.1Q frame)
• Cisco 7600 SIP-200: Not supported.
• Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA:
– Input and output interfaces
– Outer VLAN ID matching for 802.1Q tagged frames
• Cisco 7600 SIP-600: Supported in Cisco IOS Release 12.2(33)SRA:
– Output interface only
– Outer VLAN ID matching for 802.1Q tagged frames

Match on VLAN Inner (match vlan inner command—Matches the innermost VLAN of the 802.1Q tag in the Layer 2 frame)
• Cisco 7600 SIP-200:
– Supported for all SPAs.
– Cisco IOS Release 12.2(33)SRA—Support added for inner VLAN ID matching with bridging features.
• Cisco 7600 SIP-400: Supported in Cisco IOS Release 12.2(33)SRA:
– Input and output interface
– Inner VLAN ID matching with bridging features
• Cisco 7600 SIP-600: Not supported.

Match ATM VCI (match atm-vci command)
• Cisco 7600 SIP-200: Not supported.
• Cisco 7600 SIP-400: Supported on ATM PVP.
• Cisco 7600 SIP-600: Not supported.

No match on specified criteria (match not command)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Not supported.

Configuring QoS Class-Based Marking Policies on a SIP
After you have created your traffic classes, you can configure traffic policies with marking features that
apply certain actions to the selected traffic in those classes.
In most cases, the purpose of a packet mark is identification. After a packet is marked, downstream
devices identify traffic based on the marking and categorize the traffic according to network needs. This
categorization occurs when the match commands in the traffic class are configured to identify the
packets by the mark (for example, match ip precedence, match ip dscp, match cos, and so on). The
traffic policy using this traffic class can then set the appropriate QoS features for the marked traffic.
In some cases, the markings can be used for purposes besides identification. Distributed WRED, for
instance, can use the IP precedence, IP DSCP, or MPLS EXP values to detect and drop packets. In ATM
networks, the CLP bit of the packet is used to determine the precedence of packets in a congested
environment. If congestion occurs in the ATM network, packets with the CLP bit set to 1 are dropped
before packets with the CLP bit set to 0. Similarly, the DE bit of a Frame Relay frame is used to
determine the priority of a frame in a congested Frame Relay network. In Frame Relay networks, frames
with the DE bit set to 1 are dropped before frames with the DE bit set to 0.
QoS Class-Based Marking Policy Configuration Guidelines
When configuring class-based marking on a SIP, consider the following guidelines:
• Packet marking is supported on interfaces, subinterfaces, and ATM virtual circuits (VCs). In an
ATM PVC, you can configure packet marking in the same traffic policy where you configure the
queueing actions, on a per-VC basis. However, only PVC configuration of service policies is
supported for classes using multipoint bridging (MPB) match criteria.
• For ATM bridging, Frame Relay bridging, MPB, and BCP features, the following marking features
are supported on bridged frames beginning in Cisco IOS Release 12.2(33)SRA:
– Set ATM CLP bit (output interface only)
– Set Frame Relay DE bit (output interface only)
– Set inner CoS
• If a service policy configures both class-based marking and marking as part of a policing action, then
the marking using policing takes precedence over any class-based marking.
• The Cisco 7600 SIP-600 supports marking on input interfaces only.
• For support of specific marking criteria by SIP, see Table 4-14.
SUMMARY STEPS
Step 1 policy-map policy-map-name
Step 2 class class-name | class-default
Step 3 set type
DETAILED STEPS
To configure a QoS traffic policy with class-based marking, use the following commands beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# policy-map
policy-map-name
Creates or modifies a traffic policy and enters policy map
configuration mode, where:
• policy-map-name—Specifies the name of the traffic
policy to configure. Names can be a maximum of 40
alphanumeric characters.
Step 2 Router(config-pmap)# class class-name |
class-default
Specifies the name of the traffic class to which this policy
applies and enters policy-map class configuration mode,
where:
• class-name—Specifies that the policy applies to a
user-defined class name previously configured.
• class-default—Specifies that the policy applies to
the default traffic class.
Step 3 Router(config-pmap-c)# set type Specifies the marking action to be applied to the traffic,
where type represents one of the forms of the set
command supported by the SIP as shown in Table 4-14.
Table 4-14 provides information about which QoS class-based marking features are supported for SIPs
on the Cisco 7600 series router.
Table 4-14 QoS Class-Based Marking Feature Compatibility by SIP

Set ATM CLP bit (set atm-clp command—Marks the ATM cell loss bit with value of 1)
• Cisco 7600 SIP-200:
– Supported for ATM output interfaces only.
– Cisco IOS Release 12.2(33)SRA—Support added for ATM CLP marking on output interfaces also with RFC 1483 bridging features.
• Cisco 7600 SIP-400: Supported for ATM SPA output interfaces only.
• Cisco 7600 SIP-600: Not supported.

Set discard class (set discard-class command—Marks the packet with a discard class value for per-hop behavior)
• Cisco 7600 SIP-200: Not supported.
• Cisco 7600 SIP-400: Not supported.
• Cisco 7600 SIP-600: Not supported.

Set Frame Relay DE bit (set fr-de command—Marks the Frame Relay discard eligibility bit with value of 1)
• Cisco 7600 SIP-200:
– Supported for Frame Relay output interfaces only.
– Cisco IOS Release 12.2(33)SRA—Support added for Frame Relay DE marking on output interfaces only with Frame Relay bridging features.
• Cisco 7600 SIP-400: Supported for Frame Relay output interfaces only.
• Cisco 7600 SIP-600: Not supported.

Set DSCP
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set Precedence
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set IP DSCP (set ip dscp command—Marks the IP differentiated services code point [DSCP] in the type of service [ToS] byte with a value from 0 to 63)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs on an input interface.

Set IP precedence (set ip precedence command—Marks the precedence value in the IP header with a value from 0 to 7.)
• Cisco 7600 SIP-200: Supported for all SPAs.
• Cisco 7600 SIP-400: Supported for all SPAs.
• Cisco 7600 SIP-600: Supported for all SPAs on an input interface.
For more detailed information about configuring class-based marking features, refer to the Class-Based
Marking document located at the following URL:
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/cbpmark2.html
Note When referring to other class-based marking documentation, be sure to note any SIP-specific
configuration guidelines described in this document.
Configuring QoS Congestion Management and Avoidance Policies on a SIP
This section describes SIP- and SPA-specific information for configuring QoS traffic policies for
congestion management and avoidance features. These features are generally referred to as queueing
features.
QoS Congestion Management and Avoidance Policy Configuration Guidelines
When configuring queueing features on a SIP, consider the following guidelines:
Set Layer 2 802.1Q CoS
(set cos command—Marks
the CoS value from 0 to 7 in
an 802.1Q tagged frame)
• Supported for all SPAs.
• In Cisco IOS Release
12.2(33)SRA—Not
supported with set cos-inner
command on the same
interface.
Supported in Cisco IOS
Release 12.2(33)SRA.
Not supported.
Set Layer 2 802.1Q CoS
(set cos-inner
command—Marks the inner
CoS field from 0 to 7 in a
bridged frame)
Supported in Cisco IOS Release
12.2(33)SRA with bridging
features on the 4-Port and 8-Port
Fast Ethernet SPA.
Supported in Cisco IOS
Release 12.2(33)SRA with
bridging features.
Not supported.
Set MPLS experimental
(EXP) bit on label imposition
(set mpls experimental
imposition command)
Supported for all SPAs. Supported for all SPAs.
Note The table keyword is
not supported.
Supported for all SPAs on
an input interface.
Set MPLS EXP on topmost
MPLS label
(set mpls experimental
topmost command)
Supported for all SPAs. Supported for all SPAs. Not supported.
Set QoS group
(set qos-group
command—Marks the packet
with a QoS group
association)
Not supported. Not supported. Supported only for
software-based EoMPLS
on an input SPA
switchport interface.
Table 4-14 QoS Class-Based Marking Feature Compatibility by SIP (continued)
Marking Feature (set
command) Cisco 7600 SIP-200 Cisco 7600 SIP-400 Cisco 7600 SIP-6004-106
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 4 Configuring the SIPs and SSC
Configuration Tasks
• The Cisco 7600 series router supports different forms of queueing features. See Table 4-15 to
determine which queueing features are supported by SIP type.
• When configuring queueing on the Cisco 7600 SIP-400, consider the following guidelines:
– A queue on the Cisco 7600 SIP-400 is not assured any minimum bandwidth.
– You cannot configure bandwidth or shaping with queueing under the same class in a service
policy on the Cisco 7600 SIP-400.
– If you want to define bandwidth parameters and priority under different classes in the same
service policy on the Cisco 7600 SIP-400, then you can only use the bandwidth remaining
percent command. The Cisco 7600 SIP-400 does not support other forms of the bandwidth
command with priority in the same service policy.
• You can use policing with queueing to limit the traffic rate.
• On the Cisco 7600 SIP-400, WRED is supported on bridged VCs with classification on precedence
and DSCP values. On other SIPs, WRED does not work on bridged VCs (for example, VCs that
implement MPB).
• When configuring WRED on the Cisco 7600 SIP-400, consider the following guidelines:
– WRED is supported on bridged VCs with classification on precedence and DSCP values.
– WRED explicit congestion notification (ECN) is not supported for output traffic on ATM SPAs.
– ECN is supported for IP traffic on output POS interfaces only.
– You can use the low-order TOS bits in the IP header for explicit congestion notification (ECN)
for WRED. If you configure random-detect ecn in a service policy and apply it to either a POS
interface or a VC on a POS interface, then if at least one of the ECN bits is set and the packet
is a candidate for dropping, the Cisco 7600 SIP-400 marks both ECN bits. If either one of the
ECN bits is set, the Cisco 7600 SIP-400 will not drop the packet.
– WRED ECN is not supported for MPLS packets.
• On the Cisco 7600 SIP-400, the default queue limit is calculated on the following basis:
– As of Cisco IOS Release 12.2(33)SRB, the default queue limit is calculated based on the
number of 250-byte packets that the SIP can transmit in one half of a second. For example, for
an OC-3 SPA with a rate of 155 Mbps, the default queue limit is 38,750 packets (155000000 x
0.5 / (250 x 8)). As of Cisco IOS Release 12.2(33)SRB, configurable values for queue-limit and
WRED thresholds are in units of 250-byte buffers when configuring these parameters on a
SIP-400.
– When configured in Cisco IOS 12.2(33) SXF Release and Cisco IOS 12.2(33)SRA Release, the
configured queue-limit and WRED thresholds on the SIP-400 are in units of packets, regardless
of the packet size.
• For more detailed information about configuring congestion management features, refer to the Cisco
IOS Quality of Service Solutions Configuration Guide document corresponding to your Cisco IOS
software release.
Table 4-15 provides information about which QoS queueing features are supported for SIPs on the
Cisco 7600 series router.
Note Effective with Cisco IOS Release 15.0(1)S, the fair-queue (WFQ) command is not available on Cisco
IOS Software. Use the MQC equivalent fair-queue (WFQ) command in the Legacy QoS Command
Deprecation feature document at:
http://www.cisco.com/en/US/docs/ios/ios_xe/qos/configuration/guide/legacy_qos_cli_deprecation_xe.html
Table 4-15 QoS Congestion Management and Avoidance Feature Compatibility by SIP and SPA Combination
Columns: Congestion Management and Avoidance Feature; Cisco 7600 SIP-200; Cisco 7600 SIP-400;
Cisco 7600 SIP-600

Aggregate Weighted Random Early Detection (random-detect aggregate, random-detect dscp
(aggregate), and random-detect precedence (aggregate) commands)
  Cisco 7600 SIP-200: Supported for ATM SPA PVCs only—Cisco IOS Release 12.2(18)SXE and later
  and in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-400: Supported for ATM SPA PVCs only—Cisco IOS Release 12.2(18)SXE and later
  and in Cisco IOS Release 12.2(33)SRA.
  Cisco 7600 SIP-600: Supported for all SPAs. For more information on configuring aggregate
  WRED, see the “Configuring Aggregate WRED for PVCs” section on page 7-30.

Class-based Weighted Fair Queueing (CBWFQ) (bandwidth, queue-limit commands)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Dual-Queue Support (priority and priority level commands)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Supported for all SPAs—Cisco IOS Release 12.2(33)SRB and later.
  Cisco 7600 SIP-600: Not supported.

Flow-based Queueing (fair queueing/WFQ) (fair-queue command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Low Latency Queueing (LLQ)/Queueing (priority command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Supported for all SPAs.
  Cisco 7600 SIP-600: Supported for all SPAs.

Random Early Detection (RED) (random-detect commands)
  Cisco 7600 SIP-200: Supported for all SPAs.
  • ATM SPAs—Up to 106 unique WRED minimum threshold (min-th), maximum threshold (max-th), and
    mark probability profiles supported.
  • Other SPAs—Up to 128 unique WRED min-th, max-th, and mark probability profiles supported.
  Cisco 7600 SIP-400: Supported for all SPAs.
  • ATM SPAs—Up to 106 unique WRED minimum threshold (min-th), maximum threshold (max-th), and
    mark probability profiles supported.
  • Other SPAs—Up to 128 unique WRED min-th, max-th, and mark probability profiles supported.
  Cisco 7600 SIP-600: Not supported.

Weighted RED (WRED)
  Cisco 7600 SIP-200: Supported for all SPAs, with the following exception:
  • WRED is not supported on bridged VCs.
  Cisco 7600 SIP-400: Supported for all SPAs, with the following restriction:
  • WRED is supported on bridged VCs with classification on precedence and DSCP values.
  Cisco 7600 SIP-600: Not supported.

Priority percent on Policy Map
  Cisco 7600 SIP-200: Supported
  Note Priority percent is not supported in ATM SPAs for both SIP200 and SIP400.
  Cisco 7600 SIP-400: Supported
  Note Priority percent is not supported in ATM SPAs for both SIP200 and SIP400.
  Cisco 7600 SIP-600: Not Supported

All QoS features in ingress
  Cisco 7600 SIP-200: Supported
  Cisco 7600 SIP-400: Supported
  Cisco 7600 SIP-600: Supported

Strict priority and Ingress, no queueing
  Cisco 7600 SIP-200: Supported
  Cisco 7600 SIP-400: Supported
  Cisco 7600 SIP-600: Supported

Policing, classification, policing and marking in egress
  Cisco 7600 SIP-200: Supported
  Cisco 7600 SIP-400: Supported
  Cisco 7600 SIP-600: Supported

Oversubscription
  Cisco 7600 SIP-200: Supported
  Cisco 7600 SIP-400: Supported
  Note In Cisco IOS 12.2(33)SRB Release, oversubscription is only supported for two 2-Port Copper
  and Optical Gigabit Ethernet SPAs.
  Note In the Cisco IOS 12.2(33)SRC Release support for oversubscription is extended to the 1-Port
  10-Gigabit Ethernet SPA. Ingress oversubscription is only supported on Ethernet SPAs.
  Note Cisco IOS 12.2(33)SRC Release supports the following specific SPA combinations:
  • Any combination of POS, ATM, CEoPs, and serial or channelized SPAs up to OC-48 aggregate
    bandwidth
  • One 2-Port Gigabit Ethernet SPA or 2-Port Copper and Optical Gigabit Ethernet SPA and up to
    OC-24 equivalents of POS, ATM, CEoPs, and serial or channelized SPAs.
  • One 2-Port Copper and Optical Gigabit Ethernet SPA or two 2-Port 5GEv2 SPAs. (These are the
    ingress oversubscription combinations. This is the only case where the SIP-400 is
    oversubscribed on ingress.)
  Cisco 7600 SIP-600: Supported

SUMMARY STEPS
Step 1 policy-map policy-map-name
Step 2 class class-name | class-default
Step 3 bandwidth bandwidth-kbps | percent percent
Step 4 queue-limit number-of-packets
DETAILED STEPS
To configure a QoS CBWFQ policy, use the following commands beginning in global configuration
mode:
Step 1
Command: Router(config)# policy-map policy-map-name
Purpose: Creates or modifies a traffic policy and enters policy map configuration mode, where:
• policy-map-name—Specifies the name of the traffic policy to configure. Names can be a maximum
of 40 alphanumeric characters.
Step 2
Command: Router(config-pmap)# class class-name | class-default
Purpose: Specifies the name of the traffic class to which this policy applies and enters policy-map
class configuration mode, where:
• class-name—Specifies that the policy applies to a user-defined class name previously configured.
• class-default—Specifies that the policy applies to the default traffic class.
Step 3
Command: Router(config-pmap-c)# bandwidth bandwidth-kbps | percent percent
Purpose: Specifies the bandwidth allocated to a class belonging to a policy map.
Note The amount of bandwidth configured should be large enough to also accommodate Layer 2
overhead.
• bandwidth-kbps—Specifies the amount of bandwidth, in number of kbps, to be assigned to a class.
• percent—Specifies the amount of guaranteed bandwidth, based on the absolute percent of available
bandwidth.
• percentage—Used in conjunction with the percent keyword, the percentage of the total available
bandwidth to be set aside for the priority classes.
Note If strict priority is assigned to a class in the parent policy, and control packets do not fall
in that class, the interface may flap between the UP and DOWN states as the strict priority consumes
the entire bandwidth.
See Sample Configuration Scenario for a sample scenario illustrating this effect.
Step 4
Command: Router(config-pmap-c)# queue-limit number-of-packets
Purpose: Specifies the maximum number of packets the queue can hold for a class policy configured
in a policy map.
• number-of-packets—A number in the range 1-65536 specifying the maximum number of packets that
the queue for this class can accumulate.
Sample Configuration Scenario
Router#show policy-map interface
GigabitEthernet3/3/0
Service-policy output: policy_map_1
Counters last updated 00:00:02 ago
queue stats for all priority classes:
Queueing
queue limit 25000 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: classmap_1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip precedence 1
Priority: Strict, b/w exceed drops: 0
Strict priority
Class-map: class-default (match-any)
4 packets, 240 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
queue limit 2 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 4/240
Router#
Router#
Router#show policy-map interface
GigabitEthernet3/3/0
Service-policy output: policy_map_1
Counters last updated 00:00:02 ago
queue stats for all priority classes:
Queueing
queue limit 25000 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: classmap_1 (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip precedence 1
Priority: Strict, b/w exceed drops: 0
Strict priority
Class-map: class-default (match-any)
4 packets, 240 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
queue limit 2 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 4/240
Router#
Router#show interface GigabitEthernet3/3/0
GigabitEthernet3/3/0 is up, line protocol is up
Hardware is GigEther SPA, address is 0023.33c5.dc40 (bia 0023.33c5.dc40)
Internet address is 9.30.65.47/16
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
BW=100000 kbps (interface bandwidth)
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 100Mbps, media type is T
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/274/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 4 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
983112 packets input, 71000650 bytes, 0 no buffer
Received 73032 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
274 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 514955 multicast, 0 pause input
6856 packets output, 519181 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Router#
Router#
Configuring Dual-Priority Queuing on a Cisco 7600 SIP-400
When configuring Dual-Priority Queuing, consider the following guidelines:
• Only two priority levels are supported.
• Level 1 is higher than level 2.
• Propagation is supported on both levels.
• A priority without a level is mapped to level 1.
• The police rate includes a Layer 2 header but not cyclic redundancy check (CRC), preamble, or
interframe gap.
• Dual-priority queuing is not supported on ATM SPAs.
SUMMARY STEPS
Step 1 priority
Step 2 priority level
Step 3 priority y ms
Step 4 priority x kbps y bytes
Step 5 priority percent x% | y ms
DETAILED STEPS
To configure dual-priority queuing, use the following commands:
Command or Action: Router(config-pmap-c)# priority
Purpose: Gives priority to a class of traffic belonging to a policy map.
Command or Action: Router(config-pmap-c)# priority level
Purpose: Configures multiple priority queues.
• level—A range of priority levels. Valid values are from 1 (high priority) to 4 (low priority).
The default is 1.
Command or Action: Router(config-pmap-c)# priority y ms
Purpose:
• ms—Specifies the burst size in bytes. The burst size configures the network to accommodate
temporary bursts of traffic.
Command or Action: Router(config-pmap-c)# priority x kbps y bytes
Purpose:
• x kbps—Specifies the burst size in kbps.
• y bytes—Specifies the burst size in bytes.
Command or Action: Router(config-pmap-c)# priority percent x% | y ms
Purpose: Enables conditional policing rate (kbps or link percent). Conditional policing is used if
the logical or physical link is congested.
Configuring Hierarchical Queuing Framework on a Cisco 7600 SIP-400
Hierarchical Queuing Framework configuration involves two modules residing on the SIP-400 line card:
the HQF client and the HQF mapper functions. The HQF client processes requests from the mapper.
The role of the mapper module is primarily to create, update, and delete queues. While configuring the
HQF, use the following guidelines:
• Only two priority levels are supported.
• Level 1 is higher than level 2.
• Propagation is supported on both levels.
• A priority without a level is mapped to level 1.
• The sum of bandwidth percentage and another queue’s bandwidth reservation must not exceed 100%
bandwidth.
• The police rate includes a Layer 2 header but not cyclic redundancy check (CRC), preamble, or
interframe gap.
• Dual-priority queuing is not supported on ATM SPAs.
SUMMARY STEPS
Step 1 policy-map policy-name
Step 2 class class-name
Step 3 priority y ms
Step 4 priority x kbps y bytes
Step 5 priority percent x% | y ms
Step 6 police rate
DETAILED STEPS
To configure dual-priority queuing, use the following commands:
Command or Action: Router(config)# policy-map policy-name
Purpose: Specifies the name of the policy map to be created or modified.
Command or Action: Router(config-pmap)# class class-name
Purpose:
• Specifies the name of a predefined class included in the service policy.
Command or Action: Router(config-pmap-c)# priority y ms
Purpose:
• ms—Specifies the burst size in bytes. The burst size configures the network to accommodate
temporary bursts of traffic.
Command or Action: Router(config-pmap-c)# priority x kbps y bytes
Purpose:
• x kbps—Specifies the burst size in kbps.
• y bytes—Specifies the burst size in bytes.
Command or Action: Router(config-pmap-c)# priority percent x% | y ms
Purpose: Enables conditional policing rate (kbps or link percent). Conditional policing is used if
the logical or physical link is congested.
Command or Action: Router(config-pmap-c)# police rate
Purpose: Sets the policing rate (in bps).
Configuring Priority Percent on a Policy-Map on a Cisco 7600 SIP-400
SUMMARY STEPS
Step 1 class-map name
Step 2 match ip precedence 0-7
Step 3 policy-map name
Step 4 class voip
Step 5 priority percent 1-100
DETAILED STEPS
To configure priority percent on a policy-map, use the following commands:
Command or Action: Router(config-pmap-c)# class-map name
Example:
Router(config-pmap-c)# class-map voip
Purpose: Specifies a class belonging to a policy map.
Command or Action: Router(config-pmap-c)# match ip precedence 0-7
Example:
Router(config-pmap-c)# match ip precedence 3
Purpose: Matches the precedence value in the IP header with a value from 0 to 7.
Command or Action: Router(config-pmap-c)# policy-map name
Example:
Router(config-pmap-c)# policy-map llq
Purpose: Specifies the name of the policy map.
Command or Action: Router(config-pmap-c)# class name
Example:
Router(config-pmap-c)# class voip
Purpose: Specifies the traffic class to which the policy applies.
Command or Action: Router(config-pmap-c)# priority percent 1-100
Example:
Router(config-pmap-c)# priority percent 23
Purpose: Enables specified conditional policing rate on the policy map.
Note Queuing for QoS features like CBWFQ, LLQ, and WRED happens on the ATM-SPA itself
(SPA-ATM-OC3/OC12/OC48 on SIP200/SIP400). Because of hardware limitations, a policy-map with
priority percent cannot work on SPA-ATM-OC3/OC12/OC48.
So while configuring dLFIoATM on SPA-ATM-OC3/OC12/OC48 on SIP200/SIP400, a
Virtual-Template interface configured with a policy-map having the priority percent command cannot be
associated to a PVC.
Configuring Percent Priority and Percent Bandwidth Support on a Cisco 7600 SIP-400
SUMMARY STEPS
Step 1 bandwidth x kbps
Step 2 bandwidth percent x%
Step 3 bandwidth remaining percent x%
DETAILED STEPS
To configure percent priority and percent bandwidth, use the following commands:
Command or Action: Router(config-pmap-c)# bandwidth x kbps
Purpose: Specifies or modifies the bandwidth allocated for a class belonging to a policy map.
Command or Action: Router(config-pmap-c)# bandwidth percent x%
Purpose: Specifies the amount of guaranteed bandwidth, based on an absolute percent of available
bandwidth.
Command or Action: Router(config-pmap-c)# bandwidth remaining percent x%
Purpose: Specifies the remaining percent—Amount of guaranteed bandwidth, based on a relative percent
of available bandwidth.
Configuring QoS Traffic Shaping Policies on a SIP
This section describes SIP- and SPA-specific information for configuring QoS traffic policies for
shaping traffic.
QoS Traffic Shaping Policy Configuration Guidelines
When configuring queueing features on a SIP, consider the following guidelines:
• The Cisco 7600 series router supports different forms of queueing features. See Table 4-16 to
determine which traffic shaping features are supported by SIP type.
• Use a hierarchical policy if you want to achieve minimum bandwidth guarantees using CBWFQ with
a Frame Relay map class. First, configure a parent policy to shape to the total bandwidth required
(on the Cisco 7600 SIP-400, use the class-default in Cisco IOS Release 12.2(18)SXF, or a
user-defined class beginning in Cisco IOS Release 12.2(33)SRA). Then, define a child policy using
CBWFQ for the minimum bandwidth percentages.
• ATM SPAs do not support MQC-based traffic shaping. You need to configure traffic shaping for
ATM interfaces using ATM Layer 2 VC shaping.
• For more detailed information about configuring congestion management features, refer to the Cisco
IOS Quality of Service Solutions Configuration Guide document corresponding to your Cisco IOS
software release.
Table 4-16 provides information about which QoS traffic shaping features are supported for SIPs on the
Cisco 7600 series router.
Table 4-16 QoS Traffic Shaping Feature Compatibility by SIP and SPA Combination
Columns: Traffic Shaping Feature (shape command); Cisco 7600 SIP-200; Cisco 7600 SIP-400;
Cisco 7600 SIP-600

Adaptive shaping for Frame Relay (shape adaptive command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Class-based shaping (shape average, shape peak commands)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Shape average is supported for all SPAs with the following exceptions:
  • Committed burst (bc)—Not supported.
  • Excess burst (be)—Not supported.
  Cisco 7600 SIP-600: Supports only shape average for all SPAs.

Policy-map class shaping of average-rate of traffic by percentage of bandwidth (shape average
percent command)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Policy-map class shaping with adaptation to backward explicit congestion notification (BECN)
(shape adaptive command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Policy-map class shaping with reflection of forward explicit congestion notification (FECN) as
BECN (shape fecn-adapt command)
  Cisco 7600 SIP-200: Supported for all SPAs.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Policy-map class shaping of peak-rate of traffic by percentage of bandwidth (shape peak percent
command)
  Cisco 7600 SIP-200: Not supported.
  Cisco 7600 SIP-400: Not supported.
  Cisco 7600 SIP-600: Not supported.

Configuring QoS Traffic Policing Policies on a SIP
This section describes SIP- and SPA-specific information for configuring QoS traffic policing policies.
QoS Traffic Policing Policy Configuration Guidelines
When configuring traffic policing on a SIP, consider the following guidelines:
• The Cisco 7600 series router supports different forms of policing using the police command. See
Table 4-17 to determine which policing features are supported by SIP type.
• When configuring policing on the Cisco 7600 SIP-600, consider the following guidelines:
– The Cisco 7600 SIP-600 supports conform-action policing on input interfaces only, unless it is
being implemented with queueing.
– The Cisco 7600 SIP-600 does not support any policing actions (shown in Table 4-18) using the
exceed-action or violate-action keywords on an input interface.
– The Cisco 7600 SIP-600 supports exceed-action policing on an output interface with a drop
action only, when the policing is being implemented with queueing.
– The Cisco 7600 SIP-600 supports marking for exceed-action policing only using the
set-dscp-transmit command.
• When configuring a policing service policy and specifying the CIR in bits per second without
specifying the optional conform (bc) or peak (be) burst in bytes, the Cisco 7600 SIP-400 calculates
the burst size based on the number of bytes that it can transmit in 250 ms using the CIR value.
For example, a CIR of 1 Mbps (or 1,000,000 bps) is equivalent to 125,000 bytes per second, which
is 125 bytes per millisecond.
The calculated burst is 250 x 125 = 31250 bytes. If the calculated burst is less than the interface
maximum transmission unit (MTU), then the interface MTU is used as the burst size.
This behavior applies through the SRE release. From Release 15.0(1)S onward, if the calculated
burst size is less than the MTU, the SIP-400 does not increase the burst size to the MTU.
• You can use policing with queueing to limit the traffic rate.
• If a service policy configures both class-based marking and marking as part of a policing action, then
the marking using policing takes precedence over any class-based marking.
• When configuring policing with MPB features on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400,
the set-cos-inner-transmit action is supported beginning in Cisco IOS Release 12.2(33)SRA.
• SIP-400 line cards do not support multiple marking actions in one police class of traffic. For
example, set-cos-inner-transmit and set-cos-transmit cannot both be configured together, as in the
following:
class accPriority
priority
police cir percent 40 pir percent 100
conform-action set-cos-inner-transmit 5
conform-action set-cos-transmit 5
• Set-mpls-experimental-topmost-transmit command configuration guidelines on the SIP-400:
Refer to Table 4-18 for QoS Policing Action Compatibility by SIP and SPA Combination.
The set-mpls-experimental-topmost-transmit command is valid for the ingress side only. It is only
effective when the SIP-400 receives a packet from the line with an MPLS tag. The
set-mpls-experimental-imposition-transmit command is effective when the imposition is done on the
ingress side.
If the SIP-400 does the imposition, it inserts the EXPERIMENTAL bit(s) directly; otherwise, it copies
the EXP bit to DBUS COS. EARL then copies the DBUS COS to EXP while doing the imposition.
This is expected behavior. So even though set-mpls-experimental-topmost-transmit is supported
on the SIP-400, it works differently in the L3VPN case, where the packet coming in from the line is
not an MPLS tagged packet.
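The default-burst rule in the policing guidelines above, and the default queue-limit formula in the queueing guidelines, can be checked against a token bucket model. This is an added example, not Cisco code: it assumes a standard single-rate, two-color token bucket (this guide says only that police uses a token bucket algorithm), and the function names and packet traces are constructed for illustration.

```python
"""Added example: SIP-400 default policer burst, modelled with a token bucket."""

TOKEN_SCALE = 8000  # tokens are counted in 1/8000 byte, so bps * ms stays an integer


def default_burst_bytes(cir_bps, mtu_bytes=1500, raise_to_mtu=True):
    """Burst used when bc/be are omitted: the bytes sent in 250 ms at the CIR.

    raise_to_mtu=True  models the rule through the SRE release (burst raised to the MTU).
    raise_to_mtu=False models Release 15.0(1)S onward (burst left below the MTU).
    """
    burst = cir_bps * 250 // 8000          # bits per second -> bytes in 250 ms
    if raise_to_mtu and burst < mtu_bytes:
        return mtu_bytes
    return burst


def default_queue_limit_packets(rate_bps):
    """Default queue limit from 12.2(33)SRB: 250-byte packets sent in half a second."""
    return rate_bps // 2 // (250 * 8)


def police(packets, cir_bps, burst_bytes):
    """Classify (time_ms, size_bytes) packets as 'conform' or 'exceed'.

    Assumed model: single-rate, two-color bucket that starts full, refills at the
    CIR, and is capped at burst_bytes. Packets must be sorted by time.
    """
    capacity = burst_bytes * TOKEN_SCALE
    tokens, last_ms, verdicts = capacity, 0, []
    for t_ms, size in packets:
        tokens = min(capacity, tokens + cir_bps * (t_ms - last_ms))
        last_ms = t_ms
        cost = size * TOKEN_SCALE
        if cost <= tokens:
            tokens -= cost
            verdicts.append("conform")
        else:
            verdicts.append("exceed")
    return verdicts


def demo():
    """Constructed traces showing what the release-dependent default changes."""
    results = {}
    # 1 Mbps CIR: 25 back-to-back 1500-byte packets against the 31250-byte default burst.
    burst = default_burst_bytes(1_000_000)
    results["1mbps_conforming"] = police([(0, 1500)] * 25, 1_000_000, burst).count("conform")
    # 8 kbps CIR (the minimum policer value): one 1500-byte packet every 10 seconds.
    trace = [(0, 1500), (10_000, 1500), (20_000, 1500)]
    for label, floor in (("through_SRE", True), ("15.0(1)S", False)):
        burst = default_burst_bytes(8000, raise_to_mtu=floor)
        results[label] = (burst, police(trace, 8000, burst))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In this model, a policer at 8 kbps with no explicit burst never passes a 1500-byte packet under the 15.0(1)S rule, because the bucket never holds more than 250 bytes. A rate limit written for an earlier release is therefore worth re-checking with an explicit burst value after an upgrade.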
Note For any policer command, the minimum policer configuration value is 8 kbps.
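Several SIP-400 guidelines in this chapter can be checked mechanically before a policy is deployed: one marking action per police class, the 8 kbps policer minimum, the bandwidth remaining percent rule when priority is used in the same policy, and strict priority that can consume the entire bandwidth. The following linter is an added example, not Cisco tooling; the rule names, the EDGE-OUT policy and the voice and bulk classes are hypothetical, and treating a policer as the remedy for unbounded strict priority is an assumption based on the guideline that policing can be used with queueing to limit the traffic rate.

```python
"""Added example: lint IOS policy-map text against SIP-400 guidelines from this guide."""
import re

# Constructed input. Class accPriority repeats the unsupported combination shown
# above; the policy name and the other classes are made up for illustration.
SAMPLE_CONFIG = """\
policy-map EDGE-OUT
 class accPriority
  priority
  police cir percent 40 pir percent 100
   conform-action set-cos-inner-transmit 5
   conform-action set-cos-transmit 5
 class voice
  priority
 class bulk
  bandwidth percent 30
  police 4000
 class class-default
  bandwidth remaining percent 20
"""

MARK_ACTION = re.compile(r"\bset-[a-z-]+-transmit\b")
POLICE_BPS = re.compile(r"^police\s+(?:cir\s+|rate\s+)?(\d+)\b")
MIN_POLICE_BPS = 8000  # minimum policer configuration value stated in the Note above


def parse_policy_maps(text):
    """Return {policy: {class: [commands]}} from indented running-config style text."""
    policies, policy, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            policy, cls = line.split(None, 1)[1], None
            policies[policy] = {}
        elif not raw[0].isspace():
            policy = cls = None          # any other top-level command ends the section
        elif policy is not None and line.startswith("class "):
            cls = line.split(None, 1)[1]
            policies[policy][cls] = []
        elif cls is not None:
            policies[policy][cls].append(line)
    return policies


def lint_sip400(text):
    """Return (policy/class, rule, detail) findings, in configuration order."""
    findings = []
    for policy, classes in parse_policy_maps(text).items():
        has_priority = any(c.split()[0] == "priority"
                           for cmds in classes.values() for c in cmds)
        for cls, cmds in classes.items():
            where = f"{policy}/{cls}"
            # One police class may carry only one marking action on the SIP-400.
            marks = sorted({m for c in cmds for m in MARK_ACTION.findall(c)})
            if len(marks) > 1:
                findings.append((where, "multiple-marking-actions", ", ".join(marks)))
            policed = any(c.startswith("police") for c in cmds)
            for c in cmds:
                rate = POLICE_BPS.match(c)
                if rate and int(rate.group(1)) < MIN_POLICE_BPS:
                    findings.append((where, "policer-below-8kbps", c))
                # With priority elsewhere in the policy, only the
                # "bandwidth remaining percent" form is allowed.
                if (c.startswith("bandwidth ") and has_priority
                        and not c.startswith("bandwidth remaining percent ")):
                    findings.append((where, "bandwidth-form-with-priority", c))
                # Assumption: a policer is what bounds a strict-priority class.
                if c == "priority" and not policed:
                    findings.append((where, "unpoliced-strict-priority", c))
    return findings


if __name__ == "__main__":
    for where, rule, detail in lint_sip400(SAMPLE_CONFIG):
        print(f"{where}: {rule}: {detail}")
```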
Table 4-17 provides information about which policing features are supported for SIPs on the Cisco 7600
series router.
Table 4-17 QoS Policing Feature Compatibility by SIP and SPA Combination
Policing Feature (police command) Cisco 7600 SIP-200 Cisco 7600 SIP-400 Cisco 7600 SIP-600
Policing by aggregate policer
(police aggregate command)
Not supported. Not supported. Supported for all
SPAs.
Policing by bandwidth using token
bucket algorithm
(police command)
Supported for all SPAs. Supported for all SPAs. Supported for all
SPAS.
Policing by committed information
rate (CIR) percentage
(police (percent) command—police
cir percent form)
Supported for all SPAs. Supported for all SPAs. Not supported.
Policing with 2-color marker (CIR
and peak information rate [PIR])
(police (two rates) command—police
cir pir form)
Supported for all SPAs. Supported for all SPAs. Supported for all
SPAs.4-120
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 4 Configuring the SIPs and SSC
Configuration Tasks
To create QoS traffic policies with policing, use the following commands beginning in global
configuration mode:
Policing by flow mask
(police flow mask command)
Not supported. Not supported. Supported for all
SPAs.
Policing by microflow
(police flow command)
Not supported. Not supported. Supported for all
SPAs.
Table 4-17 QoS Policing Feature Compatibility by SIP and SPA Combination (continued)
Policing Feature (police command) Cisco 7600 SIP-200 Cisco 7600 SIP-400 Cisco 7600 SIP-600
Step 1
Command: Router(config)# policy-map policy-map-name
Purpose: Creates or modifies a traffic policy and enters policy map configuration mode, where:
• policy-map-name—Specifies the name of the traffic policy to configure. Names can be a maximum of 40 alphanumeric characters.
Step 2
Command: Router(config-pmap)# class {class-name | class-default}
Purpose: Specifies the name of the traffic class to which this policy applies and enters policy-map class configuration mode, where:
• class-name—Specifies that the policy applies to a user-defined class name previously configured.
• class-default—Specifies that the policy applies to the default traffic class.
Use one of the following forms of police commands to evaluate traffic for the specified class. See Table 4-17 to
determine which SIPs support the different policing features.
Step 3
Command: Router(config-pmap-c)# police bps [burst-normal] [burst-max] conform-action action exceed-action action violate-action action
Purpose: Specifies a maximum bandwidth usage by a traffic class through the use of a token bucket algorithm, where:
• bps—Specifies the average rate in bits per second. Valid values are 8000 to 200000000.
• burst-normal—(Optional) Specifies the normal burst size in bytes. Valid values are 1000 to 51200000. The default normal burst size is 1500 bytes.
• burst-max—(Optional) Specifies the excess burst size in bytes. Valid values are 1000 to 51200000.
• action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.
Step 4
Command: Router(config-pmap-c)# police cir percent percentage [burst-in-msec] [bc conform-burst-in-msec] [pir percent percentage] [be peak-burst-in-msec] [conform-action action [exceed-action action [violate-action action]]]
Purpose: Configures traffic policing on the basis of a percentage of bandwidth available on an interface, where:
• cir percent percentage—Specifies the committed information rate (CIR) bandwidth percentage. Valid values are 1 to 100.
• burst-in-msec—(Optional) Burst in milliseconds. Valid values are 1 to 2000.
• bc conform-burst-in-msec—(Optional) Specifies the conform burst (bc) size used by the first token bucket for policing traffic in milliseconds. Valid values are 1 to 2000.
• pir percent percentage—(Optional) Specifies the peak information rate (PIR) bandwidth percentage. Valid values are 1 to 100.
• be peak-burst-in-msec—(Optional) Specifies the peak burst (be) size used by the second token bucket for policing traffic in milliseconds. Valid values are 1 to 2000.
• action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.
Step 5
Command: Router(config-pmap-c)# police {cir cir} [bc conform-burst] {pir pir} [be peak-burst] [conform-action action [exceed-action action [violate-action action]]]
Purpose: Configures traffic policing using two rates, the committed information rate (CIR) and the peak information rate (PIR), where:
• cir cir—Specifies the CIR at which the first token bucket is updated as a value in bits per second. Valid values are 8000 to 200000000.
• bc conform-burst—(Optional) Specifies the conform burst (bc) size in bytes used by the first token bucket for policing. Valid values are 1000 to 51200000.
• pir pir—Specifies the PIR at which the second token bucket is updated as a value in bits per second. Valid values are 8000 to 200000000.
• be peak-burst—(Optional) Specifies the peak burst (be) size in bytes used by the second token bucket for policing. The size varies according to the interface and platform in use.
• action—(Optional) Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.
Step 6
Command: Router(config-pmap-c)# police flow {bits-per-second [normal-burst-bytes] [maximum-burst-bytes] [pir peak-rate-bps]} | [conform-action action] [exceed-action action] [violate-action action]
Purpose: Configures a microflow policer, where:
• bits-per-second—Specifies the CIR in bits per second. Valid values are from 32000 to 4000000000 bits per second.
• normal-burst-bytes—(Optional) Specifies the CIR token bucket size. Valid values are from 1000 to 512000000 bytes.
• maximum-burst-bytes—(Optional) Specifies the PIR token-bucket size. Valid values are from 1000 to 32000000 bytes.
• pir peak-rate-bps—(Optional) Specifies the PIR in bits per second. Valid values are from 32000 to 4000000000 bits per second.
• action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming, exceeding, or violating traffic.
Step 7
Command: Router(config-pmap-c)# police flow mask {dest-only | full-flow | src-only} {bits-per-second [normal-burst-bytes] [maximum-burst-bytes]} [conform-action action] [exceed-action action]
Purpose: Configures a flow mask to be used for policing, where:
• dest-only—Specifies the destination-only flow mask.
• full-flow—Specifies the full-flow mask.
• src-only—Specifies the source-only flow mask.
• bits-per-second—Specifies the CIR in bits per second. Valid values are from 32000 to 4000000000 bits per second.
• normal-burst-bytes—(Optional) Specifies the CIR token bucket size. Valid values are from 1000 to 512000000 bytes.
• maximum-burst-bytes—(Optional) Specifies the PIR token bucket size. Valid values are from 1000 to 32000000 bytes.
• action—Specifies the policing command (as shown in Table 4-18) for the action to be applied to the corresponding conforming or exceeding traffic.
Step 8
Command: Router(config-pmap-c)# police aggregate name
Purpose: Specifies a previously defined aggregate policer name and configures the policy-map class to use the specified name of the aggregate policer.
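The two token buckets behind the police cir ... pir ... form in Step 5 can be followed packet by packet in a short model. This is an added example, not Cisco code: it assumes the color-blind two-rate three-color marker of RFC 2698, and the class name, function names and traffic values are constructed for illustration.

```python
"""Model of the two-rate policer configured by
    police cir <cir> bc <conform-burst> pir <pir> be <peak-burst>
Assumption: color-blind RFC 2698 behaviour; rates are in bits per second and
burst sizes in bytes, as in Step 5. Names and traffic are illustrative."""


class TwoRatePolicer:
    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        if pir_bps < cir_bps:
            raise ValueError("pir must not be lower than cir")
        self.cir, self.bc = cir_bps, bc_bytes
        self.pir, self.be = pir_bps, be_bytes
        self.tc = float(bc_bytes)   # first bucket, refilled at CIR
        self.tp = float(be_bytes)   # second bucket, refilled at PIR
        self.last = 0.0             # arrival time of the previous packet

    def classify(self, now, size):
        """Return 'conform', 'exceed' or 'violate' for one packet."""
        elapsed = now - self.last
        self.last = now
        # Tokens are bytes: rate (bits/s) / 8 * seconds, capped at bucket depth.
        self.tc = min(self.bc, self.tc + elapsed * self.cir / 8)
        self.tp = min(self.be, self.tp + elapsed * self.pir / 8)
        if size > self.tp:          # beyond the PIR bucket: no tokens consumed
            return "violate"
        if size > self.tc:          # fits the PIR bucket but not the CIR bucket
            self.tp -= size
            return "exceed"
        self.tc -= size
        self.tp -= size
        return "conform"


def police(packets, policer, actions):
    """Apply conform/exceed/violate actions to (time_s, size_bytes) packets.

    Returns (results, counters): results holds one (color, action) pair per
    packet; counters mirrors the 'conformed N packets, M bytes' lines of
    show policy-map interface output.
    """
    counters = {c: {"packets": 0, "bytes": 0}
                for c in ("conform", "exceed", "violate")}
    results = []
    for now, size in packets:
        color = policer.classify(now, size)
        counters[color]["packets"] += 1
        counters[color]["bytes"] += size
        results.append((color, actions[color]))
    return results, counters


# Constructed traffic: a 5-packet burst at t=0, then one packet every 250 ms.
SAMPLE_PACKETS = [(0.0, 500)] * 5 + [(1.0, 500), (1.25, 500), (1.5, 500), (1.75, 500)]
# Action names come from Table 4-18.
SAMPLE_ACTIONS = {"conform": "transmit", "exceed": "set-dscp-transmit", "violate": "drop"}


def run_sample():
    policer = TwoRatePolicer(cir_bps=8000, bc_bytes=1000, pir_bps=16000, be_bytes=2000)
    return police(SAMPLE_PACKETS, policer, SAMPLE_ACTIONS)


if __name__ == "__main__":
    results, counters = run_sample()
    for (t, size), (color, action) in zip(SAMPLE_PACKETS, results):
        print(f"t={t:4.2f}s size={size} -> {color:8s} {action}")
    print(counters)
```

The initial burst drains the CIR bucket after two packets and the PIR bucket after four, so the fifth packet of the burst is the only one that takes the violate action.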
Table 4-18 provides information about which policing actions are supported for SIPs on the Cisco 7600
series router.
Note: For restrictions on use of certain marking features with different types of policing actions (conform,
exceed, or violate actions), be sure to see the “QoS Traffic Policing Policy Configuration Guidelines”
section on page 4-118.
Table 4-18 QoS Policing Action Compatibility by SIP and SPA Combination
| Policing Action (set command) | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 |
| --- | --- | --- | --- |
| Drop the packet (drop command) | Supported for all SPAs. | Supported for all SPAs. | Supported for all SPAs—Input interface only. |
| Set the ATM CLP bit to 1 and transmit (set-clp-transmit command) | Supported only for ATM SPAs. | Supported only for CeoP and ATM SPAs. | Not supported. |
| Set the inner CoS value and transmit (set-cos-inner-transmit command) | Supported in Cisco IOS Release 12.2(33)SRA with bridging features. | Supported in Cisco IOS Release 12.2(33)SRA with bridging features. | Not supported. |
| Set the Frame Relay DE bit to 1 and transmit (set-frde-transmit command) | Supported for all SPAs. | Supported for all SPAs. | Not supported. |
| Set the IP precedence and transmit (set-prec-transmit command) | Supported for all SPAs. | Supported for all SPAs. | Supported for all SPAs—Input interface only. |
| Set the IP DSCP and transmit (set-dscp-transmit command) | Supported for all SPAs. | Supported for all SPAs. | Supported for all SPAs—Input interface only. |
| Set the MPLS EXP bit (0–7) on imposition and transmit (set-mpls-experimental-imposition-transmit command) | Supported for all SPAs. | Supported for all SPAs. | Supported for all SPAs. |
| Set the MPLS EXP bit in the topmost label and transmit (set-mpls-experimental-topmost-transmit command) | Supported for all SPAs. | Supported for all SPAs. Refer to QoS Traffic Class Configuration Guidelines, page 4-96 | Supported for all SPAs. |
| Transmit all packets without alteration (transmit command) | Supported for all SPAs. | Supported for all SPAs. | Supported for all SPAs. |
Attaching a QoS Traffic Policy to an Interface
Before a traffic policy can be enabled for a class of traffic, it must be configured on an interface. A traffic
policy also can be attached to an ATM permanent virtual circuit (PVC) subinterface, Frame Relay
data-link connection identifier (DLCI), and Ethernet subinterfaces.
Traffic policies can be applied for traffic coming into an interface (input), and for traffic leaving that
interface (output).
Attaching a QoS Traffic Policy for an Input Interface
When you attach a traffic policy to an input interface, the policy is applied to traffic coming into that
interface. To attach a traffic policy for an input interface, use the following command beginning in
interface configuration mode:
Command: Router(config-if)# service-policy input policy-map-name
Purpose: Attaches a traffic policy to the input direction of an interface, where:
• policy-map-name—Specifies the name of the traffic policy to configure.
Attaching a QoS Traffic Policy to an Output Interface
When you attach a traffic policy to an output interface, the policy is applied to traffic leaving that
interface. To attach a traffic policy to an output interface, use the following command beginning in
interface configuration mode:
Command: Router(config-if)# service-policy output policy-map-name
Purpose: Attaches a traffic policy to the output direction of an interface, where:
• policy-map-name—Specifies the name of the traffic policy to configure.
Configuring Network-Based Application Recognition and Distributed Network-Based Application Recognition
Note: Network-Based Application Recognition (NBAR) and Distributed Network-Based Application
Recognition (dNBAR) are supported on the Cisco 7600 SIP-200 only. The NBAR feature is not supported in
Release 15.0(1)S and later releases.
The purpose of IP quality of service (QoS) is to provide appropriate network resources (bandwidth,
delay, jitter, and packet loss) to applications. QoS maximizes the return on investments on network
infrastructure by ensuring that mission-critical applications get the required performance and noncritical
applications do not hamper the performance of critical applications.
IP QoS can be deployed by defining classes or categories of applications. These classes are defined by
using various classification techniques available in Cisco IOS software. After these classes are defined
and attached to an interface, the desired QoS features, such as marking, congestion management,
congestion avoidance, link efficiency mechanisms, or policing and shaping can then be applied to the
classified traffic to provide the appropriate network resources amongst the defined classes.
Classification, therefore, is an important first step in configuring QoS in a network infrastructure.
NBAR is a classification engine that recognizes a wide variety of applications, including web-based and
other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. When an
application is recognized and classified by NBAR, a network can invoke services for that specific
application. NBAR ensures that network bandwidth is used efficiently by classifying packets and then
applying QoS to the classified traffic. Some examples of class-based QoS features that can be used on
traffic after the traffic is classified by NBAR include:
• Class-based marking (the set command)
• Class-based weighted fair queueing (the bandwidth and queue-limit commands)
• Low latency queueing (the priority command)
• Traffic policing (the police command)
• Traffic shaping (the shape command)
Note: The NBAR feature is used for classifying traffic by protocol. The other class-based QoS features
determine how the classified traffic is forwarded and are documented separately from NBAR.
Furthermore, NBAR is not the only method of classifying network traffic so that QoS features can be
applied to classified traffic.
For information on the class-based features that can be used to forward NBAR-classified traffic, see the
individual feature modules for the particular class-based feature as well as the Cisco IOS Quality of
Service Solutions Configuration Guide.
Many of the non-NBAR classification options for QoS are documented in the “Modular Quality of
Service Command-Line Interface” section of the Cisco IOS Quality of Service Solutions Configuration
Guide. These commands are configured using the match command in class map configuration mode.
NBAR introduces several new classification features that identify applications and protocols from
Layer 4 through Layer 7:
• Statically assigned TCP and UDP port numbers
• Protocols that are non-UDP and non-TCP
• Dynamically assigned TCP and UDP port numbers. Classification of such applications requires
stateful inspection; that is, the ability to discover the data connections to be classified by parsing the
connections where the port assignments are made.
• Sub-port classification or classification based on deep packet inspection; that is, classification by
looking deeper into the packet.
NBAR can classify static port protocols. Although access control lists (ACLs) can also be used for this
purpose, NBAR is easier to configure and can provide classification statistics that are not available when
using ACLs.
NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols
that are traversing an interface. The Protocol Discovery feature discovers any protocol traffic
supported by NBAR. Protocol Discovery maintains the following per-protocol statistics for enabled
interfaces: total number of input and output packets and bytes, and input and output bit rates. The
Protocol Discovery feature captures key statistics associated with each protocol in a network that can be
used to define traffic classes and QoS policies for each traffic class.
For specific information about configuring NBAR and dNBAR, refer to the Network-Based Application
Recognition and Distributed Network-Based Application Recognition feature documentation located at
the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm
Configuring Hierarchical QoS on a SIP
Table 4-19 provides information about where the hierarchical QoS features for SPA interfaces are
supported.
Table 4-19 Hierarchical QoS Feature Compatibility by SIP and SPA Combination
| Feature | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 |
| --- | --- | --- | --- |
| Hierarchical QoS for EoMPLS VCs | Supported for all SPAs in Cisco IOS Release 12.2(18)SXE and later, and in Cisco IOS Release 12.2(33)SRA. | Supported for all SPAs beginning in Cisco IOS Release 12.2(33)SRA. | Supported for all SPAs in Cisco IOS Release 12.2(18)SXF and later, and in Cisco IOS Release 12.2(33)SRA. |
| Hierarchical QoS—Tiered policy maps with parent policy using class-default only on the main interface. | Not applicable. | Supported for all SPAs in Cisco IOS Release 12.2(18)SXF and later. | Supported in Cisco IOS Release 12.2(18)SXF and later, and in Cisco IOS Release 12.2(33)SRA using match vlan command in parent policy. |
| Hierarchical QoS—Tiered policy maps with parent policy in user-defined or class-default classes on the main interface. | Supported for all SPAs in Cisco IOS Release 12.2(18)SXF and later, and in Cisco IOS Release 12.2(33)SRA. | Supported for all SPAs in Cisco IOS Release 12.2(33)SRA. | Not supported. |
Configuring Hierarchical QoS with Tiered Policy Maps
Hierarchical QoS with tiered policy maps is a configuration where the actions associated with a class
contain a queuing action (such as shaping) and a nested service policy, which in itself is a policy map
with classes and actions. This hierarchy of the QoS policy map is then translated into a corresponding
hierarchy of queues.
Hierarchical QoS with Tiered Policy Maps Configuration Guidelines
When configuring hierarchical QoS with tiered policy maps on a SIP, consider the following guidelines:
• For information about where hierarchical QoS with tiered policy maps is supported, see Table 4-19
on page 4-126.
• You can configure up to three levels of hierarchy within the policy maps.
• The parent policy map has the following restrictions on a main interface:
– In Cisco IOS Release 12.2(18)SXF and later—Supports the shape queueing action in the default
class (class-default) only.
– In Cisco IOS Release 12.2(33)SRA—Supports VLAN or ACL matching, and shape or
bandwidth queueing actions in any class, user-defined and class-default.
• When configuring hierarchical QoS for software-based EoMPLS on the Cisco 7600 SIP-600, if you
configure match input vlan in the parent policy, then you can only configure match qos-group in
the child policy.
• In hierarchical QoS, you cannot configure just a set command in the parent policy. The set command
works only if you configure other commands in the policy.
• The child policy map supports shape, bandwidth, LLQ, queue limit, and WRED QoS features.
• With hierarchical QoS on a subinterface, the parent policy map supports hierarchical QoS using the
shape average command as a queueing action in the default class (class-default) only.
• If you configure service policies at the main interface, subinterface, and VC levels, then the policy
applied at the VC level takes precedence over a policy at the interface.
• In a Frame Relay configuration, if you need to define service policies at the interface, subinterface,
and PVC at the same time, then you can use a map class.
• For a POS subinterface with a Frame Relay PVC, a service policy can be applied either at the
subinterface or at the PVC, but not both.
• Use a hierarchical policy if you want to achieve minimum bandwidth guarantees using CBWFQ with
a map class. First, configure a parent policy to shape to the total bandwidth required (use the
class-default in Cisco IOS Release 12.2(18)SXF, or a user-defined class beginning in Cisco IOS
Release 12.2(33)SRA). Then, define a child policy using CBWFQ for the minimum bandwidth
percentages.
• You can configure hierarchical QoS up to the following limits, according to the current Cisco IOS
software limits:
– Up to 1024 class maps
– Up to 1024 policy maps
– Up to 256 classes within a policy map
– Up to 8 match statements per class
• If a hierarchical policy map is applied on a SIP-400 interface, the child policy receives only
the packets that are not dropped by its parent. In other words, packets that are dropped in a
particular class of the parent policy map because of a QoS action are not visible to the child
policy maps attached to that class, and therefore are not classified by them.
The following example output illustrates this behavior:
Class-map: voip (match-any)
  16894 packets, 4375196 bytes
  30 second offered rate 116000 bps, drop rate 108000 bps
  Match: any
  Priority: 32 kbps, burst bytes 1500, b/w exceed drops: 889
  police:
    cir 100000 bps, bc 3125 bytes
    conformed 968 packets, 250362 bytes; actions:   <-- Only these are passed and the rest are dropped
      transmit
    exceeded 15926 packets, 4124834 bytes; actions:
      drop
    conformed 100000 bps, exceed 1649000 bps
  Service-policy : out
    Counters last updated 00:00:01 ago
    Class-map: prec0 (match-any)
      966 packets, 250194 bytes   <-- Only those packets which are not dropped in parent pmap are seen by this child policy-map.
      30 second offered rate 8000 bps, drop rate 7000 bps
      Match: ip precedence 0
      QoS Set
        precedence 2
          Packets marked 966
      police:
        cir 8000 bps, bc 1500 bytes
        conformed 77 packets, 19943 bytes; actions:
          transmit
        exceeded 889 packets, 230251 bytes; actions:
          drop
        conformed 8000 bps, exceed 91000 bps
Configuring Hierarchical QoS for EoMPLS VCs
The Hierarchical Quality of Service (HQoS) for EoMPLS VCs feature extends support for hierarchical,
parent and child relationships in QoS policy maps. This feature also provides EoMPLS per-VC QoS for
point-to-point VCs.
The new feature adds the ability to match the virtual LAN (VLAN) IDs that were present on a packet
when the packet was originally received by the router. It also supports the ability to match on a QoS
group that is set to the same value as the IP precedence or 802.1P class of service (CoS) bits that are
received on the incoming interface. This allows service providers to classify traffic easily for all or part
of a particular EoMPLS network, as well as to preserve the customer’s original differentiated services
(DiffServ) QoS values.
In EoMPLS applications, the parent policy map typically specifies the maximum or the minimum
bandwidth for a group of specific VCs in an EoMPLS network. Then child policy maps in the policy can
implement a different bandwidth or perform other QoS operations (such as traffic shaping) on a subset
of the selected VCs.
This feature enables service providers to provide more granular QoS services to their customers. It also
gives service providers the ability to preserve customer IP precedence or CoS values in the network.
Note: For information about where hierarchical QoS for EoMPLS VCs is supported, see Table 4-19 on
page 4-126.
For more information about configuring hierarchical QoS for EoMPLS VCs, refer to the Optical
Services Module Configuration Note located at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SR_OSM_config/OSM.pdf
Configuring PFC QoS on a Cisco 7600 SIP-600
The Cisco 7600 SIP-600 supports most of the same QoS features as those supported by the Policy
Feature Card on the Cisco 7600 series router.
This section describes those QoS features that have SIP-specific configuration guidelines. After you
review the SIP-specific guidelines described in this document, then refer to the Cisco 7600 Series Cisco
IOS Software Configuration Guide, 12.2SR located at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/swcg.html
PFC QoS on a Cisco 7600 SIP-600 Configuration Guidelines
• Output policing is not supported.
Configuring NAT
This section describes guidelines for configuring Network Address Translation (NAT). Developed by
Cisco, NAT allows a single device, such as a router, to act as an agent between the Internet public network
and a local private network.
For details on NAT refer to Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Module Configuration Guide, 2.2 located at the following URL:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/nat.html
For NAT configuration commands refer to the Cisco IOS IP Addressing Services Command Reference
located at the following URL:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html
As a general restriction, when configuring NAT, make sure that the NAT pool size is limited to 15 bits.
If you configure the NAT pool size to more than 15 bits, the following error message is displayed on the
system:
Error Message pool size should be maximum 15 bits long.
Configuring Lawful Intercept on a Cisco 7600 SIP-400
This section describes configuring Lawful Intercept on a Cisco 7600 SIP-400. For initial configuration
of the Lawful Intercept feature, see the Cisco 7600 Lawful Intercept Configuration Guide at the
following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/lawful_intercept/76licfg.html
SUMMARY STEPS
• snmp-server view viewA ciscoTap2MIB included
OR
snmp-server view viewA ciscoIpTapMIB included
• snmp-server group groupA v3 auth read viewA write viewA notify viewA
• snmp-server user user1 groupA v3 auth md5 cisco
DETAILED STEPS
To configure Lawful Intercept on a Cisco 7600 SIP-400, use the following commands:
Command: Router(config)# snmp-server view viewA ciscoTap2MIB included
Router(config)# snmp-server view viewA ciscoIpTapMIB included
Purpose: Creates a view having access to the MIBs.
Command: Router(config)# snmp-server group groupA v3 auth read viewA write viewA notify viewA
Purpose: Creates a group having access to this view.
Command: Router(config)# snmp-server user user1 groupA v3 auth md5 cisco
Purpose: Creates a user who is a member of groupA.
Configuring Security ACLs on an Access Interface on a Cisco 7600 SIP-400
This section describes configuration of the SIP-specific ACL features on access interfaces. Before
referring to any other ACL documentation for the platform or in the Cisco IOS software, use this section
to determine SIP-specific ACL feature support and configuration guidelines.
An Access Control List (ACL) is a collection of ordered permit and deny statements, referred to as
Access Control Entries (ACEs), which determine whether a particular packet will be forwarded or
dropped. An ACL offers application layer awareness, providing operational staff with some flexibility
in the level of isolation of a host. For instance, an ACL may be applied to enforce complete host isolation,
denying all traffic to and from that particular host or, alternately, to just filter certain traffic flows, while
permitting all others.
For additional details about ACL concepts and features in Cisco IOS Release 12.2, refer to the Cisco IOS
Security Configuration Guide, Release 12.2, at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
This section includes the following topics:
• Security ACL Configuration Guidelines, page 4-131
• Configuring Security ACL, page 4-131
Security ACL Configuration Guidelines
• Up to 100 unique ACLs are recommended per chassis, with a maximum of 24 ACEs per ACL for
Security ACL.
• Up to one input ACL and one output ACL are recommended for all 8K subinterfaces on the SIP.
• Source and Destination IPv4 Address, Port Number, ToS/DSCP, Protocol type, and TCP flags can
be specified in the ACEs. As of Cisco IOS Release 12.2(33)SRB, IPv6 is not supported.
• Template Security ACL is not supported as of Cisco IOS Release 12.2(33)SRB.
• Security ACLs are only supported on a Route Switch Processor 720 (RSP720) with a Cisco 7600
SIP-400.
• Standard, extended, and named ACLs are supported; other ACL types such as reflexive and
time-based ACLs are not supported.
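The guidelines above can be checked against a configuration before it is applied. This is an added example, not Cisco tooling: it parses numbered and named IPv4 ACLs from IOS-style configuration text and flags ACLs with more than 24 ACEs, more than 100 unique ACLs, reflexive (reflect, evaluate) or time-based (time-range) entries, and IPv6 ACLs. The function names and the sample configuration are constructed.

```python
"""Check IOS-style ACL configuration against the security ACL guidelines:
at most 100 unique ACLs, at most 24 ACEs per ACL, no reflexive or time-based
entries, no IPv6 ACLs. Added illustration; all names are hypothetical."""
import re

MAX_ACLS = 100
MAX_ACES = 24

NUMBERED = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\b(.*)$")
NAMED = re.compile(r"^ip access-list\s+(standard|extended)\s+(\S+)$")
IPV6 = re.compile(r"^ipv6 access-list\s+(\S+)$")
ENTRY = re.compile(r"^(?:\d+\s+)?(permit|deny|evaluate)\b(.*)$")


def parse_acls(config_text):
    """Return ({acl_name: [ace, ...]}, [ipv6_acl_name, ...])."""
    acls, ipv6, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[0].isspace()
        if (m := NUMBERED.match(line)):
            acls.setdefault(m.group(1), []).append(line)
            current = None
        elif (m := NAMED.match(line)):
            current = m.group(2)
            acls.setdefault(current, [])
        elif (m := IPV6.match(line)):
            ipv6.append(m.group(1))
            current = None
        elif indented and current and ENTRY.match(line):
            acls[current].append(line)   # ACE of the named ACL being defined
        elif not indented:
            current = None               # any other top-level command ends it
    return acls, ipv6


def check_guidelines(config_text):
    """Return a sorted list of findings; an empty list means compliant."""
    acls, ipv6 = parse_acls(config_text)
    findings = []
    if len(acls) > MAX_ACLS:
        findings.append(
            f"{len(acls)} unique ACLs defined; {MAX_ACLS} recommended per chassis")
    for name, aces in acls.items():
        if len(aces) > MAX_ACES:
            findings.append(f"ACL {name}: {len(aces)} ACEs; maximum is {MAX_ACES}")
        for ace in aces:
            words = ace.split()
            if "reflect" in words or "evaluate" in words:
                findings.append(f"ACL {name}: reflexive entry not supported: {ace}")
            if "time-range" in words:
                findings.append(f"ACL {name}: time-based entry not supported: {ace}")
    for name in ipv6:
        findings.append(f"IPv6 ACL {name}: IPv6 is not supported")
    return sorted(findings)


SAMPLE_CONFIG = "\n".join(
    # Constructed input: ACL 101 has 25 ACEs, one more than the limit.
    [f"access-list 101 permit ip host 10.0.0.{i} any" for i in range(1, 26)]
    + [
        "access-list 102 permit ip host 192.0.2.10 any",
        "ip access-list extended EDGE-IN",
        " permit tcp any any eq 22 time-range WORKHOURS",
        " permit tcp any any reflect TCPFLOWS",
        " deny ip any any",
        "ipv6 access-list V6-IN",
        " permit ipv6 any any",
        "interface gigabitethernet 2/0/0.100 access",
        " encapsulation dot1q 100",
        " ip access-group 102 in",
    ]
)

if __name__ == "__main__":
    for finding in check_guidelines(SAMPLE_CONFIG):
        print(finding)
```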
Configuring Security ACL
SUMMARY STEPS
Step 1 access-list access-list-number permit ip host ip-address any
Step 2 interface gigabitethernet slot/subslot/port access
Step 3 ip address address
Step 4 encapsulation dot1q vlan-id
Step 5 ip access-group access-list-number in
Step 6 ip access-group access-list-number out
DETAILED STEPS
Step 1
Command or Action: Router(config)# access-list access-list-number permit ip host ip-address any
Purpose: Configures an access list.
Step 2
Command or Action: Router(config-int)# interface gigabitethernet slot/subslot/port access
Purpose: Selects the gigabitethernet interface.
Step 3
Command or Action: Router(config-int)# ip address address
Purpose: Specifies the IP address.
Step 4
Command or Action: Router(config-int)# encapsulation dot1q vlan-id
Purpose: Enables traffic encapsulation.
• vlan-id—Virtual LAN identifier; valid values are from 1 to 4094.
Step 5
Command or Action: Router(config-int)# ip access-group access-list-number in
Purpose: Sets filtering method.
• access-list-number—Number of an access list. This is a decimal number from 1 to 199 or 1300 to 2699.
• in—Filters on inbound packets.
Step 6
Command or Action: Router(config-int)# ip access-group access-list-number out
Purpose: Sets filtering method.
• access-list-number—Number of an access list. This is a decimal number from 1 to 199 or 1300 to 2699.
• out—Filters on outbound packets.
Verifying ACL Configuration
Use the following command to verify ACL configuration:
Command or Action: Router# show access-list [access-list-number | name]
Purpose: Displays access list configuration.
• access-list-number—(Optional) Access list number to display. The range is 0 to 1199. The system displays all access lists by default.
• name—(Optional) Name of the IP access list to display.
Configuring CoPP on the Cisco 7600 SIP-400
This section describes the configuration of Control Plane Policing (CoPP) on the Cisco 7600 SIP-400.
Because the majority of control plane processing is done on the CPU, a malicious user can attack a router
by simply pumping control plane traffic to the router. On an unprotected router, this results in the CPU
utilization nearing 100%, resource exhaustion, and the command line console being locked, intensifying
the problem because the user is not able to apply any rectifying action on the router.
Using CoPP protects the control plane against these denial-of-service (DoS) attacks, ensuring routing
stability, reachability, and packet delivery by providing filtering and rate-limiting capabilities for control
plane packets.
For additional information regarding DoS and CoPP, refer to the Cisco 7600 Series Router Cisco IOS
Software Configuration Guide.
This section contains the following topics:
• Configuring Per-Subscriber/Per-Protocol CoPP on Access Interfaces on a Cisco 7600 SIP-400, page 4-134
• Configuring Per-Subinterface CoPP on Access Interfaces on a Cisco 7600 SIP-400, page 4-136
Configuring Per-Subscriber/Per-Protocol CoPP on Access Interfaces on a Cisco 7600 SIP-400
This section describes the configuration of Per-Subscriber/Per-Protocol CoPP on a Cisco 7600 SIP-400.
Per-Subscriber/Per-Protocol CoPP Configuration Guidelines
• The Cisco 7600 CoPP feature is supported with a Route Switch Processor 720 (RSP720) and
Cisco 7600 SIP-400 combination only.
• When enabling the RP-based aggregate CoPP functionality, the required class maps should be
configured for each of the protocol-matching criteria. The CoPP policy maps should be created for
all the protocols that need to be policed.
• Once the router processor decides to install a rate-limiter on an interface, there will be a delay for
actually installing the rate-limiter on the Cisco 7600 SIP-400. During this interval, it is possible that
the aggregate rate-limiter would start dropping good user packets, if the per-interface rates are not
chosen carefully. For example, consider that there are 10 interfaces and 100 pps is used as the
aggregate rate and 15 pps as the per-interface rate. If there are seven attacks on the router at a time,
the aggregate limit would be exceeded and user traffic would be affected.
• As of Cisco IOS Release 12.2(33)SRB, the CoPP Per-subscriber/Per-Protocol feature is only
supported for DHCP, ARP, and ICMP protocols. DHCP and ARP policing are performed on the SPA,
while ICMP policing is performed at the router processor level.
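The interaction between the aggregate rate, the per-interface rate and the rate-limiter installation delay described in the guidelines can be checked before values are chosen. This is an added example, not Cisco code: the function names, the proportional-drop model of the aggregate rate-limiter, and the attack and legitimate-traffic rates are assumptions; the 100 pps aggregate and 15 pps per-interface figures are the ones used in the guideline.

```python
"""CoPP rate planning: aggregate versus per-interface rate-limiters.

Assumptions (not from the guide): time advances in 1-second steps, and the
aggregate rate-limiter drops packets without regard to their source, so
legitimate control traffic survives in the proportion aggregate/offered.
"""


def max_capped_interfaces(aggregate_pps, per_if_pps):
    """How many interfaces can sit at their per-interface cap at once
    before the aggregate rate is exceeded."""
    return aggregate_pps // per_if_pps


def steady_state_ok(aggregate_pps, per_if_pps, attacked, legit_pps):
    """True when, with all per-interface limiters installed, capped attack
    traffic plus legitimate traffic still fits under the aggregate rate."""
    return attacked * per_if_pps + legit_pps <= aggregate_pps


def copp_timeline(aggregate_pps, per_if_pps, attacked, attack_pps,
                  legit_pps, install_delay_s, duration_s):
    """Per-second view of what reaches the aggregate rate-limiter.

    attacked        number of interfaces under attack at the same time
    attack_pps      control plane packets per second sent on each of them
    legit_pps       total legitimate control traffic from other interfaces
    install_delay_s seconds until the per-interface limiters are installed
    Returns a list of dicts, one per second.
    """
    timeline = []
    for second in range(duration_s):
        installed = second >= install_delay_s
        # Before installation the attack reaches the aggregate limiter unpoliced.
        per_attacker = min(attack_pps, per_if_pps) if installed else attack_pps
        offered = attacked * per_attacker + legit_pps
        survive = min(1.0, aggregate_pps / offered) if offered else 1.0
        timeline.append({
            "second": second,
            "limiters_installed": installed,
            "offered_pps": offered,
            "legit_delivered_pps": legit_pps * survive,
        })
    return timeline


if __name__ == "__main__":
    # Figures from the guideline: 100 pps aggregate, 15 pps per interface.
    print("interfaces at cap before the aggregate is exceeded:",
          max_capped_interfaces(100, 15))
    # Constructed scenario: 7 attacked interfaces at 1000 pps each, 20 pps of
    # legitimate traffic, per-interface limiters installed after 2 seconds.
    for row in copp_timeline(100, 15, attacked=7, attack_pps=1000,
                             legit_pps=20, install_delay_s=2, duration_s=4):
        print(row)
```

In the constructed scenario, legitimate traffic is almost entirely lost during the installation window and is still reduced afterward, because seven capped interfaces alone offer 105 pps against a 100 pps aggregate.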
SUMMARY STEPS
• class-map arp-peruser
• match protocol arp
• match subscriber access
• class-map dhcp-peruser
• match protocol dhcp
• match subscriber access
• policy-map copp-peruser
• class arp-peruser
• police rate units pps burst burst-in-packets packets
• control-plane user-type access
• service-policy input copp-peruser
• platform copp observation-period time
• platform copp interface arp off
DETAILED STEPS
To configure Per-Subscriber/Per-Protocol CoPP support, use the following commands:
Command or Action
    Purpose
Router(config)# class-map arp-peruser
    Creates a class map for ARP.
Router(config-cmap)# match protocol arp
    Matches ARP traffic.
Router(config-cmap)# match subscriber access
    Defines the class map for access interfaces.
Router(config)# class-map dhcp-peruser
    Creates a class map for DHCP.
Router(config-cmap)# match protocol dhcp
    Configures the match criterion for a DHCP class map.
Router(config-cmap)# match subscriber access
    Defines the class map for access interfaces.
Router(config)# policy-map copp-peruser
    Specifies CoPP as the policy map.
Router(config-pmap)# class arp-peruser
    Creates an ARP peruser class.
Router(config-pmap-c)# police rate units pps burst burst-in-packets packets
    Specifies the burst rate.
    • units—Rate at which traffic is policed in packets per second. Valid values are 1 to 2000000 pps.
    • burst-in-packets—(Optional) Specifies the burst rate that is used for policing traffic. Valid values are 1 to 512000 packets.
Router(config-pmap-c)# class dhcp-peruser
    Creates a DHCP peruser class.
Router(config-pmap-c)# police rate units pps burst burst-in-packets packets
    Specifies the burst rate.
    • units—Rate at which traffic is policed in packets per second. Valid values are 1 to 2000000 pps.
    • burst-in-packets—(Optional) Specifies the burst rate that is used for policing traffic. Valid values are 1 to 512000 packets.
Router(config)# control-plane user-type access
    Applies the policy on control-plane-user interface.
Router(config-cp-user)# service-policy input copp-peruser
    Configures the per-user policy map.
Router(config)# platform copp observation-period time
    Configures the observation window.
    • time—Amount of time in minutes.
Router# platform copp interface arp off
    Clears a per-subinterface rate-limiter for ARP on an interface.
    • interface—Defines interface.
Verifying Per-Subscriber/Per-Protocol CoPP
To verify Per-Subscriber/Per-Protocol CoPP configuration, use the following commands:
Command or Action
    Purpose
Router# show platform copp rate-limit [arp | dhcp | all]
    Displays configuration settings.
    • arp—Displays ARP information.
    • dhcp—Displays DHCP information.
    • all—Displays ARP and DHCP information.
Router# show policy-map policy-map-name
    Verifies that packets match the desired class.
    • policy-map-name—(Optional) Name of the policy map.
Configuring Per-Subinterface CoPP on Access Interfaces on a Cisco 7600 SIP-400
This section describes the configuration of Per-Subinterface CoPP on a Cisco 7600 SIP-400.
Per-Subinterface CoPP Configuration Guidelines
This section describes guidelines to consider when configuring Per-Subinterface CoPP.
• Per-Subinterface CoPP is supported on Cisco 7600 series routers with Supervisor 720, SIP-400, and
Ethernet SPAs.
• The following packet types can be rate-limited on the SIP-400:
– DHCP packets
– ARP packets
– ATM OAM packets
– Ethernet OAM packets
– PPPoE discovery packets
Note DHCP and ARP packets are supported in Cisco IOS Release 12.2(33)SRB and later.
ATM OAM, Ethernet OAM, and PPPoE discovery packets are supported in Cisco IOS
Release 12.2(33)SRC and later.
• If there is a normal QoS policy installed on an interface, the SIP-400 first applies the QoS policy,
then the Security ACL, then the CoPP rate-limiter on a packet.
• During a switchover, all dynamic rate-limiters on the router are turned off.
• During online insertion and removal (OIR) of a line card, the rate-limiters on the interfaces are reset.
Configuring Per-Subinterface CoPP
SUMMARY STEPS
• class-map class-map-name
• match protocol protocol-name [arp | dhcp | atm-oam | ethernet-oam | pppoe-discovery]
• match subscriber access
• policy-map policy-map-name
• class class-map-name
• police rate units [pps burst burst-in-packets packets | bps burst burst-in-bytes bytes]
• control-plane user-type access
• service-policy input policy-map-name
• platform copp observation-period time
• platform copp interface protocol-name off
DETAILED STEPS
To configure Per-Subinterface CoPP support, use the following commands:
Command or Action
    Purpose
Router(config)# class-map class-map-name
    Creates a class map for the packet protocol.
Router(config-cmap)# match protocol protocol-name [arp | dhcp | atm-oam | ethernet-oam | pppoe-discovery]
    Matches packet protocol traffic.
Router(config-cmap)# match subscriber access
    Defines the class map for access interfaces.
Router(config)# policy-map policy-map-name
    Specifies CoPP as the policy map.
Router(config-pmap)# class class-map-name
    Creates a class map for the packet protocol.
Router(config-pmap-c)# police rate units [pps burst burst-in-packets packets | bps burst burst-in-bytes bytes]
    Specifies the burst rate.
    • units—Rate at which traffic is policed in packets per second. Valid values are 1 to 2000000.
    • burst-in-packets—(Optional) Specifies the burst rate (in packets per second) that is used for policing traffic. Valid values are 1 to 512000 packets.
    • burst-in-bytes—(Optional) Specifies the burst rate (in bytes per second) that is used for policing traffic. Valid values are 100 to 1000 bytes.
Router(config)# control-plane user-type access
    Applies the policy on the control-plane user interface.
Router(config-cp-user)# service-policy input policy-map-name
    Configures the policy map.
Router(config)# platform copp observation-period time
    Configures the observation window.
    • time—Amount of time in minutes.
Router# platform copp interface protocol-name off
    Clears a per-subinterface limiter for the packet protocol on an interface.
    • interface—Defines the interface.
    • protocol-name—Defines the packet protocol.
Verifying Per-Subinterface CoPP
To verify Per-Subinterface CoPP configuration, use the following commands:
Command or Action
    Purpose
Router# show platform copp rate-limit protocol-name [arp | dhcp | atm-oam | ethernet-oam | pppoe-discovery | all]
    Displays configuration settings for the selected packet protocol or all protocols.
Router# show platform np copp [ifnum] [detail]
    Displays debug information for a given session or for all sessions.
    • ifnum—Identifies a specific session ID.
    • detail—Shows full rate-limiting values.
Configuring DBUS COS Queuing on SIP-400
Packets coming from the Hyperion ASIC to the SIP-400 switch are buffered in two queues: High
Priority (HP) and Low Priority (LP). Packets with the Bridge Protocol Data Unit (BPDU) bit or certain
Class-of-Service (CoS) values set are sent as high-priority. When the BPDU bit is not set, egress packets
on the SIP-400 switch are placed in an internal low or high priority queue.
This feature provides a CLI to allow the user to specify the DBUS CoS values in the SIP-400 switch's
high priority queue.
Note The CoS values can only be set in the internally generated DBUS header and not in headers that exist
prior to the packet entering the Cisco 7600 router or those on packets leaving the Cisco 7600 router.
The configuration is available per slot and not in the global configuration mode. This is so that any line
card can be configured to use hardware configuration values stored for that slot independent of any other
line card in the chassis.
If no values are specified using the command, then SIP-400 cards use the default DBUS CoS values of
5, 6, and 7. The CoS values input from the command are stored in the running configuration. These
configured values are set whenever there is a line card Online Insertion or Removal (OIR). If the
SIP-400 card is physically removed from the chassis, the configured CoS values are removed from the
running configuration. If the SIP-400 is reinserted in the chassis, the default CoS values are used until
the configuration is modified.
This feature has a minimal impact on memory and bandwidth.
Configuration Guidelines and Restrictions
Keep the following guidelines in mind while configuring this feature:
• DBUS COS Queuing is supported only on the SIP-400.
• The DBUS COS Queuing command allows the end user to control only the CoS value queuing
behavior. The command does not allow the user to specify queuing behavior for the BPDU bit.
• For the SIP-400, a warning message is displayed if the values 6 and 7 do not map to the priority
queue.
Configuration Steps
Use the commands described in the following sections to configure the DBUS COS Queuing on SIP-400:
SUMMARY STEPS
Step 1 Router# hw-module slot slot queue priority switch-fpga output cos values | none
Step 2 Router# no hw-module slot slot queue priority switch-fpga output
DETAILED STEPS
Command or Action
    Purpose
Router# hw-module slot slot queue priority switch-fpga output cos values | none
Example:
Router# hw-module slot 5 queue priority switch-fpga output none
    Specifies the CoS values that are placed in the SIP-400 switch high priority queue.
    slot is the slot being configured in the chassis.
    cos values are in the range of 0-7.
    If the none keyword is specified, all the CoS values go to the SIP-400 switch's low priority queue.
    Note If CoS values 6 and 7 are not set to the SIP-400 switch's high priority queue by the CLI, then
    the terminal displays a SIP-400 specific warning message, since not prioritizing the values can
    severely affect performance.
    Each individual cos value should be separated by a space, for example 4 5 6 7.
    You can configure non-consecutive values, for example 3 5 6 7, as long as 6 and 7 are included in the list.
    This command replaces any values that were previously set.
Router# no hw-module slot slot queue priority switch-fpga output
Example:
Router# no hw-module slot 5 queue priority switch-fpga output
    Sets the CoS values back to the defaults.
Sample configuration
The following is an example of the feature configuration:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ! Map only CoS values 4, 5, 6, and 7 to the high priority queue
Router(config)# hw-module slot 5 queue priority switch-fpga output 4 5 6 7
Router(config)# ! Map only CoS values 6 and 7 to the high priority queue
Router(config)# ! Note that this un-maps 4 and 5 from the high priority queue
Router(config)# hw-module slot 5 queue priority switch-fpga output 6 7
Router(config)# do show running-config | include qos-priority
Router(config)# hw-module slot 5 queue priority switch-fpga output 6 7
Router(config)# ! Remove all CoS values from the high priority queue
Router(config)# hw-module slot 5 queue priority switch-fpga output none
WARNING: CoS values 6 and 7 are typically considered high priority.
Setting these values to low priority may cause service disturbances during traffic congestion.
Router(config)# do show running-config | include switch-fpga
Router(config)# hw-module slot 5 queue priority switch-fpga output none
HELP Messages
You can access command line help to view command options and allowed arguments, while configuring
the feature. Some examples are illustrated below:
Router(config)#hw-module slot 5 ?
queue Linecard internal queueing configuration
Router(config)#hw-module slot 5 queue ?
priority Specify priority values
Router(config)#hw-module slot 5 queue priority ?
switch-fpga Switch FPGA internal queueing configuration
Router(config)#hw-module slot 5 queue priority switch-fpga ?
output Output policy
Router(config)#hw-module slot 5 queue priority switch-fpga output ?
<0-7> Up to 8 class of service values separated by spaces
none No priority values
Verifying the DBUS COS Queuing Configuration
Use the following show commands to verify the DBUS COS Queuing configuration:
Show Command
    Description
SIP-400# show platform hardware bonham counters
    Displays the aggregate counters for both low and high priority packets dropped by the SIP-400
    switch due to egress oversubscription.
    Note The SIP-400 switch does not maintain per-interface counters for these dropped packets but
    aggregates them.
SIP-400# show platform hardware bonham register | inc Priority
    Shows the setting in hardware.
    The first bit is CoS 0 and the ninth bit is BPDU.
SIP-400# show platform hardware bonham counters | inc PKT BUF
    Shows the total packet count through high-priority and low-priority queues.
Verification Examples
SIP-400-5#show platform hardware bonham counters
Bonham Packet Counters:
AEFC A S Packets (offset 0x00A2) 0
AEFC B S Packets (offset 0x00A6) 0
AEFC A BG Packets (offset 0x00AA) 0
AEFC B BG Packets (offset 0x00AE) 0
SPI Tx Packets (offset 0x018C) 305473085
SPI Rx Packets (offset 0x0212) 851791536
DDR Tx Hi Packets (offset 0x028C) 1
DDR Tx Low Packets (offset 0x0290) 851785180
DDR Rx Packets (offset 0x030A) 306352642
CP FIFO Tx Packets (offset 0x0388) 6446
CP FIFO Rx Packets (offset 0x0408) 6455
INP to ENP Packets (offset 0x0488) 0
PKT BUF HP Packets (offset 0x050C) 30000000
PKT BUF LP Packets (offset 0x0510) 275466630
AEFC A Good Notify (offset 0x00CA) 0
AEFC A Bad Notify (offset 0x00CE) 1
AEFC B Good Notify (offset 0x00D2) 0
AEFC B Bad Notify (offset 0x00D6) 1
AEFC A Sent Msg (offset 0x00DA) 0
AEFC A Drop Msg (offset 0x00DE) 0
AEFC B Sent Msg (offset 0x00E2) 0
AEFC B Drop Msg (offset 0x00E6) 0
Error Counters:
SPI Rx Addr Errors (offset 0x0204) 0
DDR Rx Hdr CRC Err (offset 0x030E) 0
DDR Rx Pkt CRC Err (offset 0x0312) 0
DDR Rx Seq Errors (offset 0x0316) 0
DDR Rx Len Errors (offset 0x031A) 0
DDR Tx HP Errors (offset 0x0294) 0
DDR Tx LP Errors (offset 0x0298) 0
CP FIFO Tx Errors (offset 0x038C) 0
CP FIFO Rx Errors (offset 0x040C) 0
CP FIFO Rx Seq Err (offset 0x0410) 0
INP to ENP Errors (offset 0x048C) 0
Pkt buf HP pkt drops (offset 0x0534) 0
Pkt buf LP pkt drops (offset 0x0538) 886012
Pkt buf LLQ pkt drops(offset 0x0546) 0
Packets that are classified as high priority in the egress path are reflected in the 'PKT BUF HP Packets'
counter. Low priority packets are reflected in the 'PKT BUF LP Packets' counter.
High priority packets that have been dropped by the SIP-400 switch because of backpressure from the
egress network processor, are reflected in the 'Pkt buf HP pkt drops' counter. Low priority drops are
reflected in the 'Pkt buf LP pkt drops' counter.
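Because these counters are cumulative, a monitoring check has to compare two captures rather than read one. The following Python sketch is an added example, not Cisco code: it parses the counter lines shown above and reports the increase in HP and LP packets and drops. The second capture is constructed for the example, and the function names and the rule "any new HP drop raises an alert" are assumptions.

```python
"""Added illustration (not Cisco code): compare two captures of
'show platform hardware bonham counters' and report queue drops."""
import re

# First capture: lines taken from the verification example on this page.
BEFORE = """\
PKT BUF HP Packets (offset 0x050C) 30000000
PKT BUF LP Packets (offset 0x0510) 275466630
Pkt buf HP pkt drops (offset 0x0534) 0
Pkt buf LP pkt drops (offset 0x0538) 886012
Pkt buf LLQ pkt drops(offset 0x0546) 0
"""
# Second capture: constructed values for this example, not real output.
AFTER = """\
PKT BUF HP Packets (offset 0x050C) 30000900
PKT BUF LP Packets (offset 0x0510) 275966630
Pkt buf HP pkt drops (offset 0x0534) 3
Pkt buf LP pkt drops (offset 0x0538) 886512
Pkt buf LLQ pkt drops(offset 0x0546) 0
"""

# "<name> (offset 0xNNNN) <value>"; the space before "(" is optional because
# the LLQ line in the page's output has none.
COUNTER_RE = re.compile(r"^\s*(.+?)\s*\(offset (0x[0-9A-Fa-f]+)\)\s+(\d+)\s*$")

QUEUES = (
    ("HP", "PKT BUF HP Packets", "Pkt buf HP pkt drops"),
    ("LP", "PKT BUF LP Packets", "Pkt buf LP pkt drops"),
)


def parse_counters(text):
    """Return {counter name: integer value}; non-counter lines are skipped."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group(1)] = int(match.group(3))
    return counters


def delta(before, after, name):
    """Increase of one counter between captures, or None if it went backwards
    (this example treats a decreasing counter as a counter reset)."""
    if name not in before or name not in after:
        raise KeyError(name)
    diff = after[name] - before[name]
    return diff if diff >= 0 else None


def assess(before_text, after_text):
    """Summarise per-queue packet and drop increases between two captures."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    report = {}
    for queue, packets_name, drops_name in QUEUES:
        report[queue] = {
            "packets": delta(before, after, packets_name),
            "drops": delta(before, after, drops_name),
        }
    # A reset makes the interval unusable; do not alert on it.
    report["reset"] = any(
        value is None for queue, _, _ in QUEUES for value in report[queue].values()
    )
    # Assumed policy: any new drop in the high priority queue is an alert,
    # since that queue carries the CoS values mapped as high priority.
    report["alert"] = bool(report["HP"]["drops"])
    return report


if __name__ == "__main__":
    print(assess(BEFORE, AFTER))
```

The counters are aggregated for the whole SIP-400 switch, so an alert identifies the line card, not the interface.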
Configuring IPv6 Hop-by-Hop Header Security on SIP-200 or SIP-400
The IPv6 Hop-by-Hop (HBH) extension header is part of the original specification of the IPv6 protocol
(RFC 2460). An IPv6 Hop-by-Hop extension header is identified by the header type 0 (a Next Header
value of 0), and when present, this extension header must always be the first extension header (EH) to
follow the main header. Because a node must process any received packet that has an HBH extension
header, forwarding packets containing the HBH header can represent a security threat. This can happen
when a large number of IPv6 packets with Hop-by-Hop (HBH) extension headers are sent, creating a
possibility of Denial of Service (DoS) attacks.
The IPv6 - Hop-by-Hop Rate Limiter feature provides protection from Denial of Service (DoS) attacks.
This feature allows IPv6 traffic with Hop-by-Hop headers to be rate-limited on the 7600 SIP-400 and
SIP-200 line cards.
Cisco IOS Release 12.2(33)SRD1 introduces support for configuring IPv6 Hop-by-Hop policing on
SIP-400 and Cisco IOS Release 12.2(33)SRD3 introduces support for this feature on SIP-200.
The Cisco 7600 routers treat IPv6 packets with HBH extension headers as Layer 2 packets. Layer 3
ACLs cannot be applied to these packets; hence a way to rate-limit these on the line card is needed. For
Cisco IOS Releases 12.2(33)SRD1 and 12.2(33)SRE, only the first extension header of type
Hop-by-Hop is rate-limited by the line card.
The SIP-200 and SIP-400 line cards support this feature on SUP720, SUP32, RSP720-1GE and
RSP720-10GE supervisors.
The policer is a Packets-Per-Second (PPS) policer and is per network processor. Rate limits can be
configured up to and including 25600 pps. The default police rate is 21.36 k pps, and the ROMMON
variable is IPv6_policer_rate. Setting the policer rate to zero drops all the IPv6 HBH packets.
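The classification and policing behaviour described above, as an added Python example (not Cisco's line-card implementation): it recognises a Hop-by-Hop header by the Next Header value 0, flags one that is not the first extension header, and applies a token-bucket pps policer in which a rate of 0 drops every HBH packet. The function names, the burst size, the token-bucket model and the sample packets are assumptions made for the illustration.

```python
"""Added illustration (not Cisco line-card code): classify IPv6 packets that
carry a Hop-by-Hop (HBH) extension header and police them in packets/second."""
import struct

IPV6_HEADER_LEN = 40
NH_HOP_BY_HOP = 0            # Next Header value that identifies HBH
GENERIC_EXT = {0, 43, 60}    # HBH, Routing, Destination Options: same length encoding
MAX_RATE_PPS = 25600         # upper bound accepted by the page's set command


def build_ipv6(next_header, payload=b""):
    """Constructed test input: minimal IPv6 packet between documentation addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload


def build_ext(next_header):
    """Constructed 8-octet extension header: Next Header, Hdr Ext Len 0, PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def classify(packet):
    """Return 'hbh', 'hbh-misplaced', 'plain' or 'malformed' for a raw IPv6 packet."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return "malformed"
    next_header, offset, position = packet[6], IPV6_HEADER_LEN, 0
    # Walk only headers whose length is (Hdr Ext Len + 1) * 8 octets; the walk
    # stops at anything else (upper-layer protocol, Fragment, AH, ...).
    while next_header in GENERIC_EXT:
        if len(packet) < offset + 8:
            return "malformed"
        ext_len = (packet[offset + 1] + 1) * 8
        if len(packet) < offset + ext_len:
            return "malformed"
        if next_header == NH_HOP_BY_HOP:
            # HBH is only valid directly after the fixed header.
            return "hbh" if position == 0 else "hbh-misplaced"
        next_header, offset, position = packet[offset], offset + ext_len, position + 1
    return "plain"


class PpsPolicer:
    """Token bucket counted in packets, using integer microsecond arithmetic."""

    def __init__(self, rate_pps, burst_packets=10):
        if not 0 <= rate_pps <= MAX_RATE_PPS:
            raise ValueError("rate must be between 0 and 25600 pps")
        self.rate = rate_pps
        self.cap = burst_packets * 1_000_000   # bucket depth in micro-tokens
        self.tokens = self.cap
        self.last_us = None

    def allow(self, now_us):
        if self.rate == 0:                     # rate 0 drops all HBH packets
            return False
        if self.last_us is not None:
            refill = (now_us - self.last_us) * self.rate
            self.tokens = min(self.cap, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= 1_000_000:           # one packet costs one token
            self.tokens -= 1_000_000
            return True
        return False


def police_stream(stream, policer):
    """stream: iterable of (timestamp_us, packet). Only HBH packets are policed."""
    counts = {"plain": 0, "hbh_forwarded": 0, "hbh_dropped": 0, "rejected": 0}
    for timestamp_us, packet in stream:
        kind = classify(packet)
        if kind == "plain":
            counts["plain"] += 1
        elif kind == "hbh":
            key = "hbh_forwarded" if policer.allow(timestamp_us) else "hbh_dropped"
            counts[key] += 1
        else:                                  # malformed or misplaced HBH
            counts["rejected"] += 1
    return counts


if __name__ == "__main__":
    hbh = build_ipv6(NH_HOP_BY_HOP, build_ext(59))      # 59 = No Next Header
    tcp = build_ipv6(6, b"\x00" * 20)
    flood = [(i * 1000, p) for i in range(1000) for p in (hbh, tcp)]
    print(police_stream(flood, PpsPolicer(100)))
```

In the constructed flood, 1000 HBH packets arrive in one second against a 100 pps limit; the policer forwards the burst plus the refill and drops the rest, while the non-HBH packets are untouched.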
Usage Guidelines
The following factors need to be considered while configuring the IPv6 Hop-By-Hop Policing feature:
• Setting the police rate to 0 drops all the IPv6 HBH packets.
• After setting the police rate, the setting will remain on the line card even if the line card is moved
to another chassis running Cisco IOS Release 12.2(33)SRD3 or later.
• IPv6 packets with HBH and EH will bypass other QoS configured on the line card.
Supported Supervisor Engines and SPAs
The Cisco 7600 supports IPv6 Hop-By-Hop Policing rate limit on the following:
• Supervisor engines:
– Supervisor Engine 720
– Supervisor Engine 32
– RSP720-1GE
– RSP720-10GE
• SIP-400 supporting the following SPAs:
– SPA-2x1GE-V2
– SPA-5x1GE-V2
– SPA-2xOC3-POS
– SPA-4xOC3-POS
– SPA-1xOC12-POS
– SPA-1xOC48-POS
– SPA-1CHOC3-CE-ATM
– SPA-24CHT1-CE-ATM
– SPA-2xOC3-ATM
– SPA-4xOC3-ATM
– SPA-1xOC12-ATM
– SPA-1xOC48-ATM
• SIP-200 supporting the following SPAs:
– SPA-2xOC3-POS
– SPA-4xOC3-POS
– SPA-1xOC12-POS
– SPA-2xOC3-ATM
– SPA-4xOC3-ATM
– SPA-1xOC12-ATM
Configuring IPv6 Hop-by-Hop Header Security
To connect to a specific line card for the purpose of executing the test platform police ipv6 set
command, the test platform police ipv6 get command, or the test platform police ipv6 disable
command, use the attach command in privileged EXEC mode.
You can then set the IPv6 internal police rate by using the test platform police ipv6 set command in
privileged EXEC mode from the line card console.
SUMMARY STEPS
Use the following summary of commands to configure the IPv6 Hop-by-Hop feature on a SIP-400 or a
SIP-200.
Step 1 Router# attach slot
Step 2 SIP-400-slot> enable
Step 3 SIP-400-slot# test platform police ipv6 set rate
Step 4 SIP-400-slot# test platform police ipv6 disable
DETAILED STEPS
Command or Action
    Purpose
Router# attach slot
Example:
Router# attach 3
    Allows you to log in to the specified interface of the SIP-400 or SIP-200 console.
SIP-400-slot> enable
Example:
SIP-400-3> enable
    Enables privileged EXEC mode.
For SIP-400:
SIP-400-3# test platform police ipv6 set rate
Example:
SIP-400-3# test platform police ipv6 set 1022
    Sets the IPv6 internal police rate, in packets per second (pps), on the SIP-400 interface.
For SIP-200:
SIP-200-3# test platform police ipv6 set rate
Example:
SIP-200-3# test platform police ipv6 set 300
    Sets the IPv6 internal police rate, in packets per second (pps), on the SIP-200 interface.
SIP-400-3# test platform police ipv6 disable
Example:
SIP-400-3# test platform police ipv6 disable
    Disables the IPv6 internal policer.
    Note On a SIP-400, rate=65535 indicates that the policer is disabled.
Note To exit the slot, type Control+C three times from the attach console slot. The ^C^C^C key sequence
ends the session. This tip is also displayed as you enter the console slot.
Sample Configuration
To set the policer on the SIP-400 and use the get command to display the configured police rate:
PE17_C7606# attach 2
Entering CONSOLE for slot 2
Type "^C^C^C" to end this session
SIP-400-2> enable
SIP-400-2# test platform police ipv6 set ?
<0-25600> pps, 0 to drop all the IPv6 HBH packets
SIP-400-2# test platform police ipv6 set 1000
SIP-400-2# test platform police ipv6 get
IPv6 with HBH header is policed at 1001.35 pps
OR
SIP-400-8# test platform police ipv6 set ?
<0-25600> pps, 0 drop all the IPv6 HBH packets
SIP-400-8# test platform police ipv6 set 300
SIP-400-8# test platform police ipv6 get
IPv6 with HBH header is policed at 292.6 pps
To disable the IPv6 internal policer on the SIP-400:
SIP-400-8# test platform police ipv6 disable
SIP-400-8# test platform police ipv6 get
IPv6 with HBH header is not policed.
To set the policer on the SIP-200 and use the get command to display the configured police rate:
SIP-200-2# test platform police ipv6 set 0
Dropping all the IPv6 HBH Policer
SIP-200-2# test platform police ipv6 set 1000
IPv6 HBH packet policer rate = 1000 pps
SIP-200-2# test platform police ipv6 get
IPv6 HBH packet policer rate = 1000 pps, Rate in rommon = 1000 pps
To disable the IPv6 internal policer on the SIP-200:
SIP-200-2# test platform police ipv6 disable
SIP-200-2# test platform police ipv6 get
IPv6 with HBH header is not policed.
SIP-200-2# show platform software ipv6-policer
IPv6 HBH packet policer rate = 1000 pps
Rate in rommon = 1000 pps
Packets dropped = 297850, Packets punted to RP = 37424
Verifying the IPv6 Hop-By-Hop Policing Configuration
To verify the configuration of the IPv6 Hop-by-Hop policing feature, use the following show commands:
Command or Action
    Purpose
SIP-400-slot# test platform police ipv6 get
OR
SIP-200-slot# test platform police ipv6 get
    Displays the IPv6 internal police rate on the line card.
SIP-400-slot# show platform np rppp rate
    Displays information about all the internal policers, where:
    • np refers to the Network Processor.
    • rppp stands for Routing Punt Path Policer.
    • rate signifies the aggregate policer speed at which packets are routed to the RP.
SIP-200-slot# show platform software ipv6-policer
    Displays full details of the policer rate limit and rate-limited packets.
Note All the commands listed above can be run on the SIP-400 and SIP-200 line cards.
Verification Examples
To view the policer rate limit:
SIP-400-4# test platform police ipv6 get
IPv6 with HBH header is policed at 0.0 pps
To view the packets rate-limited:
SIP-400-4# show platform np rppp rate | inc HBH
IPv6 HBH packet policer rate = 0.0pps,x = 0,y2 = 0,tokens = 10240,
SIP-400-4#
SIP-400-3# show platform np rppp rate
RPPP NP Client Rate Information:
Default RPPP rate = 1335.14pps,x = 1,y2 = 6,tokens = 10240,
pkts=0
Priority RPPP rate = 1335.14pps,x = 1,y2 = 6,tokens = 10240,
pkts=0
L4R/PBHK configs RPPP rate = 21362.30pps,x = 1,y2 = 2,tokens = 10240,
pkts=0
Broadband FSOL RPPP rate = 10681.15pps,x = 1,y2 = 3,tokens = 10240,
pkts=0
CFM RPPP rate = 1335.14pps,x = 1,y2 = 6,tokens = 4194304,
pkts=0
IPv6 HBH packet policer rate = 21362.30pps,x = 1,y2 = 2,tokens = 10240,
pkts=0
SIP-200-1# show platform software ipv6-policer
IPv6 HBH packet policer rate = 21000 pps,
Rate in rommon = 21000 pps
Packets dropped = 0 packets, Packets punted to RP = 0.
Note The values for setting and getting may not match exactly and are approximated.
Triple Nesting QoS Support on SIP400
Beginning with the Cisco IOS Release 12.2(33)SRE, SIP-400 extends configuration support for three
levels of policy on the SIP-400 line card, from the existing support for two levels of queuing. The third
level of user-defined QoS policy maps will support non-queuing features.
Triple nesting QoS on SIP-400 allows you to define an MQC policy with parent, child and grand-child
(three nested policies). Queuing classes are supported for parent and child while the third grandchild
level supports only non-queuing actions like policing and marking.
The Triple Nesting QoS feature is not expected to cause any significant change in memory or CPU
utilization on the SIP-400.
This policy-map can be applied to the following interfaces:
• PPP Main Interface
• Sub Interfaces
• EVC (either on the main interface or on the subinterface configured with dot1q).
• FR DLCI
• ATM VC
The following con depicts that a policy with a third-level grandchild non-queuing policy is currently not
supported on SIP-400.
Pseudo Policy:
parent
  queuing
  child
    queuing
    grand-child
      Policing (No queuing allowed)
This feature is applicable on both ingress and egress QoS policy maps.
The following table shows the Triple Nesting QoS support over the various interfaces:
                  FLAT Policy     Parent Policy   Child Policy    Grandchild Policy
                  Ingress Egress  Ingress Egress  Ingress Egress  Ingress Egress
                  UDC CD  UDC CD  UDC CD  UDC CD  UDC CD  UDC CD  UDC CD  UDC CD
GIG main interface
shape             -   -   Yes Yes No  No  Yes Yes Yes Yes Yes Yes No  No  No  No
priority          No  No  Yes Yes No  No  No  No  Yes Yes Yes Yes No  No  No  No
bandwidth         No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
policy            Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
GIG dot1Q/QinQ sub interface
shape             -   -   Yes Yes -   -   -   -   Yes Yes Yes Yes No  No  No  No
priority          No  No  Yes Yes No  No  No  No  Yes Yes Yes Yes No  No  No  No
bandwidth         No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
policy            Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
EVC
shape             Yes Yes Yes Yes -   -   -   -   Yes Yes Yes Yes No  No  No  No
priority          No  No  Yes Yes No  No  No  No  Yes Yes Yes Yes No  No  No  No
bandwidth         No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
policy            Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ISG
shape             No  No  No  Yes No  No  No  Yes No  No  Yes Yes No  No  No  No
priority          No  No  No  Yes No  No  No  No  No  No  Yes Yes No  No  No  No
bandwidth         No  No  No  Yes No  No  No  Yes No  No  Yes Yes No  No  No  No
policy            Yes Yes No  Yes Yes Yes No  Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Channelized interface (SONET/SDH such as the 1-Port Channelized OC-3/STM-1 SPA)
shape             No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
priority          No  No  Yes Yes No  No  No  No  No  No  Yes Yes No  No  No  No
bandwidth         No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
policy            Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
POS with FR
shape             No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
priority          No  No  Yes Yes No  No  No  No  No  No  Yes Yes No  No  No  No
bandwidth         No  No  Yes Yes No  No  Yes Yes No  No  Yes Yes No  No  No  No
policy            Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ATM PVC
shape             No  No  No  No  No  No  No  No  No  No  No  No  No  No  No  No
priority          No  No  Yes Yes No  No  No  No  No  No  No  No  No  No  No  No
bandwidth         No  No  Yes Yes No  No  No  No  No  No  No  No  No  No  No  No
policy            Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
ip prec marking   Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Configuration and Restrictions
• Queuing Support on third level policy map
• ATM SPA doesn't support Hierarchical queuing
• Any service-policy supporting existing features on either the ingress or the egress side can have an
extra level of policer on the ingress or egress side too. This policer can be applied on a user-defined class
or class-default in the third level of policy-map.
• If a hierarchical policy-map is applied to a subinterface, then the parent class has to be class-default.
Configuration procedure
SUMMARY STEPS
Step 1 service-policy output Parent
Step 2 service-policy ingress_policy
Step 3 service-policy input third ingress_policy_level
DETAILED STEPS
Command
    Purpose
Router(config-if)# service-policy output Parent
Example:
Router(config-if)# service-policy output Parent-155M
    Applies this service-policy to an interface on the egress side.
Router(config-if)# service-policy ingress_policy
Example:
Router(config-if)# service-policy ingress_policy
    Applies this service-policy to an interface on the ingress side.
Router(config-if)# service-policy input third ingress_policy_level
Example:
Router(config-if)# service-policy input ingress-three
    Specifies that the service-policy applied on the ingress side is a grandchild level policy.
Configuration Samples
Example of Third Level User Defined Egress QoS Policy-Map
policy-map NMC_POLICING
 class NMC_RP
  police 8000 8000 8000
   conform-action set-dscp-transmit cs6
   exceed-action set-dscp-transmit cs6
 class NMC_SNMP
  police cir 8000 bc 8000 be 8000
   conform-action set-dscp-transmit af21
   exceed-action set-dscp-transmit af21
policy-map CE_EGRESS_QUEUING
 class NMC
  bandwidth remaining percent 1
  service-policy NMC_POLICING <<<< Level THREE Policy-map - Only policing
policy-map Parent-155M <<<< Level ONE Policy-map
 class class-default
  shape average 147712000
  service-policy CE_EGRESS_QUEUING <<<< Level TWO Policy-map
Applying this service-policy to a Main interface
interface GigabitEthernet1/3/0
 service-policy output Parent-155M
Applying this service-policy to a Sub interface
interface GigabitEthernet1/2/1.100
 encapsulation dot1Q 456
 service-policy output Parent-155M
Applying this service-policy to FR DLCI
interface Serial7/3/0/1:10
 encapsulation frame-relay IETF
 frame-relay interface-dlci 20
  service-policy output Parent-155M
Applying this service-policy to EVC
interface GigabitEthernet1/3/0
 service instance 51 ethernet
  encapsulation dot1q 51
  service-policy output Parent-155M
Example of Third Level User Defined Ingress QoS Policy-Map
policy-map ingress-one
 class COS3
  police cir 10240000 bc 1280000
   conform-action set-dscp-transmit af21
   exceed-action set-dscp-transmit af22
policy-map ingress-two
 class NMC
  shape average 10000000
  service-policy ingress-one
policy-map ingress-three
 class COS1
  shape average 10000
  service-policy ingress-two
Applying this service-policy to a Main interface
interface GigabitEthernet1/2/0
 no ip address
 negotiation auto
 service-policy input ingress-three
Example of Third Level User Defined QoS Policy-Map for ATM
policy-map tnq2
 class class-default
  police 400000
policy-map tnq1
 class video
  police 300000
  service-policy tnq2
policy-map tnq
 class tnq
  police 10000000
  service-policy tnq1
Applying this service-policy to an ATM PVC
interface ATM1/0/0
 no ip address
 no atm enable-ilmi-trap
 pvc 10/100
  service-policy out tnq
Configuring IGMP Snooping on a SIP-200
IGMP snooping constrains the flooding of multicast traffic by dynamically configuring Layer 2
interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast
devices. As the name implies, IGMP snooping requires the LAN router to snoop on the IGMP
transmissions between the host and the router and to keep track of multicast groups and member ports.
When the router receives an IGMP report from a host for a particular multicast group, the router adds
the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from
a host, it removes the host port from the table entry. It also periodically deletes entries if it does not
receive IGMP membership reports from the multicast clients.
The multicast router sends out periodic general queries to all VLANs. All hosts interested in this
multicast traffic send join requests and are added to the forwarding table entry. The router creates one
entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it
receives an IGMP join request.
For more information and configuration instructions, see the Cisco 7600 Series Router IOS Software
Configuration Guide, Release 12.2SR.
Configuring ACFC and PFC Support on Multilink Interfaces
About ACFC and PFC
Using the Address and Control Field Compression (ACFC) and PPP Protocol Field Compression (PFC)
Support on Multilink Interfaces feature, you can control the negotiation and application of the Link
Control Protocol (LCP) configuration options for ACFC and PFC.
If ACFC is negotiated during Point-to-Point Protocol (PPP) negotiation, Cisco routers may omit the
High-Level Data Link Control (HDLC) header on links using HDLC encapsulation. If PFC is negotiated
during PPP negotiation, Cisco routers may compress the PPP protocol field from two bytes to one byte.
The PPP commands described in this section provide options to control PPP negotiation, allowing the
HDLC framing and the protocol field to remain uncompressed. These commands allow the system
administrator to control when PPP negotiates the ACFC and PFC options during initial LCP negotiations
and how the results of the PPP negotiation are applied.
Note Address and control field compression is only applicable to links that use PPP in HDLC-like framing as
described by RFC 1662.
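The header layouts that ACFC and PFC produce, and how a receiver tells them apart, are shown in the following added example (not code from this guide or from Cisco IOS). It follows RFC 1661 and RFC 1662; the function names, the strict rejection of non-negotiated compression, and the sample payload are assumptions made for illustration.

```python
"""PPP header handling with ACFC and PFC on HDLC-like framing (RFC 1661/1662).

Operates on the frame body between the 0x7E flags, after octet de-stuffing
and with the FCS already removed.
"""
from typing import NamedTuple

ADDRESS, CONTROL = 0xFF, 0x03   # All-Stations address, UI control field
PROTO_IPV4 = 0x0021
PROTO_LCP = 0xC021


class PppHeader(NamedTuple):
    protocol: int
    payload_offset: int   # index of the first information octet
    acfc_used: bool
    pfc_used: bool


def tx_compresses(remote_mode: str, peer_sent_option: bool) -> bool:
    """Map the guide's `ppp acfc|pfc remote` keywords to transmit behaviour.

    Only `apply` lets the router compress frames it sends to the peer;
    `ignore` accepts the option without compressing; `reject` does not
    accept it.
    """
    if remote_mode not in ("apply", "reject", "ignore"):
        raise ValueError(f"unknown mode: {remote_mode}")
    return remote_mode == "apply" and peer_sent_option


def build_header(protocol: int, acfc: bool, pfc: bool) -> bytes:
    """Return the header octets a sender emits in front of the payload."""
    # Valid PPP protocol numbers: low octet odd, high octet even.
    if not 0 <= protocol <= 0xFFFF or protocol & 0x0101 != 0x0001:
        raise ValueError(f"invalid PPP protocol 0x{protocol:04x}")
    if protocol == PROTO_LCP:
        acfc = pfc = False            # LCP frames are never compressed
    header = b"" if acfc else bytes([ADDRESS, CONTROL])
    if pfc and protocol <= 0x00FF:    # PFC only fits one-octet protocol values
        return header + bytes([protocol])
    return header + protocol.to_bytes(2, "big")


def parse_header(frame: bytes, acfc_ok: bool, pfc_ok: bool) -> PppHeader:
    """Parse a received header, rejecting compression that was not negotiated."""
    pos = 0
    # 0xFF 0x03 present means the address and control fields were sent.
    acfc_used = frame[:2] != bytes([ADDRESS, CONTROL])
    if acfc_used and not acfc_ok:
        raise ValueError("address/control missing but ACFC not negotiated")
    if not acfc_used:
        pos = 2
    if pos >= len(frame):
        raise ValueError("truncated frame")
    # An odd first octet can only be a one-octet (compressed) protocol field.
    pfc_used = bool(frame[pos] & 1)
    if pfc_used:
        if not pfc_ok:
            raise ValueError("one-octet protocol but PFC not negotiated")
        protocol = frame[pos]
        pos += 1
    else:
        if pos + 2 > len(frame):
            raise ValueError("truncated protocol field")
        protocol = int.from_bytes(frame[pos:pos + 2], "big")
        if protocol & 0x0101 != 0x0001:
            raise ValueError("malformed protocol field")
        pos += 2
    if protocol == PROTO_LCP and acfc_used:
        raise ValueError("LCP frame with compressed address/control")
    return PppHeader(protocol, pos, acfc_used, pfc_used)


if __name__ == "__main__":
    payload = bytes.fromhex("4500001c")   # constructed: start of an IPv4 header
    for acfc in (False, True):
        for pfc in (False, True):
            hdr = build_header(PROTO_IPV4, acfc, pfc)
            parsed = parse_header(hdr + payload, acfc_ok=True, pfc_ok=True)
            print(f"acfc={acfc!s:5} pfc={pfc!s:5} header={hdr.hex():8} "
                  f"payload starts at octet {parsed.payload_offset}")
```

The payload offset moves from 4 to 3, 2 or 1 depending on which options are in use, which is the alignment change that can affect switching efficiency.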
Restrictions and Usage Guidelines
ACFC and PFC should be configured with the link shut down.
Note When Multilink PPP is configured in hardware, ACFC and PFC are active only when all links in the
bundle have ACFC and PFC configured.
Using ACFC and PFC can result in gains in effective bandwidth because they reduce the amount of
framing overhead for each packet. However, using ACFC or PFC changes the alignment of the network
data in the frame, which in turn can impair the switching efficiency of the packets both at the local and
remote ends of the connection. For these reasons, it is generally recommended that ACFC and PFC not
be enabled without carefully considering the potential results.
ACFC and PFC options are supported only when the serial interfaces are multilink member interfaces.
ACFC and PFC configured on MLP interfaces do not have any effect during PPP negotiation or during
packet transmission.
Supported Platforms
SIP-200/SPA
This feature is supported on SIP-200 for the following SPAs:
• 2-Port and 4-Port Channelized T3 SPA
• 8-Port Channelized T1/E1 SPA
• 1-Port Channelized OC3/STM-1 SPA
Configuring ACFC and PFC Support
The following sections list the configuration tasks for ACFC and PFC handling.
Configuring ACFC Support
SUMMARY STEPS
Use the following summary of commands to configure the ACFC.
Step 1 enable
Step 2 configure terminal
Step 3 interface serial slot/subslot/port:channel-group
Step 4 shutdown
Step 5 ppp acfc remote {apply | reject | ignore}
Step 6 ppp acfc local {request | forbid}
Step 7 no shutdown
DETAILED STEPS
To configure ACFC support, perform the following tasks in interface configuration mode:
Command Purpose
Step 1 Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 Router# configure terminal
Enables global configuration mode.
Step 3 Router(config)# interface serial slot/subslot/port:channel-group
Example:
Router(config)# interface serial 2/1/0:2
Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies the location of the interface.
Step 4 Router(config-if)# shutdown
Shuts down the interface.
Step 5 Router(config-if)# ppp acfc remote {apply | reject | ignore}
Example:
Router(config-if)# ppp acfc remote apply
Configures how the router handles the ACFC option in configuration requests received from a remote
peer.
• apply—ACFC options are accepted and ACFC may be performed on frames sent to the remote peer.
• reject—ACFC options are explicitly ignored.
• ignore—ACFC options are accepted, but ACFC is not performed on frames sent to the remote peer.
Step 6 Router(config-if)# ppp acfc local {request | forbid}
Example:
Router(config-if)# ppp acfc local request
Configures how the router handles ACFC in its outbound configuration requests.
• request—The ACFC option is included in outbound configuration requests.
• forbid—The ACFC option is not sent in outbound configuration requests, and requests from a remote
peer to add the ACFC option are not accepted.
Step 7 Router(config-if)# no shutdown
Reenables the interface.
ACFC Configuration Example
The following example configures the interface to accept ACFC requests from a remote peer and perform
ACFC on frames sent to the peer, and to include the ACFC option in its outbound configuration requests:
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 4/1/1/1:0
Router(config-if)# shutdown
Router(config-if)# ppp acfc remote apply
Router(config-if)# ppp acfc local request
Router(config-if)# no shutdown
Configuring PFC Support
SUMMARY STEPS
Use the following summary of commands to configure the PFC.
Step 1 enable
Step 2 configure terminal
Step 3 interface serial slot/subslot/port:channel-group
Step 4 shutdown
Step 5 ppp pfc remote {apply | reject | ignore}
Step 6 ppp pfc local {request | forbid}
Step 7 no shutdown
DETAILED STEPS
To configure PFC support, perform the following tasks in interface configuration mode:
Command Purpose
Step 1 Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 Router# configure terminal
Enables global configuration mode.
Step 3 Router(config)# interface serial slot/subslot/port:channel-group
Example:
Router(config)# interface serial 3/0/0:0
Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies the location of the interface.
Step 4 Router(config-if)# shutdown
Shuts down the interface.
Step 5 Router(config-if)# ppp pfc remote {apply | reject | ignore}
Example:
Router(config-if)# ppp pfc remote apply
Configures how the router handles the PFC option in configuration requests received from a remote peer.
• apply—PFC options are accepted and PFC may be performed on frames sent to the remote peer.
• reject—PFC options are explicitly ignored.
• ignore—PFC options are accepted, but PFC is not performed on frames sent to the remote peer.
Step 6 Router(config-if)# ppp pfc local {request | forbid}
Example:
Router(config-if)# ppp pfc local forbid
Configures how the router handles PFC in its outbound configuration requests.
• request—The PFC option is included in outbound configuration requests.
• forbid—The PFC option is not sent in outbound configuration requests, and requests from a remote
peer to add the PFC option are not accepted.
Step 7 Router(config-if)# no shutdown
Reenables the interface.
PFC Configuration Example
The following example configures the interface to explicitly ignore the PFC option received from a
remote peer, and exclude the PFC option from its outbound configuration requests and reject any request
from a remote peer to add the PFC option:
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 4/1/1/1:0
Router(config-if)# shutdown
Router(config-if)# ppp pfc remote reject
Router(config-if)# ppp pfc local forbid
Router(config-if)# no shutdown
Configuring PPPoEoE on a Cisco 7600 SIP-400
Point-to-Point Protocol (PPP) provides a standard method of communicating to peers over a
point-to-point link. An Ethernet link provides multipoint communication between multiple peers. PPP
over Ethernet (PPPoE) allows point-to-point communication across multipoint Ethernet links.
The PPPoE over Ethernet interface (PPPoEoE) enables the Cisco 7600 series router with Cisco 7600
SIP-400 to terminate Ethernet PPP sessions over Ethernet links. The PPPoE over IEEE 802.1Q VLANs
feature enables the router to terminate Ethernet PPP sessions across VLAN links. IEEE 802.1Q
encapsulation is used to interconnect a VLAN-capable router with another VLAN-capable networking
device. The packets on the 802.1Q link contain a standard Ethernet frame and the VLAN information
associated with that frame.
Supported Features
PPPoEoE on the Cisco 7600 SIP-400 supports the following features:
• PPPoE discovery packets (rate-limited), PPPoE PPP control packets, and PPPoE PPP IP data
packets provide a per-user session on an Ethernet interface.
• PPPoE is supported on main interfaces, 802.1Q and QinQ access interfaces, and VLAN ranges
(802.1Q ranges and QinQ inner ranges).
• 8 K PPPoE sessions are supported.
• PPPoE and IP sessions can be configured on the same subinterface.
Limitations and Restrictions
PPPoEoE on the Cisco 7600 SIP-400 has the following limitations and restrictions:
• PPP over ATM (PPPoA) is not supported.
• Tunneling of PPPoE sessions (Level 2 Tunneling Protocol) is not supported.
• Ambiguous VLANs and a range of VLANs for IP session interfaces are not supported. However, a
range of VLANs is supported for PPPoE-configured interfaces.
• Negotiated maximum transmission unit (MTU) value can only be 1492 or 1500 bytes.
• If the ip tcp adjust-mss command is used, the only value supported is 1468.
• PPPoE can only be configured on subinterfaces using the access keyword.
Configuration Tasks for PPPoE over Ethernet
To configure PPPoE over Ethernet, perform the following tasks:
• Configuring a Virtual Template Interface
• Creating an Ethernet Interface and Enabling PPPoE
• Configuring PPPoE in a BBA Group
• Configuring PPPoE over 802.1Q VLANs on a Cisco 7600 SIP-400
Configuring a Virtual Template Interface
Configure a virtual template before you configure PPPoE on an Ethernet interface. The virtual template
interface is a logical entity that is applied dynamically as needed to an incoming PPP session request.
SUMMARY STEPS
Step 1 interface virtual-template number
Step 2 ip unnumbered ethernet number
Step 3 mtu bytes
Step 4 ppp authentication chap
Step 5 ppp ipcp ip address required
DETAILED STEPS
To create and configure a virtual template interface, enter the following commands beginning in global
configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface virtual-template number
Creates a virtual template interface and enters interface configuration mode.
Step 2 Router(config-if)# ip unnumbered ethernet number
Enables IP without assigning a specific IP address on the LAN.
Step 3 Router(config-if)# mtu bytes
(Optional) Sets the maximum MTU size for the interface.
Note MTU size can be set only to 1492 or 1500.
Step 4 Router(config-if)# ppp authentication chap
Enables PPP authentication on the virtual template interface.
Step 5 Router(config-if)# ppp ipcp ip address required
Required for legacy dial-up and DSL networks. Prevents a PPP session from being set up with 0.0.0.0
remote IP address.
The following example shows the configuration of a virtual template interface:
Router(config)# interface virtual-template 1
Router(config-if)# ip unnumbered ethernet 21
Router(config-if)# no peer default ip address
Router(config-if)# ppp authentication chap
Router(config-if)# ppp authorization vpn1
Router(config-if)# ppp accounting vpn1
Note The PPP commands shown in these examples are typical of virtual template configurations. Not all PPP
commands are required. Refer to the PPP documentation for more information.
Monitoring and Maintaining a Virtual Access Interface
When a virtual template interface is applied dynamically to an incoming user session, a virtual access
interface (VAI) is created. You cannot use the command line interface (CLI) to directly create or
configure a VAI, but you can display and clear the VAI by using the following commands in privileged
EXEC mode.
SUMMARY STEPS
Step 1 clear interface virtual-access number
DETAILED STEPS
Command or Action Purpose
Router# show interfaces virtual-access number configuration
Displays the configuration of the active VAI that was created using a virtual template interface.
The configuration keyword restricts output to configuration information.
Router# clear interface virtual-access number
Tears down the live sessions and frees the memory for other client users.
The following example shows how to display the active VAI configuration:
Router# show interfaces virtual-access 1.1 configuration
!
interface virtual-access1.1
if vrf forwarding vrf-1
ip unnumbered Loopback1
no ip proxy-arp
peer default ip address pool vrf-1
ppp authentication chap
end
Note Virtual-access 1.1 is a PPPoE subinterface.
The following example shows how to clear a live session:
Router# clear interface virtual-access 1.1
Router#
Creating an Ethernet Interface and Enabling PPPoE
SUMMARY STEPS
Step 1 interface gigabitethernet number
Step 2 protocol pppoe group group-name
DETAILED STEPS
To create an Ethernet interface and enable PPPoE on it, enter the following commands beginning in
global configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface gigabitethernet number
Creates an Ethernet interface and enters interface configuration mode.
Step 2 Router(config-if)# protocol pppoe group group-name
Enables PPPoE and allows PPPoE sessions to be created through that interface.
Configuring PPPoE in a BBA Group
Note Cisco IOS Release 12.2(33)SRC does not support the configuration of BBA groups using RADIUS. You
must configure BBA groups manually.
SUMMARY STEPS
Step 1 bba-group pppoe name
Step 2 virtual-template template-number
Step 3 pppoe limit per-mac per-mac-limit
Step 4 pppoe limit max-sessions number
Step 5 pppoe limit per-vc per-vc-limit
Step 6 exit
Step 7 interface type number access
Step 8 encapsulation dot1q vlan-id
Step 9 pppoe enable group group-name
DETAILED STEPS
To configure a broadband aggregation (BBA) group for PPPoE and link it to the appropriate virtual
template interface, enter the following commands beginning in global configuration mode:
Command or Action Purpose
Step 1 Router(config)# bba-group pppoe name
Configures a BBA group to be used to establish PPPoE sessions.
name identifies the BBA group. You can have multiple BBA groups.
Step 2 Router(config-bba)# virtual-template template-number
Specifies the virtual template interface to use to clone VAIs.
Step 3 Router(config-bba)# pppoe limit per-mac per-mac-limit
(Optional) Specifies the maximum number of sessions per MAC address for each PPPoE port that uses
the group.
Step 4 Router(config-bba)# pppoe limit max-sessions number
(Optional) Specifies the maximum number of PPPoE sessions that can be terminated on this router from
all interfaces.
Step 5 Router(config-bba)# pppoe limit per-vc per-vc-limit
(Optional) Specifies the maximum number of PPPoE sessions for each VC that uses the group.
Step 6 Router(config-bba)# exit
Returns to global configuration mode.
Step 7 Router(config)# interface type number access
Specifies the type of interface to which you want to attach the BBA group and enters interface
configuration mode.
Note The access keyword is required on subinterfaces, but must not be used for main interfaces.
Step 8 Router(config-if)# encapsulation dot1q vlan-id
Enables IEEE 802.1Q encapsulation of traffic on a specified subinterface in a VLAN. Specify the VLAN
identifier.
Note This step is required only for 802.1Q and QinQ interfaces.
Step 9 Router(config-if)# pppoe enable group group-name
Attaches the BBA group to the VLAN.
Configuring PPPoE over 802.1Q VLANs on a Cisco 7600 SIP-400
PPPoE over IEEE 802.1Q VLANs enables the Cisco 7600 series router with the SIP-400 to support
PPPoE over IEEE 802.1Q encapsulated VLAN interfaces. IEEE 802.1Q encapsulation is used to
interconnect a VLAN-capable router with another VLAN-capable networking device. The packets on the
802.1Q link contain a standard Ethernet frame and the VLAN information associated with that frame.
Note PPPoE is disabled by default on a VLAN.
Configuring a Virtual Template
Before configuring PPPoE on an IEEE 802.1Q VLAN interface, configure a virtual template and a BBA
group. See the “Configuring a Virtual Template Interface” section on page 4-160, and the “Configuring
PPPoE in a BBA Group” section on page 4-162.
Creating an Ethernet IEEE 802.1Q Encapsulated Subinterface and Enabling PPPoE
SUMMARY STEPS
Step 1 interface gigabitethernet slot/subslot/port.number access
Step 2 encapsulation dot1q vlan-id [second-dot1q inner-vlan-id]
Step 3 pppoe enable group group-name
DETAILED STEPS
To create an Ethernet 802.1Q interface and enable PPPoE on it, enter the following commands beginning
in global configuration mode.
Command or Action Purpose
Step 1 Router(config)# interface gigabitethernet slot/subslot/port.number access
Creates a Gigabit Ethernet subinterface and enters subinterface configuration mode.
Step 2 Router(config-subif)# encapsulation dot1q vlan-id [second-dot1q inner-vlan-id]
Enables IEEE 802.1Q encapsulation on a specified subinterface in VLANs.
Step 3 Router(config-subif)# pppoe enable group group-name
Enables PPPoE and allows PPPoE sessions to be created through the specified subinterface.
Verifying PPPoE over Ethernet and IEEE 802.1Q VLAN
To verify PPPoEoE and IEEE 802.1Q VLAN, enter the following commands in privileged EXEC mode:
Command or Action Purpose
Router# show pppoe session all
Displays PPPoE session information for each session ID.
Router# show pppoe session packets
Displays PPPoE session statistics.
Router# show pppoe summary
Displays PPPoE summary statistics.
Clearing PPPoE Sessions
To clear PPPoE sessions, enter the following commands in privileged EXEC mode:
Command or Action Purpose
Router# clear pppoe all
Clears all PPPoE sessions.
Router# clear pppoe interface
Clears all PPPoE sessions on a physical interface or subinterface.
Router# clear pppoe rmac
Clears PPPoE sessions from a client host MAC address.
Router# pppoe interface interface vlan vlan-number
Clears sessions on a per-VLAN basis in ambiguous VLAN cases.
Configuring Source IPv4 and Source MAC Address Binding on the SIP-400
The Source IPv4 and Source MAC Address Binding feature is used in conjunction with the DHCP
Authorized ARP and Secure ARP features to provide a check of the source IPv4 and source MAC
address binding information before a packet can proceed to a higher level of processing. If the binding
information does not exist, the packet is dropped.
Configuration Guidelines
When configuring source IPv4 and source MAC address binding, follow these guidelines:
• Supports access subinterfaces on the Cisco 7600 series routers in DHCP and non-DHCP
environments.
Note Static entry of the MAC and IP address is required in a non-DHCP environment.
• Supports IPv4 unicast packets only.
• Supports Ethernet interfaces, subinterfaces, and routed Switched Virtual Interfaces (SVIs).
• Supports interface/subinterface and intelligent edge (iEdge) IP sessions.
• Supports up to 128000 IPv4 and MAC address bindings (subscriber entries) for the Cisco 7600
series router, and 8000 MAC address subscriber entries for each Cisco 7600 SIP-400.
• This feature is recommended primarily for access-facing interfaces and subinterfaces.
• Supports Cisco 7600 series router with RSP720, SUP720, or SUP 32.
• Supported on the Cisco 7600 SIP-400 for the following Ethernet SPAs:
– 2-Port Gigabit Ethernet SPA
– 5-Port Gigabit Ethernet SPA
– 10-Port Gigabit Ethernet SPA
• Supports only Ethernet and Ethernet logical interfaces. This feature can be supported on other
interfaces provided they have Ethernet encapsulations underneath their primary encapsulation (for
example, RBE or routed bridged PVC or EVC).
• If you are using EVC, this feature must be configured for bridge domain.
Restrictions
When configuring source IPv4 and source MAC address binding, note these restrictions:
• This feature cannot be used if multiple clients are using the same MAC address and they are on the
same logical interfaces (VLAN).
• This feature does not support native LAN cards on the Cisco 7600 series router.
• This feature supports only one EVC per SVI.
Configuring Source IPv4 and Source MAC Address Binding
To configure this feature, perform the following tasks:
• Securing ARP Table Entries to DHCP Leases
• Configuring the Interfaces for Source IPv4 and Source MAC Address Binding
• Configuring DHCP Authorized ARP
• Showing the Number of Dropped Packets
Securing ARP Table Entries to DHCP Leases
This task describes how to secure ARP table entries to DHCP leases, starting in global configuration
mode.
SUMMARY STEPS
Step 1 configure terminal
Step 2 ip dhcp pool pool-name
Step 3 network network-number
Step 4 update arp
Step 5 exit
DETAILED STEPS
Command Purpose
Step 1 Router# configure terminal
Enters global configuration mode.
Step 2 Router(config)# ip dhcp pool pool-name
Configures a DHCP address pool and enters DHCP pool configuration mode.
pool-name—Name of the pool. Can either be a symbolic string or an integer.
Step 3 Router(dhcp-config)# network network-number
Configures the network number and mask for a DHCP address pool.
network-number—IP address of the primary DHCP address pool.
Note Use the network command to configure the Cisco 7600 series router as a DHCP server. Otherwise, the
Cisco 7600 acts as a DHCP relay agent and gets the address from an outside server.
Step 4 Router(dhcp-config)# update arp
Secures insecure ARP table entries to the corresponding DHCP leases.
Step 5 Router(dhcp-config)# exit
Exits DHCP pool configuration mode.
Example:
Router# configure terminal
Router(config)# ip dhcp pool tc10
Router(dhcp-config)# network 10.0.0.0 255.255.255.0
Router(dhcp-config)# update arp
Router(dhcp-config)# exit
Configuring the Interfaces for Source IPv4 and Source MAC Address Binding
This task describes how to enable source IPv4 and source MAC address binding in interface
configuration mode.
SUMMARY STEPS
Step 1 configure terminal
Step 2 interface vlan vlan-number
Step 3 ip address ip-address mask
Step 4 ip verify unicast source reachable-via rx l2-src
Step 5 no shutdown
DETAILED STEPS
Command Purpose
Step 1 Router# configure terminal
Enters global configuration mode.
Step 2 Router(config)# interface vlan vlan-number
Specifies interface and VLAN number and enters interface configuration mode.
vlan-number—Range is from 1 to 4094.
Note To configure a main interface, use the interface type slot/subslot/port command in global
configuration mode.
Step 3 Router(config-if)# ip address ip-address mask
Sets an IP address for an interface.
ip-address—IP address.
mask—Mask for the associated subnet.
Step 4 Router(config-if)# ip verify unicast source reachable-via rx l2-src
Enables source IPv4 and source MAC address binding.
Step 5 Router(config-if)# no shutdown
Enables the interface.
Example:
Router# configure terminal
Router(config)# interface vlan 10
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# ip verify unicast source reachable-via rx l2-src
Router(config-if)# no shutdown
Configuring DHCP Authorized ARP
This task describes how to disable dynamic ARP learning on an interface, starting in interface
configuration mode.
SUMMARY STEPS
Step 1 configure terminal
Step 2 interface type slot/subslot/port
Step 3 arp authorized
Step 4 arp timeout seconds
Step 5 service instance id ethernet
Step 6 encapsulation dot1q vlan-id
Step 7 rewrite ingress tag pop {1 | 2} symmetric
Step 8 bridge-domain bridge-id
Step 9 no shutdown
Step 10 exit
DETAILED STEPS
Command Purpose
Step 1 Router# configure terminal
Enters global configuration mode.
Step 2 Router(config)# interface type slot/subslot/port
Configures an interface type and enters interface configuration mode.
type slot/subslot/port—Specifies the type and location of the interface.
Step 3 Router(config-if)# arp authorized
Disables dynamic ARP learning on an interface.
Step 4 Router(config-if)# arp timeout seconds
Configures how long an entry remains in the ARP cache.
seconds—Time (in seconds) that an entry remains in the ARP cache. A value of 0 means that entries are
never cleared from the cache.
Step 5 Router(config-if)# service instance id ethernet
Configures an Ethernet service instance on an interface and enters Ethernet service configuration mode.
id—Integer in the range of 1 to 4294967295 that uniquely identifies a service instance on an interface.
Step 6 Router(config-if-srv)# encapsulation dot1q vlan-id
Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service
instance.
vlan-id—VLAN ID, an integer in the range 1 to 4094.
Step 7 Router(config-if-srv)# rewrite ingress tag pop {1 | 2} symmetric
Specifies the encapsulation adjustment to be performed on the frame ingress to the service instance.
pop {1 | 2}—One or two tags are removed from the packet.
symmetric—(Optional) Specifies tagging on the packets in the reverse direction (egress).
Step 8 Router(config-if-srv)# bridge-domain bridge-id
Binds the service instance to a bridge domain instance.
bridge-id—Identifier for the bridge domain instance, an integer in the range of 1 to a
platform-specific upper limit.
Step 9 Router(config-if-srv)# no shutdown
Enables the interface.
Step 10 Router(config-if-srv)# end
Ends the current configuration session and returns to privileged EXEC mode.
Example:
Router# configure terminal
Router(config)# interface gigabitethernet 8/0/1
Router(config-if)# arp authorized
Router(config-if)# arp timeout 60
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 101
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
Router(config-if-srv)# no shutdown
Router(config-if-srv)# end
Showing the Number of Dropped Packets
This task describes how to display the number of packets dropped when the source IPv4 and source MAC
address binding check has failed.
Command Purpose
Step 1 Router# attach slot-number
Attaches to the SIP-400.
slot-number—location of SIP-400.
Step 2 SIP-400-8# show platform drops detail
(Router prompt changes to SIP-400 prompt.) Shows statistics regarding dropped packets.
Example:
Router# attach 8
Entering CONSOLE for slot 8
Type “^C^C^C” to end this session
SIP-400-8# show platform drops detail
Global drops:
Drops for all interfaces:
Gi8/0/0 ENP ifixp 16 Source masking (normal occurrence)
Gi8/0/1 INP ifixp 3 BPDUs are not supported on this i/f
Gi8/0/1 ENP ifixp 2008 Source masking (normal occurrence)
Gi8/0/1 INP ifixp 2000 Src IP/MAC check failed
Gi8/0/1 ENP ifixp 13 Source masking (normal occurrence)
SIP-400-8#
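To watch the binding-check counter over time, the drop output can be parsed and compared between two captures. The following is an added example, not part of this guide or of Cisco IOS: the function names are hypothetical, the second and third columns of each row are carried as opaque tokens because the guide does not define them, and the later capture is constructed for illustration.

```python
"""Track 'Src IP/MAC check failed' drops in `show platform drops detail` output."""
import re
from collections import defaultdict

BINDING_REASON = "Src IP/MAC check failed"

# Row layout as printed in the guide: interface, two tokens left
# uninterpreted here, a packet counter, then the free-text drop reason.
ROW = re.compile(
    r"^(?P<ifname>[A-Za-z]+\d+(?:/\d+)+)\s+(?P<col2>\S+)\s+(?P<col3>\S+)\s+"
    r"(?P<count>\d+)\s+(?P<reason>.+?)\s*$"
)

# Output reproduced from the guide's example.
GUIDE_OUTPUT = """\
SIP-400-8# show platform drops detail
Global drops:
Drops for all interfaces:
Gi8/0/0 ENP ifixp 16 Source masking (normal occurrence)
Gi8/0/1 INP ifixp 3 BPDUs are not supported on this i/f
Gi8/0/1 ENP ifixp 2008 Source masking (normal occurrence)
Gi8/0/1 INP ifixp 2000 Src IP/MAC check failed
Gi8/0/1 ENP ifixp 13 Source masking (normal occurrence)
SIP-400-8#
"""

# Constructed later capture (not from the guide).
LATER_OUTPUT = """\
SIP-400-8# show platform drops detail
Global drops:
Drops for all interfaces:
Gi8/0/0 ENP ifixp 21 Source masking (normal occurrence)
Gi8/0/0 INP ifixp 12 Src IP/MAC check failed
Gi8/0/1 INP ifixp 2450 Src IP/MAC check failed
SIP-400-8#
"""


def parse_drops(output: str) -> dict:
    """Return {(interface, reason): packets}, summing rows that repeat."""
    totals = defaultdict(int)
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if match:   # prompts and section headings do not match and are skipped
            totals[(match["ifname"], match["reason"])] += int(match["count"])
    return dict(totals)


def binding_failures(output: str) -> dict:
    """Return {interface: packets dropped by the source IP/MAC binding check}."""
    return {
        ifname: count
        for (ifname, reason), count in parse_drops(output).items()
        if reason == BINDING_REASON
    }


def new_failures(before: str, after: str, threshold: int = 0) -> dict:
    """Interfaces whose binding-check drops grew by more than `threshold`."""
    old, new = binding_failures(before), binding_failures(after)
    grown = {}
    for ifname, count in new.items():
        delta = count - old.get(ifname, 0)
        if delta < 0:
            # Counter went backwards (cleared, or the SIP was reset):
            # everything now counted is new.
            delta = count
        if delta > threshold:
            grown[ifname] = delta
    return grown


if __name__ == "__main__":
    print("binding-check drops:", binding_failures(GUIDE_OUTPUT))
    for ifname, delta in sorted(new_failures(GUIDE_OUTPUT, LATER_OUTPUT, 100).items()):
        print(f"{ifname}: {delta} new packets failed the source IP/MAC check")
```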
Resetting a SIP
To reset a SIP, use the following command in privileged EXEC configuration mode:
Command Purpose
Router# hw-module module slot reset
Turns power off and on to the SIP in the specified slot, where:
• slot—Specifies the chassis slot number where the SIP is installed.
Configuration Examples
This section includes the following examples for configuring SIPs installed in a Cisco 7600 series router:
• Layer 2 Interworking Configuration Examples
• MPLS Configuration Examples
• QoS Configuration Examples
• Private Hosts SVI (Interface VLAN) Configuration Example
Layer 2 Interworking Configuration Examples
This section includes the following Layer 2 interworking configuration examples:
• BCP in Trunk Mode Configuration Example
• BCP in Single-VLAN Mode Configuration Example
BCP in Trunk Mode Configuration Example
The following example shows how to configure BCP in trunk mode:
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface pos4/1/0
!
! Put the interface in Layer 2 mode for Layer 2 configuration.
Router(config-if)# switchport
%Please shut/no shut POS4/1/0 to bring up BCP
!
! When the switchport command is configured, the interface is automatically configured for
! trunk mode and nonegotiate status.
! Restart the interface to enable BCP.
!
Router(config-if)# shutdown
Router(config-if)# no shutdown
!
! Enable all VLANs for receiving and transmitting traffic on the trunk.
!
Router(config-if)# switchport trunk allowed vlan all
%Internal vlans not available for bridging:1006-1018,1021
The following example shows sample output from the show running-config command for this
configuration. The switchport mode trunk and switchport nonegotiate commands are automatically
generated in the configuration (NVGENed) when the switchport command is configured:
Router# show running-config interface pos4/1/0
Building configuration...
Current configuration : 191 bytes
!
interface POS4/1/0
switchport
switchport trunk allowed vlan all
switchport mode trunk
switchport nonegotiate
no ip address
encapsulation ppp
clock source internal
end
BCP in Single-VLAN Mode Configuration Example
The following example shows how to configure BCP in single-VLAN mode:
! Enter global configuration mode.
!
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address
!
Router(config)# interface pos4/1/0
!
! Disable IP processing on the interface. This is recommended for BCP interfaces.
!
Router(config-if)# no ip address
!
! Configure PPP encapsulation. You must configure PPP encapsulation before using the
! bridge-domain command.
!
Router(config-if)# encapsulation ppp
!
! Configure the bridge domain and tag all Ethernet frames on the BCP link with the 802.1Q
! header.
!
Router(config-if)# bridge-domain 100 dot1q
%Please shut/no shut POS4/1/0 to bring up BCP
!
! Restart the interface to enable BCP.
!
Router(config-if)# shutdown
Router(config-if)# no shutdown
The following example shows sample output from the show running-config command for this
configuration:
Router# show running-config interface pos4/1/0
Building configuration...
Current configuration : 122 bytes
!
interface POS4/1/0
no ip address
encapsulation ppp
bridge-domain 100 dot1q
clock source internal
end
The following example shows the message that is displayed if you attempt to configure the
bridge-domain command without configuring PPP encapsulation:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface pos4/1/0
Router(config-if)# bridge-domain 100 dot1q
Must set encapsulation to PPP before using hw bridging over PPP
MPLS Configuration Examples
This section includes the following MPLS configuration examples:
• Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS) Configuration Example
Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) Class-Based Tunnel Selection (CBTS) Configuration Example
The following example shows how to configure Multiprotocol Label Switching (MPLS) Traffic
Engineering (TE) Class-Based Tunnel Selection (CBTS). Tunnel1, Tunnel2, and Tunnel3 are member
tunnels, and Tunnel4 is the master tunnel.
! Member tunnel that carries traffic marked with EXP 5.
!
Router(config)# interface Tunnel1
Router(config-if)# ip unnumbered loopback0
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mode mpls traffic-eng
Router(config-if)# tunnel mpls traffic-eng bandwidth sub-pool 30000
Router(config-if)# tunnel mpls traffic-eng exp 5
!
! Member tunnel that carries traffic marked with EXP 3 and 4.
!
Router(config)# interface Tunnel2
Router(config-if)# ip unnumbered loopback0
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mode mpls traffic-eng
Router(config-if)# tunnel mpls traffic-eng bandwidth 50000
Router(config-if)# tunnel mpls traffic-eng exp 3 4
!
! Member tunnel that carries all EXP values not assigned to another member.
!
Router(config)# interface Tunnel3
Router(config-if)# ip unnumbered loopback0
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mode mpls traffic-eng
Router(config-if)# tunnel mpls traffic-eng bandwidth 10000
Router(config-if)# tunnel mpls traffic-eng exp default
!
! Master tunnel that bundles the three member tunnels.
!
Router(config)# interface Tunnel4
Router(config-if)# tunnel destination 24.1.1.1
Router(config-if)# tunnel mpls traffic-eng exp-bundle master
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel1
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel2
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel3
Router(config-if)# tunnel mpls traffic-eng autoroute enable
QoS Configuration Examples
This section includes the following QoS configuration examples:
• QoS with Multipoint Bridging Configuration Examples
• Hierarchical QoS with 2-Level Policy Map Configuration Examples
QoS with Multipoint Bridging Configuration Examples
The SIPs and SPAs support a subset of QoS features with MPB configurations.
• For ATM bridging, Frame Relay bridging, MPB, and BCP features on the Cisco 7600 SIP-200 and
Cisco 7600 SIP-400, these matching features are supported on bridged frames beginning in Cisco
IOS Release 12.2(33)SRA:
– Matching on ATM CLP bit
– Matching on Frame Relay DE bit
– Matching on Frame Relay DLCI
– Matching on inner VLAN
– Matching on inner CoS
– Matching on IP DSCP (input interface only)
• For ATM bridging, Frame Relay bridging, MPB, and BCP features on the Cisco 7600 SIP-200 and
Cisco 7600 SIP-400, these marking features are supported on bridged frames beginning in Cisco
IOS Release 12.2(33)SRA:
– Set ATM CLP bit (output interface only)
– Set Frame Relay DE bit (output interface only)
– Set inner CoS
• For ATM bridging, Frame Relay bridging, MPB, and BCP features on the Cisco 7600 SIP-200 and
Cisco 7600 SIP-400, the following marking features with policing are supported on bridged frames
beginning in Cisco IOS Release 12.2(33)SRA:
– Set inner CoS
For more information about configuring QoS on SIPs and SPAs, see the “Configuring QoS Features on
a SIP” section.
This section includes the following QoS with MPB configuration examples:
• Matching All Traffic on an Inner VLAN Tag with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example
• Marking the Inner CoS Value with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example
• Configuring QoS Matching, Shaping, and Marking with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example
• Setting the Inner CoS Value as a Policing Action for SIPs and SPAs on the Cisco 7600 Series Router Example
Matching All Traffic on an Inner VLAN Tag with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example
You can match traffic on an inner VLAN ID of a packet when you are using bridging features on a SPA.
The following example shows configuration of a QoS class that filters all bridged traffic for VLAN 100
into a class named “vlan-inner-100.” An output service policy is then applied to the SPA interface that
bridges all outgoing traffic for the vlan-inner-100 class into VLAN 100.
! Configure the class maps with your matching criteria.
!
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
!
! Apply the service policy to an input or output bridged interface or VC.
!
Router(config)# interface atm3/0/0
Router(config-if)# pvc 100/100
Router(config-if-atm-vc)# bridge-domain 100 dot1q
Router(config-if-atm-vc)# service-policy output vlan-inner-100
Router(config-if)# end
Marking the Inner CoS Value with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example
The following example shows configuration of a QoS class that filters all traffic matching on VLAN 100
into a class named “vlan-inner-100.” The configuration shows the definition of a policy-map (also named
“vlan-inner-100”) that marks the inner CoS with a value of 3 for traffic in the vlan-inner-100 class. Since
marking of the inner CoS value is only supported with bridging features, the configuration also shows
the service policy being applied as an output policy to a serial SPA interface that bridges traffic into
VLAN 100 using the bridge-domain command.
! Configure the class maps with your matching criteria.
!
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
!
! Configure the policy map to mark all traffic in a class.
!
Router(config)# policy-map vlan-inner-100
Router(config-pmap)# class vlan-inner-100
Router(config-pmap-c)# set cos-inner 3
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the service policy to an input or output bridged interface or VC.
!
Router(config)# interface serial3/0/0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp
Router(config-if)# bridge-domain 100 dot1q
Router(config-if)# service-policy output vlan-inner-100
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# end
Configuring QoS Matching, Shaping, and Marking with MPB on SIPs and SPAs on the Cisco 7600 Series Router Example
The following example shows a complete QoS configuration of matching, shaping, and marking with
MPB on SIPs and SPAs.
! Configure the class maps with your matching criteria.
! The following class maps configure matching on the inner VLAN ID.
!
Router(config)# class-map match-all vlan100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
Router(config)# class-map match-all vlan200
Router(config-cmap)# match vlan inner 200
Router(config-cmap)# exit
Router(config)# class-map match-all vlan300
Router(config-cmap)# match vlan inner 300
Router(config-cmap)# exit
!
! The following class maps configure matching on the inner CoS value.
!
Router(config)# class-map match-all cos0
Router(config-cmap)# match cos inner 0
Router(config-cmap)# exit
Router(config)# class-map match-all cos1
Router(config-cmap)# match cos inner 1
Router(config-cmap)# exit
Router(config)# class-map match-all cos2
Router(config-cmap)# match cos inner 2
Router(config-cmap)# exit
Router(config)# class-map match-all cos7
Router(config-cmap)# match cos inner 7
Router(config-cmap)# exit
!
! Configure a policy map for the defined classes.
! The following policies define shaping characteristics for classes
! on different VLANs
!
Router(config)# policy-map vlan100
Router(config-pmap)# class cos1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# class cos2
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# exit
Router(config-pmap)# class cos7
Router(config-pmap-c)# percent 30
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map vlan200
Router(config-pmap)# class cos1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# class cos2
Router(config-pmap-c)# bandwidth percent 20
Router(config-pmap-c)# exit
Router(config-pmap)# class cos7
Router(config-pmap-c)# percent 30
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! The following policy map defines criteria for an output interface using MPB
!
Router(config)# policy-map egress_mpb
Router(config-pmap)# class vlan100
Router(config-pmap-c)# bandwidth percent 30
Router(config-pmap-c)# service-policy vlan100
Router(config-pmap-c)# exit
Router(config-pmap)# class vlan200
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap-c)# service-policy vlan200
!
! The following policy map defines criteria for an input interface using MPB
!
Router(config)# policy-map ingress_mpb
Router(config-pmap)# class vlan100
Router(config-pmap-c)# set cos-inner 5
Router(config-pmap-c)# exit
Router(config-pmap)# class vlan200
Router(config-pmap-c)# set cos-inner 3
!
! The following policy map defines criteria for an ATM output interface using MPB
! Note: You can only mark ATM CLP on an ATM output interface with MPB
!
Router(config)# policy-map atm_clp
Router(config-pmap)# class cos1
Router(config-pmap-c)# set atm-clp
Router(config-pmap-c)# exit
Router(config-pmap)# class cos2
Router(config-pmap-c)# set atm-clp
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Configure an interface for MPB and apply the service policies.
! The following example configures a POS interface in BCP trunk mode and applies two
! different service policies for the output and input traffic on the interface.
!
Router(config)# interface POS3/0/0
Router(config-if)# switchport
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# switchport trunk allowed vlan 100,200,300
Router(config-if)# service-policy output egress_mpb
Router(config-if)# service-policy input ingress_mpb
!
! The following example configures an ATM interface with bridging on VLAN 100
! and applies a service policy for setting the ATM CLP for the output traffic.
!
Router(config)# interface ATM 4/1/0
Router(config-if)# pvc 1/100
Router(config-if-atm-vc)# bridge-domain 100
Router(config-if-atm-vc)# service-policy output atm_clp
Setting the Inner CoS Value as a Policing Action for SIPs and SPAs on the Cisco 7600 Series Router Example
The following example shows configuration of a QoS class that filters all traffic for virtual LAN (VLAN)
100 into a class named “vlan-inner-100,” and establishes a traffic shaping policy for the vlan-inner-100
class. The service policy limits traffic to a CIR of 20 percent and a PIR of 40 percent, with a conform
burst (bc) of 300 ms, and peak burst (be) of 400 ms, and sets the inner CoS value to 3. Because setting
of the inner CoS value is only supported with bridging features, the configuration also shows the service
policy being applied as an output policy for an ATM SPA interface permanent virtual circuit (PVC) that
bridges traffic into VLAN 100 using the bridge-domain command.
! Configure the class maps with your matching criteria
!
Router(config)# class-map match-all vlan-inner-100
Router(config-cmap)# match vlan inner 100
Router(config-cmap)# exit
!
! Configure the policy map to police all traffic in a class and mark conforming traffic
! (marking traffic whose rate is less than the conform burst)
!
Router(config)# policy-map vlan-inner-100
Router(config-pmap)# class vlan-inner-100
Router(config-pmap-c)# police cir percent 20 bc 300 ms be 400 ms pir percent 40 conform-action set-cos-inner-transmit 3
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the service policy to an input or output bridged interface or VC.
!
Router(config)# interface atm3/0/0
Router(config-if)# pvc 100/100
Router(config-if-atm-vc)# bridge-domain 100 dot1q
Router(config-if-atm-vc)# service-policy output vlan-inner-100
Router(config-if)# end
Hierarchical QoS with 2-Level Policy Map Configuration Examples
The following example shows configuration of hierarchical QoS that maps to two levels of hierarchical
queues (you can configure up to three levels). The first-level policy (the parent policy) configures the
aggregated data rate to be shaped to 1 Mbps for the class-default class. The second-level policy (the child
policy) configures the traffic in User-A class for 40 percent of the bandwidth and traffic in User-B class
for 60 percent of the bandwidth.
Because this example shows the parent policy applying to the class-default class, it is supported in Cisco
IOS Release 12.2(33)SXF and later, as well as in Cisco IOS Release 12.2(33)SRA.
! Configure the class maps with your matching criteria
!
Router(config)# class-map match-any User-A
Router(config-cmap)# match access-group A
Router(config-cmap)# exit
Router(config)# class-map match-any User-B
Router(config-cmap)# match access-group B
Router(config-cmap)# exit
!
! Configure the parent policy for class-default to shape
! all traffic in that class and apply a second-level policy.
!
Router(config)# policy-map parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape 1000000
Router(config-pmap-c)# service-policy child
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Configure the child policy to allocate different percentages of
! bandwidth by class.
!
Router(config)# policy-map child
Router(config-pmap)# class User-A
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap-c)# exit
Router(config-pmap)# class User-B
Router(config-pmap-c)# bandwidth percent 60
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the parent service policy to an input or output interface.
!
Router(config)# interface GigabitEthernet 2/0/0
Router(config-if)# service-policy output parent
The following example shows configuration of hierarchical QoS that maps to two levels of hierarchical
queues, where the parent policy configures average traffic shaping rates on both user-defined classes as
well as the class-default class, which is supported beginning in Cisco IOS Release 12.2(33)SRA. This
configuration does not show the corresponding class map configuration, which is also required to
support these policy maps.
! Configure the parent policy for user-defined and class-default classes to shape
! traffic in those classes and apply a second-level policy.
!
Router(config)# policy-map parent
Router(config-pmap)# class input-vlan100
Router(config-pmap-c)# shape average 100000
Router(config-pmap-c)# service-policy child-pm
Router(config-pmap-c)# exit
Router(config-pmap)# class input-vlan200
Router(config-pmap-c)# shape average 100000
Router(config-pmap-c)# service-policy child-pm
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 200000
Router(config-pmap-c)# service-policy child-pm
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Configure the child policy to allocate different percentages of
! bandwidth by class.
!
Router(config)# policy-map child-pm
Router(config-pmap)# class cos0
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# class cos1
Router(config-pmap-c)# bandwidth percent 10
Router(config-pmap-c)# exit
Router(config-pmap)# exit
!
! Apply the parent service policy to an input or output interface.
!
Router(config)# interface gigabitethernet 2/0/0
Router(config-if)# service-policy output parent
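The hierarchical examples above only work when every class and service-policy statement names an object that exists, and policy-map names are case-sensitive. The following Python check is an added example, not part of the Cisco guide: it audits a pasted configuration for dangling class-map and policy-map references and for hierarchies deeper than the three levels this section mentions. The sample input is constructed with a deliberate Child/child mismatch, and all function and variable names are illustrative.

```python
import re

# Constructed sample modelled on the two-level example in this section.
# "Child" (defined) vs "child" (referenced) is a deliberate mismatch.
SAMPLE_CONFIG = """\
Router(config)# class-map match-any User-A
Router(config-cmap)# match access-group A
Router(config)# class-map match-any User-B
Router(config-cmap)# match access-group B
Router(config)# policy-map parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape 1000000
Router(config-pmap-c)# service-policy child
Router(config)# policy-map Child
Router(config-pmap)# class User-A
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap)# class User-B
Router(config-pmap-c)# bandwidth percent 60
Router(config)# interface GigabitEthernet 2/0/0
Router(config-if)# service-policy output parent
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "Router(config-pmap-c)# "
MAX_LEVELS = 3  # this section says up to three levels can be configured


def commands(text):
    """Yield each command as a word list, without prompts or '!' comments."""
    for line in text.splitlines():
        words = PROMPT.sub("", line.strip()).split()
        if len(words) >= 2 and not words[0].startswith("!"):
            yield words


def audit_qos(text):
    """Return a list of findings about QoS object references in `text`."""
    class_maps = set()
    policy_maps = {}     # policy-map name -> child policy names it nests
    class_refs = []      # (policy-map, class name used inside it)
    attachments = []     # (interface, policy-map applied to it)
    policy = iface = None
    for words in commands(text):
        head = words[0]
        if head == "class-map":
            class_maps.add(words[-1])
            policy = iface = None
        elif head == "policy-map":
            policy, iface = words[1], None
            policy_maps.setdefault(policy, [])
        elif head == "interface":
            policy, iface = None, "".join(words[1:])
        elif head == "class" and policy:
            class_refs.append((policy, words[1]))
        elif head == "service-policy" and policy:
            policy_maps[policy].append(words[-1])
        elif head == "service-policy" and iface:
            attachments.append((iface, words[-1]))

    findings = []
    by_lower = {name.lower(): name for name in policy_maps}

    def defined(name, referrer):
        if name in policy_maps:
            return True
        near = by_lower.get(name.lower())
        hint = f" (names are case-sensitive; '{near}' exists)" if near else ""
        findings.append(f"{referrer}: policy-map '{name}' is not defined{hint}")
        return False

    def levels(name, seen=()):
        # Depth of the hierarchy rooted at `name`; `seen` stops reference loops.
        if name not in policy_maps or name in seen:
            return 0
        below = [levels(c, seen + (name,)) for c in policy_maps[name]]
        return 1 + max(below, default=0)

    for policy, cls in class_refs:
        if cls != "class-default" and cls not in class_maps:
            findings.append(f"policy-map {policy}: class-map '{cls}' is not defined")
    for parent, children in policy_maps.items():
        for child in children:
            defined(child, f"policy-map {parent}")
    for iface, name in attachments:
        if defined(name, f"interface {iface}") and levels(name) > MAX_LEVELS:
            findings.append(f"interface {iface}: '{name}' nests more than {MAX_LEVELS} levels")
    used = {c for kids in policy_maps.values() for c in kids} | {n for _, n in attachments}
    for name in policy_maps:
        if name not in used:
            findings.append(f"policy-map '{name}' is defined but never referenced")
    return findings


if __name__ == "__main__":
    for finding in audit_qos(SAMPLE_CONFIG):
        print(finding)
```

Running the same audit against a candidate configuration before it is pasted into the router catches this class of naming error offline.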
Private Hosts SVI (Interface VLAN) Configuration Example
The following example shows a typical configuration of the private hosts SVI (Interface VLAN) feature.
Note: New feature-related commands are highlighted.
Router(config)#private-hosts vlan-list 200-202,204-205
Router(config)#private-hosts promiscuous maclist-1
Router(config)#private-hosts promiscuous maclist-2
Router(config)#private-hosts mac-list maclist-1 0000.1111.9991
Router(config)#private-hosts mac-list maclist-2 0000.1111.9992
Router(config)#private-hosts layer3
Router(config)#private-hosts
!
!
Router(config)#interface GigabitEthernet3/0/1
Router(config-if)# switchport
Router(config-if)#switchport access vlan 201
Router(config-if)#switchport mode access
Router(config-if)#private-hosts mode promiscuous
!
Router(config-if)#interface GigabitEthernet3/0/2
Router(config-if)#switchport
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport trunk allowed vlan 200-205
Router(config-if)#switchport mode trunk
Router(config-if)#private-hosts mode isolated
!
The following example shows another configuration of the private hosts SVI:
PE17_C7606(config)#
PE17_C7606(config)#private-hosts
PE17_C7606(config)#private-hosts mac-list ?
WORD mac list name
PE17_C7606(config)#private-hosts mac-list ml1 ?
H.H.H 48-bit MAC address
PE17_C7606(config)#private-hosts mac-list ml1 000a.001e.000d
PE17_C7606(config)#private-hosts vlan-list 1
PE17_C7606(config)# private-hosts ?
Private hosts configuration subcommands:
layer3 enable layer 3 routing with private hosts
mac-list MAC addresses list
promiscuous MAC addresses list
vlan-list Enables private hosts feature on a set of vlans
PE17_C7606(config)# private-hosts promiscuous ml1 vlan-list 1
PE17_C7606(config)#
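The vlan-list help text above says the feature is enabled per VLAN, so a VLAN carried on an isolated or promiscuous port but missing from private-hosts vlan-list is not covered by it. This added Python check (not part of the Cisco guide; function names are illustrative, and a port without an explicit switchport mode is assumed to be an access port in VLAN 1) audits the first example's configuration for such gaps and for promiscuous entries that reference an undefined mac-list.

```python
import re

# Copied from the first private hosts example on this page (CLI prompts kept).
SAMPLE_CONFIG = """\
Router(config)#private-hosts vlan-list 200-202,204-205
Router(config)#private-hosts promiscuous maclist-1
Router(config)#private-hosts promiscuous maclist-2
Router(config)#private-hosts mac-list maclist-1 0000.1111.9991
Router(config)#private-hosts mac-list maclist-2 0000.1111.9992
Router(config)#private-hosts layer3
Router(config)#private-hosts
Router(config)#interface GigabitEthernet3/0/1
Router(config-if)# switchport
Router(config-if)#switchport access vlan 201
Router(config-if)#switchport mode access
Router(config-if)#private-hosts mode promiscuous
Router(config-if)#interface GigabitEthernet3/0/2
Router(config-if)#switchport
Router(config-if)#switchport trunk encapsulation dot1q
Router(config-if)#switchport trunk allowed vlan 200-205
Router(config-if)#switchport mode trunk
Router(config-if)#private-hosts mode isolated
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. "Router(config-if)#"
# Plain VLAN lists only; the add/remove/except forms are not handled here.
VLAN_SPEC = re.compile(r"all|\d+(-\d+)?(,\d+(-\d+)?)*")
ALL_VLANS = frozenset(range(1, 4095))


def parse_vlans(spec):
    """Expand an IOS VLAN list such as '200-202,204-205' or 'all' into a set."""
    if spec == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_private_hosts(text):
    """Report undefined promiscuous mac-lists and port VLANs outside the vlan-list."""
    protected, mac_lists, promiscuous = set(), set(), set()
    ports, port = {}, None
    for line in text.splitlines():
        words = PROMPT.sub("", line.strip()).split()
        words += [""] * (5 - len(words))      # pad so fixed positions can be indexed
        if words[0] == "interface":
            # Assumption: without an explicit mode a port is access, in VLAN 1.
            port = ports.setdefault("".join(words[1:]), {
                "ph_mode": None, "sw_mode": "access",
                "access": {1}, "allowed": set(ALL_VLANS)})
        elif words[:2] == ["private-hosts", "vlan-list"] and VLAN_SPEC.fullmatch(words[2]):
            protected |= parse_vlans(words[2])
        elif words[:2] == ["private-hosts", "mac-list"] and words[2]:
            mac_lists.add(words[2])
        elif words[:2] == ["private-hosts", "promiscuous"] and words[2]:
            promiscuous.add(words[2])
        elif port is None:
            continue
        elif words[:2] == ["private-hosts", "mode"]:
            port["ph_mode"] = words[2]
        elif words[:2] == ["switchport", "mode"]:
            port["sw_mode"] = words[2]
        elif words[:3] == ["switchport", "access", "vlan"] and words[3].isdigit():
            port["access"] = {int(words[3])}
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"] and VLAN_SPEC.fullmatch(words[4]):
            port["allowed"] = parse_vlans(words[4])

    uncovered = {}
    for name, cfg in ports.items():
        if cfg["ph_mode"] is None:
            continue                           # private hosts not applied to this port
        carried = cfg["allowed"] if cfg["sw_mode"] == "trunk" else cfg["access"]
        gap = sorted(carried - protected)
        if gap:
            uncovered[name] = gap
    return {"undefined_mac_lists": sorted(promiscuous - mac_lists),
            "uncovered_vlans": uncovered}


if __name__ == "__main__":
    print(audit_private_hosts(SAMPLE_CONFIG))
```

On the first example's configuration it reports VLAN 203 on GigabitEthernet3/0/2: the trunk allows 200-205 while the vlan-list covers 200-202 and 204-205.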
Troubleshooting
Table 4-20 lists some of the QoS troubleshooting scenarios in a SIP-400.
Table 4-20 QoS Troubleshooting on a SIP-400
Problem: Error message on applying service-policy on any interface
Solution: Check if you have configured the service-policy correctly. If not, re-apply the service policy on the interface. If the issue persists, contact TAC.
Problem: No drop in priority queues despite excessive traffic flow
Solution: To troubleshoot priority queues, configure the explicit policer value for the priority traffic. If the issue persists, contact TAC.
Problem: No drops in class bandwidth when the offered rate crosses the configured bandwidth
Solution:
1. Use the bandwidth command to ensure that a minimum bandwidth and not the maximum bandwidth exists.
2. Use the shape average command instead of the bandwidth command to assign a maximum bandwidth.
3. If the issue persists, contact TAC.
Problem: Drops in some classes and no drops in others
Solution: The traffic drops depend on the traffic pattern. Reserved bandwidth is forced when there is congestion on the parent shaper or physical link that completely depends on the traffic pattern. If the issue persists, contact TAC.
Chapter 5 Troubleshooting the SIPs and SSC
This chapter describes techniques that you can use to troubleshoot the operation of your SIPs.
It includes the following sections:
• General Troubleshooting Information
• Using the Cisco IOS Event Tracer to Troubleshoot Problems
• Troubleshooting Oversubscription on the Cisco 7600 SIP-400
• Preparing for Online Insertion and Removal of SIPs, SSCs, and SPAs
The first section provides information about basic interface troubleshooting. If you are having a problem
with your SPA, use the steps in the “Using the Cisco IOS Event Tracer to Troubleshoot Problems”
section to begin your investigation of a possible interface configuration problem.
To perform more advanced troubleshooting, see the other sections in this chapter.
General Troubleshooting Information
This section describes general information for troubleshooting SIPs, SSCs, and SPAs. It includes the
following sections:
• Interpreting Console Error Messages
• Using debug Commands
• Using show Commands
Interpreting Console Error Messages
To view the explanations and recommended actions for Cisco 7600 series router error messages,
including messages related to Cisco 7600 series router SIPs and SSCs, refer to the following documents:
• Cisco 7600 Series Cisco IOS System Message Guide, 12.2SX (for error messages in Release 12.2SX)
• System Error Messages for Cisco IOS Release 12.2S (for error messages in Release 12.2S)
System error messages are organized in the documentation according to the particular system facility
that produces the messages. The SIP and SSC error messages use the following facility names:
• Cisco 7600 SIP-200—C7600_SIP200
• Cisco 7600 SIP-400—SIP400
• Cisco 7600 SIP-600—SIP600
• Cisco 7600 SSC-400—C7600_SSC400
Note: Rate limit SIP200_MP-4-PAUSE ensures that one pause message is logged per unique occurrence
across the SIP200 reloads, and the subsequent occurrences are only statistically accounted. This is
applicable only for SIP 200 and not for SIP 400 and SIP 600.
Using debug Commands
Along with the other debug commands supported on the Cisco 7600 series router, you can obtain
specific debug information for SIPs and SSCs on the Cisco 7600 series router using the debug
hw-module privileged EXEC command.
The debug hw-module command is intended for use by Cisco Systems technical support personnel.
Caution: Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands
during periods of lower network traffic and fewer users. Debugging during these periods decreases the
likelihood that increased debug command processing overhead will affect system use.
For more information about other debug commands that can be used on a Cisco 7600 series router, refer
to the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SX and to the Cisco IOS Debug Command
Reference, Release 12.2 SR.
Using show Commands
There are several show commands that you can use to monitor and troubleshoot the SIPs and SSCs on
the Cisco 7600 series router. This chapter describes using the show hw-module slot command to
perform troubleshooting of your SPA.
For more information about show commands to verify and monitor SIPs and SSCs, see the following
chapters of this guide:
• Chapter 4, “Configuring the SIPs and SSC”
Using the Cisco IOS Event Tracer to Troubleshoot Problems
Note: This feature is intended for use as a software diagnostic tool and should be configured only under the
direction of a Cisco Technical Assistance Center (TAC) representative.
The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This
feature gives Cisco service representatives additional insight into the operation of the Cisco IOS
software and can be useful in helping to diagnose problems in the unlikely event of an operating system
malfunction or, in the case of redundant systems, Route Processor switchover.
Event tracing works by reading informational messages from specific Cisco IOS software subsystem
components that have been preprogrammed to work with event tracing, and by logging messages from
those components into system memory. Trace messages stored in memory can be displayed on the screen
or saved to a file for later analysis.
The SPAs currently support the “spa” component to trace SPA OIR-related events.
Troubleshooting Oversubscription on the Cisco 7600 SIP-400
As of Cisco IOS Release 12.2(18)SXF, when using the Cisco 7600 SIP-400 with the 2-Port Gigabit
Ethernet SPA or the 1-Port OC-48c/STM-16 ATM SPA, consider the following oversubscription
guidelines:
• The Cisco 7600 SIP-400 only supports installation of one 1-Port OC-48c/STM-16 ATM SPA
without any other SPAs installed in the SIP.
• The Cisco 7600 SIP-400 supports installation of up to two 2-Port Gigabit Ethernet SPAs without any
other SPAs installed in the SIP.
• The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM
SPAs, up to a combined ingress bandwidth of OC-48 rates.
• The Cisco 7600 SIP-400 supports installation of any combination of OC-3 or OC-12 POS or ATM
SPAs up to a combined ingress bandwidth of OC-24 rates, when installed with a single 2-Port
Gigabit Ethernet SPA.
Configurations on the Cisco 7600 SIP-400 with an unsupported aggregate SPA bandwidth greater than
OC-48 rates generate the following error message:
SLOT 3: 00:00:05: %SIPSPA-4-MAX_BANDWIDTH: Total SPA bandwidth exceeds line card capacity of 2488 Mbps
Preparing for Online Insertion and Removal of SIPs, SSCs, and SPAs
The Cisco 7600 series router supports online insertion and removal (OIR) of the SPA interface processor
(SIP) or SPA services card (SSC), in addition to each of the shared port adapters (SPAs). Therefore, you
can remove a SIP or SSC with its SPAs still intact, or you can remove a SPA independently from the SIP
or SSC, leaving the SIP or SSC installed in the router.
This section includes the following topics on OIR support:
• Preparing for Online Removal of a SIP or SSC
• Verifying Deactivation and Activation of a SIP or SSC
• Preparing for Online Removal of a SPA
• Verifying Deactivation and Activation of a SPA
• Deactivation and Activation Configuration Examples
Note: For simplicity, any reference to “SIP” in this section also applies to the SSC.
Preparing for Online Removal of a SIP or SSC
The Cisco 7600 series router supports OIR of the SIP and the SSC. To do this, you can power down a
SIP (which automatically deactivates any installed SPAs) and remove the SIP with the SPAs still intact.
Although graceful deactivation of a SIP is preferred using the no power enable module command, the
Cisco 7600 series router does support removal of the SIP without deactivating it first. If you plan to
remove a SIP, you can deactivate the SIP first, using the no power enable module global configuration
command. When you deactivate a SIP using this command, it automatically deactivates each of the SPAs
that are installed in that SIP. Therefore, it is not necessary to deactivate each of the SPAs prior to
deactivating the SIP.
Either a blank filler plate or a functional SPA should reside in every subslot of a SIP during normal
operation.
For more information about the recommended procedures for physical removal of the SIP, refer to the
Cisco 7600 Series Router SIP, SSC, and SPA Hardware Installation Guide.
Deactivating a SIP or SSC
To deactivate a SIP or SSC and its installed SPAs prior to removal of the SIP, use the following command
in global configuration mode:
Command: Router(config)# no power enable module slot
Purpose: Shuts down any installed interfaces, and deactivates the SIP in the specified slot, where:
• slot—Specifies the chassis slot number where the SIP is installed.
For more information about chassis slot numbering, refer to the “Identifying Slots and Subslots for SIPs,
SSCs, and SPAs” section in this guide.
Reactivating a SIP or SSC
Once you deactivate a SIP or SSC, whether or not you have performed an OIR, you must use the power
enable module global configuration command to reactivate the SIP.
If you did not issue a command to deactivate the SPAs installed in a SIP, but you did deactivate the SIP
using the no power enable module command, then you do not need to reactivate the SPAs after an OIR
of the SIP. The installed SPAs automatically reactivate upon reactivation of the SIP in the router.
For example, consider the case where you remove a SIP from the router to replace it with another SIP.
You reinstall the same SPAs into the new SIP. When you enter the power enable module command on
the router, the SPAs will automatically reactivate with the new SIP.
To activate a SIP and its installed SPAs after the SIP has been deactivated, use the following command
in global configuration mode:
Command: Router(config)# power enable module slot
Purpose: Activates the SIP in the specified slot and its installed SPAs, where:
• slot—Specifies the chassis slot number where the SIP is installed.
For more information about chassis slot numbering, refer to the “Identifying Slots and Subslots for SIPs,
SSCs, and SPAs” section in this guide.
Verifying Deactivation and Activation of a SIP or SSC
To verify the deactivation of a SIP or SSC, enter the show module command in privileged EXEC
configuration mode. Observe the Status field associated with the SIP that you want to verify.
The following example shows that the Cisco 7600 SIP-400 located in slot 13 is deactivated. This is
indicated by its “PwrDown” status.
Router# show module 13
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
13 0 4-subslot SPA Interface Processor-400 7600-SIP-400 JAB0851042X
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
13 00e0.aabb.cc00 to 00e0.aabb.cc3f 0.525 12.2(PP_SPL_ 12.2(PP_SPL_ Ok
Mod Online Diag Status
--- -------------------
13 PwrDown
To verify activation and proper operation of a SIP, enter the show module command and observe “Ok”
in the Status field as shown in the following example:
Router# show module 2
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 0 4-subslot SPA Interface Processor-200 7600-SIP-200 JAB074905S1
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
2 0000.0000.0000 to 0000.0000.003f 0.232 12.2(2004082 12.2(2004082 Ok
Mod Online Diag Status
--- -------------------
2 Pass
Preparing for Online Removal of a SPA
The Cisco 7600 series router supports OIR of a SPA independently of removing the SIP or SSC. This
means that a SIP can remain installed in the router with one SPA remaining active, while you remove
another SPA from one of the SIP subslots. If you are not planning to immediately install a replacement
SPA in the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully
populated with either functional SPAs or blank filler plates.
The interface configuration is retained (recalled) if a SIP or SPA is removed and then replaced with one
of the same type. This is not the case if you replace a Cisco 7600 SIP-200 with a Cisco 7600 SIP-400 or
vice versa.
If you are planning to remove a SIP along with its SPAs, then you do not need to follow the instructions
in this section. To remove a SIP, see the “Preparing for Online Removal of a SIP or SSC” section on
page 5-4.
Note If you move the SPA (SPA-8XTE1, SPA-4xCT3/DS0, SPA-2xCT3/DS0, or SPA-1xCHSTM1/OC3) from
one LC to another type of LC in the same bay and same slot, the system will not retain the configuration
of the old interface.
Deactivating a SPA
Although graceful deactivation of a SPA using the hw-module subslot shutdown command is preferred,
the Cisco 7600 series router does support removal of the SPA without deactivating it first. Before
deactivating a SPA, ensure that the SIP is seated securely in the slot; do this before you pull out the SPA itself.
Note If you are preparing for an OIR of a SPA, it is not necessary to independently shut down each of the
interfaces prior to deactivation of the SPA. The hw-module subslot shutdown command automatically
stops traffic on the interfaces and deactivates them along with the SPA in preparation for OIR. In similar
fashion, you do not need to independently restart any interfaces on a SPA after OIR of a SPA or SIP.
To deactivate a SPA and all of its interfaces prior to removal of the SPA, use the following command in
global configuration mode:
Command: Router(config)# hw-module subslot slot/subslot shutdown [powered | unpowered]
Purpose: Deactivates the SPA in the specified slot and subslot of the SIP, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies subslot number on a SIP where a SPA is installed.
• powered—(Optional) Shuts down the SPA and all of its interfaces, and leaves them in an
administratively down state with power enabled. This is the default state.
• unpowered—(Optional) Shuts down the SPA and all of its interfaces, and leaves them in an
administratively down state without power.
For more information about chassis slot and SIP subslot numbering, refer to the “Identifying Slots and
Subslots for SIPs, SSCs, and SPAs” section in this guide.
Reactivating a SPA
Note You do not need to reactivate a SPA after an OIR of either the SIP or a SPA if you did not deactivate the
SPA prior to removal. If the router is running, then the SPAs automatically start upon insertion into the
SIP or with insertion of a SIP into the router.
If you deactivate a SPA using the hw-module subslot shutdown global configuration command and
need to reactivate it without performing an OIR, you need to use the no hw-module subslot shutdown
global configuration command to reactivate the SPA and its interfaces.
To activate a SPA and its interfaces after the SPA has been deactivated, use the following command in
global configuration mode:
Command: Router(config)# no hw-module subslot slot/subslot shutdown
Purpose: Activates the SPA and its interfaces in the specified slot and subslot of the SIP, where:
• slot—Specifies the chassis slot number where the SIP is installed.
• subslot—Specifies subslot number on a SIP where a SPA is installed.
Verifying Deactivation and Activation of a SPA
When you deactivate a SPA, the corresponding interfaces are also deactivated. This means that these
interfaces will no longer appear in the output of the show interface command.
To verify the deactivation of a SPA, enter the show hw-module subslot all oir command in privileged
EXEC configuration mode. Observe the Operational Status field associated with the SPA that you want
to verify.
In the following example, the SPA located in subslot 1 of the SIP in slot 2 of the router is administratively
down from the hw-module subslot shutdown command:
Router# show hw-module subslot all oir
Module         Model              Operational Status
-------------- ------------------ -------------------------
subslot 2/0    SPA-4XOC3-POS      ok
subslot 2/1    SPA-4XOC3-ATM      admin down
To verify activation and proper operation of a SPA, enter the show hw-module subslot all oir command
and observe “ok” in the Operational Status field as shown in the following example:
Router# show hw-module subslot all oir
Module         Model              Operational Status
-------------- ------------------ -------------------------
subslot 2/0    SPA-4XOC3-POS      ok
subslot 2/1    SPA-4XOC3-ATM      ok
Deactivation and Activation Configuration Examples
This section provides the following examples of deactivating and activating SIPs and SPAs:
• Deactivation of a SIP Configuration Example
• Activation of a SIP Configuration Example
• Deactivation of a SPA Configuration Example
• Activation of a SPA Configuration Example
Deactivation of a SIP Configuration Example
Deactivate a SIP when you want to perform OIR of the SIP. The following example deactivates the SIP
that is installed in slot 5 of the router, its SPAs, and all of the interfaces. The corresponding console
messages are shown:
Router# configure terminal
Router(config)# no power enable module 5
1w4d: %OIR-6-REMCARD: Card removed from slot 5, interfaces disabled
1w4d: %C6KPWR-SP-4-DISABLED: power to module in slot 5 set off (admin request)
Activation of a SIP Configuration Example
Activate a SIP if you have previously deactivated it. If you did not deactivate the SPAs, the SPAs
automatically reactivate with reactivation of the SIP.
The following example activates the SIP that is installed in slot 5 of the router, its SPA, and all of the
interfaces (as long as the hw-module subslot shutdown command was not issued to also deactivate
the SPA):
Router# configure terminal
Router(config)# power enable module 5
Notice that there are no corresponding console messages shown with activation. If you re-enter the
power enable module command, a message is displayed indicating that the module is already
enabled:
Router(config)# power enable module 5
% module is already enabled
Deactivation of a SPA Configuration Example
Deactivate a SPA when you want to perform OIR of that SPA. The following example deactivates the
SPA (and its interfaces) that is installed in subslot 0 of the SIP located in slot 2 of the router and removes
power to the SPA. Notice that no corresponding console messages are shown:
Router# configure terminal
Router(config)# hw-module subslot 2/0 shutdown unpowered
Activation of a SPA Configuration Example
Activate a SPA if you have previously deactivated it. If you have not deactivated a SPA and its interfaces
during OIR of a SIP, then the SPA is automatically reactivated upon reactivation of the SIP.
The following example activates the SPA that is installed in slot 2 of the router and all of its interfaces.
Router# configure terminal
Router(config)# no hw-module subslot 2/0 shutdown
Router#
Part 3: ATM Shared Port Adapters
Chapter 6: Overview of the ATM SPAs
This chapter provides an overview of the release history, features, and MIB support for the 1-Port
OC-48c/STM-16 ATM SPA, 1-Port OC-12c/STM-4 ATM SPA, and the 2-Port and 4-Port OC-3c/STM-1
ATM SPA. This chapter includes the following sections:
• Release History
• Overview
• Supported Features
• Unsupported Features
• Prerequisites
• Restrictions
• Supported MIBs
• SPA Architecture
• Displaying the SPA Hardware Type
Release History
Release        Modification
-------------  ------------------------------------------------------------------------
15.0(1)S       • Network Clocking and SSM functionality support was added.
               • Support for the following ATM SPAs introduced:
                 – 1-Port Clear Channel OC-3 ATM SPA Version 2
                 – 3-Port Clear Channel OC-3 ATM SPA Version 2
                 – 1-Port Clear Channel OC-12 ATM SPA Version 2
12.2(33)SRE    • Support for the following features has been added for the ATM SPAs:
                 – VC QoS on VP-PW
                 – QoS support on Access Circuit Redundancy
                 – Access Circuit Redundancy for ATM clients in single APS (SR APS)
                   environment.
12.2(33)SRD    • Support for the following features was introduced for ATM SPAs on
                 the Cisco 7600 SIP-400:
                 – Port mode cell relay (single cell relay)
                 – Port mode cell relay (packed cell relay)
                 – Bridged Routed Encapsulation (BRE)
12.2(33)SRC    • Support for Phase 2 Local Switching Redundancy
12.2(33)SRA    • Some restrictions for QoS and MLPPP bundles were added.
               • Support for the following features was introduced for ATM SPAs on
                 the Cisco 7600 SIP-200:
                 – AToM VP Mode Cell Relay
                 – MPLS over RBE
                 – Multi-VC to VLAN scalability
                 – QoS support on bridging features
               • Support for the following features was introduced for ATM SPAs on
                 the Cisco 7600 SIP-400:
                 – AToM VP Mode Cell Relay
                 – Multi-VC to VLAN scalability
                 – Multi-VLAN to VC
                 – QoS support on bridging features
12.2(18)SXE    • Support was introduced for the 2-Port and 4-Port OC-3c/STM-1 ATM
                 SPAs on the Cisco 7600 SIP-200 and Cisco 7600 SIP-400 SPA
                 interface processors (SIPs) on the Cisco 7600 series router and
                 Catalyst 6500 series switch.
               • Support was introduced for the 1-Port OC-12c/STM-4 ATM SPA on
                 the Cisco 7600 SIP-400 on the Cisco 7600 series router and
                 Catalyst 6500 series switch.
12.2(18)SXF    • Support was introduced for the 1-Port OC-48c/STM-16 ATM SPA on
                 the Cisco 7600 SIP-400 on the Cisco 7600 series router and
                 Catalyst 6500 series switch.
12.2(18)SXF2   • Support for the “Enhancements to RFC 1483 Spanning Tree
                 Interoperability” feature was added for ATM SPAs on the Cisco 7600
                 series router and Catalyst 6500 series switch.
               • Documentation of a workaround for ATM SPA configuration on the
                 Cisco 7600 SIP-200 has been added in Chapter 7, “Configuring the
                 ATM SPAs,” to address a Routed Bridge Encapsulation (RBE)
                 limitation where only one remote MAC address is supported.
Overview
The ATM SPAs are single-width, double-height, cross-platform Optical Carrier (OC) ATM adapter cards
that provide OC-3c/STM-1c (155.52 Mbps), OC-12c/STM-4c (622.080 Mbps), or OC-48/STM-16
(2488 Mbps) connectivity and can be used in a Cisco 7600 series router. The ATM SPAs come in the
following models:
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA (SPA-2XOC3-ATM=, SPA-4XOC3-ATM=)
• 1-Port OC-12c/STM-4 POS SPA (SPA-1XOC12-ATM=)
• 1-Port OC-48c/STM-16 ATM SPA (SPA-1XOC48-ATM=)
• 1-Port and 3-Port Clear Channel OC-3 ATM SPA Version 2 (SPA-1xOC3-ATM-V2=,
SPA-3xOC3-ATM-V2)
• 1-Port Clear Channel OC-12 ATM SPA Version 2 (SPA-1xOC12-ATM-V2=)
The OC-3c ATM SPAs must be installed in a Cisco 7600 SIP-200 or Cisco 7600 SIP-400 SPA interface
processor (SIP) before they can be used in the Cisco 7600 series router. The 1-Port OC-12c/STM-4 ATM
SPA and 1-Port OC-48c/STM-16 ATM SPA must be installed in a Cisco 7600 SIP-400 before they can
be used in the Cisco 7600 series router.
You can install the SPA in the SIP before or after you insert the SIP into the router chassis. This allows
you to perform online insertion and removal (OIR) operations either by removing individual SPAs from
the SIP, or by removing the entire SIP (and its contained SPAs) from the router chassis.
The ATM SPAs provide cost-effective wide-area network (WAN) connectivity for service providers
across their existing ATM networks. Using a highly modular approach, the SPA and SIP form factors
maximize the flexibility of an existing Cisco 7600 series router, allowing service providers to mix and
match SPAs to more easily meet evolving port-density and networking media needs.
The ATM SPAs also use small form-factor pluggable (SFP) optical transceivers, giving service providers
port-level flexibility for different types of optical media (such as single mode and multimode). Changing
the type of optical network involves simply replacing the transceiver, not the SPAs or SIP.
Note A maximum of two ATM SPAs can be installed in each SIP, and these SPAs can be different models (such
as a 2-Port OC-3c/STM-1 ATM SPA and a 1-Port OC-12c/STM-4 ATM SPA). You can also mix SPAs
of different types, such as ATM and POS, in a SIP, depending on the space requirements of the SIPs. An
exception is that only one 1-Port OC-48c/STM-16 ATM SPA can be installed in a SIP; the other slot
should be left empty.
See the following sections for more information about the ATM SPAs:
• ATM Overview
• PVC and SVC Encapsulations
• PVC and SVC Service Classes
• Advanced Quality of Service
ATM Overview
Asynchronous Transfer Mode (ATM) uses cell-switching and multiplexing technology that combines the
benefits of circuit switching (constant transmission delay and guaranteed capacity) with those of packet
switching (flexibility and efficiency for intermittent traffic). ATM transmits small cells (53 bytes) with
minimal overhead (5 bytes of header and checksum, with 48 bytes for data payload), allowing for very
quick switching times between the input and output interfaces on a router.
ATM is a connection-oriented environment, in which each ATM endpoint (or node) must establish a
separate connection to the specific endpoints in the ATM network with which it wants to exchange
traffic. This connection (or channel) between the two endpoints is called a virtual circuit (VC).
Each VC is uniquely identified by the combination of a virtual path identifier (VPI) and a virtual channel
identifier (VCI). The VC is treated as a point-to-point mechanism to another router or host and is capable
of supporting bidirectional traffic.
In an ATM network, a VC can be either a permanent virtual circuit (PVC) or a switched virtual circuit
(SVC). A network operator must manually configure a PVC, which remains in force until it is manually
torn down. An SVC is set up and torn down using an ATM signaling mechanism. On the ATM SPAs, this
signaling is based on the ATM Forum User-Network Interface (UNI) specification V3.x and V4.0.
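The cell layout described above can be checked in code. The following is an added example, not part of the Cisco guide: it packs and parses the 5-byte UNI cell header (field layout per ITU-T I.361, HEC per ITU-T I.432) and rejects cells whose header checksum does not match. The names UniHeader, build_cell and parse_cell are hypothetical, and the sample cell (VPI 10, VCI 100) is constructed.

```python
"""Parse and validate the header of a 53-byte ATM UNI cell (added example)."""
from dataclasses import dataclass
from typing import Tuple

CELL_LEN = 53      # cell size given in the text
HEADER_LEN = 5     # four field bytes plus the one-byte HEC checksum
PAYLOAD_LEN = 48   # data payload


def hec(first_four: bytes) -> int:
    """Header Error Control: CRC-8 (x^8 + x^2 + x + 1) over header bytes
    0..3, XORed with 0x55 (ITU-T I.432)."""
    if len(first_four) != 4:
        raise ValueError("HEC covers exactly four header bytes")
    crc = 0
    for byte in first_four:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


@dataclass(frozen=True)
class UniHeader:
    gfc: int   # generic flow control, 4 bits (UNI only)
    vpi: int   # virtual path identifier, 8 bits at the UNI
    vci: int   # virtual channel identifier, 16 bits
    pt: int    # payload type, 3 bits
    clp: int   # cell loss priority, 1 bit

    @property
    def efci(self) -> bool:
        """True when a user-data cell (PT high bit 0) signals congestion."""
        return (self.pt & 0b100) == 0 and bool(self.pt & 0b010)

    def pack(self) -> bytes:
        """Return the 5-byte header, refusing values that overflow a field."""
        for name, bits in (("gfc", 4), ("vpi", 8), ("vci", 16), ("pt", 3), ("clp", 1)):
            value = getattr(self, name)
            if not 0 <= value < (1 << bits):
                raise ValueError(f"{name}={value} does not fit in {bits} bits")
        word = ((self.gfc << 28) | (self.vpi << 20) | (self.vci << 4)
                | (self.pt << 1) | self.clp)
        fields = word.to_bytes(4, "big")
        return fields + bytes([hec(fields)])


def build_cell(header: UniHeader, payload: bytes) -> bytes:
    """Assemble one 53-byte cell from a header and exactly 48 payload bytes."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly 48 bytes")
    return header.pack() + payload


def parse_cell(cell: bytes) -> Tuple[UniHeader, bytes]:
    """Validate length and HEC, then split a cell into header and payload."""
    if len(cell) != CELL_LEN:
        raise ValueError(f"expected {CELL_LEN} bytes, got {len(cell)}")
    fields, received_hec = cell[:4], cell[4]
    if hec(fields) != received_hec:
        raise ValueError("HEC mismatch: header corrupted")
    word = int.from_bytes(fields, "big")
    header = UniHeader(
        gfc=word >> 28,
        vpi=(word >> 20) & 0xFF,
        vci=(word >> 4) & 0xFFFF,
        pt=(word >> 1) & 0x7,
        clp=word & 0x1,
    )
    return header, cell[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed sample: a user-data cell on VPI 10 / VCI 100 with EFCI and CLP set.
    sample = build_cell(UniHeader(gfc=0, vpi=10, vci=100, pt=0b010, clp=1), bytes(48))
    parsed, _payload = parse_cell(sample)
    print(sample[:5].hex(), parsed, "EFCI:", parsed.efci)
```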
PVC and SVC Encapsulations
PVCs and SVCs are configured with an ATM encapsulation type that is based upon the ATM Adaptation
Layer (AAL). The following types are supported:
• AAL5CISCOPPP—AAL5 Cisco PPP encapsulation, which is Cisco’s proprietary PPP over ATM
encapsulation.
• AAL5MUX—ATM Adaptation Layer 5 MUX encapsulation, also known as null encapsulation, that
supports a single protocol (IP or IPX).
• AAL5NLPID—(Supported on ATM SPAs in a Cisco 7600 SIP-200 only) AAL5 Network Layer
Protocol Identification (NLPID) encapsulation, which allows ATM interfaces to interoperate with
High-Speed Serial Interfaces (HSSIs) that are using an ATM data service unit (ADSU) and running
ATM-Data Exchange Interface (DXI).
• AAL5SNAP—AAL5 Logical Link Control/Subnetwork Access Protocol (LLC/SNAP)
encapsulation, which supports Inverse ARP and incorporates the LLC/SNAP that precedes the
protocol datagram. This allows the use of multiple protocols over the same VC, and is particularly
well-suited for encapsulating IP packets.
Note The 1-Port OC-48c/STM-16 ATM SPA supports only AAL5MUX and AAL5SNAP encapsulations.
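The practical difference between AAL5SNAP and AAL5MUX shows up in how a packet is framed into cells. The following added example (not from the Cisco guide) builds and verifies an AAL5 CPCS-PDU for both encapsulations, assuming routed IPv4 with the LLC/SNAP header from RFC 1483/2684 and the AAL5 trailer format from ITU-T I.363.5. The function names are hypothetical and the 40-byte packet is constructed.

```python
"""AAL5 CPCS-PDU framing for AAL5SNAP and AAL5MUX (added example)."""
import struct

CELL_PAYLOAD = 48   # bytes of AAL5 data carried in each 53-byte cell
TRAILER_LEN = 8     # CPCS-UU (1), CPI (1), Length (2), CRC-32 (4)
# LLC AA-AA-03, SNAP OUI 00-00-00, EtherType 0x0800: routed IPv4 (RFC 1483/2684)
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def crc32_aal5(data: bytes) -> int:
    """AAL5 CRC-32: polynomial 0x04C11DB7 processed MSB-first, register
    preset to all ones, result complemented. zlib.crc32 uses the same
    polynomial but reflected bit order, so it gives a different value."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ 0x04C11DB7) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def build_cpcs_pdu(packet: bytes, encapsulation: str) -> bytes:
    """Frame one packet: optional LLC/SNAP header, padding, 8-byte trailer."""
    if encapsulation == "aal5snap":
        sdu = LLC_SNAP_IPV4 + packet      # protocol identified per packet
    elif encapsulation == "aal5mux":
        sdu = packet                      # null encapsulation, one protocol per VC
    else:
        raise ValueError(f"unsupported encapsulation: {encapsulation}")
    if not 1 <= len(sdu) <= 0xFFFF:
        raise ValueError("SDU length must fit the 16-bit Length field")
    # Pad so that SDU + pad + trailer is a whole number of 48-byte cell payloads.
    pad = bytes(-(len(sdu) + TRAILER_LEN) % CELL_PAYLOAD)
    body = sdu + pad + struct.pack("!BBH", 0, 0, len(sdu))
    return body + struct.pack("!I", crc32_aal5(body))


def verify_cpcs_pdu(pdu: bytes) -> bytes:
    """Receiver-side check after reassembly; returns the SDU or raises."""
    if len(pdu) == 0 or len(pdu) % CELL_PAYLOAD:
        raise ValueError("reassembled PDU is not a whole number of cell payloads")
    (received_crc,) = struct.unpack("!I", pdu[-4:])
    if crc32_aal5(pdu[:-4]) != received_crc:
        raise ValueError("CRC-32 mismatch: PDU corrupted or a cell was lost")
    _uu, _cpi, length = struct.unpack("!BBH", pdu[-8:-4])
    pad_len = len(pdu) - TRAILER_LEN - length
    if not 0 <= pad_len < CELL_PAYLOAD:
        raise ValueError("Length field inconsistent with PDU size")
    return pdu[:length]


def cells_needed(packet_len: int, encapsulation: str) -> int:
    """Number of ATM cells used to carry a packet of packet_len bytes."""
    return len(build_cpcs_pdu(bytes(packet_len), encapsulation)) // CELL_PAYLOAD


if __name__ == "__main__":
    # Constructed sample: a 40-byte IP packet (the size of a bare TCP ACK).
    for encap in ("aal5mux", "aal5snap"):
        n = cells_needed(40, encap)
        print(f"{encap}: {n} cell(s), {n * 53} bytes on the wire")
```

A 40-byte packet fits one cell under AAL5MUX but needs two under AAL5SNAP, because the 8-byte LLC/SNAP header pushes the PDU past the 48-byte boundary.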
PVC and SVC Service Classes
ATM was designed with built-in quality of service capabilities to allow it to efficiently multiplex
different types of traffic over the same links. To accomplish this, each PVC or SVC is configured with
a service class that defines the traffic parameters, such as maximum cell rate or burst rate, for the circuit.
The following service classes are available in ATM networks:
• Constant Bit Rate (CBR)—The ATM router transmits ATM cells in a continuous bit-stream that is
suitable for real-time traffic, such as voice and video. CBR is typically used for VCs that need a
static amount of bandwidth (constant bit rate or average cell rate) that is continuously available for
the duration of the active connection. The ATM router guarantees that a VC with a CBR service class
can send cells at the peak cell rate (PCR) at any time, but the VC is also free to use only part of the
allocated bandwidth, or none of the bandwidth, as well.
• Unspecified Bit Rate (UBR)—The ATM router does not make any quality of service (QoS)
commitment at all to the PVC or SVC, but instead uses a best-effort attempt to send the traffic
transmitted by the PVC or SVC. UBR typically is the default configuration and is used for
non-critical Internet connectivity, including e-mail, file transfers, web browsing, and so forth. The
ATM router enforces a maximum peak cell rate (PCR) for the VC, to prevent the VC from using all
the bandwidth that is available on the line.
• Unspecified Bit Rate Plus (UBR+)—UBR+ is a special ATM service class developed by Cisco
Systems. UBR+ uses MCR (Minimum Cell Rate) along with PCR (Peak Cell Rate). In UBR+, the
MCR is a “soft guarantee” of minimum bandwidth. A router signals the MCR value at call setup
time when a switched VC is created. The ATM router is then responsible for the guarantee of the
bandwidth specified in the MCR parameter. A UBR+ VC is a UBR VC for which the MCR is
signaled by the router and guaranteed by the ATM router. Therefore, UBR+ affects connection
admission control and resource allocation on ATM routers. The UBR+ service class is supported
only on SVCs for an ATM SPA. It is not supported on PVCs for an ATM SPA.
Note UBR+ is not supported on the 1-Port OC-48c/STM-16 ATM SPA.
• Variable Bit Rate–Non-Real Time (VBR–nrt)—The ATM router attempts to guarantee a minimum
burst size (MBS) and sustainable cell rate (SCR) for non-real-time traffic that is bursty in nature,
such as database queries or aggregation of large volumes of traffic from many different sources. The
ATM router also enforces a maximum peak cell rate (PCR) for the VC, to prevent the VC from using
all of the bandwidth that is available on the line.
• Variable Bit Rate–Real Time (VBR–rt)—The ATM router guarantees a maximum burst size (MBS)
and sustainable cell rate (SCR) for real-time traffic that is bursty in nature, such as voice, video
conferencing, and multiplayer gaming. VBR-rt traffic has a higher priority than VBR-nrt traffic,
allowing the real-time traffic to preempt the non-real-time traffic, if necessary. The ATM router also
enforces a maximum peak cell rate (PCR) for the VC, to prevent the VC from using all the
bandwidth that is available on the line.
Note The ATM SPAs do not support the Available Bit Rate (ABR) service class, which uses a minimum cell
rate (MCR).
Advanced Quality of Service
In addition to the integrated QoS capabilities that are provided by the standard ATM service classes, the
ATM SPA cards support a number of advanced QoS features. These features include the following:
• Per-VC and Per-VP Traffic Shaping—Enables service providers to control the bandwidth provided
at the VC or VP level. You cannot shape a VC that is part of a shaped VP. You can, however, enable
both VC and VP shaping simultaneously (as long as shaped VCs use a different VPI value than the
shaped VP).
• Layer 3 (IP) QoS at the Per-VC Level—Allows marking and classifying traffic at the IP layer, for
each VC, enabling service providers to control the individual traffic flows for a customer, so as to
meet the customer’s particular QoS needs. The IP QoS can use the IP type of service (ToS) bits, the
RFC 2475 Differentiated Services Code Point (DSCP) bits, and the MPLS EXP bits. WRED, LLQ,
CBWFQ, policing, classification, and marking are supported.
• Multiprotocol Label Switching (MPLS)—Allows service providers to provide cost-effective virtual
private networks (VPNs) to their customers, while simplifying load balancing and QoS
management, without incurring the overhead of extensive Layer 3 routing.
• IP to ATM Mapping—Creates a mapping between the Cell Loss Priority (CLP) bit in ATM cell
headers and the IP precedence or IP Differentiated Services Code Point (DSCP) bits.
• VC Bundling—Selects the output VC on the basis of the IP Class of Service (CoS) bits. (Supported
only when using the Cisco 7600 SIP-200 and not the Cisco 7600 SIP-400.)
• Starting with Cisco IOS Release 12.2(33)SRE, the MQC policy support that exists on ATM VCs is
extended to the ATM PVP. An existing CLI is configurable under ATM L2 PVP mode.
See the “Configuring QoS Features Using MQC” section on page 4-96 in Chapter 4, “Configuring the
SIPs and SSC,” for details on the configuration command.
The following example briefly depicts the modular QoS CLI configuration on the ATM PVC:
! Attach an MQC policy map to the Layer 2 PVP with VPI 10
interface atm slot/bay/port
 atm pvp 10 l2transport
  service-policy {input | output} policy-map-name
For a complete discussion about MQC, refer to the Modular Quality of Service Command-Line Interface
Overview Chapter of the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2
publication at:
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_2sr/qos_12_2sr_book.html
Note Additional QoS features are expected to be added with each Cisco IOS software release. Please see the
release notes for each release for additional features that might be supported and for the restrictions that
might affect existing features.
Supported Features
This section provides a list of some of the primary features supported by the ATM hardware and
software:
• SIP-Dependent Features
• Basic Features
• SONET/SDH Error, Alarm, and Performance Monitoring
• Layer 2 Features
• Layer 3 Features
• High-Availability Features
• Enhancements to RFC 1483 Spanning Tree Interoperability
• Supported Supervisor Engines and Line Cards
• Interoperability Problem
• BPDU Packet Formats
SIP-Dependent Features
Most features for the ATM SPAs are supported on both the Cisco 7600 SIP-200 and Cisco 7600 SIP-400,
but some features are supported only on a particular model of SIP. Table 6-1 lists the features that are
supported on only one model of SIP. Any supported features for the ATM SPAs that are not listed in this
table are supported on both SIPs.
Table 6-1 SIP-Dependent Feature Support
Feature                                                               Supported on Cisco 7600 SIP-200  Supported on Cisco 7600 SIP-400
--------------------------------------------------------------------  -------------------------------  -------------------------------
AAL5NLPID encapsulation and Routed-NLPID-PDUs                         Yes                              No
ATM VC Access Trunk Emulation (multi-VLAN to VC)                      Yes                              Yes
Bridging of Routed Encapsulations (BRE)                               Yes                              Yes
Frame Relay to ATM (FR-ATM) internetworking                           No                               No
RFC-1483 ATM Half-Bridging and Routed Bridged Encapsulation (RBE)     Yes                              No
VC Bundling (Selects the output VC on the basis of the IP CoS bits)   Yes                              No
RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5,    Yes                              Yes
  Multipoint Bridging (MPB) (also known as multi-VC to VLAN) on the
  2-Port and 4-Port OC-3c/STM-1c ATM SPA
Aggregate WRED                                                        Yes                              Yes
Access Circuit Redundancy (ACR)                                       No                               Yes
QoS support on ACR interface                                          No                               Yes
VC QoS on VP pseudowire                                               No                               Yes
Network Clock and SSM support                                         No                               Yes
Basic Features
• Bellcore GR-253-CORE SONET/SDH compliance (ITU-T G.707, G.783, G.957, G.958)
• Interface-compatible with other Cisco ATM adapters
Note The ATM SPA is functionally similar to other ATM port adapters on the Cisco 7600 series
router, but because it is a different card type, the configuration for the slot is lost when you
replace an existing ATM port adapter with an ATM SPA in a SIP.
• Supports both permanent virtual circuits (PVCs) and switched virtual circuits (SVCs)
• An absolute maximum of 16,384 (16K) configured VCs per ATM SPA (4,096 [4K] per interface)
with the following recommended limitations:
– On a Cisco 7600 SIP-400, 8000 PVCs are supported on multipoint subinterfaces. The limit of
16,384 PVCs only applies to the Cisco 7600 SIP-200.
– A recommended maximum number of 2,048 PVCs on all point-to-point subinterfaces for all
ATM SPAs in a SIP.
– A recommended maximum number of 16,380 PVCs on all multipoint subinterfaces for all ATM
SPAs in a SIP, and a recommended maximum number of 200 PVCs per each individual
multipoint subinterface.
– A recommended maximum number of 400 SVCs for all ATM SPAs in a SIP.
– A recommended maximum number of 1,024 PVCs using service policies for all ATM SPAs in
a SIP.
• Up to 4,096 simultaneous segmentations and reassemblies (SARs) per interface
• Supports a maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving
(LFI) for all ATM SPAs (or other ATM modules) in a Cisco 7600 series router
• Supports a maximum number of 1024 PVCs or 400 SVCs configured with Modular QoS CLI (MQC)
policy maps
• Up to 1,000 maximum virtual templates per router
• ATM adaptation layer 5 (AAL5) for data traffic
• Hardware switching of multicast packets for point-to-point subinterfaces
• SONET/SDH (software selectable) optical fiber (2-Port and 4-Port OC-3c/STM-1 ATM SPA, 1-Port
OC-48c/STM-16 ATM SPA, or 1-Port OC-12c/STM-4 ATM SPA), depending on the model of ATM
SPA
• Uses small form-factor pluggable (SFP) optical transceivers, allowing the same ATM SPA hardware
to support multimode (MM), single-mode intermediate (SMI), or single-mode long (SML) reach,
depending on the capabilities of the SPA
• ATM section, line, and path alarm indication signal (AIS) cells, including support for F4 and F5
flows, loopback, and remote defect indication (RDI)
• Operation, Administration, and Maintenance (OAM) cells except OAM Emulation
• Online insertion and removal (OIR) of individual ATM SPAs from the SIP, as well as OIR of the
SIPs with ATM SPAs installed
• Supports the Network Clocking and the Synchronization Status Message (SSM) functionality (ATM
SPAs in a Cisco 7600 SIP-400 only). The supported ATM SPAs are:
– SPA-2xOC3-ATM
– SPA-4xOC3-ATM
– SPA-1xOC12-ATM
– SPA-1xOC48-ATM
– SPA-1xOC3-ATM-V2
– SPA-2xOC3-ATM-V2
– SPA-3xOC3-ATM-V2
– SPA-1xOC12-ATM-V2
For information on configuring the network clock, see “Configuring Boundary Clock for 2-Port Gigabit
Synchronous Ethernet SPA on Cisco 7600 SIP-400,” page 12-29.
SONET/SDH Error, Alarm, and Performance Monitoring
• Fiber removed and reinserted
• Signal failure bit error rate (SF-BER)
• Signal degrade bit error rate (SD-BER)
• Signal label payload construction (C2)
• Path trace byte (J1)
• Section Diagnostics:
– Loss of signal (SLOS)
– Loss of frame (SLOF)
– Error counts for B1
– Threshold crossing alarms (TCA) for B1 (B1-TCA)
• Line Diagnostics:
– Line alarm indication signal (LAIS)
– Line remote defect indication (LRDI)
– Line remote error indication (LREI)
– Error counts for B2
– Threshold crossing alarms for B2 (B2-TCA)
• Path Diagnostics:
– Path alarm indication signal (PAIS)
– Path remote defect indication (PRDI)
– Path remote error indication (PREI)
– Error counts for B3
– Threshold crossing alarms for B3 (B3-TCA)
– Loss of pointer (PLOP)
– New pointer events (NEWPTR)
– Positive stuffing event (PSE)
– Negative stuffing event (NSE)
• The following loopback tests are supported:
– Network (line) loopback
– Internal (diagnostic) loopback
• Supported SONET/SDH synchronization:
– Local (internal) timing (for inter-router connections over dark fiber or wavelength division
multiplexing [WDM] equipment)
– Loop (line) timing (for connecting to SONET/SDH equipment)
– +/– 4.6 ppm clock accuracy over full operating temperature
Layer 2 Features
• Supports the following encapsulation types:
– AAL5SNAP (LLC/SNAP)
– LLC encapsulated bridged protocol
– AAL5MUX (VC multiplexing)
– AAL5NLPID and Routed-NLPID-PDUs (ATM SPAs in a Cisco 7600 SIP-200 only)
– AAL5CISCOPPP
• Supports the following ATM traffic classes and per-VC traffic shaping modes:
– Constant bit rate (CBR) with peak rate
– Unspecified bit rate (UBR) with peak cell rate (PCR)
– Non-real-time variable bit rate (VBR-nrt)
– Variable bit rate real-time (VBR-rt)
– Unspecified bit rate plus (UBR+) on SVCs
Note ATM shaping is supported, but class queue-based shaping is not.
• ATM point-to-point and multipoint connections
• Explicit Forward Congestion Indication (EFCI) bit in the ATM cell header
• Frame Relay to ATM (FR-ATM) internetworking (ATM SPAs in a Cisco 7600 SIP-200 only)
• Integrated Local Management Interface (ILMI) operation, including keepalive, PVC discovery, and
address registration and deregistration
• Link Fragmentation and Interleaving (LFI) performed in hardware
• VC–to–VC local switching and cell relay
• VP–to–VP local switching and cell relay
• AToM VP Mode Cell Relay support
• RFC 1755, ATM Signaling Support for IP over ATM
• ATM User-Network Interface (UNI) signalling V3.0, V3.1, and V4.0 only
• RFC 2225, Classical IP and ARP over ATM (obsoletes RFC 1577)
• Unspecified bit rate plus (UBR+) traffic service class on SVCs
For information about support for static PWs using Point-to-Multipoint TE or RSVP in releases after
15.0(1)S, refer to http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_te_p2mp_static.html.
Layer 3 Features
• ATM VC Access Trunk Emulation (multi-VLAN to VC) (ATM SPAs in a Cisco 7600 SIP-200 only)
• ATM over MPLS (AToM) in AAL5 mode (except for AToM cell packing)
• ATM over MPLS (AToM) in AAL5/AAL0 VC mode
• Bridging of Routed Encapsulations (BRE) (ATM SPAs in a Cisco 7600 SIP-200 and Cisco 7600
SIP-400 only)
• Distributed Link Fragmentation and Interleaving (dLFI) for ATM (dLFI packet counters are
supported, but dLFI byte counters are not supported)
• LFI with dCRTP
• No limitation on the maximum number of VCs per VPI, up to the maximum number of 4,096 total
VCs per interface (so there is no need to configure this limit using the atm vc-per-vp command,
which is required on other ATM SPAs)
• OAM flow connectivity using OAM ping for segment or end-to-end loopback
• PVC multicast (Protocol Independent Multicast [PIM] dense and sparse modes)
• Quality of Service (QoS):
– Policing
– IP-to-ATM class of service (IP precedence and DSCP)
– Per-VC class-based weighted fair queueing (CBWFQ)
– Per-VC Layer 3 queueing
– VC Bundling (Cisco 7600 SIP-200 only)
– Weighted Random Early Detection (WRED)
– Aggregate WRED
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5:
– Routed Bridge Encapsulation (RBE) (ATM SPAs in a Cisco 7600 SIP-200 only)
– Half-bridging (ATM SPAs in a Cisco 7600 SIP-200 only)
– PVC bridging (full-bridging) on Cisco 7600 SIP-200 and Cisco 7600 SIP-400
• Supports oversubscription by default
• Routing protocols:
– Border Gateway Protocol (BGP)
– Enhanced Interior Gateway Routing Protocol (EIGRP)
– Interior Gateway Routing Protocol (IGRP)
– Integrated Intermediate System-to-Intermediate System (IS-IS)
– Open Shortest Path First (OSPF)
– Routing Information Protocol version 1 and version 2 (RIPv1 and RIPv2)
High-Availability Features
• 1+1 Automatic Protection Switching (APS) redundancy (PVC circuits only)
• Route Processor Redundancy (RPR)
• RPR Plus (RPR+)
• OSPF Nonstop Forwarding (NSF)
• Stateful Switchover (SSO)
Enhancements to RFC 1483 Spanning Tree Interoperability
This section describes an interoperability feature for the various spanning tree implementations across
1483 Bridge Mode ATM PVCs. Historically, vendors have not implemented spanning tree across RFC
1483 encapsulation consistently; furthermore, some Cisco IOS releases may not support the full range
of spanning tree options. This feature attempts to smooth some of the practical challenges of
interworking common variations of spanning tree over RFC 1483 Bridge Mode encapsulation.
Note This feature set is only supported on RFC 1483 Bridge Mode ATM permanent virtual circuits (PVCs).
Some basic terms include the following:
• IEEE 802.1D is a standard for interconnecting LANs through media access control (MAC) bridges.
IEEE 802.1D uses the Spanning Tree Protocol to eliminate loops in the bridge topology, which cause
broadcast storms.
• Spanning Tree Protocol (STP) as defined in IEEE 802.1D is a link-management protocol that
provides path redundancy while preventing undesirable loops in the network. An IEEE 802.1D
spanning tree makes it possible to have one spanning tree instance for the whole switch, regardless
of the number of VLANs configured on the switch.
• Bridge Protocol Data Unit (BPDU) is the generic name for the frame used by the various spanning
tree implementations. The Spanning Tree Protocol uses the BPDU information to elect the root
switch and root port for the switched network, as well as the root port and designated port for each
switched segment.
• Per VLAN Spanning Tree (PVST) is a Cisco proprietary protocol that allows a Cisco device to
support multiple spanning tree topologies on a per-VLAN basis. PVST uses the BPDUs defined in
IEEE 802.1D (see Figure 6-2 on page 6-14), but instead of one STP instance per switch, there is one
STP instance per VLAN.
• PVST+ is a Cisco proprietary protocol that creates one STP instance per VLAN (as in PVST).
However, PVST+ enhances PVST and uses Cisco proprietary BPDUs with a special 802.2
Subnetwork Access Protocol (SNAP) Organizational Unique Identifier (OUI)¹ (see Figure 6-2 on
page 6-14) instead of the standard IEEE 802.1D frame format used by PVST. PVST+ BPDUs are
also known as Simple Symmetric Transmission Protocol (SSTP) BPDUs.
Note RFC 1483 is referenced throughout this section, although it has been superseded by RFC 2684.
1. The Organizational Unique Identifier (OUI) portion of the MAC address often identifies the vendor of the upper
layer protocol or the manufacturer of the Ethernet adapter. The OUI value of 00-00-0C identifies Cisco
Systems as the manufacturer of the Ethernet adapter.
Supported Supervisor Engines and Line Cards
The Cisco 7600 series routers support PVST to PVST+ BPDU interoperability with the Cisco 7600
SIP-200.
Interoperability Problem
The current interoperability problem can be summarized as follows:
• When transmitting STP BPDUs, many vendors’ implementations of ATM-to-Ethernet bridging are
not fully compliant with the specifications of RFC 1483, Appendix B. The most common variation
of the standard is to use an ATM Common Part Convergence Sublayer (CPCS) SNAP protocol data
unit (PDU) with OUI: 00-80-C2 and PID: 00-07. Appendix B reserved this OUI/PID combination
for generic Ethernet frames without BPDUs. Appendix B specifies OUI: 00-80-C2 and protocol
identifier (PID): 00-0E for frames with BPDU contents.
• There are several varieties of the Spanning Tree Protocol used by Cisco products on ATM interfaces.
The Catalyst 5000 series supports only PVST on ATM interfaces. The Cisco 7600 series router and
Catalyst 6500 series switches support only PVST+ on ATM interfaces. Most other Cisco routers
implement classic IEEE 802.1D on ATM interfaces.
When the Cisco 7600 series router and the Catalyst 6500 series switch first implemented RFC 1483
Bridging (on Cisco IOS Release 12.1E) on the Cisco 7600 FlexWAN module, the platform used
OUI: 00-80-C2 and PID: 00-0E to maximize interoperability with all other Cisco IOS products.
However, there are so many implementations that do not send PVST or IEEE 802.1D BPDUs with
PID: 00-0E that the Cisco 7600 series routers and the Catalyst 6500 series switches reverted to the
more common implementation of RFC 1483 (with PID: 00-07) in Cisco IOS Release 12.2SX. This
spanning tree interoperability feature provides the option of encapsulating BPDUs across RFC 1483
with either PID: 00-07 or PID: 00-0E.
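The OUI/PID variations described above, together with the destination MAC, LLC, and SNAP values given in the frame-format figures of this section, are enough to tell the BPDU encodings apart in a captured AAL5 payload. The following Python example is added here and is not Cisco code; the class labels, helper names, and sample frames are constructed for illustration.

```python
from collections import Counter

LLC_SNAP = bytes.fromhex("aaaa03")      # DSAP AA, SSAP AA, Cntl 03
LLC_STP = bytes.fromhex("424203")       # LLC header of an IEEE 802.1D BPDU
OUI_BRIDGED = bytes.fromhex("0080c2")   # RFC 1483 bridged-PDU OUI
OUI_CISCO = bytes.fromhex("00000c")     # SNAP OUI used by SSTP (PVST+) BPDUs
PID_ETHERNET = 0x0007                   # bridged 802.3 frame, 2-byte PAD first
PID_BPDU = 0x000E                       # RFC 1483 Appendix B BPDU format
SSTP_TYPE = 0x010B                      # SNAP Type (SSTP)
DA_IEEE_STP = bytes.fromhex("0180c2000000")
DA_SSTP = bytes.fromhex("01000ccccccd")
DA_L2PT = bytes.fromhex("01000ccdcdd0")

# Labels are this example's own names, not Cisco terminology.
BPDU_KINDS = {"bpdu-pid-000e", "8021d-bpdu-pid-0007",
              "pvst+-sstp-bpdu", "l2pt-tunneled-bpdu"}


def classify(pdu: bytes) -> str:
    """Classify one reassembled AAL5 payload from an RFC 1483 bridged PVC."""
    if len(pdu) < 8 or pdu[:3] != LLC_SNAP or pdu[3:6] != OUI_BRIDGED:
        return "not-rfc1483-bridged"
    pid = int.from_bytes(pdu[6:8], "big")
    if pid == PID_BPDU:
        return "bpdu-pid-000e"            # BPDU follows the PID directly
    if pid != PID_ETHERNET:
        return "other-bridged-pid"
    frame = pdu[10:]                      # skip the 2-byte PAD (00-00)
    if len(frame) < 17:                   # 14-byte 802.3 header + 3-byte LLC
        return "truncated"
    da, llc = frame[:6], frame[14:17]
    if da == DA_IEEE_STP and llc == LLC_STP:
        return "8021d-bpdu-pid-0007"      # PVST format sent with PID 00-07
    if (llc == LLC_SNAP and len(frame) >= 22 and frame[17:20] == OUI_CISCO
            and int.from_bytes(frame[20:22], "big") == SSTP_TYPE):
        if da == DA_SSTP:
            return "pvst+-sstp-bpdu"
        if da == DA_L2PT:
            return "l2pt-tunneled-bpdu"
    return "ethernet-data"


def unexpected_bpdus(pdus, accepted):
    """Count BPDU encodings seen on a PVC that the peer is not expected to accept."""
    seen = Counter(classify(p) for p in pdus)
    return {kind: n for kind, n in seen.items()
            if kind in BPDU_KINDS and kind not in accepted}


# --- constructed sample data (not captured traffic) ---
BPDU = bytes(35)                          # zero-filled stand-in for a BPDU
SA = bytes.fromhex("020000000001")        # constructed source MAC


def ether(da: bytes, body: bytes) -> bytes:
    """Build an 802.3 frame: DA, SA, Length, then LLC and payload."""
    return da + SA + len(body).to_bytes(2, "big") + body


def bridged(pid: int, body: bytes) -> bytes:
    """Prefix the RFC 1483 bridged LLC/SNAP header."""
    return LLC_SNAP + OUI_BRIDGED + pid.to_bytes(2, "big") + body


SSTP_BODY = LLC_SNAP + OUI_CISCO + SSTP_TYPE.to_bytes(2, "big") + BPDU
SAMPLES = {
    "appendix_b": bridged(PID_BPDU, BPDU),
    "pvst": bridged(PID_ETHERNET,
                    b"\x00\x00" + ether(DA_IEEE_STP, LLC_STP + BPDU)),
    "pvst_plus": bridged(PID_ETHERNET, b"\x00\x00" + ether(DA_SSTP, SSTP_BODY)),
    "l2pt": bridged(PID_ETHERNET, b"\x00\x00" + ether(DA_L2PT, SSTP_BODY)),
    "data": bridged(PID_ETHERNET, b"\x00\x00" + ether(
        bytes.fromhex("020000000002"),
        LLC_SNAP + bytes(3) + b"\x08\x00" + bytes(40))),
    "routed": LLC_SNAP + bytes(3) + b"\x08\x00" + bytes(20),
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(f"{name:11s} -> {classify(pdu)}")
    # A peer assumed to accept only the PVST format receives PVST+ BPDUs.
    capture = [SAMPLES["pvst_plus"], SAMPLES["pvst_plus"],
               SAMPLES["pvst"], SAMPLES["data"]]
    print(unexpected_bpdus(capture, accepted={"8021d-bpdu-pid-0007"}))
```

Running `unexpected_bpdus` over payloads captured on a PVC shows which encoding the far end is actually sending before you change the PID setting on the router.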
BPDU Packet Formats
The various BPDU packet formats are described in this section. Figure 6-1 shows the generic IEEE
802.2/802.3 frame format, which is used by PVST+, but is not used by PVST.
Figure 6-1 IEEE 802.2/802.3 SNAP Encapsulation Frame Format
[Figure 6-1 fields, with lengths in bytes. 802.3 MAC: Destination Addr (6), Source Addr (6), Length (2).
802.2 LLC: DSAP AA (1), SSAP AA (1), Cntl 03 (1). 802.2 SNAP: OUI (3), Type (2). Then Data (38-1492)
and CRC (4).]
In an Ethernet SNAP frame, the SSAP and DSAP fields are always set to AA. These codes identify it as
a SNAP frame. The Control field always has a value of 03, which specifies connectionless logical link
control (LLC) services.
The Type field identifies the upper layer protocol to which data should be passed. For example, a Type
field of hex 0800 represents IP, while a value of 8137 indicates that data is meant for IPX.
Catalyst 5000 PVST BPDU Packet Format
The Catalyst 5000 series switches send and receive BPDUs in PVST format on ATM interfaces (see
Figure 6-2).
Figure 6-2 BPDU PVST Frame Format Used by the Catalyst 5000 Switch
[Figure 6-2 fields. ATM Encapsulation: LLC AA-AA-03, OUI 00-00-0C, PID 00-07, PAD 00-00.
802.3 Encapsulation: 01-80-C2-00-00-00, LEN, LLC 42-42-03, BPDU Payload.]
• BPDUs sent by the Catalyst 5000 series switch use a PID of 0x00-07, which does not comply with
RFC 1483. The Cisco 7600 series router also has the ability to send BPDUs in this data format.
• The PAD portion of the ATM encapsulation varies from 0 to 47 bytes in length to ensure complete
ATM cell payloads.
• By using the bridge-domain command’s ignore-bpdu-pid optional keyword, the Catalyst 5000
series switch sends this frame by default.
• The Catalyst 5000 series switch cannot accept the PVST+ BPDUs and blocks the ATM port, giving
the following error messages:
%SPANTREE-2-RX_1QNON1QTRUNK: Rcved 1Q-BPDU on non-1Q-trun port 6/1 vlan 10
%SPANTREE-2-RX_BLKPORTPVID: Block 6/1 on rcving vlan 10 for inc peer vlan 0
Cisco 7200 and Cisco 7500 Series Routers IEEE 802.1D BPDU Frame Format
Figure 6-3 shows the Cisco 7200 and Cisco 7500 series routers IEEE 802.1D BPDU frame format.
Figure 6-3 Frame Format for the Cisco 7200 and Cisco 7500 Series Routers IEEE 802.1D BPDU
[Figure 6-3 fields: LLC AA-AA-03, OUI 00-00-0C, PID 00-0E, BPDU.]
Cisco 7600 Router PVST+ BPDU Frame Format
The Cisco 7600 series router PVST+ BPDU packet format is shown in Figure 6-4. These BPDUs are not
IEEE 802.1D BPDUs, but Cisco proprietary SSTP BPDUs.
Figure 6-4 Cisco 7600 Router PVST+ BPDU Frame Format (1483 Bridge Mode)
[Figure 6-4 fields. ATM Encapsulation: LLC AA-AA-03, OUI 00-80-C2, PID 00-07, PAD 00-00.
Followed by: DA (SSTP DA MAC) 01-00-0C-CC-CC-CD, SA, LEN, LLC AA-AA-03, OUI 00-00-0C,
Type (SSTP) 01-0B, BPDU.]
Cisco L2PT BPDU Frame Format
Figure 6-5 shows the Cisco Layer 2 Protocol Tunneling (L2PT) BPDU SNAP frame format.
Figure 6-5 L2PT BPDU SNAP Frame Format
[Figure 6-5 fields: DA (L2PT DA MAC) 01-00-0C-CD-CD-D0, SA, LEN, LLC AA-AA-03, OUI 00-00-0C,
Type (SSTP) 01-0B, BPDU.]
Unsupported Features
• The following High Availability features are not supported:
– APS N+1 redundancy is not supported.
– APS redundancy is not supported on SVCs.
– APS reflector mode (aps reflector interface configuration command) is not supported.
• The atm bridge-enable command, which was used in previous releases on other ATM interfaces to
enable multipoint bridging on PVCs, is not supported on ATM SPA interfaces. Instead, use the
bridge option with the encapsulation command to enable RFC 1483 half-bridging on PVCs. See
the “Configuring ATM Routed Bridge Encapsulation” section on page 7-23.
• PVC autoprovisioning (create on-demand VC class configuration command) is not supported.
• Creating SVCs with UNI signalling version 4.1 is not supported (UNI signalling v 3.0, v 3.1, and
v 4.0 are supported).
• Enhanced Remote Defect Indication–Path (ERDI-P) is not supported.
• Fast Re-Route (FRR) over ATM is not supported.
• LAN Emulation (LANE) is not supported.
• Multicast SVCs are not supported.
• Available Bit Rate (ABR) traffic service class is not supported.
• Unspecified bit rate plus (UBR+) traffic service class is not supported on PVCs.
• AAL2 is not supported.
Prerequisites
• The 2-Port and 4-Port OC-3c/STM-1 ATM SPAs must use either the Cisco 7600 SIP-200 or
Cisco 7600 SIP-400.
• The 1-Port OC-12c/STM-4 ATM SPA must use the Cisco 7600 SIP-400.
• The 1-Port OC-48c/STM-16 ATM SPA must use the Cisco 7600 SIP-400.
• The Cisco 7600 SIP-200 requires a Cisco 7600 series router using a SUP-720 3B and above
processor that is running Cisco IOS Release 12.2(18)SXE or later release.
• The Cisco 7600 SIP-400 requires a Cisco 7600 series router using a SUP-720 processor that is
running Cisco IOS Release 12.2(18)SXE or later release.
• Before beginning to configure the ATM SPA, have the following information available:
– Protocols you plan to route on the new interfaces.
– IP addresses for all ports on the new interfaces, including subinterfaces.
– Bridging encapsulations you plan to use.
Restrictions
• The 1-Port OC-48c/STM-16 ATM SPA does not support the following features: AToM, BRE, LFI,
RBE, SVCs, UBR+, RFC 2225 (formerly RFC 1577), or bridging.
• The ATM SPAs in the Cisco 7600 series router do not support APS reflector and reflector channel
modes. (These modes require a facing path terminating element [PTE], which is typically a
Cisco ATM switch.)
• The ATM SPA is functionally similar to other ATM port adapters on the Cisco 7600 series router,
such as the PA-A3, but it is a different card type, so the slot’s previous configuration is lost when
you replace an existing ATM port adapter with an ATM SPA.
• The following restrictions apply to the operation of QoS on the ATM SPAs:
– The ATM SPAs do not support bandwidth-limited priority queueing, but support only strict
priority policy maps (that is, the priority command without any parameters).
– A maximum of one priority command is supported in a policy map.
– You cannot use the match input interface command in policy maps and class maps that are
being used for ATM SPAs.
– Hierarchical traffic shaping (traffic shaping on both the VC and VP for a circuit) is not
supported. Traffic shaping can be configured only on the VC or on the VP, but not both.
– ATM (Layer 2) output shaping is supported, but IP (Layer 3) shaping on an output (egress)
interface is not supported. In particular, this means that you cannot use any shape class-map
configuration commands in policy maps that are being used in the output direction. This
includes the shape adaptive, shape average, shape fecn-adapt, and shape peak commands.
– The ATM SPA interfaces support a maximum of six configured precedences (using the
random-detect aggregate command) in each class map in a policy map. The maximum number
of configurable subclass groups is seven.
– STP is not supported in ATM Multi-Vlan-to-VC mode.
• For best performance, we recommend the following maximums:
– A maximum number of 2,048 PVCs on all point-to-point subinterfaces for all ATM SPAs in a
SIP.
– A maximum number of 16,380 PVCs on all multipoint subinterfaces for all ATM SPAs in a SIP.
– A maximum number of 400 SVCs for all ATM SPAs in a SIP.
– A maximum number of 1024 PVCs or SVCs using service policies for all ATM SPAs in a
router.
– A maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving (LFI)
for all ATM SPAs in a router.
– A maximum number of 200 PVCs on each multipoint subinterface being used on an ATM SPA.
Note These limits are flexible and depend on all factors that affect performance in the router, such
as processor card, type of traffic, and so on.
• In the default configuration of the transmit path trace buffer, the ATM SPA does not support
automatic updates of remote host name and IP address (as displayed by the show controllers atm
command). This information is updated only when the interface is shut down and reactivated (using
the shutdown and no shutdown commands). Information for the received path trace buffer,
however, is automatically updated.
• The show ppp multilink command displays only the packet counters, and not byte counters, for a
dLFI configuration on an ATM SPA interface.
• MLPPP is supported, but not MLPPP bundles.
• Concurrent configuration of RFC-1483 bridging and Bridged Routing Encapsulation is not allowed
on SIP 200 or SIP 400.
Restrictions for SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and
SPA-1xOC12-ATM-V2
• These are the restrictions for the 1-Port Clear Channel OC-3, 3-Port Clear Channel OC-3, and 1-Port
Clear Channel OC-12 ATM SPA Version 2 (SPA-1xOC3-ATM-V2, SPA-3xOC3-ATM-V2, and
SPA-1xOC12-ATM-V2):
– An MQC service-policy having only class-default is not supported.
– The maximum mark-probability in a WRED policy is 31.
– An MQC policy with more than six user-defined queueing classes is not supported.
• Ingress classification feature is not enabled on the Cisco 7600 Series router.
Supported MIBs
The following MIBs are supported in Cisco IOS Release 12.2(18)SXE and later releases for the ATM
SPAs on the Cisco 7600 series router.
Common MIBs
• ENTITY-MIB
• IF-MIB
• MIB-II
• MPLS-CEM-MIB
Cisco-Specific Common MIBs
• CISCO-ENTITY-EXT-MIB
• OLD-CISCO-CHASSIS-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-SENSOR-MIB
• CISCO-MQC-MIB
• CISCO-AAL5-MIB
• CISCO-ATM-MIB
Cisco-Specific MPLS MIBs
• CISCO-IETF-PW-MIB
• CISCO-IETF-PW-MPLS-MIB
For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series
Internet Router MIB Specifications Guide.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your
account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify
that your e-mail address is registered with Cisco.com. If the check is successful, account details with a
new random password will be e-mailed to you.
SPA Architecture
This section provides an overview of the data path for the ATM SPAs, for use in troubleshooting and
monitoring. Figure 6-6 shows the data path for ATM traffic as it travels between the ATM optical
connectors on the front panel of the ATM SPA to the backplane connector that connects the SPA to the
SIP.
Figure 6-6 ATM SPA Data Architecture
[Figure: diagram labels: Catalyst 5500 switch; Catalyst 6500 switch; Cisco 7600 router; L2PT;
ATM 6/1/0 interface (Layer 2 protocol tunneling enabled); Gig2/1 interface (L2PT enabled);
Service provider ATM network.]
Path of Cells in the Ingress Direction
The following steps describe the path of an ingress cell as it is received from the ATM network and
converted to a data packet before transmission through the SIP to the router’s processors for switching,
routing, or further processing:
1. The SONET/SDH framer device receives incoming cells on a per-port basis from the SPA’s optical
circuitry. (The ATM SPA supports 1, 2, or 4 optical ports, depending on the model of SPA.)
2. The SONET/SDH framer removes the SONET overhead information, performs any necessary clock
and data recovery, and processes any SONET/SDH alarms that might be present. The framer then
extracts the 53-byte ATM cells from the data stream and forwards each cell to the ATM segmentation
and reassembly (SAR) engine.
3. The SAR engine receives the cells from the framer and reassembles them into the original packets,
temporarily storing them in a per-port receive buffer until they can be forwarded to the LFI
field-programmable gate array (FPGA). The SAR engine discards any packets that have been
corrupted in transit.
4. The LFI FPGA receives the packets from the SAR engine and forwards them to the host processor
for further routing, switching, or additional processing. The FPGA also performs LFI reassembly as
needed, and collects the traffic statistics for the packets that it passes.
Path of Packets in the Egress Direction
The following steps describe the path of an egress packet as the SPA receives it from the router through
the SIP and converts it to ATM cells for transmission on the ATM network:
1. The LFI FPGA receives the packets from the host processor and stores them in its packet buffers
until the SAR engine is ready to receive them. The FPGA also performs any necessary LFI
processing on the packets before forwarding them to the SAR engine. The FPGA also collects the
traffic statistics for the packets that it passes.
2. The SAR engine receives the packets from the FPGA and supports multiple CBWFQ queues to store
the packets until they can be fully segmented. The SAR engine performs the necessary WRED queue
admission and CBWFQ QoS traffic scheduling on its queues before segmenting the packets into
ATM cells and shaping the cells into the SONET/SDH framer.
3. The SONET/SDH framer receives the packets from the SAR engine and inserts each cell into the
SONET data stream, adding the necessary clocking, SONET overhead, and alarm information. The
framer then outputs the data stream out the appropriate optical port.
4. The optical port conveys the optical data onto the physical layer of the ATM network.
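The segmentation, reassembly, and discard behavior described in the ingress and egress steps above can be reproduced in software. The following Python example is added here and is not Cisco code or a description of the SAR hardware; it implements standard AAL5 framing (PAD of 0 to 47 bytes, 8-byte trailer with CRC-32) and the ATM cell header check, and the function names, VPI/VCI values, and sample packet are assumptions.

```python
from typing import List, Optional

CELL_PAYLOAD = 48   # payload bytes carried in each 53-byte ATM cell
TRAILER = 8         # AAL5 trailer: CPCS-UU, CPI, Length (2), CRC-32 (4)


def crc32_aal5(data: bytes) -> int:
    """AAL5 CRC-32: polynomial 0x04C11DB7, MSB first, init and final XOR all ones."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = (crc << 1) ^ 0x04C11DB7 if crc & 0x80000000 else crc << 1
            crc &= 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def hec(header4: bytes) -> int:
    """Header error control byte: CRC-8 (x^8+x^2+x+1) over 4 bytes, XOR 0x55."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = (crc << 1) ^ 0x07 if crc & 0x80 else crc << 1
            crc &= 0xFF
    return crc ^ 0x55


def segment(packet: bytes, vpi: int, vci: int) -> List[bytes]:
    """Egress direction: pad the packet, append the trailer, cut into cells."""
    pad = -(len(packet) + TRAILER) % CELL_PAYLOAD          # 0 to 47 bytes
    body = packet + bytes(pad) + b"\x00\x00" + len(packet).to_bytes(2, "big")
    pdu = body + crc32_aal5(body).to_bytes(4, "big")
    cells = []
    for off in range(0, len(pdu), CELL_PAYLOAD):
        last = off + CELL_PAYLOAD == len(pdu)
        # UNI header: GFC(4)=0, VPI(8), VCI(16), PT(3), CLP(1)=0.
        # PT = 001 marks the final cell of an AAL5 PDU.
        word = (vpi << 20) | (vci << 4) | (int(last) << 1)
        header = word.to_bytes(4, "big")
        cells.append(header + bytes([hec(header)]) + pdu[off:off + CELL_PAYLOAD])
    return cells


def reassemble(cells: List[bytes]) -> Optional[bytes]:
    """Ingress direction: rebuild the packet, or return None to discard it."""
    pdu = b""
    for cell in cells:
        if len(cell) != 53 or hec(cell[:4]) != cell[4]:
            return None                  # header check failed
        pdu += cell[5:]
        if cell[3] & 0x02:               # end-of-PDU bit in the PT field
            break
    else:
        return None                      # final cell never arrived
    length = int.from_bytes(pdu[-6:-4], "big")
    pad = len(pdu) - TRAILER - length
    if not 0 <= pad < CELL_PAYLOAD:
        return None                      # length field inconsistent with PDU size
    if crc32_aal5(pdu[:-4]) != int.from_bytes(pdu[-4:], "big"):
        return None                      # payload corrupted in transit
    return pdu[:length]


if __name__ == "__main__":
    packet = bytes(range(108))           # constructed 108-byte packet
    cells = segment(packet, vpi=1, vci=32)
    print(len(cells), "cells, intact:", reassemble(cells) == packet)
    damaged = list(cells)
    damaged[1] = damaged[1][:10] + bytes([damaged[1][10] ^ 0x01]) + damaged[1][11:]
    print("after one flipped payload bit:", reassemble(damaged))
```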
Displaying the SPA Hardware Type
To verify the SPA hardware type that is installed in your Cisco 7600 series router, use the show
interfaces, show diag, or show controllers commands. A number of other show commands also provide
information about the SPA hardware.
Table 6-2 shows the hardware description that appears in the show interfaces and show diag command
output for each type of ATM SPA that is supported on the Cisco 7600 series router.
Table 6-2 ATM SPA Hardware Descriptions in show Commands
SPA                 Description in show interfaces Command   Description in show diag Command
SPA-2XOC3-ATM       Hardware is SPA-2XOC3-ATM                SPA-2XOC3-ATM (0x046E)
SPA-4XOC3-ATM       Hardware is SPA-4XOC3-ATM                SPA-4XOC3-ATM (0x3E1)
SPA-1XOC12-ATM      Hardware is SPA-1XOC12-ATM               SPA-1XOC12-ATM (0x03E5)
SPA-1XOC48-ATM      Hardware is SPA-1XOC48-ATM               SPA-1XOC48-ATM (0x3E6)
SPA-1xOC3-ATM-V2    Hardware is SPA-1xOC3-ATM-V2             SPA-1xOC3-ATM-V2
SPA-3xOC3-ATM-V2    Hardware is SPA-3xOC3-ATM-V2             SPA-3xOC3-ATM-V2
SPA-1xOC12-ATM-V2   Hardware is SPA-1xOC12-ATM-V2            SPA-1xOC12-ATM-V2
Example of the show interfaces Command
The following example shows output from the show interfaces atm command on a Cisco 7600 series
router with an ATM SPA installed in the first subslot of a SIP that is installed in slot 5:
Router# show interfaces atm 5/0/0
ATM5/0/0 is up, line protocol is up
Hardware is SPA-4XOC3-ATM, address is 000d.2959.d780 (bia 000d.2959.d78a)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 1 current VCCs
VC idle disconnect time: 300 seconds
0 carrier transitions
Last input 00:00:09, output 00:00:09, output hang never
Last clearing of "show interface" counters 00:01:26
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 540 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 720 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Note The value for “packets output” in the default version of the show interfaces atm command includes the
bytes used for ATM AAL5 padding, trailer and ATM cell header. To see the packet count without the
padding, header, and trailer information, use the show interfaces atm statistics or show atm pvc
commands.
Example of the show diag Command
The following example shows output from the show diag command on a Cisco 7600 series router with
two ATM SPAs installed in a Cisco 7600 SIP-400 that is installed in slot 4:
Router# show diag 4
Slot 4: Logical_index 8
4-adapter SIP-400 controller
Board is analyzed ipc ready
HW rev 0.300, board revision 08
Serial Number: Part number: 73-8272-03
Slot database information:
Flags: 0x2004 Insertion time: 0x1961C (01:16:54 ago)
Controller Memory Size:
384 MBytes CPU Memory
128 MBytes Packet Memory
512 MBytes Total on Board SDRAM
IOS (tm) cwlc Software (sip1-DW-M), Released Version 12.2(17)SX [BLD-sipedon2 107]
SPA Information:
subslot 4/0: SPA-4XOC3-ATM (0x3E1), status: ok
subslot 4/1: SPA-1XOC12-ATM (0x3E5), status: ok
Example of the show controllers Command
The following example shows output from the show controllers atm command on a Cisco 7600 series
router with an ATM SPA installed in the second subslot of a SIP that is installed in slot 5:
Router# show controllers atm 5/1/0
Interface ATM5/1/0 (SPA-4XOC3-ATM[4/0]) is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
LOF = 0 LOS = 0 BIP(B1) = 603
LINE
AIS = 0 RDI = 2 FEBE = 2332 BIP(B2) = 1018
PATH
AIS = 0 RDI = 1 FEBE = 28 BIP(B3) = 228
LOP = 0 NEWPTR = 0 PSE = 1 NSE = 2
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 0
HCS (uncorrectable): 0
APS
not configured
PATH TRACE BUFFER : STABLE
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: line
The following are the actions performed on the peer end of a SPA on the Cisco 7600 Router:
Remote SPA Cable Removal:
Active Defects: SLOS
Active Alarms: SLOS
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Remote SPA removal:
Active Defects: SLOS PRDI PLOP
Active Alarms: SLOS
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
On an MCP with actions performed on the peer end of a Barbarian SPA:
===================================================
Remote SPA Cable Removal:
Active Defects: SLOF SLOS PLOP
Active Alarms: SLOS
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 823
HCS (uncorrectable): 361
Putting the cable back:
Intermediate state:
Active Defects: SD SLOS B1-TCA B2-TCA PRDI PLOP
Active Alarms: SLOS SD B1-TCA B2-TCA
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 1145
HCS (uncorrectable): 516
Final state:
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 1145
HCS (uncorrectable): 516
Remote SPA removal:
Active Defects: SLOS PRDI PLOP
Active Alarms: SLOS
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 1145
HCS (uncorrectable): 523
Remote SPA insertion:
Intermediate state:
Active Defects: SLOS B1-TCA LAIS PAIS PRDI
Active Alarms: SLOS B1-TCA
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 1145
HCS (uncorrectable): 523
Final state:
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 1145
HCS (uncorrectable): 523
CHAPTER 7
Configuring the ATM SPAs
This chapter provides information about configuring the ATM SPAs on the Cisco 7600 series router. It
includes the following sections:
• Configuration Tasks
• Verifying the Interface Configuration
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications that correspond to your Cisco IOS software release.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes the most common configurations for the ATM SPAs on a Cisco 7600 series router.
It contains procedures for the following configurations:
• Required Configuration Tasks
• Specifying the Interface Address on a SPA
• Modifying the Interface MTU Size
• Creating a Permanent Virtual Circuit
• Creating a PVC on a Point-to-Point Subinterface
• Configuring a PVC on a Multipoint Subinterface
• Configuring RFC 1483 Bridging for PVCs
• Configuring Layer 2 Protocol Tunneling Topology
• Configuring Layer 2 Tunneling Protocol Version 3 (L2TPv3)
• Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling
• Configuring ATM RFC 1483 Half-Bridging
• Configuring ATM Routed Bridge Encapsulation
• Configuring RFC 1483 Bridging of Routed Encapsulations
• Verifying the Bridged Routed Encapsulation within an Automatic Protection Switching Group
Configuration
• Configuring the Bridged Routed Encapsulation within an Automatic Protection Switching Group
• Configuring Aggregate WRED for PVCs
• Configuring Non-aggregate WRED
• Configuring Traffic Parameters for PVCs or SVCs
• Configuring Virtual Circuit Classes
• Configuring Virtual Circuit Bundles
• Configuring Multi-VLAN to VC Support
• Configuring Link Fragmentation and Interleaving with Virtual Templates
• Configuring the Distributed Compressed Real-Time Protocol
• Configuring Automatic Protection Switching
• Configuring SONET and SDH Framing
• Configuring for Transmit-Only Mode
• Configuring AToM Cell Relay VP Mode
• Configuring QoS Features on ATM SPAs
• Saving the Configuration
• Shutting Down and Restarting an Interface on a SPA
• Shutting Down an ATM Shared Port Adapter
Required Configuration Tasks
The ATM SPA interface must be initially configured with an IP address to allow further configuration.
Some of the required configuration commands implement default values that might or might not be
appropriate for your network. If the default value is correct for your network, then you do not need to
configure the command. To perform the basic configuration of each interface, use the following
procedure beginning in global configuration mode:
Step 1
  Command or Action: Router(config)# interface atm slot/subslot/port
  Purpose: Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2
  Command or Action: Router(config-if)# ip address address mask [secondary]
  Purpose: (Optional in some configurations) Assigns the specified IP address and subnet mask to
  the interface. Repeat the command with the optional secondary keyword to assign additional,
  secondary IP addresses to the port.
Step 3
  Command or Action: Router(config-if)# description string
  Purpose: (Optional) Assigns an arbitrary string, up to 80 characters long, to the interface. This
  string can identify the purpose or owner of the interface, or any other information that might
  be useful for monitoring and troubleshooting.
Step 4
  Command or Action: Router(config-if)# no shutdown
  Purpose: Enables the interface.
Note Repeat Step 1 through Step 4 for each port on the ATM SPA to be configured.
Step 5
  Command or Action: Router(config-if)# end
  Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Specifying the Interface Address on a SPA
Two ATM SPAs can be installed in a SIP. SPA interface ports begin numbering with “0” from left to right.
Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces, you need to
specify the physical location of the SIP, SPA, and interface in the CLI. The interface address format is
slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; however, the same slot/subslot/port
format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs.
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for
SIPs, SSCs, and SPAs” section on page 4-2.
Modifying the Interface MTU Size
The maximum transmission unit (MTU) values might need to be reconfigured from their defaults on the
ATM SPAs to match the values used in your network.
Interface MTU Configuration Guidelines
When configuring the interface MTU size on an ATM SPA, consider the following guidelines.
The Cisco IOS software supports several types of configurable MTU options at different levels of the
protocol stack. You should ensure that all MTU values are consistent to avoid unnecessary fragmentation
of packets. These MTU values are the following:
• Interface MTU—Configured on a per-interface basis and defines the maximum packet size (in bytes)
that is allowed for traffic received on the network. The ATM SPA checks traffic coming in from the
network and drops packets that are larger than this maximum value. Because different types of Layer
2 interfaces support different MTU values, choose a value that supports the maximum packet size
that is possible in your particular network topology.
• IP MTU—Configured on a per-interface or per-subinterface basis and determines the maximum
IP packet size (in bytes) that is allowed on the IP network without being fragmented. If
an IP packet is larger than the IP MTU value, the ATM SPA fragments it into smaller IP packets
before forwarding it on to the next hop.
• Multiprotocol Label Switching (MPLS) MTU—Configured on a per-interface or per-subinterface
basis and defines the MTU value for packets that are tagged with MPLS labels or tag headers. When
an IP packet that contains MPLS labels is larger than the MPLS MTU value, the ATM SPA
fragments it into smaller IP packets. When a non-IP packet that contains MPLS labels is larger than
the MPLS MTU value, the ATM SPA drops it.
All devices on a particular physical medium must have the same MPLS MTU value to allow proper
MPLS operation. Because MPLS labels are added on to the existing packet and increase the packet’s
size, choose appropriate MTU values so as to avoid unnecessarily fragmenting MPLS-labeled
packets.
If the IP MTU or MPLS MTU values are currently the same size as the interface MTU, changing the
interface MTU size also automatically sets the IP MTU or MPLS MTU values to the new value.
Changing the interface MTU value does not affect the IP MTU or MPLS MTU values if they are not
currently set to the same size as the interface MTU.
Different encapsulation methods and the number of MPLS labels add overhead to a
packet. For example, Subnetwork Access Protocol (SNAP) encapsulation adds an 8-byte header,
IEEE 802.1Q encapsulation adds a 2-byte header, and each MPLS label adds a 4-byte header. Consider
the maximum possible encapsulations and labels that are to be used in your network when choosing the
MTU values.
Tip The MTU values on the local ATM SPA interfaces must match the values being used in the ATM network
and remote ATM interface. Changing the MTU values on an ATM SPA does not reset the local interface,
but be aware that other platforms and ATM SPAs do reset the link when the MTU value changes. This
could cause a momentary interruption in service, so we recommend changing the MTU value only when
the interface is not being used.
Note The interface MTU value on the ATM SPA also determines which packets are recorded as “giants” in the
show interfaces atm command. The interface considers a packet to be a giant packet when it is more
than 24 bytes larger than the interface MTU size. For example, if using an MTU size of 1500 bytes, the
interface increments the giants counter when it receives a packet larger than 1524 bytes.
Interface MTU Configuration Task
To change the MTU values on the ATM SPA interfaces, use the following procedure beginning in global
configuration mode:
Step 1
  Command or Action: Router(config)# interface atm slot/subslot/port
  Purpose: Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2
  Command or Action: Router(config-if)# mtu bytes
  Purpose: (Optional) Configures the maximum transmission unit (MTU) size for the interface. The
  valid range for bytes is from 64 to 9216 bytes, with a default of 4470 bytes. As a general rule,
  do not change the MTU value unless you have a specific application need to do so.
  Note If the IP MTU or MPLS MTU values are currently the same size as the interface MTU, changing
  the interface MTU size also automatically sets the IP MTU or MPLS MTU values to the same value.
Step 3
  Command or Action: Router(config-if)# ip mtu bytes
  Purpose: (Optional) Configures the MTU value, in bytes, for IP packets on this interface. The
  valid range for an ATM SPA is 64 to 9288, with a default value equal to the MTU value configured
  in Step 2.
Step 4
  Command or Action: Router(config-if)# mpls mtu bytes
  Purpose: (Optional) Configures the MTU value, in bytes, for MPLS-labeled packets on this
  interface. The valid range for an ATM SPA is 64 to 9216 bytes, with a default value equal to the
  MTU value configured in Step 2.
Note Repeat Step 1 through Step 4 for each interface port on the ATM SPA to be configured.
Step 5
  Command or Action: Router(config-if)# end
  Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the MTU Size
To verify the MTU sizes for an interface, use the show interface, show ip interface, and
show mpls interface commands. The following example is for the 2-Port and 4-Port OC-3c/STM-1 ATM SPA:
Router# show interface atm 4/1/0
ATM4/1/0 is up, line protocol is up
Hardware is SPA-4XOC3-ATM, address is 000d.2959.d5ca (bia 000d.2959.d5ca)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 0 current VCCs
VC idle disconnect time: 300 seconds
0 carrier transitions
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Router# show ip interface atm 4/1/0
ATM4/1/0 is up, line protocol is up
Internet address is 200.1.0.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 4470 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.9
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Feature Fast switching turbo vector
IP Null turbo vector
VPN Routing/Forwarding "vpn2600-2"
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Router# show mpls interface atm 4/1/0 detail
Interface ATM3/0:
IP labeling enabled (ldp)
LSP Tunnel labeling not enabled
MPLS operational
MPLS turbo vector
MTU = 4470
ATM labels: Label VPI = 1
Label VCI range = 33 - 65535
Control VC = 0/32
To view the maximum possible size for datagrams passing out the interface using the configured MTU
value, use the show atm interface atm command:
Router# show atm interface atm 4/1/0
Interface ATM4/1/0:
AAL enabled: AAL5, Maximum VCs: 4096, Current VCCs: 2
Maximum Transmit Channels: 0
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
8359 input, 8495 output, 0 IN fast, 0 OUT fast, 0 out drop
Avail bw = 155000
Config. is ACTIVE
To verify the MTU size for an interface, use the show interface, show ip interface, and
show mpls interface commands. The following example is for the 3-Port Clear Channel OC-3 ATM SPA:
Router# show interface atm 0/2/2
ATM0/2/2 is up, line protocol is up
Hardware is SPA-3XOC3-ATM-V2, address is 001a.3044.7522 (bia 001a.3044.7522)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5 AAL0
4095 maximum active VCs, 1 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
4 carrier transitions
Last input never, output 00:04:11, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 540 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 540 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
Router# show ip interface atm 0/2/2.1
ATM0/2/2.1 is up, line protocol is up
Internet address is 10.4.0.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 4470 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP Distributed switching is disabled
IP CEF switching turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Router# show mpls interface atm 0/3/2.1
Interface IP Tunnel BGP Static Operational
ATM0/3/2.1 Yes (ldp) No No No Yes
CE1#show mpls interface atm0/3/2.1 det
Interface ATM0/3/2.1:
IP labeling enabled (ldp):
Interface config
LSP Tunnel labeling not enabled
BGP labeling not enabled
MPLS operational
MTU = 4470
To view the maximum possible size for datagrams passing out the interface using the configured MTU
value, use the show atm interface atm command:
Router# show atm interface atm 0/2/2
Interface ATM0/2/2:
AAL enabled: AAL0 , Maximum VCs: 4095, Current VCCs: 1
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
5 input, 5 output, 0 IN fast, 0 OUT fast, 0 out drop
Avail bw = 149760
Config. is ACTIVE
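The MTU guidelines and the verification commands above can be combined into a scripted check. The following Python sketch is an added example, not part of the Cisco guide: the function names are hypothetical, the embedded text is an abbreviated excerpt of the sample output shown above, and the MPLS check assumes a full-size IP packet carrying the given number of labels.

```python
import re

GIANT_MARGIN = 24        # guide: a giant is more than 24 bytes over the interface MTU
MTU_RANGE = (64, 9216)   # guide: valid range for the interface `mtu` command
MPLS_LABEL_BYTES = 4     # guide: each MPLS label adds a 4-byte header

# Abbreviated excerpts of the sample command output shown above.
SHOW_INTERFACE = """\
ATM4/1/0 is up, line protocol is up
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
"""
SHOW_IP_INTERFACE = """\
ATM4/1/0 is up, line protocol is up
Internet address is 200.1.0.2/24
MTU is 4470 bytes
"""
SHOW_MPLS_DETAIL = """\
Interface ATM3/0:
MPLS operational
MTU = 4470
"""


def _grab(pattern, text, label):
    """Return the first integer captured by pattern, or fail loudly."""
    match = re.search(pattern, text, re.MULTILINE)
    if match is None:
        raise ValueError(f"{label} not found in command output")
    return int(match.group(1))


def parse_mtus(show_interface, show_ip_interface, show_mpls_detail):
    """Collect the three MTU values and the giants counter."""
    return {
        "interface": _grab(r"^\s*MTU (\d+) bytes", show_interface, "interface MTU"),
        "ip": _grab(r"^\s*MTU is (\d+) bytes", show_ip_interface, "IP MTU"),
        "mpls": _grab(r"^\s*MTU = (\d+)", show_mpls_detail, "MPLS MTU"),
        "giants": _grab(r"(\d+) giants", show_interface, "giants counter"),
    }


def giant_threshold(interface_mtu):
    """Packets larger than this value increment the giants counter."""
    return interface_mtu + GIANT_MARGIN


def apply_interface_mtu(mtus, new_mtu):
    """Model the `mtu` command: IP and MPLS MTU follow only if they equalled the old value."""
    old = mtus["interface"]
    updated = dict(mtus, interface=new_mtu)
    for layer in ("ip", "mpls"):
        if mtus[layer] == old:
            updated[layer] = new_mtu
    return updated


def audit(mtus, mpls_labels=0):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    low, high = MTU_RANGE
    if not low <= mtus["interface"] <= high:
        findings.append(f"interface MTU {mtus['interface']} outside {low}-{high}")
    for layer in ("ip", "mpls"):
        if mtus[layer] != mtus["interface"]:
            findings.append(
                f"{layer} MTU {mtus[layer]} differs from interface MTU "
                f"{mtus['interface']}; it will not follow later mtu changes")
    labelled = mtus["ip"] + MPLS_LABEL_BYTES * mpls_labels
    if labelled > mtus["mpls"]:
        findings.append(
            f"full-size IP packet with {mpls_labels} label(s) is {labelled} bytes, "
            f"above MPLS MTU {mtus['mpls']}: it will be fragmented")
    if mtus["giants"]:
        findings.append(
            f"{mtus['giants']} giants: packets over "
            f"{giant_threshold(mtus['interface'])} bytes were received")
    return findings


if __name__ == "__main__":
    values = parse_mtus(SHOW_INTERFACE, SHOW_IP_INTERFACE, SHOW_MPLS_DETAIL)
    print(values)
    for finding in audit(values, mpls_labels=2):
        print("FINDING:", finding)
```

With the sample values, the audit is clean for unlabeled traffic but reports that a two-label packet no longer fits the 4470-byte MPLS MTU.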
Creating a Permanent Virtual Circuit
To use a permanent virtual circuit (PVC), configure the PVC in both the router and the ATM switch.
PVCs remain active until the circuit is removed from either configuration. To create a PVC on the ATM
interface and enter interface ATM VC configuration mode, perform the following procedure beginning
in global configuration mode:
Step 1
  Command or Action: Router(config)# interface atm slot/subslot/port
  or
  Router(config)# interface atm slot/subslot/port.subinterface
  Purpose: Enters interface or subinterface configuration mode for the indicated port on the
  specified ATM SPA.
Step 2
  Command or Action: Router(config-if)# ip address address mask
  Purpose: Assigns the specified IP address and subnet mask to the interface or subinterface.
Step 3
  Command or Action: Router(config-if)# atm tx-latency milliseconds
  Purpose: (Optional) Configures the default transmit latency for VCs on this ATM SPA interface.
  The valid range for milliseconds is from 1 to 200, with a default of 100 milliseconds.
Step 4
  Command or Action: Router(config-if)# pvc [name] vpi/vci [ilmi | qsaal]
  Purpose: Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC
  configuration mode. The valid values for vpi/vci are:
  • vpi—Specifies the VPI ID. The valid range is 0 to 255.
  • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and
    should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
  You can also configure the following options:
  • name—(Optional) An arbitrary string that identifies this PVC.
  • ilmi—(Optional) Configures the VC to exclusively carry ILMI protocol traffic (default).
  • qsaal—(Optional) Configures the VC to exclusively carry QSAAL protocol traffic.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 5
  Command or Action: Router(config-if-atm-vc)# protocol protocol {protocol-address | inarp}
  [[no] broadcast]
  Purpose: Configures the PVC for a particular protocol and maps it to a specific
  protocol-address.
  • protocol—Typically set to either ip or ppp, but other values are possible.
  • protocol-address—Destination address or virtual interface template for this PVC (if
    appropriate for the protocol).
  • inarp—Specifies that the PVC uses Inverse ARP to determine its address.
  • [no] broadcast—(Optional) Specifies that this mapping should (or should not) be used for
    broadcast packets.
Step 6
  Command or Action: Router(config-if-atm-vc)# inarp minutes
  Purpose: (Optional) If using Inverse ARP, configures how often the PVC transmits Inverse ARP
  requests to confirm its address mapping. The valid range is 1 to 60 minutes, with a default of
  15 minutes.
Step 7
  Command or Action: Router(config-if-atm-vc)# encapsulation aal5snap
  Purpose: (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The
  default and only supported type is aal5snap.
Step 8
  Command or Action: Router(config-if-atm-vc)# tx-limit buffers
  Purpose: (Optional) Specifies the number of transmit buffers for this VC. The valid range is
  from 1 to 57343, with a default value that is based on the current VC line rate and on the
  latency value that is configured with the atm tx-latency command.
Note Repeat Step 4 through Step 8 for each PVC to be configured on this interface.
Step 9
  Command or Action: Router(config-if-atm-vc)# end
  Purpose: Exits ATM VC configuration mode and returns to privileged EXEC mode.
Verifying a PVC Configuration
To verify the configuration of a particular PVC, use the show atm pvc command:
Router# show atm pvc 1/100
ATM3/0/0: VCD: 1, VPI: 1, VCI: 100
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 94964567, OutPkts: 95069747, InBytes: 833119350, OutBytes: 838799016
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 94964566, OutAS: 95069746
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
VC 1/100 doesn't exist on 7 of 8 ATM interface(s)
Tip To verify the configuration and current status of all PVCs on a particular interface, you can also use the
show atm vc interface atm command.
Creating a PVC on a Point-to-Point Subinterface
Use point-to-point subinterfaces to provide each pair of routers with its own subnet. When you create a
PVC on a point-to-point subinterface, the router assumes it is the only point-to-point PVC that is
configured on the subinterface, and it forwards all IP packets with a destination IP address in the same
subnet to this VC. To configure a point-to-point PVC, perform the following procedure beginning in
global configuration mode:
Step 1
  Command or Action: Router(config)# interface atm slot/subslot/port.subinterface point-to-point
  Purpose: Creates the specified point-to-point subinterface on the given port on the specified
  ATM SPA, and enters subinterface configuration mode.
Step 2
  Command or Action: Router(config-subif)# ip address address mask
  Purpose: Assigns the specified IP address and subnet mask to this subinterface.
Step 3
  Command or Action: Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
  Purpose: Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC
  configuration mode. The valid values for vpi/vci are:
  • vpi—Specifies the VPI ID. The valid range is 0 to 255.
  • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and
    should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
  You can also configure the following options:
  • name—(Optional) An arbitrary string that identifies this PVC.
  • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default).
  • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 4
  Command or Action: Router(config-if-atm-vc)# protocol protocol protocol-address [[no] broadcast]
  Purpose: Configures the PVC for a particular protocol and maps it to a specific
  protocol-address.
  • protocol—Typically set to ppp for point-to-point subinterfaces, but other values are
    possible.
  • protocol-address—Destination address or virtual template interface for this PVC (as
    appropriate for the specified protocol).
  • [no] broadcast—(Optional) Specifies that this mapping should (or should not) be used for
    broadcast packets.
  The protocol command also has an inarp option, but this option is not meaningful on
  point-to-point PVCs that use a manually configured address.
Step 5
  Command or Action: Router(config-if-atm-vc)# encapsulation aal5snap
  Purpose: (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The
  default and only supported type is aal5snap.
Note Repeat Step 1 through Step 5 for each point-to-point subinterface to be configured on this ATM SPA.
Step 6
  Command or Action: Router(config-if)# end
  Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Verifying a Point-to-Point PVC Configuration
To verify the configuration of a particular PVC, use the show atm pvc command:
Router# show atm pvc 3/12
ATM3/1/0.12: VCD: 3, VPI: 3, VCI: 12
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 3949645, OutPkts: 3950697, InBytes: 28331193, OutBytes: 28387990
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 3949645, OutAS: 3950697
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
Tip To verify the configuration and current status of all PVCs on a particular interface, you can also use the
show atm vc interface atm command.
Configuring a PVC on a Multipoint Subinterface
Creating a multipoint subinterface allows you to create a point-to-multipoint PVC that can be used as a
broadcast PVC for all multicast requests. To create a PVC on a multipoint subinterface, use the following
procedure beginning in global configuration mode:
Step 1
  Command or Action: Router(config)# interface atm slot/subslot/port.subinterface multipoint
  Purpose: Creates the specified point-to-multipoint subinterface on the given port on the
  specified ATM SPA, and enters subinterface configuration mode.
Step 2
  Command or Action: Router(config-subif)# ip address address mask
  Purpose: Assigns the specified IP address and subnet mask to this subinterface.
Step 3
  Command or Action: Router(config-subif)# no ip directed-broadcast
  Purpose: (Optional) Disables the forwarding of IP directed broadcasts, which are sometimes used
  in denial-of-service (DoS) attacks.
Step 4
  Command or Action: Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
  Purpose: Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC
  configuration mode. The valid values for vpi/vci are:
  • vpi—Specifies the VPI ID. The valid range is 0 to 255.
  • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and
    should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
  You can also configure the following options:
  • name—(Optional) An arbitrary string that identifies this PVC.
  • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default).
  • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 5
  Command or Action: Router(config-if-atm-vc)# protocol protocol {protocol-address | inarp}
  broadcast
  Purpose: Configures the PVC for a particular protocol and maps it to a specific
  protocol-address.
  • protocol—Typically set to ip for multipoint subinterfaces, but other values are possible.
  • protocol-address—Destination address or virtual template interface for this PVC (if
    appropriate for the protocol).
  • inarp—Specifies that the PVC uses Inverse ARP to determine its address.
  • broadcast—Specifies that this mapping should be used for multicast packets.
Step 6
  Command or Action: Router(config-if-atm-vc)# inarp minutes
  Purpose: (Optional) If using Inverse ARP, configures how often the PVC transmits Inverse ARP
  requests to confirm its address mapping. The valid range is 1 to 60 minutes, with a default of
  15 minutes.
Step 7
  Command or Action: Router(config-if-atm-vc)# encapsulation aal5snap
  Purpose: (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The
  default and only supported type is aal5snap.
Note Repeat Step 1 through Step 7 for each multipoint subinterface to be configured on this ATM SPA.
Step 8
  Command or Action: Router(config-if)# end
  Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Verifying a Multipoint PVC Configuration
To verify the configuration of a particular PVC, use the show atm pvc command:
Router# show atm pvc 1/120
ATM3/1/0.120: VCD: 1, VPI: 1, VCI: 120
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 1394964, OutPkts: 1395069, InBytes: 1833119, OutBytes: 1838799
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 94964, OutAS: 95062
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
Note To verify the configuration and current status of all PVCs on a particular interface, you can also use the
show atm vc interface atm command.
Configuring RFC 1483 Bridging for PVCs
RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5, specifies the implementation of
point-to-point bridging of Layer 2 protocol data units (PDUs) from an ATM interface. Figure 7-1 shows
an example in which the two routers receive VLANs over their respective trunk links and then forward
that traffic out through the ATM interfaces into the ATM cloud.
Figure 7-1 Example of RFC 1483 Bridging Topology
[Figure 7-1 labels: Switch 1, Router 1, Router 2, Switch 2; trunk ports between each switch and its router; RFC 1483 ports between the routers and the ATM cloud]
Note RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM
Adaptation Layer 5.
RFC 1483 Bridging for PVCs Configuration Guidelines
When configuring RFC 1483 bridging for PVCs, consider the following guidelines:
• PVCs must use AAL5 Subnetwork Access Protocol (SNAP) encapsulation.
• To use the Virtual Trunking Protocol (VTP), ensure that each main interface has a subinterface that
has been configured for the management VLANs (VLAN 1 and VLANs 1002 to 1005). VTP is not
supported on bridged VCs on a Cisco 7600 SIP-200.
• RFC 1483 bridging in a switched virtual circuit (SVC) environment is not supported.
• The 1-Port OC-48c/STM-16 ATM SPA does not support RFC 1483 bridging.
RFC 1483 Bridging for PVCs Configuration Task
To configure RFC 1483 bridging for PVCs, perform the following procedure beginning in global
configuration mode:
Step 1
  Command or Action: Router(config)# interface atm slot/subslot/port.subinterface point-to-point
  Purpose: (Optional) Creates the specified point-to-point subinterface on the given port on the
  specified ATM SPA, and enters subinterface configuration mode.
  Note Although it is most common to create the PVCs on subinterfaces, you can also omit this step
  to create the PVCs for RFC 1483 bridging on the main interface.
Step 2
  Command or Action: Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal]
  Purpose: Configures a new ATM PVC by assigning its VPI/VCI numbers and enters ATM VC
  configuration mode. The valid values for vpi/vci are:
  • vpi—Specifies the VPI ID. The valid range is 0 to 255.
  • vci—Specifies the VCI ID. The valid range is 1 to 65535. Values 1 to 31 are reserved and
    should not be used, except for 5 for the QSAAL PVC and 16 for the ILMI PVC.
  You can also configure the following options:
  • name—(Optional) An arbitrary string that identifies this PVC.
  • ilmi—(Optional) Configures the PVC to use ILMI encapsulation (default).
  • qsaal—(Optional) Configures the PVC to use QSAAL encapsulation.
Step 3
  Command or Action: Router(config-if-atm-vc)# bridge-domain vlan-id
  [access | dot1q tag | dot1q-tunnel] [ignore-bpdu-pid] | {pvst-tlv CE-vlan} [increment]
  [split-horizon]
  Purpose: Binds the PVC to the specified vlan-id. You can optionally specify the following
  keywords:
  • dot1q—(Optional) Includes the IEEE 802.1Q tag, which preserves the VLAN ID and class of
    service (CoS) information across the ATM cloud.
  • dot1q-tunnel—(Optional) Enables tunneling of IEEE 802.1Q VLANs over the same link. See the
    “Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling” section on page 7-18.
  • ignore-bpdu-pid—(Optional) Ignores bridge protocol data unit (BPDU) packets, to allow
    interoperation with ATM customer premises equipment (CPE) devices that do not distinguish
    BPDU packets from data packets.
    Without this keyword, IEEE BPDUs are sent out using a PID of 0x00-0E, which complies with
    RFC 1483.
    With this keyword, IEEE BPDUs are sent out using a PID of 0x00-07, which is normally reserved
    for RFC 1483 data.
  • pvst-tlv—When transmitting, the pvst-tlv keyword translates PVST+ BPDUs into IEEE BPDUs.
    When receiving, the pvst-tlv keyword translates IEEE BPDUs into PVST+ BPDUs.
  • split-horizon—(Optional) Enables RFC 1483 split horizon mode to globally prevent bridging
    between PVCs in the same VLAN.
Step 4
  Command or Action: Router(config-if-atm-vc)# encapsulation aal5snap
  Purpose: (Optional) Configures the ATM adaptation layer (AAL) and encapsulation type. The
  default and only supported type is aal5snap.
Note Repeat Step 1 through Step 4 for each interface on the ATM SPA to be configured.
Step 5
  Command or Action: Router(config-if-atm-vc)# end
  Purpose: Exits ATM VC configuration mode and returns to privileged EXEC mode.
Verifying the RFC 1483 Bridging Configuration
To verify the RFC 1483 bridging configuration and status, use the show interface atm command:
Router# show interface atm 6/1/0.3
ATM6/1/0.3 is up, line protocol is up
Hardware is SPA-4XOC3-ATM
Internet address is 10.10.10.13/24
MTU 4470 bytes, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM
5 packets input, 566 bytes
5 packets output, 566 bytes
1445 OAM cells input, 1446 OAM cells output
Command or Action Purpose7-17
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 7 Configuring the ATM SPAs
Configuration Tasks
Configuring Layer 2 Protocol Tunneling Topology
To enable BPDU translation for the Layer 2 Protocol Tunneling (L2PT) topologies, use the following
command line:
bridge-domain PE vlan dot1q-tunnel ignore-bpdu-pid pvst-tlv CE vlan
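The ignore-bpdu-pid and pvst-tlv keywords change which RFC 1483 PID carries spanning-tree traffic, so a filter keyed only on PID 0x00-0E can miss BPDUs. The following Python classifier is an added example, not part of the Cisco guide: the header constants come from RFC 1483/2684, the sample PDUs are constructed, and it assumes that a BPDU sent under PID 0x00-07 travels as a bridged frame addressed to the IEEE or PVST+ spanning-tree group MAC.

```python
import struct
from collections import Counter

LLC_SNAP = bytes.fromhex("aaaa03")             # LLC header announcing a SNAP header
OUI_BRIDGED = bytes.fromhex("0080c2")          # IEEE 802.1 OUI: a bridged PDU follows
OUI_ROUTED = bytes.fromhex("000000")           # routed PDU: the PID is an EtherType
PID_ETH_FCS, PID_ETH, PID_BPDU = 0x0001, 0x0007, 0x000E
STP_GROUP_MAC = bytes.fromhex("0180c2000000")  # IEEE spanning-tree group address
PVST_MAC = bytes.fromhex("01000ccccccd")       # Cisco PVST+ destination address


def classify(pdu: bytes) -> dict:
    """Classify one AAL5 payload by its RFC 1483/2684 LLC/SNAP header."""
    if len(pdu) < 8 or pdu[:3] != LLC_SNAP:
        return {"kind": "not-llc-snap"}
    oui = pdu[3:6]
    (pid,) = struct.unpack("!H", pdu[6:8])
    if oui == OUI_ROUTED:
        return {"kind": "routed", "ethertype": pid}
    if oui != OUI_BRIDGED:
        return {"kind": "unknown-oui", "pid": pid}
    if pid == PID_BPDU:                        # default behaviour described in Step 3
        return {"kind": "bpdu", "pid": pid}
    if pid not in (PID_ETH_FCS, PID_ETH):
        return {"kind": "bridged-other", "pid": pid}
    # Bridged Ethernet: two pad bytes, then the MAC frame (dst, src, type/length).
    if len(pdu) < 8 + 2 + 14:
        return {"kind": "truncated", "pid": pid}
    dst = pdu[10:16]
    if dst == STP_GROUP_MAC:                   # assumption: ignore-bpdu-pid traffic
        kind = "ieee-bpdu-in-data-pid"
    elif dst == PVST_MAC:
        kind = "pvst-bpdu-in-data-pid"
    else:
        kind = "bridged-ethernet"
    return {"kind": kind, "pid": pid, "dst": dst.hex(":"), "src": pdu[16:22].hex(":")}


def summarize(pdus) -> Counter:
    """Count PDU kinds, e.g. per PVC, to see where BPDUs ride under the data PID."""
    return Counter(classify(p)["kind"] for p in pdus)


def _bridged(pid: int, dst: str, src: str, rest: bytes) -> bytes:
    """Build a constructed bridged PDU for the samples below."""
    return (LLC_SNAP + OUI_BRIDGED + struct.pack("!H", pid) + b"\x00\x00"
            + bytes.fromhex(dst) + bytes.fromhex(src) + rest)


# Constructed samples; MAC addresses are locally administered placeholders.
BPDU_BODY = bytes(35)
SAMPLES = {
    "data": _bridged(PID_ETH, "020000000002", "020000000001", b"\x08\x00" + bytes(20)),
    "bpdu_default": LLC_SNAP + OUI_BRIDGED + struct.pack("!H", PID_BPDU) + BPDU_BODY,
    "bpdu_ignore_pid": _bridged(PID_ETH, "0180c2000000", "020000000001",
                                b"\x00\x26\x42\x42\x03" + BPDU_BODY),
    "pvst": _bridged(PID_ETH, "01000ccccccd", "020000000001", b"\x00\x32" + bytes(50)),
    "routed_ipv4": LLC_SNAP + OUI_ROUTED + b"\x08\x00" + bytes(20),
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(f"{name:16} {classify(pdu)}")
```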
Configuring Layer 2 Tunneling Protocol Version 3 (L2TPv3)
Complete the following steps to configure ATM L2TPv3:
Command or Action Purpose
Step 1 Router# enable Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 Router# configure terminal Enters global configuration mode.
Step 3 Router(config)# interface ATM type slot/port Specifies the interface by type, slot, and port number, and
enters interface configuration mode.
Step 4 Router(config-if)# atm pvp vpi l2transport Specifies that the PVP is dedicated to transporting ATM
cells.
• vpi—ATM network virtual path identifier (VPI) of the
VC to multiplex on the permanent virtual path. The
range is from 0 to 255.
Note The l2transport keyword indicates that the PVP is
for cell relay. Once you enter this command, you
can enter l2transport PVP configuration mode. This
configuration mode is for Layer 2 transport only; it
is not for terminated PVPs.
Step 5 Router(config-if)# xconnect peer-ip-address vcid
pw-class pw-class-name
Specifies the IP address of the peer PE router and the 32-bit
virtual circuit identifier shared between the PEs at each end
of the control channel.
• The peer router ID (IP address) and virtual circuit ID
must be a unique combination on the router.
• pw-class-name—The pseudowire class configuration
from which the data encapsulation type (L2TPv3) is
taken. The pseudowire class parameter binds the
cross-connect statement to a specific pseudowire class.
The pseudowire class then serves as the template
configuration for all attachment circuits bound to it.
Verifying L2TPv3 Configuration
To verify the configuration of a PVP, use the show atm vp command in EXEC mode.
Router# show atm vp 5
ATM4/1/0 VPI: 5, Cell-Relay, PeakRate: 155000, CesRate: 0, DataVCs: 0,
CesVCs: 0, Status: ACTIVE
VCD VCI Type InPkts OutPkts AAL/Encap Status
8 3 PVC 0 0 F4 OAM ACTIVE
9 4 PVC 0 0 F4 OAM ACTIVE
TotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0,
TotalBroadcasts: 0
Configuring RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling
RFC 1483 bridging (see the “Configuring RFC 1483 Bridging for PVCs” section on page 7-14) can also
include IEEE 802.1Q tunneling, which allows service providers to aggregate multiple VLANs over a
single VLAN, while still keeping the individual VLANs segregated and preserving the VLAN IDs for
each customer. This tunneling simplifies traffic management for the service provider, while keeping the
customer networks secure.
Also, the IEEE 802.1Q tunneling is configured only on the service provider routers, so it does not require
any additional configuration on the customer-side routers. The customer side is not aware of the
configuration.
Note For complete information on IEEE 802.1Q tunneling on a Cisco 7600 series router, see the Cisco 7600
Series Cisco IOS Software Configuration Guide, 12.2SX.
Note RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM
Adaptation Layer 5.
RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Guidelines
When configuring RFC 1483 bridging for PVCs with IEEE 802.1Q tunneling, consider the following
guidelines:
• Customer equipment must be configured for RFC 1483 bridging with IEEE 802.1Q tunneling using
the bridge-domain dot1q ATM VC configuration command. See the “Configuring RFC 1483
Bridging for PVCs” section on page 7-14 for more information.
• PVCs must use AAL5 encapsulation.
• RFC 1483 bridged PVCs must terminate on the ATM SPA, and the traffic forwarded over this
bridged connection to the edge must be forwarded through an Ethernet port.
• To use the Virtual Trunking Protocol (VTP), each main interface should have a subinterface that has
been configured for the management VLANs (VLANs 1 and 1002–1005).
• RFC 1483 bridging in a switched virtual circuit (SVC) environment is not supported.
RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Task
To configure RFC 1483 bridging for PVCs with IEEE 802.1Q tunneling, perform the following
procedure beginning in global configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface atm
slot/subslot/port.subinterface point-to-point
(Optional) Creates the specified point-to-point subinterface
on the given port on the specified ATM SPA, and enters
subinterface configuration mode.
Note Although it is most common to create the PVCs on
subinterfaces, you can also omit this step to create
the PVCs for RFC 1483 bridging on the main
interface.
Step 2 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI
numbers and enters ATM VC configuration mode. The valid
values for vpi/vci are:
• vpi—Specifies the VPI ID. The valid range is 0 to 255.
• vci—Specifies the VCI ID. The valid range is 1 to
65535. Values 1 to 31 are reserved and should not be
used, except for 5 for the QSAAL PVC and 16 for the
ILMI PVC.
You can also configure the following options:
• name—(Optional) An arbitrary string that identifies
this PVC.
• ilmi—(Optional) Configures the PVC to use ILMI
encapsulation (default).
• qsaal—(Optional) Configures the PVC to use QSAAL
encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 3 Router(config-if-atm-vc)# bridge-domain vlan-id
dot1q-tunnel
Binds the PVC to the specified vlan-id and enables the use
of IEEE 802.1Q tunneling on the PVC. This preserves the
VLAN ID information across the ATM cloud.
Step 4 Router(config-if-atm-vc)# encapsulation aal5snap (Optional) Configures the ATM adaptation layer (AAL) and
encapsulation type. The default and only supported type is
aal5snap.
Note Repeat Step 1 through Step 4 for each interface on the ATM SPA to be configured.
Step 5 Router(config-if-atm-vc)# end Exits ATM VC configuration mode and returns to privileged
EXEC mode.
Verifying the RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration
To verify the IEEE 802.1Q tunneling on an ATM SPA, use the show l2protocol-tunnel command:
Router# show l2protocol-tunnel
CoS for Encapsulated Packets: 5
Port Protocol Shutdown Drop Encapsulation Decapsulation Drop
Threshold Threshold Counter Counter Counter
------- -------- --------- --------- ------------- ------------- -------------
Gi4/2 cdp ---- ---- 0 0 0
stp ---- ---- 0 0 0
vtp ---- ---- 0 0 0
ATM6/2/1 cdp ---- ---- n/a n/a n/a
stp ---- ---- n/a n/a n/a
vtp ---- ---- n/a n/a n/a
Note The counters in the output of the show l2protocol-tunnel command are not applicable for ATM
interfaces when IEEE 802.1Q tunneling is enabled.
Use the following command to display the interfaces that are configured with an IEEE 802.1Q tunnel:
Router# show dot1q-tunnel
LAN Port(s)
-----------
Gi4/2
ATM Port(s)
-----------
ATM6/2/1
Configuring ATM RFC 1483 Half-Bridging
The ATM SPA supports ATM RFC 1483 half-bridging, which routes IP traffic from a stub-bridged
Ethernet LAN over a bridged RFC 1483 ATM interface, without using integrated routing and bridging
(IRB). This allows bridged traffic that terminates on an ATM PVC to be routed on the basis of the
destination IP address.
For example, Figure 7-2 shows a remote bridged Ethernet network connecting to a routed network over
a device that bridges the Ethernet LAN to the ATM interface.
Figure 7-2 ATM RFC 1483 Half-Bridging
(Figure labels: ATM 4/1/0.100, 172.31.5.9; Ethernet subnet 172.31.5.0)
When half-bridging is configured, the ATM interface receives the bridged IP packets and routes them
according to each packet’s IP destination address. Similarly, when packets are routed to this ATM PVC,
it then forwards them out as bridged packets on its bridge connection.
This use of a stub network topology offers better performance and flexibility over integrated routing and
bridging (IRB). This also helps to avoid a number of issues such as broadcast storms and security risks.
In particular, half-bridging reduces the potential security risks that are associated with normal bridging
configurations. Because the ATM interface allocates a single virtual circuit (VC) to a subnet (which
could be as small as a single IP address), half-bridging limits the size of the nonsecured network that can
be allowed access to the larger routed network. This makes half-bridging configurations ideally suited
for customer access points, such as digital subscriber lines (DSL).
Note RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM
Adaptation Layer 5. However, to avoid confusion, this document continues to use the previously-used
terminology of “RFC 1483 ATM half-bridging.”
To configure a point-to-multipoint ATM PVC for ATM half-bridging, use the configuration task in the
following section.
Note Use the following configuration task when you want to configure point-to-multipoint PVCs for
half-bridging operation. Use the configuration task in the “Configuring ATM Routed Bridge
Encapsulation” section on page 7-23 to configure a point-to-point PVC for similar functionality.
ATM RFC 1483 Half-Bridging Configuration Guidelines
When configuring ATM RFC 1483 half-bridging, consider the following guidelines:
• Supports only IP traffic and access lists.
• Supports only fast switching and process switching.
• Supports only PVCs that are configured on multipoint subinterfaces. SVCs are not supported for
half-bridging.
• A maximum of one PVC can be configured for half-bridging on each subinterface. Other PVCs can
be configured on the same subinterface, as long as they are not configured for half-bridging as well.
• The same PVC cannot be configured for both half-bridging and full bridging.
ATM RFC 1483 Half-Bridging Configuration Task
To configure ATM RFC 1483 half-bridging, perform the following procedure beginning in global
configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface atm
slot/subslot/port.subinterface multipoint
Creates the specified multipoint subinterface on the
given port on the specified ATM SPA, and enters
subinterface configuration mode.
Step 2 Router(config-subif)# ip address address mask
[secondary]
Assigns the specified IP address and subnet mask to this
subinterface. This IP address should be on the same subnet
as the remote bridged network (the Ethernet network).
Step 3 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI
numbers and enters ATM VC configuration mode. The valid
values for vpi/vci are:
• vpi—Specifies the VPI ID. The valid range is 0 to 255.
• vci—Specifies the VCI ID. The valid range is 1 to
65535. Values 1 to 31 are reserved and should not be
used, except for 5 for the QSAAL PVC and 16 for the
ILMI PVC.
You can also configure the following options:
• name—(Optional) An arbitrary string that identifies
this PVC.
• ilmi—(Optional) Configures the PVC to use ILMI
encapsulation (default).
• qsaal—(Optional) Configures the PVC to use QSAAL
encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 4 Router(config-if-atm-vc)# encapsulation aal5snap
bridge
(Optional) Configures the ATM adaptation layer (AAL) and
encapsulation type, and specifies that half-bridging should
be used.
Step 5 Router(config-if-atm-vc)# end Exits ATM VC configuration mode and returns to privileged
EXEC mode.
Verifying the ATM RFC 1483 Half-Bridging Configuration
To verify the ATM RFC 1483 half-bridging configuration, use the show atm vc command:
Router# show atm vc 20
ATM4/0/0.20: VCD: 20, VPI: 1, VCI: 20
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 15 minutes(s), 1483-half-bridged-encap
Transmit priority 6
InPkts: 2411, OutPkts: 2347, InBytes: 2242808, OutBytes: 1215746
InPRoc: 226, OutPRoc: 0
InFast: 0, OutFast: 0, InAS: 2185, OutAS: 2347
InPktDrops: 1, OutPktDrops: 0
InByteDrops: 0, OutByteDrops: 0
CrcErrors: 139, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP
Configuring ATM Routed Bridge Encapsulation
The ATM SPAs support ATM Routed Bridge Encapsulation (RBE), which is similar in functionality to
RFC 1483 ATM half-bridging, except that ATM half-bridging is configured on a point-to-multipoint
PVC, while RBE is configured on a point-to-point PVC (see the “Configuring ATM RFC 1483
Half-Bridging” section on page 7-20).
Note The 1-Port OC-48c/STM-16 ATM SPA does not support RBE.
Use the following configuration task to configure a point-to-point subinterface and PVC for RBE
bridging.
Note RFC 1483 has been updated and superseded by RFC 2684, Multiprotocol Encapsulation over ATM
Adaptation Layer 5.
ATM Routed Bridge Encapsulation Configuration Guidelines
When configuring ATM RBE, consider the following guidelines:
• Supported only on ATM SPAs in a Cisco 7600 SIP-200. RBE is not supported when using a
Cisco 7600 SIP-400.
• Supports only AAL5SNAP encapsulation.
• Supports only IP access lists, not MAC-layer access lists.
• Supports only fast switching and process switching.
• Supports distributed Cisco Express Forwarding (dCEF).
• Supports only PVCs on point-to-point subinterfaces. SVCs are not supported for half-bridging.
• The bridge-domain command cannot be used on any PVC that is configured for RBE, because an
RBE PVC acts as the termination point for bridged packets.
• The atm bridge-enable command, which was used in previous releases on other ATM interfaces, is
not supported on ATM SPA interfaces.
• The IS-IS protocol is not supported with point-to-point PVCs that are configured for RBE bridging.
RBE Configuration Limitation Supports Only One Remote MAC Address
On the Cisco 7600 series router with a Supervisor Engine 720 or Route Switch Processor 720 (RSP720)
and the following SPA, an ATM PVC with an RBE configuration can send packets to only a single MAC
address:
• ATM SPA on the Cisco 7600 SIP-200
This restriction occurs because the Cisco 7600 series router keeps only one MAC address attached to an
RBE PVC. The MAC address-to-PVC mapping is refreshed when a packet is received from the host. If
there are multiple hosts connected to the PVC, the mapping is not stable and traffic forwarding is
affected.
The solution to this problem is as follows:
1. Configure the ATM PVC for RFC 1483 bridging using the bridge-domain vlan x command.
2. Configure an interface vlan vlan x with the IP address of the RBE subinterface.
ATM Routed Bridge Encapsulation Configuration Task
To configure ATM routed bridge encapsulation, perform the following procedure beginning in global
configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface on the given
port on the specified ATM SPA, and enters subinterface
configuration mode.
Step 2 Router(config-subif)# atm route-bridge ip Enables ATM RFC 1483 half-bridging (RBE bridging).
Note The atm route-bridge ip command can be issued
either before or after you create the PVC.
Step 3 Router(config-subif)# ip address address mask
[secondary]
Assigns the specified IP address and subnet mask to this
subinterface. This IP address should be on the same subnet
as the remote bridged network (the Ethernet network).
Step 4 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI
numbers and enters ATM VC configuration mode. The valid
values for vpi/vci are:
• vpi—Specifies the VPI ID. The valid range is 0 to 255.
• vci—Specifies the VCI ID. The valid range is 1 to
65535. Values 1 to 31 are reserved and should not be
used, except for 5 for the QSAAL PVC and 16 for the
ILMI PVC.
You can also configure the following options:
• name—(Optional) An arbitrary string that identifies
this PVC.
• ilmi—(Optional) Configures the PVC to use ILMI
encapsulation (default).
• qsaal—(Optional) Configures the PVC to use QSAAL
encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 5 Router(config-if-atm-vc)# encapsulation aal5snap (Optional) Configures the ATM adaptation layer (AAL) and
encapsulation type. The only supported encapsulation for
an RBE PVC is aal5snap.
Step 6 Router(config-if-atm-vc)# end Exits ATM VC configuration mode and returns to privileged
EXEC mode.
Note The atm route-bridge ip command, like other subinterface configuration commands, is not
automatically removed when you delete a subinterface. If you want to remove a subinterface and
re-create it without the half-bridging, be sure to manually remove the half-bridging configuration, using
the no atm route-bridge ip command.
Verifying the ATM Routed Bridge Encapsulation Configuration
To verify the RBE bridging configuration, use the show ip cache verbose command:
Router# show ip cache verbose
IP routing cache 3 entries, 572 bytes
9 adds, 6 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 00:30:34 ago
Prefix/Length Age Interface Next Hop
10.1.0.51/32-24 00:30:10 Ethernet3/1/0 10.1.0.51 14
0001C9F2A81D00600939BB550800
10.8.100.50/32-24 00:00:04 ATM1/1/0.2 10.8.100.50 28
00010000AA030080C2000700000007144F5D201C0800
10.8.101.35/32-24 00:06:09 ATM1/1/0.4 10.8.101.35 28
00020000AA030080C20007000000E01E8D3F901C0800
Note The show ip cache command is not supported in the RBE feature.
Configuring RFC 1483 Bridging of Routed Encapsulations
When RFC 1483 routed ATM-based packets come into the Cisco 7600 series router through a PVC, there
is no Ethernet payload header on them. Bridging of routed encapsulations (BRE) enables the router to
receive RFC 1483 routed encapsulated packets and forward them as Layer 2 frames. In a BRE
configuration, the PVC receives the routed PDUs, removes the RFC 1483 routed encapsulation header,
and adds an Ethernet MAC header to the packet. The Layer 2 encapsulated packet is then switched by
the forwarding engine to the Layer 2 interface determined by the VLAN number and destination MAC
address.
BRE is supported on all SIP-200 and SIP-400 ATM SPAs. The PVCs must be AAL5 encapsulated.
Note The 1-Port OC-48c/STM-16 ATM SPA does not support bridging.
Figure 7-3 shows a topology where an interface on an ATM SPA receives routed PDUs from the ATM
cloud and encapsulates them as Layer 2 frames. It then forwards the frames to the Layer 2 customer
device.
Figure 7-3 Example of BRE Topology
(Figure labels: ATM; CPE1; Cisco 7600; CPE2; Ethernet frames; RFC 1483 Routed Encapsulated ATM PDUs; Edge router; CE)
RFC 1483 Bridging of Routed Encapsulations Configuration Guidelines
When configuring RFC 1483 bridging of routed encapsulations, consider the following guidelines:
• BRE requires that the ATM SPAs are installed in a Cisco 7600 SIP-200.
• PVCs must use AAL5 encapsulation.
• RFC 1483 bridged PVCs must terminate on the ATM SPA, and the traffic forwarded over this
bridged connection to the edge must be forwarded through an Ethernet port.
• To use the Virtual Trunking Protocol (VTP), each main interface should have a subinterface that has
been configured for the management VLANs (VLAN 1 and VLANs 1002 to 1005).
• Concurrent configuration of RFC 1483 bridging and BRE on the same PVC and VLAN is not
supported.
• Bridging between RFC 1483 bridged PVCs is not supported.
• RFC 1483 bridging in a switched virtual circuit (SVC) environment is not supported.
• You should not use the same VLAN in BRE and bridge-domain.
Note When you configure BRE on an ATM interface, the BRE end does not have an IP address configured (L2),
whereas the non-BRE end has an IP address configured (L3).
RFC 1483 Bridging of Routed Encapsulations Configuration Task
To configure RFC 1483 bridging of routed encapsulations, perform the following procedure beginning
in global configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface atm slot/subslot/port Enters interface configuration mode for the indicated port
on the specified ATM SPA.
Step 2 Router(config-if)# no ip address Assigns no IP address to the interface.
Step 3 Router(config-if)# spanning-tree bpdufilter enable (Optional) Blocks all Spanning Tree BPDUs on the ATM
interface. This command should be used if this ATM
interface is configured only for BRE VLANs.
Note If this ATM interface is configured for both BRE
and RFC 1483 bridged VLANs, do not enter this
command unless you want to explicitly block
BPDUs on the interface.
Step 4 Router(config-if)# no shutdown Enables the interface.
Step 5 Router(config-if)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface on the
given port on the specified ATM SPA, and enters
subinterface configuration mode.
Step 6 Router(config-subif)# no ip address Assigns no IP address to the subinterface.
Step 7 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI
numbers and enters ATM VC configuration mode. The valid
values for vpi/vci are:
• vpi—Specifies the VPI ID. The valid range is 0 to 255.
• vci—Specifies the VCI ID. The valid range is 1 to
65535. Values 1 to 31 are reserved and should not be
used, except for 5 for the QSAAL PVC and 16 for the
ILMI PVC.
You can also configure the following options:
• name—(Optional) An arbitrary string that identifies
this PVC.
• ilmi—(Optional) Configures the PVC to use ILMI
encapsulation (default).
• qsaal—(Optional) Configures the PVC to use QSAAL
encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 8 Router(config-if-atm-vc)# bre-connect vlan-id [mac
mac-address]
Enables BRE bridging on the PVC, where:
• mac mac-address—(Optional) Specifies the hardware
(MAC) address of the destination customer premises
equipment (CPE) device at the remote end of the VLAN
connection.
Step 9 Router(config-if-atm-vc)# interface gigabitethernet
slot/port
Enters interface configuration mode for the specified
Gigabit Ethernet interface.
Step 10 Router(config-if)# switchport Configures the Gigabit Ethernet interface for Layer 2
switching.
Step 11 Router(config-if)# switchport access vlan vlan-id (Optional) Specifies the default VLAN for the interface.
This should be the same VLAN ID that was specified in the
bre-connect command in Step 8.
Step 12 Router(config-if)# switchport mode access Puts the interface into nontrunking mode.
Step 13 Router(config-if)# end Exits interface configuration mode and returns to privileged
EXEC mode.
Verifying the RFC 1483 Bridging of Routed Encapsulations Configuration
Use the following commands to verify the RFC 1483 bridging of routed encapsulations configuration:
Router# show running-config interface atm 10/0/3.111
Building configuration...
Current configuration : 149 bytes
!
interface ATM10/0/3.111 point-to-point
no atm enable-ilmi-trap
no snmp trap link-status
pvc 11/101
bre-connect 11 mac 0100.1234.1234
Router# show running-config interface gigabitethernet 1/2
interface GigabitEthernet1/2
no ip address
switchport
switchport access vlan 100
no cdp enable
!
Router# show vlan id 100
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
100 VLAN0100 active Gi1/2, AT5/0/2
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
100 enet 100100 1500 - - - - - 0 0
Router# show atm vlan
Interface Bridge VCD Vlan ID
ATM4/5/0/2.1 1 100
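The bridging, half-bridging, RBE and BRE sections above each state constraints that are easy to violate when PVCs are added by hand. The following Python linter is an added example, not Cisco tooling: it checks candidate IOS configuration text against those constraints. The sample configuration is constructed, the rule names are hypothetical, and requiring an explicit qsaal or ilmi keyword on VCI 5 or 16 is an assumption.

```python
import re
from collections import defaultdict

IFACE = re.compile(r"^interface\s+atm(\S+?)(?:\.(\d+))?(?:\s+(point-to-point|multipoint))?$", re.I)
PVC = re.compile(r"^pvc\s+(?:(\S+)\s+)?(\d+)/(\d+)(?:\s+(ilmi|qsaal))?$", re.I)
VLAN_CMD = re.compile(r"^(bridge-domain|bre-connect)\s+(\d+)\b", re.I)
RBE = re.compile(r"^atm route-bridged? ip$", re.I)


def parse(config):
    """Collect ATM (sub)interfaces and their PVCs from IOS-style configuration text."""
    subifs, pvcs = {}, []
    cur_if = cur_pvc = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_pvc = None
        elif (m := IFACE.match(line)):
            name = f"ATM{m.group(1)}" + (f".{m.group(2)}" if m.group(2) else "")
            cur_if = subifs.setdefault(
                name, {"name": name, "port": m.group(1), "mode": m.group(3), "rbe": False})
            cur_pvc = None
        elif line.lower().startswith("interface "):
            cur_if = cur_pvc = None            # non-ATM interface: out of scope
        elif cur_if is None:
            continue
        elif RBE.match(line):
            cur_if["rbe"] = True               # may appear before or after the pvc
        elif (m := PVC.match(line)):
            cur_pvc = {"subif": cur_if["name"], "vpi": int(m.group(2)), "vci": int(m.group(3)),
                       "kw": (m.group(4) or "").lower(), "half": False, "bridge": None, "bre": None}
            pvcs.append(cur_pvc)
        elif cur_pvc is not None:
            if line.lower() == "encapsulation aal5snap bridge":
                cur_pvc["half"] = True
            elif (m := VLAN_CMD.match(line)):
                key = "bridge" if m.group(1).lower() == "bridge-domain" else "bre"
                cur_pvc[key] = int(m.group(2))
    return subifs, pvcs


def lint(config):
    """Return sorted (rule, location) findings for the constraints listed in this chapter."""
    subifs, pvcs = parse(config)
    findings, seen, half = [], defaultdict(list), defaultdict(int)
    for p in pvcs:
        sub = subifs[p["subif"]]
        where = f"{p['subif']} pvc {p['vpi']}/{p['vci']}"
        if not (0 <= p["vpi"] <= 255 and 1 <= p["vci"] <= 65535):
            findings.append(("vpi-vci-out-of-range", where))
        elif p["vci"] <= 31 and (p["vci"], p["kw"]) not in {(5, "qsaal"), (16, "ilmi")}:
            findings.append(("reserved-vci", where))
        seen[(sub["port"], p["vpi"], p["vci"])].append(p["subif"])
        if p["half"]:
            half[p["subif"]] += 1
            if sub["mode"] == "point-to-point":
                findings.append(("half-bridge-on-point-to-point", where))
            if p["bridge"] is not None:
                findings.append(("half-and-full-bridging", where))
        if sub["rbe"] and p["bridge"] is not None:
            findings.append(("bridge-domain-on-rbe", where))
    # A repeated vpi/vci on one port silently edits the earlier PVC when pasted into the CLI.
    for (port, vpi, vci), owners in seen.items():
        if len(owners) > 1:
            findings.append(("duplicate-vpi-vci", f"ATM{port} {vpi}/{vci} on {', '.join(owners)}"))
    findings += [("multiple-half-bridged-pvcs", s) for s, n in half.items() if n > 1]
    shared = ({p["bre"] for p in pvcs} & {p["bridge"] for p in pvcs}) - {None}
    findings += [("vlan-in-bre-and-bridge-domain", f"vlan {v}") for v in sorted(shared)]
    return sorted(findings)


# Constructed candidate configuration containing five deliberate mistakes.
SAMPLE = """\
interface ATM4/0/0.20 multipoint
 ip address 172.31.5.9 255.255.255.0
 pvc 1/120
  encapsulation aal5snap bridge
 pvc 1/121
  encapsulation aal5snap bridge
!
interface ATM4/0/0.30 point-to-point
 atm route-bridge ip
 ip address 10.8.100.1 255.255.255.0
 pvc 1/120
  bridge-domain 100
!
interface ATM4/0/0.40 point-to-point
 pvc 0/16
  bridge-domain 200 dot1q-tunnel
!
interface ATM10/0/3.111 point-to-point
 pvc 11/101
  bre-connect 100
"""

if __name__ == "__main__":
    for rule, where in lint(SAMPLE):
        print(f"{rule:32} {where}")
```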
Configuring the Bridged Routed Encapsulation within an Automatic Protection
Switching Group
You can configure only one VC on the same VLAN. To configure more than one VC, customers
configure two different VLANs on the protected and working interfaces of the Automatic Protection
Switching (APS) group. This workaround is not a viable long-term solution because it results in high
convergence time and an inefficient use of VLANs. To resolve these limitations, you can use the
BRE+APS feature to configure two VCs for the same VLAN, provided their parent interfaces also belong
to the same APS group.
Use the show atm vlan bre command to display the status of the configured PVCs.
Supported Line Cards
This feature is supported on the SIP-200 and SIP-400 line cards.
Requirements and Restrictions
Follow these requirements and restrictions when you configure the BRE+APS feature:
• You can configure BRE-connect VLANs for two different VCs if the new VC:
– belongs to the same APS group to which the first VC belongs.
– does not belong to the same ATM interface as the first VC.
• Before you change the APS parameters of an interface (changing the APS group or removing the
APS configurations), first ensure that the BRE configurations on the interface are removed.
Note To configure APS on an ATM interface, refer to Configuring APS, page 15-9.
Verifying the Bridged Routed Encapsulation within an Automatic Protection Switching Group
Configuration
Command or Action Purpose
Step 1 Router(config)# show atm vlan bre Verifies the configuration and displays the status of the
PVC. An active VC is displayed as UP and an inactive VC
as DN (down).
This example shows how to verify the configuration of BRE ATM VLAN:
Router# show atm vlan bre
Interface Bre VCD VPI/VCI Vlan Learned MAC Virtual MAC State
ATM3/0/0.1 1 0/11 100 0000.0000.0000 0000.0300.0001 UP
ATM3/0/0.2 2 1/13 200 0000.0000.0000 0000.0300.0002 UP
ATM4/0/0.2 2 1/13 300 0000.0000.0000 0000.0400.0002 DN
Warning Messages
Consider instances where you have configured APS on the main interface, and have configured BRE
within a main interface and subinterface. The warning message “%ATM2/0/0 - Remove BRE configs on
this interface before changing APS configs” appears when you attempt to modify the APS configurations
in the main interface, without removing the BRE configurations first.
Configuring MPLS over RBE
The ATM SPAs support MPLS over RBE on a Cisco 7600 SIP-200. For more information on routed
bridged encapsulation (RBE), see the “Configuring ATM Routed Bridge Encapsulation” section on
page 7-23. To use this feature, configure both RBE and MPLS on the ATM subinterface using the
following procedure:
Command or Action Purpose
Step 1 Router(config)# interface atm slot/subslot/port Enters interface configuration mode for the indicated port
on the specified ATM SPA.
Step 2 Router(config-if)# ip address Assigns an IP address to the interface.
Step 3 Router(config-if)# atm route-bridge ip Configures RBE.
Step 4 Router(config-if)# mpls ip Configures MPLS.
Verifying MPLS over RBE Configuration
Use the following commands to verify MPLS over RBE configuration:
Router# show running interfaces a4/1/0.200
interface ATM4/1/0.200 point-to-point
ip address 3.0.0.2 255.255.0.0
atm route-bridged ip
tag-switching ip
pvc 10/200
!
Router# show mpls interfaces
Interface IP Tunnel Operational
ATM4/1/0.200 Yes (ldp) No Yes
Router# show mpls ldp bindings
tib entry: 5.0.0.0/16, rev 2
local binding: tag: imp-null
tib entry: 6.0.0.0/16, rev 4
local binding: tag: imp-null
remote binding: tsr: 3.0.0.1:0, tag: imp-null
Router# show mpls ldp neighbor
Peer LDP Ident: 3.0.0.1:0; Local LDP Ident 3.0.0.2:0
TCP connection: 3.0.0.1.646 - 3.0.0.2.11001
State: Oper; Msgs sent/rcvd: 134/131; Downstream
Up time: 01:51:08
LDP discovery sources:
ATM4/1/0.200, Src IP addr: 6.0.0.1
Addresses bound to peer LDP Ident:
6.0.0.1
Router# show mpls forwarding
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 3.0.0.0/16 0 AT4/1/0.200 6.0.0.1
17 Pop tag 16.16.16.16/32 0 AT4/1/0.200 6.0.0.1
18 19 13.13.13.13/32 134 AT4/1/0.200 6.0.0.1 <<<<<
19 Pop tag 17.17.17.17/32 0 PO8/0/0.1 point2point
Configuring Aggregate WRED for PVCs
Weighted Random Early Detection (WRED) is the Cisco implementation of Random Early Detection
(RED) for standard Cisco IOS platforms. RED is a congestion-avoidance technique that takes advantage
of the congestion-control mechanism of TCP to anticipate and avoid congestion before it occurs. By
dropping packets prior to periods of high congestion, RED tells the packet source (usually TCP) to
decrease its transmission rate. When configured, WRED can selectively discard lower priority traffic and
provide differentiated performance characteristics for different classes of service.
The Aggregate WRED feature provides a means to overcome limitations of WRED implementations that
can only support a limited number of unique subclasses. When an interface enables support for aggregate
WRED, subclasses that share the same minimum threshold, maximum threshold, and mark probability
values can be configured into one aggregate subclass based on their IP precedence value or differentiated
services code point (DSCP) value. (The DSCP value is the first six bits of the IP type of service [ToS]
byte.) You can also define a default aggregate subclass for all subclasses that have not been explicitly
defined.
For more complete information on WRED, refer to the Cisco IOS Quality of Service Solutions
Configuration Guide.
Aggregate WRED Configuration Guidelines
When configuring aggregate WRED on an ATM SPA interface, consider the following guidelines:
• The Aggregate WRED feature requires that the ATM SPAs are installed in a Cisco 7600 SIP-200 or
a Cisco 7600 SIP-400.
• With the Aggregate WRED feature, the previous configuration limitation of a maximum of 6
precedence values per class per WRED policy map is no longer in effect.
• When you configure a policy map class for aggregated WRED on an ATM interface, then you cannot
also configure the standard random-detect commands in interface configuration or policy-map
class configuration mode.
• Specifying the precedence-based keyword is optional; precedence-based is the default form of
aggregate WRED.
• The set of subclass values (IP precedence or DSCP) defined on a random-detect precedence
(aggregate) or random-detect dscp (aggregate) CLI will be aggregated into a single hardware
WRED resource. The statistics for these subclasses will also be aggregated.
• Defining WRED parameter values for the default aggregate class is optional. If defined, WRED
parameters applied to the default aggregate class will be used for all subclasses that have not been
explicitly configured. If all possible IP precedence or DSCP values are defined as subclasses, a
default specification is unnecessary. If the optional parameters for a default aggregate class are not
defined and packets with an unconfigured IP precedence or DSCP value arrive at the interface, these
undefined subclass values will be set based on interface (VC) bandwidth.
• After aggregate WRED has been configured in a service policy map, the service policy map must be
applied at the ATM VC level (as shown in Step 5 through Step 8 of “Configuring Aggregate WRED
Based on IP Precedence”).
• The Aggregate WRED feature is not supported in a switched virtual circuit (SVC) environment.
Configuring Aggregate WRED Based on IP Precedence
To configure aggregate WRED to drop packets based on IP precedence values, use the following
commands beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# policy-map policy-map-name Creates or modifies a policy map that can be
attached to one or more interfaces to specify a
service policy.
• policy-map-name—Name of a service policy
map to be created. The name can be a maximum
of 40 alphanumeric characters.
Step 2 Router(config-pmap)# class {class-name | class-default} Specifies the class policy to be configured.
• class-name—Name of class you want to
configure. Note that WRED can be defined for a
user-defined class only if the class has the
bandwidth/shape feature enabled.
• class-default—Default class.
Step 3 Router(config-pmap-c)# random-detect
[precedence-based] aggregate [minimum-thresh
min-thresh maximum-thresh max-thresh mark-probability
mark-prob]
Enables aggregate WRED based on IP precedence
values. If optional parameters for a default aggregate
class are not defined, these parameters will be set
based on interface (VC) bandwidth.
• precedence-based—(Optional) Specifies that
aggregate WRED is to drop packets based on IP
precedence values. This is the default.
• min-thresh—(Optional) Minimum threshold in
number of packets. The value range of this
argument is from 1 to 12288.
• max-thresh—(Optional) Maximum threshold in
number of packets. The value range of this
argument is from the value of the minimum
threshold argument to 12288.
• mark-prob—(Optional) Denominator for the
fraction of packets dropped when the average
queue depth is at the maximum threshold. The
value range is from 1 to 255.
Step 4 Router(config-pmap-c)# random-detect precedence values
sub-class-val1 [...[sub-class-val8]] minimum-thresh
min-thresh maximum-thresh max-thresh
[mark-probability mark-prob]
Configures the WRED parameters for packets with
one or more specific IP precedence values.
• sub-class-val1 [...[sub-class-val8]]—One or
more specific IP precedence values to which the
following WRED profile parameter
specifications are to apply. A maximum of 8
subclasses (IP precedence values) can be
specified per CLI entry. The IP precedence
value can be a number from 0 to 7.
• min-thresh—Minimum threshold in number of
packets. The value range of this argument is from
1 to 12288.
• max-thresh—Maximum threshold in number of
packets. The value range of this argument is from
the value of the minimum threshold argument to
12288.
• mark-prob—Denominator for the fraction of
packets dropped when the average queue depth is
at the maximum threshold. The value range is
from 1 to 255.
Repeat this command for each set of IP precedence
values that share WRED parameters.
Step 5 Router(config-pmap-c)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface on
the given port on the specified ATM SPA, and enters
subinterface configuration mode.
• slot—Chassis slot number where the SIP is
installed.
• subslot—Secondary slot of the SIP where the
SPA is installed.
• port—Number of the individual interface port
on the SPA.
• .subinterface—Subinterface number. The
number that precedes the period must match the
number to which this subinterface belongs. The
range is 1 to 4,294,967,293.
Step 6 Router(config-subif)# ip address address mask Assigns the specified IP address and subnet mask to
the interface.
• address—IP address.
• mask—Subnet mask.
Step 7 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning an
optional name and its VPI/VCI numbers.
• name—(Optional) An arbitrary string that
identifies this PVC.
• vpi—VPI ID. The range is 0 to 255.
• vci—VCI ID. The valid range is 1 to 65535.
Values 1 to 31 are reserved and should not be
used, except 5 for the QSAAL PVC and 16 for
the ILMI PVC.
Step 8 Router(config-subif)# service-policy output
policy-map-name
Attaches the specified policy map to the
subinterface.
• policy-map-name—Name of a service policy
map to be attached. The name can be a
maximum of 40 alphanumeric characters.
Verifying the Precedence-Based Aggregate WRED Configuration
To verify a precedence-based aggregate WRED configuration, use the show policy-map interface
command. Note that the statistics for IP precedence values 0 through 3 and 4 and 5 have been aggregated
into one line each.
Router# show policy-map interface a4/1/0.10
ATM4/1/0.10: VC 10/110 -
Service-policy output: prec-aggr-wred
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 1 2 3 0/0 0/0 0/0 10 100 1/10
4 5 0/0 0/0 0/0 40 400 1/10
6 0/0 0/0 0/0 60 600 1/10
7 0/0 0/0 0/0 70 700 1/10
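The following Python example is added here and is not part of the Cisco guide. It models the prec-aggr-wred policy from the output above: it enforces the parameter ranges given in Steps 3 and 4, maps each IP precedence value to its aggregate profile, and computes the drop probability using the standard WRED linear ramp and exponentially weighted average. The class and function names are hypothetical, and rejecting a value listed in two entries is an assumption of this example.

```python
from dataclasses import dataclass

MAX_PACKETS = 12288        # upper bound for min-thresh and max-thresh
MAX_MARK_PROB = 255        # upper bound for the mark-prob denominator
MAX_VALUES_PER_ENTRY = 8   # subclass values allowed per CLI entry


@dataclass(frozen=True)
class WredProfile:
    min_thresh: int   # packets
    max_thresh: int   # packets
    mark_prob: int    # denominator: 10 means 1/10 dropped at max_thresh

    def __post_init__(self):
        if not 1 <= self.min_thresh <= MAX_PACKETS:
            raise ValueError("min-thresh must be 1..12288")
        if not self.min_thresh <= self.max_thresh <= MAX_PACKETS:
            raise ValueError("max-thresh must be min-thresh..12288")
        if not 1 <= self.mark_prob <= MAX_MARK_PROB:
            raise ValueError("mark-prob must be 1..255")

    def drop_probability(self, avg_depth):
        """Drop probability for a given average queue depth (packets)."""
        if avg_depth < self.min_thresh:
            return 0.0                      # below the ramp: nothing dropped
        if avg_depth > self.max_thresh:
            return 1.0                      # above the ramp: everything dropped
        span = self.max_thresh - self.min_thresh
        ramp = 1.0 if span == 0 else (avg_depth - self.min_thresh) / span
        return ramp / self.mark_prob        # reaches 1/mark_prob at max_thresh


class AggregateWred:
    """Subclass values that share one profile, plus an optional default."""

    def __init__(self, mode="precedence", default=None):
        if mode not in ("precedence", "dscp"):
            raise ValueError("mode must be 'precedence' or 'dscp'")
        self.limit = 7 if mode == "precedence" else 63
        self.default = default
        self._by_value = {}

    def add(self, values, profile):
        values = list(values)
        if not 1 <= len(values) <= MAX_VALUES_PER_ENTRY:
            raise ValueError("1 to 8 subclass values per entry")
        for v in values:
            if not 0 <= v <= self.limit:
                raise ValueError(f"value {v} out of range 0..{self.limit}")
            if v in self._by_value:
                # Assumption of this example: treat a repeated value as an error.
                raise ValueError(f"value {v} already belongs to an aggregate")
        for v in values:
            self._by_value[v] = profile
        return self

    def drop_probability(self, value, avg_depth):
        profile = self._by_value.get(value, self.default)
        if profile is None:
            # The guide says such values are set from the VC bandwidth,
            # which this model cannot derive.
            raise LookupError(f"no profile configured for value {value}")
        return profile.drop_probability(avg_depth)


def ewma(avg, depth, exp_weight=9):
    """Average queue depth update; exp_weight 9 gives a weight of 1/512."""
    return avg + (depth - avg) / (2 ** exp_weight)


def policy_from_show_output():
    """The four aggregates displayed by show policy-map interface above."""
    return (AggregateWred("precedence")
            .add([0, 1, 2, 3], WredProfile(10, 100, 10))
            .add([4, 5], WredProfile(40, 400, 10))
            .add([6], WredProfile(60, 600, 10))
            .add([7], WredProfile(70, 700, 10)))
```

At an average depth of 55 packets, precedence 0 through 3 traffic is already halfway up its ramp while precedence 6 traffic has not yet reached its minimum threshold.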
Configuring Aggregate WRED Based on DSCP
To configure aggregate WRED to drop packets based on the differentiated services code point (DSCP)
value, use the following commands beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# policy-map policy-map-name Creates or modifies a policy map that can be
attached to one or more interfaces to specify a
service policy.
• policy-map-name—Name of a service policy
map to be created. The name can be a maximum
of 40 alphanumeric characters.
Step 2 Router(config-pmap)# class {class-name | class-default} Specifies the class policy to be configured.
• class-name—Name of class you want to
configure. Note that WRED can be defined for a
user-defined class only if the class has the
bandwidth/shape feature enabled.
• class-default—Default class.
Step 3 Router(config-pmap-c)# random-detect dscp-based
aggregate [minimum-thresh min-thresh maximum-thresh
max-thresh mark-probability mark-prob]
Enables aggregate WRED based on DSCP values. If
optional parameters for a default aggregate class are
not defined, these parameters will be set based on
interface (VC) bandwidth.
• min-thresh—(Optional) Minimum threshold in
number of packets. The value range of this
argument is from 1 to 12288.
• max-thresh—(Optional) Maximum threshold in
number of packets. The value range of this
argument is from the value of the minimum
threshold argument to 12288.
• mark-prob—(Optional) Denominator for the
fraction of packets dropped when the average
queue depth is at the maximum threshold. The
value range is from 1 to 255.
Step 4 Router(config-pmap-c)# random-detect dscp values
sub-class-val1 [...[sub-class-val8]] minimum-thresh
min-thresh maximum-thresh max-thresh
[mark-probability mark-prob]
Configures the WRED parameters for packets with
one or more specific DSCP values.
• sub-class-val1 [...[sub-class-val8]]—One or
more DSCP values to which the following
WRED parameter specifications are to apply. [A
maximum of 8 subclasses (IP precedence
values) can be specified per CLI entry.] The
DSCP value can be a number from 0 to 63, or it
can be one of the following keywords: ef, af11,
af12, af13, af21, af22, af23, af31, af32, af33, af41,
af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7.
• min-thresh—Specifies the minimum threshold in
number of packets. The value range of this
argument is from 1 to 12288.
• max-thresh—Specifies the maximum threshold
in number of packets. The value range of this
argument is from the value of the minimum
threshold argument to 12288.
• mark-prob—Specifies the denominator for the
fraction of packets dropped when the average
queue depth is at the maximum threshold. The
value range is from 1 to 255.
Repeat this command for each set of DSCP values
that share WRED parameters.
Step 5 Router(config-pmap-c)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface on
the given port on the specified ATM SPA, and enters
subinterface configuration mode.
• slot—Chassis slot number where the SIP is
installed.
• subslot—Secondary slot of the SIP where the
SPA is installed.
• port—Number of the individual interface port
on the SPA.
• .subinterface—Subinterface number. The
number that precedes the period must match the
number to which this subinterface belongs. The
range is 1 to 4,294,967,293.
Step 6 Router(config-subif)# ip address address mask Assigns the specified IP address and subnet mask to
the interface.
• address—IP address.
• mask—Subnet mask.
Step 7 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning an
optional name and its VPI/VCI numbers.
• name—(Optional) An arbitrary string that
identifies this PVC.
• vpi—VPI ID. The range is 0 to 255.
• vci—VCI ID. The valid range is 1 to 65535.
Values 1 to 31 are reserved and should not be
used, except 5 for the QSAAL PVC and 16 for
the ILMI PVC.
Step 8 Router(config-subif)# service-policy output
policy-map-name
Attaches the specified policy map to the
subinterface.
• policy-map-name—Name of a service policy
map to be attached. The name can be a
maximum of 40 alphanumeric characters.
Verifying the DSCP-Based Aggregate WRED Configuration
To verify a DSCP-based aggregate WRED configuration, use the show policy-map interface command.
Note that the statistics for DSCP values 0 through 3, 4 through 7, and 8 through 11 have been aggregated
into one line each.
Router# show policy-map interface a4/1/0.11
ATM4/1/0.11: VC 11/101 -
Service-policy output: dscp-aggr-wred
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Exp-weight-constant: 0 (1/1)
Mean queue depth: 0
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
default 0/0 0/0 0/0 1 10 1/10
0 1 2 3
4 5 6 7 0/0 0/0 0/0 10 20 1/10
8 9 10 11 0/0 0/0 0/0 10 40 1/10
Configuring Non-aggregate WRED
Prior to the 15.0(1)S release, the ATM SPA supported only aggregate Weighted Random Early Detection
(WRED), where a set of subclass (IP precedence or DSCP) values is aggregated on a single hardware
WRED resource on the SPA. The ATM SPA has 8 queues per class, of which one is reserved for priority
traffic and another for default traffic. The remaining 6 queues are used for user-defined queues.
From the 15.0(1)S release, the ATM SPA also supports non-aggregate Weighted Random Early Detection
(WRED) on a SIP-200 and SIP-400.
The ATM SPA supports limited non-aggregate WRED for the specified DSCP or precedence values
(maximum of 6); all other DSCP or precedence values go to the default profile.
Non-aggregate WRED Configuration Guidelines
When configuring non-aggregate WRED on an ATM SPA interface, consider the following guidelines:
• The Non-aggregate WRED feature requires that the ATM SPAs are installed in a SIP-200 or a
SIP-400.
• Non-aggregate WRED has a maximum of 6 user-defined WRED queues.
Configuring Non-aggregate WRED Based on IP Precedence
To configure non-aggregate WRED to drop packets based on IP precedence values, use the following
commands in the global configuration mode:
Command Purpose
Step 1 Router(config)# policy-map policy-map-name Creates or modifies a policy map that can be
attached to one or more interfaces to specify a
service policy.
• policy-map-name—Name of a service policy
map to be created. The name can be a maximum
of 40 alphanumeric characters.
Step 2 Router(config-pmap)# class {class-name | class-default} Specifies the class policy to be configured.
• class-name—Name of class you want to
configure. Note that WRED can be defined for
a user-defined class only if the class has the
bandwidth/shape feature enabled.
• class-default—Default class.
Step 3 Router(config-pmap-c)# random-detect
[precedence-based]
Enables non-aggregate WRED based on IP
precedence values. If optional parameters for a
default non-aggregate class are not defined, these
parameters will be set based on interface (VC)
bandwidth.
• precedence-based—(Optional) Specifies that
non-aggregate WRED is to drop packets based
on IP precedence values. This is the default.
Step 4 Router(config-pmap-c)# random-detect precedence values
sub-class-val1 [...[sub-class-val8]] min-thresh max-thresh
[mark-prob]
Configures the WRED parameters for packets with
one or more specific IP precedence values.
• sub-class-val1 [...[sub-class-val8]]—One or
more specific IP precedence values to which the
following WRED profile parameter
specifications are to apply. A maximum of 8
subclasses (IP precedence values) can be
specified per CLI entry. The IP precedence
value can be a number from 0 to 7.
• min-thresh—Minimum threshold in number of
packets. The value range of this argument is from
1 to 12288.
• max-thresh—Maximum threshold in number of
packets. The value range of this argument is from
the value of the minimum threshold argument to
12288.
• mark-prob—Denominator for the fraction of
packets dropped when the average queue depth is
at the maximum threshold. The maximum
configurable value for mark probability is 31.
Repeat this command for each set of IP precedence
values that share WRED parameters.
Step 5 Router(config-pmap-c)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface on
the given port on the specified ATM SPA, and enters
subinterface configuration mode.
• slot—Chassis slot number where the SIP is
installed.
• subslot—Secondary slot of the SIP where the
SPA is installed.
• port—Number of the individual interface port
on the SPA.
• .subinterface—Subinterface number. The
number that precedes the period must match the
number to which this subinterface belongs. The
range is 1 to 4,294,967,293.
Step 6 Router(config-subif)# ip address address mask Assigns the specified IP address and subnet mask to
the interface.
• address—IP address.
• mask—Subnet mask.
Step 7 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning an
optional name and its VPI/VCI numbers.
• name—(Optional) An arbitrary string that
identifies this PVC.
• vpi—VPI ID. The range is 0 to 255.
• vci—VCI ID. The valid range is 1 to 65535.
Values 1 to 31 are reserved and should not be
used, except 5 for the QSAAL PVC and 16 for
the ILMI PVC.
Step 8 Router(config-subif)# service-policy output
policy-map-name
Attaches the specified policy map to the
subinterface.
• policy-map-name—Name of a service policy
map to be attached. The name can be a
maximum of 40 alphanumeric characters.
Verifying the Precedence-Based Non-aggregate WRED Configuration
To verify a precedence-based non-aggregate WRED configuration, use the show policy-map interface
command. Note that the statistics for IP precedence values 0 through 3 and 4 and 5 have been aggregated
into one line each.
Router# show policy-map interface atm 3/0/2
ATM3/0/2: VC 1/100 -
Service-policy output: non-agg-prec
Counters last updated 00:00:02 ago
Class-map: prec012 (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip precedence 0
Match: ip precedence 1
Match: ip precedence 2
Queueing
queue limit 11009 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 42% (62899 kbps)
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
default 0/0 0/0 0/0 3096 5504 1/10
0 0/0 0/0 0/0 12 324 1/10
1 N/A N/A N/A N/A N/A N/A
2 N/A N/A N/A N/A N/A N/A
3 N/A N/A N/A N/A N/A N/A
4 N/A N/A N/A N/A N/A N/A
5 N/A N/A N/A N/A N/A N/A
6 N/A N/A N/A N/A N/A N/A
7 N/A N/A N/A N/A N/A N/A
Configuring Non-aggregate WRED Based on DSCP
To configure Non-aggregate WRED to drop packets based on the differentiated services code point
(DSCP) value, use the following commands beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# policy-map policy-map-name Creates or modifies a policy map that can be
attached to one or more interfaces to specify a
service policy.
• policy-map-name—Name of a service policy
map to be created. The name can be a maximum
of 40 alphanumeric characters.
Step 2 Router(config-pmap)# class {class-name | class-default} Specifies the class policy to be configured.
• class-name—Name of class you want to
configure. Note that WRED can be defined for
a user-defined class only if the class has the
bandwidth/shape feature enabled.
• class-default—Default class.
Step 3 Router(config-pmap-c)# random-detect dscp-based Enables non-aggregate WRED based on DSCP
values.
Step 4 Router(config-pmap-c)# random-detect dscp values
sub-class-val1 [...[sub-class-val8]] min-thresh max-thresh
[mark-prob]
Configures the WRED parameters for packets with
one or more specific DSCP values.
• sub-class-val1 [...[sub-class-val8]]—One or
more DSCP values to which the following
WRED parameter specifications are to apply. [A
maximum of 8 subclasses (IP precedence
values) can be specified per CLI entry.] The
DSCP value can be a number from 0 to 63, or it
can be one of the following keywords: ef, af11,
af12, af13, af21, af22, af23, af31, af32, af33, af41,
af42, af43, cs1, cs2, cs3, cs4, cs5, or cs7.
• min-thresh—Specifies the minimum threshold in
number of packets. The value range of this
argument is from 1 to 12288.
• max-thresh—Specifies the maximum threshold
in number of packets. The value range of this
argument is from the value of the minimum
threshold argument to 12288.
• mark-prob—Specifies the denominator for the
fraction of packets dropped when the average
queue depth is at the maximum threshold. The
value range is from 1 to 255.
Repeat this command for each set of DSCP values
that share WRED parameters.
Step 5 Router(config-pmap-c)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface on
the given port on the specified ATM SPA, and enters
subinterface configuration mode.
• slot—Chassis slot number where the SIP is
installed.
• subslot—Secondary slot of the SIP where the
SPA is installed.
• port—Number of the individual interface port
on the SPA.
• .subinterface—Subinterface number. The
number that precedes the period must match the
number to which this subinterface belongs. The
range is 1 to 4,294,967,293.
Step 6 Router(config-subif)# ip address address mask Assigns the specified IP address and subnet mask to
the interface.
• address—IP address.
• mask—Subnet mask.
Step 7 Router(config-subif)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning an
optional name and its VPI/VCI numbers.
• name—(Optional) An arbitrary string that
identifies this PVC.
• vpi—VPI ID. The range is 0 to 255.
• vci—VCI ID. The valid range is 1 to 65535.
Values 1 to 31 are reserved and should not be
used, except 5 for the QSAAL PVC and 16 for
the ILMI PVC.
Step 8 Router(config-subif)# service-policy output
policy-map-name
Attaches the specified policy map to the
subinterface.
• policy-map-name—Name of a service policy
map to be attached. The name can be a
maximum of 40 alphanumeric characters.
Verifying the DSCP-Based Non-aggregate WRED Configuration
To verify a DSCP-based Non-aggregate WRED configuration, use the show policy-map interface
command. Note that the statistics for DSCP values 0 through 3, 4 through 7, and 8 through 11 have been
aggregated into one line each.
Router# show policy-map interface a4/1/0.11
ATM3/0/2: VC 1/100 -
Service-policy output: non-agg
Class-map: DSCP-OUT-D1 (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: ip dscp cs3 (24) af31 (26) af32 (28) cs4 (32)
Queueing
queue limit 15724 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 42% (62899 kbps)
Mean queue depth: 0 packets
dscp Transmitted Random drop Tail drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
default 0/0 0/0 0/0 2752 5504 1/10
cs3 0/0 0/0 0/0 118 235 1/20
af31 0/0 0/0 0/0 123 5243 1/34
Creating and Configuring Switched Virtual Circuits
A switched virtual circuit (SVC) is created and released dynamically, providing user bandwidth on
demand. To enable the use of SVCs, you must configure a signaling protocol to be used between the
Cisco 7600 series router and the ATM switch. The ATM SPA supports versions 3.0, 3.1, and 4.0 of the
User-Network Interface (UNI) signaling protocol, which uses the Integrated Local Management
Interface (ILMI) to establish, maintain, and clear the ATM connections at the UNI.
The Cisco 7600 series router does not perform ATM-level call routing when configured for UNI/ILMI
operation. Instead, the ATM switch acts as the network and performs the call routing, while the
Cisco 7600 series router acts only as the user end-point of the call circuit and only routes packets through
the resulting circuit.
Note The 1-Port OC-48c/STM-16 ATM SPA does not support SVCs.
To use UNI/ILMI signaling, you must create an ILMI PVC and a signaling PVC to be used for the SVC
call-establishment and call-termination messages between the ATM switch and Cisco 7600 series router.
This also requires configuring the ATM interface with a network service access point (NSAP) address
that uniquely identifies itself across the network.
The NSAP address consists of a network prefix (13 hexadecimal digits), a unique end station identifier
(ESI) of 6 hexadecimal bytes, and a selector byte. If an ILMI PVC exists, the Cisco 7600 series router
can obtain the NSAP prefix from the ATM switch, and you must manually configure only the ESI and
selector byte. If an ILMI PVC does not exist, or if the ATM switch does not support this feature, you
must configure the entire address manually.
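The following Python example is added here and is not part of the Cisco guide. It validates an NSAP address against the dotted 40-digit format that the procedure gives for atm nsap-address, splits it into the 26-digit prefix, 12-digit ESI, and 2-digit selector, and rebuilds a full address from a switch-supplied prefix plus an esi.selector value. The function names are hypothetical, the sample address in the usage note is constructed, and accepting the ESI with or without internal dots is an assumption of this example.

```python
import re

# Hex-digit group sizes of the dotted form shown for atm nsap-address:
# XX.XXXX.XX.XXXXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XX
NSAP_GROUPS = (2, 4, 2, 6, 4, 4, 4, 4, 4, 4, 2)
PREFIX_DIGITS, ESI_DIGITS, SEL_DIGITS = 26, 12, 2
NSAP_DIGITS = PREFIX_DIGITS + ESI_DIGITS + SEL_DIGITS   # 40

_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def _hex_field(text, digits, what):
    """Return text upper-cased if it is exactly `digits` hex digits."""
    if len(text) != digits or not _HEX.match(text):
        raise ValueError(f"{what} must be {digits} hexadecimal digits")
    return text.upper()


def parse_nsap(text):
    """Split a dotted or undotted NSAP address into prefix, ESI, selector."""
    text = text.strip()
    if "." in text:
        groups = text.split(".")
        # The dot positions are the validation the guide refers to.
        if tuple(len(g) for g in groups) != NSAP_GROUPS:
            raise ValueError("dot grouping does not match the NSAP format")
        text = "".join(groups)
    digits = _hex_field(text, NSAP_DIGITS, "NSAP address")
    return {
        "prefix": digits[:PREFIX_DIGITS],
        "esi": digits[PREFIX_DIGITS:PREFIX_DIGITS + ESI_DIGITS],
        "selector": digits[-SEL_DIGITS:],
    }


def format_dotted(digits):
    """Render 40 hex digits in the dotted NSAP form."""
    digits = _hex_field(digits, NSAP_DIGITS, "NSAP address")
    out, pos = [], 0
    for size in NSAP_GROUPS:
        out.append(digits[pos:pos + size])
        pos += size
    return ".".join(out)


def parse_esi_selector(text):
    """Parse the esi.selector argument of atm esi-address."""
    head, sep, selector = text.strip().rpartition(".")
    if not sep:
        raise ValueError("expected esi.selector")
    esi = _hex_field(head.replace(".", ""), ESI_DIGITS, "ESI")
    return esi, _hex_field(selector, SEL_DIGITS, "selector")


def build_nsap(prefix, esi_selector):
    """Combine a switch-supplied prefix with the local ESI and selector."""
    prefix = _hex_field(prefix.replace(".", ""), PREFIX_DIGITS, "NSAP prefix")
    esi, selector = parse_esi_selector(esi_selector)
    return format_dotted(prefix + esi + selector)
```

For the constructed address 47.0091.81.000000.0000.0000.0000.3456.7890.1234.12, parse_nsap returns ESI 345678901234 and selector 12, and an address whose dots fall in the wrong places is rejected even when it contains 40 valid hexadecimal digits.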
To create and configure an SVC, use the following procedure beginning in global configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface atm slot/subslot/port Enters interface configuration mode for the indicated port
on the specified ATM SPA.
Step 2 Router(config-subif)# pvc [name] 0/5 qsaal Configures a new ATM PVC to be used for SVC signaling:
• name—(Optional) An arbitrary string that identifies
this PVC.
• vpi—Specifies the VPI ID. The valid range is 0 to 255,
but the recommended value for vpi for the signaling
PVC is 0.
• vci—Specifies the VCI ID. The valid range is 1 to
65535, but the recommended value for vci for the
QSAAL signaling PVC is 5.
Note The ATM switch must be configured with the same
VPI and VCI values for this PVC.
• qsaal—Configures the signaling PVC to use QSAAL
encapsulation.
Step 3 Router(config-subif)# pvc [name] 0/16 ilmi Creates a new ATM PVC to be used for ILMI signaling:
• name—(Optional) An arbitrary string to identify the PVC.
• vpi—Specifies the VPI ID. The valid range is 0 to 255,
but the recommended value for vpi for the ILMI PVC
is 0.
• vci—Specifies the VCI ID. The valid range is 1 to
65535, but the recommended value for vci for the ILMI
PVC is 16.
• ilmi—Configures the PVC to use ILMI encapsulation.
Note The signaling and ILMI PVCs must be set up on the main ATM interface, not on a subinterface.
Step 4 Router(config-if-atm-vc)# exit Exits ATM PVC configuration mode and returns to interface
configuration mode.
Step 5 Router(config-if)# atm ilmi-keepalive [seconds]
[retry counts]
(Optional) Enables ILMI keepalive messages and sets the
interval between them. ILMI keepalive messages are
disabled by default.
• seconds—(Optional) The amount of time, in seconds,
between keepalive messages between the Cisco 7600
series router and the ATM switch. The valid range is 1
to 65535, with a default of 3 seconds.
• retry counts—(Optional) Specifies the number of
times the router should resend a keepalive message if
the first message is unacknowledged. The valid range is
2 to 5, with a default of 4.
Step 6 Router(config-if)# atm esi-address esi.selector Specifies the end station ID (ESI) and selector fields for the
local portion of the interface’s NSAP address, and
configures the interface to get the NSAP prefix from the
ATM switch.
• esi—Specifies a string of 12 hexadecimal digits, in
dotted notation, for the ATM interface’s ESI value. This
value must be unique across the network.
• selector—Specifies a string of 2 hexadecimal digits for
the selector byte for this ATM interface.
To configure the ATM address, you need to enter only the
ESI (12 hexadecimal digits) and the selector byte
(2 hexadecimal digits). The NSAP prefix (26 hexadecimal
digits) is provided by the ATM switch.
or
Router(config-if)# atm nsap-address nsap-address Assigns a complete NSAP address (40 hexadecimal digits)
to the interface. The address consists of a network prefix,
ESI, and selector byte, and must be in the following format:
XX.XXXX.XX.XXXXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XX
Note The above dotted hexadecimal format provides
some validation that the address is a legal value. If
you know that the NSAP address is correct, you may
omit the dots.
Note The atm esi-address and atm nsap-address commands are mutually exclusive. Configuring the Cisco 7600
series router with one of these commands automatically negates the other. Use the show interface atm
command to display the NSAP address that is assigned to the interface.
Step 7 Router(config-if)# interface atm
slot/subslot/port.subinterface [multipoint |
point-to-point]
(Optional) Creates the specified subinterface on the
specified ATM interface, and enters subinterface
configuration mode.
Note You can create SVCs on either the main ATM
interface or on a multipoint subinterface.
Step 8 Router(config-subif)# svc [name] nsap address Creates an SVC and specifies the destination NSAP address
(40 hexadecimal digits in dotted notation). You can also
configure the following option:
• name—(Optional) An arbitrary string that identifies
this SVC.
Step 9 Router(config-if-atm-vc)# oam-svc [manage]
[frequency]
Enables end-to-end Operation, Administration, and
Maintenance (OAM) loopback cell generation and
management of the SVC.
• manage—(Optional) Enables OAM management of the
SVC.
• frequency—(Optional) Specifies the delay between
transmitting OAM loopback cells. The valid range is 0
to 600 seconds, with a default of 10 seconds.
Step 10 Router(config-if-atm-vc)# protocol protocol
{protocol-address | inarp} [[no] broadcast]
Configures the SVC for a particular protocol and maps it to
a specific protocol-address.
• protocol—Typically set to either ip or ppp, but other
values are possible.
• protocol-address—Destination address or virtual
interface template for this SVC (if appropriate for the
protocol).
• inarp—Specifies that the SVC uses Inverse ARP to
determine its address.
• [no] broadcast—(Optional) Specifies that this
mapping should (or should not) be used for broadcast
packets.
Step 11 Router(config-if-atm-vc)# encapsulation aal5snap (Optional) Configures the ATM adaptation layer (AAL) and
encapsulation type. The default and only supported type is
aal5snap.
Note Repeat Step 7 through Step 11 for each SVC to be created.
Step 12 Router(config-if-atm-vc)# end Exits SVC configuration mode and returns to privileged
EXEC mode.
Verifying the SVC Configuration
Use the show atm svc and show atm ilmi-status commands to verify the configuration of the SVCs that
are currently configured on the Cisco 7600 series router.
Router# show atm svc
VCD / Peak Avg/Min Burst
Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells Sts
4/0/0 1 0 5 SVC SAAL UBR 155000 UP
4/0/2 4 0 35 SVC SNAP UBR 155000 UP
4/1/0 16 0 47 SVC SNAP UBR 155000 UP
4/1/0.1 593 0 80 SVC SNAP UBR 155000 UP
Tip To display all SVCs on a particular ATM interface or subinterface, use the show atm svc interface atm
command.
To display detailed information about a particular SVC, specify its VPI and VCI values:
Router# show atm svc 0/35
ATM5/1/0.200: VCD: 3384, VPI: 0, VCI: 35, Connection Name: SVC00
UBR, PeakRate: 155000
AAL5-MUX, etype:0x800, Flags: 0x44, VCmode: 0x0
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Received
OAM VC status: Verified
ILMI VC status: Not Managed
VC is managed by OAM.
InARP DISABLED
Transmit priority 6
InPkts: 0, OutPkts: 4, InBytes: 0, OutBytes: 400
InPRoc: 0, OutPRoc: 4, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 10
F5 InEndloop: 10, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 10
F5 OutEndloop: 10, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
TTL: 4
interface = ATM5/1/0.200, call locally initiated, call reference = 8094273
vcnum = 3384, vpi = 0, vci = 35, state = Active(U10)
, point-to-point call
Retry count: Current = 0
timer currently inactive, timer value = 00:00:00
Remote Atm Nsap address: 47.00918100000000107B2B4B01.111155550001.00
, VC owner: ATM_OWNER_SMAP
To display information about the ILMI status and NSAP addresses being used for the SVCs on an ATM
interface, use the show atm ilmi-status command:
Router# show atm ilmi-status atm 4/1/0
Interface : ATM4/1/0 Interface Type : Private UNI (User-side)
ILMI VCC : (0, 16) ILMI Keepalive : Enabled/Up (5 Sec 4 Retries)
ILMI State: UpAndNormal
Peer IP Addr: 10.10.13.1 Peer IF Name: ATM 3/0/3
Peer MaxVPIbits: 8 Peer MaxVCIbits: 14
Active Prefix(s) :
47.0091.8100.0000.0010.11b8.c601
End-System Registered Address(s) :
47.0091.8100.0000.0010.11b8.c601.2222.2222.2222.22(Confirmed)
47.0091.8100.0000.0010.11b8.c601.aaaa.aaaa.aaaa.aa(Confirmed)
Tip To display information about the SVC signaling PVC and ILMI PVC, use the show atm pvc 0/5 and
show atm pvc 0/16 commands.
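The address arithmetic from this section (26-digit prefix from the switch, 12-digit ESI, 2-digit selector) applied to the show atm ilmi-status output above. This is an added Python example, not Cisco code; the function names are hypothetical, and the sample text is the output printed in this guide.

```python
import re

# Field widths in hexadecimal digits, as given in the guide.
PREFIX_LEN, ESI_LEN, SEL_LEN = 26, 12, 2
NSAP_LEN = PREFIX_LEN + ESI_LEN + SEL_LEN            # 40
# Group widths of XX.XXXX.XX.XXXXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XXXX.XX
GUIDE_LAYOUT = (2, 4, 2, 6, 4, 4, 4, 4, 4, 4, 2)
_HEX = re.compile(r"[0-9a-f]+")


def _hex_digits(text, expected, what):
    """Drop dots, lower-case, and insist on exactly `expected` hex digits."""
    digits = text.strip().replace(".", "").lower()
    if len(digits) != expected or not _HEX.fullmatch(digits):
        raise ValueError(f"{what}: expected {expected} hex digits, got {text!r}")
    return digits


def parse_nsap(text, strict_layout=False):
    """Split a 40-digit NSAP address into prefix, ESI and selector.

    strict_layout=True also requires the dotted grouping the guide gives for
    atm nsap-address, which catches a dropped or doubled digit inside a group.
    """
    if strict_layout:
        groups = tuple(len(g) for g in text.strip().split("."))
        if groups != GUIDE_LAYOUT:
            raise ValueError(f"{text!r} does not follow the guide's dotted layout")
    d = _hex_digits(text, NSAP_LEN, "NSAP address")
    return {"prefix": d[:PREFIX_LEN],
            "esi": d[PREFIX_LEN:PREFIX_LEN + ESI_LEN],
            "selector": d[-SEL_LEN:]}


def parse_esi_selector(text):
    """Parse the esi.selector argument of atm esi-address."""
    esi, dot, selector = text.strip().rpartition(".")
    if not dot:
        raise ValueError(f"{text!r}: expected esi.selector")
    return (_hex_digits(esi, ESI_LEN, "ESI"),
            _hex_digits(selector, SEL_LEN, "selector"))


def expected_registration(prefix, esi_selector):
    """Address an interface configured with atm esi-address should register."""
    esi, selector = parse_esi_selector(esi_selector)
    return _hex_digits(prefix, PREFIX_LEN, "ILMI prefix") + esi + selector


def ilmi_addresses(show_output):
    """Read prefixes and registered addresses from show atm ilmi-status text."""
    section, prefixes, registered = None, [], []
    for line in (raw.strip() for raw in show_output.splitlines()):
        if line.startswith("Active Prefix"):
            section = "prefix"
        elif line.startswith("End-System Registered"):
            section = "registered"
        elif section == "prefix" and line:
            prefixes.append(_hex_digits(line, PREFIX_LEN, "ILMI prefix"))
        elif section == "registered" and line:
            address, _, state = line.partition("(")
            entry = parse_nsap(address)
            entry["state"] = state.rstrip(")")
            # An address outside every switch-supplied prefix deserves a look.
            entry["prefix_known"] = entry["prefix"] in prefixes
            registered.append(entry)
    return prefixes, registered


# The show atm ilmi-status output printed in this guide.
ILMI_STATUS = """\
Interface : ATM4/1/0 Interface Type : Private UNI (User-side)
ILMI VCC : (0, 16) ILMI Keepalive : Enabled/Up (5 Sec 4 Retries)
ILMI State: UpAndNormal
Peer IP Addr: 10.10.13.1 Peer IF Name: ATM 3/0/3
Peer MaxVPIbits: 8 Peer MaxVCIbits: 14
Active Prefix(s) :
47.0091.8100.0000.0010.11b8.c601
End-System Registered Address(s) :
47.0091.8100.0000.0010.11b8.c601.2222.2222.2222.22(Confirmed)
47.0091.8100.0000.0010.11b8.c601.aaaa.aaaa.aaaa.aa(Confirmed)
"""

if __name__ == "__main__":
    prefixes, registered = ilmi_addresses(ILMI_STATUS)
    for entry in registered:
        print(entry["esi"], entry["selector"], entry["state"], entry["prefix_known"])
```

The show commands print NSAP addresses with a different dot grouping from the one the atm nsap-address command expects, so strict_layout is meant for addresses about to be configured, not for parsing command output.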
Configuring Traffic Parameters for PVCs or SVCs
After creating a PVC or SVC, you can also configure it for the type of traffic quality of service (QoS)
class to be used over the circuit:
• Constant Bit Rate (CBR)—Configures the CBR service class and specifies the average cell rate for
the PVC or SVC.
• Unspecified Bit Rate (UBR)—Configures the UBR service class and specifies the output peak rate
(PCR) for the PVC or SVC. This is the default configuration. SVCs can also be configured with
similar input parameters.
• Unspecified Bit Rate Plus (UBR+)—Configures the UBR+ service class and specifies the output
peak cell rate (PCR) and minimum cell rate (MCR) for the SVC. SVCs can also be configured with
similar input parameters.
Note The 1-Port OC-48c/STM-16 ATM SPA does not support UBR+.
• Variable Bit Rate–Non-real Time (VBR-nrt)—Configures the VBR-nrt service class and specifies
the output PCR, output sustainable cell rate (SCR), and output maximum burst size (MBS) for the
PVC or SVC. SVCs can also be configured with similar input parameters.
• Variable Bit Rate–Real Time (VBR-rt)—Configures the VBR-rt service class and the peak rate and
average rate burst for the PVC or SVC.
Each service class is assigned a different transmit priority, which the Cisco 7600 series router uses to
determine which queued cell is chosen to be transmitted out of an interface during any particular cell
time slot. This process ensures that real-time QoS classes have a higher likelihood of being transmitted
during periods of congestion. Table 7-1 lists the ATM QoS classes and their default transmit priorities.
Note When using a CBR VC that exceeds half of the interface line rate, it is possible in some cases that the
shaping accuracy for the CBR traffic can drop from 99 percent to 98 percent when the interface is also
configured for UBR VCs that are oversubscribed (that is, the UBR VCs are configured for a total line
rate that exceeds the interface line rate). If this small drop in accuracy is not acceptable, then we
recommend using VBR-rt or VBR-nrt instead of CBR when oversubscribing UBR traffic.
Table 7-1 ATM Classes of Service and Default Transmit Priorities
Service Category                                                      Transmit Priority [1]
Signaling, Operation, Administration, and Maintenance (OAM)
cells, and other control cells                                        0 (highest)
CBR when greater than 5 percent of the line rate                      1
CBR when less than 5 percent of the line rate                         2
Voice traffic                                                         3
VBR-rt                                                                4
VBR-nrt                                                               5
UBR                                                                   6
Unused and not available or configurable                              7 (lowest)
[1] The default priorities can be changed for individual VCs using the transmit-priority VC configuration
command.
You can configure a PVC or SVC for only one QoS service class. If you enter more than one type, only
the most recently configured QoS class takes effect on the circuit.
To configure the traffic parameters for a PVC or SVC, perform the following procedure beginning in
global configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface atm slot/subslot
or
Router(config)# interface atm
slot/subslot/port.subinterface [multipoint |
point-to-point]
Enters interface or subinterface configuration mode for the
indicated port on the specified ATM SPA.
Step 2 Router(config-if)# pvc [name] vpi/vci
or
Router(config-if)# svc [name] nsap-address
Specifies the PVC or SVC to be configured, and enters
PVC/SVC configuration mode.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 3 Router(config-if-atm-vc)# cbr rate Configures constant bit rate (CBR) quality of service (QoS)
and average cell rate for the PVC or SVC:
• rate—Average cell rate in kbps. The valid range is 48
to 149760 (OC-3) or 599040 (OC-12).
or
Router(config-if-atm-vc)# ubr output-pcr [input-pcr] Configures unspecified bit rate (UBR) quality of service
(QoS) and peak cell rate (PCR) for the PVC or SVC:
• output-pcr—Output PCR in kbps. The valid range is 48
to 149760 (OC-3), 599040 (OC-12), or 2396160
(1-Port OC-48c/STM-16 ATM SPA).
• input-pcr—(Optional for SVCs only) Input PCR in
kbps. If omitted, input-pcr equals output-pcr.
or
Router(config-if-atm-vc)# vbr-nrt output-pcr
output-scr output-mbs [input-pcr] [input-scr]
[input-mbs]
Configures the variable bit rate–nonreal time (VBR-nrt)
QoS, the peak cell rate (PCR), sustainable cell rate (SCR),
and maximum burst cell size (MBS) for the PVC or SVC:
• output-pcr—Output PCR in kbps. The valid range is 48
to 149760 (OC-3), 599040 (OC-12), or 2396160
(1-Port OC-48c/STM-16 ATM SPA).
• output-scr—Output SCR in kbps. The valid range is 48
to PCR, and typically is less than the PCR value.
• output-mbs—Output MBS in number of cells. The valid
range is 1 to 65535, depending on the PCR and SCR
values. If the PCR and SCR are configured to the same
value, the only valid value for MBS is 1.
• input-pcr—(Optional for SVCs only) Input PCR in
kbps.
• input-scr—(Optional for SVCs only) Input SCR in
kbps.
• input-mbs—(Optional for SVCs only) Input MBS in
number of cells.
or
Router(config-if-atm-vc)# vbr-rt pcr scr burst Configures the variable bit rate–real time (VBR-rt) QoS,
and the PCR, average cell rate (ACR), and burst cell size
(BCS) for the PVC or SVC:
• pcr—PCR in kbps. The valid range is 48 to 149760
(OC-3), 599040 (OC-12), or 2396160 (1-Port
OC-48c/STM-16 ATM SPA).
• scr—SCR in kbps. The valid range is 48 to PCR, and
typically is less than the PCR value.
• burst—Burst size in number of cells. The valid range is
1 to 65535, depending on the PCR and SCR values. If
the PCR and SCR are configured to the same value, the
only valid value for burst is 1.
Step 4 Router(config-if-atm-vc)# transmit-priority level (Optional) Configures the PVC for a new transmit priority
level.
• level—Priority level from 1 to 6. The default value is
determined by the PVC’s configured service class (see
Table 7-1 on page 7-47 for the default levels).
Note Repeat Step 2 through Step 4 for each PVC or SVC to be configured.
Step 5 Router(config-if-atm-vc)# end Exits PVC/SVC configuration mode and returns to
privileged EXEC mode.
Verifying the Traffic Parameter Configuration
Use the show atm vc command to verify the configuration of the traffic parameters for a PVC or SVC:
Router# show atm vc 20
ATM1/1/0.200: VCD: 20, VPI: 2, VCI: 200
UBR, PeakRate: 44209
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 5 minutes(s)
Transmit priority 4
InPkts: 10, OutPkts: 11, InBytes: 680, OutBytes: 708
InPRoc: 10, OutPRoc: 5, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 6
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP
To verify the configuration of all PVCs or SVCs on an interface, use the show atm vc interface atm
command:
Router# show atm vc interface atm 2/1/0
ATM2/1/0.101: VCD: 201, VPI: 20, VCI: 101
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 3153520, OutPkts: 277787, InBytes: 402748610, OutBytes: 191349235
InPRoc: 0, OutPRoc: 0, Broadcasts: 0
InFast: 211151, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 17
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP
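A pre-deployment check of PVC/SVC stanzas against the ranges this guide states for cbr, ubr, vbr-nrt, vbr-rt, transmit-priority, and the pvc VPI/VCI values. This is an added Python example, not Cisco code; the function names, the SPA keys oc3/oc12/oc48, and the sample configuration are constructed for illustration.

```python
# Ranges quoted from the guide's traffic-parameter and pvc command tables.
MAX_PCR = {"oc3": 149760, "oc12": 599040, "oc48": 2396160}   # kbps
CBR_MAX = {"oc3": 149760, "oc12": 599040}    # the guide gives no OC-48 cbr figure
QOS_COMMANDS = ("cbr", "ubr", "vbr-nrt", "vbr-rt")


def _check_rate(label, value, high, out):
    if not 48 <= value <= high:
        out.append(f"{label} {value} is outside 48-{high} kbps")


def _check_vbr(cmd, pcr, scr, burst, top, out):
    _check_rate(f"{cmd} pcr", pcr, top, out)
    _check_rate(f"{cmd} scr", scr, pcr, out)          # SCR may not exceed PCR
    if not 1 <= burst <= 65535:
        out.append(f"{cmd} burst {burst} is outside 1-65535 cells")
    elif pcr == scr and burst != 1:
        out.append(f"{cmd} has pcr equal to scr, so the only valid burst is 1")


def _check_pvc_id(words, out):
    vpi, vci = (int(n) for n in next(w for w in words if "/" in w).split("/"))
    encap = words[-1] if words[-1] in ("ilmi", "qsaal") else None
    if not 0 <= vpi <= 255:
        out.append(f"vpi {vpi} is outside 0-255")
    if not 1 <= vci <= 65535:
        out.append(f"vci {vci} is outside 1-65535")
    elif vci <= 31 and (vci, encap) not in ((5, "qsaal"), (16, "ilmi")):
        out.append(f"vci {vci} is in the reserved range 1-31")


def lint_vc(stanza, spa="oc3"):
    """Check one pvc/svc stanza (list of lines, header first) against the guide."""
    out, classes = [], []
    head = stanza[0].split()
    if head[0] == "pvc":
        _check_pvc_id(head, out)
    for line in stanza[1:]:
        cmd, *args = line.split()
        if cmd in QOS_COMMANDS:
            classes.append(cmd)
            nums = [int(a) for a in args]
            inputs = []
            if cmd == "cbr":
                if spa in CBR_MAX:
                    _check_rate("cbr rate", nums[0], CBR_MAX[spa], out)
                else:
                    out.append(f"the guide lists no cbr range for {spa}")
            elif cmd == "ubr":
                _check_rate("ubr output-pcr", nums[0], MAX_PCR[spa], out)
                inputs = nums[1:]
            else:
                _check_vbr(cmd, *nums[:3], MAX_PCR[spa], out)
                inputs = nums[3:] if cmd == "vbr-nrt" else []
            if inputs and head[0] == "pvc":
                out.append(f"{cmd} input parameters are optional for SVCs only")
        elif cmd == "transmit-priority" and not 1 <= int(args[0]) <= 6:
            out.append(f"transmit-priority {args[0]} is outside 1-6")
    if len(classes) > 1:
        out.append("QoS classes " + ", ".join(classes)
                   + f": only the last ({classes[-1]}) takes effect")
    return out


def lint_config(text, spa="oc3"):
    """Return {stanza header: findings} for every pvc/svc stanza in the text."""
    stanzas, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("pvc ", "svc ")):
            current = [line]
            stanzas.append(current)
        elif not line or line == "!" or line.startswith("interface "):
            current = None
        elif current is not None:
            current.append(line)
    return {s[0]: lint_vc(s, spa) for s in stanzas}


# Constructed sample configuration (not taken from a real router).
SAMPLE = """\
interface ATM4/1/0.1 multipoint
 pvc voice 0/40
  vbr-rt 640 320 32
  transmit-priority 3
 pvc data 0/20
  ubr 200000
  cbr 1000
 pvc bulk 0/100
  vbr-nrt 5000 5000 32
 svc branch nsap 47.0091.81.000000.0010.11b8.c601.2222.2222.2222.22
  ubr 1000 2000
  transmit-priority 7
"""

if __name__ == "__main__":
    for header, findings in lint_config(SAMPLE).items():
        print(header, findings or "ok")
```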
Configuring Virtual Circuit Classes
When multiple PVCs or SVCs use the same or similar configurations, you can simplify the Cisco 7600
series router’s configuration file by creating virtual circuit (VC) classes. Each VC class acts as a
template, which you can apply to an ATM interface or subinterface, or to individual PVCs or SVCs.
When you apply a VC class to an ATM interface or subinterface, all PVCs and SVCs created on that
interface or subinterface inherit the VC class configuration. When you apply a VC class to an individual
PVC or SVC, that particular PVC or SVC inherits the class configuration.
You can then customize individual PVCs and SVCs with further configuration commands. Any
commands that you apply to individual PVCs and SVCs take precedence over those of the VC class that
were applied to the interface or to the PVC/SVC.
To create and configure a VC class, and then apply it to an interface, subinterface, or individual PVC or
SVC, use the following procedure beginning in global configuration mode:
Command or Action Purpose
Step 1 Router(config)# vc-class atm vc-class-name Creates an ATM virtual circuit (VC) class and enters
VC-class configuration mode.
• vc-class-name—Arbitrary name to identify this
particular VC class.
Step 2 Router(config-vc-class)# configuration-commands Enter any PVC or SVC configuration commands for this VC
class. See the “Creating a Permanent Virtual Circuit”
section on page 7-8 and the “Creating and Configuring
Switched Virtual Circuits” section on page 7-42 for
additional information.
Note You can specify both PVC and SVC configuration
commands in the same VC class. If a command is
not appropriate for a PVC or SVC, it is ignored
when the VC class is assigned to the PVC or SVC.
Step 3 Router(config-vc-class)# interface atm
slot/subslot/port
or
Router(config-vc-class)# interface atm
slot/subslot/port.subinterface [multipoint |
point-to-point]
Enters subinterface configuration mode for the specified
ATM interface or subinterface.
Step 4 Router(config-if)# class-int vc-class-name (Optional) Applies a VC class on the ATM main interface
or subinterface. This class then applies to all PVCs or SVCs
that are created on that interface.
• vc-class-name—Name of the VC class that was created
in Step 1.
Step 5 Router(config-if)# pvc [name] vpi/vci
or
Router(config-if)# svc [name] nsap-address
Specifies the PVC or SVC to be configured, and enters ATM
VC configuration mode.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 6 Router(config-if-atm-vc)# class-vc vc-class-name Assigns the specified VC class to this PVC or SVC.
• vc-class-name—Name of the VC class that was created
in Step 1.
Step 7 Router(config-if-atm-vc)# configuration-commands Any other VC configuration commands to be applied to this
particular PVC or SVC. Commands that are applied to the
individual PVC or SVC supersede any conflicting
commands that were specified in the VC class.
Step 8 Router(config-if)# end Exits interface configuration mode and returns to privileged
EXEC mode.
Verifying the Virtual Circuit Class Configuration
To verify the virtual circuit class configuration, use the show atm vc command:
Router# show atm vc
VCD / Peak Avg/Min Burst
Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells Sts
6/1/0 1 0 5 PVC SAAL UBR 155000 UP
6/1/0 2 0 16 PVC ILMI UBR 155000 UP
6/1/0.1 3 1 32 PVC-D SNAP UBR 155000 UP
6/1/0.2 4 2 32 PVC-D SNAP UBR 155000 UP
Configuring Virtual Circuit Bundles
Virtual circuit bundles are similar to VC classes, in that they allow you to configure a large group of
PVCs by configuring a template (the VC bundle). The main difference between a VC bundle and a VC
class is that the VC bundle management allows you to configure multiple VCs that have different QoS
characteristics between any pair of ATM-connected routers.
Using VC bundles, you first create an ATM VC bundle and then add VCs to it, and each VC in the bundle
can have its own ATM traffic class and ATM traffic parameters. You can configure the VCs collectively
at the bundle level, or you can configure the individual VC bundle members. You can also apply a VC
class to a bundle to apply the VC class configuration to all of the VCs in the bundle.
You can therefore create differentiated service by mapping one or more MPLS EXP levels to each VC
in the bundle, thereby enabling individual VCs in the bundle to carry packets marked with different
MPLS EXP levels. The ATM VC bundle manager determines which VC to use for a particular packet by
matching the MPLS EXP level of the packet to the MPLS EXP levels assigned to the VCs in the bundle.
The bundle manager can also use Weighted Random Early Detection (WRED) or distributed WRED
(dWRED) to further differentiate service across traffic that has different MPLS EXP levels.
Virtual Circuit Bundles Configuration Guidelines
• VC bundles are supported only on ATM SPAs in a Cisco 7600 SIP-200. Bundles are not supported
for ATM SPAs in a Cisco 7600 SIP-400.
• VC bundles can be used only for PVCs, not SVCs.
• VC bundles require ATM PVC management, as well as Forwarding Information Base (FIB) and Tag
Forwarding Information Base (TFIB) switching functionality.
• The Cisco 7600 series router at the remote end of the network must be using a version of Cisco IOS
that supports MPLS and ATM PVC management.
Virtual Circuit Bundles Configuration Task
To create and configure a VC bundle and then apply it to an ATM interface or subinterface, perform the
following procedure beginning in global configuration mode:
Command or Action Purpose
Step 1 Router(config)# ip cef [distributed] Enables Cisco Express Forwarding (CEF) Layer 3
switching on the Cisco 7600 series router. The Cisco 7600
series router enables CEF by default.
• distributed—(Optional) Enables distributed CEF
(dCEF).
Step 2 Router(config)# mpls label protocol ldp Specifies the default label distribution protocol for a
platform.
Step 3 Router(config)# interface atm slot/subslot/port
or
Router(config)# interface atm
slot/subslot/port.subinterface [multipoint |
point-to-point]
Enters interface configuration mode for the specified ATM
interface or subinterface.
Step 4 Router(config-if)# mpls ip Enables MPLS forwarding of IPv4 packets along normally
routed paths for the interface.
Step 5 Router(config-if)# bundle bundle-name Creates an ATM virtual circuit (VC) bundle and enters
bundle configuration mode.
• bundle-name—Arbitrary name to identify this
particular VC bundle.
Step 6 Router(config-if-atm-bundle)# class-bundle
vc-class-name
(Optional) Applies a VC class to this bundle. The class
configuration is then applied to all VCs in the bundle.
• vc-class-name—Name of the VC class to be applied to
this bundle and its PVCs or SVCs. See the “Configuring
Virtual Circuit Classes” section on page 7-50 for
information on creating VC classes.
Step 7 Router(config-if-atm-bundle)#
configuration-commands
Enter any other PVC or SVC configuration commands for
this VC bundle. See the “Creating a Permanent Virtual
Circuit” section on page 7-8 and the “Creating and
Configuring Switched Virtual Circuits” section on
page 7-42 for additional information.
Note Configuration commands applied directly to the VC bundle supersede a configuration that is applied through
a VC class.
Step 8 Router(config-if-atm-bundle)# pvc-bundle [name]
vpi/vci
Creates a member PVC of the bundle and enters PVC
bundle configuration mode.
Step 9 Router(config-if-atm-member)# mpls experimental
[level | other | range]
(Optional) Configures the MPLS EXP levels for the PVC
bundle member.
• level—MPLS EXP level for the PVC bundle member.
The valid range is 0 to 7.
• other—Any MPLS EXP levels in the range from 0 to 7
that are not explicitly configured (default).
• range—A range of MPLS EXP levels between 0 and 7,
separated by a hyphen.
Step 10 Router(config-if-atm-member)# bump {implicit |
explicit precedence-level | traffic}
(Optional) Configures the bumping rules for the PVC
bundle member.
• implicit—Bumped traffic is carried by a VC with a
lower precedence (default).
• explicit precedence-level—Specifies the precedence
level of the traffic that should be bumped when the PVC
member goes down. The precedence-level can range
from 0 to 9.
• traffic—The PVC member accepts bumped traffic
(default). Use no bump traffic to specify that the PVC
member does not accept bumped traffic.
Step 11 Router(config-if-atm-member)# protect {group | vc} (Optional) Specifies that the PVC bundle member is
protected.
• group—Specifies that the PVC bundle member is part
of a protected group. When all members of a protected
group go down, the bundle goes down.
• vc—Specifies that the PVC bundle member is
individually protected. When a protected VC goes
down, it also takes the bundle down.
By default, PVC bundle members are not protected.
Step 12 Router(config-if-atm-member)#
configuration-commands
Any other VC configuration commands to be applied to this
particular VC bundle member. Commands that are applied
to a bundle member supersede any conflicting commands
that were specified in the VC class or VC bundle.
Note Repeat Step 8 through Step 12 for each PVC member of the bundle to be created.
Step 13 Router(config-if-atm-member)# end Exits PVC bundle configuration mode and returns to
privileged EXEC mode.
Verifying the Virtual Circuit Bundles Configuration
To verify the configuration of the virtual circuit bundles and display the configuration for its interface
or subinterface, use the show running-config interface atm command, as in the following example:
Router# show running-config interface atm 4/1/0.2
interface ATM4/1/0.2 point-to-point
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
no atm enable-ilmi-trap
bundle ABC
class-bundle bundle-class
pvc-bundle ABC-high 1/107
class-vc high
pvc-bundle ABC-med 1/105
class-vc med
pvc-bundle ABC-low 1/102
class-vc low
!
!
To verify the operation and current status of a virtual circuit bundle, specify the bundle name with the
show atm bundle command:
Router# show atm bundle ABC
ABC on ATM4/1/0.2: UP
Config Current Bumping PG/ Peak Avg/Min Burst
VC Name VPI/ VCI Prec/Exp Prec/Exp PrecExp/ PV Kbps kbps Cells Sts
Accept
ABC-high 1/107 7 7 - / Yes PV 10000 5000 32 UP
ABC-med 1/105 6 6 - / Yes PV 10000 UP
ABC-low 1/102 5-0 5-0 - / Yes - 10000 UP
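How the level, range, and other forms of mpls experimental resolve to one member PVC per EXP level, worked through for a bundle shaped like ABC above. This is an added Python example, not Cisco code: the function names and the sample configuration are constructed, and the overlap and coverage findings are this example's own review checks, not router behavior described in the guide.

```python
def expand_exp(spec):
    """Expand an mpls experimental argument: a level, a hyphenated range, or 'other'."""
    if spec == "other":
        return None
    low, _, high = spec.partition("-")
    a, b = int(low), int(high or low)
    levels = set(range(min(a, b), max(a, b) + 1))   # show atm bundle prints 5-0
    if not levels <= set(range(8)):
        raise ValueError(f"EXP levels must lie in 0-7, got {spec!r}")
    return levels


def bundle_members(config):
    """Collect {member name: EXP spec} from the pvc-bundle stanzas of one bundle."""
    members, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["pvc-bundle"]:
            name = words[1]
            members[name] = "other"      # the guide marks 'other' as the default
        elif words[:2] == ["mpls", "experimental"] and name:
            members[name] = words[2]
    return members


def exp_to_vc(members):
    """Return ({EXP level: member}, findings) for one bundle."""
    mapping, findings, catch_all = {}, [], []
    for name, spec in members.items():
        levels = expand_exp(spec)
        if levels is None:
            catch_all.append(name)
            continue
        for level in sorted(levels):
            if level in mapping:
                findings.append(f"EXP {level} is claimed by {mapping[level]} and {name}")
            else:
                mapping[level] = name
    unclaimed = [level for level in range(8) if level not in mapping]
    if len(catch_all) > 1:
        findings.append("more than one member uses 'other': " + ", ".join(catch_all))
    if unclaimed and catch_all:
        # 'other' picks up every level that no member names explicitly.
        mapping.update({level: catch_all[0] for level in unclaimed})
    elif unclaimed:
        findings.append("no member carries EXP " + ",".join(map(str, unclaimed)))
    return mapping, findings


# Constructed configuration: the ABC members with their EXP levels written
# on the members themselves instead of inherited from VC classes.
BUNDLE = """\
bundle ABC
 pvc-bundle ABC-high 1/107
  mpls experimental 7
 pvc-bundle ABC-med 1/105
  mpls experimental 6
 pvc-bundle ABC-low 1/102
  mpls experimental 5-0
"""

if __name__ == "__main__":
    mapping, findings = exp_to_vc(bundle_members(BUNDLE))
    for level in range(7, -1, -1):
        print(level, mapping.get(level))
    print(findings or "no findings")
```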
Configuring Multi-VLAN to VC Support
For information on configuring multi-VLAN to VC support, see the “Configuring QoS for ATM VC
Access Trunk Emulation” topic at
http://www.cisco.rw/univercd/cc/td/doc/product/core/cis7600/cfgnotes/flexport/combo/flexqos.htm#wp1162305.
Configuring Link Fragmentation and Interleaving with Virtual Templates
The ATM SPA supports Link Fragmentation and Interleaving (LFI) with the distributed Compressed
Real-Time Protocol (dCRTP). This allows the ATM interfaces, which are cell-based, to efficiently
transport packet-based IP traffic without an excessive amount of bandwidth being used for packet
headers and other overhead.
The LFI/dCRTP feature requires the use of multilink PPP (MLP), which can be implemented either by
using virtual templates or dialer templates.
Note Stateful Switchover (SSO) is not supported with distributed Link Fragmentation and Interleaving (dLFI)
over ATM.
Link Fragmentation and Interleaving with Virtual Templates Configuration Guidelines
• The 1-Port OC-48c/STM-16 ATM SPA does not support LFI.
• A functional multilink PPP (MLP) bundle requires one virtual access interface operating as a PPP
interface, and a second virtual access interface operating as a multilink PPP bundle interface.
• The Cisco IOS software supports a maximum of 1,000 virtual template interfaces per Cisco 7600
series router.
• When LFI is configured on a PVC, the output packets counter in the show atm pvc command counts
all fragments of a packet as a single packet, and does not display the actual number of fragmented
packets that were output. For example, if a packet is fragmented into four fragments, the output
packets counter shows only one packet, not four. The output bytes counter is accurate, however, and
you can also display the total number of fragmented packets on all PVCs on the interface with the
show interface atm command.
• LFI supports three protocol formats: AAL5CISCOPPP, AAL5MUX, and AAL5SNAP.
• For fragmentation to function, a QoS service policy having a minimum of two QoS queues needs to
be applied to the virtual template interface.
• For dLFI to work properly and to be supported, the following commands must already be
configured on the Virtual Template interface:
– ppp multilink
– ppp multilink interleave
– service-policy output policy-name
Note The service-policy attached to the Virtual-Template must have at least two queues, one of which
contains the priority CLI.
Note When dLFI is correctly configured on an ATM SPA PVC, which includes ppp multilink, ppp multilink
interleave, and service-policy output on the Virtual-Template, the following MLP behavior occurs:
1. Packets smaller than the fragment size are sent without MLP headers, as straight PPP frames.
2. Packets larger than the fragment size that are classified in the priority LLQ are sent without
MLP headers, as PPP frames, and are interleaved between fragmented packets.
3. Packets larger than the fragment size are fragmented and sent with MLP headers.
Link Fragmentation and Interleaving with Virtual Templates Configuration Task
To configure LFI with virtual templates, perform the following procedure beginning in global
configuration mode:
Command or Action Purpose
Step 1 Router(config)# interface virtual-template number Creates a virtual template and enters interface configuration
mode.
• number—Arbitrary value to identify this virtual
template.
Step 2 Router(config-if)# bandwidth value Specifies the bandwidth, in kbps, for the interfaces that use
this virtual template:
• value—Bandwidth, in kilobits per second, for the
interface.
Step 3 Router(config-if)# service-policy input policy-name Attaches the specified policy map to the input interface that
uses this virtual template:
• policy-name—Name of the policy map that was created
by the policy-map command to be used.
Step 4 Router(config-if)# service-policy output policy-name Attaches the specified policy map to the output interface
that uses this virtual template:
• policy-name—Name of the policy map that was created
by the policy-map command to be used.
Step 5 Router(config-if)# ppp multilink [bap] Enables multilink PPP (MLP) on the interfaces that use this
virtual template:
• bap—(Optional) Enables bandwidth allocation control
negotiation and dynamic allocation of bandwidth on a
link, using the bandwidth allocation protocol (BAP).
Step 6 Router(config-if)# ppp multilink fragment delay
max-delay
(Optional) Configures the maximum delay for the
transmission of a packet fragment on an MLP bundle.
• max-delay—Maximum amount of time, in
milliseconds, that should be required to transmit a
fragment. The range is from 1 to 1000, with a default
value of 30 for MLP bundles.
Step 7 Router(config-if)# ppp multilink interleave Enables interleaving of the fragments of larger packets on
an MLP bundle.
Step 8 Router(config-if)# interface atm
slot/subslot/port.subinterface point-to-point
Creates the specified point-to-point subinterface and enters
interface configuration mode.
Step 9 Router(config-if)# pvc [name] vpi/vci [ilmi | qsaal] Configures a new ATM PVC by assigning its VPI/VCI
numbers and enters ATM VC configuration mode. The valid
values for vpi/vci are:
• vpi—Specifies the VPI ID. The valid range is 0 to 255.
• vci—Specifies the VCI ID. The valid range is 1 to
65535. Values 1 to 31 are reserved and should not be
used, except for 5 for the QSAAL PVC and 16 for the
ILMI PVC.
You can also configure the following options:
• name—(Optional) An arbitrary string that identifies
this PVC.
• ilmi—(Optional) Configures the PVC to use ILMI
encapsulation (default).
• qsaal—(Optional) Configures the PVC to use QSAAL
encapsulation.
Note When using the pvc command, remember that the vpi/vci combination forms a unique identifier for the
interface and all of its subinterfaces. If you specify a vpi/vci combination that has been used on another
subinterface, the Cisco IOS software assumes that you want to modify that PVC’s configuration and
automatically switches to its parent subinterface.
Step 10 Router(config-if-atm-vc)# protocol ppp
virtual-template number
Configures the PVC for PPP with the parameters from the
specified virtual template.
Step 11 Router(config-if-atm-vc)# end Exits ATM VC configuration mode and returns to privileged
EXEC mode.
Verifying the Link Fragmentation and Interleaving with Virtual Templates Configuration
To verify a virtual template configuration, display the running configuration for the configured ATM and
virtual interfaces:
Router# show running-config interface virtual-template 1
!
interface Virtual-Template1
Current configuration : 373 bytes
!
interface Virtual-Template1
bandwidth 300
ip address 23.0.0.1 255.255.255.0
ppp chap hostname template1
ppp multilink
ppp multilink fragment-delay 8
ppp multilink interleave
service-policy output lfiqos
!
Router# show running-config interface atm 6/0/1
!
interface ATM6/0/1
atm idle-cell-format itu
atm enable-payload-scrambling
no atm ilmi-keepalive
pvc 32/32
vbr-rt 640 640 256
encapsulation aal5snap
protocol ppp Virtual-Template1
To display run-time statistics and other information about the currently configured multilink PPP
bundles, use the show ppp multilink command:
Router# show ppp multilink
Virtual-Access3, bundle name is north-2
Bundle up for 00:01:51
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 1/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 1 (max not set, min not set)
Vi1, since 00:01:38, no frags rcvd, 62 weight, 54 frag size
dLFI statistics:
DLFI Packets Pkts In Pkts Out
Fragmented 4294967288 3129990
UnFragmented 1249071 0
Reassembled 1249071 1564994
Reassembly Drops 0
Fragmentation Drops 0
Out of Seq Frags 0
Note The show ppp multilink command displays only the packet counters, and not byte counters, for a dLFI
configuration on an ATM SPA interface. Also, the number of fragmented packets shows the number of
fragments sent to the SAR assembly, not the number of fragments that are placed on the ATM line. It is
possible that the SAR assembly might drop some of these fragments on the basis of Layer 3 QoS limits.
Configuring the Distributed Compressed Real-Time Protocol
The distributed Compressed Real-Time Protocol (dCRTP) compresses the 40 bytes of the IP/UDP/RTP
packet headers down to between only two and four bytes in a distributed fast-switching and distributed
Cisco Express Forwarding (dCEF) network. This compression reduces the packet size, improves the
speed of packet transmission, and reduces packet latency, especially on cell-based interfaces, such as
ATM interfaces.
Distributed Compressed Real-Time Protocol Configuration Guidelines
When configuring dCRTP, consider the following guidelines:
• Distributed CEF switching or distributed fast switching must be enabled on the interface.
• PPP must be used on the interface or subinterface.
Distributed Compressed Real-Time Protocol Configuration Task
To enable and configure dCRTP on an ATM interface, virtual template interface, or a dialer template
interface, perform the following procedure beginning in global configuration mode:
Command or Action / Purpose
Step 1 Router(config)# interface atm slot/subslot/port
or
Router(config)# interface virtual-template number
or
Router(config)# interface dialer number
Enters interface configuration mode for an interface on the ATM SPA, or for a virtual template or
dialer template interface.
Step 2 Router(config-if)# ip rtp header-compression [passive]
Enables RTP header compression.
• passive—(Optional) Compresses outgoing RTP packets only if incoming RTP packets on the same
interface are compressed. The default compresses all RTP packets on the interface.
Step 3 Router(config-if)# ip tcp header-compression [passive]
Enables TCP header compression.
• passive—(Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same
interface are compressed. The default compresses all TCP packets on the interface.
Note By default, RTP and TCP header compression are enabled on ATM interfaces when they are configured with
an IP address. You do not need to give the ip rtp header-compression and ip tcp header-compression
commands unless you have previously disabled these features, or you want to use the passive options.
Step 4 Router(config-if)# ip rtp compression-connections number
Specifies the total number of RTP header compression connections that can be supported on the interface.
• number—Number of RTP header compression connections. The valid range is 3 to 1000, with a default
of 32 connections (16 calls).
Step 5 Router(config-if)# ip tcp compression-connections number
Specifies the total number of TCP header compression connections that can be supported on the interface.
• number—Number of TCP header compression connections. The valid range is 3 to 1000, with a default
of 32 connections (16 calls).
Step 6 Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the Distributed Compressed Real-Time Protocol Configuration
To verify the dCRTP configuration of an ATM interface, use the show running-config interface
virtual-template command:
Router# show running-config interface virtual-template 1
!
interface Virtual-Template1
bandwidth 2320
ip unnumbered Loopback2
max-reserved-bandwidth 100
ip tcp header-compression
ppp multilink
ppp multilink fragment delay 4
ppp multilink interleave
ip rtp header-compression
Configuring Automatic Protection Switching
The ATM SPAs support 1+1 Automatic Protection Switching (APS) on PVCs as described in section 5.3
of the Telcordia publication GR-253-CORE SONET Transport Systems: Common Generic Criteria. APS
redundancy is supported at the line layer, so that when an OC-3c, OC-12c, or OC-48c link fails, all of
the PVCs that are carried by that link are switched simultaneously.
Note APS is not supported for SVCs.
In an APS configuration, a redundant ATM interface (the Protect interface) is configured for every active
ATM interface (the Working interface). If the Working interface goes down, the Protect interface
automatically switches over and continues communication over the interface’s PVCs.
The APS Protect Group Protocol (PGP), which runs on top of User Datagram Protocol (UDP), provides
communication between the Working and Protect interfaces. This communication occurs over a separate
out-of-band (OOB) communication channel, such as an Ethernet link.
In the case of degradation, loss of channel signal, or manual intervention, the APS software on the
Protect interface sends APS PGP commands to activate or deactivate the Working interface as necessary.
If the communication channel between the Working and Protect interfaces is lost, the Working interface
assumes full control, as if no Protect interface existed.
The performance enhancement of PPP/MLPPP APS does not impact the original PPP/MLPPP scalability
on Cisco 7600.
Figure 7-4 shows a simple example of a pair of Working and Protect interfaces on a single router.
Figure 7-4 Basic Automatic Protection Switching Configuration
[Figure 7-4 labels: Router A; ATM3/0/0, Working interface; ATM4/0/0, Protect interface; SONET network equipment, Add Drop Multiplexer (ADM)]
Tip If possible, use separate SPAs to provide the Working and Protect interfaces, as shown in Figure 7-4.
This technique removes the SPA as a potential single point of failure, which would be the case if the
same SPA provided both the Working and Protect interfaces.
Multiple routers can be using APS at the same time. For example, Figure 7-5 shows a simple example
of two routers that each have one pair of Working and Protect interfaces. In this configuration, the two
routers are independently configured.
Figure 7-5 Sample Automatic Protection Switching Configuration with Multiple Routers
[Figure 7-5 labels: ADM; Router-A; Router-B; ATM 4/0/0 (working); ATM 4/0/1 (protect); ATM 3/1/0 (working); ATM 3/1/1 (protect)]
You can also configure multiple routers with APS so that interfaces on one router can provide protection
for the interfaces on another router. This provides protection in case a router experiences a major system
problem, such as a processor fault.
Figure 7-6 shows a basic example of two routers that each have one Working ATM interface. Each router
also has one Protect interface that provides protection for the other router’s Working interface. Note that
this configuration requires a separate out-of-band (OOB) communication link between the two routers,
which in this case is provided by the Ethernet network.
Figure 7-6 Sample Multiple Router Protection with Automatic Protection Switching
[Figure 7-6 labels: Router A; Router B; E1/0/0 (on each router); ATM2/0/0, Working interface 10; ATM2/0/0, Working interface 20; ATM3/0/0, Protect interface 20; ATM3/0/0, Protect interface 10; SONET network equipment, Add Drop Multiplexer (ADM)]
An APS configuration requires the following steps:
• Configure the Working interface with the desired IP addresses, subinterfaces, and PVCs. Also assign
the interface to an APS group and designate it as the Working interface.
• Create a loopback circuit for communication between the Working and Protect interfaces. This is
optional, because you can also use any valid IP address on the router. However, we recommend using
a loopback interface because it is always up and provides connectivity between the two interfaces
as long as any communication path exists between them.
• Configure the Protect interface with the same subinterfaces and PVCs that were configured on the
Working interface. The Protect interface should also be configured with an IP address that is on the
same subnet as the Working interface.
Tip Always configure the Working interface before the Protect interface, so as to prevent the Protect
interface from becoming active and disabling the circuits on the Working interface.
Automatic Protection Switching Configuration Guidelines
When configuring APS, consider the following guidelines:
• The Working and Protect interfaces must be compatible (that is, both OC-3c or both OC-12c
interfaces). The interfaces can be on the same SPA, different SPAs in the same router, or different
SPAs in different routers.
• If using interfaces on different routers, the two routers must have a network connection other than
the ATM connection (such as through an Ethernet LAN). Because the APS PGP is UDP traffic, this
network connection should be reliable with a minimum number of hops.
• Configure the Working ATM interface with the desired IP addresses and other parameters, as
described in the “Required Configuration Tasks” section on page 7-2 and the “Configuring SONET
and SDH Framing” section on page 7-76.
• Configure the desired PVCs on the Working interface, as described in the different procedures that
are listed in the “Creating a Permanent Virtual Circuit” section on page 7-8.
• The IP addresses on the Working and Protect interfaces should be in the same subnet.
• APS is not supported on SVCs.
Automatic Protection Switching Configuration Task
To configure the Working and Protect interfaces on the ATM SPAs for basic APS operation, perform the
following procedure beginning in global configuration mode. For complete information on APS,
including information on additional APS features, refer to the “Configuring ATM Interfaces” chapter in
the Cisco IOS Interface Configuration Guide, Release 12.2.
Command or Action / Purpose
Step 1 Router(config)# interface loopback interface-number
Creates a loopback interface and enters interface configuration mode:
• interface-number—An arbitrary value from 0 to 2,147,483,647 that uniquely identifies this loopback
interface.
Step 2 Router(config-if)# ip address ip-address mask [secondary]
Specifies the IP address and subnet mask for this loopback interface. If the Working and Protect
interfaces are on the same router, this IP address should be in the same subnet as the Working
interface. If the Working and Protect interfaces are on different routers, this IP address should be in
the same subnet as the Ethernet interface that provides the connectivity between the two routers.
Repeat this command with the secondary keyword to specify additional IP addresses to be used for this
interface.
Step 3 Router(config-if)# interface atm slot/subslot/port
Enters interface configuration mode for the Working interface on the ATM SPA.
Step 4 Router(config-if)# ip address ip-address mask [secondary]
Specifies the IP address and subnet mask for the Working interface.
Repeat this command with the secondary keyword to specify additional IP addresses to be used for the
interface.
Step 5 Router(config-if)# aps group group-number
Enables the use of the APS Protect Group Protocol for this Working interface.
• group-number—Unique number identifying this pair of Working and Protect interfaces.
Note The aps group command is optional if this is the only pair of Working and Protect interfaces on the
router, but is required when you configure more than one pair of Working and Protect interfaces on
the same router.
Step 6 Router(config-if)# aps working circuit-number
Identifies the interface as the Working interface.
• circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1
redundancy is supported, the only valid values are 0 or 1, and the Working interface defaults to 1.
Step 7 Router(config-if)# aps authentication security-string
(Optional) Specifies a security string that must be included in every OOB message sent between the
Working and Protect interfaces.
• security-string—Arbitrary string to be used as a password between the Working and Protect
interfaces. This string must match the one configured on the Protect interface.
Step 8 Router(config-if)# interface atm slot/subslot/port
Enters interface configuration mode for the Protect interface on the ATM SPA.
Step 9 Router(config-if)# ip address ip-address mask [secondary]
Specifies the IP address and subnet mask for the Protect interface.
Note This should be the same address that was configured on the Working interface in Step 4.
Repeat this command with the secondary keyword to specify additional IP addresses to be used for the
interface. These should match the secondary IP addresses that are configured on the Working interface.
Step 10 Router(config-if)# aps group group-number
Enables the use of the APS Protect Group Protocol for this Protect interface.
• group-number—Unique number identifying this pair of Working and Protect interfaces.
Note The aps group command is optional if this is the only pair of Working and Protect interfaces on the
router, but is required when you configure more than one pair of Working and Protect interfaces on
the same router.
Step 11 Router(config-if)# aps protect circuit-number ip-address
Identifies this interface as the Protect interface:
• circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1
redundancy is supported, the only valid values are 0 or 1, and the Protect interface defaults to 0.
• ip-address—IP address for the loopback interface that was configured in Step 2. The Protect
interface uses this IP address to communicate with the Working interface.
Note If you do not want to use a loopback interface for this configuration, this IP address should be the
address of the Working interface if the Protect and Working interfaces are on the same router. If the
Working and Protect interfaces are on different routers, this should be the IP address of the Ethernet
interface that provides interconnectivity between the two routers.
Step 12 Router(config-if)# aps authentication security-string
(Optional) Specifies a security string that must be included in every OOB message sent between the
Working and Protect interfaces.
• security-string—Arbitrary string to be used as a password between the Working and Protect
interfaces. This string must match the one configured on the Working interface.
Step 13 Router(config-if)# aps revert minutes
(Optional) Enables the Protect interface to automatically switch back to the Working interface after
the Working interface has been up for a specified number of minutes.
• minutes—Number of minutes until the interface is switched back to the Working interface after the
Working interface comes back up.
Note If this command is not given, you must manually switch back to the Working interface using either
the aps force circuit-number or the aps manual circuit-number command.
Step 14 Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the Automatic Protection Switching Configuration
To verify the APS configuration on the router, use the show aps command without any options. The
following example shows a typical configuration in which the Working interface is the active interface:
Router# show aps
ATM4/0/1 APS Group 1: protect channel 0 (inactive)
bidirectional, revertive (2 min)
PGP timers (default): hello time=1; hold time=3
state:
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0x20 0x05
Reverse Request (protect)
Working channel 1 at 10.10.10.41 Enabled
Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (active)
PGP timers (from protect): hello time=3; hold time=6
state: Enabled
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Protect at 10.10.10.41
Remote APS configuration: (null)
The following sample output is for the same interfaces, except that the Working interface has gone down
and the Protect interface is now active:
Router# show aps
ATM4/0/1 APS Group 1: protect channel 0 (active)
bidirectional, revertive (2 min)
PGP timers (default): hello time=1; hold time=3
state:
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0xC1 0x05
Signal Failure - Low Priority (working)
Working channel 1 at 10.10.10.41 Disabled SF
Pending local request(s):
0xC (, channel(s) 1)
Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (Interface down)
PGP timers (from protect): hello time=3; hold time=6
state: Disabled
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Protect at 10.10.10.41
Remote APS configuration: (null)
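The K1/K2 bytes and state fields in the show aps output above can be decoded and checked by a monitoring script. The following Python example is added here and is not Cisco code: the request-code table is the GR-253-CORE linear APS encoding (it covers more codes than the values shown on this page), the finding names are made up, and reading authentication = (default) as "no aps authentication string configured" is an assumption.

```python
import re

# K1 bits 1-4 carry the request, bits 5-8 the channel it applies to
# (linear APS request codes from GR-253-CORE; unlisted codes are unused).
K1_REQUESTS = {
    0x0: "No Request", 0x1: "Do Not Revert", 0x2: "Reverse Request",
    0x4: "Exercise", 0x6: "Wait-to-Restore", 0x8: "Manual Switch",
    0xA: "Signal Degrade - Low Priority", 0xB: "Signal Degrade - High Priority",
    0xC: "Signal Failure - Low Priority", 0xD: "Signal Failure - High Priority",
    0xE: "Forced Switch", 0xF: "Lockout of Protection",
}
# K2 bits 6-8 give the provisioned mode or a line-level alarm indication.
K2_MODES = {0b100: "unidirectional", 0b101: "bidirectional",
            0b110: "RDI-L", 0b111: "AIS-L"}
# Requests that move or pin traffic (manual switch and everything above it).
ALERT_REQUESTS = {name for code, name in K1_REQUESTS.items() if code >= 0x8}

# Second sample output from this page (Working interface down), trimmed to
# the lines the parser reads.
SAMPLE = """\
ATM4/0/1 APS Group 1: protect channel 0 (active)
state:
authentication = (default)
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0xC1 0x05
Signal Failure - Low Priority (working)
Working channel 1 at 10.10.10.41 Disabled SF
Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (Interface down)
state: Disabled
authentication = (default)
Protect at 10.10.10.41
"""

HEADER = re.compile(r"^(\S+) APS Group (\d+): (protect|working) channel (\d+) \(([^)]*)\)")
K1K2 = re.compile(r"^(Received|Transmitted) K1K2: 0x([0-9A-Fa-f]{2}) 0x([0-9A-Fa-f]{2})")
AUTH = re.compile(r"^authentication = (.+)$")


def decode_k1k2(k1, k2):
    """Split the two APS bytes into their GR-253-CORE fields."""
    return {
        "request": K1_REQUESTS.get(k1 >> 4, "not used"),
        "channel": k1 & 0x0F,                      # 0 = protect (null) channel
        "bridged_channel": k2 >> 4,
        "architecture": "1:n" if k2 & 0x08 else "1+1",
        "mode": K2_MODES.get(k2 & 0x07, "reserved"),
    }


def parse_show_aps(text):
    """Return one dict per 'APS Group' block in the command output."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = {"interface": match.group(1), "group": int(match.group(2)),
                       "role": match.group(3), "channel": int(match.group(4)),
                       "status": match.group(5).lower(), "authentication": None,
                       "received": None, "transmitted": None}
            entries.append(current)
            continue
        if current is None:
            continue
        match = K1K2.match(line)
        if match:
            current[match.group(1).lower()] = decode_k1k2(
                int(match.group(2), 16), int(match.group(3), 16))
            continue
        match = AUTH.match(line)
        if match:
            current["authentication"] = match.group(1)
    return entries


def audit(entries):
    """Return (interface, finding) pairs worth an operator's attention."""
    findings = []
    for entry in entries:
        name = entry["interface"]
        if entry["authentication"] == "(default)":   # assumption: no string set
            findings.append((name, "authentication-default"))
        if entry["role"] == "protect" and entry["status"] == "active":
            findings.append((name, "protect-active"))
        if entry["role"] == "working" and entry["status"] != "active":
            findings.append((name, "working-not-active"))
        sent = entry["transmitted"]
        if sent and sent["request"] in ALERT_REQUESTS:
            findings.append((name, "transmitted-request: %s (channel %d)"
                             % (sent["request"], sent["channel"])))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(parse_show_aps(SAMPLE)):
        print(interface, finding)
```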
Tip To obtain APS information for a specific ATM interface, use the show aps atm slot/subslot/port
command. To display information about the APS groups that are configured on the router, use the show
aps group command.
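The pairing rules in the configuration task (one Working and one Protect member per group, matching aps authentication strings from Steps 7 and 12, circuit numbers of 0 or 1, and a peer address on aps protect) can be checked against a saved configuration before deployment. The following Python example is added here and is not Cisco code: the configuration text is constructed, the finding names are made up, and it assumes both members of each group are on the same router, as in Figure 7-4.

```python
from collections import defaultdict

# Constructed running-config fragment; interface names, addresses and
# security strings are invented for the example.
CONFIG = """\
interface Loopback1
 ip address 10.10.10.41 255.255.255.255
!
interface ATM4/0/0
 aps group 1
 aps working 1
 aps authentication example-string-A
!
interface ATM4/0/1
 aps group 1
 aps revert 2
 aps protect 0 10.10.10.41
 aps authentication example-string-B
!
interface ATM5/0/0
 aps group 2
 aps working 1
!
interface ATM5/0/1
 aps group 2
 aps protect 0 10.10.10.41
!
interface ATM6/0/0
 aps group 3
 aps working 1
 aps authentication example-string-C
"""


def parse_aps_interfaces(config):
    """Return {interface: settings} for interfaces that have an APS role."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface" and len(words) > 1:
            current = {"group": None, "role": None, "circuit": None,
                       "peer": None, "auth": None, "revert": None}
            interfaces[words[1]] = current
        elif current is not None and words[0] == "aps" and len(words) >= 3:
            keyword = words[1]
            if keyword == "group":
                current["group"] = int(words[-1])   # also reads "aps group acr N"
            elif keyword in ("working", "protect"):
                current["role"] = keyword
                current["circuit"] = int(words[2])
                if keyword == "protect" and len(words) > 3:
                    current["peer"] = words[3]
            elif keyword == "authentication":
                current["auth"] = words[2]
            elif keyword == "revert":
                current["revert"] = int(words[2])
    return {name: s for name, s in interfaces.items() if s["role"]}


def audit_pairs(interfaces):
    """Return (group, finding) pairs for groups that break the pairing rules."""
    groups = defaultdict(list)
    for name, settings in interfaces.items():
        groups[settings["group"]].append((name, settings))
    findings = []
    for group in sorted(groups, key=lambda g: (g is None, g or 0)):
        members = groups[group]
        working = [m for m in members if m[1]["role"] == "working"]
        protect = [m for m in members if m[1]["role"] == "protect"]
        if len(working) != 1 or len(protect) != 1:
            findings.append((group, "incomplete-pair"))
            continue
        (w_name, w), (p_name, p) = working[0], protect[0]
        if w["auth"] is None or p["auth"] is None:
            findings.append((group, "authentication-missing"))
        elif w["auth"] != p["auth"]:
            findings.append((group, "authentication-mismatch"))
        if p["peer"] is None:
            findings.append((group, "protect-without-peer-address"))
        if w["revert"] is not None:
            findings.append((group, "revert-on-working"))
        for name, settings in (working[0], protect[0]):
            if settings["circuit"] not in (0, 1):
                findings.append((group, "bad-circuit-number:" + name))
    return findings


if __name__ == "__main__":
    for group, finding in audit_pairs(parse_aps_interfaces(CONFIG)):
        print("APS group", group, finding)
```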
Configuring Access Circuit Redundancy on SIP-400 ATM SPAs
The ATM Automatic Protection Switching (APS) mechanism takes a longer switchover time with a
pseudowire configuration, because the pseudowire needs to come up on switchover. To reduce the
switchover time, ATM provides Access Circuit Redundancy (ACR) for ATM clients in a single router APS
(SR APS) environment. This ensures low data traffic downtime in case of switchover.
QoS support on an ATM SPA with ACR configured supports all the QoS features allowed on Layer 2
transport PVCs on ATM SPAs.
ATM Asynchronous functionality
Additionally, when there is a local attachment circuit fault, the data plane needs to be up. ATM VCs and
VPs are provided with an enable and disable functionality, so that they remain provisioned even when
the interface is configured with shutdown or no shutdown respectively.
Earlier, a faulty scenario led to a teardown of the ATM VC/VP, which blocked all types of traffic. With
the new feature, a complete teardown of the VC/VP is not executed, and the VC/VP remains provisioned
in the hardware. This feature supports AAL5 and AAL0 encapsulation with cell packing.
The enabling and disabling of ATM VC/VP is done asynchronously. To enable the async feature, you
must configure atm asynchronous under the ATM interface. Local switching and pseudowire redundancy
are not supported.
Restrictions
The following restrictions apply while configuring ACR and QoS support on ACR on the Cisco 7600
SIP-400 ATM SPAs:
• The pseudowire should not have a data loss of more than 100 ms when the APS switchover is done
on the physical layer.
• ACR supports 4000 pseudowire configurations per chassis.
• ATM interfaces that are part of an ACR group can be configured only using the virtual interface.
However, some configurations are allowed under the physical ACR members, such as the
Layer 1 configuration commands.
• PVC or PVP and xconnect configuration are visible only under the virtual ATM interfaces.
• Service-policy is supported only on PVC under an ACR interface.
• Currently the interface counters on the route processor are updated by choosing incremental
statistics corresponding to the active interface at any point of time. The ATM PVC statistics are also
updated similarly. Given this approach, the receiving interface statistics are always accurate, but the
transmitting statistics move further away from the actual value with every APS switchover.
The inaccuracy in the transmission interface statistics per APS switchover is approximately 5 to 8
seconds of traffic. The MPLS counters for the ACR MPLS show accurate statistics in both directions
and are reliable independent of switchover.
• When the protect interface of an ACR group is active and the protect LC is hard-OIRed, APS
switchover time is close to 1 second. You must do a manual APS switchover, using manual, force,
or shut options on the member, and bring up the other member interface before the physical OIR of
the line card or SPA.
Configuring the ACR Interface
SUMMARY STEPS
Step 1 interface atm interface
aps group acr acr no
aps working circuit number
Step 2 interface atm interface
aps group acr acr no
aps protect circuit number ip-address
aps revert minutes
DETAILED STEPS
The following commands configure the ACR Interface:
Command or Action / Purpose
Step 1 Router(config)# interface atm interface
Router(config-if)# aps group acr acr no
Router(config-if)# aps working circuit number
This command enters the ATM interface mode.
aps group: This command configures the APS group for an interface.
acr: This command configures the ACR group on top of APS.
acr no—This specifies a group number between 0-255. An ACR virtual interface is created.
circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1
redundancy is supported, the only valid values are 0 or 1, and the Working interface defaults to 1.
Step 2 Router(config-if)# interface atm interface
Router(config-if)# aps group acr acr no
Router(config-if)# aps protect circuit number ip-address
Router(config-if)# aps revert minutes
This command enters the ATM interface mode.
aps group: This command configures the APS group for an interface.
acr: This command configures the ACR group on top of APS.
acr no—This specifies a group number between 0-255. An ACR virtual interface is created.
circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1
redundancy is supported, the only valid values are 0 or 1, and the Working interface defaults to 1.
Note When the virtual interface is created, apart from APS no other configuration is possible under the
corresponding physical interface. All interface configurations must be applied under the virtual ACR
interface.
aps protect: Identifies this interface as the Protect interface:
• circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1
redundancy is supported, the only valid values are 0 or 1, and the Protect interface defaults to 0.
• ip-address—IP address for the loopback interface. The Protect interface uses this IP address to
communicate with the working interface.
Note The APS group can be active or inactive.
Active: The interface that is currently sending and receiving data.
Inactive: The interface that is currently standing by to take over when the active fails.
aps revert: This command configures the ACR interface as revert. The value of the minutes argument
specifies the time, in minutes, after which the revert process begins.
Note Use the revert command only under the protect member of the ACR group.
Note To create an ACR interface without any members attached, use the interface acr acr no command.
Enabling or Disabling the ATM Asynchronous functionality
SUMMARY STEPS
To Enable the Async Feature
Step 1 int atm slot/bay/port
Step 2 atm asynchronous
To Set MCPT Timers
Step 1 int atm slot/bay/port
Step 2 atm mcpt-timers 100 1000 1000
To Configure Cell-Packing
Step 1 int atm slot/bay/port
Step 2 pvc 1/100 l2transport
Step 3 atm mcpt-timers 100 1000 1000
Step 4 cell-packing 20 mcpt-timer timer value
Xconnect Configuration
Step 1 int atm slot/bay/port
Step 2 pvc pvc id l2transport
Step 3 xconnect ip_address vc_id encapsulation mpls | l2tpv3
DETAILED STEPS
The following commands enable or disable the ATM Asynchronous functionality and configure the
interface with MCPT timers and encapsulation type using the xconnect commands:
Command or Action / Purpose
Step 1 Router(config)# int atm slot/bay/port
This command enters the ATM interface mode.
Step 2 Router(config-if)# atm asynchronous
This command enables or disables the asynchronous functionality on the ATM interface.
Step 3 Router(config-if)# atm mcpt-timers 100 1000 1000
This command sets the mcpt-timers on the ATM interface.
Step 4 Router(config-if)# pvc 1/100 l2transport
Router(config-if)# atm mcpt-timers 100 1000 1000
Router(cfg-if-atm-l2trans-pvc)# cell-packing 20 mcpt-timer 2
Configures cell-packing on the ATM interface.
Step 5 Router(cfg-if-atm-l2trans-pvc)# xconnect ip_address vc_id encapsulation mpls | l2tpv3
Sets the encapsulation method on the ATM interface using the xconnect command.
Examples
Configuration of ACR interface and policy attachment
interface ATM4/0/0
aps group acr 1
aps working 1
!
interface ATM4/0/1
aps group acr 1
aps revert 2
aps protect 1 10.7.7.7
!
This will create the virtual ATM interface.
The following commands can be configured under the PVC of the virtual interface:
• pvc
• atm pvp
• cell-packing
• class-int
• map-group
• service-policy
• atm asynchronous
• atm mcpt-timers
• shut
interface ACR 1
no ip address
The following configuration on the ATM interface enables the asynchronous functionality.
int atm 3/0/0
atm asynchronous
Other configurations supported with respect to L2VPN with this feature are:
MCPT timer:
conf t
int atm 4/0/0
atm mcpt-timers 100 1000 1000
Cell packing:
conf t
int atm 4/0/0
pvc 1/100 l2transport
atm mcpt-timers 100 1000 1000
cell-packing 20 mcpt-timer 2
Xconnect configuration:
conf t
int atm 4/0/0
pvc 1/100 l2transport
xconnect 22.22.22.22 101 encapsulation mpls
conf t
int atm 4/0/0
pvc 1/100 l2transport
xconnect 22.22.22.22 101 encapsulation l2tpv3
Configuration in VP/VC Mode
interface ACR 1
pvc 1/100 l2transport
xconnect 2.2.2.2 100 encapsulation mpls
service-policy out foo
service-policy in foo
Show commands
show acr group acr group no.
Example:
Router# show acr group 10
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
10 ATM2/1/1 ATM2/1/2 ATM2/1/1
show acr group acr group no. detail
Example:
PE2# show acr group 10 detail
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
10 ATM2/1/1 ATM2/1/2 ATM2/1/1
ATM PVC Detail
VPI VCI State on Working State on Protect
16 100 Provision Success Provision Success
show acr group
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
99 ATM4/0/0 ATM4/1/0 ATM4/1/0
The following new show commands have been added in Release 12.2(33)SRE, for QoS support:
show policy-map int ?
ACR interface
show policy-map int ACR ?
<0-255> ACR interface number
When the ATM interface is shut down the VC goes into inactive state:
show atm vc
Codes: DN - DOWN, IN - INACTIVE
Interface VCD/Name VPI VCI Type Encaps SC Peak Kbps Av/Min Kbps Burst Cells St
4/0/0 2 1 100 PVC SNAP UBR 149760 IN
4/0/0 1 2 200 PVC AAL5 UBR 149760 IN
Details of the VC states can be found by:
show atm vc detail
ATM4/0/0: VCD: 1, VPI: 2, VCI: 200
::
Status: INACTIVE
Async Status: SETUP_COMP, Admin Status: DISABLED, Flags: Setup
ATM4/0/0: VCD: 1, VPI: 2, VCI: 200
::
Status: UP
Async Status: SETUP_COMP, Admin Status: ENABLED, Flags: Enable
ACR and APS Co-existence
Configuring APS with the same group number as that of ACR is allowed, but members cannot be added
to it. However, you can configure a working member in APS and the protect member in ACR, and vice
versa.
Sample:
PE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#int atm 2/0/0
PE1(config-if)#do sh runn int atm 2/0/0
Building configuration...
Current configuration : 66 bytes
!
interface ATM2/0/0
no ip address
no atm enable-ilmi-trap
end
PE1(config-if)#aps gr acr 99
% Unconfigure one of the acr groups already configured before configuring here
PE1(config-if)#aps gr 99
PE1(config-if)#aps work 1
i/f 2/0: APS: Group 99 : already has a working member; command ignored
PE1(config-if)#aps prot 1 2.2.2.2
i/f 2/0: APS: Group 99 : already has a protect member; command ignored
PE1(config-if)#do sh runn int atm 2/0/0
Building configuration...
Current configuration : 80 bytes
!
interface ATM2/0/0
no ip address
no atm enable-ilmi-trap
aps group 99
end
PE1(config-if)#do sh aps
ATM4/1/0 APS Group 99: protect channel 0 (Active) (HA)
Working channel 1 at 2.2.3.2 (Disabled) (HA)
bidirectional, non-revertive
PGP timers (extended for HA): hello time=1; hold time=10
hello fail revert time=120
SONET framing; SONET APS signalling by default
Received K1K2: 0x11 0x15
Do Not Revert (working); Bridging working
Transmitted K1K2: 0x21 0x15
Reverse Request (working); Bridging working
Remote APS configuration: (null)
ATM4/0/0 APS Group 99: working channel 1 (Inactive) (HA)
Protect at 2.2.3.2
PGP timers (from protect): hello time=1; hold time=10
SONET framing
Remote APS configuration: (null)
PE1(config-if)#end
PE1#
*Mar 16 12:02:59.471 IST: %SYS-5-CONFIG_I: Configured from console by console
PE1#sh runn int atm 4/0/0
Building configuration...
Current configuration : 74 bytes
!
interface ATM4/0/0
no ip address
aps group acr 99
aps working 1
end
PE1#sh runn int atm 4/1/0
Building configuration...
Current configuration : 82 bytes
!
interface ATM4/1/0
no ip address
aps group acr 99
aps protect 1 2.2.3.2
end
PE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#default int atm 4/0/0
WARNING: use of this command will result in reset of the interface. This will cause
traffic outage.
Are you sure you want to continue? [no]: yes
Interface ATM4/0/0 set to default configuration
PE1(config)#
*Mar 16 12:03:57.923 IST: %SONET-4-ALARM: ATM4/0/0: APS enabling channel
*Mar 16 12:03:57.927 IST: %SONET-6-APSREMSWI: ATM4/0/0 (grp 99 chn 1: ACTIVE): Remote APS
status now non-aps
PE1(config)#do sh runn int atm 4/0/0
Building configuration...
Current configuration : 66 bytes
!
interface ATM4/0/0
no ip address
no atm enable-ilmi-trap
end
PE1(config)#
*Mar 16 12:04:07.539 IST: %SONET-3-APSCOMMLOST: ATM4/1/0 (grp 99 chn 0: ACTIVE): Link to
working channel lost
do sh aps
ATM4/1/0 APS Group 99: protect channel 0 (Active) (HA)
Working channel 1 at 2.2.3.2 (no contact) (HA)
bidirectional, non-revertive
PGP timers (extended for HA): hello time=1; hold time=10
hello fail revert time=120
SONET framing; SONET APS signalling by default
Received K1K2: 0x11 0x15
Do Not Revert (working); Bridging working
Transmitted K1K2: 0x21 0x15
Reverse Request (working); Bridging working
Remote APS configuration: (null)
PE1(config)#int atm 4/0/0
PE1(config-if)#aps gr 99
PE1(config-if)#aps work 1
PE1(config-if)#
*Mar 16 12:04:34.063 IST: %SONET-4-ALARM: ATM4/0/0: APS disabling channel
*Mar 16 12:04:34.063 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/0/0,
changed state to down
*Mar 16 12:04:34.543 IST: %SONET-3-APSCOMMEST: ATM4/1/0 (grp 99 chn 0: ACTIVE): Link to
working channel established - PGP protocol version 4
PE1(config-if)#end
PE1#
*Mar 16 12:04:44.991 IST: %SYS-5-CONFIG_I: Configured from console by console
PE1#sh acr gr
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
99 ATM4/1/0 ATM4/1/0
PE1#sh aps
ATM4/1/0 APS Group 99: protect channel 0 (Active) (HA)
Working channel 1 at 2.2.3.2 (Disabled) (HA)
bidirectional, non-revertive
PGP timers (extended for HA): hello time=1; hold time=10
hello fail revert time=120
SONET framing; SONET APS signalling by default
Received K1K2: 0x11 0x15
Do Not Revert (working); Bridging working
Transmitted K1K2: 0x21 0x15
Reverse Request (working); Bridging working
Remote APS configuration: (null)
ATM4/0/0 APS Group 99: working channel 1 (Inactive) (HA)
Protect at 2.2.3.2
PGP timers (from protect): hello time=1; hold time=10
SONET framing
Remote APS configuration: (null)
Configuring SONET and SDH Framing
The default framing on the ATM OC-3c and OC-12c SPAs is SONET, but the interfaces also support
SDH framing.
Note In ATM environments, the key difference between SONET and SDH framing modes is the type of cell
transmitted when no user or data cells are available. The ATM Forum specifies the use of idle cells when
unassigned cells are not being generated. More specifically, in Synchronous Transport Module-X
(STM-X) mode, an ATM interface sends idle cells for cell-rate decoupling. In Synchronous Transport
Signal-Xc (STS-Xc) mode, the ATM interface sends unassigned cells for cell-rate decoupling.
Note The interface configuration command atm sonet stm-1 is not supported from the 12.2(33)SRC release
onward. If you are using 12.2(33)SRC or a later version, use the atm framing sdh command instead
of the atm sonet stm-1 command.
To change the framing type and configure optional parameters, perform the following procedure
beginning in global configuration mode:
Step 1
Command or Action: Router(config)# interface atm slot/subslot/port
Purpose: Enters interface configuration mode for the indicated port on the specified ATM SPAs.
Step 2
Command or Action: Router(config-if)# atm clock internal
Purpose: (Optional) Configures the interface to use its own internal (onboard) clock to clock
transmitted data. The default (no atm clock internal) configures the interface to use the transmit
clock signal that is recovered from the receive data stream, allowing the switch to provide the
clocking source.
Step 3
Command or Action: Router(config-if)# atm framing {sdh | sonet}
Purpose: (Optional) Configures the interface for either SDH or SONET framing. The default is SONET.
Step 4
Command or Action: Router(config-if)# [no] atm sonet report {all | b1-tca | b2-tca | b3-tca |
default | lais | lrdi | pais | plop | pplm | prdi | ptim | puneq | sd-ber | sf-ber | slof | slos}
Purpose: (Optional) Enables ATM SONET alarm reporting on the interface. The default is for all
reports to be disabled. You can enable an individual alarm, or you can enable all alarms with the
all keyword.
Note This command also supports a none [ignore] option, which cannot be used with any of the other
options. See the “Configuring for Transmit-Only Mode” section on page 7-78 for details.
Step 5
Command or Action: Router(config-if)# [no] atm sonet-threshold {b1-tca value | b2-tca value |
b3-tca value | sd-ber value | sf-ber value}
Purpose: (Optional) Configures the BER threshold values on the interface. The value specifies a
negative exponent to the power of 10 (10 to the power of minus value) for the threshold value. The
default values are the following:
• b1-tca = 6 (10e–6)
• b2-tca = 6 (10e–6)
• b3-tca = 6 (10e–6)
• sd-ber = 6 (10e–6)
• sf-ber = 3 (10e–3)
Step 6
Command or Action: Router(config-if)# end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Verifying the SONET and SDH Framing Configuration
To verify the framing configuration, use the show controllers atm command:
Router# show controllers atm 5/0/1
Interface ATM5/0/1 is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
LOF = 0 LOS = 0 BIP(B1) = 603
LINE
AIS = 0 RDI = 2 FEBE = 2332 BIP(B2) = 1018
PATH
AIS = 0 RDI = 1 FEBE = 28 BIP(B3) = 228
LOP = 0 NEWPTR = 0 PSE = 1 NSE = 2
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: LOF LOS B1-TCA B2-TCA SF LOP B3-TCA
ATM framing errors:
HCS (correctable): 0
HCS (uncorrectable): 0
APS
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = 00
PATH TRACE BUFFER : STABLE
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-7 B2 = 10e-6 B3 = 10e-6
Clock source: line
The following example verifies the framing configuration for 1-Port and 3-Port Clear Channel OC-3
ATM SPA using the show controllers atm command:
Router# show controllers atm 0/2/2
Interface ATM0/2/2 (SPA-3XOC3-ATM-V2[0/2]) is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
LOF = 0 LOS = 1 BIP(B1) = 0
LINE
AIS = 0 RDI = 1 FEBE = 55 BIP(B2) = 0
PATH
AIS = 0 RDI = 1 FEBE = 21 BIP(B3) = 0
LOP = 1 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 0
HCS (uncorrectable): 0
APS
not configured
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = 13
PATH TRACE BUFFER : STABLE
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: line
Configuring for Transmit-Only Mode
The ATM SPAs support operation in a transmit-only mode, where a receive fiber does not need to be
connected. This mode is typically used for one-way applications, such as video-on-demand.
By default, the lack of a receive path generates continuous framing errors, which bring the ATM
interface down. To prevent this, you must configure the ATM interface to disable and ignore all ATM
SONET alarms. The 1-Port OC-48c/STM-16 ATM SPA default framing is SONET.
Note This configuration violates the ATM specifications for alarm reporting.
Transmit-Only Mode Configuration Guidelines
When an ATM interface has been configured to ignore ATM SONET alarms, you cannot configure an IP
address (or other Layer 3 parameter) on the interface. Similarly, you must remove all IP addresses (and
all other Layer 3 parameters) from the interface before beginning this procedure.
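Because atm sonet report none ignore keeps an interface up while suppressing every SONET alarm, it is worth tracking where it is set. The following Python audit is an added example, not part of the Cisco guide: it flags interfaces that ignore alarms without being on an approved transmit-only list, or alongside Layer 3 configuration. The sample configuration, the approved list, the set of Layer 3 commands checked and the finding codes are constructed for illustration.

```python
import re

# Constructed running-config excerpt; interface names and the address are
# sample values, not taken from the guide.
SAMPLE_CONFIG = """\
interface ATM1/0/0
 no ip address
 atm sonet report none ignore
!
interface ATM1/0/1
 ip address 192.0.2.1 255.255.255.0
 atm sonet report none ignore
!
interface ATM1/0/2
 no ip address
 atm sonet report all
!
interface ATM2/0/0
 no ip address
 atm clock internal
!
"""

IGNORE_RE = re.compile(r"^atm sonet report none ignore$")
# Assumed sample of "Layer 3 parameters"; extend it to match local standards.
LAYER3_RE = re.compile(r"^(ip address|ip unnumbered|ipv6 address)\b")


def interface_blocks(config_text):
    """Map each interface name to the list of its sub-commands."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line in ("!", "end"):
            current = None              # "!" separates interface blocks
        elif current and line:
            blocks[current].append(line)
    return blocks


def audit_alarm_suppression(config_text, approved_tx_only):
    """Return (interface, finding code) pairs for alarm-suppression issues."""
    findings = []
    for name, cmds in interface_blocks(config_text).items():
        ignoring = any(IGNORE_RE.match(c) for c in cmds)
        layer3 = any(LAYER3_RE.match(c) for c in cmds)
        if ignoring and name not in approved_tx_only:
            # Alarms are suppressed on a link nobody signed off as one-way.
            findings.append((name, "UNAPPROVED_ALARM_IGNORE"))
        if ignoring and layer3:
            # The guidelines require Layer 3 parameters to be removed first.
            findings.append((name, "LAYER3_WITH_ALARM_IGNORE"))
        if not ignoring and name in approved_tx_only:
            # Without the setting, missing receive fiber brings the port down.
            findings.append((name, "TX_ONLY_WITHOUT_ALARM_IGNORE"))
    return findings


if __name__ == "__main__":
    approved = {"ATM1/0/0", "ATM2/0/0"}   # constructed approval list
    for name, code in audit_alarm_suppression(SAMPLE_CONFIG, approved):
        print(f"{name}: {code}")
```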
Transmit-Only Mode Configuration Task
To configure the ATM interface to disable and ignore all ATM SONET alarms, perform the following
procedure beginning in global configuration mode:
Step 1
Command or Action: Router(config)# interface atm slot/subslot/port[.subinterface]
Purpose: Enters interface (or subinterface) configuration mode for the indicated port on the
specified ATM SPA.
Step 2
Command or Action: Router(config-if)# no ip address ip-address mask
Purpose: Removes the IP address that is assigned to this interface (if one has been configured). All
IP and other Layer 3 configurations must be removed from the interface before ATM SONET alarms can
be ignored.
Step 3
Command or Action: Router(config-if)# atm sonet report none ignore
Purpose: Disables the generation of all ATM SONET alarms, and instructs the ATM interface to remain
up and operational when such alarm conditions exist.
Step 4
Command or Action: Router(config-if)# end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Configuring AToM Cell Relay VP Mode
Transporting ATM data not framed using AAL5 requires relaying individual cells over the MPLS
cloud. Cells can be transported over the MPLS cloud using Single Cell Relay (SCR) or Packed Cell
Relay (PCR) forms. Cell Relay may be based on the VP mode. This VP mode transports cells belonging
to a VP (cells with the same VPI) over the MPLS cloud, either in Single or Packed form.
For more information on AToM configuration, see the feature documentation for Any Transport over
MPLS at:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport.html#wp1046670
To configure Any Transport over MPLS (AToM) Cell Relay in VP Mode, perform the following
procedure beginning in global configuration mode:
Step 1
Command or Action: Router(config)# interface atm slot/subslot/port
Purpose: Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2
Command or Action: Router(config-if)# no ip address ip-address mask
Purpose: Removes the IP address that is assigned to this interface (if one has been configured).
Step 3
Command or Action: Router(config-if)# atm pvp vpi l2transport
Purpose: Creates a permanent virtual path (PVP) used to multiplex (or bundle) one or more virtual
circuits (VCs).
Step 4
Command or Action: Router(config-if)# xconnect peer-router-id vcid encapsulation mpls
Purpose: Routes Layer 2 packets over a specified point-to-point VC by using Ethernet over
multiprotocol label switching (EoMPLS).
Step 5
Command or Action: Router(config-if)# end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
VP Mode Configuration Guidelines
When configuring ATM Cell Relay over MPLS in VP mode, use the following guidelines:
• You do not need to enter the encapsulation aal0 command in VP mode.
• One ATM interface can accommodate multiple types of ATM connections. VP cell relay, VC cell
relay, and ATM AAL5 over MPLS can coexist on one ATM interface.
• If a VPI is configured for VP cell relay, you cannot configure a PVC using the same VPI.
• VP trunking (mapping multiple VPs to one emulated VC label) is not supported in this release.
Each VP is mapped to one emulated VC.
• Each VP is associated with one unique emulated VC ID. The AToM emulated VC type is ATM VP
Cell Transport.
• The AToM control word is supported. However, if a peer PE does not support the control word, it is
disabled. This negotiation is done by LDP label binding.
• VP mode (and VC mode) drop idle cells.
VP Mode Configuration Example
The following example transports single ATM cells over a virtual path:
pseudowire-class vp-cell-relay
 encapsulation mpls
!
interface atm 1/0/0
! Create the PVP as in Step 3 of the procedure; VPI 1 is an example value
 atm pvp 1 l2transport
  xconnect 10.0.0.1 123 pw-class vp-cell-relay
Verifying ATM Cell Relay VP Mode
The following show atm vp command shows that the interface is configured for VP mode cell relay:
Router# show atm vp 1
ATM5/0 VPI: 1, Cell Relay, PeakRate: 149760, CesRate: 0, DataVCs: 1, CesVCs: 0, Status:
ACTIVE
VCD VCI Type InPkts OutPkts AAL/Encap Status
6 3 PVC 0 0 F4 OAM ACTIVE
7 4 PVC 0 0 F4 OAM ACTIVE
TotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0,
TotalBroadcasts: 0 TotalInPktDrops: 0, TotalOutPktDrops: 0
Configuring Packed Cell Relay over Multi-Protocol Label Switching
(PCRoMPLS) on SIP-400 for CeOP and 1-Port OC-48c/STM-16 ATM SPA
Interconnecting ATM networks requires relaying individual cells over the MPLS cloud. Transport of ATM
data not framed using AAL5 framing also requires transport of individual cells over the MPLS cloud.
Cell Relay has two versions:
• Single Cell Relay
• Packed Cell Relay
These are available through three modes:
• VC mode
• VP mode
• Port mode
Configuration Steps
To configure PCRoMPLS on SIP-400 for CeOP and 1-Port OC-48c/STM-16 ATM SPA, run the
commands listed in the following sections.
SUMMARY STEPS
Step 1 atm mcpt-timers timer-values
Step 2 cell-packing 2 mcpt-timer 1
Step 3 xconnect 11.11.11.11 72337 encapsulation mpls
DETAILED STEPS
Step 1
Command or Action: Router(config-if)# atm mcpt-timers timer-values
Purpose: Defines the value of three Maximum Cell Packing Timeout (MCPT) timers under the main ATM
interface.
Step 2
Command or Action: Router(config-if)# cell-packing 2 mcpt-timer 1
Purpose: Enables cell packing with the maximum number of cells allowed to be packed in a packet
with the MCPT timer.
Step 3
Command or Action: Router(config-if)# xconnect 11.11.11.11 72337 encapsulation mpls
Purpose: Routes Layer 2 packets over a specified point-to-point VC.
Configuration Example
interface ATM1/1/1
no ip address
logging event link-status
atm clock INTERNAL
atm mcpt-timers 100 200 300
no atm enable-ilmi-trap
cell-packing 2 mcpt-timer 1
no snmp trap link-status
xconnect 11.11.11.11 72337 encapsulation mpls
Or on a CHOC port:
controller SONET 8/3/0
framing sonet
clock source line
!
sts-1 1
mode vt-15
vtg 1 t1 1 atm
!
!
interface ATM8/3/0.1/1/1
no ip address
atm mcpt-timers 500 1000 1500
no atm enable-ilmi-trap
cell-packing 2 mcpt-timer 1
xconnect 11.11.11.11 72338 encapsulation mpls
!
Sample of PCRoMPLS using pseudowire pw-class
!
pseudowire-class pw_mpls
encapsulation mpls
!
interface ATM8/3/0.1/1/1
no ip address
atm mcpt-timers 500 1000 1500
no atm enable-ilmi-trap
xconnect 11.11.11.11 72338 pw-class pw_mpls
!
PCRoMPLS using the cell-packing command
interface ATM8/3/0.1/1/1
no ip address
atm mcpt-timers 500 1000 1500
no atm enable-ilmi-trap
cell-packing 2 mcpt-timer 1
xconnect 11.11.11.11 72338 encapsulation mpls
!
Or,
PE1(config)#interface ATM2/1/0
PE1(config-if)#at mc
PE1(config-if)#atm mcpt-timers
shutdown interface before modify mcpt values
PE1(config-if)#shutdown
PE1(config-if)#at
PE1(config-if)#atm mc
PE1(config-if)#atm mcpt-timers
PE1(config-if)# pvc 3/100 l2transport
PE1(cfg-if-atm-l2trans-pvc)# cell-packing 20 mcpt-timer 3
PE1(cfg-if-atm-l2trans-pvc)# encapsulation aal0
PE1(cfg-if-atm-l2trans-pvc)# xconnect 10.0.0.5 100 encapsulation mpls
PE1(cfg-if-atm-l2trans-pvc-xconn)# !
PE1(cfg-if-atm-l2trans-pvc-xconn)#end
Sample configuration on a SONET interface using xconnect:
osr3(config)#Controller SONET 8/3/0
osr3(config-controller)#sts-1 ?
<1-3> sts-1 number
osr3(config-ctrlr-sts1)#vtg ?
<1-7> vtg number <1-7>
osr3(config-ctrlr-sts1)#vtg 1 t1 ?
<1-4> t1 line number <1-4>
Controller SONET 8/3/0
framing sonet
clock source line
!
sts-1 1
mode vt-15
vtg 1 t1 1 atm
!
interface ATM8/3/0.1/1/1
no ip address
atm mcpt-timers 500 1000 1500
no atm enable-ilmi-trap
cell-packing 28 mcpt-timer 3
xconnect 11.11.11.11 72338 encapsulation mpls
!
Send bidirectional traffic from end to end with all different framing types
(config-controller)#framing ?
esf Extended Superframe
sf Superframe
unframed Clear T1
Verifying the PCRoMPLS configuration
Use the show atm cell-packing and show atm pvc slot/bay/port commands to verify the connectivity
and configuration.
Sample Show Command Output
Sample output for the show atm cell-packing command is given below:
osr3#show atm cell-packing
                                   average                 average
                circuit     local  nbr of cells     peer   nbr of cells     MCPT
                type        MNCP   rcvd in one pkt  MNCP   sent in one pkt  (us)
ATM1/1/0        vc 246/246  2      0                1      1                30
ATM1/1/1        port        2      0                2      0                100
ATM8/3/0.1/1/1  port        28     0                1      0                1500
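An added example, not part of the Cisco guide: a Python cross-check of the cell-packing configuration samples on this page against the show atm cell-packing sample above. It assumes, as the page's samples suggest, that the local MNCP column reflects the configured cell-packing value and that the MCPT column is the timer selected by mcpt-timer; the function names and finding codes are hypothetical.

```python
import re

# Interface blocks from this page's PCRoMPLS samples, trimmed to the relevant
# lines (ATM8/3/0.1/1/1 uses the "cell-packing 28 mcpt-timer 3" variant).
CONFIG = """\
interface ATM1/1/1
 no ip address
 atm mcpt-timers 100 200 300
 cell-packing 2 mcpt-timer 1
 xconnect 11.11.11.11 72337 encapsulation mpls
!
interface ATM8/3/0.1/1/1
 no ip address
 atm mcpt-timers 500 1000 1500
 cell-packing 28 mcpt-timer 3
 xconnect 11.11.11.11 72338 encapsulation mpls
!
"""

# The page's show atm cell-packing sample, header lines included.
SHOW_OUTPUT = """\
osr3#show atm cell-packing
average average
circuit local nbr of cells peer nbr of cells MCPT
type MNCP rcvd in one pkt MNCP sent in one pkt (us)
ATM1/1/0 vc 246/246 2 0 1 1 30
ATM1/1/1 port 2 0 2 0 100
ATM8/3/0.1/1/1 port 28 0 1 0 1500
"""

# interface, circuit type ("vc vpi/vci" or "port"), then five numeric columns.
ROW_RE = re.compile(
    r"^(\S+)\s+(?:vc\s+(\d+/\d+)|port)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def expected_from_config(config_text):
    """Return {(interface, circuit): (max cells, MCPT in us or None)}."""
    timers, pending = {}, []
    intf, circuit = None, "port"
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)$", line):
            intf, circuit = m.group(1), "port"
        elif line == "!":
            circuit = "port"            # a "!" closes any PVC sub-block
        elif m := re.match(r"pvc\s+(\d+/\d+)\s+l2transport$", line):
            circuit = m.group(1)
        elif m := re.match(r"atm mcpt-timers\s+(\d+)\s+(\d+)\s+(\d+)$", line):
            timers[intf] = tuple(map(int, m.groups()))
        elif m := re.match(r"cell-packing\s+(\d+)\s+mcpt-timer\s+([123])$", line):
            pending.append((intf, circuit, int(m.group(1)), int(m.group(2))))
    expected = {}
    for intf, circuit, cells, index in pending:
        values = timers.get(intf)       # None if timers were never set explicitly
        expected[(intf, circuit)] = (cells, values[index - 1] if values else None)
    return expected


def parse_show_cell_packing(text):
    """Parse the data rows; prompt and header lines do not match ROW_RE."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        local_mncp, _avg_rx, peer_mncp, _avg_tx, mcpt_us = map(int, m.groups()[2:])
        rows[(m.group(1), m.group(2) or "port")] = {
            "local_mncp": local_mncp, "peer_mncp": peer_mncp, "mcpt_us": mcpt_us}
    return rows


def cross_check(config_text, show_text):
    """Compare what the config implies with what the router reports."""
    expected = expected_from_config(config_text)
    observed = parse_show_cell_packing(show_text)
    findings = []
    for key, row in observed.items():
        if key not in expected:
            findings.append((key, "NO_CONFIG_FOR_CIRCUIT"))
            continue
        cells, mcpt_us = expected[key]
        if row["local_mncp"] != cells:
            findings.append((key, "MNCP_MISMATCH"))
        if mcpt_us is not None and row["mcpt_us"] != mcpt_us:
            findings.append((key, "MCPT_MISMATCH"))
    for key in sorted(expected.keys() - observed.keys()):
        findings.append((key, "CONFIGURED_BUT_NOT_SHOWN"))
    return findings


if __name__ == "__main__":
    for (intf, circuit), issue in cross_check(CONFIG, SHOW_OUTPUT):
        print(f"{intf} [{circuit}]: {issue}")
```

The ATM1/1/0 VC is reported only because no configuration for it appears on this page; both port-mode circuits match their configured values.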
A sample output for the show xconnect all command is given below:
osr3#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi8/0/0(Ethernet) UP mpls 11.11.11.11:3 UP
DN ac Gi7/0/2(Ethernet) DN mpls 11.11.11.11:4 DN
UP ac AT1/1/1(ATM CELL) UP mpls 11.11.11.11:72337 UP
AD ac AT8/3/0.1/1/1(ATM CELL) AD mpls 11.11.11.11:72338 DN
DN ac AT1/1/0:123/123(ATM VCC CEL UP mpls 11.11.11.11:88001 DN
DN ac AT1/1/0:0/300(ATM VCC CELL) UP mpls 44.44.44.44:77001 DN
DN ac AT1/1/0:246/246(ATM VCC CEL UP mpls 44.44.44.44:99001 DN
osr3#
A sample output for show mpls l2transport vc is given below:
osr3#show mpls l2transport vc ?
<1-4294967295> VC ID or min VC ID value
destination Destination address of the VC
detail Detailed information
interface Local interface of the VC
vcid VC ID or min-max range of the VC IDs
| Output modifiers
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
AT1/1/1 ATM CELL ATM1/1/1 11.11.11.11 72337 UP
AT8/3/0.1/1/1 ATM CELL ATM8/3/0.1/1/1 11.11.11.11 72338 ADMIN DOWN
AT1/1/0 ATM VCC CELL 123/123 11.11.11.11 88001 DOWN
AT1/1/0 ATM VCC CELL 0/300 44.44.44.44 77001 DOWN
AT1/1/0 ATM VCC CELL 246/246 44.44.44.44 99001 DOWN
A more detailed output of the command is shown below:
PE17#show mpls l2 vc destination 11.11.11.11 detail | begin AT1/1/1
Local interface: AT1/1/1 up, line protocol up, ATM CELL ATM1/1/1 up
Destination address: 11.11.11.11, VC ID: 72337, VC status: up
Output interface: Gi7/0/1, imposed label stack {59 1301}
Preferred path: not configured
Default path: active
Next hop: 47.0.0.4
Create time: 01:31:35, last status change time: 01:30:56
Signaling protocol: LDP, peer 11.11.11.11:0 up
Targeted Hello: 39.39.39.39(LDP Id) -> 11.11.11.11
Status TLV support (local/remote) : enabled/supported
Label/status state machine : established, LruRru
Last local dataplane status rcvd: no fault
Last local SSS circuit status rcvd: no fault
Last local SSS circuit status sent: no fault
Last local LDP TLV status sent: no fault
Last remote LDP TLV status rcvd: no fault
MPLS VC labels: local 1309, remote 1301
Group ID: local 0, remote 0
MTU: local n/a, remote n/a
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 368219176, send 379593764
byte totals: receive 39767653888, send 40996127808
packet drops: receive 0, seq error 0, send 0
Local interface: AT8/3/0.1/1/1 admin down, line protocol down, ATM CELL ATM8/3/0.1/1/1
admin down
Destination address: 11.11.11.11, VC ID: 72338, VC status: down
Output interface: if-?(0), imposed label stack {}
Preferred path: not configured
Default path: no route
No adjacency
Create time: 00:44:02, last status change time: 00:33:44
Signaling protocol: LDP, peer 11.11.11.11:0 up
Targeted Hello: 39.39.39.39(LDP Id) -> 11.11.11.11
Status TLV support (local/remote) : enabled/unknown (no remote binding)
Label/status state machine : ldp ready, LndRnd
Last local dataplane status rcvd: no fault
Last local SSS circuit status rcvd: DOWN(Hard-down)
Last local SSS circuit status sent: not sent
Last local LDP TLV status sent: not sent
Last remote LDP TLV status rcvd: unknown (no remote binding)
MPLS VC labels: local unassigned, remote unassigned
Group ID: local unknown, remote unknown
MTU: local unknown, remote unknown
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 0, send 0
byte totals: receive 0, send 0
packet drops: receive 0, seq error 0, send 0
Configuring AToM Cell Relay Port Mode
Transporting of ATM data not framed using AAL5 requires relaying individual cells over the MPLS
cloud. Cells can be transported over the MPLS cloud using Single Cell Relay (SCR) or Packed Cell
Relay (PCR) forms. Cell Relay may be based on the Port mode. The Port mode involves transporting all
the cells arriving on an ATM port over the MPLS cloud, separately or packed together.
Note that AToM cell relay port mode is supported only on SIP-200 and SIP-400 line cards for the
12.2(33)SRD release.
For more detailed information on AToM configuration, including the procedures “Configuring ATM Single
Cell Relay over MPLS” and “Configuring ATM Packed Cell Relay over MPLS,” refer to the Any
Transport over MPLS documentation at:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport.html#wp1046670
Step 1
Command or Action: enable
Example: Router# enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: interface atm slot/bay/port
Example: Router(config)# interface atm 1/1/0
Purpose: Specifies an ATM interface and enters interface configuration mode.
Step 4
Command or Action: xconnect peer-router-id vcid encapsulation mpls
Example: Router(config-if)# xconnect 10.0.0.1 123 encapsulation mpls
Purpose: Binds the attachment circuit to the interface.
Step 5
Command or Action: end
Example: Router(config-if)# end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Port Mode Configuration Guidelines
When configuring ATM cell relay over MPLS in port mode, use the following guidelines:
• The pseudowire VC type is set to ATM transparent cell transport (AAL0).
• The AToM control word is supported. However, if the peer PE does not support a control word, the
control word is disabled. This negotiation is done by LDP label binding.
• Port mode and VP and VC mode are mutually exclusive. If you enable an ATM main interface for
cell relay, you cannot enter any PVP or PVC commands.
• If the pseudowire VC label is withdrawn due to an MPLS core network failure, the PE router sends
a line AIS to the CE router.
Port Mode Configuration Example
The following example transports single ATM cells over a virtual path:
pseudowire-class vp-cell-relay
 encapsulation mpls
!
interface atm 1/0/0
 xconnect 10.0.0.1 123 pw-class vp-cell-relay
Verifying ATM Cell Relay Port Mode
The following show atm route and show mpls l2transport vc commands show that the interface is
configured for port mode cell relay:
Router# show atm route
ATM5/0 VPI: 1, Cell Relay, PeakRate: 149760, CesRate: 0, DataVCs: 1, CesVCs: 0, Status:
ACTIVE
VCD VCI Type InPkts OutPkts AAL/Encap Status
6 3 PVC 0 0 F4 OAM ACTIVE
7 4 PVC 0 0 F4 OAM ACTIVE
TotalInPkts: 0, TotalOutPkts: 0, TotalInFast: 0, TotalOutFast: 0,
TotalBroadcasts: 0 TotalInPktDrops: 0, TotalOutPktDrops: 0
Router# show mpls l2transport vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------- --------------- ---------- ----------
AT1/1/0 ATM CELL ATM1/1/0 10.1.1.121 1121 UP
Configuring QoS Features on ATM SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
information about the QoS features supported by the ATM SPAs, see the “Configuring QoS Features on
a SIP” section on page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”
ATM SPA QoS Configuration Guidelines
For the 2-Port and 4-Port OC-3c/STM-1 ATM SPA, the following applies:
• In the ingress direction, all Quality of Service (QoS) features are supported by the Cisco 7600
SIP-200 and SIP-400.
• The following features are not supported on an ATM SPA:
– Hierarchical policy maps with queuing features.
– Traffic Shaping
• The following features are supported on an ATM SPA:
– Strict priority
– Ingress, no queueing is supported.
• VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell
Relay.
• In the egress direction:
– All queueing-based features (such as class-based weighted fair queueing [CBWFQ], and ATM
per-VC WFQ, WRED, and shaping) are implemented on the segmentation and reassembly
(SAR) processor on the SPA.
– Policing, classification, and marking are implemented on the SIP.
– Class queue shaping is not supported.
– For detailed support information, see “QoS Congestion Management and Avoidance Feature
Compatibility by SIP and SPA Combination.”
Phase 2 Local Switching Redundancy
Phase 2 Local Switching Redundancy provides a backup attachment circuit (AC) when the primary
attachment circuit fails. All the ACs must be on the same Cisco 7600 series router.
The following combinations of ATM ACs are supported:
• ATM ACs on the same SPA
• ATM ACs on different SPAs on the same SIP
• ATM ACs on different SIPs on the same Cisco 7600 series router
Note For Cisco IOS release 12.2(33)SRC, this feature is supported on the 24-Port Channelized T1/E1 ATM
CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, as well as the 2-Port and 4-Port
OC-3c/STM-1 ATM SPA, the 1-Port OC-12c/STM-4 ATM SPA, and the 1-Port OC-48c/STM-16 ATM
SPA.
Guidelines
• Autoconfiguration of ATM interfaces is supported.
• Only the tail-end AC can be backed up; if the head end fails, there is no protection.
• The circuit type of the primary and backup AC must be identical (failover operation will not switch
between different types of interfaces or different CEM circuit types).
• Only one backup AC is allowed for each connection.
• Autoconfiguration is allowed for backup ATM Permanent Virtual Circuits (PVCs) or ATM
Permanent Virtual Paths (PVPs).
• The ATM circuit used as a backup in a local switching connection cannot be used for xconnect
configurations.
• Dynamic modification of parameters in a local switching connection is not supported in the case
where the tail-end segment is backed up to a segment using the backup command. If you want to
modify the parameters in any of the three segments (head-end, tail-end, or backup segment), you
must first unconfigure with the backup command, make the changes in the individual segments, and
then re-configure the backup with the backup command.
Configuration
Step 1
Command or Action: Router(config)# [no] connect name atma/b/c vpi/vci atmx/y/z vpi/vci
Purpose: Configures a local switching connection between two ATM interfaces. The no form of this
command unconfigures a local switching connection between two ATM interfaces.
Command or Action: Router(config-connection)# backup interface atm x/y/z vpi/vci
Purpose: Backs up a locally switched ATM connection.
Configuration Example
Router(config)# connect ATM atm2/0/0 0 atm3/0/0 0
Router(config-connection)# backup interface atm4/0/0 1
Verifying
Use the show xconnect all command to check the status of the backup and primary circuits.
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command: Router# copy running-config startup-config
Purpose: Writes the new configuration to NVRAM.
Note To permanently save your configuration changes, you must write them to the nonvolatile RAM
(NVRAM) by entering the copy running-config startup-config command in privileged EXEC mode.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Multi Router Automatic Protection Switching (MR-APS) Integration with Hot
Standby Pseudowire
Multi router automatic protection switching (MR-APS) enables interface connections to switch from
one circuit to another if a circuit fails. Interfaces can be switched in response to a router failure,
degradation or loss of channel signal, or manual intervention. In a multi router environment,
MR-APS allows the protected SONET interface to reside in a different router from the working SONET
interface.
Service providers are migrating to Ethernet networks from their existing SONET or SDH equipment to
reduce cost. Any transport over MPLS (AToM) pseudowires (PWs) help service providers to maintain
their investment in asynchronous transfer mode (ATM) or time division multiplexing (TDM) networks
and change only the core from SONET or SDH to Ethernet. When service providers move from
SONET or SDH to Ethernet, network availability is always a concern. Therefore, to enhance network
availability, service providers use PWs.
The hot-standby PW support for ATM and TDM access circuits (ACs) allows the backup PW to be in a
hot-standby state, so that it can immediately take over if the primary PW fails. The present hot-standby
PW solution does not support access circuits (ACs) as part of the APS group. The PWs that are
configured over the protected interface remain in the down state. This increases the PW switchover
time in case of an APS switchover. MR-APS integration with a hot standby pseudowire is an integration
of APS with ATM or TDM hot standby PWs created over the SIP 400 line card for the Cisco 7600
platform and improves the switchover time.
Figure 7-7 explains MR-APS integration with hot standby PW feature implementation.
Figure 7-7 MR- APS Integration with Hot Standby Pseudowire Implementation
In this example, routers P1 and PE1 are in the same APS group G1, and routers P2 and PE2 are in the
same APS group G2. In group G1, P1 is the working router and PE1 is the protected router. Similarly, in
group G2, P2 is the working router and PE2 is the protected router.
The MR-APS integration with hot standby pseudowire deployment involves cell sites connected to the
provider network using bundled T1/E1 connections. These T1/E1 connections are aggregated into the
optical carrier 3 (OC3) or optical carrier 12 (OC12) links using the add-drop multiplexers (ADMs).
For more information on APS, see the Automatic Protection Switching section in the Cisco 7600 Series
Router SIP, SSC, and SPA Software Configuration Guide at the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfstm1.html#wp1216498
Failover Operations
The MR-APS integration with hot standby pseudowire feature handles the following failures:
• Failure 1, where the link between ADM and P1 goes down, or the connecting ports at ADM or P1
go down.
• Failure 2, where the router P1 fails.
• Failure 3, where the router P1 is isolated from the core.
Figure 7-8 explains the failure points in the network.
Figure 7-8 Failure Points in a Network
In case of failure 1, where either port at the ADM goes down, the port at the router goes down, or the
link between the ADM and the router fails, the APS switchover triggers the pseudowires at the protect
interface to become active. The same applies to failure 2, where the complete router fails.
In case of failure 3, where all the links carrying primary and backup traffic lose the connection, a new
client is added to the inter chassis redundancy manager (ICRM) infrastructure to handle the core
isolation. The client listens to the events from the ICRM. Upon receiving the core isolation event from
the ICRM, the client either initiates the APS switchover or raises the alarm, based on the peer core
isolation state. If an APS switchover occurs, it changes the APS inactive interface to active and hence
activates the PWs at the interface. Similarly, when core connectivity is restored, the client clears the
alarms or triggers the APS switchover, based on the peer core isolation state. ICRM monitors the
directly connected interfaces only. Hence, only failures in the directly connected interfaces can
cause a core isolation event.
Restrictions
The following restrictions apply to the MR-APS integration with hot standby pseudowire feature:
• MR-APS integration with hot standby PW is supported only on the SIP 400 line cards.
• For ATM pseudowires, only ATM asynchronous mode is supported.
• Revertive APS mode should not be configured on the interfaces.
• MR-APS integration with hot standby pseudowire is supported only on 1-port channelized OC-3
STM1 ATM CEoP SPA and 2-port and 4-port OC-3c/STM-1 ATM SPA.
• APS group number should be greater than zero.
• Do not configure the backup delay value command if the MR-APS integration with hot standby
pseudowire feature is configured.
• Unconfiguring the mpls ip command on the core interface is not supported.
• The hspw force switch command is not supported.
Configuring MR-APS Integration with Hot Standby Pseudowire on an ATM Interface
Complete these steps to configure the MR-APS integration with hot standby pseudowire. This involves
configuring the working routers and protect routers that are part of the APS group.
SUMMARY STEPS
1. enable
2. configure terminal
3. pseudowire-class pw-class-name
4. encapsulation mpls
5. status peer topology dual-homed
6. exit
7. redundancy
8. interchassis group group-id pw-class-name
9. member ip ip-address
10. backbone interface interface ip-address
11. backbone interface interface ip-address
12. exit
13. interface atm slot/subslot/port
14. atm asynchronous
15. aps group group_id
16. aps [working | protect] aps-group-number [ip-address]
17. aps hspw-icrm-grp icrm-group-number
18. atm pvc vpi/vci l2transport
19. xconnect peer-ip-address vc-id pw-class pw-class-name
20. backup peer ip-address vc-id pw-class pw-class-name
21. end
Detailed Steps
Command Purpose
Step 1 enable
Example:
Router> enable
Enables the privileged EXEC mode. If prompted, enter
your password.
Step 2 configure terminal
Example:
Router# configure terminal
Enters the global configuration mode.
Step 3 pseudowire-class pw-class-name
Example:
Router(config)# pseudowire-class hw_aps
Specifies the name of a pseudowire class and enters
pseudowire class configuration mode.
Step 4 encapsulation mpls
Example:
Router(config-pw-class)# encapsulation mpls
Specifies that MPLS is used as the data encapsulation
method for tunneling Layer 2 traffic over the pseudowire.
Step 5 status peer topology dual-homed
Example:
Router(config-pw-class)# status peer topology dual-homed
Enables the reflection of the attachment circuit status on
both the primary and secondary pseudowires. This configuration is
necessary if the peer PEs are connected to a dual-homed device.
Step 6 exit
Example:
Router(config-pw-class)# exit
Exits pseudowire class configuration mode.
Step 7 redundancy
Example:
Router(config)# redundancy
Enters the redundancy configuration mode.
Step 8 interchassis group group-id
Example:
Router(config-red)# interchassis group 50
Configures an interchassis group within the redundancy
configuration mode and enters the interchassis
redundancy mode.
Step 9 member ip ip-address
Example:
Router(config-r-ic)# member ip 60.60.60.2
Configures the IP address of the peer member group.
Step 10 backbone interface interface
Example:
Router(config-r-ic)# backbone interface GigabitEthernet 2/3
Specifies the backbone interface.
Step 11 exit
Example:
Router(config-r-ic)# exit
Exits the redundancy mode.
Step 12 exit
Example:
Router(config-if)# exit
Exits the interface configuration mode.
Step 13 interface atm slot/subslot/port
Example:
Router(config)# interface atm 3/1/0
Enters interface configuration mode for the indicated port
on the specified ATM SPA.
slot/subslot/port—Specifies the location of the interface.
Step 14 atm asynchronous
Example:
Router(config-if)# atm asynchronous
Enables or disables the asynchronous functionality on the
ATM interface.
Step 15 aps group group_id
Example:
Router(config-if)# aps group 1
Configures the APS group for ATM.
Step 16 aps [working | protect] aps-group-number
Example:
Router(config-if)# aps working 1
Configures the APS group as the working interface.
Step 17 aps hspw-icrm-grp icrm-group-number
Example:
Router(config-if)# aps hspw-icrm-grp 1
Associates the APS group to an interchassis redundancy
manager (ICRM) group number.
Step 18 pvc vpi/vci l2transport
Example:
Router(config-if)# pvc 1/100 l2transport
Assigns a virtual path identifier (VPI) and VCI and enters
ATM PVC l2transport configuration mode.
• vpi—ATM network virtual path identifier (VPI) of
the VC to multiplex on the permanent virtual path.
The range is from 0 to 255.
• vci—Specifies the virtual channel identifier.
Note The l2transport keyword indicates that the PVC
is a switched PVC instead of a terminated PVC.
Step 19 xconnect peer-ip-address vcid pw-class pw-class-name
Example:
Router(config-if)# xconnect 3.3.3.3 1 pw-class hw_aps
Specifies the IP address of the peer PE router and the
32-bit virtual circuit identifier shared between the PEs at
each end of the control channel. The peer router ID (IP
address) and virtual circuit ID must be a unique
combination on the router.
pw-class-name—The pseudowire class configuration
from which the data encapsulation type is taken.
Step 20 backup peer peer-id vc-id pw-class pw-class-name
Example:
Router(config-if-srv)# backup peer 4.3.3.3 90 pw-class hw_aps
Specifies a redundant peer for a pseudowire virtual
circuit.
Step 21 end
Example:
Router(config-if-srv)# end
Exits the configuration session.
Examples
Figure 7-9 is a sample configuration for MR-APS integration with hot standby pseudowire.
Figure 7-9 Sample Configuration for MR-APS Integration with Hot Standby Pseudowire
This example shows how to configure the MR-APS integration with hot standby pseudowire on the
working router P1 shown in Figure 7-9.
RouterP1> enable
RouterP1# configure terminal
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# interface ATM 4/0/0
RouterP1(config-if)# atm asynchronous
RouterP1(config-if)# aps group 3
RouterP1(config-if)# aps working 1
RouterP1(config-if)# aps hspw-icrm-grp 1
RouterP1(config-if)# pvc 1/100 l2transport
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end
This example shows how to configure the MR-APS integration with hot standby pseudowire on the
protect router PE1 shown in Figure 7-9.
RouterPE1> enable
RouterPE1# configure terminal
RouterPE1(config)# pseudowire-class hspw_aps
RouterPE1(config-pw-class)# encapsulation mpls
RouterPE1(config-pw-class)# status peer topology dual-homed
RouterPE1(config-pw-class)# exit
RouterPE1(config)# redundancy
RouterPE1(config-red)# interchassis group 1
RouterPE1(config-r-ic)# member ip 14.2.0.1
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 2/2/1
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 3/2/0
RouterPE1(config-r-ic)# exit
RouterPE1(config)# interface ATM 3/1/1
RouterPE1(config-if)# atm asynchronous
RouterPE1(config-if)# aps group 3
RouterPE1(config-if)# aps protect 1 14.2.0.2
RouterPE1(config-if)# aps hspw-icrm-grp 1
RouterPE1(config-if)# pvc 1/100 l2transport
RouterPE1(config-if)# xconnect 3.3.3.3 3 encapsulation mpls pw-class hspw_aps
RouterPE1(config-if)# backup peer 4.4.4.4 4 pw-class hspw_aps
RouterPE1(config-if)# exit
RouterPE1(config)# end
This example shows how to configure the MR-APS integration with hot standby pseudowire on the
working router P2 shown in Figure 7-9.
RouterP2> enable
RouterP2# configure terminal
RouterP2(config)# pseudowire-class hspw_aps
RouterP2(config-pw-class)# encapsulation mpls
RouterP2(config-pw-class)# status peer topology dual-homed
RouterP2(config-pw-class)# exit
RouterP2(config)# redundancy
RouterP2(config-red)# interchassis group 1
RouterP2(config-r-ic)# member ip 14.6.0.2
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/4
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/3
RouterP2(config-r-ic)# exit
RouterP2(config)# interface ATM 2/1/0
RouterP2(config-if)# atm asynchronous
RouterP2(config-if)# aps group 4
RouterP2(config-if)# aps working 1
RouterP2(config-if)# aps hspw-icrm-grp 1
RouterP2(config-if)# pvc 1/100 l2transport
RouterP2(config-if)# xconnect 1.1.1.1 1 encapsulation mpls pw-class hspw_aps
RouterP2(config-if)# backup peer 2.2.2.2 3 pw-class hspw_aps
RouterP2(config-if)# exit
RouterP2(config)# end
This example shows how to configure the MR-APS integration with hot standby pseudowire on the
protect router PE2 shown in Figure 7-9.
RouterPE2> enable
RouterPE2# configure terminal
RouterPE2(config)# pseudowire-class hspw_aps
RouterPE2(config-pw-class)# encapsulation mpls
RouterPE2(config-pw-class)# status peer topology dual-homed
RouterPE2(config-pw-class)# exit
RouterPE2(config)# redundancy
RouterPE2(config-red)# interchassis group 1
RouterPE2(config-r-ic)# member ip 14.6.0.1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/2
RouterPE2(config-r-ic)# exit
RouterPE2(config)# interface ATM 3/1/0
RouterPE2(config-if)# atm asynchronous
RouterPE2(config-if)# aps group 4
RouterPE2(config-if)# aps protect 1 14.6.0.2
RouterPE2(config-if)# aps hspw-icrm-grp 1
RouterPE2(config-if)# pvc 1/100 l2transport
RouterPE2(config-if)# xconnect 1.1.1.1 2 encapsulation mpls pw-class hspw_aps
RouterPE2(config-if)# backup peer 2.2.2.2 4 pw-class hspw_aps
RouterPE2(config-if)# exit
RouterPE2(config)# end
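The restrictions and required commands for this feature can be checked mechanically before a change is committed. The following Python audit is an added example, not Cisco code: the finding names and BAD_CONFIG are constructed for illustration, P1_SESSION is the P1 session shown above, and `aps revert` is assumed to be the command that enables revertive APS mode.

```python
import re

# Strips an IOS prompt such as "RouterP1(config-if)# " so that a pasted session
# and "show running-config" text are handled the same way.
PROMPT = re.compile(r"^\S+?(\(config[^)]*\))?[>#]\s*")
MODE_OPENERS = ("pseudowire-class ", "interface ", "redundancy")

def parse_sections(text):
    """Return [(opener, [commands])], one entry per configuration mode entered."""
    sections = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line in ("!", "exit", "end"):
            continue
        if line.startswith(MODE_OPENERS):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def audit(text):
    """Return sorted (interface, finding) pairs; an empty list means no finding."""
    sections = parse_sections(text)
    pw_classes = {h.split()[1]: cmds for h, cmds in sections
                  if h.startswith("pseudowire-class ")}
    icrm_groups = {c.split()[2] for h, cmds in sections if h == "redundancy"
                   for c in cmds if c.startswith("interchassis group ")}
    findings = []
    for header, cmds in sections:
        match = re.match(r"interface\s+atm\s*(\S+)", header, re.I)
        icrm = [c.split()[2] for c in cmds if c.startswith("aps hspw-icrm-grp ")]
        if not match or not icrm:
            continue  # the feature is not enabled on this interface
        problems = []
        if "atm asynchronous" not in cmds:
            problems.append("atm-asynchronous-missing")
        if any(c.startswith("aps revert") for c in cmds):  # revertive APS mode
            problems.append("revertive-aps-configured")
        groups = [int(c.split()[2]) for c in cmds if re.fullmatch(r"aps group \d+", c)]
        if not groups or groups[0] <= 0:
            problems.append("aps-group-not-greater-than-zero")
        if any(c.startswith("backup delay") for c in cmds):
            problems.append("backup-delay-configured")
        if icrm[0] not in icrm_groups:
            problems.append("icrm-group-not-defined")
        xconnects = [c for c in cmds if c.startswith("xconnect ")]
        backups = [c for c in cmds if c.startswith("backup peer ")]
        if len(backups) < len(xconnects):
            problems.append("xconnect-without-backup-peer")
        for xc in xconnects:
            ref = re.search(r"pw-class (\S+)", xc)
            body = pw_classes.get(ref.group(1), []) if ref else []
            if "status peer topology dual-homed" not in body:
                problems.append("pw-class-not-dual-homed")
        findings += [("ATM" + match.group(1), p) for p in problems]
    return sorted(findings)

# The P1 session from the example above (enable/configure terminal omitted).
P1_SESSION = """\
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# interface ATM 4/0/0
RouterP1(config-if)# atm asynchronous
RouterP1(config-if)# aps group 3
RouterP1(config-if)# aps working 1
RouterP1(config-if)# aps hspw-icrm-grp 1
RouterP1(config-if)# pvc 1/100 l2transport
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end
"""

# Constructed running-config fragment that breaks the restrictions.
BAD_CONFIG = """\
pseudowire-class hspw_aps
 encapsulation mpls
redundancy
 interchassis group 1
  member ip 14.2.0.2
interface ATM3/1/1
 aps group 0
 aps revert 2
 aps protect 1 14.2.0.2
 aps hspw-icrm-grp 2
 pvc 1/100 l2transport
  xconnect 3.3.3.3 3 encapsulation mpls pw-class hspw_aps
   backup delay 0 0
"""
```

`audit(P1_SESSION)` returns an empty list, while `audit(BAD_CONFIG)` returns one finding per violated restriction or missing command for ATM3/1/1.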
Verification
Use these commands to verify the MR-APS integration with hot standby pseudowire configuration.
Table 7-2 Verification
Command                              Purpose
show mpls l2transport vc             Displays information about AToM VCs that have been enabled to route Layer 2 packets on a router.
show hspw-aps-icrm group group-id    Displays information about a specified hot standby pseudowire APS group.
show hspw-aps-icrm all               Displays information about all hot standby pseudowire APS and ICRM groups.
show redundancy interchassis         Displays information about interchassis redundancy group configuration.
show xconnect all                    Displays information about all xconnect attachment circuits and pseudowires.
This example shows the output of the show mpls l2transport vc command when routers P1 and P2 are in
active APS status and PE1 and PE2 are in APS inactive status.
P1# show mpls l2 vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
AT4/0/0 ATM AAL5 20/100 3.3.3.3 1 UP
AT4/0/0 ATM AAL5 20/100 4.4.4.4 2 STANDBY
P2# show mpls l2 vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
AT2/1/0 ATM AAL5 20/100 1.1.1.1 1 UP
AT2/1/0 ATM AAL5 20/100 2.2.2.2 3 STANDBY
PE1# show mpls l2 vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
AT3/1/1 ATM AAL5 20/100 3.3.3.3 3 STANDBY
AT3/1/1 ATM AAL5 20/100 4.4.4.4 4 STANDBY
PE2# show mpls l2 vc
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
AT3/1/0 ATM AAL5 20/100 1.1.1.1 2 STANDBY
AT3/1/0 ATM AAL5 20/100 2.2.2.2 4 STANDBY
This example shows the output of the show hspw-aps-icrm group group-id command when routers P1
and P2 are in active status and PE1 and PE2 are in APS inactive status.
P1# show hspw-aps-icrm group 1
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 35 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1
PE1# show hspw-aps-icrm group 1
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 41 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1
P2# show hspw-aps-icrm group 2
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 22 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1
PE2# show hspw-aps-icrm group 2
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 15 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1
This example shows the output of the show hspw-aps-icrm all command when routers P1 and P2 are in
active status and PE1 and PE2 are in APS inactive status.
P1# show hspw-aps-icrm all
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 35 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1
ICRM group count attached to MR-APS HSPW feature is 1
PE1# show hspw-aps-icrm all
ICRM group id 1, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 1 hw_if_index 41 APS valid:Yes
Total aps grp attached to ICRM group 1 is 1
ICRM group count attached to MR-APS HSPW feature is 1
P2# show hspw-aps-icrm all
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 22 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1
ICRM group count attached to MR-APS HSPW feature is 1
PE2# show hspw-aps-icrm all
ICRM group id 2, Flags : My core isolated No,Peer core isolated No, State Connect
APS Group id 2 hw_if_index 15 APS valid:Yes
Total aps grp attached to ICRM group 2 is 1
ICRM group count attached to MR-APS HSPW feature is 1
This example shows the output of the show redundancy interchassis command when routers P1 and
P2 are in active status and PE1 and PE2 are in APS inactive status.
P1# show redundancy interchassis
Redundancy Group 1 (0x1)
Applications connected: MR-APS with HSPW
Monitor mode: Route-watch
member ip: 14.2.0.2 "PE1", CONNECTED
Route-watch for 14.2.0.2 is UP
MR-APS with HSPW state: CONNECTED
backbone int GigabitEthernet1/0/0: UP (IP)
backbone int GigabitEthernet1/0/1: UP (IP)
ICRM fast-failure detection neighbor table
IP Address Status Type Next-hop IP Interface
========== ====== ==== =========== =========
14.2.0.2 UP RW
PE1# show redundancy interchassis
Redundancy Group 1 (0x1)
Applications connected: MR-APS with HSPW
Monitor mode: Route-watch
member ip: 14.2.0.1 "P1", CONNECTED
Route-watch for 14.2.0.1 is UP
MR-APS with HSPW state: CONNECTED
backbone int GigabitEthernet2/2/1: UP (IP)
backbone int GigabitEthernet3/2/0: UP (IP)
ICRM fast-failure detection neighbor table
IP Address Status Type Next-hop IP Interface
========== ====== ==== =========== =========
14.2.0.1 UP RW
This example shows the outputs of the show xconnect all command when routers P1 and P2 are in
active status and PE1 and PE2 are in APS inactive status.
P1# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac AT4/0/0:20/100(ATM AAL5) UP mpls 3.3.3.3:1 UP
IA sec ac AT4/0/0:20/100(ATM AAL5) UP mpls 4.4.4.4:2 SB
PE1# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
SB pri ac AT3/1/1:20/100(ATM AAL5) UP mpls 3.3.3.3:3 SB
IA sec ac AT3/1/1:20/100(ATM AAL5) UP mpls 4.4.4.4:4 SB
P2# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac AT2/1/0:20/100(ATM AAL5) UP mpls 1.1.1.1:1 UP
IA sec ac AT2/1/0:20/100(ATM AAL5) UP mpls 2.2.2.2:3 SB
PE2# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
SB pri ac AT3/1/0:20/100(ATM AAL5) UP mpls 1.1.1.1:2 SB
IA sec ac AT3/1/0:20/100(ATM AAL5) UP mpls 2.2.2.2:4 SB
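The show xconnect all outputs above give two steady-state patterns: on the APS active router the primary pseudowire is UP and the backup is standby, and on the APS inactive router both are standby. The following Python check is an added example, not Cisco code; it treats exactly those two patterns as expected and reports anything else for review, and REVIEW_OUT is constructed sample output.

```python
import re

# One pseudowire row of "show xconnect all": XC state, pri/sec, segment 1 and
# its state, then the MPLS segment (peer:vcid) and its state.
ROW = re.compile(r"^(?P<xc>\w\w)\s+(?P<role>pri|sec)\s+(?P<seg1>.+?)\s+(?P<s1>\w\w)"
                 r"\s+mpls\s+(?P<peer>[\d.]+):(?P<vcid>\d+)\s+(?P<s2>\w\w)$")

def parse_xconnect(output):
    """Return one dict per pseudowire row; legend and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows

def aps_role(rows):
    """Classify a router as 'active', 'inactive' or 'review' from its rows."""
    states = {"pri": [], "sec": []}
    for row in rows:
        states[row["role"]].append((row["xc"], row["s1"], row["s2"]))
    if not states["pri"] or not states["sec"]:
        return "review"
    if any(s != ("IA", "UP", "SB") for s in states["sec"]):
        return "review"
    if all(p == ("UP", "UP", "UP") for p in states["pri"]):
        return "active"
    if all(p == ("SB", "UP", "SB") for p in states["pri"]):
        return "inactive"
    return "review"

def check_aps_group(outputs):
    """outputs maps router name to its 'show xconnect all' text for one APS group."""
    roles = {router: aps_role(parse_xconnect(text)) for router, text in outputs.items()}
    problems = [f"{router}: pseudowire states match neither pattern"
                for router, role in sorted(roles.items()) if role == "review"]
    active = [router for router, role in roles.items() if role == "active"]
    if len(active) != 1:
        problems.append(f"expected exactly one active router, found {len(active)}")
    return roles, problems

# Outputs for P1 and PE1 as shown above.
P1_OUT = """\
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac AT4/0/0:20/100(ATM AAL5) UP mpls 3.3.3.3:1 UP
IA sec ac AT4/0/0:20/100(ATM AAL5) UP mpls 4.4.4.4:2 SB
"""
PE1_OUT = """\
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
SB pri ac AT3/1/1:20/100(ATM AAL5) UP mpls 3.3.3.3:3 SB
IA sec ac AT3/1/1:20/100(ATM AAL5) UP mpls 4.4.4.4:4 SB
"""
# Constructed output: the primary pseudowire is down and the backup has taken over.
REVIEW_OUT = """\
DN pri ac AT4/0/0:20/100(ATM AAL5) UP mpls 3.3.3.3:1 DN
UP sec ac AT4/0/0:20/100(ATM AAL5) UP mpls 4.4.4.4:2 UP
"""
```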
Troubleshooting Tips
Table 7-3 Troubleshooting Tips
Command                  Purpose
debug hspw-aps errors    Displays information about hot standby pseudowire APS group errors.
debug hspw-aps events    Displays information about events related to hot standby pseudowire APS group configuration.
N:1 PVC Mapping to Pseudowires with Non-Unique VPI
Asynchronous Transfer Mode (ATM) over Multi Protocol Label Switching (MPLS) pseudowire is used
to carry ATM cells over an MPLS network. You can configure ATM over MPLS in N-to-1 cell mode or
1-to-1 cell mode. N-to-1 cell mode maps one or more ATM Virtual Channel Connections (VCCs) or
Permanent Virtual Circuits (PVCs) to a single pseudowire, and 1-to-1 cell mode maps a single ATM VCC
or PVC to a single pseudowire. Currently, Cisco 7600 supports N-to-1 mode with N=1 only. Effective
with Cisco IOS release 15.2(1)S, N-to-1 cell mode where N is greater than 1 is also supported for ATM
pseudowires.
Restrictions for N:1 PVC Mapping to Pseudowires with Non-Unique VPI
The following restrictions apply to the N:1 PVC mapping to pseudowires with non-unique Virtual Path
Identifier (VPI) feature:
• Supported only on SIP 400 line cards with 1 GB memory, SPAs SPA-3XOC3-ATM-V2,
SPA-1xOC12-ATM-V2 and all versions of RSP720 and SUP720.
• Ingress and egress queuing features like shaping, bandwidth and priority are not supported.
• The following ingress QoS features are supported on the ATM multipoint subinterface:
– Classification based on the ATM Cell Loss Priority (CLP) bit
– Marking for the MPLS Experimental (EXP) bit
– Frame based policing
• The following egress QoS features are supported on the ATM multipoint subinterface:
– Marking for the ATM CLP bit
– Classification based on the MPLS EXP bit
• Operations, Administration, and Maintenance (OAM) is not supported for PVCs belonging to an N:1
pseudowire group.
• Up to 16000 pseudowires are supported per chassis and 4000 pseudowires per SIP 400.
• Supports up to 32000 PVCs per router, 8000 PVCs per SIP400, and 4000 PVCs per SPA.
• In the ingress direction, on the Provider Edge (PE) router, cells are packed per PVC and not
per subinterface. Cells belonging to a single PVC are packed in a single frame.
• A service policy can be applied at the subinterface level for N:1 PVC mapping to pseudowire
configuration.
• ATM classes of service that are currently supported, including Constant Bit Rate (CBR), Variable
Bit Rate-real time (VBR-rt), and Variable Bit Rate-non-real time (VBR-nrt), are also supported on
PVCs for N:1 PVC mapping to pseudowire configuration.
Configuring N:1 PVC Mapping to Pseudowires with Non-Unique VPI
Perform these steps to configure N:1 PVC mapping to pseudowires with non-unique VPI.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface atm slot/subslot/port
4. atm mcpt-timers timer-1 timer-2 timer-3
5. exit
6. interface atm slot/subslot/port.subinterface multipoint
7. no ip address
8. cell-packing cells mcpt-timer timer
9. xconnect ip_address vc_id encapsulation mpls
10. pvc pvc-id l2transport
11. exit
12. end
Detailed Steps
Command Purpose
Step 1 enable
Example:
Router> enable
Enables the privileged EXEC mode. If prompted, enter
your password.
Step 2 configure terminal
Example:
Router# configure terminal
Enters the global configuration mode.
Step 3 interface atm slot/subslot/port
Example:
Router(config)# interface atm 3/1/0
Enters interface configuration mode for the indicated port
on the specified ATM SPA.
slot/subslot/port—Specifies the location of the interface.
Step 4 atm mcpt-timers timer1 timer2 timer3
Example:
Router(config-if)# atm mcpt-timers 100 1000 1000
Sets the Martini Cell Packing Timer (MCPT) values in
microseconds. The MCPT timer sets the time that the router
waits for the raw cells to be packed into a single packet.
The range for timer1 and timer2 is 10 to 4095. The range
for timer3 is 20 to 4095.
Step 5 exit
Example:
Router(config-if)# exit
Exits the interface configuration mode.
Step 6 interface atm slot/subslot/port.subinterface multipoint
Example:
Router(config)# interface atm 9/1/1.1 multipoint
Creates the specified point-to-multipoint subinterface on
the given port on the specified ATM SPA, and enters the
subinterface configuration mode.
Step 7 cell-packing cells mcpt-timer timer-number
Example:
Router(config-subif)# cell-packing 20 mcpt-timer 2
Enables ATM over MPLS to pack multiple ATM cells into
each MPLS packet within the MCPT timing.
Step 8 xconnect peer-ipaddress vc-id encapsulation mpls
Example:
Router(config-subif)# xconnect 2.2.2.2 100 encapsulation mpls
Enables the attachment circuit.
• peer-ipaddress - Specifies the IP address of the peer
router.
• vc-id - Specifies the virtual circuit identifier. The
range of the VC ID is from 1 to 4294967295.
Step 9 pvc vpi/vci l2transport
Example:
Router(config-subif)# pvc 10/100 l2transport
Assigns a VPI and VCI and enters ATM PVC l2transport
configuration mode.
• vpi—Specifies the ATM network virtual path
identifier (VPI) of the VC to multiplex on the
permanent virtual path. The accepted range is from 0
to 255.
• vci—Specifies the virtual circuit identifier.
The l2transport keyword indicates that the PVC is a
switched PVC instead of a terminated PVC.
Step 10 exit
Example:
Router(config-subif)# exit
Exits the interface configuration mode.
Step 11 end
Example:
Router(config-subif)# end
Exits the configuration session.
Examples
This example shows how to configure the N:1 ATM PVC mapping to pseudowires with a non-unique VPI
on the Cisco 7600 router. Also, a service policy p-map is applied in the ingress direction.
Router> enable
Router# configure terminal
Router(config)# class-map match-all c-map
Router(config-cmap)# match atm clp
Router(config-cmap)# exit
Router(config)# policy-map p-map
Router(config-pmap)# class c-map
Router(config-pmap-c)# set mpls experimental imposition 5
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface atm 9/1/1
Router(config-if)# atm mcpt-timers 20 30 40
Router(config-if)# exit
Router(config)# interface atm 9/1/1.1 multipoint
Router(config-subif)# no ip address
Router(config-subif)# xconnect 2.2.2.2 100 encapsulation mpls
Router(config-subif)# service-policy input p-map
Router(config-subif)# pvc 10/100 l2transport
Router(config-subif)# pvc 11/122 l2transport
Router(config-subif)# pvc 19/231 l2transport
Router(config-subif)# exit
Router(config)# end
This example shows how to configure the N:1 ATM PVC mapping to pseudowires with non-unique VPI
on a Cisco 7600 router with a service policy p-map applied in the egress direction.
Router> enable
Router# configure terminal
Router(config)# class-map match-all c-map
Router(config-cmap)# match mpls experimental topmost 5
Router(config-cmap)# exit
Router(config)# policy-map p-map
Router(config-pmap)# class c-map
Router(config-pmap-c)# set atm clp
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface atm 9/1/1
Router(config-if)# atm mcpt-timers 20 30 40
Router(config-if)# exit
Router(config)# interface atm 9/1/1.1 multipoint
Router(config-subif)# no ip address
Router(config-subif)# xconnect 3.3.3.3 100 encapsulation mpls
Router(config-subif)# service-policy output p-map
Router(config-subif)# pvc 10/100 l2transport
Router(config-subif)# pvc 11/122 l2transport
Router(config-subif)# pvc 19/231 l2transport
Router(config-subif)# exit
Router(config)# end
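The interaction between cell-packing, the MCPT timers and the per-PVC packing restriction is easier to see on a timeline. The following Python model is an added example, not Cisco code: it validates an atm mcpt-timers triple against the ranges given in Step 4 and then packs cells per PVC, assuming that the timer starts when the first cell of a packet arrives and that the mcpt-timer number selects one of the three configured values. CELLS is constructed sample data.

```python
# Allowed range of each MCPT timer in microseconds, from Step 4 above.
MCPT_RANGES_US = {1: (10, 4095), 2: (10, 4095), 3: (20, 4095)}

def validate_mcpt_timers(timers):
    """Return the problems found in an 'atm mcpt-timers t1 t2 t3' triple."""
    if len(timers) != 3:
        return ["atm mcpt-timers takes exactly three values"]
    problems = []
    for number, value in enumerate(timers, start=1):
        low, high = MCPT_RANGES_US[number]
        if not low <= value <= high:
            problems.append(f"timer{number}={value} is outside {low}-{high} us")
    return problems

def pack_cells(cells, max_cells, timers, timer_number):
    """Model 'cell-packing max_cells mcpt-timer timer_number' on one subinterface.

    cells is a list of (arrival_us, "vpi/vci") sorted by arrival time.
    Returns sorted (send_time_us, pvc, cells_in_packet) tuples. Cells are packed
    per PVC, so cells of different PVCs never share a packet.
    """
    if validate_mcpt_timers(timers) or timer_number not in MCPT_RANGES_US:
        raise ValueError("invalid MCPT timer configuration")
    timeout = timers[timer_number - 1]
    pending = {}   # pvc -> (arrival of first cell, cells collected so far)
    packets = []
    for arrival, pvc in cells:
        # Send every partly filled packet whose timer ran out before this cell.
        expired = [p for p, (first, _) in pending.items() if first + timeout <= arrival]
        for waiting in expired:
            first, count = pending.pop(waiting)
            packets.append((first + timeout, waiting, count))
        first, count = pending.get(pvc, (arrival, 0))
        count += 1
        if count == max_cells:
            pending.pop(pvc, None)          # packet is full, send immediately
            packets.append((arrival, pvc, count))
        else:
            pending[pvc] = (first, count)
    # Whatever is still waiting is sent when its timer expires.
    packets += [(first + timeout, pvc, count) for pvc, (first, count) in pending.items()]
    return sorted(packets)

# Constructed cell arrivals (microseconds) on two of the PVCs from the example.
CELLS = [(0, "10/100"), (5, "11/122"), (10, "10/100"), (12, "10/100"), (50, "10/100")]
```

With the timers 20 30 40 from the example, a limit of 3 cells and mcpt-timer 2 (30 microseconds), PVC 10/100 sends a full packet at 12 microseconds, while the single cell on PVC 11/122 waits until its timer expires at 35 microseconds.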
Verification
Use these commands to verify the N:1 ATM PVC mapping to pseudowires with non-unique VPI
configuration.
The show mpls l2transport vc vc-id command displays information about Any Transport over MPLS
(AToM) Virtual Circuits (VCs) that are enabled to route Layer 2 packets on a router. This example shows
the output of the show mpls l2transport vc vc-id command for a specified AToM virtual circuit.
Router# show mpls l2transport vc 100
Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- --------
AT9/1/1.1 ATM CELL ATM9/1/1.1 2.2.2.2 100 UP
The show atm cell-packing command displays cell packing information for
the Layer 2 attachment circuits (ACs) configured on the router.
Router# show atm cell-packing
                            average                 average
circuit              local  nbr of cells     peer   nbr of cells     MCPT
type                 MNCP   rcvd in one pkt  MNCP   sent in one pkt  (us)
-------------------  -----  ---------------  -----  ---------------  ----
ATM1/0/1.1 vc 1/100  30     0                1      0                30
ATM1/0/1.1 vc 2/100  30     0                1      0                30
Shutting Down and Restarting an Interface on a SPA
Shutting down an interface puts it into the administratively down mode and takes it offline, stopping all
traffic that is passing through the interface. Shutting down an interface, though, does not change the
interface configuration.
As a general rule, you do not need to shut down an interface if you are removing it and replacing it with
the same exact model of SPA in an online insertion and removal (OIR) operation. However, we
recommend shutting down an interface whenever you are performing one of the following tasks:
• When you do not need to use the interface in the network.
• Preparing for future testing or troubleshooting.
• Changing the interface configuration in a way that would affect the traffic flow, such as changing
the encapsulation.
• Changing the interface cables.
• Removing a SPA that you do not expect to replace.
• Replacing the SIP with another type of SIP (such as replacing a Cisco 7600 SIP-200 with a
Cisco 7600 SIP-400).
• Replacing an interface card with a different model of card.
Shutting down the interface in these situations prevents anomalies from occurring when you reinstall the
new card or cables. It also reduces the number of error messages and system messages that might
otherwise appear.
Tip: If you are planning on physically removing the SPA from the SIP, also shut down the SPA, using the
procedure given in the “Shutting Down an ATM Shared Port Adapter” section.
Note: If you plan to replace an existing ATM port adapter with an ATM SPA in the Cisco 7600 series router
and want to use the same configuration, save the slot’s configuration before physically replacing the
hardware. This is because all slot configuration is lost when you replace one card type with another card
type, even if the two cards are functionally equivalent. You can then re-enter the previous configuration
after you have inserted the ATM SPA.
To shut down an interface, perform the following procedure beginning in global configuration mode:
Step 1  Command or Action: Router(config)# interface atm slot/subslot/port
        Purpose: Enters interface configuration mode for the indicated port on the specified ATM SPA.
Step 2  Command or Action: Router(config-if)# shutdown
        Purpose: Shuts down the interface.
        Note: Repeat Step 1 and Step 2 for each interface to be shut down.
Step 3  Command or Action: Router(config-if)# end
        Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Tip: When you shut down an interface, the show interface command indicates that the interface is
administratively down until the SPA is physically removed from the chassis or until the SPA is
re-enabled.
The following shows a typical example of shutting down an ATM SPA interface:
Router> enable
Router# configure terminal
Router(config)# interface atm 4/0/0
Router(config-if)# shutdown
Router(config-if)# end
Router# show interface atm 4/0/0
ATM4/0/0 is administratively down, line protocol is down
Hardware is SPA-4XOC3-ATM, address is 000d.2959.d5ca (bia 000d.2959.d5ca)
Internet address is 10.10.10.16/24
MTU 4470 bytes, sub MTU 4470, BW 599040 Kbit, DLY 80 usec,
reliability 255/255, txload 42/255, rxload 1/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 1 current VCCs
VC idle disconnect time: 300 seconds
0 carrier transitions
Last input 01:01:16, output 01:01:16, output hang never
Last clearing of "show interface" counters 01:10:21
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 702176000 bits/sec, 1415679 packets/sec
1000 packets input, 112000 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2948203354 packets output, 182788653886 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Shutting Down an ATM Shared Port Adapter
Shutting down an ATM SPA shuts down all ATM interfaces on the SPA, and puts the SPA and its
interfaces into the administratively down state. This takes all interfaces offline, stopping all traffic that
is passing through the SPA. Shutting down an ATM SPA, though, does not change the configuration of
the SPA and its interfaces.
As a general rule, you do not need to shut down an ATM SPA if you are removing it and replacing it with
the same exact model of SPA in an online insertion and removal (OIR) operation. However, you should
shut down the ATM SPA whenever you are performing one of the following tasks:
• Removing an interface that you do not expect to replace.
• Replacing the SIP with another type of SIP (such as replacing a Cisco 7600 SIP-200 with a
Cisco 7600 SIP-400).
• Replacing the ATM SPA with a different model of SPA.
To shut down the ATM SPA, use the following procedure beginning in global configuration mode:
Step 1  Command or Action: Router(config)# hw-module subslot slot/subslot shutdown [powered | unpowered]
        Purpose: Shuts down the ATM SPA.
        • powered—(Optional) Shuts down the ATM SPA and leaves it in the reset state. This is the default
          and is typically done when you want to shut down the SPA but leave it physically installed and
          cabled in the Cisco 7600 series router.
        • unpowered—(Optional) Shuts down the ATM SPA and leaves it in the unpowered state. Typically,
          this is done before removing the ATM SPA from the chassis.
        Note: Repeat this step for each ATM SPA to be shut down.
        Note: The hw-module subslot shutdown command can be given in both the global configuration and
        privileged EXEC modes. If this command is given in global configuration mode, it can be saved to
        the startup configuration so that it is automatically executed after each reload of the router.
        If given in privileged EXEC mode, the command takes effect immediately, but it is not saved to
        the configuration. In either case, the hw-module subslot shutdown command remains in effect
        during the current session of the Cisco 7600 series router until it is reversed using the no
        form of the command.
Step 2  Command or Action: Router(config)# end
        Purpose: Exits configuration mode and returns to privileged EXEC mode.
The following shows a typical example of shutting down ATM SPAs. In this example, the SPA in subslot
0 is put into reset mode, while the SPA in subslot 1 is powered down.
Router> enable
Router# hw-module subslot 4/0 shutdown powered
Router# hw-module subslot 4/1 shutdown unpowered
Tip: The ATM SPA remains shut down, even after a new SPA is installed or after a reset of the Cisco 7600
series router, until you re-enable the SPA using the no hw-module subslot shutdown command.
Verifying the Interface Configuration
See the following sections to obtain configuration and operational information about the ATM SPA and
its interfaces:
• Verifying Per-Port Interface Status
• Monitoring Per-Port Interface Statistics
For additional information on using these and other commands to obtain information about the
configuration and operation of the ATM SPAs and interfaces, see Chapter 8, “Troubleshooting the ATM
Shared Port Adapter.”
Verifying Per-Port Interface Status
Use the show interfaces atm command to display detailed status information about an interface port in
an ATM SPA that is installed in the Cisco 7600 series router. The following example provides sample
output for interface port 1 (the second port) on the ATM SPA that is located in subslot 0 (the left-most
subslot), of the SIP that is installed in slot 3 of a Cisco 7600 series router:
Router# show interface atm 3/0/1
ATM3/0/1 is up, line protocol is up
Hardware is SPA-4XOC3-ATM, address is 000a.f330.7dc0 (bia 000a.f330.7dca)
Internet address is 10.13.21.31/24
MTU 4470 bytes, sub MTU 4470, BW 599040 Kbit, DLY 80 usec,
reliability 255/255, txload 140/255, rxload 129/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 1 current VCCs
VC idle disconnect time: 300 seconds
0 carrier transitions
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:45:35
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 304387000 bits/sec, 396342 packets/sec
5 minute output rate 329747000 bits/sec, 396334 packets/sec
1239456438 packets input, 118987818048 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1239456287 packets output, 128903453848 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
The following example displays detailed status information about an interface port in a 3-Port Clear
Channel OC-3 ATM SPA that is installed on the Cisco 7600 series router:
Router# show interfaces atm 0/2/2
ATM0/2/2 is up, line protocol is up
Hardware is SPA-3XOC3-ATM-V2, address is 001a.3044.7522 (bia 001a.3044.7522)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5 AAL0
4095 maximum active VCs, 1 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
4 carrier transitions
Last input never, output 00:04:11, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 540 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 540 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
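The following Python sketch is an added example, not part of the Cisco guide: it parses show interface atm output and lists the ports in a subslot that are not yet administratively down, which is the state the shutdown procedure is meant to leave behind before a SPA is pulled. The function names are hypothetical, and the embedded sample is constructed by trimming and concatenating the three outputs shown in this guide.

```python
import re

# Constructed sample: trimmed copies of the show interface atm outputs in this
# guide, concatenated the way a multi-port capture would look.
SAMPLE = """\
ATM4/0/0 is administratively down, line protocol is down
  Hardware is SPA-4XOC3-ATM, address is 000d.2959.d5ca (bia 000d.2959.d5ca)
  4095 maximum active VCs, 1 current VCCs
  0 carrier transitions
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 output errors, 0 collisions, 0 interface resets
ATM3/0/1 is up, line protocol is up
  Hardware is SPA-4XOC3-ATM, address is 000a.f330.7dc0 (bia 000a.f330.7dca)
  4095 maximum active VCs, 1 current VCCs
  0 carrier transitions
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 output errors, 0 collisions, 0 interface resets
ATM0/2/2 is up, line protocol is up
  Hardware is SPA-3XOC3-ATM-V2, address is 001a.3044.7522 (bia 001a.3044.7522)
  4095 maximum active VCs, 1 current VCCs
  4 carrier transitions
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 output errors, 0 collisions, 1 interface resets
"""

# First line of each interface block, e.g. "ATM4/0/0 is up, line protocol is up".
HEADER = re.compile(
    r"^(?P<name>ATM\d+/\d+/\d+(?:\.\d+)?) is "
    r"(?P<state>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)", re.M)

COUNTERS = {
    "current_vccs": r"(\d+) current VCCs",
    "carrier_transitions": r"(\d+) carrier transitions",
    "input_errors": r"(\d+) input errors",
    "output_errors": r"(\d+) output errors",
    "interface_resets": r"(\d+) interface resets",
}


def parse_show_interface(text):
    """Split concatenated 'show interface atm' output into one dict per port."""
    ports = []
    headers = list(HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.start():end]
        port = {"name": m["name"], "state": m["state"],
                "line_protocol": m["proto"]}
        hw = re.search(r"Hardware is (\S+),", body)
        port["hardware"] = hw.group(1) if hw else None
        for key, pattern in COUNTERS.items():
            found = re.search(pattern, body)
            port[key] = int(found.group(1)) if found else None
        ports.append(port)
    return ports


def subslot_of(name):
    """'ATM4/0/0' or 'ATM4/0/0.1' -> '4/0', the form hw-module subslot takes."""
    slot, subslot, _port = name[3:].split(".")[0].split("/")
    return f"{slot}/{subslot}"


def removal_blockers(ports, subslot):
    """Reasons why the SPA in slot/subslot should not be pulled yet."""
    mine = [p for p in ports if subslot_of(p["name"]) == subslot]
    if not mine:
        return [f"no interface output captured for subslot {subslot}"]
    return [f"{p['name']} is {p['state']}: run 'shutdown' on it first"
            for p in mine if p["state"] != "administratively down"]


def stability_findings(port):
    """Non-zero counters worth recording before the hardware is touched."""
    keys = ("carrier_transitions", "interface_resets",
            "input_errors", "output_errors")
    return [f"{port['name']}: {port[k]} {k.replace('_', ' ')}"
            for k in keys if port[k]]


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE)
    for sub in ("4/0", "3/0"):
        print(sub, removal_blockers(parsed, sub) or "ready for removal")
    for p in parsed:
        for finding in stability_findings(p):
            print(finding)
```

The check only covers per-interface state; whether the SPA itself was shut down with hw-module subslot shutdown has to be confirmed separately.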
Monitoring Per-Port Interface Statistics
Use the show controllers atm command to display detailed status and statistical information on a
per-port basis for an ATM SPA. The following example provides sample output for interface port 0 (the
first port) on the ATM SPA that is located in subslot 0 (the left-most subslot) of the SIP that is installed
in slot 4 of a Cisco 7600 series router:
Router# show controllers atm 4/0/0
Interface ATM4/0/0 is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
LOF = 0 LOS = 0 BIP(B1) = 603
LINE
AIS = 0 RDI = 2 FEBE = 2332 BIP(B2) = 1018
PATH
AIS = 0 RDI = 1 FEBE = 28 BIP(B3) = 228
LOP = 0 NEWPTR = 0 PSE = 1 NSE = 2
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 0
HCS (uncorrectable): 0
APS
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = 00
PATH TRACE BUFFER : STABLE
Remote hostname : fecao7609_2
Remote interface: ATM9/0/0
Remote IP addr : 0.0.0.0
Remote Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: line
The following example displays detailed status and statistical information on a per-port basis for 3-Port
Clear Channel OC-3 ATM SPAs.
Router# show controllers atm 0/2/2
Interface ATM0/2/2 (SPA-3XOC3-ATM-V2[0/2]) is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
LOF = 0 LOS = 1 BIP(B1) = 0
LINE
AIS = 0 RDI = 1 FEBE = 55 BIP(B2) = 0
PATH
AIS = 0 RDI = 1 FEBE = 21 BIP(B3) = 0
LOP = 1 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 0
HCS (uncorrectable): 0
APS
not configured
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = 13
PATH TRACE BUFFER : STABLE
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: line
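The following Python sketch is an added example, not part of the Cisco guide: it parses the SECTION, LINE and PATH counters from show controllers atm output and, treating them as running totals, reports which ones grew between two polls of the same port. The function names are hypothetical; the first poll is the ATM4/0/0 SONET subblock shown above and the second poll is constructed for the example.

```python
import re

LAYERS = ("SECTION", "LINE", "PATH")

# First poll: the SONET subblock of the ATM4/0/0 output shown in this guide.
POLL_1 = """\
Interface ATM4/0/0 is up
 Framing mode: SONET OC3 STS-3c
 SONET Subblock:
 SECTION
 LOF = 0 LOS = 0 BIP(B1) = 603
 LINE
 AIS = 0 RDI = 2 FEBE = 2332 BIP(B2) = 1018
 PATH
 AIS = 0 RDI = 1 FEBE = 28 BIP(B3) = 228
 LOP = 0 NEWPTR = 0 PSE = 1 NSE = 2
 Active Defects: None
 Active Alarms: None
"""

# Second poll: constructed for this example (same port, later in time).
POLL_2 = (POLL_1
          .replace("LOS = 0 BIP(B1) = 603", "LOS = 1 BIP(B1) = 650")
          .replace("BIP(B3) = 228", "BIP(B3) = 240")
          .replace("Active Alarms: None", "Active Alarms: B1-TCA"))


def parse_sonet_counters(text):
    """Return {'SECTION': {'LOF': 0, ...}, 'LINE': {...}, 'PATH': {...}}."""
    counters, layer = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in LAYERS:
            layer = line
            counters[layer] = {}
        elif line.startswith(("Active", "ATM framing", "APS")):
            layer = None  # the SONET subblock has ended
        elif layer:
            # A counter line holds several "NAME = value" pairs.
            for name, value in re.findall(r"([A-Za-z0-9()]+)\s*=\s*(\d+)", line):
                counters[layer][name] = int(value)
    return counters


def active_alarms(text):
    """Names listed after 'Active Alarms:'; an empty list when it says None."""
    found = re.search(r"Active Alarms:\s*(.*)", text)
    names = found.group(1).split() if found else []
    return [] if names == ["None"] else names


def counter_deltas(previous, current):
    """Counters that grew between two polls, keyed as 'LAYER.NAME'.

    A value lower than before means the counters were cleared in between,
    so the current value is reported as the growth since the clear.
    """
    grown = {}
    for layer, values in current.items():
        for name, value in values.items():
            before = previous.get(layer, {}).get(name, 0)
            delta = value - before if value >= before else value
            if delta:
                grown[f"{layer}.{name}"] = delta
    return grown


if __name__ == "__main__":
    first = parse_sonet_counters(POLL_1)
    second = parse_sonet_counters(POLL_2)
    for key, delta in counter_deltas(first, second).items():
        print(f"{key} grew by {delta}")
    print("active alarms:", active_alarms(POLL_2) or "none")
```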
Configuration Examples
This section includes the following configuration examples for the ATM SPAs:
• Basic Interface Configuration Example
• MTU Configuration Example
• Permanent Virtual Circuit Configuration Example
• PVC on a Point-to-Point Subinterface Configuration Example
• PVC on a Multipoint Subinterface Configuration Example
• RFC 1483 Bridging for PVCs Configuration Example
• RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Example
• ATM RFC 1483 Half-Bridging Configuration Example
• ATM Routed Bridge Encapsulation Configuration Example
• Precedence-Based Aggregate WRED Configuration Example
• DSCP-Based Aggregate WRED Configuration Example
• Switched Virtual Circuits Configuration Example
• Traffic Parameters for PVCs or SVCs Configuration Example
• Virtual Circuit Classes Configuration Example
• Virtual Circuit Bundles Configuration Example
• Link Fragmentation and Interleaving with Virtual Templates Configuration Example
• Distributed Compressed Real-Time Protocol Configuration Example
• Automatic Protection Switching Configuration Example
• SONET and SDH Framing Configuration Example
• Layer 2 Protocol Tunneling Topology with a Cisco 7600, Catalyst 5500, and Catalyst 6500
Configuration Example
• Layer 2 Protocol Tunneling Topology with a Cisco 7600 and Cisco 7200 Configuration Example
• Cisco 7600 Basic Back-to-Back Scenario Configuration Example
• Catalyst 5500 Switch and Cisco 7600 Series Routers in Back-to-Back Topology Configuration
Example
• Cisco 7600 and Cisco 7200 in Back-to-Back Topology Configuration Example
Basic Interface Configuration Example
!
interface ATM5/1/0
mtu 9216
no ip address
atm clock INTERNAL
!
interface ATM5/1/0.1 point-to-point
mtu 9216
ip address 70.1.1.1 255.255.0.0
pvc 52/100
!
!
interface ATM5/1/1
mtu 9216
no ip address
atm clock INTERNAL
!
interface ATM5/1/1.1 point-to-point
mtu 9216
ip address 70.2.1.1 255.255.0.0
pvc 53/100
!
!
interface ATM5/1/2
no ip address
atm clock INTERNAL
!
interface ATM5/1/3
no ip address
atm clock INTERNAL
!
MTU Configuration Example
!
interface ATM4/1/0
ip address 192.168.100.13 255.255.255.0
mtu 9216
ip mtu 9188
mpls mtu 9288
atm clock INTERNAL
!
Permanent Virtual Circuit Configuration Example
!
interface ATM5/0/0
no ip address
pvc 1/100
protocol ip 1.1.1.3
protocol ip 20.1.1.1
broadcast
!
!
interface ATM5/0/1
no ip address
!
interface ATM5/1/1
ip address 1.1.1.1 255.255.255.0
load-interval 30
pvc 1/100
protocol ip 1.1.1.3
protocol ip 20.1.1.1
cbr 140000
broadcast
oam-pvc manage
!
pvc 1/101
protocol ip 9.9.9.2
encapsulation aal5ciscoppp Virtual-Template1
!
PVC on a Point-to-Point Subinterface Configuration Example
The following example shows a simple configuration of several PVCs that are configured on
point-to-point subinterfaces:
interface ATM3/1/0
no ip address
!
interface ATM3/1/0.1 point-to-point
pvc 4/44 l2transport
mpls l2transport route 22.22.22.22 400
!
!
interface ATM3/1/0.2 point-to-point
pvc 5/55 l2transport
encapsulation aal0
mpls l2transport route 22.22.22.22 500
!
!
interface ATM3/1/0.3 point-to-point
ip address 99.0.0.2 255.0.0.0
pvc 9/99
!
!
interface ATM5/0/0
description flexwan_6_0_0
no ip address
logging event link-status
atm clock INTERNAL
!
interface ATM5/0/0.1 point-to-point
ip address 50.1.1.1 255.255.255.0
pvc 50/11
!
!
interface ATM5/0/0.2 point-to-point
ip address 50.2.2.1 255.255.255.0
pvc 50/12
!
!
interface ATM5/0/0.3 point-to-point
ip address 50.3.3.1 255.255.255.0
pvc 50/13
!
!
interface ATM5/0/0.4 point-to-point
ip address 50.4.4.1 255.255.255.0
pvc 50/14
!
!
interface ATM5/0/0.5 point-to-point
ip address 50.5.5.1 255.255.255.0
pvc 50/15
!
!
interface ATM5/1/0.1 point-to-point
ip address 2.0.0.2 255.255.255.0
!
interface ATM5/1/0.2 point-to-point
ip address 2.0.1.2 255.255.255.0
!
interface ATM5/1/0.3 point-to-point
ip address 39.0.0.1 255.0.0.0
!
PVC on a Multipoint Subinterface Configuration Example
!
interface ATM4/1/0
no ip address
atm clock INTERNAL
!
interface ATM4/1/0.2 multipoint
ip address 1.1.1.1 255.0.0.0
pvc 0/121
protocol ip 1.1.1.23 broadcast
vbr-nrt 2358 2358
encapsulation aal5snap
!
pvc 0/122
protocol ip 1.1.1.24 broadcast
vbr-nrt 2358 2358
encapsulation aal5snap
!
pvc 0/123
protocol ip 1.1.1.25 broadcast
vbr-nrt 2358 2358
encapsulation aal5snap
!
pvc 0/124
protocol ip 1.1.1.26 broadcast
vbr-nrt 2358 2358
encapsulation aal5snap
!
pvc 0/125
protocol ip 1.1.1.27 broadcast
!
...
interface ATM5/1/1
ip address 1.1.1.1 255.255.255.0
load-interval 30
pvc 1/100
protocol ip 1.1.1.3
protocol ip 20.1.1.1
cbr 140000
broadcast
oam-pvc manage
!
pvc 1/101
protocol ip 9.9.9.2
encapsulation aal5ciscoppp Virtual-Template1
!
!
interface ATM5/1/1.200 multipoint
ip address 7.7.7.1 255.255.255.0
bundle bundle
pvc-bundle high 2/100
class-vc high
pvc-bundle med 2/101
class-vc med
pvc-bundle low 2/102
class-vc low
!
!
interface ATM5/1/2
no ip address
!
interface ATM5/1/3
no ip address
!
RFC 1483 Bridging for PVCs Configuration Example
The following shows a simple example of an ATM interface and PVC that have been configured for
RFC 1483 bridging with a Fast Ethernet interface:
vlan 30
!
interface FastEthernet7/1
no ip address
duplex full
speed 100
switchport
switchport access vlan 30
switchport mode access
!
interface ATM9/1/0
no ip address
mtu 4096
bandwidth 2000
pvc 0/39
bridge-domain 30
encapsulation aal5snap
!
interface ATM9/1/0.2 point-to-point
ip address 10.10.12.2 255.255.255.0
ip access-group rbe-list in
atm route-bridged ip
no mls ip
pvc 10/200
!
router rip
network 10.0.0.0
network 30.0.0.0
!
RFC 1483 Bridging for PVCs with IEEE 802.1Q Tunneling Configuration Example
The following shows a simple example of an ATM interface that has been configured for RFC 1483
bridging using IEEE 802.1Q tunneling:
interface ATM6/2/0
no ip address
shutdown
atm clock INTERNAL
atm mtu-reject-call
no atm ilmi-keepalive
pvc 2/101
bridge-domain 99 dot1q-tunnel
!
mls qos trust dscp
spanning-tree bpdufilter enable
ATM RFC 1483 Half-Bridging Configuration Example
The following simple example shows an ATM subinterface configured for half-bridging:
!
interface ATM5/1/0.100 multipoint
ip address 192.168.100.14 255.255.0.0
mtu 1500
pvc 10/200
encapsulation aal5snap bridge
!
ATM Routed Bridge Encapsulation Configuration Example
The following simple example shows an ATM subinterface configured for RBE, also known as
RFC 1483 half-bridging:
!
interface ATM5/1/0.100 point-to-point
ip address 10.10.10.121 255.255.0.0
mtu 1500
atm route-bridged ip
pvc 100/100
encapsulation aal5snap
!
Precedence-Based Aggregate WRED Configuration Example
The following example shows a precedence-based aggregate WRED configuration:
! Create a policy map named prec-aggr-wred.
!
Router(config)# policy-map prec-aggr-wred
!
! Configure a default class for the policy map.
!
Router(config-pmap)# class class-default
!
! Enable precedence-based (the default setting) aggregate WRED for the default class.
!
Router(config-pmap-c)# random-detect aggregate
!
! Define an aggregate subclass for packets with IP Precedence values of 0-3 and assign the
! WRED profile parameter values for this subclass.
!
Router(config-pmap-c)# random-detect precedence values 0 1 2 3 minimum-thresh 10 maximum-thresh 100 mark-prob 10
!
! Define an aggregate subclass for packets with IP Precedence values of 4 and 5 and assign
! the WRED profile parameter values for this subclass.
!
Router(config-pmap-c)# random-detect precedence values 4 5 minimum-thresh 40 maximum-thresh 400 mark-prob 10
!
! Define an aggregate subclass for packets with an IP Precedence value of 6 and assign the
! WRED profile parameter values for this subclass.
!
Router(config-pmap-c)# random-detect precedence values 6 minimum-thresh 60 maximum-thresh 600 mark-prob 10
!
! Define an aggregate subclass for packets with an IP Precedence value of 7 and assign the
! WRED profile parameter values for this subclass.
!
Router(config-pmap-c)# random-detect precedence values 7 minimum-thresh 70 maximum-thresh 700 mark-prob 10
!
! Attach the policy map prec-aggr-wred to the interface. Note that all ATM SPA service policies
! are applied at the ATM VC level.
!
Router(config-pmap-c)# interface ATM4/1/0.10 point-to-point
Router(config-subif)# ip address 10.0.0.2 255.255.255.0
Router(config-subif)# pvc 10/110
Router(config-if-atm-vc)# service-policy output prec-aggr-wred
DSCP-Based Aggregate WRED Configuration Example
The following example shows a DSCP-based aggregate WRED configuration:
! Create a policy map named dscp-aggr-wred.
!
Router(config)# policy-map dscp-aggr-wred
!
! Configure a default class for the policy map.
!
Router(config-pmap)# class class-default
!
! Enable DSCP-based aggregate WRED for the default class and assign the
! default WRED profile parameter values to be used for all subclasses that have not been
! specifically configured.
!
Router(config-pmap-c)# random-detect dscp-based aggregate minimum-thresh 1 maximum-thresh 10 mark-prob 10
!
! Define an aggregate subclass for packets with DSCP values of 0-7 and assign the WRED
! profile parameter values for this subclass.
!
Router(config-pmap-c)# random-detect dscp values 0 1 2 3 4 5 6 7 minimum-thresh 10 maximum-thresh 20 mark-prob 10
!
! Define an aggregate subclass for packets with DSCP values of 8-11 and assign the WRED
! profile parameter values for this subclass.
!
Router(config-pmap-c)# random-detect dscp values 8 9 10 11 minimum-thresh 10 maximum-thresh 40 mark-prob 10
!
! Attach the policy map dscp-aggr-wred to the interface. Note that all ATM SPA service policies
! are applied at the ATM VC level.
!
Router(config)# interface ATM4/1/0.11 point-to-point
Router(config-subif)# ip address 10.0.0.2 255.255.255.0
Router(config-subif)# pvc 11/101
Router(config-if-atm-vc)# service-policy output dscp-aggr-wred
Switched Virtual Circuits Configuration Example
interface ATM4/0/2
ip address 10.23.33.2 255.255.255.0
atm clock INTERNAL
atm pvp 244
atm esi-address 111111111111.11
pvc 0/5 qsaal
!
pvc 0/16 ilmi
!
!
interface ATM4/0/2.1 multipoint
ip address 10.20.0.2 255.0.0.0
atm esi-address 333333333333.33
!
svc nsap 47.009181000000001011B8C601.222222222222.22
protocol ip 10.20.0.1
ubr 1000
!
!
interface ATM4/0/2.2 multipoint
ip address 10.13.3.1 255.255.255.0
atm esi-address 510211111111.11
!
svc nsap 47.009181000000001011B8C601.410233333333.33
protocol ip 10.13.3.3
!
interface ATM4/0/2.3 multipoint
svc SVC1 nsap 47.009181000000BBBBBB000001.222222222222.22
protocol ip 33.33.33.1
broadcast
encapsulation aal5snap
Traffic Parameters for PVCs or SVCs Configuration Example
!
interface ATM5/1/1.100 point-to-point
ip address 10.1.1.1 255.255.255.0
load-interval 30
pvc 1/100
protocol ip 1.1.1.3
protocol ip 20.1.1.1
cbr 100
broadcast
!
!
interface ATM5/1/1.110 point-to-point
ip address 10.2.2.2 255.255.255.0
pvc 1/110
ubr 1000
!
!
interface ATM5/1/1.120 point-to-point
ip address 10.3.3.3 255.255.255.0
no ip directed-broadcast
pvc 1/120
vbr-nrt 50000 50000
encapsulation aal5snap
!
!
interface ATM5/1/1.130 point-to-point
ip address 10.4.4.4 255.255.255.0
pvc 1/130
vbr-rt 445 445
encapsulation aal5snap
!
!
interface ATM5/1/1.140 point-to-point
ip address 10.5.5.5 255.255.255.0
atm arp-server nsap 47.00918100000000107B2B4B01.111155550000.00
atm esi-address 111155550001.00
!
svc SVC00 nsap 47.00918100000000107B2B4B01.222255550001.00
protocol ip 10.5.5.6 broadcast
oam-svc manage
encapsulation aal5mux ip
ubr 1000
!
Virtual Circuit Classes Configuration Example
vc-class atm high-class
ilmi manage
oam-pvc manage 5
oam retry 10 7 3
!
vc-class atm low-class
!
interface ATM4/1/0
no ip address
class-int high-class
atm ilmi-pvc-discovery subinterface
pvc 0/5 qsaal
!
pvc 0/16 ilmi
!
!
interface ATM4/1/0.1 multipoint
pvc 1/110
protocol ip 10.10.10.14
!
interface ATM4/1/1
ip address 10.10.11.2 255.255.255.0
class-int low-class
atm uni-version 4.0
atm pvp 1
atm esi-address AAAAAAAAAAAA.AA
interface ATM4/1/1.2 multipoint
pvc 2/100
protocol ip 10.10.11.1
!
Virtual Circuit Bundles Configuration Example
!
interface ATM5/1/1
ip address 1.1.1.1 255.255.255.0
load-interval 30
pvc 1/100
protocol ip 1.1.1.3
protocol ip 20.1.1.1
cbr 140000
broadcast
oam-pvc manage
!
pvc 1/101
protocol ip 9.9.9.2
encapsulation aal5ciscoppp Virtual-Template1
!
!
interface ATM5/1/1.200 multipoint
ip address 7.7.7.1 255.255.255.0
bundle atm-bundle
pvc-bundle high 2/100
class-vc high
pvc-bundle med 2/101
class-vc med
pvc-bundle low 2/102
class-vc low
!
Link Fragmentation and Interleaving with Virtual Templates Configuration
Example
The following simple example shows a sample LFI configuration using a virtual template interface:
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all prec4
match ip precedence 4
class-map match-all prec5
match ip precedence 5
class-map match-all prec6
match ip precedence 6
class-map match-all prec7
match ip precedence 7
class-map match-all prec0
match ip precedence 0
class-map match-all prec1
match ip precedence 1
class-map match-all prec2
match ip precedence 2
class-map match-all dscp2
match dscp 2
class-map match-all prec3
match ip precedence 3
class-map match-all prec8
match precedence 0 2 4 6
class-map match-any all
class-map match-all any
match any
!
!
policy-map pmap1
class prec1
bandwidth percent 10
class prec2
police 100000000 3125000 3125000 conform-action transmit exceed-action drop
priority
!
!
!
interface ATM2/1/0
no ip address
atm clock INTERNAL
!
interface ATM2/1/0.1 point-to-point
pvc 0/100
encapsulation aal5snap
protocol ppp Virtual-Template1
!
!
interface ATM2/1/0.1000 point-to-point
pvc 1/1000
encapsulation aal5ciscoppp Virtual-Template2
!
!
interface ATM2/1/0.1001 point-to-point
pvc 1/1001
protocol ip 10.10.11.12
encapsulation aal5ciscoppp Virtual-Template3
!
interface ATM2/1/1
no ip address
shutdown
!
interface ATM2/1/2
no ip address
shutdown
!
interface ATM2/1/3
no ip address
!
interface Virtual-Template1
bandwidth 100
ip address 10.34.0.2 255.255.255.0
no keepalive
ppp chap hostname north-21
ppp multilink
ppp multilink fragment-delay 5
ppp multilink interleave
multilink max-fragments 16
service-policy output pmap1
!
interface Virtual-Template2
ip address 10.36.0.2 255.255.255.0
no keepalive
ppp chap hostname north-22
ppp multilink
ppp multilink fragment-delay 5
ppp multilink interleave
service-policy output pmap1
!
interface Virtual-Template3
ppp chap hostname north-23
ppp multilink
ppp multilink fragment-delay 5
ppp multilink interleave
service-policy output pmap1
!
interface Vlan1
no ip address
shutdown
!
Distributed Compressed Real-Time Protocol Configuration Example
!
interface ATM5/1/0.200 point-to-point
pvc 10/300
encapsulation aal5mux ppp Virtual-Template200
!
...
!
interface Virtual-Template200
bandwidth 2000
ip address 10.1.200.2 255.255.255.0
ip rtp header-compression passive
ip tcp header-compression passive
ppp chap hostname template200
ppp multilink
ppp multilink fragment-delay 8
ppp multilink interleave
ip rtp header-compression passive
ip tcp compression-connections 64
!
Automatic Protection Switching Configuration Example
!
interface ATM4/0/0
description working
ip address 10.5.5.1 255.255.255.0
no shutdown
aps group 1
aps working 1
pvc 1/100
protocol ip 10.5.5.2
!
interface ATM4/0/1
description protect
ip address 10.5.5.1 255.255.255.0
aps group 1
aps revert 2
aps protect 0 10.7.7.7
pvc 1/100
protocol ip 10.5.5.2
!
interface Loopback1
ip address 10.7.7.7 255.255.255.0
SONET and SDH Framing Configuration Example
!
interface ATM2/0/0
description Example of SONET framing-“atm framing sonet” is default and doesn’t appear
ip address 10.16.2.2 255.255.255.0
logging event link-status
atm sonet report all
atm sonet threshold sd-ber 3
atm sonet threshold sf-ber 6
atm sonet overhead c2 0x00
!
interface ATM2/0/1
description Example of SDH framing-“atm framing sdh” appears in configuration
ip address 10.16.3.3 255.255.255.0
logging event link-status
atm framing sdh
atm sonet report all
atm sonet overhead c2 0x00
!
Layer 2 Protocol Tunneling Topology with a Cisco 7600, Catalyst 5500, and
Catalyst 6500 Configuration Example
Figure 7-10 shows one sample network topology in which data packets are sent between a Catalyst 6500
series switch and a Cisco 7600 series router.
Figure 7-10 Catalyst 5500 Switch, 6500 Switch, and Cisco 7600 Series Router in an L2PT Topology
As shown in Figure 7-10, Layer 2 Protocol Tunneling (L2PT) is configured at the Cisco 7600 ATM 6/1/0
interface and also at the Catalyst 6500 switch Gig 2/1 interface.
PVST packets are sent from the Catalyst 5500 switch to the Cisco 7600 series router. The Cisco 7600
series router transports those BPDUs by way of L2PT and sends them to the Catalyst 6500 series switch.
Those BPDUs are decapsulated and restored before sending the packets out to the customer network.
The Cisco 7600 series router and the Catalyst 6500 series switch are provider edge (PE) devices and the
rest are customer edge (CE) devices.
ATM Configuration Example
Any traffic coming in must be sent via a dot1q-tunnel. If the PE VLAN is 200 and the CE VLAN is 100,
you have the following configuration:
Router(config)# interface atm 6/1/0
Router(config-if)# pvc 6/200
Router(config-if-atm-vc)# bridge-domain 200 dot1q-tunnel ignore-bpdu-pid pvst-tlv 100
Ethernet Configuration Example
An example of the Ethernet configuration follows:
Router(config)# interface gig2/1
Router(config-if)# switchport
Router(config-if)# switchport access vlan 200
Router(config-if)# switchport mode dot1q-tunnel
Router(config-if)# l2protocol-tunnel
CE VLAN 100 is what is used at the customer sites. The Catalyst 5500 switch sends the IEEE BPDU in
data format. The Cisco 7600 series router receives the BPDU and first converts it to PVST+ format. Then
the destination address (DA) MAC of the frame is changed to the protocol tunnel MAC address and sent
out into the Layer 2 cloud.
At the other end, when the frame leaves the Gig 2/1 interface, the DA MAC is changed back to the
PVST+ DA MAC and the PVST+ BPDU is sent to the customer premises equipment (CPE) device.
[Figure 7-10 labels: Catalyst 5500 switch and customer LAN; Cisco 7600 router, ATM 6/1/0 interface (Layer 2 protocol tunneling enabled); service provider ATM network carrying L2PT; Catalyst 6500 switch, Gig2/1 interface (L2PT enabled) and customer LAN.]
Layer 2 Protocol Tunneling Topology with a Cisco 7600 and Cisco 7200
Configuration Example
Figure 7-11 shows how a Cisco 7600 series router needs to communicate with a Cisco 7200 series router.
Figure 7-11 Cisco 7600 and Cisco 7200 Routers in an L2PT Topology
PE Configuration
On the PE routers, the configuration appears as follows:
!On PE 1
interface ATM2/0/0
 no ip address
 atm mtu-reject-call
 pvc 7/101
  bridge-domain 200 dot1q-tunnel
 !
end
!On PE 2
interface ATM3/0/0
 no ip address
 pvc 2/101
  bridge-domain 200 dot1q-tunnel pvst-tlv 100
 !
end
Cisco 7600 CE Configuration
The configuration for the Cisco 7600 CE 1 router would be as follows:
!On CE 1
interface ATM1/1/0
 no ip address
 atm mtu-reject-call
 pvc 7/101
  bridge-domain 101
 !
end
Cisco 7200 CE Configuration
The configuration for the Cisco 7200 CE 2 router would be as follows:
!On CE 2
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
 pvc 2/101
 !
 bridge-group 101
end
[Figure 7-11 labels: CE 1 (Cisco 7600, ATM 1/1/0), PE 1 (Cisco 7600, ATM 2/0/0), PE 2 (Cisco 7600, ATM 3/0/0) and CE 2 (Cisco 7200, ATM 4/0), connected by ATM networks.]
Data Transmission Sequence from the Cisco 7200 CE to the Cisco 7600 CE
Given the configurations and topologies shown in these examples, the data transmission sequence from
the Cisco 7200 CE to the Cisco 7600 CE is as follows:
1. The Cisco 7200 CE 2 router sends BPDUs without the MAC header in RFC 1483 format.
2. The Cisco 7600 PE router receives the packets and then translates the IEEE BPDU into PVST+
BPDU format.
3. VLAN 100 is inserted into the PVST+ BPDU.
4. The frame’s destination address (DA) MAC value is rewritten to use the protocol tunnel DA MAC
and is sent out into the ATM network cloud.
5. The L2PT BPDU must go out of the PE 1 ATM 2/0/0 interface. The DA MAC is restored to the
PVST+ DA MAC.
6. Finally, the PVST+ BPDU is sent to the Cisco 7600 CE 1 router.
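The six steps above, modelled at byte level as an added example (not code from the Cisco guide). The MAC addresses, SNAP values and TLV layout are the commonly documented PVST+ and L2PT values rather than values stated in this guide; the BPDU contents and source MAC are constructed, and the BPDU body is carried unchanged as a simplification.

```python
import struct

# Well-known protocol constants (IEEE 802.1D, RFC 1483, Cisco PVST+/L2PT).
# They are not stated in this guide; treat them as assumptions of the example.
PVST_DA = bytes.fromhex("01000ccccccd")    # PVST+ multicast destination MAC
L2PT_DA = bytes.fromhex("01000ccdcdd0")    # protocol tunnel destination MAC
LLC_SNAP = bytes.fromhex("aaaa03")
OUI_8021 = bytes.fromhex("0080c2")         # OUI used for RFC 1483 bridged PDUs
OUI_CISCO = bytes.fromhex("00000c")
PID_BPDU = 0x000E                          # RFC 1483 BPDU, no MAC header
PID_PVST = 0x010B                          # SNAP type of PVST+ BPDUs
BPDU_LEN = 35                              # 802.1D configuration BPDU
SRC_MAC = bytes.fromhex("020000000001")    # constructed source MAC


def sample_config_bpdu() -> bytes:
    """Constructed 802.1D configuration BPDU (field values are illustrative)."""
    root = bytes.fromhex("8000001122334455")
    bridge = bytes.fromhex("80000011223344aa")
    return struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, root, 4, bridge,
                       0x8001, 256, 20 * 256, 2 * 256, 15 * 256)


def ce_send_rfc1483(bpdu: bytes) -> bytes:
    """Step 1: the CE sends the BPDU with an LLC/SNAP header and no MAC header."""
    return LLC_SNAP + OUI_8021 + struct.pack("!H", PID_BPDU) + bpdu


def pe_ingress(pdu: bytes, ce_vlan: int, src_mac: bytes = SRC_MAC) -> bytes:
    """Steps 2-4: IEEE BPDU -> PVST+ BPDU, add the VLAN TLV, rewrite the DA."""
    pid = struct.unpack("!H", pdu[6:8])[0] if len(pdu) >= 8 else None
    if pdu[:6] != LLC_SNAP + OUI_8021 or pid != PID_BPDU:
        raise ValueError("not an RFC 1483 BPDU (PID 0x00-0E)")
    bpdu = pdu[8:]
    if len(bpdu) != BPDU_LEN:
        raise ValueError("unexpected BPDU length")
    if not 1 <= ce_vlan <= 4094:
        raise ValueError("CE VLAN out of range")
    # One pad byte, then TLV type 0x0000, length 2, value = originating VLAN.
    tlv = b"\x00" + struct.pack("!HHH", 0, 2, ce_vlan)
    payload = LLC_SNAP + OUI_CISCO + struct.pack("!H", PID_PVST) + bpdu + tlv
    pvst = PVST_DA + src_mac + struct.pack("!H", len(payload)) + payload
    return L2PT_DA + pvst[6:]    # step 4: the tunnel DA replaces the PVST+ DA


def pe_egress(frame: bytes) -> bytes:
    """Step 5: the far PE restores the PVST+ DA; other frames pass unchanged."""
    return PVST_DA + frame[6:] if frame[:6] == L2PT_DA else frame


def originating_vlan(frame: bytes) -> int:
    """Step 6: read the VLAN TLV of a PVST+ frame as the receiving CE would."""
    if len(frame) < 64 or frame[:6] != PVST_DA:
        raise ValueError("not a PVST+ BPDU")
    tlv_type, tlv_len, vlan = struct.unpack("!HHH", frame[-6:])
    if (tlv_type, tlv_len) != (0, 2):
        raise ValueError("originating-VLAN TLV missing")
    return vlan


def walk(ce_vlan: int = 100):
    """Run the six steps with the page's CE VLAN and return every stage."""
    bpdu = sample_config_bpdu()
    on_pvc = ce_send_rfc1483(bpdu)          # CE 2 -> PE 2
    in_core = pe_ingress(on_pvc, ce_vlan)   # PE 2 -> ATM cloud
    at_ce1 = pe_egress(in_core)             # PE 1 -> CE 1
    return bpdu, on_pvc, in_core, at_ce1


if __name__ == "__main__":
    _, on_pvc, in_core, at_ce1 = walk()
    for label, data in (("CE 2 PDU", on_pvc), ("in tunnel", in_core),
                        ("at CE 1", at_ce1)):
        print(f"{label:10} {len(data):3d} bytes  {data[:14].hex(' ')}")
    print("originating VLAN:", originating_vlan(at_ce1))
```

While the frame carries the tunnel DA, `originating_vlan` rejects it, which mirrors why devices inside the provider cloud do not treat it as a spanning-tree BPDU.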
Cisco 7600 Basic Back-to-Back Scenario Configuration Example
Figure 7-12 shows an example of a basic back-to-back scenario.
Figure 7-12 Cisco 7600 Routers in Basic Back-to-Back Topology
The PDUs exchanged are PVST+ BPDUs. The PVST+ BPDUs are sent using a PID of 0x00-07. The
configuration is set as follows:
Router(config)# interface atm 2/1/0
Router(config-if)# pvc 2/202
Router(config-if-atm-vc)# bridge-domain 101
Catalyst 5500 Switch and Cisco 7600 Series Routers in Back-to-Back Topology
Configuration Example
Figure 7-13 shows another sample topology with a simple back-to-back setup, which serves to test basic
Catalyst 5500 and Cisco 7600 interoperability.
Figure 7-13 Catalyst 5500 Switch and Cisco 7600 Routers in Back-to-Back Topology
[Figures 7-12 and 7-13, label text only: Cisco 7600 routers (ATM 2/1/0, ATM 4/1/0), service provider ATM network, customer networks; Catalyst 5500 switch, Cisco 7600 router (ATM 2/1/0), ATM network.]
When connected to a device that sends and receives IEEE BPDUs in data format (PID 0x00-07) such as
the Catalyst 5000’s ATM module, the configuration must be something like this:
Router(config)# interface atm 2/1/0
Router(config-if)# pvc 2/202
Router(config-if-atm-vc)# bridge-domain 101 ignore-bpdu-pid pvst-tlv 101
The Cisco 7600 series router translates its outgoing PVST+ BPDUs into IEEE BPDUs. Because the
ignore-bpdu-pid keyword is also enabled, the BPDU uses a PID of 0x00-07, which is exactly what the
Catalyst 5500 switch requires.
Cisco 7600 and Cisco 7200 in Back-to-Back Topology Configuration Example
When connecting to a device that is completely RFC 1483-compliant, in which the IEEE BPDUs are sent
using a PID of 0x00-0E, you must use the new ignore-bpdu-pid keyword in the bridge-domain
command. Figure 7-14 shows an example of such a configuration.
Figure 7-14 Cisco 7600 Router Series and Cisco 7200 Router Series in Back-to-Back Topology
For example, when a Cisco 7600 series router is connected to a Cisco 7200 series router, the
configuration would be as follows:
Router(config)# interface atm 2/1/0
Router(config-if)# pvc 2/202
Router(config-if-atm-vc)# bridge-domain 101 pvst-tlv 101
Note: In this configuration scenario, the CE’s VLAN number must be identical to the bridge-domain VLAN
number.
An example of the Ethernet configuration is shown in the “Ethernet Configuration Example” section on
page 7-124.
[Figure 7-14 labels: Cisco 7600 router (ATM 2/1/0), ATM network, Cisco 7200 router (ATM 4/0).]
Chapter 8
Troubleshooting the ATM SPAs
This chapter describes how to monitor and troubleshoot the asynchronous transfer mode (ATM) shared
port adapters (SPAs) in a Cisco 7600 series router. This document covers the 1-Port OC-48c/STM-16
ATM SPA, 1-Port OC-12c/STM-4 ATM SPA, and the 2-Port and 4-Port OC-3c/STM-1 ATM SPA.
• General Troubleshooting Information
• Monitoring the ATM SPA
• Troubleshooting the ATM Shared Port Adapter
• Preparing for Online Insertion and Removal of a SPA
For more information about troubleshooting your hardware installation, refer to the Cisco 7600 Series
Router SIP, SSC, and SPA Hardware Installation Guide.
General Troubleshooting Information
This section provides the following general information for troubleshooting ATM SPA cards and their
SPA interface processor (SIP) carrier cards:
• Interpreting Console Error and System Messages
• Using debug Commands
• Using show Commands
Interpreting Console Error and System Messages
To view the explanations and recommended actions for Cisco 7600 series router error messages,
including messages related to Cisco 7600 series router SIPs and SPAs, refer to the Cisco 7600 Series
Cisco IOS System Message Guide, Cisco IOS Release 12.2 SX.
System error messages are organized in the documentation according to the particular system facility
that produces the messages. The SIP and SPA error messages use the following facility names:
• Cisco 7600 SIP-200
• Cisco 7600 SIP-400
• 1-Port OC-12c/STM-4 ATM SPA
• 1-Port OC-48c/STM-16 ATM SPA
• 2-Port and 4-Port OC-3c/STM-1 ATM SPA
Using debug Commands
Along with the other debug commands supported on the Cisco 7600 series router, you can obtain specific
debug information for SPAs on the Cisco 7600 series router using the debug hw-module subslot
privileged exec command.
Caution: Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands
during periods of lower network traffic and fewer users. Debugging during these periods decreases the
likelihood that increased debug command processing overhead can affect system use.
The debug hw-module subslot command is intended for use by Cisco Systems technical support
personnel. For more information about the debug hw-module subslot command and about other debug
commands that can be used on a Cisco 7600 series router, refer to the Cisco 7600 Series Cisco IOS
Command Reference, 12.2 SX and to the Cisco IOS Debug Command Reference, Release 12.2 SR.
Using show Commands
There are several show commands that you can use to monitor and troubleshoot the SIP and SPA cards
on a Cisco 7600 series router. For more information on these commands, see the “Monitoring the ATM
SPA” section on page 8-2.
Also see the following chapters in this guide for additional information about these show commands:
• Chapter 7, “Configuring the ATM SPAs”
Monitoring the ATM SPA
This section contains the following subsections that describe commands that can be used to display
information about the ATM SPA hardware, interfaces, PVCs, SVCs, and APS configuration:
• Displaying Hardware Information
• Displaying Information About ATM Interfaces
• Displaying Information About PVCs and SVCs
• Displaying Information About Automatic Protection Switching
Note: The outputs in this document are samples only. The actual output that appears on your router depends
on the model of router, type of cards that are installed, and their configuration.
Displaying Hardware Information
Use the following commands to display different types of hardware and system information:
• show version—Displaying System Information
• show hw-module subslot fpd and show idprom module—Displaying Information About the ATM
SPA Hardware Revision Levels
• show controllers atm—Displaying Information About the ATM Controller Hardware
• show diag—Displaying Information About ATM Ports
Displaying System Information
To display information about the router, its system hardware and software, and the number of each type
of interface that is installed, use the show version command. The following sample output shows a
Cisco 7606 router that has two four-port OC-3c ATM SPA cards installed in a Cisco 7600 SIP-400
carrier card, along with a number of Gigabit Ethernet interfaces:
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-JSV-M), Released Version 12.2(XX) [BLD-sipedon2
187]
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 16-Mar-04 05:13 by jrstu
Image text-base: 0x40020F94, data-base: 0x424B0000
ROM: System Bootstrap, Version 12.2(14r)S1, RELEASE SOFTWARE (fc1)
sup2_7606 uptime is 44 minutes
Time since sup2_7606 switched to active is 43 minutes
System returned to ROM by power-on (SP by power-on)
System image file is "disk0:c6k222-jsv-mz_022204"
cisco CISCO7606 (R7000) processor (revision 1.0) with 458752K/65536K bytes of memory.
Processor board ID TBM06402027
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2, 2048KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 FlexWAN controller (2 ATM).
2 SIP-400 controllers (7 ATM).
1 Dual-port OC12c ATM controller (2 ATM).
1 Virtual Ethernet/IEEE 802.3 interface(s)
8 Gigabit Ethernet/IEEE 802.3 interface(s)
11 ATM network interface(s)
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Displaying Information About the ATM SPA Hardware Revision Levels
To display information about the hardware revision of the SPA, as well as the version of the
field-programmable device (FPD) that is onboard the SPA, use the show hw-module subslot fpd
command. Cisco technical engineers might need this information to debug or troubleshoot problems
with a SPA installation.
Router# show hw-module subslot fpd
==== ====================== ====== =============================================
                            H/W    Field Programmable Current     Min. Required
Slot Card Type              Ver.   Device: "ID-Name"  Version     Version
==== ====================== ====== ================== =========== ==============
5/0  4xOC-3 ATM SPA         1.0    1-I/O FPGA         0.70        0.70
---- ---------------------- ------ ------------------ ----------- --------------
5/1  4xOC-3 ATM SPA         1.0    1-I/O FPGA         0.70        0.70
==== ====================== ====== =============================================
In addition, the show idprom module command also displays the serial number and board revisions for
the ATM SPA.
Router# show idprom module 5/2
IDPROM for SPA module #5/2
(FRU is '4-port OC3/STM1 ATM Shared Port Adapter')
Product Identifier (PID) : SPA-4XOC3-ATM
Version Identifier (VID) : V01
PCB Serial Number : PRTA0304088
Top Assy. Part Number : 68-2177-01
73/68 Board Revision : 04
73/68 Board Revision : 10
Hardware Revision : 0.17
CLEI Code : UNASSIGNED
Displaying Information About the ATM Controller Hardware
To display information about the controller hardware for an ATM interface, including framing and alarm
configuration, as well as port, packet, and channel performance statistics, use the show controllers atm
command, which has the following syntax:
show controllers atm slot/subslot/port
The following example shows typical output for an ATM SPA interface:
Router# show controllers atm 5/1/0
Interface ATM5/1/0 is up
Framing mode: SONET OC3 STS-3c
SONET Subblock:
SECTION
LOF = 0 LOS = 0 BIP(B1) = 603
LINE
AIS = 0 RDI = 2 FEBE = 2332 BIP(B2) = 1018
PATH
AIS = 0 RDI = 1 FEBE = 28 BIP(B3) = 228
LOP = 0 NEWPTR = 0 PSE = 1 NSE = 2
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
ATM framing errors:
HCS (correctable): 0
HCS (uncorrectable): 0
APS
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = 00
PATH TRACE BUFFER : STABLE
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: line
Note: The ATM SPA does not support automatic updates of the remote host information, if any, in the Path
Trace Buffer section of the show controllers atm command.
Displaying Information About ATM Ports
To display information about the type of port adapters that are installed in the router, use the show diag
command, which has the following syntax:
show diag slot
where slot is the slot number that contains the port adapter. The following example shows typical output
for a 4-port OC-3c ATM SPA that is in slot 4 in the router:
Router# show diag 4
Slot 4: Logical_index 8
4-adapter SIP-200 controller
Board is analyzed ipc ready
HW rev 0.300, board revision 08
Serial Number: Part number: 73-8272-03
Slot database information:
Flags: 0x2004 Insertion time: 0x1961C (01:16:54 ago)
Controller Memory Size:
384 MBytes CPU Memory
128 MBytes Packet Memory
512 MBytes Total on Board SDRAM
IOS (tm) cwlc Software (sip1-DW-M), Released Version 12.2(17)SX [BLD-sipedon2 107]
SPA Information:
subslot 4/0: 4xOC-3 ATM SPA (0x3E1), status: ok
subslot 4/1: 4xOC-3 ATM SPA (0x3E1), status: ok
Displaying Information About ATM Interfaces
Use the following commands to display information about ATM interfaces:
• show interface atm—Displaying Layer 2 Information About an ATM Interface
• show atm interface atm—Displaying ATM-Specific Information About an ATM Interface
• show ip interface—Displaying Layer 3 IP Information About an ATM Interface
Displaying Layer 2 Information About an ATM Interface
To display Layer 2 information about an ATM interface or subinterface, along with the current status and
packet counters, use the show interface atm command. The following example shows sample output for
an ATM interface on an ATM SPA:
Router# show interface atm 5/1/0
ATM5/1/0 is up, line protocol is up
Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 21 current VCCs
VC idle disconnect time: 300 seconds
Signalling vc = 1, vpi = 0, vci = 5
UNI Version = 4.0, Link Side = user
6 carrier transitions
Last input 01:47:05, output 00:00:01, output hang never
Last clearing of "show interface" counters 01:03:35
Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
9502306 packets input, 6654982829 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
45011 input errors, 131042 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
27827569 packets output, 21072150159 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
The following example shows sample output for a subinterface on this same ATM interface:
Router# show interface atm 5/1/0.200
ATM5/1/0.200 is up, line protocol is up
Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
Internet address is 10.10.10.16/24
MTU 4470 bytes, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
NSAP address: 47.00918100000000107B2B4B01.222255550001.00
Encapsulation ATM
12630 packets input, 10521156 bytes
4994 packets output, 4176213 bytes
3753 OAM cells input, 4366 OAM cells output
AAL5 CRC errors : 0
AAL5 SAR Timeouts : 0
AAL5 Oversized SDUs : 0
Note: The value for “packets output” in the default version of the show interfaces atm command includes the
bytes used for ATM AAL5 padding, trailer and ATM cell header. To see the packet count without the
padding, header, and trailer information, use the show interfaces atm statistics or show atm pvc
commands.
Displaying ATM-Specific Information About an ATM Interface
To display Layer 2 ATM-specific information about an ATM interface or subinterface, use the show atm
interface atm command:
Router# show atm interface atm 3/1/0
Interface ATM3/1/0:
AAL enabled: AAL5 , Maximum VCs: 1023, Current VCCs: 1
Maximum Transmit Channels: 64
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
0 input, 0 output, 0 IN fast, 0 OUT fast, 0 out drop
Avail bw = 155000
Config. is ACTIVE
Displaying Layer 3 IP Information About an ATM Interface
To display Layer 3 (IP-layer) information about an ATM interface, use the show ip interface command.
To display a brief summary about all interfaces, use the following command:
show ip interface brief
To display information about a specific ATM interface, use the following command:
show ip interface atm slot/subslot/port
The following output shows a typical example for the brief version of the show ip interface command:
Router# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  down                  down
GigabitEthernet1/1     172.18.76.57    YES NVRAM  up                    up
GigabitEthernet1/2     unassigned      YES NVRAM  administratively down down
ATM3/0/0               unassigned      YES manual up                    up
ATM3/0/0.1             unassigned      YES manual up                    up
ATM3/0/0.2             10.1.1.1        YES manual up                    up
ATM3/1/0               unassigned      YES manual up                    up
ATM3/1/0.1             unassigned      YES manual up                    up
ATM3/1/0.2             unassigned      YES unset  up                    up
ATM3/1/0.3             11.1.1.1        YES manual up                    up
Displaying Information About PVCs and SVCs
Use the following commands to display information about PVCs and SVCs, including mapping, traffic,
and VLAN configuration information:
• show atm vp—Displaying Information About Virtual Paths
• show atm vc—Displaying Information About Virtual Channels
• show atm pvc—Displaying Information About PVCs
• show atm svc and show atm ilmi-status—Displaying Information About SVCs
• show atm map—Displaying Information About Layer 2/Layer 3 Mappings
• show atm traffic—Displaying Information About ATM Traffic
• show atm vlan—Displaying Information About VLAN Mappings
• show atm class-links—Displaying Information About VC Bundles
Displaying Information About Virtual Paths
To display information about the virtual paths (VPs) that are configured on the router’s ATM interfaces,
use the show atm vp command:
Router# show atm vp
                 Data  CES   Peak    CES
Interface   VPI  VCs   VCs   Kbps    Kbps    Status
ATM5/0/3    1    1     0     149760  0       ACTIVE
ATM5/0/3    1    2     0     299520  299000  ACTIVE
ATM5/0/3    2    0     0     1000    0       ACTIVE
Router#
To display detailed information about a specific virtual path, including its current PVCs and SVCs,
specify the VPI with the show atm vp command:
Router# show atm vp 30
ATM8/1/0 VPI: 30,
ATM8/1/0 VPI: 30, PeakRate: 149760, CesRate: 0, DataVCs: 1, CesVCs: 0, Status: ACTIVE
VCD   VCI   Type  InPkts  OutPkts  AAL/Encap  Status
2     3     PVC   0       0        F4 OAM     ACTIVE
3     4     PVC   0       0        F4 OAM     ACTIVE
4     300   PVC   5       5        AAL5-SNAP  ACTIVE
6     11    PVC   12      1        AAL5-SNAP  ACTIVE
TotalInPkts: 17, TotalOutPkts: 6, TotalInFast: 0, TotalOutFast: 6, TotalBroadcasts: 0
TotalInPktDrops: 0, TotalOutPktDrops: 0
Displaying Information About Virtual Channels
To display information about all of the virtual channels that are currently configured on the ATM
interfaces, use the show atm vc command without any options:
Router# show atm vc
           VCD /                              Peak    Avg/Min  Burst
Interface  Name  VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
3/0/0      1     1    100  PVC   SNAP    UBR  149760                  UP
3/0/1      1     2    100  PVC   SNAP    UBR  149760                  UP
3/0/2      1     3    100  PVC   SNAP    UBR  149760                  UP
3/0/2      2     3    300  PVC   SNAP    UBR  149760                  UP
3/0/3      1     4    100  PVC   SNAP    UBR  149760                  UP
To display detailed information about a specific virtual connection, specify its VC descriptor (VCD)
along with the command:
Router# show atm vc 20
ATM1/1/0.200: VCD: 20, VPI: 2, VCI: 200
UBR, PeakRate: 44209
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 5 minutes(s)
Transmit priority 4
InPkts: 10, OutPkts: 11, InBytes: 680, OutBytes: 708
InPRoc: 10, OutPRoc: 5, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 6
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP
You can also display information about the VCs on a specific ATM interface and its subinterfaces:
Router# show atm vc interface atm 2/1/0
ATM2/0.101: VCD: 201, VPI: 20, VCI: 101
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s)
InARP frequency: 15 minutes(s)
Transmit priority 4
InPkts: 3153520, OutPkts: 277787, InBytes: 402748610, OutBytes: 191349235
InPRoc: 0, OutPRoc: 0, Broadcasts: 0
InFast: 211151, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 17
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0
OAM cells received: 0
OAM cells sent: 0
Status: UP
To display information about the traffic over a particular VC, use the show atm vc command with the
following syntax:
show atm vc traffic interface atm slot/subslot/port vpi vci
Router# show atm vc traffic interface atm 1/0/1 1 101
Interface  VPI  VCI  Type  rx-cell-cnts  tx-cell-cnts
ATM1/0/1   1    101  PVC   9345          7231
Displaying Information About PVCs
Use the show atm pvc command to provide information about the PVCs that are currently configured
on the router. To display all PVCs that are currently configured on the router’s ATM interfaces and
subinterfaces, use the show atm pvc command:
Router# show atm pvc
           VCD /                              Peak    Avg/Min  Burst
Interface  Name  VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
2/1/0      1     2    32   PVC   SNAP    UBR  0                       UP
2/1/0.1    0     0    33   PVC   MUX     UBR  599040                  UP
2/1/0.2    2     0    34   PVC   MUX     UBR  599040                  INAC
2/1/0.3    3     0    35   PVC   MUX     UBR  599040                  INAC
2/1/0.4    4     0    36   PVC   MUX     UBR  599040                  INAC
2/1/1.1    0     0    33   PVC   MUX     UBR  599040                  UP
2/1/1.2    2     0    34   PVC   MUX     UBR  599040                  INAC
2/1/1.3    3     0    35   PVC   MUX     UBR  599040                  INAC
2/1/1.4    4     0    36   PVC   MUX     UBR  599040                  INAC
Tip: To display all PVCs on a particular ATM interface or subinterface, use the show atm pvc interface atm
command.
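One way to turn the show atm pvc summary table into a check for PVCs that are not UP, as an added example (not part of the Cisco guide). The sample rows repeat the output shown above; the function names are hypothetical, and the parser assumes whitespace-separated columns in which every field value is a single token.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the rows of the `show atm pvc` output shown in this section.
SAMPLE = """\
Router# show atm pvc
VCD / Peak Avg/Min Burst
Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells Sts
2/1/0 1 2 32 PVC SNAP UBR 0 UP
2/1/0.1 0 0 33 PVC MUX UBR 599040 UP
2/1/0.2 2 0 34 PVC MUX UBR 599040 INAC
2/1/0.3 3 0 35 PVC MUX UBR 599040 INAC
2/1/0.4 4 0 36 PVC MUX UBR 599040 INAC
2/1/1.1 0 0 33 PVC MUX UBR 599040 UP
2/1/1.2 2 0 34 PVC MUX UBR 599040 INAC
2/1/1.3 3 0 35 PVC MUX UBR 599040 INAC
2/1/1.4 4 0 36 PVC MUX UBR 599040 INAC
"""


@dataclass
class VcRow:
    interface: str
    name: str                    # VCD number or connection name
    vpi: int
    vci: int
    vc_type: str                 # PVC or SVC
    encaps: str
    service: str                 # service category, for example UBR
    peak_kbps: int
    avg_kbps: Optional[int]      # blank in the table for UBR circuits
    burst_cells: Optional[int]   # blank in the table for UBR circuits
    status: str


def parse_vc_table(text: str) -> List[VcRow]:
    """Parse data rows; prompt, header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # A data row has 7 fixed fields, 1 to 3 numeric rate fields, then status.
        if not 9 <= len(tok) <= 11 or tok[4] not in ("PVC", "SVC"):
            continue
        rates = tok[7:-1]
        if not (tok[2].isdigit() and tok[3].isdigit()
                and all(r.isdigit() for r in rates)):
            continue
        # Pad the missing Avg/Min and Burst columns with None.
        peak, avg, burst = ([int(r) for r in rates] + [None, None])[:3]
        rows.append(VcRow(tok[0], tok[1], int(tok[2]), int(tok[3]), tok[4],
                          tok[5], tok[6], peak, avg, burst, tok[-1]))
    return rows


def not_up(rows: List[VcRow]) -> List[str]:
    """Return 'interface vpi/vci status' for every circuit that is not UP."""
    return [f"{r.interface} {r.vpi}/{r.vci} {r.status}"
            for r in rows if r.status != "UP"]


def down_per_port(rows: List[VcRow]) -> Counter:
    """Count non-UP circuits per physical port (subinterface suffix removed)."""
    return Counter(r.interface.split(".")[0] for r in rows if r.status != "UP")


if __name__ == "__main__":
    table = parse_vc_table(SAMPLE)
    print(f"{len(table)} circuits parsed")
    for entry in not_up(table):
        print("not UP:", entry)
    for port, count in sorted(down_per_port(table).items()):
        print(f"port {port}: {count} circuit(s) not UP")
```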
To display detailed information about a particular PVC, specify its VPI/VCI values:
Router# show atm pvc 1/100
ATM3/0/0: VCD: 1, VPI: 1, VCI: 100
UBR, PeakRate: 149760
AAL5-LLC/SNAP, etype:0x0, Flags: 0xC20, VCmode: 0x0
OAM frequency: 0 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Disabled
OAM VC status: Not Managed
ILMI VC status: Not Managed
InARP frequency: 15 minutes(s)
Transmit priority 6
InPkts: 94964567, OutPkts: 95069747, InBytes: 833119350, OutBytes: 838799016
InPRoc: 1, OutPRoc: 1, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 94964566, OutAS: 95069746
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 0
F5 InEndloop: 0, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 0
F5 OutEndloop: 0, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
VC 1/100 doesn't exist on 7 of 8 ATM interface(s)
Displaying Information About SVCs
Use the show atm svc and show atm ilmi-status commands to provide information about the SVCs that
are currently configured on the router. To display all SVCs that are currently configured on the router’s
ATM interfaces and subinterfaces, use the show atm svc command:
Router# show atm svc
           VCD /                              Peak    Avg/Min  Burst
Interface  Name  VPI  VCI  Type  Encaps  SC   Kbps    Kbps     Cells  Sts
4/0/0      1     0    5    SVC   SAAL    UBR  155000                  UP
4/0/2      4     0    35   SVC   SNAP    UBR  155000                  UP
4/1/0      16    0    47   SVC   SNAP    UBR  155000                  UP
4/1/0.1    593   0    80   SVC   SNAP    UBR  599040                  UP
Tip: To display all SVCs on a particular ATM interface or subinterface, use the show atm svc interface atm
command.
To display detailed information about a particular SVC, specify its VPI/VCI values:
Router# show atm svc 0/35
ATM5/1/0.200: VCD: 3384, VPI: 0, VCI: 35, Connection Name: SVC00
UBR, PeakRate: 155000
AAL5-MUX, etype:0x800, Flags: 0x44, VCmode: 0x0
OAM frequency: 10 second(s), OAM retry frequency: 1 second(s)
OAM up retry count: 3, OAM down retry count: 5
OAM Loopback status: OAM Received
OAM VC status: Verified
ILMI VC status: Not Managed
VC is managed by OAM.
InARP DISABLED
Transmit priority 6
InPkts: 0, OutPkts: 4, InBytes: 0, OutBytes: 400
InPRoc: 0, OutPRoc: 4, Broadcasts: 0
InFast: 0, OutFast: 0, InAS: 0, OutAS: 0
InPktDrops: 0, OutPktDrops: 0
CrcErrors: 0, SarTimeOuts: 0, OverSizedSDUs: 0, LengthViolation: 0, CPIErrors: 0
Out CLP=1 Pkts: 0
OAM cells received: 10
F5 InEndloop: 10, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
OAM cells sent: 10
F5 OutEndloop: 10, F5 OutSegloop: 0, F5 OutRDI: 0
F4 OutEndloop: 0, F4 OutSegloop: 0, F4 OutRDI: 0
OAM cell drops: 0
Status: UP
TTL: 4
interface = ATM5/1/0.200, call locally initiated, call reference = 8094273
vcnum = 3384, vpi = 0, vci = 35, state = Active(U10)
, point-to-point call
Retry count: Current = 0
timer currently inactive, timer value = 00:00:00
Remote Atm Nsap address: 47.00918100000000107B2B4B01.111155550001.00
, VC owner: ATM_OWNER_SMAP
To display information about the ILMI status and NSAP addresses being used for the SVCs on an ATM
interface, use the show atm ilmi-status command:
Router# show atm ilmi-status atm 4/1/0
Interface : ATM4/1/0 Interface Type : Private UNI (User-side)
ILMI VCC : (0, 16) ILMI Keepalive : Enabled/Up (5 Sec 4 Retries)
ILMI State: UpAndNormal
Peer IP Addr: 10.10.13.1 Peer IF Name: ATM 3/0/3
Peer MaxVPIbits: 8 Peer MaxVCIbits: 14
Active Prefix(s) :
47.0091.8100.0000.0010.11b8.c601
End-System Registered Address(s) :
47.0091.8100.0000.0010.11b8.c601.2222.2222.2222.22(Confirmed)
47.0091.8100.0000.0010.11b8.c601.aaaa.aaaa.aaaa.aa(Confirmed)
Tip: To display information about the SVC signaling PVC and ILMI PVC, use the show atm pvc 0/5 and
show atm pvc 0/16 commands.
Displaying Information About Layer 2/Layer 3 Mappings
To display the mappings between virtual circuits and Layer 3 IP addresses, use the
show atm map command:
Router# show atm map
Map list ATM3/1/0.100_ATM_INARP : DYNAMIC
ip 10.11.11.2 maps to VC 19, VPI 2, VCI 100, ATM3/1/0.100
ip 10.11.11.1 maps to VC 4, VPI 0, VCI 60, ATM3/1/0.102
ip 10.11.13.4 maps to VC 1, VPI 5, VCI 33, ATM3/1/0
ip 10.10.9.20 maps to bundle vc-group1, 0/32, 0/33, 0/34, ATM3/1/0.1, broadcast
Map list ATM3/1/1.200_ATM_INARP : DYNAMIC
ip 10.2.3.2 maps to VC 20, VPI 2, VCI 200, ATM1/1/0.200
ip 10.2.3.10 maps to bundle vc-group2, 0/32, 0/33, 0/34, ATM3/1/1.1, broadcast
Map list ATM4/0/3.95_pvc1 : PERMANENT
ip 10.4.4.4 maps to NSAP CD.CDEF.01.234567.890A.BCDE.F012.3456.7890.1234.12, broadcast,
aal5mux, multipoint connection up, VC 6
ip 10.4.4.6 maps to NSAP DE.CDEF.01.234567.890A.BCDE.F012.3456.7890.1234.12, broadcast,
aal5mux, connection up, VC 15, multipoint connection up, VC 6
ip 10.4.4.16 maps to VC 1, VPI 13, VCI 95, ATM4/0/3.95, aal5mux
Displaying Information About ATM Traffic
To display general information about the traffic over the ATM interfaces, use the show atm traffic
command:
Router# show atm traffic
276875 Input packets
272965 Output packets
2 Broadcast packets
0 Packets received on non-existent VC
6 Packets attempted to send on non-existent VC
272523 OAM cells received
F5 InEndloop: 272523, F5 InSegloop: 0, F5 InAIS: 0, F5 InRDI: 0
F4 InEndloop: 0, F4 InSegloop: 0, F4 InAIS: 0, F4 InRDI: 0
272963 OAM cells sent
F5 OutEndloop: 272963, F5 OutSegloop: 0, F5 OutRDI: 0
0 OAM cell drops
To display information about traffic shaping on the ATM interfaces in a particular slot, use the show atm
traffic shaping slot command:
Router# show atm traffic shaping slot 3
Traffic Shaping CAM State : ACTIVE
Shaper Configuration Status :
Shapers In Use By Config : 3, Shapers Available for Config : 3
Shaper Status in Hardware :
Shaper 0 : In Use - Port : 0/0/0 Class : best-effort
Shaper 1 : Not In Use
Shaper 2 : Not In Use
Shaper 3 : Not In Use
Statistics :
Total cell discards : 0, clp0 discards : 0, clp1 discards : 0
Free cell buffers : 262143
Total cells queued : 0
Tip: You can also use the show atm vc traffic command to display traffic information for a particular VC.
Displaying Information About VLAN Mappings
To display the mappings of VLAN IDs to VCs, use the show atm vlan command:
Router# show atm vlan
VCD VLAN-ID
101 1
102 2
103 3
104 4
105 5
106 6
107 7
108 8
109 9
110 10
111 11
112 12
113 13
114 14
115 15
116 16
117 17
118 18
119 19
120 20
121 21
122 22
...
800 11
801 11
802 11
803 11
804 326
805 326
806 326
807 326
808 327
809 327
810 327
811 327
Tip: To display the ports being used by a VLAN, use the show vlan id command.
Displaying Information About VC Bundles
To display the relationship between a particular VC and its parent VC class, including the parameters
that were inherited from the class and those that were set manually, use the show atm class-links
command:
Router# show atm class-links 0/66
Displaying vc-class inheritance for ATM2/0.3, vc 0/66:
broadcast - VC-class configured on main-interface
encapsulation aal5mux ip - VC-class configured on subinterface
no ilmi manage - Not configured - using default
oam-pvc manage 3 - VC-class configured on vc
oam retry 3 5 1 - Not configured - using default
ubr 10000 - Configured on vc directly
Displaying Information About Automatic Protection Switching
When you have configured automatic protection switching (APS) on one or more routers, you can show
the current APS configuration and status with the show aps command, which has the following syntax:
show aps [atm interface | controller | group [number] ]
You can display information about the overall APS configuration and about the specific APS groups that
include interfaces that are present in the router.
Displaying the Current APS Status
The show aps command, without any options, displays information for all interfaces in the router that
are configured as Working or Protect APS interfaces. The following shows sample output for a router
with one Working interface and one Protect interface:
Router# show aps
ATM4/0/1 APS Group 1: protect channel 0 (inactive)
bidirectional, revertive (2 min)
PGP timers (default): hello time=1; hold time=3
state:
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0x20 0x05
Reverse Request (protect)
Working channel 1 at 10.10.10.41 Enabled
Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (active)
PGP timers (from protect): hello time=3; hold time=6
state: Enabled
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Protect at 10.10.10.41
Remote APS configuration: (null)
The following sample output is for the same interfaces, except that the Working interface has gone down
and the Protect interface is now active:
Router# show aps
ATM4/0/1 APS Group 1: protect channel 0 (active)
bidirectional, revertive (2 min)
PGP timers (default): hello time=1; hold time=3
state:
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0xC1 0x05
Signal Failure - Low Priority (working)
Working channel 1 at 10.10.10.41 Disabled SF
Pending local request(s):
0xC (, channel(s) 1)
Remote APS configuration: (null)
ATM4/0/0 APS Group 1: working channel 1 (Interface down)
PGP timers (from protect): hello time=3; hold time=6
state: Disabled
authentication = (default)
PGP versions (native/negotiated): 2/2
SONET framing; SONET APS signalling by default
Protect at 10.10.10.41
Remote APS configuration: (null)
Tip To display the same information for a specific ATM interface, use the show aps atm slot/subslot/port
command.
Displaying Information About APS Groups
To display information about the APS groups that are configured on the router, use the show aps group
command. You can display information for all groups or for a single group. For example, the following
shows a typical display for an individual group:
Router# show aps group 2
ATM4/0/0 APS Group 2: working channel 1 (active)
PGP timers (from protect): hello time=3; hold time=6
SONET framing; SONET APS signalling by default
Protect at 10.10.10.7
Remote APS configuration: (null)
ATM4/0/1 APS Group 2: protect channel 0 (inactive)
bidirectional, revertive (2 min)
PGP timers (default): hello time=1; hold time=3
SONET framing; SONET APS signalling by default
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0x20 0x05
Reverse Request (protect)
Working channel 1 at 10.10.10.7 Enabled
Remote APS configuration: (null)
Note In the above example, both the Working and Protect interfaces in the APS group are on the same router.
If the two interfaces are on different routers, the show aps group command shows information only for
the local interface that is a member of the APS group.
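The K1K2 bytes in the show aps output above can be decoded mechanically, which is useful when a monitoring script has to tell a fault-driven protection switch from an idle group. The following Python code is an added example, not part of the Cisco guide or of Cisco IOS. The function names are hypothetical, and the request-code and mode tables follow the standard SONET linear APS assignments, which is an assumption beyond the three codes shown in the sample output.

```python
import re

# K1 high nibble = request code. The guide's output shows 0x0, 0x2 and 0xC;
# the other entries follow the standard SONET linear APS table (assumption).
K1_REQUEST = {
    0xF: "Lockout of Protection", 0xE: "Forced Switch",
    0xD: "Signal Failure - High Priority", 0xC: "Signal Failure - Low Priority",
    0xB: "Signal Degrade - High Priority", 0xA: "Signal Degrade - Low Priority",
    0x8: "Manual Switch", 0x6: "Wait-to-Restore", 0x4: "Exercise",
    0x2: "Reverse Request", 0x1: "Do Not Revert", 0x0: "No Request",
}
# K2 low three bits = provisioned mode or line alarm (standard table, assumption).
K2_MODE = {0b100: "unidirectional", 0b101: "bidirectional",
           0b110: "RDI-L", 0b111: "AIS-L"}
# Requests raised by a line fault rather than by an operator command.
FAULT_REQUESTS = {name for name in K1_REQUEST.values()
                  if name.startswith(("Signal Failure", "Signal Degrade"))}

IFACE_RE = re.compile(
    r"^(ATM\S+) APS Group (\d+): (protect|working) channel (\d+) \((.+)\)")
K1K2_RE = re.compile(
    r"^\s*(Received|Transmitted) K1K2: 0x([0-9A-Fa-f]{2}) 0x([0-9A-Fa-f]{2})")

# Sample taken from the guide's second "show aps" output (Working interface down).
SAMPLE_FAILOVER = """\
ATM4/0/1 APS Group 1: protect channel 0 (active)
bidirectional, revertive (2 min)
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0xC1 0x05
Signal Failure - Low Priority (working)
Working channel 1 at 10.10.10.41 Disabled SF
ATM4/0/0 APS Group 1: working channel 1 (Interface down)
state: Disabled
Protect at 10.10.10.41
"""

def decode_k1k2(k1, k2):
    """Split the two APS bytes into their request, channel and mode fields."""
    return {
        "request": K1_REQUEST.get(k1 >> 4, "unassigned"),
        "request_channel": k1 & 0x0F,       # 0 = protect/null, 1..14 = working
        "bridged_channel": k2 >> 4,
        "architecture": "1:n" if k2 & 0x08 else "1+1",
        "mode": K2_MODE.get(k2 & 0x07, "reserved"),
    }

def parse_show_aps(text):
    """Return one record per interface block found in show aps output."""
    records = []
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            records.append({"interface": m.group(1), "group": int(m.group(2)),
                            "role": m.group(3), "channel": int(m.group(4)),
                            "status": m.group(5), "k1k2": {}})
            continue
        m = K1K2_RE.match(line)
        if m and records:
            records[-1]["k1k2"][m.group(1).lower()] = decode_k1k2(
                int(m.group(2), 16), int(m.group(3), 16))
    return records

def protection_switches(records):
    """List (group, interface, request, channel) where a protect interface
    is transmitting a fault-driven request for a working channel."""
    hits = []
    for rec in records:
        tx = rec["k1k2"].get("transmitted")
        if rec["role"] == "protect" and tx and tx["request"] in FAULT_REQUESTS:
            hits.append((rec["group"], rec["interface"],
                         tx["request"], tx["request_channel"]))
    return hits

if __name__ == "__main__":
    for hit in protection_switches(parse_show_aps(SAMPLE_FAILOVER)):
        print("APS group %d on %s: %s, channel %d" % hit)
```
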
Troubleshooting the ATM Shared Port Adapter
This section describes the following commands and messages that can provide information in
troubleshooting the ATM SPA and its interfaces:
• Understanding Line Coding Errors
• Using the Ping Command to Verify Network Connectivity
• Using Loopback Commands
• Using ATM Debug Commands
• Using the Cisco IOS Event Tracer to Troubleshoot Problems
Tip For additional information on troubleshooting specific problems related to PVCs and SVCs, see the TAC
tech note web page, at the following URL:
http://www.cisco.com/en/US/tech/tk39/tk48/tech_tech_notes_list.html
Understanding Line Coding Errors
This section provides a brief description of line coding and of the types of errors and alarms that can
occur on a line:
• Alarm Indication Signal (AIS)—An AIS alarm indicates that an alarm was raised by a device on a
line upstream to the ATM interface. Typically, the device creating the alarm is the adjacent network
neighbor, but the AIS signal could also be generated by a device in the service provider’s ATM
cloud.
• Loss of Frame (LOF)—An LOF alarm occurs when the local interface is using a framing format that
does not match the framing format being used on the line. LOF errors could also occur when the line
or a device on the line is generating bit errors that are corrupting frames.
• Rx Cell HCS Error (HCSE)—The interface detected an error in the cell’s header checksum (HCS)
field, which indicates that one or more header bits were corrupted. (This field does not indicate
whether any errors occurred in the cell’s 48-bit payload.)
• Remote Alarm Indication (RAI) and Far-end Receive Failure (FERF)—An RAI/FERF error
indicates that a problem exists between the local ATM interface and the far end, and that the error
might not be in the local segment between the local interface and adjacent node.
Using the Ping Command to Verify Network Connectivity
The ping command is a convenient way to test the ability of an interface to send and receive packets over
the network. The ping command sends ICMP echo request packets to a specified destination address,
which should send an equal number of ICMP echo reply packets in reply. By measuring the number
of packets that are successfully returned, as well as how long each packet takes to be returned, you can
quickly obtain a rough idea of the Layer 3 to Layer 3 connectivity between two interfaces.
The IP ping command has the following syntax:
ping
or
ping ip-address [repeat count] [data hex] [size datagram-size]
If you enter just ping, the command interactively prompts you for all other parameters. Otherwise, you
must specify at least a specific IP address as the destination for the ping. You can also optionally specify
the following parameters:
• repeat count—Number of ICMP echo request packets to send. The default is five packets.
• data hex—The data pattern, in hexadecimal, to be sent in the ICMP echo request packets.
• size datagram-size—Specifies the size, in bytes, of the ICMP echo request packets to be sent. The
range is 40 to 18024 bytes, with a default of 100 bytes.
Examples
The following shows a typical example of the ping command:
Router# ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/64 ms
Note You must have at least one PVC or SVC defined on an ATM interface before it can respond to an ICMP
ping packet.
Using Loopback Commands
The loopback commands place an interface in loopback mode, which enables you to use the ping
command to send packets through the local interface and line, so as to test connectivity. These commands
are especially useful when an interface is experiencing a high number of cyclic redundancy check (CRC)
errors, so that you can pinpoint where the errors are occurring.
Use the following procedures to perform the different loopback tests:
• Using loopback diagnostic to Create a Local Loopback
• Using loopback line
Tip For more information about using loopbacks to troubleshoot CRC errors on an interface, see the CRC
Troubleshooting Guide for ATM Interfaces tech note, at the following URL:
http://www.cisco.com/en/US/tech/tk39/tk48/technologies_tech_note09186a00800c93ef.shtml
Using loopback diagnostic to Create a Local Loopback
To perform a local loopback test, in which the transmit data is looped back to the receive data at the
physical (PHY) layer, use the loopback diagnostic command on an ATM interface. This loopback tests
connectivity on the local ATM interface, verifying that the interface’s framing circuitry and
segmentation and reassembly (SAR) circuitry are operating correctly. This loopback, however, does not
test the interface’s optics circuitry and ports.
Tip If an ATM interface is currently connected to another ATM interface and passing traffic, shut down the
remote ATM interface before giving the loopback diagnostic command on the local ATM interface.
Otherwise, the remote interface continues to send traffic to the local interface, and the remote network
could also start reporting interface and network errors.
Figure 8-1 shows a router-level diagram of a local loopback. Figure 8-2 shows a block-level diagram of
a local loopback, as it is performed within the ATM interface circuitry.
Figure 8-1 Performing a Local Loopback—Router Level
[Diagram: Router 1 TX and RX carrying loopback cells; ATM cloud; Router 2]
Figure 8-2 Performing a Local Loopback—Block Level
[Diagram: FPGA, ATM SAR, SONET/SDH Framer, ATM optics; TX and RX paths]
DETAILED STEPS
Command or Action    Purpose
Step 1 Router# configure terminal
    Enters global configuration mode.
Step 2 Router(config)# interface atm slot/subslot/port
    Enters interface configuration mode for the indicated port on the specified ATM SPA card.
Step 3 Router(config-if)# loopback diagnostic
    Puts the ATM interface into the local loopback mode, so that data that is transmitted out the
    interface is internally routed back into the receive data line.
Step 4 Router(config-if)# atm clock internal
    Specifies that the ATM interface should derive its clocking from its local oscillator, which is
    required, because the loopback command isolates the interface from the network and from the
    clocking signals that are derived from the network line.
Step 5 Router(config-if)# end
    Exits interface configuration mode and returns to privileged EXEC mode.
Step 6 Router# show interface atm slot/subslot/port
    (Optional) Verifies that the interface has been configured for loopback mode. The output should
    show the words “loopback set” when the interface is operating in loopback mode.
Step 7 Router# debug atm packet interface atm slot/subslot/port
    (Optional) Enables packet debugging on the ATM interface.
    Note This command generates several lines of debug output for each packet transmitted and
    received on the interface. Do not use it on a live network, or you could force the processor to
    100% utilization.
Step 8 Router(config-if)# ping ip-address [repeat count] [data hex] [size datagram-size]
    Sends an ICMP echo request packet to the specified IP address.
    • ip-address—Destination IP address for the ICMP echo request packet. Because the interface has
      been put into loopback mode, the exact IP address does not matter—any valid IP address can be
      specified.
    • repeat count—(Optional) Specifies the number of ICMP echo request packets to be sent. The
      default is 5.
    • data hex—(Optional) The data pattern, in hexadecimal, to be sent in the ICMP echo request
      packets.
    • size datagram-size—(Optional) Specifies the size, in bytes, of the ICMP echo request packets to
      be sent. The range is 40 to 18024 bytes, with a default of 100 bytes.
    Note Because the interface is in loopback mode, the ping command will report that it failed. This
    is to be expected.
Step 9 Router# show interface atm slot/subslot/port
    Displays interface statistics, including whether any CRC or other errors occurred during the
    ping test. For example:
    Router# show interface atm 5/0/1
    ...
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    ...
    Router#
Step 10 Router(config)# interface atm slot/subslot/port
    Enters interface configuration mode for the indicated port on the specified ATM SPA card.
Step 11 Router(config-if)# no loopback diagnostic
    Removes the local loopback and returns the ATM interface to normal operations.
Note Also remember to restore the proper clocking on the local ATM interface and to reenable the remote ATM
interface.
Examples
The following sample output shows a local loopback being set with the loopback diagnostic command.
The ping command then sends two PING packets, and the resulting output from the show interface
command shows that two CRC errors occurred.
Router# configure terminal
Router(config)# interface atm 4/1/0
Router(config-if)# loopback diagnostic
Router(config-if)# atm clock internal
Router(config-if)# end
Router# show interface atm 4/1/0
ATM4/1/0 is up, line protocol is up
Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback set
Encapsulation(s): AAL5
4095 maximum active VCs, 21 current VCCs
VC idle disconnect time: 300 seconds
Signalling vc = 1, vpi = 0, vci = 5
UNI Version = 4.0, Link Side = user
6 carrier transitions
Last input 01:47:05, output 00:00:01, output hang never
Last clearing of "show interface" counters 01:03:35
Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
9502306 packets input, 6654982829 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
27827569 packets output, 21072150159 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
Router# debug atm packet interface atm 4/1/0
ATM packets debugging is on
Displaying packets on interface ATM4/1/0
Router# ping 10.10.10.10 count 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
1w1d: ATM4/1/0(O):
VCD:0x5 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
1w1d: 4500 0064 001A 0000 FF01 B77A 0101 0102 0101 0101 0800 119A 13A2 07C5 0000
1w1d: 0000 2D41 2408 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD
1w1d:
1w1d: ATM4/1/0(I):
VCD:0x5 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
1w1d: 4500 0064 001A 0000 0101 B57B 0101 0102 0101 0101 0800 119A 13A2 07C5 0000
1w1d: 0000 2D41 2408 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD
1w1d: .
1w1d: ATM4/1/0(O):
VCD:0x5 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
1w1d: 4500 0064 001B 0000 FF01 B779 0101 0102 0101 0101 0800 09C9 13A3 07C5 0000
1w1d: 0000 2D41 2BD8 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD
1w1d:
1w1d: ATM4/1/0(I):
VCD:0x5 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
1w1d: 4500 0064 001B 0000 0101 B57A 0101 0102 0101 0101 0800 09C9 13A3 07C5 0000
1w1d: 0000 2D41 2BD8 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD
1w1d: .
Success rate is 0 percent (0/2)
Router# configure terminal
Router(config)# interface atm 4/1/0
Router(config-if)# no loopback diagnostic
Router(config-if)# end
Router# show interface atm 4/1/0
ATM4/1/0 is up, line protocol is up
Hardware is ATM SPA, address is 000a.f330.2a80 (bia 000a.f330.2a80)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 21 current VCCs
VC idle disconnect time: 300 seconds
Signalling vc = 1, vpi = 0, vci = 5
UNI Version = 4.0, Link Side = user
6 carrier transitions
Last input 01:47:05, output 00:00:01, output hang never
Last clearing of "show interface" counters 01:03:35
Input queue: 0/75/33439/80 (size/max/drops/flushes); Total output drops: 963306
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
9502306 packets input, 6654982829 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
2 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
27827569 packets output, 21072150159 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
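The packet dumps in the example above can be decoded to see what the loopback actually returned. The following Python code is an added example, not part of the Cisco guide or of Cisco IOS; it parses debug atm packet output, checks the IPv4 and ICMP checksums, and pairs each outbound (O) packet with the inbound (I) packet that follows it. The function names are hypothetical, and the field layout assumed is that of the standard IPv4 and ICMP headers.

```python
import ipaddress
import re

# First outbound/inbound pair from the guide's local loopback example
# (debug atm packet output, copied as printed).
SAMPLE = """\
1w1d: ATM4/1/0(O):
VCD:0x5 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
1w1d: 4500 0064 001A 0000 FF01 B77A 0101 0102 0101 0101 0800 119A 13A2 07C5 0000
1w1d: 0000 2D41 2408 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD
1w1d:
1w1d: ATM4/1/0(I):
VCD:0x5 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
1w1d: 4500 0064 001A 0000 0101 B57B 0101 0102 0101 0101 0800 119A 13A2 07C5 0000
1w1d: 0000 2D41 2408 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
1w1d: ABCD ABCD ABCD ABCD ABCD
1w1d: .
"""

HEADER_RE = re.compile(r"(ATM[\d/]+)\(([OI])\):")
HEX_WORD_RE = re.compile(r"^[0-9A-Fa-f]{4}$")

def parse_dump(text):
    """Split debug output into packets: direction, VC fields, payload bytes."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            packets.append({"interface": m.group(1), "direction": m.group(2),
                            "fields": {}, "data": bytearray()})
            continue
        tokens = line.split()
        if tokens and tokens[0].endswith(":"):      # drop the timestamp prefix
            tokens = tokens[1:]
        if not packets or not tokens:
            continue
        if tokens[0].startswith("VCD:"):
            packets[-1]["fields"] = dict(t.split(":", 1) for t in tokens)
        elif all(HEX_WORD_RE.match(t) for t in tokens):
            packets[-1]["data"] += bytes.fromhex("".join(tokens))
    return packets

def ones_complement_ok(data):
    """True when the 16-bit one's-complement sum, checksum included, is 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4_icmp(data):
    """Decode the IPv4 header and, for protocol 1, the ICMP header."""
    data = bytes(data)
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    total_len = int.from_bytes(data[2:4], "big")
    out = {"ttl": data[8], "protocol": data[9],
           "src": str(ipaddress.IPv4Address(data[12:16])),
           "dst": str(ipaddress.IPv4Address(data[16:20])),
           "ip_checksum_ok": ones_complement_ok(data[:ihl]),
           "truncated": len(data) < total_len}
    if out["protocol"] == 1 and len(data) >= ihl + 8:
        icmp = data[ihl:total_len]
        out.update(icmp_type=icmp[0],
                   icmp_id=int.from_bytes(icmp[4:6], "big"),
                   icmp_seq=int.from_bytes(icmp[6:8], "big"),
                   # a truncated dump cannot be checked end to end
                   icmp_checksum_ok=None if out["truncated"] else ones_complement_ok(icmp))
    return out

def loopback_report(text):
    """Pair each outbound ICMP packet with the next inbound one and compare."""
    decoded = [(p["direction"], decode_ipv4_icmp(p["data"])) for p in parse_dump(text)]
    report = []
    for (d1, tx), (d2, rx) in zip(decoded, decoded[1:]):
        if (d1, d2) != ("O", "I") or not tx or not rx:
            continue
        if "icmp_type" not in tx or "icmp_type" not in rx:
            continue
        same_ids = (rx["icmp_id"], rx["icmp_seq"]) == (tx["icmp_id"], tx["icmp_seq"])
        report.append({
            "icmp_id": tx["icmp_id"], "icmp_seq": tx["icmp_seq"],
            "own_request_returned": rx["icmp_type"] == 8 and same_ids,
            "echo_reply_seen": rx["icmp_type"] == 0,
            "checksums_ok": all([tx["ip_checksum_ok"], rx["ip_checksum_ok"],
                                 tx["icmp_checksum_ok"], rx["icmp_checksum_ok"]]),
            "ttl_out": tx["ttl"], "ttl_in": rx["ttl"],
        })
    return report
```

On the guide's sample the inbound packet is the router's own echo request (ICMP type 8) rather than an echo reply, which is consistent with ping reporting a 0 percent success rate while the interface is looped back.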
Using loopback line
If an ATM interface can perform a local loopback successfully, without reporting errors, you can next
try a line loopback (loopback line command) to determine if packet errors are being generated by the
ATM network between the local and remote router. In a line loopback, the interface on the remote router
is configured with the loopback line command, so that it reflects every packet that it receives back to the
originating router. The local router then generates traffic with the ping command to determine whether
the line through the network is generating the packet errors.
Figure 8-3 shows a router-level diagram of a line loopback. Figure 8-4 shows a block-level diagram of
a line loopback, as it is performed within the ATM interface circuitry.
Figure 8-3 Performing a Local Loopback—Router Level
[Diagram: Router 1 TX and RX carrying loopback cells; ATM cloud; Router 2]
Figure 8-4 Performing a Line Loopback—Block Level
[Diagram: FPGA, ATM SAR, SONET/SDH Framer, ATM Optics; TX and RX paths]
DETAILED STEPS
Command or Action    Purpose
Perform the following steps on the remote router:
Step 1 Router# configure terminal
    Enters global configuration mode.
Step 2 Router(config)# interface atm slot/subslot/port
    Enters interface configuration mode for the indicated port on the specified ATM SPA card.
Step 3 Router(config-if)# loopback line
    Puts the ATM interface into the line loopback mode, so that it reflects any data it receives back
    to the originator.
Step 4 Router(config-if)# end
    Exits interface configuration mode and returns to privileged EXEC mode.
Step 5 Router# show interface atm slot/subslot/port
    (Optional) Verifies that the interface has been configured for loopback mode. The output should
    show the words “loopback set” when the interface is operating in loopback mode.
Perform the following steps on the local router:
Step 1 Router# debug atm packet interface atm slot/subslot/port
    (Optional) Enables packet debugging on the ATM interface.
    Note This command generates several lines of debug output for each packet transmitted and
    received on the interface. Do not use it on a live network, or you could force the processor to
    100% utilization.
Step 2 Router(config-if)# ping ip-address [repeat count] [data hex] [size datagram-size]
    Sends an ICMP echo request packet to the specified IP address.
    • ip-address—Destination IP address for the ICMP echo request packet. Because the interface has
      been put into loopback mode, the exact IP address does not matter—any valid IP address can be
      specified.
    • repeat count—(Optional) Specifies the number of ICMP echo request packets to be sent. The
      default is 5.
    • data hex—(Optional) The data pattern, in hexadecimal, to be sent in the ICMP echo request
      packets. The default is 0x0000.
    • size datagram-size—(Optional) Specifies the size, in bytes, of the ICMP echo request packets to
      be sent. The range is 40 to 18024 bytes, with a default of 100 bytes.
    Note Because the interface is in loopback mode, the ping command will report that it failed. This
    is to be expected.
Step 3 Router(config-if)# end
    Exits interface configuration mode and returns to privileged EXEC mode.
Step 4 Router# show interface atm slot/subslot/port
    Displays interface statistics, including whether any CRC or other errors occurred during the
    ping test. For example:
    Router# show interface atm 5/0/1
    ...
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    ...
    Router#
Note Also remember to remove the loopback mode on the remote ATM interface, using the no loopback line
command.
Examples
The following shows typical output when performing a line loopback. The following is the output on the
remote router:
Router# configure terminal
Router(config)# interface atm 3/1/2
Router(config)# loopback line
Router(config)# end
Router# show interface atm 3/1/2
ATM3/1/2 is up, line protocol is up
Hardware is ATM SPA, address is 000a.330e.2b08 (bia 000a.330e.2b08)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback set
Encapsulation(s): AAL5
4095 maximum active VCs, 103 current VCCs
VC idle disconnect time: 300 seconds
Signalling vc = 1, vpi = 0, vci = 5
UNI Version = 4.0, Link Side = user
6 carrier transitions
Last input 00:00:02, output 00:00:01, output hang never
Last clearing of "show interface" counters 01:03:35
Input queue: 0/75/13/80 (size/max/drops/flushes); Total output drops: 37
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
932603 packets input, 6798282 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
387275 packets output, 371031501 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
On the Local Router
Perform the following on the local router:
Router# debug atm packet interface atm 4/0/0
ATM packets debugging is on
Displaying packets on interface ATM4/0/0
Router# ping 192.168.100.13 repeat 2 size 128
Type escape sequence to abort.
Sending 2, 128-byte ICMP Echos to 192.168.100.13, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
00:52:00: ATM4/0/0(O):
VCD:0x1 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:00: 4500 0064 000F 0000 FF01 B785 0101 0102 0101 0101 0800 CE44 121D 0009 0000
00:52:00: 0000 002F 9DB0 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
00:52:00:
00:52:00: ATM4/0/0(I):
VCD:0x1 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:00: 4500 0064 000F 0000 0101 B586 0101 0102 0101 0101 0800 CE44 121D 0009 0000
00:52:00: 0000 002F 9DB0 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
00:52:00:
00:52:02: ATM4/0/0(O):
VCD:0x1 VPI:0x0 VCI:0x55 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:02: 4500 0064 0010 0000 FF01 B784 0101 0102 0101 0101 0800 C673 121E 0009 0000
00:52:02: 0000 002F A580 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:02: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
00:52:02:
00:52:02: ATM4/0/0(I):
VCD:0x1 VPI:0x0 VCI:0x55 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
00:52:02: 4500 0064 0010 0000 0101 B585 0101 0102 0101 0101 0800 C673 121E 0009 0000
00:52:02: 0000 002F A580 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:02: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
00:52:00: ABCD ABCD ABCD ABCD
Router# show interface atm 4/0/0
ATM4/0/0 is up, line protocol is up
Hardware is ATM SPA, address is 000a.12f0.80b1 (bia 000a.12f0.80b1)
MTU 4470 bytes, sub MTU 4470, BW 149760 Kbit, DLY 80 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Encapsulation(s): AAL5
4095 maximum active VCs, 103 current VCCs
VC idle disconnect time: 300 seconds
Signalling vc = 1, vpi = 0, vci = 5
UNI Version = 4.0, Link Side = user
6 carrier transitions
Last input 00:00:02, output 00:00:01, output hang never
Last clearing of "show interface" counters 01:03:35
Input queue: 0/75/13/80 (size/max/drops/flushes); Total output drops: 37
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
94917 packets input, 1638383 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
102898 packets output, 2042785 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 output buffer failures, 0 output buffers swapped out
Using ATM Debug Commands
The following debug commands can be useful when troubleshooting problems on an ATM interface or
subinterface:
• debug atm bundle errors—Displays information about VC bundle errors.
• debug atm bundle events—Displays information about events related to the configuration and
operation of VC bundles, such as VC bumping, when bundles are brought up, when they are taken
down, and so forth.
• debug atm errors—Displays errors that occur on an ATM interface, such as encapsulation and
framing errors, as well as any errors that might occur during configuration of the ATM interfaces.
• debug atm events—Displays information about events that occur on the ATM interfaces, such as
changes to the ATM SPA and ATM interface configuration, card and interface resets, and PVC or
SVC creation.
Note The output of debug atm events can be extremely verbose and can cause problems if large numbers of
ATM VCs are configured. The command should only be used when a few VCs are configured.
• debug atm oam—Displays the contents of ATM operation and maintenance (OAM) cells as they
arrive from the ATM network.
• debug atm packet—Displays a hexadecimal dump of each packet’s SNAP/NLPID/SMDS header,
followed by the first 40 bytes of the packet.
Tip Use the no debug all command to turn off all debugging displays.
For more information about these commands, see the Cisco IOS Debug Command Reference,
Release 12.2.
Using the Cisco IOS Event Tracer to Troubleshoot Problems
Note This feature is intended for use as a software diagnostic tool and should be configured only under the
direction of a Cisco Technical Assistance Center (TAC) representative.
The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This
feature gives Cisco service representatives additional insight into the operation of the Cisco IOS
software and can be useful in helping to diagnose problems in the unlikely event of an operating system
malfunction or, in the case of redundant systems, route processor switchover.
Event tracing works by reading informational messages from specific Cisco IOS software subsystem
components that have been preprogrammed to work with event tracing, and by logging messages from
those components into system memory. Trace messages stored in memory can be displayed on the screen
or saved to a file for later analysis.
The SPAs currently support the “spa” component to trace SPA OIR-related events.
Preparing for Online Insertion and Removal of a SPA
The Cisco 7600 series router supports online insertion and removal (OIR) of the SIP, in addition to each
of the SPAs. Therefore, you can remove a SIP with its SPAs still intact, or you can remove a SPA
independently from the SIP, leaving the SIP installed in the router.
This means that a SIP can remain installed in the router with one SPA remaining active, while you
remove another SPA from one of the SIP subslots. If you are not planning to immediately replace a SPA
into the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully
installed with either functional SPAs or blank filler plates.
For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing
for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting a SIP” chapter in this
guide.
PART 4
CEoP Shared Port Adapters
CHAPTER 9
Overview of the CEoP and Channelized ATM SPAs
This chapter provides an overview of the release history, features, and MIB support for the Circuit
Emulation over Packet (CEoP) shared port adapters (SPAs) that are available for Cisco 7600 series
routers. This chapter includes the following sections:
• Release History
• Overview
• Supported Features
• Unsupported Features
• Prerequisites
• Restrictions
• Supported MIBs
• Displaying the SPA Hardware Type
Release History
Release         Modification
12.2(33)SRE3    Added new CLI options for configuring hardware timer to bring up the
                controller.
15.0(1)S        Support was added for the following features:
                • Network Clocking and SSM functionality support was added
                • VC QoS on VP-PW
12.2(33)SRE     Support was added for VP and VC mode on CEoP and 1-Port
                OC-48c/STM-16 ATM SPA
12.2(33)SRC     Support was added for the following features:
                • Support was introduced for the 2-Port Channelized T3/E3 ATM CEoP
                  SPA.
                • Support was added for Inverse multiplexing over ATM (IMA).
                • KEOPS Phase 2 Local Switching Redundancy
                • KEOPS Phase 2 TDM Local Switching
Overview
The CEoP SPAs are single-width, single-height, cross-platform Circuit Emulation over Packet (CEoP)
shared port adapters (SPAs) for Cisco 7600 series routers. CEoP SPAs come in the following models:
• 24-Port Channelized T1/E1 ATM CEoP SPA (SPA-24CHT1-CE-ATM=)
• 2-Port Channelized T3/E3 ATM CEoP SPA (SPA-2CHT3-CE-ATM=)
• 1-Port Channelized OC-3 STM1 ATM CEoP SPA (SPA-1CHOC3-CE-ATM=)
The 24-Port Channelized T1/E1 ATM CEoP SPA and 1-Port Channelized OC-3 STM1 ATM CEoP SPA
must be installed in a Cisco 7600 SIP-400 SPA interface processor (SIP) before they can be used in the
Cisco 7600 series router. A maximum of four CEoP SPAs can be installed in each SIP, and these SPAs
can be different models. You can install the SPA in the SIP before or after you insert the SIP into the
router chassis. This allows you to perform online insertion and removal (OIR) operations either by
removing individual SPAs from the SIP, or by removing the entire SIP (and its contained SPAs) from the
router chassis.
Pseudowire Emulation over Packet (PWEoP) is one of the key components for migrating customers to a
packet-based multi-service network. Circuit Emulation over Packet (CEoP) is a subset of PWEoP. It is
a technology for migrating from legacy TDM networks to all-packet networks while still providing
transparent transport for legacy applications over the packet network. CEoP is the imitation of a
physical connection.
Many service providers and enterprises operate both packet switched networks and time division
multiplexed (TDM) networks. These service providers and enterprises have moved many of their data
services from the TDM network to their packet network for scalability and efficiency. Cisco provides
routing and switching solutions capable of transporting Layer 2 and Layer 3 protocols such as Ethernet,
IP, and Frame Relay. While most applications and services have been migrated to the packet-based
network, some, including voice and legacy applications, still rely on a circuit or leased line for transport.
CEoP SPAs implement Circuit Emulation over Packet by transporting circuits over a packet-based
network. CEoP SPAs help service providers and enterprises migrate to one packet network capable of
efficiently delivering both data and circuit services. CEoP SPAs also support ATM and ATM
pseudowire. For an overview of ATM, see the “ATM Overview” section on page 6-4.
Note In Cisco IOS Release 12.2(33)SRC, the 2-Port Channelized T3/E3 ATM CEoP SPA does not support
Circuit Emulation (CEM) mode. The SPA supports ATM mode only.
CEoP Frame Formats
The CEoP SPAs support two encapsulations: the structured encapsulation, Circuit Emulation Service
over Packet Switched Networks (CESoPSN), and the Structure-Agnostic TDM over Packet (SAToP)
encapsulation.
Release History (continued)
Release         Modification
12.2(33)SRB1    Support was added for the following new features:
                • ATM pseudowire redundancy.
                • Out-of-band clocking.
12.2(33)SRB     Support was introduced for the 1-Port Channelized OC-3 STM1 ATM
                CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP SPA.
Circuit Emulation Services over Packet Switched Network (CESoPSN) mode
Circuit Emulation Services over Packet Switched Network (CESoPSN) mode is used to encapsulate
T1/E1 structured (channelized) services over PSN. Structured mode (CESoPSN) identifies framing and
sends only payload, which can be channelized T1s within DS3 and DS0s within T1. DS0s can be bundled
to the same packet. This mode is based on IETF RFC 5086.
SPAs can aggregate individual interfaces and flexibly bundle them together. They can be configured to
support either structured or unstructured CES modes of operation per each T1/E1/J1 as well as clear
channel DS3 interfaces. Note that DS3 does not support CESoPSN/SAToP currently. It is only supported
on 1-Port Channelized OC-3 STM1 ATM CEoP SPA channelized to T1/E1, or on 24-Port Channelized
T1/E1 ATM CEoP SPA.
Each supported interface can be configured individually to any supported mode. The supported services
comply with IETF and ITU drafts and standards.
Figure 9-1 shows the frame format in CESoPSN mode.
Figure 9-1 Structured Mode Frame Format
[Figure: Encapsulation header; CE Control (4 bytes); RTP (optional, 12 bytes); CEoP payload
consisting of Frame#1 through Frame#m, each carrying timeslots 1-N]
For CESoPSN, Table 9-1 shows the payload and jitter for DS0 lines.
Table 9-1 CESoPSN DS0 Lines: Payload and Jitter Limits
DS0   Maximum   Maximum   Minimum   Minimum   Maximum   Minimum
      Payload   Jitter    Jitter    Payload   Jitter    Jitter
1     40        320       10        32        256       8
2     80        320       10        32        128       4
3     120       320       10        33        128       4
4     160       320       10        32        64        2
5     200       320       10        40        64        2
6     240       320       10        48        64        2
7     280       320       10        56        64        2
8     320       320       10        64        64        2
9     360       320       10        72        64        2
10    400       320       10        80        64        2
11    440       320       10        88        64        2
12    480       320       10        96        64        2
13    520       320       10        104       64        2
14    560       320       10        112       64        2
15    600       320       10        120       64        2
16    640       320       10        128       64        2
17    680       320       10        136       64        2
18    720       320       10        144       64        2
19    760       320       10        152       64        2
20    800       320       10        160       64        2
21    840       320       10        168       64        2
22    880       320       10        176       64        2
23    920       320       10        184       64        2
24    960       320       10        192       64        2
25    1000      320       10        200       64        2
26    1040      320       10        208       64        2
27    1080      320       10        216       64        2
28    1120      320       10        224       64        2
29    1160      320       10        232       64        2
30    1200      320       10        240       64        2
31    1240      320       10        248       64        2
32    1280      320       10        256       64        2
Circuit Emulation Services over Packet Switched Network (CESoPSN) over UDP
Circuit Emulation Services over Packet Switched Network (CESoPSN) provides the infrastructure for
the emulation of TDM circuits, such as unstructured and structured T1/E1, over a Packet Switched
Network (PSN). The existing Pseudowire Emulation over Packet (PWE) solution on the Cisco 7600
series router supports only MPLS as the transport for circuit emulation. Circuit Emulation
Services over Packet Switched Network over User Datagram Protocol (CESoUDP) extends this support
by adding UDP over Internet Protocol (IP) as a transport mechanism for circuit emulation over PSN.
Restrictions and Usage Guidelines
• CESoUDP supports all the existing modes of HA (RPR and SSO).
• CESoUDP is supported on 24-Port Channelized T1/E1 ATM CEoP SPA, 2-Port Channelized T3/E3
ATM CEoP SPA, and 1-Port Channelized OC-3 STM1 ATM CEoP SPA.
• CESoPSN on the Cisco 7600 series router is supported only with a SIP400 on the CE-facing side.
Both the decapsulation and the encapsulation are done by the CE-facing line card.
• The Cisco 7600 series router supports up to 8192 CESoUDP pseudowires. However, a SIP400
supports a maximum of only 2304 pseudowires.
• Because the CLI on the RP is used to install the Access Control List (ACL) entry, ACL
programming is decoupled from the L2VPN control plane update. As a result, when a pseudowire
circuit goes down, the ACL is still present. Any traffic coming in from the core that matches
the ACL is redirected to the egress line card, where it is dropped because the disposition
table has no appropriate entries.
• Pseudowire redundancy is not supported.
• Fragmentation of IP packets is not supported. The DF bit is set when the IP header is inserted.
• Path MTU is not supported.
• Differential synchronization mode is not supported.
• The supported pseudowire payload size ranges from 40 to 1312 bytes.
• The Time To Live (TTL) value in the IP header is configurable under the pseudowire class. The
default value is 255.
• Only the basic CESoPSN over UDP/IP encapsulation without the optional Real-Time Protocol
(RTP) header is supported.
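The frame layout in Figure 9-1 and the limits listed above can be checked against captured pseudowire traffic. The following Python code is an added example, not Cisco code: it decodes the 4-byte CE control word of a basic (no RTP) CESoPSN packet, checks the payload against the 40 to 1312 byte range, and reports gaps in the sequence numbers. The control-word bit positions are taken from RFC 5086 (this guide does not list them), and the function names and the sample packet are constructed for illustration.

```python
import struct

# Payload range for CESoUDP pseudowires, from the restrictions list above.
MIN_PAYLOAD, MAX_PAYLOAD = 40, 1312


def parse_cesopsn(udp_payload, timeslots):
    """Decode a basic (no RTP header) CESoPSN packet carried in a UDP datagram.

    timeslots is the number of DS0s in the cem-group (N in Figure 9-1).
    Control-word bit positions follow RFC 5086; the guide does not give them.
    """
    if len(udp_payload) < 4:
        raise ValueError("shorter than the 4-byte CE control word")
    (cw,) = struct.unpack("!I", udp_payload[:4])
    tdm = udp_payload[4:]
    pkt = {
        "L": (cw >> 27) & 1,       # local TDM failure
        "R": (cw >> 26) & 1,       # remote loss-of-packets indication
        "M": (cw >> 24) & 0x3,     # modifier for the L bit
        "FRG": (cw >> 22) & 0x3,   # fragmentation of signaling structures
        "LEN": (cw >> 16) & 0x3F,  # packet length if below 64 bytes, else 0
        "seq": cw & 0xFFFF,
        "problems": [],
    }
    if cw >> 28:
        pkt["problems"].append("first four bits of the control word are not zero")
    if pkt["LEN"] and pkt["LEN"] != len(udp_payload):
        pkt["problems"].append(f"LEN field {pkt['LEN']} != actual size {len(udp_payload)}")
    # With L set the sender may omit the TDM data, so an empty payload is legal.
    if not (pkt["L"] and not tdm):
        if not MIN_PAYLOAD <= len(tdm) <= MAX_PAYLOAD:
            pkt["problems"].append(
                f"payload of {len(tdm)} bytes outside {MIN_PAYLOAD}-{MAX_PAYLOAD}")
        if len(tdm) % timeslots:
            pkt["problems"].append(
                f"payload is not a whole number of {timeslots}-byte frames")
    whole = len(tdm) - len(tdm) % timeslots
    # Each frame holds one byte per timeslot (Frame#1 .. Frame#m in Figure 9-1).
    pkt["frames"] = [tdm[i:i + timeslots] for i in range(0, whole, timeslots)]
    return pkt


def sequence_gaps(seqs):
    """Return (previous, current, lost) for every jump in 16-bit sequence numbers.

    Numbers wrap from 65535 to 0. A duplicate or reordered packet shows up as
    a very large 'lost' value, which is itself worth investigating.
    """
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        lost = (cur - prev - 1) % 65536
        if lost:
            gaps.append((prev, cur, lost))
    return gaps


def build_sample(seq, frames=2, timeslots=24):
    """Constructed test packet: control word plus a counting-byte payload."""
    tdm = bytes(i % 256 for i in range(frames * timeslots))
    size = 4 + len(tdm)
    length_field = size if size < 64 else 0
    cw = (length_field << 16) | (seq & 0xFFFF)
    return struct.pack("!I", cw) + tdm


if __name__ == "__main__":
    pkt = parse_cesopsn(build_sample(7), timeslots=24)
    print(pkt["seq"], pkt["LEN"], len(pkt["frames"]), pkt["problems"])
    print(sequence_gaps([65534, 65535, 0, 1, 4]))
```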
Configuring CESoPSN with UDP Encapsulation
Complete the following steps to configure CESoPSN with UDP encapsulation on the Cisco 7600 series
router.
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 interface loopback interface-number
Step 4 ip address ip-address mask [secondary]
Step 5 mls cemoudp reserve slot
Step 6 pseudowire-class pseudowire-class-name
Step 7 encapsulation udp
Step 8 ip local interface loopback interface-number
Step 9 ip tos value value number
Step 10 ip ttl number
Step 11 exit
Step 12 controller {e1|t1} slot/subslot/port
Step 13 clock source {internal | line | loop}
Step 14 cem-group number timeslots number
Step 15 exit
Step 16 interface cem slot/subslot/port
Step 17 cem group-number
Step 18 xconnect peer-router-id vcid {pseudowire-class name}
Step 19 udp port local remote
Step 20 exit
DETAILED STEPS
Step 1   Command: enable
         Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2   Command: configure terminal
         Purpose: Enters global configuration mode.
Step 3   Command: interface loopback interface-number
         Purpose: Creates a loopback interface and enters interface configuration mode:
         interface-number: An arbitrary value from 0 to 2,147,483,647 that uniquely identifies
         this loopback interface.
Step 4   Command: ip address ip-address mask [secondary]
         Purpose: Specifies the IP address and subnet mask for this loopback interface.
Step 5   Command: mls cemoudp reserve slot
         Purpose: Reserves a loopback interface to be used as the source for the CESoPSN circuit
         for a particular line card. The slot number refers to the module number of the line
         card where the CEoP SPA resides.
Step 6   Command: pseudowire-class pseudowire-class-name
         Purpose: Creates a new pseudowire class.
Step 7   Command: encapsulation udp
         Purpose: Specifies the UDP transport protocol.
Step 8   Command: ip local interface loopback interface-number
         Purpose: Configures the IP address of the provider edge (PE) router interface as the
         source IP address for sending tunneled packets.
Step 9   Command: ip tos value value number
         Purpose: Specifies the type of service (ToS) level for IP traffic in the pseudowire.
Step 10  Command: ip ttl number
         Purpose: Specifies a value for the time-to-live (TTL) byte in the IP headers of
         Layer 2 tunneled packets.
Step 11  Command: exit
         Purpose: Exits pseudowire-class configuration mode.
Step 12  Command: controller {e1|t1} slot/subslot/port
         Purpose: Enters E1/T1 controller configuration mode.
Step 13  Command: clock source {internal | line | loop}
         Purpose: Sets the clock source on the interface to:
         • Internal: The system clock selection process does not select clock source as the
           interface but it uses the system clock for TX.
         • Line: The system clock selection process selects the clock source line as the
           interface and uses the system clock for TX.
         • Loop: The system clock selection process selects the clock source line as the
           interface. For TX clock the interface uses the clock source received on the same
           interface.
         Note By default, the clock source on the interface is set to internal.
Step 14  Command: cem-group number timeslots number
         Purpose: Assigns channels on the T1/E1 circuit to the circuit emulation (CEM) channel.
         This example uses the timeslots parameter to assign specific timeslots to the CEM
         channel.
Step 15  Command: exit
         Purpose: Exits controller configuration.
Step 16  Command: interface cem slot/subslot/port
         Purpose: Selects the CEM interface where the CEM circuit (group) is located (where
         slot/subslot is the SPA slot and subslot and port is the SPA port where the interface
         exists).
Step 17  Command: cem group-number
         Purpose: Defines a CEM channel.
Step 18  Command: xconnect peer-router-id vcid {pseudowire-class name}
         Purpose: Binds an attachment circuit to the CEM interface to create a pseudowire. This
         example creates a pseudowire by binding the CEM circuit 5 to the remote peer
         30.30.30.2.
         Note When creating IP routes for a pseudowire configuration, we recommend that you
         build a route from the cross-connect address (LDP router-ID or loopback address) to the
         next hop IP address, such as ip route 30.30.30.2 255.255.255.255 1.2.3.4.
Step 19  Command: udp port local remote
         Purpose: Specifies a local and remote UDP port for the connection. Valid port values
         for CESoPSN pseudowires using UDP are from 49152 to 57343.
Step 20  Command: exit
         Purpose: Exits the CEM interface.
Configuration Examples
This is an example for configuring CESoPSN with UDP encapsulation on the Cisco 7600 series router:
Router> enable
Router# configure terminal
Router(config)# interface loopback 0
Router(config-if)# ip address 2.2.2.8 255.255.255.255
Router(config-if)# mls cemoudp reserve slot 2
Router(config)# pseudowire-class udpClass
Router(config-pw-class)# encapsulation udp
Router(config-pw-class)# ip local interface loopback 0
Router(config-pw-class)# ip tos value 100
Router(config-pw-class)# ip ttl 100
Router(config-pw-class)# exit
Router(config)# controller e1 2/0/0
Router(config-controller)# clock source internal
Router(config-controller)# cem-group 5 timeslots 1-24
Router(config-controller)# exit
Router(config)# interface cem 2/0/0
Router(config-if)# cem 5
Router(config-if-cem)# xconnect 30.30.30.2 305 pw-class udpClass
Router(config-if-cem)# udp port local 50000 remote 55000
Router(config-if-cem)# exit
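As an added example (not part of the Cisco guide), the following Python code audits a session or configuration like the one above against what this section documents: UDP ports within 49152 to 57343, a source loopback on the UDP pseudowire class, and a loopback reserved with mls cemoudp reserve slot for the line card that hosts the CEM interface. Treating a missing udp port line or a missing reservation as a finding is an assumption based on the procedure's steps, and the sample session is constructed from the guide's example with one wrong port.

```python
import re

# Valid UDP port range for CESoPSN pseudowires, as stated in Step 19 of the guide.
UDP_PORT_MIN, UDP_PORT_MAX = 49152, 57343

# Constructed sample: the guide's example session with one deliberate error
# (remote UDP port 5500 lies outside the documented range).
SAMPLE_SESSION = """\
Router(config)# interface loopback 0
Router(config-if)# ip address 2.2.2.8 255.255.255.255
Router(config-if)# mls cemoudp reserve slot 2
Router(config)# pseudowire-class udpClass
Router(config-pw-class)# encapsulation udp
Router(config-pw-class)# ip local interface loopback 0
Router(config-pw-class)# ip ttl 100
Router(config-pw-class)# exit
Router(config)# interface cem 2/0/0
Router(config-if)# cem 5
Router(config-if-cem)# xconnect 30.30.30.2 305 pw-class udpClass
Router(config-if-cem)# udp port local 50000 remote 5500
Router(config-if-cem)# exit
"""

PROMPT = re.compile(r"^\S+[>#]\s*")  # strips "Router(config-if)# " style prompts


def _m(pattern, line):
    return re.fullmatch(pattern, line, re.I)


def parse(text):
    """Return (loopbacks, pw_classes, circuits) found in a session or config."""
    loopbacks, classes, circuits = {}, {}, []
    mode, cur, cem_intf = None, None, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := _m(r"interface loopback\s*(\d+)", line):
            mode, cur = "lo", loopbacks.setdefault(int(m[1]), set())
        elif m := _m(r"pseudowire-class\s+(\S+)", line):
            mode, cur = "pw", classes.setdefault(m[1], {"encap": None, "loopback": None})
        elif m := _m(r"interface cem\s*(\d+/\d+/\d+)", line):
            mode, cur, cem_intf = "cem-if", None, m[1]
        elif mode in ("cem-if", "cem") and (m := _m(r"cem\s+(\d+)", line)):
            mode = "cem"
            cur = {"intf": cem_intf, "group": int(m[1]), "pw_class": None, "ports": None}
            circuits.append(cur)
        elif mode == "lo" and (m := _m(r"mls cemoudp reserve slot\s+(\d+)", line)):
            cur.add(int(m[1]))  # slots this loopback is reserved for
        elif mode == "pw" and (m := _m(r"encapsulation\s+(\S+)", line)):
            cur["encap"] = m[1].lower()
        elif mode == "pw" and (m := _m(r"ip local interface loopback\s*(\d+)", line)):
            cur["loopback"] = int(m[1])
        elif mode == "cem" and (m := _m(r"xconnect\s+\S+\s+\d+\s+pw-class\s+(\S+)", line)):
            cur["pw_class"] = m[1]  # keyword form used in the guide's example
        elif mode == "cem" and (m := _m(r"udp port local\s+(\d+)\s+remote\s+(\d+)", line)):
            cur["ports"] = (int(m[1]), int(m[2]))
        elif line.lower() == "exit":
            mode = "cem-if" if mode == "cem" else None
        elif re.match(r"(interface|controller)\b", line, re.I):
            mode, cur = None, None  # a mode this audit does not look at
    return loopbacks, classes, circuits


def audit(text):
    """Return a list of findings for CESoPSN-over-UDP circuits."""
    loopbacks, classes, circuits = parse(text)
    findings = []
    for c in circuits:
        where = f"cem {c['intf']} group {c['group']}"
        pw = classes.get(c["pw_class"])
        if pw is None or pw["encap"] != "udp":
            if c["ports"]:
                findings.append(f"{where}: udp port set but pw-class is not 'encapsulation udp'")
            continue  # MPLS pseudowires are outside this audit
        if c["ports"] is None:
            findings.append(f"{where}: no 'udp port local ... remote ...' configured")
        else:
            for side, port in zip(("local", "remote"), c["ports"]):
                if not UDP_PORT_MIN <= port <= UDP_PORT_MAX:
                    findings.append(
                        f"{where}: {side} UDP port {port} outside {UDP_PORT_MIN}-{UDP_PORT_MAX}")
        lb = pw["loopback"]
        slot = int(c["intf"].split("/")[0])
        if lb is None or lb not in loopbacks:
            findings.append(f"{where}: pw-class {c['pw_class']} has no defined source loopback")
        elif slot not in loopbacks[lb]:
            findings.append(
                f"{where}: loopback {lb} not reserved for slot {slot} (mls cemoudp reserve slot)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print(finding)
```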
Verifying the Configuration
This section provides the commands to verify the configuration of CESoPSN with UDP encapsulation
on the Cisco 7600 series router:
Router# show xcon all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac CE3/0/0:1(CESoPSN Basic) UP udp 66.66.66.66:180 UP
UP ac CE3/0/0:6(CESoPSN Basic) UP udp 66.66.66.66:181 UP
Router# show pw vc
Local intf Local circuit VC ID Status
-------------- -------------------------- ---------- --------
CE3/0/0 CESoPSN Basic 180 established
LAddr: 55.55.55.55 LPort: 50002
RAddr: 66.66.66.66 RPort: 50002
CE3/0/0 CESoPSN Basic 181 established
LAddr: 55.55.55.55 LPort: 50004
RAddr: 66.66.66.66 RPort: 50004
Troubleshooting the CESoPSN with UDP Encapsulation Configuration
Use these debug commands to troubleshoot CESoPSN with UDP encapsulation when the pseudowire is
down:
• debug pw-udp event: Provides details on all events occurring on the pseudowire UDP.
• debug pw-udp error: Provides debugging information on pseudowire UDP error.
• debug pw-udp fsm: Debugs the pseudowire UDP finite state machine (FSM).
Structure-Agnostic TDM over Packet (SAToP) mode
Structure-Agnostic TDM over Packet (SAToP) mode is used to encapsulate T1/E1 or T3/E3 unstructured
(unchannelized) services over packet switched networks. In unstructured (SAToP) mode, bytes are sent
out as they arrive on the TDM line. Bytes do not have to be aligned with any framing.
In this mode the interface is considered as a continuous framed bit stream. The packetization of the
stream is done according to IETF RFC 4553. All signaling is carried transparently as a part of a bit
stream.
Figure 9-2 Unstructured Mode Frame Format
[Figure: Encapsulation header; CE Control (4 bytes); RTP (optional, 12 bytes); CEoP payload
carrying bytes 1-N]
For SAToP frame format the following table shows the payload and jitter limits for the T1 lines.
Table 9-2 SAToP T1 Frame: Payload and Jitter Limits
Maximum   Maximum   Minimum   Minimum   Maximum   Minimum
Payload   Jitter    Jitter    Payload   Jitter    Jitter
960       320       10        192       64        2
For SAToP frame format the following table shows the payload and jitter limits for the E1 lines.
Table 9-3 SAToP E1 Frame: Payload and Jitter Limits
Maximum   Maximum   Minimum   Minimum   Maximum   Minimum
Payload   Jitter    Jitter    Payload   Jitter    Jitter
1280      320       10        256       64        2
Supported Features
This section provides a list of some of the primary features supported by the CEoP hardware and
software:
• Basic Features
• SONET/SDH Error, Alarm, and Performance Monitoring
• Layer 2 Features
• Layer 3 Features
• High Availability Features
Basic Features
• Circuit emulation compliant with IETF standards for CESoPSN and SAToP
• The 24-Port Channelized T1/E1 ATM CEoP SPA supports T1 or E1, which can be channelized to
DS0 for circuit emulation (CEM).
• The 2-Port Channelized T3/E3 ATM CEoP SPA is supported in Cisco IOS Release 12.2(33)SRC and
later releases.
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA supports VT1.5 SONET channelization, and
VC-11 and VC-12 SDH channelizations. ATM can be configured on T1s, while CEM can be
configured down to DS0.
• Maintenance Digital Link (MDL) and Far End Alarm Control (FEAC) features (T3/E3)
• Facility Data Link (FDL) support (T1/E1)
• Adaptive clock recovery compliant with G.823 and G.824 Traffic interface ITU specification
• Compliant with Y.1411 ATM-MPLS network interworking—cell mode user plane interworking
• Compliant with Y.1413 TDM-MPLS network interworking—user plane interworking
• Compliant with Y.1453 TDM-IP network interworking—user plane interworking
• ATM MPLS encapsulation IETF RFC and drafts
• ATM over channelized T1 lines
• Full channelization down to DS0 (CEM only)
• Simultaneous multiple interface support (for example, ATM and circuit emulation)
• Bellcore GR-253-CORE SONET/SDH compliance (ITU-T G.707, G.783, G.957, G.958)
• Supports both permanent virtual circuits (PVCs) and switched virtual circuits (SVCs)
• The absolute maximum for the sum of VPs and VCs is 2048 per CEoP SPA. Each interface can have
a maximum of 2047 VCs with the following recommended limitations:
– On a Cisco 7600 SIP-400, 8000 PVCs are supported on multipoint subinterfaces.
– A recommended maximum number of 2048 PVCs on all point-to-point subinterfaces for all
CEoP SPAs in a SIP.
– A recommended maximum number of 16,380 PVCs on all multipoint subinterfaces for all CEoP
SPAs in a SIP, and a recommended maximum number of 200 PVCs per each individual
multipoint subinterface.
– A recommended maximum number of 400 SVCs for all CEoP SPAs in a SIP.
– A recommended maximum number of 1024 PVCs or 400 SVCs using service policies for all
CEoP SPAs in a SIP.
• Up to 4096 simultaneous segmentations and reassemblies (SARs) per interface
• Supports a maximum number of 200 PVCs or SVCs using Link Fragmentation and Interleaving
(LFI) for all CEoP ATM SPAs (or other ATM modules) in a Cisco 7600 series router
• Up to 1000 maximum virtual templates per router
• ATM adaptation layer 5 (AAL5) for data traffic
• Hardware switching of multicast packets for point-to-point subinterfaces
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA uses small form-factor pluggable (SFP)
optical transceivers, allowing the same CEoP SPA hardware to support multimode (MM), short
reach (SR), intermediate reach (IR1), and long reach (LR1 and LR2) fiber, depending on the
capabilities of the SPA.
• ATM section, line, and path alarm indication signal (AIS) cells, including support for F4 and F5
flows, loopback, and remote defect indication (RDI)
• Operation, Administration, and Maintenance (OAM) cells
• Online insertion and removal (OIR) of individual CEoP SPAs from the SIP, as well as OIR of the
SIPs with CEoP SPAs installed
Cisco IOS Release 12.2SRC adds support for the following new features:
• 2-Port Channelized T3/E3 ATM CEoP SPA (supports clear-channel T3 ATM mode only)
• Inverse multiplexing over ATM (IMA)
• CEM local switching and local switching redundancy
• ATM cell packing (VC and VP modes) (both SCR and PCR) on 2-Port and 4-Port OC-3c/STM-1
ATM SPA on both SIP-200 and SIP-400, and for SCR on CEoP SPAs (24xT1/E1-CE, 2xT3/E3-CE
and 1xCHOC3-CE) on SIP-400.
• ATM local switching and local switching redundancy
In Cisco IOS Release 12.2(33)SRD support was added for PMCRoMPLS-single or packed-cell relay for
the 2-Port and 4-Port OC-3c/STM-1 ATM SPA on SIP-200 and SIP-400, and single cell relay for the
CEoP SPAs (24xT1/E1-CE, 2xT3/E3-CE, 1xCHOC3-CE) on the SIP400.
In Cisco IOS Release 12.2(33)SRE support was added for VP and VC mode on CEoP and 1-Port
OC-48c/STM-16 ATM SPA.
• Cisco IOS Release 15.0(1)S adds support for Network Clocking and Synchronization Status
Message (SSM) functionality for the CEoP SPAs in a Cisco 7600 SIP-400 only. The supported CEoP
SPAs are:
– SPA-1CHOC3-CE-ATM
– SPA-24CHT1-CE-ATM
For more information on configuring the network clock, see Configuring Boundary Clock for 2-Port
Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.
Beginning in Cisco IOS Release 12.2(33)SRE, support is added for:
• Modular QoS CLI (MQC) policy support existing on ATM VC is extended to the ATM PVP on
2-Port and 4-Port OC-3c/STM-1 ATM SPA and the following three models of CEoP SPA:
– SPA-24XT1E1-CE
– SPA-1XOC3-CE
– SPA-2XT3E3-CE
• ATM VCI (match atm-vci command)—Input ATM PVP Interface is added to the ATM VP.
SONET/SDH Error, Alarm, and Performance Monitoring
• To configure a variable soak period for the line, use delay alarm triggers line.
• To configure path alarm reporting, use the path msecs command.
• To configure clearing on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, use delay alarm clear
line/path msecs.
• Fiber removed and reinserted
• Signal failure bit error rate (SF-BER)
• Signal degrade bit error rate (SD-BER)
• Signal label payload construction (C2)
• Path trace byte (J1)
• Section Diagnostics:
– Loss of signal (SLOS)
– Loss of frame (SLOF)
– Error counts for B1
– Threshold crossing alarms (TCA) for B1 (B1-TCA)
• Line Diagnostics:
– Line alarm indication signal (LAIS)
– Line remote defect indication (LRDI)
– Line remote error indication (LREI)
– Error counts for B2
– Threshold crossing alarms for B2 (B2-TCA)
• Path Diagnostics:
– Path alarm indication signal (PAIS)
– Path remote defect indication (PRDI)
– Path remote error indication (PREI)
– Error counts for B3
– Threshold crossing alarms for B3 (B3-TCA)
– Loss of pointer (PLOP)
– New pointer events (NEWPTR)
– Positive stuffing event (PSE)
– Negative stuffing event (NSE)
• The following loopback tests are supported:
– Network (line) loopback
– Internal (diagnostic) loopback
• Supported SONET/SDH synchronization:
– Local (internal) timing (for inter-router connections over dark fiber or wave division
multiplexing [WDM] equipment)
– Loop (line) timing (for connecting to SONET/SDH equipment)
– +/– 4.6 ppm clock accuracy over full operating temperature
T1/E1 Errors and Alarms
The 24-Port Channelized T1/E1 ATM CEoP SPA reports the following types of T1/E1 errors and alarms:
• Cyclic redundancy check (CRC) errors
• Far end block error (FEBE)
• Alarm indication signal (AIS)
• Remote alarm indication (RAI)
• Loss of signal (LOS)
• Out of frame (OOF)
• Failed seconds
• Bursty seconds
• Bipolar violations
• Error events
• Failed signal rate
• Line and Path Diagnostics:
– Errored Second–Line (ES-L)
– Severely Errored Second–Line (SES-L)
– Coding violation–Line (CV-L)
– Failure Count–Path (FC-P)
– Errored Second–Path (ES-P)
– Severely Errored Second–Path (SES-P)
– Unavailable Seconds–Path (UAS-P)
T3/E3 Errors and Alarms
The 2-Port Channelized T3/E3 ATM CEoP SPA reports the following errors and alarms:
• AIS (Alarm Indication Signal)
• Far end bit error (FEBE)
• Far end receive failure (FERF)
• Frame error
• Out of frame (OOF)
• Path parity error
• Parity bit (P-bit) disagreements
• Receive Alarm Indication Signal (RAIS)
• Yellow alarm bit (X-bits) disagreements
Layer 2 Features
• Supports the following encapsulation types:
– AAL5SNAP (LLC/SNAP)
– LLC encapsulated bridged protocol
– AAL5MUX (VC multiplexing)
– AAL5CISCOPPP
• Supports the following ATM traffic classes and per-VC traffic shaping modes:
– Constant bit rate (CBR) with peak rate
– Unspecified bit rate (UBR) with peak cell rate (PCR)
– Non-real-time variable bit rate (VBR-nrt)
– Variable bit rate real-time (VBR-rt)
Note ATM shaping is supported, but class queue-based shaping is not.
• ATM point-to-point and multipoint connections
• Explicit Forward Congestion Indication (EFCI) bit in the ATM cell header
• Integrated Local Management Interface (ILMI) operation, including keepalive, PVC discovery, and
address registration and deregistration
• Link Fragmentation and Interleaving (LFI) performed in hardware
• VC–to–VC local switching and cell relay
• VP–to–VP local switching and cell relay
• AToM VP Mode Cell Relay support
• RFC 1755, ATM Signaling Support for IP over ATM
• ATM User-Network Interface (UNI) signalling V3.0, V3.1, and V4.0 only
• RFC 2225, Classical IP and ARP over ATM (obsoletes RFC 1577)
• Unspecified bit rate plus (UBR+) traffic service class on SVCs and PVCs
Layer 3 Features
• ATM VC Access Trunk Emulation (multi-VLAN to VC)
• ATM over MPLS (AToM) in AAL5 mode (except for AToM cell packing)
• ATM over MPLS (AToM) in AAL5/AAL0 VC mode
• Distributed Link Fragmentation and Interleaving (dLFI) for ATM (dLFI packet counters are
supported, but dLFI byte counters are not supported)
• 2047 is the maximum number of VCs per interface (assuming no VPs). Each AToM L2transport
PVP reduces the total number of VCs by 3 per CEoP SPA.
• OAM flow connectivity using OAM ping for segment or end-to-end loopback
• Multicast SVCs are supported if there is only one VC on the subinterface
• PVC multicast (Protocol Independent Multicast [PIM] dense and sparse modes)
• Quality of Service (QoS):
– Policing
– IP-to-ATM class of service (IP precedence and DSCP)
– ATM CLP bits matching for ingress and set ATM CLP bits for egress through MQC for PVC
• RFC 1483, Multiprotocol Encapsulation over ATM Adaptation Layer 5:
– PVC bridging (full-bridging)
• Routing protocols:
– Border Gateway Protocol (BGP)
– Enhanced Interior Gateway Routing Protocol (EIGRP)
– Interior Gateway Routing Protocol (IGRP)
– Integrated Intermediate System-to-Intermediate System (IS-IS)
– Open Shortest Path First (OSPF)
– Routing Information Protocol version 1 and version 2 (RIPv1 and RIPv2)
High Availability Features
• 1+1 Automatic Protection Switching (APS) redundancy (PVC circuits only)
• Route Processor Redundancy (RPR)
• RPR Plus (RPR+)
• OSPF Nonstop Forwarding (NSF)
Cisco IOS Release 12.2SRC adds support for the following high-availability feature:
• NonStop Forwarding and Stateful switchover (NSF/SSO) support for CEM and ATM pseudowires
Unsupported Features
• MLPPP and MLFR are not supported
• Primary surge protection for the 24-Port Channelized T1/E1 ATM CEoP SPA
• The following High Availability features are not supported:
– APS 1:N redundancy is not supported.
– APS redundancy is not supported on SVCs.
– APS reflector mode (aps reflector interface configuration command) is not supported.
• PVC autoprovisioning (create on-demand VC class configuration command) is not supported.
• Creating SVCs with UNI signalling version 4.1 is not supported (UNI signalling v 3.0, v 3.1, and
v 4.0 are supported).
• Enhanced Remote Defect Indication–Path (ERDI-P) is not supported.
• Fast Re-Route (FRR) over ATM is not supported.
• LAN Emulation (LANE) is not supported.
• Available Bit Rate (ABR) traffic service class is not supported.
• Oversubscription of the Cisco 7600 SIP-400 is not supported (in either CEM or ATM mode).
Prerequisites
• The Cisco 7600 SIP-400 requires a Cisco 7600 series router using either of the following processors
running the Cisco IOS Release 12.2(33)SRB or a later release:
– Supervisor Engine 720 (SUP-720) processor, or
– Route Switch Processor 720 (RSP720-GE and RSP720-10GE), or
– Supervisor Engine 32 (SUP-32) processor
Note Before configuring the CEoP SPA, have the following information available:
IP addresses for all ports on the new interfaces, including subinterfaces.
Restrictions
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP
SPA do not support mixed line modes (for example, T1 or E1, or T3). A reset of the SPA is required
to change modes.
• The 1-Port Channelized OC-3 STM1 ATM CEoP SPA, the 2-Port Channelized T3/E3 ATM CEoP
SPA, and the 24-Port Channelized T1/E1 ATM CEoP SPA do not support the following features:
BRE, LFI, RBE, or bridging.
• The 2-Port Channelized T3/E3 ATM CEoP SPA can receive data over distances of up to 1350 ft
(411.5 meters).
• When a pseudowire is configured on an interface, APS for the interface is useful only in conjunction
with pseudowire redundancy.
• VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell
Relay.
Supported MIBs
The following MIBs are supported in Cisco IOS Release 12.2(33)SRB and later releases for the CEoP
SPAs on the Cisco 7600 series router.
Common MIBs
• ENTITY-MIB
• IF-MIB
• MIB-II
• MPLS-CEM-MIB
Cisco-Specific MPLS MIBs
• CISCO-IETF-PW-MIB
• CISCO-IETF-PW-MPLS-MIB
Cisco-Specific Common MIBs
• CISCO-ENTITY-EXT-MIB
• OLD-CISCO-CHASSIS-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-SENSOR-MIB
• CISCO-MQC-MIB
For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series
Internet Router MIB Specifications Guide at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/technical_references/7600_mib_guides/MIB_Guide_ver_6/7600mib2.html
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost
your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will
verify that your e-mail address is registered with Cisco.com. If the check is successful, account details
with a new random password will be e-mailed to you.
Displaying the SPA Hardware Type
To verify the SPA hardware type that is installed in your Cisco 7600 series router, use the show
interfaces or show diag commands. A number of other show commands also provide information about
the SPA hardware.
Table 9-4 shows the hardware description that appears in the show command output for each type of
CEoP SPA that is supported on the Cisco 7600 series router:
Table 9-4 CEoP SPA Hardware Descriptions in show Commands
SPA                  Description in show interfaces Command
SPA-24CHT1-CE-ATM    “Hardware is SPA-24CHT1-CE-ATM”
SPA-1CHOC3-CE-ATM    “Hardware is SPA-1CHOC3-CE-ATM”
SPA-2CHT3-CE-ATM     “Hardware is SPA-2CHT3-CE-ATM”
Example of the show interfaces cem Command
The following example shows output from the show interfaces cem command on a Cisco 7600 series
router with a CEoP SPA installed in the first subslot of a SIP that is installed in slot 2:
Router# show interfaces cem 2/1/3
CEM2/1/3 is up, line protocol is up
Hardware is Circuit Emulation Interface
MTU 1500 bytes, BW 10000000 Kbit, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation CEM, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
CHAPTER 10
Configuring the CEoP and Channelized ATM SPAs
This chapter provides information about configuring the Circuit Emulation over Packet (CEoP) shared
port adapters (SPAs) on the Cisco 7600 series router. It contains the following sections:
• Configuration Tasks
• Configuring Circuit Emulation
• Configuring ATM
• Configuring Pseudowire Redundancy (Optional)
• Configuring T1
• Configuring E1
• Configuring T3
• Configuring SONET (OC-3)
• Configuring Inverse Multiplexing over ATM
• Configuring Clocking
• Configuring CEM Parameters
• Configuring Access Circuit Redundancy on CEoP and ATM SPAs
• Configuring Layer 3 QoS on CEoP SPAs
• Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode on CEoP SPAs
• Verifying the Interface Configuration
For information about managing your system images and configuration files, see the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications for your Cisco IOS software release.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes the most common configurations for the CEoP SPAs on a Cisco 7600 series
router. It contains procedures for the following:
• Specifying the Interface Address on a SPA
• Configuring Port Usage (Overview)
Specifying the Interface Address on a SPA
Four CEoP SPAs can be installed in a SPA interface processor (SIP). Ports are numbered from left to right,
beginning with 0. Single-port SPAs use only the port number 0. To configure or monitor SPA interfaces,
you need to specify the physical location of the SIP, SPA, and interface in the command-line-interface
(CLI). The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed
• subslot—Specifies the secondary slot of the SIP where the SPA is installed
• port—Specifies the number of the individual interface port on a SPA
The following example shows how to specify the first interface (0) on a SPA installed in subslot 1 of the
SIP in chassis slot 3:
Router(config)# interface cem 3/1/0
For more information about how to identify slots and subslots, see the “Identifying Slots and Subslots
for SIPs, SSCs, and SPAs” section on page 4-2.
Configuring Port Usage (Overview)
The 24-Port Channelized T1/E1 ATM CEoP SPA and 1-Port Channelized OC-3 STM1 ATM CEoP SPA
can be configured to run in the following modes:
• Circuit emulation (CEM)
• Channelized Asynchronous Transfer Mode (ATM)
• Inverse Multiplexing over ATM (IMA)
The 2-Port Channelized T3/E3 ATM CEoP SPA, introduced in Cisco IOS Release 12.2(33)SRC, can be
configured to run in ATM mode. The SPA does not currently support CEM or IMA mode.
The following tables show the commands to configure each of the SPAs for CEM or ATM.
Detailed configuration instructions are provided in the sections that follow.
Configuring the 24-Port Channelized T1/E1 ATM CEoP SPA
To configure the 24-Port Channelized T1/E1 ATM CEoP SPA, perform the following steps:
Command or Action Purpose
Step 1 Router(config)# card type {t1 | e1} slot subslot
    Selects a card type.
Step 2 Router(config)# controller {t1 | e1} slot/subslot/port
    Selects the controller for the SPA port to configure.
Step 3 Router(config-controller)# cem-group group unframed
    Creates a SAToP CEM group and configures the port for clear-channel CEM mode.
  Router(config-controller)# cem-group group timeslots 1-24
    Creates a CESoPSN CEM group and configures the port for channelized CEM mode.
  Router(config-controller)# atm
    Configures the port for ATM and creates an ATM interface.
  Router(config-controller)# ima-group group-number
    Configures the interface to run in IMA mode, and assigns the interface to an IMA group.
Configuring the 2-Port Channelized T3/E3 ATM CEoP SPA
To configure the 2-Port Channelized T3/E3 ATM CEoP SPA, complete these steps:
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 card type {t3 | e3} slot subslot
Step 4 controller {t3 | e3} slot/subslot/port
Step 5 channelized mode {t1 | e1}
Step 6 cem-group group unframed
or
{t1} 1-28 cem-group group timeslots 1-24
{e1} 1-21 cem-group group timeslots 1-31
or
atm
or
{t1} 1-28 ima-group group-number
{e1} 1-21 ima-group group-number
Step 7 exit
DETAILED STEPS
Command or Action Purpose
Step 4 Router# enable
    Enables privileged EXEC mode.
Step 5 Router# configure terminal
    Enters global configuration mode.
Step 6 Router(config)# card type {t3 | e3} slot subslot
    Selects a card type.
  or
  Router(config)# [no] card type {t3 | e3} slot subslot
    Use the no form of the command to remove the card type.
Step 7 Router(config)# controller {t3 | e3} slot/subslot/port
    Selects the controller for the SPA port to configure.
    Note Effective from Cisco IOS Release 15.1(1)S, T3 and E3 card types are supported.
Step 8 Router(config-controller)# channelized mode {t1 | e1}
    Swaps between the CT3-T1 and CT3-E1 modes. This is applicable only if the card type is T3.
Step 9 Router(config-controller)# cem-group group unframed
    Creates a SAToP CEM group and configures the port for clear-channel CEM mode.
  or
  Router(config-controller)# [no] cem-group group unframed
    To delete the CEM circuit and release the time slots, use the no cem-group group-number command.
  Router(config-controller)# {t1} 1-28 cem-group group timeslots 1-24
  Router(config-controller)# {e1} 1-21 cem-group group timeslots 1-31
    Creates a CESoPSN CEM group and configures the port for channelized CEM mode.
    Group number range is from 0 to 671.
  Router(config-controller)# atm
    Configures the port to run in clear-channel ATM mode and creates an ATM interface to represent the port.
  or
  Router(config-controller)# [no] atm
    Use the no form of the command to remove the link from the ATM.
  Router(config-controller)# {t1} 1-28 ima-group group-number
  Router(config-controller)# {e1} 1-21 ima-group group-number
    Configures the interface to run in IMA mode, and assigns the interface to an IMA group.
    Group number range is from 0 to 41.
  or
  Router(config-controller)# [no] {t1} 1-28 ima-group group-number
  Router(config-controller)# [no] {e1} 1-21 ima-group group-number
    Use the no form of the command to remove the link from the IMA group.
Step 10 Router(config-if)# exit
    Exits interface configuration mode and returns to privileged EXEC mode.
Note See “Configuring T3” section on page 10-25 for information about the features that are not supported on
the CEoP SPA in Cisco IOS Release 12.2SRC.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines when configuring the 2-Port Channelized T3/E3 CEoP SPA:
• CEoP SPAs do not support Layer 3 QoS.
• Bridging features such as bridging routed encapsulations (BRE), multipoint bridging (MPB), routed
bridge encapsulation (RBE), and multi VLAN are not supported on CEoP.
• E3 Channelization to E1 is not supported.
• Maintenance Digital Link (MDL) is supported only for DSX3-C bit framing.
• CEoP SPAs simultaneously support multiple interface types.
• Adaptive clock recovery is supported on 2-Port Channelized T3/E3 CEoP SPA.
• Out-of-Band (OOB) clock recovery for CEM is not supported.
• E3 or T3 ATM is not supported.
Sample Configuration for 2-Port Channelized T3/E3 CEoP SPA on Clear channel T3
Configure SPA in a T3 mode
Router(config)# card type T3 5 0
Router(config)# controller T3 5/0/0
Create a T3 ATM interface
Router(config-controller)# atm
Create CEM group
Router(config-controller)# cem-group 0 unframed
Sample Configuration for 2-Port Channelized T3/E3 CEoP SPA on Clear channel E3 mode
Configure SPA in an E3 mode
Router(config)# card type E3 5 0
Router(config)# controller E3 5/0/0
Create an E3 ATM interface
Router(config-controller)# atm
Create CEM group
Router(config-controller)# cem-group 0 unframed
Sample Configuration for 2-Port Channelized T3/E3 CEoP SPA on CT3-T1 Channelization mode
Configure SPA in a T3 mode
Router(config)# card type T3 5 0
Router(config)# controller T3 5/0/0
Create a T3 ATM interface
Router(config-controller)# t1 1 atm
Create an NxDS0 T1 CEM group
Router(config-controller)# t1 2 cem-group 0 timeslots 1-12
Create two IMA groups (1 with two T1 members)
Router(config-controller)# t1 3 ima-group 5
Router(config-controller)# t1 4 ima-group 5
Sample Configuration for 2-Port Channelized T3/E3 CEoP SPA on CT3-E1 Channelization mode
Configure SPA in a T3 mode
Router(config)# card type T3 5 0
Router(config)# controller T3 5/0/0
Changing channelization to E1
Router(config)# controller T3 5/0/0
Router(config-controller)# channelized mode e1
Create an E1 ATM interface
Router(config-controller)# e1 1 atm
Create a NxDS0 E1 CEM group
Router(config-controller)# e1 2 cem-group 0 timeslots 1-12
Create two IMA groups (1 with two E1 members)
Router(config-controller)# e1 3 ima-group 5
Router(config-controller)# e1 4 ima-group 5
Verifying 2-Port Channelized T3/E3 CEoP SPA configuration
Router# show controller t3 2/1/0
T3 2/1/0 is up.
Hardware is SPA-2CHT3-CE-ATM
Applique type is Clearchannel T3 ATM
No alarms detected.
Framing is M23, Line Code is B3ZS, Cablelength is 224
Clock Source is internal
Equipment customer loopback
Data in current interval (827 seconds elapsed):
0 Line Code Violations, 7 P-bit Coding Violation
0 C-bit Coding Violation, 2 P-bit Err Secs
0 P-bit Severely Err Secs, 3 Severely Err Framing Secs
17 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 2 Far-end path failures
0 Far-end code violations, 10 FERF Defect Secs
0 AIS Defect Secs, 4 LOS Defect Secs
Router# show ip interface br
ATM2/1/0 unassigned YES unset up up
ATM2/1/1/1 unassigned YES unset up up
ATM2/1/ima0 unassigned YES unset up up
Router# show interface atm2/1/0
ATM2/1/0 is up, line protocol is up
Hardware is SPA-2CHT3-CE-ATM, address is 000c.862c.4d40 (bia 000c.862c.4d40)
MTU 4470 bytes, sub MTU 4470, BW 44209 Kbit/sec, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5 AAL0
2047 maximum active VCs, 0 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
1 carrier transitions
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router# show interface ATM2/1/0
ATM2/1/0 is up, line protocol is up
Hardware is SPA-2CHT3-CE-ATM, address is 000c.862c.4d40 (bia 000c.862c.4d40)
MTU 4470 bytes, sub MTU 4470, BW 44209 Kbit/sec, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5 AAL0
2047 maximum active VCs, 0 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
1 carrier transitions
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router# show atm int atm2/1/0
Interface ATM2/1/0:
AAL enabled: AAL5, AAL0, Maximum VCs: 2047, Current VCCs: 0
Max. Datagram Size: 4528
PLIM Type: DS3 - 45000Kbps, Framing is C-bit ADM,
DS3 lbo: short, TX clocking: LINE
Cell-payload scrambling: OFF
0 input, 0 output, 0 IN fast, 0 OUT fast
Avail bw = 44209
Config. is ACTIVE
Router# show atm pvc
VCD / Peak Av/Min Burst
Interface Name VPI VCI Type Encaps SC Kbps Kbps Cells St
2/1/0 1 1 33 PVC SNAP UBR 44209 UP
Router# show interface atm2/1/ima0
ATM2/1/ima0 is up, line protocol is up
Hardware is ATM IMA, address is 000c.862c.4d40 (bia 000c.862c.4d40)
MTU 4470 bytes, sub MTU 4470, BW 1523 Kbit/sec, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s): AAL5 AAL0
2047 maximum active VCs, 0 current VCCs
VC Auto Creation Disabled.
VC idle disconnect time: 300 seconds
7 carrier transitions
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Router#show ima int atm2/1/ima0
ATM2/1/ima0 is up, ACTIVATION COMPLETE
Slot 2 Slot Unit 65 unit 256, CTRL VC 256, Vir -1, VC 4097
IMA Configured BW 1523, Active BW 1523
IMA version 1.1, Frame length 128
Link Test: Disabled
Auto-Restart: Disabled
ImaGroupState: NearEnd = operational, FarEnd = operational
ImaGroupFailureStatus = noFailure
IMA Group Current Configuration:
ImaGroupMinNumTxLinks = 1 ImaGroupMinNumRxLinks = 1
ImaGroupDiffDelayMax = 25 ImaGroupNeTxClkMode = common(ctc)
ImaGroupFrameLength = 128 ImaTestProcStatus = disabled
ImaGroupTestLink = None ImaGroupTestPattern = 0x0
ImaGroupConfLink = 1 ImaGroupActiveLink = 1
IMA Link Information:
ID Link Link State - Ctlr/Chan/Prot Test Status
---- -------------- ------------------------------ ---------------
0 T3 2/1/1 T1 2 Up Up Up Up disabled
Router# show cem cir 100
CEM2/2/0, ID: 100, Line: UP, Admin: UP, Ckt: ACTIVE
Controller state: up, T1/E1 state: up
Idle Pattern: 0xFF, Idle CAS: 0x8
Dejitter: 8 (In use: 4)
Payload Size: 32
Framing: Framed (DS0 channels: 5)
CEM Defects Set
None
Signalling: No CAS
RTP: No RTP
Ingress Pkts: 2500 Dropped: 0
Egress Pkts: 2500 Dropped: 0
CEM Counter Details
Input Errors: 0 Output Errors: 0
Pkts Missing: 0 Pkts Reordered: 0
Misorder Drops: 0 JitterBuf Underrun: 0
Error Sec: 0 Severly Errored Sec: 0
Unavailable Sec: 0 Failure Counts: 0
Pkts Malformed: 0 JitterBuf Overrun: 0
Router# show cem cir detail | b 100
CEM2/2/0, ID: 100, Line: UP, Admin: UP, Ckt: ACTIVE
Controller state: up, T1/E1 state: up
Idle Pattern: 0xFF, Idle CAS: 0x8
Dejitter: 8 (In use: 4)
Payload Size: 32
Framing: Framed (DS0 channels: 5)
CEM Defects Set
None
Signalling: No CAS
RTP: No RTP
Ingress Pkts: 15000 Dropped: 0
Egress Pkts: 15000 Dropped: 0
CEM Counter Details
Input Errors: 0 Output Errors: 0
Pkts Missing: 0 Pkts Reordered: 0
Misorder Drops: 0 JitterBuf Underrun: 0
Error Sec: 0 Severly Errored Sec: 0
Unavailable Sec: 0 Failure Counts: 0
Pkts Malformed: 0 JitterBuf Overrun: 0
Router# show cem circuit interface CEM2/2/0 100
CEM2/2/0, ID: 100, Line: UP, Admin: UP, Ckt: ACTIVE
Controller state: up, T1/E1 state: up
Idle Pattern: 0xFF, Idle CAS: 0x8
Dejitter: 8 (In use: 4)
Payload Size: 32
Framing: Framed (DS0 channels: 5)
CEM Defects Set
None
Signalling: No CAS
RTP: No RTP
Ingress Pkts: 27500 Dropped: 0
Egress Pkts: 27500 Dropped: 0
CEM Counter Details
Input Errors: 0 Output Errors: 0
Pkts Missing: 0 Pkts Reordered: 0
Misorder Drops: 0 JitterBuf Underrun: 0
Error Sec: 0 Severly Errored Sec: 0
Unavailable Sec: 0 Failure Counts: 0
Pkts Malformed: 0 JitterBuf Overrun: 0
Router# show cem circuit summary
CEM Int. Total Active Inactive
--------------------------------------
CEM2/0/0 13 13 0
CEM2/1/0 7 7 0
CEM2/2/0 576 576 0
Router# show cem circuit
CEM Int. ID Ctrlr Admin Circuit AC
--------------------------------------------------------------
CEM2/0/0 0 UP UP Active UP
CEM2/0/0 1 UP UP Active UP
CEM2/0/0 2 UP UP Active UP
CEM2/0/0 3 UP UP Active UP
CEM2/0/0 4 UP UP Active UP
CEM2/0/0 5 UP UP Active UP
CEM2/0/0 6 UP UP Active UP
CEM2/0/0 7 UP UP Active UP
CEM2/0/0 8 UP UP Active UP
CEM2/0/0 9 UP UP Active UP
CEM2/0/0 21 UP UP Active UP
CEM2/0/0 22 UP UP Active UP
CEM2/0/0 23 UP UP Active UP
Router# show class cem TDM-class-B
Class: TDM-class-B
Dejitter: 320, Payload Size: 40
Router# show class cem all
Class: TDM-class-A
Dejitter: 10, Payload Size: 40
Class: TDM-class-B
Dejitter: 320, Payload Size: 40
Router# show class cem detail
*Oct 26 05:43:12.846 IST: %SYS-5-CONFIG_I: Configured from console by console
-Traceback= 4084BB0Cz 40856A84z 41CAF9ACz 41CAF990z
Class: TDM-class-A
Dejitter: 10, Payload Size: 40
Circuits inheriting this Class:
None
Interfaces inheriting this Class:
None
Class: TDM-class-B
Dejitter: 320, Payload Size: 40
Circuits inheriting this Class:
CEM2/2/0: Circuit 100
CEM2/2/0: Circuit 50
Interfaces inheriting this Class:
None
Note See the “Configuring T3” section on page 10-25 for information about the features that are not supported
on the SPA in Cisco IOS Release 12.2SRC.
Configuring the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SONET VT1.5
To configure the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SONET VT 1.5, perform the
following steps:
Command or Action Purpose
Step 1 Router(config)# controller sonet 5/1/0
    Selects the controller to configure.
Step 2 Router(config-controller)# framing sonet
    Specifies SONET framing.
Step 3 Router(config-controller)# sts-1 2
    Specifies the STS identifier.
Step 4 Router(config-ctrlr-sts1)# mode vt-15
    Specifies VT-15 as the STS-1 mode of operation.
Step 5 Router(config-ctrlr-sts1)# vtg 3 t1 2 atm
    Creates a T1 (VT1.5) ATM interface.
  or
  Router(config-ctrlr-sts1)# vtg 1 t1 1 ima-group group-number
    Configures the interface to run in IMA mode and assigns the interface to an IMA group.
  or
  Router(config-ctrlr-sts1)# vtg 2 t1 1 cem-group 1 unframed
    Creates a single SAToP CEM group.
  or
  Router(config-ctrlr-sts1)# vtg 2 t1 4 cem-group 2 timeslots 1-5,14
    Creates a CESoPSN CEM group.
Configuring the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-4 C-12
To configure the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-4 C-12, perform the
following steps:
Command or Action Purpose
Step 1 Router(config)# controller sonet 5/1/0
    Selects the controller to configure.
Step 2 Router(config-controller)# framing sdh
    Specifies SDH as the framing mode.
Step 3 Router(config-controller)# aug mapping au-4
    Specifies AUG mapping.
Step 4 Router(config-controller)# au-4 1 tug-3 2
    Selects the AU-4, TUG-3 to configure.
Step 5 Router(config-ctrlr-tug3)# mode c-12
    Specifies the channelization mode for the TUG-3.
Step 6 Router(config-ctrlr-tug3)# tug-2 7 e1 3 atm
    Creates an ATM interface.
  Router(config-ctrlr-tug3)# tug-2 1 e1 1 ima-group group-number
    Configures the interface to run in IMA mode and assigns the interface to an IMA group.
  Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 unframed
    Creates a SAToP CEM group.
  Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 timeslots 1-31
    Creates a CESoPSN CEM group.
Configuring the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-3 C-11
To configure the 1-Port Channelized OC-3 STM1 ATM CEoP SPA for SDH AU-3 C-11, perform the
following steps:
Command or Action Purpose
Step 1 Router(config)# controller sonet 5/1/0
    Selects the controller to configure.
Step 2 Router(config-controller)# framing sdh
    Specifies the framing mode.
Step 3 Router(config-controller)# aug mapping au-3
    Specifies AUG mapping.
Step 4 Router(config-controller)# au-3 3
    Selects the AU-3 to configure.
Step 5 Router(config-ctrlr-au3)# mode c-11
    Specifies the channelization mode for the link.
Step 6 Router(config-ctrlr-au3)# tug-2 7 t1 4 atm
    Creates an ATM interface.
  Router(config-ctrlr-tug3)# tug-2 1 e1 1 ima-group group-number
    Configures the interface to run in IMA mode and assigns the interface to an IMA group.
  Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 1 unframed
    Creates a SAToP CEM group.
  Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 2015 timeslots 1-12
    Creates a CESoPSN CEM group.
Configuring Circuit Emulation
This section provides information about how to configure circuit emulation on a CEoP SPA. Circuit
emulation provides a bridge between a time division multiplexed (TDM) network and a packet network
(such as Multiprotocol Label Switching [MPLS]). The router encapsulates TDM data in MPLS packets
and sends the data over a CEM pseudowire to the remote provider edge (PE) router. Thus, circuit
emulation acts like a physical communication link across the packet network.
To configure circuit emulation on a CEoP SPA port, you must do the following:
1. Configure one or more CEM groups on the port. Each CEM group represents a set of time slots
from the TDM circuit attached to the port. When you configure a CEM group on the port, the router
creates an interface that has the same slot/subslot/port number as the port (for example, cem2/1/0).
2. Configure a pseudowire for each CEM group. The router maps the data from the time slots in each
group onto its pseudowire and sends the data over the MPLS network to the remote PE router.
Use the xconnect command with encap mpls to create a pseudowire for each CEM group.
Figure 10-1 shows the following sample configuration for a CEoP SPA:
• A TDM circuit is connected to port 0 on a SPA installed in slot 1, subslot 0 (T1 controller 1/0/0).
• Two pseudowires (PW10 and PW20) are configured to carry TDM data across the MPLS network.
• Two CEM groups (2 and 3) are configured for the data in the TDM time slots:
– Time slots 1 through 6 are sent over pseudowire 10 to the remote PE router at 10.0.0.0.
– Time slots 8 through 13 are sent to PE router 11.0.0.0 over pseudowire 20.
Figure 10-1 TDM Time Slots to Pseudowire Mappings
[Figure: the TDM data stream on controller T1 1/0/0 is split into CEM group 2 (time slots 1 through 6) and CEM group 3 (time slots 8 through 13), which cross the MPLS network on PW10 to 10.0.0.0 and on PW20 to 11.0.0.0. The figure shows the following configuration.]
controller T1 1/0/0
cem-group 2 timeslots 1-6
cem-group 3 timeslots 8-13
interface cem 1/0/0
cem 2
xconnect 10.0.0.0 10 encap mpls
cem 3
xconnect 11.0.0.0 20 encap mpls
Table 10-1 lists the number of CEM groups you can configure for each CEoP SPA on the SIP 400.
Table 10-1 Number of CEM Groups Supported for Each CEoP SPA
CEoP SPA                                     Number of Supported CEM Groups
24 T1/E1 Channelized ATM CEoP SPA            191
2-Port Channelized T3/E3 ATM CEoP SPA        576
1-Port Channelized OC-3 STM1 ATM CEoP SPA    576
Configuration Guidelines and Restrictions
Not all combinations of payload size and dejitter buffer size are supported. Payload size or dejitter
configurations are rejected at the CLI level in CEM circuit mode on the SPA if they are not compatible.
Any incompatible parameter modifications are rejected, and the configuration falls back to the old
dejitter and payload parameters if the parameters are being applied through the CEM class template.
For the relation between the payload size and the dejitter buffer size on CESoPSN and SAToP T1/E1 frames,
see Table 9-1, CESoPSN DS0 Lines: Payload and Jitter Limits; Table 9-2, SAToP T1 Frame: Payload
and Jitter Limits; and Table 9-3, SAToP E1 Frame: Payload and Jitter Limits.
Configuring a CEM Group
To configure a CEM group to represent a CEM circuit on a SPA port, use the following procedure.
Note • The first cem-group command under the controller creates a CEM interface that has the same
slot/subslot/port information as the controller. The CEM interface is removed when all of the
CEM groups under the interface have been deleted.
• The CEM interface is always up, even if the controller state is down. This allows the CEM
pseudowire to carry alarm information to the remote end.
Command or Action Purpose
Step 1 Router(config)# controller type slot/subslot/port
    Selects the controller for the port being configured:
    • type identifies the port type. Depending on the card type, valid values are t1, e1, t3, e3, or
    sonet. For additional information, see the sections for configuring those port types.
    • slot/subslot/port identifies the SPA slot, subslot, and port.
    Examples
    Router(config)# controller t1 3/1/
    Router(config)# controller sonet 2/0/1
Step 2 Router(config-controller)# [no] cem-group group-number {unframed | timeslots timeslot}
    Creates a CEM circuit (group) from one or more time slots of the line connected to this port. To delete
    the CEM circuit and release the time slots, use the no cem-group group-number command.
    • group-number assigns a CEM circuit number:
    – For 24 T1/E1 Channelized ATM CEoP SPA, you can configure up to 191 CEM groups.
    – For 2-Port Channelized T3/E3 ATM CEoP SPA, you can configure up to 576 CEM groups.
    – For 1-Port Channelized OC-3 STM1 ATM CEoP SPA, you can configure up to 576 CEM groups.
    • unframed creates a single CEM circuit from all of the time slots, and uses the framing on the
    line. Use this keyword for SAToP mode.
    • timeslots timeslot specifies the time slots to include in the CEM circuit. Use this keyword
    for CESoPSN mode. The list of time slots can include commas and hyphens with no spaces
    between the numbers, commas, and hyphens.
    Note Each time slot operates at 64 kilobits per second (kbps).
    Examples
    Router(config)# controller t1 3/2/0
    Router(config-controller)# cem-group 1 unframed
    Router(config)# controller t1 3/2/1
    Router(config-controller)# cem-group 1 timeslots 1,3,5-11
    Router(config-controller)# cem-group 2 timeslots 12-24
    Router(config)# controller t3 3/2/0
    Router(config-controller)# t1 1 cem-group 1 timeslots 1
    Router(config)# controller t3 3/2/1
    Router(config-controller)# e1 1 cem-group 1 unframed
Step 3 Router(config-controller)# exit
    Exits interface configuration mode.
Configuring a CEM Class (Optional)
To assign CEM parameters to one or more CEM interfaces, you can create a CEM class (template) that
defines the parameters and then apply the class to the interfaces.
CEM class parameters can be configured directly on the CEM circuit. The inheritance is as follows:
• CEM circuit (highest level)
• Class attached to CEM circuit
• Class attached to the CEM interface
If the same parameter is configured on the CEM interface and CEM circuit, the value on the CEM circuit
takes precedence.
To configure a CEM class, use the following procedure:
Command or Action Purpose
Step 1 Router(config)# class cem name
    Creates a CEM class to help in configuring parameters in a template and applying parameters at
    the CEM interface level.
    • name argument is a string of up to 80 characters that identifies the CEM class. Note that the
    name is truncated to the first 15 characters.
Step 2 Router(config-cem-class)# command
    Configure CEM parameters by issuing the appropriate commands. See the “Configuring CEM
    Parameters” section on page 10-50 for commands.
In the following example, a CEM class (TDM-Class-A) is configured to set the payload-size and
dejitter-buffer parameters:
class cem TDM-Class-A
payload-size 512
dejitter-buffer 80
exit
In the next example, the CEM parameter settings from TDM-Class-A are applied to CEM interface 2/1/0.
Any CEM circuits created under this interface inherit these parameter settings.
int cem 2/1/0
class int TDM-Class-A
cem 6
xconnect 10.10.10.10 2 encap mpls
exit
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 10 Configuring the CEoP and Channelized ATM SPAs
Configuring Circuit Emulation
Configuring a CEM Pseudowire
To configure a pseudowire to transport a CEM circuit across the MPLS network, follow this procedure.
Step 1
Command or Action: Router(config)# interface cemslot/subslot/port
Purpose: Selects the CEM interface where the CEM circuit (group) is located (where slot/subslot is
the SPA slot and subslot and port is the SPA port where the interface exists).
Step 2
Command or Action: Router(config-if)# cem group-number
Purpose: Selects the CEM circuit (group) to configure a pseudowire for.
Step 3
Command or Action: Router(config-if-cem)# command
Purpose: (Optional) Defines the operating characteristics for the CEM circuit. For command details,
see the “Configuring CEM Parameters” section on page 10-50.
Step 4
Command or Action: Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
Purpose: Configures a pseudowire to transport TDM data from the CEM circuit across the MPLS network.
• peer-router-id is the IP address of the remote PE peer router.
• vcid is a 32-bit identifier to assign to the pseudowire. The same vcid must be used for both ends
of the pseudowire.
• encapsulation mpls sets MPLS for tunneling mode.
• pseudowire-class name specifies a pseudowire class that includes the encapsulation mpls command.
Note The peer-router-id and vcid combination must be unique on the router.
Step 5
Command or Action: Router(config-if)# exit
Purpose: Exits interface configuration mode.
Note When the T1 controller that carries the traffic of a particular CEM circuit goes down, a message
is sent about a failure between PE and CE routers. This results in a pseudowire status of down, but the
data plane is kept up for the alarms to be carried over.
The following sample configuration shows a T1 port on which two CEM circuits (groups) are configured.
Each CEM circuit carries data from time slots of the TDM circuit attached to the port.
The two xconnect commands create pseudowires to carry the TDM data across the MPLS network.
Pseudowire 2 carries the data from time slots 1, 2, 3, 4, 9, and 10 to the remote PE router at 10.10.10.10.
Pseudowire 5 carries the data in time slots 5, 6, 7, 8, and 11 to the remote PE router at 10.10.10.11.
controller t1 2/1/0
cem-group 6 timeslots 1-4,9,10
cem-group 7 timeslots 5-8,11
framing esf
linecode b8zs
clock source adaptive 6
cablelength long -15db
crc-threshold 512
description T1 line to 3rd floor PBX
loopback network
no shutdown
int cem2/1/0
cem 6
xconnect 10.10.10.10 2 encap mpls
cem 7
xconnect 10.10.10.11 5 encap mpls
Configuring TDM Local Switching
TDM Local Switching allows switching of Layer 2 data between two CEM interfaces on the same router.
The two CEM groups can be on the same physical interface or different physical interfaces; they can be
on the same SPA, the same line card, or different line cards.
Note For Cisco IOS Release 12.2(33)SRC, this feature is supported on the 24-Port Channelized T1/E1 ATM
CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA.
Use the following guidelines for CEoP Phase 2 TDM Local Switching:
• Autoprovisioning is not supported.
• Out-of-band signaling is not supported.
• Port mode local switching is not supported on the CEM interface.
• Interworking with other interface types is not supported.
• The same CEM circuit cannot be used for both local switching and xconnect.
• You can use CEM local switching between two CEM circuits on the same CEM interface.
• CEM local switching can be across a 24-Port Channelized T1/E1 ATM CEoP SPA and a 1-Port
Channelized OC-3 STM1 ATM CEoP SPA.
Use the following procedure to configure CEoP Phase 2 TDM Local Switching:
Step 1
Command or Action: Router(config)# interface cemslot/subslot/port
Purpose: Selects the CEM interface to configure the pseudowire for. This is the interface that the TDM
circuit is attached to.
Step 2
Command or Action: Router(config)# [no] connect name cemx/y/z cemckt1 cema/b/c cemckt2
Purpose: Configures a local switching connection between cemckt1 of the CEM interface x/y/z and
cemckt2 of the CEM interface a/b/c.
The no form of this command unconfigures a local switching connection between cemckt1 of the CEM
interface x/y/z and cemckt2 of the CEM interface a/b/c.
Configuration Example
The following is an example:
Router(config)# interface CEM4/3/0
Router(config)# connect cem cem2/1/0 1 cem4/2/0 2
Verifying
Use the show connection, show connection all, show connection id conn id, and show connection
conn name commands to verify.
Local Switching Redundancy
Local Switching Redundancy provides a backup attachment circuit (AC) when the primary attachment
circuit fails. All the ACs must be on same Cisco 7600 series router.
Note For Cisco IOS Release 12.2(33)SRC, this feature is supported on the 24-Port Channelized T1/E1 ATM
CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, as well as the 2-Port and 4-Port
OC-3c/STM-1 ATM SPA, the 1-Port OC-12c/STM-4 ATM SPA, and the 1-Port OC-48c/STM-16 ATM
SPA.
The following combinations of CEM ACs are supported:
• CEM ACs on the same SPA
• CEM ACs on different SPAs on the same SIP
• CEM ACs on different SIPs on the same Cisco 7600 series router
Guidelines
Local Switching Redundancy guidelines are as follows:
• Autoconfiguration of CEM interfaces is not supported.
• Only the tail-end AC can be backed up; if the head end fails, there is no protection.
• The circuit type of the primary and backup AC must be identical (failover operation will not switch
between different types of interfaces or different CEM circuit types).
• Backs up a local switching connection to cem-ckt3 of CEM interface cem3. Only one backup AC is
allowed for each connection.
• Autoconfiguration of backup CEM circuits is not allowed. Autoconfiguration is allowed for backup
ATM Permanent Virtual Circuits (PVCs) or ATM Permanent Virtual Paths (PVPs).
• The CEM circuit used as a backup in a local switching connection cannot be used for xconnect
configurations.
• Dynamic modification of parameters in a local switching connection is not supported in the case
where the tail-end segment is backed up to a segment using the backup command. If you want to
modify the parameters in any of the three segments (head-end, tail-end, or backup segment), you
must first unconfigure with the backup command, make the changes in the individual segments, and
then reconfigure the backup with the backup command.
Configuration
Step 1
Command or Action: Router(config)# [no] connect name cema/b/c cemckt1 cemx/y/z cemckt2
Purpose: Configures a local switching connection between cemckt1 of the CEM interface x/y/z and
cemckt2 of the CEM interface a/b/c.
The no form of this command unconfigures a local switching connection between cemckt1 of the CEM
interface x/y/z and cemckt2 of the CEM interface a/b/c.
Step 2
Command or Action: Router(config-connection)# backup interface cemx/y/z cemckt
Purpose: Backs up a locally switched CEM connection.
Configuration Example
The following is a configuration example for Local Switching Redundancy:
Router(config)# connect cem cem2/1/0 1 cem4/2/0 2
Router(config-connection)# backup interface cem 3/0/0 3
Verifying
Use the show xconnect all command to check the status of the backup and primary circuits.
Configuring ATM
In addition to CEM mode, CEoP SPAs support ATM. When configured to operate in ATM mode, CEoP
SPAs support the ATM features listed in Chapter 9, “Overview of the CEoP and Channelized ATM
SPAs.”
CEoP SPAs also support inverse multiplexing over ATM (IMA), which allows you to combine multiple
ATM links into a single high-bandwidth logical link. For more information on IMA, see the “Configuring
Inverse Multiplexing over ATM” section on page 10-29.
CEoP SPAs support ATM operation in clear-channel or channelized mode:
• In clear-channel mode, each SPA port provides a single high-speed ATM connection operating at the
line rate of the port.
• In channelized mode, each port can be divided into multiple logical channels, each providing a
separate ATM connection operating at the channelized line rate (for example, T3 channelized to T1).
Note ATM does not support DS0s. ATM can only be channelized down to T1s.
ATM Connections Per SPA
Use the following guidelines:
• The 24-Port Channelized T1/E1 ATM CEoP SPA provides 24 ATM connections (one for each port)
operating at T1 or E1 line rates.
• The 1-Port Channelized OC-3/STM-1 ATM CEoP SPA cannot be configured for clear-channel
(OC-3) ATM. Instead, you must channelize the port to T1s or E1s. The number of ATM connections
available depends on the configuration mode:
– Channelized T1 mode provides 84 ATM connections (3 T3 x 28 T1 = 84).
– Channelized E1 mode provides 63 ATM connections (3 TUG-3/AU-3 x 7 TUG-2 x 3 E1 = 63).
• In clear-channel mode, each port in the 2-Port Channelized T3/E3 ATM CEoP SPA provides a single
ATM connection operating at T3 line rate.
ATM Configuration Overview
To configure a port on a CEoP SPA for ATM operation, you must:
1. Set the port to ATM mode. You can also configure IMA (optional).
2. Configure an ATM permanent virtual circuit (PVC) for the port.
3. Configure a pseudowire for the ATM or IMA interface.
ATM and IMA Interfaces
IMA interfaces may consist of groups of T1s or E1s. IMA is not supported on the 2-Port Channelized
T3/E3 ATM CEoP SPA.
The router creates an ATM interface for each T3 or E3 port (or channelized T1 or E1) that is configured
for ATM mode. The interface has the format atmslot/subslot/port (where slot/subslot identifies the
SPA slot and subslot and /port identifies the port [for example, atm2/1/0]).
If you configure IMA, the router creates an interface to represent each IMA group (link bundle). The
interface has the format atmslot/subslot/imagroup-id (where slot/subslot identifies the SPA slot and
subslot and group-id identifies the IMA group number [for example, atm2/1/ima0]).
Configuring VC QoS on VP-PW CEoP SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
configuration information on Modular QoS CLI (MQC) policy support and ATM VCI (match atm-vci
command), see the “Configuring QoS Features on a SIP” section on page 4-94 of Chapter 4,
“Configuring the SIPs and SSC.”
Restriction
The VC QoS on VP-PW feature works only with Single Cell Relay and does not work with Packed Cell
Relay.
Configuring an ATM Pseudowire
To configure a pseudowire for an ATM connection or an IMA link bundle, perform these steps. The
pseudowire is used to carry the ATM data across the MPLS network.
Step 1
Command or Action: Router(config)# interface atmslot/subslot/port
or
Router(config)# interface atmslot/subslot/imagroup-id
Purpose: Selects the ATM interface to configure the pseudowire for (where slot/subslot is the SPA slot
and subslot, and /port is the SPA port where the interface exists).
For IMA, the format is atmslot/subslot/imagroup-id (where slot/subslot/ identifies the SPA slot and
subslot and group-id is the IMA group number).
Step 2
Command or Action: Router(config-if)# pvc vpi/vci
Purpose: Creates a permanent virtual circuit for the ATM or IMA interface and assigns the PVC a VPI
and VCI:
• vpi specifies the virtual path identifier (0 to 255).
• vci specifies the virtual channel identifier. Valid values are 32 to 1 less than the value specified
by the atm vc-per-vp command.
Note Do not specify 0 for both the VPI and VCI.
Step 3
Command or Action: Router(config-if-atm-vc)# encapsulation {aal0 | aal5 | aal5snap}
Purpose: Specifies the ATM adaptation layer (AAL) for the PVC:
• aal0—Selects ATM adaptation layer 0 (cell mode).
• aal5—Selects ATM adaptation layer 5 (packet mode).
• aal5snap—Supports Inverse Address Resolution Protocol (ARP). Logical link control/Subnetwork
Access Protocol (LLC/SNAP) precedes protocol datagram.
Step 4
Command or Action: Router(config-if-atm-vc)# command
Purpose: Configures the ATM operating characteristics of the PVC. CEoP SPAs support the ATM
features in Chapter 9.
Step 5
Command or Action: Router(config-if-atm-vc)# exit
Purpose: Returns you to interface configuration mode.
Step 6
Command or Action: Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
Purpose: Configures a pseudowire to transport data from the ATM or IMA interface across the MPLS
network.
• peer-router-id is the IP address of the remote PE peer router.
• vcid is a 32-bit identifier to assign to the pseudowire. The same vcid must be used for both ends
of the pseudowire.
• encapsulation mpls sets MPLS for tunneling mode.
• pseudowire-class name specifies a pseudowire class that includes the encapsulation mpls command.
Note The peer-router-id and vcid combination must be unique on the router.
Step 7
Command or Action: Router(config-if)# exit
Purpose: Exits interface configuration mode.
Configuring Pseudowire Redundancy (Optional)
CEoP SPAs support the L2VPN Pseudowire Redundancy feature, which provides backup service for
ATM and circuit emulation (CEM) pseudowires. The L2VPN Pseudowire Redundancy feature enables
the network to detect a failure and reroute the Layer 2 (L2) service to another endpoint that can continue
to provide service. This feature provides the ability to recover from a failure either of the remote PE
router or of the link between the PE and CE routers.
You configure pseudowire redundancy by configuring two pseudowires for an ATM or CEM interface:
a primary pseudowire and a backup (standby) pseudowire. If the primary pseudowire goes down, the
router uses the backup pseudowire in its place. When the primary pseudowire comes back up, the backup
pseudowire is brought down and the router resumes using the primary.
Figure 10-2 shows an example of pseudowire redundancy.
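Figure 10-2 Pseudowire Redundancy (figure not reproduced; its labels are CE1, PE1, PE2, CE2, primary
pseudowire, backup pseudowire, and redundant attachment circuits)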
The following steps summarize how to configure pseudowire redundancy on a CEoP SPA.
Although an ATM interface is shown, the configuration is the same for CEM.
Note You must configure the backup pseudowire to connect to a different router than the primary pseudowire.
1. enable
2. configure terminal
3. interface atmslot/subslot/port
4. xconnect peer-router-id vcid {encapsulation mpls | pw-class pw-class-name}
5. backup peer peer-router-ip-addr vcid [pw-class pw-class-name]
6. backup delay enable-delay {disable-delay | never}
The following example shows pseudowire redundancy configured for a CEM circuit (group). In the
example, the xconnect command configures a primary pseudowire for CEM group 0. The backup peer
command creates a redundant pseudowire for the group.
int cem8/1/1
no ip address
cem 0
xconnect 10.10.10.1 1 encap mpls
backup peer 10.10.10.2 200
exit
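The pseudowire rules stated in this chapter (a peer-router-id and vcid combination must be unique on the router, the backup pseudowire must go to a different router than the primary, and a CEM circuit cannot be used for both local switching and xconnect) can be checked against a saved configuration before it is applied. The following Python audit is an added example, not part of the Cisco guide; the function name, finding codes, and the BAD_CONFIG sample are constructed here, and counting backup pseudowires in the uniqueness check is an assumption.

```python
import re
from collections import defaultdict

_PROMPT_RE = re.compile(r"^\S+\(config[\w-]*\)#\s*")
_IF_RE = re.compile(r"int(?:erface)?\s+(.+)", re.I)
_CEM_RE = re.compile(r"cem\s+(\d+)", re.I)
_XC_RE = re.compile(r"xconnect\s+(\S+)\s+(\d+)\b", re.I)
_BKP_PEER_RE = re.compile(r"backup\s+peer\s+(\S+)\s+(\d+)\b", re.I)
_CONNECT_RE = re.compile(r"connect\s+\S+\s+(cem\S+)\s+(\d+)\s+(cem\S+)\s+(\d+)", re.I)
_BKP_IF_RE = re.compile(r"backup\s+interface\s+(cem\s*\S+)\s+(\d+)", re.I)

# The guide's own pseudowire redundancy example.
GUIDE_CONFIG = """int cem8/1/1
no ip address
cem 0
xconnect 10.10.10.1 1 encap mpls
backup peer 10.10.10.2 200
exit"""

# Constructed sample that breaks each rule once.
BAD_CONFIG = """interface cem2/1/0
 cem 6
  xconnect 10.10.10.10 2 encap mpls
  backup peer 10.10.10.10 20
 cem 7
  xconnect 10.10.10.11 5 encap mpls
  backup peer 10.10.10.12 50
interface cem4/2/0
 cem 2
  xconnect 10.10.10.11 5 encap mpls
connect cem cem2/1/0 1 cem4/2/0 2
 backup interface cem 3/0/0 3"""


def _norm(name):
    """'cem 2/1/0' and 'CEM2/1/0' both become 'cem2/1/0'."""
    return re.sub(r"\s+", "", name).lower()


def audit_pseudowires(config_text):
    """Return a list of (code, detail) findings for the three rules above."""
    findings = []
    pw_users = defaultdict(list)      # (peer, vcid) -> attachment circuits using it
    xconnect_acs, local_acs = set(), set()
    iface = circuit = primary = None
    for raw in config_text.splitlines():
        line = _PROMPT_RE.sub("", raw.strip())
        m = _IF_RE.fullmatch(line)
        if m:
            iface, circuit, primary = _norm(m.group(1)), None, None
            continue
        m = _CEM_RE.fullmatch(line)
        if m and iface:
            circuit, primary = int(m.group(1)), None
            continue
        m = _XC_RE.match(line)
        if m and iface:
            primary = (m.group(1), int(m.group(2)))
            pw_users[primary].append((iface, circuit))
            xconnect_acs.add((iface, circuit))
            continue
        m = _BKP_PEER_RE.match(line)
        if m and primary:
            backup = (m.group(1), int(m.group(2)))
            pw_users[backup].append((iface, circuit))
            if backup[0] == primary[0]:
                findings.append(("BACKUP_SAME_PEER",
                                 f"{iface} circuit {circuit}: backup and primary both use {backup[0]}"))
            continue
        m = _CONNECT_RE.match(line)
        if m:
            local_acs.add((_norm(m.group(1)), int(m.group(2))))
            local_acs.add((_norm(m.group(3)), int(m.group(4))))
            iface = circuit = primary = None
            continue
        m = _BKP_IF_RE.match(line)
        if m:
            local_acs.add((_norm(m.group(1)), int(m.group(2))))
    for (peer, vcid), users in sorted(pw_users.items()):
        if len(users) > 1:
            findings.append(("DUPLICATE_PEER_VCID",
                             f"peer {peer} vcid {vcid} is configured {len(users)} times"))
    for name, ckt in sorted(xconnect_acs & local_acs):
        findings.append(("XCONNECT_AND_LOCAL_SWITCHING",
                         f"{name} circuit {ckt} has an xconnect and is in a local switching connection"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_pseudowires(BAD_CONFIG):
        print(code, "-", detail)
```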
Configuring T1
To configure T1 on a 24-Port Channelized T1/E1 ATM CEoP SPA, use the following procedure and
observe these guidelines:
• There can be 0 to 23 channels under a T1 controller, one for each T1 time slot.
• Each channel can be configured as a CEM group.
• The maximum number of channels under a CEM group is 24.
• Each CEM group number under a controller must be unique.
• A maximum of 191 CEM circuits can be configured.
Step 1
Command or Action: Router(config)# controller t1 slot/subslot/port
Purpose: Selects the T1 controller.
Step 2
Command or Action: Router(config-controller)# [no] cem-group group-number {unframed | timeslots timeslot}
Purpose: Creates a CEM interface and assigns it a CEM group number.
Step 3
Command or Action: Router(config-controller)# framing {sf | esf}
Purpose: Selects the T1 framing type.
Step 4
Command or Action: Router(config-controller)# exit
Purpose: Exits controller configuration mode and returns you to global configuration mode.
Step 5
Command or Action: Router(config)# interface cemslot/subslot/port
Purpose: Selects the CEM interface.
Step 6
Command or Action: Router(config-controller)# cem group-number
Purpose: Selects the specified CEM group.
Step 7
Command or Action: Router(config-controller)# xconnect peer-ip-address encap mpls
Purpose: Configures a pseudowire for the T1 time slots identified by the CEM group.
Step 8
Command or Action: Router(config-controller)# exit
Purpose: Exits controller configuration mode.
Configuring E1
To configure E1 on a 24-Port Channelized T1/E1 ATM CEoP SPA, use the following procedure:
Step 1
Command or Action: Router(config)# controller e1 slot/subslot/port
Purpose: Selects the controller for the E1 port being configured.
Step 2
Command or Action: Router(config-controller)# [no] cem-group group-number {unframed | timeslots timeslot}
Purpose: Creates a CEM interface and assigns a CEM group number.
Step 3
Command or Action: Router(config-controller)# framing {crc4 | no-crc4}
Purpose: Selects the framing type.
Step 4
Command or Action: Router(config-controller)# exit
Purpose: Exits controller configuration mode and returns you to global configuration mode.
Step 5
Command or Action: Router(config)# interface cemslot/subslot/port
Purpose: Selects the CEM interface.
Step 6
Command or Action: Router(config-controller)# cem group-number
Purpose: Selects the specified CEM group.
Step 7
Command or Action: Router(config-controller)# xconnect peer-ip-address encap mpls
Purpose: Configures a pseudowire for the E1 time slots identified by the CEM group.
Step 8
Command or Action: Router(config-controller)# exit
Purpose: Exits controller configuration mode.
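The cem-group step in the T1 and E1 procedures takes a time slot list (commas and hyphens, no spaces), each time slot carries 64 kbps, and each CEM group number under a controller must be unique. The following Python check for the cem-group lines of one controller is an added example, not part of the Cisco guide; the function names are constructed here, the slot ranges 1-24 (T1) and 1-31 (E1) are assumptions taken from the guide's own examples, and treating a time slot claimed by two groups as an error is also an assumption.

```python
import re

SLOT_KBPS = 64                     # the guide: each time slot operates at 64 kbps
MAX_SLOT = {"t1": 24, "e1": 31}    # assumption, from the guide's examples (12-24 and 1-31)
_PROMPT_RE = re.compile(r"^\S+\(config[\w-]*\)#\s*")
_LIST_RE = re.compile(r"\d+(-\d+)?(,\d+(-\d+)?)*")
_GROUP_RE = re.compile(r"cem-group\s+(\d+)\s+(unframed|timeslots\s+(.+))")

# The cem-group lines of the guide's "controller t1 2/1/0" example.
GUIDE_SAMPLE = ["cem-group 6 timeslots 1-4,9,10", "cem-group 7 timeslots 5-8,11", "framing esf"]
# Constructed sample: time slot 11 is claimed by both groups.
OVERLAP_SAMPLE = ["cem-group 1 timeslots 1,3,5-11", "cem-group 2 timeslots 11-24"]


def parse_timeslots(spec, line_type="t1"):
    """Expand a list such as '1,3,5-11' into sorted slot numbers.

    Raises ValueError for spaces or other stray characters, reversed or
    out-of-range ranges, and slots that are listed twice.
    """
    if not _LIST_RE.fullmatch(spec):
        raise ValueError(f"malformed time slot list {spec!r}")
    slots = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo > hi or lo < 1 or hi > MAX_SLOT[line_type]:
            raise ValueError(f"time slot range {part!r} is invalid for {line_type}")
        slots.extend(range(lo, hi + 1))
    if len(slots) != len(set(slots)):
        raise ValueError(f"time slot listed twice in {spec!r}")
    return sorted(slots)


def audit_controller(lines, line_type="t1"):
    """Check the cem-group lines of one T1 or E1 controller.

    Returns (groups, problems). groups maps the group number to its mode,
    slots and, for CESoPSN groups, the payload rate in kbps.
    """
    groups, problems, owner = {}, [], {}
    for raw in lines:
        m = _GROUP_RE.fullmatch(_PROMPT_RE.sub("", raw.strip()))
        if not m:
            continue                       # not a cem-group line of this controller
        number = int(m.group(1))
        if number in groups:
            problems.append(f"cem-group {number} is defined twice")
            continue
        if m.group(2) == "unframed":       # SAToP: the circuit takes every time slot
            mode, slots = "SAToP", list(range(1, MAX_SLOT[line_type] + 1))
        else:                              # CESoPSN: only the listed time slots
            mode = "CESoPSN"
            try:
                slots = parse_timeslots(m.group(3), line_type)
            except ValueError as err:
                problems.append(f"cem-group {number}: {err}")
                continue
        for slot in slots:
            if slot in owner:
                problems.append(
                    f"time slot {slot} is in cem-group {owner[slot]} and cem-group {number}")
            else:
                owner[slot] = number
        kbps = len(slots) * SLOT_KBPS if mode == "CESoPSN" else None
        groups[number] = {"mode": mode, "slots": slots, "kbps": kbps}
    return groups, problems


if __name__ == "__main__":
    print(audit_controller(GUIDE_SAMPLE))
    print(audit_controller(OVERLAP_SAMPLE)[1])
```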
Configuring T3
This section describes how to configure the 2-Port Channelized T3/E3 ATM CEoP SPA. The SPA can be
configured to operate in the following modes:
• T3 (clear-channel)
• ATM
The router creates a logical interface to represent the mode that the SPA port is configured to run in. An
ATM interface is created for each T3 port that is configured for ATM mode. The interface has the format
atm slot/subslot/port (where slot/subslot identifies the SPA slot and subslot and /port identifies the port).
An example is atm2/1/0.
The following sections provide instructions for configuring the SPA:
• T3 Configuration Guidelines, page 10-25
• Configuring Port Usage, page 10-25
• Configuring the SPA for Clear-Channel ATM, page 10-27
T3 Configuration Guidelines
This section lists the guidelines for configuring the 2-Port Channelized T3/E3 ATM CEoP SPA.
For information about supported features, see Chapter 9, “Overview of the CEoP and Channelized ATM
SPAs.”
Note For a list of features that are not supported in Cisco IOS Release 12.2SRC, see the “Unsupported
Features” section on page 9-15.
T3 Mode
In clear-channel T3 mode, each SPA port provides a single high-speed data channel operating at 44210
kilobits per second (kbps).
ATM Mode
For ATM mode, up to 4000 point-to-point ATM VCs (per SIP) are supported.
Configuring Port Usage
Perform the following steps to configure a SPA port for T3:
Note E3 is not supported with Cisco IOS Release 12.2(33)SRC.
Step 1
Command or Action: Router(config)# controller {t3} slot/subslot/port
Purpose: Selects the T3 controller for the port you are configuring (where slot/subslot identifies the
SPA slot and subslot and /port identifies the port).
Step 2
Command or Action: Router(config-controller)# [no] framing {auto-detect | c-bit | m23}
Purpose: For the clear-channel ATM mode, configure framing as:
• auto-detect—Detects the framing type at the device at the end of the line and switches to that
framing type. If both devices are set to auto-detect, c-bit framing is used.
• c-bit—Specifies C-bit parity framing.
• m23—Specifies M23 framing.
Step 3
Command or Action: Router(config-controller)# clock source {internal | line}
Purpose: (Optional) Specifies the clock source.
• internal—Selects the internal clock.
• line—Selects the network clock.
Step 4
Command or Action: Router(config-controller)# cablelength feet
Purpose: (Optional) Specifies the length of the cable attached to the port (in feet). Valid values are
0 to 450 ft. The default is 224 ft.
Step 5
Command or Action: Router(config-controller)# [no] loopback {local | network | remote {line | payload}}
Purpose: (Optional) Runs a loopback test, which is useful for troubleshooting problems. The no form of
the command stops the test. The default is no loopback.
• local—Loops the signal from Tx to Rx path. Sends alarm indication signal (AIS) to network.
• network—Loops the signal from Rx to Tx path.
• remote {line | payload}—(C-bit framing only) Sends a loopback request to the remote end:
line loops back the unframed signal and payload loops back the framed signal.
Step 6
Command or Action: Router(config-controller)# [no] bert pattern
[2^11 | 2^15 | 2^20 O.153 | 2^20 QRSS | 2^23 | 0s | 1s | alt-0-1] interval [1-1440]
Purpose: (Optional) Configures bit-error-rate (BER) testing.
Step 7
Command or Action: Router(config-controller)# mdl {string {eic | fic | generator | lic | pfi | port | unit} string} |
{transmit {idle-signal | path | test-signal}}
Example:
Router(config-controller)# mdl string eic ID
Router(config-controller)# mdl string fic Building B
Router(config-controller)# mdl string unit ABC
Router(config-controller)# mdl string pfi Facility Z
Router(config-controller)# mdl string port Port 7
Router(config-controller)# mdl transmit path
Router(config-controller)# mdl transmit idle-signal
Purpose: (Optional) Configures maintenance data link (MDL) messages, which communicate information
between local and remote ports. Valid only with C-bit framing.
• mdl string specifies the type of identification information to include in MDL messages:
– eic string specifies the Equipment Identification Code, up to 10 characters.
– fic string specifies the Frame Identification Code, up to 10 characters.
– generator string specifies the Generator Number for test-signal messages, up to 38 characters.
– lic string is the Location Identification Code, up to 11 characters.
– pfi string specifies the Path Facility Identification Code for path messages, up to 38 characters.
– port string is the port number for idle-signal messages, up to 38 characters.
– unit string—Specifies the Unit Identification Code, up to 6 characters.
• mdl transmit specifies the type of MDL messages to transmit:
– idle-signal—Enables idle-signal messages.
– path—Enables path messages.
– test-signal—Enables test-signal messages.
Step 8
Command or Action: Router(config-controller)# exit
Purpose: Returns you to global configuration mode.
Configuring the SPA for Clear-Channel ATM
To configure a T3/E3 SPA port for clear-channel ATM, follow these steps:
Step 1
Command or Action: Router(config)# controller {t3} slot/subslot/port
Purpose: Selects the T3 controller for the port you are configuring (where slot/subslot identifies the
SPA location and /port identifies the port).
Step 2
Command or Action: Router(config-controller)# atm
Purpose: Configures the port (interface) for clear-channel ATM. The router creates an ATM interface
whose format is atm/slot/subslot/port (where slot/subslot identifies the SPA slot and subslot and /port
is the SPA port).
Step 3
Command or Action: Router(config-controller)# exit
Purpose: Returns you to global configuration mode.
Step 4
Command or Action: Router(config)# interface atmslot/subslot/port
Purpose: Selects the ATM interface for the SPA port in Step 1.
Step 5
Command or Action: Router(config-if)# pvc vpi/vci
Purpose: Configures a PVC for the interface and assigns the PVC a VPI and VCI. Do not specify 0 for
both the VPI and VCI. See the “Configuring an ATM Pseudowire” section on page 10-22 for details on
this command and the next.
Step 6
Command or Action: Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
Purpose: Configures a pseudowire to carry data from the clear-channel ATM interface over the MPLS
network.
Step 7
Command or Action: Router(config-if)# end
Purpose: Exits configuration mode.
Configuring SONET (OC-3)
To configure SONET (OC-3) on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA, use the following
procedure and observe these guidelines:
• One OC-3 has three SONET paths, each of which can have a T3. Each T3 has 28 T1s.
• Each T3 has a submode for T1 configuration.
• Each T1 can be configured to operate in CEM, ATM, or IMA mode.
• ATM can be configured on T1s only. These modes cannot be configured on T1s that are channelized
to DS0s.
• CEM groups can be configured on a T1 directly.
• CEM groups can be channelized to DS0s.
• A maximum of 2016 DS0s can be configured.
• A maximum of 576 CEM circuits can be configured.
SONET Controller Configuration
To configure the SONET controller, perform this task:
Step 1
Command or Action: Router(config)# controller sonet slot/subslot/port
Example:
Router(config)# controller sonet 5/1/0
Purpose: Enters the SONET controller configuration submode.
Step 2
Command or Action: Router(config-controller)# framing sonet
Purpose: Configures the controller framing for SONET framing (default).
Step 3
Command or Action: Router(config-controller)# sts-1 number
Purpose: Specifies the STS identifier.
Step 4
Command or Action: Router(config-ctrlr-sts1)# mode vt-15
Purpose: Specifies VT-15 as the STS-1 mode of operation.
Step 5
Command or Action: Router(config-controller-sts1)# vtg 5 t1 1 cem-group 15 timeslots 1-5,20-23
Purpose: Creates a virtual tributary group carrying a T1.
Step 6
Command or Action: Router(config-controller-sts1)# exit
Purpose: Exits controller configuration mode.
SDH Configuration for AU-4 C-12
This section describes how to enable an interface under SDH framing with AU-4 mapping after
configuring the SONET controller.
Step 1
Command or Action: Router(config)# controller sonet 5/1/0
Purpose: Selects the controller to configure.
Step 1
Command or Action: Router(config-controller)# framing sdh
Purpose: Specifies SDH as the framing mode.
Step 2
Command or Action: Router(config-controller)# aug mapping au-4
Purpose: Specifies AUG mapping.
Step 3
Command or Action: Router(config-controller)# au-4 1 tug-3 2
Purpose: Selects the AU-4, TUG-3 to configure.
Step 4
Command or Action: Router(config-ctrlr-tug3)# mode c-12
Purpose: Specifies the channelization mode for the TUG-3.
Step 5
Command or Action: Router(config-ctrlr-tug3)# tug-2 7 e1 3 atm
Purpose: Creates an ATM interface.
Step 6
Command or Action: Router(config-ctrlr-tug3)# tug-2 1 e1 1 ima-group group-number
Purpose: Configures the interface to run in IMA mode and assigns the interface to an IMA group.
Step 7
Command or Action: Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 unframed
Purpose: Creates a SAToP CEM group.
Command or Action: Router(config-ctrlr-tug3)# tug-2 1 e1 1 cem-group 1 timeslots 1-31
Purpose: Creates a CESoPSN CEM group.
SDH Configuration for AU-3 C-11
This section describes how to enable an interface under SDH framing with AU-3 mapping after
configuring the SONET controller.
Step 1
Command or Action: Router(config)# controller sonet 5/1/0
Purpose: Selects the controller to configure.
Step 2
Command or Action: Router(config-controller)# framing sdh
Purpose: Specifies the framing mode.
Step 3
Command or Action: Router(config-controller)# aug mapping au-3
Purpose: Specifies AUG mapping.
Step 4
Command or Action: Router(config-controller)# au-3 3
Purpose: Selects the AU-3 to configure.
Step 5
Command or Action: Router(config-ctrlr-au3)# mode c-11
Purpose: Specifies the channelization mode for the link.
Step 6
Command or Action: Router(config-ctrlr-au3)# tug-2 7 t1 4 atm
Purpose: Creates an ATM interface.
Step 7
Command or Action: Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 1 unframed
Purpose: Creates a SAToP CEM group.
Command or Action: Router(config-ctrlr-au3)# tug-2 1 t1 2 cem-group 2015 timeslots 1-12
Purpose: Creates a CESoPSN CEM group.
Configuring Inverse Multiplexing over ATM
Inverse multiplexing over ATM (IMA) allows multiple T1 or E1 links to be bundled together into a
high-bandwidth logical link. The rate of the logical IMA link is approximately the sum of the rate of the
physical links in the IMA group, although some overhead is required for ATM header and control cells.
Note IMA is available in Cisco IOS Release 12.2SRC and later releases and is supported on the 24-Port
Channelized T1/E1 ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA.
The inverse multiplexing operation is transparent to the ATM layer protocols, and therefore the ATM
layer can operate normally, as if only a single physical interface is being used. In the transmit direction,
IMA takes cells from the ATM layer and sends them in a round-robin manner over the individual T1 or E1
links in the IMA group. At the receiving end, the cells are recombined to form the original cell stream
and are passed up to the ATM layer. An IMA device always sends a continuous stream. If no ATM layer
cells are being sent, an IMA filler cell is transmitted to provide a constant stream at the physical layer.
IMA Control Protocol (ICP) cells are periodically transmitted between IMA interfaces. ICP cells control
the inverse multiplexing function, provide sequencing for the ATM cell stream, and define the IMA
frame. Using an IMA frame length of 128 cells, one out of every 128 cells on each link is an ICP cell.
Figure 10-3 shows how IMA works. In the figure, IMA performs inverse multiplexing and
demultiplexing with four bundled links, providing 5.52 Mbps of bandwidth for T1s for packet traffic,
after subtracting the overhead of ATM cell headers and ICP cells. The transmitting side, from which cells
are distributed across the links, is referred to as Tx, and the receiving side, where cells are recombined,
is called Rx.
Figure 10-3 IMA Operation
IMA Configuration Guidelines
Follow these guidelines as you configure the CEoP SPA for inverse multiplexing ATM:
• IMA is supported on the Cisco 7600 SIP-400 with the following CEoP SPAs:
– 24-Port Channelized T1/E1 ATM CEoP SPA (24 IMA groups per SPA)
– 1-Port Channelized OC-3 STM1 ATM CEoP SPA (42 IMA groups per SPA)
– 2-Port T3/E3 ATM CEoP SPA (42 IMA groups per SPA)
• When a T1 or E1 interface is configured for IMA mode, the interface no longer operates as an
individual ATM link.
• IMA group numbers (IDs) must be unique on the SPA.
• You cannot mix T1 and E1 lines in the same IMA group.
• The T1 or E1 lines in an IMA group must be on the same CEoP SPA. An IMA group cannot contain
T1 or E1 lines from different SPAs.
• Both ends of the T1 or E1 link must be in IMA mode.
• IMA is compliant with nonstop forwarding with stateful switchover (NSF/SSO). This means that
when a switchover occurs, IMA connections remain up and continue to pass traffic, with no
interruption in service.
• IMA Control Protocol (ICP) cells and filler cells are discarded by the receiving end; therefore, any
counters displayed in show command output do not include these cells.
• The Cisco 7600 SIP-400 supports a maximum transmission unit (MTU) size of 4470 bytes.
To ensure that IMA groups synchronize correctly after a restart, observe the following guidelines as you
configure IMA links. For information about restarts, see the description of ima autorestart in the
“Configuring IMA Group Parameters” section on page 10-34.
• Each end of an IMA link should have a different IMA group ID. This way, after a restart the router
can detect links in loopback mode, which means that a link is communicating with itself instead of
the remote end. When both ends of a link have the same group ID, the link is in loopback mode.
• If both ends of an IMA link have the same group ID, loopbacked links might be the first to respond
after a restart, in which case the IMA group could be communicating with itself instead of the far end.
• Effective from Cisco IOS Release 15.1(01)S, the number of IMA groups supported on each
variant of the CEoP SPA is:
– 24 T1/E1/J1 port SPA (12 IMA groups per SPA)
– 2XT3/E3 port SPA (42 IMA groups per SPA)
– 1xOC3 port SPA (42 IMA groups per SPA)
• When the atm bandwidth dynamic command is enabled, all of the permanent virtual circuits
(PVCs) configured on an IMA group interface are re-created if the total available IMA group
bandwidth changes.
• A maximum of 16 links can be configured in an IMA group.
IMA Link Bundle Configuration Overview
You bundle T1 or E1 links together by assigning the links to the same IMA group and configuring a PVC
for the links in the group to use.
To assign a T1 or E1 link to an IMA group, issue the ima-group group-number command under the T1
or E1 controller for the port that the link is attached to. Bundle a set of links together by issuing
ima-group under the controller for each of the links that you want to add to the bundle, and specify
the same group number for each.
The router creates an IMA interface to represent the IMA group (link bundle). The interface has the same
slot/subslot information as the SPA, followed by the IMA group ID, as shown here (for example,
atm2/1/ima0):
interface atmslot/subslot/imagroup-id
The IMA interface has all of the characteristics of an ATM interface and supports any currently
supported ATM features.
When all of the T1/E1 interfaces are removed from an IMA group, the IMA interface that represents the
group is removed.
To configure the IMA group for operation, you must:
• Configure a PVC for the links in the IMA group to use.
• Define the operating characteristics of the IMA link bundle by configuring IMA group parameters.
(See the “Configuring IMA Group Parameters” section on page 10-34.)
Configuration Example
The following steps show an example of configuring an IMA link bundle on the 24-Port
Channelized T1/E1 ATM CEoP SPA. Detailed steps are provided in the section that follows.
1. Bundle T1 or E1 links together by creating an IMA group and adding each link to the group. In this
example, the T1 links attached to ports 0, 1, and 2 of the CEoP SPA in chassis slot 2, SPA subslot 1,
are assigned to the same IMA link bundle (IMA group 0). Likewise, the E1 links attached to ports 0
and 1 of the SPA in chassis slot 5, SPA subslot 1 are assigned to another bundle (IMA group 1).
controller t1 2/1/0
ima-group 0
exit
controller t1 2/1/1
ima-group 0
exit
controller t1 2/1/2
ima-group 0
exit
controller e1 5/1/0
ima-group 1
exit
controller e1 5/1/1
ima-group 1
exit
2. Configure a PVC and MPLS pseudowire for the links in the IMA group to use. In the following
example, PVC 0/100 is configured for the T1 links in IMA group 0 and PVC 0/101 is configured for
the E1 links in IMA group 1:
interface atm2/1/ima0
pvc 0/100 l2transport
xconnect 10.2.0.1 10 encapsulation mpls
exit
interface atm5/1/ima1
pvc 0/101 l2transport
xconnect 10.20.0.4 11 encapsulation mpls
exit
3. Configure IMA group parameters to define how the links in the group are to operate. In the following
example, IMA group 0 is being configured to operate with a minimum of 2 active links, independent
clock mode, and a frame length of 256:
interface atm2/1/ima0
ima active-links-minimum 2
ima clock-mode independent
ima frame-length 256
exit
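The IMA guidelines and valid values in this chapter can be checked offline before a configuration is pushed to a router. The following Python script is an added example, not Cisco code: it parses controller and IMA interface stanzas and flags mixed T1/E1 groups, group numbers outside 0 through 41, more than 16 links in a group, an invalid frame length, and an active-links-minimum larger than the number of configured links. That last check is an inference from the parameter's description, and SAMPLE_CONFIG, the finding codes, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the link-bundle commands from the example above, with four
# deliberate mistakes added so that each check below fires once.
SAMPLE_CONFIG = """\
controller t1 2/1/0
 ima-group 0
controller t1 2/1/1
 ima-group 0
controller t1 2/1/2
 ima-group 0
controller e1 2/1/3
 ima-group 0
controller t1 2/1/4
 ima-group 42
controller e1 5/1/0
 ima-group 1
controller e1 5/1/1
 ima-group 1
interface atm2/1/ima0
 ima active-links-minimum 5
interface atm5/1/ima1
 ima frame-length 100
"""

CTRL_RE = re.compile(r"controller\s+(t1|e1)\s+(\d+)/(\d+)/(\d+)$", re.I)
INTF_RE = re.compile(r"interface\s+atm(\d+)/(\d+)/ima(\d+)$", re.I)
GROUP_RE = re.compile(r"ima-group\s+(\d+)$", re.I)
PARAM_RE = re.compile(r"ima\s+(active-links-minimum|frame-length)\s+(\d+)$", re.I)

GROUP_IDS = range(0, 42)          # "Valid values are 0 through 41"
MAX_LINKS = 16                    # maximum links per IMA group
FRAME_LENGTHS = {32, 64, 128, 256}


def parse(config):
    """Collect member links and IMA parameters per (slot, subslot, group)."""
    members = defaultdict(set)    # key -> {(kind, port)}
    params = defaultdict(dict)    # key -> {parameter: value}
    ctx = None                    # stanza the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = line.split()[0].lower()
        if head == "controller":
            m = CTRL_RE.match(line)
            ctx = ("ctrl", m[1].lower(), int(m[2]), int(m[3]), int(m[4])) if m else None
        elif head == "interface":
            m = INTF_RE.match(line)
            ctx = ("intf", int(m[1]), int(m[2]), int(m[3])) if m else None
        elif ctx and ctx[0] == "ctrl" and (m := GROUP_RE.match(line)):
            _, kind, slot, subslot, port = ctx
            members[(slot, subslot, int(m[1]))].add((kind, port))
        elif ctx and ctx[0] == "intf" and (m := PARAM_RE.match(line)):
            params[ctx[1:]][m[1].lower()] = int(m[2])
        # exit, pvc, xconnect and other sub-commands do not affect these checks
    return members, params


def audit(config):
    """Return a sorted list of (ima-interface, finding-code) tuples."""
    members, params = parse(config)
    findings = []
    for key in sorted(set(members) | set(params)):
        slot, subslot, group = key
        name = f"atm{slot}/{subslot}/ima{group}"
        links = members.get(key, set())
        settings = params.get(key, {})
        if group not in GROUP_IDS:
            findings.append((name, "group-id-range"))
        if len({kind for kind, _ in links}) > 1:
            findings.append((name, "mixed-t1-e1"))
        if len(links) > MAX_LINKS:
            findings.append((name, "too-many-links"))
        if not links:
            findings.append((name, "no-member-links"))
        minimum = settings.get("active-links-minimum", 1)   # default is 1
        if not 1 <= minimum <= MAX_LINKS:
            findings.append((name, "min-links-range"))
        elif links and minimum > len(links):
            # The group could never reach its minimum and would stay down.
            findings.append((name, "min-links-unreachable"))
        if settings.get("frame-length", 128) not in FRAME_LENGTHS:  # default is 128
            findings.append((name, "frame-length"))
    return findings


if __name__ == "__main__":
    for interface, code in audit(SAMPLE_CONFIG):
        print(f"{interface}: {code}")
```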
Configuring an IMA Link Bundle
To configure an IMA link bundle on a 24-Port Channelized T1/E1 ATM CEoP SPA, perform the
following steps from global configuration mode:
Command or Action Purpose
Step 1 Router(config)# controller {t1 | e1} slot/subslot/port
Selects the controller for the link you want to add to an IMA link bundle (an IMA group).
• slot/subslot/port identifies the chassis slot, SPA subslot, and port being configured.
Step 2 Router(config-controller)# [no] ima-group group-number
Creates an IMA group and adds the link to the group. Use the no form of the command to remove
the link from the IMA group.
• group-number is a unique ID to assign to the group. Valid values are 0 through 41.
Note The group number must be unique for the SPA. The 24-Port Channelized T1/E1 ATM CEoP
SPA supports 24 IMA groups.
Step 3 Router(config-controller)# exit
Returns to global configuration mode.
Repeat steps 1 through 3 to add additional links to the IMA link bundle.
Note All links in an IMA group must be located on the same CEoP SPA.
Step 4 Router(config)# interface atmslot/subslot/imagroup-number
Selects the IMA interface for the link bundle you just created and enters interface
configuration mode.
• atmslot/subslot specifies the location of the interface.
• imagroup-number identifies the IMA group.
Step 5 Router(config-if)# pvc vpi/vci
Configures a PVC for the IMA group and assigns the PVC a VPI and VCI.
• vpi is the VPI of the PVC. Valid values are 0 to 255.
• vci is the VCI of the PVC. Valid values are 32 to 1 less than the value set by the
atm vc-per-vp command.
Note Do not specify 0 for both the VPI and VCI.
Step 6 Router(config-if)# xconnect peer-router-id vcid {encapsulation mpls | pseudowire-class name}
Configures a pseudowire to carry data from the IMA link bundle over the MPLS network. See the
“Configuring an ATM Pseudowire” section on page 10-22 for details on the command.
Step 7 Router(config-if)# ima command
Configures parameters for the IMA interface. See Table 10-2 for the configuration commands.
Step 8 Router(config-if)# end
Returns you to privileged EXEC mode.
Configuring IMA Group Parameters
Use the commands in Table 10-2 to configure parameters for an IMA group. Issue the commands in
interface configuration mode under the IMA interface of the IMA group being configured. Use the no
form of each command to turn off a feature or to revert to its default setting.
Note If you modify parameters on an IMA interface, the interface is automatically restarted.
Table 10-2 IMA Interface Parameters
Command Name Description
[no] ima version {1.0 | 1.1} Selects which version of IMA to use. The default is version 1.1.
[no] ima active-links-minimum number Specifies the minimum number of IMA links that must be active for
the IMA group to be active, where:
• number is the number of links. Valid values are 1 through 16.
The default is 1.
The IMA group is active as long as the specified number of links is
active; otherwise, the group is brought down and remains out of
service until the minimum number of links becomes active again. To
determine an appropriate value, consider your application needs and
performance requirements, and the number of links in the group.
[no] ima clock-mode {common | independent} Sets the transmit clock mode for the links in the IMA group. The
default is common.
• common—All links use the same clock (which is derived from
the specified port).
• independent—Each link uses a different clock.
[no] ima frame-length {32 | 64 | 128 | 256} Specifies the number of cells in an IMA frame. The default is 128.
Because each IMA frame contains an ICP cell, this parameter also
controls how often ICP cells are sent over the links in the IMA
group. For example, with a frame length of 64, 1 out of every 64
cells on the link is an ICP cell.
The smaller the IMA frame length, the more often ICP cells are sent,
which reduces the amount of link bandwidth that is available for data.
[no] ima test [link link number] pattern pattern-id Sends a continuous test pattern over an IMA link to verify that the
link is operational. The pattern is looped back at the receiving end,
which is useful for troubleshooting the physical link or
configuration problems at the remote end. Use the no form of the
command to stop the test.
• link link number identifies the IMA link to test. For link
number, specify the link ID that is displayed by the show ima
interface interface command. Valid values are 0 through 15.
• pattern pattern-id specifies the pattern to use. Valid values are
0 through 255 (0 to 0xFF), although 255 is not recommended.
Note If you do not specify a link, the test pattern is sent over the
first available link.
[no] ima differential-delay-maximum milliseconds Specifies the maximum allowable differential delay (in
milliseconds) among links in the IMA group. If the delay on any
link exceeds this value, that link is dropped from the IMA group.
IMA sends cells round-robin over the T1 or E1 links in an IMA group,
and every link adds some delay. To enable the router to correctly
reconstruct the original data stream, IMA adjusts for differences in
link delay. However, if a link’s delay is greater than the specified
maximum, the data stream cannot be reconstructed correctly.
Valid values for milliseconds are:
• 25 to 250 milliseconds (T1)
• 25 to 190 milliseconds (E1)
A shorter delay allows less adjustment among link delay variations.
However, a longer delay can affect overall group performance by
adding more latency to traffic or causing retransmission.
[no] ima autorestart {near-end-id near-end-group-id
[far-end-id far-end-group-id]}
Enables the auto restart feature, which controls how IMA groups sync
up after a restart. The no form of the command disables auto restart if
it is enabled. See “IMA Auto Restart Examples” for examples.
When an IMA group stops operating correctly (for example, due to
a failure with the CEoP SPA, an IMA link, or the router), the group
must be restarted. When a restart occurs, the local IMA group must
sync up with an IMA group at the remote end:
• If auto restart is disabled (the default), IMA learns the ID of the
remote group each time a restart occurs. In this case, the remote
IMA group ID might change between restarts.
• If auto restart is enabled, you can specify which remote IMA
group the local group should sync up with. This allows you to
keep an IMA group from syncing up with any group ID.
The near-end-id and far-end-id keywords identify the IMA groups.
Valid values for near-end-id are 0-41. Valid values for far-end-id are
0-255.
• near-end-id near-end-group-id is the local IMA group.
• far-end-id far-end-group-id is the remote IMA group.
If you specify near-end-id only, the local IMA group learns the
ID of the remote group to sync up with (which will be the first
remote IMA group to become active). This learned remote group ID
remains active until the SPA is reloaded.
If you specify both near-end-id and far-end-id, the local IMA
group will only synchronize with this remote IMA group. Both the
near-end and far-end IDs must be the same.
ima restart Manually restarts an IMA group. When an IMA group stops operating
correctly (for example, due to a link failure), you can use this command
to restart the group after the problem has been corrected.
Verifying the IMA Configuration
To display information about all configured IMA groups, or a specific group, use the show ima interface
command in privileged EXEC mode:
show ima interface atmslot/subslot/imagroup-number [detail]
In the following example, information is displayed for IMA group 1 (on the SPA in slot 5, subslot 0):
Router# show ima interface atm5/0/ima1
ATM5/0/ima1 is up, ACTIVATION COMPLETE
Slot 5 Slot Unit 0 unit 257, CTRL VC 257, Vir 0, VC -1
IMA Configured BW 12186, Active BW 3046
IMA version 1.0, Frame length 128
Link Test: Disabled
Auto-Restart: Disabled
ImaGroupState: NearEnd = operational, FarEnd = operational
ImaGroupFailureStatus = noFailure
IMA Group Current Configuration:
ImaGroupMinNumTxLinks = 1 ImaGroupMinNumRxLinks = 1
ImaGroupDiffDelayMax = 25 ImaGroupNeTxClkMode = common(ctc)
ImaGroupFrameLength = 128 ImaTestProcStatus = disabled
ImaGroupTestLink = None ImaGroupTestPattern = 0x0
ImaGroupConfLink = 8 ImaGroupActiveLink = 2
IMA Link Information:
ID Link Link Status Test Status
---- -------------- ------------------------------ ---------------
0 T1 5/0/0 Up - controller Up disabled
1 T1 5/0/1 Up - controller Up disabled
2 T1 5/0/2 Down - controller Up disabled
3 T1 5/0/3 Down - controller Up disabled
4 T1 5/0/4 Down - controller Up disabled
5 T1 5/0/5 Down - controller Up disabled
6 T1 5/0/6 Down - controller Up disabled
7 T1 5/0/7 Down - controller Up disabled
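The bandwidth figures in this output follow from the link count and the IMA frame length, so a monitoring script can recompute them and flag a degraded bundle. The following Python code is an added example, not Cisco code: SAMPLE_OUTPUT is a subset of the output above, the finding codes and function names are constructed, and the 2048/2049 stuff-cell factor comes from the ATM Forum IMA specification rather than from this guide. Truncating to whole kbps is an assumption chosen because it reproduces both BW values shown, and the same formula yields the 5.52 Mbps quoted for four T1 links in Figure 10-3.

```python
import re

# Subset of the "show ima interface atm5/0/ima1" output printed above.
SAMPLE_OUTPUT = """\
ATM5/0/ima1 is up, ACTIVATION COMPLETE
IMA Configured BW 12186, Active BW 3046
IMA version 1.0, Frame length 128
ImaGroupMinNumTxLinks = 1 ImaGroupMinNumRxLinks = 1
ImaGroupConfLink = 8 ImaGroupActiveLink = 2
0 T1 5/0/0 Up - controller Up disabled
1 T1 5/0/1 Up - controller Up disabled
2 T1 5/0/2 Down - controller Up disabled
3 T1 5/0/3 Down - controller Up disabled
4 T1 5/0/4 Down - controller Up disabled
5 T1 5/0/5 Down - controller Up disabled
6 T1 5/0/6 Down - controller Up disabled
7 T1 5/0/7 Down - controller Up disabled
"""

# Payload rate of one link in kbps: 24 x 64 for T1, 30 x 64 for E1.
LINK_PAYLOAD_KBPS = {"T1": 1536, "E1": 1920}
LINK_RE = re.compile(r"^\s*\d+\s+(T1|E1)\s+(\d+/\d+/\d+)\s+(Up|Down)\b", re.M)


def ima_cell_rate_kbps(links, kind, frame_length):
    """ATM-layer cell rate of an IMA group in kbps.

    One cell per IMA frame is an ICP cell, which leaves (M - 1) / M of each
    link, and one stuff cell is added per 2048 cells (factor 2048 / 2049).
    Integer arithmetic truncates to whole kbps (assumption, see lead-in).
    """
    return (links * LINK_PAYLOAD_KBPS[kind] * (frame_length - 1) * 2048
            // (frame_length * 2049))


def payload_mbps(links, kind, frame_length):
    """Bandwidth left for packet traffic after the 5-byte ATM cell header."""
    return round(ima_cell_rate_kbps(links, kind, frame_length) * 48 / 53 / 1000, 2)


def check_group(output):
    """Cross-check one group's reported bandwidth against its link states."""
    conf_bw, active_bw = map(int, re.search(
        r"Configured BW (\d+), Active BW (\d+)", output).groups())
    frame_length = int(re.search(r"Frame length (\d+)", output).group(1))
    min_links = int(re.search(r"ImaGroupMinNumTxLinks = (\d+)", output).group(1))
    links = LINK_RE.findall(output)            # [(kind, controller, status)]
    if not links:
        raise ValueError("no IMA link rows found")
    kind = links[0][0]
    up = [ctrl for _, ctrl, status in links if status == "Up"]
    down = [ctrl for _, ctrl, status in links if status == "Down"]

    findings = []
    if ima_cell_rate_kbps(len(links), kind, frame_length) != conf_bw:
        findings.append("configured-bw-mismatch")
    if ima_cell_rate_kbps(len(up), kind, frame_length) != active_bw:
        findings.append("active-bw-mismatch")
    if down:
        findings.append("links-down")
    if len(up) <= min_links:
        # Losing one more link drops the group below active-links-minimum.
        findings.append("no-margin-above-minimum")
    return {
        "up": up,
        "down": down,
        "capacity_pct": 100 * active_bw // conf_bw,
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_group(SAMPLE_OUTPUT)
    print(result["findings"], f"{result['capacity_pct']}% of configured bandwidth")
    print("4 x T1, frame length 128:", payload_mbps(4, "T1", 128), "Mbps")
```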
IMA Auto Restart Examples
IMA auto restart is disabled by default, which means that IMA learns the ID of the remote IMA group
each time a restart occurs. To see the current settings for auto restart, issue the show ima interface
command and view the Auto-Restart section of the command output.
Following are several examples of different ways to enable auto restart:
• To enable auto restart so that the local IMA group synchronizes with the first remote IMA group that
becomes active, issue the command as follows (where near-end-group-id identifies the local IMA
group). The learned remote group ID remains active until the SPA is reloaded.
ima autorestart near-end-id near-end-group-id
• To specify which remote IMA group the local IMA group should sync up with, issue the command
as follows (where near-end-group-id identifies the local IMA group and far-end-group-id identifies
the remote IMA group). Both near-end and far-end IDs must be the same.
ima autorestart near-end-id near-end-group-id far-end-id far-end-group-id
• To disable auto restart and have IMA learn the remote IMA group ID after each restart, issue the
command as follows:
no ima autorestart
Configuring Clocking
This section provides information about how to configure clocking on the 24-Port Channelized T1/E1
ATM CEoP SPA and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA. It describes the following
topics:
• BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400, page 10-37
• Configuring Clock Recovery, page 10-40
• Verifying Clock Recovery, page 10-41
• Configuring Out-of-Band Clocking, page 10-42
BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400
You can use the BITS Clock Support—Receive and Distribute—CEoP SPA on SIP-400 feature to select
and configure a clock and distribute it across the chassis to be used as the Transmit reference on all SPA
ports.
The BITS Clock support - Receive and Distribute - CEoP SPA on SIP-400 feature is supported on Cisco
IOS Release 12.2SRB on the SPA-24CHT1-CE-ATM and the SPA-1CHOC3-CE-ATM, SPA-4XOC3
ATM, SPA-1xOC12/STM4 POS SPAs.
The line card operates in three different modes, depending on the configuration and the configured
source state.
• Free-running—A line card that is not participating in network-clocking or a line card that is actively
sourcing the clock operates in free-running mode. In this mode, the line card internal oscillator
generates the reference clock to the backplane.
Note In a nonparticipating mode or a disabled mode, the line card distributes a Stratum 3-quality
timing signal to an external reference clock. Other interfaces on different line cards receive
either the backplane reference clock or the external reference clock depending on their
configurations.
• Normal—In normal mode, the module synchronizes with an externally supplied network timing
reference, sourced from one of the chassis BITS inputs or recovered from a network interface. In
this mode, the accuracy and stability of the output signal is determined by the accuracy and stability
of the input reference.
Note Line card operation is in free-running mode only if the SIP-400 is configured as the active
source; otherwise the line cards operate in normal mode.
• Holdover—In holdover mode, the network timing module generates a timing signal based on the
stored timing reference used when operating in normal mode. Holdover mode is automatically
selected when the recovered reference is lost or has drifted excessively.
Note You cannot configure the drift range; it is set internally on the line card to +/-9.2 phase shifts per
minute (ppm) by default.
Note All line cards operate in the free-running mode until network clock is configured.
Guidelines
Use the following guidelines:
• The SIP-400 operates in free-running mode until network clock is configured.
• When the network clocking configuration is present in the startup configuration, the clocking
configuration is not applied until five minutes after the configuration has been parsed. This prevents
clocking instability on the backplane when the interfaces/controllers come up out of order.
• Network clocking is enabled by default for the SIP-400.
• Cisco IOS Release 12.2SRB does not support local network clock configurations or synchronization
status messaging (SSM).
• If there is a source flap, there is an interval of 180 seconds before the source becomes valid and
active.
• In the event of an Out-of-Range (OOR) switchover (revertive mode), the source switchover occurs
when the clock offset crosses the -9.2 ppm or +9.2 ppm threshold. If this occurs, you must
reconfigure the source.
Configuration Tasks
To configure Network Clocking for the Cisco 7600/SIP-400, use the following commands:
Command or Action Purpose
Router# [no] network-clock select priority interface | controller | slot | system interface name [global][local]
Selects an interface or controller and configures it as a network clock source at a particular
priority.
• system—Required for platforms that have an internal clock generator. Not applicable for the
Cisco 7600 series routers.
• priority—Configures the priority of network clock source. Values range from 1 to 6.
• interface name—Configures the network-clock-source to the selected interface.
• global—Configures the network clock to use a global configuration.
• local—Configures the network clock to use a local configuration.
Note Configure only one source at a time.
Router# [no] network-clock participate slotnum
Enables a line card to participate in the network clocking feature. This is the default mode. The
no form of this command prevents a line card from participating in the network clocking feature.
When a slot is disabled, it can neither source nor take the clock from the backplane.
Router# [no] network-clock revertive
Configures revertive behavior on the network clock. When revertive mode is configured and a
previously unavailable higher priority source comes up, this source becomes the active clock and
the previous active source becomes the standby clock. Revertive mode is the default mode and is
applicable for all types of interface failures. The alternate source is selected only if there is an
interface failure; the alternate source is not selected when a source is supplying the bad clock.
The no form of this command configures nonrevertive mode.
Router(config)# [no] network-clock switchover marginal-source
Prevents an interface from sending an OOR clock. A clock that exceeds the +/-9.2 ppm threshold
goes into an OOR state and the next alternate source is selected as active. Use the no form of
this command to disable it. The default is that switchover occurs on a bad clock.
Router# clock source {line | internal | network}
Enables network clocking and configures clocking on the interface.
• line—Specifies clock recovered from line
• internal—Specifies SPA internal clock or clock from the host
• network—Specifies network clock or the host card’s internal oscillator
Router# show network-clocks
Displays details about the configured clocks and the current operational clocks and provides
status information.
Router# show platform hardware network-clocks
Shows the mode of operation of the line cards along with relevant SONET clock register settings.
This command is available for line card consoles only.
Router# debug network-clock
When enabled, this command helps in debugging network clocking feature operation.
Router# debug network-clock redundancy
Enables high availability (HA) related debugging.
Verifying
Use the show platform hardware network-clocks command to verify.
SIP-400-4# show plat hardware network-clocks
SONET Clock Register = 0x20CA8000
SONET Clock Interrupt Enable Register = 0x0
SONET Clock Interrupt Status Register = 0x0
MT90401 Reference : Primary Free Running
Primary : SPA 0
Secondary : SPA 0
Backplane Reference
Primary DISABLED : SPA 0
Secondary DISABLED : SPA 0
Status :
Lock : 0 HoldOver : 0 SecOOR : 1 PriOOR : 1
CLK_2M_OK : 1
Config :
PCCI : 0 FLOCK : 0 ModeSel : 2
SI5321 CAL Signal : 0 SI5321 LOS Signal : 0
SI5321 HoldOver : 0
SIP-400-4#
Use the show network-clocks command to verify the output on the RP.
Router# show network-clocks
Active source = SONET 1/3/0
Active source backplane reference line = Primary Backplane Clock
All Network Clock Configuration
---------------------------------
Priority Clock Source State Reason
1 SONET 1/3/0 Valid
Current operating mode is Revertive
Current OOR Switchover mode is Switchover
There are no slots disabled from participating in network clocking
Configuring Clock Recovery
When configuring clock recovery, consider the following guidelines:
Adaptive Clock Recovery
• Clock source:
– In Cisco IOS Release 12.2(33)SRC and later, both the 1-Port Channelized OC-3 STM1 ATM
CEoP SPA and the 24-Port Channelized T1/E1 ATM CEoP SPA can be used as a clock source.
– In earlier releases, only the 24-Port Channelized T1/E1 ATM CEoP SPA can be a clock source.
– Effective from Cisco IOS Release 15.1(1)S, the 2XT3E3 CE/ATM SPA supports adaptive
clock recovery for T3/E3 CEM. Out of Band (OOB) Clocking for T3/E3 CEM is not supported
due to lack of hardware support.
• Number of clock sources allowed:
– In Cisco IOS Release 12.2(33)SRC and later, multiple clocks can be sourced for the router:
one clock for each SPA.
– In earlier releases, only a single clock can be sourced for a router.
• The clock must be the same as used by the router as the network clock. Any pseudowire in this case
can carry the clock.
• The minimum bundle size of CEM pseudowires on the network that delivers robust clock recovery
is 4 DS0s.
• The minimum packet size of CEM pseudowires on the network that delivers robust clock recovery
is 64 bytes.
Differential Clocking
• The maximum number of differential clocks sourced from a 24-Port Channelized T1/E1 ATM CEoP
SPA is 24.
• The 24-Port Channelized T1/E1 ATM CEoP SPA can recover up to 24 T1/E1 clocks.
• When several bundles are sent from the same port, the bundle that carries the clock of the port
is the first bundle created on the port. Only pseudowires that include the first DS0 of a port
can carry differential clock.
To configure clock recovery on a 24-Port Channelized T1/E1 ATM CEoP SPA, use the following
procedure:
Command or Action Purpose
Step 1 Router(config)# controller {e1 | t1} slot/subslot/port Selects the controller.
Step 2 Router(config-controller)# recovered-clock slot/subslot Specifies the interface for the recovered clock.
Step 3 Router(config-controller)# clock recovered clock-id {adaptive | differential} cem port cem-group
Specifies the recovered clock number and the clock recovery type.
Step 4 Router(config-controller)# clock reference {enhanced | internal} Specifies the clock reference.
Step 5 Router(config-controller)# clock master Configures the clock master.
Step 6 Router(config-controller)# clock slave Configures the clock slave.
To apply the recovered clock to the controller, use the following procedure:
Command or Action Purpose
Step 1 Router(config)# controller {e1 | t1} slot/subslot/port Selects the controller.
Step 2 Router(config-controller)# clock source recovered number Assigns a number to the recovered clock.
Step 3 Router(config-controller)# cem-group number timeslots number
Creates a circuit emulation channel from one or more time slots of a T1 or E1.
Step 4 Router(config-controller)# recovered-clock slot/subslot Applies the recovered clock to the interface.
Step 5 Router(config-controller)# clock recovered clock-id {adaptive | differential} cem port cem-group
Specifies the recovered clock number and the clock recovery type.
Verifying Clock Recovery
To verify clock recovery, use the show recovered-clock command. In Cisco IOS Release 12.2SRB1 and
later, command output has been expanded to include the port number and CEM group number.
Router# show recovered-clock
Recovered clock status for subslot 3/0
----------------------------------------
Clock Mode Port CEM Status Frequency Offset(ppb)
1 ADAPTIVE 0 1 HOLDOVER 0
Router# show recovered-clock
Recovered clock status for subslot 3/0
----------------------------------------
Clock Mode Port CEM Status Frequency Offset(ppb)
1 ADAPTIVE 0 1 ACQUIRING -694
Use the show platform network-clock command to display the contents of network clocking registers.
Router# show platform network-clock
SONET Clock Register = 0x20EB80C8
SONET Clock Interrupt Enable Register = 0x0
SONET Clock Interrupt Status Register = 0x2
MT90401 Reference : Primary Reserved
Primary : SPA 0
Secondary : SPA 0
Backplane Reference
Primary ENABLE : SPA 0
Secondary ENABLE : MT90401
Status :
Lock : 0 HoldOver : 1 SecOOR : 1 PriOOR : 1
CLK_2M_OK : 1
Config :
PCCI : 0 FLOCK : 0 ModeSel : 3
SI5321 CAL Signal : 0 SI5321 LOS Signal : 0
SI5321 HoldOver : 0
Configuring Out-of-Band Clocking
A TDM network requires a synchronized clock at each end of the connection (the source and
destination). This means that the source and destination clock signals must be synchronized to each other
in order to maintain data integrity on the communication link.
On the other hand, a packet-switched network (PSN) does not use a clocking strategy, which means that
the PSN does not provide frequency synchronization between source and destination routers. Therefore,
to transmit TDM data across a PSN (such as an MPLS network), we need a way to deliver the clocking
signal between the source and destination routers.
Out-of-band clocking provides a way to deliver a clock signal between two CEoP SPAs, which allows
TDM devices connected to the SPAs to communicate with each other. Dedicated pseudowires (called
out-of-band clock channels) carry the timing signal between the sending and receiving SPAs. When a
TDM device sends data to a destination TDM device, the receiving SPA uses the out-of-band clock
channel to recover the clock signal that was used to send the data.
By keeping the timing packets separate from data packets, out-of-band clocking delivers an extremely
accurate timing signal. This timing accuracy is important for mobile wireless applications and other
specialized applications that have very low tolerances for such things as packet delay variation (PDV),
jitter, and latency in the network. In-band clocking (where timing information is derived from the data
stream) does not provide a clock that is accurate enough for these applications.
To set up out-of-band clock channels, you must configure a master clock interface and a slave clock
interface on the SPAs and configure pseudowires to connect the master and slave clocks. Instructions for
performing these steps are provided later in this section.
Benefits
Out-of-band clocking provides the following benefits:
• Enables mobile wireless providers to migrate from TDM networks to PSNs in order to save on costs
and improve scalability.
• CEoP equipment can ignore the contents of the timing packets that are sent over the out-of-band
clock channel because the packets do not contain data.
• Allows the CEoP SPA to be used for applications that use something other than constant bit rate
(CBR) data. For example, out-of-band clocking allows the SPA to be used for 3G (data) wireless
applications, which use AAL2 in variable bit rate (VBR) mode. In addition, out-of-band clocking
allows the SPA to be used for 2G (voice) applications.
• Provides recovered clock accuracy that complies with ITU-T specifications G.823 and G.824, which
enables the CEoP SPA to be used in mobile and wireless applications (including voice) that require
extreme synchronization accuracy.
• Provides an alternative clock-recovery mechanism when adaptive clocking cannot be deployed.
• Enables the CEoP SPA to be the master clock in a PSN.
• Makes it possible to have two master clocks. Previously, only one master clock was possible.
Configuration Guidelines
The following guidelines apply to out-of-band clocking on CEoP SPAs:
• The default packet size for out-of-band clock channels (CEM circuits) is 910 bytes.
• Out-of-band clocking can co-exist with Stateful SwitchOver (SSO), but it is not SSO compliant.
Therefore, if a switchover occurs, the out-of-band clocking functionality is not available for a brief
period of time while the feature is brought back online.
• A CEoP SPA cannot be configured as both a master and slave clock. To reconfigure a SPA’s clock
type, you must first remove the existing clock configuration (master or slave).
• Pseudowires for out-of-band clocking are configured under the virtual CEM interface that represents
the recovered clock interface. This process differs from normal CEM pseudowires, which are
configured under the port (controller interface).
When no network clock is available, the virtual CEM interface goes down and the pseudowire is
disabled. This process is reversed when a valid network clock becomes available again. Normal
CEM interfaces never go down, even if the associated physical link is down.
• The master clock pseudowire and slave clock pseudowire should be on different CEoP SPAs.
Router Sending Clock (Master Clock)
• You must select the common telecom 19.44MHz clock as the recovered clock to use for the
master clock.
• A maximum of 64 out-of-band clock channels can be configured from the CEoP SPA that provides
the master clock signal.
• The out-of-band clock channel (pseudowire) is configured under the virtual CEM interface that
represents the SPA from which the master clock is recovered. The xconnect command used to create
the clock channel must specify the destination for the clock signal.
• The out-of-band clock stream is sent in SAToP (unframed) format.
Router Recovering Clock (Slave Clock)
• The out-of-band clock signal is always recovered in adaptive mode. The clock signal can then be
used to drive all of the ports on the CEoP SPA.
• Two CEM circuits (a primary and a secondary out-of-band channel) can be configured under a slave
clock interface, one for each of two master clock signals. This way, the SPA can receive a master
clock signal from two separate sources (that is, two master clocks).
• Under the slave clock interface, the xconnect command (used to create the out-of-band clock channel)
must specify the router from which the master clock is recovered.
Configuration Overview
The following steps provide a high-level overview of the procedure for configuring out-of-band clocking
between two CEoP SPAs. Detailed steps are provided in the sections that follow.
Before you begin, determine which CEoP SPAs have TDM devices connected to them. You must
configure an out-of-band clock channel to deliver the clock signal from each SPA that sends TDM data
to every destination SPA that receives the data.
1. Use the recovered clock command to identify the CEoP SPA that is to send TDM data across the
MPLS network. This SPA’s clock is used as the master clock for out-of-band clocking.
2. Configure master and slave clock interfaces to represent the source (clock master) and destination
(clock slave) for the out-of-band clock signal. The master and slave clock interfaces (and
pseudowires) should be configured on different SPAs.
a. The master clock interface represents the master clock, which is distributed to all destination
CEoP SPAs that receive data from the source TDM device connected to this SPA. (See the
“Creating and Configuring the Master Clock Interface” section on page 10-45 for instructions.)
b. Configure a slave clock interface on each of the SPAs connected to TDM devices that can
receive data from the source TDM device. (See the “Configuring the Slave Clock Interface”
section on page 10-46 for detailed instructions.)
Note When you configure a master or slave clock interface, the router creates a virtual CEM interface
to represent this out-of-band clock. The virtual CEM interface has the same slot and subslot
information as the CEoP SPA from which the master clock is recovered. The port number is
always 24. For example, if the clock signal is recovered from the SPA in slot 8, subslot 1
(recovered-clock 8 1), the virtual CEM interface is virtual-cem8/1/24.
3. Under both the master and slave clock interfaces, use the cem circuit-id command to configure CEM
circuits to represent the out-of-band channels that will distribute the clock signal over the MPLS
network. Each CEM circuit represents a separate out-of-band channel for delivering the clock signal
from the source (master clock) to a destination TDM device (slave clock). The out-of-band clock
channel is created when you issue the xconnect command in the next step.
– Under the master clock interface, you can configure up to 64 CEM circuits, one for each of the
destination TDM devices that will use this clock signal as its master clock.
– Under the slave clock interface (on the destination TDM device), you can configure one or two
CEM circuits. Two CEM circuits are allowed because the clock slave can receive a clock signal
from two master clocks.
Note Each out-of-band clock channel requires two CEM circuits (one on the master clock
interface and one on the slave clock interface). Each CEM circuit represents the CEM
attachment circuit at one end of the out-of-band clock channel.
4. Create the out-of-band channel for the clock signal by using the xconnect command to configure
two pseudowires between the CEM circuit on the master clock interface and the CEM circuit on the
slave clock interface. The master clock pseudowire and slave clock pseudowire should be on
different SPAs; however, you should use the same VCID for both pseudowires.
a. Under the master clock interface, configure a pseudowire to the destination device (slave clock).
b. Under the slave clock interface (on the SPA that connects to the destination TDM device),
configure a pseudowire to the router that contains the master clock interface.
Creating and Configuring the Master Clock Interface
To create the master clock interface for out-of-band clocking, perform the following steps:
Note A CEoP SPA cannot be configured as both master and slave at the same time. To reconfigure a SPA’s
clock type, you must first remove the existing clock configuration.
Step 1
Command or Action: Router(config)# recovered-clock slot/subslot
Purpose: Specifies the slot and subslot of the CEoP SPA to recover the master clock signal from. This is
the SPA from which the TDM data will be sent.
Note You must specify the 19.44MHz clock as the recovered clock to use as the clock master.
Step 2
Command or Action: Router(config)# clock master
Purpose: Specifies that the recovered clock is to be used as the master clock signal for out-of-band
clocking. The router creates a virtual CEM interface for the master clock. Go to the following steps to
configure an out-of-band channel to use for the master clock.
To configure the out-of-band channel to use for the master clock signal, perform the following steps:
Step 1
Command or Action: Router(config)# int virtual-cem slot/subslot/port
Purpose: Selects the virtual CEM interface for the master clock and enters interface configuration mode.
The interface has the same slot and subslot as the SPA from which the master clock was recovered (Step 1
in the preceding task), and the port number is always 24.
Step 2
Command or Action: Router(config-if)# cem circuit-id
Purpose: Creates a CEM attachment circuit for the master clock signal. Valid values for circuit-id are
0 to 63.
Note You can configure up to 64 CEM circuits under the master clock interface.
Step 3
Command or Action: Router(config-if-cem)# xconnect peer-router-id vcid encapsulation mpls
Purpose: Configures an out-of-band channel (pseudowire) to carry the master clock signal.
• peer-router-id is the IP address of the router that is connected to the destination TDM device.
• vcid is a 32-bit identifier for the pseudowire.
• encapsulation mpls sets MPLS for the tunneling mode.
Note Use the same vcid for the master and slave clock pseudowires; otherwise, the clock channel does
not come up.
Step 4
Command or Action: Router(config-if-cem-xconn)# end
Purpose: Exits CEM interface configuration mode and returns you to privileged EXEC mode.
Configuring the Slave Clock Interface
To configure the slave clock interface and out-of-band channel to use for out-of-band clocking, perform
the following steps. Configure a slave clock interface on every CEoP SPA that receives TDM data from
the SPA configured as the master clock in the preceding section.
Step 1
Command or Action: Router(config)# recovered-clock slot/subslot
Purpose: Specifies the slot and subslot of the CEoP SPA from which the master clock is recovered.
Step 2
Command or Action: Router(config)# clock slave
Purpose: Creates a virtual CEM interface to represent the clock slave for out-of-band clocking.
Step 3
Command or Action: Router(config)# int virtual-cem slot/subslot/port
Purpose: Enters configuration mode for the virtual CEM interface that represents the clock slave.
• slot/subslot is the slot and subslot of the SPA from which the master clock was recovered
(Step 1 above).
• port is always 24.
Step 4
Command or Action: Router(config-if)# cem circuit-id
Purpose: Creates a CEM attachment circuit for the clock slave. The circuit-id value can be:
• 0—The primary clock source.
• 1—The secondary clock source.
Note You can configure up to two CEM circuits, one for each of two master clock signals.
Step 5
Command or Action: Router(config-if-cem)# xconnect peer-router-id vcid encapsulation mpls
Purpose: Configures an out-of-band channel (pseudowire) to carry the clock signal.
• peer-router-id is the IP address of the router that is connected to the source TDM device.
• vcid is a 32-bit identifier for the pseudowire.
• encapsulation mpls sets MPLS for the tunneling mode.
Note Use the same VCID for the master and slave clock pseudowires; otherwise, the clock channel does
not come up.
Step 6
Command or Action: Router(config-if-cem-xconn)# end
Purpose: Exits CEM interface configuration mode and returns you to privileged EXEC mode.
Verifying Out-of-Band Clocking
This section lists the show commands that you can use to verify the out-of-band clocking configuration.
• Use the show ip interface brief command to display the virtual CEM interfaces that the router
created to represent master and slave clock interfaces. The output in the following example shows
only the virtual CEM interface. Information for all other interfaces is omitted from the display.
Router# show ip int brief
. . .
Virtual-cem8/1/24 unassigned YES unset up up
. . .
• Use the show cem circuit command to display a list of CEM circuits configured on the SPA.
The command displays both normal and out-of-band clocking CEM circuits.
Router# show cem circuit
CEM Int. ID Line Admin Circuit AC
--------------------------------------------------------------
CEM8/1/1 1 DOWN DOWN Active --/--
Virtual-cem8/1/1 DOWN UP Active UP
• Use the show cem interface virtual-cem slot/subslot/port command to display information about a
particular virtual CEM interface:
Router# show cem interface virtual-cem 8/1/24
(Virtual-cem8/1/24) State: CONFIG COMPLETE
Virtual CEM Slave Clock Interface
Slot 8, Slot Unit 88, VC -1
Total cem circuits: 1
Cem circuits up : 1
Cem circuits down : 0
• Use the show run interface virtual-cem slot/subslot/port command to display the current running
configuration for the specified interface:
Router# show run int virtual-cem 8/1/24
Building configuration...
Current configuration : 117 bytes
!
interface Virtual-cem8/1/24
no ip address
cem 1
rtp-present
xconnect 20.0.0.1 300 encapsulation mpls
!
end
• Use the show run | begin recovered command to display the recovered clock being used for
out-of-band clocking:
Router# show run | begin recovered
recovered-clock 8 1
clock master
• On the clock slave, you can use the show recovered-clock command to display the status of the
out-of-band clock:
Router# show recovered-clock
Recovered clock status for subslot 3/0
----------------------------------------
Clock Mode Port CEM Status Frequency Offset(ppb)
ENHANCED PRIMARY 0 HOLDOVER 0
Removing the Out-of-Band Clocking Configuration
Use the following commands to delete the various components used for out-of-band clocking:
• To remove a CEM circuit, use the no cem circuit-id command (where circuit-id is the number
assigned to the circuit). Issue the command under the virtual CEM interface where the circuit exists.
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# int virtual-cem 8/1/24
Router(config-if)# no cem 1
Router(config-if)# end
• To remove a virtual CEM interface, use the no clock master or no clock slave command in
recovered-clock configuration mode, as shown in the following examples. Note that the virtual CEM
interface is not deleted when you remove the last CEM circuit under the interface.
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# recovered-clock 8 1
Router(config-clock)# no clock master
Router(config-clock)# end
Router#
In the following example, the no clock slave command deletes the slave clock interface for the
recovered clock (which is 8/1):
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# recovered-clock 8 1
Router(config-clock)# no clock slave
Router(config-clock)# end
Router#
Out-of-Band Clocking Configuration Example
This section provides an example of how to configure out-of-band clocking between two CEoP SPAs. It
is divided into several different configuration sections.
Configuring the Master Clock Interface
The following example shows how to configure a CEoP SPA as a master clock and verify the
configuration:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router (config)# recovered-clock ?
<0-14> Slot number
Router (config)# recovered-clock 8 1
Router(config-clock)# clock ?
master Configure clock master on the card
recovered Configure recovered clock on the card
reference Configure reference clock on the card
slave Configure clock slave on the card
Router(config-clock)# clock master
Router(config-clock)# end
Router# show run | begin recovered
recovered-clock 8 1
clock master
Configuring the Slave Clock Interface
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# recovered-clock 8 1
Router(config-clock)# clock slave
Router(config-clock)# end
Router#
Router# show run | begin recovered-clock
recovered-clock 8 1
clock slave
Verifying the Virtual CEM Interface Configuration
The router creates a virtual CEM interface when you configure either the master or slave clock interface.
You can view the interface using the show ip interface brief command:
Router# show ip int br
…
Virtual-cem8/1/24 unassigned YES unset up up
…
Router# sh run int Virtual-cem 8/1/24
Building configuration...
Current configuration : 50 bytes
!
interface Virtual-cem8/1/24
no ip address
end
Configuring CEM Circuits for Out-of-Band Clocking Example
This section provides an example of how to configure CEM circuits and pseudowires for out-of-band
clocking. The sample configuration shows the circuits and pseudowires configured on a CEoP SPA in
PE1, which sends TDM data to another CEoP SPA in PE2.
You configure CEM circuits for the master and slave clocks under the virtual CEM interface that
represents the recovered clock that is being used for out-of-band clocking. This differs from normal
CEM circuits, which are configured under the SPA controller through the cem-group command.
Issuing the xconnect command under the master and slave CEM circuits configures an out-of-band clock
channel to use to send the clock signal from the sending SPA to the receiving SPA. Note that normal
CEM pseudowires are configured under the SPA controller interface.
Out-of-Band Clocking (PE1)
PE1# conf t
PE1(config)# int virtual-cem 8/1/24
PE1(config-if)# cem 1
PE1(config-if-cem)# xconnect 20.0.0.1 200 encap mpls
PE1(cfg-if-cem-xconn)# end
PE1# show run int Virtual-CEM 8/1/24
Building configuration...
Current configuration : 117 bytes
!
interface Virtual-cem8/1/24
no ip address
cem 1
rtp-present
xconnect 20.0.0.1 200 encapsulation mpls
!
end
Out-of-Band Clocking (PE2)
PE2# conf t
PE2(config)# int virtual-cem 8/1/24
PE2(config-if)# cem 1
PE2(config-if-cem)# xconnect 10.0.0.1 200 encap mpls
PE2(cfg-if-cem-xconn)# end
PE2# show run int Virtual-CEM 8/1/24
Building configuration...
Current configuration : 117 bytes
!
interface Virtual-cem8/1/24
no ip address
cem 1
rtp-present
xconnect 10.0.0.1 200 encapsulation mpls
!
end
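The guidelines and the PE1/PE2 example above can be checked mechanically before a change is pushed. The following Python code is an added example, not part of the Cisco guide: it parses running-config text and reports a SPA set as both master and slave, a virtual CEM port other than 24, a circuit-id outside the documented range, or a VCID present on only one end. The sample configurations are constructed from the outputs shown above (PE1 is assumed to be router 10.0.0.1 and PE2 router 20.0.0.1), and the function names are hypothetical.

```python
import re
from collections import defaultdict

VIRTUAL_CEM_PORT = 24                  # guide: the virtual CEM port number is always 24
VALID_IDS = {"master": range(0, 64),   # guide: circuit-id 0 to 63 under a master clock
             "slave": range(0, 2)}     # guide: 0 = primary, 1 = secondary under a slave


def parse(config):
    """Return (roles, circuits) from running-config text.

    roles:    {(slot, subslot): {"master", "slave"}}
    circuits: [(slot, subslot, port, circuit_id, peer, vcid)]
    """
    roles, circuits = defaultdict(set), []
    clock = iface = cem = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"recovered-clock (\d+) (\d+)", line):
            clock, iface, cem = (int(m[1]), int(m[2])), None, None
        elif (m := re.fullmatch(r"clock (master|slave)", line)) and clock:
            roles[clock].add(m[1])
        elif m := re.fullmatch(r"interface Virtual-cem(\d+)/(\d+)/(\d+)", line, re.I):
            clock, iface, cem = None, tuple(int(g) for g in m.groups()), None
        elif line.startswith("interface "):
            clock = iface = cem = None          # some other interface: leave context
        elif (m := re.fullmatch(r"cem (\d+)", line)) and iface:
            cem = int(m[1])
        elif (m := re.fullmatch(r"xconnect (\S+) (\d+) encapsulation mpls", line)) \
                and cem is not None:
            circuits.append((*iface, cem, m[1], int(m[2])))
    return roles, circuits


def audit_router(name, config):
    """Check one router's out-of-band clocking config against the guidelines."""
    roles, circuits = parse(config)
    findings = []
    for (slot, subslot), assigned in roles.items():
        if len(assigned) > 1:
            findings.append(f"{name}: SPA {slot}/{subslot} is both master and slave")
    for slot, subslot, port, cid, _peer, _vcid in circuits:
        where = f"{name} Virtual-cem{slot}/{subslot}/{port} cem {cid}"
        if port != VIRTUAL_CEM_PORT:
            findings.append(f"{where}: port must be {VIRTUAL_CEM_PORT}")
        assigned = roles.get((slot, subslot), set())
        if not assigned:
            findings.append(f"{where}: no clock role on recovered-clock {slot} {subslot}")
        for role in sorted(assigned):
            if cid not in VALID_IDS[role]:
                findings.append(f"{where}: circuit-id out of range for clock {role}")
    return findings


def audit_channel(master, slave):
    """master/slave are (name, router_ip, config). Check both pseudowire ends agree."""
    (m_name, m_ip, m_cfg), (s_name, s_ip, s_cfg) = master, slave
    to_slave = {c[5] for c in parse(m_cfg)[1] if c[4] == s_ip}
    to_master = {c[5] for c in parse(s_cfg)[1] if c[4] == m_ip}
    findings = audit_router(m_name, m_cfg) + audit_router(s_name, s_cfg)
    for vcid in sorted(to_slave ^ to_master):   # VCIDs seen on one end only
        side = m_name if vcid in to_slave else s_name
        findings.append(f"VCID {vcid} is configured only on {side}; "
                        "the clock channel will not come up")
    if not to_slave and not to_master:
        findings.append(f"no out-of-band clock channel between {m_name} and {s_name}")
    return findings


def sample(role, peer, vcid=200):
    """Constructed running-config, assembled from the outputs shown in this section."""
    return f"""recovered-clock 8 1
 clock {role}
!
interface Virtual-cem8/1/24
 no ip address
 cem 1
  rtp-present
  xconnect {peer} {vcid} encapsulation mpls
 !
end
"""


PE1 = ("PE1", "10.0.0.1", sample("master", "20.0.0.1"))
PE2 = ("PE2", "20.0.0.1", sample("slave", "10.0.0.1"))

if __name__ == "__main__":
    print(audit_channel(PE1, PE2) or "out-of-band clock channel is consistent")
```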
Configuring CEM Parameters
The following sections describe the parameters you can configure for CEM circuits.
Note The CEM parameters at the local and remote ends of a CEM circuit must match; otherwise, the
pseudowire between the local and remote PE routers will not come up.
Configuring Payload Size (Optional)
To specify the number of bytes encapsulated into a single IP packet, use the payload-size size command.
The size argument specifies the number of bytes in the payload of each packet. The range is from 32
to 1313 bytes.
Default payload sizes for an unstructured CEM channel are as follows:
• E1 = 56 bytes
• T1 = 192 bytes
• T3/E3 = 1024 bytes
Default payload sizes for a structured CEM channel depend on the number of time slots that constitute
the channel. Payload size (L in bytes), number of time slots (N), and packetization delay (D in
milliseconds) have the following relationship: L = 8*N*D. The default payload size is selected in such
a way that the packetization delay is always 1 millisecond. For example, a structured CEM channel of
16xDS0 has a default payload size of 128 bytes.
The payload size must be an integer multiple of the number of time slots for structured CEM
channels.
Setting the Dejitter Buffer Size
To specify the size of the dejitter buffer used to compensate for the network jitter, use the dejitter-buffer
size command. The configured dejitter buffer size is converted from milliseconds to packets and rounded
up to the next integral number of packets. Use the size argument to specify the size of the buffer, in
milliseconds. The range is from 1 to 500 ms; the default is 5 ms.
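The payload size and dejitter buffer rules above, as an added Python example that is not part of the Cisco guide: it validates one end of a structured CEM circuit against the documented ranges and the time-slot multiple, derives the packetization delay from L = 8*N*D, converts the dejitter buffer to packets, and lists the parameters that differ between the two ends. It assumes each packet spans D milliseconds for the dejitter conversion; the function and key names are hypothetical and the sample values are constructed.

```python
PAYLOAD_MIN, PAYLOAD_MAX = 32, 1313     # bytes, range stated in the guide
DEJITTER_MIN, DEJITTER_MAX = 1, 500     # milliseconds, range stated in the guide


def default_payload(timeslots):
    """Default for a structured channel: L = 8*N*D with D fixed at 1 ms."""
    return 8 * timeslots


def check_end(end):
    """Validate one end of a structured CEM circuit.

    end: dict with keys 'timeslots', 'payload' (bytes) and 'dejitter_ms'
         (hypothetical key names). Returns a list of problems, empty if none.
    """
    n, size, buf = end["timeslots"], end["payload"], end["dejitter_ms"]
    problems = []
    if not PAYLOAD_MIN <= size <= PAYLOAD_MAX:
        problems.append(f"payload {size} outside {PAYLOAD_MIN}-{PAYLOAD_MAX} bytes")
    if size % n:
        problems.append(f"payload {size} is not an integer multiple of {n} time slots")
    if not DEJITTER_MIN <= buf <= DEJITTER_MAX:
        problems.append(f"dejitter buffer {buf} ms outside {DEJITTER_MIN}-{DEJITTER_MAX} ms")
    return problems


def packetization_delay_ms(end):
    """D = L / (8*N), in milliseconds."""
    return end["payload"] / (8 * end["timeslots"])


def dejitter_packets(end):
    """Dejitter buffer in packets, rounded up to the next whole packet."""
    # ceil(buffer_ms / D) == ceil(buffer_ms * 8 * N / L); integer math avoids float error
    numerator = end["dejitter_ms"] * 8 * end["timeslots"]
    return -(-numerator // end["payload"])


def mismatches(local, remote):
    """Parameters that differ between the ends; any difference keeps the pseudowire down."""
    return sorted(k for k in local.keys() | remote.keys() if local.get(k) != remote.get(k))


# Constructed sample: a 16xDS0 channel at its default on one end, 256 bytes on the other.
LOCAL = {"timeslots": 16, "payload": default_payload(16), "dejitter_ms": 5}
REMOTE = {"timeslots": 16, "payload": 256, "dejitter_ms": 5}

if __name__ == "__main__":
    for name, end in (("local", LOCAL), ("remote", REMOTE)):
        print(name, check_end(end), packetization_delay_ms(end), dejitter_packets(end))
    print("mismatched parameters:", mismatches(LOCAL, REMOTE))
```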
Setting the Idle Pattern (Optional)
To specify the idle pattern, use the [no] idle-pattern pattern1 command. The payload of each lost
CESoPSN data packet must be replaced with the equivalent amount of the replacement data. The range
for pattern is from 0x0 to 0xFF; the default idle pattern is 0xFF.
Enabling Dummy Mode
Dummy mode enables a bit pattern for filling in for lost or corrupted frames. To enable dummy mode,
use the dummy-mode [last-frame | user-defined] command. The default is last-frame. The following
is an example:
Router(config-cem)# dummy-mode last-frame
Setting the Dummy Pattern
If dummy mode is set to user defined, you must use the dummy-pattern pattern command to configure
the dummy pattern. The range for pattern is from 0x0 to 0xFF. The default dummy pattern is 0xFF.
The following is an example:
Router(config-cem)# dummy-pattern 0x55
Shutting Down a CEM Channel
To shut down a CEM channel, use the shutdown command in CEM configuration mode. The shutdown
command is supported only under CEM mode and not under the CEM class.
Configuring Access Circuit Redundancy on CEoP and ATM SPAs
Access Circuit Redundancy (ACR) is supported on CEoP and ATM SPAs. The support enables local
switching for ATM, IMA and CEM interfaces. Similar to the virtual ACR interface for ATM SPAs, the
virtual CEM-ACR, IMA-ACR and ATM-ACR interfaces are created depending on the configuration.
For configuring ACR and virtual ACR interface for ATM SPAs, see Configuring Access Circuit
Redundancy on SIP-400 ATM SPAs, page 7-65.
Restrictions and Usage Guidelines
Follow these restrictions and usage guidelines while configuring ACR on CEoP and ATM SPAs:
• ACR support for CEoP SPAs is applicable for ATM, IMA, and CEM interfaces on the same router.
The support is not extended for multi level routers.
• Configure the frame manually under the virtual controller and two physical member controllers.
This is consistent across the interfaces.
• You can configure a maximum of 256 controllers on the ACR groups on a single router. But the
Cisco 7600 router can hold a maximum of 44 CEoP SPAs, which restricts the maximum number of
ACR controllers to 22.
• You cannot configure ACRs within the physical ATM, CEM, or IMA interfaces that are part of the
ACR group; configuration is allowed on the ATM-ACR, CEM-ACR, and IMA-ACR interfaces.
Configuring the ACR Group
This section provides the configuration for ACR in ATM, IMA, and CEM interfaces.
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 controller sonet slot/subslot/port
Step 4 aps group acr acr no
Step 5 aps working circuit number
Step 6 exit
Step 7 controller sonet slot/subslot/port
Step 8 aps group acr acr no
Step 9 aps protect circuit number ip-address
Step 10 aps revert minutes
Step 11 exit
DETAILED STEPS
Step 1
Command or Action: Router# enable
Purpose: Enables privileged EXEC mode.
Step 2
Command or Action: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: Router(config)# controller sonet slot/subslot/port
Purpose: Select the controller to configure and enter controller configuration mode.
Step 4
Command or Action: Router(config-controller)# aps group acr acr no
Purpose: This command configures the APS group for the controller.
acr—This command configures the ACR group on top of APS.
acr no—This specifies a group number between 0 and 255. An ACR virtual controller is created.
Step 5
Command or Action: Router(config-controller)# aps working circuit number
Purpose: Identifies the interface as the Working interface.
circuit-number—Identification number for this particular channel in the APS pair. Since the interface
only supports 1 + 1 redundancy, the valid values are 0 or 1, and the default value for working interface
is 1.
Step 6
Command or Action: Router(config-controller)# exit
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Step 7
Command or Action: Router(config)# controller sonet slot/subslot/port
Purpose: Select the controller to configure and enter controller configuration mode.
Step 8
Command or Action: Router(config-controller)# aps group acr acr no
Purpose: Enables the use of the APS Protect Group Protocol for the working interface.
Step 9
Command or Action: Router(config-controller)# aps protect circuit number ip-address
Purpose: aps protect—Identifies this interface as the Protect interface:
• circuit-number—Identification number for this particular channel in the APS pair. Because only 1+1
redundancy is supported, the only valid values are 0 or 1, and the Protect interface defaults to 0.
• ip-address—IP address for the loopback interface. The Protect interface uses this IP address to
communicate with the working interface.
The APS group can be active or inactive.
Active—The interface that is currently sending and receiving data.
Inactive—The interface which is currently standing by to take over when the active fails.
Step 10
Command or Action: Router(config-controller)# aps revert minutes
Purpose: aps revert—This command configures the ACR interface as revert. The value of the minutes
argument specifies the time, in minutes, after which the revert process begins.
Note Use the revert command only under the protect member of the ACR group.
To create an ACR interface without any members attached, use the interface acr acr no command.
Step 11
Command or Action: Router(config-controller)# exit
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Example 10-1 Configuring ACR Interface
This is an example for configuring ACR interface:
ACR-PE2# Configure terminal
ACR-PE2(config)# Controller sonet 4/1/0
ACR-PE2(config-controller)# aps group acr 1
ACR-PE2(config-controller)# aps working 1
ACR-PE2(config-controller)# exit
ACR-PE2(config)# controller sonet 3/1/0
ACR-PE2(config-controller)# aps group acr 1
ACR-PE2(config-controller)# aps protect 1 4.1.1.1
ACR-PE2(config-controller)# do show ip interface br | incl Loop
Loopback0 4.1.1.1 YES NVRAM up up
ACR-PE2(config-controller)#end
Verifying ACR Group
ACR-PE2# show acr group
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
1 SONET 4/1/0 SONET 3/1/0 SONET 4/1/0
Configuring CEM, ATM, and IMA Interfaces
This section provides the configuration for CEM, ATM, and IMA interfaces:
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 controller sonet 5/1/0
Step 4 sts-1 2
Step 5 vtg 3 t1 2 atm
or
vtg 1 t1 1 ima-group group-number
or
vtg 2 t1 1 cem-group 1 unframed
or
vtg 2 t1 4 cem-group 2 timeslots 1-5,14
Step 6 exit
DETAILED STEPS
Step 1
Command or Action: Router# enable
Purpose: Enables privileged EXEC mode.
Step 2
Command or Action: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: Router(config)# controller sonet 5/1/0
Purpose: Selects the controller to configure.
Step 4
Command or Action: Router(config-controller)# sts-1 2
Purpose: Specifies the STS identifier.
Step 5
Command or Action: Router(config-ctrlr-sts1)# vtg 3 t1 2 atm
Purpose: Creates a T1 (VT1.5) ATM interface.
or
Command or Action: Router(config-ctrlr-sts1)# vtg 1 t1 1 ima-group group-number
Purpose: Configures the interface to run in IMA mode and assigns the interface to an IMA group.
or
Command or Action: Router(config-ctrlr-sts1)# vtg 2 t1 1 cem-group 1 unframed
Purpose: Creates a single SAToP CEM group.
or
Command or Action: Router(config-ctrlr-sts1)# vtg 2 t1 4 cem-group 2 timeslots 1-5,14
Purpose: Creates a CESoPSN CEM group.
Step 6
Command or Action: Router(config-controller)# exit
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Example 10-2 Configuring CEM Interface
ACR-PE2# Configure terminal
ACR-PE2(config)# controller sonet-acr 1
ACR-PE2(config-ctrlr-sts1)# sts-1 1
ACR-PE2(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 1 timeslots 1-10
ACR-PE2(config-ctrlr-sts1)# sts-1 2
ACR-PE2(config-ctrlr-sts1)# vtg 1 t1 2 atm
ACR-PE2(config-ctrlr-sts1)# vtg 1 t1 2 ima 10
ACR-PE2(config-ctrlr-sts1)# end
ACR-PE2# show run | sec SONET-ACR 1
controller SONET-ACR 1
framing sonet
!
sts-1 1
mode vt-15
vtg 1 t1 1 cem-group 1 timeslots 1-10 >>>> CEM configs
vtg 1 t1 2 ima-group 10 >>>>>>>>>>>>>>>>> IMA configs
!
sts-1 2
mode vt-15
vtg 1 t1 2 atm >>>>>>>>>>>>>>>>>>>>>>>> ATM configs
!
sts-1 3
mode vt-15
ACR-PE2# show ip int br | incl ACR
CEM-ACR1 unassigned YES unset up up
ATM-ACR1.2/1/2 unassigned YES unset down down
IMA-ACR1/ima10 unassigned YES unset up up
Verifying CEM Interface
ACR-PE2# show cem circuit
CEM Int. ID Ctrlr Admin Circuit AC
--------------------------------------------------------------
CEM-ACR1 1 UP UP Active --/--
Configure IMA-ACR Interface
ACR-PE2# configure terminal
ACR-PE2(config)# int IMA-ACR1/ima10
ACR-PE2(config-controller)# pvc 89/90 l2trans
ACR-PE2(cfg-if-atm-l2trans-pvc)# end
Show Commands
This section includes show commands for ACR:
ACR-PE2# show acr group 1 detail cem
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
CE1 CEM4/1/0 CEM3/1/0 CEM4/1/0
CEM CKT Details
Cktid State on Working State on Protect
1 Provision Success Provision Success
ACR-PE2# show acr group 1 detail atm
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
AT1.2/1/2 ATM4/1/0.2/1/2 ATM3/1/0.2/1/2 ATM4/1/0.2/1/2
ATM PVC Detail
VPI VCI State on Working State on Protect
23 34 Unknown Unknown
ACR-PE2# show acr group 1 detail ima
ACR Group Working I/f Protect I/f Currently Active Status
--------------------------------------------------------------------------
IM1/ima10 ATM4/1/ima10 ATM3/1/ima10 ATM4/1/ima10
ATM PVC Detail
VPI VCI State on Working State on Protect
89 90 Provision Success Provision Success
Troubleshooting the ACR configuration
This section provides the supported debug commands to troubleshoot the ACR configuration:
• debug acr events: Provides details on all events occurring on the ACR interface.
• debug acr errors: Provides debugging information on errors.
• debug acr state: Provides debugging information on state change – when there is a switchover.
• debug cem events: Debugging information to create and delete CEM circuits.
• debug cem errors: Debugging information about possible errors while creating and deleting
CEM circuits.
• debug cem states: Debugs to show the state changes of CEM circuits.
Configuring Layer 3 QoS on CEoP SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For more
information about the QoS features supported by the CEoP SPAs, see the Configuring QoS Features on
a SIP, page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”
Restrictions and Guidelines
Follow these restrictions and guidelines for the 24-Port Channelized T1/E1 ATM CEoP SPA, the 2-Port
Channelized T3/E3 ATM CEoP SPA, and the 1-Port Channelized OC-3 STM1 ATM CEoP SPA:
• In the ingress direction, all QoS features are supported by the Cisco 7600 SIP-400.
• The VC QoS on VP-PW feature works only with the single cell relay function and not with packed
cell relay.
• In the egress direction:
– All queueing-based features such as class-based weighted fair queueing (CBWFQ), ATM
per-VC weighted fair queueing (WFQ), Weighted Random Early Detection (WRED), and
shaping are implemented on the SIP-400 unlike the ATM SPA.
– Policing, classification, and marking are also implemented on the SIP-400.
– Class based shaping is supported.
For more support information, see QoS Congestion Management and Avoidance Feature Compatibility
by SIP and SPA Combination.
Supported Interface for CEoP SPA
The following interfaces are supported:
• P2P and Multipoint permanent virtual circuit (PVC) under the main interface
• P2P and Multipoint PVC under the sub-interface
• P2P and Multipoint L2 PVC under the main interface – AAL5 and AAL0 (sustainable cell rate
(SCR) and peak cell rate (PCR))
• P2P and Multipoint L2PVC under the sub-interface – AAL5 and AAL0 (SCR and PCR)
• Any transport over MPLS (AToM) Interworking
• Inverse multiplexing (IMA)
Configuration
To configure the QoS features on the CEoP SPA, complete these steps:
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 interface atm slot/subslot/port subinterface point-to-point
Step 4 ip address address mask
Step 5 pvc vpi/vci
Step 6 service-policy in policy-map-name
Step 7 service-policy out policy-map-name
Step 8 end
DETAILED STEPS
Command or Action Purpose
Step 1 enable Enables privileged EXEC mode. Enter your
password if prompted.
Step 2 configure terminal Enters global configuration mode.
Step 3 interface atm slot/subslot/port subinterface point-to-point Specifies or creates a subinterface, and enters
subinterface configuration mode. These are the
parameters:
• slot—Specifies the chassis slot number where
the SIP is installed.
• subslot—Specifies the secondary slot number
on a SIP where a SPA is installed.
• port—Specifies the number of the interface port
on the SPA.
• subinterface—Specifies the number of the
subinterface on the interface port.
• point-to-point—Specifies a point-to-point
subinterface.
Step 4 ip address address mask [secondary] (Optional) Assigns the specified IP address and
subnet mask to the interface. Repeat the command
with the optional secondary keyword to assign
additional, secondary IP addresses to the port.
Step 5 pvc vpi/vci Assigns a virtual path identifier (VPI) and a virtual
circuit identifier (VCI).
Step 6 service-policy in policy-map-name Attaches ingress QoS to the configuration.
Step 7 service-policy out policy-map-name Attaches egress QoS to the configuration.
Step 8 end Exits interface configuration mode and returns to
privileged EXEC mode.
Sample Configuration
This is an example of configuring Layer 3 QoS on CEoP SPAs.
Router# configure terminal
Router(config)# interface ATM3/0/0.1/1/1 point-to-point
Router(config-if)# ip address 24.0.0.1 255.255.255.0
Router(config-if)# pvc 1/40
Router(config-if-atm-vc)# service-policy in omni_flat_ingress10
Router(config-if-atm-vc)# service-policy out flat_brr10
Router(config-if-atm-vc)# end
Verifying the Configuration
This section provides the commands to verify the configuration.
Router# show run interface ATM3/0/0.1/1/1.1
interface ATM3/0/0.1/1/1.1 point-to-point
ip address 24.0.0.1 255.255.255.0
no atm enable-ilmi-trap
bfd interval 50 min_rx 100 multiplier 3
pvc 10/100
protocol ip 24.0.0.2
oam-pvc manage
service-policy in omni_flat_ingress11
service-policy out omni_flat11
!
end
Router# show policy-map interface ATM3/0/0.1/1/1
ATM3/0/0.1/1/1: VC 1/40 -
Service-policy input: omni_flat_ingress10
Counters last updated 00:00:03 ago
Class-map: prec4 (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: precedence 4
police:
cir 52500 bps, bc 4470 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: prec5 (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: precedence 5
police:
cir 54000 bps, bc 4470 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: prec6 (match-all)
391 packets, 29584 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: precedence 6
police:
cir 56000 bps, bc 4470 bytes
conformed 391 packets, 29584 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Class-map: class-default (match-any)
255775 packets, 194214265 bytes
30 second offered rate 1325000 bps, drop rate 1275000 bps
Match: any
police:
cir 51000 bps, bc 4470 bytes
conformed 30423 packets, 7439395 bytes; actions:
transmit
exceeded 225352 packets, 186774870 bytes; actions:
drop
conformed 51000 bps, exceeded 1275000 bps
Service-policy output: omni_flat10
Counters last updated 00:00:03 ago
queue stats for all priority classes:
Queueing
priority level 1
queue limit 12 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 43602/7460616
queue stats for all priority classes:
Queueing
priority level 2
queue limit 14 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: prec4 (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: precedence 4
Queueing
queue limit 13 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 52 kbps
Class-map: prec5 (match-all)
0 packets, 0 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: precedence 5
Queueing
queue limit 13 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 54 kbps
Class-map: prec6 (match-all)
393 packets, 29724 bytes
30 second offered rate 0000 bps, drop rate 0000 bps
Match: precedence 6
police:
cir 56000 bps, bc 4470 bytes
conformed 393 packets, 29724 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps
Priority: Strict, b/w exceed drops: 0
Priority Level: 2
Class-map: class-default (match-any)
1055920 packets, 803961420 bytes
30 second offered rate 5452000 bps, drop rate 5401000 bps
Match: any
police:
cir 51000 bps, bc 4470 bytes
conformed 43617 packets, 7433658 bytes; actions:
transmit
exceeded 1012303 packets, 796527762 bytes; actions:
drop
conformed 51000 bps, exceeded 5401000 bps
Priority: Strict, b/w exceed drops: 0
Priority Level: 1
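The policer counters above can be checked mechanically rather than by eye. The following added example (not part of the Cisco guide) parses show policy-map interface text and reports, per policed class, the share of packets that exceeded the policer. The excerpt is copied from the input-direction counters above with constructed indentation; the function names and the 0.5 reporting threshold are assumptions.

```python
import re

# Excerpt of the input-direction counters shown above (two classes only).
# The indentation is constructed; the parser does not depend on it.
SAMPLE_OUTPUT = """\
 ATM3/0/0.1/1/1: VC 1/40 -
  Service-policy input: omni_flat_ingress10
    Class-map: prec6 (match-all)
      391 packets, 29584 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: precedence 6
      police:
        cir 56000 bps, bc 4470 bytes
        conformed 391 packets, 29584 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0000 bps, exceeded 0000 bps
    Class-map: class-default (match-any)
      255775 packets, 194214265 bytes
      30 second offered rate 1325000 bps, drop rate 1275000 bps
      Match: any
      police:
        cir 51000 bps, bc 4470 bytes
        conformed 30423 packets, 7439395 bytes; actions:
          transmit
        exceeded 225352 packets, 186774870 bytes; actions:
          drop
        conformed 51000 bps, exceeded 1275000 bps
"""


def parse_policers(text):
    """Return {(direction, class_name): counters} from show policy-map text."""
    results = {}
    direction = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Service-policy (input|output): \S+", line)
        if m:
            direction, cls = m.group(1), None
            continue
        m = re.match(r"Class-map: (\S+)", line)
        if m:
            cls = m.group(1)
            results[(direction, cls)] = {}
            continue
        if cls is None:
            continue  # queue statistics printed before the first class
        stats = results[(direction, cls)]
        m = re.match(r"cir (\d+) bps", line)
        if m:
            stats["cir_bps"] = int(m.group(1))
        # Packet counters end in "packets"; the rate line ("conformed N bps")
        # does not match this pattern and is ignored here.
        m = re.match(r"(conformed|exceeded) (\d+) packets, (\d+) bytes", line)
        if m:
            stats[m.group(1) + "_packets"] = int(m.group(2))
            stats[m.group(1) + "_bytes"] = int(m.group(3))
        m = re.match(r"30 second offered rate (\d+) bps, drop rate (\d+) bps", line)
        if m:
            stats["offered_bps"] = int(m.group(1))
            stats["drop_bps"] = int(m.group(2))
    return results


def exceed_ratio(stats):
    """Fraction of policed packets that exceeded the CIR (0.0 if none seen)."""
    conformed = stats.get("conformed_packets", 0)
    exceeded = stats.get("exceeded_packets", 0)
    total = conformed + exceeded
    return exceeded / total if total else 0.0


def heavily_policed(text, threshold=0.5):
    """List (direction, class, ratio) where the exceed ratio reaches threshold."""
    return [
        (direction, cls, round(exceed_ratio(stats), 3))
        for (direction, cls), stats in parse_policers(text).items()
        if exceed_ratio(stats) >= threshold
    ]


if __name__ == "__main__":
    for direction, cls, ratio in heavily_policed(SAMPLE_OUTPUT):
        print(f"{direction} {cls}: {ratio:.1%} of packets exceeded the policer")
```

On the excerpt, only class-default in the input direction is reported: its conformed and exceeded counters sum to the class packet count, and most of that traffic is dropped by the policer.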
Troubleshooting
For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this
location:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Configuring AIS and RAI Alarm Forwarding in CESoPSN Mode
on CEoP SPAs
Cisco IOS Release 12.2(33)SRD3 introduces the ability to configure on a per-T1/E1 basis the
forwarding of AIS and RAI alarms towards peer CE devices via the TDM attachment circuit.
This feature allows grooming of traffic from several different cell-site fractional T1/E1s via CEM,
through an MPLS cloud, onto a single aggregate T1/E1 going to the BSC.
This feature provides the following functionality:
• By default, AIS and RAI alarms are not forwarded on T1/E1s having CESoPSN mode configured
on the 1-Port Channelized OC-3 STM1 ATM CEoP SPA and 24-Port Channelized T1/E1 ATM
CEoP SPA, SIP-400 line cards, even if one or all CESoPSN groups terminating on the T1/E1 are
receiving AIS or RAI from the corresponding remote CESoPSN peers across the PSN.
• AIS forwarding can be enabled on a per-T1/E1 basis on the 1-Port Channelized OC-3 STM1 ATM
CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP SPA. This ensures that the PE transmits AIS
on the T1/E1 whenever one or more CESoPSN groups configured on it are receiving AIS
notification from remote CESoPSN peers across the PSN.
• RAI forwarding can be enabled on a per-T1/E1 basis on the 1-Port Channelized OC-3 STM1 ATM
CEoP SPA and 24-Port Channelized T1/E1 ATM CEoP SPA. This ensures that the PE will transmit
RAI on the T1/E1 whenever one or more CESoPSN groups configured on it are receiving RAI
notification from remote CESoPSN peers across the PSN.
Configuring SONET Mode
Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card
interface for SONET mode:
Command or Action Purpose
R1(config)#controller sonet slot/bay/port
R1(config-controller)#sts-1 id
Router(config-controller-sts)#vtg identifier t1 identifier forward-alarm ais/rai
Example:
R1(config)#controller sonet 2/2/0
R1(config-controller)#sts-1 1
R1(config-ctrlr-sts1)#vtg 1 t1 1 forward-alarm ais
Enables AIS/RAI alarm forwarding on the selected
interface for SONET mode.
Configuring SDH AU-4 Mode
Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card
interface for SDH AU-4 Mode:
Command or Action Purpose
R1(config-controller)#au-4 id tug-3 id
R1(config-ctrlr-tug3)#tug-2 id e1 id forward-alarm ais/rai
Example:
R1(config-controller)#au-4 1 tug-3 1
R1(config-ctrlr-tug3)#tug-2 1 e1 1 forward-alarm rai
Enables AIS/RAI alarm forwarding in SDH AU-4 mode.
Configuring SDH AU-3 Mode
Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card
interface for SDH AU-3 Mode:
Command or Action Purpose
R1(config-controller)#au-3 id
R1(config-ctrlr-tug3)#tug-2 id t1 id forward-alarm ais/rai
Example:
R1(config-controller)#au-3 1
R1(config-ctrlr-au3)#tug-2 1 t1 1 forward-alarm ais
R1(config-ctrlr-au3)#tug-2 1 t1 1 forward-alarm rai
Enables AIS/RAI alarm forwarding in SDH AU-3 mode.
Configuring T1 Mode
Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card
interface for T1 mode:
Command or Action Purpose
R1(config)#controller t1 slot/bay/port
R1(config-controller)#forward-alarm ais/rai
Example:
R1(config)#controller t1 2/0/0
R1(config-controller)#forward-alarm rai
Enables AIS/RAI alarm forwarding on the selected T1
controller interface for the 24-Port Channelized T1/E1
ATM CEoP SPA.
Configuring E1 Mode
Use the following commands to enable AIS/RAI forwarding on the CEoP SPAs on the SIP-400 line card
interface for E1 mode:
Command or Action Purpose
R1(config)#controller e1 slot/bay/port
R1(config-controller)#forward-alarm ais/rai
Example:
R1(config)#controller e1 2/0/0
R1(config-controller)#forward-alarm ais
Enables AIS/RAI alarm forwarding on the selected E1
controller interface for the 24-Port Channelized T1/E1
ATM CEoP SPA.
Note These commands are available only for T1s that support CEM group configuration on them.
Configuration Restrictions
The following restrictions apply while configuring AIS/RAI alarm forwarding:
• Alarms cannot be suppressed in unframed CEM mode (SAToP). Alarms received from the remote
SAToP peer across the PSN will always be propagated over the attachment circuit.
• forward-alarm ais/rai is a hidden command and is not available in the option list. You must type
the full command.
• Starting with Cisco IOS Release 12.2(33)SRD3, changing modes of the T1 or E1 from CEoPSN to ATM
or IMA is not allowed.
MR-APS Integration with Hot Standby Pseudowire
The multi router automatic protection switching (MR-APS) enables interface connections to switch from
one circuit to another if a circuit fails. Interfaces can be switched in response to a router failure,
degradation or loss of channel signal, or manual intervention. In a multi router environment, the
MR-APS allows the protected SONET interface to reside in a different router from the working SONET
interface.
Service providers are migrating from their existing SONET or SDH equipment to Ethernet networks to
reduce cost. Any transport over MPLS (AToM) pseudowires (PWs) help service providers to maintain
their investment in asynchronous transfer mode (ATM) or time division multiplexing (TDM) networks
and change only the core from SONET or SDH to Ethernet. When service providers move from
SONET or SDH to Ethernet, network availability is always a concern. Therefore, to enhance network
availability, service providers use PWs.
The hot-standby PW support for ATM and TDM access circuits (ACs) allows the backup PW to be in a
hot-standby state, so that it can immediately take over if the primary PW fails. The present hot-standby
PW solution does not support ACs as part of the APS group. The PWs that are
configured over the protected interface remain in the down state. This increases the PW switchover
time in case of an APS switchover. MR-APS integration with a hot standby PW is an integration of APS
with ATM or TDM hot standby PWs created over the SIP 400 line card for the Cisco 7600 platform and
improves the switchover time.
Figure 10-4 explains MR-APS integration with hot standby PW feature implementation.
Figure 10-4 MR-APS Integration with Hot Standby Pseudowire Implementation
In this example routers P1 and PE1 are in the same APS group G1, and routers P2 and PE2 are in the
same APS group G2. In group G1, P1 is the working router and PE1 is the protected router. Similarly in
group G2, P2 is the working router and PE2 is the protected router.
The MR-APS integration with hot standby PW deployment involves cell sites connected to the provider
network using bundled T1/E1 connections. These T1/E1 connections are aggregated into the optical
carrier 3 (OC3) or optical carrier 12 (OC12) links using the add-drop multiplexers (ADMs).
For more information on APS, see the Automatic Protection Switching section in the Cisco 7600 Series
Router SIP, SSC, and SPA Software Configuration Guide at the following link:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfstm1.html#wp1216498
Failover Operations
MR-APS integration with hot standby PW feature handles the following failures.
• Failure 1, where the link between ADM and P1 goes down, or the connecting ports at ADM or P1
go down.
• Failure 2, where the router P1 fails.
• Failure 3, where the router P1 is isolated from the core.
Figure 10-5 explains the failure points in the network.
Figure 10-5 Failure Points in the Network
In case of failure 1, where either port at the ADM goes down, or the port at the router goes down or the
link between ADM and router fails, the APS switchover triggers the pseudowires at the protect interface
to become active. The same applies to failure 2 as well where the complete router fails over.
In case of failure 3, where all the links carrying primary and backup traffic lose the connection, a new
client is added to the inter chassis redundancy manager (ICRM) infrastructure to handle the core
isolation. The client listens to the events from the ICRM. Upon receiving the core isolation event from
the ICRM, the client either initiates the APS switchover, or initiates the alarm based on the peer core
isolation state. If APS switchover occurs, it changes the APS inactive interface to active and hence
activates the PWs at the interface. Similarly, when core connectivity goes up based upon the peer core
isolation state, it clears the alarms or triggers the APS switchover. ICRM monitors the directly connected
interfaces only. Hence only those failures in the directly connected interfaces can cause a core isolation
event.
Restrictions
The following restrictions apply to the MR-APS integration with hot standby PW feature:
• MR-APS integration with hot standby PW is supported only on the SIP 400 line cards.
• For ATM pseudowires only ATM asynchronous mode is supported.
• Revertive APS mode should not be configured on the interfaces.
• MR-APS integration with hot standby PW is supported only on 1-port channelized OC-3 STM1
ATM CEoP SPA and 2-port and 4-port OC-3c/STM-1 ATM SPA.
• APS group number should be greater than zero.
• Do not configure the backup delay value command if the MR-APS integration with hot standby PW
feature is configured.
• Unconfiguring the mpls ip command on the core interface is not supported.
• The hspw force switch command is not supported.
Configuring MR-APS Integration with Hot Standby Pseudowire
MR-APS integration with hot standby PW can be configured on a CEM interface or IMA interface on
the 1-port channelized OC-3 STM1 ATM CEoP SPA. Perform the steps in the corresponding section to
configure the MR-APS integration with hot standby PW feature on a CEM or IMA interface.
Configuring MR-APS Integration with Hot Standby Pseudowire on a CEM Interface
Complete these steps to configure MR-APS integration with hot standby PW on a CEM interface. The
configuration involves configuring the working routers and protect routers that are part of the APS
group.
SUMMARY STEPS
1. enable
2. configure terminal
3. pseudowire-class pw-class-name
4. encapsulation mpls
5. status peer topology dual-homed
6. exit
7. redundancy
8. interchassis group group-id pw-class-name
9. member ip ip-address
10. backbone interface interface
11. backbone interface interface
12. exit
13. controller sonet slot/bay/port
14. framing [sonet|sdh]
15. clock source line
16. sts-1 sts1-number
17. mode vt-15
18. vtg vtg_number t1 t1_line_number cem-group channel-number timeslots list-of-timeslots
19. exit
20. aps group group_id
21. aps [working | protect] aps-group-number [ip-address]
22. aps hspw-icrm-group icrm-group-number
23. exit
24. interface cem slot/subslot/port
25. cem cem-group
26. xconnect peer-ip-address vc-id pw-class pw-class-name
27. backup peer ip-address vc-id pw-class pw-class-name
28. end
Detailed Steps
Command Purpose
Step 1 enable
Example:
Router> enable
Enables the privileged EXEC mode. If prompted, enter
your password.
Step 2 configure terminal
Example:
Router# configure terminal
Enters the global configuration mode.
Step 3 pseudowire-class pw-class-name
Example:
Router(config)# pseudowire-class hw_aps
Specifies the name of a PW class and enters PW class
configuration mode.
Step 4 encapsulation mpls
Example:
Router(config-pw-class)# encapsulation mpls
Specifies that MPLS is used as the data encapsulation
method for tunneling Layer 2 traffic over the pseudowire.
Step 5 status peer topology dual-homed
Example:
Router(config-pw-class)# status peer topology dual-homed
Enables the reflection of the attachment circuit status on
both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a
dual-homed device.
Step 6 exit
Example:
Router(config-pw-class)# exit
Exits PW class configuration mode.
Step 7 redundancy
Example:
Router(config)# redundancy
Enters the redundancy configuration mode.
Step 8 interchassis group group-id
Example:
Router(config-red)# interchassis group 50
Configures an interchassis group within the redundancy
configuration mode and enters the interchassis
redundancy mode.
Step 9 member ip ip-address
Example:
Router(config-r-ic)# member ip 60.60.60.2
Configures the IP address of the peer member group.
Step 10 backbone interface interface
Example:
Router(config-r-ic)# backbone interface GigabitEthernet 2/3
Specifies the backbone interface.
Step 11 exit
Example:
Router(config-r-ic)# exit
Exits the redundancy mode.
Step 12 controller SONET slot/bay/port
Example:
Router(config)# controller SONET 1/1/0
Selects and configures a SONET controller and enters
controller configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 13 framing [SDH|SONET]
Example:
Router(config-controller)# framing SONET
Configures the controller with framing type. SONET
framing is the default option.
Step 14 clock source line
Example:
Router(config-controller)# clock source line
Sets the clocking for individual T1 or E1 links.
Step 15 sts-1 sts1-number
Example:
Router(config-controller)# sts-1 1
Specifies the STS identifier.
Step 16 mode vt-15
Example:
Router(config-ctrlr-sts1)# mode vt-15
Specifies the STS-1 mode of operation.
Step 17 vtg vtg_number t1 t1_line_number cem-group channel-number timeslots list-of-timeslots
Example:
Router(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
Creates a Circuit Emulation Services over Packet
Switched Network (CESoPSN) CEM group.
Step 18 exit
Example:
Working-Router(config-ctrlr-sts1)# exit
Exits from the STS configuration mode.
Step 19 aps group group_id
Example:
Router(config-controller)# aps group 1
Configures the APS group for CEM.
Step 20 aps [working | protect] aps-group-number
Example:
Router(config-controller)# aps working 1
Configures the APS group as working or protect interface.
Step 21 aps hspw-icrm-grp group-number
Example:
Router(config-controller)# aps hspw-icrm-group 1
Associates the APS group to an ICRM group number.
Step 22 exit
Example:
Router(config-ctrlr)# end
Ends the controller session and returns to the
configuration mode.
Step 23 interface cem slot/subslot/port
Example:
Router(config-if)# interface cem 1/1/0
Configures a serial interface and enters the interface
configuration mode.
Step 24 cem group-number
Example:
Router(config-if)# cem 0
Selects the CEM circuit (group) to configure a PW for.
Step 25 xconnect peer-ip-address vcid pw-class pw-class-name
Example:
Router(config-if-srv)# xconnect 3.3.3.3 1 pw-class hspw_aps
Specifies the IP address of the peer PE router and the
32-bit virtual circuit identifier shared between the PEs at
each end of the control channel.
pw-class-name—The PW class configuration from which
the data encapsulation type is taken.
Note The peer router IP address and virtual circuit ID
must be a unique combination on the router.
Step 26 backup peer peer-id vc-id pseudowire-class pw-classname
Example:
Router(config-if-srv)# backup peer 4.3.3.3 90 pseudowire-class vpws
Specifies a redundant peer for a PW virtual circuit.
Step 27 end
Example:
Router(config-controller)#end
Ends the configuration session and returns to the EXEC
mode.
Example
This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface
on the working router with framing mode as SONET on router P1.
RouterP1> enable
RouterP1# configure terminal
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# controller SONET 1/1/0
RouterP1(config-controller)# framing sonet
RouterP1(config-controller)# clock source line
RouterP1(config-controller)# sts-1 1
RouterP1(config-ctrlr-sts1)# mode vt-15
RouterP1(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterP1(config-ctrlr-sts1)# exit
RouterP1(config-controller)# aps group 3
RouterP1(config-controller)# aps working 1
RouterP1(config-controller)# aps hspw-icrm-grp 1
RouterP1(config-controller)# exit
RouterP1(config)# interface cem 1/1/0
RouterP1(config-if)# cem 0
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end
This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface
on the protect router with framing mode as SONET on router PE1.
RouterPE1> enable
RouterPE1# configure terminal
RouterPE1(config)# pseudowire-class hspw_aps
RouterPE1(config-pw-class)# encapsulation mpls
RouterPE1(config-pw-class)# status peer topology dual-homed
RouterPE1(config-pw-class)# exit
RouterPE1(config)# redundancy
RouterPE1(config-red)# interchassis group 1
RouterPE1(config-r-ic)# member ip 14.2.0.1
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterPE1(config-r-ic)# backbone interface GigabitEthern
RouterPE1(config-r-ic)# exit
RouterPE1(config)# controller SONET 3/0/0
RouterPE1(config-controller)# framing sonet
RouterPE1(config-controller)# clock source line
RouterPE1(config-controller)# sts-1 1
RouterPE1(config-ctrlr-sts1)# mode vt-15
RouterPE1(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterPE1(config-ctrlr-sts1)# exit
RouterPE1(config-controller)# aps group 3
RouterPE1(config-controller)# aps protect 1 14.2.0.2
RouterPE1(config-controller)# aps hspw-icrm-grp 1
RouterPE1(config-controller)# exit
RouterPE1(config)# interface cem 3/0/0
RouterPE1(config-if)# cem 0
RouterPE1(config-if)# xconnect 3.3.3.3 3 pw-class hspw_aps
RouterPE1(config-if)# backup peer 4.4.4.4 4 pw-class hspw_aps
RouterPE1(config-if)# exit
RouterPE1(config)# end
This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface
on the working router with framing mode as SONET on router P2.
RouterP2> enable
RouterP2# configure terminal
RouterP2(config)# pseudowire-class hspw_aps
RouterP2(config-pw-class)# encapsulation mpls
RouterP2(config-pw-class)# status peer topology dual-homed
RouterP2(config-pw-class)# exit
RouterP2(config)# redundancy
RouterP2(config-red)# interchassis group 1
RouterP2(config-r-ic)# member ip 14.6.0.2
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/3
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/4
RouterP2(config-r-ic)# exit
RouterP2(config)# controller SONET 1/1/0
RouterP2(config-controller)# framing sonet
RouterP2(config-controller)# clock source line
RouterP2(config-controller)# sts-1 1
RouterP2(config-ctrlr-sts1)# mode vt-15
RouterP2(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterP2(config-ctrlr-sts1)# exit
RouterP2(config-controller)# aps group 3
RouterP2(config-controller)# aps working 1
RouterP2(config-controller)# aps hspw-icrm-grp 1
RouterP2(config-controller)# exit
RouterP2(config)# interface cem 1/1/0
RouterP2(config-if)# cem 0
RouterP2(config-if)# xconnect 1.1.1.1 1 encapsulation mpls pw-class hspw_aps
RouterP2(config-if)# backup peer 2.2.2.2 3 pw-class hspw_aps
RouterP2(config-if)# exit
RouterP2(config)# end
This example shows how to configure the MR-APS integration with hot standby PW on a CEM interface
on the protect router PE2 with framing mode as SONET.
RouterPE2> enable
RouterPE2# configure terminal
RouterPE2(config)# pseudowire-class hspw_aps
RouterPE2(config-pw-class)# encapsulation mpls
RouterPE2(config-pw-class)# status peer topology dual-homed
RouterPE2(config-pw-class)# exit
RouterPE2(config)# redundancy
RouterPE2(config-red)# interchassis group 1
RouterPE2(config-r-ic)# member ip 14.6.0.1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterPE2(config-r-ic)# backbone interface GigabitEthern
RouterPE2(config-r-ic)# exit
RouterPE2(config)# controller SONET 3/2/0
RouterPE2(config-controller)# framing sonet
RouterPE2(config-controller)# clock source line
RouterPE2(config-controller)# sts-1 1
RouterPE2(config-ctrlr-sts1)# mode vt-15
RouterPE2(config-ctrlr-sts1)# vtg 1 t1 1 cem-group 0 timeslots 1-24
RouterPE2(config-ctrlr-sts1)# exit
RouterPE2(config-controller)# aps group 2
RouterPE2(config-controller)# aps protect 1 14.6.0.2
RouterPE2(config-controller)# aps hspw-icrm-grp 1
RouterPE2(config-controller)# exit
RouterPE2(config)# interface cem 3/2/0
RouterPE2(config-if)# cem 0
RouterPE2(config-if)# xconnect 1.1.1.1 2 pw-class hspw_aps
RouterPE2(config-if)# backup peer 2.2.2.2 4 pw-class hspw_aps
RouterPE2(config-if)# exit
RouterPE2(config)# end
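The restrictions and required commands listed for this feature can be checked offline before a change window. The following added example (not Cisco code) lints a running-config style rendering of the working-router example for them. The sample configuration, its indentation, the two deliberate violations (aps revert and backup delay), and all function names are constructed for illustration.

```python
import re

# Constructed sample: a running-config style rendering of the commands in the
# working-router example above. The "aps revert" and "backup delay" lines are
# deliberate violations added so the checker has something to report.
SAMPLE_CONFIG = """\
pseudowire-class hspw_aps
 encapsulation mpls
 status peer topology dual-homed
!
redundancy
 interchassis group 1
  member ip 14.2.0.2
  backbone interface GigabitEthernet1/0/0
!
controller SONET 1/1/0
 sts-1 1
  mode vt-15
  vtg 1 t1 1 cem-group 0 timeslots 1-24
 aps group 3
 aps working 1
 aps revert 2
 aps hspw-icrm-grp 1
!
interface CEM1/1/0
 cem 0
  xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
   backup peer 4.4.4.4 2 pw-class hspw_aps
   backup delay 0 0
!
"""


def parse_stanzas(text):
    """Group the config into (top-level line, [stripped child lines]) pairs."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas


def first_int(children, pattern):
    """Integer captured by pattern in the first matching child, else None."""
    hits = (re.match(pattern, c) for c in children)
    return next((int(m.group(1)) for m in hits if m), None)


def lint(text):
    """Return findings for the restrictions and required commands above."""
    stanzas = parse_stanzas(text)
    findings = []
    pw_classes = {h.split()[1]: c for h, c in stanzas
                  if h.startswith("pseudowire-class ")}
    icrm_groups = {int(m.group(1)) for h, ch in stanzas if h == "redundancy"
                   for m in (re.match(r"interchassis group (\d+)", c) for c in ch)
                   if m}
    for head, ch in stanzas:
        low = head.lower()
        if low.startswith("controller sonet"):
            # The page spells the keyword both as -grp and -group.
            icrm = first_int(ch, r"aps hspw-icrm-gr(?:ou)?p (\d+)")
            if icrm is None:
                continue  # controller does not use this feature
            group = first_int(ch, r"aps group (\d+)")
            if group is None or group <= 0:
                findings.append(f"{head}: APS group number must be greater than zero")
            if not any(re.match(r"aps (working|protect) ", c) for c in ch):
                findings.append(f"{head}: no aps working or aps protect role")
            if any(c.startswith("aps revert") for c in ch):
                findings.append(f"{head}: revertive APS mode is configured")
            if icrm not in icrm_groups:
                findings.append(f"{head}: ICRM group {icrm} is not defined under redundancy")
        elif low.startswith("interface ") and any(c.startswith("xconnect ") for c in ch):
            if not any(c.startswith("backup peer ") for c in ch):
                findings.append(f"{head}: xconnect has no backup peer")
            if any(c.startswith("backup delay") for c in ch):
                findings.append(f"{head}: backup delay is configured")
            if low.startswith("interface atm") and "atm asynchronous" not in ch:
                findings.append(f"{head}: ATM pseudowire without atm asynchronous")
            refs = sorted({m.group(1) for c in ch
                           for m in [re.search(r"pw-class (\S+)", c)] if m})
            for name in refs:
                body = pw_classes.get(name, [])
                for needed in ("encapsulation mpls", "status peer topology dual-homed"):
                    if needed not in body:
                        findings.append(f"pseudowire-class {name}: missing '{needed}'")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run on the sample, the checker reports the revertive APS line on the controller and the backup delay under the CEM interface; removing those two lines yields no findings.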
Configuring MR-APS Integration with Hot Standby Pseudowire on an IMA interface
Perform these steps to configure MR-APS integration with hot standby PW on an IMA interface. The
configuration includes configuring the working routers and protect routers that are part of the APS
group.
SUMMARY STEPS
1. enable
2. configure terminal
3. pseudowire-class pw-class-name
4. encapsulation mpls
5. status peer topology dual-homed
6. exit
7. redundancy
8. interchassis group group-id pw-class-name
9. member ip ip-address
10. backbone interface interface slot/bay/port
11. backbone interface interface slot/bay/port
12. exit
13. controller sonet slot/bay/port
14. framing sonet | sdh
15. clock source line
16. sts-1 sts1-number
17. mode vt-15
18. vtg vtg_number t1 t1_line_number ima-group group-number
19. exit
20. aps group group_id
21. aps [working | protect] aps-group-number [ip-address]
22. aps hspw-icrm-grp group-number
23. interface atm slot/subslot/imagroup-id
24. atm asynchronous
25. pvc vpi/vci l2transport
26. xconnect peer-ip-address vc-id pw-class pw-class-name
27. backup peer ip-address vc-id pw-class pw-class-name
28. end
Detailed Steps
Command Purpose
Step 1 enable
Example:
Router> enable
Enables the privileged EXEC mode. If prompted, enter your password.
Step 2 configure terminal
Example:
Router# configure terminal
Enters the global configuration mode.
Step 3 pseudowire-class pw-class-name
Example:
Router(config)# pseudowire-class hw_aps
Specifies the name of a PW class and enters PW class configuration mode.
Step 4 encapsulation mpls
Example:
Router(config-pw-class)# encapsulation mpls
Specifies that MPLS is used as the data encapsulation method for tunneling layer 2 traffic over the pseudowire.
Step 5 status peer topology dual-homed
Example:
Router(config-pw-class)# status peer topology dual-homed
Enables the reflection of the attachment circuit status on both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a dual-homed device.
Step 6 exit
Example:
Router(config-pw-class)# exit
Exits PW class configuration mode.
Step 7 redundancy
Example:
Router(config)# redundancy
Enters the redundancy configuration mode.
Step 8 interchassis group group-id
Example:
Router(config-red)# interchassis group 50
Configures an interchassis group within the redundancy configuration mode and enters the interchassis redundancy mode.
Step 9 member ip ip-address
Example:
Router(config-r-ic)# member ip 60.60.60.2
Configures the IP address of the peer member.
Step 10 backbone interface interface
Example:
Router(config-r-ic)# backbone interface GigabitEthernet 2/3
Specifies the backbone interface.
Step 11 exit
Example:
Router(config-r-ic)# exit
Exits the redundancy mode.
Step 12 controller sonet slot/subslot/port
Example:
Router(config)# controller sonet 1/1/0
Selects and configures a SONET controller and enters controller configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 13 framing [sonet|sdh]
Example:
Router(config-controller)# framing sonet
Configures the controller for SONET framing. SONET framing is the default option.
Step 14 clock source line
Example:
Router(config-controller)# clock source line
Sets the clocking for individual T1 or E1 links.
Step 15 sts-1 sts1-number
Example:
Router(config-controller)# sts-1 1
Specifies the STS identifier.
Step 16 mode vt-15
Example:
Router(config-ctrlr-sts1)# mode vt-15
Specifies the STS-1 mode of operation.
Step 17 vtg vtg_number t1 t1_line_number ima-group ima-group-number
Example:
Router(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
Configures the interface to run in IMA mode and assigns the interface to an IMA group.
Step 18 exit
Example:
Router(config-ctrlr-sts1)# exit
Exits from the interface configuration mode.
Step 19 aps group group_id
Example:
Router(config-controller)# aps group 1
Configures the APS group for the IMA interface.
Step 20 aps [working | protect] aps-group-number
Example:
Router(config-controller)# aps working 1
Configures the APS group as a working or protect interface.
Step 21 aps hspw-icrm-grp group-number
Example:
Router(config-controller)# aps hspw-icrm-grp 1
Associates the APS group to a hot standby PW ICRM group number.
Step 22 exit
Example:
Router(config-ctrlr)# end
Ends the controller session and returns to the configuration mode.
Step 23 interface atm slot/subslot/imagroup-number
Example:
Router(config-if)# interface atm 1/1/ima0
Specifies the IMA interface and enters interface configuration mode.
Step 24 no ip address
Example:
Router(config-if)# no ip address
Removes the configured IP address from the interface.
Step 25 atm asynchronous
Example:
Router(config-if)# atm asynchronous
Enables or disables the asynchronous functionality on the ATM interface.
Step 26 pvc vpi/vci l2transport
Example:
Router(config-if)# pvc 1/100 l2transport
Assigns a VPI and VCI and enters PVC l2transport configuration mode.
• vpi—ATM network virtual path identifier (VPI) of the VC to multiplex on the permanent virtual path. The range is from 0 to 255.
• vci—Specifies the virtual channel identifier (VCI).
Note The l2transport keyword indicates that the PVC is a switched PVC instead of a terminated PVC.
Step 27 xconnect peer-ip-address vcid pw-class pw-class-name
Example:
Router(config-if-srv)# xconnect 3.3.3.3 1 pw-class hspw_aps
Specifies the IP address of the peer PE router and the 32-bit virtual circuit identifier shared between the PEs at each end of the control channel.
pw-class-name—The PW class configuration from which the data encapsulation type is taken.
Note The peer router ID (IP address) and virtual circuit ID must be a unique combination on the router.
Step 28 backup peer peer-id vc-id pseudowire-class pw-classname
Example:
Router(config-if-srv)# backup peer 4.3.3.3 90 pseudowire-class vpws
Specifies a redundant peer for a PW virtual circuit.
Step 29 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC mode.
Example
This example shows how to configure the MR-APS integration with hot standby PW on an IMA interface
on the working router P1.
RouterP1> enable
RouterP1# configure terminal
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterP1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterP1(config-r-ic)# exit
RouterP1(config)# controller sonet 1/1/0
RouterP1(config-controller)# framing sonet
RouterP1(config-controller)# clock source line
RouterP1(config-controller)# sts-1 1
RouterP1(config-ctrlr-sts1)# mode vt-15
RouterP1(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterP1(config-ctrlr-sts1)# exit
RouterP1(config-controller)# aps group 3
RouterP1(config-controller)# aps working 1
RouterP1(config-controller)# aps hspw-icrm-grp 1
RouterP1(config-controller)# exit
RouterP1(config)# interface atm 1/1/ima0
RouterP1(config-if)# atm asynchronous
RouterP1(config-if)# pvc 1/100 l2transport
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterP1(config-if)# exit
RouterP1(config)# end
This example shows how to configure the MR-APS integration with hot standby PW on an IMA interface
on the protect router PE1.
RouterPE1> enable
RouterPE1# configure terminal
RouterPE1(config)# pseudowire-class hspw_aps
RouterPE1(config-pw-class)# encapsulation mpls
RouterPE1(config-pw-class)# status peer topology dual-homed
RouterPE1(config-pw-class)# exit
RouterPE1(config)# redundancy
RouterPE1(config-red)# interchassis group 1
RouterPE1(config-r-ic)# member ip 14.2.0.2
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 1/0/0
RouterPE1(config-r-ic)# backbone interface GigabitEthernet 1/0/1
RouterPE1(config)# controller sonet 1/1/0
RouterPE1(config-controller)# framing sonet
RouterPE1(config-controller)# clock source line
RouterPE1(config-controller)# sts-1 1
RouterPE1(config-ctrlr-sts1)# mode vt-15
RouterPE1(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterPE1(config-ctrlr-sts1)# exit
RouterPE1(config-controller)# aps group 3
RouterPE1(config-controller)# aps protect 1 14.2.0.1
RouterPE1(config-controller)# aps hspw-icrm-grp 1
RouterPE1(config-controller)# exit
RouterPE1(config)# interface atm 1/1/ima0
RouterPE1(config-if)# atm asynchronous
RouterPE1(config-if)# pvc 1/100 l2transport
RouterPE1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterPE1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
RouterPE1(config-if)# exit
RouterPE1(config)# end
This example shows how to configure the MR-APS integration with hot standby PW on an IMA
interface on the working router P2.
RouterP2> enable
RouterP2# configure terminal
RouterP2(config)# pseudowire-class hspw_aps
RouterP2(config-pw-class)# encapsulation mpls
RouterP2(config-pw-class)# status peer topology dual-homed
RouterP2(config-pw-class)# exit
RouterP2(config)# redundancy
RouterP2(config-red)# interchassis group 1
RouterP2(config-r-ic)# member ip 14.6.0.2
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/3
RouterP2(config-r-ic)# backbone interface GigabitEthernet 2/0/4
RouterP2(config-r-ic)# exit
RouterP2(config)# controller sonet 1/1/0
RouterP2(config-controller)# framing sonet
RouterP2(config-controller)# clock source line
RouterP2(config-controller)# sts-1 1
RouterP2(config-ctrlr-sts1)# mode vt-15
RouterP2(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterP2(config-ctrlr-sts1)# exit
RouterP2(config-controller)# aps group 2
RouterP2(config-controller)# aps working 1
RouterP2(config-controller)# aps hspw-icrm-grp 1
RouterP2(config-controller)# exit
RouterP2(config)# interface atm 1/1/ima0
RouterP2(config-if)# atm asynchronous
RouterP2(config-if)# pvc 1/100 l2transport
RouterP2(config-if)# xconnect 1.1.1.1 1 encapsulation mpls pw-class hspw_aps
RouterP2(config-if)# backup peer 2.2.2.2 3 pw-class hspw_aps
RouterP2(config-if)# exit
RouterP2(config)# end
This example shows how to configure the MR-APS integration with hot standby PW on an IMA
interface on the working router PE2.
RouterPE2> enable
RouterPE2# configure terminal
RouterPE2(config)# pseudowire-class hspw_aps
RouterPE2(config-pw-class)# encapsulation mpls
RouterPE2(config-pw-class)# status peer topology dual-homed
RouterPE2(config-pw-class)# exit
RouterPE2(config)# redundancy
RouterPE2(config-red)# interchassis group 1
RouterPE2(config-r-ic)# member ip 14.6.0.1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/1
RouterPE2(config-r-ic)# backbone interface GigabitEthernet 3/0/2
RouterPE2(config-r-ic)# exit
RouterPE2(config)# controller sonet 1/1/0
RouterPE2(config-controller)# framing sonet
RouterPE2(config-controller)# clock source line
RouterPE2(config-controller)# sts-1 1
RouterPE2(config-ctrlr-sts1)# mode vt-15
RouterPE2(config-ctrlr-sts1)# vtg 1 t1 1 ima-group 0
RouterPE2(config-ctrlr-sts1)# exit
RouterPE2(config-controller)# aps group 3
RouterPE2(config-controller)# aps protect 1 14.6.0.2
RouterPE2(config-controller)# aps hspw-icrm-grp 1
RouterPE2(config-controller)# exit
RouterPE2(config)# interface atm 3/2/ima0
RouterPE2(config-if)# atm asynchronous
RouterPE2(config-if)# pvc 1/100 l2transport
RouterPE2(config-if)# xconnect 1.1.1.1 2 encapsulation mpls pw-class hspw_aps
RouterPE2(config-if)# backup peer 2.2.2.2 4 pw-class hspw_aps
RouterPE2(config-if)# exit
RouterPE2(config)# end
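The procedure above depends on several cross-references inside one router's configuration: the PW class named by xconnect and backup peer, the dual-homed status setting in that class, the ICRM group named under the controller, and the unique peer/VC ID rule from the Note in Step 27. The following pre-deployment check is an added example, not Cisco tooling or part of the original guide; the function name lint_hspw_config is hypothetical, and it assumes that the aps hspw-icrm-grp number refers to the interchassis group ID, as it does in the examples on this page. GOOD is a trimmed copy of the working router P1 example; BAD is a constructed variant.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\S+?[>#]\s*")      # strips "RouterP1(config-if)# "
PW_REF = re.compile(r"^(xconnect|backup peer)\s+(\S+)\s+(\d+)\b(.*)$")
PW_CLASS_ARG = re.compile(r"\b(?:pw-class|pseudowire-class)\s+(\S+)")
REQUIRED_IN_CLASS = ("encapsulation mpls", "status peer topology dual-homed")


def lint_hspw_config(text):
    """Return a list of findings for one router's pasted configuration."""
    pw_classes, ic_groups, icrm_refs, pw_refs = {}, set(), [], []
    findings, current_class, pending = [], None, None

    for raw in text.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        ref = PW_REF.match(line)
        if line.startswith("pseudowire-class "):
            current_class = line.split()[1]
            pw_classes.setdefault(current_class, set())
        elif line == "exit":
            current_class = None
        elif current_class and line in REQUIRED_IN_CLASS:
            pw_classes[current_class].add(line)
        elif line.startswith("interchassis group "):
            ic_groups.add(line.split()[2])
        elif line.startswith("aps hspw-icrm-grp "):
            icrm_refs.append(line.split()[2])
        elif ref:
            kind, peer, vcid, rest = ref.groups()
            cls = PW_CLASS_ARG.search(rest)
            pw_refs.append((kind, peer, vcid, cls.group(1) if cls else None))
            if kind == "xconnect":
                if pending:                      # previous xconnect never got a backup
                    findings.append(f"xconnect {pending} has no backup peer")
                pending = f"{peer} {vcid}"
            else:
                pending = None
    if pending:
        findings.append(f"xconnect {pending} has no backup peer")

    seen = set()
    for kind, peer, vcid, cls in pw_refs:
        try:
            ipaddress.IPv4Address(peer)
        except ValueError:
            findings.append(f"{kind} peer {peer!r} is not an IPv4 address")
        if (peer, vcid) in seen:                 # Note in Step 27: must be unique
            findings.append(f"peer/VC ID {peer} {vcid} is used more than once")
        seen.add((peer, vcid))
        if cls is None:
            findings.append(f"{kind} {peer} {vcid} names no pw-class")
        elif cls not in pw_classes:
            findings.append(f"pw-class {cls} is referenced but not defined")
        else:
            for cmd in REQUIRED_IN_CLASS:
                if cmd not in pw_classes[cls]:
                    findings.append(f"pw-class {cls} lacks '{cmd}'")
    for grp in icrm_refs:                        # assumption: same number space
        if grp not in ic_groups:
            findings.append(f"aps hspw-icrm-grp {grp} has no interchassis group {grp}")
    return list(dict.fromkeys(findings))         # drop repeats, keep order


# Trimmed from the working router P1 example on this page.
GOOD = """\
RouterP1(config)# pseudowire-class hspw_aps
RouterP1(config-pw-class)# encapsulation mpls
RouterP1(config-pw-class)# status peer topology dual-homed
RouterP1(config-pw-class)# exit
RouterP1(config)# redundancy
RouterP1(config-red)# interchassis group 1
RouterP1(config-r-ic)# member ip 14.2.0.2
RouterP1(config-r-ic)# exit
RouterP1(config)# controller sonet 1/1/0
RouterP1(config-controller)# aps group 3
RouterP1(config-controller)# aps working 1
RouterP1(config-controller)# aps hspw-icrm-grp 1
RouterP1(config-controller)# exit
RouterP1(config)# interface atm 1/1/ima0
RouterP1(config-if)# pvc 1/100 l2transport
RouterP1(config-if)# xconnect 3.3.3.3 1 encapsulation mpls pw-class hspw_aps
RouterP1(config-if)# backup peer 4.4.4.4 2 pw-class hspw_aps
"""

# Constructed faulty variant: no dual-homed status, wrong ICRM group, reused peer/VC ID.
BAD = (GOOD.replace("RouterP1(config-pw-class)# status peer topology dual-homed\n", "")
           .replace("aps hspw-icrm-grp 1", "aps hspw-icrm-grp 2")
           .replace("backup peer 4.4.4.4 2", "backup peer 3.3.3.3 1"))

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_hspw_config(cfg) or "no findings")
```

Run it against each of the four routers' configurations separately, since every check is scoped to a single router.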
Verification
Use these commands to verify the MR-APS integration with hot standby PW configuration.
Table 10-3 Verification
Command                              Purpose
show mpls l2transport vc             Displays information about Any Transport over MPLS (AToM) virtual circuits (VCs) that have been enabled to route layer 2 packets on a router.
show hspw-aps-icrm group group-id    Displays information about a specified hot standby PW APS group.
show hspw-aps-icrm all               Displays information about all hot standby PW APS and ICRM groups.
show redundancy interchassis         Displays information about interchassis redundancy group configuration.
show xconnect all                    Displays information about all xconnect attachment circuits and pseudowires.
Troubleshooting Tips
Table 10-4 Troubleshooting Tips
Command                              Purpose
debug hspw-aps errors                Displays information about hot standby PW APS group errors.
debug hspw-aps events                Displays information about events related to hot standby PW APS group configuration.
Verifying the Interface Configuration
The show cem circuit command shows information about the circuit state, administrative state, the
CEM ID of the circuit, and the interface on which it is configured. If xconnect is configured under the
circuit, the command output also includes information about the attached circuit.
Router# show cem circuit ?
<0-504> CEM ID
detail Detailed information of cem ckt(s)
interface CEM Interface
summary Display summary of CEM ckts
| Output modifiers
Router# show cem circuit
CEM Int. ID Line Admin Circuit AC
--------------------------------------------------------------
CEM1/1/0 1 UP UP ACTIVE --/--
CEM1/1/0 2 UP UP ACTIVE --/--
CEM1/1/0 3 UP UP ACTIVE --/--
CEM1/1/0 4 UP UP ACTIVE --/--
CEM1/1/0 5 UP UP ACTIVE --/--
The show cem circuit 0-504 command displays the detailed information about that particular circuit.
Router# show cem circuit 1
CEM1/1/0, ID: 1, Line State: UP, Admin State: UP, Ckt State: ACTIVE
Idle Pattern: 0xFF, Idle cas: 0x8, Dummy Pattern: 0xFF
Dejitter: 5, Payload Size: 40
Framing: Framed, (DS0 channels: 1-5)
Channel speed: 56
CEM Defects Set
Excessive Pkt Loss RatePacket Loss
Signalling: No CAS
RTP: No RTP
Ingress Pkts: 25929 Dropped: 0
Egress Pkts: 0 Dropped: 0
CEM Counter Details
Input Errors: 0 Output Errors: 0
Pkts Missing: 25927 Pkts Reordered: 0
Misorder Drops: 0 JitterBuf Underrun: 1
Error Sec: 26 Severly Errored Sec: 26
Unavailable Sec: 5 Failure Counts: 1
Pkts Malformed: 0
The show cem circuit summary command displays the number of circuits that are up or down on a
per-interface basis.
Router# show cem circuit summary
CEM Int. Total Active Inactive
--------------------------------------
CEM1/1/0 5 5 0
The show running module command shows detail on each CEM group:
Router# show running module 1
Building configuration...
Current configuration : 1542 bytes
card type t1 1 1
!
Controller T1 1/1/0
framing esf
linecode b8zs
cem-group 1 timeslots 1-5 speed 56
cem-group 2 timeslots 6-10 speed 56
cem-group 3 timeslots 11-15 speed 56
cem-group 4 timeslots 16-20 speed 56
cem-group 5 timeslots 21-24 speed 56
!
Controller T1 1/1/1
framing esf
linecode b8zs
!
Controller T1 1/1/2
framing esf
linecode b8zs
!
Controller T1 1/1/3
framing esf
!
Controller T1 1/1/4
framing esf
linecode b8zs
!
Controller T1 1/1/5
framing esf
fdl both
linecode b8zs
!
Controller T1 1/1/6
framing esf
linecode b8zs
!
Controller T1 1/1/7
framing esf
linecode b8zs
!
Controller T1 1/1/8
framing esf
linecode b8zs
!
Controller T1 1/1/9
framing esf
clock source internal
linecode b8zs
!
Controller T1 1/1/10
framing esf
linecode b8zs
!
Controller T1 1/1/11
framing esf
linecode b8zs
!
Controller T1 1/1/12
framing esf
linecode b8zs
!
Controller T1 1/1/13
framing esf
linecode b8zs
!
Controller T1 1/1/14
framing esf
linecode b8zs
!
Controller T1 1/1/15
framing esf
linecode b8zs
!
Controller T1 1/1/16
framing esf
linecode b8zs
!
Controller T1 1/1/17
framing esf
linecode b8zs
!
Controller T1 1/1/18
framing esf
linecode b8zs
!
Controller T1 1/1/19
framing esf
linecode b8zs
!
Controller T1 1/1/20
framing esf
linecode b8zs
!
Controller T1 1/1/21
framing esf
linecode b8zs
!
Controller T1 1/1/22
framing esf
linecode b8zs
!
Controller T1 1/1/23
framing esf
linecode b8zs
!
interface CEM1/1/0
no ip address
cem 1
!
cem 2
!
cem 3
!
cem 4
!
cem 5
!
end
Router# show int cem 2/1/3
CEM2/1/3 is up, line protocol is up
Hardware is Circuit Emulation Interface
MTU 1500 bytes, BW 10000000 Kbit, DLY 0 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation CEM, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Router# show class cem class1
Class: class1
Idle Pattern: 0x9, Idle cas: 0xF
Dejitter: 5, Payload Size: 100
RTP: No RTP
Router# show class cem all
Class: abcdefghijklmn
Idle Pattern: 0xF, Idle cas: 0x8
Dejitter: 200, Payload Size: 200
RTP: Configured, RTP-HDR Compression: Disabled
Class: class1
Idle Pattern: 0x9, Idle cas: 0xF
Dejitter: 5, Payload Size: 100
RTP: No RTP
Class: 1234
Idle Pattern: 0xF, Idle cas: 0x8
Dejitter: 5, Payload Size: 32
RTP: No RTP
Router# show class cem detail
Class: abcdefghijklmn
Idle Pattern: 0xF, Idle cas: 0x8
Dejitter: 200, Payload Size: 200
RTP: Configured, RTP-HDR Compression: Disabled
Circuits inheriting this Class:
None
Interfaces inheriting this Class:
None
Class: class1
Idle Pattern: 0x9, Idle cas: 0xF
Dejitter: 5, Payload Size: 100
RTP: No RTP
Circuits inheriting this Class:
None
Interfaces inheriting this Class:
None
Class: 1234
Idle Pattern: 0xF, Idle cas: 0x8
Dejitter: 5, Payload Size: 32
RTP: No RTP
Circuits inheriting this Class:
None
Router# show class cem class1
Class: class1
Idle Pattern: 0x9, Idle cas: 0xF
Dejitter: 5, Payload Size: 100
RTP: No RTP
Part 5: Ethernet Shared Port Adapters
Chapter 11: Overview of the Ethernet SPAs
This chapter provides an overview of the release history, and feature and Management Information
Base (MIB) support for the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router.
This chapter includes the following sections:
• Release History
• Supported Ethernet SPA
• Restrictions
• Supported MIBs
• SPA Architecture
• Displaying the SPA Hardware Type
Release History
Release         Modification
15.1(1)S        Support for Time of Day (ToD) feature on a 2-Port Gigabit Synchronous Ethernet SPA was introduced.
15.0(1)S        • Added support for 2-Port Gigabit Synchronous Ethernet SPA.
                • Added restriction for 2-Port Gigabit Ethernet SPA regarding copper SFP.
12.2(33)SRD     • Added support for SPA-8X1FE-TX-V2 and SPA-4X1FE-TX-V2 on SIP400
12.2(33)SRC     • Added SFP-GE-T support
                • Added SPA-1X10GE-L-V2 support to the SIP-400
12.2(33)SRB1    The Any Transport over MPLS over GRE (AToMoGRE) feature was introduced on the Cisco 7600 SIP-400 on the Cisco 7600 series router.
                The Backup Interface for Flexible UNI feature was introduced on the Cisco 7600 SIP-400 for Gigabit Ethernet SPAs.
12.2(33)SRA     Support for the following SPAs was introduced on the Cisco 7600 SIP-200 on the Cisco 7600 series router:
                • 4-Port Fast Ethernet SPA
                • 8-Port Fast Ethernet SPA
                The Multipoint Bridging feature was introduced on the Cisco 7600 SIP-400 on the Cisco 7600 series router.
                The Scalable EoMPLS feature was increased from 4 K to 12 K on the Cisco 7600 SIP-400 on the Cisco 7600 series router.
                Support for Ethernet Connectivity Fault Management and Ethernet Operations, Administration, and Maintenance was introduced.
12.2(18)SXF     Support for the following SPAs was introduced on the Cisco 7600 SIP-600 on the Cisco 7600 series router and Catalyst 6500 series switch:
                • 1-Port 10-Gigabit Ethernet SPA
                • 5-Port Gigabit Ethernet SPA
                • 10-Port Gigabit Ethernet SPA
                Support for the following SPA was introduced on the Cisco 7600 SIP-400 on the Cisco 7600 series router and Catalyst 6500 series switch:
                • 2-Port Gigabit Ethernet SPA
Supported Ethernet SPA
This section lists and describes the Ethernet SPA supported by the Cisco 7600 platform and the SIP line
cards supporting these Ethernet SPAs.
2-Port Gigabit Synchronous Ethernet SPA
The 2-Port Gigabit Synchronous Ethernet SPA provides time and frequency distribution across Ethernet
networks. Synchronization is not traditionally present in all-packet networks. Synchronization is
cost-effective, and especially important to service providers that migrated late to packet networks, and
use an external time-division multiplexing (TDM) circuit to provide timing to remote networks. These
remote networks constantly require synchronization for crucial voice services.
SPA-2X1GE-SYNCE also has the ability to interface with an external SSU/BITS interface or a GPS
timing interface. The 2-Port Gigabit Synchronous Ethernet SPA comprises these clock interfaces:
• BITS In
• BITS Out
• GPS In
• GPS Out
The 2-Port Gigabit Synchronous Ethernet SPA (SPA-2X1GE-SYNCE) is compatible with 2-Port GigE
SPA-v2, and provides additional services such as clock frequency and time of day synchronization, using
the following technologies:
• Synchronous Ethernet (SyncE)
• Ethernet Synchronization Messaging Channel (ESMC)
• IEEE1588v2
There are two standard ways to deliver timing across networks:
• Synchronous Ethernet (SyncE): Defined by ITU-T standards such as G.8261, G.8262, G.8264, and
G.781, SyncE leverages the PHY layer of Ethernet to transmit frequency to remote sites. SyncE
provides a cost-effective alternative to the SONET networks. For SyncE to work, each network
element along the synchronization path must support SyncE.
• IEEE 1588-2008 (PTPv2)
Supported Features
The following is a list of some of the significant hardware and software features supported by the Fast
Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router:
• Autonegotiation
• Full-duplex operation
• 802.1Q VLAN termination
• Jumbo frames support (9216 bytes)
• Support for command-line interface (CLI)-controlled OIR
• 802.3x flow control
• Up to 4000 VLANs per SPA
• Up to 5000 MAC accounting entries per SPA using Fugu hardware (source MAC accounting for the
ingress direction and destination MAC accounting for the egress direction)
• Per-port byte and packet counters for policy drops, oversubscription drops, CRC error drops, packet
sizes, unicast, multicast, and broadcast packets
• Per-VLAN byte and packet counters for policy drops, oversubscription drops, unicast, multicast, and
broadcast packets
• Per-port byte counters for good bytes and dropped bytes
• Multiprotocol Label Switching (MPLS)
• Any Transport over MPLS over GRE (AToMoGRE)
• Ethernet over Multiprotocol Label Switching (EoMPLS)
• Quality of service (QoS)
• Hot Standby Router Protocol (HSRP)
• Virtual Router Redundancy Protocol (VRRP)
• User-set speed
• Hierarchal Virtual Private LAN Service (H-VPLS) (Gigabit Ethernet SPAs only)
• Multipoint Bridging (Gigabit Ethernet SPAs only)
• Connectivity Fault Management (CFM)
• IP Subscriber Awareness over Ethernet
• Generic SPA features such as FPD, LEDs, voltage margining, environment monitoring
• ETHERLIKE-MIB
• IP QoS parity between SIP-200 and SIP-400 FE SPAs
• MAC address filtering
• Multicast feature parity between SIP-200 and SIP-400 SPAs
• IPv6 support
• Legacy protocols (IPX, CLNS)
• Address Resolution Protocol (ARP)/RARP
Additional features supported by the 2-Port Gigabit Synchronous Ethernet SPA on the Cisco 7600 series
router:
• L1 clock frequency distribution - In this mode the 2-Port Gigabit Synchronous Ethernet SPA
recovers the received clock, synchronizes it to a traceable source, and uses it to transmit data to the
next node.
• L2/L3 timing (event, phase, and frequency) is supported through IEEE 1588v2 PTP.
• A BITS interface for an external SSU/BITS device can be used as a clock source, or to clean up
accumulated wander on a system or recovered clock.
• The GPS timing interface is used for external GPS devices and can be selected as an input or output
reference. The GPS timing interface supports:
– connectivity to GPS clock
– translation of received GPS clock to IEEE1588v2 messages
• IEEE1588V2
• To maintain a communication channel in synchronous network connections, Ethernet relies
on a channel called Ethernet Synchronization Messaging Channel (ESMC), based on the IEEE 802.3
Organization Specific Slow Protocol. ESMC relays the SSM code that represents the quality level
of the Ethernet Equipment Clock (EEC) in a physical layer.
1588V2 Overview
IEEE 1588-2008 is a protocol specification standard, also known as Precision Time Protocol Version 2
(PTPv2). It is specifically designed to provide precise timing and synchronization over packet-based
Ethernet infrastructures.
Timing over Packet
Timing over Packet (ToP) works as a virtual interface on the route processor. Its IP address is the
address of the 2-Port Gigabit Synchronous Ethernet SPA’s PTP stack to the outside world. Other PTP
entities send packets to and receive packets from the interface’s IP address.
When a packet destined to the ToP IP address is received on the router, the router’s hardware redirects
it to the 2-Port Gigabit Synchronous Ethernet SPA and not to the route processor. ToP is configured
with a 32-bit mask. ToP does not support QoS. CoPP is supported.
Basic Operation of 1588V2
This section describes how PTP works. Figure 11-1 shows the message exchange between the PTPv2
Master and Slave.
Figure 11-1 PTPv2 Message Exchange
The message exchange occurs in this sequence:
• The master relays a SYNC message to the slave. The time at which this message is received is
recorded by the hardware assist unit on the slave. In Figure 11-1, this is represented as t1.
• The master records the actual time the SYNC message was sent (t0) from its own hardware assist
unit and relays a follow-up message containing the time stamp of the previous SYNC message to
the slave.
• To calculate the network delay, the slave sends a “Delay Request” message (t2) to the master. The
slave hardware assist unit records the time when the message is sent.
• Upon receiving the delay request message, the master transmits a delay response message (t3), with
the time stamp of t2, back to the slave.
• The slave uses the timestamps, t0 through t3, to calculate the offset and propagation delay to correct
its clock.
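The arithmetic behind the last step, as an added example that is not part of the original guide and not Cisco's clock recovery algorithm. It assumes that t3 is the time at which the master received the Delay Request, read on the master clock and carried back in the delay response, and it goes one step beyond the list by showing how path asymmetry and queuing delay distort the computed offset, with a minimum-delay filter as one general way to reduce the effect of queuing. All timestamps are constructed values in nanoseconds.

```python
"""Offset and path-delay arithmetic for the SYNC / Delay Request exchange.

Timestamps follow the list above, in integer nanoseconds:
  t0  master clock, SYNC sent            t1  slave clock, SYNC received
  t2  slave clock, Delay Request sent    t3  master clock, Delay Request received
      (assumed meaning of t3: the value the delay response returns to the slave)
"""


def offset_and_delay(t0, t1, t2, t3):
    """Return (slave_minus_master_offset, one_way_delay) for a symmetric path."""
    master_to_slave = t1 - t0      # path delay + offset
    slave_to_master = t3 - t2      # path delay - offset
    offset = (master_to_slave - slave_to_master) / 2
    delay = (master_to_slave + slave_to_master) / 2
    return offset, delay


def simulate(t0, true_offset, fwd_delay, rev_delay, turnaround=30_000):
    """Construct the four timestamps for a slave running true_offset ns ahead."""
    t1 = t0 + fwd_delay + true_offset        # read on the slave clock
    t2 = t1 + turnaround                     # read on the slave clock
    t3 = (t2 - true_offset) + rev_delay      # read on the master clock
    return t0, t1, t2, t3


def min_delay_offset(exchanges):
    """Offset taken from the exchange with the smallest round trip (least queuing)."""
    best = min(exchanges, key=lambda e: (e[1] - e[0]) + (e[3] - e[2]))
    return offset_and_delay(*best)[0]


def mean_offset(exchanges):
    """Plain average of the per-exchange offsets, for comparison."""
    return sum(offset_and_delay(*e)[0] for e in exchanges) / len(exchanges)


# Constructed scenarios: the slave is 1500 ns ahead, wire delay is 20000 ns each way.
SYMMETRIC = simulate(1_000_000, 1500, 20_000, 20_000)
ASYMMETRIC = simulate(1_000_000, 1500, 26_000, 20_000)   # 6000 ns extra in one direction
JITTERY = [
    simulate(0,         1500, 28_000, 20_000),   # SYNC queued for 8000 ns
    simulate(1_000_000, 1500, 20_000, 20_000),   # no queuing
    simulate(2_000_000, 1500, 20_000, 25_000),   # Delay Request queued for 5000 ns
]

if __name__ == "__main__":
    print("symmetric path  :", offset_and_delay(*SYMMETRIC))
    print("asymmetric path :", offset_and_delay(*ASYMMETRIC))
    print("mean of jittery :", mean_offset(JITTERY))
    print("min-delay filter:", min_delay_offset(JITTERY))
```

On the asymmetric path the computed offset is wrong by half the asymmetry, which is why the exchange cannot correct a one-directional delay on its own.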
1588V2 Supported Models
These are the two 1588V2 supported PTP models:
• Service SPA Model:
In the service SPA model, packets originate and terminate on the 2-Port Gigabit Synchronous Ethernet
SPA through SIP400. The service SPA model is simple, uses the existing infrastructure, and works
with different encapsulations.
The 2-Port Gigabit Synchronous Ethernet SPA receives redirected PTP packets, processes and sends
the reply packets to the central switching engine. These packets are forwarded based on the IP
address of the client.
These are the restrictions for the service SPA model:
– Time stamping is not done at the exact packet entry or exit of the system.
– The delay of PTP packets does not remain constant; these varying delays are called packet delay
variations (PDV).
• Direct SPA Model:
2-Port Gigabit Synchronous Ethernet SPA is capable of accurately timestamping the packet, on the
receiver and transmitter for the existing line cards on 7600. So to meet the ideal requirements of
1588v2, the PTP packets are received and transmitted on the same 2-Port Gigabit Synchronous
Ethernet SPA.
In the Direct SPA model, PTP packets are received or transmitted through the Ethernet port of the
2-Port Gigabit Synchronous Ethernet SPA. The PTP packets coming on a 2-Port Gigabit
Synchronous Ethernet SPA Ethernet interface are diverted to the PTP stack on the SPA by the FPGA.
The PTP stack or the algorithm then takes necessary action based on the configuration (master or
slave). The reply packets are sent out of the SPA’s Ethernet ports.
These are the restrictions for the direct SPA model:
– Only limited encapsulations are supported.
– The PTP packets are received only on 2-Port Gigabit Synchronous Ethernet SPA ports.
Supported Transport Modes
These are the transport modes that 1588v2 supports:
• Unicast Mode: In unicast mode, the 1588v2 master transmits the Sync or Delay_Resp messages to
the slave on the unicast IP address of the slave and the slave in turn transmits the Delay_Req to the
master on the unicast IP address of the master.
• Unicast Negotiation Mode: In unicast negotiation mode, Master does not know of any slave at the
outset. The slave sends a negotiation message to the Master. Unicast Negotiation mode is good for
scalability purpose as one master can have multiple slaves.
• Mix-multicast model: In Mix-multicast model, the master transmits messages in a multicast packet,
to the IP address 224.0.1.129 (defined by the 1588v2 standard). The slave learns the IP address of
the master in this process and transmits a delay request message. The master then transmits back a
delay response message to the slave in unicast mode.
To send messages in multicast mode, the master needs to explicitly specify the multicast egress
interface. This enables the intermediate network to route the IP address 224.0.1.129 to the slave.
Time of Day (TOD)
The 2-Port Gigabit Synchronous Ethernet SPA provides two physical interfaces to retrieve or generate
a timestamp to the GPS signal.
The physical interfaces used to retrieve Time of Day (ToD) and estimated phase are:
• 1PPS interface
• RJ45 interface
Figure 11-2 shows the Time of Day (ToD) and 1 PPS Synchronization using 1588V2:
Figure 11-2 Block Diagram for Time of Day(ToD) and 1 PPS Synchronization using 1588V2
Time of Day on the 1588V2 Master
In 1588V2 master mode, Time of Day (TOD) enables the 2-Port Gigabit Synchronous Ethernet SPA to
receive the time from the GPS receiver through the RJ45 interface and synchronize it with the SPA's
current time. The 1588V2 master requires 1PPS input from the GPS device to read ToD correctly.
Time of Day on the 1588V2 Slave
In 1588V2 slave mode, 2-port Gigabit synchronous Ethernet SPA recovers ToD from the 1588v2 session.
TOD and 1 PPS recovered from Precision Time Protocol (PTP) is replayed on the respective interfaces.
Restrictions
From 15.1(1)S release, these restrictions are applicable for the 1588V2 feature:
• The TOD recovered from the 1588v2 session is not in sync with the system clock.
• GPS interfaces can be used only for clock recovery. System clock cannot be transmitted out on the
GPS interface.
• The only TOD formats supported are UBOX, CISCO, and NTP.
To use the clock recovered from the 1588v2 session, the ToP interface should be configured as the
clock source.
Precision Time Protocol (PTP)
The Cisco 7600 series router supports the Precision Time Protocol (PTP) as defined by the IEEE
1588-2008 standard. PTP provides accurate time synchronization over packet-switched networks.
Table 11-1 provides the description of the nodes within a PTP network.
Table 11-1 Nodes within a PTP Network
Network Element     Description
Grandmaster         A network device physically attached to the primary time source. All clocks
                    are synchronized to the grandmaster clock.
Ordinary clock      An ordinary clock is a 1588 clock with a single PTP port that can operate in
                    one of the following modes:
                    • Master mode—Distributes timing information over the network to one or more
                      slave clocks, thus allowing the slave to synchronize its clock to the master.
                    • Slave mode—Synchronizes its clock to a master clock. You can enable the slave
                      mode on up to two interfaces simultaneously in order to connect to two
                      different master clocks.
Boundary clock      The device participates in selecting the best master clock and can act as the
                    master clock if no better clocks are detected.
                    Boundary clock starts its own PTP session with a number of downstream slaves.
                    The boundary clock mitigates the number of network hops and results in packet
                    delay variations in the packet network between the Grand Master and Slave.
Transparent clock   A transparent clock is a device or a switch that calculates the time it
                    requires to forward traffic and updates the PTP time correction field to
                    account for the delay, making the device transparent in terms of time
                    calculations.
PTP Redundancy
PTP redundancy is an implementation on different clock nodes. This helps the PTP slave clock node
achieve the following:
• Interact with multiple master ports such as grand master, boundary clock nodes, and so on.
• Open PTP sessions.
• Select the best master from the existing list of masters (referred to as the primary PTP master port
or primary clock source).
• Switch to the next best master available in case the primary master fails, or the connectivity to the
primary master fails.
Note The PTP redundancy model available on the 2-Port Gigabit Synchronous Ethernet SPA is hot standby
model.
Hot Standby Master Model
The Cisco 7600 series router selects the best clock source from the PTP master clocks, and switches
dynamically between them if the clock quality of the standby clock is greater than that of the current
master clock. The best master clock is selected based on the following parameters:
• Clock class
• Packet Timing Signal Fail (PTSF) announce failure status
• PTSF sync failure status
• PTSF unusable status (PDV)
• Local priority
Advantages of Hot Standby Master Model
The advantages of a hot standby master model are:
• Fast reference switching
• Monitoring of the PTSF unusable status or PDV for the clock stream before selecting it.
Disadvantages of Hot Standby Model
The disadvantages of hot standby model are:
• Full communication with all the PTP master ports injects more packets into the network.
• All the clock streams must be monitored, which increases CPU load on the SPA.
• Scales to only three master clocks as the clock source.
Restrictions
The maximum number of PTP master ports for 2-Port Gigabit Synchronous Ethernet SPA is limited to
three.
Configuring PTP Redundancy
PTP Redundancy with 2-Port Gigabit Synchronous Ethernet SPA as Master
This section provides the configuration for the PTP redundancy with 2-Port Gigabit Synchronous
Ethernet SPA as master.
Complete the following steps:
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 ptp clock ordinary/boundary domain domain-no
Step 4 clock-port word master
Step 5 transport ipv4 unicast interface gigabitethernet/top negotiation
Step 6 exit
DETAILED STEPS
Step 1 enable
    Example:
    Router# enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2 configure terminal
    Example:
    Router# configure terminal
    Purpose: Enters global configuration mode.
Step 3 ptp clock ordinary/boundary domain domain-no
    Example:
    Router(config)# ptp clock ordinary domain 0
    Purpose: Configures PTP ordinary or boundary clock.
Step 4 clock-port word master
    Example:
    Router(config-ptp-clk)# clock-port port master
    Purpose: Sets the clock port to PTP master mode; the port exchanges timing packets with
    PTP slave devices.
Step 5 transport ipv4 unicast interface gigabitethernet/top negotiation
    Example:
    Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
    Purpose: Sets port transport parameters.
    Note PTP redundancy is supported only on the unicast negotiation mode.
Step 6 exit
    Example:
    Router(config-ptp-port)# exit
    Purpose: Returns the command-line interface (CLI) to privileged EXEC mode.
Configuration Example
This is an example for configuration of PTP redundancy as a master clock:
Router# enable
Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port port master
Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
Router(config-ptp-port)# exit
PTP Redundancy with 2-Port Gigabit Synchronous Ethernet SPA as Slave
This section provides the configuration for the PTP redundancy with 2-Port Gigabit Synchronous
Ethernet SPA as slave.
Complete the following steps:
SUMMARY STEPS
Step 1 enable
Step 2 configure terminal
Step 3 ptp clock ordinary/boundary domain domain-no
Step 4 clock-port word slave
Step 5 transport ipv4 unicast interface gigabitethernet/top negotiation
Step 6 clock source ip local-priority
Step 7 exit
DETAILED STEPS
Step 1 enable
    Example:
    Router# enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2 configure terminal
    Example:
    Router# configure terminal
    Purpose: Enters global configuration mode.
Step 3 ptp clock ordinary/boundary domain domain-no
    Example:
    Router(config)# ptp clock ordinary domain 0
    Purpose: Configures PTP to either ordinary or boundary clock.
Step 4 clock-port word slave
    Example:
    Router(config-ptp-clk)# clock-port port slave
    Purpose: Sets the clock port to PTP slave mode; the port exchanges timing packets with a
    PTP master device.
Step 5 transport ipv4 unicast interface gigabitethernet/top negotiation
    Example:
    Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
    Purpose: Sets port transport parameters.
Step 6 clock source ip local-priority
    Example:
    Router(config-ptp-port)# clock source 8.8.8.1
    Purpose: Sets IP address of the PTP slave device.
Step 7 exit
    Example:
    Router(config-ptp-port)# exit
    Purpose: Returns the CLI to privileged EXEC mode.
This is an example for configuration of PTP redundancy as a slave clock:
Router# enable
Router# configure terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port port slave
Router(config-ptp-port)# transport ipv4 unicast interface gi 5/2/2 negotiation
Router(config-ptp-port)# clock source 8.8.8.1
Router(config-ptp-port)# clock source 9.9.9.1 1
Router(config-ptp-port)# clock source 10.10.10.1 2
Router(config-ptp-port)# exit
Verifying PTP Redundancy on the 2-Port Gigabit Synchronous Ethernet SPA
This section provides show commands for verifying the PTP redundancy as slave:
Router# show ptp clock running
PTP Ordinary Clock [Domain 0]
State Ports Pkts sent Pkts rcvd Redundancy Mode
ACQUIRING 1 7354 38543 Hot standby
PORT SUMMARY
PTP Master
Name Tx Mode Role Transport State Sessions Port Addr
SLAVE unicast slave Gi3/3/0 - 1 2.2.2.1
Router# show ptp clock running domain 0
PTP Ordinary Clock [Domain 0]
State Ports Pkts sent Pkts rcvd Redundancy Mode
ACQUIRING 1 2065 11432 Hot standby
PORT SUMMARY
PTP Master
Name Tx Mode Role Transport State Sessions Port Addr
SLAVE unicast slave Gi3/3/0 - 1 2.2.2.1
SESSION INFORMATION
SLAVE [Gi3/3/0] [Sessions 1]
Peer addr Pkts in Pkts out In Errs Out Errs
1.1.1.1 7859 1444 0 0
2.2.2.1 3573 621 0 0
Router# show ptp port running
PORT [SLAVE] CURRENT PTP MASTER PORT
Protocol Address: 2.2.2.1
Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
Local Priority: 1
PTSF Status: PTSF_UNUSABLE
Alarm In Stream:
Clock Stream Id: 0
Priority1: 128
Priority2: 128
Class: 13
Accuracy: Within 1s
Offset (log variance): 52592
Steps Removed: 0
Router# show ptp port running detail
PORT [SLAVE] CURRENT PTP MASTER PORT
Protocol Address: 2.2.2.1
Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
PORT [SLAVE] PREVIOUS PTP MASTER PORT
PORT [SLAVE] LIST OF PTP MASTER PORTS
LOCAL PRIORITY 0
Protocol Address: 1.1.1.1
Clock Identity: 0x0:8:7C:FF:FF:B2:3F:40
PTSF Status: PTSF_UNUSABLE
Alarm In Stream:
Clock Stream Id: 1
Priority1: 128
Priority2: 128
Class: 13
Accuracy: Within 1s
Offset (log variance): 52592
Steps Removed: 0
LOCAL PRIORITY 1
Protocol Address: 2.2.2.1
Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
PTSF Status: PTSF_UNUSABLE
Alarm In Stream:
Clock Stream Id: 0
Priority1: 128
Priority2: 128
Class: 13
Accuracy: Within 1s
Offset (log variance): 52592
Steps Removed: 0
Router# show platform ptp all
Slave info : [GigabitEthernet3/3/0][0x530EC0E8]
-----------
clock role : 2
Slave Port hdl : 3690987522
Tx Mode : 2
Slave IP : 1.1.1.2
Slave State Machine : 0x55EAEE0C
Slave state : 3
Config Vector : 0x457C1174
Selected Clk src : 2.2.2.1
Max Clk Srcs : 3
Boundary Clock : FALSE
Lock status : ACQUIRING
Refcnt : 1
--------------------------------
PTP Engine Handle : 1
Master IP : 1.1.1.1
Route to Master : GigabitEthernet3/3/0
N-H Mac address : 0008.7cb2.3f40
N-H Route Handle : 0x53C46628
N-H ARP Handle : 0x562FB3C8
Local Priority : 0
Set Master IP : 1.1.1.1
Set route IDB : GigabitEthernet3/3/0
Set route MAC : 0008.7cb2.3f40
--------------------------------
PTP Engine Handle : 0
Master IP : 2.2.2.1
Route to Master : GigabitEthernet3/3/1
N-H Mac address : 0006.527c.6ec0
N-H Route Handle : 0x53C465F4
N-H ARP Handle : 0x562FB418
Local Priority : 1
Set Master IP : 2.2.2.1
Set route IDB : GigabitEthernet3/3/1
Set route MAC : 0006.527c.6ec0
--------------------------------
PTP Engine Handle : -1
Master IP : 0.0.0.0
Route to Master : Not Set
N-H Mac address : 0000.0000.0000
N-H Route Handle : 0x0
N-H ARP Handle : 0x0
Local Priority : 0
Set Master IP : 0.0.0.0
Set route IDB : Not Set
Set route MAC : 0000.0000.0000
This section includes the show command to verify PTP redundancy as master:
Router# show ptp clock running domain 0
PTP Ordinary Clock [Domain 0]
State Ports Pkts sent Pkts rcvd Redundancy Mode
FREQ_LOCKED 1 25077 4798 Hot standby
PORT SUMMARY
PTP Master
Name Tx Mode Role Transport State Sessions Port Addr
MASTER1 unicast master Gi1/0/0 - 1 -
SESSION INFORMATION
MASTER1 [Gi1/0/0] [Sessions 1]
Peer addr Pkts in Pkts out In Errs Out Errs
1.1.1.2 4798 25077 0 0
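The show ptp port running detail output above can be checked automatically when monitoring a hot standby slave. The following Python parser is an added example, not Cisco code and not part of the original guide; the function names are hypothetical, and treating any PTSF status other than PTSF_UNUSABLE as usable is an assumption.

```python
import re

# "show ptp port running detail" output as printed on this page
# (whitespace as it appears here; the parser strips indentation anyway).
SAMPLE = """\
Router# show ptp port running detail
PORT [SLAVE] CURRENT PTP MASTER PORT
Protocol Address: 2.2.2.1
Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
PORT [SLAVE] PREVIOUS PTP MASTER PORT
PORT [SLAVE] LIST OF PTP MASTER PORTS
LOCAL PRIORITY 0
Protocol Address: 1.1.1.1
Clock Identity: 0x0:8:7C:FF:FF:B2:3F:40
PTSF Status: PTSF_UNUSABLE
Alarm In Stream:
Clock Stream Id: 1
Priority1: 128
Priority2: 128
Class: 13
Accuracy: Within 1s
Offset (log variance): 52592
Steps Removed: 0
LOCAL PRIORITY 1
Protocol Address: 2.2.2.1
Clock Identity: 0x0:6:52:FF:FF:7C:6E:C0
PTSF Status: PTSF_UNUSABLE
Alarm In Stream:
Clock Stream Id: 0
Priority1: 128
Priority2: 128
Class: 13
Accuracy: Within 1s
Offset (log variance): 52592
Steps Removed: 0
"""

SECTION = re.compile(
    r"^PORT \[(?P<port>[^\]]+)\] (?P<kind>CURRENT|PREVIOUS|LIST OF) PTP MASTER PORTS?$")
PRIORITY = re.compile(r"^LOCAL PRIORITY (\d+)$")
FIELD = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")

MAX_MASTERS = 3  # limit stated on this page for the 2-Port Gigabit Synchronous Ethernet SPA


def parse_ptp_port_detail(text):
    """Split the output into current master, previous master and the master list."""
    result = {"port": None, "current": {}, "previous": {}, "masters": []}
    target = None  # dict that "Key: value" lines are currently written to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = SECTION.match(line)
        if section:
            result["port"] = section["port"]
            kind = section["kind"]
            if kind == "CURRENT":
                target = result["current"]
            elif kind == "PREVIOUS":
                target = result["previous"]
            else:
                target = None  # list entries start at the next LOCAL PRIORITY line
            continue
        priority = PRIORITY.match(line)
        if priority:
            target = {"Local Priority": int(priority[1])}
            result["masters"].append(target)
            continue
        field = FIELD.match(line)
        if field and target is not None:
            target[field["key"].strip()] = field["value"].strip()
    return result


def assess(parsed):
    """Return findings an operator would want raised for this slave port."""
    findings = []
    masters = parsed["masters"]
    current = parsed["current"].get("Protocol Address")
    by_addr = {m.get("Protocol Address"): m for m in masters}
    if current not in by_addr:
        findings.append(f"current master {current} is not in the master list")
    elif by_addr[current].get("PTSF Status") == "PTSF_UNUSABLE":
        findings.append(f"current master {current} reports PTSF_UNUSABLE")
    # Assumption: any status other than PTSF_UNUSABLE counts as usable.
    standby = [addr for addr, m in by_addr.items()
               if addr != current and m.get("PTSF Status") != "PTSF_UNUSABLE"]
    if not standby:
        findings.append("no usable standby master in the list")
    if len(masters) > MAX_MASTERS:
        findings.append(f"{len(masters)} masters listed, limit is {MAX_MASTERS}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ptp_port_detail(SAMPLE)):
        print(finding)
```

Run against the output on this page, both findings are raised, which matches the ACQUIRING state shown by show ptp clock running.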
Synchronous Ethernet
Synchronous Ethernet (SyncE) is a procedure in which a physical layer interface is used to pass timing
from node to node in the same way timing is passed in SONET or SDH. SyncE, defined by ITU-T
standards such as G.8261, G.8262, G.8264, and G.781, leverages the PHY layer of Ethernet to transmit
frequency to remote sites. SyncE over Ethernet provides a cost-effective alternative to the networks. For
SyncE to work, each network element along the synchronization path must support SyncE.
The 2-Port Gigabit Synchronous Ethernet SPA has a dedicated external interface known as the BITS
interface to recover the clock from a Synchronization Supply Unit (SSU). The 7600 router uses this clock
for SyncE. The BITS interface supports E1 (European SSUs) and T1 (American BITS) framing.
Table 11-2 lists the framing modes for the BITS port on a 2-Port Gigabit Synchronous Ethernet SPA.
Table 11-2 Framing Modes for BITS Port
BITS/SSU port support Matrix   Framing modes supported   SSM/QL support   Tx Port   Rx Port
T1                             T1 ESF                    Yes              Yes       Yes
T1                             T1 SF                     No               Yes       Yes
E1                             E1 CRC4                   Yes              Yes       Yes
E1                             E1 FAS                    No               Yes       Yes
E1                             E1 CAS                    No               No        Yes
E1                             E1 CAS CRC4               Yes              No        Yes
2048kHz                        2048kHz                   No               Yes       Yes
You can implement SyncE on the 2-Port Gigabit Synchronous Ethernet SPA with four different
configurations:
• Clock Recovery from SyncE: System clock is recovered from the SyncE clocking source (gigabit
and ten gigabit interfaces only). The router uses this clock as the Tx clock for other SyncE interfaces
or ATM/CEoP interfaces.
• Clock Recovery from External Interface: System clock is recovered from a BITS clocking source
or a GPS interface.
• Line to External: The clock received from an Ethernet is forwarded to an external Synchronization
Supply Unit (SSU). During a synchronization chain, the received clock may have unacceptable
wander and jitter. The router recovers the clock from the SyncE interface, converts it to the format
required for the BITS interface, and sends it to an SSU through the BITS port. The SSU performs the
cleanup and sends it back to the BITS interface. This clock is used as the Tx clock for the SyncE ports.
• System to External: The system clock is used as the Tx clock for an external interface. By default the
system clock is not transmitted on an external interface.
Squelching
Squelching is a process in which an alarm indication signal (AIS) is sent to the Tx interfaces whenever
the clock source goes down. The squelching functionality is implemented in two cases:
• Line to external: If the line source goes down, an AIS is transmitted on the external interface to the
SSU.
• System to external: If the router loses all the clock sources, an AIS is transmitted on the external
interface to the SSU.
Squelching is performed only on an external device such as SSU or Primary Reference Clock (PRC).
SSM and ESMC
Network Clocking uses these mechanisms to exchange the quality level of the clock between the network
elements:
• Synchronization Status Message
• Ethernet Synchronization Messaging Channel
Synchronization Status Message
Network elements use Synchronization Status Messages (SSM) to inform the neighboring elements
about the Quality Level (QL) of the clock. The non-Ethernet interfaces such as optical interfaces and
SONET/T1/E1 SPA framers use SSM. The key benefits of the SSM functionality are:
• Prevents timing loops.
• Provides fast recovery when a part of the network fails.
• Ensures that a node derives timing from the most reliable clock source.
Ethernet Synchronization Messaging Channel
In order to maintain a logical communication channel in synchronous network connections, Ethernet
relies on a channel called Ethernet Synchronization Messaging Channel (ESMC) based on IEEE 802.3
Organization Specific Slow Protocol standards. ESMC relays the SSM code that represents the quality
level of the Ethernet Equipment Clock (EEC) in a physical layer.
The ESMC packets are received only for those ports configured as clock sources and transmitted on all
the SyncE interfaces in the system. These packets are then processed by the Clock selection algorithm
on RP and are used to select the best clock. The Tx frame is generated based on the QL value of the
selected clock source and sent to all the enabled SyncE ports.
Clock Selection Algorithm
Clock selection algorithm selects the best available synchronization source from the nominated sources.
The clock selection algorithm has a non-revertive behavior among clock sources with same QL value
and always selects the signal with the best QL value. For clock option 1, the default is revertive and for
clock option 2, the default is non-revertive.
The clock selection process works in the QL enabled and QL disabled modes. When multiple selection
processes are present in a network element, all processes work in the same mode.
QL-enabled mode
In QL-enabled mode, the following parameters contribute to the selection process:
• Quality level
• Signal fail via QL-FAILED
• Priority
• External commands.
If no external commands are active, the algorithm selects the reference (for clock selection) with the
highest quality level that does not experience a signal fail condition. If multiple inputs have the same
highest quality level, the input with the highest priority is selected. For multiple inputs having the same
highest priority and quality level, the existing reference is maintained (if it belongs to this group),
otherwise an arbitrary reference from this group is selected.
QL-disabled mode
In QL-disabled mode, the following parameters contribute to the selection process:
• Signal failure
• Priority
• External commands
If no external commands are active, the algorithm selects the reference (for clock selection) with the
highest priority that does not experience a signal fail condition. For multiple inputs having the same
highest priority, the existing reference is maintained (if it belongs to this group), otherwise an arbitrary
reference from this group is selected.
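The selection rules described above for QL-enabled and QL-disabled modes can be traced with the following added Python example (not Cisco code and not part of the original guide). The quality-level names follow ITU-T G.781 option 1, lower priority numbers are treated as higher priority, and the source names are constructed; these are assumptions, and external commands and the revertive setting are not modeled.

```python
from dataclasses import dataclass, replace

# Assumption: ITU-T G.781 option 1 quality levels, best first (not listed on this page).
QL_RANK = {"QL-PRC": 0, "QL-SSU-A": 1, "QL-SSU-B": 2, "QL-SEC": 3}


@dataclass(frozen=True)
class ClockInput:
    name: str                  # nominated source (constructed names below)
    priority: int              # assumption: lower number means higher priority
    ql: str = "QL-SEC"         # quality level learned through SSM/ESMC
    signal_fail: bool = False  # signal fail condition (QL-FAILED in QL-enabled mode)


def select_reference(inputs, current=None, ql_enabled=True):
    """Return the name of the selected reference, or None if every input has failed."""
    candidates = [c for c in inputs if not c.signal_fail]
    if not candidates:
        return None

    def rank(c):
        # QL-enabled: quality level first, then priority. QL-disabled: priority only.
        return (QL_RANK[c.ql], c.priority) if ql_enabled else (c.priority,)

    best = min(rank(c) for c in candidates)
    group = [c.name for c in candidates if rank(c) == best]
    if current in group:
        return current   # the existing reference is maintained within the best group
    return group[0]      # "arbitrary" choice: first nominated source in the group


def replay(snapshots, ql_enabled=True):
    """Run the selection over successive input states, carrying the selection forward."""
    selected = None
    history = []
    for inputs in snapshots:
        selected = select_reference(inputs, selected, ql_enabled)
        history.append(selected)
    return history


# Constructed sample: three nominated sources and four successive states.
GI0 = ClockInput("Gi2/0/0", priority=1, ql="QL-SEC")
GI1 = ClockInput("Gi2/0/1", priority=2, ql="QL-PRC")
BITS = ClockInput("BITS", priority=2, ql="QL-PRC")

SNAPSHOTS = [
    [GI0, GI1, BITS],                             # all sources healthy
    [GI0, replace(GI1, signal_fail=True), BITS],  # Gi2/0/1 fails
    [GI0, GI1, BITS],                             # Gi2/0/1 recovers
    [replace(GI0, signal_fail=True),              # every source fails
     replace(GI1, signal_fail=True),
     replace(BITS, signal_fail=True)],
]

if __name__ == "__main__":
    print("QL-enabled :", replay(SNAPSHOTS, ql_enabled=True))
    print("QL-disabled:", replay(SNAPSHOTS, ql_enabled=False))
```

In QL-enabled mode the selection stays on BITS after Gi2/0/1 recovers, because both share the best quality level and priority; in QL-disabled mode Gi2/0/0 wins on priority alone even though its quality level is lower.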
Hybrid mode
The SyncE feature requires that each network element along the synchronization path support
SyncE. Timing over Packet (ToP) enables transfer of timing over an asynchronous network. The hybrid
mode uses the clock derived from 1588 (PTP) to drive the system clock. This is achieved by configuring
the Timing over Packet (ToP) interface on the PTP slave as the input source.
For more information on 1588V2, see 1588V2 Overview, page 11-4.
Note The ToP interface does not support QL and works only in the QL-disabled mode.
For information on configuring the network clock, see Configuring Boundary Clock for 2-Port Gigabit
Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.
Restrictions
Note For other SIP-specific features and restrictions see also Chapter 3, “Overview of the SIPs and SSC.”
These restrictions apply to the 2-Port Gigabit Synchronous Ethernet SPA introduced in Cisco IOS
release 15.0(1)S:
• Synchronous SPA features are compatible with 2-Port Gigabit Synchronous Ethernet SPA.
• The maximum theoretical bandwidth of the 2-Port Gigabit Synchronous Ethernet SPA is 2 Gbps
full-duplex. The actual performance is limited by the capability of the host or jacket card.
• In a failover scenario the SPA does not perform any autoswitchover to a secondary clock source,
even if the secondary reference is configured on the same SPA. If the primary clock goes down then
the platform explicitly sets the secondary clock as source.
• The 2-Port Gigabit Ethernet SPA has copper ports present and therefore does not allow the copper
SFP to be enabled on it. Use the show hw-module subslot transceiver status command to view the status of the transceiver on the card.
Starting from the 12.2(33)SRD release, SPA-8X1FE-TX-V2 and SPA-4X1FE-TX-V2 are supported on
SIP-400.
The following restrictions apply to Cisco IOS Release 12.2(18)SXF:
• EtherChannel is not supported on Fast Ethernet SPAs or the 2-Port Gigabit Ethernet SPA on the
Cisco 7600 SIP-400.
• The Line to External configuration for clock clean up is supported only if the line interface and the
external (BITS) interface are on the same 2-Port Gigabit Synchronous Ethernet SPA.
• A GPS cannot be used as an output source.
• If there are more than two sources configured as clocks on the SIP400 and one of them goes Out of
Range (OOR), then that clock is not selected unless it is configured again.
• We recommend that you do not configure multiple input sources with the same priority as this may
impact the TSM switching delay.
Hybrid Mode Restrictions
• When a 2-Port Gigabit Synchronous Ethernet SPA functions as the Master, the clock source can be
system or a port such as GPS, BITS or Gigabitethernet on the SPA. But when the SPA functions as
the Slave, clock recovery can only be through PTP and not from any other source.
• When a 2-Port Gigabit Synchronous Ethernet SPA functions as the Slave, and the external interface
is on the SPA, the system to external command is not supported.
Supported MIBs
The following MIBs are supported by the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600
series router:
• ENTITY-MIB (RFC 2737)
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-ALARM-MIB
• CISCO-ENTITY-SENSOR-MIB
• IF-MIB
• ETHERLIKE-MIB (RFC 2665)
• Remote Monitoring (RMON)-MIB (RFC 1757)
• CISCO-CLASS-BASED-QOS-MIB
• MPLS-related MIBs
• Ethernet MIB/RMON
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your
account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify
that your e-mail address is registered with Cisco.com. If the check is successful, account details with a
new random password will be e-mailed to you.
SPA Architecture
This section provides an overview of the architecture of the Fast Ethernet and Gigabit Ethernet SPAs and
describes the path of a packet in the ingress and egress directions. Some of these areas of the architecture
are referenced in the SPA software and can be helpful to understand when troubleshooting or interpreting
some of the SPA CLI and show command output.
Every incoming and outgoing packet on the Fast Ethernet SPAs goes through the physical port (PHY
RJ45), the Media Access Controller (MAC), and a Layer 2 Filtering/Accounting ASIC. Every incoming
and outgoing packet on the Gigabit Ethernet SPAs goes through the physical (PHY) SFP optics, the
Media Access Controller (MAC), and a Layer 2 Filtering/Accounting ASIC.
Path of a Packet in the Ingress Direction
The following steps describe the path of an ingress packet through the Fast Ethernet or Gigabit Ethernet
SPAs:
1. For Fast Ethernet SPAs, each of the ports receives incoming frames from one of the RJ45 interface
connectors. For Gigabit Ethernet SPAs, the SFP optics receive incoming frames on a per-port basis
from one of the optical fiber interface connectors.
2. For Fast Ethernet SPAs, the PHY device processes the frame and sends it over a serial interface to
the MAC device. For Gigabit Ethernet SPAs, the SFP PHY device processes the frame and sends it
over a serial interface to the MAC device.
3. The MAC device receives the frame, strips the CRCs, and sends the packet via the SPI 4.2 bus to the
ASIC.
4. The ASIC takes the packet from the MAC devices and classifies the Ethernet information. CAM
lookups based on etype, port, VLAN, and source and destination address information determine
whether the packet is dropped or forwarded to the SPA interface.
Path of a Packet in the Egress Direction
The following steps describe the path of an egress packet from the SIP through the Fast Ethernet and
Gigabit Ethernet SPAs:
1. The packet is sent to the ASIC using the SPI 4.2 bus. The packets are received with Layer 2 and
Layer 3 headers in addition to the packet data.
2. The ASIC uses port number, destination MAC address, destination address type, and VLAN ID to
perform parallel CAM lookups. If the packet is forwarded, it is forwarded via the SPI 4.2 bus to the
MAC device.
3. For Fast Ethernet SPAs, the MAC device forwards the packets to the PHY RJ45 interface, which
transmits the packet. For Gigabit Ethernet SPAs, the MAC device forwards the packets to the PHY
laser-optic interface, which transmits the packet.
Displaying the SPA Hardware Type
To verify the SPA hardware type that is installed in your Cisco 7600 series router, you can use the show
interfaces command.
Table 11-3 shows the hardware description that appears in the show command output for each type of
Fast Ethernet and Gigabit Ethernet SPA that is supported on the Cisco 7600 series router.
Table 11-3 SPA Hardware Descriptions in show Commands
SPA                              Description in show interfaces Command
4-Port Fast Ethernet SPA         Hardware is FastEthernet SPA
8-Port Fast Ethernet SPA         Hardware is FastEthernet SPA
1-Port 10-Gigabit Ethernet SPA   Hardware is TenGigEther SPA
2-Port Gigabit Ethernet SPA      Hardware is GigEther SPA
5-Port Gigabit Ethernet SPA      Hardware is GigEther SPA
10-Port Gigabit Ethernet SPA     Hardware is GigEther SPA
Example of the show hw-module subslot transceiver Command
The following example shows output from the show hw-module subslot 1/1 transceiver 1 status
command on a Cisco 7600 series router with a 2-Port Gigabit Ethernet SPA installed in slot 1 and subslot
1:
Router# show hw-module subslot 1/1 transceiver 1 status
The transceiver in slot 1 subslot 1 port 1
has been disabled because:
it is not supported by this card.
Sensor Data is not supported by this transceiver
Example of the show interfaces Command
The following example shows output from the show interfaces fastethernet command on a Cisco 7600
series router with a 4-Port Fast Ethernet SPA installed in slot 3:
Router# show interfaces fastethernet3/2/3
FastEthernet3/2/3 is up, line protocol is up
Hardware is FastEthernet SPA, address is 000e.d623.e840 (bia 000e.d623.e840)
Internet address is 33.1.0.2/16
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 59/255, rxload 83/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:11, output 00:00:08, output hang never
Last clearing of "show interface" counters 3d00h
Input queue: 0/75/626373350/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 32658000 bits/sec, 68032 packets/sec
5 minute output rate 23333000 bits/sec, 48614 packets/sec
17792456686 packets input, 1067548381456 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
12719598014 packets output, 763177809958 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
The following example shows output from the show interfaces gigabitethernet command on a
Cisco 7600 series router with a 2-Port Gigabit Ethernet SPA installed in slot 2:
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 03:19:34, output 03:19:29, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1703 packets input, 638959 bytes, 0 no buffer
Received 23 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1670 multicast, 0 pause input
1715 packets output, 656528 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
The following example shows output from the show interfaces tengigabitethernet command on a
Cisco 7600 series router with a 1-Port 10-Gigabit Ethernet SPA installed in slot 7:
Router# show interfaces tengigabitethernet7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
Internet address is 15.1.1.2/24
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 10Gb/s
input flow-control is on, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:10, output hang never
Last clearing of "show interface" counters 20:24:30
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
237450882 packets input, 15340005588 bytes, 0 no buffer
Received 25 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1676 packets output, 198290 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
The following example shows output from the show interfaces gigabitethernet command on a
Cisco 7600 series router with a 2-Port Gigabit Synchronous Ethernet SPA installed in slot 2:
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 03:19:34, output 03:19:29, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1703 packets input, 638959 bytes, 0 no buffer
Received 23 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1670 multicast, 0 pause input
1715 packets output, 656528 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Chapter 12
Configuring the Fast Ethernet and Gigabit Ethernet SPAs
This chapter provides information about configuring the 4-Port Fast Ethernet SPA (shared port adapter),
8-Port Fast Ethernet SPA, 1-Port 10-Gigabit Ethernet SPA, 2-Port Gigabit Ethernet SPA, 5-Port Gigabit
Ethernet SPA, and 10-Port Gigabit Ethernet SPA on the Cisco 7600 series router. It includes the
following sections:
• Configuration Tasks, page 12-1
• Verifying the Interface Configuration, page 12-104
• Configuration Examples, page 12-105
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and the Cisco IOS Configuration Fundamentals
Command Reference publications that correspond to your Cisco IOS software release.
Configuration Tasks
This section describes how to configure the Fast Ethernet and Gigabit Ethernet SPAs and includes
information about verifying the configuration.
This section includes the following topics:
• Required Configuration Tasks, page 12-2
• Specifying the Interface Address on a SPA, page 12-4
• Modifying the MAC Address on the Interface, page 12-5
• Gathering MAC Address Accounting Statistics, page 12-5
• Configuring HSRP, page 12-6
• Customizing VRRP, page 12-6
• Modifying the Interface MTU Size, page 12-9
• Configuring the Encapsulation Type, page 12-11
• Configuring Autonegotiation on an Interface, page 12-11
• Configuring a Subinterface on a VLAN, page 12-13
• Configuring Layer 2 Switching Features, page 12-15
• Configuring Flow Control Support on the Link, page 12-21
• Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Mode, page 12-23
• Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Neg Mode, page 12-24
• Configuring 2-Port Gigabit Synchronous Ethernet SPA in Multicast Mode, page 12-25
• Configuring ToD on 1588V2 Master, page 12-26
• Configuring ToD on 1588V2 Slave, page 12-27
• Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400,
page 12-29
• Configuring EtherChannels, page 12-46
• Configuring Virtual Private LAN Service (VPLS) and Hierarchical VPLS, page 12-46
• Configuring Connectivity Fault Management (CFM), page 12-46
• Troubleshooting CFM Features, page 12-58
• Configuring IP Subscriber Awareness over Ethernet, page 12-78
• Configuring a Backup Interface for Flexible UNI, page 12-79
• Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA, page 12-85
• Configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA, page 12-93
• Configuring QoS on Ethernet SPAs, page 12-99
• Saving the Configuration, page 12-103
• Shutting Down and Restarting an Interface on a SPA, page 12-103
Required Configuration Tasks
This section lists the required configuration steps to configure the Fast Ethernet and Gigabit Ethernet
SPAs. The commands in the section are applicable for both Fast Ethernet and Gigabit Ethernet SPAs;
however, the examples below are for configuring a Gigabit Ethernet SPA. If you are configuring a Fast
Ethernet SPA, replace the gigabitethernet command with the fastethernet command.
Some of the required configuration commands implement default values that might be appropriate for
your network. If the default value is correct for your network, then you do not need to configure the
command. These commands are indicated by “(As Required)” in the Purpose column.
Note Cisco Discovery Protocol (CDP) is disabled by default on Cisco 7600 SIP-400 interfaces.
To configure the Fast Ethernet or Gigabit Ethernet SPAs, complete the following steps:
Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command: Router(config)# interface fastethernet slot/subslot/port[.subinterface-number]
or
Router(config)# interface gigabitethernet slot/subslot/port[.subinterface-number]
or
Router(config)# interface tengigabitethernet slot/subslot/port[.subinterface-number]
Purpose: Specifies the Fast Ethernet, Gigabit Ethernet or Ten Gigabit Ethernet interface to
configure, where:
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
• .subinterface-number—(Optional) Specifies a secondary interface (subinterface) number.
Step 3
Command: Router(config-if)# ip address [ip-address mask {secondary} | dhcp {client-id
interface-name}{hostname host-name}]
Purpose: Sets a primary or secondary IP address for an interface that is using IPv4, where:
• ip-address—Specifies the IP address for the interface.
• mask—Specifies the mask for the associated IP subnet.
• secondary—(Optional) Specifies that the configured address is a secondary IP address. If this
keyword is omitted, the configured address is the primary IP address.
• dhcp—Specifies that IP addresses will be assigned dynamically using DHCP.
• client-id interface-name—Specifies the client identifier. The interface-name sets the client
identifier to the hexadecimal MAC address of the named interface.
• hostname host-name—Specifies the hostname for DHCP purposes. The host-name is the name of the
host to be placed in the DHCP option 12 field.
Note The DHCP options with this command are not available for all Gigabit Ethernet SPAs and Fast
Ethernet SPAs.
Step 4
Command: Router(config-if)# ip accounting mac-address {input | output}
Purpose: (Optional) Enables MAC address accounting. MAC address accounting provides accounting
information for IP traffic based on the source and destination MAC addresses of the LAN interfaces,
where:
• input—Specifies MAC address accounting for traffic entering the interface.
• output—Specifies MAC address accounting for traffic leaving the interface.
Step 5
Command: Router(config-if)# mtu bytes
Purpose: (As Required) Specifies the maximum packet size for an interface, where:
• bytes—Specifies the maximum number of bytes for a packet.
The default is 1500 bytes.
Step 6
Command: Router(config-if)# standby [group-number] ip [ip-address [secondary]]
Purpose: (Required for Hot Standby Router Protocol [HSRP] Configuration Only) Creates (or enables)
the HSRP group using its number and virtual IP address, where:
• group-number—(Optional) Specifies the group number on the interface for which HSRP is being
enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need
to enter a group number.
• ip-address—(Optional on all but one interface if configuring HSRP) Specifies the virtual IP
address of the hot standby router interface. You must enter the virtual IP address for at least one
of the interfaces; it can be learned on the other interfaces.
• secondary—(Optional) Specifies the IP address is a secondary hot standby router interface. If
neither router is designated as a secondary or standby router and no priorities are set, the primary
IP addresses are compared and the higher IP address is the active router, with the next highest as
the standby router.
This command enables HSRP but does not configure it further. For additional information on
configuring HSRP, refer to the HSRP section of the Cisco IP Configuration Guide publication that
corresponds to your Cisco IOS software release.
Step 7
Command: Router(config-if)# no shutdown
Purpose: Enables the interface.
Specifying the Interface Address on a SPA
SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port
number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SPA
interface processor (SIP), SPA, and interface in the command-line interface (CLI). The interface address
format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; however, the same slot/subslot/port
format is used for other SPAs (such as Asynchronous Transfer Mode [ATM] and packet over
SONET [POS]) and other non-channelized SPAs.
Modifying the MAC Address on the Interface
The Gigabit Ethernet SPAs use a default MAC address for each port that is derived from the base address
that is stored in the electrically erasable programmable read-only memory (EEPROM) on the backplane
of the Cisco 7600 series router.
To modify the default MAC address of an interface to some user-defined address, use the following
command in interface configuration mode:
Command: Router(config-if)# mac-address ieee-address
Purpose: Modifies the default MAC address of an interface to some user-defined address, where:
• ieee-address—Specifies the 48-bit IEEE MAC address written as a dotted triple of four-digit
hexadecimal numbers (xxxx.yyyy.zzzz).
To return to the default MAC address on the interface, use the no form of the command.
Verifying the MAC Address
To verify the MAC address of an interface, use the show interfaces gigabitethernet privileged EXEC
command and observe the value shown in the “address is” field.
The following example shows that the MAC address is 000a.f330.2e40 for interface 1 on the SPA
installed in subslot 0 of the SIP installed in slot 2 of the Cisco 7600 series router:
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
output flow-control is on, input flow-control is on
(Additional output removed for readability)
Gathering MAC Address Accounting Statistics
The ip accounting mac-address [input | output] command can be entered to enable MAC Address
Accounting on an interface. After enabling MAC Address Accounting, MAC address statistics can be
gathered by entering the show interfaces mac-accounting command.
Configuring HSRP
Hot Standby Router Protocol (HSRP) provides high network availability because it routes IP traffic from
hosts without relying on the availability of any single router. HSRP is used in a group of routers for
selecting an active router and a standby router. (An active router is the router of choice for routing
packets; a standby router is a router that takes over the routing duties when an active router fails, or when
preset conditions are met).
HSRP is enabled on an interface by entering the standby [group-number] ip [ip-address [secondary]]
command. The standby command is also used to configure various HSRP elements. This document does
not discuss more complex HSRP configurations. For additional information on configuring HSRP,
refer to the HSRP section of the Cisco IP Configuration Guide publication that corresponds to your
Cisco IOS software release.
In the following HSRP configuration, standby group 2 on GigabitEthernet port 2/1/0 is configured at a
priority of 110 and is also configured to have a preemptive delay should a switchover to this port occur:
Router(config)# interface GigabitEthernet 2/1/0
Router(config-if)# standby 2 ip 120.12.1.200
Router(config-if)# standby 2 priority 110
Router(config-if)# standby 2 preempt
Verifying HSRP
To display HSRP information, use the show standby command in EXEC mode:
Router# show standby
Ethernet0 - Group 0
Local state is Active, priority 100, may preempt
Hellotime 3 holdtime 10
Next hello sent in 0:00:00
Hot standby IP address is 198.92.72.29 configured
Active router is local
Standby router is 198.92.72.21 expires in 0:00:07
Standby virtual mac address is 0000.0c07.ac00
Tracking interface states for 2 interfaces, 2 up:
UpSerial0
UpSerial1
Customizing VRRP
Customizing the behavior of Virtual Router Redundancy Protocol (VRRP) is optional. Be aware that as
soon as you enable a VRRP group, that group is operating. It is possible that if you first enable a VRRP
group before customizing VRRP, the router could take over control of the group and become the master
virtual router before you have finished customizing the feature. Therefore, if you plan to customize
VRRP, it is a good idea to do so before enabling VRRP.
To customize your VRRP configuration, use any of the following VRRP commands in Table 12-1 in
interface configuration mode.
Table 12-1 VRRP Commands
Command: Router(config-if)# vrrp group authentication text text-string
Purpose: Authenticates VRRP packets received from other routers in the group. If you configure
authentication, all routers within the VRRP group must use the same authentication string, where:
• group—Virtual router group number for which authentication is being configured. The group number
is configured with the vrrp ip command.
• text text-string—Authentication string (up to eight alphanumeric characters) used to validate
incoming VRRP packets.
Command: Router(config-if)# vrrp group description text
Purpose: Assigns a text description to the VRRP group, where:
• group—Virtual router group number.
• text—Text (up to 80 characters) that describes the purpose or use of the group.
Command: Router(config-if)# vrrp group priority level
Purpose: Sets the priority level of the router within a VRRP group. The default value is 100, where:
• group—Virtual router group number.
• level—Priority of the router within the VRRP group. The range is from 1 to 254. The default is 100.
Command: Router(config-if)# vrrp group preempt [delay seconds]
Purpose: Configures the router to take over as master virtual router for a VRRP group if it has a
higher priority than the current master virtual router. This command is enabled by default. You can
use it to change the delay, where:
• group—Virtual router group number of the group for which preemption is being configured. The
group number is configured with the vrrp ip command.
• delay seconds—(Optional) Number of seconds that the router will delay before issuing an
advertisement claiming master ownership. The default delay is 0 seconds.
Command: Router(config-if)# vrrp group timers advertise [msec] interval
Purpose: Configures the interval between successive advertisements by the master virtual router in
a VRRP group, where:
• group—Virtual router group number to which the command applies.
• msec—(Optional) Changes the unit of the advertisement time from seconds to milliseconds. Without
this keyword, the advertisement interval is in seconds.
• interval—Time interval between successive advertisements by the master virtual router. The unit
of the interval is in seconds, unless the msec keyword is specified. The default is 1 second.
Command: Router(config-if)# vrrp group timers learn
Purpose: Configures the router, when it is acting as backup virtual router for a VRRP group, to
learn the advertisement interval used by the master virtual router, where:
• group—Virtual router group number to which the command applies.
Enabling VRRP
To enable VRRP on an interface, use the following commands beginning in global configuration mode:
Step 1
Command: Router(config)# interface type number
Purpose: Configures an interface, where:
• type—Interface type.
• number—Interface number.
Step 2
Command: Router(config-if)# vrrp group ip ipaddress
Purpose: Enables VRRP on an interface and identifies the primary IP address of the virtual router,
where:
• group—Virtual router group number to which the command applies.
• ipaddress—IP address of the virtual router.
Step 3
Command: Router(config-if)# vrrp group ip ipaddress [secondary]
Purpose: (Optional) Enables VRRP on an interface. After you identify a primary IP address, you can
use the vrrp ip command again with the secondary keyword to indicate additional IP addresses
supported by this group, where:
• group—Virtual router group number to which the command applies.
• ipaddress—IP address of the virtual router.
• secondary—(Optional) Indicates additional IP addresses supported by this group.
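The ordering advice in “Customizing VRRP” (customize a group before the vrrp group ip command enables it) can be checked on a change script before it is entered on the router. The following Python code is an added example, not part of the Cisco guide; the script text, its addresses and the function name are constructed for illustration.

```python
import re

IFACE = re.compile(r"^\s*interface\s+(\S+)", re.IGNORECASE)
VRRP = re.compile(r"^\s*(no\s+)?vrrp\s+(\d+)\s+(\S+)", re.IGNORECASE)

# Customization keywords listed in Table 12-1 of this chapter.
CUSTOMIZE = {"authentication", "description", "priority", "preempt", "timers"}

# Constructed change script (not from a real device). Group 1 is customized
# before it is enabled; group 2 is enabled first and customized afterwards.
SAMPLE_SCRIPT = """\
interface GigabitEthernet2/1/0
 vrrp 1 priority 120
 vrrp 1 authentication text EXAMPLE
 vrrp 1 timers advertise 3
 vrrp 1 ip 10.0.0.1
 vrrp 2 ip 10.0.1.1
 vrrp 2 priority 90
 vrrp 2 timers learn
"""


def late_customizations(script):
    """Return (line number, interface, group, keyword) for every VRRP
    customization command that appears after "vrrp <group> ip" has already
    enabled that group on the same interface."""
    enabled = set()      # (interface, group) pairs that are already operating
    late = []
    iface = None
    for number, line in enumerate(script.splitlines(), 1):
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = VRRP.match(line)
        if not m or iface is None:
            continue     # not a VRRP command, or outside interface mode
        negated = m.group(1) is not None
        key = (iface, int(m.group(2)))
        keyword = m.group(3).lower()
        if keyword == "ip":
            # "no vrrp <group> ip" removes the address, so later
            # customization is no longer applied to a running group.
            if negated:
                enabled.discard(key)
            else:
                enabled.add(key)
        elif keyword in CUSTOMIZE and not negated and key in enabled:
            late.append((number, key[0], key[1], keyword))
    return late


if __name__ == "__main__":
    for number, iface, group, keyword in late_customizations(SAMPLE_SCRIPT):
        print(f"line {number}: {iface} group {group}: "
              f"'{keyword}' is set after the group was enabled")
```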
Verifying VRRP
To verify VRRP, use either of the following commands in EXEC mode:
Command: Router# show vrrp [brief | group]
Purpose: Displays a brief or detailed status of one or all VRRP groups on the router, where:
• brief—(Optional) Provides a summary view of the group information.
• group—(Optional) Virtual router group number of the group for which information is to be
displayed. The group number is configured with the vrrp ip command.
Command: Router# show vrrp interface type number [brief]
Purpose: Displays the VRRP groups and their status on a specified interface, where:
• type—Interface type.
• number—Interface number.
• brief—(Optional) Provides a summary view of the group information.
Modifying the Interface MTU Size
The Cisco IOS software supports three different types of configurable maximum transmission unit
(MTU) options at different levels of the protocol stack:
• Interface MTU—Checked by the SPA on traffic coming in from the network. Different interface
types support different interface MTU sizes and defaults. The interface MTU defines the maximum
packet size allowable (in bytes) for an interface before drops occur. If the frame is smaller than the
interface MTU size, but is not smaller than the minimum frame size for the interface type (such as
64 bytes for Ethernet), then the frame continues to process.
• IP MTU—Can be configured on an interface or subinterface and is used by the Cisco IOS software
to determine whether fragmentation of a packet takes place. If an IP packet exceeds the IP MTU
size, then the packet is fragmented.
• Tag or Multiprotocol Label Switching (MPLS) MTU—Can be configured on an interface or
subinterface and allows up to six different labels, or tag headers, to be attached to a packet. The
maximum number of labels is dependent on your Cisco IOS software release.
Different encapsulation methods and the number of MPLS MTU labels add additional overhead to a
packet. For example, Subnetwork Access Protocol (SNAP) encapsulation adds an 8-byte header, dot1q
encapsulation adds a 2-byte header, and each MPLS label adds a 4-byte header (n labels x 4 bytes).
For the Fast Ethernet and Gigabit Ethernet SPAs on the Cisco 7600 series router, the default MTU size
is 1500 bytes. When the interface is being used as a Layer 2 port, the maximum configurable MTU is
9216 bytes. The SPA automatically adds an additional 22 bytes to the configured MTU size to
accommodate some of the additional overhead.
Interface MTU Configuration Guidelines
When configuring the interface MTU size on a Fast Ethernet and Gigabit Ethernet SPA on a Cisco 7600
series router, consider the following guidelines:
• The default interface MTU size accommodates a 1500-byte packet, plus 22 additional bytes to cover
the following additional overhead:
– Layer 2 header—14 bytes
– Dot1q header—4 bytes
– CRC—4 bytes
Note Depending on your Cisco IOS software release, a certain maximum number of MPLS labels are
supported. If you need to support more than two MPLS labels, then you need to increase the default
interface MTU size.
• If you are using MPLS, be sure that the mpls mtu command is configured for a value less than or
equal to the interface MTU.
• If you are using MPLS labels, then you should increase the default interface MTU size to
accommodate the number of MPLS labels. Each MPLS label adds 4 bytes of overhead to a packet.
Interface MTU Guidelines for Layer 2 Ports
On Layer 2 ports, it is important to understand the idea of the jumbo MTU. The jumbo MTU can be
configured using the system jumbomtu command, although this command is only supported under the
following scenarios:
• The port is a member of a Layer 2 EtherChannel.
• The new MTU size on the Layer 2 port is less than the currently configured maximum MTU for the
port.
If neither of the above conditions applies to your configuration, neither does “jumbo MTU.”
Note Fast Ethernet SPAs cannot function as Layer 2 ports.
Interface MTU Configuration Task
To modify the MTU size on an interface, use the following command in interface configuration mode:
Command: Router(config-if)# mtu bytes
Purpose: Configures the maximum packet size for an interface, where:
• bytes—Specifies the maximum number of bytes for a packet.
The default is 1500 bytes and the maximum configurable MTU is 9216 bytes.
To return to the default MTU size, use the no form of the command.
Verifying the MTU Size
To verify the MTU size for an interface, use the show interfaces gigabitethernet privileged EXEC
command and observe the value shown in the MTU field.
The following example shows an MTU size of 1500 bytes for interface port 1 (the second port) on the
Gigabit Ethernet SPA installed in the top subslot (0) of the SIP that is located in slot 2 of the Cisco 7600
series router:
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
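The “address is” and MTU fields that the “Verifying the MAC Address” and “Verifying the MTU Size” sections ask you to read can also be collected by script and compared with what is expected. The following Python code is an added example, not part of the Cisco guide; the first two interfaces in the sample are abridged from the outputs in this chapter, the third interface is invented, and the function names and the expected-MTU baseline are assumptions.

```python
import re

# Constructed sample: the first two interfaces are abridged from outputs shown
# in this chapter; the third interface and its values are invented.
SAMPLE_OUTPUT = """\
Router# show interfaces
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
  Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
  Internet address is 15.1.1.2/24
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
GigabitEthernet2/0/1 is down, line protocol is down
  Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
  Internet address is 2.2.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
GigabitEthernet2/0/2 is administratively down, line protocol is down
  Hardware is GigEther SPA, address is 000A.F330.2E41 (bia 000a.f330.2e41)
  MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
"""

HEADER = re.compile(
    r"^(\S+) is (administratively down|up|down), line protocol is (up|down)")
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
ADDRESS = re.compile(rf"address is ({MAC}) \(bia ({MAC})\)")
MTU = re.compile(r"\bMTU (\d+) bytes")


def parse_show_interfaces(text):
    """Split "show interfaces" output into one record per interface."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"name": m.group(1), "status": m.group(2),
                       "protocol": m.group(3),
                       "address": None, "bia": None, "mtu": None}
            records.append(current)
            continue
        if current is None:
            continue  # prompt or blank line before the first interface
        m = ADDRESS.search(line)
        if m:
            # Lower-case both values so the comparison ignores letter case.
            current["address"] = m.group(1).lower()
            current["bia"] = m.group(2).lower()
        m = MTU.search(line)
        if m:
            current["mtu"] = int(m.group(1))
    return records


def review(records, expected_mtu=1500):
    """Report interfaces whose MAC address is not the burned-in address (bia)
    or whose MTU is not the expected value (assumed baseline: the default)."""
    findings = []
    for r in records:
        if r["address"] is not None and r["address"] != r["bia"]:
            findings.append(
                (r["name"],
                 f"address {r['address']} differs from bia {r['bia']}"))
        if r["mtu"] is not None and r["mtu"] != expected_mtu:
            findings.append(
                (r["name"], f"MTU {r['mtu']} differs from expected {expected_mtu}"))
    return findings


if __name__ == "__main__":
    for name, message in review(parse_show_interfaces(SAMPLE_OUTPUT)):
        print(f"{name}: {message}")
```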
Configuring the Encapsulation Type
By default, the interfaces on the Fast Ethernet and Gigabit Ethernet SPAs support Advanced Research
Projects Agency (ARPA) encapsulation. They do not support configuration of service access point or
SNAP encapsulation for transmission of frames; however, the interfaces will properly receive frames
that use service access point and SNAP encapsulation.
The only other encapsulation supported by the SPA interfaces is IEEE 802.1Q encapsulation for virtual
LANs (VLANs).
Configuring Autonegotiation on an Interface
Fast Ethernet and Gigabit Ethernet interfaces use a connection-setup algorithm called autonegotiation.
Autonegotiation allows the local and remote devices to configure compatible settings for communication
over the link. Using autonegotiation, each device advertises its transmission capabilities and then agrees
upon the settings to be used for the link.
For the Fast Ethernet and Gigabit Ethernet interfaces on the Cisco 7600 series router, flow control is
autonegotiated when autonegotiation is enabled. Autonegotiation is enabled by default.
The following guidelines should be followed regarding autonegotiation:
• If autonegotiation is disabled on one end of a link, it must be disabled on the other end of the link.
If one end of a link has autonegotiation disabled while the other end of the link does not, the link
will not come up properly on both ends.
• Autonegotiation is not supported on the 10-Port Gigabit Ethernet SPA on the Cisco 7600 SIP-600.
• Flow control can be configured separately from autonegotiation when Ethernet SPAs are installed in a
Cisco 7600 SIP-600.
• Flow control is enabled by default.
• Flow control will be on if autonegotiation is disabled on both ends of the link.
• Flow control cannot be disabled on a Fast Ethernet SPA.
Disabling Autonegotiation
Autonegotiation is automatically enabled and can be disabled on the Fast Ethernet interfaces on the
Cisco 7600 SIP-200, and the Gigabit Ethernet interfaces on the Cisco 7600 SIP-400 or Cisco 7600
SIP-600. During autonegotiation, advertisement for flow control, speed, and duplex occurs. If the
Gigabit Ethernet interface is connected to a link that has autonegotiation disabled, autonegotiation
should either be re-enabled on the other end of the link or disabled on the Fast Ethernet or Gigabit
Ethernet SPA, if possible. Both ends of the link will not come up properly if only one end of the link has
disabled autonegotiation.
Note Speed and duplex configurations are negotiated using autonegotiation. However, the only values that are
negotiated are 100 Mbps for speed and full-duplex for duplex for Fast Ethernet SPAs, and 1000 Mbps
for speed and full-duplex for duplex for Gigabit Ethernet SPAs. Therefore, from a user’s perspective,
these settings are not negotiated, but enabled using autonegotiation.
To disable autonegotiation on Fast Ethernet or Gigabit Ethernet SPAs, use the following commands in
interface configuration mode:
Command: Router(config-if)# no negotiation auto
Purpose: Disables autonegotiation on a Fast Ethernet SPA interface on the Cisco 7600 SIP-200 or a
Gigabit Ethernet SPA interfaces on the Cisco 7600 SIP-400. No advertisement of flow control occurs.
Command: Router(config-if)# speed nonegotiate
Purpose: Disables autonegotiation of speed on Gigabit Ethernet SPA interfaces on the Cisco 7600
SIP-600.
Enabling Autonegotiation
Autonegotiation is automatically enabled and can be disabled unless it is on a SPA installed in a
Cisco 7600 SIP-400, or on a 10-Port Gigabit Ethernet SPA, 5-Port Gigabit Ethernet SPA, or a 10-Port
Gigabit Ethernet SPA when installed in a Cisco 7600 SIP-600. See the “Configuring Flow Control for
an Ethernet SPA Interface on a Cisco 7600 SIP-600” section on page 12-22. To re-enable
autonegotiation on a Fast Ethernet or Gigabit Ethernet interface, use the following commands in
interface configuration mode:
Command: Router(config-if)# negotiation auto
Purpose: Enables autonegotiation on a Fast Ethernet SPA interface on a Cisco 7600 SIP-200 or a
Gigabit Ethernet SPA interfaces on the Cisco 7600 SIP-400. Advertisement of flow control occurs.
Command: Router(config-if)# no speed nonegotiate
Purpose: Re-enables autonegotiation on Gigabit Ethernet SPA interfaces on the Cisco 7600 SIP-600.
SFP-GE-T Support
The SFP-GE-T supports speeds of 10 Mbps, 100 Mbps, and 1000 Mbps. Speed is not autonegotiated;
you must configure it using the speed command. Only full-duplex mode is supported.
Note Because autonegotiation of full-duplex is not supported, you must manually configure full-duplex mode.
You can configure each Ethernet interface independently using any combination of 10 Mbps, 100 Mbps,
or 1000 Mbps.
To set the interface speed, use the following command in the interface configuration mode:
Command: Router(config-if)# speed {10 | 100 | 1000 | auto}
Purpose: Configures the interface speed. Accepted values are:
• 10 for 10 Mbps operation
• 100 for 100 Mbps operation
• 1000 for 1000 Mbps operation
Configuring an Ethernet VLAN
For information on configuring Ethernet VLANs, see the “Creating or Modifying an Ethernet VLAN”
section of the “Configuring VLANs” chapter in the Cisco 7600 Series Cisco IOS Software Configuration
Guide publication that corresponds to your Cisco IOS software release.
Configuring a Subinterface on a VLAN
You can configure subinterfaces on the Fast Ethernet SPA interfaces and Gigabit Ethernet SPA interfaces
on a VLAN using IEEE 802.1Q encapsulation. Cisco Discovery Protocol (CDP) is disabled by default
on the 2-Port Gigabit Ethernet SPA interfaces and subinterfaces on the Cisco 7600 SIP-400.
To configure a SPA subinterface on a VLAN, use the following commands beginning in interface
configuration mode:
Note On any Cisco 7600 SIP-600 Ethernet port subinterface using VLANs, a unique VLAN ID must be
assigned. This VLAN ID cannot be in use by any other interface on the Cisco 7600 series router.
Step 1
Command: Router(config)# interface fastethernet slot/subslot/port.subinterface-number
or
Router(config)# interface gigabitethernet slot/subslot/port.subinterface-number
or
Router(config)# interface tengigabitethernet slot/subslot/port.subinterface-number
Purpose: Specifies the Fast Ethernet, Gigabit Ethernet or Ten Gigabit Ethernet interface to
configure, where:
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
• .subinterface-number—Specifies a secondary interface (subinterface) number.
Step 2
Command: Router(config-subif)# encapsulation dot1q vlan-id
Purpose: Defines the encapsulation format as IEEE 802.1Q (“dot1q”), where vlan-id is the number of
the VLAN (1–4094).
Step 3
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for an interface, where:
• ip-address—Specifies the IP address for the interface.
• mask—Specifies the mask for the associated IP subnet.
• secondary—(Optional) Specifies that the configured address is a secondary IP address. If this
keyword is omitted, the configured address is the primary IP address.
Verifying Subinterface Configuration on a VLAN
To verify the configuration of a subinterface and its status on the VLAN, use the show vlans privileged
EXEC command.
The following example shows the status of subinterface number 1 on port 0 on the SPA in VLAN number
200:
Router# show vlans
VLAN ID:200 (IEEE 802.1Q Encapsulation)
Protocols Configured: Received: Transmitted:
IP 0 2
VLAN trunk interfaces for VLAN ID 200:
GigabitEthernet4/1/0.1 (200)
IP:12.200.21.21
Total 0 packets, 0 bytes input
Total 2 packets, 120 bytes output
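The following added example (not part of the Cisco guide) audits a staged configuration file against the subinterface rules above: VLAN IDs in the range 1–4094, no VLAN ID reused by another subinterface, and no IP address on a subinterface that lacks an encapsulation dot1q line. The sample configuration is constructed, and applying the SIP-600 uniqueness rule to every subinterface in the file is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed running-config style excerpt (not from a real device). It reuses
# the page's GigabitEthernet4/1/0.1 / VLAN 200 example and adds deliberate mistakes.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/1/0
 no ip address
!
interface GigabitEthernet4/1/0.1
 encapsulation dot1Q 200
 ip address 12.200.21.21 255.255.255.0
!
interface GigabitEthernet4/1/0.2
 encapsulation dot1Q 200
 ip address 12.201.21.21 255.255.255.0
!
interface GigabitEthernet4/1/1.10
 encapsulation dot1Q 4095
!
interface FastEthernet3/0/0.5
 ip address 10.5.0.1 255.255.255.0
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
DOT1Q_RE = re.compile(r"^\s+encapsulation\s+dot1q\s+(\d+)", re.IGNORECASE)
IPADDR_RE = re.compile(r"^\s+ip\s+address\s+\d", re.IGNORECASE)
VLAN_MIN, VLAN_MAX = 1, 4094          # range given in Step 2


def parse_subinterfaces(config_text):
    """Map each subinterface name to its dot1q VLAN ID (or None) and an IP flag."""
    subifs, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            name = m.group(1)
            # Only names with a ".N" suffix are subinterfaces.
            current = name if "." in name else None
            if current:
                subifs[current] = {"vlan": None, "has_ip": False}
        elif current and line[:1].isspace():
            m = DOT1Q_RE.match(line)
            if m:
                subifs[current]["vlan"] = int(m.group(1))
            elif IPADDR_RE.match(line):
                subifs[current]["has_ip"] = True
        else:
            current = None            # "!" or any top-level line closes the block
    return subifs


def audit_dot1q(config_text):
    """Return sorted (rule, subject, detail) findings for the three checks."""
    findings = []
    by_vlan = defaultdict(list)
    for name, info in parse_subinterfaces(config_text).items():
        vlan = info["vlan"]
        if vlan is None:
            if info["has_ip"]:
                findings.append(("no-encapsulation", name,
                                 "IP address configured without encapsulation dot1q"))
            continue
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            findings.append(("vlan-out-of-range", name,
                             f"VLAN ID {vlan} is outside {VLAN_MIN}-{VLAN_MAX}"))
        by_vlan[vlan].append(name)
    for vlan, names in by_vlan.items():
        if len(names) > 1:
            findings.append(("duplicate-vlan", f"VLAN {vlan}", ", ".join(sorted(names))))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject, detail in audit_dot1q(SAMPLE_CONFIG):
        print(f"{rule:18} {subject:26} {detail}")
```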
Configuring Layer 2 Switching Features
The Cisco 7600 series router supports simultaneous, parallel connections between Layer 2 Ethernet
segments. After you review the SPA-specific guidelines described in this document, refer to the
“Configuring Layer 2 Ethernet Interfaces” section of the Cisco 7600 Series Router Cisco IOS Software
Configuration Guide / Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, 12.2SX for
more information about configuring the Layer 2 switching features.
Configuring Multipoint Bridging
Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay permanent
virtual circuits (PVCs), Bridging Control Protocol (BCP) ports, and WAN Gigabit Ethernet subinterfaces
into a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables
service providers to add support for Ethernet-based Layer 2 services to the proven technology of their
existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based
networks over the ATM or Frame Relay cloud. This also allows service providers to gradually update
their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their
existing customer base.
For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring
Multipoint Bridging” section on page 4-36.
Configuring the Bridging Control Protocol
The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and
provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The
implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN
(VLAN), and high-speed switched LANs.
For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature
Compatibility” section on page 4-56 of Chapter 4, “Configuring the SIPs and SSC.”
Configuring AToM over GRE
MPLS over generic routing encapsulation (MPLSoGRE) encapsulates MPLS packets inside IP tunnels,
creating a virtual point-to-point link across non-MPLS networks. This allows users of primarily MPLS
networks to continue to use existing non-MPLS legacy networks until migration to MPLS is possible.
AToM (any transport over MPLS) over GRE includes support for the following transports:
• ATM over MPLS
• Frame Relay over MPLS (FRoMPLS)
• High-Level Data Link Control (HDLC) over MPLS
• Scalable Ethernet over MPLS (EoMPLS)
• Circuit Emulation over Packet (CEoP)
• Hardware-based EoMPLS
AToMoGRE is supported only on the following hardware:
• SIP-400, 5x1 GE SPA, 2x1 GE SPA (Core facing)
• ATM SPA (SPA-2xOC3-ATM, SPA-4xOC3-ATM, SPA-1xOC12-ATM, SPA-1xOC48-ATM), CEoPs
SPA (such as OC3, 24T1/E1) with Inverse Multiplexing (IMA) support, and all Ethernet interfaces
• Sup32, Sup720, RSP720
AToMoGRE supports the following features:
• Provider edge (PE)-to-PE, P-to-PE, and P-to-P tunneling of MPLS packets (See Figure 12-1,
Figure 12-2, and Figure 12-3.)
Figure 12-1 PE-to-PE GRE Tunnel
[Figure labels: PE1, PE2, GRE Tunnel, MPLSoGRE, IPv4 (No MPLS)]
Figure 12-2 P-to-PE GRE Tunnel
[Figure labels: PE1, PE2, P1, MPLS, GRE Tunnel, MPLSoGRE, IPv4 (No MPLS)]
Figure 12-3 P-to-P GRE Tunnel
[Figure labels: PE1, PE2, P1, P2, MPLS, GRE Tunnel, MPLSoGRE, IPv4 (No MPLS)]
• IPv4 on customer edge (CE) facing interfaces.
• IPv4 on core facing interfaces.
• GRE 4-byte headers (no option fields).
• Nondedicated physical interface supporting both tunneled and nontunneled traffic.
• Multiple routes for the tunnel between the Cisco 7600 SIP-400 physical interface or subinterface
and the IP cloud may exist. The routing protocol will pick only one route for MPLSoGRE traffic.
• No software-imposed limit on the maximum number of tunnels. The Cisco 7600 SIP-400 supports
a maximum number of 128 tunnels. Tunnel traffic can be routed through Cisco 7600 SIP-400 main
interfaces or subinterfaces.
• The Cisco 7600 SIP-400 physical interface or subinterface used for the tunnel endpoint can be used
to carry native MPLS and AToMoMPLS and its variations: Hardware-based EoMPLS, FRoMPLS,
PPPoMPLS, HDLCoMPLS, Scalable EoMPLS, and CEoP.
Note Switched Virtual Interfaces (SVI) are not supported with MPLSoGRE.
AToMoGRE Configuration Guidelines
The following guidelines apply to AToMoGRE:
• Ingress/egress features are not supported on the tunnel interface; they are supported on the physical
interface or subinterface.
• Unsupported GRE options are: sequencing, checksum, key, source route.
• Some tunnel options are not supported: Carry Security Options of Client Packet, Unidirectional Link
Routing, Mobile IP Path MTU Discovery.
• The Cisco 7600 SIP-400 physical interface or subinterface used for the tunnel endpoint cannot be
used to carry Software-based EoMPLS and VPLS. Advanced features such as Carrier Supporting
Carrier (CSC) and Inter-Autonomous Systems (Inter-AS) are not supported.
• AToM over GRE cannot be combined with the AToM Tunnel Select feature.
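The following added example (not part of the Cisco guide) checks a captured IPv4 GRE packet against the profile stated above: a 4-byte GRE header with none of the checksum, key, sequencing or source route options. The option bit positions and the MPLS protocol types come from the GRE and MPLS RFCs rather than from this guide, the tunnel addresses 6.0.0.1 and 7.0.0.1 are taken from the show cwan mplsogre sample on this page, and the packets and label value 16 are constructed test data.

```python
import socket
import struct

GRE_IP_PROTO = 47                      # IPv4 protocol number assigned to GRE
# Option bits in the first 16 bits of a GRE header (RFC 1701 / RFC 2890).
OPTION_BITS = {0x8000: "checksum", 0x4000: "source route",
               0x2000: "key", 0x1000: "sequencing"}
PAYLOAD_NAMES = {0x0800: "IPv4", 0x8847: "MPLS unicast", 0x8848: "MPLS multicast"}
MPLS_TYPES = (0x8847, 0x8848)


def build_packet(gre_flags, proto_type, options=b"", payload=b""):
    """Build a constructed IPv4+GRE packet for testing (IP checksum left at 0)."""
    gre = struct.pack("!HH", gre_flags, proto_type) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(gre), 0, 0, 255, GRE_IP_PROTO, 0,
                     socket.inet_aton("6.0.0.1"),    # tunnel source
                     socket.inet_aton("7.0.0.1"))    # tunnel destination
    return ip + gre


def inspect_gre(packet):
    """Check an IPv4 GRE packet against the 4-byte, no-option GRE profile."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated IPv4 or GRE header")
    if packet[9] != GRE_IP_PROTO:
        raise ValueError("IPv4 payload is not GRE")

    flags, proto_type = struct.unpack_from("!HH", packet, ihl)
    problems = [f"{name} option set"
                for bit, name in OPTION_BITS.items() if flags & bit]
    if flags & 0x0007:
        problems.append(f"GRE version {flags & 0x0007}, expected 0")

    # Each option present adds one 32-bit word after the 4-byte base header.
    # Checksum and source route share the checksum/offset word.
    header_len = 4
    header_len += 4 if flags & 0xC000 else 0
    header_len += 4 if flags & 0x2000 else 0
    header_len += 4 if flags & 0x1000 else 0

    # With source routing a variable-length routing field follows, so the
    # payload offset is unknown here and the MPLS label is not decoded.
    top_label = None
    inner = ihl + header_len
    if proto_type in MPLS_TYPES and not flags & 0x4000 and len(packet) >= inner + 4:
        (entry,) = struct.unpack_from("!I", packet, inner)
        top_label = entry >> 12        # 20-bit label | 3-bit TC | S bit | 8-bit TTL

    return {
        "conforms": not problems,
        "problems": problems,
        "gre_header_len": header_len,
        "payload": PAYLOAD_NAMES.get(proto_type, hex(proto_type)),
        "top_label": top_label,
    }


# Constructed samples: label 16, bottom-of-stack bit set, TTL 255.
MPLS_ENTRY = struct.pack("!I", (16 << 12) | (1 << 8) | 255)
SAMPLES = {
    "plain": build_packet(0x0000, 0x8847, payload=MPLS_ENTRY),
    "keyed": build_packet(0x2000, 0x8847, options=struct.pack("!I", 42),
                          payload=MPLS_ENTRY),
    "csum+seq": build_packet(0x9000, 0x8847, options=bytes(8), payload=MPLS_ENTRY),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_gre(pkt))
```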
Configuring mVPNoGRE
The multicast Virtual Private Network over generic routing encapsulation (mVPNoGRE) provides a
mechanism to send unicast and multicast packets across a non-MPLS network. This is accomplished by
creating a GRE tunnel across the non-MPLS network. When MPLS (unicast VRF) or mVPN (multicast
VRF) packets are sent across the non-MPLS network, they are encapsulated within a GRE packet and
traverse the non-MPLS network through the GRE tunnel. When the router on the other side of the
non-MPLS network receives the GRE packet, it removes the GRE header and forwards the inner MPLS or
unicast VRF or mVPN packet to its final destination.
Note For mVPNoGRE, there is one outer packet and two inner packets. The outer packet is unicast GRE. The
first inner packet is multicast GRE (mVPN), and the second inner packet is normal (customer) multicast.
Note mVPNoGRE is not supported on Fast Ethernet SPAs on the Cisco 7600 SIP-200.
PE-to-PE Tunneling
mVPNoGRE uses the Provider Edge-to-Provider Edge (PE-to-PE) tunneling variation. mVPNoGRE
provides a scalable way to connect multiple customer networks across a non-MPLS network. It does this
by multiplexing traffic destined to multiple customer networks through a single GRE tunnel.
On each side of the non-MPLS network, each Customer Edge (CE) router is assigned a VPN Routing
and Forwarding (VRF) number by the PE router. The IP networks behind the CE routers are learned by
the PE router through a routing protocol such as BGP, OSPF or RIP. Routes to these networks are then
stored in the VRF routing table for that CE router.
The PE router on one side of the non-MPLS network is learned by the PE router on the other side of the
non-MPLS network through a routing protocol running within the non-MPLS network. Routes between
the PE routers are stored in the main or default routing table.
Routes of the customer networks behind the PE router are learned by the other PE router through BGP
and are not known to the non-MPLS network. This is accomplished by defining a static route to the BGP
neighbor (the other PE router) through a GRE tunnel across the non-MPLS network. When routes are
learned from the BGP neighbor, they will have the next-hop of the GRE tunnel and thus all customer
network traffic will be sent using the GRE tunnel.
GRE Tunnel Attached to a Cisco 7600 SIP-400 Interface or Subinterface
For the Cisco 7600 series router to perform the MPLS and mVPN processing and have the Cisco 7600
SIP-400 perform the GRE processing, interfaces or subinterfaces must have an IP address. The MPLS
and protocol independent multicast (PIM) configuration must be on the tunnel interface. The Cisco 7600
series router views the Cisco 7600 SIP-400 main interface or subinterface as an MPLS or PIM interface,
so MPLS and mVPN processing is performed, and provides the Cisco 7600 SIP-400 with the correlation
information needed to perform GRE processing.
Tunnel Interface Configuration
The ip pim sparse-mode command must be configured on the tunnel interface. It should not be
configured on the physical interface or subinterface facing the core. It is automatically configured on
the Cisco 7600 SIP-400 interface or subinterface when a tunnel is attached to the interface or
subinterface. The tunnel source IP address is typically a loopback address.
Displaying Unicast Routes
The display of unicast routes (Main Routing Table) shows the next hop for the BGP neighbor to be the
Cisco 7600 SIP-400 interface or subinterface. On a router that natively supports this feature, the next
hop for the BGP neighbor is the tunnel interface.
The following example shows the output from the show ip route command:
router# show ip route | inc Tunnel
S 4.4.4.4 is directly connected, Tunnel0
C 1.0.0.0 is directly connected, Tunnel0
Displaying Multicast Routes
The display of multicast routes (groups) shows the output interface for the 239.0.0.0/8 group to be the
Cisco 7600 SIP-400 interface or subinterface. On a router that natively supports this feature, the output
interface is the tunnel interface.
The following example shows the output from the show ip mroute command:
router# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 224.0.1.40), 01:23:02/00:03:22, RP 2.2.2.2, flags: SJCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 00:03:45/00:03:22
Loopback0, Forward/Sparse-Dense, 01:23:02/00:02:30
(*, 239.1.1.2), 01:23:01/00:02:35, RP 2.2.2.2, flags: SJCZ
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 00:03:45/00:02:34
MVRF vpn1, Forward/Sparse-Dense, 01:23:01/00:02:12
(2.2.2.2, 239.1.1.2), 01:22:50/00:03:29, flags: T
Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 00:03:45/00:02:54, H
(4.4.4.4, 239.1.1.2), 00:03:33/00:02:59, flags: TZ
Incoming interface: Tunnel0, RPF nbr 1.0.0.2, RPF-MFD
Outgoing interface list:
MVRF vpn1, Forward/Sparse-Dense, 00:03:33/00:02:26, H
(*, 239.1.1.1), 01:23:01/stopped, RP 2.2.2.2, flags: SJCZ
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
MVRF vpn3, Forward/Sparse-Dense, 01:23:01/00:02:11
(2.2.2.2, 239.1.1.1), 01:22:50/00:02:59, flags: PT
Incoming interface: Loopback0, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list: Null
router# show ip mroute vrf vpn1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 224.0.1.40), 01:23:11/00:02:24, RP 200.200.200.200, flags: SJCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Loopback200, Forward/Sparse-Dense, 01:23:11/00:02:24
Tunnel16, Forward/Sparse-Dense, 00:03:40/00:02:32
(*, 224.1.2.3), 00:02:43/stopped, RP 200.200.200.200, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel16, Forward/Sparse-Dense, 00:02:43/00:02:43
(100.0.1.2, 224.1.2.3), 00:00:17/00:03:20, flags: T
Incoming interface: GigabitEthernet2/0/0.1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel16, Forward/Sparse-Dense, 00:00:17/00:03:12, H
(*, 224.1.2.2), 00:02:43/stopped, RP 200.200.200.200, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel16, Forward/Sparse-Dense, 00:02:44/00:02:42
(100.0.1.2, 224.1.2.2), 00:00:18/00:03:20, flags: T
Incoming interface: GigabitEthernet2/0/0.1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel16, Forward/Sparse-Dense, 00:00:18/00:03:11, H
(*, 224.1.2.1), 00:02:44/stopped, RP 200.200.200.200, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel16, Forward/Sparse-Dense, 00:02:44/00:02:44
(100.0.1.2, 224.1.2.1), 00:00:19/00:03:19, flags: T
Incoming interface: GigabitEthernet2/0/0.1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel16, Forward/Sparse-Dense, 00:00:19/00:03:10, H
Displaying Tunnel-to-Interface Mappings
The show cwan mplsogre command displays the tunnel-to-interface mappings. The following example
illustrates the output of the show cwan mplsogre command:
Router# show cwan mplsogre
gigabitethernet 2/0/0
Tunnel1 is attached
Interface
VLAN: 1022, STATE: UP
IP Address: 6.0.0.1 IP Mask: 255.0.0.0
Tunnel
VLAN: 1017, STATE: UP
IP Address: 8.0.0.1 IP Mask: 255.0.0.0
Src Address: 6.0.0.1, Dst Address: 7.0.0.1
Static Routes to Tunnel: 1
IP Address: 4.0.0.1 IP Mask: 255.255.255.255
Scalable EoMPLS
In Cisco IOS Release 12.2(33)SRA and later, Scalable EoMPLS now allows a Cisco 7600 SIP-400-based
line card to face the CE. This configuration allows the platform to scale the number of EoMPLS virtual
connections (VCs) that it can support from 4K to 12K. When AToM xconnect commands are placed on
Cisco 7600 SIP-400 subinterfaces, the line card performs AToM imposition and disposition. Supervisor
hardware will perform only MPLS switching on traffic from these interfaces. Additionally, configuring
xconnect commands on Cisco 7600 SIP-400 subinterfaces will not consume globally significant VLANs
on a per-xconnect basis. This change also provides the ability to support FRR on EoMPLS VCs with the
same model as other CEF/MFI-based AToM configurations.
To achieve this scalability, Cisco 7600 SIP-400 must be the CE facing line card as opposed to the current
model of a LAN line card facing the CE. With Cisco 7600 SIP-400 configured for Scalable EoMPLS,
any line card capable of switching MPLS packets may be core facing.
On a Sup720 system, configuring EoMPLS under a non-VLAN interface is considered hardware-based
EoMPLS. Configuring EoMPLS on a VLAN interface is considered to be software-based MPLS.
Configuring EoMPLS on Cisco 7600 SIP-400 subinterfaces is considered to be Scalable EoMPLS.
Configuring Flow Control Support on the Link
Flow control is turned on or off based on the result of autonegotiation. Flow control is not supported on
the Cisco 7600 SIP-200 and Cisco 7600 SIP-400, so it will always negotiate to off. Flow control can be
configured independently of autonegotiation on the Cisco 7600 SIP-600. For information on this
process, see the “Configuring Autonegotiation on an Interface” section on page 12-11.
This section discusses the following topics:
• Verifying Flow Control Status for an Ethernet SPA Interface on a Cisco 7600 SIP-200, page 12-21
• Verifying Flow Control Status for a Gigabit Ethernet SPA Interface on a Cisco 7600 SIP-400, page
12-22
• Configuring Flow Control for an Ethernet SPA Interface on a Cisco 7600 SIP-600, page 12-22
Verifying Flow Control Status for an Ethernet SPA Interface on a Cisco 7600 SIP-200
The following example shows how to verify that flow control pause frames are being transmitted and received
for a Fast Ethernet SPA on the Cisco 7600 SIP-200.
Router# show hw sub 2 counter mac
Show counters info for Subslot 2:
port:0
good_octets_received: 2046026640038
bad_octets_received: 0
good_frames_received: 31969140675
bad_frames_received: 0
broadcast_frames_received: 2
multicast_frames_received: 3562
good_octets_sent: 1373554315151
good_frames_sent: 22892514199
broadcast_frames_sent: 0
multicast_frames_sent: 0
mac_transfer_error: 0
excessive_collision: 0
unrecog_mac_control_received: 0
fc_sent: 11232431
good_fc_received: 0
rx_over_flow_events: 234082101
undersize: 0
fragments: 0
oversize: 0
jabber: 0
mac_rcv_error: 0
bad_crc: 0
collisions: 0
late_collision: 0
rate_limit_dropped: 0
tx_fifo_full_packet_drops : 0
spi4_rx_frames: 2814271686
spi4_tx_frames: 1328805298
Verifying Flow Control Status for a Gigabit Ethernet SPA Interface on a Cisco 7600 SIP-400
To verify flow control status on a Gigabit Ethernet interface on a SPA, use the show interfaces
gigabitethernet privileged EXEC command and view the “output flow-control is” and “input
flow-control is” output lines to see if input and output flow control is on or off. The “pause input” and
“pause output” counters of the output of this command can be used to view the number of pause frames
sent or received by the interface.
The following example shows that zero pause frames have been transmitted and received by the MAC
device for interface port 1 (the second port) on the SPA located in subslot 0 of the SIP that is installed
in slot 2 of the Cisco 7600 series router:
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
output flow-control is off, input flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 03:18:49, output 03:18:44, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1703 packets input, 638959 bytes, 0 no buffer
Received 23 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1670 multicast, 0 pause input
1715 packets output, 656528 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Configuring Flow Control for an Ethernet SPA Interface on a Cisco 7600 SIP-600
On the Cisco 7600 SIP-600, flow control can be configured on Ethernet SPA interfaces by entering the
flowcontrol send command to configure the interface to transmit pause frames or the flowcontrol
receive command to configure the interface to receive pause frames.
Command: Router(config-if)# flowcontrol send [desired | off | on]
Purpose: Enables transmission of outgoing pause frames. The following options can be configured
with this command:
• desired—Allows, but does not require, outgoing pause frames to leave the interface.
• off—Disables transmission of outgoing pause frames.
• on—Enables transmission of outgoing pause frames.
Command: Router(config-if)# flowcontrol receive [desired | off | on]
Purpose: Enables the interface to receive incoming pause frames. The following options can be
configured with this command:
• desired—Allows, but does not require, the interface to receive incoming pause frames.
• off—Does not allow incoming pause frames to enter the interface.
• on—Allows incoming pause frames to enter the interface.
Note When a user configures flow control for either the transmit or receive direction, it is automatically
enabled for both transmit and receive directions simultaneously.
Fast Ethernet SPAs have flow control enabled by default and it cannot be disabled.
Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Mode
In unicast mode, the slave port and the master port need to know each other’s IP address. Unicast mode
has a one-to-one mapping between the slave and the master: one master can have just one slave and
vice versa. Unicast mode is not a good option for scalability.
The command used for configuring the 2-Port Gigabit Synchronous Ethernet SPA in unicast mode is
clock-port.
Command: Router(config-ptp-clk)# clock-port
Purpose: Configures 2-Port Gigabit Synchronous Ethernet SPA in unicast mode. The following options
can be configured with this command:
• Word
• Port Name
Before configuring the 2-Port Gigabit Synchronous Ethernet SPA in the different modes, you need to
configure the ToP interface IP address with a 32-bit mask. Note that the ToP interface is addressed as
ToP slot/subslot/2.
The following example shows the configuration of the ToP IP address with a 32-bit mask:
Router(config)#int top2/0/2
Router(config-if)#ip address 8.8.8.2 255.255.255.255
Router(config-if)#no sh
Router#sh run int top2/0/2
Building configuration...
Current configuration : 72 bytes
!
interface ToP2/0/2
ip address 8.8.8.2 255.255.255.255
end
!
The following example shows the configuration of 2-Port Gigabit Synchronous Ethernet SPA on the
unicast mode:
Router# configure terminal
! Slave clock port
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2
Router(config-ptp-port)# clock-source 8.8.8.1
! Master clock port
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port MASTER Master
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2
Router(config-ptp-port)# clock destination 8.8.8.2
Router(config-ptp-port)# sync interval <>
Router(config-ptp-port)# announce interval <>
Configuring 2-Port Gigabit Synchronous Ethernet SPA in Unicast Neg Mode
In unicast neg mode, the master port knows the slave port at the outset. The slave port sends a
negotiation TLV when active, and the master port figures out that there is a slave port for
synchronization. Unicast neg mode is a good option for scalability, as one master has multiple slaves.
The command used for configuring 2-Port Gigabit Synchronous Ethernet SPA on unicast neg mode is
clock-port.
Command: Router(config-ptp-clk)# clock-port
Purpose: Configures 2-Port Gigabit Synchronous Ethernet SPA on unicast neg mode. The following
options can be configured with this command:
• Word
• Port Name
The following example shows the configuration of 2-Port Gigabit Synchronous Ethernet SPA on the
unicast neg mode:
Router# configure terminal
! Slave clock port
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2 negotiation
Router(config-ptp-port)# clock-source 8.8.8.1
! Master clock port
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port MASTER Master
Router(config-ptp-port)# transport ipv4 unicast interface ToP5/2/2 negotiation
Router(config-ptp-port)# sync interval <>
Router(config-ptp-port)# announce interval <>
Configuring 2-Port Gigabit Synchronous Ethernet SPA in Multicast Mode
In multicast mode, the master port sends sync and announce messages on 224.0.1.129. The master port
explicitly specifies the multicast egress interface. The slave receives the multicast messages from the
master port and learns the master port’s IP address. The slave port sends a unicast delay request to
this IP address, and the master sends a delay response back to the slave port’s IP address in unicast
mode. Multicast mode is a good option for scalability, as the master needs to send just one set of sync
messages instead of one set per slave port.
The command used for configuring 2-Port Gigabit Synchronous Ethernet SPA on multicast mode is
clock-port.
Command: Router(config-ptp-clk)# clock-port
Purpose: Configures 2-Port Gigabit Synchronous Ethernet SPA on multicast mode. The following
options can be configured with this command:
• Word
• Port Name
The following example shows the configuration of 2-Port Gigabit Synchronous Ethernet SPA on the
multicast mode:
Router# configure terminal
! Slave clock port
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-port)# transport ipv4 multicast-mix interface ToP5/2/2 negotiation
! Master clock port
Router(config)# ptp clock ordinary domain 0
Router(config)# multicast-source Gi3/3
Router(config)# multicast-source Vlan100
Router(config-ptp-clk)# clock-port MASTER Master
Router(config-ptp-port)# transport ipv4 multicast-mix interface ToP5/2/2 negotiation
Router(config-ptp-port)# sync interval <>
Router(config-ptp-port)# announce interval <>
Verifying the PTP modes
Use the show ptp clock dataset current command to display the sample output.
Router#show ptp clock dataset current
CLOCK [Ordinary Clock, domain 0]
Steps Removed: 1
Offset From Master: 757720306ns
Use the show ptp clock dataset default command to display the sample output.
Router#show ptp clock dataset default
CLOCK [Ordinary Clock, domain 0]
Two Step Flag: No
Clock Identity: 0x0:A:8B:FF:FF:5C:A:80
Number Of Ports: 1
Priority1: 128
Priority2: 128
Domain Number: 0
Slave Only: Yes
Clock Quality:
Class: 13
Accuracy: Greater than 10s
Offset (log variance): 52592
Use the show ptp clock dataset parent domain command to display the sample output.
Router# show ptp clock dataset parent domain 0
CLOCK [Ordinary Clock, domain 0]
Parent Stats: No
Observed Parent Offset (log variance): 65535
Observed Parent Clock Phase Change Rate: 0
Grandmaster Clock:
Identity: 0x0:D0:4:FF:FF:B8:6C:0
Priority1: 128
Priority2: 128
Clock Quality:
Class: 13
Accuracy: Within 1s
Offset (log variance): 52592
Use the show ptp clock dataset time-properties domain command to display the sample output.
Router# show ptp clock dataset time-properties domain 0
CLOCK [Ordinary Clock, domain 0]
Current UTC Offset Valid: TRUE
Current UTC Offset: 33
Leap 59: FALSE
Leap 61: FALSE
Time Traceable: TRUE
Frequency Traceable: TRUE
PTP Timescale: TRUE
Configuring ToD on 1588V2 Master
These commands are used to configure ToD on a 1588V2 master:
Command: Router(config-ptp-clk)# tod /
Purpose: Configures ToD on 1588V2.
Command: Router(config-ptp-clk)# input 1pps /
Purpose: Provides the input to the master.
This example shows the configuration of ToD on 1588V2 Master:
Router# config terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# tod 3/3 cisco
Router(config-ptp-clk)# input 1pps 3/3
Router(config-ptp-clk)# clock-port MASTER master
Router(config-ptp-clk)# transport ipv4 unicast interface Gi3/3/1 negotiation
Router(config-ptp-clk)# end
Verifying ToD Configuration on the 1588V2 Master
This example helps you verify the ToD configuration for 1588V2 Master.
Router# show ptp clock runn dom 0
PTP Ordinary Clock [Domain 0]
State Ports Pkts sent Pkts rcvd
FREQ_LOCKED 1 30052 5867
PORT SUMMARY
Name Tx Mode Role Transport State Sessions
MASTER unicast master To3/1/2 - 1
SESSION INFORMATION
MASTER [To3/1/2] [Sessions 1]
Peer addr Pkts in Pkts out In Errs Out Errs
4.4.4.4 5867 30052 0 1
Use the show platform ptp tod all command to display the sample output.
Router# show platform ptp tod all
--------------------------------
ToD/1PPS Info for SPA 3/1
--------------------------------
ToD CONFIGURED : YES
ToD FORMAT : CISCO
ToD DELAY : 0
1PPS MODE : INPUT
1PPS STATE : UP
ToD STATE : UP
ToD CLOCK : Mon Aug 30 09:36:47 UTC 2010
Configuring ToD on 1588V2 Slave
These commands are used to configure ToD on the 1588V2 slave:
Command: Router(config-ptp-clk)# tod /
Purpose: Configures ToD on 1588V2.
Command: Router(config-ptp-clk)# output 1pps /
Purpose: Provides the output from the slave.
This example shows the ToD configuration on the 1588V2 slave:
Router# config terminal
Router(config)# ptp clock ordinary domain 0
Router(config-ptp-clk)# tod 3/3 cisco
Router(config-ptp-clk)# output 1pps 3/3
Router(config-ptp-clk)# clock-port SLAVE slave
Router(config-ptp-clk)# transport ipv4 unicast interface Gi3/3/1 negotiation
Router(config-ptp-clk)# clock source 1.1.1.1
Router(config-ptp-clk)# end
Verifying ToD Configuration on the 1588V2 Slave
This example helps you verify the ToD configuration on the 1588V2 slave.
Router# show ptp clock runn dom 0
PTP Ordinary Clock [Domain 0]
State Ports Pkts sent Pkts rcvd
ACQUIRING 1 5308 27185
PORT SUMMARY
Name Tx Mode Role Transport State Sessions
SLAVE unicast slave To3/1/2 - 1
SESSION INFORMATION
SLAVE [To3/1/2] [Sessions 1]
Peer addr Pkts in Pkts out In Errs Out Errs
3.3.3.3 27185 5308 0 0
Use the show platform ptp tod all command to display the sample output.
Router# show ptp clock runn dom 0
PTP Ordinary Clock [Domain 0]
State Ports Pkts sent Pkts rcvd
PHASE_ALIGNED 1 21428 109772
PORT SUMMARY
Name Tx Mode Role Transport State Sessions
SLAVE unicast slave To3/1/2 - 1
SESSION INFORMATION
SLAVE [To3/1/2] [Sessions 1]
Peer addr Pkts in Pkts out In Errs Out Errs
Router# show platform ptp tod all
--------------------------------
ToD/1PPS Info for SPA 3/1
--------------------------------
ToD CONFIGURED : YES
ToD FORMAT : CISCO
ToD DELAY : 0
1PPS MODE : OUTPUT
OFFSET : 0
PULSE WIDTH : 0
ToD CLOCK : Mon Aug 30 09:52:08 UTC 2010
--------------------------------
Configuring Boundary Clock for 2-Port Gigabit Synchronous Ethernet SPA on
Cisco 7600 SIP-400
Use the following configuration to configure the 2-Port Gigabit Synchronous Ethernet SPA on the Cisco
SIP-400:
ptp clock boundary domain 0
clock-port SLAVE slave
transport ipv4 unicast interface To2/0/2 negotiation
clock source 133.133.133.133
clock-port MASTER master
transport ipv4 unicast interface Top2/0/2 negotiation
Configuring Network Clock for 2-Port Gigabit Synchronous Ethernet SPA on
Cisco 7600 SIP-400
The 2-Port Gigabit Synchronous Ethernet SPA supports time, phase and frequency awareness through
Ethernet networks. The 2-Port Gigabit Synchronous Ethernet SPA on the Cisco SIP-400 enables clock
selection and translation between the various clock frequencies. If the 2-Port Gigabit Synchronous
Ethernet SPA interoperates with devices that do not support synchronization, synchronization features
can be disabled or partially enabled to maintain backward compatibility.
The network clock can be configured in global configuration mode and interface configuration mode:
• Configuring Network Clock in Global Configuration Mode, page 12-29
• Configuring Network Clock in Interface Configuration Mode, page 12-33
Configuring Network Clock in Global Configuration Mode
Use the following commands to configure the 2-Port Gigabit Synchronous Ethernet SPA on the Cisco
SIP-400:
Command Purpose
Router(config)# [no] network-clock synchronization automatic
Enables G.781 based automatic clock selection process.
G.781 is the ITU-T Recommendation that specifies the
synchronization layer functions.
Router(config)# [no] network-clock eec {1 | 2}
Example
Router(config)# network-clock eec 1
Configures the clocking system hardware with the
desired parameters. These are the options:
• For option 1, the default value is EEC-Option 1
(2048).
• For option 2, the default value is EEC-Option 2
(1544).
Router(config)# [no] network-clock synchronization ssm option {1 | 2 {GEN1 | GEN2}}
Example
Router(config)# network-clock synchronization ssm option 2 GEN1
Configures the router to work in a synchronized
network mode as described in G.781. The following are
the options:
• Option 1: refers to synchronization networks
designed for Europe (SDH/ E1 framings are
compatible with this option).
• Option 2: refers to synchronization networks
designed for the US (SONET/T1 framings are
compatible with this option).
The default option is 1. If you choose option 2,
you must also specify the second generation message
(GEN2) or the first generation message (GEN1).
Note Network-clock configurations that are not
common between options need to be configured
again.
Router(config)# [no] network-clock synchronization mode QL-enabled
Configures the automatic selection process for quality
level QL-enabled mode.
Note QL-enabled mode succeeds only if at least one
synchronization interface is capable of
sending SSM.
Router(config)# [no] esmc process
Enables or disables the ESMC process at system level.
Note This command fails if there is no SyncE capable
interface installed in the platform.
Router(config)# network-clock hold-off {0 | <50-10000>} global
Example
Router(config)# network-clock hold-off 75 global
Configures general hold-off timer in milliseconds. The
default value is 300 milliseconds.
Note Displays a warning message for values below
300 ms and above 1800 ms.
Router(config)# network-clock external hold-off {0 | <50-10000>}
Example
Router(config)# network-clock external 3/1/1 hold-off 300
Overrides hold-off timer value for external interface.
Note Displays a warning message for values above
1800 ms, as waiting longer causes the clock to
go into the holdover mode.
Router(config)# network-clock wait-to-restore <0-86400> global
Example
Router(config)# network-clock wait-to-restore 1000 global
Sets the value for the wait-to-restore timer globally.
The wait to restore time is configurable in the range of
0 to 86400 seconds. The default value is 300 seconds.
Caution Ensure that you set the wait-to-restore values
above 50 seconds to avoid a timing flap.
Router(config)# [no] network-clock input-source {interface | top | {external [t1 {sf | efs | d4} | e1 [crc4 | fas | cas [crc4] | 2m | 10m]}}
Example
Router(config)# network-clock input-source 23 top 2/0/1/3
Example for GPS interface
Router(config)# network-clock input-source 1 external 3/0/0 10m
Configures a clock source line interface, an external
timing input interface, GPS interface, or a packet-based
timing recovered clock as the input clock for the system
and defines its priority. Priority is a number between 1
and 250.
This command also configures the type of signal for an
external timing input interface. These signals are:
• T1 with Standard Frame format or Extended
Standard Frame format.
• E1 with or without CRC4
• 2 MHz signal
• Default for Europe or Option I is e1 crc4 if the
signal type is not specified.
• Default for North America or Option II is t1 esf if
signal type is not specified.
Note The no version of the command reverses the
command configuration, implying that the
priority has changed to undefined and the state
machine is informed.
Router(config)# [no] network-clock revertive
Specifies whether or not the clock source is revertive.
Clock sources with the same priority are always
non-revertive. The default value is non-revertive.
In non-revertive switching, a switch to an alternate
reference is maintained even after the original reference
recovers from the failure that caused the switch. In
revertive switching, the clock switches back to the
original reference after that reference recovers from the
failure, independent of the condition of the alternate
reference.
Router(config)# network-clock quality-level {tx | rx} {interface | external | controller }
Example
Router(config)# network-clock quality-level rx QL-PRC external 4/0/0 e1 crc4
Specifies the QL value for line or external timing input
or output. The value is based on a global interworking
Option.
• If Option 1 is configured, the available values are
QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC, and
QL-DNU.
• If Option 2 is configured with GEN 2, the available
values are QL-PRS, QL-STU, QL-ST2, QL-TNC,
QL-ST3, QL-SMC, QL-ST4 and QL-DUS.
• If option 2 is configured with GEN1, the available
values are QL-PRS, QL-STU, QL-ST2, QL-SMC,
QL-ST4 and QL-DUS
Note This command is not supported for synchronous
ethernet interfaces.
Router(config)# network-clock output-source line {interface | controller {t1 | e1} } {external [t1 {sf | efs | d4} | e1 [crc4 | fas | cas [crc4] | 2m | 10m] }
Example
Router(config)# network-clock output-source line 1 interface GigabitEthernet3/0/0
Transmits the line clock sources to external timing
output interfaces.
Note A line can be configured to be the output source
for only one external interface.
This command provides the station clock output as per
G.781. We recommend that you use the interface level
command instead of global commands. Global
command should preferably be used for interfaces that
do not have an interface sub mode. For more
information on configuring network clock in interface
level mode, see Configuring Network Clock in Interface
Configuration Mode, page 12-33.
Router(config)# network-clock output-source system {external [t1 {sf | efs | d4} | e1 [crc4 | fas | cas [crc4] | 2m | 10m] }
Example
Router(config)# network-clock output-source system 55 external 3/0/1 t1 efs
Allows transmitting the system clock to external timing
output interfaces.
This command provides station clock output as per
G.781. We recommend that you use the interface level
command instead of global commands. Global
command should preferably be used for interfaces that
do not have an interface sub mode. For more
information on configuring network clock in interface
level mode, see Configuring Network Clock in Interface
Configuration Mode, page 12-33.
Router(config)# [no] network-clock synchronization participate
Example
Router(config)# [no] network-clock synchronization participate 2
Enables or disables a slot from participating in
network-clock algorithm.
By default all slots are participating slots.
Note A slot cannot be disabled from participation if
its primary source, secondary source, or system
to external is valid.
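The limits stated in the table above (timer ranges and warning thresholds, the input-source priority range, and the QL values allowed per SSM option) can be checked against a saved configuration before it is applied. The following is an added example, not part of the Cisco guide; the function names and the sample configuration are hypothetical and constructed for illustration.

```python
import re

# QL values the table lists per SSM option; key = (option, generation).
QL_VALUES = {
    ("1", None): {"QL-PRC", "QL-SSU-A", "QL-SSU-B", "QL-SEC", "QL-DNU"},
    ("2", "GEN2"): {"QL-PRS", "QL-STU", "QL-ST2", "QL-TNC", "QL-ST3",
                    "QL-SMC", "QL-ST4", "QL-DUS"},
    ("2", "GEN1"): {"QL-PRS", "QL-STU", "QL-ST2", "QL-SMC", "QL-ST4", "QL-DUS"},
}

SSM_RE = re.compile(r"network-clock synchronization ssm option (1|2)(?: (GEN1|GEN2))?$", re.I)
HOLD_OFF_RE = re.compile(r"network-clock hold-off (\d+) global$", re.I)
EXT_HOLD_OFF_RE = re.compile(r"network-clock external \S+ hold-off (\d+)$", re.I)
WTR_RE = re.compile(r"network-clock wait-to-restore (\d+) global$", re.I)
INPUT_RE = re.compile(r"network-clock input-source (\d+) ", re.I)
QL_RE = re.compile(r"network-clock quality-level (?:tx|rx) (\S+)", re.I)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
network-clock synchronization automatic
network-clock synchronization ssm option 2 GEN1
network-clock hold-off 75 global
network-clock wait-to-restore 30 global
network-clock input-source 300 external 3/0/0 10m
network-clock quality-level rx QL-PRC external 4/0/0 e1 crc4
network-clock external 3/1/1 hold-off 300
"""


def ssm_option(lines):
    """Return (option, generation); the table gives option 1 as the default."""
    option = ("1", None)
    for line in lines:
        m = SSM_RE.match(line)
        if m:
            option = (m.group(1), m.group(2).upper() if m.group(2) else None)
    return option


def lint(config_text):
    """Return [(line_no, severity, message)] for global network-clock commands."""
    lines = [line.strip() for line in config_text.splitlines()]
    allowed_ql = QL_VALUES.get(ssm_option(lines))  # None: option 2 without GEN1/GEN2
    findings = []
    for no, line in enumerate(lines, 1):
        is_global = HOLD_OFF_RE.match(line)
        m = is_global or EXT_HOLD_OFF_RE.match(line)
        if m:
            ms = int(m.group(1))
            if ms != 0 and not 50 <= ms <= 10000:
                findings.append((no, "error", f"hold-off {ms} ms is outside 0 | 50-10000"))
            elif ms > 1800:
                findings.append((no, "warning", f"hold-off {ms} ms is above 1800 ms"))
            elif is_global and ms < 300:
                # The table states the below-300 warning only for the global timer.
                findings.append((no, "warning", f"hold-off {ms} ms is below 300 ms"))
            continue
        m = WTR_RE.match(line)
        if m:
            sec = int(m.group(1))
            if sec > 86400:
                findings.append((no, "error", f"wait-to-restore {sec} s is outside 0-86400"))
            elif sec <= 50:
                findings.append((no, "caution", f"wait-to-restore {sec} s is not above 50 s"))
            continue
        m = INPUT_RE.match(line)
        if m and not 1 <= int(m.group(1)) <= 250:
            findings.append((no, "error", f"priority {m.group(1)} is outside 1-250"))
        m = QL_RE.match(line)
        if m:
            ql = m.group(1).upper()
            if allowed_ql is None:
                findings.append((no, "error", "ssm option 2 is set without GEN1 or GEN2"))
            elif ql not in allowed_ql:
                findings.append((no, "error", f"{ql} is not listed for the configured SSM option"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint(SAMPLE_CONFIG):
        print(f"line {line_no}: {severity}: {message}")
```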
Configuring Network Clock in Interface Configuration Mode
Use the following commands in the interface configuration mode to configure the network clock and
timers on the Cisco 7600 SIP-400, 2-Port Gigabit Synchronous Ethernet SPA.
Command Purpose
Router(config-if)# [no] clock cleanup bits [t1 {sf | esf} | e1 crc4 | 2m | japan]
Example:
Router(config-if)# clock cleanup bits 2/0 t1 esf
Enables or disables clock clean up on 2-Port Gigabit
Synchronous Ethernet SPA.
Router(config-if)# clock source {internal | line | loop}
Example:
Router(config-if)# clock source internal
Sets the clock source on the interface to:
• Line: The system clock selection process selects the
clock source line as the interface and uses the
system clock for TX.
• Internal: The system clock selection process does
not select clock source as the interface but it uses
the system clock for TX.
• Loop: The system clock selection process selects
the clock source line as the interface. For TX clock
the interface uses the clock source received on the
same interface.
Note By default, the clock source on the interface is
set to internal.
Router(config-if)# synchronous mode
Configures the ethernet interface to synchronous mode
and this automatically enables the ESMC and Quality
Level process on the interface.
Note This command is applicable to Synchronous
Ethernet capable interfaces. The default value is
asynchronous mode.
Router(config-if)#esmc mode [tx | rx |]
Example:
Router(config-if)#esmc mode tx
Enables or disables ESMC process on the interface.
Note If the interface is configured as line source but
does not receive ESMC message from peer node
on the interface, then the interface is removed
from selectable clock source list. By default this
is enabled for synchronous mode and disabled
for asynchronous mode.
Note This command is not supported for
non-synchronous ethernet interfaces.
Router(config-if)# network-clock source quality-level {tx | rx}
Example:
Router(config-if)# network-clock source quality-level QL-PRC
The command forces QL value to local clock selection
process and it is considered by the clock selection
process as a value from network. The value is based on
global interworking Option.
• If Option 1 is configured, the available values are
QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC, and
QL-DNU.
• If Option 2 is configured with GEN 2, the available
values are QL-PRS, QL-STU, QL-ST2, QL-TNC,
QL-ST3, QL-SMC, QL-ST4 and QL-DUS.
• If option 2 is configured with GEN1, the available
values are QL-PRS, QL-STU, QL-ST2, QL-SMC,
QL-ST4 and QL-DUS
Note This command is applicable to Synchronous
Ethernet capable interfaces.
Router(config-if)# network-clock hold-off <0 | 50-10000>
Example:
Router(config-if)# network-clock hold-off 1000
Configures hold-off timer for interface. The default
value is 300 milliseconds.
Note Displays a warning for values below 300 ms and
above 1800 ms.
Router(config-if)# [no] network-clock wait-to-restore <0-86400>
Example:
Router(config-if)# network-clock wait-to-restore 1000
Configures the wait-to-restore timer on the SyncE
interface.
Caution Ensure that you set the wait-to-restore values
above 50 seconds to avoid timing flap.
Router(config-if)# [no] esmc mode ql-disabled
Disables the quality level mode. The default mode for
synchronous ethernet is ql-enabled.
Note This command is not supported for
non-synchronous ethernet interfaces.
Managing Synchronization
You can manage the synchronization using the following management commands:
Command Purpose
Router(config)# network-clock set lockout {interface interface_name slot/card/port | external slot/card/port}
Example:
Router(config)# network-clock set lockout interface tenGigabitEthernet 7/1
Router(config)# network-clock clear lockout interface tenGigabitEthernet 7/1
Locks out a clock source. A clock source flagged as
lock-out is not selected for SyncE.
To clear the lock-out on a source, use network-clock
clear lockout {interface interface_name slot/card/port
| external slot/card/port} command.
Note Lockout takes precedence over force switch and
force switch overrides the manual switch.
Router(config)# network-clock switch force {interface interface_name slot/card/port | external slot/card/port}
Example:
Router(config)# network-clock switch force interface tenGigabitEthernet 7/1 t1
Forcefully selects a synchronization source irrespective
of whether the source is available and is within the
range.
Router(config)# network-clock switch manual {interface interface_name slot/card/port | external slot/card/port}
Example:
Router(config)# network-clock switch manual interface tenGigabitEthernet 7/1 t1
Manually selects a synchronization source, provided the
source is available and is within the range.
Router(config)# network-clock clear switch {t0 | external [10m | 2m]}
Example:
Router(config)# network-clock clear switch t0
Clears the forced switch and manual switch commands.
Sample configuration
Example 12-1 Configuration for QL-enabled mode clock selection.
network-clock synchronization automatic
network-clock synchronization mode QL-enabled
network-clock input-source 1 interface TenGigabitEthernet12/1
network-clock input-source 1 interface ATM6/0/0
!
interface TenGigabitEthernet12/1
no ip address
clock source line
synchronous mode
end
!
interface ATM6/0/0
no ip address
atm framing sdh
no atm enable-ilmi-trap
end
Example 12-2 Configuration for Line to External
network-clock synchronization automatic
network-clock synchronization mode QL-enabled
network-clock input-source 1 External 3/0/0
network-clock output-source line 1 interface GigabitEthernet3/0/0 External 3/0/0 e1 crc4
interface GigabitEthernet3/0/0
no ip address
no negotiation auto
synchronous mode
Example 12-3 Configuration for Hybrid Mode Clock Selection
network-clock synchronization automatic
network-clock input-source 1 interface ToP3/0/2
network-clock quality-level rx QL-PRC interface ToP3/0/2
Example 12-4 GPS Configuration
10MHz signal
network-clock input-source 1 External 3/0/0 10m
2M signal
network-clock input-source 1 External 3/0/0 2m
Verifying the Synchronous Ethernet configuration
Use the show network-clocks synchronization command to verify the configuration, as in this sample output.
Router#show network-clocks synchronization
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No
Nominated Interfaces
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-PRC - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA
Use the show network-clocks synchronization detail command to display all details of network-clock
synchronization parameters at the global and interface levels.
Router# show network-clocks synchronization detail
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No
Force Switch: FALSE
Manual Switch: FALSE
Number of synchronization sources: 2
sm(netsync NETCLK_QL_ENABLE), running yes, state 1A
Last transition recorded: (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)->
1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (sf_change)-> 1A
(ql_change)-> 1A
Nominated Interfaces
Interface SigType Mode/QL Prio QL_IN ESMC Tx ESMC Rx
Internal NA NA/Dis 251 QL-SEC NA NA
*Te12/1 NA Sync/En 1 QL-PRC - -
AT6/0/0 NA NA/En 1 QL-SSU-A NA NA
Interface:
---------------------------------------------
Local Interface: Internal
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Disable
SSM Rx: Disable
Priority: 251
QL Receive: QL-SEC
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: -
QL Transmit Configured: -
Hold-off: 0
Wait-to-restore: 0
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
Local Interface: Te12/1
Signal Type: NA
Mode: Synchronous(Ql-enabled)
ESMC Tx: Enable
ESMC Rx: Enable
Priority: 1
QL Receive: QL-PRC
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: QL-DNU
QL Transmit Configured: -
Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
Local Interface: AT6/0/0
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Enable
SSM Rx: Enable
Priority: 1
QL Receive: QL-SSU-A
QL Receive Configured: -
QL Receive Overrided: -
QL Transmit: -
QL Transmit Configured: -
Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
Use the show interface accounting command to display the sample output.
Router#show interfaces tenGigabitEthernet 12/1 accounting
TenGigabitEthernet12/1
Protocol Pkts In Chars In Pkts Out Chars Out
DEC MOP 14 1134 14 1806
ARP 0 0 2 224
CDP 145 55970 145 63049
ESMC 3246 194760 7099 823484
Use the show esmc command to display the sample output.
Router#show esmc
Interface: TenGigabitEthernet12/1
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: -
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
Interface: TenGigabitEthernet12/2
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
QL rx overrided: QL-DNU
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
Use the show esmc detail command to display all details of esmc parameters at the global and interface
levels.
Router#show esmc detail
Interface: TenGigabitEthernet12/1
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: -
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
ESMC Tx Timer: Running
ESMC Rx Timer: Running
ESMC Tx interval count: 1
ESMC INFO pkts in: 2195
ESMC INFO pkts out: 6034
ESMC EVENT pkts in: 1
ESMC EVENT pkts out: 16
Interface: TenGigabitEthernet12/2
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
QL rx overrided: QL-DNU
ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
ESMC Tx Timer: Running
ESMC Rx Timer: Running
ESMC Tx interval count: 1
ESMC INFO pkts in: 0
ESMC INFO pkts out: 2159
ESMC EVENT pkts in: 0
ESMC EVENT pkts out: 10
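The show esmc detail output above can be checked mechanically for the conditions that take an interface out of clock selection, such as a port that has ESMC RX enabled but has received no ESMC INFO packets. The following is an added example, not part of the Cisco guide; the function names are hypothetical and the sample text is constructed in the format shown above.

```python
# Constructed sample in the "show esmc detail" format (not captured from a device).
# Section header spelling is reproduced as the device prints it.
SAMPLE_OUTPUT = """\
Interface: TenGigabitEthernet12/1
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: -
ESMC INFO pkts in: 2195
ESMC INFO pkts out: 6034
Interface: TenGigabitEthernet12/2
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: -
QL RX: -
Operational status:
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
QL rx overrided: QL-DNU
ESMC INFO pkts in: 0
ESMC INFO pkts out: 2159
"""

# Quality levels that mark a source as not usable for synchronization.
DO_NOT_USE = {"QL-DNU", "QL-DUS"}


def parse_show_esmc_detail(text):
    """Return {interface_name: {field: value}} from 'show esmc detail' text."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "Interface":
            current = interfaces.setdefault(value, {})
        elif current is not None and value:
            # Section headers ("Operational status:") have no value and are skipped.
            current[key] = value
    return interfaces


def check_esmc(text):
    """Return {interface_name: [issues]}; an empty list means nothing was flagged."""
    report = {}
    for name, fields in parse_show_esmc_detail(text).items():
        issues = []
        if fields.get("Port status") != "UP":
            issues.append("port is not UP")
        pkts_in = fields.get("ESMC INFO pkts in", "")
        if fields.get("ESMC RX") == "Enable" and pkts_in.isdigit() and int(pkts_in) == 0:
            issues.append("ESMC RX enabled but no ESMC INFO packets received from the peer")
        # Only the received QL is checked: QL-DNU on transmit is normal toward
        # the source the router itself has selected.
        if fields.get("QL Receive") in DO_NOT_USE:
            issues.append(f"received quality level is {fields['QL Receive']}")
        if fields.get("QL rx overrided", "-") != "-":
            issues.append(f"received QL is overridden to {fields['QL rx overrided']}")
        report[name] = issues
    return report


if __name__ == "__main__":
    for interface, issues in check_esmc(SAMPLE_OUTPUT).items():
        print(interface, "OK" if not issues else "; ".join(issues))
```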
Troubleshooting the Synchronous Ethernet configuration
The following debug commands are available for troubleshooting the Synchronous Ethernet
configuration on the Cisco 7600 ES+ Line Card:
Debug Command Purpose
debug platform ssm
Debugs issues related to SSM such as Rx, Tx, QL
values and so on.
debug platform network-clock
Debugs issues related to network clock such as
alarms, OOR, active-standby sources not selected
correctly and so on.
debug esmc error
debug esmc event
debug esmc packet [interface ]
debug esmc packet rx [interface ]
debug esmc packet tx [interface ]
Verifies whether the ESMC packets are
transmitted or received with proper quality level
values.
Troubleshooting Scenarios
Note Before you troubleshoot, ensure that all the network clock synchronization configurations are complete.
Table 12-2 provides the troubleshooting scenarios encountered while configuring the synchronous
ethernet.
Table 12-2 Troubleshooting scenarios
Problem Solution
Incorrect clock limit set or disabled queue limit
mode
• Verify that there are no alarms on the
interfaces. Use the show network-clock
synchronization detail RP command to
confirm.
Warning We suggest you do not use these
debug commands without TAC
supervision.
• Use the show network-clock
synchronization command to confirm if the
system is in revertive mode or non-revertive
mode and verify the non-revertive
configurations as shown in this example:
RouterB#show network-clocks synchronization
Symbols: En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 1544 (EEC-Option2)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : GEN1
T0 : POS3/1/0
Hold-off (global) : 300 ms
Wait-to-restore (global) : 0 sec
Tsm Delay : 180 ms
Revertive : Yes<<<
enable
Enables privileged EXEC mode.
• Enter your password if prompted.
configure terminal
Example:
Router# configure
terminal
Enters global configuration mode.
Router(config)#
ethernet cfm domain
domain-name level 0 to
7 direction outward
Example
Router(config)#
ethernet cfm domain
domain1 level 5
direction outward
Defines a CFM Maintenance domain at a particular maintenance level. It
sets the router into config-ether-cfm configuration mode, where parameters
specific to the maintenance domain can be set.
• Direction outward (optional)—Specifies the domain direction.
Specifying a domain as outward allows for the creation of multiple
outward domains at the same level containing an overlapping set of
vlans. The set of vlans in an outward domain can also overlap with
inward domains. Note that the set of vlans between inward domains at
the same level must still be unique.
DETAILED STEPS
Command Purpose
enable
Example:
Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Router(config)# interface interface
Example
Router(config)# interface interface1
Enters the interface configuration mode.
Router(config-interface)# ethernet cfm mep level 0 to 7 inward | outward domain-name mpid id vlan vlan-id | any | vlan-id-vlan-id vlan-id-vlan-id
Example
Router(config-interface1)# ethernet cfm mep level 7 inward domain1 mpid 22718 vlan 32
• inward | outward—Indicates the direction of the
MEP as either inward (towards the bridge) or
outward (towards the wire). The default is inward
facing.
• domain-name—A string of maximum length of 256
characters.
• id—A string of maximum length of 256 characters.
• vlan-id—An integer from 1 to 4095.
Note A comma must be entered to separate each
VLAN ID range from the next range.
Note Hyphen must be entered to separate the starting
and ending VLAN ID values that are used to
define a range of VLAN IDs.
Configuring CFM in the EVC
Use the commands in the following sections to configure CFM on the EVC.
SUMMARY STEPS
1. enable
2. configure terminal
3. ethernet cfm global
4. ethernet cfm mip {autocreate|filter}
5. ethernet cfm mip auto-create level
6. ethernet cfm mip auto-create level {evc|vlan}
7. ethernet cfm mip auto-create level evc name
8. ethernet cfm domain domain level
9. service {word|number|vlan-id |vpn-id}
10. service evc {evc|port}
11. service evc evc name
12. service evc {direction|vlan}
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3 ethernet cfm global
Example:
PE1(config)#ethernet cfm global
Enables CFM globally.
Step 4 ethernet cfm mip {autocreate|filter}
Example:
PE1(config)#ethernet cfm mip
Creates a Maintenance Intermediate Point (MIP) for every
VLAN on an interface using the autocreate or the filter
options. Ensure that you have created a domain using the
ethernet cfm domain command. If you do not have a
domain configured at the same level, the ethernet cfm mip
level command is rejected.
You cannot configure a MIP at a level lower than the level
of already configured maintenance end points (MEPs) on
an interface.
Step 5 ethernet cfm mip auto-create level
Example:
PE1(config)#ethernet cfm mip
auto-create level
Automatically creates a MIP in the ethernet interface and
sets the maintenance level number. The acceptable range
of maintenance levels is 0-7.
Step 6 ethernet cfm mip auto-create level {evc|vlan}
Example:
PE1(config)#ethernet cfm mip auto-create level 7 evc
PE1(config)#ethernet cfm mip auto-create level 7 vlan ?
<1-4094> VLAN id
Sets the EVC or the VLAN values based on the selected
option. The acceptable range of VLAN values is 1-4094.
Step 7 ethernet cfm domain domain level
Example:
PE1(config)#ethernet cfm domain DOMAIN_PROVIDER_L5_1 level 5
Defines a connectivity fault management (CFM)
maintenance domain at a particular maintenance level and
puts the command-line interface (CLI) into Ethernet CFM
configuration mode (config-ether-cfm). Use the ethernet
cfm domain level command in global configuration mode.
Step 8 service {word|number|vlan-id|vpn-id}
Example:
PE1(config-ecfm)#service vlan100
Sets a universally unique ID for a customer service
instance (CSI) or the maintenance association number
value, primary VLAN ID and VPN ID within a
maintenance domain in Ethernet connectivity fault
management (CFM) configuration mode.
Step 9 service evc {evc|port}
Example:
PE1(config-ecfm)#service vlan100 evc
Configures a service EVC or port before you configure a
maintenance endpoint (MEP) for a domain.
Step 10 service evc evc name
Example:
PE1(config-ecfm)#service vlan100 evc vlan100
Assigns a unique EVC name.
Step 11 service evc {direction|vlan}
Example:
PE1(config-ecfm)#service vlan100 evc vlan100
Specifies the service direction and the VLAN range of
1-4094.
Step 12 service evc direction
Example:
PE1(config-ecfm)#service vlan100 evc vlan100 direction down
Sets the LAN direction to DOWN in the evc service
instance.
Sample Configuration
The following example shows the CFM configuration for an EVC interface.
interface GigabitEthernet3/0/10
description connec to CE1 GigabitEthernet0/0
ip arp inspection limit none
no ip address
mls qos trust dscp
ethernet uni id customer1
service instance 1 ethernet evc10
encapsulation dot1q 2
ethernet lmi ce-vlan map 1-10
bridge-domain 2
cfm mep domain L7 mpid 1502
The following example shows CFM configuration over a switchport interface configuration mode.
interface GigabitEthernet3/0/10
switchport
switchport mode trunk
shutdown
mls qos trust dscp
no keepalive
ethernet cfm mep domain L7 mpid 1001 vlan 10
end
The following example shows CFM configuration over a switchport interface configuration mode.
ethernet cfm domain L6 level 6
service xconn evc xconn
continuity-check
Verifying Ethernet CFM Configuration
The following commands can be used to verify CFM configuration:
Command Purpose
Router# show ethernet cfm maintenance-points local [mep | mip] [interface interface-name | domain domain-name | level {0 to 7}]
Displays the local maintenance points configured on the device. Allows filtering of output as
follows:
• Displays all maintenance points independent of domain or interface.
• Displays all maintenance points on a particular interface independent of domain.
• Displays all maintenance points on a particular interface belonging to a given domain.
• Displays all maintenance points belonging to a given domain independent of interface.
The display may also be restricted to either MEPs or MIPs.
• domain-name—(Optional) A string of maximum length of 256 characters.
The show ethernet cfm maintenance-points local command displays the local maintenance points that are
configured:
Router# show ethernet cfm maintenance-points local
MPID DomainName Level Type VLAN Port CC-Status MAC
1522 DOMAIN_PROVIDER_L5_1 5 MEP I 2 Et2/0.1 Enabled aabb.cc00.0100
1502 DOMAIN_PROVIDER_L5_1 5 MEP O 2 Et0/0.1 Enabled aabb.cc00.0100
1523 DOMAIN_PROVIDER_L5_1 5 MEP O 3 Et2/0.2 Enabled aabb.cc00.0100
1503 DOMAIN_PROVIDER_L5_1 5 MEP I 3 Et0/0.2 Enabled aabb.cc00.0100
1302 DOMAIN_OPERATOR_L3_1 3 MEP I 2 Et0/0.1 Enabled aabb.cc00.0100
1303 DOMAIN_OPERATOR_L3_1 3 MEP I 3 Et0/0.2 Enabled aabb.cc00.0100
Level Type Port MAC
7 MIP Et2/0.2 aabb.cc00.0100
7 MIP Et2/0.1 aabb.cc00.0100
7 MIP Et0/0.2 aabb.cc00.0100
7 MIP Et0/0.1 aabb.cc00.0100
The ping ethernet command shows loopback messages on the destination MAC address:
Command Purpose
Router# ping ethernet {domain domain-name | level {0 to 7}} vlan vlan-id [source mpid]
Sends Ethernet CFM loopback messages to the destination MAC address.
• mac-address—MAC address of the remote maintenance point, in the format abcd.abcd.abcd.
• domain-name—A string of maximum length of 256 characters.
• vlan-id—An integer from 1 to 4095.
Router# ping ethernet
Sending 5, 100-byte Ethernet CFM Echoes to , timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
The show ethernet cfm statistics command shows loopback messages on the destination MAC
address:
Command Purpose
Router# show ethernet cfm statistics mpid mpid
Displays the CFM statistics.
Note The mpid is an integer value between 1 and 8191.
Router-c7606# show ethernet cfm statistics
MPID: 100
Last clearing of counters: 00:00:10
CCMs:
Transmitted: 10 Rcvd Seq Errors: 0
LTRs:
Unexpected Rcvd: 0
LBRs:
Transmitted: 5 Rcvd Seq Errors: 0
Rcvd In Order: 10 Rcvd Bad MSDU: 0
Debugging the Ethernet CFM Configuration
Use the following commands to debug the Ethernet CFM configuration:
Command Purpose
Router# debug ethernet cfm events domain domain-name | vlan vlan-id | evc evc-name
Enables Ethernet CFM event debugging and provides the capability to filter out debug
messages per:
• Maintenance Domain, or
• VLAN, or
• Combination of Maintenance Domain and VLAN, or
• EVC
Router# debug ethernet cfm errors
Enables Ethernet CFM error debugging.
Router# debug ethernet-cfm packets domain domain-name vlan vlan-id | evc evc-name
Enables Ethernet CFM message debugging and provides the capability to filter out debug
messages per:
• Maintenance Domain, or
• VLAN, or
• Combination of Maintenance Domain and VLAN, or
• EVC
Router# debug ethernet cfm all domain domain-name vlan vlan-id | evc evc-name
Enables all Ethernet CFM debug commands and provides the capability to filter out debug
messages per:
• Maintenance Domain, or
• VLAN, or
• Combination of Maintenance Domain and VLAN, or
• EVC
Router# debug ethernet cfm diagnostic events | packets cc | filter | lb | lt
Enables Ethernet CFM diagnostic debugging. These debugging messages may or may not be
tied to a particular service-instance, or they may be low-level platform-specific messages.
Packet diagnostics are further broken down into the following debugs:
• cc - Continuity Check
• filter - MIP and MEP filtering
• lb - Loopback
• lt - Linktrace
Router# debug ethernet-cfm packets domain domain-name vlan vlan-id | evc evc-name
Enables Ethernet CFM Messages debugging and provides capability to filter out debug messages
per:
• Maintenance Domain, or
• VLAN, or
• Combination of Maintenance Domain and VLAN, or
• EVC
Troubleshooting CFM Features
Table 12-3 provides troubleshooting solutions for the CFM features.
Table 12-3 Troubleshooting Scenarios
Problem: When you configure CFM, the message “Match registers are not available” is displayed.
Solution: Use the show platform mrm info command on the SP console to verify the match registers.
Based on the derived output, perform these tasks:
1. Check the hardware limitations on the affected ports.
2. Enable CFM across the system to allow co-existence with other protocols.
3. Ensure that no CFM traffic is present in any supervisor or ports.
4. Configure STP mode to Multiple Spanning Tree (MST) and re-enable CFM or disable CFM completely.
For more information on match registers, see Ethernet Connectivity Fault Management at
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
CFM uses two match registers to identify the control packet type and each VLAN spanning tree also
uses a match register to identify its control packet type. For both protocols to work on the same
system, each line card should support three match registers, and at least one supporting only a
44 bit MAC match.
Problem: CFM configuration errors
Solution: A CFM configuration error occurs when a MEP receives a continuity check with an
overlapping MPID. To verify the source of the error, use the command show ethernet cfm errors
configuration or show ethernet cfm errors.
Problem: CFM ping and traceroute result is "not found"
Solution: Complete these steps:
1. Use show run ethernet cfm to view all CFM global configurations.
2. Use show ethernet cfm location main to view local MEPs and their CCM statistics.
3. Use the show ethernet cfm peer meps command to view CFM CCM received from peer MEPs.
4. Use the trace ethernet cfm command to start a CFM trace.
Problem: CFM connectivity is down and issues at the maintenance domain levels
Solution: Use the ping ethernet {mac-address | mpid id | multicast} domain domain-name
{ vlan vlan-id | port | evc evc-name } or traceroute ethernet {mac-address | mpid id } domain
domain-name { vlan vlan-id | port | evc evc-name } commands to verify Ethernet CFM connectivity.
Share the output with TAC for further investigation.
Problem: Loop trap error
Solution: Use the show ethernet cfm error command to check for Loop Trap errors as shown here:
CE(config-if)#do sh ethernet cfm err
-------------------------------------------------------------------------------
Level Vlan MPID Remote MAC Reason Service ID
-------------------------------------------------------------------------------
5 711 550 1001.1001.1001 Loop Trap Error OUT
PE#sh ethernet cfm err
-------------------------------------------------------------------------------
Level Vlan MPID Remote MAC Reason Service ID
-------------------------------------------------------------------------------
5 711 550 1001.1001.1001 Loop Trap Error OUT
Problem: Module has insufficient match registers
Solution: Complete these steps:
1. Verify and confirm if an unsupported line card is inserted into the router.
2. If yes, perform an OIR to remove the unsupported line card.
Problem: CFM is deactivated
Solution: Complete these steps:
1. Check if all the line cards have free match registers.
2. Check if CFM is activated on supervisor cards. CFM is not supported on supervisor cards that
have two match registers. In this scenario, CFM is automatically disabled on the SUP ports and
enabled on the rest of the line cards.
Configuring Ethernet Operations, Administration, and Maintenance
The Gigabit Ethernet SPAs support OAM as defined by IEEE 802.3ah, Ethernet in the First Mile.
IEEE 802.3ah operates on a single point-to-point link between two devices using slow protocol packets
called OAM protocol data units (OAMPDUs) that are never forwarded.
IEEE 802.3ah defines five functional areas, of which the Gigabit Ethernet SPAs on the Cisco 7600 series
router support the following three:
• OAM discovery—Supports identification of OAM support and capabilities on a peer device.
• Link monitoring—Provides event notification and link information. It also supports polling and
response (but not writing) of the 802.3ah MIB.
• Remote failure indication—Supports informing a peer device that the receive path is down. This
requires support of unidirectional operation on the link.
Ethernet OAM Configuration Guidelines
When configuring Ethernet OAM on the SPAs, consider the following guidelines:
• See Table 12-4 for information about where the OAM features for SPA interfaces are supported.
• On Gigabit Ethernet links, the unidirectional fault signaling support in OAM and the autonegotiation
capabilities of Gigabit Ethernet (IEEE 802.3z) are mutually exclusive. You must disable
autonegotiation for OAM fault signaling to be sent over unidirectional links.
• Ethernet OAM requires point-to-point links where OAMPDUs are created and terminated.
• When configuring Ethernet OAM interface modes, consider the following guidelines:
– At least one of the peer interfaces must be in active mode.
– The peer interfaces either can be both in active mode, or one can be in active mode and the other
in passive mode.
– You can change Ethernet OAM modes without disabling OAM.
• When using templates to configure Ethernet OAM interfaces, consider the following guidelines:
– If you use a template to configure common or global OAM characteristics and apply it to an
interface, you can override any of the configuration statements in the template by configuring
the same command at the interface with a different value.
– You can define multiple templates to create different sets of link monitoring characteristics.
– You can only apply one template to any single Ethernet OAM interface.
Table 12-4 provides information about where the OAM features for SPA interfaces are supported.
Table 12-4 Ethernet OAM Feature Compatibility by SIP and SPA Combination
Feature | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600
OAM discovery; Link monitoring; Remote failure indication (Dying Gasp only) | Not supported. | In Cisco IOS Release 12.2(33)SRA: 2-Port Gigabit Ethernet SPA | In Cisco IOS Release 12.2(33)SRA: 1-Port 10-Gigabit Ethernet SPA, 5-Port Gigabit Ethernet SPA, 10-Port Gigabit Ethernet SPA
Remote loopback | Not supported. | Not supported. | Not supported.
MIB variable retrieval | Not supported. | Not supported. | Not supported.
Ethernet OAM Configuration Tasks
The following sections describe the Ethernet OAM configuration tasks:
• Enabling OAM on an Interface (required)
• Enabling and Disabling a Link Monitoring Session (optional)
• Starting and Stopping Link Monitoring Operation (optional)
• Configuring Link Monitoring Options (optional)
• Configuring Remote Failure Indication Actions (optional)
• Configuring Global Ethernet OAM Options Using a Template (optional)
• Verifying Ethernet OAM Configuration
Enabling OAM on an Interface
OAM is disabled on an interface by default. When you enable OAM on an interface, the interface
automatically advertises to the remote peer that it supports link monitoring during OAM discovery. Link
monitoring support must be agreed upon by the peer interfaces for monitoring to operate across the link.
Once link monitoring support is achieved between the peer interfaces, the interface will start the link
monitoring operation, and send event OAMPDUs when errors occur locally, and interpret event
OAMPDUs received from the remote peer.
You do not need to explicitly configure link monitoring support, or start the link monitoring operation
on the link unless you have previously disabled monitoring support or operation on the interface.
To enable OAM features on a Gigabit Ethernet interface, use the following commands beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# interface type slot/subslot/port Specifies the Ethernet SPA interface, where
• type—Specifies the type of Ethernet interface,
such as gigabitethernet or
tengigabitethernet.
• slot/subslot/port—Specifies the location of
the interface. See the “Specifying the
Interface Address on a SPA” section on
page 12-4.
Note Ethernet OAM can be defined on a main
Gigabit Ethernet interface only—not on
subinterfaces.
Step 2 Router(config-if)# ethernet oam [max-rate
oampdus | min-rate num-seconds | mode {active |
passive} | timeout seconds]
Enables OAM on a Gigabit Ethernet interface,
where:
• max-rate oampdus—(Optional) Specifies the
maximum number of OAMPDUs that can be
sent per second as an integer in the range of 1
to 10. The default is 10.
• min-rate num-seconds—(Optional) Specifies
the number of seconds (in the range 1–10)
during which at least one OAMPDU must be
sent. The default is 1 second.
• mode {active | passive}—(Optional)
Specifies the client mode for OAM discovery
and link negotiation, where:
– active— Specifies that the interface
initiates OAMPDUs for protocol
negotiation as soon as the interface
becomes active. This is the default. At
least one of the OAM peers must be
configured in active mode.
– passive—Specifies that the interface
waits in a listening mode to receive an
incoming OAMPDU for protocol
negotiation from a peer. The passive
interface begins sending OAMPDUs once
it receives OAMPDUs from the peer.
Note If you configure an interface in passive mode, then you must be sure that the peer
is in active mode for successful OAM operation.
• timeout seconds—Specifies the amount of time, in seconds (in the range 2–30), after
which a device declares its OAM peer to be nonoperational and resets its state machine.
The default is 5 seconds.
Enabling and Disabling a Link Monitoring Session
The OAM peer interfaces must establish a link monitoring session before the actual operation of link
monitoring can begin. If you have enabled OAM on the interface, and have not explicitly disabled link
monitoring support on the interface, then you do not need to explicitly configure link monitoring support
on the interface to establish a session.
The ethernet oam link-monitor supported command automatically runs in the background when you
configure the ethernet oam interface configuration command. Be sure that at least one of the Ethernet
OAM peers is configured for active mode so that a session can be established.
To explicitly configure and enable a link monitoring session on an interface, use the following command
in interface configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor supported
Enables link monitoring support on an Ethernet OAM interface.
To disable a link monitoring session on an interface, use the following command in interface
configuration mode:
Command Purpose
Router(config-if)# no ethernet oam link-monitor supported
Disables link monitoring support on an Ethernet OAM interface.
Starting and Stopping Link Monitoring Operation
If a link monitoring session is established among the Ethernet OAM peer interfaces, then sending and
receiving of Event Notification OAMPDUs can begin between the peers. This link monitoring operation
across the link automatically starts when you enable OAM on the interface.
The ethernet oam link-monitor on command automatically runs in the background when you configure
the ethernet oam interface configuration command.
You can stop and restart the operation of link monitoring (or, the sending and receiving of Event
Notification OAMPDUs on a link). Stopping link monitoring operation is not the same thing as disabling
link monitoring support. When you stop link monitoring operation, the interface is still configured to
support link monitoring with its peer, but just is not actively sending and receiving Event Notification
OAMPDUs.
To explicitly configure and start link monitoring operation on an interface, use the following command
in interface configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor on
Starts link monitoring on an Ethernet OAM interface.
To stop link monitoring operation on an interface, use the following command in interface configuration
mode:
Command Purpose
Router(config-if)# no ethernet oam link-monitor on
Stops link monitoring on an Ethernet OAM interface.
Configuring Link Monitoring Options
When OAM link monitoring is active, Event Notification OAMPDUs are sent to a remote OAM client
when errors are detected locally. You can configure certain windows and thresholds to define when these
error event notifications are triggered. If you do not modify the link monitoring options, default values
are used for the window periods and low thresholds.
The Gigabit Ethernet SPAs support the following types of error events as defined by IEEE 802.3ah:
• Errored Symbol Period (errored symbols per second)—This event occurs when the number of
symbol errors during a specified period exceeds a threshold. These are coding symbol errors (for
example, a violation of 4B/5B coding).
• Errored Frame (errored frames per second)—This event occurs when the number of frame errors
during a specified period exceeds a threshold.
• Errored Frame Period (errored frames per N frames)—This event occurs when the number of frame
errors within the last N frames exceeds a threshold.
• Errored Frame Seconds Summary (errored seconds per M seconds)—This event occurs when the
number of errored seconds (one second intervals with at least one frame error) within the last M
seconds exceeds a threshold.
Cisco Systems adds the following types of vendor-specific error events:
• Receive CRC (errored frames per second)—This event occurs when the number of frames received
with CRC errors during a specified period exceeds a threshold.
• Transmit CRC (errored frames per second)—This event occurs when the number of frames
transmitted with CRC errors during a specified period exceeds a threshold.
The link monitoring options can be configured in a global template that can be applied to one or more
interfaces, and also can be explicitly configured at the interface.
Specifying Errored Symbol Period Link Monitoring Options
The errored symbol period link monitoring options include the ability to specify the number of symbols
to be tracked or counted for errors, and the high and low thresholds for triggering the Errored Symbol
Period Link Event.
To specify errored symbol period link monitoring options, use the following commands in interface
configuration or template configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor symbol-period window million-symbol-units
(Optional) Specifies the number of symbols (in the range 1–65535, as a multiple of 1 million
symbols) to be included in the error counting according to the specified thresholds. The default
window unit is 100, or 100 million symbols.
Router(config-if)# ethernet oam link-monitor symbol-period threshold low low-symbols
(Optional) Specifies the low errored symbol threshold as a number of symbol errors (in the range
0–65535). If the number of error symbols in the window period is equal to or greater than
low-symbols, then the Errored Symbol Period Link Event will be generated. The default low
threshold is 0 symbols.
Router(config-if)# ethernet oam link-monitor symbol-period threshold high {none | high-symbols}
(Optional) Specifies the high errored symbol threshold as a number of error symbols (in the range
1–65535). If the number of error symbols in the window period is equal to or greater than
high-symbols, then a user defined action will be triggered. There is no default for the high
threshold, so you must explicitly configure a value to enable it.
For more information about configuring a user-defined action, see “Specifying a High Threshold
Action” section on page 12-71.
Specifying Errored Frame Link Monitoring Options
The errored frame link monitoring options include the ability to specify a period of time during which
frame errors are tracked or counted, and the high and low thresholds for triggering the Errored Frame
Link Event. The Gigabit Ethernet SPAs on the Cisco 7600 series router count general frame errors, such
as CRC errors and corrupted packets, as errored frames.
To specify errored frame link monitoring options, use the following commands in interface configuration
or template configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor frame window 100-millisecond-units
(Optional) Specifies a period of time (in the range 10–600, as a multiple of 100 milliseconds)
during which error counting occurs according to the specified thresholds. The default window unit
is 10, or 1000 milliseconds.
Router(config-if)# ethernet oam link-monitor frame threshold low low-frames
(Optional) Specifies the low error frame threshold as a number of frames (in the range 0–65535).
If the number of error frames in the window period is equal to or greater than low-frames, then
the Errored Frame Link Event will be generated. The default low threshold is 0 frame errors.
Router(config-if)# ethernet oam link-monitor frame threshold high {none | high-frames}
(Optional) Specifies the high error frame threshold as a number of error frames (in the range
1–65535). If the number of error frames in the window period is equal to or greater than
high-frames, then a user defined action will be triggered. There is no default for the high
threshold, so you must explicitly configure a value to enable it.
Use the none keyword to disable the high threshold.
For more information about configuring a user-defined action, see “Specifying a High Threshold
Action” section on page 12-71.
Specifying Errored Frame Period Link Monitoring Options
The errored frame period link monitoring options include the ability to specify the number of error
frames to be tracked or counted for errors, and the high and low thresholds for triggering the Errored
Frame Period Link Event. The Gigabit Ethernet SPAs on the Cisco 7600 series router count general
frame errors, such as CRC errors and corrupted packets, as errored frames.
To specify errored frame period link monitoring options, use the following commands in interface
configuration or template configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor frame-period window 10000-frame-units
(Optional) Specifies the number of frames (in the range 1000–65535, as a multiple of 10000 frames)
to be included in the error counting according to the specified thresholds. The default window
unit is 1000, or 10000000 frames.
Router(config-if)# ethernet oam link-monitor frame-period threshold low low-frames
(Optional) Specifies the low error frame threshold as a number of frames (in the range 0–65535).
If the number of error frames in the window period is equal to or greater than low-frames, then
the Errored Frame Period Link Event will be generated. The default low threshold is 0 frame errors.
Router(config-if)# ethernet oam link-monitor frame-period threshold high {none | high-frames}
(Optional) Specifies the high error frame threshold as a number of frames (in the range 1–65535).
If the number of error frames in the window period is equal to or greater than high-frames, a user
defined action will be triggered. There is no default for the high threshold, so you must
explicitly configure a value to enable it.
Use the none keyword to disable the high threshold.
For more information about configuring a user-defined action, see “Specifying a High Threshold
Action” section on page 12-71.
Specifying Errored Frame Seconds Summary Link Monitoring Options
The errored frame seconds summary link monitoring options include the ability to specify a period of
time during which tracking of a number of errored-seconds periods (one-second intervals with at least
one frame error) occurs, and the high and low thresholds for triggering the Errored Frames Seconds
Summary Link Event.
To specify errored frame seconds summary link monitoring options, use the following commands in
interface configuration or template configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor frame-seconds window 100-millisecond-units
(Optional) Specifies a period of time (in the range 100–9000, as a multiple of 100 milliseconds)
during which tracking of an errored-seconds period occurs according to the specified thresholds.
The default window unit is 100, or 10000 milliseconds.
Router(config-if)# ethernet oam link-monitor frame-seconds threshold low low-errored-seconds
(Optional) Specifies the low errored seconds threshold as a number of errored seconds (in the
range 0–900). If the number of errored seconds in the window period is equal to or greater than
low-errored-seconds, then the Errored Frame Seconds Summary Link Event will be generated. The
default low threshold is 0 error seconds.
Router(config-if)# ethernet oam link-monitor frame-seconds threshold high {none | high-errored-seconds}
(Optional) Specifies the high errored seconds threshold as a number of errored seconds (in the
range 1–900). If the number of errored seconds in the window period is equal to or greater than
high-errored-seconds, then a user defined action will be triggered. There is no default for the
high threshold, so you must explicitly configure a value to enable it.
Use the none keyword to disable the high threshold.
For more information about configuring a user-defined action, see “Specifying a High Threshold
Action” section on page 12-71.
Specifying Receive CRC Link Monitoring Options
The receive CRC link monitoring options include the ability to specify a period of time during which
tracking of frames received with CRC occurs, and the high and low thresholds for triggering the error.
Receive CRC link monitoring is a Cisco-specific implementation and is only locally significant to the
Ethernet OAM interface on the Cisco 7600 series router.
To specify receive CRC link monitoring options, use the following commands in interface configuration
or template configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor receive-crc window 100-millisecond-units
(Optional) Specifies a period of time (in the range 10–1800, as a multiple of 100 milliseconds)
during which tracking of frames received with CRC errors occurs according to the specified
thresholds. The default window unit is 10, or 1000 milliseconds.
Router(config-if)# ethernet oam link-monitor receive-crc threshold low low-frames
(Optional) Specifies the low CRC threshold as a number of frames (in the range 0–65535). If the
number of frames received with CRC errors in the window period is equal to or greater than
low-frames, then the Receive CRC error will be generated. The default low threshold is 1 frame.
Router(config-if)# ethernet oam link-monitor receive-crc threshold high {none | high-frames}
(Optional) Specifies the high CRC threshold as a number of frames (in the range 1–65535). If the
number of frames received with CRC errors in the window period is equal to or greater than
high-frames, a user defined action will be triggered. There is no default for the high threshold,
so you must explicitly configure a value to enable it.
Use the none keyword to disable the high threshold.
For more information about configuring a user-defined action, see “Specifying a High Threshold
Action” section on page 12-71.
Specifying Transmit CRC Link Monitoring Options
The transmit CRC link monitoring options include the ability to specify a period of time during which
tracking of frames transmitted with CRC occurs, and the high and low thresholds for triggering the error.
Transmit CRC link monitoring is a Cisco-specific error event and is only locally significant to the
Ethernet OAM interface on the Cisco 7600 series router.
To specify transmit CRC link monitoring options, use the following commands in interface configuration
or template configuration mode:
Command Purpose
Router(config-if)# ethernet oam link-monitor transmit-crc window 100-millisecond-units
(Optional) Specifies a period of time (in the range 10–1800, as a multiple of 100 milliseconds)
during which tracking of frames received with CRC errors occurs according to the specified
thresholds. The default window unit is 10, or 1000 milliseconds.
Router(config-if)# ethernet oam link-monitor transmit-crc threshold low low-frames
(Optional) Specifies the low CRC threshold as a number of frames (in the range 0–65535). If the
number of frames transmitted with CRC errors in the window period is equal to or greater than
low-frames, then the Receive CRC error will be generated. The default low threshold is 1 frame.
Router(config-if)# ethernet oam link-monitor transmit-crc threshold high {none | high-frames}
(Optional) Specifies the high CRC threshold as a number of frames (in the range 1–65535). If the
number of frames transmitted with CRC errors in the window period is equal to or greater than
high-frames, a user defined action will be triggered. There is no default for the high threshold,
so you must explicitly configure a value to enable it.
Use the none keyword to disable the high threshold.
For more information about configuring a user-defined action, see “Specifying a High Threshold
Action” section on page 12-71.
Specifying a High Threshold Action
When you configure high thresholds for OAM link monitoring, you can specify an action to be taken
when the high threshold is exceeded.
When configuring high threshold actions, consider the following guidelines:
• There is no default action.
• If you configure a high threshold but do not configure any corresponding action, only a message
appears on the syslog and no other action is taken on the interface.
• If you want to associate different high threshold actions for different kinds of link monitoring
functions, you can use configuration templates. However, only one configuration template can be
applied to any Ethernet OAM interface.
• Only one high threshold action can be configured for any Ethernet OAM interface.
To configure an action when a high threshold for an error is exceeded on an Ethernet OAM interface, use
the following command in interface configuration or template configuration mode:
Configuring Remote Failure Indication Actions
When an RFI event occurs locally, the local client sends an Information OAMPDU to its peer with a bit
selected that indicates the type of failure. The Gigabit Ethernet SPAs on the Cisco 7600 series router
process all of the following types of Remote Failure Indication (RFI) conditions as defined by
IEEE 802.3ah:
• Critical Event—This type of RFI is sent when an unspecified critical event has occurred. These
events are vendor specific, and the failure indication might be sent immediately and continuously.
• Dying Gasp—This type of RFI is sent when an unrecoverable condition (for example, a power
failure) has occurred. The conditions for a dying gasp RFI are vendor specific, and the failure
indication might be sent immediately and continuously. The Gigabit Ethernet SPAs on the
Cisco 7600 series router generate a Dying Gasp RFI when an interface is error-disabled or
administratively shut down. This is the only type of RFI that the Gigabit Ethernet SPAs on the
Cisco 7600 series router generate.
• Link Fault—This type of RFI is sent when a loss of signal is detected by the receiver (for example,
a peer's laser is malfunctioning). A link fault is sent once per second in the Information OAMPDU.
The link fault RFI applies only when the physical sublayer is capable of independent transmit and
receive.
When the Gigabit Ethernet SPAs receive an OAMPDU with an RFI bit selected, a syslog message is
created providing the failure reason, as shown in the following example:
%ETHERNET_OAM-SP-6-RFI: The client on interface Gi1/1 has received a remote failure
indication from its remote peer (failure reason = remote client administratively turned
off)
Command Purpose
Router(config-if)# ethernet oam
link-monitor high-threshold action
{error-disable-interface | failover}
(Optional) Configures the action when a high threshold
error is exceeded, where:
• error-disable-interface—Shuts down the Ethernet
OAM interface.
• failover—(EtherChannel interface only)
Configures the interface for an automatic failover
of traffic from one port in an EtherChannel to
another port in the same EtherChannel when one of
the ports in the channel exceeds the high error
threshold within the specified interval. The port
failover only occurs if there is at least one
operational port available in the EtherChannel.
The failed port will be put into an error disable
state. If the failed port is the last port in the
EtherChannel, the port will not be put into an error
disable state and continues to pass traffic regardless
of the type of errors being received. Single,
nonchanneling ports go into the error disable state
when the error threshold is exceeded within the
specified interval.12-73
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 12 Configuring the Fast Ethernet and Gigabit Ethernet SPAs
Configuration Tasks
You can configure a response, or action, by the local client to shut down the OAM interface when it
receives Information OAMPDUs with a Dying Gasp RFI bit selected.
To configure an error disable action for the local Ethernet OAM interface, use the following command
in interface configuration or template configuration mode:
Command: Router(config-if)# ethernet oam remote-failure dying-gasp action error-disable-interface
Purpose: (Optional) Specifies that the local Ethernet OAM interface is shut down upon receipt of an
Information OAMPDU from its peer that indicates a Dying Gasp.
Configuring Global Ethernet OAM Options Using a Template
Create configuration templates when you have a common set of link-monitoring or remote-failure
characteristics that you want to apply to multiple Ethernet OAM interfaces. This streamlines Ethernet
OAM interface configuration.
Although you can configure multiple configuration templates, only one template can be associated with
any single Ethernet OAM interface. You can override any commands defined within a template by
explicitly configuring the same command (that is predefined by the template) in interface configuration
mode.
To configure global Ethernet OAM interface options using a template, use the following command
beginning in global configuration mode:
Step 1
Command: Router(config)# template template-name
Purpose: Creates or selects a template and enters template configuration mode, where template-name
is an up to 32-character string defining the name of the template.
Step 2
Command: Router(config-template)# ethernet oam link-monitor command
or
Router(config-template)# ethernet oam remote-failure command
Purpose: Specify one or more ethernet oam configuration commands. Repeat this step for the number
of commands that you want to configure. For information about link monitoring commands, see the
“Configuring Link Monitoring Options” section on page 12-65.
Step 3
Command: Router(config-template)# exit
Purpose: Exit template configuration mode and return to global configuration mode.
Step 4
Command: Router(config)# interface type slot/subslot/port
Purpose: Specifies the Ethernet SPA interface, where
• type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
Note Ethernet OAM only can be defined on a main Gigabit Ethernet interface—not on subinterfaces.
Step 5
Command: Router(config-if)# source template template-name
Purpose: Attaches the template called template-name and applies the set of configuration commands
defined by the named template to the specified interface.
Verifying Ethernet OAM Configuration
To verify the Ethernet OAM configuration, use the following commands in privileged EXEC
configuration mode:
Command: Router# show ethernet oam discovery [interface type slot/subslot/port]
Purpose: Displays information about OAM functions negotiated during the OAM discovery phase of
establishing an OAM session, where:
• type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
Command: Router# show ethernet oam statistics [interface type slot/subslot/port]
Purpose: Displays statistics for information OAMPDUs and local and remote faults, where:
• type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
Command: Router# show ethernet oam status [interface type slot/subslot/port]
Purpose: Displays information about link monitoring configuration and status on the local OAM
client, where:
• type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
Command: Router# show ethernet oam summary
Purpose: Displays information about the OAM session with the remote OAM client, where:
• type—Specifies the type of Ethernet interface, such as gigabitethernet or tengigabitethernet.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 12-4.
This section includes the following topics:
• Verifying an OAM Session
• Verifying OAM Discovery Status
• Verifying Information OAMPDU and Fault Statistics
• Verifying Link Monitoring Configuration and Status
Verifying an OAM Session
To verify an OAM session, use the show ethernet oam summary command.
The following example shows that the local OAM client is established on the second Gigabit Ethernet
SPA interface (1) located in subslot 1 of the SIP installed in chassis slot 6 of the Cisco 7600 series router
(Gi6/1/1).
The local client interface is in session with a remote client with MAC address 0012.7fa6.a700 and
organizationally unique identifier (OUI) 00000C, which is the OUI for Cisco Systems. The remote client
is in active mode, and has established capabilities for link monitoring and remote loopback for the OAM
session.
Router# show ethernet oam summary
Symbols:          * - Master Loopback State, # - Slave Loopback State
Capability codes: L - Link Monitor, R - Remote Loopback
                  U - Unidirection, V - Variable Retrieval
  Local                      Remote
Interface      MAC Address     OUI     Mode    Capability
  Gi6/1/1      0012.7fa6.a700  00000C  active  L R
Verifying OAM Discovery Status
To verify OAM Discovery status on the local client and remote peer, use the show ethernet oam
discovery command as shown in the following example:
Router# show ethernet oam discovery interface gigabitethernet6/1/1
GigabitEthernet6/1/1
Local client
------------
Administrative configurations:
Mode: active
Unidirection: not supported
Link monitor: supported (on)
Remote loopback: not supported
MIB retrieval: not supported
Mtu size: 1500
Operational status:
Port status: operational
Loopback status: no loopback
PDU permission: any
PDU revision: 1
Remote client
-------------
MAC address: 0030.96fd.6bfa
Vendor(oui): 0x00 0x00 0x0C (cisco)
Administrative configurations:
Mode: active
Unidirection: not supported
Link monitor: supported
Remote loopback: not supported
MIB retrieval: not supported
Mtu size: 1500
Verifying Information OAMPDU and Fault Statistics
To verify statistics for information OAMPDUs and local and remote faults, use the show ethernet oam
statistics command as shown in the following example:
Router# show ethernet oam statistics interface gigabitethernet6/1/1
GigabitEthernet6/1/1
Counters:
---------
Information OAMPDU Tx : 588806
Information OAMPDU Rx : 988
Unique Event Notification OAMPDU Tx : 0
Unique Event Notification OAMPDU Rx : 0
Duplicate Event Notification OAMPDU TX : 0
Duplicate Event Notification OAMPDU RX : 0
Loopback Control OAMPDU Tx : 1
Loopback Control OAMPDU Rx : 0
Variable Request OAMPDU Tx : 0
Variable Request OAMPDU Rx : 0
Variable Response OAMPDU Tx : 0
Variable Response OAMPDU Rx : 0
Cisco OAMPDU Tx : 4
Cisco OAMPDU Rx : 0
Unsupported OAMPDU Tx : 0
Unsupported OAMPDU Rx : 0
Frames Lost due to OAM : 0
Local Faults:
-------------
0 Link Fault records
2 Dying Gasp records
Total dying gasps : 4
Time stamp : 00:30:39
Total dying gasps : 3
Time stamp : 00:32:39
0 Critical Event records
Remote Faults:
--------------
0 Link Fault records
0 Dying Gasp records
0 Critical Event records
Local event logs:
-----------------
0 Errored Symbol Period records
0 Errored Frame records
0 Errored Frame Period records
0 Errored Frame Second records
Remote event logs:
------------------
0 Errored Symbol Period records
0 Errored Frame records
0 Errored Frame Period records
0 Errored Frame Second records
Verifying Link Monitoring Configuration and Status
To verify link monitoring configuration and status on the local client, use the show ethernet oam status
command. The highlighted “Status” field in the following example shows that link monitoring status is
supported and enabled (on).
Router# show ethernet oam status interface gigabitethernet6/1/1
GigabitEthernet6/1/1
General
-------
Mode: active
PDU max rate: 10 packets per second
PDU min rate: 1 packet per 1 second
Link timeout: 5 seconds
High threshold action: no action
Link Monitoring
---------------
Status: supported (on)
Symbol Period Error
Window: 1 million symbols
Low threshold: 1 error symbol(s)
High threshold: none
Frame Error
Window: 10 x 100 milliseconds
Low threshold: 1 error frame(s)
High threshold: none
Frame Period Error
Window: 1 x 100,000 frames
Low threshold: 1 error frame(s)
High threshold: none
Frame Seconds Error
Window: 600 x 100 milliseconds
Low threshold: 1 error second(s)
High threshold: none
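The status output above shows every high threshold as "none" and the action as "no action", which per the guidelines in “Specifying a High Threshold Action” means an exceeded threshold can at most produce a syslog message. The following Python script is an added example, not Cisco code: it parses the page's sample output and reports those two conditions. The function names, finding codes and the two constructed variants (including how a configured high threshold and action are rendered) are assumptions of this example.

```python
"""Audit 'show ethernet oam status' output for high-threshold coverage."""

MONITORS = ("Symbol Period Error", "Frame Error",
            "Frame Period Error", "Frame Seconds Error")

# Output reproduced from the example on this page.
PAGE_OUTPUT = """\
GigabitEthernet6/1/1
General
-------
Mode: active
PDU max rate: 10 packets per second
PDU min rate: 1 packet per 1 second
Link timeout: 5 seconds
High threshold action: no action
Link Monitoring
---------------
Status: supported (on)
Symbol Period Error
Window: 1 million symbols
Low threshold: 1 error symbol(s)
High threshold: none
Frame Error
Window: 10 x 100 milliseconds
Low threshold: 1 error frame(s)
High threshold: none
Frame Period Error
Window: 1 x 100,000 frames
Low threshold: 1 error frame(s)
High threshold: none
Frame Seconds Error
Window: 600 x 100 milliseconds
Low threshold: 1 error second(s)
High threshold: none
"""

# Constructed variant: a Frame Error high threshold is set but no action is bound.
# The "10 error frame(s)" rendering is an assumption modelled on the low-threshold line.
CONSTRUCTED_SYSLOG_ONLY = PAGE_OUTPUT.replace(
    "Low threshold: 1 error frame(s)\nHigh threshold: none\nFrame Period",
    "Low threshold: 1 error frame(s)\nHigh threshold: 10 error frame(s)\nFrame Period")

# Constructed variant: same threshold with an action bound (rendering is an assumption).
CONSTRUCTED_ACTION = CONSTRUCTED_SYSLOG_ONLY.replace(
    "High threshold action: no action",
    "High threshold action: error disable interface")


def parse_oam_status(text):
    """Return {'interface', 'general': {...}, 'monitors': {name: {...}}}."""
    result = {"interface": None, "general": {}, "monitors": {}}
    target = result["general"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("Router#"):
            continue  # blank lines, underline rules and the echoed command
        key, sep, value = line.partition(":")
        if sep:
            target[key.strip()] = value.strip()
        elif line in MONITORS:
            target = result["monitors"].setdefault(line, {})
        elif line in ("General", "Link Monitoring"):
            target = result["general"]
        elif result["interface"] is None:
            result["interface"] = line
    return result


def audit(status):
    """Return a list of (code, detail) findings for one interface."""
    findings = []
    general = status["general"]
    if "(on)" not in general.get("Status", ""):
        findings.append(("MONITORING_OFF", general.get("Status", "unknown")))
    armed = [name for name in MONITORS
             if status["monitors"].get(name, {}).get("High threshold", "none") != "none"]
    unarmed = [name for name in MONITORS if name not in armed]
    if unarmed:
        # No default exists for the high threshold, so these never trigger an action.
        findings.append(("NO_HIGH_THRESHOLD", ", ".join(unarmed)))
    if armed and general.get("High threshold action", "no action") == "no action":
        # Threshold configured without an action: only a syslog message is produced.
        findings.append(("SYSLOG_ONLY", ", ".join(armed)))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("syslog-only", CONSTRUCTED_SYSLOG_ONLY),
                        ("action", CONSTRUCTED_ACTION)):
        print(label, audit(parse_oam_status(text)))
```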
Verifying Status of the Remote OAM Client
To verify the status of a remote OAM client, use the show ethernet oam summary and show ethernet
oam status commands.
To verify the remote client mode and capabilities for the OAM session, use the show ethernet oam
summary command and observe the values in the Mode and Capability fields. The following example
shows that the local client (local interface Gi6/1/1) is connected to the remote client
Router# show ethernet oam summary
Symbols:          * - Master Loopback State, # - Slave Loopback State
Capability codes: L - Link Monitor, R - Remote Loopback
                  U - Unidirection, V - Variable Retrieval
  Local                      Remote
Interface      MAC Address     OUI     Mode    Capability
  Gi6/1/1      0012.7fa6.a700  00000C  active  L R
Configuring IP Subscriber Awareness over Ethernet
Container interfaces are used to apply hardware-specific features such as Security Access Control List
(ACL) and Policy Based Routing (PBR), which can then be inherited by all IP session interfaces attached
to a container interface.
To form the association between a container interface and an IP session interface or subinterface, use
the container command under the IP session interface or subinterface.
You must configure the VRF (not required in the case of global VRF) on the container and the
subinterface in order to make an association between them using the container command.
Step 1
Command: Router(config)# interface gigabitethernet slot/subslot/port.subinterface-number access
Purpose: Specifies the GigabitEthernet interface to configure, where:
• slot/subslot—Specifies the location of the interface. See the “Specifying the Interface Address
on a SPA” section on page 12-4.
• port.subinterface-number—Specifies a secondary interface (subinterface) number.
• access—Identifies the subscriber in the access-side network on subinterfaces.
Step 2
Command: Router(config)# ip vrf forwarding vrf-name
Purpose: Defines the VRF.
Step 3
Command: Router(config-subif)# container container number
Purpose: Defines the virtual interface that is allocated as the internal VLAN shared by all the IP
session interfaces tied to the container interface.
Step 4
Command: Router(config-subif)# encapsulation dot1q vlan-id
Purpose: Defines the encapsulation format as IEEE 802.1Q (“dot1q”), where vlan-id is the number of
the VLAN (1–4095).
IP Subscriber Awareness over Ethernet Restrictions
The following restrictions are imposed because the internal VLAN is shared by multiple subinterfaces:
• IP Subscriber awareness over Ethernet is only supported on a Cisco 7600 SIP-400.
• Security ACL will not be supported on a per-IP-subscriber-interface basis. However, the security
ACL feature will be supported on a per-group basis.
• Only a single route-map policy can be applied on all subinterfaces that share the internal VLAN.
If the route-map is defined based on source IP address, then the source IP address range should be
easily definable and should not cause configuration bloat.
• Unicast Reverse Path Forwarding (uRPF) check can be done only at the level of the internal VLAN
that is shared by subinterfaces, and not at the subinterface level. Because of this restriction, a
subscriber sharing the same internal VLAN may be able to spoof the IP address of some other subscribers.
• IPv4 multicast is not supported on IP session interfaces. IPv4 multicast does not have any
functionality on a per-group basis, as replication is always required on an interface basis and not on
a group basis.
There are also some configuration restrictions for link redundancy:
• There is no mechanism to synchronize the route installed by DHCP to multiple routers; it will
be difficult to use “IP unnumbered” on an IP session interface. Instead, numbered IP addresses will
be used on the IP session interface and DHCP will assign IP addresses to the subscriber from the same
subnet assigned to the IP session interface.
• It is required to configure the HSRP group for each IP session interface so the Cisco 7600 series
router can scale to a 16K HSRP group.
Configuring a Backup Interface for Flexible UNI
The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network
interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices.
You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to
supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs
are designated as primary and backup and have identical configurations. If the primary interface fails,
the service is automatically transferred to the backup interface.
Note The configurations on the primary and backup interfaces must be identical.
The primary interface is the interface for which you configure a backup. During operation, the primary
interface is active and the backup (secondary) interface operates in standby mode. If the primary
interface goes down (due to loss of signal), the router begins using the backup interface.
While the primary interface is active (up) the backup interface is in standby mode. If the primary
interface goes down, the backup interface transitions to the up state and the router begins using it in place
of the primary. When the primary interface comes back up, the backup interface transitions back to
standby mode. While in standby mode, the backup interface is effectively down and the router does not
monitor its state or gather statistics for it.
This feature provides the following benefits:
• Supports the following Ethernet virtual circuit (EVC) features:
– Frame matching: EVC with any supported encapsulation (Dot1q, default, untagged)
– Frame rewrite: Any supported (ingress and egress with push, pop, and translate)
– Frame forwarding: MultiPoint Bridging over Ethernet (MPB-E), xconnect, connect
– Quality of Service (QoS) on EVC
• Supports Layer 3 (L3) termination and L3 VRF
• Supports several types of uplinks: MPLS, VPLS, and switchports
The Backup Interface for Flexible UNI feature makes use of these Ethernet components:
• Ethernet virtual circuit (EVC)—An association between two or more UNIs that identifies a
point-to-point or point-to-multipoint path within the provider network. For more information about
EVCs, see the description of “Flexible QinQ Mapping and Service Awareness” at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg.html
• Ethernet flow point (EFP)—The logical demarcation point of an EVC on an interface. An EVC that
uses two or more UNIs requires an EFP on the associated ingress interface and egress interface of
every device that the EVC passes through.
Configuration Guidelines
Observe these guidelines as you configure a backup interface for Flexible UNI on the router:
• Hardware and software support:
– Supported on the Cisco 7600-ES20-2x10G and 7600-ES20-20x1G line cards.
– Supported on the Cisco 7600 SIP-400 with Gigabit Ethernet SPAs. In an EVC configuration,
version 2 SPAs are required. For IP termination, the SPAs can be version 1 or version 2.
– Supported with the Route Switch Processor 720, Supervisor Engine 720, and Supervisor Engine 32.
– Requires Cisco IOS Release 12.2SRB1 or later.
• You can use the same IP address on both the primary and secondary interfaces. This enables the
interface to support L3 termination (single or double tagged).
• The configurations on the primary and backup interfaces must match. The router does not check that
the configurations match; however, the feature does not work if the configurations are not the same.
Note If the configuration includes the xconnect command, you must specify a different VCID on
the primary and backup interfaces.
• The duplicate resources needed for the primary and secondary interfaces are taken from the total
resources available on the router and thus affect available resources. For example, each xconnect
consumes resources on both the primary and backup interfaces.
• Local switching (connect) between primary and backup interfaces uses twice the number of physical
interfaces. This limitation is due to lack of support for local switching on EVCs on the same interface.
• Any features configured on the primary and backup interfaces (such as bridge-domain, xconnect,
and connect) transition up or down as the interface itself transitions between states.
• Switchover time between primary and backup interfaces is best effort. The time it takes the backup
interface to transition from standby to active mode depends on the link-state detection time and the
amount of time needed for EVCs and their features to transition to the up state.
• Configuration changes and administrative actions made on the primary interface are automatically
reflected on the backup interface.
• The router monitors and gathers statistics for the active interface only, not the backup. During
normal operation, the primary interface is active; however, if the primary goes down, the backup
becomes active and the router begins monitoring and gathering statistics for it.
• When the primary interface comes back up, the backup interface always transitions back to standby
mode. Once the signal is restored on the primary interface, there is no way to prevent the interface
from being restored as the primary.
Configuration Instructions
To configure a backup interface for a flexible UNI on an Ethernet port, perform the following steps:
Note You must apply the same configuration to both the primary and backup interfaces or the feature does not
work. To configure EVC service instances on the interfaces, use the service instance, encapsulation,
rewrite, bridge-domain, and xconnect commands. For information, see the following URLs:
http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/baldcfg.html
Step 1
Command: Router(config)# interface type slot/subslot/port
Example: Router(config)# interface gigabitethernet3/0/0
Purpose: Selects the primary interface. This is the interface you are creating a backup interface
for. For example, interface gigabitEthernet 3/0/0 selects the interface for port 0 of the Gigabit
Ethernet card installed in slot 3, subslot 0.
• type specifies the interface type. Valid values are gigabitethernet or tengigabitethernet.
• slot/subslot/port specifies the location of the interface.
Step 2
Command: Router(config-if)# backup interface type interface
Example: Router(config-if)# backup interface gigabitethernet4/0/1
Purpose: Selects the interface to serve as a backup interface.
Step 3
Command: Router(config-if)# backup delay enable-delay disable-delay
Example: Router(config-if)# backup delay 0 0
Purpose: (Optional) Specifies a time delay (in seconds) for enabling or disabling the backup interface.
• enable-delay is the amount of time to wait after the primary interface goes down before bringing
up the backup interface.
• disable-delay is the amount of time to wait after the primary interface comes back up before
restoring the backup interface to the standby (down) state.
Note For the backup interface for Flexible UNI feature, do not change the default delay period (0 0)
or the feature may not work correctly.
Step 4
Command: Router(config-if)# backup load enable-percent disable-percent
Example: Router(config-if)# backup load 50 10
Purpose: (Optional) Specifies the thresholds of traffic load on the primary interface (as a
percentage of the total capacity) at which to enable and disable the backup interface.
• enable-percent—Activate the backup interface when the traffic load on the primary exceeds this
percentage of its total capacity.
• disable-percent—Deactivate the backup interface when the combined load of both primary and backup
returns to this percentage of the primary’s capacity.
Applying the settings from the example to a primary interface with 10-MB capacity, the router
enables the backup interface when traffic load on the primary exceeds 5 Mbytes (50%), and disables
the backup when combined traffic on both interfaces falls below 1 MB (10%).
Step 5
Command: Router(config-if)# exit
Purpose: Exits interface configuration mode and returns to global configuration mode.
Step 6
Command: Router(config)# connect primary interface srv-inst interface srv-inst
Router(config)# connect backup interface srv-inst interface srv-inst
Example: Router(config)# connect primary gi3/0/0 2 gi3/0/1 2
Router(config)# connect backup gi4/0/0 2 gi4/0/1 2
Purpose: (Optional) Creates a local connection between a single service instance (srv-inst) on two
different interfaces.
The connect primary command creates a connection between primary interfaces, and connect backup
creates a connection between backup interfaces.
In the example, a local connection is configured between service instance 2 on primary interfaces
(gi3/0/0 and gi3/0/1) and on backup interfaces (gi4/0/0 and gi4/0/1).
Step 7
Command: Router(config)# connect primary interface srv-inst1 interface srv-inst2
Router(config)# connect backup interface srv-inst1 interface srv-inst2
Example: Router(config)# connect primary gi3/0/0 2 gi3/0/0 3
Router(config)# connect backup gi4/0/0 2 gi4/0/0 3
Purpose: (Optional) Enables local switching between different service instances (srv-inst1 and
srv-inst2) on the same port.
Use the connect primary command to create a connection on a primary interface, and connect backup to
create a connection on a backup interface.
In the example, we are configuring local switching between service instances 2 and 3 on both the
primary (gi3/0/0) and backup interfaces (gi4/0/0).
Step 8
Command: Router(config-if)# exit
Purpose: Exits interface configuration mode.
The following example shows a sample configuration in which:
• gi3/0/1 is the primary interface and gi4/0/1 is the backup interface.
• Each interface supports two service instances (2 and 4), and each service instance uses a different
type of forwarding (bridge-domain and xconnect).
• The xconnect command for service instance 2 uses a different VCID on each interface.
int gi3/0/1
 backup interface gi4/0/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 2 encap mpls
int gi4/0/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 5 encap mpls
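The configuration guidelines state that the router does not check that the primary and backup configurations match, and that xconnect must use a different VCID on each interface. The following Python script is an added example, not Cisco code: it runs both checks over the sample configuration above before it is applied. The function names and the constructed broken variant are assumptions of this example.

```python
"""Compare primary and backup Flexible UNI interface configuration."""

# Sample configuration from this page (gi3/0/1 primary, gi4/0/1 backup).
PAGE_CONFIG = """\
int gi3/0/1
 backup interface gi4/0/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 2 encap mpls
int gi4/0/1
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 10.0.0.0 5 encap mpls
"""

# Constructed broken variant: on the backup only, instance 4 drifts to VLAN 40
# and instance 2 reuses the primary's VCID.
_head, _sep, _tail = PAGE_CONFIG.partition("\nint gi4/0/1\n")
CONSTRUCTED_BAD = _head + _sep + _tail.replace("dot1q 4", "dot1q 40").replace(
    "10.0.0.0 5", "10.0.0.0 2")


def parse_interfaces(config):
    """Return {interface: {'backup': name or None, 'instances': {id: [commands]}}}."""
    interfaces, iface, inst = {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] in ("int", "interface") and len(words) >= 2:
            iface = interfaces.setdefault("".join(words[1:]),
                                          {"backup": None, "instances": {}})
            inst = None
        elif iface is None:
            continue  # global command outside any interface block
        elif words[:2] == ["backup", "interface"] and len(words) >= 3:
            iface["backup"] = "".join(words[2:])
        elif words[:2] == ["service", "instance"] and len(words) >= 3:
            inst = iface["instances"].setdefault(words[2], [])
        elif inst is not None:
            inst.append(" ".join(words))
    return interfaces


def split_xconnect(commands):
    """Separate the xconnect line as (peer, vcid, options) from the other commands."""
    xc, rest = None, []
    for cmd in commands:
        words = cmd.split()
        if words[0] == "xconnect" and len(words) >= 3:
            xc = (words[1], words[2], tuple(words[3:]))
        else:
            rest.append(cmd)
    return xc, rest


def check_pair(interfaces, primary):
    """Return a list of mismatches between a primary interface and its backup."""
    backup = interfaces.get(primary, {}).get("backup")
    if backup is None or backup not in interfaces:
        return [f"{primary}: backup interface missing from configuration"]
    problems = []
    p, b = interfaces[primary]["instances"], interfaces[backup]["instances"]
    for sid in sorted(set(p) | set(b), key=int):
        if sid not in p or sid not in b:
            problems.append(f"service instance {sid}: present on only one interface")
            continue
        p_xc, p_rest = split_xconnect(p[sid])
        b_xc, b_rest = split_xconnect(b[sid])
        if p_rest != b_rest:
            problems.append(f"service instance {sid}: commands differ")
        if (p_xc is None) != (b_xc is None):
            problems.append(f"service instance {sid}: xconnect on only one interface")
        elif p_xc is not None:
            if (p_xc[0], p_xc[2]) != (b_xc[0], b_xc[2]):
                problems.append(f"service instance {sid}: xconnect peer or options differ")
            if p_xc[1] == b_xc[1]:
                problems.append(
                    f"service instance {sid}: xconnect VCID {p_xc[1]} reused on backup")
    return problems


if __name__ == "__main__":
    print(check_pair(parse_interfaces(PAGE_CONFIG), "gi3/0/1"))
    print(check_pair(parse_interfaces(CONSTRUCTED_BAD), "gi3/0/1"))
```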
Verifying the Flexible UNI Backup Interface Configuration
This section lists the commands to display information about the primary and backup interfaces
configured on the router. In the examples that follow, the primary interface is gi3/0/0 and the secondary
(backup) interface is gi3/0/11.
• To display a list of backup interfaces, use the show backup command in privileged EXEC mode.
Our sample output shows a single backup (secondary) interface:
NPE-11# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet3/0/0 GigabitEthernet3/0/11 normal operation
• To display information about a primary or backup interface, use the show interfaces command in
privileged EXEC mode. Issue the command on the interface for which you want to display
information. The following examples show the output displayed when the command is issued on the
primary (gi3/0/0) and backup (gi3/0/11) interfaces:
NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay
0 sec, kickin load not set, kickout load not set
[…]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol is down (disabled)
If the primary interface goes down, the backup (secondary) interface is transitioned to the up state, as
shown in the command output that follows. Notice how the command output changes if you reissue the
show backup and show interfaces commands at this time: the status retrieved by the show backup
status changes, the line protocol for gi3/0/0 is now down (notconnect), and the line protocol for gi3/0/11
is now up (connected).
NPE-11# !!! Link gi3/0/0 (active) goes down…
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/0/0, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/0/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/0,
changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/11,
changed state to up
NPE-11# show backup
Primary Interface Secondary Interface Status
----------------- ------------------- ------
GigabitEthernet3/0/0 GigabitEthernet3/0/11 backup mode
NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay
0 sec,
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is up, line protocol is up (connected)
Troubleshooting
Table 12-5 provides troubleshooting solutions for the backup interface of the Flexible UNI feature.
Table 12-5 Troubleshooting Scenarios
Problem: The backup interface is in a standby state or the line protocol is down.
Solution: Use the show interfaces command on the specific interface in privileged EXEC mode to
display interface and line protocol details. Share the output with TAC for further investigation.
The following sample output is displayed when the command is run on the primary (gi3/0/0) and
backup (gi3/0/11) interfaces:
NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/0/11, failure delay 0 sec, secondary disable delay 0 sec, kickin load not set, kickout load not set
[...]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol is down (disabled)
Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit
Ethernet SPA
The Flexible QinQ Mapping and Service Awareness on 1-Port 10-Gigabit Ethernet SPA feature allows
service providers to offer triple-play services, residential Internet access from a digital subscriber line
access multiplexer (DSLAM), and business Layer 2 and Layer 3 VPN by providing for termination of
double-tagged dot1q frames onto a Layer 3 subinterface at the access node.
The access node connects to the DSLAM through the 1-Port 10-Gigabit Ethernet SPA. This provides a
flexible way to identify the customer instance by its VLAN tags, and to map the customer instance to
different services.
Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA is supported only
through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an
end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a
customer. It embodies the different parameters on which the service is being offered. A service instance
is the instantiation of an EVC on a given port on a given router.
Figure 12-4 shows a typical metro architecture where the access switch facing the DSLAM provides
VLAN translation (selective QinQ) and grooming functionality and where the service routers (SR)
provide QinQ termination into a Layer 2 or Layer 3 service.
Figure 12-4 Typical Metro Architecture
[Figure not reproduced. Labels in the figure: DSLAMs (dot1q tag imposition; 1:1 VLAN per sub; N:1
VLAN for video); L2 access network with L2 switches facing DSLAM; access routers at the central
offices (selective QinQ, L3 multicast, DHCP relay); L2/MPLS access; POP (single node possible);
service routers (QinQ termination, L2/L3 VPN, L3 multicast); BRAS; IP core.]
Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet SPA provides the
following functionality:
• VLAN connect with local significance (VLAN local switching)
– Single tag Ethernet local switching where the received dot1q tag traffic from one port is
cross-connected to another port by changing the tag. This is a 1-to-1 mapping service and there
is no MAC learning involved.
– Double tag Ethernet local switching where the received double tag traffic from one port is
cross-connected to another port by changing both tags. The mapping of each double tag
combination to the cross-connect is 1-to-1. There is no MAC learning involved.
• Selective QinQ (1-to-2 translation)
– xconnect—Selective QinQ adds an outer tag to the received dot1q traffic and then tunnels it to
the remote end with Layer 2 switching or EoMPLS.
– Layer 2 switching—Selective QinQ adds an outer tag to the received dot1q traffic and then
performs Layer 2 switching to allow switch virtual interface (SVI) based on the outer tag for
configuring additional services.
• Double tag translation (2-to-2 translation) Layer 2 switching—The two tags of a received
double-tagged frame are popped and two new tags are pushed.
• Double tag termination (2-to-1 tag translation)
– Ethernet MultiPoint Bridging over Ethernet (MPBE)—The incoming double tag is uniquely
mapped to a single dot1q tag that is then used to do MPBE.
– Double tag MPBE—The ingress line uses double tags in the ingress packet to look up the
bridging VLAN. The double tags are popped and the egress line card adds new double tags and
sends the packet out.
– Double tag routing—Same as regular dot1q tag routing except that double tags are used to
identify the hidden VLAN.
• Local VLAN significance—VLAN tags are significant only to the port.
• Scalable EoMPLS VC—Single tag packets are sent across the tunnel.
• QinQ policing and QoS
• Layer 2 protocol data unit (PDU) packet—If the Layer 2 PDUs are tagged, packets are forwarded
transparently; if the Layer 2 PDUs are untagged, packets are treated per the physical port
configuration.
Restrictions and Usage Guidelines
When configuring Flexible QinQ Mapping and Service Awareness on the 1-Port 10-Gigabit Ethernet
SPA, follow these restrictions and usage guidelines:
• Service Scalability:
– Service Instances: 16,000
– Input matching pairs: 8,000
– Bridge-domains: 16,000
– Local switching: 32,000
– Xconnect: 16,000
– Subinterface: 2,000
• QoS Scalability:
– Shaping: Parent queue is 2,000 and child queue is 16,000
– Marking: Parent queue is 2,000 and child queue is 16,000
• Modular QoS CLI (MQC) actions supported include:
– Shaping
– Bandwidth
– Two priority queues per policy
– The set cos command, set cos-inner command, set cos cos-inner command, and set cos-inner
cos command
– WRED aggregate
– Queue-limit
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet
slot/subslot/port[.subinterface-number]
4. [no] service instance id {Ethernet service-name}
5. encapsulation dot1q vlan-id
6. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad
vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q
vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} [symmetric]
DETAILED STEPS
Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/subslot/port[.subinterface-number]
or
interface tengigabitethernet slot/subslot/port[.subinterface-number]
Example: Router(config)# interface gigabitethernet 4/0/0
Purpose: Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:
• slot/subslot/port—Specifies the location of the interface.
• subinterface-number—(Optional) Specifies a secondary interface (subinterface) number.
Step 4
Command: [no] service instance id {Ethernet [service-name]}
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and sets the device
into the config-if-srv submode.
Step 5
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 13
Purpose: Defines the matching criteria to be used in order to map ingress dot1q frames on an
interface to the appropriate service instance.
Step 6
Command: rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad
vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1
{dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} [symmetric]
Example: Router(config-if-srv)# rewrite ingress tag push dot1q 20
Purpose: Specifies the tag manipulation that is to be performed on the frame ingress to the service
instance.
Examples
Single Tag VLAN Connect
In this example, an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet1/0/1. It is index
directed to TenGigabitEthernet1/0/2 and exits with a dot1q tag of 11. No MAC learning is involved.
! DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! connect service
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101
Double Tag VLAN Connect
In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters
TenGigabitEthernet1/0/1. It is index directed to TenGigabitEthernet1/0/2 and exits with an outer dot1q
tag of 11 and inner tag 21. No MAC learning is involved.
! DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q 21
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! connect service
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101
Selective QinQ with Connect
This configuration uses EoMPLS to perform packet forwarding. This is index directed.
! DSLAM facing port - single tag packet from link
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
!L2/QinQ facing port double tag packets
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
! connecting service instances
! QinQ outer dot1q is 11
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101
Selective QinQ with Xconnect
This configuration uses EoMPLS to perform packet forwarding. This is not index directed.
! DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect
!
Router(config)# interface Loopback1
Router(config-if)# ip address 1.1.1.1 255.255.255.255
! MPLS core facing port
Router(config)# interface TenGigabitEthernet2/0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
! MPLS core facing port
Router(config)# interface TenGigabitEthernet2/0/1
Router(config-if)# ip address 192.169.1.1 255.255.255.0
Router(config-if)# mpls ip
Router(config-if)# mpls label protocol ldp
!
Router(config)# interface Loopback1
Router(config-if)# ip address 2.2.2.2 255.255.255.255
! CE facing EoMPLS configuration
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q any
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnect
Selective QinQ with Layer 2 Switching
This configuration uses Layer 2 Switching to perform packet forwarding. The forwarding mechanism
is the same as MPB-E, only the rewrites for each service instance are different.
! DSLAM facing port, single tag incoming
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 11
! QinQ VLAN
Router(config)# interface VLAN11
!QinQ facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11
Double Tag Translation (2-to-2 Tag Translation)
In this case, double-tagged frames are received on ingress. Both tags are popped and two new tags are
pushed. The packet is then Layer 2 switched to the bridge-domain VLAN.
! QinQ facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20
second-dot1q 10
Router(config-if-srv)# bridge-domain 200
! QinQ VLAN
Router(config)# interface VLAN200
!
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# bridge-domain 200
Double Tag Termination (2 to 1 Tag Translation)
This example falls under the Layer 2 switching case.
! Double tag traffic
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 200 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
!
Router(config)# interface TenGigabitEthernet1/0/3
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 10
Verification
Use the following commands to verify operation.
Command: Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Purpose: Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining
to all EVCs on an interface if an interface is specified. The detail option provides additional
information on the EVC.
Command: Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Purpose: Displays information about one or more service instances: If a service instance ID and
interface are specified, only data pertaining to that particular service instance is displayed. If
only an interface ID is specified, displays data for all service instances on the given interface.
Command: Router# show ethernet service interface [interface-id] [detail]
Purpose: Displays information in the Port Data Block (PDB).
Command: Router# show mpls l2 vc detail
Purpose: Displays detailed information related to the virtual connection (VC).
Command: Router# show mpls forwarding
Purpose: Displays the contents of the MPLS Label Forwarding Information Base (LFIB).
Note Output should have the label entry l2ckt.
Command: Router# show platform software efp-client
Purpose: Displays service instance details.
Troubleshooting
Table 12-6 provides the troubleshooting solutions for the Flexible mapping feature.
Table 12-6 Troubleshooting
Problem: Erroneous TCAM entries.
Solution: Use the show hw-module subslot subslot tcam command to verify the TCAM entries. Share the
output with TAC for further investigation.
Problem: Incorrect virtual VLAN IDs on a QinQ subinterface.
Solution: Use the test hw-mod subslot subslot command to verify the virtual VLAN ID values on a QinQ
subinterface. Share the output with TAC for further investigation.
Problem: Wrong interface configured and tag manipulation incorrectly programmed.
Solution: Use the command show platform np interface detail to verify the interface and tag details.
Share the output with TAC for further investigation.
Problem: VLAN ID is incorrectly programmed.
Solution: Use the command show hw-module subslot subslot tcam all_entries vlan to verify the VLAN ID
details. Share the output with TAC for further investigation.
Problem: Inner, outer start/end VLANs incorrectly programmed.
Solution: Use the show platform np efp command to verify the VLAN details. Share the output with TAC
for further investigation.
Problem: Erroneous TCAM entries on the platform.
Solution: Use the show plat soft qos tcamfeature and show plat soft qos tcamt commands to verify the
TCAM entries. Share the output with TAC for further investigation.
Configuring MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet
SPA
The MultiPoint Bridging over Ethernet (MPBE) on the 1-Port 10-Gigabit Ethernet SPA feature provides
Ethernet LAN switching with MAC learning, local VLAN significance, and full QoS support. MPBE
also provides Layer 2 switchport-like features without the full switchport implementation. MPBE is
supported only through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an
end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a
customer. It embodies the different parameters on which the service is being offered. A service instance
is the instantiation of an EVC on a given port on a given router.
For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain
traffic packets from one service instance to another. Filtering occurs before and after the rewrite to
ensure that the packet goes only to the intended service instance.
You can use MPBE to:
• Simultaneously configure Layer 2 and Layer 3 services such as Layer 2 VPN, Layer 3 VPN, and
Layer 2 bridging on the same physical port.
• Define a broadcast domain in a system. Customer instances that are part of a broadcast domain can
be in the same physical port or in different ports.
• Configure multiple service instances with different encapsulations and map them to a single bridge
domain.
• Perform local switching between service instances under the same bridge domain.
• Span across different physical interfaces using service instances that are part of the same bridge
domain.
• Use encapsulation VLANs as locally significant (physical port).
• Replicate flooded packets from the core to all service instances under the bridge domain.
• Configure a Layer 2 tunneling service or Layer 3 terminating service under the bridge domain
VLAN.
MPBE accomplishes this by manipulating VLAN tags for each service instance and mapping the
manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:
• Single tag termination
• Single tag tunneling
• Single tag translation
• Double tag termination
• Double tag tunneling
• Double tag translation
• Selective QinQ translation
Restrictions and Usage Guidelines
When configuring the MultiPoint Bridging over Ethernet on the 1-Port 10-Gigabit Ethernet SPA, follow
these restrictions and usage guidelines:
• Each service instance is considered as a separate circuit under the bridge-domain.
• Encapsulation can be dot1q or QinQ packets.
• 60 MPB VCs are supported under one bridge-domain.
• Internet Group Management Protocol (IGMP) snooping is supported with MPB VCs.
• Split Horizon is supported with MPB VCs.
• Bridge protocol data unit (BPDU) packets are either tunneled or dropped.
• For ingress policing, only the drop action and the accept action for the police command are
supported. Marking is not supported as part of the policing.
• Ingress shaping is not supported.
• For ingress marking, the match vlan, match vlan-inner, match cos, match cos-inner, set cos, and
set cos-inner commands are supported.
• For egress marking, the set cos and set cos-inner commands are supported; the match inner-cos
and match inner-vlan commands are not supported.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/subslot/port[.subinterface-number] or interface tengigabitethernet
slot/subslot/port[.subinterface-number]
4. [no] service instance id {Ethernet [service-name]}
5. encapsulation dot1q vlan-id
6. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1 {dot1q vlan-id | dot1ad
vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q
vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} [symmetric]
7. [no] bridge-domain bridge-id
DETAILED STEPS
Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command: interface gigabitethernet slot/subslot/port[.subinterface-number]
or
interface tengigabitethernet slot/subslot/port[.subinterface-number]
Example: Router(config)# interface gigabitethernet4/0/0
Purpose: Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet interface to configure, where:
• slot/subslot/port—Specifies the location of the interface.
• subinterface-number—(Optional) Specifies a secondary interface (subinterface) number.
Step 4
Command: [no] service instance id {Ethernet service-name}
Example: Router(config-if)# service instance 101 ethernet
Purpose: Creates a service instance (an instantiation of an EVC) on an interface and sets the device
into the config-if-srv submode.
Step 5
Command: encapsulation dot1q vlan-id
Example: Router(config-if-srv)# encapsulation dot1q 10
Purpose: Defines the matching criteria to be used in order to map ingress dot1q frames on an
interface to the appropriate service instance.
Step 6
Command: [no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad
vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id} | 2-to-1
{dot1q vlan-id | dot1ad vlan-id} | 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} [symmetric]
Example: Router(config-if-srv)# rewrite ingress tag push dot1q 200
Purpose: This command specifies the tag manipulation that is to be performed on the frame ingress to
the service instance.
Note If this command is not configured, then the frame is left intact on ingress (the service
instance is equivalent to a trunk port).
Step 7
Command: [no] bridge-domain bridge-id
Example: Router(config-if-srv)# bridge-domain 12
Purpose: Binds the service instance to a bridge domain instance where bridge-id is the identifier for
the bridge domain instance.
Examples
Single Tag Termination Example
In this example, the single tag termination identifies customers based on a single VLAN tag and maps
the single VLAN tag to the bridge domain.
Router(config)# interface TenGigabitEthernet1/2/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
Router(config-if-srv)# bridge-domain 12
Single Tag Tunneling Example
In this single tag tunneling example, the incoming VLAN tag is not removed but continues with the
packet.
Router(config)# interface TenGigabitEthernet1/2/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# bridge-domain 200
Single Tag Translation Example
In this single-tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to
the packet.
Router(config)# interface TenGigabitEthernet3/0/0
Router(config-if)# service instance 10 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetric
Router(config-if-srv)# bridge-domain 200
Double Tag Termination Configuration Example
In this double-tag termination example, the ingress receives double tags that identify the bridge VLAN;
the double tags are stripped (terminated) from the packet.
Router(config)# interface TenGigabitEthernet2/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
Router(config-if-srv)# bridge-domain 200
Double-Tag Translation Configuration Example
In this example, double tagged frames are received on ingress. Both tags are popped and two new tags
are pushed. The packet is then Layer 2-switched to the bridge-domain VLAN.
Router(config)# interface TenGigabitEthernet1/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second-dot1q 30 symmetric
Router(config-if-srv)# bridge-domain 200
Router(config-if)# service instance 2 ethernet
Router(config-if-srv)# encapsulation dot1q 40 second-dot1q 30
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second-dot1q 20 symmetric
Router(config-if-srv)# bridge-domain 200
Selective QinQ Configuration Example
In this example, a range of VLANs is configured and plugged into a single MPB VC.
Router(config)# interface TenGigabitEthernet1/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 200
Router(config)# interface TenGigabitEthernet2/0/0
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation dot1q 10-30
Router(config-if-srv)# bridge-domain 200
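The following Python sketch is an added illustration, not Cisco code and not part of the original guide. It models a frame's VLAN tag stack as it passes through the encapsulation match and rewrite ingress tag settings used in the examples above, including the inverse rewrite that symmetric applies on egress and the filtering of frames that do not match an encapsulation. The ServiceInstance class, its fields, and forward() are hypothetical names, and the matching rules (a single-tag encapsulation also matches frames carrying further tags; egress frames are checked against the encapsulation) are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


def parse_vlans(spec: str) -> Optional[Set[int]]:
    """Expand '10-20,30,50-60' to a set of VLAN IDs; 'any' becomes None (wildcard)."""
    if spec == "any":
        return None
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


@dataclass
class ServiceInstance:
    """Hypothetical model of one service instance; translate n-to-m is pop n + push m."""
    outer: str                    # encapsulation dot1q <outer>
    inner: Optional[str] = None   # second-dot1q <inner>, if configured
    pop: int = 0                  # tags removed by the ingress rewrite
    push: Tuple[int, ...] = ()    # tags added by the ingress rewrite, outer first
    symmetric: bool = False       # apply the inverse rewrite on egress

    def matches(self, tags: List[int]) -> bool:
        """True if the tag stack (outer first) meets the encapsulation criteria."""
        want = [self.outer] + ([self.inner] if self.inner else [])
        if len(tags) < len(want):
            return False
        for tag, spec in zip(tags, want):
            allowed = parse_vlans(spec)
            if allowed is not None and tag not in allowed:
                return False
        return True

    def _encap_tags(self) -> List[int]:
        """Tags restored on egress; each popped tag must map to exactly one VLAN."""
        restored = []
        for spec in [self.outer, self.inner][: self.pop]:
            vlans = parse_vlans(spec) if spec else None
            if vlans is None or len(vlans) != 1:
                raise ValueError("symmetric pop needs a single VLAN per popped tag")
            restored.append(next(iter(vlans)))
        return restored

    def ingress(self, tags: List[int]) -> Optional[List[int]]:
        """Rewritten tag stack, or None when the frame does not belong here."""
        if not self.matches(tags):
            return None
        return list(self.push) + list(tags[self.pop:])

    def egress(self, tags: List[int]) -> Optional[List[int]]:
        """Inverse rewrite if symmetric, then filter against the encapsulation."""
        out = list(tags)
        if self.symmetric:
            out = self._encap_tags() + out[len(self.push):]
        return out if self.matches(out) else None


def forward(src: ServiceInstance, dst: ServiceInstance,
            tags: List[int]) -> Optional[List[int]]:
    """Tag stack leaving dst for a frame received on src; None if it is dropped."""
    inside = src.ingress(tags)
    return None if inside is None else dst.egress(inside)


# Single Tag VLAN Connect: tag 10 in, tag 11 out (values from the example on this page).
SINGLE_IN = ServiceInstance("10", pop=1, symmetric=True)
SINGLE_OUT = ServiceInstance("11", pop=1, symmetric=True)
# Double-tag translation: 10/20 on one service instance, 40/30 on the other.
XLATE_A = ServiceInstance("10", "20", pop=2, push=(40, 30), symmetric=True)
XLATE_B = ServiceInstance("40", "30", pop=2, push=(10, 20), symmetric=True)
# Selective QinQ with connect: VLAN range in, outer tag 11 added on the QinQ side.
SEL_IN = ServiceInstance("10-20,30,50-60")
SEL_OUT = ServiceInstance("11", "any", pop=1, symmetric=True)

if __name__ == "__main__":
    for src, dst, frame in [(SINGLE_IN, SINGLE_OUT, [10]), (SINGLE_IN, SINGLE_OUT, [12]),
                            (XLATE_A, XLATE_B, [10, 20]), (SEL_IN, SEL_OUT, [15]),
                            (SEL_OUT, SEL_IN, [11, 25])]:
        print(frame, "->", forward(src, dst, frame))
```

A result of None means the frame matched no encapsulation and was not forwarded, which is the property to check when auditing that one customer's VLANs cannot reach another customer's service instance.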
Untagged Traffic Configuration Example
In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.
Router(config)# interface GigabitEthernet2/0/1
Router(config-if)# no ip address
Router(config-if)# service instance 1 ethernet
Router(config-if-srv)# encapsulation untagged
Router(config-if-srv)# bridge-domain 11
Router(config)# interface TenGigabitEthernet1/0/0
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 11
MPBE with Split Horizon Configuration Example
In this example, unknown unicast traffic is flooded on the bridge domain except for the interface from
which the traffic originated.
Router(config)# interface GigabitEthernet2/0/0
Router(config-if)# no ip address
Router(config-if)# service instance 1000 ethernet
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20
Router(config-if-srv)# bridge-domain 100 split-horizon
Router(config-if)# service instance 1001 ethernet
Router(config-if-srv)# encapsulation dot1q 101 second-dot1q 21-30
Router(config-if-srv)# bridge-domain 101 split-horizon
Router(config-if)# service instance 1010 ethernet
Router(config-if-srv)# encapsulation dot1q 100
Router(config-if-srv)# rewrite ingress tag translate 1-to-2 dot1q 10 second-dot1q 100 symmetric
Router(config-if-srv)# bridge-domain 10 split-horizon
Router(config-if)# mls qos trust dscp
In this example, service instances are configured on Ethernet interfaces and terminated on the bridge
domain.
Router(config)# interface GigabitEthernet2/0/0
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 1000
Router(config-if-srv)# bridge-domain 10
Router(config)# interface GigabitEthernet1/0/0
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 10
In this example, VPLS is configured in the core with multiple bridge domains.
!
l2 vfi vpls10 manual
 vpn id 10
 neighbor 20.0.0.2 encapsulation mpls
!
l2 vfi vpls100 manual
 vpn id 100
 neighbor 20.0.0.2 encapsulation mpls
!
l2 vfi vpls11 manual
 vpn id 11
 neighbor 20.0.0.2 encapsulation mpls
!
interface Vlan100
 mtu 9216
 no ip address
 xconnect vfi vpls1
end
Verification
Use the following commands to verify operation.
Command: Router# show ethernet service evc [id evc-id | interface interface-id] [detail]
Purpose: Displays information pertaining to a specific EVC if an EVC ID is specified, or pertaining
to all EVCs on an interface if an interface is specified. The detail option provides additional
information on the EVC.
Command: Router# show ethernet service instance [id instance-id interface interface-id | interface interface-id] [detail]
Purpose: Displays information about one or more service instances: If a service instance ID and
interface are specified, only data pertaining to that particular service instance is displayed. If
only an interface ID is specified, displays data for all service instances on the given interface.
Command: Router# show ethernet service interface [interface-id] [detail]
Purpose: Displays information in the Port Data Block (PDB).
Command: Router# show mpls l2 vc detail
Purpose: Displays detailed information related to the virtual connection (VC).
Command: Router# show mpls forwarding
Purpose: Displays the contents of the MPLS Label Forwarding Information Base (LFIB). Output should
have the label entry l2ckt.
Command: Router# show platform software efp-client
Purpose: Displays service instance details.
Configuring QoS on Ethernet SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
information about the QoS features supported by the Ethernet SPAs, see the “Configuring QoS Features
on a SIP” section on page 4-94.
For Fast Ethernet SPAs and the 2-Port Gigabit Ethernet SPA, the following QoS behavior applies:
• In both the ingress and egress directions, all QoS features calculate packet size similarly to how
packet size calculation is performed by the FlexWAN and Enhanced FlexWAN modules on the
Cisco 7600 series router.
• Specifically, all features consider the IEEE 802.3 Layer 2 headers and the Layer 3 protocol payload.
The CRC, interframe gap, and preamble are not included in the packet size calculations.
Note For Fast Ethernet SPAs, QoS cannot change the speed of an interface (for example, Fast Ethernet SPAs
cannot change QoS settings whenever an interface speed is changed between 100M and 10M). When the
speed is changed, the user must also adjust the QoS setting accordingly.
Over-subscription on Gigabit Ethernet SPAs
Ethernet SPAs have the capability to classify incoming frames from the link to low or high priority
queues. This capability is used to provide oversubscription handling for SIP-400. This allows the
SIP-400 to prioritize high-priority control traffic over lower priority traffic, providing greater connection
stability during periods of over-subscription.
Table 12-7 lists the incoming frames on the ingress side that can be prioritized into the following classes.
If any packet is marked with the priority values listed in Table 12-7, it moves to a high priority queue;
otherwise, it moves to a low priority queue.
Table 12-7 Prioritization of Incoming Frames
Priority      Usage
0 (Highest)   Intelligent SPAs SPA IPC control traffic
1             Classified high priority traffic
              Note This includes frames with these attributes:
              • IPv4 TOS 6,7
              • DSCP 48,56
              • MPLS EXP 6,7
              • IPV6 EF
              • 802.1p (COS) 6,7: 802.1p (COS) marking precedes all the other marking
                criteria. This is present only with VLAN-tagged packets.
2             Unclassified traffic
3 (Lowest)    Classified low priority traffic
Note The Gigabit Ethernet SPAs only look at the 802.1p bits to make the classification decision if the packet
is tagged; L3 bits are ignored on tagged packets.
Supported Features and Restrictions
In 12.2(33)SRB and later releases, oversubscription is supported on the SIP-400 card with certain SPA
combinations. On the ingress side, oversubscription is supported on SPAs that:
• Have the capability to do packet classification, and
• Use separate SPI4 queues for different priorities.
In Cisco IOS 12.2(33)SRB Release, oversubscription is only supported for two 2-Port Copper and
Optical Gigabit Ethernet SPAs.
In the Cisco IOS 12.2(33)SRC Release, support for oversubscription is extended to the 1-Port 10-Gigabit
Ethernet SPA. Ingress oversubscription is only supported on Ethernet SPAs.
Cisco IOS 12.2(33)SRC Release supports the following specific SPA combinations:
• Any combination of POS, ATM, CEoPs, and serial or channelized SPAs up to OC-48 aggregate
bandwidth
• One 2-Port Gigabit Ethernet SPA or 2-Port Copper and Optical Gigabit Ethernet SPA and up to
OC-24 equivalents of POS, ATM, CEoPs, and serial or channelized SPAs.
• One 2-Port Copper and Optical Gigabit Ethernet SPA or two 2-Port 5GEv2 SPAs. (These are the
ingress oversubscription combinations. This is the only case where the SIP-400 is oversubscribed
on ingress.)
Except for the 1-Port 10 GE-v2 SPA, all of them are also supported in the Cisco IOS 12.2(33)SRB
Release. If the combination of SPAs installed on the SIP-400 is not in accordance with the given list, the
following console message is displayed:
Error Message Total SPA bandwidth exceeds line card capacity, installed combination
of SPA interfaces is not supported.
A maximum of 32 total ingress SPI4 ports are supported on the SIP-400. All supported combinations
listed in the previous section require fewer than 32 SPI4 ports. However, if a SPA is inserted which
causes the total required to exceed 32 SPI4 ports, that SPA will not be able to power up.
Each ATM or POS SPA requires one ingress SPI4 port per physical port. Each Gigabit Ethernet SPA
interface requires two ingress SPI4 ports. If the maximum ingress SPI4 ports required exceeds 32
because of the SPA combination installed, the fourth GigE SPA will not be permitted to power up. The
following message is displayed on the console:
Error Message SPI4 port limit exceeded, SPA in subslot number has been powered down.
As long as the SPI port limits are not exceeded, the SPAs will be permitted to power up.
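The ingress classification rule of Table 12-7 and its note on tagged packets, modelled in Python as an added example (not Cisco code and not the SPA's implementation). The frame builders and sample frames are constructed for illustration, and IPv6 EF is assumed to mean DSCP 46.

```python
import struct

ETH_VLAN, ETH_IPV4, ETH_IPV6, ETH_MPLS = 0x8100, 0x0800, 0x86DD, 0x8847

# High-priority markings as listed in Table 12-7.
HIGH_COS = {6, 7}         # 802.1p (COS) 6,7
HIGH_PRECEDENCE = {6, 7}  # IPv4 TOS 6,7
HIGH_DSCP = {48, 56}      # DSCP 48,56
HIGH_EXP = {6, 7}         # MPLS EXP 6,7
DSCP_EF = 46              # IPv6 EF (assumption: EF means DSCP 46)


def classify(frame: bytes) -> str:
    """Return 'high' or 'low' for one Ethernet frame (no preamble, no CRC)."""
    if len(frame) < 14:
        return "low"  # assumption: a frame too short to parse is not prioritized
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_VLAN:
        if len(frame) < 18:
            return "low"
        (tci,) = struct.unpack_from("!H", frame, 14)
        # Tagged frame: only the 802.1p bits decide, L3 markings are ignored.
        return "high" if (tci >> 13) in HIGH_COS else "low"
    payload = frame[14:]
    if ethertype == ETH_IPV4 and len(payload) >= 2:
        tos = payload[1]
        if (tos >> 5) in HIGH_PRECEDENCE or (tos >> 2) in HIGH_DSCP:
            return "high"
    elif ethertype == ETH_IPV6 and len(payload) >= 2:
        traffic_class = ((payload[0] & 0x0F) << 4) | (payload[1] >> 4)
        if (traffic_class >> 2) == DSCP_EF:
            return "high"
    elif ethertype == ETH_MPLS and len(payload) >= 4:
        (entry,) = struct.unpack_from("!I", payload, 0)
        if ((entry >> 9) & 0x7) in HIGH_EXP:  # EXP bits of the top label
            return "high"
    return "low"


# --- Constructed sample frames (not captured traffic) ---
MACS = bytes.fromhex("01005e000005") + bytes.fromhex("000af3302e40")


def untagged(ethertype, payload):
    return MACS + struct.pack("!H", ethertype) + payload


def tagged(cos, vlan, ethertype, payload):
    return MACS + struct.pack("!HHH", ETH_VLAN, (cos << 13) | vlan, ethertype) + payload


def ipv4(tos):
    return bytes([0x45, tos]) + bytes(18)


def ipv6(traffic_class):
    return bytes([0x60 | (traffic_class >> 4), (traffic_class & 0x0F) << 4]) + bytes(38)


def mpls(exp, label=16):
    return struct.pack("!I", (label << 12) | (exp << 9) | (1 << 8) | 64)


SAMPLES = {
    "untagged IPv4, precedence 6": untagged(ETH_IPV4, ipv4(0xC0)),
    "untagged IPv4, best effort": untagged(ETH_IPV4, ipv4(0x00)),
    "untagged IPv6, EF": untagged(ETH_IPV6, ipv6(0xB8)),
    "untagged MPLS, EXP 6": untagged(ETH_MPLS, mpls(6)),
    "tagged COS 7, IPv4 best effort": tagged(7, 268, ETH_IPV4, ipv4(0x00)),
    "tagged COS 0, IPv4 precedence 6": tagged(0, 268, ETH_IPV4, ipv4(0xC0)),
}


def classify_samples():
    return {name: classify(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, queue in classify_samples().items():
        print(f"{name:34} -> {queue}")
```

In this model a tagged frame that carries IP precedence 6 with COS 0 is classified low, so control traffic arriving on a dot1q trunk depends on its 802.1p bits for the protection described in this section.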
Quality-of-Service (QoS)
QoS on SIP-400
The mls qos trust command is not supported on SIP-400 interfaces. Instead, the bits are always set
in the DBUS header as follows:
Packet Type                 Method used to set COS bits in DBUS header
Untagged bridged packet     COS bits in DBUS header are cleared
Tagged bridged packet       COS bits from tag header are copied to COS bits in DBUS header
Routed packet               IP precedence/DSCP value used to set COS bits in DBUS header
QoS on SIP-600
The SIP-600 line card supports the mls qos trust commands. The packet fields from which the DBUS
COS bits are derived depend on the packet type and whether the ingress port is trusted.
Ingress oversubscription performance
On SIP-400, when using a mix of low and high priority traffic, a maximum of 2.5 Gbps untagged or
tagged high priority traffic can be forwarded with no high priority packet drops at any packet size. When
the amount of high priority traffic exceeds 2.5 Gbps, some high priority packet drops may occur.
Egress oversubscription performance
On SIP-400, when using a mix of low and high priority traffic, a maximum of 3.0 Gbps worth of
untagged or tagged high priority traffic can be forwarded with no high priority drops at any packet size.
Listed below are some circumstances where performance degradation can be seen:
• Performance degrades with smaller packets.
• Dot1q tagged packets, if additional checks need to be performed on the dot1q packet to process
MPB-E, MPLSoGRE, dot1q-tunneling or EoMPLS information.
• QOS features applied to the main Ethernet interface or a dot1q subinterface can degrade
performance.
• Hierarchical searches of parent or child policies lower performance due to multiple key formation
and searches.
• When a single policer is applied to all the interfaces, packets from each interface have to contend
for one SRAM lock for that policer, causing packets to wait for the lock before proceeding.
• Certain set actions cause recalculations of the CRC in the IP header, increasing the number of
cycles required for processing the newly formed IP packet.
QOS Configuration Example for SIP-400 Ethernet Interfaces
This example illustrates how to properly configure a SIP-400 linecard to ensure high priority traffic is
not dropped on ingress or egress.
Step 1 First, a class map to select high priority traffic should be defined.
The following class map is designed to match the SPA classification rules:
class-map match-any high
 match cos 5 6 7
 match mpls experimental topmost 5 6 7
 match precedence 5 6 7
 match dscp ef
Step 2 Next, policy maps must be configured. A child policy map is required since IOS does not support
priority classes on the parent level for ingress. A queue limit is set for all non-priority traffic to ensure
a sufficient number of buffers are available for the high priority packets.
policy-map video-child
 class high
  priority
 class class-default
  queue-limit 25000
In the parent policy map, the shape command is used since at least one QOS parameter must be
configured. However, this service policy is to be applied to Gigabit Ethernet interfaces so no shaping
occurs with a shape value of one Gbps.
policy-map video
 class class-default
  shape average 1000000000
  service-policy video-child
Step 3 Finally, the parent service policy should be applied to each SIP-400 interface. If high priority traffic is
expected in both directions on the interface, the same service policy should be applied for both ingress
and egress sides.
interface gi5/0/0
 service-policy input video
 service-policy output video
int gi5/0/1
 service-policy input video
 service-policy output video
int gi5/0/2
 service-policy input video
 service-policy output video
int gi5/0/3
 service-policy input video
 service-policy output video
int gi5/0/4
 service-policy input video
 service-policy output video
SIP-400-5#show hardware subslot 0 drops-rx spi4
Show receive drops info for Subslot 0:
Bad Pkt drop counter : 0x0
Ingress EOP error pkt counter : 0x0
VLAN Rx Osub Drop Counter SRAM:
Addr:0x5 Pkt: 4366664 Byte: 261999840
Addr:0x6 Pkt: 4366661 Byte: 261999660
Addr:0x7 Pkt: 4366661 Byte: 261999660
Addr:0x8 Pkt: 4366662 Byte: 261999720
Addr:0x9 Pkt: 264 Byte: 15840
ISAEDA Rx Osub Drop Counter SRAM:
Addr:0x13FF Pkt: 17466912 Byte:1048014720
VLAN TCAM Catch All Drops:
VLAN Rx Hit : Pkt: 0
VLAN Rx Unicast Send : Pkt: 0 Byte: 0
VLAN Rx Mcast Send : Pkt: 0 Byte: 0
VLAN Rx Bcast Send : Pkt: 0 Byte: 0
VLAN Rx Osub Drop : Pkt: 0 Byte: 0
HSRPDA TCAM Catch All Drops:
HSRPDA Rx Hit : Pkt: 0
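One way to check that a configuration follows Steps 1 to 3 on every interface, as an added example in Python (not Cisco tooling). The embedded configuration is constructed from the commands in the steps above with two of the five interfaces, and parse and audit are hypothetical helper names.

```python
# Constructed from Steps 1-3 above; two of the five interfaces are kept for brevity.
CONFIG = """\
class-map match-any high
 match cos 5 6 7
 match mpls experimental topmost 5 6 7
 match precedence 5 6 7
 match dscp ef
policy-map video-child
 class high
  priority
 class class-default
  queue-limit 25000
policy-map video
 class class-default
  shape average 1000000000
  service-policy video-child
interface gi5/0/0
 service-policy input video
 service-policy output video
int gi5/0/1
 service-policy input video
 service-policy output video
"""


def parse(config):
    """Return (class_maps, policies, interfaces) from an indented IOS configuration."""
    class_maps, policies, interfaces = set(), {}, {}
    stanza = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words == ["!"]:
            continue
        if not raw[0].isspace():  # a top-level command opens a new stanza
            stanza = cls = None
            if words[0] == "class-map":
                class_maps.add(words[-1])
            elif words[0] == "policy-map":
                stanza = policies.setdefault(words[1], {})
            elif words[0] in ("interface", "int"):
                stanza = interfaces.setdefault(words[1], {})
        elif stanza is None:
            continue  # body of a class-map: not needed for this check
        elif words[0] == "class":
            cls = stanza.setdefault(words[1], [])
        elif words[0] == "service-policy" and words[1] in ("input", "output"):
            stanza[words[1]] = words[2]  # policy attached to an interface
        elif cls is not None:
            cls.append(words)  # command inside a policy-map class
    return class_maps, policies, interfaces


def audit(config):
    """Return findings for interfaces that do not follow Steps 1-3 (empty list: none)."""
    class_maps, policies, interfaces = parse(config)
    findings = []
    for name in sorted(interfaces):
        for direction in ("input", "output"):
            parent = interfaces[name].get(direction)
            if parent not in policies:
                findings.append(f"{name}: service-policy {direction} missing or undefined")
                continue
            # Step 2: the parent needs a child policy under class-default.
            nested = [w[1] for w in policies[parent].get("class-default", [])
                      if w[0] == "service-policy" and len(w) == 2]
            child = policies.get(nested[0]) if nested else None
            if child is None:
                findings.append(f"{name} {direction}: {parent} has no child policy")
                continue
            # Step 2: a defined class with priority, and a queue limit on the rest.
            if not any(["priority"] in cmds and cls in class_maps
                       for cls, cmds in child.items()):
                findings.append(f"{name} {direction}: {nested[0]} has no priority class")
            if not any(w[0] == "queue-limit" for w in child.get("class-default", [])):
                findings.append(
                    f"{name} {direction}: {nested[0]} has no queue-limit on class-default")
    return findings


if __name__ == "__main__":
    print(audit(CONFIG) or "all interfaces follow Steps 1-3")
```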
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command Purpose
Router# copy running-config startup-config    Writes the new configuration to NVRAM.
For information about managing your system image and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications that correspond to your Cisco IOS software release.
Shutting Down and Restarting an Interface on a SPA
You can shut down and restart any of the interface ports on a SPA independently of each other. Shutting
down an interface stops traffic and enters the interface into an “administratively down” state.
There are no restrictions for online insertion and removal (OIR) on Fast Ethernet or Gigabit Ethernet
SPAs. Fast Ethernet and Gigabit Ethernet SPAs can be removed from a SIP at any time. SIPs populated
with any type of SPAs can be removed from the router at any time.
If you are preparing for an OIR of a SPA, it is not necessary to independently shut down each of the
interfaces prior to deactivation of the SPA. The hw-module subslot [x/y] reload command
automatically stops traffic on the interfaces and deactivates them along with the SPA in preparation for
OIR.
In similar fashion, you do not need to independently restart any interfaces on a SPA after OIR of a SPA
or SIP.
To shut down an interface on a SPA, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# shutdown    Disables an interface.
To restart an interface on a SPA, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# no shutdown    Restarts a disabled interface.
Verifying the Interface Configuration
Besides using the show running-configuration command to display your router configuration settings,
you can use the show interfaces gigabitethernet command to get detailed information on a per-port
basis for your Gigabit Ethernet SPAs, and the show interfaces fastethernet command to get detailed
information on a per-port basis for your Fast Ethernet SPAs.
The following example provides sample output for interface port 1 on the SPA located in the top subslot
(0) of the SIP that is installed in slot 2 of the Cisco 7600 series router:
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 03:18:49, output 03:18:44, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1703 packets input, 638959 bytes, 0 no buffer
Received 23 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1670 multicast, 0 pause input
1715 packets output, 656528 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Configuration Examples
This section includes the following configuration examples:
• Basic Interface Configuration Example
• MAC Address Configuration Example
• MAC Address Accounting Configuration Example
• VLAN Configuration Example
• AToM over GRE Configuration Example
• mVPNoGRE Configuration Examples
• EoMPLS Configuration Example
• Backup Interface for Flexible UNI Configuration Example
• Changing the Speed of a Fast Ethernet SPA Configuration Example
• Ethernet OAM Configuration Example
Basic Interface Configuration Example
The following example shows how to enter global configuration mode to specify the interface that you
want to configure, configure an IP address for the interface, and save the configuration. This example
configures interface port 1 on the SPA that is located in subslot 0 of the SIP that is installed in slot 3 of
the Cisco 7600 series router:
! Enter global configuration mode.
!
Router# configure terminal
! Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address.
!
Router(config)# interface gigabitethernet 3/0/1
!
! Configure an IP address.
!
Router(config-if)# ip address 192.168.50.1 255.255.255.0
!
! Start the interface.
!
Router(config-if)# no shut
!
! Save the configuration to NVRAM.
!
Router(config-if)# end
Router# copy running-config startup-config
MAC Address Configuration Example
The following example changes the default MAC address on the interface to 1111.2222.3333:
! Enter global configuration mode.
!
Router# configure terminal
! Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address
!
Router(config)# interface gigabitethernet 3/0/1
!
! Modify the MAC address.
!
Router(config-if)# mac-address 1111.2222.3333
MAC Address Accounting Configuration Example
The following example enables MAC Address Accounting:
! Enter global configuration mode.
!
Router# configure terminal
! Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface (4/0/2 is the interface used in the verification command below).
!
Router(config)# interface gigabitethernet 4/0/2
!
! Enable MAC address accounting.
!
Router(config-if)# ip accounting mac-address {input | output}
Router(config-if)# ip accounting ?
  access-violations  Account for IP packets violating access lists on this interface
  mac-address        Account for MAC addresses seen on this interface
  output-packets     Account for IP packets output on this interface
  precedence         Count packets by IP precedence on this interface
Router(config-if)# ip accounting mac
Router(config-if)# ip accounting mac-address ?
  input   Source MAC address on received packets
  output  Destination MAC address on transmitted packets
Router(config-if)# ip accounting mac-address ip
Router(config-if)# ip accounting mac-address input ?
!
! Specify MAC address accounting for traffic entering the interface.
!
Router(config-if)# ip accounting mac-address input
!
! Specify MAC address accounting for traffic leaving the interface.
!
Router(config-if)# ip accounting mac-address output
Router(config-if)# end
!
! Verify the MAC Address on the interface.
!
Router# show interfaces GigabitEthernet 4/0/2 mac-accounting
GigabitEthernet4/0/2
Input (511 free)
000f.f7b0.5200(26 ): 124174 packets, 7450440 bytes, last: 1884ms ago
Total: 124174 packets, 7450440 bytes
Output (511 free)
000f.f7b0.5200(26 ): 135157 packets, 8109420 bytes, last: 1884ms ago
Total: 135157 packets, 8109420 bytes
HSRP Configuration Example
The following section provides a configuration example of Router A and Router B, each belonging to
three VRRP groups:
Router A
! Enter global configuration mode.
!
Router# configure terminal
!
! Enter configuration commands, one per line. End with CNTL/Z.
!
Router(config)# interface ethernet 1/0
Router(config-if)# ip address 10.1.0.2 255.0.0.0
Router(config-if)# vrrp 1 priority 120
Router(config-if)# vrrp 1 authentication cisco
Router(config-if)# vrrp 1 timers advertise 3
Router(config-if)# vrrp 1 timers learn
Router(config-if)# vrrp 1 ip 10.1.0.10
Router(config-if)# vrrp 5 priority 100
Router(config-if)# vrrp 5 timers advertise 30
Router(config-if)# vrrp 5 timers learn
Router(config-if)# vrrp 5 ip 10.1.0.50
Router(config-if)# vrrp 100 timers learn
Router(config-if)# no vrrp 100 preempt
Router(config-if)# vrrp 100 ip 10.1.0.100
Router(config-if)# no shutdown
Router B
! Enter global configuration mode.
!
Router# configure terminal
!
! Enter configuration commands, one per line. End with CNTL/Z.
!
Router(config)# interface ethernet 1/0
Router(config-if)# ip address 10.1.0.1 255.0.0.0
Router(config-if)# vrrp 1 priority 100
Router(config-if)# vrrp 1 authentication cisco
Router(config-if)# vrrp 1 timers advertise 3
Router(config-if)# vrrp 1 timers learn
Router(config-if)# vrrp 1 ip 10.1.0.10
Router(config-if)# vrrp 5 priority 200
Router(config-if)# vrrp 5 timers advertise 30
Router(config-if)# vrrp 5 timers learn
Router(config-if)# vrrp 5 ip 10.1.0.50
Router(config-if)# vrrp 100 timers learn
Router(config-if)# no vrrp 100 preempt
Router(config-if)# vrrp 100 ip 10.1.0.100
Router(config-if)# no shutdown
In this configuration, each group has the following properties:
• Group 1:
– Virtual IP address is 10.1.0.10.
– Router A will become the master for this group with priority 120.
– Advertising interval is 3 seconds.
– Preemption is enabled.
• Group 5:
– Router B will become master for this group with priority 200.
– Advertising interval is 30 seconds.
– Preemption is enabled.
• Group 100:
– Router A will become master for this group first because it has a higher IP address (10.1.0.2).
– Advertising interval is the default 1 second.
– Preemption is disabled.
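The group properties listed above, derived from the two configurations in an added Python example (not Cisco code). The interface stanzas are constructed from the Router A and Router B commands on this page; the default priority of 100 and the helper names parse and elect are assumptions of the example.

```python
import ipaddress

# Constructed from the Router A commands shown above.
ROUTER_A = """\
interface ethernet 1/0
 ip address 10.1.0.2 255.0.0.0
 vrrp 1 priority 120
 vrrp 1 authentication cisco
 vrrp 1 timers advertise 3
 vrrp 1 timers learn
 vrrp 1 ip 10.1.0.10
 vrrp 5 priority 100
 vrrp 5 timers advertise 30
 vrrp 5 timers learn
 vrrp 5 ip 10.1.0.50
 vrrp 100 timers learn
 no vrrp 100 preempt
 vrrp 100 ip 10.1.0.100
 no shutdown
"""
# Constructed from the Router B commands shown above.
ROUTER_B = """\
interface ethernet 1/0
 ip address 10.1.0.1 255.0.0.0
 vrrp 1 priority 100
 vrrp 1 authentication cisco
 vrrp 1 timers advertise 3
 vrrp 1 timers learn
 vrrp 1 ip 10.1.0.10
 vrrp 5 priority 200
 vrrp 5 timers advertise 30
 vrrp 5 timers learn
 vrrp 5 ip 10.1.0.50
 vrrp 100 timers learn
 no vrrp 100 preempt
 vrrp 100 ip 10.1.0.100
 no shutdown
"""
# Assumed defaults: priority 100, 1-second advertisements, preemption enabled.
DEFAULTS = {"priority": 100, "advertise": 1, "preempt": True, "auth": None, "vip": None}


def parse(config):
    """Return (primary_ip, {group: settings}) for one interface stanza."""
    primary, groups = None, {}
    for line in config.splitlines():
        words = line.split()
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if words[:2] == ["ip", "address"] and len(words) >= 3:
            primary = ipaddress.IPv4Address(words[2])
        if len(words) < 3 or words[0] != "vrrp" or not words[1].isdigit():
            continue
        group = groups.setdefault(int(words[1]), dict(DEFAULTS))
        key, args = words[2], words[3:]
        if key == "priority" and args:
            group["priority"] = int(args[0])
        elif key == "timers" and args[:1] == ["advertise"] and len(args) > 1:
            group["advertise"] = int(args[1])
        elif key == "preempt":
            group["preempt"] = not negate
        elif key == "authentication" and args:
            group["auth"] = args[-1]
        elif key == "ip" and args:
            group["vip"] = ipaddress.IPv4Address(args[0])
    return primary, groups


def elect(routers):
    """routers: {name: config}. Return {group: summary} including the initial master."""
    parsed = {name: parse(cfg) for name, cfg in routers.items()}
    result = {}
    for group in sorted({g for _, groups in parsed.values() for g in groups}):
        members = {n: (gs[group], ip) for n, (ip, gs) in parsed.items() if group in gs}
        # Highest priority wins; equal priorities fall back to the higher IP address.
        master = max(members, key=lambda n: (members[n][0]["priority"], members[n][1]))
        settings = members[master][0]
        result[group] = {
            "vip": str(settings["vip"]),
            "master": master,
            "priority": settings["priority"],
            "advertise": settings["advertise"],
            "preempt": settings["preempt"],
            "authenticated": all(m[0]["auth"] for m in members.values()),
        }
    return result


if __name__ == "__main__":
    for group, summary in elect({"Router A": ROUTER_A, "Router B": ROUTER_B}).items():
        print(group, summary)
```

The authenticated field shows that only group 1 carries an authentication string in this configuration; groups 5 and 100 are configured without one.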
MTU Configuration Example
The following example sets the interface MTU to 9216 bytes.
Note The SPA automatically adds an additional 38 bytes to the configured interface MTU size.
! Enter global configuration mode.
!
Router# configure terminal
!
! Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address
!
Router(config)# interface gigabitethernet 3/0/1
!
! Configure the interface MTU.
!
Router(config-if)# mtu 9216
VLAN Configuration Example
The following example creates subinterface number 268 on SPA interface port 2 (the third port), and
configures the subinterface on the VLAN with ID number 268, using IEEE 802.1Q encapsulation:
Note The SPA does not support ISL encapsulation.
! Enter global configuration mode.
!
Router# configure terminal
! Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the interface address
!
Router(config)# interface gigabitethernet 3/0/1.268
!
! Configure dot1q encapsulation and specify the VLAN ID.
!
Router(config-subif)# encapsulation dot1q 268
AToM over GRE Configuration Example
The following example illustrates an AToM over GRE tunnel configuration between PE1 and PE2.
PE1:
interface GigabitEthernet4/3/0
 ip address 25.25.25.1 255.255.255.0
 negotiation auto
end
interface Tunnel10
 ip unnumbered Loopback1
 mpls label protocol ldp
 mpls ip
 tunnel source 12.12.12.12
 tunnel destination 6.6.6.6
end
interface Loopback1
 ip address 13.13.13.13 255.255.255.255
end
interface Loopback10
 ip address 12.12.12.12 255.255.255.255
end
ip route 2.2.2.2 255.255.255.255 Tunnel10
PE2:
interface GigabitEthernet2/3/0
 ip address 26.26.26.2 255.255.255.0
 negotiation auto
end
interface Tunnel10
 ip unnumbered Loopback1
 mpls ip
 tunnel source 6.6.6.6
 tunnel destination 12.12.12.12
end
interface Loopback1
 ip address 7.7.7.7 255.255.255.255
end
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
end
ip route 3.3.3.3 255.255.255.255 Tunnel10
mVPNoGRE Configuration Examples
The following example shows the commands to configure the mVPNoGRE feature on a Cisco 7600
SIP-400 interface or subinterface; however, this example uses a Cisco 7600 SIP-400 interface that does
not support subinterfaces:
! Enter global configuration mode.
!
Router# configure terminal
! Enter configuration commands, one per line. End with CNTL/Z.
!
! Specify the Gigabit Ethernet interface to configure.
!
Router(config)# interface gigabitethernet 2/0/0
!
! Attach a GRE Tunnel to a Cisco 7600 SIP-400 subinterface.
!
Router(config-if)# tunnel-interface tu1
!
! Define the IP traffic that should be tunneled.
!
Router(config-if-ti)# ip route 10.0.0.1 255.255.255.0
Router(config-if-ti)# exit
When the tunnel-interface command is configured on the Cisco 7600 SIP-400 interface or subinterface,
ip pim sparse-mode and tag-switching ip are automatically added to the interface. A static route to the IP
address contained in the ip route command is created internally. The following example shows the
output of a show running interface command after adding or configuring the tunnel-interface
command; however, this example uses a Cisco 7600 SIP-400 interface that does not support
subinterfaces:
Router# show running interface gigabitethernet 2/0/0
!
interface gigabitethernet2/0/0
ip address 10.1.0.1 255.255.255.0
ip pim sparse-mode
no keepalive
tunnel-interface Tunnel1
ip route 10.11.0.1 255.255.255.0
exit-tunnel-interface
tag-switching ip
clock source internal
end
Note You do not need to configure a static route (globally or on the tunnel) to the BGP neighbor on the
Cisco 7600 series router. This is automatically done by the ip route command under the
tunnel-interface command on the Cisco 7600 SIP-400 interface or subinterface.
The following example illustrates the tunnel interface configuration on the Cisco 7600 series router:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-dense-mode
 mpls ip
 tunnel source 22.22.22.22
 tunnel destination 44.44.44.44
EoMPLS Configuration Example
The following example shows the commands to configure software-based EoMPLS:
! Enter global configuration mode.
!
Router# configure terminal
! Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# vlan 101
!
Router(config)# interface VLAN101
Router(config-if)# xconnect 7.7.7.7 73829 encapsulation MPLS
!
Router(config)# interface gigabitethernet 4/1/0.1
Router(config-subif)# encapsulation dot1Q 100
The following example shows the commands to configure Scalable EoMPLS (only for a Cisco 7600
SIP-400 Ethernet interface):
Router(config)# interface GigabitEthernet 1/2/1
Router(config-if)# no ip address
Router(config-if)# no cdp enable
!
Router(config-if)# interface GigabitEthernet 1/2/1.2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# xconnect 5.5.5.5 20002 encapsulation mpls
!
!
Router(config-if)# interface GigabitEthernet 1/2/1.4095
Router(config-subif)# encapsulation dot1Q 4095
Router(config-subif)# xconnect 5.5.5.5 24095 encapsulation mpls
The following example shows the commands to configure hardware EoMPLS (other Ethernet interfaces):
Router(config)# interface GigabitEthernet 1/1
Router(config-if)# no ip address
Router(config-if)# no cdp enable
!
Router(config-subif)# interface GigabitEthernet 1/1.2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# xconnect 5.5.5.5 10002 encapsulation mpls
!
Router(config)# interface GigabitEthernet 1/1.3095
Router(config-subif)# encapsulation dot1Q 3095
Router(config-subif)# xconnect 5.5.5.5 13095 encapsulation mpls
!
Backup Interface for Flexible UNI Configuration Example
Figure 12-5 and the table that follows show a sample configuration that includes several EVCs (service
instances), configured as follows:
• Service instance EVC4 is configured on primary and backup interfaces (links) that terminate in a
bridge domain, with a VPLS uplink onto NPE12.
• Service instance EVC2 is configured as scalable Ethernet over MPLS, peering with an SVI VPLS
on NPE12.
Figure 12-5 Backup Interface for Flexible UNI Configuration
[Figure: topology diagram with nodes NPE10, NPE11, NPE12, NPE14 and 72a; links labeled Primary and Backup; interfaces ge2/4.4, ge2/4.2, ge1/3.4, ge1/3.2, gi3/0/0, gi3/0/11, fa1/0.4 and fa1/0.2.]
NPE10 Configuration:
int ge2/4.4
 description npe10 to npe11 gi3/0/11 - backup - bridged
 encap dot1q 4
 ip address 100.4.1.33 255.255.255.0
int ge2/4.2
 description npe10 to npe11 gi3/0/11 - backup - xconnect
 encap dot1q 2
 ip address 100.2.1.33 255.255.255.0
U-PE2 Configuration:
int ge1/3.4
 description npe14 to npe11 gi3/0/0 - primary - bridged
 encap dot1q 4
 ip address 100.4.1.22 255.255.255.0
int ge1/3.2
 description npe14 to npe11 gi3/0/0 - primary - xconnect
 encap dot1q 2
 ip address 100.2.1.22 255.255.255.0
U-PE2 Configuration:
int fa1/0.4
 description 72a to npe12 - bridged
 encap dot1q 4
 ip address 100.4.1.12 255.255.255.0
int fa1/0.2
 description 72a to npe12 - xconnect
 encap dot1q 2
 ip address 100.2.1.12 255.255.255.0
NPE11 Configuration:
interface gigabitEthernet3/0/0
 backup interface gigabitEthernet3/0/11
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 12.0.0.1 2 encapsulation mpls
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
interface gigabitEthernet3/0/11
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  xconnect 12.0.0.1 21 encapsulation mpls
 service instance 4 ethernet
  encapsulation dot1q 4
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
interface GE-WAN 4/3
 description npe11 to npe12
 ip address 10.3.3.1 255.255.255.0
 mpls ip
l2 vfi vlan4 manual
 vpn id 4
 neighbor 12.0.0.1 4 encapsulation mpls
interface Vlan 4
 xconnect vfi vlan4
NPE12 Configuration:
l2 vfi vlan4 manual
 vpn id 4
 neighbor 11.0.0.1 4 encap mpls
interface Vlan4
 description npe12 to npe11 xconnect
 xconnect vfi vlan4
l2 vfi vlan2 manual
 vpn id 2
 neighbor 11.0.0.1 2 encap mpls
 neighbor 11.0.0.1 21 encap mpls
Interface Vlan2
 xconnect vfi vlan2
interface GE-WAN 9/4
 description npe12 to npe11
 ip address 10.3.3.2 255.255.255.0
 mpls ip
interface fastEthernet 8/2
 description npe12 to 72a
 switchport
 switchport trunk encap dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-4
Changing the Speed of a Fast Ethernet SPA Configuration Example
The following example shows the commands to change the speed of a Fast Ethernet SPA:
Note In order to change the speed of a Fast Ethernet SPA, autonegotiation must be disabled.
Router# show run interface fastethernet 5/0/1
Building configuration...
Current configuration : 86 bytes
!
! Disable Autonegotiation
!
interface FastEthernet5/0/1
ip address 10.1.0.2 255.255.0.0
negotiation auto
end
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/0/1
Router(config-if)# no negotiation auto
Router(config-if)# speed 10
Router(config-if)#
Router(config-if)# end
Router# show run interface fastethernet 5/0/1
Building configuration...
Current configuration : 112 bytes
!
interface FastEthernet 5/0/1
ip address 10.1.0.2 255.255.0.0
speed 10
duplex full
no negotiation auto
end
Router# show interface fastethernet 5/0/1
FastEthernet5/0/1 is up, line protocol is up
Hardware is FastEthernet SPA, address is 000a.8b3e.cc00 (bia 000a.8b3e.cc00)
Internet address is 10.1.0.2/16
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 10Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters 1d00h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1608 packets input, 547102 bytes, 0 no buffer
Received 1 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
1606 packets output, 548403 bytes, 0 underruns
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/0/1
Router(config-if)# speed 100
Router(config-if)# end
Router#
*Apr 25 21:10:36: %SYS-5-CONFIG_I: Configured from console by console
Router# show interface fastethernet 5/0/1
FastEthernet5/0/1 is down, line protocol is down
Hardware is FastEthernet SPA, address is 000a.8b3e.cc00 (bia 000a.8b3e.cc00)
Internet address is 10.1.0.2/16
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:23, output 00:00:22, output hang never
Last clearing of "show interface" counters 1d00h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1608 packets input, 547102 bytes, 0 no buffer
Received 1 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
Ethernet OAM Configuration Example
The following Ethernet OAM example shows configuration of Ethernet OAM options using a template,
and overriding that configuration with direct configuration at an interface. In this example, the network
supports a Gigabit Ethernet interface between the customer edge device and provider edge device:
! Configure a global OAM template for both PE and CE configuration.
!
Router(config)# template oam
Router(config-template)# ethernet oam link-monitor symbol-period threshold low 10
Router(config-template)# ethernet oam link-monitor symbol-period threshold high 100
Router(config-template)# ethernet oam link-monitor frame window 100
Router(config-template)# ethernet oam link-monitor frame threshold low 10
Router(config-template)# ethernet oam link-monitor frame threshold high 100
Router(config-template)# ethernet oam link-monitor frame-period window 100
Router(config-template)# ethernet oam link-monitor frame-period threshold low 10
Router(config-template)# ethernet oam link-monitor frame-period threshold high 100
Router(config-template)# ethernet oam link-monitor frame-seconds window 1000
Router(config-template)# ethernet oam link-monitor frame-seconds threshold low 10
Router(config-template)# ethernet oam link-monitor frame-seconds threshold high 100
Router(config-template)# ethernet oam link-monitor receive-crc window 100
Router(config-template)# ethernet oam link-monitor receive-crc threshold high 100
Router(config-template)# ethernet oam link-monitor transmit-crc window 100
Router(config-template)# ethernet oam link-monitor transmit-crc threshold high 100
Router(config-template)# ethernet oam remote-failure dying-gasp action error-disable-interface
Router(config-template)# exit
!
! Enable Ethernet OAM on the CE interface
!
Router(config)# interface gigabitethernet 4/1/1
Router(config-if)# ethernet oam
!
! Apply the global OAM template named “oam” to the interface.
!
Router(config-if)# source template oam
!
! Configure any interface-specific link monitoring commands to
! override the template configuration. The following example disables the high threshold
! link monitoring for receive CRC errors.
!
Router(config-if)# ethernet oam link-monitor receive-crc threshold high none
!
! Enable Ethernet OAM on the PE interface
!
Router(config)# interface gigabitethernet 8/1/1
Router(config-if)# ethernet oam
!
! Apply the global OAM template named “oam” to the interface.
!
Router(config-if)# source template oam
Chapter 13
Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs
This chapter describes techniques that you can use to troubleshoot the operation of your Fast Ethernet
or Gigabit Ethernet SPAs.
It includes the following sections:
• General Troubleshooting Information
• Performing Basic Interface Troubleshooting
• Understanding SPA Automatic Recovery
• Configuring the Interface for Internal and External Loopback
• Using the Cisco IOS Event Tracer to Troubleshoot Problems
• Preparing for Online Insertion and Removal of a SPA
The first section provides information about basic interface troubleshooting. If you are having a problem
with your SPA, use the steps in the “Performing Basic Interface Troubleshooting” section to begin your
investigation of a possible interface configuration problem.
To perform more advanced troubleshooting, see the other sections in this chapter.
General Troubleshooting Information
This section describes general information for troubleshooting SIPs and SPAs. It includes the following
sections:
• Using debug Commands
• Using show Commands
Using debug Commands
Along with the other debug commands supported on the Cisco 7600 series router, you can obtain
specific debug information for SPAs on the Cisco 7600 series router using the debug hw-module
subslot privileged EXEC command.
The debug hw-module subslot command is intended for use by Cisco Systems technical support
personnel.
Caution: Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands
during periods of lower network traffic and fewer users. Debugging during these periods decreases the
likelihood that increased debug command processing overhead will affect system use.
For information about other debug commands supported on the Cisco 7600 series router, refer to the
Cisco IOS Debug Command Reference and any related feature documents for the applicable Cisco IOS
release.
Using show Commands
There are several show commands that you can use to monitor and troubleshoot the SIPs and SPAs on
the Cisco 7600 series router. This chapter describes using the show interfaces command to perform
troubleshooting of your SPA.
For more information about show commands to verify and monitor SIPs and SPAs, see Chapter 12,
“Configuring the Fast Ethernet and Gigabit Ethernet SPAs.”
Performing Basic Interface Troubleshooting
You can perform most of the basic interface troubleshooting using the show interfaces fastethernet,
show interfaces gigabitethernet, or show interfaces tengigabitethernet command and examining
several areas of the output to determine how the interface is operating.
The following example shows output from the show interfaces fastethernet, show interfaces
gigabitethernet, and show interfaces tengigabitethernet commands, with some of the significant areas
of the output to observe shown in bold:
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
Hardware is FastEthernet SPA, address is 000e.d623.e840 (bia 000e.d623.e840)
Internet address is 33.1.0.2/16
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 59/255, rxload 83/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:11, output 00:00:08, output hang never
Last clearing of "show interface" counters 3d00h
Input queue: 0/75/626373350/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 32658000 bits/sec, 68032 packets/sec
5 minute output rate 23333000 bits/sec, 48614 packets/sec
17792456686 packets input, 1067548381456 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
12719598014 packets output, 763177809958 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
Hardware is GigEther SPA, address is 000a.f330.2e40 (bia 000a.f330.2e40)
Internet address is 2.2.2.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 03:18:49, output 03:18:44, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1703 packets input, 638959 bytes, 0 no buffer
Received 23 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1670 multicast, 0 pause input
1715 packets output, 656528 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
Internet address is 15.1.1.2/24
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full-duplex, 10Gb/s
input flow-control is on, output flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:10, output hang never
Last clearing of "show interface" counters 20:24:30
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
237450882 packets input, 15340005588 bytes, 0 no buffer
Received 25 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
1676 packets output, 198290 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
To verify that your interface is operating properly, complete the steps in Table 13-1:
Table 13-1 Basic Interface Troubleshooting Steps

Step 1
Action: From global configuration mode, enter the show interfaces fastethernet, show interfaces
gigabitethernet or show interfaces tengigabitethernet command.
Example:
Router# show interfaces fastethernet 3/2/3
Router# show interfaces gigabitethernet 2/0/1
Router# show interfaces tengigabitethernet 7/0/0

Step 2
Action: Verify that the interface is up.
Example:
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)

Step 3
Action: Verify that the line protocol is up.
Example:
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is up, line protocol is up
Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)

Step 4
Action: Verify that the interface duplex mode matches the remote interface configuration.
Example: The following example shows that the local interface is currently operating in full-duplex
mode:
Router# show interfaces fastethernet 3/2/3
[text omitted]
Keepalive not supported
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Router# show interfaces gigabitethernet 2/0/1
[text omitted]
Keepalive not supported
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
Router# show interfaces tengigabitethernet 7/0/0
[text omitted]
Keepalive not supported
Full-duplex, 10Gb/s

Step 5
Action: Verify that the interface speed matches the speed on the remote interface.
Example: The following example shows that the local interface is currently operating at 100 Mbps
(Fast Ethernet and Gigabit Ethernet) or 10 Gbps (Ten Gigabit Ethernet):
Router# show interfaces fastethernet 3/2/3
[text omitted]
Keepalive not supported
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Router# show interfaces gigabitethernet 2/0/1
[text omitted]
Keepalive not supported
Full-duplex, 1000Mb/s, link type is force-up, media type is SX
Router# show interfaces tengigabitethernet 7/0/0
[text omitted]
Full-duplex, 10Gb/s

Step 6
Action: Observe the output hang status on the interface.
Example:
ARP type: ARPA, ARP Timeout 04:00:00
Last input 03:18:49, output 03:18:44, output hang never

Step 7
Action: Observe the CRC counter.
Example:
0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored

Step 8
Action: Observe the late collision counter.
Example:
0 output errors, 0 collisions, 4 interface resets
0 babbles, 0 late collision, 0 deferred

Step 9
Action: Observe the carrier signal counters.
Example:
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

For more information about the verification steps and possible responses to correct detected problems,
see the following sections:
• Verifying the Interface Is Up
• Verifying the Line Protocol Is Up
• Verifying Output Hang Status
• Verifying the CRC Counter
• Verifying Late Collisions
• Verifying the Carrier Signal
Verifying the Interface Is Up
In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show
interfaces tengigabitethernet command, verify that the interface is up. If the interface is down, perform
the following corrective actions:
• If the interface is administratively down, use the no shutdown interface configuration command to
enable the interface.
• Be sure that the cable is fully connected.
• Verify that the cable is not bent or damaged. If the cable is bent or damaged, the signal will be
degraded.
• Verify that a hardware failure has not occurred. Observe the LEDs to confirm the failure. See the
other troubleshooting sections of this chapter, and refer to the Cisco 7600 Series Router SIP, SSC,
and SPA Hardware Installation Guide. If the hardware has failed, replace the SPA as necessary.
Verifying the Line Protocol Is Up
In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show
interfaces tengigabitethernet command, verify that the line protocol is up. If the line protocol is down,
the line protocol software processes have determined that the line is unusable.
Perform the following corrective actions:
• Replace the cable.
• Check the local and remote interface for misconfiguration.
• Verify that a hardware failure has not occurred. Observe the LEDs to confirm the failure. See the
other troubleshooting sections of this chapter, and refer to the Cisco 7600 Series Router SIP, SSC,
and SPA Hardware Installation Guide. If the hardware has failed, replace the SPA as necessary.
Verifying Output Hang Status
In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show
interfaces tengigabitethernet command, observe the value of the output hang field.
The output hang provides the number of hours, minutes, and seconds since the last reset caused by a
lengthy transmission. When the number of hours in the field exceeds 24 hours, the number of days and
hours is shown. If the field overflows, asterisks are printed. The field shows a value of never if no output
hangs have occurred.
Verifying the CRC Counter
In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show
interfaces tengigabitethernet command, observe the value of the CRC counter. Excessive noise will
cause high CRC errors accompanied by a low number of collisions.
Perform the following corrective actions if you encounter high CRC errors:
• Check the cables for damage.
• Verify that the correct cables are being used for the SPA interface.
Verifying Late Collisions
In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show
interfaces tengigabitethernet command, observe the value of the late collision counter.
Perform the following corrective actions if you encounter late collisions on the interface:
• Verify that the duplex mode on the local and remote interface match. Late collisions occur when
there is a duplex mode mismatch.
• Verify the length of the Ethernet cables. Late collisions result from cables that are too long.
Verifying the Carrier Signal
In the output from the show interfaces fastethernet, show interfaces gigabitethernet or show
interfaces tengigabitethernet command, observe the value of the carrier signal counters. The lost
carrier counter shows the number of times that the carrier was lost during transmission. The no carrier
counter shows the number of times that the carrier was not present during transmission.
Carrier signal resets can occur when an interface is in loopback mode or shut down.
Perform the following corrective actions if you observe the carrier signal counter incrementing outside
of these conditions:
• Check the interface for a malfunction.
• Check for a cable problem.
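The following Python example is added here and is not part of the Cisco guide: it parses captured show interfaces output and applies the checks from Table 13-1 and the verification sections above. The function names, finding codes, the crc_limit parameter and the third sample are assumptions made for illustration; the first two samples are abbreviated from the outputs shown earlier in this chapter.

```python
import re

# Abbreviated copies of two outputs shown earlier in this chapter.
SAMPLE_FE = """\
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s
  Last input 00:00:11, output 00:00:08, output hang never
     0 input errors, 0 CRC, 0 frame, 130043940 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
"""
SAMPLE_GE = """\
Router# show interfaces gigabitethernet 2/0/1
GigabitEthernet2/0/1 is down, line protocol is down
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  Last input 03:18:49, output 03:18:44, output hang never
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
"""
# Constructed sample (not from the guide): a port with several symptoms at once.
SAMPLE_BAD = """\
FastEthernet3/2/0 is up, line protocol is up
  Encapsulation ARPA, loopback not set
  Half-duplex, 100Mb/s
  Last input 00:00:01, output 00:00:01, output hang 00:12:40
     12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored
     0 babbles, 37 late collision, 0 deferred
     3 lost carrier, 0 no carrier
"""

STATUS_RE = re.compile(
    r"^(\S+) is (administratively down|up|down), line protocol is (up|down)", re.M)
LINK_RE = re.compile(r"(Full|Half)-duplex, (\d+[MG]b/s)")
HANG_RE = re.compile(r"output hang (\S+)")
LOOP_RE = re.compile(r"loopback ([^,\n]+)")
COUNTER_RE = re.compile(r"(\d+) (CRC|late collision|lost carrier|no carrier)\b")


def parse_block(block):
    """Parse the output for one interface into the fields Table 13-1 uses."""
    status = STATUS_RE.search(block)
    link = LINK_RE.search(block)
    hang = HANG_RE.search(block)
    loop = LOOP_RE.search(block)
    return {
        "name": status.group(1),
        "state": status.group(2),
        "line_protocol": status.group(3),
        "duplex": link.group(1).lower() if link else None,
        "speed": link.group(2) if link else None,
        "output_hang": hang.group(1) if hang else None,
        # Assumption: any value other than "not set" means loopback is enabled.
        "loopback": bool(loop) and loop.group(1).strip() != "not set",
        "counters": {name: int(n) for n, name in COUNTER_RE.findall(block)},
    }


def parse_show_interfaces(text):
    """Split a capture holding one or more interfaces and parse each block."""
    starts = [m.start() for m in STATUS_RE.finditer(text)]
    if not starts:
        raise ValueError("no '<interface> is ..., line protocol is ...' line found")
    ends = starts[1:] + [len(text)]
    return [parse_block(text[s:e]) for s, e in zip(starts, ends)]


def check_interface(info, remote_duplex=None, remote_speed=None, crc_limit=0):
    """Return finding codes, in the order of the steps in Table 13-1."""
    c = info["counters"]
    findings = []
    if info["state"] == "administratively down":
        findings.append("ADMIN_DOWN")        # fix: no shutdown
    elif info["state"] == "down":
        findings.append("IF_DOWN")           # fix: cable seating/damage, SPA LEDs
    if info["line_protocol"] == "down":
        findings.append("PROTO_DOWN")        # fix: cable, local/remote config
    if remote_duplex and info["duplex"] != remote_duplex:
        findings.append("DUPLEX_MISMATCH")
    if remote_speed and info["speed"] != remote_speed:
        findings.append("SPEED_MISMATCH")
    if info["output_hang"] not in (None, "never"):
        findings.append("OUTPUT_HANG")
    if c.get("CRC", 0) > crc_limit:
        findings.append("CRC_ERRORS")        # fix: cable damage, cable type
    if c.get("late collision", 0) > 0:
        findings.append("LATE_COLLISIONS")   # fix: duplex match, cable length
    carrier = c.get("lost carrier", 0) + c.get("no carrier", 0)
    # Carrier resets are expected while in loopback or shut down.
    if carrier and not info["loopback"] and info["state"] == "up":
        findings.append("CARRIER")           # fix: interface malfunction, cable
    return findings


if __name__ == "__main__":
    for info in parse_show_interfaces(SAMPLE_FE + SAMPLE_GE + SAMPLE_BAD):
        print(info["name"], check_interface(info, remote_duplex="full"))
```

The counters are cumulative since the last clearing of the "show interface" counters, so compare two captures taken some time apart before treating a nonzero value as an active fault.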
Understanding SPA Automatic Recovery
When Fast Ethernet or Gigabit Ethernet SPAs encounter thresholds for certain types of errors and
identify a fatal error, the SPAs initiate an automatic recovery process.
You do not need to take any action unless the error counters reach a certain threshold, and multiple
attempts for automatic recovery by the SPA fail.
The Gigabit Ethernet SPAs might perform automatic recovery for the following types of errors:
• SPI4 TX/RX out of frame
• SPI4 TX train valid
• SPI4 TX DIP4
• SPI4 RX DIP2
When Automatic Recovery Occurs
If the SPI4 errors occur more than 25 times within 10 milliseconds, the SPA automatically deactivates
and reactivates itself. Error messages are logged on the console indicating the source of the error and the
status of the recovery.
If Automatic Recovery Fails
If the SPA attempts automatic recovery more than five times in an hour, then the SPA deactivates itself
and remains deactivated.
To troubleshoot automatic recovery failure for a SPA, perform the following steps:
Step 1 Use the show hw-module subslot slot/subslot oir command to verify the status of the SPA. The status
is shown as “failed” if the SPA has been powered off due to five consecutive failures.
Step 2 If you verify that automatic recovery has failed, perform OIR of the SPA. For information about
performing OIR, see the “Preparing for Online Insertion and Removal of a SPA” section on page 13-10.
Step 3 If reseating the SPA after OIR does not resolve the problem, replace the SPA hardware.
Configuring the Interface for Internal and External Loopback
Loopback support is useful for testing the interface without connectivity to the network, or for
diagnosing equipment malfunctions between the interface and a device. The Fast Ethernet and Gigabit
Ethernet SPAs support both an internal and an external loopback mode. The external loopback mode
requires the use of a loopback cable and implements a loopback through the transceiver on the SPA.
You can also configure an internal loopback without the use of a loopback cable that implements a
loopback at the PHY device internally on a Fast Ethernet or Gigabit Ethernet interface port, or at the
MAC device internally on a Fast Ethernet or Gigabit Ethernet interface port. By default, loopback is
disabled.
Configuring the Interface for Internal Loopback
Different Fast Ethernet and Gigabit Ethernet interfaces use different loopback commands.
To enable internal loopback at the PHY device for an interface on a SPA, use one of the following
commands beginning in interface configuration mode:

Command or Action                       Purpose
Router(config-if)# loopback             Enables an interface for internal loopback on the Gigabit Ethernet SPA.
Router(config-if)# loopback internal    Enables an interface for internal loopback on the Gigabit Ethernet SPA.
Router(config-if)# loopback mac         Enables an interface for internal loopback at the MAC controller level on the Fast Ethernet SPA.
Router(config-if)# loopback driver      Enables an interface for internal loopback at the transceiver level on the Fast Ethernet SPA.

Configuring the Interface for External Loopback
Before beginning external loopback testing, remember that the external loopback mode requires the use
of a loopback cable.
External loopback cannot be configured on Fast Ethernet SPAs. To enable external loopback on Gigabit
Ethernet SPAs, use the following commands beginning in interface configuration mode:

Command                                 Purpose
Router(config-if)# loopback external    Enables an interface for external loopback on the Gigabit Ethernet SPA.

Verifying Loopback Status
To verify whether loopback is enabled on an interface port on a SPA, use the show interfaces
fastethernet, show interfaces gigabitethernet or show interfaces tengigabitethernet privileged
EXEC command and observe the value shown in the “loopback” field.
The following example shows that loopback is disabled for interface port 3 on the Fast Ethernet SPA
installed in subslot 2 of the SIP that is located in slot 3 of the Cisco 7600 series router:
Router# show interfaces fastethernet 3/2/3
FastEthernet3/2/3 is up, line protocol is up
Hardware is FastEthernet SPA, address is 000e.d623.e840 (bia 000e.d623.e840)
Internet address is 33.1.0.2/16
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 59/255, rxload 83/255
Encapsulation ARPA, loopback not set
The following example shows that loopback is disabled for interface port 0 (the first port) on the Gigabit
Ethernet SPA installed in the top (0) subslot of the SIP that is located in slot 3 of the Cisco 7600 series
router:
Router# show interfaces gigabitethernet 3/0/0
GigabitEthernet3/0/0 is up, line protocol is up
Hardware is GigMac 1 Port 10 GigabitEthernet, address is 0008.7db3.8dfe (bia )
Internet address is 10.0.0.2/24
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set
The following example shows that loopback is disabled for interface port 0 (the first port) on the Ten
Gigabit Ethernet SPA installed in the top (0) subslot of the SIP that is located in slot 7 of the Cisco 7600
series router:
Router# show interfaces tengigabitethernet 7/0/0
TenGigabitEthernet7/0/0 is up, line protocol is up (connected)
Hardware is TenGigEther SPA, address is 0000.0c00.0102 (bia 000f.342f.c340)
Internet address is 15.1.1.2/24
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Using the Cisco IOS Event Tracer to Troubleshoot Problems
Note: This feature is intended for use as a software diagnostic tool and should be configured only under the
direction of a Cisco Technical Assistance Center (TAC) representative.
The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This
feature gives Cisco service representatives additional insight into the operation of the Cisco IOS
software and can be useful in helping to diagnose problems in the unlikely event of an operating system
malfunction or, in the case of redundant systems, Route Processor switchover.
Event tracing works by reading informational messages from specific Cisco IOS software subsystem
components that have been preprogrammed to work with event tracing, and by logging messages from
those components into system memory. Trace messages stored in memory can be displayed on the screen
or saved to a file for later analysis.
The SPAs currently support the “spa” component to trace SPA OIR-related events.
For more information about using the Event Tracer feature, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/evnttrcr.html
Preparing for Online Insertion and Removal of a SPA
The Cisco 7600 series router supports online insertion and removal (OIR) of the SIP, in addition to each
of the SPAs. Therefore, you can remove a SIP with its SPAs still intact, or you can remove a SPA
independently from the SIP, leaving the SIP installed in the router.
This means that a SIP can remain installed in the router with one SPA remaining active, while you
remove another SPA from one of the SIP subslots. If you are not planning to immediately replace a SPA
into the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully
installed with either functional SPAs or blank filler plates.
For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing
for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting a SIP” chapter in this
guide.
Part 6
Packet over SONET Shared Port Adapters
Chapter 14
Overview of the POS SPAs
This chapter provides an overview of the release history, and feature and Management Information Base
(MIB) support for the Packet over SONET (POS) SPAs on the Cisco 7600 series router.
This chapter includes the following sections:
• Release History
• POS Technology Overview
• Supported Features
• Restrictions
• Supported MIBs
• SPA Architecture
• Displaying the SPA Hardware Type
Release History
Release: 15.1(1)S
Modification: Support for Network Clocking and SSM functionality was extended.

Release: 15.0(1)S
Modification: Support for Network Clocking and SSM functionality was added.

Release: Cisco IOS Release 12.2(33)SRA
Modification: Support for the following hardware was introduced on the Cisco 7600 series router:
• The 2-Port and 4-Port OC-48c/STM-16 POS SPA was introduced on the Cisco 7600 SIP-600.
• The 1-Port OC-48c/STM-16 POS SPA was introduced on the Cisco 7600 SIP-400.

Release: Cisco IOS Release 12.2(18)SXF2
Modification: Support for the 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA was introduced on the
Cisco 7600 SIP-600 on the Cisco 7600 series router and Catalyst 6500 series switch.

Release: Cisco IOS Release 12.2(18)SXF
Modification: Support for the following hardware was introduced on the Cisco 7600 series router and
Catalyst 6500 series switch:
• 1-Port OC-192c/STM-64 POS/RPR SPA
• 1-Port OC-192c/STM-64 POS/RPR XFP SPA

Release: Cisco IOS Release 12.2(18)SXE
Modification: Support for the following hardware was introduced on the Cisco 7600 series router and
Catalyst 6500 series switch:
• 2-Port OC-3c/STM-1 POS SPA
• 4-Port OC-3c/STM-1 POS SPA
• 1-Port OC-12c/STM-4 POS SPA

POS Technology Overview
Packet-over-SONET is a high-speed method of transporting IP traffic between two points. This
technology combines the Point-to-Point Protocol (PPP) with Synchronous Optical Network (SONET)
and Synchronous Digital Hierarchy (SDH) interfaces.
SONET is an octet-synchronous multiplex scheme defined by the American National Standards Institute
(ANSI) standard (T1.105-1988) for optical digital transmission at hierarchical rates from 51.840 Mbps
to 2.5 Gbps (Synchronous Transport Signal, STS-1 to STS-48) and greater. SDH is an equivalent
international standard for optical digital transmission at hierarchical rates from 155.520 Mbps
(Synchronous Transfer Mode-1 [STM-1]) to 2.5 Gbps (STM-16) and greater.
SONET specifications have been defined for single-mode fiber and multimode fiber. The POS SPAs on
the Cisco 7600 series router allow transmission over both single-mode and multimode fiber at various
optical carrier rates.
SONET/SDH transmission rates are integral multiples of 51.840 Mbps. The following transmission
multiples are currently specified and used on the POS SPAs on the Cisco 7600 series router:
• OC-3c/STM-1—155.520 Mbps
• OC-12c/STM-4—622.080 Mbps
• OC-48—2.488 Gbps
• OC-192c/STM-64—9.953 Gbps
Supported Features
This section provides a list of some of the primary features supported by the POS SPA hardware and
software:
• Jumbo frames (up to 9216 bytes)
• Online insertion and removal (OIR) from the SIP, or OIR of the SIP with the SPA inserted.
• Small form-factor pluggable (SFP) optics module OIR
• Field-programmable gate array (FPGA) upgrade support
The POS SPAs also support the following groups of features:
• SONET/SDH Compliance Features
• SONET/SDH Error, Alarm, and Performance Monitoring Features
• SONET/SDH Synchronization Features
• WAN Protocol Features
• Network Management Features
SONET/SDH Compliance Features
This section lists the SONET/SDH compliance features supported by the POS SPAs on the Cisco 7600
series router:
• 1+1 SONET Automatic Protection Switching (APS) as per G.783 Annex A
• 1+1 SDH Multiplex Section Protection (MSP) as per G.783 Annex A
• American National Standards Institute (ANSI) T1.105
• ITU-T G.707, G.783, G.957, G.958
• Telcordia GR-253-CORE: SONET Transport Systems: Common Generic Criteria
• Telcordia GR-1244: Clocks for the Synchronized Network: Common Generic Criteria
SONET/SDH Error, Alarm, and Performance Monitoring Features
This section lists the SONET/SDH error, alarm, and performance monitoring features supported by the
POS SPAs on the Cisco 7600 series router:
• Signal failure bit error rate (SF-BER)
• Signal degrade bit error rate (SD-BER)
• Signal label payload construction (C2)
• Path trace byte (J1)
• Section:
– Loss of signal (LOS)
– Loss of frame (LOF)
– Error counts for B1
– Threshold crossing alarms (TCA) for B1
• Line:
– Line alarm indication signal (LAIS)
– Line remote defect indication (LRDI)
– Line remote error indication (LREI)
– Error counts for B2
– Threshold crossing alarms (TCA) for B2
• Path:
– Path alarm indication signal (PAIS)
– Path remote defect indication (PRDI)
– Path remote error indication (PREI)
– Error counts for B3
– Threshold crossing alarms (TCA) for B3
– Loss of pointer (LOP)
– New pointer events (NEWPTR)
– Positive stuffing event (PSE)
– Negative stuffing event (NSE)
SONET/SDH Synchronization Features
This section lists the SONET/SDH synchronization features supported by the POS SPAs on the
Cisco 7600 series router:
• Local (internal) timing (for inter-router connections over dark fiber or Wavelength Division
Multiplex [WDM] equipment)
• Loop (line) timing (for connecting to SONET/SDH equipment)
• +/– 20 ppm clock accuracy over full operating temperature
• Network Clocking and the Synchronization Status Message (SSM) functionality for the Channelized
SPAs in a Cisco 7600 SIP-400 only. The POS SPAs supporting this feature for Cisco IOS Release
15.0(1)S are:
– SPA-2xOC3-POS
– SPA-4xOC3-POS
– SPA-1xOC12-POS
– SPA-2xOC12-POS
The POS SPA supporting this feature for Cisco IOS Release 15.1(1)S is:
– SPA-1XOC48-POS/RPR
For more information on configuring the network clock, see Configuring Boundary Clock for 2-Port
Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.
WAN Protocol Features
This section lists the WAN protocols supported by the POS SPAs on the Cisco 7600 series router:
• RFC 1661, The Point-to-Point Protocol (PPP)
• RFC 1662, PPP in HDLC framing
• RFC 2615, PPP over SONET/SDH (with 1+x^43 self-synchronous payload scrambling)
• RFC 3518, Point-to-Point Protocol (PPP) Bridging Control Protocol (BCP)—See Table 14-1 for
BCP feature restrictions on the Cisco 7600 series router
• Cisco Protect Group Protocol over UDP/IP (Port 1972) for APS and MSP
• Multiprotocol Label Switching (MPLS)
Network Management Features
This section lists the network management features supported by the POS SPAs on the Cisco 7600 series
router:
• Simple Network Management Protocol (SNMP) Management Information Base (MIB) counters
• Local (diagnostic) loopback
• Network loopback
• NetFlow Data Export
• IP over the Section Data Communications Channel (SDCC)—See Table 14-1 for SDCC feature
restrictions on the Cisco 7600 series router
• RFC 3592 performance statistics for timed intervals (current, 15-minute, multiple 15-minute, and
1-day intervals):
– Regenerator section
– Multiplex section
– Path errored seconds
– Severely errored seconds
– Severely errored framed seconds
Restrictions
Note For other SIP-specific features and restrictions, see also Chapter 3, “Overview of the SIPs and SSC.”
Table 14-1 provides information about POS feature compatibility and restrictions by SIP and SPA
combination.
Table 14-1 POS Feature Compatibility and Restrictions by SIP and SPA Combination

| Feature | Cisco 7600 SIP-200 | Cisco 7600 SIP-400 | Cisco 7600 SIP-600 |
|---|---|---|---|
| Bridge Control Protocol (BCP) | 2-Port and 4-Port OC-3c/STM-1 POS SPA—Supported. | 1-Port OC-12c/STM-4 POS SPA—Supported. 2-Port and 4-Port OC-3c/STM-1 POS SPA—Supported. 1-Port OC-48c/STM-16 POS SPA—Supported. | Not supported on any POS SPAs. |
| Dynamic Packet Transport (DPT), which includes RPR/SRP | Not supported on any POS SPAs. | Not supported on any POS SPAs. | Not supported on any POS SPAs. |
| Frame Relay | Supported on all POS SPAs. | Supported on all POS SPAs. | Not supported on any POS SPAs. |
| Multilink PPP | Not supported on any OC-3 POS SPAs. | Not supported on any OC-3 POS SPAs. | Not supported on any OC-3 POS SPAs. |
| Section Data Communications Channel (SDCC) | 2-Port OC-3c/STM-1 POS SPA—Supported. 4-Port OC-3c/STM-1 POS SPA—SDCC is supported on up to two ports. | 2-Port OC-3c/STM-1 POS SPA—Supported. 4-Port OC-3c/STM-1 POS SPA—SDCC is supported on up to two ports. 1-Port OC-12c/STM-4 POS SPA—Supported. 1-Port OC-48c/STM-16 POS SPA—Not supported. | Not supported on any POS SPAs. |
| Bandwidth-limited Priority Queuing | Not supported on any POS SPAs. | Not supported on any POS SPAs. | Not supported on any POS SPAs. |

Note The POS SPAs do not support bandwidth-limited priority queueing, but support only strict priority
policy maps, that is, the priority command without any parameters.
Supported MIBs
The following MIBs are supported in Cisco IOS Release 12.2(18)SXF2 for the 2-Port and 4-Port
OC-3c/STM-1 POS SPA, 1-Port OC-12c/STM-4 POS SPA, 1-Port OC-192c/STM-64 POS/RPR SPA,
1-Port OC-192c/STM-64 POS/RPR XFP SPA, and 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA
on the Cisco 7600 series router:
• CISCO-APS-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENVMON-MIB (For NPEs, NSEs, line cards, and MSCs only)
• CISCO-EXTENDED-ENTITY-MIB
• CISCO-OPTICAL-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
• IF-MIB
• SONET-MIB (RFC 2558, Definitions of Managed Objects for SONET/SDH Interface Type)
For more information about MIB support on Cisco 7600 series routers, refer to the Cisco 7600 Series
Internet Router MIB Specifications Guide, at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_technical_reference_list.html
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost
your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will
verify that your e-mail address is registered with Cisco.com. If the check is successful, account details
with a new random password will be e-mailed to you.
SPA Architecture
This section provides an overview of the architecture of the POS SPAs and describes the path of a packet
in the ingress and egress directions. Some of these areas of the architecture are referenced in the SPA
software and can be helpful to understand when troubleshooting or interpreting some of the SPA CLI
and show command output.
4-Port OC-3c/STM-1 POS SPA Architecture
Figure 14-1 identifies some of the hardware devices that are part of the POS SPA architecture. The
figure shows the four ports that are supported by the 4-Port OC-3c/STM-1 POS SPA only.
Figure 14-1 4-Port OC-3c/STM-1 POS SPA Architecture
Every incoming and outgoing packet on the 4-Port OC-3c/STM-1 POS SPA goes through the
SONET/SDH framer and field-programmable gate array (FPGA) devices.
[Figure 14-1 diagram labels: Optics; SONET/SDH Streams; SONET/SDH Framer; Packets; FPGA; Packets; SPA Connector; To Host / From Host]
Path of a Packet in the Ingress Direction
The following steps describe the path of an ingress packet through the 4-Port OC-3c/STM-1 POS SPA:
1. The framer receives SONET/SDH streams from the SFP optics, extracts clocking and data, and
processes the section, line, and path overhead.
2. The framer extracts the POS frame payload and verifies the frame size and frame check sequence
(FCS).
3. The framer passes valid frames to the field-programmable gate array (FPGA) on the SPA.
4. The FPGA on the SPA transfers frames to the host through the SPI4.2 bus for further processing and
switching.
Path of a Packet in the Egress Direction
The following steps describe the path of an egress packet through the 4-Port OC-3c/STM-1 POS SPA:
1. The host sends packets to the FPGA on the SPA using the SPI4.2 bus.
2. The FPGA on the SPA stores the data in the appropriate channel’s first-in first-out (FIFO) queue.
3. The FPGA on the SPA passes the packet to the framer.
4. The framer accepts the data and stores it in the appropriate channel queue.
5. The framer adds the FCS and SONET/SDH overhead.
6. The framer sends the data to the SFP optics for transmission onto the network.
1-Port OC-192c/STM-64 POS/RPR XFP SPA Architecture
Figure 14-2 identifies the primary hardware devices that are part of the POS SPA architecture. The figure
shows a single optics transceiver supported by both of the POS SPAs. However, the 1-Port
OC-192c/STM-64 POS/RPR SPA and 1-Port OC-192c/STM-64 POS/RPR VSR Optics SPA support
fixed optics, while the 1-Port OC-192c/STM-64 POS/RPR XFP SPA supports XFP optics. The path of
a packet remains the same except for where the optic transceiver support resides.
Figure 14-2 1-Port OC-192c/STM-64 POS/RPR XFP SPA Architecture
In POS mode, every incoming and outgoing packet on the OC-192 POS SPAs goes through the
SONET/SDH framer and SPI4.2 interface.
[Figure 14-2 diagram labels: Optics Transceiver; SONET/SDH Streams; SONET/SDH Framer; Packets; SPI4.2 Bus; SPA Connector; To Host / From Host]
Path of a Packet in the Ingress Direction
The following steps describe the path of an ingress packet through the 1-Port OC-192c/STM-64
POS/RPR XFP SPA:
1. The framer receives SONET/SDH streams from the XFP optics, extracts clocking and data, and
processes the section, line, and path overhead.
2. The framer extracts the POS frame payload and verifies the frame size and frame check sequence
(FCS).
3. The framer passes valid frames to the System Packet Level Interface 4.2 (SPI4.2) interface on the
SPA.
4. The SPI4.2 interface transfers frames to the host through the SPI4.2 bus for further processing and
switching.
Path of a Packet in the Egress Direction
The following steps describe the path of an egress packet through the 1-Port OC-192c/STM-64
POS/RPR XFP SPA:
1. The host sends packets to the SPA using the SPI4.2 bus.
2. The SPA stores the data in the appropriate channel’s first-in first-out (FIFO) queue.
3. The SPA passes the packet to the framer.
4. The framer accepts the data and stores it in the appropriate channel queue.
5. The framer adds the FCS and SONET/SDH overhead.
6. The framer sends the data to the XFP optics for transmission onto the network.
2-Port OC-48c/STM-16 POS SPA Architecture
Figure 14-3 identifies the primary hardware devices that are part of the 2-Port OC-48c/STM-16 POS
SPA architecture.
Figure 14-3 2-Port OC-48c/STM-16 POS SPA Architecture
[Figure 14-3 diagram labels: Optics Transceivers; SONET/SDH Streams; SONET/SDH Framer; POS Processor; Ring MAC; External SDRAM; Packets/SPI4.2 Bus; SPA Connector; To Host / From Host]
Path of a Packet in the Ingress Direction
The following steps describe the path of an ingress packet through the 2-Port OC-48c/STM-16 POS
SPA:
1. The framer receives SONET/SDH streams from the SFP optics, extracts clocking and data, and
processes the section, line, and path overhead.
2. The framer detects Loss of Signal (LOS), Loss of Frame (LOF), Severely Errored Frame (SEF), Line
Alarm Indication Signal (AIS-L), Loss of Pointer (LOP), Line Remote Defect Indication Signal
(Enhanced RDI-L), Path Alarm Indication Signal (AIS-P), Standard and Enhanced Path Remote
Defect Indication Signal (RDI-P), and Path Remote Error Indication (Enhanced REI-P). The framer
extracts or inserts DCC bytes.
3. The framer processes the S1 synchronization status byte, the pointer action bytes (per Telcordia
GR-253-CORE), and extracts or inserts DCC bytes.
4. The POS processor extracts the POS frame payload and verifies the frame size and frame check
sequence (FCS).
5. The POS processor supports PPP, Frame Relay, or HDLC modes and optionally performs payload
scrambling.
6. The POS processor passes valid frames to the System Packet Level Interface 4.2 (SPI4.2) interface
on the SPA.
7. The SPI4.2 interface transfers frames to the host through the SPI4.2 bus for further processing and
switching.
Path of a Packet in the Egress Direction
The following steps describe the path of an egress packet through the 2-Port OC-48c/STM-16 POS SPA:
1. The host sends packets to the SPA using the SPI4.2 bus.
2. The SPA stores the data in the appropriate SPI4 channel’s first-in first-out (FIFO) queue.
3. The SPA passes the packet from the SPI4 interface to the POS processor where it is encapsulated in
a POS frame and FCS is added.
4. The POS frame is sent to the SONET/SDH framer where it is placed into the SONET payload.
5. The framer adds the FCS and SONET/SDH overhead.
6. The framer sends the data to the SFP optics for transmission onto the network.
Displaying the SPA Hardware Type
To verify the SPA hardware type that is installed in your Cisco 7600 series router, you can use the show
idprom command. For other hardware information, you can also use the show interfaces or show
controllers commands. There are several other commands on the Cisco 7600 series router that also
provide SPA hardware information. For more information about these commands, see the “Command
Summary for POS SPAs” and the “SIP and SPA Commands” chapters in this guide.
Table 14-2 shows the hardware description that appears in the show command output for each type of
SPA that is supported on the Cisco 7600 series router.

Table 14-2 SPA Hardware Descriptions in show Commands

| SPA | Description in show interfaces Command | Description in show idprom Command |
|---|---|---|
| 2-Port OC-3c/STM-1 POS SPA | Hardware is Packet over Sonet | 2-port OC3/STM1 POS Shared Port Adapter / SPA-2XOC3-POS |
| 4-Port OC-3c/STM-1 POS SPA | Hardware is Packet over Sonet | 4-port OC3/STM1 POS Shared Port Adapter / SPA-4XOC3-POS |
| 1-Port OC-12c/STM-4 POS SPA | Hardware is Packet over Sonet | 1-port OC12/STM4 POS Shared Port Adapter / SPA-1XOC12-POS |
| 1-Port OC-48c/STM-16 POS SPA | Hardware is Packet over Sonet | 1-port OC48/STM16 POS/RPR Shared Port Adapter / SPA-1XOC48POS/RPR |
| 2-Port OC-48c/STM-16 POS SPA | Hardware is Packet over Sonet | 2-port OC48/STM16 POS/RPR Shared Port Adapter / SPA-2XOC48POS/RPR |
| 4-Port OC-48c/STM-16 POS SPA | Hardware is Packet over Sonet | 4-port OC48/STM16 POS/RPR Shared Port Adapter / SPA-4XOC48POS/RPR |
| 1-Port OC-192c/STM-64 POS/RPR SPA | Hardware is Packet over Sonet | 1-port OC192/STM64 POS/RPR Shared Port Adapter / SPA-OC192POS-VSR / SPA-OC192POS-LR |
| 1-Port OC-192c/STM-64 POS/RPR XFP SPA | Hardware is Packet over Sonet | 1-port OC192/STM64 POS/RPR XFP Optics Shared Port Adapter / SPA-OC192POS-XFP |

Example of the show idprom Command
The following example shows sample output for the show idprom module detail command for a 4-Port
OC-3c/STM-1 POS SPA installed in subslot 3 of the SIP installed in slot 2 of the router:
Router# show idprom module 2/3 detail
IDPROM for SPA module #2/3
(FRU is '4-port OC3/STM1 POS Shared Port Adapter')
EEPROM version : 4
Compatible Type : 0xFF
Controller Type : 1088
Hardware Revision : 0.230
Boot Timeout : 0 msecs
PCB Serial Number : PRTA0304155
Part Number : 73-9313-02
73/68 Board Revision : 04
Fab Version : 02
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Deviation Number : 0
Product Identifier (PID) : SPA-4XOC3-POS
Version Identifier (VID) : V01
.
.
.
Example of the show interfaces Command
The following example shows output from the show interfaces pos command on a Cisco 7600 series
router with a 4-Port OC-3c/STM-1 POS SPA installed in slot 5:
Router# show interfaces pos 5/0/1
POS5/0/1 is up, line protocol is up
Hardware is Packet over Sonet
Internet address is 10.5.5.5/8
MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
reliability 96/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive not set
Scramble disabled
Last input 00:00:11, output 00:00:11, output hang never
Last clearing of ''show interface'' counters 00:00:23
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 520 bytes
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 520 bytes, 0 underruns
0 output errors, 0 applique, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Example of the show controllers Command
The following example shows output from the show controllers pos command on a Cisco 7600 series
router for the first interface (0) of a POS SPA installed in subslot 2 of a SIP installed in chassis slot 3:
Router# show controllers pos 3/2/0
POS3/2/0
SECTION
LOF = 0 LOS = 0 BIP(B1) = 0
LINE
AIS = 0 RDI = 0 FEBE = 0 BIP(B2) = 0
PATH
AIS = 0 RDI = 0 FEBE = 0 BIP(B3) = 0
PLM = 0 UNEQ = 0 TIM = 0 TIU = 0
LOP = 0 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Framing: SONET
APS
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = CF
Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
RDOOL = 0
State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
Remote hostname : sip-sw-7600-2
Remote interface: POS3/2/1
Remote IP addr : 0.0.0.0
Remote Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: internal
Chapter 15 Configuring the POS SPAs
This chapter provides information about configuring the Packet over SONET (POS) shared port adapters
(SPAs) on the Cisco 7600 series router. This chapter includes the following sections:
• Configuration Tasks
• Verifying the Interface Configuration
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications that correspond to your Cisco IOS software release.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes how to configure POS SPAs and includes information about verifying the
configuration.
It includes the following topics:
• Specifying the Interface Address on a SPA
• Modifying the Interface MTU Size
• Modifying the POS Framing
• Modifying the Keepalive Interval
• Modifying the CRC Size
• Modifying the Clock Source
• Modifying SONET Payload Scrambling
• Configuring the Encapsulation Type
• Configuring APS
• Configuring POS Alarm Trigger Delays
• Configuring SDCC
• Saving the Configuration
• Shutting Down and Restarting an Interface on a SPA
Specifying the Interface Address on a SPA
SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port
number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP,
SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; however, the same slot/subslot/port
format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs.
Modifying the Interface MTU Size
The Cisco IOS software supports three different types of configurable maximum transmission unit
(MTU) options at different levels of the protocol stack:
• Interface MTU—Checked by the SPA on traffic coming in from the network. Different interface
types support different interface MTU sizes and defaults. The interface MTU defines the maximum
packet size allowable (in bytes) for an interface before drops occur. If the frame is smaller than the
interface MTU size, but is not smaller than three bytes of payload size, then the frame continues to
be processed.
• IP MTU—Can be configured on a subinterface and is used by the Cisco IOS software to determine
whether fragmentation of a packet takes place. If an IP packet exceeds the IP MTU size, then the
packet is fragmented.
• Tag or Multiprotocol Label Switching (MPLS) MTU—Can be configured on a subinterface and
allows up to six different labels, or tag headers, to be attached to a packet. The maximum number
of labels is dependent on your Cisco IOS software release.
Different encapsulation methods and the number of MPLS MTU labels add additional overhead to a
packet. For example, for an Ethernet packet, SNAP encapsulation adds an 8-byte header, dot1q
encapsulation adds a 2-byte header, and each MPLS label adds a 4-byte header (n labels x 4 bytes).
Interface MTU Configuration Guidelines
When configuring the interface MTU size on the POS SPAs, consider the following guidelines:
• If you are also using MPLS, be sure that the mpls mtu command is configured for a value less than
or equal to the interface MTU.
• If you change the interface MTU size, the giant counter increments when the interface receives a
packet that exceeds the MTU size that you configured, plus an additional 88 bytes for overhead, and
an additional 2 or 4 bytes for the configured cyclic redundancy check (CRC).
For example, with a maximum MTU size of 9216 bytes, the giant counter increments:
– For a 16-bit CRC (or FCS), when receiving packets larger than 9306 bytes (9216 + 88 + 2).
– For a 32-bit CRC, when receiving packets larger than 9308 bytes (9216 + 88 + 4).
• The Frame Relay Local Management Interface (LMI) protocol requires that all permanent virtual
circuit (PVC) status reports fit into a single packet. Using the default MTU of 4470 bytes, this limits
the number of data-link connection identifiers (DLCIs) to 890. The following formula demonstrates
how to determine the maximum DLCIs for a configured interface MTU:
– Maximum DLCIs = (MTU bytes – 20)/(5 bytes per DLCI)
– Maximum DLCIs for the default MTU = (4470 – 20)/5 = 890 DLCIs per interface
Interface MTU Configuration Task
To modify the MTU size on an interface, use the following command in interface configuration mode:
Command: Router(config-if)# mtu bytes
Purpose: Configures the maximum packet size for an interface, where:
• bytes—Specifies the maximum number of bytes for a packet. The default is 4470 bytes.
To return to the default MTU size, use the no form of the command.
Verifying the MTU Size
To verify the MTU size for an interface, use the show interfaces pos privileged EXEC command and
observe the value shown in the “MTU” field.
The following example shows an MTU size of 4470 bytes for interface port 0 (the first port) on the SPA
installed in subslot 1 of the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show interfaces pos 2/1/0
POS2/1/0 is up, line protocol is up (APS working - active)
Hardware is Packet over Sonet
Internet address is 10.1.1.1/24
MTU 4470 bytes, BW 155000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
.
.
Modifying the POS Framing
POS framing can be specified as SONET (Synchronous Optical Network) or SDH (Synchronous Digital
Hierarchy). SONET and SDH are a set of related standards for synchronous data transmission over
fiber-optic networks. SONET is the United States version of the standard published by the American
National Standards Institute (ANSI). SDH is the international version of the standard published by the
International Telecommunications Union (ITU).
To modify the POS framing, use the following command in interface configuration mode:
To return to the default, use the no form of the command.
Verifying the POS Framing
To verify the POS framing, use the show controllers pos privileged EXEC command and observe the
value shown in the “Framing” field. The following example shows that POS framing mode is set to
SONET for the first interface (0) on the POS SPA installed in subslot 2 of a SIP installed in chassis slot 3:
Router# show controllers pos 3/2/0
POS3/2/0
SECTION
LOF = 0 LOS = 0 BIP(B1) = 0
LINE
AIS = 0 RDI = 0 FEBE = 0 BIP(B2) = 0
PATH
AIS = 0 RDI = 0 FEBE = 0 BIP(B3) = 0
PLM = 0 UNEQ = 0 TIM = 0 TIU = 0
LOP = 0 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Framing: SONET
APS
COAPS = 0 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = CF
Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
RDOOL = 0
State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
Remote hostname : sip-sw-7600-2
Remote interface: POS3/2/1
Remote IP addr : 0.0.0.0
Remote Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: internal
Modifying the Keepalive Interval
When the keepalive feature is enabled, a keepalive packet is sent at the specified time interval to keep
the interface active. The keepalive interval must be configured to be the same on both ends of the POS
link.
To modify the keepalive interval, use the following command in interface configuration mode:
Command: Router(config-if)# keepalive [period [retries]]
Purpose: Specifies the frequency at which the Cisco IOS software sends messages to the other end of
the link, to ensure that a network interface is alive, where:
• period—Specifies the time interval in seconds for sending keepalive packets. The default is 10
seconds.
• retries—Specifies the number of times that the device will continue to send keepalive packets
without response before bringing the interface down. The default is 5 retries.
To disable keepalive packets, use the no form of this command.
Note If keepalives are enabled and you configure line loopback on a POS interface, the keepalive
protocol fails and periodically resets the interface based on the keepalive timeout, which causes Layer 1
errors on the other end of the link that is trying to do the loopbacks.
You can avoid this by using the no keepalive command on the POS interface that is configured for line
loopback. The side that is not in line loopback detects that its keepalive is being looped back and
functions properly. An interface configured for internal loopback also functions properly with keepalives
enabled.
Verifying the Keepalive Interval
To verify the keepalive interval, use the show interfaces pos privileged EXEC command and observe
the value shown in the “Keepalive” field.
The following example shows that keepalive is enabled for interface port 0 on the POS SPA installed in
the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show interfaces pos 2/0/0
Hardware is Packet over Sonet
Internet address is 10.1.1.1.2
MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec, reliability 255/255, txload 1/255,
rxload 1/255
Keepalive set (10 sec)
.
.
.
Modifying the CRC Size
CRC is an error-checking technique that uses a calculated numeric value to detect errors in transmitted
data. The CRC size indicates the length in bits of the FCS.
The CRC size must be configured to be the same on both ends of the POS link.
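The sketch below shows why both ends need the same CRC size, using the FCS-16 and FCS-32 definitions from RFC 1662, which this guide lists as the supported HDLC-like framing. It is an added example, not Cisco code or part of the original guide. The frame bytes and function names are constructed for illustration, and flag and escape-octet stuffing is left out.

```python
import zlib

FCS16_GOOD = 0xF0B8       # register value after a good FCS-16 frame (RFC 1662)
FCS32_GOOD = 0xDEBB20E3   # register value after a good FCS-32 frame (RFC 1662)


def fcs16(data: bytes) -> int:
    """FCS-16 register over data: x^16 + x^12 + x^5 + 1, bit-reflected (0x8408)."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def fcs32(data: bytes) -> int:
    """FCS-32 register over data (the CRC-32 value before its final complement)."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def add_fcs(payload: bytes, crc_bits: int) -> bytes:
    """Sender side: append the complemented FCS, least significant octet first."""
    if crc_bits == 16:
        return payload + (fcs16(payload) ^ 0xFFFF).to_bytes(2, "little")
    if crc_bits == 32:
        return payload + (fcs32(payload) ^ 0xFFFFFFFF).to_bytes(4, "little")
    raise ValueError("crc size must be 16 or 32")


def check_fcs(frame: bytes, crc_bits: int) -> bool:
    """Receiver side: run the FCS over payload plus FCS and compare to the residue."""
    if crc_bits == 16:
        return len(frame) > 2 and fcs16(frame) == FCS16_GOOD
    if crc_bits == 32:
        return len(frame) > 4 and fcs32(frame) == FCS32_GOOD
    raise ValueError("crc size must be 16 or 32")


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Return a copy of frame with one bit inverted, as line noise would do."""
    damaged = bytearray(frame)
    damaged[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(damaged)


# Constructed frame: address 0xFF, control 0x03, protocol 0x0021, then
# made-up payload bytes.
PAYLOAD = bytes.fromhex("ff030021") + b"constructed payload for the example"


def link_matrix(payload: bytes = PAYLOAD) -> dict:
    """FCS check result for every sender/receiver CRC-size combination."""
    return {(tx, rx): check_fcs(add_fcs(payload, tx), rx)
            for tx in (16, 32) for rx in (16, 32)}


if __name__ == "__main__":
    for (tx, rx), ok in link_matrix().items():
        verdict = "frame accepted" if ok else "CRC error"
        print(f"sender crc {tx}, receiver crc {rx}: {verdict}")
    damaged = flip_bit(add_fcs(PAYLOAD, 16), 37)
    print("single bit flip detected:", not check_fcs(damaged, 16))
```

On a live interface a size mismatch of this kind shows up in the CRC counter of the input errors line in show interfaces pos.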
To modify the CRC size, use the following command in interface configuration mode:
Command: Router(config-if)# crc [16 | 32]
Purpose: (As Required) Specifies the length of the cyclic redundancy check (CRC), where:
• 16—Specifies a 16-bit length CRC. This is the default.
• 32—Specifies a 32-bit length CRC.
The CRC size must be configured to be the same on both ends of the POS link.
To return to the default CRC size, use the no form of the command.
Verifying the CRC Size
To verify the CRC size, use the show interfaces pos privileged EXEC command and observe the value
shown in the “CRC” field.
The following example shows that the CRC size is 16 for interface port 0 on the POS SPA installed in
the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show interfaces pos 2/0/0
Hardware is Packet over Sonet
Internet address is 10.1.1.2.1
MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec reliability 255/255, txload 1/255, rxload
1/255
Encapsulation HDLC, crc 16, loopback not set
.
.
.
Modifying the Clock Source
A clock source of internal specifies that the interface clocks its transmitted data from its internal clock.
A clock source of line specifies that the interface clocks its transmitted data from a clock recovered from
the line’s receive data stream.
For information about the recommended clock source settings for POS router interfaces, refer to
Configuring Clock Settings on POS Router Interfaces at the following URL:
http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080094bb9.shtml
To modify the clock source, use the following command in interface configuration mode:
Command: Router(config-if)# clock source {line | internal}
Purpose: Specifies the clock source for the POS link, where:
• line—The link uses the recovered clock from the line. This is the default.
• internal—The link uses the internal clock source.
To return to the default clock source, use the no form of this command.
Verifying the Clock Source
To verify the clock source, use the show controllers pos privileged EXEC command and observe the
value shown in the “Clock source” field.
The following example shows that the clock source is internal for interface port 0 on the POS SPA
installed in subslot 0 of the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show controllers pos 2/0/0
POS2/0/0
SECTION
LOF = 0 LOS = 1 BIP(B1) = 7
LINE
AIS = 0 RDI = 1 FEBE = 20 BIP(B2) = 9
PATH
AIS = 0 RDI = 0 FEBE = 0 BIP(B3) = 5
PLM = 0 UNEQ = 0 TIM = 0 TIU = 0
LOP = 0 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA LAIS LRDI B2-TCA PAIS PLOP PRDI PUNEQ
B3-TCA RDOOL
APS
COAPS = 2 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 02, C2 = CF
CLOCK RECOVERY
RDOOL = 0
State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
Remote hostname : RouterTester. Port 102/1
Remote interface:
Remote IP addr :
Remote Rx(K1/K2): / Tx(K1/K2): /
BER thresholds: SF = 10e-5 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: internal
.
Modifying SONET Payload Scrambling
SONET payload scrambling applies a self-synchronous scrambler (x^43 + 1) to the Synchronous Payload
Envelope (SPE) of the interface to ensure sufficient bit transition density.
The default configuration is SONET payload scrambling disabled.
SONET payload scrambling must be configured to be the same on both ends of the POS link.
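The x^43 + 1 self-synchronous scrambler described above can be modelled in a few lines; this is an added example, not Cisco code or part of the original guide. The payload, the register seed LIVE_STATE and the function names are constructed, and the bit order within each octet is assumed to be most significant bit first.

```python
MASK43 = (1 << 43) - 1


def scramble(data: bytes, state: int = 0):
    """Transmit side: out[n] = in[n] XOR out[n-43]. Returns (bytes, new state)."""
    out = bytearray()
    for byte in data:
        acc = 0
        for shift in range(7, -1, -1):               # most significant bit first
            bit = ((byte >> shift) & 1) ^ ((state >> 42) & 1)
            state = ((state << 1) | bit) & MASK43    # remember what was sent
            acc = (acc << 1) | bit
        out.append(acc)
    return bytes(out), state


def descramble(data: bytes, state: int = 0):
    """Receive side: out[n] = in[n] XOR in[n-43]. Returns (bytes, new state)."""
    out = bytearray()
    for byte in data:
        acc = 0
        for shift in range(7, -1, -1):
            rx = (byte >> shift) & 1
            acc = (acc << 1) | (rx ^ ((state >> 42) & 1))
            state = ((state << 1) | rx) & MASK43     # remember what was received
        out.append(acc)
    return bytes(out), state


def longest_run(data: bytes) -> int:
    """Length of the longest run of identical bits in data."""
    best = run = 0
    prev = None
    for bit in "".join(f"{b:08b}" for b in data):
        run = run + 1 if bit == prev else 1
        best = max(best, run)
        prev = bit
    return best


# Constructed inputs for the demonstration.
PAYLOAD = b"\x7e\xff\x03\x00\x21" + bytes(range(32))
LIVE_STATE = 0x2B5C91E3A47   # arbitrary 43-bit history left by earlier traffic


def demo() -> dict:
    tx, _ = scramble(PAYLOAD, LIVE_STATE)
    same_state, _ = descramble(tx, LIVE_STATE)
    cold_start, _ = descramble(tx, 0)        # receiver joins with an empty register
    zeros = bytes(64)                         # payload with no bit transitions at all
    return {
        # Both ends scrambling: payload is recovered exactly.
        "round_trip_ok": same_state == PAYLOAD,
        # Self-synchronising: only the first 43 bits (6 octets) can be wrong.
        "resynced_after_6_octets": cold_start[6:] == PAYLOAD[6:],
        # One end scrambling, the other not: receiver sees different bytes.
        "mismatch_corrupts": scramble(PAYLOAD)[0] != PAYLOAD,
        # Transition density before and after scrambling.
        "run_plain": longest_run(zeros),
        "run_scrambled": longest_run(scramble(zeros, LIVE_STATE)[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When only one end has scrambling enabled, the corrupted bytes fail the receiver's FCS check, so the mismatch appears as CRC errors rather than as a distinct alarm.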
To modify SONET payload scrambling, use the following command in interface configuration mode:
Command: Router(config-if)# pos scramble-atm
Purpose: Enables SONET payload scrambling.
To disable SONET payload scrambling, use the no form of this command.
Verifying SONET Payload Scrambling
To verify SONET payload scrambling, use the show interfaces pos privileged EXEC command and
observe the value shown in the “Scramble” field.
The following example shows that SONET payload scrambling is disabled for interface port 0 on the
POS SPA installed in subslot 0 of the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show interfaces pos 2/0/0
Hardware is Packet over Sonet
Internet address is 10.0.0.1/24
MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive not set
Scramble disabled
.
Configuring the Encapsulation Type
By default, the POS interfaces support High-Level Data Link Control (HDLC) encapsulation. The
encapsulation method can be specified as HDLC, Point-to-Point Protocol (PPP) or Frame Relay. The
encapsulation type must be configured to be the same on both ends of the POS link.
To modify the encapsulation method, use the following command in interface configuration mode:
Command: Router(config-if)# encapsulation encapsulation-type
Purpose: Specifies the encapsulation method used by the interface, where:
• encapsulation-type—Can be HDLC, PPP, or Frame Relay. The default is HDLC.
Verifying the Encapsulation Type
To verify the encapsulation type, use the show interfaces pos privileged EXEC command and observe
the value shown in the “Encapsulation” field.
The following example shows the encapsulation type is HDLC for port 0 on the POS SPA installed in
subslot 0 of the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show interfaces pos 2/0/0
Hardware is Packet over Sonet
Internet address is 10.0.0.1/24
MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive not set
Scramble disabled
.
.
.
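The guide requires the scrambling and encapsulation settings to match on both ends of a POS link. The following check is an added example, not Cisco code: it compares two constructed show interfaces pos captures and reports every differing field. The CRC comparison is an extra check added here, and the captures, interface names and function names are assumptions.

```python
import re

# Constructed captures of "show interfaces pos" from the two ends of one POS link.
END_A = """\
POS2/0/0 is up, line protocol is up
Hardware is Packet over Sonet
Internet address is 10.0.0.1/24
MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive not set
Scramble disabled
"""
END_B = """\
POS3/0/0 is up, line protocol is down
Hardware is Packet over Sonet
Internet address is 10.0.0.2/24
MTU 9216 bytes, BW 622000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 32, loopback not set
Keepalive set (10 sec)
Scramble enabled
"""

# One pattern per setting, anchored to the field names the guide tells you to read.
# The crc pattern is tied to the Encapsulation line so that the "CRC" error counter
# further down a full capture is never mistaken for the configured CRC size.
FIELDS = {
    "encapsulation": re.compile(r"^\s*Encapsulation\s+([A-Za-z0-9-]+)", re.M),
    "crc": re.compile(r"^\s*Encapsulation\b.*?\bcrc\s+(\d+)", re.M),
    "scramble": re.compile(r"^\s*Scramble\s+(\w+)", re.M),
}


def parse_pos_interface(text):
    """Return the link-layer settings found in one 'show interfaces pos' capture."""
    settings = {}
    for name, pattern in FIELDS.items():
        match = pattern.search(text)
        settings[name] = match.group(1).upper() if match else None
    return settings


def compare_link_ends(text_a, text_b):
    """Return (field, value_a, value_b) for every setting that differs or is missing."""
    a, b = parse_pos_interface(text_a), parse_pos_interface(text_b)
    problems = []
    for field in FIELDS:
        # A field missing from either capture is reported, never assumed to match.
        if a[field] is None or b[field] is None or a[field] != b[field]:
            problems.append((field, a[field], b[field]))
    return problems


if __name__ == "__main__":
    for field, value_a, value_b in compare_link_ends(END_A, END_B):
        print(f"MISMATCH {field}: end A = {value_a}, end B = {value_b}")
```

An empty result means the three settings agree; a truncated capture shows up as None values rather than as a silent pass.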
Configuring APS
Automatic protection switching (APS) allows switchover of POS circuits in the event of circuit failure
and is often required when connecting SONET equipment to telco equipment. APS refers to the
mechanism of using a “protect” POS interface in the SONET network as the backup for a “working” POS
interface. When the working interface fails, the protect interface quickly assumes its traffic load.
Depending on the configuration, the two circuits may be terminated in the same router, or in different
routers.
The performance enhancement of PPP/MLPPP APS does not impact the original PPP/MLPPP scalability
on Cisco 7600.
For more information about APS, refer to A Brief Overview of Packet Over SONET APS at the following
URL:
http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080093eb5.shtml
To configure the working POS interface, use the following command in interface configuration mode:
Command: Router(config-if)# aps working circuit-number
Purpose: Configures a POS interface as a working APS interface, where:
• circuit-number—Specifies the circuit number associated with this working interface.
To remove the POS interface as a working interface, use the no form of this command.
To configure the protect POS interface, use the following command in interface configuration mode:
Command: Router(config-if)# aps protect circuit-number ip-address
Purpose: Configures a POS interface as a protect APS interface, where:
• circuit-number—Specifies the number of the circuit to enable as a protect interface.
• ip-address—Specifies the IP address of the router that has the working POS interface.
To remove the POS interface as a protect interface, use the no form of this command.
Verifying the APS Configuration
To verify the APS configuration or to determine if a switchover has occurred, use the show aps
command.
The following is an example of a router configured with a working interface. In this example, POS
interface 0/0/0 is configured as a working interface in group 1, and the interface is selected (that is,
active).
Router# show aps
POS0/0/0 working group 1 channel 1 Enabled Selected
The following is an example of a router configured with a protect interface. In this example, POS
interface 2/1/1 is configured as a protect interface in group 1. The output also shows that the working
channel is located on the router with the IP address 10.0.0.1 and that the interface currently selected is
enabled.
Router# show aps
POS2/1/1 APS Group 1: protect channel 0 (inactive)
Working channel 1 at 10.0.0.1 (Enabled)
SONET framing; SONET APS signalling by default
Remote APS configuration: (null)
.
Configuring POS Alarm Trigger Delays
A trigger is an alarm that, when activated, causes the line protocol to go down. The POS alarm trigger
delay helps to ensure uptime of a POS interface by preventing intermittent problems from disabling the
line protocol. The POS alarm trigger delay feature delays the setting of the line protocol to down when
trigger alarms are received. If the trigger alarm was sent because of an intermittent problem, the POS
alarm trigger delay can prevent the line protocol from going down when the line protocol is functional.
Line-Level and Section-Level Triggers
The pos delay triggers line command is used for POS router interfaces connected to internally-protected
Dense Wavelength Division Multiplexing (DWDM) systems. This command is invalid for interfaces that
are configured as working or protect APS. Normally a few microseconds of line- or section-level alarms
bring down the link until the alarm has been clear for ten seconds. If you configure holdoff, the
link-down trigger is delayed for 100 milliseconds. If the alarm stays up for more than 100 milliseconds,
the link is brought down. If the alarm clears before 100 milliseconds, the link remains up.
The following line- and section-level alarms are triggers, by default, for the line protocol to go down:
• Line alarm indication signal (LAIS)
• Section loss of signal (SLOS)
• Section loss of frame (SLOF)
You can issue the pos delay triggers line command to delay a down trigger of the line protocol on the
interface. You can set the delay from 50 to 10000 milliseconds. The default delay is 100 milliseconds.
To configure POS line- or section-level triggers, use the following commands beginning in interface
configuration mode:
Step 1
Command: Router(config-if)# pos delay triggers line ms
Purpose: Specifies a delay for setting the line protocol to down when a line-level trigger alarm is
received, where:
• ms—Specifies the delay in milliseconds. The default delay is 100 milliseconds.
Step 2
Command: Router(config-if)# pos threshold {b1-tca | b2-tca | b3-tca | sd-ber | sf-ber} rate
Purpose: Configures the POS bit error rate (BER) threshold values of the specified alarms, where:
• b1-tca rate—Specifies the B1 BER threshold crossing alarm. The default is 6.
• b2-tca rate—Specifies the B2 BER threshold crossing alarm. The default is 6.
• b3-tca rate—Specifies the B3 BER threshold crossing alarm. The default is 6.
• sd-ber rate—Specifies the signal degrade BER threshold. The default is 6.
• sf-ber rate—Specifies the signal failure BER threshold. The default is 3.
• rate—Specifies the bit error rate from 3 to 9 (10e-n). The default varies by the type of threshold
that you configure.
Step 3
Command: Router(config-if)# pos ais-shut
Purpose: Sends a line alarm indication signal (AIS-L) to the other end of the link after a shutdown
command has been issued to the specified POS interface. AIS-L is also known as LAIS when
alarm-related output is generated using the show controllers pos command.
By default, the AIS-L is not sent to the other end of the link. Stop transmitting the AIS-L by issuing
either the no shutdown or the no pos ais-shut command.
To disable alarm trigger delays, use the no form of the pos delay triggers line command.
To determine which alarms are reported on the POS interface, and to display the BER thresholds, use the
show controllers pos command.
Path-Level Triggers
You can issue the pos delay triggers path command to configure various path alarms as triggers and to
specify an activation delay between 50 and 10000 milliseconds. The default delay value is 100
milliseconds. The following path alarms are not triggers by default. You can configure these path alarms
as triggers and also specify a delay:
• Path alarm indication signal (PAIS)
• Path remote defect indication (PRDI)
• Path loss of pointer (PLOP)
• sd-ber (signal degrade [SD] bit error rate [BER])
• sf-ber (signal failure [SF] BER)
• b1-tca (B1 BER threshold crossing alarm [TCA])
• b2-tca (B2 BER TCA)
• b3-tca (B3 BER TCA)
The pos delay triggers path command can also bring down the line protocol when the higher of the B2
and B3 error rates is compared with the signal failure (SF) threshold. If the SF threshold is crossed, the
line protocol of the interface goes down.
To configure POS path-level triggers, use the following command in interface configuration mode:
Command: Router(config-if)# pos delay triggers path ms
Purpose: Specifies that path-level alarms should act as triggers and specifies a delay for setting the
line protocol to down when a path-level trigger alarm is received, where:
• ms—Specifies the delay in milliseconds. The default delay is 100 milliseconds.
To disable path-level triggers, use the no form of this command.
Verifying POS Alarm Trigger Delays
To verify POS alarm trigger delays, use the show controllers pos privileged EXEC command and
observe the values shown in the “Line alarm trigger delay” and “Path alarm trigger delay” fields.
The following example shows the POS alarm trigger delays for interface port 0 on the POS SPA installed
in the SIP that is located in slot 2 of the Cisco 7600 series router:
Router# show controllers pos 2/0/0 details
POS2/0/0
SECTION
LOF = 0 LOS = 1 BIP(B1) = 5
LINE
AIS = 0 RDI = 1 FEBE = 5790 BIP(B2) = 945
PATH
AIS = 0 RDI = 0 FEBE = 0 BIP(B3) = 5
PLM = 0 UNEQ = 0 TIM = 0 TIU = 0
LOP = 1 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Line alarm trigger delay = 100 ms
Path alarm trigger delay = 100 ms
.
.
.
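The following parser is an added example, not Cisco code: it reads a show controllers pos ... details capture, extracts the per-layer counters, the reported alarms and both trigger delays, and audits them against an operator policy. The sample capture is constructed from the output above; the expected delays, the required-alarm set and all function names are assumptions.

```python
import re

# Constructed capture, modelled on the "show controllers pos 2/0/0 details" output above
# (flattened as on this page; the alarm list wraps onto a second line).
SAMPLE = """\
POS2/0/0
SECTION
LOF = 0 LOS = 1 BIP(B1) = 5
LINE
AIS = 0 RDI = 1 FEBE = 5790 BIP(B2) = 945
PATH
AIS = 0 RDI = 0 FEBE = 0 BIP(B3) = 5
LOP = 1 NEWPTR = 0 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA LAIS LRDI B2-TCA PAIS PLOP PRDI PUNEQ
B3-TCA RDOOL
APS
COAPS = 2 PSBF = 0
State: PSBF_state = False
Line alarm trigger delay = 200 ms
Path alarm trigger delay = 100 ms
"""

LAYER_HEADERS = {"SECTION", "LINE", "PATH", "APS", "CLOCK RECOVERY"}
REPORT_PREFIX = "Alarm reporting enabled for:"
COUNTER_PAIR = re.compile(r"([A-Za-z0-9()]+)\s*=\s*(\d+)")
ALARM_NAME = re.compile(r"[A-Z0-9]+(?:-[A-Z0-9]+)*")
DELAY_LINE = re.compile(r"(Line|Path) alarm trigger delay\s*=\s*(\d+)\s*ms")
DELAY_MIN_MS, DELAY_MAX_MS = 50, 10000   # configurable range given in this section


def _is_alarm_list(line):
    """True when every token on the line looks like an alarm name (SLOS, B3-TCA, ...)."""
    tokens = line.split()
    return bool(tokens) and all(ALARM_NAME.fullmatch(t) for t in tokens)


def parse_controllers_pos(text):
    """Return counters keyed by (layer, name), the reported alarms, and trigger delays."""
    counters, reported, delays = {}, [], {}
    layer, in_report = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in LAYER_HEADERS:
            layer, in_report = line, False
        elif line.startswith(REPORT_PREFIX):
            reported = line[len(REPORT_PREFIX):].split()
            layer, in_report = None, True
        elif in_report and _is_alarm_list(line):
            reported += line.split()            # wrapped continuation of the alarm list
        else:
            in_report = False
            delay = DELAY_LINE.fullmatch(line)
            pairs = COUNTER_PAIR.findall(line)
            if delay:
                delays[delay.group(1).lower()] = int(delay.group(2))
            # A counter line consists of NAME = number pairs and nothing else.
            elif layer and pairs and not COUNTER_PAIR.sub("", line).strip():
                counters.update({(layer, name): int(value) for name, value in pairs})
    return {"counters": counters, "reported": reported, "delays_ms": delays}


def audit(parsed, expected_ms, required_reports):
    """Compare a parsed capture with the expected delays and required alarm reports."""
    findings = []
    for level in ("line", "path"):
        value = parsed["delays_ms"].get(level)
        if value is None:
            findings.append(f"{level} trigger delay not shown in output")
        elif not DELAY_MIN_MS <= value <= DELAY_MAX_MS:
            findings.append(f"{level} trigger delay {value} ms is outside 50-10000 ms")
        elif value != expected_ms[level]:
            findings.append(
                f"{level} trigger delay is {value} ms, expected {expected_ms[level]} ms")
    missing = sorted(set(required_reports) - set(parsed["reported"]))
    if missing:
        findings.append("alarms not reported: " + " ".join(missing))
    return findings


if __name__ == "__main__":
    policy = {"line": 200, "path": 200}          # assumed operator policy
    for finding in audit(parse_controllers_pos(SAMPLE), policy, {"SLOS", "SLOF", "LAIS"}):
        print("FINDING:", finding)
```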
Configuring SDCC
Before any management traffic can traverse the section data communication channel (SDCC) links
embedded in the POS SPA overhead, the SDCC interfaces must be configured and activated.
SDCC Configuration Guidelines
When configuring SDCC on a POS SPA, consider the following guidelines:
• SDCC must be enabled on the main POS interfaces.
• SDCC supports only HDLC and PPP encapsulation, not Frame Relay.
SDCC Configuration Task
To configure the POS SPAs for SDCC, complete the following steps:
Verifying the SDCC Interface Configuration
To verify the SDCC interface, use the show interfaces sdcc privileged EXEC command and observe the
value shown in the “Hardware is” field.
The following example shows the SDCC interface port 1 on the POS SPA installed in subslot 0 of the
SIP that is located in slot 5 of the Cisco 7600 series router:
Router# show interfaces sdcc 5/0/1
SDCC5/0/1 is up, line protocol is up
Hardware is SDCC
Internet address is 10.14.14.14/8
MTU 1500 bytes, BW 155000 Kbit, DLY 20000 usec,
reliability 5/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive not set
Last input 00:01:24, output never, output hang never
Last clearing of "show interface" counters 00:01:30
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 520 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 520 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
• The default mode for all SPA interfaces is POS. To change between POS and SRP modes, you must
shut down the SPA interface.
• Whenever you change modes on a POS SPA, the SPA automatically reloads.
• To change the SRP mate configuration, you must shut down the SPA interfaces.
• You cannot configure subinterfaces on an SRP interface.
• To distinguish between the two rings, one is referred to as the “inner” ring and the other as the
“outer” ring. SRP operates by sending data packets in one direction (downstream) and sending the
corresponding control packets in the opposite direction (upstream) on the other fiber. An SRP node
uses SRP side A to receive (RX) outer ring data and transmit (TX) inner ring data. The node uses
SRP side B to receive (RX) inner ring data and transmit (TX) outer ring data. Side A on one node
connects to Side B on an adjacent SRP node.
For configuration of SRP on POS SPAs in multiple slots on the same SIP, the lower-numbered slot
and subslot combination hosts the SRP interface and becomes “Side A” of the SRP interface. The
slot number of the side-A interface must be lower than the slot location of the SRP mate (side B)
interface.
• To configure SRP options, you must specify the slot and subslot location of the side-A interface, in
addition to a port number.
SRP Mode Configuration Guidelines
When enabling SRP mode, consider the following guidelines:
• You only need to configure the hw-module subslot srp command on the host SRP interface, not on
the mate SRP interface.
• The host SRP interface becomes “Side A” of the SRP interface. When configuring SPAs that are
installed in different slots on the same SIP for SRP, the slot number of the side-A interface must be
lower than the slot location of the SRP mate (side B) interface. Also, you must specify the side-A
interface location for configuration of any SRP options.
• The SIP reads the information it receives from the hardware cable mating to validate the mate cable
connectivity with your software configuration.
• When you change the SPA mode, the SPA automatically reloads.
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command: Router# copy running-config startup-config
Purpose: Writes the new configuration to NVRAM.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Shutting Down and Restarting an Interface on a SPA
You can shut down and restart any of the interface ports on a SPA independently of each other. Shutting
down an interface stops traffic and then enters the interface into an “administratively down” state.
If you are preparing for an OIR of a SPA, it is not necessary to independently shut down each of the
interfaces prior to deactivation of the SPA. You do not need to independently restart any interfaces on a
SPA after OIR of a SPA or SIP.
To shut down an interface on a SPA, use the following command in interface configuration mode:
Command: Router(config-if)# shutdown
Purpose: Disables an interface.
To restart an interface on a SPA, use the following command in interface configuration mode:
Command: Router(config-if)# no shutdown
Purpose: Restarts a disabled interface.
Verifying the Interface Configuration
Besides using the show running-configuration command to display your Cisco 7600 series router
configuration settings, you can use the show interfaces pos and show controllers pos commands to get
detailed information on a per-port basis for your POS SPAs.
Verifying Per-Port Interface Status
The following example provides sample output for interface port 0 (the first port) on the SPA located in
the subslot 0 of the SIP that is installed in slot 3 of the Cisco 7600 series router:
Router# show interfaces pos 3/0/0
POS3/0/0 is up, line protocol is up
Hardware is Packet over Sonet
MTU 4470 bytes, BW 622000 Kbit, DLY 100 usec,
reliability 194/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
LMI enq sent 18, LMI stat recvd 0, LMI upd recvd 0
LMI enq recvd 1473, LMI stat sent 1473, LMI upd sent 0, DCE LMI up
LMI DLCI 1023 LMI type is CISCO frame relay DCE
FR SVC disabled, LAPF state down
Broadcast queue 0/256, broadcasts sent/dropped 2223/1, interface
broadcasts 1977
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters 04:46:02
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
47019 packets input, 163195100 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
14332 runts, 925 giants, 0 throttles
0 parity
17820 input errors, 1268 CRC, 0 frame, 0 overrun, 0 ignored, 10 abort
49252 packets output, 170900767 bytes, 0 underruns
0 output errors, 0 applique, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
3 carrier transitions.
Monitoring Per-Port Interface Statistics
The following is sample output from the show controllers pos command on a Cisco 7600 series router
for POS interface 4/3/0 (which is the interface for port 0 of the SPA in subslot 3 of the SIP in chassis
slot 4):
Router# show controllers pos 4/3/0
POS4/3/0
SECTION
LOF = 0 LOS = 0 BIP(B1) = 65535
LINE
AIS = 0 RDI = 0 FEBE = 65535 BIP(B2) = 16777215
PATH
AIS = 0 RDI = 0 FEBE = 65535 BIP(B3) = 65535
PLM = 0 UNEQ = 0 TIM = 0 TIU = 0
LOP = 0 NEWPTR = 3 PSE = 0 NSE = 0
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SF SLOS SLOF B1-TCA B2-TCA PLOP B3-TCA
Framing: SONET
APS
COAPS = 1 PSBF = 0
State: PSBF_state = False
Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
Rx Synchronization Status S1 = 00
S1S0 = 00, C2 = CF
Remote aps status (none); Reflected local aps status (none)
CLOCK RECOVERY
RDOOL = 0
State: RDOOL_state = False
PATH TRACE BUFFER: STABLE
Remote hostname : woodson
Remote interface: POS3/0/0
Remote IP addr : 0.0.0.0
Remote Rx(K1/K2): 00/00 Tx(K1/K2): 00/00
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6 B3 = 10e-6
Clock source: internal
Configuration Examples
This section includes the following examples for configuring a POS SPA installed in a Cisco 7600 series
router:
• Basic Interface Configuration Example
• MTU Configuration Example
• POS Framing Configuration Example
• Keepalive Configuration Example
• CRC Configuration Example
• Clock Source Configuration Example
• SONET Payload Scrambling Configuration Example
• Encapsulation Configuration Example
• APS Configuration Example
• POS Alarm Trigger Delays Configuration Example
• SDCC Configuration Example
Basic Interface Configuration Example
The following example shows how to enter global configuration mode, specify the interface that you
want to configure, configure an IP address for the interface, enable
the interface, and save the configuration. This example configures interface port 0 (the first port) of the
SPA located in subslot 0 of the SIP that is installed in slot 2 of the Cisco 7600 series router:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/0/0
!
! Configure an IP address
!
Router(config-if)# ip address 192.168.50.1 255.255.255.0
!
! Enable the interface
!
Router(config-if)# no shutdown
!
! Save the configuration to NVRAM
!
Router(config-if)# end
Router# copy running-config startup-config
MTU Configuration Example
The following example sets the MTU to 4470 bytes on interface port 1 (the second port) of the SPA
located in the bottom subslot (1) of the SIP that is installed in slot 2 of the Cisco 7600 series router:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure MTU
!
Router(config-if)# mtu 4470
POS Framing Configuration Example
The following example shows how to change from the default POS framing of SONET to SDH:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
! (The default pos framing is sonet)
!
!Modify the framing type
!
Router(config-if)# pos framing sdh
Keepalive Configuration Example
The following example shows how to change from the default keepalive period of 10 seconds to 20
seconds:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure keepalive 20
!
Router(config-if)# keepalive 20
CRC Configuration Example
The following example shows how to change the CRC size from 32 bits to the default 16 bits for POS
SPAs:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure crc 16
!
Router(config-if)# crc 16
Clock Source Configuration Example
The following example shows how to change from the default clock source of internal to line:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure the clock source
!
Router(config-if)# clock source line
SONET Payload Scrambling Configuration Example
The following example shows how to change from a default SONET payload scrambling of disabled to
enabled:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
! Configure the SONET payload scrambling
!
Router(config-if)# pos scramble-atm
Encapsulation Configuration Example
The following example shows how to change from the default encapsulation method of HDLC to PPP:
!Enter global configuration mode
!
Router# configure terminal
! Specify the interface address
Router(config)# interface pos 2/1/1
!
! Configure ppp
!
Router(config-if)# encapsulation ppp
APS Configuration Example
The following example shows the configuration of APS on router A and router B, and how to configure
more than one protect or working interface on a router by using the aps group command. See
Figure 15-1.
Figure 15-1 Basic APS Configuration
[Figure shows: Router A with E 0/0 and POS 2/0/0 (working interface); Router B with E 0/0 and POS 3/0/0 (protect interface); SONET network equipment, Add Drop Multiplexer (ADM).]
In this example, router A is configured with the working interface and router B is configured with the
protect interface. If the working interface on router A becomes unavailable, the connection will
automatically switch over to the protect interface on router B. The loopback interface is used as the
interconnect. The aps group command is used even when a single protect group is configured.
The following example shows how to configure Router A for this scenario:
!Enter global configuration mode
!
Router# configure terminal
!
! Configure a loopback interface as the protect interconnect path
!
Router(config)# interface loopback 1
Router(config-if)# ip address 10.10.10.10 255.0.0.0
! Configure the POS interface address for the APS working interface
!
Router(config)# interface pos 2/0/0
!
! Configure the POS interface IP address and other interface parameters
!
Router(config-if)# ip address 172.16.1.8 255.255.0.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# no keepalive
Router(config-if)# crc 32
!
! Configure the APS group number by which to associate APS interfaces
!
Router(config-if)# aps group 1
!
! Configure a circuit number for the APS working interface
!
Router(config-if)# aps working 1
The following example shows how to configure Router B for this scenario:
!Enter global configuration mode
!
Router# configure terminal
!
! Configure the POS interface address for the APS protect interface
!
Router(config)# interface pos 3/0/0
!
! Configure the POS interface IP address and other interface parameters
!
Router(config-if)# ip address 172.16.1.9 255.255.0.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# no keepalive
Router(config-if)# crc 32
!
! Configure the APS group number by which to associate APS interfaces
!
Router(config-if)# aps group 1
!
! Configure a circuit number for the protect interface and an IP address for the router
! that has the APS working interface. In this case, the loopback interface address is
! used.
!
Router(config-if)# aps protect 1 10.10.10.10
POS Alarm Trigger Delays Configuration Example
The following example shows how to change POS line-level and path-level alarm trigger delays from the
default of 100 milliseconds to 200 milliseconds:
!Enter global configuration mode
!
Router# configure terminal
!
! Specify the interface address
!
Router(config)# interface pos 2/1/1
!
Router(config-if)# pos delay triggers line 200
Router(config-if)# pos delay triggers path 200
SDCC Configuration Example
Router(config-if)# exit
Router(config)# hw-module subslot 1/0 srp mate 1/1
!
! Configure an SRP interface
!
Router(config)# interface srp 1/0/0
Router(config-if)# mac-address 0003.0003.0003
Router(config-if)# ip address 10.4.4.1 255.255.255.0
Router(config-if)# no ip directed-broadcast
Router(config-if)# ipv6 address 10:4:4::1/64
Router(config-if)# service-policy output parent
PART 7
Serial Shared Port Adapters
CHAPTER 16
Overview of the Serial SPAs
This chapter provides an overview of the release history, features, and supported MIBs for the following
SPAs:
• Cisco 7600 SIP-200 with the 2- and 4-Port T3/E3 SPAs, the 8-Port Channelized T1/E1 SPA, the
1-Port Channelized OC-3/STM-1 SPA, and the 2- or 4-Port CT3 SPA
• Cisco 7600 SIP-400 with the 1-Port Channelized OC-12/STM-4 SPA
This chapter includes the following sections:
• Release History
• Supported Features
• Restrictions
• SPA Features
• Supported MIBs
• Displaying the SPA Hardware Type
Release History
Release                         Modification
15.1(1)S                        Support for Network Clocking and SSM functionality was extended.
15.0(1)S                        Support for Network Clocking and SSM functionality was added.
Cisco IOS Release 12.2(33)SRD1  Support for 1-Port Channelized OC-12/STM-4 SPA
Cisco IOS Release 12.2(33)SRC   Support for the following software features was introduced on the
                                Cisco 7600 SIP-200 on the Cisco 7600 series router:
                                • Programmable BERT pattern enhancements for the 1-Port Channelized
                                  OC-3/STM-1 SPA and the 2- and 4-Port CT3 SPAs
Cisco IOS Release 12.2(33)SRA   Support for the following hardware was introduced on the Cisco 7600
                                SIP-200 on the Cisco 7600 series router:
                                • 1-Port Channelized OC-3/STM-1 SPA
Cisco IOS Release 12.2(18)SXE   Support for the following hardware was introduced on the Cisco 7600
                                SIP-200 on the Cisco 7600 series router and Catalyst 6500 series switch:
                                • 2-Port T3/E3 SPA (SPA-2XT3/E3)
                                • 4-Port T3/E3 SPA (SPA-4XT3/E3)
                                • 8-Port T1/E1 SPA (SPA-8XCHT1/E1)
                                • 2-Port CT3 SPA (SPA-2XCT3/DS0)
                                • 4-Port CT3 SPA (SPA-4XCT3/DS0)
Supported Features
This section provides a list of some of the primary features supported by the Cisco 7600 SIP-200 and
SPA hardware and software.
• Online insertion and removal (OIR).
• Supports up to four single-height or two double-height Shared Port Adaptors (SPAs).
• Field Programmable Gate Array (FPGA) upgrade support.
• The SIP-200 supports the standard FPGA upgrade methods for the Cisco 7600 series router.
Restrictions
This section provides a list of Cisco 7600 SIP-200 configuration restrictions.
Note For other SIP-specific features and restrictions see also Chapter 3, “Overview of the SIPs and SSC” in
this guide.
• On a 2-port or 4-port Channelized T3 SPA, when one of the T3 ports is configured as DS3 clear
channel interface and the other T3s are configured with a large number (greater than or equal to 400)
of low bandwidth channels (NxDS0, N=1, 2, 3, or 4), the DS3 clear channel interface is not able to
run at 100% DS3 line rate when those low bandwidth channels are idle (that is, not transmitting or
receiving packets). This issue does not occur if those low bandwidth channels are not idle.
• On a 2-Port and 4-Port Channelized T3 SPA or 1-Port Channelized OC-3/STM-1 SPA, the maximum
number of channels is limited to 1023 per SPA.
• On a 2-Port and 4-Port Channelized T3 SPA or 1-Port Channelized OC-3/STM-1 SPA, the maximum
number of FIFO buffers is 4096. The FIFO buffers are shared among the interfaces; how they are
shared is determined by speed. If all the FIFO buffers have been assigned to existing interfaces, a
new interface cannot be created, and the "%Insufficient FIFOs to create channel group" error
message is seen. FIFO allocation information is provided in Table 16-1.
To find the number of available FIFO buffers, use the show controller t3 command:
Router# show controller t3 3/0/0
T3 3/0/0 is up.
Hardware is SPA-4XCT3/DS0
IO FPGA version: 2.6, HDLC Framer version: 0
T3/T1 Framer(1) version: 2, T3/T1 Framer(2) version: 2
SUBRATE FPGA version: 1.4
HDLC controller available FIFO buffers 3112
• On the 1-Port Channelized OC-12/STM-4 SPA, the SDH, E1/E3 modes are not supported.
• On the 1-Port Channelized OC-12/STM-4 SPA, the MFR, FRF.12 (in sync with other channelized
SPAs on SIP400) is not supported.
Note Effective from Cisco IOS Release 15.1(3)S and 12.2(33)SRE05, the SPA-1xCHOC12/DS0 boots up with
admin down status and the original SPA status is restored after one second of the SPA bootup. Please
wait for a second after the log message "SPA_OIR-6-ONLINECARD: SPA (SPA-1XCHOC12/DS0)
online in subslot" is displayed, to configure the SPA.
SPA Features
The following is a list of some of the significant software features supported by the 2- and 4-Port T3/E3
SPA, the 8-Port Channelized T1/E1 SPA, the 1-Port Channelized OC-3/STM-1 SPA, and the 2- and
4-Port CT3 SPAs.
• Software selectable between T1, E1, T3 or E3 framing on each card (ports are configured as all T1,
E1, T3, or E3). Applies to the 2- and 4-Port T3/E3 SPA and 8-Port Channelized T1/E1 SPA.
• Layer 2 encapsulation support:
– Point-to-Point Protocol (PPP)
– High-level Data Link Control (HDLC)
– Frame Relay
• Internal or network clock (selectable per port)
Table 16-1 FIFO Allocation
Number of Timeslots    Number of FIFO Buffers
1-6 DS0                4
7-8 DS0                6
9 DS0                  6
10-12 DS0              8
13–23 DS0              12
1–6 E1 TS              4
7–9 E1 TS              6
11–16 E1 TS            8
17–31 E1 TS            16
T1                     12
E1                     16
DS3                    336
• Online insertion and removal (OIR)
• Hot standby router protocol (HSRP)
• Alarm reporting: 24-hour history maintained, 15-minute intervals on all errors
• 16- and 32-bit cyclic redundancy checks (CRC) supported (16-bit default)
• Local and remote loopback
• Bit error rate testing (BERT) pattern generation and detection per port
Note BERT is not supported on the 8-Port Channelized T1/E1 SPA.
• Programmable BERT patterns enhancements
Note The programmable BERT patterns enhancements are not supported on the 2- and 4-Port T3/E3 SPAs or
the 8-Port Channelized T1/E1 SPA.
• Dynamic provisioning—Dynamic provisioning allows for the addition of new customer circuits
within a channelized interface without affecting other customers.
• FPD (field programmable device upgrades)
• End-to-end FRF.12 fragmentation support
• Link Fragmentation and Interleaving (LFI) support
• Compressed Real-Time Protocol (cRTP)—8-Port Channelized T1/E1 SPA and 2-Port and 4-Port
Channelized T3 SPA only. For more information about configuring cRTP, see the “Configuring
Compressed Real-Time Protocol” section on page 4-5.
• Network Clocking and the Synchronization Status Message (SSM) functionality for the Channelized
SPAs in a Cisco 7600 SIP-400 only. The Channelized SPAs supporting this feature for Cisco IOS
Release 15.0(1)S are:
– 8-Port Channelized T1/E1 SPA
– 1-Port Channelized OC3/STM-1 SPA
The Channelized SPA supporting this feature for Cisco IOS Release 15.1(1)S is:
– 1-Port Channelized OC-12/STM-4 SPA
For more information on configuring the network clock, see Configuring Boundary Clock for 2-Port
Gigabit Synchronous Ethernet SPA on Cisco 7600 SIP-400, page 12-29.
• T1 features
– All ports can be fully channelized down to DS0
– Data rates in multiples of 56 Kbps or 64 Kbps per channel
– Maximum 1.536 Mbps for each T1 port
– D4 Superframe (SF) and Extended Superframe (ESF) support for each T1 port
– ANSI T1.403 and AT&T TR54016 CI FDL support
– Internal and receiver recovered clocking modes
– Short haul and long haul channel service unit (CSU) support
– Binary eight-zero substitution (B8ZS) and alternate mark inversion (AMI) line encoding
Note B8ZS and AMI line encoding are not configurable for TW on the 2-Port and 4-Port Channelized
T3 SPA.
– Support for Multilink Point to Point Protocol (MLPPP) for full T1s on the same SPA (hardware
based) and across SPAs (software based)
– Support for Multilink Frame Relay (MLFR)
• E1 features
– Maximum 1.984 Mbps for each E1 port in framed mode and 2.048 Mbps in unframed E1 mode
– All ports can be fully channelized down to DS0
– Compliant with ITU G.703, G.704, ETSI and ETS300156
– Internal and receiver recovered clocking modes
– High-density bipolar with three zeros (HDB3) and AMI line encoding
– Support for MLPPP for full E1s on the same SPA (hardware based) and across SPAs (software
based).
– Support for MLFR
• E3 features
– Full-Duplex connectivity at E3 rate (34.368 MHz)
– Supports ITU-T G.751 or G.832 framing (software selectable)
– HDB3 line coding
– Compliant with E3 pulse mask
– Line build-out: configured for up to 450 feet (135 m) of type 728A or equivalent coaxial cable
– Loopback modes: data terminal equipment (DTE), local, dual, and network
– E3 alarm/event detection (once per second polling)
- Alarm indication signal (AIS)
- Loss of frame (LOF)
- Remote alarm indication (RAI)
– Subrate and scrambling features for these data service unit (DSU) vendors:
- Digital Link
- ADC Kentrox
• T3 features
– Binary 3-zero substitution (B3ZS) line coding
– Compliant with DS3 pulse mask per ANSI T1.102-1993
– DS3 far-end alarm and control (FEAC) channel support
– Full-Duplex connectivity at DS3 rate (44.736 MHz)
– 672 DS0s per T3
– Loopback modes: DTE, local, remote, dual, and network
– C-bit or M23 framing (software selectable)
– Line build-out: configured for up to 450 feet (135 m) of type 734A or equivalent coaxial cable
– DS3 alarm/event detection (once per second polling)
- AIS
- Out of frame (OOF)
- Far-end receive failure (FERF)
– Generation and termination of DS3 Maintenance Data Link (MDL) in C-bit framing
– Full FDL support and FDL performance monitoring
– Subrate and scrambling features for these DSU vendors:
- Digital Link
- ADC Kentrox
- Adtran
- Verilink
- Larscom
Note On a 2-port or 4-port Channelized T3 SPA, when one of the T3 ports is configured as a DS3 clear
channel interface and the other T3s are configured with a large number (greater than or equal to 400) of
low bandwidth channels (NxDS0, N=1, 2, 3, or 4), the DS3 clear channel interface is not able to run at 100%
DS3 line rate when those low bandwidth channels are idle (that is, not transmitting or receiving packets).
This issue does not occur if those low bandwidth channels are not idle.
The following features are supported on the 1-Port Channelized OC-12/STM-4 SPA:
• CCAT POS, DS3/E3, VCAT POS/Ethernet interfaces
• Maximum of 128 VCAT groups (VCG)
• Each VCG configurable for HDLC, GFP Framing (Layer 1)
• Each VCG can carry POS (hdlc/ppp/frame-relay) or Ethernet payload (Layer 2)
• Bandwidth on each VCG can be NxSTS-1/NxVT1.5/NxVT2
• Maximum of 48 high-order (STS-1) members in a VCG
• Maximum of 64 low-order (VT1.5/VT2) members in a VCG
• Maximum of 336 VT1.5/252 VT2 members per SPA
• Link Capacity Adjustment Scheme (LCAS)
Supported MIBs
The following MIBs are supported in Cisco IOS Release 12.2S for the serial SPAs on the Cisco 7600
series router.
All serial SPAs:
• CISCO-ENTITY-ALARM-MIB
• CISCO-CLASS-BASED-QOS-MIB
• CISCO-ENVMON-MIB (For NPEs, NSEs, line cards, and SIPs only)
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-ENTITY-SENSOR-MIB
• ENTITY-MIB
• IF-MIB
• RMON-MIB
• MPLS-LDP-MIB
• MPLS-LSR-MIB
• MPLS-TE-MIB
• MPLS-VPN-MIB
2- and 4-Port T3/E3 SPAs:
• DS3/E3 MIB
8-Port Channelized T1/E1 SPA:
• DS1/E1 MIB
2- or 4-Port CT3 SPA:
• DS1-MIB
• DS3-MIB
• CISCO-FRAME-RELAY-MIB
• IANAifType-MIB
• RFC1381-MIB
1-Port Channelized OC-12/STM-4 SPA:
• Cisco Optical MIB
• SONET MIB (RFC 2558)
• Performance Statistics for Timed Intervals (RFC 1595)
• SONET/SDH MIB (RFC 1595)
• DS-3/E3 MIB (RFC 1407)
• DS1/E1 MIB (RFC1406)
• MIB-II
• Ethernet MIB
• Cisco Extended Asset MIB
For more information about MIB support on the Cisco 7600 series router, refer to the Cisco 7600 Series
Internet Router MIB Specifications Guide found at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/7600mibs/index.htm
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your
account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify
that your e-mail address is registered with Cisco.com. If the check is successful, account details with a
new random password will be e-mailed to you.
Displaying the SPA Hardware Type
To verify the SPA hardware type that is installed in your Cisco 7600 series router, you can use the show
diagbus command or the show interface command (once the interface has been configured). There are
several other commands on the Cisco 7600 series router that also provide SPA hardware information.
Table 16-2 shows the hardware description that appears in the show command output for each type of
SPA that is supported on the Cisco 7600 series router.
Table 16-2 SPA Hardware Descriptions in show Commands
SPA                                  Description in show interfaces and show controllers Commands
4-Port T3/E3 SPA                     “Hardware is SPA-4XT3/E3”
2-Port T3/E3 SPA                     “Hardware is SPA-2XT3/E3”
8-Port Channelized T1/E1 SPA         “Hardware is SPA-T1E1”
2-Port CT3 SPA                       “Hardware is 2 ports CT3 SPA”
4-Port CT3 SPA                       “Hardware is 4 ports CT3 SPA”
1-Port Channelized OC12/STM-4 SPA    “Hardware is 1 port CHOC12/STM-4 SPA”
Virtual Tributary Alarms
Seven circuit emulation alarm types on the virtual tributary are introduced with the
Cisco IOS Release 12.2(33)SRE and Cisco IOS Release 12.2(33)SRC4 on the 1-Port Channelized
STM-1/OC-3 SPA. The alarm details are displayed with the show controller output on the 1-Port
Channelized STM-1/OC-3 SPA.
These are described in the following table:
Alarm       Description
LP-LOP      Indicates an LOP on the virtual tributary level
LP-AIS      Indicates an AIS on the virtual tributary level
LP-RFI      Remote Defect Indication on the virtual tributary level
LP-UNEQ     Indicates that the virtual tributary sizes are not the same, like VT-E1 and VT-T1
LP-MIS      Indicates that there is a mismatch on the virtual tributaries
LP-T_MIS    Indicates that there is a SONET trace mismatch on the virtual tributary level
LP-RDI      Remote Failure Indication on the virtual tributary level
Examples of the show interface Command
The following example shows output from the show interface serial 5/0/0 command on a Cisco 7600
series router with a 4-Port T3/E3 SPA installed in slot 5:
Serial5/0/0 is up, line protocol is up
Hardware is SPA-4XT3/E3[3/0]
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 248/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:06, output 00:00:07, output hang never
Last clearing of ''show interface'' counters 00:00:01
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
The following example shows output from the show interface serial 6/0/1 command on a Cisco 7600
series router with an 8-Port Channelized T1/E1 SPA installed in slot 6:
Serial6/0/1:0 is up, line protocol is up
Hardware is SPA-T1E1
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 16, loopback not set
Keepalive set (10 sec)
LCP Open, multilink Open
Last input 00:00:03, output 00:00:03, output hang never
Last clearing of "show interface" counters 5d17h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3194905708
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
74223 packets input, 1187584 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
74227 packets output, 1187751 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
4 carrier transitions no alarm present
Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags
Examples of the show controllers Command
The following example shows output from the show controller serial command on a Cisco 7600 series
router with a 4-Port T3/E3 SPA installed in slot 5:
Router# show controllers serial 5/0/2
Serial5/0/2 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 0
Data in current interval (807 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 306 Unavailable Secs
500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 2:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
[output omitted]
The following example shows output from the show controller command on a Cisco 7600 series router
with an 8-Port Channelized T1/E1 SPA installed in slot 6:
Router# show controllers t1
T1 6/0/0 is up.
Applique type is Channelized T1
Cablelength is long gain36 0db
No alarms detected.
alarm-trigger is not set
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
Data in current interval (394 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
T1 6/0/1 is up.
Applique type is Channelized T1
Cablelength is long gain36 0db
No alarms detected.
alarm-trigger is not set
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
Data in current interval (395 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
The following example shows output from the show controllers command on a Cisco 7600 series router
with a 4-Port CT3 SPA installed in slot 3:
Router# show controllers t3
T3 3/1/2 is up. Hardware is 4 ports CT3 SPA
ATLAS FPGA version: 0, FREEDM336 version: 0
TEMUX84(1) version: 0, TEMUX84(1) version: 0
SUBRATE FPGA version: 0
Applique type is Channelized T3
No alarms detected.
Framing is M23, Line Code is B3ZS, Clock Source is Internal
Equipment customer loopback
Data in current interval (146 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 0 LOS Defect Secs
T1 1 is up
timeslots: 1-24
FDL per AT&T 54016 spec.
No alarms detected.
Framing is ESF, Clock Source is Internal
Data in current interval (104 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
0 Unavail Secs, 0 Stuffed Secs
0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
Total Data (last 2 15 minute intervals):
0 Line Code Violations,0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
0 Unavail Secs, 0 Stuffed Secs
0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
The following example shows the output from the show controller sonet command on a Cisco 7600
series router with a 1-Port Channelized OC-12/STM-4 SPA installed:
Router# show controllers sonet 2/0/0
Router#show controller sonet
SONET 2/0/0 is up.
Hardware is SPA-1XCHOC12/DS0
Applique type is Channelized Sonet/SDH
Clock Source is Line
Medium info:
Type: Sonet, Line Coding: NRZ,
SECTION:
LOS = 1 LOF = 0 BIP(B1) = 234
SONET/SDH Section Tables
INTERVAL CV ES SES SEFS
04:30-04:40 0 72 72 72
LINE:
AIS = 0 RDI = 0 REI = 12755371 BIP(B2) = 3062
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SLOS SLOF
Defect reporting enabled for: SF B1-TCA B2-TCA
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6
SONET/SDH Line Tables
INTERVAL CV ES SES UAS
04:30-04:40 19706 72 2 0
High Order Path:
PATH 1:
AIS = 0 RDI = 0 REI = 238693 BIP(B3) = 65856
LOP = 0 PSE = 248 NSE = 268 NEWPTR = 0
LOM = 0 PLM = 0 UNEQ = 0
Active Alarms: None
Active Defects: None
Alarm/Defect reporting enabled for: PLOP LOM B3-TCA
TCA threshold: B3 = 10e-6
Rx: S1S0 = 00, C2 = 02
K1 = 00, K2 = 00
J0 = 01
Tx: S1S0 = 00, C2 = 02
K1 = 00, K2 = 00
J0 = 01
PATH TRACE BUFFER : STABLE
PATH TRACE BUFFER : STABLE
STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down
VT Receiver has LP-T_MIS.
timeslots: 1-24
FDL per AT&T 54016 spec.
Transmitter is sending LOF Indication.
Receiver is getting AIS.
Framing is ESF, Clock Source is Internal
Data in current interval (0 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
0 Unavail Secs, 0 Stuffed Secs
The following example shows the output from the show controller sonet command on a Cisco 7600 series
router with a 1-Port Channelized OC-12/STM-4 SPA installed:
Router# show controllers sonet 2/0/0
Router#show controller sonet
SONET 2/0/0 is up.
Hardware is SPA-1XCHOC12/DS0
Applique type is Channelized Sonet/SDH
Clock Source is Line
Medium info:
Type: Sonet, Line Coding: NRZ,
SECTION:
LOS = 1 LOF = 0 BIP(B1) = 234
SONET/SDH Section Tables
INTERVAL CV ES SES SEFS
04:30-04:40 0 72 72 72
LINE:
AIS = 0 RDI = 0 REI = 12755371 BIP(B2) = 3062
Active Defects: None
Active Alarms: None
Alarm reporting enabled for: SLOS SLOF
Defect reporting enabled for: SF B1-TCA B2-TCA
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6
SONET/SDH Line Tables
INTERVAL CV ES SES UAS
04:30-04:40 19706 72 2 0
High Order Path:
PATH 1:
AIS = 0 RDI = 0 REI = 238693 BIP(B3) = 65856
LOP = 0 PSE = 248 NSE = 268 NEWPTR = 0
LOM = 0 PLM = 0 UNEQ = 0
Active Alarms: None
Active Defects: None
Alarm/Defect reporting enabled for: PLOP LOM B3-TCA
TCA threshold: B3 = 10e-6
Rx: S1S0 = 00, C2 = 02
K1 = 00, K2 = 00
J0 = 01
Tx: S1S0 = 00, C2 = 02
K1 = 00, K2 = 00
J0 = 01
PATH TRACE BUFFER : STABLE
OC3.STS1 2/2/0.1 is down.
Hardware is SPA-1CHOC3-CE-ATM
Applique type is VT1.5
STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1)
STS-1 1, VTG 1, T1 2 (VT1.5 1/1/2)
Not configured.
STS-1 1, VTG 1, T1 3 (VT1.5 1/1/3)
Not configured.
STS-1 1, VTG 1, T1 4 (VT1.5 1/1/4)
Not configured.
STS-1 1, VTG 5, T1 1 (VT1.5 1/5/1) is down
VT Receiver has no alarm.
timeslots: 1-24
FDL per AT&T 54016 spec.
Transmitter is sending LOF Indication.
Receiver is getting AIS.
Framing is ESF, Clock Source is Internal
Data in current interval (0 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
0 Unavail Secs, 0 Stuffed Secs
CHAPTER 17
Configuring the 8-Port Channelized T1/E1 SPA
This chapter provides information about configuring the 8-Port Channelized T1/E1 SPA on the
Cisco 7600 series router. It includes the following sections:
• Configuration Tasks
• Verifying the Interface Configuration
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes how to configure the 8-Port Channelized T1/E1 SPA for the Cisco 7600 series
router and includes information about verifying the configuration.
It includes the following topics:
• Required Configuration Tasks
• Specifying the Interface Address on a SPA
• Optional Configurations
• Saving the Configuration
Required Configuration Tasks
This section lists the required configuration steps to configure the 8-Port Channelized T1/E1 SPA. Some
of the required configuration commands implement default values that might be appropriate for your
network. If the default value is correct for your network, then you do not need to configure the command.
• Setting the Card Type
• Enabling the Interfaces on the Controller
• Verifying Controller Configuration
• Setting the IP Address
• Verifying Interface Configuration
Note To better understand the address format used to specify the physical location of the SIP, SPA, and
interfaces, see the “Specifying the Interface Address on a SPA” section on page 17-6.
Setting the Card Type
The SPA is not functional until the card type is set. Information about the SPA is not indicated in the
output of any show commands until the card type has been set. There is no default card type.
Note Mixing of interface types is not supported. All ports on a SPA must be of the same type.
To set the card type for the 8-Port Channelized T1/E1 SPA, complete these steps:
Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command: Router(config)# card type {e1 | t1} slot subslot
Purpose: Sets the serial mode for the SPA:
• t1—Specifies T1 connectivity of 1.536 Mbps. B8ZS is the default line code for T1.
• e1—Specifies a wide-area digital transmission scheme used predominantly in Europe that
carries data at a rate of 1.984 Mbps in framed mode and 2.048 Mbps in unframed E1 mode.
• slot subslot—Specifies the location of the SPA. See the “Specifying the Interface
Address on a SPA” section on page 17-6.
Step 3
Command: Router(config)# exit
Purpose: Exits configuration mode and returns to the EXEC command interpreter prompt.
Enabling the Interfaces on the Controller
To create the interfaces for the 8-Port Channelized T1/E1 SPA, complete these steps:
Step 1
Command: Router(config)# controller {t1 | e1} slot/subslot/port
Purpose: Select the controller to configure and enter controller configuration mode.
• t1—Specifies the T1 controller.
• e1—Specifies the E1 controller.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface
Address on a SPA” section on page 17-6.
Step 2
Command: Router(config-controller)# clock source {internal | line}
Purpose: Sets the clock source.
Note The clock source is set to internal if the opposite end of the connection is set to line and the
clock source is set to line if the opposite end of the connection is set to internal.
• internal—Specifies that the internal clock source is used.
• line—Specifies that the network clock source is used. This is the default for T1 and E1.
Step 3
Command: Router(config-controller)# linecode {ami | b8zs | hdb3}
Purpose: Selects the linecode type.
• ami—Specifies Alternate Mark Inversion (AMI) as the linecode type. Valid for T1 and E1 controllers.
• b8zs—Specifies binary 8-zero substitution (B8ZS) as the linecode type. Valid for T1 controller only.
This is the default for T1 lines.
• hdb3—Specifies high-density binary 3 (hdb3) as the linecode type. Valid for E1 controller only.
This is the default for E1 lines.
Step 4
Command (for T1 controllers): Router(config-controller)# framing {sf | esf}
Command (for E1 controllers): Router(config-controller)# framing {crc4 | no-crc4}
Purpose: Selects the framing type.
• sf—Specifies Super Frame as the T1 frame type.
• esf—Specifies Extended Super Frame as the T1 frame type. This is the default for T1.
• crc4—Specifies CRC4 as the E1 frame type. This is the default for E1.
• no-crc4—Specifies no CRC4 as the E1 frame type.
Step 5
Command: Router(config-controller)# channel-group t1 t1-number {timeslots range | unframed} [speed {56 | 64}]
Purpose: Define the time slots that belong to each T1 or E1 circuit.
• t1 t1-number— Channel-group number. When configuring a T1 data line, channel-group numbers
can be values from 1 to 28. When configuring an E1 data line, channel-group numbers can be values from
0 to 30.
• timeslots range— One or more time slots or ranges of time slots belonging to the channel group. The
first time slot is numbered 1. For a T1 controller, the time slot range is from 1 to 24. For an E1 controller,
the time slot range is from 1 to 31.
• unframed—Unframed mode (G.703) uses all 32 time slots for data. None of the 32 time slots are used
for framing signals.
• speed—(Optional) Speed of the underlying DS0s.
– 56—
– 64—
Note The default is 64 if speed is not mentioned in the configuration.
Note Each channel group is presented to the system as a serial interface that can be configured
individually.
Note Once a channel group has been created with the channel-group command, the channel group
cannot be changed without removing the channel group. To remove a channel group, see the
section Changing a Channel Group Configuration, page 17-17.
Step 6
Command: Router(config)# exit
Purpose: Exits configuration mode and returns to the EXEC command interpreter prompt.
Verifying Controller Configuration
Use the show controllers command to verify the controller configuration:
Router(config)# show controllers t1
T1 6/0/1 is up.
Applique type is Channelized T1
Cablelength is long gain36 0db
No alarms detected.
alarm-trigger is not set
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
Data in current interval (395 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Setting the IP Address
To set the IP address for the 8-Port Channelized T1/E1 SPA, complete these steps:
Step 1
Command: Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Selects the interface to configure from global configuration mode.
• slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the
Interface Address on a SPA” section on page 17-6.
Step 2
Command: Router(config-if)# ip address address mask
Purpose: Sets the IP address and subnet mask.
• address—IP address.
• mask—Subnet mask.
Step 3
Command: Router(config)# exit
Purpose: Exits configuration mode and returns to the EXEC command interpreter prompt.
Verifying Interface Configuration
Use the show interfaces command to verify the interface configuration:
Router(config)# show interfaces
.
.
.
Serial6/0/1:0 is up, line protocol is up
Hardware is SPA-T1E1
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 16, loopback not set
Keepalive set (10 sec)
LCP Open, multilink Open
Last input 00:00:03, output 00:00:03, output hang never
Last clearing of "show interface" counters 5d17h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3194905708
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
74223 packets input, 1187584 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
74227 packets output, 1187751 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
4 carrier transitions no alarm present
Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags
.
.
Specifying the Interface Address on a SPA
SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port
number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP,
SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; however, the same slot/subslot/port
format is used for other SPAs (such as ATM and POS) and other non-channelized SPAs.
For the 8-Port Channelized T1/E1 SPA, the interface address format is slot/subslot/port:channel-group,
where:
• channel-group—Specifies the logical channel group assigned to the timeslots within the T1 link.
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for
SIPs, SSCs, and SPAs” section on page 4-2.
Optional Configurations
There are several standard, but optional, configurations that might be necessary to complete the
configuration of your serial SPA.
• Configuring Framing, page 17-7
• Configuring Encapsulation, page 17-8
• Configuring the CRC Size for T1, page 17-9
• Configuring FDL, page 17-10
• Configuring Multilink Point-to-Point Protocol (Hardware-based), page 17-11
• Configuring MLFR for T1/E1, page 17-14
• Invert Data on the T1/E1 Interface, page 17-16
• Changing a Channel Group Configuration, page 17-17
• Configuring Multipoint Bridging, page 17-17
• Configuring Bridging Control Protocol Support, page 17-17
• Configuring BCP on MLPPP, page 17-17
• LFI Guidelines, page 17-19
• HW MLPPP LFI Guidelines, page 17-20
• FRF.12 LFI Guidelines, page 17-20
• Configuring QoS Features on Serial SPAs, page 17-20
Configuring Framing
Framing is used to synchronize data transmission on the line. Framing allows the hardware to determine
when each packet starts and ends. To configure framing, use the following commands.
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# controller {t1 | e1} slot/subslot/port
Purpose: Selects the controller to configure.
• t1—Specifies the T1 controller.
• e1—Specifies the E1 controller.
• slot/subslot/port—Specifies the location of the controller. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Command (for T1 controllers): Router(config-controller)# framing {sf | esf}
Command (for E1 controllers): Router(config-controller)# framing {crc4 | no-crc4}
Purpose: Set the framing on the interface.
• sf—Specifies Super Frame as the T1 frame type.
• esf—Specifies Extended Super Frame as the T1 frame type. This is the default for T1.
• crc4—Specifies CRC4 frame as the E1 frame type. This is the default for E1.
• no-crc4—Specifies no CRC4 frame as the E1 frame type.
Verifying Framing Configuration
Use the show controllers command to verify the framing configuration:
Router# show controllers t1
T1 6/0/0 is down.
Applique type is Channelized T1
Cablelength is long gain36 0db
Receiver has loss of frame.
alarm-trigger is not set
Framing is ESF, Line Code is B8ZS, Clock Source is Line.
Data in current interval (717 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 717 Unavail Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 86400 Unavail Secs
Configuring Encapsulation
When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set
the encapsulation method, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Command: Router(config-if)# encapsulation encapsulation-type {hdlc | ppp | frame-relay}
Purpose: Set the encapsulation method on the interface.
• hdlc—High-Level Data Link Control (HDLC) protocol for serial interface. This encapsulation method provides the synchronous framing and error detection functions of HDLC without windowing or retransmission. This is the default for synchronous serial interfaces.
• ppp—PPP (for serial interface).
• frame-relay—Frame Relay (for serial interface).
Verifying Encapsulation
Use the show interfaces serial command to verify encapsulation on the interface:
Router# show interfaces serial 6/0/0:0
Serial6/0/0:0 is down, line protocol is down
Hardware is SPA-T1E1
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 32, loopback not set
Keepalive set (10 sec)
LCP Closed, multilink Closed
Last input 1w0d, output 1w0d, output hang never
Last clearing of "show interface" counters 6d23h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1152 kilobits/sec
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions alarm present
Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags
Configuring the CRC Size for T1
All 8-Port Channelized T1/E1 SPA interfaces use a 16-bit cyclic redundancy check (CRC) by default,
but also support a 32-bit CRC. CRC is an error-checking technique that uses a calculated numeric value
to detect errors in transmitted data. The designators 16 and 32 indicate the length (in bits) of the frame
check sequence (FCS). A CRC of 32 bits provides more powerful error detection, but adds overhead.
Both the sender and receiver must use the same setting.
CRC-16, the most widely used CRC throughout the United States and Europe, is used extensively with
WANs. CRC-32 is specified by IEEE 802 and as an option by some point-to-point transmission
standards. It is often used on Switched Multimegabit Data Service (SMDS) networks and LANs.
To set the length of the cyclic redundancy check (CRC) on a T1 interface, use these commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Command: Router(config-if)# crc {16 | 32}
Purpose: Selects the CRC size in bits.
• 16—16-bit CRC. This is the default.
• 32—32-bit CRC.
Verifying the CRC Size
Use the show interfaces serial command to verify the CRC size set on the interface:
Router# show interfaces serial 6/0/0:0
Serial6/0/0:0 is up, line protocol is up
Hardware is SPA-T1E1
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 32, loopback not set
Keepalive set (10 sec)
LCP Open, multilink Open
Last input 00:00:38, output 00:00:00, output hang never
Last clearing of "show interface" counters 01:46:16
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1272 packets input, 20396 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
6 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 3 abort
1276 packets output, 20460 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions no alarm present
Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags
Configuring FDL
Facility Data Link (FDL) is a 4-kbps channel provided by the Extended Super Frame (ESF) T1 framing
format. The FDL performs outside the payload capacity and allows you to check error statistics on
terminating equipment without intrusion.
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# controller t1 slot/subslot/port
Purpose: Selects the controller to configure.
• slot/subslot/port—Specifies the location of the controller. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Command: Router(config-controller)# fdl [ansi | att | both]
Purpose: If the framing format was configured for esf, configures the format used for Facility Data Link (FDL).
• ansi—Select ansi for FDL to use the ANSI T1.403 standard.
• att—Select att for FDL to use the AT&T TR54016 standard.
• both—Specifies support for both AT&T technical reference 54016 and ANSI T1.403 for ESF FDL exchange support.
Verifying FDL
Use the show controllers t1 command to verify the FDL setting:
Router# show controllers t1
T1 6/0/1 is up.
Applique type is Channelized T1
Cablelength is long gain36 0db
No alarms detected.
alarm-trigger is not set
Framing is ESF, FDL is ansi, Line Code is B8ZS, Clock Source is Line.
Data in current interval (742 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
Total Data (last 73 15 minute intervals):
1278491 Line Code Violations, 3 Path Code Violations,
0 Slip Secs, 1 Fr Loss Secs, 177 Line Err Secs, 0 Degraded Mins,
3 Errored Secs, 0 Bursty Err Secs, 1 Severely Err Secs, 227 Unavail Secs
.
.
.
Configuring Multilink Point-to-Point Protocol (Hardware-based)
Multilink Point to Point Protocol (MLPPP) allows you to combine T1 or E1 lines into a bundle that has
the combined bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of
T1 or E1 lines in each bundle.
MLPPP for T1/E1 Configuration Guidelines
The required conditions are:
• Only T1 or E1 links in a bundle
• All links on the same SPA
• Maximum of 12 links in a bundle.
Note Some notes about hardware-based MLPPP:
• Only 3 fragmentation sizes are possible: 128, 256, and 512 bytes.
• Fragmentation is enabled by default; the default size is 512 bytes.
• Fragmentation size is configured using the ppp multilink fragment-delay command after using the
interface multilink command. The least of the fragmentation sizes (among the 3 sizes possible)
satisfying the delay criteria is configured. (For example, a 192 byte packet causes a delay of
1 millisecond on a T1 link, so the nearest fragmentation size is 128 bytes.)
The show ppp multilink command indicates the MLPPP type and the fragmentation size:
Router# show ppp multilink
Multilink1, bundle name is Patriot2
Bundle up for 00:00:13
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 206/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/2/0/1:0, since 00:00:13, no frags rcvd
Se4/2/0/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.
Fragmentation is disabled explicitly by using the no ppp multilink fragmentation command after using
the interface multilink command.
Create a Multilink Bundle
To create a multilink bundle, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface multilink group-number
Purpose: Creates a multilink interface and enters multilink interface mode.
• group-number—The group number for the multilink bundle.
Note Multilink interface creation is not supported beyond 65535. If you configure a multilink interface number that is more than 65535, on a switchover, you will experience a connectivity loss.
Command: Router(config-if)# ip address address mask
Purpose: Sets the IP address for the multilink group.
• address—The IP address.
• mask—The IP netmask.
Assign an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port/t1-number:channel-group
Purpose: Selects the interface to configure and enters interface configuration mode. See the “Specifying the Interface Address on a SPA” section on page 17-6.
• slot/subslot/port/t1-number:channel-group—Selects the interface to configure.
Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.
Command: Router(config-if)# multilink-group group-number
Purpose: Assigns the interface to a multilink bundle.
• group-number—The multilink group number for the T1 or E1 bundle.
Command: Router(config-if)# ppp multilink
Purpose: Enables multilink PPP on the interface.
Repeat these commands for each interface you want to assign to the multilink bundle.
Configuring fragmentation size on an MLPPP Bundle (optional)
To configure the fragmentation size on a multilink PPP bundle, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface multilink slot/subslot/port/t1-number:channel-group
Purpose: Creates a multilink interface and enters multilink interface mode.
• channel-group—The group number for the multilink bundle. Range 1 to 2147483647.
Command: Router(config-if)# ppp multilink fragment-delay delay
Purpose: Sets the fragmentation size satisfying the configured delay on the multilink bundle.
• delay—Delay in milliseconds.
Disabling the fragmentation on an MLPPP Bundle (optional)
To disable fragmentation on a multilink PPP bundle, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface multilink group-number
Purpose: Creates a multilink interface and enters multilink interface mode.
• group-number—The group number for the multilink bundle. Range 1 to 2147483647.
Command: Router(config-if)# no ppp multilink fragmentation
Purpose: Disables the fragmentation on the multilink bundle.
Verifying Multilink PPP
Use the show ppp multilink command to verify the PPP multilinks:
Router# show ppp multilink
Multilink1, bundle name is mybundle
Bundle up for 01:40:50
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 1/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 5 active, 0 inactive (max not set, min not set)
Se6/0/0/1:0, since 01:40:50, no frags rcvd
Se6/0/1/1:0, since 01:40:09, no frags rcvd
Se6/0/3/1:0, since 01:15:44, no frags rcvd
Se6/0/4/1:0, since 01:03:17, no frags rcvd
Se6/0/6/1:0, since 01:01:06, no frags rcvd
Se6/0/6:0, since 01:01:06, no frags rcvd
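The following Python script is an added example, not part of the Cisco guide or Cisco software. It parses show ppp multilink output and checks each bundle against the hardware MLPPP guidelines in this section (at most 12 links, all links on the same SPA, fragment size of 128, 256, or 512 bytes). The function names are hypothetical, and fragment_size_for_delay follows this section's 192-byte example by picking the largest supported size that fits within the delay; the guide does not say what happens when fewer than 128 bytes fit, so that case returns None.

```python
import re

MAX_LINKS = 12                       # "Maximum of 12 links in a bundle"
HW_FRAGMENT_SIZES = (128, 256, 512)  # sizes the guide lists for hardware MLPPP

# Constructed input: the "show ppp multilink" sample printed in this section.
SAMPLE_OUTPUT = """\
Multilink1, bundle name is Patriot2
Bundle up for 00:00:13
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 206/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/2/0/1:0, since 00:00:13, no frags rcvd
Se4/2/0/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.
"""

BUNDLE_RE = re.compile(r"^(Multilink\d+), bundle name is (.+)$")
# slot/subslot/port[/t1-number]:channel-group, prefixed with "Se" or "Serial"
MEMBER_RE = re.compile(r"^Se(?:rial)?(\d+)/(\d+)/(\d+)(?:/(\d+))?:(\d+)\b")
FRAG_RE = re.compile(r"Fragment size (\d+)")


def parse_member(text):
    """Split a member-link name into its address fields, or return None."""
    m = MEMBER_RE.match(text.strip())
    if not m:
        return None
    slot, subslot, port, t1, group = m.groups()
    return {"slot": int(slot), "subslot": int(subslot), "port": int(port),
            "t1": int(t1) if t1 is not None else None,
            "channel_group": int(group)}


def parse_bundles(output):
    """Return one dict per bundle found in 'show ppp multilink' output."""
    bundles = []
    for raw in output.splitlines():
        line = raw.strip()
        head = BUNDLE_RE.match(line)
        if head:
            bundles.append({"interface": head.group(1), "name": head.group(2),
                            "members": [], "fragment_size": None,
                            "hardware": False})
            continue
        if not bundles:
            continue  # ignore anything before the first bundle header
        current = bundles[-1]
        member = parse_member(line)
        if member:
            current["members"].append(member)
        frag = FRAG_RE.search(line)
        if frag:
            current["fragment_size"] = int(frag.group(1))
        if "Multilink in Hardware" in line:
            current["hardware"] = True
    return bundles


def check_bundle(bundle):
    """List the guideline violations for one parsed bundle (empty if none)."""
    findings = []
    members = bundle["members"]
    if len(members) > MAX_LINKS:
        findings.append(f"{len(members)} member links exceeds the maximum of {MAX_LINKS}")
    # The slot locates the SIP and the subslot locates the SPA on that SIP.
    spas = sorted({(m["slot"], m["subslot"]) for m in members})
    if len(spas) > 1:
        where = ", ".join(f"{slot}/{subslot}" for slot, subslot in spas)
        findings.append(f"member links span more than one SPA: {where}")
    size = bundle["fragment_size"]
    if size is not None and size not in HW_FRAGMENT_SIZES:
        findings.append(f"fragment size {size} is not one of {HW_FRAGMENT_SIZES}")
    return findings


def fragment_size_for_delay(delay_ms, bandwidth_kbps=1536):
    """Largest supported fragment that serializes within delay_ms, else None."""
    budget_bytes = bandwidth_kbps * delay_ms / 8  # kbit/s * ms = bits
    fitting = [s for s in HW_FRAGMENT_SIZES if s <= budget_bytes]
    return max(fitting) if fitting else None


if __name__ == "__main__":
    for b in parse_bundles(SAMPLE_OUTPUT):
        print(b["interface"], b["name"], "hardware" if b["hardware"] else "software",
              check_bundle(b) or "meets the guidelines")
    print("1 ms on a full T1 ->", fragment_size_for_delay(1), "bytes")
```
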
Configuring MLFR for T1/E1
Multilink Frame Relay (MLFR) allows you to combine T1/E1 lines into a bundle that has the combined
bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1/E1 lines in
each bundle. This allows you to increase the bandwidth of your network links beyond that of a single
T1/E1 line.
MLFR for T1/E1 Configuration Guidelines
MLFR will function in hardware if all of the following conditions are met:
• Only T1 or E1 member links
• All links are on the same SPA
• Maximum of 12 links in a bundle
Create a Multilink Bundle
To create a multilink bundle, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface mfr number
Purpose: Configures a multilink Frame Relay bundle interface.
• number—The number for the Frame Relay bundle.
Command: Router(config-if)# frame-relay multilink bid name
Purpose: (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle.
• name—The name for the Frame Relay bundle.
Note The bundle identification (BID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.
Assign an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Selects the interface to assign.
• slot/subslot/port:channel-group—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Command: Router(config-if)# encapsulation frame-relay mfr number [name]
Purpose: Creates a multilink Frame Relay bundle link and associates the link with a bundle.
• number—The number for the Frame Relay bundle.
• name—The name for the Frame Relay bundle.
Command: Router(config-if)# frame-relay multilink lid name
Purpose: (Optional) Assigns a bundle link identification name with a multilink Frame Relay bundle link.
• name—The name for the Frame Relay bundle.
Note The bundle link identification (LID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.
Command: Router(config-if)# frame-relay multilink hello seconds
Purpose: (Optional) Configures the interval at which a bundle link will send out hello messages. The default value is 10 seconds.
• seconds—Number of seconds between hello messages sent out over the multilink bundle.
Command: Router(config-if)# frame-relay multilink ack seconds
Purpose: (Optional) Configures the number of seconds that a bundle link will wait for a hello message acknowledgment before resending the hello message. The default value is 4 seconds.
• seconds—Number of seconds a bundle link will wait for a hello message acknowledgment before resending the hello message.
Command: Router(config-if)# frame-relay multilink retry number
Purpose: (Optional) Configures the maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment. The default value is 2 tries.
• number—Maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment.
Verifying Multilink Frame Relay
Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:
router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Remove_link sent = 0, Remove_link rcv'd = 0,
Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
Invert Data on the T1/E1 Interface
If the interface on the 8-Port Channelized T1/E1 SPA is used to drive a dedicated T1 line that does not
have B8ZS encoding, you must invert the data stream on the connecting CSU/DSU or on the interface.
Be careful not to invert data on both the CSU/DSU and the interface, as two data inversions will cancel
each other out. To invert data on a T1/E1 interface, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Selects the serial interface.
Command: Router(config-if)# invert data
Purpose: Inverts the data stream.
Use the show running-config command to verify that invert data has been set:
Router# show running-config
.
.
.
interface Serial6/0/0:0
no ip address
encapsulation ppp
logging event link-status
load-interval 30
invert data
no cdp enable
ppp chap hostname group1
ppp multilink
multilink-group 1
!
.
.
.
Changing a Channel Group Configuration
To alter the configuration of an existing channel group, the channel group needs to be removed first. To
remove an existing channel group, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# controller {t1 | e1} slot/subslot/port
Purpose: Select the controller to configure and enter controller configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 17-6.
Command: Router(config-controller)# no channel-group t1 t1-number
Purpose: Select the channel group you want to remove.
• t1 t1-number—Channel-group number.
Command: Follow the steps in the “Enabling the Interfaces on the Controller” section on page 17-3.
Purpose: Create a new channel group with the new configuration.
Configuring Multipoint Bridging
Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, BCP
ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together
with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based
Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks.
Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This
also allows service providers to gradually update their core networks to the latest Gigabit Ethernet
optical technologies, while still supporting their existing customer base.
For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring
Multipoint Bridging” section on page 4-36.
Configuring Bridging Control Protocol Support
The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and
provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The
implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN
(VLAN), and high-speed switched LANs.
For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature
Compatibility by SIP and SPA Combination”.
Configuring BCP on MLPPP
BCP on MLPPP Configuration Guidelines
• Only Distributed MLPPP is supported
• Only channelized interfaces allowed, and member links must be from the same controller card
• Only trunk port BCP is supported on MLPPP
• Bridging can be configured only on the bundle interface
Note BCP on MLPPP operates only in trunk mode. For more information on trunk mode, see the “Configuring
BCP in Trunk Mode” section on page 4-60.
Note When you manually configure the MTU and MRRU values on the bundle interface with BCP on MLPPP,
you should set the MRRU value to at least 20 bytes more than the MTU value. This configuration ensures
that packets with a size up to the configured MTU value on the multilink interface are not dropped
because of the MRRU restrictions.
Configuring BCP on MLPPP Trunk Mode
To configure BCP on MLPPP trunk mode, perform these steps:
Step 1
Command: Router(config)# interface multilink
Purpose: Selects the multilink interface.
Step 2
Command: Router(config-if)# switchport
Purpose: Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.
Step 3
Command: Router(config-if)# switchport trunk allowed vlan 100
Purpose: By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.
Step 4
Command: Router(config-if)# switchport mode trunk
Purpose: Configures the router port connected to the switch as a VLAN trunk port.
Step 5
Command: Router(config-if)# switchport nonegotiate
Purpose: Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames.
Step 6
Command: Router(config-if)# no ip address
Purpose: Removes the assigned IP address.
Step 7
Command: Router(config-if)# ppp multilink
Purpose: Enables this interface to support MLP.
Step 8
Command: Router(config-if)# multilink-group 1
Purpose: Assigns this interface to the multilink group.
Step 9
Command: Router(config-if)# interface Serial1/0/0.1/1/1/1:0
Purpose: Designates a serial interface as a multilink bundle.
Step 10
Command: Router(config-if)# no ip address
Purpose: Unassigns the IP address.
Step 11
Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.
Step 12
Command: Router(config-if)# ppp multilink
Purpose: Enables this interface to support MLP.
Step 13
Command: Router(config-if)# multilink-group 1
Purpose: Assigns this interface to the multilink group 1.
Step 14
Command: Router(config-if)# interface Serial1/0/0.1/1/1/2:0
Purpose: Designates a serial interface as a multilink bundle.
Step 15
Command: Router(config-if)# no ip address
Purpose: Unassigns the IP address.
Step 16
Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.
Step 17
Command: Router(config-if)# ppp multilink
Purpose: Enables this interface to support MLP.
Step 18
Command: Router(config-if)# multilink-group 1
Purpose: Assigns this interface to the multilink group 2.
Step 19
Command: Router(config-if)# shutdown
Purpose: Shuts down an interface.
Step 20
Command: Router(config-if)# no shutdown
Purpose: Reopens an interface.
Step 21
Command: Router(config-if)# switchport trunk allowed vlan vlan-list
Purpose: By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.
Verifying BCP on MLPPP Trunk Mode
To display information about Multilink PPP, use the show ppp multilink command in EXEC mode.
Command: Router(config-if)# show ppp multilink
Purpose: Displays information on a multilink group.
The following shows an example of show ppp multilink:
Router# show ppp multilink
Multilink1, bundle name is group 1
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
0 discarded, 0 lost received, 1/255 load
Member links: 4 active, 0 inactive (max no set, min not set)
Serial1/0/0/:1
Serial1/0/0/:2
Serial1/0/0/:3
Serial1/0/0/:4
FRF.12 Guidelines
FRF.12 functions in hardware. Note the following:
• Only 3 fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes.
The supported fragment sizes (128, 256, and 512) include the FRF and NLPID headers in addition
to the payload.
• If you have a configuration where a C7600 router acts as a Provider Edge (PE) router between
Customer Edge (CE) routers, you can configure the C7600 in plain Frame Relay or Frame Relay
Fragmentation mode. If you enable Frame Relay Fragmentation only at the CE routers and the C7600
acts as a plain Frame Relay interface, the configuration works fine. In a configuration of a C7600 with
any of the three SPAs (8-Port Channelized T1/E1 SPA, 1-Port Channelized OC-3/STM-1 SPA, or 2 or
4-Port CT3 SPA), where Frame Relay is configured on the serial interface and Frame Relay
Fragmentation is enabled in any of the subinterfaces, the fragmented packets may be dropped in the
transparent DLCIs. If you want such a configuration to work, you should set the fragment size value
on the main interface larger than any CE router fragmentation size using the command frame-relay
fragment x end-to-end, where x is the fragmentation size on the main interface.
LFI Guidelines
LFI can function two ways—using FRF.12 or MLPPP. MLPPP LFI can be done in both hardware and
software while FRF.12 LFI is done only in hardware.
HW MLPPP LFI Guidelines
LFI using MLPPP will function only in hardware if there is just one member link in the MLPPP bundle.
The link can be a fractional T1 or full T1. Note the following:
• The ppp multilink interleave command needs to be configured to enable interleaving.
• Only three fragmentation sizes are supported: 128 bytes, 256 bytes, and 512 bytes.
• Fragmentation is enabled by default, the default size being 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
• When hardware-based LFI is enabled, fragmentation counters are not displayed.
FRF.12 LFI Guidelines
LFI using FRF.12 is always done in hardware. Note the following:
• The fragmentation is configured at the main interface.
• Only 3 fragmentation sizes are available: 128 bytes, 256 bytes, and 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
Configuring QoS Features on Serial SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
information about the QoS features supported by the serial SPAs, see the “Configuring QoS Features on
a SIP” section on page 4-94.
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command: Router# copy running-config startup-config
Purpose: Writes the new configuration to NVRAM.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Verifying the Interface Configuration
Besides using the show running-config command to display your Cisco 7600 series router
configuration settings, you can use the show interfaces serial and the show controllers serial
commands to get detailed information on a per-port basis for your 8-Port Channelized T1/E1 SPA.
Verifying Per-Port Interface Status
To find detailed interface information on a per-port basis for the 8-Port Channelized T1/E1 SPA, use the
show interfaces serial command.
The following example provides sample output for interface port 0 on the SPA located in the first subslot
of the SIP installed in slot 6 of a Cisco 7609 router:
Router# show interface serial 6/0/0:0
Serial6/0/0:0 is up, line protocol is up
Hardware is SPA-T1E1
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, crc 32, loopback not set
Keepalive set (10 sec)
LCP Open, multilink Open
Last input 00:00:38, output 00:00:00, output hang never
Last clearing of "show interface" counters 01:46:16
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1272 packets input, 20396 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
6 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 3 abort
1276 packets output, 20460 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions no alarm present
Timeslot(s) Used:1-24, subrate: 64Kb/s, transmit delay is 0 flags
Configuration Examples
This section includes the following configuration examples:
• Framing and Encapsulation Configuration Example, page 17-21
• CRC Configuration Example, page 17-22
• Facility Data Link Configuration Example, page 17-22
• MLPPP Configuration Example, page 17-23
• Invert Data on the T1/E1 Interface Example, page 17-24
• MFR Configuration Example, page 17-23
Framing and Encapsulation Configuration Example
The following example sets the framing and encapsulation for the controller and interface:
! Specify the controller and enter controller configuration mode
!
Router(config)# controller t1 6/0/0
!
! Specify the framing method
!
Router(config-controller)# framing esf
!
! Exit controller configuration mode and return to global configuration mode
!
Router(config-controller)# exit
!
! Specify the interface and enter interface configuration mode
!
Router(config)# interface serial 6/0/0:0
!
! Specify the encapsulation protocol
!
Router(config-if)# encapsulation ppp
!
! Exit interface configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit
CRC Configuration Example
The following example sets the CRC size for the interface:
! Specify the interface and enter interface configuration mode
!
Router(config)# interface serial 6/0/0:0
!
! Specify the CRC size
!
Router(config-if)# crc 32
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit
Facility Data Link Configuration Example
The following example configures Facility Data Link:
! Specify the controller and enter controller configuration mode
!
Router(config)# controller t1 6/0/0
!
! Specify the FDL specification
!
Router(config-controller)# fdl ansi
!
! Exit controller configuration mode and return to global configuration mode
!
Router(config-controller)# exit
!
! Exit global configuration mode
!
Router(config)# exit
MLPPP Configuration Example
The following example creates a PPP Multilink bundle:
! Enter global configuration mode
!
Router# configure terminal
!
! Create a multilink bundle and assign a group number to the bundle
!
Router(config)# interface multilink 1
!
! Specify an IP address for the multilink group
!
Router(config-if)# ip address 123.456.789.111 255.255.255.0
!
! Enable Multilink PPP
!
Router(config-if)# ppp multilink
!
! Leave interface multilink configuration mode
!
Router(config-if)# exit
!
! Specify the interface to assign to the multilink bundle
!
Router(config)# interface serial 3/1/0:1
!
! Enable PPP encapsulation on the interface
!
Router(config-if)# encapsulation PPP
!
! Assign the interface to a multilink bundle
!
Router(config-if)# multilink-group 1
!
! Enable Multilink PPP
!
Router(config-if)# ppp multilink
!
! Exit interface configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit
MFR Configuration Example
The following example configures Multilink Frame Relay (MFR):
! Create a MFR interface and enter interface configuration mode
!
Router(config)# interface mfr 49
!
! Assign the bundle identification (BID) name ‘test’ to a multilink bundle.
!
Router(config-if)# frame-relay multilink bid test
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Specify the serial interface to assign to a multilink bundle
!
Router(config)# interface serial 5/1/3:0
!
! Creates a multilink Frame Relay bundle link and associates the link with a multilink bundle
!
Router(config-if)# encapsulation frame-relay mfr 49
!
! Assigns a bundle link identification (LID) name with a multilink bundle link
!
Router(config-if)# frame-relay multilink lid test
!
! Configures the interval at which the interface will send out hello messages
!
Router(config-if)# frame-relay multilink hello 15
!
! Configures the number of seconds the interface will wait for a hello message
! acknowledgement before resending the hello message
!
Router(config-if)# frame-relay multilink ack 6
!
! Configures the maximum number of times the interface will resend a hello message while
! waiting for an acknowledgement
!
Router(config-if)# frame-relay multilink retry 5
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit
Invert Data on the T1/E1 Interface Example
The following example inverts the data on the serial interface:
! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 5/1/3:0
!
! Configure invert data
!
Router(config-if)# invert data
!
! Exit interface configuration mode and return to global configuration mode
!
Router(config-if)# exit
!
! Exit global configuration mode
!
Router(config)# exit
Chapter 18 Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs
This chapter provides information about configuring the 2-Port and 4-Port Clear Channel T3/E3 Shared
Port Adapters (SPAs) on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks, page 18-1
• Verifying the Interface Configuration, page 18-17
• Configuration Examples, page 18-19
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes how to configure the 2-Port Clear Channel T3/E3 SPA for the Cisco 7600 series
router and includes information about verifying the configuration.
It includes the following topics:
• Required Configuration Tasks, page 18-2
• Specifying the Interface Address on a SPA, page 18-5
• Optional Configurations, page 18-5
• Saving the Configuration, page 18-17
Required Configuration Tasks
This section lists the required configuration steps to configure the 2-Port and 4-Port Clear Channel
T3/E3 SPA. Some of the required configuration commands implement default values that might be
appropriate for your network. If the default value is correct for your network, then you do not need to
configure the command.
• Setting the Card Type
• Configure the Interface
Note To better understand the address format used to specify the physical location of the SPA Interface
Processor (SIP), SPA, and interfaces, see the “Specifying the Interface Address on a SPA” section on
page 18-5.
Setting the Card Type
The SPA is not functional until the card type is set. Information about the SPA is not indicated in the
output of any show commands until the card type has been set. There is no default card type.
Note Mixing of interface types is not supported. All ports on a SPA will be of the same type.
To set the card type for the 2-Port and 4-Port Clear Channel T3/E3 SPA, complete these steps:
Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command: Router(config)# card type {t3 | e3} slot subslot
Purpose: Sets the serial mode for the SPA:
• t3—Specifies T3 connectivity of 44210 kbps through the network, using B3ZS coding.
• e3—Specifies a wide-area digital transmission scheme used predominantly in Europe that carries data at a rate of 34010 kbps.
• slot subslot—Specifies the location of the SPA. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Step 3
Command: Router(config)# exit
Purpose: Exits configuration mode and returns to the EXEC command interpreter prompt.
Configure the Interface
To set the IP address for the 2-Port and 4-Port Clear Channel T3/E3 SPA, complete these steps:
Step 1
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Step 2
Command: Router(config-if)# ip address address mask
Purpose: Sets the IP address and subnet mask.
• address—IP address
• mask—Subnet mask
Step 3
Command: Router(config-if)# clock source {internal | line}
Purpose: Sets the clock source to internal.
• internal—Specifies that the internal clock source is used.
• line—Specifies that the network clock source is used. This is the default.
Step 4
Command: Router(config-if)# no shut
Purpose: Enables the interface.
Step 5
Command: Router(config)# exit
Purpose: Exits configuration mode and returns to the EXEC command interpreter prompt.
Verifying Controller Configuration
Use the show controllers command to verify the controller configuration:
Router# show controllers serial 6/0/0
Serial6/0/0 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 2, since reset 0
Data in current interval (546 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Data in Interval 44:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
560 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Total Data (last 44 15 minute intervals):
0 Line Code Violations, 0 P-bit Coding Violation,
0 C-bit Coding Violation,
0 P-bit Err Secs, 0 P-bit Sev Err Secs,
0 Sev Err Framing Secs, 0 Unavailable Secs,
24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Transmitter is sending AIS.
Receiver has loss of signal.
40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
No FEAC code is being received
MDL transmission is disabled
Use the show controllers brief command to view a subset of the show controllers output:
Router# show controllers serial 6/0/2 brief
Serial6/0/2 -
Framing is c-bit, Clock Source is Internal
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 22
No alarms detected.
No FEAC code is being received
MDL transmission is disabled
Verifying Interface Configuration
Use the show interfaces command to verify the interface configuration:
Router# show interfaces serial 6/0/0
Serial6/0/0 is up, line protocol is up
Hardware is SPA-4T3E3
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 12/255, rxload 56/255
Encapsulation FRAME-RELAY, crc 16, loopback not set
Keepalive set (10 sec)
LMI enq sent 13477, LMI stat recvd 13424, LMI upd recvd 0, DTE LMI up
LMI enq recvd 19, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 00:00:09, output 00:00:09, output hang never
Last clearing of "show interface" counters 1d13h
Input queue: 0/75/3/3891 (size/max/drops/flushes); Total output drops: 5140348
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 9716000 bits/sec, 28149 packets/sec
5 minute output rate 2121000 bits/sec, 4466 packets/sec
14675957334 packets input, 645694448563 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
14562482078 packets output, 640892196653 bytes, 0 underruns
0 output errors, 0 applique, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
rxLOS inactive, rxLOF inactive, rxAIS inactive
txAIS inactive, rxRAI inactive, txRAI inactive
Serial6/0/0.16 is up, line protocol is up
Hardware is SPA-4T3E3
Internet address is 110.1.1.2/24
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 11/255, rxload 53/255
Encapsulation FRAME-RELAY
Specifying the Interface Address on a SPA
SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port
number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP,
SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; however, the same slot/subslot/port
format is similarly used for other SPAs (such as ATM and POS) and other non-channelized SPAs.
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for
SIPs, SSCs, and SPAs” section on page 4-2.
Optional Configurations
There are several standard, but optional configurations that might be necessary to complete the
configuration of your serial SPA.
• Configuring Data Service Unit Mode, page 18-6
• Configuring Maintenance Data Link, page 18-8
• Configuring Scramble, page 18-10
• Configuring Framing, page 18-12
• Configuring Encapsulation, page 18-13
• Configuring Cable Length, page 18-14
• Configuring Invert Data, page 18-15
• Configuring the Trace Trail Buffer, page 18-16
• Configuring Multipoint Bridging, page 18-17
• Configuring Bridging Control Protocol Support, page 18-17
• Configuring QoS Features on Serial SPAs, page 18-17
• Saving the Configuration, page 18-17
Configuring Data Service Unit Mode
Configure the SPA to connect with customer premises Data Service Units (DSUs) by setting the DSU
mode. Subrating a T3 or E3 interface reduces the peak access rate by limiting the data transfer rate. To
configure the DSU mode and bandwidth, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command (T3): Router(config-if)# dsu mode {0 | 1 | 2 | 3 | 4}
Command (E3): Router(config-if)# dsu mode {0 | 1}
Purpose: Specifies the interoperability mode used by a T3 controller.
• 0—Connects a T3/E3 controller to another T3/E3 controller or to a Digital Link DSU (DL3100 in T3 mode and DL3100E in E3 mode). This is the default.
• 1—Connects a T3/E3 controller to a Kentrox DataSMART T3/E3 IDSU.
• 2—Connects a T3 controller to a Larscom Access-T45 DS3 DSU.
• 3—Connects a T3 controller to an Adtran T3SU 300.
• 4—Connects a T3 controller to a Verilink HDM 2182.
Command: Router(config-if)# dsu bandwidth kbps
Purpose: Specifies the allowable bandwidth.
• kbps—The bandwidth range and increment values are based on the specific DSU. Default for T3 mode is 44010 kbps and 34010 kbps for E3 mode.
• Digital Link DL3100
– range: 300 to 44210 kbps
– increments: 300 kbps
• Digital Link DL3100E
– range: 358 to 34010 kbps
– increments: 358 kbps
• Kentrox DataSMART T3/E3 IDSU
– range: 1000 to 34000 kbps (E3 mode)
– range: 1500 to 44210 kbps (T3 mode)
– increments: 500 kbps
• Larscom Access-T45 DS3
– range: 3100 to 44210 kbps
– increments: 3100 kbps
• Adtran T3SU 300
– range: 80 to 44210 kbps
– increments: 80 kbps
• Verilink HDM 2182
– range: 1600 to 31600 kbps
– increments: 1600 kbps
Command: Router(config-if)# remote {accept | fullrate}
Purpose: Specifies where the DSU bandwidth is set.
• accept—Accept incoming remote requests to reset the DSU bandwidth.
• fullrate—Set far end DSU to its fullrate bandwidth.
Verifying DSU Mode
Use the show controllers serial command to display the DSU settings:
Router# show controllers serial 6/0/0
Serial6/0/0 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 2, since reset 0
Data in current interval (546 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Configuring Maintenance Data Link
MDL messages are used to communicate identification information between local and remote ports. The
type of information included in MDL messages includes the equipment identification code (EIC),
location identification code (LIC), frame identification code (FIC), unit, Path Facility Identification
(PFI), port number, and Generator Identification numbers.
Note C-bit framing has to be enabled in order to transport MDL messages between source and destination T3
ports.
To configure Maintenance Data Link (MDL), use the following commands.
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command: Router(config-if)# mdl [string {eic | fic | generator | lic | pfi | port | unit} string] | [transmit {idle-signal | path | test-signal}]
Purpose: Configures the Maintenance Data Link (MDL) message.
• eic string—Equipment identification code (up to 10 characters), which is a value used to describe a specific piece of equipment according to ANSI T1.107-1995.
• fic string—Frame identification code (up to 10 characters), which is a value used to identify where the equipment is located within a building at a given location according to ANSI T1.107-1995.
• generator string—Specifies the Generator number string sent in the MDL Test Signal message; can be up to 38 characters.
• lic string—Location identification code (up to 11 characters), which is a value used to describe a specific location according to ANSI T1.107-1995.
• pfi string—Specifies the Path Facility Identification Code sent in the MDL Path message; can be up to 38 characters.
• port string—Specifies the Port number string sent in the MDL Idle Signal message; can be up to 38 characters.
• unit string—Unit identification code (up to 6 characters), which is a value that identifies the equipment location within a subslot according to ANSI T1.107-1995.
• transmit idle-signal—Enables transmission of the MDL idle signal message. An MDL idle signal message, as defined by ANSI T1.107, is distinguished from path and test signal messages in that it contains a port number as its final data element.
• transmit path—Enables transmission of the MDL path message. An MDL path message, as defined by ANSI T1.107, is distinguished from idle and test signal messages in that it contains a facility identification code as its final data element.
• transmit test-signal—Enables transmission of the MDL test signal message. An MDL test signal message, as defined by ANSI T1.107, is distinguished from path and idle signal messages in that it contains a generator number as its final data element.
Verifying MDL
Use the show controllers serial command to display the MDL settings:
Router# show controllers serial 6/0/0
Serial6/0/0 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 2, since reset 0
Data in current interval (546 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Data in Interval 96:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Total Data (last 24 hours)
0 Line Code Violations, 0 P-bit Coding Violation,
0 C-bit Coding Violation,
0 P-bit Err Secs, 0 P-bit Sev Err Secs,
0 Sev Err Framing Secs, 0 Unavailable Secs,
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
No alarms detected.
0 Sev Err Line Secs, 1 Far-End Err Secs, 0 Far-End Sev Err Secs
0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
No FEAC code is being received
MDL transmission is enabled
EIC: tst, LIC: 67,
Test Signal GEN_NO: test
Far-End MDL Information Received
EIC: tst, LIC: 67,
Test Signal GEN_NO: test
Configuring Scramble
T3/E3 scrambling is used to assist clock recovery on the receiving end. Scrambling is designed to
randomize the pattern of 1s and 0s carried in the physical layer frame. Randomizing the digital bits can
prevent continuous, nonvariable bit patterns—in other words, long strings of all 1s or all 0s. Several
physical layer protocols rely on transitions between 1s and 0s to maintain clocking.
Scrambling can prevent some bit patterns from being mistakenly interpreted as alarms by switches
placed between the Data Service Units (DSUs).
To configure scrambling, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command: Router(config-if)# [no] scramble
Purpose: Enables scrambling. Scrambling is disabled by default.
• scramble—Enable scramble.
• no scramble—Disable scramble.
Note When using framing bypass, no scrambling must be configured.
Verifying Scramble Configuration
Use the show controllers serial command to display the scrambling setting:
Router# show controllers serial 6/0/0
Serial6/0/0 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 2, since reset 0
Scrambling is enabled
Data in current interval (356 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Configuring Framing
Framing is used to synchronize data transmission on the line. Framing allows the hardware to determine
when each packet starts and ends. To configure framing, use the following commands.
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the T3/E3 interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command (T3): Router(config-if)# framing {bypass | c-bit | m13}
Command (E3): Router(config-if)# framing {bypass | g751 | g832}
Purpose: Sets the framing on the interface.
• bypass—Configure framing bypass to use the full T3 or E3 bandwidth.
• c-bit—Specifies C-bit parity framing. This is the default for T3.
• m13—Specifies M13 framing.
• g751—Specifies g751 framing. This is the default for E3.
• g832—Specifies g832 framing.
Verifying Framing Configuration
Use the show controllers serial command to display the framing method:
Router# show controllers serial 6/0/0
Serial6/0/0 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 2, since reset 0
Data in current interval (546 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Configuring Encapsulation
When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set
the encapsulation method, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command: Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
Purpose: Sets the encapsulation method on the interface.
• hdlc—High-Level Data Link Control (HDLC) protocol for serial interface. This is the default.
• ppp—PPP (for serial interface).
• frame-relay—Frame Relay (for serial interface).
Verifying Encapsulation
Use the show interfaces command to display the encapsulation method:
Router# show interfaces serial 6/0/1
Serial6/0/1 is up, line protocol is up
Hardware is SPA-4T3E3
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 223/255, rxload 222/255
Encapsulation FRAME-RELAY, crc 16, loopback not set
Keepalive set (10 sec)
LMI enq sent 13076, LMI stat recvd 13076, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters 1d12h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 38579000 bits/sec, 109611 packets/sec
5 minute output rate 38671000 bits/sec, 109852 packets/sec
14374551065 packets input, 632486376132 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
14408526130 packets output, 633974757440 bytes, 0 underruns
0 output errors, 0 applique, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
rxLOS inactive, rxLOF inactive, rxAIS inactive
txAIS inactive, rxRAI inactive, txRAI inactive
Configuring Cable Length
The cablelength command compensates for the loss in decibels based on the distance from the device
to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal
strength on the circuit be boosted to compensate for loss over that distance. To configure cable length,
use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command: Router(config-if)# cablelength length
Purpose: Sets the cable length.
• length—Range is 0-450 feet. The default is 10 feet.
Verify Cable Length Setting
Use the show interfaces serial command to verify the cable length setting:
Router# show interfaces serial 4/0/0
Serial4/0/0 -
Framing is c-bit, Clock Source is Internal
Bandwidth limit is 44210, DSU mode 0, Cable length is 200
rx FEBE since last clear counter 0, since reset 22
Data in current interval (446 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 2:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Configuring Invert Data
Delays between the TE clock and data transmission indicate that the transmit clock signal might not be
appropriate for the interface rate and length of cable being used. Different ends of the wire may have
variances that differ slightly. Invert the clock signal to compensate for these factors. To configure invert
data, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command: Router(config-if)# invert {data}
Purpose: Inverts the data.
• data—Invert the data stream.
Verify Invert Data Setting
Use the show running-config command to verify that invert data was set on the interface:
Router# show running-config
.
.
.
interface Serial6/0/0
ip address 51.1.1.1 255.255.255.0
logging event link-status
dsu bandwidth 44210
framing c-bit
cablelength 10
clock source internal
invert data
mdl string eic tst
mdl string lic 67
mdl string generator test
mdl transmit path
mdl transmit test-signal
no cdp enable
!
.
.
.
Configuring the Trace Trail Buffer
Configure TTB to send messages to the remote device. The TTB messages check for the continued
presence of the transmitter. To configure TTB, use the following commands:
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See the “Specifying the Interface Address on a SPA” section on page 18-5.
Command: Router(config-if)# ttb {country | rnode | serial | snode | soperator | x} string
Purpose: Sends a Trace Trail Buffer message in E3 g.832 framing mode.
• country—Two character country code
• rnode—Receive node code
• serial—M.1400 serial
• snode—Sending location/Node ID code
• soperator—Sending operator code. (must be numeric)
• x—X0
• string—TTB message.
Verify TTB Settings
Use the show controllers serial command to display the TTB settings for the interface:
Router# show controllers serial 6/0/0
Serial6/0/0 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 2, since reset 0
Data in current interval (546 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
No alarms detected.
TTB transmission is disabled
TTB Rx: country: us soperator: s snode: sn rnode: rn x: x serial: 1
Configuring Multipoint Bridging
Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, BCP
ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together
with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based
Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks.
Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This
also allows service providers to gradually update their core networks to the latest Gigabit Ethernet
optical technologies, while still supporting their existing customer base.
For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring
Multipoint Bridging” section on page 4-36 of Chapter 4, “Configuring the SIPs and SSC.”
Configuring Bridging Control Protocol Support
The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and
provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The
implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN
(VLAN), and high-speed switched LANs.
For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature
Compatibility” section in Chapter 4, “Configuring the SIPs and SSC.”
Configuring QoS Features on Serial SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
information about the QoS features supported by the serial SPAs, see the “Configuring QoS Features on
a SIP” section on page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command: Router# copy running-config startup-config
Purpose: Writes the new configuration to NVRAM.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Verifying the Interface Configuration
Besides using the show running-config command to display your Cisco 7600 series router
configuration settings, you can use the show interfaces serial and the show controllers serial
commands to get detailed information on a per-port basis for your 2-Port and 4-Port Clear Channel
T3/E3 SPA.
Verifying Per-Port Interface Status
To find detailed interface information on a per-port basis for the 2-Port and 4-Port Clear Channel T3/E3
SPA, use the show interfaces serial command.
The following example provides sample output for interface port 1 on the SPA located in the first subslot
of the SIP installed in slot 5 of a Cisco 7600 series router:
Router# show interface serial 5/0/1
Serial5/0/1 is up, line protocol is up
Hardware is SPA-4T3E3
Internet address is 120.1.1.1/24
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 234/255, rxload 234/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 40685000 bits/sec, 115627 packets/sec
5 minute output rate 40685000 bits/sec, 115624 packets/sec
4652915554 packets input, 204728203496 bytes, 0 no buffer
Received 4044 broadcasts (0 IP multicast)
130 runts, 0 giants, 0 throttles
0 parity
1595 input errors, 543 CRC, 0 frame, 0 overrun, 0 ignored, 922 abort
4653081242 packets output, 204735493748 bytes, 0 underruns
0 output errors, 0 applique, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
Monitoring Per-Port Interface Statistics
To find detailed status and statistical information on a per-port basis for the 2-Port and 4-Port Clear
Channel T3/E3 SPA, use the show controllers serial command.
The following example provides sample output for interface port 1 on the SPA located in the first subslot
of the SIP that is installed in slot 5 of the Cisco 7600 series router:
Router# show controller serial 5/0/2
Serial5/0/2 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 0
Data in current interval (807 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 306 Unavailable Secs
500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 2:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 3:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
562 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 4:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
560 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Total Data (last 44 15 minute intervals):
0 Line Code Violations, 0 P-bit Coding Violation,
0 C-bit Coding Violation,
0 P-bit Err Secs, 0 P-bit Sev Err Secs,
0 Sev Err Framing Secs, 0 Unavailable Secs,
24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Transmitter is sending AIS.
Receiver has loss of signal.
40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
No FEAC code is being received
MDL transmission is disabled
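The counters and alarm lines in this output can be checked by script instead of by eye. The following Python example is added here and is not Cisco code: it parses show controllers serial text in the layout shown above and lists every alarm line and nonzero counter per interval. The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: abridged from the Serial5/0/2 output layout shown above.
SAMPLE_OUTPUT = """\
Serial5/0/2 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 0
Data in current interval (807 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 306 Unavailable Secs
500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Transmitter is sending AIS.
Receiver has loss of signal.
"""

IFACE_RE = re.compile(r"^(Serial\S+) -$")
SECTION_RE = re.compile(r"^(Data in current interval|Data in Interval \d+|Total Data)\b")
ALARM_RE = re.compile(r"^(?:Transmitter is sending|Receiver has) .+\.$")
COUNTER_RE = re.compile(r"^(\d+) (\D.*)$")


def parse_controllers(text):
    """Return {interface: {"alarms": [...], "intervals": {name: {counter: value}}}}."""
    report = {}
    iface = section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:                                   # "Serial5/0/2 -" opens a new interface
            iface = report.setdefault(m.group(1), {"alarms": [], "intervals": {}})
            section = None
            continue
        if iface is None:                       # prompt or banner before any interface
            continue
        m = SECTION_RE.match(line)
        if m:                                   # interval header line
            section = iface["intervals"].setdefault(m.group(1), {})
            continue
        if ALARM_RE.match(line):
            iface["alarms"].append(line.rstrip("."))
            continue
        if section is None:                     # framing/bandwidth summary lines
            continue
        for token in line.split(","):           # "<count> <counter name>" pairs
            m = COUNTER_RE.match(token.strip())
            if m:
                section[m.group(2).strip()] = int(m.group(1))
    return report


def findings(report):
    """List (interface, where, detail) for each alarm and each nonzero counter."""
    out = []
    for name, data in report.items():
        for alarm in data["alarms"]:
            out.append((name, "alarm", alarm))
        for interval, counters in data["intervals"].items():
            for counter, value in counters.items():
                if value:
                    out.append((name, interval, f"{counter}={value}"))
    return out


if __name__ == "__main__":
    for item in findings(parse_controllers(SAMPLE_OUTPUT)):
        print(*item, sep=" | ")
```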
Configuration Examples
This section includes the following configuration examples:
• DSU Configuration Example
• MDL Configuration Example
• Scrambling Configuration Example
• Framing Configuration Example
• Encapsulation Configuration Example
• Cable Length Configuration Example
• Invert Data Configuration Example
• Trace Trail Buffer Configuration Example
DSU Configuration Example
The following example configures DSU on interface port 0 on slot 4, subslot 1.
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/0
!
! Specify the DSU mode
!
Router(config-if)# dsu mode 0
!
! Specify the DSU bandwidth
!
Router(config-if)# dsu bandwidth 10000
!
! Set the DSU bandwidth to accept or reject the incoming remote requests
!
Router(config-if)# dsu remote accept
MDL Configuration Example
The following example configures the MDL strings on interface port 0 on slot 4, subslot 1.
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/0
!
! Specify the MDL strings
!
Router(config-if)# mdl string eic beic
Router(config-if)# mdl string lic beic
Router(config-if)# mdl string fic bfix
Router(config-if)# mdl string unit bunit
Router(config-if)# mdl string pfi bpfi
Router(config-if)# mdl string port bport
Router(config-if)# mdl string generator bgen
Router(config-if)# mdl transmit path
Router(config-if)# mdl transmit idle-signal
Router(config-if)# mdl transmit test-signal
Scrambling Configuration Example
The following example configures scrambling on the T3/E3 interface:
! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Enable scrambling
!
Router(config-if)# scrambling
Framing Configuration Example
The following example configures framing on interface port 1 on slot 4, subslot 1.
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/1
!
! Specify the framing method
!
Router(config-if)# framing m13
Encapsulation Configuration Example
The following example configures encapsulation on interface port 1 on slot 4, subslot 1.
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/1
!
! Specify the encapsulation method
!
Router(config-if)# encapsulation PPP
Cable Length Configuration Example
The following example sets the cable length to 200 feet:
! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Specify the cable length
!
Router(config-if)# cablelength 200
Invert Data Configuration Example
The following example enables invert data:
! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Enable invert data
!
Router(config-if)# invert data
Trace Trail Buffer Configuration Example
The following example configures the TTB attributes:
! Enter global configuration mode
!
Router# configure terminal
!
! Specify the serial interface and enter interface configuration mode
!
Router(config)# interface serial 4/1/3
!
! Specify the TTB attributes
!
Router(config-if)# ttb country ab
Router(config-if)# ttb soperator 56
Router(config-if)# ttb snode 34
Router(config-if)# ttb rnode cd
Router(config-if)# ttb x 7
Router(config-if)# ttb serial 12
CHAPTER 19
Configuring the 2-Port and 4-Port Channelized T3 SPAs
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-29
This chapter provides information about configuring the 2-Port and 4-Port Channelized T3 Shared Port
Adapters (SPAs) on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks
• Verifying the Interface Configuration
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes how to configure the serial SPAs for the Cisco 7600 series router and includes
information about verifying the configuration.
It includes the following topics:
• Required Configuration Tasks
• Specifying the Interface Address on a SPA
• Optional Configurations
• Saving the Configuration
Required Configuration Tasks
This section lists the required configuration steps to configure the 2-Port and 4-Port Channelized T3
SPA. Some of the required configuration commands implement default values that might be appropriate
for your network.
• Configuring the T3 Controller
• Configuring the Logical T1 Interfaces
• Verifying T3 Controller Configuration
• Verifying Interface Configuration
Note To better understand the address format used to specify the physical location of the SPA Interface
Processor (SIP), SPA, and interfaces, see the section Specifying the Interface Address on a SPA,
page 19-7.
Configuring the T3 Controller
To configure the T3 controller for the 2-Port and 4-Port Channelized T3 SPA, complete these steps:
Step 1 Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 2 Command: Router(config)# controller t3 slot/subslot/port
Purpose: Selects the controller to configure and enters controller configuration mode.
• slot/subslot/port—Specifies the location of the CT3 SPA port. See the “Specifying the Interface Address on a SPA” section on page 19-7.
Step 3 Command: Router(config-controller)# [no] channelized
Purpose: (Optional) Specifies the channelization mode.
• channelized—In channelized mode, the T3 link can be channelized into 28 T1s, and each T1 can be further channelized into 24 DS0s. This is the default.
• no channelized—In the unchannelized mode the T3 link provides a single high-speed data channel of 44210 kbps.
Step 4 Command: Router(config-controller)# framing {auto-detect | c-bit | m23}
Purpose: (Optional) Specifies the framing type in channelized mode.
• auto-detect—Detects the framing type at the device at the end of the line and switches to that framing type. If both devices are set to auto-detect, c-bit framing is used.
• c-bit—Specifies C-bit parity framing. This is the default.
• m23—Specifies M23 framing.
Note: To set the framing type for an un-channelized T3, see the “Configuring T3 Framing” section on page 19-14.
Step 5 Command: Router(config-controller)# clock source {internal | line}
Purpose: (Optional) Specifies the clock source.
• internal—Specifies that the internal clock source is used. Default for channelized mode.
• line—Specifies that the network clock source is used. Default for un-channelized mode.
Step 6 Command: Router(config-controller)# cablelength {0 - 450}
Purpose: (Optional) Specifies the cable length. The default is 224 ft.
• 0-450—Cable length in feet.
Configuring the Logical T1 Interfaces
If channelized mode is configured for the T3 controller, use the following procedure to configure the
logical T1 interfaces.
Step 1 Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 2 Command: Router(config)# controller t3 slot/subslot/port
Purpose: Selects the controller to configure and enters controller configuration mode.
• slot/subslot/port—Specifies the location of the CT3 SPA port. See the “Specifying the Interface Address on a SPA” section on page 19-7.
Step 3 Command: Router(config-controller)# t1 t1-number channel-group channel-number timeslots range [speed {56 | 64}]
Purpose: Specifies the T1 channel and timeslots to be mapped to each channel.
• t1-number—T1 number from 1–28.
• channel-number—Specifies a channel-group mapping (0–23) under the designated T1.
• range—List of timeslots under the channel-group. Timeslots assigned to this T1 can be 1–24 or a combination of subranges within 1–24. You can indicate a range using a hyphen, commas, or a combination of both. One timeslot equals one DS0.
• speed 56 or 64—Specifies the speed of a timeslot as either 56 or 64 kbps. The default speed of 64 kbps is not mentioned in the config.
Step 4 Command: Router(config-controller)# t1 t1-number framing {esf | sf [hdlc-idle {0x7e | 0xff}] [mode {j1}]}
Purpose: (Optional) Specifies the T1 framing type using the framing command.
• sf—Specifies Super Frame as the T1 frame type.
Note: If you select sf framing, you should consider disabling yellow alarm detection because the yellow alarm can be incorrectly detected with sf framing.
• esf—Specifies Extended Super Frame as the T1 frame type. This is the default.
• hdlc-idle—The hdlc-idle option allows you to set the idle pattern for the T1 interface to either 0x7e (the default) or 0xff.
Step 5 Command: Router(config-controller)# t1 channel-number clock source {internal | line}
Purpose: (Optional) Specifies the T1 clock source.
• internal—Specifies that the internal clock source is used. This is the default.
• line—Specifies that the network clock source is used.
Step 6 Configure the serial interfaces.
Note: After a T1 channel is configured, it appears to the Cisco IOS software as a serial interface;
therefore, all the configuration commands for a serial interface are available. However, not all
commands are applicable to the T1 interface. All the encapsulation formats, such as PPP,
HDLC, and Frame Relay are applicable to the configured T1. Encapsulation can be set via the
serial interface configuration commands.
For detailed interface configuration information, see the Cisco IOS Interface Configuration Guide,
Release 12.2 at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087098.html
Verifying T3 Controller Configuration
Use the show controllers command to verify the controller configuration:
Router# show controllers t3
T3 3/1/0 is administratively down.
T3 3/1/1 is administratively down.
T3 3/1/2 is up. Hardware is 4 ports CT3 SPA
ATLAS FPGA version: 0, FREEDM336 version: 0
TEMUX84(1) version: 0, TEMUX84(1) version: 0
SUBRATE FPGA version: 0
Applique type is Channelized T3
No alarms detected.
Framing is M23, Line Code is B3ZS, Clock Source is Internal
Equipment customer loopback
Data in current interval (746 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 0 LOS Defect Secs
T1 1 is up
timeslots: 1-24
FDL per AT&T 54016 spec.
No alarms detected.
Framing is ESF, Clock Source is Internal
Data in current interval (177 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
0 Unavail Secs, 0 Stuffed Secs
0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
Total Data (last 2 15 minute intervals):
0 Line Code Violations,0 Path Code Violations,
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
0 Unavail Secs, 0 Stuffed Secs
0 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
T1 2
Not configured.
T1 3
Not configured.
.
.
.
T3 3/1/3 is up. Hardware is 4 ports CT3 SPA
ATLAS FPGA version: 0, FREEDM336 version: 0
TEMUX84(1) version: 0, TEMUX84(1) version: 0
SUBRATE FPGA version: 0
Applique type is Subrate T3
No alarms detected.
MDL transmission is disabled
FEAC code received: No code is being received
Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
Equipment customer loopback
Data in current interval (657 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
0 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 0 LOS Defect Secs
Verifying Interface Configuration
Use the show interface serial command to verify the interface configuration. The following example
shows the output for the serial interface for an un-channelized T3:
Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
Hardware is Channelized/ClearChannel CT3 SPA
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions alarm present
DSU mode 0, bandwidth 44210 Kbit, scramble 0, VC 0
The following example shows the output for a serial interface for the first T1 on a channelized T3:
Router# show interface serial3/0/1/1:0
Serial3/0/1/1:0 is administratively down, line protocol is down
Hardware is Channelized/ClearChannel CT3 SPA
MTU 1500 bytes, BW 832 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions alarm present
VC 1: timeslot(s): 2-14, Transmitter delay 0, non-inverted data
Specifying the Interface Address on a SPA
SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port
number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP,
SPA, and interface in the CLI. The interface address format is slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
This command shows a serial SPA as a representative example; however, the same slot/subslot/port
format is similarly used for other SPAs (such as ATM and POS) and other non-channelized SPAs.
For the 4-Port Channelized T3 SPA, the interface address format is
slot/subslot/port/t1-number:channel-group, where:
• t1-number—Specifies the logical T1 number in channelized mode.
• channel-group—Specifies the logical channel group assigned to the timeslots within the T1 link.
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for
SIPs, SSCs, and SPAs” section on page 4-2.
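The address format above and the timeslot rules from the t1 channel-group step can be validated before a configuration is pushed. The following Python example is added here and is not Cisco code: it parses both address forms, enforces the t1-number (1–28), channel-group (0–23) and timeslot (1–24) ranges given in this chapter, and derives the channel-group bandwidth as timeslots × speed, which reproduces the BW 832 Kbit shown for timeslots 2-14 in the sample output. All function and class names are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# slot/subslot/port, optionally followed by /t1-number:channel-group
ADDR_RE = re.compile(r"^(?:[Ss]erial\s*)?(\d+)/(\d+)/(\d+)(?:/(\d+):(\d+))?$")


class SpaAddress(NamedTuple):
    slot: int
    subslot: int
    port: int
    t1_number: Optional[int] = None
    channel_group: Optional[int] = None


def parse_address(text):
    """Parse 'Serial3/0/0' or '3/0/1/1:0' into an SpaAddress, validating ranges."""
    m = ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a slot/subslot/port address: {text!r}")
    slot, subslot, port = (int(g) for g in m.group(1, 2, 3))
    if m.group(4) is None:
        return SpaAddress(slot, subslot, port)
    t1, group = int(m.group(4)), int(m.group(5))
    if not 1 <= t1 <= 28:
        raise ValueError(f"t1-number {t1} outside 1-28")
    if not 0 <= group <= 23:
        raise ValueError(f"channel-group {group} outside 0-23")
    return SpaAddress(slot, subslot, port, t1, group)


def parse_timeslots(spec):
    """Expand a timeslot list such as '1-3,7,10-12' into sorted DS0 numbers."""
    slots = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not lo.strip().isdigit() or (sep and not hi.strip().isdigit()):
            raise ValueError(f"bad timeslot entry: {part!r}")
        first = int(lo)
        last = int(hi) if sep else first
        if not 1 <= first <= last <= 24:
            raise ValueError(f"timeslot range {part.strip()!r} outside 1-24")
        slots.update(range(first, last + 1))
    return sorted(slots)


def channel_group_kbps(spec, speed=64):
    """Bandwidth of a channel group: one DS0 per timeslot at 56 or 64 kbps."""
    if speed not in (56, 64):
        raise ValueError("speed must be 56 or 64")
    return len(parse_timeslots(spec)) * speed


if __name__ == "__main__":
    print(parse_address("Serial3/0/1/1:0"))
    print(channel_group_kbps("2-14"), "kbps")
```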
Optional Configurations
There are several standard, but optional configurations that might be necessary to complete the
configuration of your serial SPA.
• Configuring the Data Service Unit Mode
• Configuring Maintenance Data Link
• Configuring Encapsulation
• Configuring T3 Framing
• Configuring FDL
• Configuring Scramble
• Configuring Multilink Point-to-Point Protocol (Hardware-based)
• Configuring MLFR for T1/E1
• Configuring Multipoint Bridging
• Configuring Bridging Control Protocol Support
• Configuring BCP on MLPPP
• FRF.12 Guidelines
• LFI Guidelines
• Hardware MLPPP LFI Guidelines
• FRF.12 LFI Guidelines
• Configuring QoS Features on Serial SPAs
Configuring the Data Service Unit Mode
Configure the SPA to connect with customer premise Data Service Units (DSUs) by setting the DSU
mode. Subrating a T3 or E3 interface reduces the peak access rate by limiting the data transfer rate. To
configure the Data Service Unit (DSU) mode, use the following commands.

Step 1
Command: Router# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the controller to configure and enters controller configuration mode.
• slot/subslot/port—Specifies the location of the controller. See: Specifying the Interface Address on a SPA, page 19-7

Step 3
Command: Router(config-if)# dsu mode {0 | 1 | 2 | 3 | 4}
Purpose: Specifies the interoperability mode used by the T3 controller.
• 0—Connects a T3 controller to another T3 controller or to a Digital Link DSU. Bandwidth range is from 300 to 44210 kbps. This is the default.
• 1—Connects a T3 controller to a Kentrox DSU. Bandwidth range is from 1500 to 35000, or 44210 kbps.
Note If the bandwidth is set between 35000–44210 kbps, an error message is displayed.
• 2—Connects a T3 controller to a Larscom DSU. Bandwidth range is from 3100 to 44210 kbps.
• 3—Connects a T3 controller to an Adtran T3SU 300. Bandwidth range is from 75 to 44210 kbps.
• 4—Connects a T3 controller to a Verilink HDM 2182. Bandwidth range is from 1500 to 44210 kbps.

Step 4
Command: Router(config-if)# dsu bandwidth kbps
Purpose: Specifies the maximum allowable bandwidth.
• kbps—Bandwidth range is from 1 to 44210 kbps.

Verifying DSU Mode
Use the show controllers serial command to display the DSU mode of the controller:
Router# show controllers serial
Serial3/1/0 -
Framing is c-bit, Clock Source is Internal
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 0
Data in current interval (0 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
0 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 0 LOS Defect Secs
Transmitter is sending AIS.
.
.
.
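The per-mode bandwidth ranges in Step 3 can be checked before a change is applied, and the applied values confirmed from the show controllers serial output afterwards. The Python below is an added example, not Cisco code; the function names, the intended-settings dictionary and the sample output (constructed, modelled on the output format above) are assumptions.

```python
import re

# Bandwidth ranges in kbps for each DSU mode, taken from the Step 3 table.
DSU_MODE_RANGES = {
    0: [(300, 44210)],                   # another T3 controller or Digital Link DSU
    1: [(1500, 35000), (44210, 44210)],  # Kentrox: 1500-35000, or exactly 44210
    2: [(3100, 44210)],                  # Larscom
    3: [(75, 44210)],                    # Adtran T3SU 300
    4: [(1500, 44210)],                  # Verilink HDM 2182
}

HEADER_RE = re.compile(r"^(Serial\d+/\d+/\d+)\s+-\s*$")
DSU_RE = re.compile(r"Bandwidth limit is (\d+), DSU mode (\d+)")


def parse_show_controllers(output):
    """Return {interface: (dsu_mode, bandwidth_kbps)} from 'show controllers serial' text."""
    state, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        dsu = DSU_RE.search(line)
        if dsu and current:
            state[current] = (int(dsu.group(2)), int(dsu.group(1)))
    return state


def bandwidth_allowed(mode, kbps):
    """True when kbps falls inside a range the table lists for this DSU mode."""
    return any(lo <= kbps <= hi for lo, hi in DSU_MODE_RANGES.get(mode, []))


def verify(intended, output):
    """Check intended {interface: (mode, kbps)} against the table and the router's report."""
    observed = parse_show_controllers(output)
    findings = []
    for ifname, (mode, kbps) in sorted(intended.items()):
        if not bandwidth_allowed(mode, kbps):
            findings.append((ifname, f"planned {kbps} kbps is not valid for dsu mode {mode}"))
        elif ifname not in observed:
            findings.append((ifname, "not present in show controllers serial output"))
        elif observed[ifname] != (mode, kbps):
            got_mode, got_kbps = observed[ifname]
            findings.append((ifname, f"router reports mode {got_mode}, {got_kbps} kbps"))
    return findings


# Constructed sample output; only the lines the parser needs are included.
SAMPLE_OUTPUT = """\
Serial3/0/0 -
   Framing is c-bit, Clock Source is Internal
   Bandwidth limit is 44210, DSU mode 0, Cable length is 10
Serial3/1/0 -
   Framing is c-bit, Clock Source is Internal
   Bandwidth limit is 44210, DSU mode 0, Cable length is 10
Serial3/1/1 -
   Framing is c-bit, Clock Source is Internal
   Bandwidth limit is 35000, DSU mode 1, Cable length is 10
"""

# Constructed change plan: interface -> (dsu mode, dsu bandwidth in kbps).
INTENDED = {
    "Serial3/0/0": (3, 75),      # valid, but the router still reports mode 0
    "Serial3/1/0": (1, 40000),   # falls in the 35000-44210 gap for mode 1
    "Serial3/1/1": (1, 35000),   # valid and applied
    "Serial3/1/2": (2, 3100),    # valid, but missing from the output
}

if __name__ == "__main__":
    for ifname, problem in verify(INTENDED, SAMPLE_OUTPUT):
        print(f"{ifname}: {problem}")
```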
Configuring Maintenance Data Link
MDL messages are used to communicate identification information between local and remote ports. The
type of information included in MDL messages includes the equipment identification code (EIC),
location identification code (LIC), frame identification code (FIC), unit, Path Facility Identification
(PFI), port number, and Generator Identification numbers. To configure Maintenance Data Link (MDL),
use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# controller t3 slot/subslot/port
Purpose: Selects the controller to configure and enters controller configuration mode.
• slot/subslot/port—Specifies the location of the interface. See: Specifying the Interface Address on a SPA, page 19-7

Command: Router(config-controller)# mdl [string {eic | fic | generator | lic | pfi | port | unit} string] | [transmit {idle-signal | path | test-signal}]
Purpose: Configures the MDL message.
• string eic—Specifies the Equipment Identification Code; can be up to 10 characters.
• string fic—Specifies the Frame Identification Code; can be up to 10 characters.
• string generator—Specifies the Generator number string sent in the MDL Test Signal message; can be up to 38 characters.
• string lic—Specifies the Location Identification Code; can be up to 11 characters.
• string pfi—Specifies the Path Facility Identification Code sent in the MDL Path message; can be up to 38 characters.
• string port—Specifies the Port number string sent in the MDL Idle Signal message; can be up to 38 characters.
• string unit—Specifies the Unit Identification Code; can be up to 6 characters.
• transmit idle-signal—Enable MDL Idle-Signal message transmission.
• transmit path—Enable MDL Path message transmission.
• transmit test-signal—Enable MDL Test-Signal message transmission.

Verifying MDL
Use the show controller command to display the MDL settings:
Router# show controller t3 3/0/0
T3 3/0/0 is down. Hardware is 2 ports CT3 SPA
ATLAS FPGA version: 0, FREEDM336 version: 0
TEMUX84(1) version: 0, TEMUX84(1) version: 0
SUBRATE FPGA version: 0
Applique type is Subrate T3
Receiver has loss of signal.
MDL transmission is enabled
EIC: new, LIC: US, FIC: 23, UNIT: myunit
Path FI: test pfi
Idle Signal PORT_NO: New-port
Test Signal GEN_NO: test-message
FEAC code received: No code is being received
Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
Equipment customer loopback
Data in current interval (869 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
869 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
869 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 870 LOS Defect Secs
Configuring Encapsulation
When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set
the encapsulation method, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command (channelized): Router(config)# interface serial slot/subslot/port/t1-number:channel-group
Command (un-channelized): Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• Channelized: slot/subslot/port/t1-number:channel-group—Specifies the location of the interface. See: Specifying the Interface Address on a SPA, page 19-7
• Un-channelized: slot/subslot/port—Specifies the location of the interface. See: Specifying the Interface Address on a SPA, page 19-7

Command: Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
Purpose: Set the encapsulation method on the interface.
• hdlc—High-Level Data Link Control (HDLC) protocol for serial interface. This is the default.
• ppp—Point-to-Point Protocol (PPP) (for serial interface).
• frame-relay—Frame Relay (for serial interface).

Verifying Encapsulation
Use the show interface serial command to display the encapsulation method:
Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
Hardware is Channelized/ClearChannel CT3 SPA
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions alarm present
DSU mode 0, bandwidth 44210 Kbit, scramble 0, VC 0
Configuring T3 Framing
To set the T3 framing type, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See: “Specifying the Interface Address on a SPA” section on page 19-7

Command: Router(config-if)# framing {c-bit | m13}
Purpose: Specifies the framing type in unchannelized mode.
• c-bit—Specifies C-bit parity framing. This is the default.
• m13—Specifies DS3 Framing M13 (same as M23).

Verifying Framing
Use the show controller command to display the framing type:
Router# show controller t3 3/0/0
T3 3/0/0 is down. Hardware is 2 ports CT3 SPA
ATLAS FPGA version: 0, FREEDM336 version: 0
TEMUX84(1) version: 0, TEMUX84(1) version: 0
SUBRATE FPGA version: 0
Applique type is Subrate T3
Receiver has loss of signal.
Framing is M13, Line Code is B3ZS, Clock Source is Line
Equipment customer loopback
Data in current interval (656 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
666 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 666 LOS Defect Secs
Configuring FDL
Facility Data Link (FDL) is a far-end performance reporting tool. In ansi mode, you can enable 1-second
transmissions of performance reports on both ends of the T1 connection. To configure FDL, use the
following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# controller t3 slot/subslot/port
Purpose: Selects the controller to configure and enters controller configuration mode.
• slot/subslot/port—Specifies the location of the interface. See: “Specifying the Interface Address on a SPA” section on page 19-7

Command: Router(config-controller)# t1 number fdl {ansi}
Purpose: (Optional) Enables FDL.
• number—Specifies the T1 channel number.
• ansi—Specifies the FDL bit per the ANSI T1.403 specification.

Verifying FDL
Use the show controller command to display the FDL setting:
Router# show controller t3 3/0/1/1
T3 3/0/1 is down. Hardware is 2 ports CT3 SPA
ATLAS FPGA version: 0, FREEDM336 version: 0
TEMUX84(1) version: 0, TEMUX84(1) version: 0
SUBRATE FPGA version: 0
Applique type is Channelized T3
Receiver has loss of signal.
Framing is M23, Line Code is B3ZS, Clock Source is Internal
Equipment customer loopback
Data in current interval (456 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation, 0 P-bit Err Secs
0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
456 Unavailable Secs, 0 Line Errored Secs
0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
0 Severely Errored Line Secs
0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
0 Far-end code violations, 0 FERF Defect Secs
0 AIS Defect Secs, 456 LOS Defect Secs
T1 1 is down
timeslots: 2-14
FDL per ANSI T1.403 and AT&T 54016 spec.
Configured for FDL remotely line looped (bell)
Transmitter is sending LOF Indication.
Receiver is getting AIS.
Framing is ESF, Clock Source is Line
BERT running on timeslots 2,3,4,5,6,7,8,9,10,11,12,13,14,
BERT test result (running)
Test Pattern : All 1's, Status : Not Sync, Sync Detected : 0
Interval : 2 minute(s), Time Remain : 2 minute(s)
Bit Errors (since BERT started): 0 bits,
Bits Received (since BERT started): 0 Kbits
Bit Errors (since last sync): 0 bits
Bits Received (since last sync): 0 Kbits
Data in current interval (703 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
713 Unavail Secs, 0 Stuffed Secs
357 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
Configuring Scramble
T3 scrambling is used to assist clock recovery on the receiving end. Scrambling is designed to randomize
the pattern of 1s and 0s carried in the physical layer frame. Randomizing the digital bits can prevent
continuous, nonvariable bit patterns—in other words, long strings of all 1s or all 0s. Several physical
layer protocols rely on transitions between 1s and 0s to maintain clocking.
Scrambling can prevent some bit patterns from being mistakenly interpreted as alarms by switches
placed between the Data Service Units (DSUs).
To configure scrambling, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
• slot/subslot/port—Specifies the location of the interface. See: “Specifying the Interface Address on a SPA” section on page 19-7

Command: Router(config-if)# scramble [0 | 1]
Purpose: Enables scrambling. Scrambling is disabled by default.
• Scramble settings:
  1—enabled
  0—disabled

Verifying Scrambling
Use the show interface serial command to display the scramble setting:
Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
Hardware is Channelized/ClearChannel CT3 SPA
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions alarm present
DSU mode 0, bandwidth 44210 Kbit, scramble 1, VC 0
Configuring Multilink Point-to-Point Protocol (Hardware-based)
Multilink Point to Point Protocol (MLPPP) allows you to combine T1 or E1 lines into a bundle that has
the combined bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of
T1 or E1 lines in each bundle.
MLPPP for T1/E1 Configuration Guidelines
The required conditions are:
• Only T1 or E1 links in a bundle
• All links on the same SPA
• Maximum of 12 links in a bundle.
Note Some notes about hardware-based MLPPP:
• Only 3 fragmentation sizes are possible: 128, 256 and 512 bytes.
• Fragmentation is enabled by default; the default size is 512 bytes.
• Fragmentation size is configured using the ppp multilink fragment-delay command after using the
interface multilink command. The least of the fragmentation sizes (among the 3 sizes possible)
satisfying the delay criteria is configured (e.g., a 192 byte packet causes a delay of 1 millisecond on a
T1 link, so the nearest fragmentation size is 128 bytes).
The show ppp multilink command will indicate the mlppp type and the fragmentation size:
Router# show ppp multilink
Multilink1, bundle name is Patriot2
Bundle up for 00:00:13
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 206/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/2/0/1:0, since 00:00:13, no frags rcvd
Se4/2/0/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.
Fragmentation is disabled explicitly by using the no ppp multilink fragmentation command after using
the interface multilink command.
Create a Multilink Bundle
To create a multilink bundle, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface multilink group-number
Purpose: Creates a multilink interface and enters multilink interface mode.
• group-number—The group number for the multilink bundle.

Command: Router(config-if)# ip address address mask
Purpose: Sets the IP address for the multilink group.
• address—The IP address.
• mask—The IP netmask.

Assign an interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port/t1-number:channel-group
Purpose: Selects the interface to configure and enters interface configuration mode. See: “Specifying the Interface Address on a SPA” section on page 19-7
• slot/subslot/port/t1-number:channel-group—Select the interface to configure.

Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.

Command: Router(config-if)# multilink-group group-number
Purpose: Assigns the interface to a multilink bundle.
• group-number—The multilink group number for the T1 or E1 bundle.

Command: Router(config-if)# ppp multilink
Purpose: Enables multilink PPP on the interface.

Repeat these commands for each interface you want to assign to the multilink bundle.
Configuring fragmentation size on an MLPPP Bundle (optional)
To configure the fragmentation size on a multilink ppp bundle, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface multilink group-number
Purpose: Creates a multilink interface and enters multilink interface mode.
• group-number—The group number for the multilink bundle. Range 1-2147483647

Command: Router(config-if)# ppp multilink fragment-delay delay
Purpose: Sets the fragmentation size satisfying the configured delay on the multilink bundle.
• delay—delay in milliseconds

Disabling the fragmentation on an MLPPP Bundle (optional)
To disable fragmentation on a multilink bundle, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface multilink group-number
Purpose: Creates a multilink interface and enters multilink interface mode.
• group-number—The group number for the multilink bundle. Range 1-2147483647

Command: Router(config-if)# no ppp multilink fragmentation
Purpose: Disables the fragmentation on the multilink bundle.

Verifying Multilink PPP
Use the show ppp multilink command to verify the PPP multilinks:
router# show ppp multilink
Multilink1, bundle name is mybundle
Bundle up for 01:40:50
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 1/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 5 active, 0 inactive (max not set, min not set)
Se6/0/0/1:0, since 01:40:50, no frags rcvd
Se6/0/1/1:0, since 01:40:09, no frags rcvd
Se6/0/3/1:0, since 01:15:44, no frags rcvd
Se6/0/4/1:0, since 01:03:17, no frags rcvd
Se6/0/6/1:0, since 01:01:06, no frags rcvd
Se6/0/6:0, since 01:01:06, no frags rcvd
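The MLPPP for T1/E1 configuration guidelines (all links on the same SPA, at most 12 links per bundle, fragment sizes of 128, 256 or 512 bytes) can be checked against show ppp multilink output. The Python below is an added example, not Cisco code; the function names and the sample output are constructed, and it assumes that the first two numbers of a member link name (slot/subslot) identify the SPA.

```python
import re

SUPPORTED_FRAGMENT_SIZES = {128, 256, 512}  # hardware MLPPP sizes listed in the guidelines
MAX_LINKS_PER_BUNDLE = 12                   # bundle limit listed in the guidelines

BUNDLE_RE = re.compile(r"^(Multilink\d+), bundle name is (.+)$")
# Member link such as "Se4/2/0/1:0, since ..."; slot 4 and subslot 2 name the SPA (assumption).
LINK_RE = re.compile(r"^(Se(?:rial)?(\d+)/(\d+)/[^\s,]+)(?:,|$)")
FRAGMENT_RE = re.compile(r"Fragment size (\d+)")


def parse_bundles(output):
    """Split 'show ppp multilink' text into one dict per bundle."""
    bundles, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = BUNDLE_RE.match(line)
        if m:
            current = {"interface": m.group(1), "name": m.group(2), "links": [],
                       "fragment_size": None, "hardware": False}
            bundles.append(current)
            continue
        if current is None:
            continue
        m = LINK_RE.match(line)
        if m:
            current["links"].append((m.group(1), (int(m.group(2)), int(m.group(3)))))
            continue
        m = FRAGMENT_RE.search(line)
        if m:
            current["fragment_size"] = int(m.group(1))
        if "Multilink in Hardware" in line:
            current["hardware"] = True
    return bundles


def check_bundle(bundle):
    """Return the guideline violations for one parsed bundle (empty list means none)."""
    findings = []
    spas = sorted({spa for _, spa in bundle["links"]})
    if len(spas) > 1:
        findings.append("member links span several SPAs: "
                        + ", ".join(f"{slot}/{subslot}" for slot, subslot in spas))
    if len(bundle["links"]) > MAX_LINKS_PER_BUNDLE:
        findings.append(f"{len(bundle['links'])} member links exceed the limit of "
                        f"{MAX_LINKS_PER_BUNDLE}")
    if not bundle["hardware"]:
        findings.append("output does not report 'Multilink in Hardware'")
    size = bundle["fragment_size"]
    if size is not None and size not in SUPPORTED_FRAGMENT_SIZES:
        findings.append(f"fragment size {size} is not 128, 256 or 512")
    return findings


def audit(output):
    """Map each bundle interface to its list of findings."""
    return {b["interface"]: check_bundle(b) for b in parse_bundles(output)}


# Constructed sample: the first bundle follows the guidelines, the second does not.
SAMPLE_OUTPUT = """\
Multilink1, bundle name is Patriot2
  Bundle up for 00:00:13
  Bundle is Distributed
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/2/0/1:0, since 00:00:13, no frags rcvd
    Se4/2/0/2:0, since 00:00:10, no frags rcvd
  Distributed fragmentation on. Fragment size 512. Multilink in Hardware.

Multilink2, bundle name is lab-bundle
  Bundle up for 00:05:02
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se4/2/1/1:0, since 00:05:02
    Se4/3/0/1:0, since 00:04:58
"""

if __name__ == "__main__":
    for interface, problems in audit(SAMPLE_OUTPUT).items():
        print(interface, "OK" if not problems else problems)
```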
Configuring MLFR for T1/E1
Multilink Frame Relay (MLFR) allows you to combine T1/E1 lines into a bundle that has the combined
bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1/E1 lines in
each bundle. This allows you to increase the bandwidth of your network links beyond that of a single
T1/E1 line.
MLFR for T1/E1 Configuration Guidelines
MLFR will function in hardware if all of the following conditions are met:
• Only T1 or E1 member links
• All links are on the same SPA
• Maximum of 12 links in a bundle
Create a Multilink Bundle
To create a multilink bundle, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface mfr number
Purpose: Configures a multilink Frame Relay bundle interface.
• number—The number for the Frame Relay bundle.

Command: Router(config-if)# frame-relay multilink bid name
Purpose: (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle.
• name—The name for the Frame Relay bundle.
Note The bundle identification (BID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.

Assign an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:

Command: Router# configure terminal
Purpose: Enters global configuration mode.

Command: Router(config)# interface serial slot/subslot/port:channel-group
Purpose: Selects the interface to assign.
• slot/subslot/port:channel-group—Specifies the location of the interface. See: “Specifying the Interface Address on a SPA” section on page 19-7

Command: Router(config-if)# encapsulation frame-relay mfr number [name]
Purpose: Creates a multilink Frame Relay bundle link and associates the link with a bundle.
• number—The number for the Frame Relay bundle.
• name—The name for the Frame Relay bundle.

Command: Router(config-if)# frame-relay multilink lid name
Purpose: (Optional) Assigns a bundle link identification name with a multilink Frame Relay bundle link.
• name—The name for the Frame Relay bundle.
Note The bundle link identification (LID) will not go into effect until the interface has gone from the down state to the up state. One way to bring the interface down and back up again is by using the shut and no shut commands in interface configuration mode.

Command: Router(config-if)# frame-relay multilink hello seconds
Purpose: (Optional) Configures the interval at which a bundle link will send out hello messages. The default value is 10 seconds.
• seconds—Number of seconds between hello messages sent out over the multilink bundle.

Command: Router(config-if)# frame-relay multilink ack seconds
Purpose: (Optional) Configures the number of seconds that a bundle link will wait for a hello message acknowledgment before resending the hello message. The default value is 4 seconds.
• seconds—Number of seconds a bundle link will wait for a hello message acknowledgment before resending the hello message.

Command: Router(config-if)# frame-relay multilink retry number
Purpose: (Optional) Configures the maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment. The default value is 2 tries.
• number—Maximum number of times a bundle link will resend a hello message while waiting for an acknowledgment.

Verifying Multilink Frame Relay
Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:
Router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Remove_link sent = 0, Remove_link rcv'd = 0,
Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
Configuring Multipoint Bridging
Multipoint bridging (MPB) enables the connection of multiple ATM PVCs, Frame Relay PVCs, BCP
ports, and WAN Gigabit Ethernet subinterfaces into a single broadcast domain (virtual LAN), together
with the LAN ports on that VLAN. This enables service providers to add support for Ethernet-based
Layer 2 services to the proven technology of their existing ATM and Frame Relay legacy networks.
Customers can then use their current VLAN-based networks over the ATM or Frame Relay cloud. This
also allows service providers to gradually update their core networks to the latest Gigabit Ethernet
optical technologies, while still supporting their existing customer base.
For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring
Multipoint Bridging” section on page 4-36 of Chapter 4, “Configuring the SIPs and SSC.”
Configuring Bridging Control Protocol Support
The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and
provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The
implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN
(VLAN), and high-speed switched LANs.
For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature
Compatibility” section on page 4-56 of Chapter 4, “Configuring the SIPs and SSC.”
Configuring BCP on MLPPP
BCP on MLPPP Configuration Guidelines
• Only Distributed MLPPP is supported
• Only channelized interfaces allowed, and member links must be from the same controller card
• Only trunk port BCP is supported on MLPPP
• Bridging can be configured only on the bundle interface
Note BCP on MLPPP operates only in trunk mode.
Note When you manually configure the MTU and MRRU values on the bundle interface with BCP on
dMLPPP, you should set the MRRU value to at least 20 bytes more than the MTU value. This
configuration ensures that packets with a size up to the configured MTU value on the multilink interface
are not dropped because of the MRRU restrictions.
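The guidelines and notes above (trunk mode only, bridging only on the bundle interface, MRRU at least 20 bytes above MTU) can be checked against a saved configuration. The Python below is an added example, not Cisco code; the function names and the sample configuration are constructed, and it assumes the MTU and MRRU appear as mtu and ppp multilink mrru local lines, which this page does not show.

```python
import re

MRRU_MARGIN = 20  # bytes the note asks for between the MTU and the MRRU


def parse_interfaces(config_text):
    """Map each interface name to the list of its (stripped) configuration lines."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas


def first_int(lines, pattern):
    """Return the integer captured by the first line that fully matches pattern."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return None


def audit_bcp_mlppp(config_text):
    """Return (interface, finding) tuples for the BCP on MLPPP guidelines."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        bridged = any(l == "switchport" or l.startswith("switchport ") for l in lines)
        if name.lower().startswith("multilink"):
            if not bridged:
                continue  # a routed bundle is outside these guidelines
            if "switchport mode trunk" not in lines:
                findings.append((name, "bridged bundle is not in trunk mode"))
            mtu = first_int(lines, r"mtu (\d+)")
            # Assumption: MRRU is configured with 'ppp multilink mrru local <bytes>'.
            mrru = first_int(lines, r"ppp multilink mrru local (\d+)")
            if mtu is not None and mrru is not None and mrru < mtu + MRRU_MARGIN:
                findings.append((name, f"MRRU {mrru} is less than MTU {mtu} + {MRRU_MARGIN}"))
        elif bridged and any(re.fullmatch(r"multilink-group \d+", l) for l in lines):
            findings.append((name, "switchport on a member link; "
                                   "bridging belongs on the bundle interface"))
    return findings


# Constructed sample configuration with three deliberate deviations.
SAMPLE_CONFIG = """\
interface Multilink1
 mtu 1500
 switchport
 switchport trunk allowed vlan 100
 switchport mode trunk
 switchport nonegotiate
 no ip address
 ppp multilink
 ppp multilink mrru local 1510
!
interface Multilink2
 mtu 1500
 switchport
 switchport mode access
 no ip address
 ppp multilink
 ppp multilink mrru local 1520
!
interface Serial1/0/0.1/1/1/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial1/0/0.1/1/1/2:0
 no ip address
 encapsulation ppp
 switchport
 ppp multilink
 multilink-group 1
!
"""

if __name__ == "__main__":
    for interface, finding in audit_bcp_mlppp(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```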
Configuring BCP on MLPPP Trunk Mode
To configure BCP on MLPPP trunk mode, perform these steps:

Step 1
Command: Router(config)# interface multilink
Purpose: Selects the multilink interface.

Step 2
Command: Router(config-if)# switchport
Purpose: Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.

Step 3
Command: Router(config-if)# switchport trunk allowed vlan 100
Purpose: By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.

Step 4
Command: Router(config-if)# switchport mode trunk
Purpose: Configures the router port connected to the switch as a VLAN trunk port.

Step 5
Command: Router(config-if)# switchport nonegotiate
Purpose: Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames.

Step 6
Command: Router(config-if)# no ip address

Step 7
Command: Router(config-if)# ppp multilink
Purpose: Enables this interface to support MLP.

Step 8
Command: Router(config-if)# multilink-group 1
Purpose: Assigns this interface to the multilink group.

Step 9
Command: Router(config-if)# interface Serial1/0/0.1/1/1/1:0
Purpose: Designates a serial interface as a multilink bundle.

Step 10
Command: Router(config-if)# no ip address
Purpose: Unassigns the IP address.

Step 11
Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.

Step 12
Command: Router(config-if)# ppp multilink
Purpose: Enables this interface to support MLP.

Step 13
Command: Router(config-if)# multilink-group 1
Purpose: Assigns this interface to the multilink group 1.

Step 14
Command: Router(config-if)# interface Serial1/0/0.1/1/1/2:0
Purpose: Designates a serial interface as a multilink bundle.

Step 15
Command: Router(config-if)# no ip address
Purpose: Unassigns the IP address.

Step 16
Command: Router(config-if)# encapsulation ppp
Purpose: Enables PPP encapsulation.

Step 17
Command: Router(config-if)# ppp multilink
Purpose: Enables this interface to support MLP.

Step 18
Command: Router(config-if)# multilink-group 1
Purpose: Assigns this interface to the multilink group 2.

Step 19
Command: Router(config-if)# shutdown
Purpose: Shuts down an interface.

Step 20
Command: Router(config-if)# no shutdown
Purpose: Reopens an interface.

Step 21
Command: Router(config-if)# switchport trunk allowed vlan vlan-list
Purpose: By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid values for vlan-list are from 1 to 4094.

Verifying BCP on MLPPP Trunk Mode
To display information about Multilink PPP, use the show ppp multilink command in EXEC mode.

Command: Router(config-if)# show ppp multilink
Purpose: Displays information on a multilink group.

The following shows an example of show ppp multilink:
Router# show ppp multilink
Multilink1, bundle name is group 1
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
0 discarded, 0 lost received, 1/255 load
Member links: 4 active, 0 inactive (max no set, min not set)
Serial1/0/0/:1
Serial1/0/0/:2
Serial1/0/0/:3
Serial1/0/0/:4
FRF.12 Guidelines
FRF.12 functions in hardware. Note the following:
• Only 3 fragmentation sizes are available - 128 bytes, 256 bytes, and 512 bytes.
The supported fragment sizes - 128, 256 and 512 - include the FRF and NLPID headers in addition
to the payload.
• If you have a configuration where a C7600 router acts as a Provider Edge (PE) router between
Customer Edge (CE) routers, you can configure C7600 in plain Frame Relay or Frame Relay
Fragmentation mode. If you enable Frame Relay Fragmentation only at the CE routers and C7600
acts as a plain Frame Relay interface, the configuration works fine. In a configuration of C7600 with
any of the three SPAs (8-Port Channelized T1/E1 SPA, 1-Port Channelized OC-3/STM-1 SPA or 2 or
4-Port CT3 SPA), where Frame Relay is configured on the serial interface and Frame Relay
Fragmentation is enabled in any of the sub interfaces, the fragmented packets may be dropped in the
transparent DLCIs. If you want such a configuration to work, you should set the fragment size value
on the main interface larger than any CE router fragmentation size using the command frame-relay
fragment x end-to-end, where x is the fragmentation size on the main interface.
LFI Guidelines
LFI can function two ways - using FRF.12 or MLPPP. MLPPP LFI can be done in both hardware and
software while FRF.12 LFI is done only in hardware.
Hardware MLPPP LFI Guidelines
LFI using MLPPP will function only in hardware if there is just one member link in the MLPPP bundle.
The link can be a fractional T1 or full T1. Note the following:
• The ppp multilink interleave command needs to be configured to enable interleaving.
• Only three fragmentation sizes are supported - 128 bytes, 256 bytes, and 512 bytes.
• Fragmentation is enabled by default, the default size being 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
• When hardware-based LFI is enabled, fragmentation counters are not displayed.
FRF.12 LFI Guidelines
LFI using FRF.12 is always done in hardware. Note the following:
• The fragmentation is configured at the main interface.
• Only 3 fragmentation sizes are available - 128 bytes, 256 bytes, and 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
Configuring QoS Features on Serial SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
information about the QoS features supported by the serial SPAs, see the “Configuring QoS Features on
a SIP” section on page 4-94 of Chapter 4, “Configuring the SIPs and SSC.”
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command Purpose
Router# copy running-config startup-config
    Writes the new configuration to NVRAM.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Verifying the Interface Configuration
Besides using the show running-configuration command to display your Cisco 7600 series router
configuration settings, you can use the show interfaces serial and the show controllers serial
commands to get detailed information on a per-port basis for your 2-Port and 4-Port Clear Channel
T3/E3 SPA.
Verifying Per-Port Interface Status
To find detailed interface information on a per-port basis for the 2-Port and 4-Port Channelized T3 SPA,
use the show interfaces serial command.
The following example provides sample output for the serial interface on an un-channelized T3:
Router# show interface serial3/0/0
Serial3/0/0 is down, line protocol is down
Hardware is Channelized/ClearChannel CT3 SPA
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions alarm present
DSU mode 0, bandwidth 44210 Kbit, scramble 1, VC 0
The following example provides sample output for the serial interface on a channelized T3:
Router# show interface serial3/0/1/1:0
Serial3/0/1/1:0 is down, line protocol is down
Hardware is Channelized/ClearChannel CT3 SPA
MTU 1500 bytes, BW 832 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions alarm present
VC 1: timeslot(s): 2-14, Transmitter delay 0, non-inverted data
To find detailed status and statistical information on a per-port basis for the 2-Port and 4-Port Clear
Channel T3/E3 SPA, use the show controllers serial command.
The following example provides sample controller statistics for the third port on the SPA located in the
first subslot of the SIP-200 that is installed in slot 5 of a Cisco 7609 router:
show controller serial 5/0/2
Serial5/0/2 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 0
Data in current interval (807 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 306 Unavailable Secs
500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 2:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 3:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
562 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 4:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
560 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
.
.
.
Total Data (last 44 15 minute intervals):
0 Line Code Violations, 0 P-bit Coding Violation,
0 C-bit Coding Violation,
0 P-bit Err Secs, 0 P-bit Sev Err Secs,
0 Sev Err Framing Secs, 0 Unavailable Secs,
24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Transmitter is sending AIS.
Receiver has loss of signal.
40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
0 P-bit Unavailable Secs, 0 CP-bit Unavailable Secs
0 CP-bit Far-end Unavailable Secs
0 Near-end path failures, 0 Far-end path failures
No FEAC code is being received
MDL transmission is disabled
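A monitoring check over the show controllers serial output above, as an added example (not Cisco's code): it parses the per-interval counters and the status lines, then flags unavailable seconds, a high share of line errored seconds, and the AIS and loss-of-signal conditions. The sample text is constructed from the line shapes shown above; the function names and the 10% errored-seconds threshold are assumptions.

```python
import re

# Constructed sample: the line shapes of the sample output above, trimmed to the
# current interval, one completed interval, the totals and the status lines.
SAMPLE = """\
Serial5/0/2 -
Framing is c-bit, Clock Source is Line
Bandwidth limit is 44210, DSU mode 0, Cable length is 10
rx FEBE since last clear counter 0, since reset 0
Data in current interval (807 seconds elapsed):
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 306 Unavailable Secs
500 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Data in Interval 1:
0 Line Code Violations, 0 P-bit Coding Violation
0 C-bit Coding Violation
0 P-bit Err Secs, 0 P-bit Sev Err Secs
0 Sev Err Framing Secs, 0 Unavailable Secs
564 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Total Data (last 44 15 minute intervals):
0 Line Code Violations, 0 P-bit Coding Violation,
0 C-bit Coding Violation,
0 P-bit Err Secs, 0 P-bit Sev Err Secs,
0 Sev Err Framing Secs, 0 Unavailable Secs,
24750 Line Errored Secs, 0 C-bit Errored Secs, 0 C-bit Sev Err Secs
Transmitter is sending AIS.
Receiver has loss of signal.
40434 Sev Err Line Secs, 0 Far-End Err Secs, 0 Far-End Sev Err Secs
No FEAC code is being received
MDL transmission is disabled
"""

INTERVAL_SECS = 900  # one completed 15-minute interval

# Section headers: each maps a regex match to (section name, seconds covered).
HEADERS = (
    (re.compile(r"Data in current interval \((\d+) seconds elapsed\):"),
     lambda m: ("current", int(m.group(1)))),
    (re.compile(r"Data in Interval (\d+):"),
     lambda m: ("interval " + m.group(1), INTERVAL_SECS)),
    (re.compile(r"Total Data \(last (\d+) 15 minute intervals\):"),
     lambda m: ("total", int(m.group(1)) * INTERVAL_SECS)),
)
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z -]*[A-Za-z])")
ALARM_PREFIXES = ("Transmitter is sending", "Receiver has")


def parse_controller(text):
    """Return (sections, alarms); sections maps a section name to
    {"seconds": int, "counters": {counter name: value}}."""
    sections, alarms, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = None
        for rx, describe in HEADERS:
            m = rx.match(line)
            if m:
                header = describe(m)
                break
        if header:
            current = header[0]
            sections[current] = {"seconds": header[1], "counters": {}}
        elif line.startswith(ALARM_PREFIXES):
            alarms.append(line.rstrip("."))
            current = None  # counters after the status lines are not interval data
        elif current and line[:1].isdigit():
            for value, name in COUNTER_RE.findall(line):
                sections[current]["counters"][name] = int(value)
    return sections, alarms


def findings(sections, alarms, max_errored_ratio=0.10):
    """Return (scope, kind, value) tuples worth alerting on.
    max_errored_ratio is an assumed threshold, not a Cisco default."""
    out = [("port", "alarm", a) for a in alarms]
    for name, sec in sections.items():
        counters = sec["counters"]
        if counters.get("Unavailable Secs", 0) > 0:
            out.append((name, "unavailable", counters["Unavailable Secs"]))
        ratio = counters.get("Line Errored Secs", 0) / sec["seconds"]
        if ratio > max_errored_ratio:
            out.append((name, "line-errored", round(ratio, 3)))
    return out


if __name__ == "__main__":
    for item in findings(*parse_controller(SAMPLE)):
        print(item)
```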
Configuration Examples
This section includes the following configuration examples:
• DSU Configuration Example
• MDL Configuration Example
• Encapsulation Configuration Example
• Framing—Unchannelized Mode Configuration Example
• Facility Data Link Configuration Example
• Scrambling Configuration Example
• Creating a Multilink Bundle Configuration Example
• Assigning a T1 Interface to a Multilink Bundle Configuration Example
DSU Configuration Example
The following example sets the DSU mode on interface port 0 on slot 4, subslot 1.
! Specify the interface and enter interface configuration mode.
!
Router(config-int)# interface t3 4/1/0
!
!Specifies the interoperability mode used by the T3 interface.
!
Router(config-int)# dsu mode 2
!
!Specifies the maximum allowable bandwidth.
Router(config-int)# dsu bandwidth 23000
MDL Configuration Example
The following example configures the MDL strings on controller port 0 on slot 4, subslot 1.
! Enter controller configuration mode.
!
Router(config)# controller t3 4/1/0
!
! Specify the mdl strings.
!
Router(config-controller)# mdl string eic beic
Router(config-controller)# mdl string lic beic
Router(config-controller)# mdl string fic bfix
Router(config-controller)# mdl string unit bunit
Router(config-controller)# mdl string pfi bpfi
Router(config-controller)# mdl string port bport
Router(config-controller)# mdl string generator bgen
Router(config-controller)# mdl transmit path
Router(config-controller)# mdl transmit idle-signal
Router(config-controller)# mdl transmit test-signal
Encapsulation Configuration Example
The following example configures encapsulation on a channelized T1 interface.
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/1/1:0
!
! Specify the encapsulation method.
!
Router(config-if)# encapsulation ppp
The following example configures encapsulation and framing on an un-channelized T3 interface.
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/1
!
! Specify the encapsulation method.
!
Router(config-if)# encapsulation ppp
Framing—Unchannelized Mode Configuration Example
The following example configures framing on an un-channelized T3 interface.
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/1
!
! Specify the framing type.
!
Router(config-if)# framing m13
Facility Data Link Configuration Example
The following example configures FDL on a channelized T1 interface.
! Specify the controller to configure and enter controller configuration mode.
!
Router(config)# controller t3 3/1/0
!
! Specify the T1 controller and set the FDL bit.
!
Router(config-controller)# t1 1 fdl ansi
Scrambling Configuration Example
The following example configures scrambling on the T3 interface:
! Enter global configuration mode.
!
Router# configure terminal
!
! Specify the interface to configure and enter interface configuration mode.
!
Router(config)# interface serial 4/1/3
!
! Enable scrambling.
!
Router(config-if)# scrambling
Creating a Multilink Bundle Configuration Example
! Enter global configuration mode.
!
Router# configure terminal
!
! Create a multilink interface and enter interface configuration mode.
!
Router(config)# interface multilink 1
!
! Specify the IP address for the interface.
!
Router(config-if)# ip address 123.345.678.21 255.255.255.0
!
Assigning a T1 Interface to a Multilink Bundle Configuration Example
! Enter global configuration mode.
!
Router# configure terminal
!
! Specify the T1 interface and enter interface configuration mode.
!
Router(config)# interface serial 1/0/1/1:0
!
! Specify PPP encapsulation.
!
Router(config-if)# encapsulation ppp
!
! Specify the multilink bundle the T1 will belong to.
!
Router(config-if)# multilink-group 1
!
Chapter 20
Configuring 1-Port ChOC-3/STM-1 and ChOC-12/STM-4 SPAs
This chapter provides information about configuring the 1-Port Channelized OC-3/STM-1 SPA on
Cisco 7600 series routers and 1-Port Channelized OC-12/STM-4 SPA on SIP 400 introduced with IOS
release 12.2(33) SRD 1. The new 1-Port Channelized OC-12/STM-4 SPA terminates channelized IP
services on the service provider edge and maintains feature parity with 1-Port Channelized OC-3/STM-1
SPA on Cisco 7600 series router SIP-200 line card and the Channelized OC-12 OSM line card.
This chapter includes the following sections:
• Configuration Tasks
• Verifying the Interface Configuration
• Stateful MLPPP MR-APS
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the Related Documentation, page -xlvii.
Configuration Tasks
This section describes how to configure the 1-Port Channelized OC-3/STM-1 SPA and 1-Port
Channelized OC-12/STM-4 SPA for the Cisco 7600 series routers and includes information about
verifying the configuration.
Up to 3 STS-1 connections can be configured on the 1-Port Channelized OC-3/STM-1 SPA. Each STS-1
connection can be configured as a T3 controller or as a VT controller. A maximum of 1023 interfaces
can be configured.
Up to 12 STS-1 connections can be configured on the 1-Port Channelized OC-12/STM-4 SPA. Each
STS-1 connection can be configured as a T3 controller or as a VT controller. STS-1 can be clubbed
together to support the concatenated POS interface. A maximum of 2000 interfaces can be configured.
This document shows how to configure the 1-Port Channelized OC-3/STM-1 SPA and 1-Port
Channelized OC-12/STM-4 SPAs in either SONET or SDH framing modes. SDH mode is not supported
on the 1-Port Channelized OC-12/STM-4 SPA as of now.
It includes the following topics:
• Use the show controllers command to verify the controller configuration.
• Selection of Physical Port and Controller Configuration
• Optional Configurations
• Saving the Configuration
Required Configuration Tasks
This section lists the required steps to configure the 1-Port Channelized OC-3/STM-1 SPA and the 1-Port
Channelized OC-12/STM-4 SPA. Some of the required configuration commands implement default
values that might be appropriate for your network. If the default value is correct for your network, then
you do not need to configure the command.
• Selection of Physical Port and Controller Configuration
• Interface Naming
• SONET mode Configuration
• SDH mode Configuration
• Configure Channelized DS3 in SONET Mode
• POS Interface Configuration
• Verifying Interface Configuration
Note To better understand the address format used to specify the physical location of the Cisco 7600 SIP-200,
SPA, and interfaces, see the “Selection of Physical Port and Controller Configuration” section on
page 20-2.
Selection of Physical Port and Controller Configuration
To select the physical port and controller configuration on the 1-Port Channelized STM-1/OC-3 SPA or
1-Port Channelized OC12/STM4, use the following command:
controller sonet slot / subslot / port
If the 1-Port Channelized OC-3/STM-1 SPA sits in subslot 0 of a Cisco 7600 SIP-200 / SIP-400 (releases
from SRC onwards) in slot 3, the 1-Port Channelized OC-3/STM-1 SPA port would be identified as
controller SONET 3/0/0. Since there is only 1 port on a 1-Port Channelized OC-3/STM-1 SPA, the port
number is always 0.
If the 1-Port Channelized OC12/STM4 sits in subslot 0 of a 7600-SIP-400 (releases from SRD1 onwards)
in slot 3, the 1-Port Channelized OC12/STM4 port would be identified as controller SONET 3/0/0. Since
there is only 1 port on a 1-Port Channelized OC12/STM4, the port number is always 0.
Note The terms slot and bay are used interchangeably in this document.
Interface Naming
Interface names are automatically generated, and the format depends on the mode in which each
particular line card is operating. The name formats of the serial interfaces created are listed below.
SONET mode
• If framing is SONET and mode is vt-15 where VTG range is 1-7 and DS1(T1) range is 1-4:
interface serial [slot / subslot / port].[sts-1#/ vtg/ ds1#]:[channel-group]
Note Based on the CLI configuration, channel-group value varies from 0 to 23 for DS1.
• If framing is SONET and mode is CT3 where DS1 range is 1-28:
interface serial [slot / subslot / port].[sts-1# / ds1#]:[channel-group]
Note Based on the CLI configuration, channel-group value varies from 0 to 23 for DS1.
• If framing is SONET and mode is CT3-E1 where E1 range is 1-21:
interface serial [slot / subslot / port].[sts-1# / e1#]:[channel-group]
Note Based on the CLI configuration, channel-group value varies from 0 to 30 for E1 and 0 to 23 for T1.
• If framing is SONET and mode is T3:
interface serial [slot / subslot / port.sts-1#]
SDH mode
• If SDH-AUG mapping is au-4 and if the tug-3 is mode t3/e3:
interface serial [slot / subslot /< port>./ ]
Note Based on the CLI configuration, the STS range varies from 1 to 12, the AU-4 varies from 1 to 4, the
TUG-3 varies from 1 to 3, and the TUG-2 varies from 1 to 7.
• If SDH-AUG mapping is au-3 in c-11 mode:
interface serial [slot / subslot / port.au-3 / / ]:[channel-group]
• If framing is SDH with c-12 mode:
interface serial [slot/ subslot / < port>./ / /< e1>]:[channel-group]
Note If the aug mapping is au-3, then the only supported mode is c-11 ( carrying a DS1(T1)).
For POS mode
This configuration is only for 1-Port Channelized OC12/STM4 SPA and the only supported mode is
SONET mode.
If framing is SONET:
interface pos [slot / subslot / port]:[sts-1#]
Here sts-1# indicates the starting sts of the POS interface.
For example, if the SPA is in 3/0/0 and the POS interface is created for the first 3 sts-1s, then the interface
name is POS3/0/0:1. Also, if the SPA is in 3/0/0 and the POS interface is created for all the sts-1s, the
interface name is still POS3/0/0:1, but the differentiating factor is the interface bandwidth. For OC3, the
interface bandwidth is 15550 kbit and it is 622000 kbit for OC12 POS.
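A validator for the SONET-mode serial interface names listed above, as an added example (not Cisco's code), of the kind used when auditing a configuration against the channelization mode of each STS-1. The table and function names are assumptions; the ranges are the ones stated in this section, and SDH-mode and POS names are not covered.

```python
import re

# Fields that follow "sts-1#" in each mode, with the ranges given in the section above.
# channel_group is None for clear-channel T3, whose name has no ":channel-group" suffix.
MODES = {
    "vt-15":  {"fields": (("vtg", 1, 7), ("t1", 1, 4)), "channel_group": (0, 23)},
    "ct3":    {"fields": (("t1", 1, 28),),              "channel_group": (0, 23)},
    "ct3-e1": {"fields": (("e1", 1, 21),),              "channel_group": (0, 30)},
    "t3":     {"fields": (),                            "channel_group": None},
}
STS_MAX = {"oc3": 3, "oc12": 12}  # STS-1 connections per SPA type

NAME_RE = re.compile(
    r"^serial\s*(\d+)/(\d+)/(\d+)\.(\d+(?:/\d+)*)(?::(\d+))?$", re.IGNORECASE)


def check_name(name, mode, spa="oc3"):
    """Return a list of problems with a SONET-mode serial interface name.
    An empty list means the name fits the given mode and SPA type."""
    m = NAME_RE.match(name.strip())
    if not m:
        return ["not of the form serial slot/subslot/port.sts-1#[/...][:channel-group]"]
    spec, problems = MODES[mode], []
    path = [int(x) for x in m.group(4).split("/")]
    expected = (("sts-1", 1, STS_MAX[spa]),) + spec["fields"]
    if int(m.group(3)) != 0:
        problems.append("port must be 0 on a 1-port SPA")
    if len(path) != len(expected):
        problems.append(
            f"mode {mode} expects {len(expected)} path fields, got {len(path)}")
    for value, (label, low, high) in zip(path, expected):
        if not low <= value <= high:
            problems.append(f"{label} {value} outside {low}-{high}")
    group, allowed = m.group(5), spec["channel_group"]
    if allowed is None:
        if group is not None:
            problems.append("clear-channel t3 takes no channel-group")
    elif group is None:
        problems.append("missing :channel-group")
    elif not allowed[0] <= int(group) <= allowed[1]:
        problems.append(f"channel-group {group} outside {allowed[0]}-{allowed[1]}")
    return problems


if __name__ == "__main__":
    # Constructed names; the same string is valid or not depending on mode and SPA.
    for name, mode, spa in [
        ("Serial3/0/0.1/7/4:23", "vt-15", "oc3"),
        ("Serial3/0/0.4/28:0", "ct3", "oc3"),
        ("Serial3/0/0.4/28:0", "ct3", "oc12"),
        ("Serial3/0/0.2/21:30", "ct3", "oc3"),
    ]:
        print(name, mode, spa, check_name(name, mode, spa) or "ok")
```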
Selection of Physical Port and Controller Configuration—SONET mode
To create the interface for the 1-Port Channelized OC-3/STM-1 SPA or 1-Port Channelized OC12/STM4
SPA, complete these steps:
Command Purpose
Step 1 Router(config)# controller sonet slot/subslot/port
    Select the controller to configure and enter controller configuration mode.
    • slot/subslot/port—Specifies the location of the interface. See the “Selection of Physical Port
      and Controller Configuration” section on page 20-2.
SONET mode Configuration
To configure the SONET controller, complete these steps:
Command Purpose
Step 1 For SONET controllers: Router(config-controller)# framing sonet
    Selects the framing type.
    sonet—Specifies SONET as the frame type. This is the default.
Step 2 Router(config-controller)# clock source {internal | line}
    Sets the clock source.
    Note The clock source is set to internal if the opposite end of the connection is set to line and
    the clock source is set to line if the opposite end of the connection is set to internal.
    • internal—Specifies that the internal clock source is used.
    • line—Specifies that the network clock source is used. This is the default for T1 and E1.
Step 3 Router(config-controller)# [no] loopback {local | network}
    Enables or disables loopback mode on a SONET controller.
    • local loopback—loops data from the transmit path to the receive path.
    • network loopback—loops data received on the receiving path to the transmitting path and back
      out the external port.
    Default is disabled loopback.
Step 4 In SONET framing: Router(config-controller)# sts-1 sts-1#
    sts-1 #—Specifies the SONET STS level.
Step 5 Router(config-ctrlr-sts1)# [no] mode {vt-15 | ct3 | t3 | ct3-e1}
    Specifies the mode of operation of an STS-1 path:
    • vt-15—An STS-1 is divided into 7 VTGs. Each VTG is then divided into 4 VT1.5’s, each
      carrying a T1.
    • ct3—An STS-1 carries a DS3 signal divided into 28 T1s (PDH).
    • t3—An STS-1 carries an unchannelized (clear channel) T3.
    • ct3-e1—The channelized T3 is carrying E1 circuits.
    Note Effective from Release 15.1(1)S, the CT3-E1 mode is supported on the 1-Port Channelized
    OC12/STM4 SPA.
Step 6 Router(config-ctrlr-sts1)# vtg?
  <1-7> vtg number <1-7>
    vtg—Specifies the VTG number.
Step 7 RouterC(config-ctrlr-sts1)# vtg 1 t1 1 {bert | channel-group | clock | description | fdl | framing | loopback | shutdown | yellow}
RouterC(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0-23 Channel group number
RouterC(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots List of timeslots in the channel group
RouterC(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1-24 List of timeslots which comprise the channel
RouterC(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1 speed Specify the speed of the underlying DS0s
RouterC(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1
    Configures the T1s on the VTGs. For SONET framing, vtg# range is 1 to 7.
SDH mode Configuration
To configure SDH mode, complete the following steps:
Note Effective from Release 15.1(1)S, SDH mode is supported on the 1-Port Channelized OC12/STM4 SPA.
Command Purpose
Step 1 For SDH controllers: Router(config-controller)# framing sdh
    Selects the framing type.
    • sonet—Specifies SONET as the frame type. This is the default.
    • sdh—Specifies SDH as the frame type.
Step 2 Router(config-controller)# aug mapping {au-3 | au-4}
    Configures AUG mapping for SDH only. If the AUG mapping is configured to be au-4, then the
    following muxing/alignment/mapping will be used:
    TUG-3 <--> VC-4 <--> AU-4 <--> AUG
    If the mapping is configured to be au-3, then the following muxing/alignment/mapping will be
    used:
    VC-3 <--> AU-3 <--> AUG
    This command will be available only when sdh framing is configured.
    Default is au-4.
Step 3 Router(config-controller)# aug mapping(stm#) au-4
or
Router(config-controller)# aug mapping (stm#) au-3
Router(config-controller)# aug mapping {au-3 | au-4}
    Configures AUG mappings for SDH only.
Step 4 If AUG mapping is AU-4:
au-4 tug-3
If AUG mapping is AU-3:
au-3
    Enters the configuration submode for the given TUG-3. Depending on the currently configured AUG
    mapping setting, this command will further specify TUG-3, AU-3 or STS-1 muxing. As a result,
    the CLI command parser enters config-ctrlr-tug3, config-ctrlr-au3 or config-ctrlr-sts1# parser
    mode, which makes only relevant commands visible.
    The AU-4 number ranges from 1 to 4 for OC12 SPA and is 1 for OC3.
    The AU-3 number ranges from 1 to 12 for OC12 SPA and from 1 to 3 for OC3.
    The STS-1 number ranges from 1 to 12 for OC12 SPA and from 1 to 3 for OC3.
Step 5 In SDH framing in AU-4 mode:
[no] mode {c-12 | t3 | e3}
    C-11 and c-12 are container level-n (SDH) Channelized T3s. They are types of T3 channels that
    are subdivided into 28 T1 channels.
    • c-12—Specifies that an AU-4/TUG-3 is divided into 7 tug2. Each tug2 is then divided into
      3 TU12’s, each carrying an E1 (C-12).
    • t3—Specifies that an STS-1 or AU-4/TUG3 carries an unchannelized (clear channel) T3.
    • e3—Specifies that an AU-4/TUG3 carries an unchannelized (clear channel) E3.
    In CHOC-3/STM1 SPA, you cannot configure both T3 and E3 at the same time.
    Note Only c-11 is supported in AU-3.
Configure Channelized DS3 in SONET Mode
To configure channelized DS3 mode, complete the following steps:
Command Purpose
Step 1 Router(config)# controller sonet slot/subslot/port
    Select the controller to configure and enter controller configuration mode.
    • slot/subslot/port—Specifies the location of the interface. See the “Selection of Physical Port
      and Controller Configuration” section on page 20-2.
Step 2 Router(config-controller)# sts-1 sts1#
    The sts-1# is from 1 to y, y being the SONET STS level, such as in OC-3.
Step 3 Router(config)# mode ct3
    Sets the interface in channelized DS3 mode.
Step 4 Router(config-ctrlr-sts)# t3 framing {c-bit | m23 | auto-detect}
    Specifies the framing mode.
    • c-bit—Specifies C-bit parity framing.
    • m23—Specifies M23 framing.
    • auto-detect
Step 5 Router(config-ctrlr-sts)# clock source {internal | line}
    Sets the clock source for the given T3 controller under STS.
    Note The clock source is set to internal if the opposite end of the connection is set to line and
    the clock source is set to line if the opposite end of the connection is set to internal.
    • internal—Specifies that the internal clock source is used.
    • line—Specifies that the network clock source is used.
Step 6 Router(config-ctrlr-sts)# [no] t3 loopback {local | network [line | payload] | remote [line | payload]}
    Enables or disables loopback mode on a SONET controller.
    • local loopback—loops data from the transmit path to the receive path.
    • network loopback—loops data received on the external port to the transmit path and back out
      the external port.
    Note Effective from Release 15.1(1)S, network loopback is supported on the 1-Port Channelized
    OC12/STM4 SPA.
    • Remote loopback—Applicable only to c-bit framing. When you configure locally, this mode
      performs the remote end network loopback.
    Default is no loopback.
Step 7 Router(config-ctrlr-sts)# [no] t3 mdl string {eic | fic | generator | lic | pfi | port | unit} string
[no] t3 mdl transmit {path | idle-signal | test-signal}
    Configures MDL support.
    • eic—Specifies equipment ID code
    • fic—frame ID code
    • generator—generator number in MDL test signal
    • lic—location ID code
    • pfi—facility ID code in MDL path message
    • port—port number in MDL idle string message
    • unit—unit code
    Default is no mdl string and no mdl transmit.
Step 8 Router(config-ctrlr-sts)# t3 equipment {customer | network} loopback
    Equipment customer loopback enables the port to honor remote loopback requests. Equipment
    network loopback disables this functionality.
    Note Remote loopbacks are only available in c-bit framing mode.
Step 9 Router(config-ctrlr-sts)# t3 bert pattern pattern interval 1-14400
    Enables BERT testing.
POS Interface Configuration
To configure the OC-3 or OC-12 POS interfaces, complete the following steps:
Command Purpose
Step 1 Router(config-controller)# sts-1 start-sts-1#-end-sts-1# pos
    This command creates the POS interface. The start-sts-1 and end-sts-1 denote the STS from
    which the POS interface is created and at which it ends.
Step 2 Router(config)# Interface pos [slot/subslot/port]: [sts-1]
    This command configures the POS interface.
Step 3 Router(config-if)# [no] encap ?
  bstun Block Serial tunneling (BSTUN)
  frame-relay Frame Relay networks
  hdlc Serial HDLC synchronous
  lapb LAPB (X.25 Level 2)
  ppp Point-to-Point protocol
  sdlc SDLC
  sdlc-primary SDLC (primary)
  sdlc-secondary SDLC (secondary)
  smds Switched Megabit Data Service (SMDS)
  stun Serial tunneling (STUN)
  x25 X.25
    This command configures the encapsulation on the POS interface and sets it to the required
    value.
Step 4 Router(config-if)# [no] pos ?
  delay Delay POS alarm triggers
  flag Specify byte value
  scramble-atm Enable POS SPE scrambling
  threshold Set BER threshold values
    This command enables or disables scrambling on the POS interface.
Step 5 Router(config-if)# CRC {crc16 | crc32}
    This command configures the CRC setting to crc16 or crc32 at both connected SPAs.
Step 6 Router(config-if)# invert data
    This command configures the Invert Data setting. This should be the same for both connected
    SPAs.
Use the show interface pos command to verify the POS configuration and use the interface pos
//: sts-1# command to debug the POS configuration.
Following is a sample configuration for verifying the POS configuration:
Router#show interface pos 4/1/0:1
POS4/1/0:1 is down, line protocol is down
Hardware is SPA_1xCHOC12
MTU 4470 bytes, BW 155000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Non-inverted data
Note NSTS-1 is the number of the first STS-1 on the POS interface. The value of N can be 1,4,7 or 10.
DS1 Configuration (Channelized T3 mode)
To configure DS1 complete the following steps:
E1 Configuration (Channelized T3/E3 mode)
Command Purpose
Step 1 Router(config-ctrlr-sts1)#[no] t1 t1# clock source {internal | line}
Configures the clocking source.
Step 2 Router(config-ctrlr-sts1)#[no] t1 t1# fdl ansi
Enables the one-second transmission of the remote performance
reports via Facility Data Link (FDL) per ANSI T1.403.
Note FDL will run in ATT mode without this command. ATT
mode is not mutually exclusive with or different from ANSI
mode; ANSI mode is a superset of ATT mode.
Step 3 Router(config-ctrlr-sts1)#[no] t1 t1# framing {sf | esf}
Router(config-ctrlr-sts1)#[no] t1 t1# yellow {detection | generation}
Enables detection and generation of DS1 yellow alarms.
Step 4 Router(config-ctrlr-sts1)#[no] prefix t1 t1# shutdown
Shuts down the configured T1.
Step 5 Router(config-ctrlr-sts1)#[no] t1 t1# channel-group channel-group# timeslots list-of-timeslots speed [56 | 64]
Specifies the line speed in kilobits per second. Valid values are 56
and 64.
Step 6 Router(config-ctrlr-sts1)#[no] t1 t1# loopback {local | network line | remote {line fdl {ansi | bellcore} | payload fdl ansi}}
Note Local network payload loopback is not supported due to
TEMUX-84/TEMUX-84E limitations.
Note Only 6 E1 BERTs can be performed concurrently due to
TEMUX-84/TEMUX-84E limitations.
E1 configuration must be done in channelized DS3 mode. To configure E1, complete the following steps:
Command Purpose
Step 1 Router(config-ctrlr-sts1)#[no] e1 e1# channel-group channel-group# timeslots list-of-timeslots speed [56 | 64]
• E1 range is 1-4.
• Timeslot range is 1-31.
• Speed is 64 by default. A speed of 56 means that each DS0
runs at 56 kbps instead of 64 kbps, to connect some
legacy T1s.
Step 2 Router(config-ctrlr-sts1)#[no] e1 e1# [unframed | framing] {crc4 | no-crc4}
Configuration of crc4/no-crc4 is applicable only for the framed
E1 configuration. Unframed E1 doesn't need the configuration.
Step 3 Router(config-ctrlr-sts1)#[no] e1 e1# clock source {internal | line}
Configures clock source.
Step 4 Router(config-ctrlr-sts1)#[no] e1 e1# national bits pattern
Sets the national reserved bits on an E1 line. Pattern is the
hexadecimal value in the range 0x0 to 0x1F (hexadecimal) or 0 to
31 (decimal).
Step 5 Router(config-ctrlr-sts1)#[no] e1 e1# loopback [local | network]
Router(config-ctrlr-sts1)#[no] e1 e1# loopback [network] {line}
Local loopback is used to loop the data from the transmit path to
the receive path.
Network loopback is used to loop the data received from the
external port to the transmit path and back to the external port.
Step 6 Router(config-ctrlr-sts1)#[no] e1 e1# shutdown
Shuts down the configured E1.
BERT Test Configuration
To configure BERT test, complete the following:
Command Purpose
Step 1 Router(config-ctrlr-sts1)#[no] [e1 | t1] [e1# | t1#] bert pattern {2^11 | 2^15 | 2^20 QRSS} interval time
Sends a BERT pattern on a DS1/E1 line.
Unchannelized E3 Serial Interface Configuration
To configure an unchannelized E3 serial interface, complete the following commands. The commands
are configurable under the serial interface only and not configurable under controller.
Command Purpose
Step 1 Router(config)# interface serial [slot/subslot/port]./
• au-4 — Specifies the E3 interface under which AU-4 index.
For OC3 SPA, since there is only one AU-4, this value is
always 1.
• tug-3 — Specifies the index under which path the E3 is
configured.
Step 2 Router(config-if)#[no] dsu mode { cisco | digital-link | kentrox }
• cisco—Specifies cisco as the DSU mode.
• digital-link—Specifies Digital link as the DSU mode. Range
is from 300-34010.
• kentrox—Specifies kentrox as the DSU mode. Range is
1000-24500, 34010.
Default is cisco.
Step 3 Router(config-if)#[no] dsu bandwidth number
Specifies the maximum allowed bandwidth in KBPS.
Step 4 Router(config-if)#[no] national bit {0 | 1}
Default is 0.
Step 5 Router(config-if)#[no] crc {16 | 32}
Default is 16 bit (CRC-CCITT).
Step 6 Router(config-if)#[no] loopback {network | local | dte | dual}
Step 7 Router(config-if)#[no] shutdown
Use the show controllers command to verify the controller configuration.
The following sample output displays T1 1 with VTG 1 in SONET VT-15 mode:
Router(config)# show controllers sonet3/0/0.1/1/1
SONET 3/0/0 is down.
Path mode VT15
STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down
timeslots: 1-24
FDL per AT&T 54016 spec.
Receiver is getting AIS.
Framing is ESF, Clock Source is Internal
Data in current interval (623 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
623 Unavail Secs, 0 Stuffed Secs
Data in Interval 1:
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
900 Unavail Secs, 0 Stuffed Secs
Verifying Interface Configuration
Use the show interface serial command to verify the interface configuration:
Router(config)# show interface serial
Serial2/0/0.1/2 unassigned YES TFTP administratively down down
Serial2/1/0.1/1/1:0 unassigned YES unset down down
Serial2/1/0.1/2/4:0 unassigned YES unset down down
Serial2/1/0.1/2/4:1 unassigned YES unset down down
Serial2/1/0.2/1:0 unassigned YES unset down down
Serial2/1/0.2/2:0 unassigned YES unset down down
Serial2/1/0.2/3:0 unassigned YES unset down down
Serial2/1/0.3 unassigned YES unset down down
UUT#sh int Serial2/1/0.1/1/1:0
Serial2/1/0.1/1/1:0 is down, line protocol is down
Hardware is Channelized-T3
MTU 1500 bytes, BW 192 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
Available Bandwidth 192 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions alarm present
VC 2: timeslot(s): 1-3, Transmitter delay 0, non-inverted data
Following is a sample configuration:
UUT#sh run | beg 2/1/0
controller SONET 2/1/0
ais-shut
framing sonet
clock source line
overhead j0 1
!
sts-1 1
mode vt-15
vtg 1 t1 1 channel-group 0 timeslots 1-3
vtg 2 t1 4 channel-group 0 timeslots 1-2,5-6
vtg 2 t1 4 channel-group 1 timeslots 3,7,9
!
sts-1 2
mode ct3
t1 1 channel-group 0 timeslots 1-24
t1 2 channel-group 0 timeslots 1-12
t1 3 channel-group 0 timeslots 1
!
sts-1 3
mode t3
!
controller T3 3/1/0
shutdown
cablelength 224
!
controller T3 3/1/1
shutdown
cablelength 224
!!
interface Loopback0
ip address 172.10.11.1 255.255.255.255
.
.
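The timeslot lists in the sample configuration determine each serial interface's name and bandwidth (timeslots 1-3 give the BW 192 Kbit shown in the output above). The following is an added example, not part of the Cisco guide: it audits channel-group lines for out-of-range timeslots (1-24 for T1, 1-31 for E1) and for timeslots claimed by two channel-groups on the same line, and derives the interface name and bandwidth. The function names and the embedded configuration text are assumptions constructed for illustration.

```python
import re

MAX_SLOT = {"t1": 24, "e1": 31}   # valid timeslot range per line type
CHANNEL_RE = re.compile(
    r"^(?:vtg (\d+) )?(t1|e1) (\d+) channel-group (\d+) "
    r"timeslots (\S+)(?: speed (56|64))?$")

# Constructed sample, modeled on the "sh run" excerpt above.
SAMPLE_CONFIG = """\
controller SONET 2/1/0
 framing sonet
 !
 sts-1 1
  mode vt-15
  vtg 1 t1 1 channel-group 0 timeslots 1-3
  vtg 2 t1 4 channel-group 0 timeslots 1-2,5-6
  vtg 2 t1 4 channel-group 1 timeslots 3,7,9
 !
 sts-1 2
  mode ct3
  t1 1 channel-group 0 timeslots 1-24
  t1 2 channel-group 0 timeslots 1-12
  t1 3 channel-group 0 timeslots 1
"""


def parse_timeslots(spec, max_slot):
    """Expand '1-2,5-6' into {1, 2, 5, 6}; reject bad or repeated slots."""
    slots = set()
    for part in spec.split(","):
        lo, dash, hi = part.partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"malformed timeslot item {part!r}")
        first = int(lo)
        last = int(hi) if dash else first
        if first < 1 or last > max_slot or first > last:
            raise ValueError(f"timeslot item {part!r} outside 1-{max_slot}")
        span = set(range(first, last + 1))
        if slots & span:
            raise ValueError(f"timeslot item {part!r} repeats a slot")
        slots |= span
    return slots


def audit(config):
    """Return (channels, problems) for every channel-group in the text."""
    channels, problems = [], []
    owner = {}                 # (controller, path, kind, slot) -> group
    controller = sts = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^controller (\S+) (\S+)$", line, re.IGNORECASE)
        if m:
            # Only SONET controllers carry sts-1 paths in this format.
            is_sonet = m.group(1).upper() == "SONET"
            controller, sts = (m.group(2) if is_sonet else None), None
            continue
        m = re.match(r"^sts-1 (\d+)$", line)
        if m:
            sts = m.group(1)
            continue
        m = CHANNEL_RE.match(line)
        if not m or controller is None or sts is None:
            continue
        vtg, kind, num, group, spec, speed = m.groups()
        # Naming follows the listing above: Serial2/1/0.1/2/4:1 is
        # sts-1 1, vtg 2, t1 4, channel-group 1.
        path = f"{sts}/{vtg}/{num}" if vtg else f"{sts}/{num}"
        name = f"Serial{controller}.{path}:{group}"
        try:
            slots = parse_timeslots(spec, MAX_SLOT[kind])
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        for slot in sorted(slots):
            key = (controller, path, kind, slot)
            if key in owner and owner[key] != group:
                problems.append(
                    f"{name}: timeslot {slot} already in "
                    f"channel-group {owner[key]}")
            owner.setdefault(key, group)
        channels.append({
            "interface": name,
            "timeslots": sorted(slots),
            # Each DS0 carries 64 kbps unless "speed 56" is configured.
            "bw_kbit": len(slots) * int(speed or 64),
        })
    return channels, problems


if __name__ == "__main__":
    found, issues = audit(SAMPLE_CONFIG)
    for ch in found:
        print(ch["interface"], ch["bw_kbit"], "Kbit")
    print(issues or "no timeslot problems")
```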
Optional Configurations
There are several standard, but optional, configurations that might be necessary to complete the
configuration of your serial SPA.
• Configuring Encapsulation
• Configuring the CRC Size for T1
• Configuring FDL
• Configuring Multilink Point-to-Point Protocol (Hardware-based)
• Configuring APS
• Configuring MLFR
• FRF.12 Guidelines
• LFI Guidelines
• HW MLPPP LFI Guidelines
• FRF.12 LFI Guidelines
• Configuring QoS Features on Serial SPAs
Configuring Encapsulation
When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set
the encapsulation method, use the following commands:
Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# interface serial
For addressing information, refer to the “Interface
Naming” section on page 20-3.
Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies
the location of the interface.
Step 3 Router(config-if)# encapsulation
encapsulation-type {hdlc | ppp | frame-relay}
Sets the encapsulation method on the interface.
• hdlc—High-Level Data Link Control
(HDLC) protocol for serial interface. This
encapsulation method provides the
synchronous framing and error detection
functions of HDLC without windowing or
retransmission. This is the default for
synchronous serial interfaces.
• ppp—PPP (for serial interface).
• frame-relay—Frame Relay (for serial
interface).
Step 4 Router(config-if)# crc {16 | 32} Selects the CRC size in bits.
• 16—16-bit CRC. This is the default
• 32—32-bit CRC.
Configuring the CRC Size for T1
The 1-Port Channelized OC-3/STM-1 SPA interface uses a 16-bit cyclic redundancy check (CRC) by
default, but also supports a 32-bit CRC. CRC is an error-checking technique that uses a calculated
numeric value to detect errors in transmitted data. The designators 16 and 32 indicate the length (in bits)
of the frame check sequence (FCS). A CRC of 32 bits provides more powerful error detection, but adds
overhead. Both the sender and receiver must use the same setting.
CRC-16, the most widely used CRC throughout the United States and Europe, is used extensively with
WANs. CRC-32 is specified by IEEE 802 and as an option by some point-to-point transmission
standards. It is often used on Switched Multimegabit Data Service (SMDS) networks and LANs.
To set the length of the cyclic redundancy check (CRC) on a T1 interface, use these commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface serial
For addressing information, refer to the “Interface
Naming” section on page 20-3.
Selects the interface to configure.
• slot/subslot/port:channel-group—Specifies
the location of the interface.
Router(config-if)# crc {16|32} Configures the CRC based on the configuration
value. If you do not set any value, the default value
of 16 is assigned.
Configuring FDL
Facility Data Link (FDL) is a 4-kbps channel provided by the Extended Super Frame (ESF) T1 framing
format. The FDL performs outside the payload capacity and allows you to check error statistics on
terminating equipment without intrusion.
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# controller sonet slot/subslot/port
See the “Interface Naming” section on page 20-3.
Selects the controller to configure.
• slot/subslot/port—Specifies the location of the
controller.
Router(config-controller)# sts-1 If the framing format was configured for esf,
configures the format used for Facility Data Link
(FDL).
Router(config-controller)# vtg 1 t1 1 fdl ansi
• vtg—Specifies the VTG number.
• t1—Specifies the T1 number for which FDL
needs to be configured.
• ansi—Select ANSI for FDL to use the ANSI
T1.403 standard.
Verifying FDL
Use the show controllers command to verify the FDL setting:
Router(config)# show controllers sonet3/0/0.1/1/1
SONET 3/0/0 is down.
Path mode VT15
STS-1 1, VTG 1, T1 1 (VT1.5 1/1/1) is down
timeslots: 1-24
FDL per ANSI T1.403 and AT&T 54016 spec.
Receiver is getting AIS.
Framing is ESF, Clock Source is Internal
Data in current interval (805 seconds elapsed):
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
805 Unavail Secs, 0 Stuffed Secs
Data in Interval 1:
0 Line Code Violations, 0 Path Code Violations
0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
900 Unavail Secs, 0 Stuffed Secs
Configuring Multilink Point-to-Point Protocol (Hardware-based)
Multilink Point to Point Protocol (MLPPP) allows you to combine interfaces which correspond to an
entire T1 or E1 multilink bundle. You choose the number of bundles and the number of T1 or E1 lines
in each bundle.
MLPPP Configuration Guidelines
The required conditions are:
• Only T1 or E1 links in a bundle
• All links on the same SPA
• Maximum of 12 links in a bundle.
Note Some notes about hardware-based MLPPP:
• Only 3 fragmentation sizes are possible: 128, 256, and 512 bytes.
• Fragmentation is enabled by default; the default size is 512 bytes.
• Fragmentation size is configured using the ppp multilink fragment-delay command after using the
interface multilink command. The least of the fragmentation sizes (among the 3 sizes possible)
satisfying the delay criteria is configured (for example, a 192 byte packet causes a delay of 1 millisecond on a
T1 link, so the nearest fragmentation size is 128 bytes).
The show ppp multilink command will indicate the MLPPP type and the fragmentation size:
Router# show ppp multilink
Multilink1, bundle name is Patriot2
Bundle up for 00:00:13
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received, 206/255 load
0x0 received sequence, 0x0 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/2/0.1/1/1:0, since 00:00:13, no frags rcvd
Se4/2/0.1/1/2:0, since 00:00:10, no frags rcvd
Distributed fragmentation on. Fragment size 512. Multilink in Hardware.
Fragmentation is disabled explicitly by using the no ppp multilink fragmentation command after using
the interface multilink command.
Create a Multilink Bundle
To create a multilink bundle, use the following commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface multilink group-number
Creates a multilink interface and enters multilink
interface mode.
• group-number—The group number for the
multilink bundle.
Router(config-if)# ip address address mask Sets the IP address for the multilink group.
• address—The IP address.
• mask—The IP netmask.
Assign an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface serial
For addressing information, refer to the
“Interface Naming” section on page 20-3.
Selects the interface to configure and enters interface
configuration mode.
Router(config-if)# encapsulation ppp Enables PPP encapsulation.
Router(config-if)# multilink-group group-number
Assigns the interface to a multilink bundle.
• group-number—The multilink group number for
the T1 or E1 bundle.
Router(config-if)# ppp multilink Enables multilink PPP on the interface.
Repeat these commands for each interface you
want to assign to the multilink bundle.
Configuring Fragmentation Size on an MLPPP Bundle (optional)
To configure the fragmentation size on a multilink PPP bundle, use the following commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface multilink
For addressing information, refer to the
“Interface Naming” section on page 20-3.
Creates a multilink interface and enters multilink
interface mode.
• group-number—The group number for the
multilink bundle. Range 1-65535
Router(config-if)# ppp multilink fragment-delay delay
Sets the fragmentation size satisfying the configured
delay on the multilink bundle.
• delay—delay in milliseconds
Disabling the Fragmentation on an MLPPP Bundle (optional)
To disable fragmentation on a multilink bundle, use the following commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface multilink group-number
Creates a multilink interface and enters multilink
interface mode.
• group-number—The group number for the
multilink bundle. Range 1-65535
Router(config-if)# no ppp multilink fragmentation
Disables the fragmentation on the multilink bundle.
Configuring APS
Automatic protection switching (APS) allows switchover of the channelized OC3/OC12 channels in the
event of failure. APS refers to the mechanism of using a protect interface in the network as the backup
for a working interface. When the working interface fails, the protect interface quickly assumes its traffic
load. Depending on the configuration, the two circuits may be terminated in the same router, or in
different routers.
MLPPP MR-APS switchover time on all serial SPAs that support PPP encapsulation and APS on the
SIP 400 is enhanced in the 12.2(33)SRD2 release. MLPPP APS switchover time on the Cisco 7600 platform
is a combination of the time spent executing the software and the time required for LCP and IPCP
negotiations by the newly forwarding MLP bundle. In 12.2(33)SRD2, Cisco 7600 platform software is
optimized for faster MLPPP APS switchover time.
Further, to help reduce the LCP and IPCP negotiation time, the granularity of the ppp timeout retry
command is also enhanced in 12.2(33)SRD2 to include millisecond values. The PPP timeout retry
determines how long the PPP state machine for LCP waits for a response from the remote peer before
transmitting the next configuration request packet. The first configuration request packet from the new
active APS router is used by the APS unaware router to bring down the PPP sessions. The second
configuration request packet from the new active APS router triggers LCP negotiation.
There is no change in the default PPP timeout retry value (2 secs). In the SRD2 release, the minimum supported
configurable ppp timeout retry value is 255 msec.
Note Configuring the PPP retry timeout to be 250ms increases the CPU load on the router, but the faster PPP
retry timeout speeds up the PPP re-negotiation to help the overall switchover time.
The performance enhancement of PPP/MLPPP APS does not impact the original PPP/MLPPP scalability
on Cisco 7600.
For more information about APS, refer to A Brief Overview of Packet Over SONET APS at the following
URL:
http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a0080093eb5.shtml
To configure the working interface, use the following command in interface configuration mode:
Command Purpose
Router(config)# controller sonet slot/subslot/port
Selects the interface to configure and enters
controller configuration mode.
slot/subslot/port—Specifies the location of the
controller.
Router(config-if)# aps working Configures a channelized OC3/OC12 interface as a
working APS interface.
To remove the channelized interface as a working interface, use the no form of this command.
To configure the protect channelized interface, use the following command in interface configuration
mode:
Command Purpose
Router(config)# controller sonet slot/subslot/port
Selects the interface to configure and enters
controller configuration mode.
slot/subslot/port—Specifies the location of the
interface.
Router(config-if)# aps protect Configures a channelized OC3/OC12 interface as a
protect APS interface.
To revert the protect interface configuration on the channelized interface, use the no form of this
command.
To configure the ppp timeout retry on the channelized interface, use the following command in interface
configuration mode:
Command Purpose
Router(config)# interface serial slot/subslot/port:channel-group
Selects the interface to configure and enters interface
configuration mode.
slot/subslot/port:channel-group—Specifies the
location of the interface.
Router(config-if)# ppp timeout retry <0-255> [<0-999>]
Configures the PPP Control Protocol retry timer on
the channelized serial interface, in milliseconds.
Note The msecs timer increases the load on the
router and should not be used except for the
APS retry timeout configuration.
Note This command is backward compatible with
previous release trains up till 12.2(33)SRC for
the 1-Port Channelized OC-3/STM-1 SPA
and up till 12.2(33)SRD for the 1-Port
Channelized OC-12/STM-4 SPA.
To remove the timeout retry configuration on the interface, use the no form of this command.
Verifying the APS Configuration
To verify the APS configuration or to determine if a switchover has occurred, use the show aps
command.
The following is an example of the show aps command and a typical configuration on the SONET
controller for APS on the 1-Port Channelized OC-12/STM-4 SPA and 1-Port Channelized OC-3/STM-1 SPA:
Router#sh aps
SONET 3/0/0 APS Group 1: working channel 1 (Active)
Protect at 1.0.0.1
PGP timers (from protect): hello time=1; hold time=3
PGP timers (configured): hello time=1; hold time=3
SONET framing
Remote APS configuration: (null)
controller SONET 3/0/0
ais-shut
threshold sf-ber 3
framing sonet
clock source line
aps group 1
aps working 1
aps timers 1 3
Configuring MLFR
Multilink Frame Relay (MLFR) allows you to combine T1/E1 lines into a bundle that has the combined
bandwidth of multiple T1/E1 lines. You choose the number of bundles and the number of T1/E1 lines in
each bundle. This allows you to increase the bandwidth of your network links beyond that of a single
T1/E1 line.
MLFR Configuration Guidelines
MLFR will function in hardware if all of the following conditions are met:
• Only T1 or E1 member links
• All links are on the same SPA
• Maximum of 12 links in a bundle
• Only supported on OC3/STM-1 SPA on SIP-200
Create a Multilink Bundle
To create a multilink bundle, use the following commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface mfr number Configures a multilink Frame Relay bundle
interface.
• number—The number for the Frame Relay
bundle.
Router(config-if)# frame-relay multilink bid name
(Optional) Assigns a bundle identification name to
a multilink Frame Relay bundle.
• name—The name for the Frame Relay bundle.
Note The bundle identification (BID) will not go
into effect until the interface has gone from
the down state to the up state. One way to
bring the interface down and back up again
is by using the shut and no shut
commands in interface configuration
mode.
Assign an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:
Command Purpose
Router# configure terminal Enters global configuration mode.
Router(config)# interface serial
For addressing information, refer to the “Interface
Naming” section on page 20-3.
Selects the interface to assign.
Router(config-if)# encapsulation frame-relay mfr number [name]
Creates a multilink Frame Relay bundle link and
associates the link with a bundle.
• number—The number for the Frame Relay
bundle.
• name—The name for the Frame Relay bundle.
Router(config-if)# frame-relay multilink lid name
(Optional) Assigns a bundle link identification
name with a multilink Frame Relay bundle link.
• name—The name for the Frame Relay bundle.
Note The bundle link identification (LID) will
not go into effect until the interface has
gone from the down state to the up state.
One way to bring the interface down and
back up again is by using the shut and no
shut commands in interface configuration
mode.
Router(config-if)# frame-relay multilink hello seconds
(Optional) Configures the interval at which a
bundle link will send out hello messages. The
default value is 10 seconds.
• seconds—Number of seconds between hello
messages sent out over the multilink bundle.
Router(config-if)# frame-relay multilink ack seconds
(Optional) Configures the number of seconds that
a bundle link will wait for a hello message
acknowledgment before resending the hello
message. The default value is 4 seconds.
• seconds—Number of seconds a bundle link
will wait for a hello message acknowledgment
before resending the hello message.
Router(config-if)# frame-relay multilink retry number
(Optional) Configures the maximum number of
times a bundle link will resend a hello message
while waiting for an acknowledgment. The default
value is 2 tries.
• number—Maximum number of times a bundle
link will resend a hello message while waiting
for an acknowledgment.
Verifying Multilink Frame Relay
Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:
router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0:0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Remove_link sent = 0, Remove_link rcv'd = 0,
Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
FRF.12 Guidelines
FRF.12 functions in hardware and is supported only on the OC-3/STM-1 SPA with SIP200. Note the
following:
• Only 3 fragmentation sizes are available - 128 bytes, 256 bytes, and 512 bytes.
The supported fragment sizes - 128, 256 and 512 - include the FRF and NLPID headers in addition
to the payload.
• If you have a configuration where a C7600 router acts as a Provider Edge (PE) router between
Customer Edge (CE) routers, you can configure the C7600 in plain Frame Relay or Frame Relay
Fragmentation mode. If you enable Frame Relay Fragmentation only at the CE routers and the C7600
acts as a plain Frame Relay interface, the configuration works fine. In a configuration of a C7600 with
any of the three SPAs (8-Port Channelized T1/E1 SPA, 1-Port Channelized OC-3/STM-1 SPA, or 2 or
4-Port CT3 SPA), where Frame Relay is configured on the serial interface and Frame Relay
Fragmentation is enabled in any of the subinterfaces, the fragmented packets may be dropped in the
transparent DLCIs. If you want such a configuration to work, you should set the fragment size value
on the main interface larger than any CE router fragmentation size using the command frame-relay
fragment x end-to-end, where x is the fragmentation size on the main interface.
LFI Guidelines
LFI can function two ways - using FRF.12 or MLPPP. MLPPP LFI can be done in both hardware and
software while FRF.12 LFI is done only in hardware.
HW MLPPP LFI Guidelines
LFI using MLPPP will function only in hardware if there is just one member link in the MLPPP bundle.
The link can be a fractional T1 or full T1. Note the following:
• The ppp multilink interleave command needs to be configured to enable interleaving.
• Only three fragmentation sizes are supported - 128 bytes, 256 bytes, and 512 bytes.
• Fragmentation is enabled by default, the default size being 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
• Effective 12.2 SRB release, the bundle scale on a SIP200 is increased from 256 to 1024.
FRF.12 LFI Guidelines
LFI using FRF.12 is always done in hardware. Note the following:
• The fragmentation is configured at the main interface.
• Only 3 fragmentation sizes are available - 128 bytes, 256 bytes, and 512 bytes.
• A policy-map having a priority class needs to be applied to the main interface.
Configuring QoS Features on Serial SPAs
The SIPs and SPAs support many QoS features using modular QoS CLI (MQC) configuration. For
information about the QoS features supported by the serial SPAs, see the Configuring QoS Features on
Serial SPAs, page 20-26 of Chapter 4, “Configuring the SIPs and SSC.”
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command Purpose
Router# copy running-config startup-config Writes the new configuration to NVRAM.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Verifying the Interface Configuration
Besides using the show running-configuration command to display your Cisco 7600 series router
configuration settings, you can use the show interface serial and the show controllers serial commands
to get detailed information on a per-port basis for your 1-Port Channelized OC-3/STM-1 SPA.
Verifying Per-Port Interface Status
To find detailed interface information on a per-port basis for the 1-Port Channelized OC-3/STM-1 SPA,
use the show interface serial command.
The following example provides sample output for interface port 0 on the SPA located in the second
subslot of the Cisco 7600 SIP-200 installed in slot 2 of a Cisco 7600 series router in ct3 mode of SONET
framing:
Router# show interface serial 2/1/0.2/1:0
Serial2/1/0.2/1:0 is down, line protocol is down
Hardware is Channelized-T3
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
Available Bandwidth 1536 kilobits/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions alarm present
VC 5: timeslot(s): 1-24, Transmitter delay 0, non-inverted data
UUT#sh int Serial2/1/0.3
Serial2/1/0.3 is down, line protocol is down
Hardware is CHOCx SPA
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec, rely 255/255, load 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
Available Bandwidth 44210 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 parity
(Remaining output omitted)
Configuration Tasks
This section describes common configurations for the 1-Port Channelized OC-3/STM-1 SPA on a
Cisco 7600 series router. It contains procedures for the following configurations:
• Configuring CRTP, page 20-27
Configuring CRTP
For information on configuring cRTP, see Configuring Distributed Compressed Real-Time Protocol at
the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfdcrtp.html
Stateful MLPPP MR-APS
Multi Router-Automatic Protection Switching (MR-APS) provides Layer 1 switchover under 50 ms,
across the two routers, for optical links. However, if the MLPPP/PPP sessions exist on the optical link
during an MR-APS switchover, all the active Multilink Point to Point Protocol (MLPPP)/Point to Point
Protocol (PPP) sessions need to renegotiate. The renegotiation process increases the switchover time and
traffic loss. The Stateful MLPPP with MR-APS Inter-Chassis Redundancy feature provides the Inter
Chassis-Stateful Switchover (IC-SSO) for MLPPP and PPP sessions across the two routers without the
PPP/MLPPP session renegotiation.
The IC-SSO synchronizes the MLPPP sessions between the router hosting the active (working) MR-APS
controllers and the router hosting the standby (protect) MR-APS controllers. Using the state information
synchronized from the router hosting the active MR-APS controllers, the second router (with standby
MR-APS controllers) maintains the forwarding plane in ready state to forward the traffic immediately
after an MR-APS switchover occurs.
The Inter-chassis MR-APS MLPPP SSO combines existing IOS High Availability (HA) infrastructure
that synchronizes PPP/MLPPP states between the route processors on the same router chassis along
with the Inter Chassis Redundancy Manager (ICRM), to provide stateful switchover of PPP/MLPPP
sessions across the routers. This feature is supported on 1xCHOC3-STM1 SPA and 1xCHOC12-STM4
SPA. The 1xCHOC12-STM4 SPA is supported on SIP400 line card only and 1xCHOC3-STM1 is
supported on SIP200 and SIP400 line cards for Cisco 7600 Series Routers.
Note For platform independent information of this feature, see the Wide-Area Networking Configuration
Guide at: http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/15_1s/wan_15_1s_book.html
MR-APS Deployment
The MR-APS deployment involves multiple cell sites connected to the provider network using the
bundled T1/E1 connections. The T1/E1 connections are aggregated into the Optical Carrier 3 (OC3) or
Optical Carrier 12 (OC12) links using the Add-Drop Multiplexers (ADMs).
Figure 20-1 shows the MR-APS deployment using the Cisco 7600 Routers.
Figure 20-1 MR-APS Deployment
To implement this feature, you need to configure the MR-APS IC-SSO on the two Cisco 7600 Routers,
Working and Protect, as shown in this figure.
Unlike the conventional SSO model, where one router is active and the other is in standby mode,
MR-APS deployment involves both the routers (Working and Protect) in active state with synchronized
SONET controllers on both the routers. The controllers running on one router are in the standby mode
on the other router and vice versa. When the MR-APS detects a failure in a SONET OC3 or OC12
controller on the Working router, it activates the corresponding standby controller on the Protect router.
This switchover from inactive to active state ensures minimum traffic outage and is achieved by ensuring
that the MLPPP/PPP sessions per SONET controller (APS group) are stateful across the routers.
Inter Chassis Redundancy Manager
ICRM provides these capabilities for stateful MLPPP with MR-APS Inter-Chassis Redundancy
implementation:
• Node health monitoring for complete node, PE, or box failure detection. ICRM also communicates
failures to the applications registered with an ICRM group.
• Reliable data channels to transfer the state information.
• Detects active RP failure as node failure and notifies the controllers.
• ICRM on the standby RP re-establishes the communication channel with peer node if the active RP
fails.
Automatic Protection Switching
APS allows switchover of the OC3 or OC12 controllers in the event of a network failure. APS involves
a protect interface in the network as the backup for an active (working) interface. When the active
interface fails, the protect interface quickly takes care of the traffic load. Depending on the
configuration, the two interfaces may be terminated on the same router, or on different routers. Based on
where the interfaces terminate, APS is categorized into two types: Single Router-APS (SR-APS) and
Multi Router-APS (MR-APS). Additionally, the APS is responsible for managing the active and standby
progression events on the APS groups. Each APS group is a logical representation of a physical SONET
controller redundancy state.
For more information on APS, see Configuring APS.
Failure Protection Scenarios
The Stateful MLPPP feature provides network resiliency by protecting against:
• Active APS SONET controller, SPA, or Line card failure
• RP and Node failure
Active APS SONET controller, SPA, or Line card failure
Figure 20-2 shows MLPPP sessions in MR-APS configuration before an active APS group fails. On the
Router A active RP, grp1 is the APS group1 and group2 is the APS group 2. All the sessions of the group1
are active and all the sessions of group2 are standby on Router A. Similarly, on the Router B, all the
sessions of the group2 are active and all the sessions of group1 are in the standby state.
Figure 20-2 MLPPP Sessions Before an Active APS Group Fails
When an APS group on Router A fails, the APS informs the corresponding standby APS group on the
Router B to take over as active APS group. The standby APS group on Router B changes state to the
active and all the sessions in the group become active. The APS group on Router A is re-initialized and
moved to the standby state. Figure 20-3 shows how the MLPPP sessions switchover after an active APS
(group1) fails:
Figure 20-3 MLPPP Sessions After an Active APS Group Fails
Route Processor and Node failure
The ICRM treats an active RP failure as a complete node failure. It sends the failure notification and
communicates the go-active event to the standby APS groups. The standby APS groups move to active
state on receiving the go-active event message. When the failed node comes up, the ICRM establishes
fresh connection with all the APS groups on the node. All the APS groups are synchronized between the
two routers, and the APS groups on the second router are moved to the standby state.
Figure 20-4 shows APS groups on the two peer nodes, Router A and Router B.
Figure 20-4 APS Groups on Peer Nodes
When the active RP of the Router A fails, the APS groups are switched over to the Router B making all
the APS groups on the Router B active. All the APS groups on the standby RP of Router A are set to the
initial state after the standby RP changes to active on the Router A. The applications that are RP SSO
aware (non ICRM clients) switchover to the standby RP on Router A. Figure 20-5 shows the APS groups
after the active RP on the Router A fails.
Figure 20-5 APS Groups After the Active RP on Router A Fails
The ICRM establishes fresh connections with the new active RP on the Router A and the APS
synchronizes the group states from Router B to Router A (in standby state). This event triggers all the
APS groups on Router A to move to standby state and the synchronization process is initiated from the
Router B. On the Router A, the failed RP reboots as the new standby RP and RP SSO aware applications
are synchronized to the new standby RP.
Restrictions for Stateful MLPPP with MR-APS Inter-Chassis Redundancy
The following restrictions apply to Stateful MLPPP with MR-APS Inter-Chassis Redundancy:
• Both routers should have the same MR-APS configuration.
• The In-Service Software Upgrade (ISSU) functionality is not supported.
• Applications running over MLP/PPP sessions such as the Internet Group Management Protocol
(IGMP) and Transmission Control Protocol (TCP) are not synchronized across the routers. On the
APS switchover, IGMP joins and TCP sessions are re-established.
• APS session throttling for the groups is not supported.
• Broadband sessions such as Point-to-Point Protocol over X (PPPoX) and IP are not supported.
• Intelligent Services Gateway (ISG) features are not supported on APS groups.
• The Authentication, Authorization and Accounting (AAA) protocol is not supported for MR-APS
switchover.
• APS revertive mode is not supported.
Configuring Stateful MLPPP with MR-APS Inter-Chassis Redundancy
To configure Stateful MLPPP with MR-APS Inter-Chassis Redundancy, you need to configure the two
Cisco 7600 Series Routers with ICRM and MR-APS configuration. Figure 20-1 shows typical
infrastructure for Stateful MLPPP with MR-APS Inter-Chassis Redundancy implementation.
The configuration involves these steps:
• Configuring MR-APS Inter-Chassis Redundancy on the Working Router
• Configuring MR-APS Inter-Chassis Redundancy on the Protect Router
Configuring MR-APS Inter-Chassis Redundancy on the Working Router
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. interchassis group group-id
5. monitor peer bfd
6. member ip ip-address
7. end
8. configure terminal
9. interface gigabitethernet slot/port
10. ip address ip_address subnet_mask
11. no shutdown
12. load-interval seconds
13. negotiation {forced | auto}
14. mpls ip
15. mpls label protocol {ldp | tdp | both}
16. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
17. end
18. configure terminal
19. interface gigabitethernet slot/port
20. ip address ip_address subnet_mask
21. no shutdown
22. negotiation {forced | auto}
23. cdp {enable | disable}
24. end
25. configure terminal
26. controller sonet slot/bay/port
27. no ais-shut
28. framing sonet
29. clock source {line [primary | bits | independent] | internal [independent] | free-running}
30. sts-1 sts1-number
31. mode vt-15
32. vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
33. end
34. configure terminal
35. interface multilink1
36. ip address ip_address subnet_mask
37. carrier-delay msec msec
38. ppp multilink
39. ppp multilink group group-number
40. ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone
telephone-number | string char-string}
41. ppp timeout retry seconds
42. end
43. configure terminal
44. interface serial instance
45. no ip address
46. encapsulation ppp
47. ppp multilink
48. ppp multilink group group-number
49. end
50. configure terminal
51. controller sonet slot/bay/port
52. shutdown
53. aps group group_id
54. aps [working | protect] aps-group-number [ip_address_of_working]
55. aps interchassis group icrm-group-number
56. no shutdown
57. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 redundancy
Example:
Working-Router(config)# redundancy
Enters the redundancy configuration mode.
Step 4 interchassis group group-id
Example:
Working-Router(config-red)# interchassis group 50
Configures an interchassis group within the redundancy
configuration mode and enters the interchassis
redundancy mode.
Step 5 monitor peer bfd
Example:
Working-Router(config-r-ic)# monitor peer bfd
Configures the BFD to monitor the state of the peer
routers. The default option is route-watch.
Step 6 member ip ip-address
Example:
Working-Router(config-r-ic)# member ip 60.60.60.2
Configures the IP address of the Multichassis Link
Aggregation Control Protocol (mLACP) peer member
group.
Step 7 end
Example:
Working-Router(config-r-ic)# end
Ends the configuration session and returns to the EXEC
mode.
Step 8 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 9 interface gigabitethernet slot/subslot/port
Example:
Working-Router(config)# interface GigabitEthernet3/1/0
Specifies the gigabit ethernet interface to configure
ICRM connection, where:
slot/subslot/port—Specifies the location of the interface.
Step 10 ip address ip_address subnet_mask
Example:
Working-Router(config-if)# ip address 60.60.60.1 255.255.255.0
Configures the IP address of the interface.
Step 11 no shutdown
Example:
Working-Router(config-if)# no shutdown
Reverses the shutdown of an interface.
Step 12 load-interval seconds
Example:
Working-Router(config-if)# load-interval 30
Sets the duration to calculate the load.
Step 13 negotiation {forced | auto}
Example:
Working-Router(config-if)# negotiation auto
Enables the advertisement of speed, duplex mode, and
flow control on a gigabit ethernet interface.
Step 14 mpls ip
Example:
Working-Router(config-if)# mpls ip
Enables Multi Protocol Label Switching (MPLS).
Step 15 mpls label protocol {ldp | tdp | both}
Example:
Working-Router(config-if)# mpls label protocol both
Specifies that both label distribution protocols are
supported on the interface.
Step 16 bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
Example:
Working-Router(config-if)# bfd interval 50 min_rx 150 multiplier 3
Enables BFD on the interface.
Step 17 end
Example:
Working-Router(config-if)# end
Ends the configuration session and returns to the EXEC
mode.
Step 18 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 19 interface gigabitethernet slot/subslot/port
Example:
Working-Router(config)# interface GigabitEthernet3/1/1
Specifies the gigabit ethernet interface to configure PGP
link:
slot/subslot/port—Specifies the location of the interface.
Step 20 ip address ip_address subnet_mask
Example:
Working-Router(config-if)# ip address 12.2.1.2 255.255.255.0
Configures the IP address of the interface.
Step 21 no shutdown
Example:
Working-Router(config-if)# no shutdown
Reverses the shutdown of an interface.
Step 22 negotiation {forced | auto}
Example:
Working-Router(config-if)# negotiation auto
Enables the advertisement of speed, duplex mode, and
flow control on a gigabit ethernet interface.
Step 23 cdp {enable | disable}
Example:
Working-Router(config-if)# cdp enable
Enables the Cisco Discovery Protocol on an interface.
Step 24 end
Example:
Working-Router(config-if)# end
Ends the configuration session and returns to the EXEC
mode.
Step 25 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 26 controller sonet slot/bay/port
Example:
Working-Router(config)# controller SONET 4/2/0
Selects and configures a SONET controller and enters
controller configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 27 no ais-shut
Example:
Working-Router(config-controller)# no ais-shut
Disables automatic insertion of a Line Alarm Indication
Signal (LAIS) in the SONET signal.
Step 28 framing sonet
Example:
Working-Router(config-controller)# framing sonet
Configures the controller for SONET framing. SONET
framing is the default option.
Step 29 clock source {line [primary | bits | independent] | internal [independent] | free-running}
Example:
Working-Router(config-controller)# clock source line
Sets the clocking for individual T1 or E1 links. Specifies
that the phase lock loop (PLL) on this controller derives
its clocking from the external source connected to the
controller (generally the telephone company’s central
office).
Step 30 sts-1 sts1-number
Example:
Working-Router(config-controller)# sts-1 1
Specifies the STS identifier.
Step 31 mode vt-15
Example:
Working-Router(config-ctrlr-sts1)# mode vt-15
Specifies the STS-1 mode of operation.
Step 32 vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
Example:
Working-Router(config-ctrlr-sts1)# vtg 1 t1 1 channel-group 0 timeslots 1-24
Creates a Circuit Emulation Services over Packet
Switched Network circuit emulation (CESoPSN) CEM
group.
Step 33 end
Example:
Working-Router(config-ctrlr-sts1)# end
Ends the configuration session and returns to the EXEC
mode.
Step 34 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 35 interface multilink1
Example:
Working-Router(config)# interface multilink1
Enters the multilink interface configuration mode.
Step 36 ip address ip_address subnet_mask
Example:
Working-Router(config-if)# ip address 11.1.1.2 255.255.255.0
Configures the IP address of the interface.
Step 37 carrier-delay msec msec
Example:
Working-Router(config-if)# carrier-delay msec 1
Sets the duration to propagate the link status to other
modules.
Step 38 ppp multilink
Example:
Working-Router(config-if)# ppp multilink
Enables MLPPP.
Step 39 ppp multilink group group-number
Example:
Working-Router(config-if)# ppp multilink group 1
Specifies the physical link to associate to a designated
multilink group interface.
Step 40 ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone telephone-number | string char-string}
Example:
Working-Router(config-if)# ppp multilink endpoint string mlp_aps_1
Overrides or changes the default endpoint discriminator
that the system uses when negotiating the use of MLPPP
with the peer system. The command attributes are:
• hostname: Indicates to use the hostname configured
for the router. This is useful when multiple routers are
using the same username to authenticate, but have
different hostnames.
• ip: Indicates to use the supplied IP address.
• mac: Indicates to use the specified LAN interface
whose MAC address is to be used.
• none: Causes negotiation of the Link Control
Protocol (LCP) without requesting the endpoint
discriminator option. This is useful when the router
connects to a malfunctioning peer system that does
not handle the endpoint discriminator option
properly.
• phone: Indicates to use the specified telephone
number. Accepts E.164-compliant, full international
telephone numbers.
• string: Indicates to use the supplied character string.
Step 41 ppp timeout retry seconds
Example:
Working-Router(config-if)# ppp timeout retry 0 250
Sets the PPP timeout retry parameters.
Note Replace the seconds argument with the maximum
time, in seconds, to wait for a response during
PPP negotiation. Range is from 1 to 10 seconds.
The default is 3 seconds.
Step 42 end
Example:
Working-Router(config-if)# end
Ends the configuration session and returns to the EXEC
mode.
Step 43 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 44 interface serial instance
Example:
Working-Router(config)# interface Serial4/2/0.1/1/1:0
Configures a serial interface and enters the interface
configuration mode.
Step 45 no ip address
Example:
Working-Router(config-if)# no ip address
Removes the configured IP address from the interface.
Step 46 encapsulation ppp
Example:
Working-Router(config-if)# encapsulation ppp
Enables PPP encapsulation of traffic on the specified
interface.
Step 47 ppp multilink
Example:
Working-Router(config-if)# ppp multilink
Enables MLP.
Step 48 ppp multilink group group-number
Example:
Working-Router(config-if)# ppp multilink group 1
Specifies the physical link to attach to the designated
multilink group interface.
Step 49 end
Example:
Working-Router(config-if)# end
Ends the configuration session and returns to the EXEC
mode.
Step 50 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 51 controller sonet slot/bay/port
Example:
Working-Router(config)# controller sonet 4/2/0
Selects and configures a SONET controller and enters the
controller configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 52 shutdown
Example:
Working-Router(config-controller)# shutdown
Shuts down the SONET controller.
Step 53 aps group group_id
Example:
Working-Router(config-controller)# aps group 1
Configures the APS group for a SONET controller.
Step 54 aps [working | protect] aps-group-number [ip_address_of_working]
Example:
Working-Router(config-controller)# aps working 1
Configures the APS group as the working interface.
Note The attribute, ip_address_of_working, is only
required for configuring the Protect router
configuration.
Step 55 aps interchassis group icrm-group-number
Example:
Working-Router(config-controller)# aps interchassis group 1
Associates the APS group to an ICRM group number.
Step 56 no shutdown
Example:
Working-Router(config-controller)# no shutdown
Reverses the shutdown of an interface.
Step 57 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC
mode.
Configuration Example
This example describes how to configure MR-APS Inter-Chassis Redundancy on a Working router.
Working-Router>enable
Working-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#redundancy
Working-Router(config-red)#interchassis group 1
Working-Router(config-r-ic)#monitor peer bfd
Working-Router(config-r-ic)#member ip 60.60.60.2
Working-Router(config-r-ic)#end
Working-Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#interface GigabitEthernet3/1/0 <<<<<<< ICRM link >>>>>>>>
Working-Router(config-if)#ip address 60.60.60.1 255.255.255.0
Working-Router(config-if)#no shutdown
Working-Router(config-if)#load-interval 30
Working-Router(config-if)#negotiation auto
Working-Router(config-if)#mpls ip
Working-Router(config-if)#mpls label protocol both
Working-Router(config-if)#bfd interval 50 min_rx 150 multiplier 3
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#interface GigabitEthernet3/1/1 <<<<< PGP Link>>>>>>>
Working-Router(config-if)#ip address 12.2.1.2 255.255.255.0
Working-Router(config-if)#no shutdown
Working-Router(config-if)#negotiation auto
Working-Router(config-if)#cdp enable
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#controller SONET 4/2/0
Working-Router(config-controller)#no ais-shut
Working-Router(config-controller)#framing sonet
Working-Router(config-controller)#clock source line
Working-Router(config-controller)#sts-1 1
Working-Router(config-ctrlr-sts1)#mode vt-15
Working-Router(config-ctrlr-sts1)#vtg 1 t1 1 channel-group 0 timeslots 1-24
Working-Router(config-ctrlr-sts1)#end
Working-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#interface Multilink1
Working-Router(config-if)#ip address 11.1.1.2 255.255.255.0
Working-Router(config-if)#carrier-delay msec 1
Working-Router(config-if)#ppp multilink
Working-Router(config-if)#ppp multilink group 1
Working-Router(config-if)#ppp multilink endpoint string mlp_aps_1
Working-Router(config-if)#ppp timeout retry 0 250
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#interface Serial4/2/0.1/1/1:0
Working-Router(config-if)#no ip address
Working-Router(config-if)#encapsulation ppp
Working-Router(config-if)#ppp multilink
Working-Router(config-if)#ppp multilink group 1
Working-Router(config-if)#end
Working-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Working-Router(config)#controller sonet 4/2/0
Working-Router(config-controller)#shutdown
Working-Router(config-controller)#aps group 1
Working-Router(config-controller)#aps working 1
Working-Router(config-controller)#aps interchassis group 1
Working-Router(config-controller)#no shutdown
Working-Router(config-controller)#end
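The restriction that both routers carry the same MR-APS configuration can be checked before the controllers are brought up. The following Python script is an added example, not Cisco code: it parses two constructed running-config excerpts and reports mismatched ICRM peers, APS roles, interchassis group bindings and multilink bundle settings. Router A reuses the Working-router values from this section; Router B's Multilink lines and its "aps protect 1 12.2.1.2" line are assumptions, and the function names parse and audit are hypothetical.

```python
import re

# Constructed excerpts. ROUTER_A reuses the Working-router values from this
# section; ROUTER_B's Multilink and "aps protect" lines are assumptions.
ROUTER_A = """\
redundancy
 interchassis group 1
  monitor peer bfd
  member ip 60.60.60.2
interface GigabitEthernet3/1/0
 ip address 60.60.60.1 255.255.255.0
interface GigabitEthernet3/1/1
 ip address 12.2.1.2 255.255.255.0
interface Multilink1
 ppp multilink group 1
 ppp multilink endpoint string mlp_aps_1
controller SONET 4/2/0
 aps group 1
 aps working 1
 aps interchassis group 1
"""
ROUTER_B = """\
redundancy
 interchassis group 1
  monitor peer bfd
  member ip 60.60.60.1
interface GigabitEthernet2/1/0
 ip address 60.60.60.2 255.255.255.0
interface GigabitEthernet2/1/1
 ip address 12.2.1.1 255.255.255.0
interface Multilink1
 ppp multilink group 1
 ppp multilink endpoint string mlp_aps_1
controller SONET 3/2/0
 aps group 1
 aps protect 1 12.2.1.2
 aps interchassis group 1
"""


def parse(cfg):
    """Collect MR-APS settings; 'route-watch' is the default peer monitor."""
    facts = {"ic": {}, "addrs": set(), "bundles": {}, "aps": {}}
    section, grp = "", None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():               # unindented line opens a section
            section, grp = line.lower(), None
        elif section == "redundancy":
            if m := re.fullmatch(r"interchassis group (\d+)", line):
                grp = facts["ic"].setdefault(m[1], {"monitor": "route-watch", "member": None})
            elif grp is not None and (m := re.fullmatch(r"(monitor peer|member ip) (\S+)", line)):
                grp[m[1].split()[0]] = m[2]
        elif section.startswith("interface"):
            if m := re.fullmatch(r"ip address (\S+) \S+", line):
                facts["addrs"].add(m[1])
            elif section.startswith("interface multilink") and (
                    m := re.fullmatch(r"ppp multilink (group|endpoint) (.+)", line)):
                facts["bundles"].setdefault(section.split()[1], {})[m[1]] = m[2]
        elif section.startswith("controller sonet"):
            aps = facts["aps"].setdefault(section, {})
            if m := re.fullmatch(r"aps (interchassis )?group (\d+)", line):
                aps["ic" if m[1] else "group"] = m[2]
            elif m := re.fullmatch(r"aps (working|protect) \d+(?: (\S+))?", line):
                aps["role"], aps["working_ip"] = m[1], m[2]
    return facts


def audit(cfg_a, cfg_b):
    """Return findings for a router pair; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    sides = (("router A", a, b), ("router B", b, a))
    out = []
    # ICRM: group defined on both sides, member ip mirrors a peer address.
    for gid in sorted(set(a["ic"]) | set(b["ic"])):
        for name, local, peer in sides:
            g = local["ic"].get(gid)
            if g is None:
                out.append(f"{name}: interchassis group {gid} is not defined")
            elif g["member"] not in peer["addrs"]:
                out.append(f"{name}: member ip {g['member']} is not an address on the peer")
        if gid in a["ic"] and gid in b["ic"] and a["ic"][gid]["monitor"] != b["ic"][gid]["monitor"]:
            out.append(f"interchassis group {gid}: peer monitor differs between routers")
    # APS: opposite roles per group, ICRM binding resolves, protect side
    # points at an address that exists on the working router.
    by_group = [{c["group"]: c for c in f["aps"].values() if "group" in c} for f in (a, b)]
    for gid in sorted(set(by_group[0]) | set(by_group[1])):
        ca, cb = by_group[0].get(gid, {}), by_group[1].get(gid, {})
        if {ca.get("role"), cb.get("role")} != {"working", "protect"}:
            out.append(f"aps group {gid}: needs one working and one protect controller")
        for (name, local, peer), ctl in zip(sides, (ca, cb)):
            if ctl and ctl.get("ic") not in local["ic"]:
                out.append(f"{name}: aps group {gid} references undefined interchassis group {ctl.get('ic')}")
            if ctl.get("role") == "protect" and ctl.get("working_ip") not in peer["addrs"]:
                out.append(f"{name}: aps protect {gid} names {ctl.get('working_ip')}, not an address on the peer")
    if a["bundles"] != b["bundles"]:
        out.append("multilink group/endpoint settings differ between routers")
    return out
```

Calling audit(ROUTER_A, ROUTER_B) returns an empty list for the pair above; changing the redundancy group on one router to 50 while the controller still binds to group 1 is reported as an undefined interchassis group.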
Configuring MR-APS Inter-Chassis Redundancy on Protect Router
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. interchassis group group-id
5. monitor peer bfd
6. member ip ip-address
7. end
8. configure terminal
9. interface gigabitethernet slot/port
10. ip address ip_address subnet_mask
11. no shutdown
12. load-interval seconds
13. negotiation {forced | auto}
14. mpls ip
15. mpls label protocol {ldp | tdp | both}
16. bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
17. end
18. configure terminal
19. interface gigabitethernet slot/port
20. ip address ip_address subnet_mask
21. no shutdown
22. negotiation {forced | auto}
23. cdp {enable|disable}
24. end
25. configure terminal
26. controller sonet slot/bay/port
27. no ais-shut
28. framing sonet
29. clock source {line [primary | bits | independent] | internal [independent] | free-running}
30. sts-1 sts1-number
31. mode vt-15
32. vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
33. end
34. configure terminal
35. interface multilink1
36. ip address ip_address subnet_mask
37. carrier-delay msec msec
38. ppp multilink
39. ppp multilink group group-number
40. ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone
telephone-number | string char-string}
41. ppp timeout retry seconds
42. end
43. configure terminal
44. interface serial instance
45. no ip address
46. encapsulation ppp
47. ppp multilink
48. ppp multilink group group-number
49. end
50. configure terminal
51. controller sonet slot/bay/port
52. shutdown
53. aps group group_id
54. aps [working | protect] aps-group-number [ip_address_of_working]
55. aps interchassis group icrm-group-number
56. no shutdown
57. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Protect-Router>enable
Enables the privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 3 redundancy
Example:
Protect-Router(config)#redundancy
Enters the redundancy configuration mode.
Step 4 interchassis group group-id
Example:
Protect-Router(config-red)#interchassis group 1
Configures an interchassis group within the redundancy
configuration mode and enters the interchassis
redundancy mode.
Step 5 monitor peer bfd
Example:
Protect-Router(config-r-ic)#monitor peer bfd
Configures the BFD option to monitor the state of the
peer. The default option is route-watch.
Step 6 member ip ip-address
Example:
Protect-Router(config-r-ic)#member ip 60.60.60.1
Configures the IP address of the mLACP peer member
group.
Step 7 end
Example:
Protect-Router(config-r-ic)#end
Ends the configuration session and returns to the EXEC
mode.
Step 8 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 9 interface gigabitethernet slot/subslot/port
Example:
Protect-Router(config)#interface GigabitEthernet2/1/0
Specifies the gigabit ethernet interface to configure the
ICRM connection, where:
slot/subslot/port—Specifies the location of the interface.
Step 10 ip address ip_address subnet_mask
Example:
Protect-Router(config-if)#ip address 60.60.60.2 255.255.255.0
Configures the IP address of the interface.
Step 11 no shutdown
Example:
Protect-Router(config-if)#no shutdown
Reverses the shutdown of an interface.
Step 12 load-interval seconds
Example:
Protect-Router(config-if)#load-interval 30
Sets the duration to calculate the load.
Step 13 negotiation {forced | auto}
Example:
Protect-Router(config-if)#negotiation auto
Enables the advertisement of speed, duplex mode, and
flow control on a gigabit ethernet interface.
Step 14 mpls ip
Example:
Protect-Router(config-if)#mpls ip
Enables MPLS.
Step 15 mpls label protocol {ldp | tdp | both}
Example:
Protect-Router(config-if)#mpls label protocol both
Specifies that both label distribution protocols are
supported on the interface.
Step 16 bfd interval milliseconds min_rx milliseconds multiplier interval-multiplier
Example:
Protect-Router(config-if)#bfd interval 50 min_rx 150 multiplier 3
Enables BFD on the interface.
Step 17 end
Example:
Protect-Router(config-if)#end
Ends the configuration session and returns to the EXEC
mode..
Step 18 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 19 interface gigabitethernet
slot/subslot/port
Example:
Protect-Router(config-if)#interface
GigabitEthernet2/1/1
Specifies the gigabit ethernet interface to configure the
PGP link, where:
slot/subslot/port—Specifies the location of the interface.
Step 20 ip address ip_address subnet_mask
Example:
Protect-Router(config-if)#ip address
12.2.1.1 255.255.255.0
Configures the IP address of the interface.
Step 21 no shutdown
Example:
Working-Router(config-if)#no shutdown
Reverses the shutdown of an interface.
Step 22 negotiation {forced | auto}
Example:
Protect-Router(config-if)#negotiation
auto
Enables the advertisement of speed, duplex mode, and
flow control on a gigabit ethernet interface.
Step 23 end
Example:
Protect-Router(config-if)#end
Ends the configuration session and returns to the EXEC
mode.
Step 24 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 25 controller sonet slot/bay/port
Example:
Protect-Router(config)#controller SONET 3/2/0
Selects and configures a SONET controller and enters the
controller configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 26 no ais-shut
Example:
Protect-Router(config-controller)#no ais-shut
Disables the automatic insertion of a LAIS in the SONET
signal.
Step 27 framing sonet
Example:
Protect-Router(config-controller)#framing sonet
Configures the controller for SONET framing. SONET
framing is the default option.
Step 28 clock source {line [primary | bits | independent] | internal [independent] | free-running}
Example:
Protect-Router(config-controller)#clock source line
Sets clocking for individual T1 or E1 links. This
command specifies that the PLL on this controller derives
its clocking from the external source connected to the
controller (generally the telephone company’s central
office).
Step 29 sts-1 sts1-number
Example:
Protect-Router(config-controller)#sts-1 1
Specifies the STS identifier.
Step 30 mode vt-15
Example:
Protect-Router(config-ctrlr-sts1)#mode vt-15
Specifies the STS-1 mode of operation.
Step 31 vtg vtg_number t1 t1_line_number channel-group channel-number timeslots list-of-timeslots
Example:
Protect-Router(config-ctrlr-sts1)#vtg 1 t1 1 channel-group 0 timeslots 1-24
Creates a Circuit Emulation Services over Packet
Switched Network circuit emulation (CESoPSN) CEM
group.
Step 32 end
Example:
Protect-Router(config-ctrlr-sts1)#end
Ends the configuration session and returns to the EXEC
mode.
Step 33 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 34 interface multilink1
Example:
Protect-Router(config)#interface multilink1
Enters multilink interface configuration mode.
Step 35 ip address ip_address subnet_mask
Example:
Protect-Router(config-if)#ip address 11.1.1.2 255.255.255.0
Configures the IP address for the interface.
Step 36 carrier-delay msec msec
Example:
Protect-Router(config-if)#carrier-delay msec 1
Sets the duration to propagate the link status to other
modules.
Step 37 ppp multilink
Example:
Protect-Router(config-if)#ppp multilink
Enables MLPPP.
Step 38 ppp multilink group group-number
Example:
Protect-Router(config-if)#ppp multilink group 1
Specifies the physical link to associate to the designated
multilink group interface.
Step 39 ppp multilink endpoint {hostname | ip ip-address | mac lan-interface | none | phone telephone-number | string char-string}
Example:
Protect-Router(config-if)#ppp multilink endpoint string mlp_aps_1
Overrides or changes the default endpoint discriminator
that the system uses while negotiating the use of MLP
with the peer system.
• hostname: Indicates to use the hostname configured
for the router. This is useful when multiple routers are
using the same username to authenticate, but have
different hostnames.
• ip: Indicates to use the supplied IP address.
• mac: Indicates to use the specified LAN interface
whose MAC address is to be used.
• none: Causes negotiation of the Link Control
Protocol (LCP) without requesting the endpoint
discriminator option. This is useful when the router
connects to a malfunctioning peer system that does
not handle the endpoint discriminator option
properly.
• phone: Indicates to use the specified telephone
number. Accepts E.164-compliant, full international
telephone numbers.
• string: Indicates to use the supplied character string.
Step 40 ppp timeout retry seconds
Example:
Protect-Router(config-if)#ppp timeout retry 0 250
Sets the PPP timeout retry parameters.
Note Replace the seconds argument with the maximum
time, in seconds, to wait for a response during
PPP negotiation. Range is from 1 to 10 seconds.
The default is 3 seconds.
Step 41 end
Example:
Protect-Router(config-if)#end
Ends the configuration session and returns to the EXEC
mode.
Step 42 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 43 interface serial instance
Example:
Protect-Router(config)#interface Serial3/2/0.1/1/1:0
Configures the serial interface and enters the interface
configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 44 no ip address
Example:
Protect-Router(config-if)#no ip address
Removes the configured IP address on the interface.
Step 45 encapsulation ppp
Example:
Protect-Router(config-if)#encapsulation ppp
Enables PPP encapsulation of traffic on the specified
interface.
Step 46 ppp multilink
Example:
Protect-Router(config-if)#ppp multilink
Enables MLPPP.
Step 47 ppp multilink group group-number
Example:
Protect-Router(config-if)#ppp multilink group 1
Specifies the physical link to attach to the designated
multilink group interface.
Step 48 end
Example:
Protect-Router(config-if)#end
Ends the configuration session and returns to the EXEC
mode.
Step 49 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 50 controller sonet slot/bay/port
Example:
Protect-Router(config)#controller sonet 3/2/0
Selects and configures a SONET controller and enters the
controller configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 51 shutdown
Example:
Protect-Router(config-controller)#shutdown
Shuts down the SONET controller.
Step 52 aps group group_id
Example:
Protect-Router(config-controller)#aps group 1
Configures the APS group for a SONET controller.
Step 53 aps [working | protect] aps-group-number [ip_address_of_working]
Example:
Protect-Router(config-controller)#aps protect 1 12.2.1.2
Configures the APS group as the protect interface. The
ip_address_of_working attribute is the IP address of the
PGP link interface on the working router.
Step 54 aps interchassis group icrm-group-number
Example:
Protect-Router(config-controller)#aps interchassis group 1
Associates the APS group to an ICRM group number.
Step 55 no shutdown
Example:
Protect-Router(config-controller)#no shutdown
Reverses the shutdown of an interface.
Step 56 end
Example:
Protect-Router(config-controller)#end
Ends the configuration session and returns to the EXEC
mode.
Example
This example displays the steps to configure MR-APS Inter-Chassis Redundancy on the Protect router.
Protect-Router>enable
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#redundancy
Protect-Router(config-red)#interchassis group 1
Protect-Router(config-r-ic)#monitor peer bfd
Protect-Router(config-r-ic)#member ip 60.60.60.1
Protect-Router(config-r-ic)#end
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#interface GigabitEthernet2/1/0
Protect-Router(config-if)#ip address 60.60.60.2 255.255.255.0
Protect-Router(config-if)#no shutdown
Protect-Router(config-if)#load-interval 30
Protect-Router(config-if)#negotiation auto
Protect-Router(config-if)#mpls ip
Protect-Router(config-if)#mpls label protocol both
Protect-Router(config-if)#bfd interval 50 min_rx 150 multiplier 3
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#interface GigabitEthernet2/1/1
Protect-Router(config-if)#ip address 12.2.1.1 255.255.255.0
Protect-Router(config-if)#no shutdown
Protect-Router(config-if)#negotiation auto
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#controller SONET 3/2/0
Protect-Router(config-controller)#no ais-shut
Protect-Router(config-controller)#framing sonet
Protect-Router(config-controller)#clock source line
Protect-Router(config-controller)#sts-1 1
Protect-Router(config-ctrlr-sts1)#mode vt-15
Protect-Router(config-ctrlr-sts1)#vtg 1 t1 1 channel-group 0 timeslots 1-24
Protect-Router(config-ctrlr-sts1)#end
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#interface Multilink1
Protect-Router(config-if)#ip address 11.1.1.2 255.255.255.0
Protect-Router(config-if)#carrier-delay msec 1
Protect-Router(config-if)#ppp multilink
Protect-Router(config-if)#ppp multilink group 1
Protect-Router(config-if)#ppp multilink endpoint string mlp_aps_1
Protect-Router(config-if)#ppp timeout retry 0 250
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#interface Serial3/2/0.1/1/1:0
Protect-Router(config-if)#no ip address
Protect-Router(config-if)#encapsulation ppp
Protect-Router(config-if)#ppp multilink
Protect-Router(config-if)#ppp multilink group 1
Protect-Router(config-if)#end
Protect-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Protect-Router(config)#controller sonet 3/2/0
Protect-Router(config-controller)#shut
Protect-Router(config-controller)#aps group 1
Protect-Router(config-controller)#aps protect 1 12.2.1.2
Protect-Router(config-controller)#aps interchassis group 1
Protect-Router(config-controller)#no shutdown
Protect-Router(config-controller)#end
Removing Stateful MLPPP with MR-APS Inter-Chassis Redundancy
Complete these steps to remove Stateful MLPPP with MR-APS Inter-Chassis Redundancy
implementation from the Working and Protect routers:
Summary Steps
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. shutdown
5. no aps interchassis group icrm-group-number
6. no aps group group_id
7. no aps [working | protect] aps-group-number [ip_address_of_working]
8. no shutdown
9. configure terminal
10. redundancy
11. no interchassis group group-id
12. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Protect-Router>enable
Enables the privileged EXEC mode.
• Enter your password if prompted.
Step 2 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Protect-Router(config)#controller SONET 1/2/0
Configures a SONET controller and enters the controller
configuration mode.
slot/subslot/port—Specifies the location of the interface.
Step 4 shutdown
Example:
Protect-Router(config-controller)#shutdown
Shuts down the SONET controller.
Step 5 no aps interchassis group icrm-group-number
Example:
Protect-Router(config-controller)#no aps interchassis group 1
Removes an APS group from an ICRM group number.
Step 6 no aps group group_id
Example:
Protect-Router(config-controller)#no aps group 1
Unconfigures the APS group for a SONET controller.
Step 7 no aps [working | protect] aps-group-number [ip_address_of_working]
Example:
Protect-Router(config-controller)#no aps working 1
Unconfigures the APS working or protect configuration.
Step 8 no shutdown
Example:
Protect-Router(config-controller)#no shutdown
Reverses the shutdown of an interface.
Step 9 end
Example:
Protect-Router(config-controller)#end
Ends the configuration session and returns to the EXEC
mode.
Step 10 configure terminal
Example:
Protect-Router#configure terminal
Enters the global configuration mode.
Step 11 redundancy
Example:
Protect-Router(config)#redundancy
Enters the redundancy configuration mode.
Step 12 no interchassis group group-id
Example:
Protect-Router(config-red)#no interchassis group 1
Unconfigures an interchassis group within the
redundancy configuration mode.
Step 13 end
Example:
Protect-Router(config-red)#end
Ends the configuration session and returns to the EXEC
mode.
Configuration Example
This example describes how to remove the MR-APS Inter-Chassis Redundancy configuration from a router.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller SONET 3/2/0
Router(config-controller)#shutdown
Router(config-controller)#no aps interchassis group 1
Router(config-controller)#no aps group 1
Router(config-controller)#no aps working 1
Router(config-controller)#no shutdown
Router(config-controller)#exit
Router(config)#redundancy
Router(config-red)#no interchassis group 1
Router(config-red)#end
Verification
Use these commands to verify Stateful MLPPP with MR-APS Inter-Chassis Redundancy
implementation:
Command Purpose
Protect-Router# show aps
SONET 3/2/0 APS Group 1: protect channel 0 (Inactive) (HA)
Working channel 1 at 60.60.60.1 (Enabled) (HA)
bidirectional, non-revertive
PGP timers (extended for HA): hello time=1; hold time=10
hello fail revert time=120
SONET framing; SONET APS signalling by default
Received K1K2: 0x00 0x05
No Request (Null)
Transmitted K1K2: 0x00 0x05
No Request (Null)
Remote APS configuration: (null)
Working-Router#show aps
SONET 1/2/0 APS Group 1: working channel 1 (Active) (HA)
Protect at 60.60.60.2
PGP timers (from protect): hello time=1; hold time=10
SONET framing
Remote APS configuration: (null)
Displays detailed information about the APS
configuration. You can use this command on
both the Protect and Working routers.
Protect-Router#show rgf group
Total RGF groups: 1
----------------------------------------------------------
STANDBY RGF GROUP
RGF Group ID : 1
RGF Peer Group ID: 0
ICRM Group ID : 1
APS Group ID : 1
RGF State information:
My State Present : Standby-hot
Previous : Standby-bulk
Peer State Present: Active-fast
Previous: Standby-cold
Misc:
Communication state Up
aps_bulk: 0
aps_stby: 0
peer_stby: 0
-> Driven Peer to [peer Standby Bulk] Progression
-> We sent Bulk Sync start Progression to Active
RGF GET BUF: 366 RGF RET BUF 366
Working-Router#show rgf group
Total RGF groups: 1
----------------------------------------------------------
ACTIVE RGF GROUP
RGF Group ID : 1
RGF Peer Group ID: 0
ICRM Group ID : 1
APS Group ID : 1
RGF State information:
My State Present : Active-fast
Previous : Standby-cold
Peer State Present: Standby-hot
Previous: Standby-bulk
Misc:
Communication state Up
aps_bulk: 0
aps_stby: 0
peer_stby: 0
-> Driven Peer to [Peer Standby Hot] Progression
-> Standby sent Bulk Sync start Progression
RGF GET BUF: 366 RGF RET BUF 366
Displays information about state of the router
and the peer. If the value of My State Present
is Standby-hot, the router is in standby state.
If the value of My State Present is
Active-fast, the router is in active state.
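The state comparison described above can be automated when monitoring the redundancy pair. The following is an added example, not part of the Cisco guide: it parses show rgf group output captured from both routers and reports inconsistencies. The function names, the constructed sample output, and the rule that a healthy pair has exactly one Active-fast and one Standby-hot router with Communication state Up and matching group IDs are assumptions based on the sample output on this page.

```python
import re

# Constructed samples in the 'show rgf group' layout shown on this page
# (separator lines and counters omitted; only the fields read below are kept).
WORKING_RGF = """\
Total RGF groups: 1
ACTIVE RGF GROUP
RGF Group ID : 1
RGF Peer Group ID: 0
ICRM Group ID : 1
APS Group ID : 1
RGF State information:
My State Present : Active-fast
Previous : Standby-cold
Peer State Present: Standby-hot
Previous: Standby-bulk
Misc:
Communication state Up
"""

PROTECT_RGF = """\
Total RGF groups: 1
STANDBY RGF GROUP
RGF Group ID : 1
RGF Peer Group ID: 0
ICRM Group ID : 1
APS Group ID : 1
RGF State information:
My State Present : Standby-hot
Previous : Standby-bulk
Peer State Present: Active-fast
Previous: Standby-cold
Misc:
Communication state Up
"""

# Fields every capture must contain before the pair can be compared.
REQUIRED = ("ICRM Group ID", "APS Group ID", "my_state", "peer_state", "comm")


def parse_rgf_group(text):
    """Extract group IDs, local/peer state and communication state."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(RGF Group ID|ICRM Group ID|APS Group ID)\s*:\s*(\d+)$", line)
        if m:
            info[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"(My|Peer) State Present\s*:\s*(\S+)$", line)
        if m:
            info[m.group(1).lower() + "_state"] = m.group(2)
            continue
        m = re.match(r"Communication state\s+(\S+)$", line)
        if m:
            info["comm"] = m.group(1)
    return info


def check_pair(working_text, protect_text):
    """Return a list of problems; an empty list means the pair looks healthy."""
    views = {"working": parse_rgf_group(working_text),
             "protect": parse_rgf_group(protect_text)}
    problems = []
    for name, view in views.items():
        missing = [key for key in REQUIRED if key not in view]
        if missing:
            problems.append(f"{name}: missing fields {missing}")
    if problems:
        return problems  # incomplete capture, nothing reliable to compare

    w, p = views["working"], views["protect"]
    # Assumption: either router may be active after an APS switch, so only
    # the combination of states is checked, not which router holds which.
    if {w["my_state"], p["my_state"]} != {"Active-fast", "Standby-hot"}:
        problems.append(
            f"unexpected state pair: working={w['my_state']} protect={p['my_state']}")
    # Each router's view of its peer must match what the peer reports itself.
    if w["peer_state"] != p["my_state"]:
        problems.append("working router has a stale view of the protect router")
    if p["peer_state"] != w["my_state"]:
        problems.append("protect router has a stale view of the working router")
    for name, view in views.items():
        if view["comm"] != "Up":
            problems.append(f"{name}: communication state is {view['comm']}")
    for key in ("ICRM Group ID", "APS Group ID"):
        if w[key] != p[key]:
            problems.append(f"{key} differs: working={w[key]} protect={p[key]}")
    return problems


if __name__ == "__main__":
    for line in check_pair(WORKING_RGF, PROTECT_RGF) or ["pair is healthy"]:
        print(line)
```
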
Troubleshooting Tips
Table 20-1 provides troubleshooting tips for the Stateful MLPPP with MR-APS Inter-Chassis
Redundancy:
Table 20-1 Troubleshooting Stateful MLPPP with MR-APS Inter-Chassis Redundancy
Problem: Unable to configure APS.
Solution: Use the debug aps command on both the Working
and Protect routers. You can use the debug aps
command to debug these issues:
• APS related issues
• Configuration problem
• Problem with APS state transition
• Problem with APS events.
CHAPTER 21
Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA
The Cisco 1-Port Channelized OC-48/DS3 STM-16 (1xCHOC48/DS3) is a dual-height, high-power SPA
that provides a channelized SONET or SDH router interface to the corresponding network. The Cisco
1-Port Channelized OC-48/DS3 STM-16 SPA provides IP services engine technology on channelized
packet over SONET (POS) or Synchronous Digital Hierarchy (SDH) interfaces. Each SPA provides up
to 48 channelized POS/SDH, DS-3, or E3 interfaces.
The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA fits into the SIP 400 line card of the Cisco 7600
series routers. The SIP 400 line card has four half-height bays; the 1-Port Channelized OC-48/DS3
STM-16 SPA occupies two bays of the SIP 400 line card.
The Cisco 1-Port Channelized OC-48/STM-16 SPA provides network scalability with low initial cost
and ease of upgrades. It channelizes one OC-48 or STM-16 interface into DS-3, E3, OC-3c, STM-1c,
OC-12c, or STM-4c channels and provides an extensive set of service-enabling features while providing
equal line rate to all the ports. The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA provides a
minimum bandwidth of DS3 (T3 or E3). For the Optical Channel (OC), use either SONET or SDH
framing.
The basic unit of framing in SDH is STM-1 (Synchronous Transport Module, level 1), which operates
at 155.52 Mbps. In the case of SONET, the basic unit of framing is STS-3c (Synchronous Transport Signal
3, concatenated) or OC-3c, depending on whether the signal is carried electrically (STS) or optically
(OC). The bit rate for STM-1 and STS-3c/OC-3c is the same. SONET also provides an additional basic unit
of transmission, the STS-1 (Synchronous Transport Signal 1) or OC-1, operating at 51.84 Mbps (one
third of an STM-1/STS-3c/OC-3c carrier).
Modes and Sub-modes Supported on the Cisco 1-Port
Channelized OC-48/DS3 STM-16 SPA
Table 21-1 lists the modes and sub-modes supported on the Cisco 1-Port Channelized OC-48/DS3
STM-16 SPA.
Table 21-1 Modes and Sub-modes Supported on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA
Framing   Mode   Sub-Mode   SPA Capability   Supported
SONET     STS    T3         Yes              Yes
          POS    STS-3c     Yes              Yes
                 STS-12c    Yes              Yes
                 STS-48c    Yes              Yes
SDH       AU3    T3/E3      Yes              Yes
          AU4    T3/E3      Yes              Yes
          POS    STM-1c     Yes              Yes
          POS    STM-4c     Yes              Yes
          POS    STM-16c    Yes              Yes
Interface Naming
The standard interface naming convention is used for naming the SONET/SDH interfaces. The interface
names for SONET are:
• For T3/E3 mode:
interface serial //.
• For POS interface:
interface POS //:
Here, the NSTS-1 is the identifier of the first STS-1 on the POS interface and the value of N ranges
from 1 to 48.
The interface names for SDH are:
• For T3/E3 mode:
interface serial //.
• For serial interface:
interface serial //./
• For POS interface:
interface serial //
LED States
The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA has three LEDs:
• CAR (Carrier/Alarm) LED
• ACT (Active Loopback) LED
• STATUS LED
Table 21-2 describes the various states of the LEDs on the Cisco 1-Port Channelized OC-48/DS3
STM-16 SPA.
Table 21-2 States of the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA LEDs
LED Label   Color   State   Description
CAR         Off     Off     The port is not enabled by the software.
            Green   On      The port is enabled by the software and there is a valid signal without any alarms.
            Amber   On      The port is enabled by the software and there is at least one alarm.
ACT         Off     Off     The port is disabled.
            Green   On      The port is enabled by the software and the loopback function is off.
            Amber   On      The port is enabled by the software and the loopback function is on.
Status      Off     Off     The SPA power is off.
            Amber   On      The SPA power is on and SPA configuration is in progress.
            Green   On      The SPA is ready and operational.
Restrictions for Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA
The following restrictions apply to the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA:
• The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA does not support ATM/Ethernet
capabilities.
• While upgrading the FPD on the SPA, do not reload the SPA. Reloading the SPA might render it
unusable.
• The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA does not support Generic Framing Protocol
(GFP) and Virtual Concatenated (VCAT) circuits.
• Network clock recovery is not supported. However, the system clock is transmitted on the SPA with
the clock source internal configuration.
Configuring Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA
You can configure SONET or SDH framing on the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA:
• Configuring Interfaces Using SONET Framing
• Configuring Interfaces with SDH Framing
Configuring Interfaces Using SONET Framing
When using SONET framing, you can channelize each port on the 1-Port Channelized OC-48/STM-16
ISE line cards to have one of the following configurations:
• 1 STS-48c POS interface
• 4 STS-12c POS interfaces
• 16 STS-3c POS interfaces
• 48 DS3 serial interfaces
• A combination of STS-12c POS interfaces, STS-3c POS interfaces, and DS3 interfaces, provided
that the SONET time slot grouping rule is followed.
Configuring POS Interface (OC3/OC12/OC48) Using SONET Framing with STS-1 Mapping
SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. sts-1 start_sts-1_number - end_sts-1_number pos
7. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password when prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Working-Router(config)# controller sonet 4/0/0
Enters the SONET controller configuration sub-mode and
specifies the SONET controller name and instance
identifier using the slot/bay/port notation.
Step 4 framing sonet | sdh
Example:
Working-Router(config-controller)# framing sonet
Configures the controller framing as either SDH or
SONET (default).
Step 5 clock source [internal | line]
Example:
Working-Router(config-controller)# clock source line
Configures the SONET port Transmit (Tx) clock source
where the keyword internal sets the internal clock and the
keyword line sets the clock recovered from the line
(default).
• The line keyword is used whenever the clocking is
derived from the network; the internal keyword is
used when two routers are connected back-to-back or
over fiber and no clocking is available.
Step 6 sts-1 start_sts-1_number - end_sts-1_number pos
Example:
Working-Router(config-controller)# sts-1 1 - 3 pos
Creates an OC3 POS interface using the SONET framing.
Step 7 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC
mode.
Configuration Example
This example describes how to configure a POS interface using SONET framing with STS-1 mapping.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sonet
Router(config-controller)#clock source line
Router(config-controller)#sts-1 1 - 3 pos
Router(config-controller)#end
Configuring Serial Interface (T3) Using SONET Framing with STS-1 Mapping
SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. sts-1 sts-1_number
7. mode t3
8. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password when prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Working-Router(config)# controller sonet 4/0/0
Enters the SONET controller configuration sub-mode and
specifies the SONET controller name and instance
identifier with the slot/bay/port notation.
Step 4 framing sonet | sdh
Example:
Working-Router(config-controller)# framing sonet
Configures the controller framing as either SDH or
SONET (default).
Step 5 clock source [internal | line]
Example:
Working-Router(config-controller)# clock source line
Configures the SONET port Transmit (Tx) clock source
where the keyword internal sets the internal clock and
line sets the clock recovered from the line (default).
• The line keyword is used whenever the clocking is
derived from the network; the internal keyword is
used when two routers are connected back-to-back or
over fiber and no clocking is available.
Step 6 sts-1 sts-1_number
Example:
Working-Router(config-controller)# sts-1 1
Configures the serial interface using SONET framing.
The value of sts-1_number ranges from 1 to 48.
Step 7 mode t3
Example:
Working-Router(config-controller)# mode t3
Configures serial interface mode to T3.
Step 8 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC
mode.
Configuration Example
This example describes how to configure a serial interface using SONET framing with STS-1 mapping.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sonet
Router(config-controller)#clock source line
Router(config-controller)#sts-1 1
Router(config-controller)#mode t3
Router(config-controller)#end
Configuring Interfaces with SDH Framing
When using SDH framing with AU-3/AU-4 mapping, you can channelize each port on the 1-Port
Channelized OC-48/DS3 STM-16 SPA to have one of the following configurations:
• 1 STM-16 POS interface
• 4 STM-4 POS interfaces
• 16 STM-1 POS interfaces
• 48 DS3/E3 serial interfaces
• A combination of STM-4 POS interfaces, STM-1 POS interfaces, and DS3/E3 interfaces, provided
the SONET time slot grouping rule is followed.
Configuring POS Interface (OC3/OC12/OC48) Using SDH Framing with AU-4 Mapping
SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port_No
4. framing sonet | sdh
5. clock source line | internal
6. au-4 start_au-4_number - end_au-4_number
7. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password when prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Working-Router(config)# controller sonet 4/0/0
Enters the SONET controller configuration sub-mode and
specifies the SONET controller name and instance
identifier with the slot/bay/port notation.
Step 4 framing sonet | sdh
Example:
Working-Router(config-controller)# framing sdh
Configures the controller framing as either SDH or SONET
(default).
Step 5 clock source [internal | line]
Example:
Working-Router(config-controller)# clock source line
Configures the SONET port Transmit (Tx) clock source
where the keyword internal sets the internal clock and
line sets the clock recovered from the line (default).
• The line keyword is used whenever the clocking is
derived from the network; the internal keyword is
used when two routers are connected back-to-back or
over fiber, and no clocking is available.
Step 6 au-4 start_au-4_number - end_au-4_number
Example:
Working-Router(config-controller)# au-4 1 - 4
Creates an OC12 POS interface using SDH framing.
Step 7 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC
mode.
Configuration Example
This example describes how to configure a POS interface (OC3/OC12/OC48) using SDH framing with
AU-4 mapping.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sdh
Router(config-controller)#clock source line
Router(config-controller)#au-4 1 - 4
Router(config-controller)#end
Configuring Serial Interface (T3/E3) Using SDH Framing with AU-4 Mapping
SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port
4. framing sonet | sdh
5. clock source line | internal
6. au-4 au-4_number tug-3 tug-3_number
7. mode t3 | e3
8. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password when prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Working-Router(config)# controller
sonet 4/0/0
Enters the SONET controller configuration sub-mode and
specifies the SONET controller name and instance
identifier with the slot/bay/port notation.
Step 4 framing sonet | sdh
Example:
Working-Router(config-controller)#
framing sdh
Configures the controller framing as either SDH or SONET
(default).
Step 5 clock source [internal | line]
Example:
Working-Router(config-controller)#
clock source line
Configures the SONET port Transmit (Tx) clock source
where the keyword internal sets the internal clock and
line sets the clock recovered from the line (default).
• The line keyword is used whenever the clocking is
derived from the network; the internal keyword is
used when two routers are connected back-to-back or
over fiber, for which no clocking is available.
Step 6 au-4 au-4_number tug-3 tug-3_number
Example:
Working-Router(config-controller)#
au-4 1 tug-3 1
Configures the serial interface using SDH framing with
AU-4 mapping. The value of au-4_number ranges
between 1 and 16 and the value of tug-3_number ranges
between 1 and 3.
Configuration Example
This example describes how to configure a serial interface using SDH framing with AU-4 mapping.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sdh
Router(config-controller)#clock source line
Router(config-controller)#au-4 1 tug-3 1
Router(config-controller)#mode t3
Router(config-controller)#end
Configuring Serial Interface (T3/E3) Using SDH Framing with AU-3 Mapping
SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port_No
4. framing sonet | sdh
5. clock source line | internal
6. aug mapping [au-3 | au-4]
7. au-3 au-3_number
8. mode t3 | e3 (configures the mode of the serial interface)
9. end
Step 7 mode t3
Example:
Working-Router(config-controller)#
mode t3
Configures the serial interface mode to T3.
Step 8 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC
mode.
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password when prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Working-Router(config)# controller
sonet 4/0/0
Enters the SONET controller configuration sub-mode and
specifies the SONET controller name and instance
identifier with the slot/bay/port notation.
Step 4 framing sonet | sdh
Example:
Working-Router(config-controller)#
framing sdh
Configures the controller framing as either SDH or SONET
(default).
Step 5 clock source [internal | line]
Example:
Working-Router(config-controller)#
clock source line
Configures the SONET port Transmit (Tx) clock source
where the keyword internal sets the internal clock and
line sets the clock recovered from the line (default).
• The line keyword is used whenever the clocking is
derived from the network; the internal keyword is
used when two routers are connected back-to-back or
over fiber, and no clocking is available.
Step 6 aug mapping [au-3 | au-4]
Example:
Working-Router(config-controller)#
aug mapping au-3
Specifies the aug mapping.
Step 7 au-3 au-3_number
Example:
Working-Router(config-controller)#
au-3 1
Configures the serial interface using the SDH framing
with AU-3 mapping. The au3-number identifies the
interface number.
Configuration Example
This example describes how to configure a serial interface (T3/E3) using SDH framing with AU-3
mapping.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 4/0/0
Router(config-controller)#framing sdh
Router(config-controller)#clock source line
Router(config-controller)#aug mapping au-3
Router(config-controller)#au-3 1
Router(config-controller)#mode t3
Router(config-controller)#end
Configuring Interface Using SDH Framing with Mixed (au-3 and au-4) Mapping
You can configure an interface using SDH framing to have both the AU-3 and AU-4 mapping.
SUMMARY STEPS
1. enable
2. configure terminal
3. controller sonet slot/bay/port_No
4. aug mapping au-3 stm4 stm4_number
5. aug mapping au-4 stm4 stm4_number
6. aug mapping au-3 stm4 stm4_number
7. aug mapping au-4 stm4 stm4_number
8. au-3 au-3_number
9. mode t3 | e3
10. au-3 au-3_number
11. mode t3 | e3
12. au-3 au-3_number
13. mode t3 | e3
14. exit
Step 8 mode t3
Example:
Working-Router(config-controller)#
mode t3
Configures the serial interface mode to T3.
Step 9 end
Example:
Working-Router(config-controller)# end
Ends the configuration session and returns to the EXEC
mode.
15. au-4 au-4_number pos
16. au-4 au-4_number pos
17. au-4 au-4_number pos
18. au-4 au-4_number pos
19. au-3 au-3_number
20. mode t3 | e3
21. au-3 au-3_number
22. mode t3 | e3
23. au-3 au-3_number
24. mode t3 | e3
25. exit
26. au-4 start_au-4_number - end_au-4_number pos
27. end
DETAILED STEPS
Command Purpose
Step 1 enable
Example:
Working-Router> enable
Enables the privileged EXEC mode.
• Enter your password when prompted.
Step 2 configure terminal
Example:
Working-Router# configure terminal
Enters the global configuration mode.
Step 3 controller sonet slot/bay/port
Example:
Working-Router(config)# controller
sonet 4/0/0
Enters the SONET controller configuration sub-mode and
specifies the SONET controller name and instance
identifier with the slot/bay/port notation.
Step 4 aug mapping au-3 stm4 stm4_number
Example:
Working-Router(config-controller)# aug
mapping au-3 stm4 1
Sets the aug mapping for stm4_number to au-3.
Step 5 aug mapping au-4 stm4 stm4_number
Example:
Working-Router(config-controller)# aug
mapping au-4 stm4 2
Sets the aug mapping for stm4_number to au-4.
Step 6 aug mapping au-3 stm4 stm4_number
Example:
Working-Router(config-controller)# aug
mapping au-3 stm4 3
Sets the aug mapping for stm4_number to au-3.
Step 7 aug mapping au-4 stm4 stm4_number
Example:
Working-Router(config-controller)# aug
mapping au-4 stm4 4
Sets the aug mapping for stm4_number to au-4.
Step 8 au-3 au-3_number
Example:
Working-Router(config-controller)#
au-3 1
Configures the serial interface using the SDH framing
with au-3 mapping. The au3-number identifies the
interface number.
Step 9 mode t3 | e3
Example:
Working-Router(config-ctrlr-au3)#
mode t3
Configures the serial interface mode to T3.
Step 10 au-3 au-3_number
Example:
Working-Router(config-ctrlr-au3)#
au-3 2
Configures the serial interface using the SDH framing
with au-3 mapping. The variable, au3-number, identifies
the interface number.
Step 11 mode t3 | e3
Example:
Working-Router(config-ctrlr-au3)#
mode t3
Configures the serial interface mode to T3.
Step 12 au-3 au-3_number
Example:
Working-Router(config-ctrlr-au3)#
au-3 12
Configures the serial interface using the SDH framing
with au-3 mapping. The variable, au3-number, identifies
the interface number.
Step 13 mode t3 | e3
Example:
Working-Router(config-ctrlr-au3)#
mode t3
Configures the serial interface mode to T3.
Step 14 exit
Example:
Working-Router(config-ctrlr-au3)#
exit
Exits the aug configuration mode.
Step 15 au-4 au-4_number pos
Example:
Working-Router(config-controller)#
au-4 5 pos
Configures the OC3 POS interface specified by the
au-4_number attribute.
Step 16 au-4 au-4_number pos
Example:
Working-Router(config-controller)#
au-4 6 pos
Configures the OC3 POS interface specified by the
au-4_number attribute.
Step 17 au-4 au-4_number pos
Example:
Working-Router(config-controller)#
au-4 7 pos
Configures the OC3 POS interface specified by the
au-4_number attribute.
Step 18 au-4 au-4_number pos
Example:
Working-Router(config-controller)#
au-4 8 pos
Configures the OC3 POS interface specified by the
au-4_number attribute.
Step 19 au-3 au-3_number
Example:
Working-Router(config-controller)#
au-3 25
Configures the serial interface using the SDH framing
with au-3 mapping. The au3-number identifies the
interface number.
Step 20 mode t3 | e3
Example:
Working-Router(config-ctrlr-au3)#
mode e3
Configures the serial interface mode to E3.
Step 21 au-3 au-3_number
Example:
Working-Router(config-ctrlr-au3)#
au-3 26
Configures the serial interface using the SDH framing
with au-3 mapping. The variable, au3-number, identifies
the interface number.
Step 22 mode t3 | e3
Example:
Working-Router(config-ctrlr-au3)#
mode e3
Configures the serial interface mode to E3.
Step 23 au-3 au-3_number
Example:
Working-Router(config-ctrlr-au3)#
au-3 36
Configures the serial interface using the SDH framing
with au-3 mapping. The variable, au3-number, identifies
the interface number.
Configuration Example
This example describes how to configure an interface using SDH framing to have both the au-3 and au-4
mapping.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#controller sonet 3/0/0
Router(config-controller)#aug mapping au-3 stm4 1
Router(config-controller)#aug mapping au-4 stm4 2
Router(config-controller)#aug mapping au-3 stm4 3
Router(config-controller)#aug mapping au-4 stm4 4
Router(config-controller)#au-3 1
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 2
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 2
Router(config-ctrlr-au3)#au-3 3
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 12
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#exit
Router(config-controller)#au-4 5 pos
Router(config-controller)#au-4 6 pos
Router(config-controller)#au-4 7 pos
Router(config-controller)#au-4 8 pos
Router(config-controller)#au-3 25
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 26
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 27
Router(config-ctrlr-au3)#mode e3
Step 24 mode t3 | e3
Example:
Working-Router(config-ctrlr-au3)#
mode e3
Configures the serial interface mode to E3.
Step 25 exit
Example:
Working-Router(config-ctrlr-au3)#
exit
Exits the aug configuration mode.
Step 26 au-4 start_au-4_number - end_au-4_number
pos
Example:
Working-Router(config-controller)#
au-4 13 - 16 pos
Configures the serial interface using the SDH framing
with au-4 mapping.
Step 27 end
Example:
Working-Router(config-controller)#
end
Ends the configuration session.
Router(config-ctrlr-au3)#au-3 36
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#exit
Router(config-controller)#au-4 13 - 16 pos
Router(config-controller)#exit
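The mixed-mapping procedure above only works when every au-3 and au-4 command falls inside an STM-4 whose aug mapping matches it. The following added example (not from the Cisco guide) checks a configuration transcript for that; the AU-to-STM-4 numbering is inferred from the configuration example above, and the function and variable names are hypothetical.

```python
import re

# Numbering inferred from the guide's mixed-mapping example (an assumption,
# not a statement from the guide): STM-4 n carries AU-4 4(n-1)+1..4n or
# AU-3 12(n-1)+1..12n, and the STM-16 port holds four STM-4s.
PER_STM4 = {"au-3": 12, "au-4": 4}
STM4_COUNT = 4
PROMPT = re.compile(r"^\S*[>#]\s*")   # strips e.g. "Router(config-controller)#"


def stm4_of(kind, number):
    """Return the STM-4 (1-4) that carries this AU, or None if out of range."""
    per = PER_STM4[kind]
    if not 1 <= number <= per * STM4_COUNT:
        return None
    return (number - 1) // per + 1


def check(kind, numbers, mapping, lineno):
    """Compare each AU number with the aug mapping of the STM-4 it lies in."""
    found = []
    for n in numbers:
        stm4 = stm4_of(kind, n)
        if stm4 is None:
            found.append((lineno, f"{kind} {n} is out of range"))
        elif mapping.get(stm4) != kind:
            have = mapping.get(stm4, "not configured")
            found.append((lineno, f"{kind} {n} needs stm4 {stm4} mapped {kind}, but it is {have}"))
    return found


def lint_mixed_mapping(text):
    """Return (line, message) findings for a controller config transcript."""
    mapping, modes, current_au3, findings = {}, {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"aug mapping (au-[34]) stm4 (\d+)", cmd):
            if 1 <= int(m[2]) <= STM4_COUNT:
                mapping[int(m[2])] = m[1]
            else:
                findings.append((lineno, f"stm4 {m[2]} is out of range"))
        elif m := re.fullmatch(r"au-3 (\d+)", cmd):
            current_au3 = int(m[1])
            modes.setdefault(current_au3, None)
            findings += check("au-3", [current_au3], mapping, lineno)
        elif (m := re.fullmatch(r"mode (t3|e3)", cmd)) and current_au3 is not None:
            modes[current_au3] = m[1]
        elif m := re.fullmatch(r"au-4 (\d+)(?: - (\d+))? pos", cmd):
            current_au3 = None
            last = int(m[2] or m[1])
            findings += check("au-4", range(int(m[1]), last + 1), mapping, lineno)
        elif cmd in ("exit", "end"):
            current_au3 = None
    # Line 0 marks findings that apply to the configuration as a whole.
    findings += [(0, f"au-3 {n} has no mode t3 | e3")
                 for n, mode in sorted(modes.items()) if mode is None]
    return findings


# The guide's configuration example, from the controller command onwards.
PAGE_EXAMPLE = """\
Router(config)#controller sonet 3/0/0
Router(config-controller)#aug mapping au-3 stm4 1
Router(config-controller)#aug mapping au-4 stm4 2
Router(config-controller)#aug mapping au-3 stm4 3
Router(config-controller)#aug mapping au-4 stm4 4
Router(config-controller)#au-3 1
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 2
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 2
Router(config-ctrlr-au3)#au-3 3
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#au-3 12
Router(config-ctrlr-au3)#mode t3
Router(config-ctrlr-au3)#exit
Router(config-controller)#au-4 5 pos
Router(config-controller)#au-4 6 pos
Router(config-controller)#au-4 7 pos
Router(config-controller)#au-4 8 pos
Router(config-controller)#au-3 25
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 26
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 27
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#au-3 36
Router(config-ctrlr-au3)#mode e3
Router(config-ctrlr-au3)#exit
Router(config-controller)#au-4 13 - 16 pos
Router(config-controller)#exit
"""

if __name__ == "__main__":
    print(lint_mixed_mapping(PAGE_EXAMPLE) or "no findings")
```

The linter treats an STM-4 with no explicit aug mapping as a finding, because this section does not state the default mapping.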
Configuring BER Testing
Bit error rate tests (BERT) allow you to test cables and diagnose signal problems in the field. You can
configure individual T1 channel groups to run an independent BER test. You set one local serial port to
Bit error rate test (BERT) mode while the remaining local serial ports continue to transmit and receive
normal traffic. The BER test checks communication between the local and the remote ports. When
running a BER test, your system expects to receive the same pattern that it is transmitting.
Bit error rate test (BERT) circuitry is built into the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA.
There is one pseudo-random binary sequence generator every 16 channels. For each group of 16
channels, BER testing can be run on only one interface at a time.
You can set one local DS3 or E3 serial port to BERT mode while the remaining local serial ports continue
to transmit and receive the normal traffic. The BERT checks the communication between the local and
the remote DS3 or E3 ports. If traffic is not being transmitted or received, create a back-to-back loopback
BER test and send out the specified stream to ensure that you receive the same data that was transmitted.
To determine if the remote DS3/E3 serial port returns the same BERT pattern, you must manually enable
network loopback at the remote DS3/E3 serial port, while you enter a bert pattern interface
configuration command for specified time intervals on the local DS3/E3 serial port.
With BER tests, you can accurately assess the number of errors on a DS3/E3 link and diagnose signal
problems in the field. The Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA supports these
pseudorandom test patterns:
• 2^15—Pseudorandom repeating pattern that is 32,767 bits long.
• 2^20—Pseudorandom repeating pattern that is 1,048,575 bits long.
• 2^23—Pseudorandom repeating pattern that is 8,388,607 bits long. This pattern is only available for
an E3 interface.
• Unframed-2^15—Pseudorandom repeating pattern that is 32,767 bits long, and the DS3 framing bit
in the DS3 frame is overwritten when the pattern is inserted in the DS3 frame.
• Unframed-2^20—Pseudorandom repeating pattern that is 1,048,575 bits long, and the DS3 framing
bit in the DS3 frame is overwritten when the pattern is inserted in the DS3 frame.
• Unframed-2^23—Pseudorandom repeating pattern that is 8,388,607 bits long, and the DS3 framing
bit in the DS3 frame is overwritten when the pattern is inserted in the DS3 frame. This pattern is
only available for an E3 interface.
Table 21-3 lists the BERT patterns, the pattern length, and the command.
Table 21-3 DS3/E3-Supported BERT Patterns
BERT Pattern       Pattern Length (1)     Command
2^15               32,767 bits long       bert pattern 2^15 interval minutes
2^20               1,048,575 bits long    bert pattern 2^20 interval minutes
2^23 (2)           8,388,607 bits long    bert pattern 2^23 interval minutes
unframed 2^15      32,767 bits long       bert pattern unframed-2^15 interval minutes
Both the total number of error bits transmitted and the total number of bits received are available for
analysis. You can set the testing period from 1 minute to 1440 minutes (240 hours). You can also retrieve
the error statistics any time during the BER test.
Sending a BERT Pattern on a DS3/E3 Interface
To perform a BER test on a serial DS3/E3 interface, select an interface and configure the BERT pattern
and test duration with the BERT pattern configuration command as follows:
router# configure terminal
router(config)# interface serial 5/0:2
router(config-if)# bert pattern 2^15 interval 3
router(config-if)# end
You can terminate a BER test during the specified test period with the no bert pattern interval time
configuration command. (See the “Terminating a BERT” section on page 21-20.)
Inserting Errors in BERT
To insert errors when BERT is in progress, select the interface and specify the number of errors to insert
in the BER test pattern. You can then display the results while the test is in progress. (See the “Displaying
a BERT” section on page 21-18.)
router# configure terminal
router(config)# interface serial 5/0:2
router(config-if)# bert errors 5
router(config-if)# end
Displaying a BERT
The following sections discuss displaying BER tests using SONET or SDH with AU-3 mapping, or using
SDH with AU-4 mapping.
Displaying a BER Test Using SONET or SDH with AU-3 Mapping
When framing is SONET or SDH with AU-3 mapping, you can display the results of a BERT anytime
during or after the test, using the show controllers sonet command, as follows. See Table 21-4 for a
description of the BER test display.
router# show controller sonet 5/0:2 bert
Interface Serial5/0:2 (DS3 channel 2)
BERT information:
State :enabled (sync'd)
Pattern :2^15
Interval :3 minute
Time remaining :00:00:30
Total errors :5
Time this sync :00:02:30
Errors this sync :5
Sync count :1
router(config-if)# end
Table 21-3 DS3/E3-Supported BERT Patterns (continued)
BERT Pattern       Pattern Length (1)     Command
unframed 2^20      1,048,575 bits long    bert pattern unframed-2^20 interval minutes
unframed 2^23 (2)  8,388,607 bits long    bert pattern unframed-2^23 interval minutes
1. Pseudo-random repeating pattern.
2. This pattern is only available for an E3 interface.
Table 21-4 BERT Display Description
BERT Display                             Description
State: enabled (not synchronized)        BERT is active, but the hardware is not synchronized. Errors
                                         are counted only when the hardware synchronizes.
State: enabled (synchronized)            BERT is active, and the hardware has synchronized. Any
                                         errors detected are counted.
State: disabled (synchronization         BERT is completed and the test failed, either because
failed)                                  hardware could not synchronize or the DS3/E3 alarms were
                                         detected on the interface.
State: disabled (synchronized            BERT is completed because the interval expired.
completed)
State: disabled (synchronized aborted)   BERT is completed as a result of user request.
Pattern                                  One of the supported patterns.
Interval                                 Value from 1 to 1440 in minutes.
Time remaining                           Test duration remaining, formatted in hours, minutes, and
                                         seconds (hh:mm:ss).
Total errors                             Total number of errors while the hardware is synchronized.
Time this sync                           If the hardware is currently synchronized, the amount of time
                                         since the synchronization began. If it is not currently
                                         synchronized but was synchronized earlier, indicates the
                                         amount of time the last or most recent synchronization period
                                         lasted. Formatted in hh:mm:ss.
Errors this sync                         If the hardware is currently synchronized, the number of
                                         errors displayed during the current synchronization period. If
                                         it is not currently synchronized but was synchronized earlier,
                                         the number of errors displayed during the last or most recent
                                         synchronization period.
Sync count                               The number of times the hardware synchronized.
Displaying BER Test Results Using SDH with AU-4 Mapping
When the framing is SDH with AU-4 mapping, you can display the results of a BERT any time during
or after the test using the show controllers sonet command. See Table 21-4 for a description of the BER
test display.
router# show controller sonet 8/1.1:1 bert
Interface Serial8/1.1:1 (E3 channel 1)
BERT information:
State :enabled (sync'd)
Pattern :2^20
Interval :5 minute
Time remaining :00:01:40
Total errors :9
Time this sync :00:03:20
Errors this sync :9
Sync count :1
Terminating a BERT
You can terminate a BERT with the no bert configuration command:
router# configure terminal
router(config)# interface serial5/0:2
router(config-if)# no bert
router(config-if)# end
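The BER test described in this section, modelled in software as an added example (not from the Cisco guide): a shift-register pattern generator, bit errors inserted on a looped-back line, and a receiver that counts errors only once it has synchronized. The feedback polynomials are the usual ITU-T O.150-style choices and the receiver's sync rule is a simplification; the guide states neither for the SPA hardware, and all names are hypothetical.

```python
"""Software model of a pseudorandom-pattern BER test (constructed example)."""

# order -> tap of the feedback polynomial x^order + x^tap + 1. These are an
# assumption: the guide does not say which polynomials the SPA hardware uses.
PRBS_TAPS = {15: 14, 20: 17, 23: 18}


def lfsr_step(state, order):
    """Advance the shift register by one bit; return (new_state, bit)."""
    bit = ((state >> (order - 1)) ^ (state >> (PRBS_TAPS[order] - 1))) & 1
    return ((state << 1) | bit) & ((1 << order) - 1), bit


def prbs(order, nbits, seed=1):
    """Return the first nbits of the pattern as a list of 0/1 values."""
    state, out = seed, []
    for _ in range(nbits):
        state, bit = lfsr_step(state, order)
        out.append(bit)
    return out


def pattern_length(order):
    """Count the bits sent before the register state, and so the pattern, repeats."""
    state, steps = lfsr_step(1, order)[0], 1
    while state != 1:
        state, steps = lfsr_step(state, order)[0], steps + 1
    return steps


class BertReceiver:
    """Hunts for the pattern, then free-runs a local copy and counts mismatches."""

    def __init__(self, order):
        self.order = order
        self.state = 0        # last `order` bits: received while hunting, predicted after
        self.seen = 0         # bits shifted in while hunting
        self.good = 0         # consecutive correct predictions while hunting
        self.synced = False   # "enabled (sync'd)" in the show output
        self.total_errors = 0
        self.sync_count = 0

    def feed(self, bits):
        mask = (1 << self.order) - 1
        for rx in bits:
            if self.synced:
                # The local generator ignores the line, so one flipped bit is one error.
                self.state, expected = lfsr_step(self.state, self.order)
                if rx != expected:
                    self.total_errors += 1
                continue
            # An all-zero history predicts zero forever, so a dead line must not sync.
            if self.seen >= self.order and self.state != 0:
                expected = lfsr_step(self.state, self.order)[1]
                self.good = self.good + 1 if rx == expected else 0
            else:
                self.good = 0
            self.state = ((self.state << 1) | rx) & mask
            self.seen += 1
            if self.good >= self.order:
                self.synced, self.sync_count = True, self.sync_count + 1
        return self


def run_bert(order, nbits, error_positions=()):
    """Send nbits over a looped-back line, flipping the listed bit positions."""
    line = prbs(order, nbits)
    for pos in error_positions:
        line[pos] ^= 1        # models the effect of `bert errors` on the pattern
    return BertReceiver(order).feed(line)


if __name__ == "__main__":
    rx = run_bert(15, 5000, error_positions=[1000, 1500, 2000, 2500, 3000])
    print("State        :", "enabled (sync'd)" if rx.synced else "enabled (not sync'd)")
    print("Total errors :", rx.total_errors)
    print("Sync count   :", rx.sync_count)
```

A bit error that arrives while the receiver is still hunting delays synchronization but is not counted, which matches the "not synchronized" row of Table 21-4.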
Verification
Use these commands to verify the Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA configuration and
controllers and interface status.
• Use the show interfaces pos command to verify the link and line protocol information of the POS
interface.
Bnet-I4#show interfaces pos4/0/0.1
POS4/0/0:1 is up, line protocol is up
Hardware is SPA_1xCHOC48
Internet address is 43.1.0.1/24
MTU 4470 bytes, BW 2488000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 255/255, rxload 99/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
Last input 00:00:01, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 970494000 bits/sec, 1234411 packets/sec
30 second output rate 1905696000 bits/sec, 3598151 packets/sec
317747877097 packets input, 30638397396316 bytes, 0 no buffer
Received 59051 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
926944872678 packets output, 60782486122738 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
3 carrier transitions
Non-inverted data
• Use the show interfaces pos controller command to verify the link and line protocol of the POS
interface. This command also displays the packet counters and alarms asserted at each path.
Bnet-I4#show interfaces pos4/0/0.1 controller
POS4/0/0:1 is up, line protocol is up
Hardware is SPA_1xCHOC48
Internet address is 43.1.0.1/24
MTU 4470 bytes, BW 2488000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 255/255, rxload 99/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 970652000 bits/sec, 1234611 packets/sec
30 second output rate 1906071000 bits/sec, 3598706 packets/sec
317760222275 packets input, 30639610620098 bytes, 0 no buffer
Received 59052 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
926980856434 packets output, 60784868694988 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
3 carrier transitions
Non-inverted data
POS4/0/0:1
PATH 1:
AIS = 0 RDI = 1 REI = 16 BIP(B3) = 145
LOP = 2 PSE = 7 NSE = 0 NEWPTR = 0
LOM = 0 PLM = 0 UNEQ = 1
Active Defects: None
Detected Alarms: None
Asserted/Active Alarms: None
Alarm reporting enabled for: PLOP LOM B3-TCA
TCA threshold: B3 = 10e-6
Rx: C2 = CF
Tx: C2 = CF
PATH TRACE BUFFER : STABLE
42 6E 65 74 2D 45 31 20 34 2F 30 2F 30 2E 31 00 Bnet-E1 4/0/0.1.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
SONET/SDH Path Tables
INTERVAL CV ES SES UAS
07:10-07:24 0 0 0 0
Scramble: no, Width: 48
• Use the show controllers sonet command to display information about the Cisco 1-Port
Channelized OC-48/DS3 STM-16 (1xCHOC48/DS3) SPA, including the information regarding all
the configured channels.
Bnet-I4# show controllers sonet 4/0/0
SONET 4/0/0 is up.
Hardware is SPA-1XCHOC48/DS3
Applique type is Channelized Sonet/SDH
Clock Source is Internal
Medium info:
Type: Sonet, Line Coding: NRZ,
SECTION:
LOS = 2 LOF = 0 BIP(B1) = 57
SONET/SDH Section Tables
INTERVAL CV ES SES SEFS
07:10-07:24 0 0 0 0
06:55-07:10 0 0 0 0
06:40-06:55 0 0 0 0
06:25-06:40 0 0 0 0
06:10-06:25 0 0 0 0
05:55-06:10 0 0 0 0
05:40-05:55 0 0 0 0
05:25-05:40 0 0 0 0
05:10-05:25 0 0 0 0
04:55-05:10 0 0 0 0
04:40-04:55 0 0 0 0
04:25-04:40 0 0 0 0
04:10-04:25 0 0 0 0
03:55-04:10 0 0 0 0
03:40-03:55 0 0 0 0
03:25-03:40 0 0 0 0
03:10-03:25 0 0 0 0
02:55-03:10 0 0 0 0
02:40-02:55 0 0 0 0
02:25-02:40 0 0 0 0
02:10-02:25 0 0 0 0
01:55-02:10 0 0 0 0
01:40-01:55 0 0 0 0
01:25-01:40 0 0 0 0
01:10-01:25 0 0 0 0
00:55-01:10 0 0 0 0
00:40-00:55 0 0 0 0
00:25-00:40 0 0 0 0
00:10-00:25 0 0 0 0
23:55-00:10 0 0 0 0
23:40-23:55 0 0 0 0
23:25-23:40 0 0 0 0
23:10-23:25 0 0 0 0
22:55-23:10 0 0 0 0
22:40-22:55 0 0 0 0
22:25-22:40 0 0 0 0
22:10-22:25 0 0 0 0
21:55-22:10 0 0 0 0
21:40-21:55 0 0 0 0
21:25-21:40 0 0 0 0
21:10-21:25 0 0 0 0
20:55-21:10 0 0 0 0
20:40-20:55 0 0 0 0
20:25-20:40 0 0 0 0
20:10-20:25 0 0 0 0
19:55-20:10 0 0 0 0
19:40-19:55 0 0 0 0
19:25-19:40 0 0 0 0
19:10-19:25 0 0 0 0
18:55-19:10 0 0 0 0
18:40-18:55 0 0 0 0
18:25-18:40 0 0 0 0
18:10-18:25 0 0 0 0
17:55-18:10 0 0 0 0
17:40-17:55 0 0 0 0
17:25-17:40 0 0 0 0
17:10-17:25 0 0 0 0
16:55-17:10 0 0 0 0
16:40-16:55 0 0 0 0
16:25-16:40 0 0 0 0
16:10-16:25 0 0 0 0
15:55-16:10 0 0 0 0
15:40-15:55 0 0 0 0
15:25-15:40 0 0 0 0
15:10-15:25 0 0 0 0
14:55-15:10 0 0 0 0
14:40-14:55 0 0 0 0
14:25-14:40 0 0 0 0
14:10-14:25 0 0 0 0
13:55-14:10 0 0 0 0
13:40-13:55 0 0 0 0
13:25-13:40 0 0 0 0
13:10-13:25 0 0 0 0
12:55-13:10 0 0 0 0
12:40-12:55 0 0 0 0
12:25-12:40 1 1 0 0
12:10-12:25 0 0 0 0
11:55-12:10 0 0 0 0
11:40-11:55 0 0 0 0
11:25-11:40 0 0 0 0
11:10-11:25 0 0 0 0
10:55-11:10 0 0 0 0
10:40-10:55 0 0 0 0
10:25-10:40 0 0 0 0
10:10-10:25 0 0 0 0
09:55-10:10 0 0 0 0
09:40-09:55 0 0 0 0
09:25-09:40 0 0 0 0
09:10-09:25 0 0 0 0
08:55-09:10 0 0 0 0
08:40-08:55 0 0 0 0
08:25-08:40 0 0 0 0
08:10-08:25 0 0 0 0
07:55-08:10 0 0 0 0
07:40-07:55 4 4 0 0
07:25-07:40 0 0 0 0
07:10-07:25 0 0 0 0
Total of Data in Current and Previous Intervals
07:10-07:24 5 5 0 0
LINE:
AIS = 0 RDI = 0 REI = 0 BIP(B2) = 55
Active Defects: None
Detected Alarms: None
Asserted/Active Alarms: None
Alarm reporting enabled for: SLOS SLOF SF B1-TCA B2-TCA
BER thresholds: SF = 10e-3 SD = 10e-6
TCA thresholds: B1 = 10e-6 B2 = 10e-6
Rx: S1S0 = 00
K1 = 00, K2 = 00
J0 = 01
Tx: S1S0 = 00
K1 = 00, K2 = 00
J0 = 01
SONET/SDH Line Tables
INTERVAL CV ES SES UAS
07:10-07:24 0 0 0 0
06:55-07:10 0 0 0 0
06:40-06:55 0 0 0 0
06:25-06:40 0 0 0 0
06:10-06:25 0 0 0 0
05:55-06:10 0 0 0 0
05:40-05:55 0 0 0 0
05:25-05:40 0 0 0 0
05:10-05:25 0 0 0 0
04:55-05:10 0 0 0 0
04:40-04:55 0 0 0 0
04:25-04:40 0 0 0 0
04:10-04:25 0 0 0 0
03:55-04:10 0 0 0 0
03:40-03:55 0 0 0 0
03:25-03:40 0 0 0 0
03:10-03:25 0 0 0 0
02:55-03:10 0 0 0 0
02:40-02:55 0 0 0 0
02:25-02:40 0 0 0 0
02:10-02:25 0 0 0 0
01:55-02:10 0 0 0 0
01:40-01:55 0 0 0 0
01:25-01:40 0 0 0 0
01:10-01:25 0 0 0 0
00:55-01:10 0 0 0 0
00:40-00:55 0 0 0 0
00:25-00:40 0 0 0 0
00:10-00:25 0 0 0 0
23:55-00:10 0 0 0 0
23:40-23:55 0 0 0 0
23:25-23:40 0 0 0 0
23:10-23:25 0 0 0 0
22:55-23:10 0 0 0 0
22:40-22:55 0 0 0 0
22:25-22:40 0 0 0 0
22:10-22:25 0 0 0 0
21:55-22:10 0 0 0 0
21:40-21:55 0 0 0 0
21:25-21:40 0 0 0 0
21:10-21:25 0 0 0 0
20:55-21:10 0 0 0 0
20:40-20:55 0 0 0 0
20:25-20:40 0 0 0 0
20:10-20:25 0 0 0 0
19:55-20:10 0 0 0 0
19:40-19:55 0 0 0 0
19:25-19:40 0 0 0 0
19:10-19:25 0 0 0 0
18:55-19:10 0 0 0 0
18:40-18:55 0 0 0 0
18:25-18:40 0 0 0 0
18:10-18:25 0 0 0 0
17:55-18:10 0 0 0 0
17:40-17:55 0 0 0 0
17:25-17:40 0 0 0 0
17:10-17:25 0 0 0 0
16:55-17:10 0 0 0 0
16:40-16:55 0 0 0 0
16:25-16:40 0 0 0 0
16:10-16:25 0 0 0 0
15:55-16:10 0 0 0 0
15:40-15:55 0 0 0 0
15:25-15:40 0 0 0 0
15:10-15:25 0 0 0 0
14:55-15:10 0 0 0 0
14:40-14:55 0 0 0 0
14:25-14:40 0 0 0 0
14:10-14:25 0 0 0 0
13:55-14:10 0 0 0 0
13:40-13:55 0 0 0 0
13:25-13:40 0 0 0 0
13:10-13:25 0 0 0 0
12:55-13:10 0 0 0 0
12:40-12:55 0 0 0 0
12:25-12:40 1 1 0 0
12:10-12:25 0 0 0 0
11:55-12:10 0 0 0 0
11:40-11:55 0 0 0 0
11:25-11:40 0 0 0 0
11:10-11:25 0 0 0 0
10:55-11:10 0 0 0 0
10:40-10:55 0 0 0 0
10:25-10:40 0 0 0 0
10:10-10:25 0 0 0 0
09:55-10:10 0 0 0 0
09:40-09:55 0 0 0 0
09:25-09:40 0 0 0 0
09:10-09:25 0 0 0 0
08:55-09:10 0 0 0 0
08:40-08:55 0 0 0 0
08:25-08:40 0 0 0 0
08:10-08:25 0 0 0 0
07:55-08:10 0 0 0 0
07:40-07:55 0 0 0 0
07:25-07:40 0 0 0 0
07:10-07:25 0 0 0 0
Total of Data in Current and Previous Intervals
07:10-07:24 1 1 0 0
High Order Path:
PATH 1:
AIS = 0 RDI = 1 REI = 16 BIP(B3) = 145
LOP = 2 PSE = 7 NSE = 0 NEWPTR = 0
LOM = 0 PLM = 0 UNEQ = 1
Active Defects: None
Detected Alarms: None
Asserted/Active Alarms: None
Alarm reporting enabled for: PLOP LOM B3-TCA
TCA threshold: B3 = 10e-6
Rx: C2 = CF
Tx: C2 = CF
PATH TRACE BUFFER : STABLE
42 6E 65 74 2D 45 31 20 34 2F 30 2F 30 2E 31 00 Bnet-E1 4/0/0.1.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
SONET/SDH Path Tables
INTERVAL CV ES SES UAS
07:10-07:24 0 0 0 0
06:55-07:10 0 0 0 0
06:40-06:55 0 0 0 0
06:25-06:40 0 0 0 0
06:10-06:25 0 0 0 0
05:55-06:10 0 0 0 0
05:40-05:55 0 0 0 0
05:25-05:40 0 0 0 0
05:10-05:25 0 0 0 0
04:55-05:10 0 0 0 0
04:40-04:55 0 0 0 0
04:25-04:40 0 0 0 0
04:10-04:25 0 0 0 0
03:55-04:10 0 0 0 0
03:40-03:55 0 0 0 0
03:25-03:40 0 0 0 0
03:10-03:25 0 0 0 0
02:55-03:10 0 0 0 0
02:40-02:55 0 0 0 0
02:25-02:40 0 0 0 0
02:10-02:25 0 0 0 0
01:55-02:10 0 0 0 0
01:40-01:55 0 0 0 0
01:25-01:40 0 0 0 0
01:10-01:25 0 0 0 0
00:55-01:10 0 0 0 0
00:40-00:55 0 0 0 0
00:25-00:40 0 0 0 0
00:10-00:25 0 0 0 0
23:55-00:10 0 0 0 0
23:40-23:55 0 0 0 0
23:25-23:40 0 0 0 0
23:10-23:25 0 0 0 0
22:55-23:10 0 0 0 0
22:40-22:55 0 0 0 0
22:25-22:40 0 0 0 0
22:10-22:25 0 0 0 0
21:55-22:10 0 0 0 0
21:40-21:55 0 0 0 0
21:25-21:40 0 0 0 0
21:10-21:25 0 0 0 0
20:55-21:10 0 0 0 0
20:40-20:55 0 0 0 0
20:25-20:40 0 0 0 0
20:10-20:25 0 0 0 0
19:55-20:10 0 0 0 0
19:40-19:55 0 0 0 0
19:25-19:40 0 0 0 0
19:10-19:25 0 0 0 0
18:55-19:10 0 0 0 0
18:40-18:55 0 0 0 0
18:25-18:40 0 0 0 0
18:10-18:25 0 0 0 0
17:55-18:10 0 0 0 0
17:40-17:55 0 0 0 0
17:25-17:40 0 0 0 0
17:10-17:25 0 0 0 0
16:55-17:10 0 0 0 0
16:40-16:55 0 0 0 0
16:25-16:40 0 0 0 0
16:10-16:25 0 0 0 0
15:55-16:10 0 0 0 0
15:40-15:55 0 0 0 0
15:25-15:40 0 0 0 0
15:10-15:25 0 0 0 0
14:55-15:10 0 0 0 0
14:40-14:55 0 0 0 0
14:25-14:40 0 0 0 0
14:10-14:25 0 0 0 0
13:55-14:10 0 0 0 0
13:40-13:55 0 0 0 0
13:25-13:40 0 0 0 0
13:10-13:25 0 0 0 0
12:55-13:10 0 0 0 0
12:40-12:55 0 0 0 0
12:25-12:40 1 1 0 0
12:10-12:25 0 0 0 0
11:55-12:10 0 0 0 0
11:40-11:55 0 0 0 0
11:25-11:40 0 0 0 0
11:10-11:25 0 0 0 0
10:55-11:10 0 0 0 0
10:40-10:55 0 0 0 0
10:25-10:40 0 0 0 0
10:10-10:25 0 0 0 0
09:55-10:10 0 0 0 0
09:40-09:55 0 0 0 0
09:25-09:40 0 0 0 0
09:10-09:25 0 0 0 0
08:55-09:10 0 0 0 0
08:40-08:55 0 0 0 0
08:25-08:40 0 0 0 0
08:10-08:25 0 0 0 0
07:55-08:10 0 0 0 0
07:40-07:55 0 0 0 0
07:25-07:40 0 0 0 0
07:10-07:25 0 0 0 0
Total of Data in Current and Previous Intervals
07:10-07:24 1 1 0 0
sts-1 1 - 48 pos
POS4/0/0:1 is up, line protocol is up
Hardware is SPA_1xCHOC48
Internet address is 43.1.0.1/24
MTU 4470 bytes, BW 2488000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 255/255, rxload 99/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Scramble disabled
Last input 00:00:00, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 970494000 bits/sec, 1234411 packets/sec
30 second output rate 1905754000 bits/sec, 3598138 packets/sec
317784911130 packets input, 30642036917424 bytes, 0 no buffer
Received 59054 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
927052821884 packets output, 60789633235494 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
3 carrier transitions
Non-inverted data
Path 2:
configured as member of a concatenated POS interface
Path 3:
configured as member of a concatenated POS interface
Path 4:
configured as member of a concatenated POS interface
Path 5:
configured as member of a concatenated POS interface
Path 6:
configured as member of a concatenated POS interface
Path 7:
configured as member of a concatenated POS interface
Path 8:
configured as member of a concatenated POS interface
Path 9:
configured as member of a concatenated POS interface
Path 10:
configured as member of a concatenated POS interface
Path 11:
configured as member of a concatenated POS interface
Path 12:
configured as member of a concatenated POS interface
Path 13:
configured as member of a concatenated POS interface
Path 14:
configured as member of a concatenated POS interface
Path 15:
configured as member of a concatenated POS interface
Path 16:
configured as member of a concatenated POS interface
Path 17:
configured as member of a concatenated POS interface
Path 18:
configured as member of a concatenated POS interface
Path 19:
configured as member of a concatenated POS interface
Path 20:
configured as member of a concatenated POS interface
Path 21:
configured as member of a concatenated POS interface
Path 22:
configured as member of a concatenated POS interface
Path 23:
configured as member of a concatenated POS interface
Path 24:
configured as member of a concatenated POS interface
Path 25:
configured as member of a concatenated POS interface
Path 26:
configured as member of a concatenated POS interface
Path 27:
configured as member of a concatenated POS interface
Path 28:
configured as member of a concatenated POS interface
Path 29:
configured as member of a concatenated POS interface
Path 30:
configured as member of a concatenated POS interface
Path 31:
configured as member of a concatenated POS interface
Path 32:
configured as member of a concatenated POS interface
Path 33:
configured as member of a concatenated POS interface
Path 34:
configured as member of a concatenated POS interface
Path 35:
configured as member of a concatenated POS interface
Path 36:
configured as member of a concatenated POS interface
Path 37:
configured as member of a concatenated POS interface
Path 38:
configured as member of a concatenated POS interface
Path 39:
configured as member of a concatenated POS interface
Path 40:
configured as member of a concatenated POS interface
Path 41:
configured as member of a concatenated POS interface
Path 42:
configured as member of a concatenated POS interface
Path 43:
configured as member of a concatenated POS interface
Path 44:
configured as member of a concatenated POS interface
Path 45:
configured as member of a concatenated POS interface
Path 46:
configured as member of a concatenated POS interface
Path 47:
configured as member of a concatenated POS interface
• Use the show interface serial command to verify the link and line protocol information of the serial
interface.
Router#show interface Serial5/1/0.1
Serial5/1/0.1 is up, line protocol is up
Hardware is SPA-1XCHOC48/DS3
Internet address is 27.1.1.2/24
MTU 4470 bytes, BW 44210 Kbit/sec, DLY 200 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, crc 16, loopback not set
Keepalive set (10 sec)
LMI enq sent 0, LMI stat recvd 0, LMI upd recvd 0
LMI enq recvd 1, LMI stat sent 1, LMI upd sent 0, DCE LMI up
LMI DLCI 1023 LMI type is CISCO frame relay DCE
FR SVC disabled, LAPF state down
Fragmentation type: end-to-end, size 128, PQ interleaves 0
Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 00:00:01, output 00:00:01, output hang never
Last clearing of "show interface" counters 00:00:02
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: Class-based queueing
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions no alarm present
DSU mode cisco, bandwidth 44210 Kbit, scramble 0, VC 0, non-inverted data
CHAPTER 22
Configuring the 4-Port Serial Interface SPA
This chapter provides information about configuring the 4-Port Serial Interface Shared Port Adapter
(SPA) on the Cisco 7600 series router. It includes the following sections:
• Configuration Tasks
• Verifying the Interface Configuration
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Configuration Tasks
This section describes how to configure the 4-Port Serial Interface SPA for the Cisco 7600 series router
and includes information about verifying the configuration.
It includes the following topics:
• Configuring the 4-Port Serial Interface SPA
• Specifying the Interface Address on a SPA
• Verifying the Configuration
• Optional Configurations
• Saving the Configuration
Configuring the 4-Port Serial Interface SPA
To configure the 4-Port Serial Interface SPA, complete these steps:

        Command                                     Purpose
Step 1  Router# configure terminal                  Enters global configuration mode.
Step 2  Router(config)# interface serial            Selects the controller to configure and enters
        slot/subslot/port                           interface configuration mode.
                                                    • slot/subslot/port—Specifies the location of the
                                                      4-Port Serial Interface SPA port. See the
                                                      “Specifying the Interface Address on a SPA”
                                                      section.
Step 3  Router(config-if)# ip address address mask  Sets the IP address and subnet mask.
                                                    • address—IP address
                                                    • mask—Subnet mask
Step 4  Router(config-if)# clock rate bps           Configures the clock rate for the hardware to an
                                                    acceptable bit rate per second (bps).

Note Each port should first be connected with the appropriate cable before attempting full configuration.
Some commands are enabled only based upon the cable type connected to the port.
Note The bandwidth of each interface is 2 MB by default; setting the clock rate does not change the interface
bandwidth. Cisco recommends that you configure the bandwidth value with the clock rate command at
the DCE and DTE side.
Note A clock rate of 2016 does not appear in the configuration because it is the default value.
Specifying the Interface Address on a SPA
SPA interface ports begin numbering with “0” from left to right. Single-port SPAs use only the port
number 0. To configure or monitor SPA interfaces, you need to specify the physical location of the SIP,
SPA, and interface in the CLI (command-line interface). The interface address format is
slot/subslot/port, where:
• slot—Specifies the chassis slot number in the Cisco 7600 series router where the SIP is installed.
• subslot—Specifies the secondary slot of the SIP where the SPA is installed.
• port—Specifies the number of the individual interface port on a SPA.
The following example shows how to specify the first interface (0) on a SPA installed in the first subslot
of a SIP (0) installed in chassis slot 3:
Router(config)# interface serial 3/0/0
For more information about identifying slots and subslots, see the “Identifying Slots and Subslots for
SIPs, SSCs, and SPAs” section on page 4-2.
Verifying the Configuration
After configuring the new interface, use the show commands to display the status of the new interface
or all interfaces, and use the ping and loopback commands to check connectivity. This section includes
the following subsections:
• Show Commands
• Using the ping Command to Verify Network Connectivity
• Using loopback Commands
Show Commands
The table below shows the show commands you can use to verify the operation of the 4-Port Serial
Interface SPA. Sample displays of the output of selected show commands appear in the section that
follows. For complete command descriptions and examples, refer to the publications listed in the
“Obtaining Documentation, Obtaining Support, and Security Guidelines” section on page l.

Command                           Purpose
Router# show version              Displays system hardware configuration, the number
or                                of each interface type installed, Cisco IOS software
Router# show hardware             version, names and sources of configuration files, and
                                  boot images.
Router# show controllers          Displays all the current interface processors and their
                                  interfaces.
Router# show controllers serial   Displays serial line statistics.
Router# show diagbus slot         Displays types of port adapters installed in your system
                                  and information about a specific port adapter slot,
                                  interface processor slot, or chassis slot.
Router# show interfaces type      Displays status information about a specific type of
port-adapter-slot-number/         interface (for example, serial) in a Cisco 7600 series
interface-port-number             router.
Router# show protocols            Displays protocols configured for the entire system and
                                  for specific interfaces.
Router# show running-config       Displays the running configuration file.
Router# show startup-config       Displays the configuration stored in NVRAM.

Note The outputs that appear in this document may not match the output you receive when running these
commands. The outputs in this document are examples only.
Verification Examples
The following is an example of a show version command with the 4-Port Serial Interface SPA:
Router# show version
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_DBG-M), Version
12.2(nightly.SR070910) NIGHTLY BUILD, synced to rainier
RAINIER_BASE_FOR_V122_33_SRA_THROTTLE
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 10-Sep-07 22:48 by cuotran
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
PE1 uptime is 18 hours, 23 minutes
Uptime for this control processor is 18 hours, 23 minutes
System returned to ROM by reload at 13:30:48 IST Thu Sep 13 2007 (SP by reload)
System image file is "disk1:s72033-adventerprisek9_dbg-mz.autobahn76_091007"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C6506 (R7000) processor (revision 3.0) with 983008K/65536K bytes of memory.
Processor board ID TBM06330552
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
2 SIP-200 controllers (8 Serial)(2 ATM)(4 Channelized T3)(1 Channelized OC3/STM-1).
1 SIP-400 controller (1 POS)(2 Channelized OC3/STM-1).
2 Virtual Ethernet interfaces
74 Gigabit Ethernet interfaces
8 Serial interfaces
2 ATM interfaces
1 Packet over SONET interface
4 Channelized T3 ports
3 Channelized STM-1 ports
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
The following is an example of a show hardware command with the 4-Port Serial Interface SPA:
Router# show hardware
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_DBG-M), Version
12.2(nightly.SR070910) NIGHTLY BUILD, synced to rainier
RAINIER_BASE_FOR_V122_33_SRA_THROTTLE
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 10-Sep-07 22:48 by cuotran
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
PE1 uptime is 18 hours, 23 minutes
Uptime for this control processor is 18 hours, 23 minutes
System returned to ROM by reload at 13:30:48 IST Thu Sep 13 2007 (SP by reload)
System image file is "disk1:s72033-adventerprisek9_dbg-mz.autobahn76_091007"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C6506 (R7000) processor (revision 3.0) with 983008K/65536K bytes of memory.
Processor board ID TBM06330552
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
2 SIP-200 controllers (8 Serial)(2 ATM)(4 Channelized T3)(1 Channelized OC3/STM-1).
1 SIP-400 controller (1 POS)(2 Channelized OC3/STM-1).
2 Virtual Ethernet interfaces
74 Gigabit Ethernet interfaces
8 Serial interfaces
2 ATM interfaces
1 Packet over SONET interface
4 Channelized T3 ports
3 Channelized STM-1 ports
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
The following is an example of a show controllers serial command with the 4-Port Serial Interface
SPA:
Router# show controller serial 3/1/1
Serial3/1/1 - (SPA-4XT-SERIAL) is up
Encapsulation : Frame Relay
Cable type: RS-232 DTE
mtu 1500, max_buffer_size 1524, max_pak_size 1608 enc 84
loopback: Off, crc: 16, invert_data: Off
nrzi: Off, idle char: Flag
tx_invert_clk: Off, ignore_dcd: Off
rx_clockrate: 552216, rx_clock_threshold: 0
serial_restartdelay:60000, serial_restartdelay_def:60000
RTS up, CTS up, DTR up, DCD up, DSR up
Note The acronyms are defined as follows: RTS (Request to Send); CTS (Clear To Send); DTR (Data
Transmit Ready); DCD (Data Carrier Detect); DSR (Data Set Ready).
The following is an example of a show diagbus command with the 4-Port Serial Interface SPA:
Router# show diagbus 4
Slot 4: Logical_index 8
4-subslot SPA Interface Processor-200 controller
Board is analyzed ipc ready
HW rev 1.1, board revision A0
Serial Number: JAB0929078S Part number: 73-8272-08
Slot database information:
Flags: 0x2004 Insertion time: 0x2DC096C4 (07:47:58 ago)
Controller Memory Size:
384 MBytes CPU Memory
127 MBytes Packet Memory
511 MBytes Total on Board SDRAM
Cisco IOS Software, cwlc Software (sip1-DW-M), Version 12.2(nightly.SR070820) NIGHTLY
BUILD, synced to rainier RAINIER_BASE_FOR
SPA Information:
subslot 4/0: SPA-4XT-SERIAL (0x55A), status: ok
The following is an example of a show interfaces serial command with the 4-Port Serial Interface SPA:
Router# show interfaces serial2/0/0
Serial 5/1/0 is up, line protocol is up
Hardware is SPA-4T
Internet address is 192.168.33.1/29
MTU 4470 bytes, BW 8000 Kbit, DLY 100 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive not set
Clock Source Internal.
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters 1h
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 applique, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
The following are examples of the show protocol command with the 4-Port Serial Interface SPA:
Router# show protocol
Global values:
Internet Protocol routing is enabled
POS1/2/0 is up, line protocol is up
GigabitEthernet3/1 is down, line protocol is down
GigabitEthernet3/2 is administratively down, line protocol is down
GigabitEthernet3/3 is down, line protocol is down
GigabitEthernet3/4 is administratively down, line protocol is down
GigabitEthernet3/5 is administratively down, line protocol is down
GigabitEthernet3/6 is administratively down, line protocol is down
GigabitEthernet3/7 is up, line protocol is up
Internet address is 200.0.0.100/24
GigabitEthernet3/8 is administratively down, line protocol is down
GigabitEthernet3/9 is administratively down, line protocol is down
GigabitEthernet3/10 is administratively down, line protocol is down
GigabitEthernet3/11 is administratively down, line protocol is down
GigabitEthernet3/12 is administratively down, line protocol is down
GigabitEthernet3/13 is administratively down, line protocol is down
GigabitEthernet3/14 is administratively down, line protocol is down
GigabitEthernet3/15 is administratively down, line protocol is down
GigabitEthernet3/16 is administratively down, line protocol is down
GigabitEthernet3/17 is administratively down, line protocol is down
GigabitEthernet3/18 is administratively down, line protocol is down
GigabitEthernet3/19 is administratively down, line protocol is down
GigabitEthernet3/20 is administratively down, line protocol is down
GigabitEthernet3/21 is administratively down, line protocol is down
Router# show protocol | i Serial4/
Serial4/0/0 is administratively down, line protocol is down
Serial4/0/1 is administratively down, line protocol is down
Serial4/0/2 is administratively down, line protocol is down
Serial4/0/3 is administratively down, line protocol is down
Serial4/2/0 is administratively down, line protocol is down
Serial4/2/1 is administratively down, line protocol is down
Serial4/2/2 is administratively down, line protocol is down
Serial4/2/3 is administratively down, line protocol is down
The following is an example of a show running-config command with the 4-Port Serial Interface
SPA:
Router# show running-config serial
Router# show running interface ser4/0/0
Building configuration...
Current configuration : 54 bytes
!
interface Serial4/0/0
no ip address
shutdown
end
The following is an example of a show running interface command with the 4-Port Serial Interface
SPA:
Router# show running interface ser4/0/1
Building configuration...
Current configuration : 54 bytes
!
interface Serial4/0/1
no ip address
shutdown
end
The following is an example of a show startup-config command with the 4-Port Serial Interface SPA:
Router# show startup-config | b Serial4/0/0
interface Serial4/0/0
no ip address
shutdown
!
interface Serial4/0/1
no ip address
shutdown
!
interface Serial4/0/2
no ip address
shutdown
!
interface Serial4/0/3
no ip address
shutdown
!
Using the ping Command to Verify Network Connectivity
Using the ping command, you can verify that an interface port is functioning properly. This section
provides a brief description of this command. Refer to the publications listed in the “Obtaining
Documentation, Obtaining Support, and Security Guidelines” section on page l for detailed command
descriptions and examples.
The ping command sends echo request packets out to a remote device at an IP address that you specify.
After sending an echo request, the system waits a specified time for the remote device to reply. Each
echo reply is displayed as an exclamation point (!) on the console terminal; each request that is not
returned before the specified timeout is displayed as a period (.). A series of exclamation points (!!!!!)
indicates a good connection; a series of periods (.....) or the messages [timed out] or [failed] indicate a
bad connection.
Following is an example of a successful ping command to a remote server with the address 10.0.0.10:
Router# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/64 ms
Router#
If the connection fails, verify that you have the correct IP address for the destination and that the device
is active (powered on), and repeat the ping command.
Proceed to the next section, “Using loopback Commands,” to finish checking network connectivity.
Using loopback Commands
With the loopback test, you can detect and isolate equipment malfunctions by testing the connection
between the 4-Port Serial Interface SPA and a remote device such as a modem or a channel service unit
(CSU) or a data service unit (DSU). The loopback command places an interface in loopback mode,
which enables test packets that are generated from the ping command to loop through a remote device
or compact serial cable. If the packets complete the loop, the connection is good. If not, you can isolate
a fault to the remote device or compact serial cable in the path of the loopback test.
Note You must configure a clock rate on the port before performing a loopback test. However, if no cable is
attached to the port, the port is administratively up, and the port is in loopback mode, you do not have
to configure a clock rate on the port before performing a loopback test.
Depending on the mode of the port, issuing the loopback command checks the following path:
• When no compact serial cable is attached to the 4-Port Serial Interface SPA port, or if a data
circuit-terminating equipment (DCE) cable is attached to a port that is configured as line protocol
up, the loopback command tests the path between the network processing engine and the interface
port only (without leaving the network processing engine and port adapter).
• When a data terminal equipment (DTE) cable is attached to the port, the loopback command tests
the path between the network processing engine and the near (network processing engine) side of
the DSU or modem to test the 4-Port Serial Interface SPA and compact serial cable. (The X.21 DTE
interface cable does not support this loopback test; see the following Note.)
Note The X.21 interface definition does not include a loopback definition. On the 4-Port Serial Interface SPA
port adapter, the X.21 DTE interface does not support the loopback function. Because of the internal
clock signal present on the 4-Port Serial Interface SPAs, loopback will function on an X.21 DCE
interface.
This completes the configuration procedure for the new 4-Port Serial Interface SPA port adapter serial
interfaces.
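
The status and ping checks from this section, combined into an added Python example (not part of the Cisco guide): it reads a show interfaces serial display and a ping display and lists anything that needs attention. The sample outputs are constructed, and the function names are this example's own.

```python
import re

# Constructed sample output in the layout of the show interfaces serial and
# ping displays above; the counter values are made up for this example.
SHOW_INTERFACE = """\
Serial4/0/0 is up, line protocol is up
  Hardware is SPA-4T
  Encapsulation HDLC, loopback not set, keepalive not set
  Last clearing of "show interface" counters 1h
     412 packets input, 39552 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 parity
     7 input errors, 7 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     398 packets output, 38208 bytes, 0 underruns
     0 output errors, 0 applique, 2 interface resets
     3 carrier transitions
"""
PING = """\
Sending 5, 100-byte ICMP Echoes to 10.0.0.10, timeout is 2 seconds:
!!.!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/15/64 ms
"""

STATUS_RE = re.compile(
    r"^(?P<name>[A-Za-z]+ ?[\d/.:]+) is (?P<link>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)", re.M)
COUNTER_RE = re.compile(
    r"(\d+) (input errors|CRC|frame|overrun|abort|output errors|underruns|"
    r"interface resets|carrier transitions)")
PING_MARKS_RE = re.compile(r"^[!.]+$", re.M)


def parse_interface(text):
    """Return name, link state, line protocol state and error counters."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no '<interface> is ..., line protocol is ...' line found")
    counters = {name: int(value) for value, name in COUNTER_RE.findall(text)}
    return {"name": m["name"], "link": m["link"], "protocol": m["proto"],
            "counters": counters}


def parse_ping(text):
    """Count replies (!) and timeouts (.) in the ping result line."""
    m = PING_MARKS_RE.search(text)
    marks = m.group(0) if m else ""
    return {"sent": len(marks), "replies": marks.count("!"),
            "timeouts": marks.count("."),
            "failed": "[timed out]" in text or "[failed]" in text}


def verify(interface_text, ping_text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    intf = parse_interface(interface_text)
    if intf["link"] != "up" or intf["protocol"] != "up":
        findings.append(
            f"{intf['name']}: link {intf['link']}, line protocol {intf['protocol']}")
    # Counters accumulate since the last clearing, so a nonzero value is a
    # prompt to clear the counters and re-check, not proof of a current fault.
    for name, value in intf["counters"].items():
        if value:
            findings.append(f"{intf['name']}: {value} {name}")
    ping = parse_ping(ping_text)
    if ping["failed"] or ping["sent"] == 0 or ping["replies"] < ping["sent"]:
        findings.append(f"ping: {ping['replies']}/{ping['sent']} replies")
    return findings


if __name__ == "__main__":
    for finding in verify(SHOW_INTERFACE, PING):
        print(finding)
```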
Optional Configurations
The following optional configurations may be necessary to complete the configuration of your serial
SPA.
• Configuring Timing Signals
• Inverting the Clock Signal
• Configuring NRZI Format
• Configuring Cyclic Redundancy Checks
• Configuring Encapsulation
• Configuring Distributed Multilink PPP
• Configuring MLFR
• Configuring Multipoint Bridging
• Configuring Bridging Control Protocol Support
• Configuring BCP on MLPPP
• FRF.12 Guidelines
• LFI Guidelines
• FRF.12 LFI Guidelines
Configuring Timing Signals
All interfaces support both DTE and DCE mode, depending on the mode of the compact serial cable
attached to the port. To use a port as a DTE interface, you need only connect a DTE compact serial cable
to the port. When the system detects the DTE mode cable, it automatically uses the external timing
signal. To use a port in DCE mode, you must connect a DCE compact serial cable and set the clock speed
with the clock rate configuration command. You must also set the clock rate to perform a loopback test.
This section describes how to set the clock rate on a DCE port and, if necessary, how to invert the clock
to correct a phase shift between the data and clock signals.
Use the following commands when configuring timing signals:

Command                             Purpose
Router# configure terminal          Enters global configuration mode.
Router(config)# interface serial    Selects the controller to configure and enters
slot/subslot/port                   interface configuration mode.
Router(config-if)# invert txclock   Invert the transmit clock signal. When the
                                    EIA/TIA-232 interface is a DTE, the invert
                                    txclock command inverts the TxC signal the DTE
                                    receives from the remote DCE. When the
                                    EIA/TIA-232 interface is a DCE, the invert
                                    txclock command inverts the clock signal to the
                                    remote DTE port.
                                    The no form of this command changes the clock
                                    signal back to its original phase.
Router(config-if)# clock rate bps   Set standard clock rate, in bits per second: 1200,
                                    2400, 4800, 9600, 14400, 19200, 28800, 32000,
                                    38400, 48000, 56000, 57600, 64000, 72000,
                                    115200, 128000, 230400, 252000, 504000,
                                    1008000, 2016000, 4032000, 8064000.
                                    Any nonstandard clock rates that are entered are
                                    rounded off to the nearest hardware supported
                                    clock rate. The actual clock rate is then displayed
                                    on console.
                                    The no form of this command removes a clock rate
                                    that has been set.
Router(config-if)# invert data      Invert the data signal.
                                    The no form of this command disables the
                                    inversion of the data signal.

Note Clock rates supported for EIA/TIA-232: 1.2K, 2.4K, 4.8K, 9.6K, 14.4K, 19.2K, 28.8K, 32K, 38.4K,
56K, 64K, 128K.
Note Clock rates supported for EIA-530, EIA-530A, EIA-449, V.35 (bps): 1.2K, 2.4K, 4.8K, 9.6K, 14.4K,
19.2K, 28.8K, 32K, 38.4K, 56K, 64K, 72K, 115.2K, 128k, 230.4k, 252K, 504k, 1.008M, 2.016M,
4.032M, 8.064M. The other ones are unconfigurable.
Note Clock rates supported for X.21: 1.2K, 2.4K, 4.8K, 9.6K, 14.4K, 19.2K, 28.8K, 32K, 38.4K, 56K, 64K,
72K, 115.2K, 128k, 230.4k, 252K, 504k, 2.016M, 4.032M, 8.064M.
Inverting the Clock Signal
Systems that use long cables or cables that are not transmitting the TxC (clock) signal might experience
high error rates when operating at higher transmission speeds. If a SPA-4XT DCE port is reporting a
high number of error packets, a phase shift might be the problem: inverting the clock might correct this
phase shift.
When the EIA/TIA-232 interface is a DTE, the invert-transmit-clock command inverts the TxC signal
the DTE receives from the remote DCE. When the EIA/TIA-232 interface is a DCE, the invert-txclock
command inverts the clock signal to the remote DTE port. Use the no invert-txclock command to
change the clock signal back to its original phase.
Use the following commands when inverting the clock signal:

Command                             Purpose
Router# configure terminal          Enters global configuration mode.
Router(config)# interface serial    Selects the controller to configure and enters interface
slot/subslot/port                   configuration mode.
Router(config-if)# invert txclock   Invert the transmit clock signal. When the
                                    EIA/TIA-232 interface is a DTE, the invert txclock
                                    command inverts the TxC signal the DTE receives
                                    from the remote DCE. When the EIA/TIA-232
                                    interface is a DCE, the invert txclock command inverts
                                    the clock signal to the remote DTE port.
                                    The no version changes the clock signal back to its
                                    original phase.
Router(config-if)# invert data      Invert the data signal.
                                    The no version of this command disables inverting the
                                    data stream.

Configuring NRZI Format
All EIA/TIA-232 interfaces on the SPA-4XT support non-return-to-zero (NRZ) and non-return-to-zero
inverted (NRZI) formats. Both formats use two different voltage levels for transmission. NRZ signals
maintain constant voltage levels with no signal transitions—no return to a zero voltage level—during a
bit interval and are decoded using absolute values: 0 and 1. NRZI uses the same constant signal levels
but interprets the absence of data—a space—at the beginning of a bit interval as a signal transition and
the presence of data—a mark—as no signal transition. NRZI uses relational encoding to interpret signals
rather than determining absolute values.

Command                             Purpose
Router# configure terminal          Enters global configuration mode.
Router(config)# interface serial    Selects the controller to configure and enters interface
slot/subslot/port                   configuration mode.
nrzi-encoding                       Enable NRZI encoding.
no nrzi-encoding                    Disable NRZI encoding.

Configuring Cyclic Redundancy Checks
Cyclic redundancy checking (CRC) is an error-checking technique that uses a calculated numeric value
to detect errors in transmitted data. All interfaces use a 16-bit CRC (CRC-CITT) by default but also
support a 32-bit CRC. The sender of a data frame calculates the frame check sequence (FCS). Before it
sends a frame, the sender appends the FCS value to the message. The receiver recalculates the FCS and
compares its calculation to the FCS from the sender. If there is a difference between the two calculations,
the receiver assumes that a transmission error occurred and sends a request to the sender to resend the
frame.
In the example that follows, the first serial port on a 4-Port Serial Interface SPA, installed on a versatile
interface processor (VIP) in interface processor slot 3, is configured for 32-bit CRC:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface serial 3/1/0
Router(config-if)# crc 32
Ctrl-Z
Router#
The preceding command example applies to all systems in which the 4-Port Serial Interface SPA is
supported.
Use the no crc 32 command to disable CRC-32 and return the interface to the default CRC-16
(CRC-CCITT) setting.
Command
        Purpose
Router# configure terminal
        Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
        Selects the controller to configure and enters interface configuration mode.
Router(config-if)# crc [16 | 32]
        Specifies the length of the CRC, where:
        • 16—Specifies a 16-bit length CRC. This is the default.
        • 32—Specifies a 32-bit length CRC.
        To set the CRC length to the default value, use the no form of this command.
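The FCS append-and-compare exchange described in this section, as an added example that is not part of the Cisco guide or Cisco code. It assumes that crc 16 and crc 32 correspond to the HDLC/PPP FCS-16 and FCS-32 of RFC 1662, and all payloads are constructed; it also shows an error pattern that the 16-bit FCS misses and the 32-bit FCS catches.

```python
"""FCS-16 and FCS-32 frame checks (added example, not Cisco code).

Assumption: the `crc 16` and `crc 32` settings correspond to the HDLC/PPP
FCS-16 and FCS-32 defined in RFC 1662. All frame contents are constructed.
"""
import zlib


def fcs16(data: bytes) -> int:
    """CCITT polynomial x^16 + x^12 + x^5 + 1 in reflected form (0x8408),
    initial value 0xFFFF, final value complemented."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def fcs32(data: bytes) -> int:
    """FCS-32 uses the same parameters as the CRC-32 in zlib."""
    return zlib.crc32(data) & 0xFFFFFFFF


def fcs_bytes(payload: bytes, bits: int) -> bytes:
    """FCS field as transmitted: least significant octet first."""
    if bits == 16:
        return fcs16(payload).to_bytes(2, "little")
    if bits == 32:
        return fcs32(payload).to_bytes(4, "little")
    raise ValueError("CRC length must be 16 or 32")


def sender_frame(payload: bytes, bits: int = 16) -> bytes:
    """Sender: calculate the FCS and append it to the message."""
    return payload + fcs_bytes(payload, bits)


def receiver_check(frame: bytes, bits: int = 16) -> bool:
    """Receiver: recalculate the FCS and compare it with the one received."""
    size = bits // 8
    if bits not in (16, 32) or len(frame) <= size:
        return False
    return fcs_bytes(frame[:-size], bits) == frame[-size:]


def flip_bit(frame: bytes, index: int) -> bytes:
    """Model a single-bit transmission error."""
    damaged = bytearray(frame)
    damaged[index // 8] ^= 1 << (index % 8)
    return bytes(damaged)


def fcs16_collision(length: int = 3):
    """Find two different payloads of `length` bytes with the same FCS-16.
    An error burst that turns one into the other is invisible to crc 16."""
    seen = {}
    for value in range(1 << (8 * length)):
        payload = value.to_bytes(length, "big")
        fcs = fcs16(payload)
        if fcs in seen:
            return seen[fcs], payload
        seen[fcs] = payload
    return None


if __name__ == "__main__":
    payload = b"constructed payload"
    for bits in (16, 32):
        frame = sender_frame(payload, bits)
        missed = sum(receiver_check(flip_bit(frame, i), bits)
                     for i in range(len(frame) * 8))
        print(f"crc {bits}: frame accepted={receiver_check(frame, bits)}, "
              f"single-bit errors missed={missed}")
    a, b = fcs16_collision()
    print(f"{a.hex()} and {b.hex()} share FCS-16 {fcs16(a):#06x}; "
          f"FCS-32 differs: {fcs32(a) != fcs32(b)}")
    # The FCS is not a keyed integrity check: an altered payload sent with a
    # freshly calculated FCS is accepted like any other valid frame.
    print("altered frame accepted:",
          receiver_check(sender_frame(b"altered payload", 32), 32))
```

The FCS protects against line errors only; it does not authenticate the sender or the contents of a frame.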
Configuring Encapsulation
When traffic crosses a WAN link, the connection needs a Layer 2 protocol to encapsulate traffic. To set
the encapsulation method, use the following commands:
Command
        Purpose
Router# configure terminal
        Enters global configuration mode.
Router(config)# interface serial slot/subslot/port
        Selects the interface to configure and enters interface configuration mode.
        slot/subslot/port—Specifies the location of the interface. See the “Specifying the
        Interface Address on a SPA” section on page 22-2.
Router(config-if)# encapsulation {hdlc | ppp | frame-relay}
        Sets the encapsulation method on the interface.
        • hdlc—High-Level Data Link Control (HDLC) protocol for serial interface. This is the
          default.
        • ppp—Point-to-Point Protocol (PPP) (for serial interface).
        • frame-relay—Frame Relay (for serial interface).
Verifying Encapsulation
Use the show interface serial command to display the encapsulation method:
Router# show interface serial3/1/1
Serial3/1/1 is up, line protocol is down
Hardware is SPA-4XT-SERIAL
MTU 1500 bytes, BW 2016 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, crc 16, loopback not set
Keepalive set (10 sec)
LMI enq sent 13698, LMI stat recvd 0, LMI upd recvd 0, DTE LMI down
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input never, output 00:00:05, output hang never
Last clearing of "show interface" counters 1d14h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
19344 packets output, 254168 bytes, 0 underruns
0 output errors, 0 collisions, 2283 interface resets
0 output buffer failures, 0 output buffers swapped out
4566 carrier transitions
RTS up, CTS up, DTR up, DCD up, DSR up
Configuring Distributed Multilink PPP
The Distributed Multilink Point-to-Point Protocol (dMLPPP) feature allows you to combine serial lines
into a bundle that has the combined bandwidth of the multiple lines. This is done by using a dMLPPP
link. You choose the number of bundles and the number of serial lines in each bundle. This allows you
to increase the bandwidth of your network links beyond that of a single serial line without having to
purchase a bigger line.
This section includes the following topics:
• dMLPPP Configuration Guidelines
• dMLPPP Configuration Tasks
• Verifying dMLPPP
dMLPPP Configuration Guidelines
dMLPPP is supported under the following conditions:
• All links are on the same Cisco 7600 SIP-200.
• Member links in a bundle are recommended to have the same bandwidth and clock rate.
• Quality of Service (QoS) is implemented on the Cisco 7600 SIP-200 for dMLPPP.
• Bundle links are configurable across the multilink SPA.
Note Because the bundles are done in software, performance is dependent on the line card CPU.
• To enable fragmentation for software-based dMLPPP, you must configure the ppp multilink
interleave command.
• You must use the ppp chap hostname command when you have more than one bundle between two
routers.
When configuring dMLPPP on the Cisco 7600 SIP-200, consider the following restrictions:
• Data compression is supported for RTP traffic only (dCRTP).
• Encryption is not supported.
• The maximum differential delay is 100 ms when supported in software.
dMLPPP Configuration Tasks
The following sections describe how to configure dMLPPP:
• Creating a dMLPPP Bundle (required)
• Assigning an Interface to a dMLPPP Bundle (required)
• Configuring LFI over dMLPPP (optional)
Creating a dMLPPP Bundle
To configure a dMLPPP bundle, use the following commands beginning in global configuration mode:
Command
        Purpose
Step 1  Router(config)# interface multilink group-number
        Creates a multilink interface and enters interface configuration mode, where:
        • group-number—Specifies the group number for the multilink bundle.
Step 2  Router(config-if)# ip address ip-address mask
        Sets the IP address for the multilink group, where:
        • ip-address—Specifies the IP address for the interface.
        • mask—Specifies the mask for the associated IP subnet.
Step 3  Router(config-if)# ppp multilink interleave
        (Optional—Software-based link fragmentation and interleaving [LFI]) Enables
        fragmentation for the interfaces assigned to the multilink bundle. Fragmentation is
        disabled by default in software-based LFI.
Step 4  Router(config-if)# ppp multilink fragment-delay delay
        (Optional) Sets the fragmentation size satisfying the configured delay on the multilink
        bundle, where:
        • delay—Specifies the delay in milliseconds.
Assigning an Interface to a dMLPPP Bundle
To configure an interface PPP link and associate it as a member of a multilink bundle, use the following
commands beginning in global configuration mode. Repeat these steps to assign multiple links to the
dMLPPP bundle.
Command
        Purpose
Step 1  Router(config)# interface serial slot/subslot/port
        Specifies a serial interface and enters interface configuration mode, where:
        • slot—Specifies the chassis slot number where the SIP is installed.
        • subslot—Specifies the secondary slot number on a SIP where a SPA is installed.
        • port—Specifies the number of the interface port on the SPA.
        Note If you configure a fractional interface on the SPA using a channel group and
        specify that fractional channel group as part of this task, then software-based dMLPPP
        is implemented automatically by the Cisco 7600 SIP-200 when you assign the interface
        to the dMLPPP bundle.
Step 2  Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 3  Router(config-if)# ppp multilink-group group-number
        Restricts a physical link to joining only a designated multilink group interface.
        • Enter the multilink group number.
Step 4  Router(config-if)# ppp authentication chap
        (Optional) Enables Challenge Handshake Authentication Protocol (CHAP) authentication.
The following example uses the ppp chap hostname command.
Router(config)# interface Serial4/1/0
Router(config-if)# no ip address
Router(config-if)# encapsulation ppp
Router(config-if)# ppp chap hostname X1
Router(config-if)# ppp multilink group 1
end
Router(config-if)# ppp chap host
Router(config-if)# ppp chap hostname ?
WORD Alternate CHAP hostname
Router(config-if)# ppp chap hostname
Configuring LFI over dMLPPP
LFI over dMLPPP is supported in software on the Cisco 7600 SIP-200. This support is determined by
your link configuration.
Guidelines
When configuring LFI over dMLPPP, consider the following guidelines for software-based LFI:
• LFI over dMLPPP will be configured in software if there is more than one link assigned to the
dMLPPP bundle.
• LFI is disabled by default in software-based LFI. To enable LFI on the multilink interface, use the
ppp multilink interleave command.
• Fragmentation size is calculated from the delay configured and the member link bandwidth.
• You must configure a policy map with a priority class under the multilink interface.
• Compressed Real-Time Protocol (CRTP) should not be configured on a multilink interface when
LFI is enabled on the multilink interface when the multilink bundle has more than one member link,
or a QoS policy with a priority feature is enabled on the multilink interface.
• Using the shut and no shut commands in interface configuration mode is required when
configuring interleave on the multilink interface.
Verifying dMLPPP
To verify dMLPPP configuration, use the show ppp multilink command, as shown in the following
example:
Router# show ppp multilink
Multilink1
Bundle name: X1
Remote Endpoint Discriminator: [1] X1
Local Endpoint Discriminator: [1] X1
Bundle up for 00:00:08, total bandwidth 4032, load 1/255
Receive buffer limit 24000 bytes, frag timeout 1000 ms
Bundle is Distributed
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x2 received sequence, 0x2 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se4/1/0, since 00:00:10
Se4/1/1, since 00:00:07
Configuring MLFR
Multilink Frame Relay (MLFR) allows you to combine lines into a bundle that has the combined
bandwidth of the multiple lines. You choose the number of bundles and the number of lines in each
bundle. This allows you to increase the bandwidth of your network links beyond that of a single line.
MLFR Configuration Guidelines
MLFR will function in hardware if all of the following conditions are met:
• All links in the bundle are member links.
• All links are on the same SPA.
Creating a Multilink Bundle
To create a multilink bundle, use the following commands:
Command
        Purpose
Router# configure terminal
        Enters global configuration mode.
Router(config)# interface mfr number
        Configures a MLFR bundle interface.
        • number—The number for the MLFR bundle.
Router(config-if)# frame-relay multilink bid name
        (Optional) Assigns a bundle identification name to a multilink Frame Relay bundle.
        • name—The name for the MLFR bundle.
        Note The bundle identification (BID) will not go into effect until the interface has
        gone from the down state to the up state. One way to bring the interface down and back
        up again is by using the shut and no shut commands in interface configuration mode.
Assigning an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, use the following commands:
Command
        Purpose
Router# configure terminal
        Enters global configuration mode.
Router(config)# interface serial slot/subslot/port:channel-group
        Selects the interface to assign.
        • slot/subslot/port:channel-group—Specifies the location of the interface. See the
          “Specifying the Interface Address on a SPA” section on page 22-2.
Router(config-if)# encapsulation frame-relay mfr number [name]
        Creates a MLFR bundle link and associates the link with a bundle.
        • number—The number for the MLFR bundle.
        • name—(Optional) The name for the MLFR bundle.
Router(config-if)# frame-relay multilink lid name
        (Optional) Assigns a bundle link identification name with a multilink Frame Relay
        bundle link.
        • name—The name for the Frame Relay bundle.
        Note The bundle link identification (LID) will not go into effect until the interface
        has gone from the down state to the up state. One way to bring the interface down and
        back up again is by using the shut and no shut commands in interface configuration
        mode.
Router(config-if)# frame-relay multilink hello seconds
        (Optional) Configures the interval at which a bundle link will send out hello messages.
        The default value is 10 seconds.
        • seconds—Number of seconds between hello messages sent out over the multilink bundle.
Router(config-if)# frame-relay multilink ack seconds
        (Optional) Configures the number of seconds that a bundle link will wait for a hello
        message acknowledgment before resending the hello message. The default value is
        4 seconds.
        • seconds—Number of seconds a bundle link will wait for a hello message acknowledgment
          before resending the hello message.
Router(config-if)# frame-relay multilink retry number
        (Optional) Configures the maximum number of times a bundle link will resend a hello
        message while waiting for an acknowledgment. The default value is 2 tries.
        • number—Maximum number of times a bundle link will resend a hello message while
          waiting for an acknowledgment.
Verifying Multilink Frame Relay
Use the show frame-relay multilink detailed command to verify the Frame Relay multilinks:
Router# show frame-relay multilink detailed
Bundle: MFR49, State = down, class = A, fragmentation disabled
BID = MFR49
No. of bundle links = 1, Peer's bundle-id =
Bundle links:
Serial6/0/0, HW state = up, link state = Add_sent, LID = test
Cause code = none, Ack timer = 4, Hello timer = 10,
Max retry count = 2, Current count = 0,
Peer LID = , RTT = 0 ms
Statistics:
Add_link sent = 21, Add_link rcv'd = 0,
Add_link ack sent = 0, Add_link ack rcv'd = 0,
Add_link rej sent = 0, Add_link rej rcv'd = 0,
Remove_link sent = 0, Remove_link rcv'd = 0,
Remove_link_ack sent = 0, Remove_link_ack rcv'd = 0,
Hello sent = 0, Hello rcv'd = 0,
Hello_ack sent = 0, Hello_ack rcv'd = 0,
outgoing pak dropped = 0, incoming pak dropped = 0
Configuring Multipoint Bridging
Multipoint bridging (MPB) enables the connection of multiple ATM permanent virtual circuits (PVCs),
Frame Relay PVCs, Bridge Control Protocol (BCP) ports, and WAN Gigabit Ethernet subinterfaces into
a single broadcast domain (virtual LAN), together with the LAN ports on that VLAN. This enables
service providers to add support for Ethernet-based Layer 2 services to the proven technology of their
existing ATM and Frame Relay legacy networks. Customers can then use their current VLAN-based
networks over the ATM or Frame Relay cloud. This also allows service providers to gradually update
their core networks to the latest Gigabit Ethernet optical technologies, while still supporting their
existing customer base.
For MPB configuration guidelines and restrictions and feature compatibility tables, see the “Configuring
Multipoint Bridging” section on page 4-36 of Chapter 4, “Configuring the SIPs and SSC.”
Configuring Bridging Control Protocol Support
The Bridging Control Protocol (BCP) enables forwarding of Ethernet frames over SONET networks and
provides a high-speed extension of enterprise LAN backbone traffic through a metropolitan area. The
implementation of BCP on the SPAs includes support for IEEE 802.1D, IEEE 802.1Q Virtual LAN
(VLAN), and high-speed switched LANs.
For BCP configuration guidelines and restrictions and feature compatibility tables, see the “BCP Feature
Compatibility” section on page 4-56 of Chapter 4, “Configuring the SIPs and SSC.”
Configuring BCP on MLPPP
BCP on MLPPP Configuration Guidelines
• Only Distributed MLPPP is supported.
• Only channelized interfaces are allowed, and member links must be from the same controller card.
• Only trunk port BCP is supported on MLPPP.
• Bridging can be configured only on the bundle interface.
Note BCP on MLPPP operates only in trunk mode.
Configuring BCP on MLPPP Trunk Mode
To configure BCP on MLPPP trunk mode, perform these steps:
Command
        Purpose
Step 1  Router(config)# interface multilink
        Selects the multilink interface.
Step 2  Router(config-if)# switchport
        Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration.
Step 3  Router(config-if)# switchport trunk allowed vlan 100
        By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid
        values for vlan-list are from 1 to 4094.
Step 4  Router(config-if)# switchport mode trunk
        Configures the router port connected to the switch as a VLAN trunk port.
Step 5  Router(config-if)# switchport nonegotiate
        Puts the LAN port into permanent trunking mode but prevents the port from generating
        DTP frames.
Step 6  Router(config-if)# no ip address
        Unassigns the IP address.
Step 7  Router(config-if)# switchport trunk allowed vlan vlan-list
        By default, no VLANs are allowed. Use this command to explicitly allow VLANs; valid
        values for vlan-list are from 1 to 4094.
Step 8  Router(config-if)# ppp multilink
        Enables this interface to support MLP.
Step 9  Router(config-if)# multilink-group group-number
        Assigns this interface to the multilink group.
Step 10 Router(config-if)# shutdown
        Shuts down an interface.
Step 11 Router(config-if)# no shutdown
        Reopens an interface.
Step 12 Router(config-if)# interface serial slot/subslot/port
        Designates a serial interface as a multilink bundle.
Step 13 Router(config-if)# no ip address
        Unassigns the IP address.
Step 14 Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 15 Router(config-if)# ppp multilink
        Enables this interface to support MLP.
Step 16 Router(config-if)# multilink-group 1
        Assigns this interface to the multilink group 1.
Step 17 Router(config-if)# interface Serial slot/subslot/port
        Designates a serial interface as a multilink bundle.
Step 18 Router(config-if)# no ip address
        Unassigns the IP address.
Step 19 Router(config-if)# encapsulation ppp
        Enables PPP encapsulation.
Step 20 Router(config-if)# ppp multilink
        Enables this interface to support MLP.
Step 21 Router(config-if)# multilink-group group-number
        Assigns this interface to a multilink group.
Verifying BCP on MLPPP Trunk Mode
To display information about Multilink PPP, use the show ppp multilink command in EXEC mode.
Command
        Purpose
Router(config-if)# show ppp multilink
        Displays information on a multilink group.
The following is an example of show ppp multilink command output:
Router# show ppp multilink
Multilink1, bundle name is group 1
Bundle is Distributed
0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent
0 discarded, 0 lost received, 1/255 load
Member links: 4 active, 0 inactive (max no set, min not set)
Serial1/0/1
Serial1/0/2
Serial1/0/3
Serial1/0/4
FRF.12 Guidelines
For FRF.12, note the following:
• The fragmentation is configured at the main interface.
• Any fragmentation size is available.
For information on configuring FRF.12 on the Cisco SIP-200, see:
• http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/76sipspa/sipspasw/76sipssc/76cfgsip.htm#wp1135593
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fvvfax_c/vvfvofr.htm.
LFI Guidelines
LFI can function in two ways—using FRF.12 or MLPPP.
FRF.12 LFI Guidelines
For LFI using FRF.12, note the following:
• The fragmentation is configured at the main interface.
• Any fragmentation size is available.
Saving the Configuration
To save your running configuration to nonvolatile random-access memory (NVRAM), use the following
command in privileged EXEC configuration mode:
Command
        Purpose
Router# copy running-config startup-config
        Writes the new configuration to NVRAM.
For more information about managing configuration files, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration Fundamentals
Command Reference, Release 12.2 publications.
Verifying the Interface Configuration
Besides using the show running-configuration command to display your Cisco 7600 series router
configuration settings, you can use the show interfaces serial and the show controllers serial
commands to get detailed information on a per-port basis for your 2-Port and 4-Port Channelized T3
SPA.
Verifying Per-Port Interface Status
To find detailed interface information on a per-port basis for the 2-Port and 4-Port Channelized T3 SPA,
use the show interfaces serial command to display port-specific information.
The following example provides sample output for the serial interface:
Router# show interface serial4/0/0
Serial4/0/0 is down, line protocol is down
Hardware is SPA-4T
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
Reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Restart-Delay is 0 secs
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
RTS down, CTS down, DTR down, DCD down, DSR down
To find detailed status and statistical information on a per-port basis for the 4-Port Serial Interface SPA,
use the show controller serial command.
The following example provides sample controller statistics:
Router# show controller serial 2/0/0
Serial2/0/0 - (SPA-4XT-SERIAL) is down
Encapsulation : HDLC
Cable type: RS-232 DTE
mtu 1500, max_buffer_size 1524, max_pak_size 1656 enc 132
loopback: Off, crc: 16, invert_data: Off
nrzi: Off, idle char: Flag
tx_invert_clk: Off, ignore_dcd: Off
rx_clockrate: 0, rx_clock_threshold: 0
serial_restartdelay:60000, serial_restartdelay_def:60000
RTS up, CTS down, DTR up, DCD down, DSR down
Router#
Configuration Examples
This section includes the following configuration examples:
• Inverting the Clock Signal Configuration Example
• NRZI Format Configuration Example
• Cyclic Redundancy Checks Configuration Example
• Encapsulation Configuration Example
• Distributed Multilink PPP Configuration Example
• MLFR Configuration Example
• Bridging Control Protocol Support Configuration Example
• BCP on MLPPP Configuration Example
Inverting the Clock Signal Configuration Example
Router(config-if)# interface serial3/0/0
Router(config-if)# invert txclock ?
Router(config-if)# invert txclock
Router(config-if)# invert ?
data Invert data stream
txclock Invert transmit clock
Router(config-if)# invert data
NRZI Format Configuration Example
Router(config-if)# nrzi-encoding ?
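The NRZ and NRZI formats described under "Configuring NRZI Format", as an added example that is not part of the Cisco guide. It models the two voltage levels as 0 and 1 with a constructed bit pattern, and shows that swapping the two levels complements NRZ data but leaves NRZI data unchanged, because NRZI is decoded from transitions rather than absolute values.

```python
"""NRZ and NRZI line coding (added example, not Cisco code).

The two voltage levels are modelled as 0 and 1; the bit pattern is constructed.
"""


def nrz_encode(bits):
    """NRZ: the line level during a bit interval is the bit value itself."""
    return list(bits)


def nrz_decode(levels):
    """NRZ is decoded from absolute values."""
    return list(levels)


def nrzi_encode(bits, idle_level=1):
    """NRZI: a space (0) is a transition at the start of the bit interval,
    a mark (1) is no transition. The first element of the returned list is
    the idle level that precedes the data and serves as the reference."""
    level = idle_level
    levels = [level]
    for bit in bits:
        if bit == 0:
            level ^= 1
        levels.append(level)
    return levels


def nrzi_decode(levels):
    """NRZI is decoded relationally: compare each level with the previous one."""
    return [1 if cur == prev else 0 for prev, cur in zip(levels, levels[1:])]


def invert(levels):
    """Swap the two voltage levels, as an inverted data signal would."""
    return [level ^ 1 for level in levels]


def transitions(levels):
    """Number of level changes on the line."""
    return sum(1 for prev, cur in zip(levels, levels[1:]) if prev != cur)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    nrz = nrz_encode(data)
    nrzi = nrzi_encode(data)
    print("data          ", data)
    print("NRZ levels    ", nrz, "transitions:", transitions(nrz))
    print("NRZI levels   ", nrzi, "transitions:", transitions(nrzi))
    print("NRZ inverted  ", nrz_decode(invert(nrz)))
    print("NRZI inverted ", nrzi_decode(invert(nrzi)))
```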
Cyclic Redundancy Checks Configuration Example
Router(config-if)# crc ?
16 crc word-size
32 crc word-size
Router(config-if)# crc 32
Encapsulation Configuration Example
Router(config-if)# interface 1
Router(config-if)# encapsulation ppp
Distributed Multilink PPP Configuration Example
Router(config)# interface multilink1
Router(config-if)# ip addr 10.0.0.1 255.255.255.0
Router(config)# interface serial3/2/0
Router(config-if)# encapsulation ppp
Router(config-if)# ppp chap hostname X1
Router(config-if)# ppp multilink gr 1
Router(config-if)#
MLFR Configuration Example
Router(config)# interface MFR1
Router(config-if)# frame-relay intf dce
Router(config-if)# frame-relay bid B1
Router(config-if)# interface MFR1.1 point-to-point
Router(config-if)# frame-relay interface-dlci 16
Router(config-if)# ip addr 10.0.0.1 255.255.255.0
Router(config-if)# interface serial3/2/0
Router(config-if)# encapsulation frame-relay MFR1
Router(config-if)# frame-relay multilink lid X1
Router(config-if)#
Bridging Control Protocol Support Configuration Example
Router(config-if)# Interface Serial3/2/0
Router(config-if)# switchport
%Serial3/2/0 - Bridge Domain configuration precludes IP routing on this interface.
%Bridging is enabled. The MTU should be at least 1524.
%Please shut/no shut Serial3/2/0 to bring up BCP
Router(config-if)# shut
Router(config-if)# no shut
Router(config-if)# switchport mode trunk ?
Router(config-if)# switchport mode trunk
Router(config-if)# sw
Router(config-if)# switchport trunk allowed vlan 100
BCP on MLPPP Configuration Example
Router(config)# interface multilink1
Router(config-if)# switchport
%Multilink1 - Bridge Domain configuration precludes IP routing on this interface.
%Bridging is enabled. The MTU should be at least 1524.
%Please shut/no shut Multilink1 to bring up BCP
Router(config-if)# shut
Router(config-if)# no shut
Router(config-if)# switchport mode trunk ?
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 100
CHAPTER 23
Troubleshooting the Serial SPAs
This chapter describes techniques that you can use to troubleshoot the operation of your serial SPAs.
It includes the following sections:
• General Troubleshooting Information
• Performing Basic Interface Troubleshooting
• Using Bit Error Rate Tests
• Using loopback Commands
• Using the Cisco IOS Event Tracer to Troubleshoot Problems
• Preparing for Online Insertion and Removal of a SPA
The first section provides information about basic interface troubleshooting. If you are having a problem
with your SPA, use the steps in the “General Troubleshooting Information” section on page 23-1
to begin your investigation of a possible interface configuration problem.
To perform more advanced troubleshooting, see the other sections in this chapter.
For more information about troubleshooting serial lines, see the Internetwork Troubleshooting
Handbook at http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/index.htm.
General Troubleshooting Information
This section describes general information for troubleshooting SIPs and SPAs. It includes the following
sections:
• Interpreting Console Error Messages
• Using debug Commands
• Using show Commands
Interpreting Console Error Messages
To view the explanations and recommended actions for Cisco 7600 series router error messages,
including messages related to Cisco 7600 series router SIPs and SPAs, refer to the following documents:
• Cisco 7600 Series Cisco IOS System Message Guide, 12.2SR
• System Error Messages for Cisco IOS Release 12.2S (for error messages in Release 12.2S)
System error messages are organized in the documentation according to the particular system facility
that produces the messages. The SIP and SPA error messages use the following facility names:
• Cisco 7600 SIP-200—C7600_SIP200
• 2-Port and 4-Port Channelized T3 SPA—SPA_CHOC_DSX
Using debug Commands
Along with the other debug commands supported on the Cisco 7600 series router, you can obtain
specific debug information for SPAs on the Cisco 7600 series router using the debug hw-module
subslot privileged EXEC command.
The debug hw-module subslot command is intended for use by Cisco Systems technical support
personnel. For more information about the debug hw-module subslot command, refer to the Cisco IOS
Software Releases 12.2SR Command References and to the Cisco IOS Software Releases 12.2SX
Command References.
Caution Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands
during periods of lower network traffic and fewer users. Debugging during these periods decreases the
likelihood that increased debug command processing overhead will affect system use.
For information about other debug commands supported on the Cisco 7600 series router, refer to the
Cisco IOS Debug Command Reference, Release 12.2 and any related feature documents for Cisco IOS
Release 12.2 SX.
Using show Commands
There are several show commands that you can use to monitor and troubleshoot the SIPs and SPAs on
the Cisco 7600 series router. This chapter describes using the show interfaces and show controllers
commands to perform troubleshooting of your SPA.
For more information about show commands to verify and monitor SIPs and SPAs, see the following
chapters of this guide:
• Chapter 18, “Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs”
• Chapter 17, “Configuring the 8-Port Channelized T1/E1 SPA”
• Chapter 19, “Configuring the 2-Port and 4-Port Channelized T3 SPAs”
Performing Basic Interface Troubleshooting
You can perform most of the basic interface troubleshooting using the show interfaces serial command
and examining several areas of the output to determine how the interface is operating.
The output of the show interfaces serial EXEC command displays information specific to serial
interfaces.
Note The output of the show interfaces serial command will vary depending on the type of serial
SPA.
This section describes how to use the show interfaces serial command to diagnose serial line
connectivity problems in a wide-area network (WAN) environment. The following sections describe
some of the important fields of the command output:
• Serial Lines: show interfaces serial Status Line Conditions, page 23-3
• Serial Lines: Increasing Output Drops on Serial Link, page 23-7
• Serial Lines: Increasing Input Drops on Serial Link, page 23-8
• Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic, page 23-9
• Serial Lines: Troubleshooting Serial Line Input Errors, page 23-9
• Serial Lines: Increasing Interface Resets on Serial Link, page 23-12
• Serial Lines: Increasing Carrier Transitions Count on Serial Link, page 23-13
Serial Lines: show interfaces serial Status Line Conditions
You can identify five possible problem states in the interface status line of the show interfaces serial
display:
• Serial x is down, line protocol is down
• Serial x is up, line protocol is down
• Serial x is up, line protocol is up (looped)
• Serial x is up, line protocol is down (disabled)
• Serial x is administratively down, line protocol is down
The following example shows the interface statistics on the first port of a T3/E3 SPA installed in
subslot 0 of the SIP located in chassis slot 5.
Router# show interfaces serial
Serial5/0/0 is up, line protocol is up
Hardware is SPA-4T3E3
Internet address is 110.1.1.2/24
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 234/255, rxload 234/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:05, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 40685000 bits/sec, 115624 packets/sec
5 minute output rate 40685000 bits/sec, 115627 packets/sec
4653081241 packets input, 204735493724 bytes, 0 no buffer
Received 4044 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4652915555 packets output, 204728203520 bytes, 0 underruns
0 output errors, 0 applique, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
2 carrier transitions
Table 23-1 shows the interface status conditions, possible problems associated with the conditions, and
solutions to those problems.
Table 23-1 Serial Lines: show interfaces serial Status Line Conditions
Status Line
Condition Possible Problem Solution
Serial x is up, line
protocol is up
— This is the proper status line condition. No action is
required.
Serial x is down,
line protocol is
down
The router is not sensing a
carrier detect (CD) signal
(that is, the CD is not active).
The line is down or is not
connected on the far end.
Cabling is faulty or incorrect.
Hardware failure has
occurred in the channel
service unit/data service unit
(CSU/DSU).
1. Check the CD LEDs to see whether the CD is
active, or insert a breakout box on the line to
check for the CD signal.
2. Verify that you are using the proper cable (see
your hardware installation documentation).
3. Insert a breakout box and check all control
leads.
4. Contact your leased-line or other carrier service
to see whether there is a problem.
5. Swap faulty parts.
6. If you suspect faulty router hardware, change
the serial line to another port. If the connection
comes up, the previously connected interface
has a problem.
Serial x is up, line
protocol is down
A local or remote router is
misconfigured.
Keepalives are not being sent
by the remote router.
A leased-line or other carrier
service problem has occurred
(noisy line or misconfigured
or failed switch).
A timing problem has
occurred on the cable.
A local or remote CSU/DSU
has failed.
Router hardware (local or
remote) has failed.
1. Put the line in local loopback mode and use the
show interfaces serial command to determine
whether the line protocol comes up.
Note If the line protocol comes up, a failed
remote device is the likely problem.
This solution will only work with
High-Level Data Link Control (HDLC)
encapsulation. For Frame Relay (FR) and
Point-to-Point Protocol (PPP)
encapsulation a looped interface will always
have the line protocol down. In addition,
you may need to change the encapsulation
to HDLC to debug this issue.
2. If the problem appears to be on the remote end,
repeat Step 1 on the remote interface.
3. Verify all cabling. Make certain that the cable is
attached to the correct interface, the correct
CSU/DSU, and the correct remote termination
point.
4. Enable the debug serial interface EXEC
command.
Note First enable per-interface debugging using
the command "debug interface serial x",
and depending on the encapsulation, enable
the corresponding debug.
• For HDLC: debug serial interface
• For PPP: debug ppp negotiation
• For FR: debug frame-relay lmi
Caution Because debugging output is assigned
high priority in the CPU process, it can
render the system unusable. For this
reason, use debug commands only to
troubleshoot specific problems or during
troubleshooting sessions with Cisco
technical support staff. Moreover, it is
best to use debug commands during
periods of lower network traffic and
fewer users. Debugging during these
periods decreases the likelihood that
increased debug command processing
overhead will affect system use.
5. If the line protocol does not come up in local
loopback mode, and if the output of the debug
serial interface EXEC command shows that
the keepalive counter is not incrementing, a
router hardware problem is likely. Swap router
interface hardware.
6. If the line protocol comes up and the keepalive
counter increments, the problem is not in the
local router.
7. If you suspect faulty router hardware, change
the serial line to an unused port. If the
connection comes up, the previously connected
interface has a problem.
Serial x is up, line
protocol is up
(looped)
A loop exists in the circuit.
The sequence number in the
keepalive packet changes to a
random number when a loop
is initially detected. If the
same random number is
returned over the link, a loop
exists.
1. Use the show running-config privileged
EXEC command to look for any loopback
interface configuration command entries.
2. If you find a loopback interface configuration
command entry, use the no loopback interface
configuration command to remove the loop.
3. If you do not find the loopback interface
configuration command, examine the
CSU/DSU to determine whether they are
configured in manual loopback mode. If they
are, disable manual loopback.
4. Reset the CSU or DSU, and inspect the line
status. If the line protocol comes up, no other
action is needed.
5. If the CSU or DSU is not configured in manual
loopback mode, contact the leased-line or other
carrier service for line troubleshooting
assistance.
Serial x is up, line protocol is down (disabled)
A high error rate has occurred due to a remote device problem.
A CSU or DSU hardware problem has occurred.
Router hardware (interface) is bad.
1. Troubleshoot the line with a serial analyzer and breakout box.
Examine the output of
show controller T1 or
show controller T3 or
show controller serial x depending on whether the SPA is a T1/E1, CT3, or T3/E3.
2. Loop CSU/DSU (DTE loop). If the problem continues, it is likely that there is a hardware
problem. If the problem does not continue, it is likely that there is a telephone company
problem.
3. Swap out bad hardware, as required (CSU, DSU, switch, local or remote router).
Serial x is administratively down, line protocol is down
The router configuration includes the shutdown interface configuration command.
A duplicate IP address exists.
1. Check the router configuration for the shutdown command.
2. Use the no shutdown interface configuration command to remove the shutdown command.
3. Verify that there are no identical IP addresses using the show running-config privileged
EXEC command or the show interfaces EXEC command.
4. If there are duplicate addresses, resolve the conflict by changing one of the IP addresses.
Serial Lines: Increasing Output Drops on Serial Link
Output drops appear in the output of the show interfaces serial command when the system is attempting
to hand off a packet to a transmit buffer but no buffers are available.
Symptom: Increasing output drops on serial link
Table 23-2 outlines the possible problem that might cause this symptom and describes solutions to that
problem.
Table 23-2 Serial Lines: Increasing Output Drops on Serial Link
Possible Problem Solution
Input rate to serial interface exceeds bandwidth available on serial link
1. Minimize periodic broadcast traffic, such as routing and Service Advertising Protocol (SAP)
updates, by using access lists or by other means. For example, to increase the delay between SAP
updates, use the ipx sap-interval interface configuration command.
2. Increase the output hold queue size in small increments (for instance, 25 percent), using the
hold-queue out interface configuration command.
3. Implement priority queuing on slower serial links by configuring priority lists. For information
on configuring priority lists, see the Cisco IOS configuration guides and command references.
Note Output drops are acceptable under certain conditions. For instance, if a link is known to be
overused (with no way to remedy the situation), it is often considered preferable to drop packets
than to hold them. This is true for protocols that support flow control and can retransmit data
(such as TCP/IP and Novell Internetwork Packet Exchange [IPX]). However, some protocols, such as
DECnet and local-area transport, are sensitive to dropped packets and accommodate retransmission
poorly, if at all.
Serial Lines: Increasing Input Drops on Serial Link
Input drops appear in the output of the show interfaces serial EXEC command when too many packets
from that interface are still being processed in the system.
Symptom: Increasing number of input drops on serial link
Table 23-3 outlines the possible problem that might cause this symptom and describes solutions to that
problem.
Table 23-3 Serial Lines: Increasing Input Drops on Serial Link
Possible Problem Solution
Input rate exceeds
the capacity of the
router, or input
queues exceed the
size of output
queues
Note Input drop problems are typically seen when traffic is being routed
between faster interfaces (such as Ethernet, Token Ring, and Fiber
Distributed Data Interface [FDDI]) and serial interfaces. When traffic is
light, there is no problem. As traffic rates increase, backups start
occurring. Routers drop packets during these congested periods.
1. Increase the output queue size on common destination interfaces for the
interface that is dropping packets. Use the hold-queue number out interface
configuration command. Increase these queues by small increments (for
instance, 25 percent) until you no longer see drops in the show interfaces
command output. The default output hold queue limit is 40 packets.
2. Reduce the input queue size, using the hold-queue number in interface
configuration command, to force input drops to become output drops. Output
drops have less impact on the performance of the router than do input drops.
The default input hold queue is 75 packets.
Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface
Traffic
If input errors appear in the show interfaces serial command output, there are several possible sources
of those errors. The most likely sources, along with possible solutions, are summarized in Table 23-4.
Note Any input error value for cyclic redundancy check (CRC) errors, framing errors, or aborts
above 1 percent of the total interface traffic suggests some kind of link problem that should
be isolated and repaired.
Symptom: Increasing number of input errors in excess of 1 percent of total interface traffic.
Table 23-4 Serial Lines: Increasing Input Errors in Excess of 1 Percent of Total Interface Traffic
Possible Problem Solution
The following problems can result in this symptom:
• Faulty telephone company equipment
• Noisy serial line
• Incorrect clocking configuration
• Incorrect cable or cable that is too long
• Bad cable or connection
• Bad CSU or DSU
• Bad router hardware
• Data converter or other device being used between router and DSU
Note Cisco strongly recommends against the use of data converters
when you are connecting a router to a WAN or a serial network.
1. Use a serial analyzer to isolate the source of the input errors. If you
detect errors, there likely is a hardware problem or a clock mismatch
in a device that is external to the router.
2. Use the loopback and ping tests to isolate the specific problem source.
3. Look for patterns. For example, if errors occur at a consistent interval,
they could be related to a periodic function, such as the sending of
routing updates.
Serial Lines: Troubleshooting Serial Line Input Errors
Table 23-5 describes the various types of input errors displayed by the show interfaces serial command,
possible problems that might be causing the errors, and solutions to those problems.
Table 23-5 Serial Lines: Troubleshooting Serial Line Input Errors
Input Error Type
(Field Name) Possible Problem Solution
CRC errors
(CRC)
CRC errors occur when the CRC
calculation does not pass
(indicating that data is
corrupted) for one of the
following reasons:
• The serial line is noisy.
• The serial cable is too long,
or the cable from the
CSU/DSU to the router is
not shielded.
• Serial clock transmit
external (SCTE) mode is not
enabled on DSU.
• The CSU line clock is
incorrectly configured.
• A ones density problem has
occurred on the T1 link
(incorrect framing or coding
specification).
1. Ensure that the line is clean enough for
transmission requirements. Shield the
cable, if necessary.
2. Make sure that the cable is within the
recommended length (no more than 50 feet
[15.24 meters], or 25 feet [7.62 meters] for
a T1 link).
3. Ensure that all devices are properly
configured for a common line clock. Set
SCTE on the local and remote DSU. If your
CSU/DSU does not support SCTE, see the
section “Inverting the Transmit Clock,”
later in this chapter.
4. Make certain that the local and remote
CSU/DSU are configured for the same
framing and coding scheme as that used by
the leased-line or other carrier service (for
example, Extended Superframe
Format/binary eight-zero substitution
[ESF/B8ZS]).
5. Contact your leased-line or other carrier
service, and have it perform integrity tests
on the line.
Framing errors
(frame)
A framing error occurs when a
packet does not end on an 8-bit
byte boundary for one of the
following reasons:
• The serial line is noisy.
• The cable is improperly
designed, the serial cable is
too long, or the cable from
the CSU or DSU to the
router is not shielded.
• SCTE mode is not enabled
on the DSU, the CSU line
clock is incorrectly
configured, or one of the
clocks is configured for
local clocking.
• A ones density problem has
occurred on the T1 link
(incorrect framing or coding
specification).
1. Ensure that the line is clean enough for
transmission requirements. Shield the
cable, if necessary. Make certain that you
are using the correct cable.
2. Make sure that the cable is within the
recommended length (no more than 50 feet
[15.24 meters], or 25 feet [7.62 meters] for
a T1 link).
3. Ensure that all devices are properly
configured to use a common line clock. Set
SCTE on the local and remote DSU.
4. Make certain that the local and remote
CSU/DSU are configured for the same
framing and coding scheme as that used by
the leased-line or other carrier service (for
example, ESF/B8ZS).
5. Contact your leased-line or other carrier
service, and have it perform integrity tests
on the line.
Aborted transmission (abort)
Aborts indicate an illegal sequence of 1 bits (more than seven in a row).
The following are possible reasons for this to occur:
• SCTE mode is not enabled on DSU.
• The CSU line clock is incorrectly configured.
• The serial cable is too long, or the cable from the CSU or DSU to the router is not shielded.
• A ones density problem has occurred on the T1 link (incorrect framing or coding specification).
• A packet was terminated in the middle of transmission (typical cause is an interface reset or a
framing error or a buffer overrun).
• A hardware problem has occurred (bad circuit, bad CSU/DSU, or bad sending interface on remote
router).
1. Ensure that all devices are properly configured to use a common line clock. Set SCTE on the local
and remote DSU.
2. Shield the cable, if necessary. Make certain that the cable is within the recommended length (no
more than 50 feet [15.24 meters], or 25 feet [7.62 meters] for a T1 link). Ensure that all
connections are good.
3. Check the hardware at both ends of the link. Swap faulty equipment, as necessary.
4. Lower data rates and determine whether aborts decrease.
5. Use local and remote loopback tests to determine where aborts are occurring.
6. Contact your leased-line or other carrier service, and have it perform integrity tests on the line.
Serial Lines: Increasing Interface Resets on Serial Link
Interface resets that appear in the output of the show interfaces serial EXEC command are the result of
missed keepalive packets.
Symptom: Increasing interface resets on serial link
Table 23-6 outlines the possible problems that might cause this symptom and describes solutions to those
problems.
Table 23-6 Serial Lines: Increasing Interface Resets on Serial Link
Possible Problem Solution
The following problems can result in this symptom:
• Congestion on link (typically associated with output drops)
• Bad line causing CD transitions
• Possible hardware problem at the CSU, DSU, or switch
When interface resets are occurring, examine other fields of the show
interfaces serial command output to determine the source of the problem.
Assuming that an increase in interface resets is being recorded, examine the
following fields:
1. If there is a high number of output drops in the show interfaces serial
output, see the “Serial Lines: Increasing Output Drops on Serial Link”
section on page 23-7.
2. Check the Carrier Transitions field in the show interfaces serial
command display. If carrier transitions are high while interface resets
are being registered, the problem is likely to be a bad link or a bad CSU
or DSU. Contact your leased-line or carrier service, and swap faulty
equipment, as necessary.
3. Examine the Input Errors field in the show interfaces serial command
display. If input errors are high while interface resets are increasing, the
problem is probably a bad link or a bad CSU/DSU. Contact your
leased-line or other carrier service, and swap faulty equipment, as
necessary.
Serial Lines: Increasing Carrier Transitions Count on Serial Link
Carrier transitions appear in the output of the show interfaces serial EXEC command whenever there
is an interruption in the carrier signal (such as an interface reset at the remote end of a link).
Symptom: Increasing carrier transitions count on serial link
Table 23-7 outlines the possible problems that might cause this symptom and describes solutions to those
problems.
Table 23-7 Serial Lines: Increasing Carrier Transitions Count on Serial Link
Possible Problem Solution
The following problems can result
in this symptom:
• Line interruptions due to an
external source (such as
physical separation of cabling,
red or yellow T1 alarms, or
lightning striking somewhere
along the network)
• Faulty switch, DSU, or router
hardware
1. Check hardware at both ends of the link (attach a breakout
box or a serial analyzer, and test to determine the source of
problems).
2. If an analyzer or breakout box is incapable of identifying any
external problems, check the router hardware.
3. Swap faulty equipment, as necessary.
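The status-line conditions in Table 23-1 and the "increasing counter" symptoms described under "Performing Basic Interface Troubleshooting" can be checked mechanically by comparing two captures of show interfaces serial taken some time apart. The following Python is an added example, not part of the Cisco guide; the function names and the two sample captures are constructed for illustration, and it assumes the 1 percent rule is measured against the packets input counter.

```python
import re

# Status-line conditions, summarised from Table 23-1.
# Key: (interface state, line protocol state, qualifier in parentheses).
STATUS_CONDITIONS = {
    ("up", "up", None): "normal, no action required",
    ("down", "down", None): "no carrier detect: check CD, cabling, carrier, CSU/DSU",
    ("up", "down", None): "keepalive, configuration, carrier, timing or hardware problem",
    ("up", "up", "looped"): "loop in the circuit: check loopback config and CSU/DSU",
    ("up", "down", "disabled"): "high error rate: check remote device, CSU/DSU, interface",
    ("administratively down", "down", None): "shutdown configured or duplicate IP address",
}

STATUS_RE = re.compile(
    r"^(Serial\S+) is (administratively down|up|down), "
    r"line protocol is (up|down)(?: \((looped|disabled)\))?",
    re.MULTILINE,
)

# One capture group per counter, matching the field layout shown in this chapter.
COUNTER_PATTERNS = {
    "input_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "output_drops": r"Total output drops: (\d+)",
    "packets_input": r"(\d+) packets input",
    "crc": r"(\d+) CRC\b",
    "frame": r"(\d+) frame\b",
    "abort": r"(\d+) abort\b",
    "interface_resets": r"(\d+) interface resets",
    "carrier_transitions": r"(\d+) carrier transitions",
}

# Constructed sample captures (abbreviated), taken some minutes apart.
BEFORE = """\
Serial5/0/0 is up, line protocol is up
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
100000 packets input, 4400000 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 applique, 4 interface resets
2 carrier transitions
"""
AFTER = """\
Serial5/0/0 is up, line protocol is down (disabled)
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 350
150000 packets input, 6600000 bytes, 0 no buffer
900 input errors, 800 CRC, 100 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 applique, 9 interface resets
2 carrier transitions
"""


def parse_snapshot(text):
    """Return (interface, status_key, counters) for one command output."""
    match = STATUS_RE.search(text)
    if match is None:
        raise ValueError("no Serial status line found")
    interface, link, proto, qualifier = match.groups()
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        hit = re.search(pattern, text)
        counters[name] = int(hit.group(1)) if hit else 0
    return interface, (link, proto, qualifier), counters


def delta(before, after, name):
    """Counter growth between captures. If the value went down, the counters
    were cleared in between, so count from zero."""
    growth = after[name] - before[name]
    return growth if growth >= 0 else after[name]


def triage(before_text, after_text):
    """Name the Table 23-1 condition and the symptoms seen between captures."""
    _, _, before = parse_snapshot(before_text)
    interface, status, after = parse_snapshot(after_text)
    symptoms = []
    for name in ("output_drops", "input_drops",
                 "interface_resets", "carrier_transitions"):
        if delta(before, after, name) > 0:
            symptoms.append(name + "_increasing")
    # Assumption: "total interface traffic" is taken as packets input.
    packets = delta(before, after, "packets_input")
    for name in ("crc", "frame", "abort"):
        if packets > 0 and delta(before, after, name) / packets > 0.01:
            symptoms.append(name + "_over_1_percent")
    return {
        "interface": interface,
        "condition": STATUS_CONDITIONS.get(status, "unrecognised status line"),
        "symptoms": symptoms,
    }


if __name__ == "__main__":
    print(triage(BEFORE, AFTER))
```

Each symptom name maps to one of the "Serial Lines" subsections above, which list the possible problems and solutions for it.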
Using Bit Error Rate Tests
BER test circuitry is built into most of the serial SPAs. With BER tests, you can test cables and signal
problems in the field. You can configure individual T1 lines to run BER tests, but only one BER test
circuit exists for all 28 T1 lines. Hence, only one BER test can be run on a single T3 port at any given
time.
There are two categories of test patterns that can be generated by the onboard BER test circuitry:
pseudorandom and repetitive. Pseudorandom test patterns are exponential numbers and conform to the
CCITT/ITU O.151 and O.153 specifications; repetitive test patterns are all zeros, all ones, or alternating
zeros and ones.
A description of the test patterns follows:
• Pseudorandom test patterns:
– 2^15 (per CCITT/ITU O.151)
– 2^20 (per CCITT/ITU O.153)
– 2^23 (per CCITT/ITU O.151)
– QRSS (quasi-random signal sequence) (per CCITT/ITU O.151)
• Repetitive test patterns:
– All zeros (0s)
– All ones (1s)
– Alternating zeros (0s) and ones (1s)
Additional patterns are available as of Cisco IOS Release 12.2(SRC) on the 1-Port Channelized
OC3/STM-1 and 2- and 4-Port Channelized T3 SPAs:
• 1-in-8—1-in-8 test pattern
• 3-in-24—3-in-24 test pattern
• 2^15-inverted—2^15-1 (inverted) O.151 test pattern
• 2^23-inverted—2^23-1 (inverted) O.151 test pattern
• 2^9—2^9-1 test pattern
• 2^11—2^11-1 test pattern
• 2^20-O153—2^20-1 O.153 test pattern
• 2^20-QRSS—2^20-1 QRSS O.151 test pattern
• 55Octet—55 Octet pattern
• 55Daly—55 Octet Daly pattern
• DS0-1, DS0-2, DS0-3, DS0-4—DS0 1, DS0 2, DS0 3, DS0 4 test patterns
Both the total number of error bits received and the total number of bits received are available for
analysis. You can set the testing period from 1 minute to 14,400 minutes (240 hours), and you can also
retrieve the error statistics anytime during the BER test.
When running a BER test, your system expects to receive the same pattern that it is transmitting. To help
ensure this:
• Use a loopback at a location of your choice in the link or network. To see how to configure a
loopback, go to the “Using loopback Commands” section on page 23-16.
• Configure remote testing equipment to transmit the same BER test pattern at the same time.
Configuring a BER Test
To send a BER test pattern on an interface, see the bert pattern command description in the Cisco IOS
Release 12.2SR command reference documents.
Viewing a BER Test
You can view the results of a BER test with the show controllers command.
You can view the results of a BER test at the following times:
• After you terminate the test using the no bert command.
• After the test runs completely.
• Anytime during the test (in real time).
Router# show controllers serial T3 1/0/0
T3 1/0/0 is up.
C2T3 H/W Version : 3, C2T3 ROM Version : 0.79, C2T3 F/W Version : 0.29.0
T3 1/0/0 T1 1
No alarms detected.
Clock Source is internal.
BERT test result (running)
Test Pattern : 2^15, Status : Sync, Sync Detected : 1
Interval : 5 minute(s), Time Remain : 5 minute(s)
Bit Errors(Since BERT Started): 6 bits,
Bits Received(Since BERT start): 8113 Kbits
Bit Errors(Since last sync): 6 bits
Bits Received(Since last sync): 8113 Kbits
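To turn the counters in output like the above into a bit error rate, the following added Python example (not part of the Cisco guide) parses the BERT fields and divides bit errors by bits received. It assumes that Kbits means 1000 bits; the function names and the second, interrupted sample are constructed for illustration.

```python
import re

# Assumption: unit prefixes are decimal (the guide only shows "Kbits").
UNIT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

# BERT section of the show controllers output, copied from the example above.
PAGE_SAMPLE = """\
BERT test result (running)
Test Pattern : 2^15, Status : Sync, Sync Detected : 1
Interval : 5 minute(s), Time Remain : 5 minute(s)
Bit Errors(Since BERT Started): 6 bits,
Bits Received(Since BERT start): 8113 Kbits
Bit Errors(Since last sync): 6 bits
Bits Received(Since last sync): 8113 Kbits
"""

# Constructed sample: a test stopped early that never reached pattern sync.
INTERRUPTED_SAMPLE = """\
BERT test result (done)
Test Pattern : 2^15, Status : Not Sync, Sync Detected : 0
Interval : 5 minute(s), Time Remain : 2 minute(s)
(unable to complete)
Bit Errors(Since BERT Started): 0 bits,
Bits Received(Since BERT start): 0 Kbits
Bit Errors(Since last sync): 0 bits
Bits Received(Since last sync): 0 Kbits
"""


def count_bits(label, text):
    """Return the value of one counter line in bits, or None if absent."""
    match = re.search(re.escape(label) + r":\s*(\d+)\s*([KMG]?)bits", text)
    if match is None:
        return None
    return int(match.group(1)) * UNIT[match.group(2)]


def ratio(errors, received):
    """Bit error rate, or None until at least one test bit has been received."""
    if errors is None or not received:
        return None
    return errors / received


def parse_bert(output):
    """Parse the BERT fields described in Table 23-8 and compute the BER."""
    state = re.search(r"BERT test result \((\w+)\)", output)
    head = re.search(
        r"Test Pattern : (\S+), Status : ([^,]+), Sync Detected : (\d+)", output)
    timing = re.search(
        r"Interval : (\d+) minute\(s\), Time Remain : (\d+) minute\(s\)", output)
    if not (state and head and timing):
        raise ValueError("BERT result block not found")
    return {
        "state": state.group(1),                 # "running" or "done"
        "pattern": head.group(1),
        "status": head.group(2).strip(),
        "sync_detected": int(head.group(3)),
        "interval_min": int(timing.group(1)),
        "remaining_min": int(timing.group(2)),
        # The router adds this marker when the test was terminated early.
        "interrupted": "(unable to complete)" in output.lower(),
        "ber_since_start": ratio(
            count_bits("Bit Errors(Since BERT Started)", output),
            count_bits("Bits Received(Since BERT start)", output)),
        "ber_since_sync": ratio(
            count_bits("Bit Errors(Since last sync)", output),
            count_bits("Bits Received(Since last sync)", output)),
    }


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, INTERRUPTED_SAMPLE):
        print(parse_bert(sample))
```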
Interpreting BER Test Results
Table 23-8 explains the output of the preceding command.
Table 23-8 Interpreting BER Test Results
Field Description
BERT test result (running) Indicates the current state of the test. In this case, “running”
indicates that the BER test is still in progress. After a test is
completed, “done” is displayed.
Test Pattern : 2^15, Status : Sync, Sync
Detected : 1
Indicates the test pattern you selected for the test (2^15), the
current synchronization state (sync), and the number of times
synchronization has been detected during this test (1).
Interval : 5 minute(s), Time Remain : 5 minute(s)
Indicates the time the test takes to run and the time remaining
for the test to run.
If you terminate a BER test, you receive a message similar to
the following:
Interval : 5 minute(s), Time Remain : 2 minute(s)
(unable to complete)
"Interval: 5 minutes" indicates the configured run time for the
test. "Time Remain : 2 minutes" indicates the time remaining
in the test prior to termination. "(Unable to complete)"
signifies that you interrupted the test.
Bit Errors(Since BERT Started): 6 bits
Bits Received(Since BERT start): 8113 Kbits
Bit Errors(Since last sync): 6 bits
Bits Received(Since last sync): 8113 Kbits
These four lines show the bit errors that have been detected
versus the total number of test bits that have been received
since the test started and since the last synchronization was
detected.
Using loopback Commands
Loopback support is useful for testing the interface without connectivity to the network, or for
diagnosing equipment malfunctions between the interface and a device. The 2-Port and 4-Port Clear
Channel T3/E3 SPA supports both an internal and an external loopback mode. The external loopback
mode requires the use of a loopback cable and implements a loopback through the transceiver on the
SPA.
You can also configure an internal loopback without the use of a loopback cable that implements a
loopback at the PHY device internally. By default, loopback is disabled.
To configure local loopback, use the following commands:
Command Purpose
Router# configure terminal
Enters global configuration mode.
T3/E3
Router(config)# interface serial slot/subslot/port
T1/E1
Router(config)# controller slot/subslot/port
Selects the interface to configure.
• slot/subslot/port—Specifies the location of the interface.
• slot/subslot/port—Specifies the location of the T1/E1 controller.
T3/E3
Router(config-if)# loopback {local | dte | network {line | payload} | remote}
T1/E1
Router(config-controller)# loopback {local [line | payload] | diag}
Specifies the loopback mode.
• local—Loop back after going through the framer toward the terminal.
• dte—Loop back after the LIU towards the terminal.
• network—Loop back towards the network.
• remote—Send FEAC to set remote in loopback.
• line—Loop back toward network before going through framer.
• payload—Loop back toward network after going through framer.
• diag—Loop back after going through the HDLC controller towards the terminal.
Verifying Loopback Mode
Router# show interfaces serial 6/0/0
Serial6/0/0 is up, line protocol is up (looped)
Hardware is SPA-4T3E3
MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
reliability 255/255, txload 225/255, rxload 221/255
Encapsulation FRAME-RELAY, crc 16, loopback set (local)
Keepalive set (10 sec)
LMI enq sent 13281, LMI stat recvd 13280, LMI upd recvd 0, DTE LMI up
LMI enq recvd 1, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 00:00:07, output 00:00:00, output hang never
Last clearing of "show interface" counters 1d12h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 612756
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 38446000 bits/sec, 109217 packets/sec
5 minute output rate 39023000 bits/sec, 110854 packets/sec
14601577951 packets input, 642478074437 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
14545044296 packets output, 639982568049 bytes, 0 underruns
0 output errors, 0 applique, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
rxLOS inactive, rxLOF inactive, rxAIS inactive
txAIS inactive, rxRAI inactive, txRAI inactive
Using the Cisco IOS Event Tracer to Troubleshoot Problems
Note This feature is intended for use as a software diagnostic tool and should be configured only under the
direction of a Cisco Technical Assistance Center (TAC) representative.
The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This
feature gives Cisco service representatives additional insight into the operation of the Cisco IOS
software and can be useful in helping to diagnose problems in the unlikely event of an operating system
malfunction or, in the case of redundant systems, Route Processor switchover.
Event tracing works by reading informational messages from specific Cisco IOS software subsystem
components that have been preprogrammed to work with event tracing, and by logging messages from
those components into system memory. Trace messages stored in memory can be displayed on the screen
or saved to a file for later analysis.
The SPAs currently support the “spa” component to trace SPA OIR-related events.
Preparing for Online Insertion and Removal of a SPA
The Cisco 7600 series router supports online insertion and removal (OIR) of the SIP, in addition to each
of the SPAs. Therefore, you can remove a SIP with its SPAs still intact, or you can remove a SPA
independently from the SIP, leaving the SIP installed in the router.
This means that a SIP can remain installed in the router with one SPA remaining active, while you
remove another SPA from one of the SIP subslots. If you are not planning to immediately replace a SPA
into the SIP, then be sure to install a blank filler plate in the subslot. The SIP should always be fully
installed with either functional SPAs or blank filler plates.
For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing
for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting a SIP” chapter in this
guide.
PART 8
IPSec VPN Shared Port Adapter
CHAPTER 24
Overview of the IPSec VPN SPA
This chapter provides an overview of the release history, features, and Management Information Base
(MIB) support for the IPSec VPN SPAs.
This chapter includes the following sections:
• Release History
• Overview of the IPSec VPN SPAs
• Overview of Basic IPSec and IKE Configuration Concepts
• Configuring VPNs with the IPSec VPN SPAs
• IPSec Feature Support
• Restrictions
• Supported MIBs
• IPSec VPN SPA Hardware Configuration Guidelines
• Displaying the SPA Hardware Type
Release History
Release Modification
Cisco IOS Release 15.1(3)S1
Support for WS-IPSEC-3 SPA was added on the WS-SSC-600 line card on
Cisco 7600 series router.
Cisco IOS Release 12.2(33)SRA
For the IPSec VPN SPA, SPA-IPSEC-2G, the following changes were
introduced:
• The following features were newly introduced:
– Front-side VRF
– IPSec Virtual Tunnel Interface (VTI)
– Certificate to ISAKMP Profile Mapping
– Call Admission Control
– Periodic Message Option (now supported in Dead Peer Detection)
– Reverse Route Injection (RRI)
– IPSec Anti-replay window size
– IPSec Preferred Peer
– Local Certificate Storage Location
– Persistent Self-signed Certificates
– Easy VPN Remote RSA Signature Storage
– IPSec and IKE MIB support for Cisco VRF-Aware IPSec
• Tunnel capacity has been increased to 16,000 tunnels.
• Support has been added for the following commands:
– clear crypto engine accelerator counter command—To clear
platform and network interface controller statistics.
– show crypto engine accelerator statistic command—To display
platform and network interface controller statistics.
– show crypto eli command—To display how many IKE-SAs and
IPSec sessions are active and how many Diffie-Hellman keys are
in use for each IPSec VPN SPA.
• Cisco IOS Release 12.2(33)SRA is only supported on Supervisor
Engine 32 and Supervisor Engine 720.
• Unlike previous releases, support is not included for IPSec stateful
failover using HSRP and SSP.
• The crypto engine subslot command has been replaced by the crypto
engine slot command.
• The one large configuration chapter has been restructured into several
smaller chapters, and a table has been added that describes
release-dependent features.
• The “IPSec Feature Support in VRF Mode for SPA-IPSEC-2G IPSEC
VPN SPA” has been expanded to include tables that differentiate
Supervisor and line card support by release.
Cisco IOS Release 12.2(18)SXF6
For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced for the
IPSec anti-replay window size feature in the SX release train.
Cisco IOS Release 12.2(18)SXF2
For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced for
Supervisor Engine 2, Supervisor Engine 32, and the configuration of IP
multicast over a GRE tunnel.
Cisco IOS Release 12.2(18)SXE5
For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced for two
new GRE takeover commands:
• crypto engine gre supervisor command—To configure the router to
process Generic Routing Encapsulation (GRE) using the Supervisor
Engine hardware or the Route Processor (RP).
• crypto engine gre vpnblade command—To configure the router to
process Generic Routing Encapsulation (GRE) using the IPSec VPN
SPA.
Cisco IOS Release 12.2(18)SXE2
For the SPA-IPSEC-2G IPSec VPN SPA, support was introduced on the
Cisco 7600 SSC-400 on the Cisco 7600 series router.
Overview of the IPSec VPN SPAs
The IPSec VPN SPAs are Gigabit Ethernet IP Security (IPSec) cryptographic SPAs that you can install
in a Cisco 7600 series router to provide hardware acceleration for IPSec encryption and decryption,
generic routing encapsulation (GRE), and Internet Key Exchange (IKE) key generation.
The IPSec SPAs come in the following models:
• SPA-IPSEC-2G
• WS-IPSEC-3
The SPA-IPSEC-2G SPA was introduced in Cisco IOS release 12.2(18)SXE2 and supported on the Cisco
SSC 400 line card. It is a 2 Gbps IPSec VPN SPA.
The WS-IPSEC-3 SPA is a 5 Gbps VPN Service Port Adapter (VSPA) introduced in Cisco IOS release
15.1(3)S1, on the Cisco 7600 platform. This SPA should be installed on a WS-SSC-600 line card before
it can be used on the Cisco 7600 series router.
Note Software-based IPSec features are not supported in any Cisco IOS releases that support the IPSec VPN
SPA.
The traditional software-based implementation of IPSec in Cisco IOS supports the entire suite of
security protocols including Authentication Header (AH), Encapsulating Security Payload (ESP), and
IKE. The resources consumed by these activities are significant and make it difficult to achieve line-rate
transmission speeds over secure virtual private networks (VPNs). To address this problem, certain
platforms with large VPN bandwidth requirements support bump-in-the-wire (BITW) IPSec hardware
modules in conjunction with the hardware forwarding engines. These modules off-load policy
enforcement, as well as bulk encryption and forwarding, from the route processor (RP) so that it is not
required to look at each packet coming through the router. This frees up resources that can be used for
session establishment, key management, and other features. The IPSec VPN SPA provides a
bump-in-the-wire (BITW) IPSec implementation using virtual LANs (VLANs) for a Cisco 7600 series
router.
Note BITW is an IPSec implementation that starts egress packet processing after the IP stack has finished with
the packet and completes ingress packet processing before the IP stack receives the packet.
The IPSec VPN SPA can use multiple Fast Ethernet or Gigabit Ethernet ports on other Cisco 7600 series
router modules to connect to the Internet through WAN routers. The physical ports may be attached to
the IPSec VPN SPA through a VLAN called the port-VLAN (or pvlan). Packets that are received from
the WAN routers pass through the IPSec VPN SPA for IPSec processing. The packets are output on a
dedicated VLAN called the interface or inside VLAN (or ivlan). Depending on the configuration mode
(VRF mode or crypto-connect mode), the ivlan or pvlan may be configured explicitly or may be allocated
implicitly by the system.
On the LAN side, traffic between the LAN ports can be routed or bridged on multiple Fast Ethernet or
Gigabit Ethernet ports. Because the LAN traffic is not encrypted or decrypted, it does not pass through
the IPSec VPN SPA.
The IPSec VPN SPA does not maintain routing information, route, or change the MAC header of a packet
(except for the VLAN ID from one VLAN to another).
Note GRE over IPSec over MPLS (GREoIPSecoMPLS) through a loopback cable is not supported on the
Cisco 7600 series router.
Overview of Basic IPSec and IKE Configuration Concepts
This subsection reviews some basic IPSec and IKE concepts that are used throughout the configuration
of the IPSec VPN SPA, such as security associations (SAs), access lists (ACLs), crypto maps, transform
sets, and IKE policies. The information presented here is introductory and should not be considered
complete.
Note For more detailed information on IPSec and IKE concepts and procedures, refer to the Cisco IOS
Security Configuration Guide.
Information About IPSec Configuration
IPSec provides secure tunnels between two peers, such as two routers. More accurately, these tunnels
are sets of security associations (SAs) that are established between two IPSec peers. The SAs define
which protocols and algorithms should be applied to sensitive packets and specify the keying material
to be used by the two peers. SAs are unidirectional and are established per security protocol
(Authentication Header (AH) or Encapsulating Security Payload (ESP)). Multiple IPSec tunnels can
exist between two peers to secure different data streams, with each tunnel using a separate set of SAs.
For example, some data streams might be authenticated only while other data streams must both be
encrypted and authenticated.
Note The use of the term “tunnel” in this subsection does not refer to using IPSec in tunnel mode.
With IPSec, you define what traffic should be protected between two IPSec peers by configuring ACLs
and applying these ACLs to interfaces by way of crypto maps. (The ACLs used for IPSec are used only
to determine which traffic should be protected by IPSec, not which traffic should be blocked or permitted
through the interface. Separate ACLs define blocking and permitting at the interface.)
If you want certain traffic to receive one combination of IPSec protection (for example, authentication
only) and other traffic to receive a different combination of IPSec protection (for example, both
authentication and encryption), you must create two different crypto ACLs to define the two different
types of traffic. These different ACLs are then used in different crypto map entries, which specify
different IPSec policies.
Crypto ACLs associated with IPSec crypto map entries have four primary functions:
• Select outbound traffic to be protected by IPSec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when
initiating negotiations for IPSec security associations.
• Process inbound traffic in order to filter out and discard traffic that should have been protected by
IPSec.
• Determine whether or not to accept requests for IPSec security associations on behalf of the
requested data flows when processing IKE negotiation from the IPSec peer. Negotiation is
performed only for ipsec-isakmp crypto map entries. In order to be accepted, if the peer initiates the
IPSec negotiation, it must specify a data flow that is “permitted” by a crypto ACL associated with
an ipsec-isakmp crypto map entry.
Note ACLs applied to a crypto map, also known as crypto ACLs, are different from normal extended ip
access-lists and do NOT provide or support logging.
Crypto map entries created for IPSec combine the various parts used to set up IPSec SAs, including:
• Which traffic should be protected by IPSec (per a crypto ACL)
• The granularity of the flow to be protected by a set of SAs
• Where IPSec-protected traffic should be sent (the name of the remote IPSec peer)
• The local address to be used for the IPSec traffic
• What IPSec SA should be applied to this traffic (selecting from a list of one or more transform sets)
• Whether SAs are manually established or are established via IKE
• Other parameters that might be necessary to define an IPSec SA
Crypto map entries are searched in order—the router attempts to match the packet to the access list
specified in that entry.
Crypto map entries also include transform sets. A transform set is an acceptable combination of security
protocols, algorithms, and other settings to apply to IPSec-protected traffic.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. During IPSec security association negotiations with IKE, the peers search for a transform set
that is the same at both peers. When such a transform set is found, it is selected and will be applied to
the protected traffic as part of both peers’ IPSec SAs. (With manually established SAs, there is no
negotiation with the peer, so both sides must specify the same transform set.)
Note To minimize the possibility of packet loss during rekeying, we recommend using time-based rather than
volume-based IPSec SA expiration. By setting the lifetime volume to the maximum value using the set
security-association lifetime kilobytes 536870912 command, you can usually force time-based SA
expiration.
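The selection rules in this subsection (crypto map entries are searched in order, permit = protect, and cleartext inbound traffic that should have been protected is discarded) can be modelled directly, which also exposes an ordering mistake worth auditing for. This is an added example, not code or configuration from this guide; the addresses, peer, transform-set labels, and the mirrored source/destination check for inbound traffic are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Permit = Tuple[str, str]  # one crypto ACL permit entry: (source network, destination network)


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                     # sequence number; lower numbers are searched first
    peer: str                    # remote IPSec peer
    transform_set: str           # label of the transform set this entry applies
    permits: Tuple[Permit, ...]  # crypto ACL: permit = protect

    def matches(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return any(s in ip_network(a) and d in ip_network(b) for a, b in self.permits)


def lookup(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Return the first entry, in sequence order, whose crypto ACL permits the flow."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.matches(src, dst):
            return entry
    return None


def outbound_action(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> str:
    entry = lookup(crypto_map, src, dst)
    if entry is None:
        return "clear"  # no crypto ACL permits it, so IPSec does not protect it
    return f"protect:{entry.transform_set}:{entry.peer}"


def inbound_cleartext_action(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> str:
    """Decide what happens to a packet that arrived WITHOUT IPSec protection.

    Assumption: the crypto ACL is written from the local side, so an inbound
    packet is checked with source and destination mirrored.
    """
    if lookup(crypto_map, dst, src) is not None:
        return "discard"  # it should have been protected by IPSec
    return "accept"       # left to the separate interface ACLs


def shadowed_permits(crypto_map: List[CryptoMapEntry]) -> List[Tuple[int, Permit, int]]:
    """Find permits that can never match because an earlier entry covers them."""
    findings = []
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    for i, later in enumerate(ordered):
        for src, dst in later.permits:
            for earlier in ordered[:i]:
                if any(ip_network(src).subnet_of(ip_network(a))
                       and ip_network(dst).subnet_of(ip_network(b))
                       for a, b in earlier.permits):
                    findings.append((later.seq, (src, dst), earlier.seq))
                    break
    return findings


# Constructed sample data: one subnet must be encrypted and authenticated,
# the rest of the site is authenticated only.
PEER = "192.0.2.2"
SENSITIVE = (("10.1.1.0/24", "10.2.1.0/24"),)
SITE = (("10.1.0.0/16", "10.2.0.0/16"),)

GOOD_MAP = [
    CryptoMapEntry(10, PEER, "ENC-AUTH", SENSITIVE),
    CryptoMapEntry(20, PEER, "AUTH-ONLY", SITE),
]
# Same entries with the broad one first: the sensitive subnet is shadowed.
MISORDERED_MAP = [
    CryptoMapEntry(10, PEER, "AUTH-ONLY", SITE),
    CryptoMapEntry(20, PEER, "ENC-AUTH", SENSITIVE),
]

if __name__ == "__main__":
    for name, cmap in (("good", GOOD_MAP), ("misordered", MISORDERED_MAP)):
        print(name, outbound_action(cmap, "10.1.1.5", "10.2.1.9"), shadowed_permits(cmap))
```

With the misordered map, traffic from the sensitive subnet matches the broad entry first and is sent authenticated but not encrypted, which is why the more specific crypto ACL needs the lower sequence number.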
Information About IKE Configuration
IKE is a key management protocol standard that is used in conjunction with the IPSec standard.
IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside the
Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley,
and Skeme are security protocols implemented by IKE.)
In Cisco IOS Release 12.2(33)SXF and earlier releases, IPSec can be configured without IKE, but IKE
enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec
standard. IKE is enabled by default.
You configure IKE by creating IKE policies at each peer using the crypto isakmp policy command. An
IKE policy defines a combination of security parameters to be used during the IKE negotiation and
mandates how the peers are authenticated.
You can create multiple IKE policies, each with a different combination of parameter values, but at least
one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman
parameter values as one of the policies on the remote peer. For each policy that you create, you assign a
unique priority (1 through 10,000, with 1 being the highest priority).
If you do not configure any policies, your router uses the default policy, which is always set to the lowest
priority, and which contains each parameter’s default value.
There are five parameters to define in each IKE policy:
• Encryption algorithm
• Hash algorithm
• Authentication method
• Diffie-Hellman group identifier
• Security association lifetime
For more information about IKE, see the “Overview of IKE” section on page 28-2.
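The matching rule above (at least one policy on each side with identical encryption, hash, authentication, and Diffie-Hellman values) can be checked offline before a change window by comparing the crypto isakmp policy blocks of both peers. This is an added example, not a Cisco tool or code from this guide; the two configurations are constructed, and the default values filled in for omitted parameters (DES, SHA, RSA signatures, group 1, 86400 seconds) are assumed classic Cisco IOS defaults.

```python
import re
from typing import Dict, List, Tuple

# The four parameters the guide says must be identical on both peers.
MATCH_FIELDS = ("encryption", "hash", "authentication", "group")

# Assumption: classic Cisco IOS defaults, used for any parameter a policy omits.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
DEFAULT_PRIORITY = 10001  # sentinel for the default policy: below priorities 1..10000

# Running configs abbreviate keywords ("encr"), so match on the first four letters.
KEYWORDS = {"encr": "encryption", "hash": "hash", "auth": "authentication",
            "grou": "group", "life": "lifetime"}

Policy = Dict[str, str]


def parse_isakmp_policies(config: str) -> Dict[int, Policy]:
    """Extract IKE policies, keyed by priority, from IOS configuration text."""
    policies: Dict[int, Policy] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            priority = int(header.group(1))
            if not 1 <= priority <= 10000:
                raise ValueError(f"priority {priority} outside 1..10000")
            current = policies.setdefault(priority, dict(DEFAULTS))
        elif current is not None and raw[:1].isspace() and line:
            word, _, value = line.partition(" ")
            field = KEYWORDS.get(word[:4])
            if field:
                value = " ".join(value.split())
                # "aes" with no key size means 128 bits, so treat both spellings alike.
                if (field, value) == ("encryption", "aes 128"):
                    value = "aes"
                current[field] = value
        elif line:
            current = None  # an unindented line ends the policy sub-mode
    if not policies:
        # No policy configured: the router falls back to the default policy.
        policies[DEFAULT_PRIORITY] = dict(DEFAULTS)
    return policies


def common_policies(local: Dict[int, Policy], remote: Dict[int, Policy]) -> List[Tuple[int, int]]:
    """Return (local priority, remote priority) pairs that agree on all MATCH_FIELDS."""
    return [(lp, rp) for lp in sorted(local) for rp in sorted(remote)
            if all(local[lp][f] == remote[rp][f] for f in MATCH_FIELDS)]


def audit(local_cfg: str, remote_cfg: str) -> dict:
    local, remote = parse_isakmp_policies(local_cfg), parse_isakmp_policies(remote_cfg)
    pairs = common_policies(local, remote)
    return {
        "negotiable": bool(pairs),
        "matches": pairs,
        # Only the weak default policy is shared: worth fixing before deployment.
        "default_only": bool(pairs) and all(DEFAULT_PRIORITY in p for p in pairs),
        # Lifetime is the fifth policy parameter; differences are reported for review.
        "lifetime_differs": [(lp, rp) for lp, rp in pairs
                             if local[lp]["lifetime"] != remote[rp]["lifetime"]],
    }


# Constructed sample configurations (not taken from any real device).
HQ_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
"""
BRANCH_CONFIG = """\
crypto isakmp policy 5
 encr aes 256
 authentication rsa-sig
 group 5
crypto isakmp policy 15
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
"""
BRANCH_MD5_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
"""

if __name__ == "__main__":
    print(audit(HQ_CONFIG, BRANCH_CONFIG))
    print(audit(HQ_CONFIG, BRANCH_MD5_CONFIG))
```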
Configuring VPNs with the IPSec VPN SPAs
To configure a VPN using the IPSec VPN SPA, you have two basic options: crypto-connect mode or
Virtual Routing and Forwarding (VRF) mode. In either mode, you may also configure GRE tunneling to
encapsulate a wide variety of protocol packet types, including multicast packets, inside the VPN tunnel.
Note Switching between crypto-connect mode and VRF mode requires a reload.
Note We recommend that you do not make changes to the VPN configuration while VPN sessions are active.
To avoid system disruption, we recommend that you plan a scheduled maintenance time and clear all
VPN sessions using the clear crypto sessions command before making VPN configuration changes.
Crypto-Connect Mode
Traditionally, VPNs are configured on the IPSec VPN SPA by attaching crypto maps to interface VLANs
and then crypto-connecting a physical port to the interface VLAN. This method, known as
crypto-connect mode, is similar to the method used to configure VPNs on routers running Cisco IOS
software. When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach
crypto maps to VLANs (using interface VLANs); when you configure VPNs on routers running Cisco
IOS software, you configure individual interfaces.
Note With the IPSec VPN SPA, crypto maps are attached to individual interfaces but the set of interfaces
allowed is restricted to interface VLANs.
Crypto-connect mode VPN configuration is described in Chapter 25, “Configuring VPNs in
Crypto-Connect Mode.”
VRF Mode
VRF mode, also known as VRF-aware IPSec, allows you to map IPSec tunnels to VPN routing and
forwarding instances (VRFs) using a single public-facing address. A VRF instance is a per-VPN routing
information repository that defines the VPN membership of a customer site attached to the Provider
Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF)
table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters
that control the information that is included in the routing table. A separate set of routing and CEF tables
is maintained for each VPN customer.
When you configure a VPN on the IPSec VPN SPA using VRF mode, the model of interface VLANs is
preserved, but the crypto connect vlan command is not used. Instead, a route must be installed so that
packets destined for that particular subnet in that particular VRF are directed to that interface VLAN.
When configuring a VPN using VRF mode, you have these additional tunneling options: tunnel
protection (TP) using GRE, and Virtual Tunnel Interface (VTI). With either of these options, you can
terminate tunnels in VRFs (normal VRF mode) or in the global context.
VRF mode VPN configuration is described in Chapter 26, “Configuring VPNs in VRF Mode.”
IPSec Feature Support
The tables in the following sections display supported and unsupported IPSec features of the IPsec VPN
Module in each VPN mode according to the software release:
• IPSec Features Common To All VPN Modes
• IPSec Features in Crypto-Connect Mode
• IPSec Features in VRF Mode
Note This document describes IPSec VPN SPA features and applications that have been tested and are
supported. Features and applications that do not explicitly appear in this table and in the following
chapters should be considered unsupported. Contact your Cisco account team before implementing a
configuration that is not described in this document.
IPSec Features Common To All VPN Modes
Table 24-1 lists the supported and unsupported IPSec features common to all VPN modes for IPSec VPN
SPA, SPA-IPSEC-2G.
Table 24-1 IPSec Feature Support By Release in All VPN Modes for SPA-IPSEC-2G
Cisco IOS Software Release 12.2 (columns SXE through SXH)
| Feature Name | SXE | SXF | SRA | SRB, SRC, SRD, SRE | SXH (1) |
|---|---|---|---|---|---|
| IPSec tunnels using software crypto | N | N | N | N | N |
| Enhanced GRE takeover (if the supervisor engine cannot process) | Y | Y | Y | Y | Y |
| Multicast over GRE | N | Y | Y | Y | Y |
| Multicast over multipoint GRE (mGRE) / DMVPN | N | N | N | N | N |
| Multicast Scalability Enhancement (single SPA mode) | N | Y | Y | Y | Y |
| Advanced Encryption Standard (AES) | Y | Y | Y | Y | Y |
| ISAKMP keyring | Y | Y | Y | Y | Y |
| SafeNet Client support | Y | Y | Y | Y | Y |
| Peer filtering (SafeNet Client support) | N | N | N | N | N |
| Certificate to ISAKMP profile mapping | Y | Y | Y | Y | Y |
| Encrypted preshared key | Y | Y | Y | Y | Y |
| IKE Aggressive Mode Initiation | N | N | N | N | N |
| Call Admission Control (CAC) for IKE | N | N | Y | Y | Y |
| Dead Peer Detection (DPD) on-demand | Y | Y | Y | Y | Y |
| DPD periodic message option | N | N | Y | Y | Y |
| IPSec prefragmentation (Look-Ahead Fragmentation, or LAF) | Y | Y | Y | Y | Y |
| Reverse Route Injection (RRI) | Y | Y | Y | Y | Y |
| Reverse route with optional parameters | N | N | N | N | N |
| Adjustable IPSec anti-replay window size | N | Y | Y | Y | Y |
| IPSec preferred peer | Y | Y | Y | Y | Y |
| Per-crypto map (and global) IPSec security association (SA) idle timers | Y | Y | Y | Y | Y |
| Distinguished name-based crypto maps | Y | Y | Y | Y | Y |
| Sequenced access control lists (ACLs) (crypto ACLs) | Y | Y | Y | Y | Y |
| Deny policy configuration enhancements (drop, jump, clear) | Y | Y | Y | Y | Y |
| Disable volume lifetime per interface | N | N | N | N | N |
| IPSec VPN SPA quality of service (QoS) queueing | Y | Y | Y | Y | Y |
| Multiple RSA key pair support | N | N | Y | Y | Y |
| Protected private key storage | N | N | Y | Y | Y |
| Trustpoint CLI | N | N | Y | Y | Y |
| Query mode per trustpoint | N | N | N | N | N |
| Local certificate storage location | N | N | Y | Y | Y |
| Direct HTTP enroll with CA servers | Y | Y | Y | Y | Y |
| Manual certificate enrollment (TFTP and cut-and-paste) | N | N | Y | Y | Y |
| Certificate autoenrollment | N | N | Y | Y | Y |
| Key rollover for Certificate Authority (CA) renewal | N | N | N | N | N |
| Public-key infrastructure (PKI) query multiple servers | N | N | N | N | N |
| Online Certificate Status Protocol (OCSP) | N | N | N | N | N |
| Optional OCSP nonces | N | N | N | N | N |
| Certificate security attribute-based access control | N | N | N | N | N |
| PKI AAA authorization using entire subject name | N | N | N | N | N |
| PKI local authentication using subject name | N | N | Y | Y | Y |
| Source interface selection for outgoing traffic with certificate authority | N | N | N | N | N |
| Persistent self-signed certificates as Cisco IOS CA server | N | N | N | N | N |
| Certificate chain verification | N | N | N | N | N |
| Multi-tier certificate support | Y | Y | Y | Y | Y |
| Easy VPN Server enhanced features | N | N | N | N | N |
| Easy VPN Server basic features | Y | Y | Y | Y | Y |
| Interoperate with Easy VPN Remote using preshared key | Y | Y | Y | Y | Y |
| Interoperate with Easy VPN Remote using RSA signature | N | N | Y | Y | Y |
| Stateless failover using the Hot Standby Router Protocol (HSRP) | Y | Y | Y | Y | Y |
| Chassis-to-chassis stateful failover using HSRP and SSP in site-to-site IPSec using preshared keys with crypto maps | Y | Y | N | N | N |
| Chassis-to-chassis failover (IPSec stateful failover) with DMVPN, GRE/TP, VTI, Easy VPN, or PKI | N | N | N | N | N |
| Blade-to-Blade stateful failover | Y | Y | Y | Y | Y |
| IPSec VPN Monitoring (IPSec Flow MIB) | Y | Y | Y | Y | Y |
| IPSec VPN Accounting (start / stop / interim records) | Y | Y | Y | Y | Y |
| Crypto Conditional Debug support | N | Y | Y | Y | Y |
| show crypto engine accelerator statistic command | N | N | Y | Y | Y |
| Other show crypto engine commands | N | N | N | N | N |
| clear crypto engine accelerator counter command | N | N | Y | Y | Y |
| Crypto commands applied to a loopback interface | N | N | N | N | N |
| Policy Based Routing (PBR) on tunnel interface or interface VLAN | N | N | N | N | N |
| ACL on tunnel interface | N | N | N | N | N |
| MQC QoS on tunnel interface (service policy) | N | N | N | N | N |
| mls qos command on all tunnel interfaces: IPSec, GRE, mGRE | N | N | N | N | N |
| QoS pre-classify CLI | N | N | N | N | N |
| NAT on crypto VLAN or crypto protected tunnel interface | N | N | N | N | N |
| 16 K tunnels (IKE and IPSec tunnels) | N | N | Y | Y | Y |
| Switching between VRF and crypto-connect modes requires reboot | Y | Y | Y | Y | Y |
| GRE keepalives on tunnel protection (TP) tunnels | N | N | N | N | N |
| GRE keepalives on mGRE/DMVPN tunnels | N | N | N | N | N |
| IPSec Network Address Translation Transparency (NAT-T) (transport mode, ESP only) | Y | Y | Y | Y | Y |
| Dynamic Multipoint VPN Phase 2 (DMVPN) (mGRE; TP & NHRP) | Y | Y | Y | Y | Y |
| DMVPN Phase 3 | N | N | N | N | N |
| DMVPN hub router behind a NAT gateway—tunnel mode | N | N | N | N | N |
| DMVPN hub router behind a NAT gateway—transport mode (not spoke-to-spoke) | N | N | N | N | Y |
| DMVPN spoke router behind a NAT gateway—tunnel mode | N | N | N | N | N |
| DMVPN spoke router behind a NAT gateway—transport mode (not spoke-to-spoke) | Y | Y | Y | Y | Y |
| Multicast transit traffic over DMVPN tunnels | N | N | N | N | N |
| Non-IP traffic over TP (DMVPN, point-to-point GRE, sVTI) tunnels | N | N | N | N | N |
| Support for the VPNSM | Y | Y | N | N | N |
| All serial PPP interfaces with crypto-connect mode must have ip unnumber null 0 command | N | N | N | Y | Y |
| Manual key | N | Y | N | N | N |
| Tunnel Endpoint Discovery | Y | Y | N | N | N |
| Transport adjacency and nested tunnels | N | N | N | N | N |
| Transit IPSec packets | N | Y | N | N | Y |
| IPSec VPN SPA supported with virtual switching system (VSS) | N | N | N | N | N |
| IP header options through IPSec tunnels | N | N | N | N | N |
| Invalid SPI recovery | N | N | Y | Y | Y |
| IPSec compression | N | N | N | N | N |
| Multilink or dialer interfaces | N | N | N | N | N |
| Group Encrypted Transport VPN (GETVPN) | N | N | N | N | N |
| IPSec Passive Mode | N | N | N | N | N |
1. The SXH software release is for the Catalyst 6500 series switch. This release does not apply to the Cisco 7600
series router.
Table 24-2 lists the supported and unsupported IPSec features common to all VPN modes for
WS-IPSEC-3 IPSEC VSPA.
Table 24-2 IPSec Feature Support in All VPN Modes for WS-IPSEC-3 SPA
| Feature Name | Cisco IOS Release 15.1(3)S1 |
|---|---|
| IPSec tunnels using software crypto | N |
| Enhanced GRE takeover (if the supervisor engine cannot process) | Y |
| Multicast over GRE | Y |
| Multicast over multipoint GRE (mGRE) / DMVPN | N |
| Multicast Scalability Enhancement (single SPA mode) | Y |
| Advanced Encryption Standard (AES) | Y |
| Internet Security Association and Key Management Protocol (ISAKMP) keyring | Y |
| SafeNet Client support | Y |
| Peer filtering (SafeNet Client support) | N |
| Certificate to ISAKMP profile mapping | Y |
| Encrypted preshared key | Y |
| IKE Aggressive Mode Initiation | N |
| Call Admission Control (CAC) for IKE | Y |
| Dead Peer Detection (DPD) on-demand | Y |
| DPD periodic message option | Y |
| IPSec prefragmentation (Look-Ahead Fragmentation, or LAF) | Y |
| Reverse Route Injection (RRI) | Y |
| Reverse route with optional parameters | N |
| Adjustable IPSec anti-replay window size | Y |
| IPSec preferred peer | Y |
| Per-crypto map (and global) IPSec security association (SA) idle timers | Y |
| Distinguished name-based crypto maps | Y |
| Sequenced access control lists (ACLs) or crypto ACLs | Y |
| Deny policy configuration enhancements (drop, jump, clear) | Y |
| Disable volume lifetime per interface | N |
| IPSec VPN SPA quality of service (QoS) queueing | Y |
| Multiple RSA key pair support | Y |
| Protected private key storage | Y |
| Trustpoint CLI | Y |
| Query mode per trustpoint | N |
| Local certificate storage location | Y |
| Direct HTTP enroll with CA servers | Y |
| Manual certificate enrollment (TFTP and cut-and-paste) | Y |
| Certificate autoenrollment | Y |
| Key rollover for Certificate Authority (CA) renewal | N |
| Public-key infrastructure (PKI) query multiple servers | N |
| Online Certificate Status Protocol (OCSP) | N |
| Optional OCSP nonces | N |
| Certificate security attribute-based access control | N |
| PKI AAA authorization using entire subject name | N |
| PKI local authentication using subject name | Y |
| Source interface selection for outgoing traffic with certificate authority | N |
| Persistent self-signed certificates as Cisco IOS CA server | N |
| Certificate chain verification | N |
| Multi-tier certificate support | Y |
| Easy VPN Server enhanced features | N |
| Easy VPN Server basic features | Y |
| Interoperate with Easy VPN Remote using preshared key | Y |
| Interoperate with Easy VPN Remote using RSA signature | Y |
| Stateless failover using the Hot Standby Router Protocol (HSRP) | Y |
| Chassis-to-chassis stateful failover using HSRP and SSP in site-to-site IPSec using preshared keys with crypto maps | N |
| Chassis-to-chassis failover (IPSec stateful failover) with DMVPN, GRE/TP, VTI, Easy VPN, or PKI | N |
| Blade-to-Blade stateful failover | Y |
| IPSec VPN Monitoring (IPSec Flow MIB) | Y |
| IPSec VPN Accounting (start / stop / interim records) | Y |
| Crypto Conditional Debug support | Y |
| show crypto engine accelerator statistic command | Y |
| clear crypto engine accelerator counter command | Y |
| Crypto commands applied to a loopback interface | N |
| Policy Based Routing (PBR) on tunnel interface or interface VLAN | N |
| ACL on tunnel interface | N |
| MQC QoS on tunnel interface (service policy) | N |
| mls qos command on all tunnel interfaces: IPSec, GRE, mGRE | N |
| QoS pre-classify CLI | N |
| NAT on crypto VLAN or crypto protected tunnel interface | N |
| 16000 tunnels (IKE and IPSec tunnels) | Y |
| Switching between VRF and crypto-connect modes requires reboot | Y |
| GRE keepalives on tunnel protection (TP) tunnels | N |
| GRE keepalives on mGRE/DMVPN tunnels | N |
| IPSec Network Address Translation Transparency (NAT-T) (transport mode, ESP only) | Y |
| DMVPN Phase 2 (mGRE; TP & NHRP) | Y |
| DMVPN Phase 3 | N |
| DMVPN hub router behind a NAT gateway—tunnel mode | N |
| DMVPN hub router behind a NAT gateway—transport mode (not spoke-to-spoke) | N |
| DMVPN spoke router behind a NAT gateway—tunnel mode | N |
| DMVPN spoke router behind a NAT gateway—transport mode (not spoke-to-spoke) | Y |
| Multicast transit traffic over DMVPN tunnels | N |
| Non-IP traffic over TP (DMVPN, point-to-point GRE, sVTI) tunnels | N |
| Support for the VPNSM | N |
| All serial PPP interfaces with crypto-connect mode must have ip unnumber null 0 command | Y |
| Manual key | N |
| Tunnel Endpoint Discovery | N |
| Transport adjacency and nested tunnels | N |
| Transit IPSec packets | N |
| IPSec VPN SPA supported with virtual switching system (VSS) | N |
| IP header options through IPSec tunnels | N |
| Invalid Security Parameter Index (SPI) recovery | Y |
| IPSec compression | N |
| Multilink or dialer interfaces | N |
| Group Encrypted Transport VPN (GETVPN) | N |
| IPSec Passive Mode | N |
IPSec Features in Crypto-Connect Mode
Table 24-3 lists the supported and unsupported IPSec features in crypto-connect mode for
SPA-IPSEC-2G.
Table 24-3 IPSec Feature Support By Release in Crypto-Connect Mode for SPA-IPSEC-2G
                                                     Cisco IOS Software Release 12.2
Feature Name                                         SXE  SXF  SRA  SRB, SRC, SRD, SRE  SXH(1)
Point-to-point GRE with tunnel protection and VTI    N    N    N    N                   N
Path MTU discovery (PMTUD)                           N    N    Y    Y                   Y
PMTUD with NAT-T                                     N    N    N    N                   N
IPSec static virtual tunnel interface (sVTI)         N    N    N    N                   N
The use of VRFs in conjunction with crypto features  N    N    N    N                   N
IPX and Appletalk over point-to-point GRE            Y    Y    Y    Y                   Y
ip tcp adjust-mss command in GRE when taken over     N    N    N    N                   N
1. The SXH software release is for the Catalyst 6500 series switch. This release does not apply to the Cisco 7600
series router.
Table 24-4 lists the supported and unsupported IPSec features in crypto-connect mode for
the WS-IPSEC-3 SPA.
Table 24-4 Supported and Unsupported IPSec Features in Crypto-Connect Mode for WS-IPSEC-3 SPA
Feature Name                                         Cisco IOS Software Release 15.1(3)S1
Point-to-point GRE with tunnel protection            N
Path MTU discovery (PMTUD)                           Y
PMTUD with NAT-T                                     N
IPSec static virtual tunnel interface (sVTI)         N
The use of VRFs in conjunction with crypto features  N
IPX and Appletalk over point-to-point GRE            Y
ip tcp adjust-mss command in GRE when taken over     N
IPSec Features in VRF Mode
Table 24-5 lists the supported and unsupported IPSec features in VRF mode for SPA-IPSEC-2G IPSEC
VPN SPA.
Table 24-5 IPSec Feature Support in VRF Mode for SPA-IPSEC-2G IPSEC VPN SPA
                                                                              Cisco IOS Software Release 12.2
Feature Name                                                                  SXE  SXF  SRA  SRB, SRC, SRD, SRE  SXH(1)
Global VRF                                                                    Y    Y    Y    Y                   Y
Front-door VRF (FVRF)                                                         N    N    Y    Y                   Y
FVRF on an mGRE tunnel configured on a DMVPN hub                              N    N    Y    Y                   Y
FVRF on an mGRE tunnel configured on a DMVPN spoke                            N    N    N    N                   N
Overlapping IP address space in VRFs                                          Y    Y    Y    Y                   Y
Secondary IP addresses on interfaces                                          N    N    N    N                   N
MPLS over GRE/IPSec (tag switching on tunnel interfaces)                      N    N    N    N                   N
PE-PE encryption (IPSec only) over MPLS                                       N    N    N    N                   N
PE-PE encryption (tunnel protection) over MPLS                                N    N    N    N                   N
MPLS PE-CE encryption (Tag2IP) with GRE/TP                                    N    N    N    Y                   Y
MPLS PE-CE encryption (Tag2IP) with sVTI                                      N    N    N    N                   N
MPLS PE-CE encryption (Tag2IP) with crypto map                                N    N    N    N                   N
Crypto maps in VRF-lite                                                       Y    Y    Y    Y                   Y
Per-VRF AAA with RADIUS                                                       N    N    N    Y                   Y
Per-VRF AAA with TACACS                                                       N    N    N    Y                   N
IPSec static virtual tunnel interface (sVTI)                                  N    N    Y    Y                   Y
Multicast over sVTI                                                           N    N    N    N                   N
ip tcp adjust-mss command on sVTI or GRE                                      N    N    N    N                   N
Ingress and egress features (ACL, QOS) on sVTI, GRE/TP, and mGRE tunnel       N    N    N    N                   N
Ingress features (ACL, PBR, inbound service policy) on the outside interface  N    N    N    N                   N
Outbound service policy on the outside interface                              Y    Y    Y    Y                   Y
TP support in the global context                                              N    N    Y    Y                   Y
IPSec SA using crypto map created in transport mode                           N    N    N    N                   N
Path MTU discovery (PMTUD)                                                    N    N    N    N                   N
Non-IP version 4 traffic over TP tunnels                                      N    N    N    N                   N
IPv6 IPSec sVTI IPv6-in-IPv6                                                  N    N    N    N                   N
1. The SXH software release is for the Catalyst 6500 series switch. This release does not apply to the Cisco 7600
series router.
Table 24-6 lists the supported and unsupported IPSec features in VRF mode for
WS-IPSEC-3 IPSEC VSPA.
Table 24-6 Supported and Unsupported IPSec Features in VRF Mode for WS-IPSEC-3 IPSEC VSPA
Feature Name                                                                  Cisco IOS Software Release 15.1(3)S1
Global VRF                                                                    Y
Front-door VRF (FVRF)                                                         Y
FVRF on an mGRE tunnel configured on a DMVPN hub                              Y
FVRF on an mGRE tunnel configured on a DMVPN spoke                            N
Overlapping IP address space in VRFs                                          Y
Secondary IP addresses on interfaces                                          N
MPLS over GRE/IPSec (tag switching on tunnel interfaces)                      N
PE-PE encryption (IPSec only) over MPLS                                       N
PE-PE encryption (tunnel protection) over MPLS                                N
MPLS PE-CE encryption (Tag2IP) with GRE/TP                                    Y
MPLS PE-CE encryption (Tag2IP) with sVTI                                      N
MPLS PE-CE encryption (Tag2IP) with crypto map                                N
Crypto maps in VRF-lite                                                       Y
Per-VRF AAA with RADIUS                                                       Y
Per-VRF AAA with Terminal Access Controller Access-Control System (TACACS)    Y
IPSec static virtual tunnel interface (sVTI)                                  Y
Multicast over sVTI                                                           N
ip tcp adjust-mss command on sVTI or GRE                                      N
Ingress and egress features (ACL, QOS) on sVTI, GRE/TP, and mGRE tunnel       N
Ingress features (ACL, PBR, inbound service policy) on the outside interface  N
Outbound service policy on the outside interface                              Y
TP support in the global context                                              Y
IPSec SA using crypto map created in transport mode                           N
Path MTU discovery (PMTUD)                                                    N
Non-IP version 4 traffic over TP tunnels                                      N
IPv6 IPSec sVTI IPv6-in-IPv6                                                  N
Interoperability for SPA-IPSEC-2G IPSEC VPN SPA
Supervisor Engine support varies based on the release. Table 24-7 lists the supported Supervisor Engines
for each release for the SPA-IPSEC-2G IPSec VPN SPA.
Line card module support varies based on the release.
Table 24-7 Supervisor Engine Support for the SPA-IPSEC-2G IPSec VPN SPA by Release
Release                         Supervisor Supported
Cisco IOS Release 12.2(33)SRE   Supervisor Engine RSP720-10GE
Cisco IOS Release 12.2(33)SRC   Supervisor Engine RSP720-1GE
                                Supervisor Engine 720
                                Supervisor Engine 32
Cisco IOS Release 12.2(33)SRA   Supervisor Engine 720
                                Supervisor Engine 32
Cisco IOS Release 12.2(18)SXF2  Supervisor Engine 720
                                Supervisor Engine 32
                                Supervisor Engine 2
Cisco IOS Release 12.2(18)SXE5  Supervisor Engine 720
Cisco IOS Release 12.2(18)SXE2  Supervisor Engine 720
The IPSec VPN SPA supports the following interoperability features:
• You may have an IPSec VPN SPA in the same chassis with the following service modules:
– Firewall Services Module (WS-SVC-FWM-1-K9)
– Network Analysis Module 2 (WS-SVC-NAM-2)
Table 24-8 lists the known supported line card modules for each release. Note the following guidelines
when using this table:
• An “X” in the Qualified column indicates the module was tested; an “X” in the Supported column
indicates that the module is supported.
• If the module has a footnote beside the “X” in the Supported column, although the module is
supported, some restrictions apply. See the footnote below the table for details of the restriction.
• If the module has an “X” in the Supported column but not in the Qualified column, although the
module was not specifically tested, it is supported.
Any line card modules not specifically listed in the table are not supported by TAC/BU.
Table 24-8 Line Card Module Support for the SPA-IPSEC-2G IPSec VPN SPA by Release
Line Card Module Cisco IOS Release 12.2(18)SX Cisco IOS Release 12.2(33)SR
Qualified Supported Qualified Supported
7600-SIP-200
With the following SPAs:
SPA-2XOC3-ATM=
SPA-2XOC3-POS=
SPA-2XT3/E3
X X X X
7600-SIP-400
With the following SPAs:
SPA-1XOC12-ATM=
SPA-2X0C3-ATM=
SPA-2X1GE
X
1
X
2
X
7600-SIP-600
With the following SPAs:
SPA-1X10GE
SPA-10X1GE
X
3
X
7600-SSC-400 X X X X
OSM-2OC48/1DPT-SI X X
OSM-2OC48/1DPT-SL X X
OSM-2OC48/1DPT-SS X X X
OSM-8OC3-POS-MM X X X X
OSM-8OC3-POS-SI X X
OSM-8OC3-POS-SI+ X X
OSM-8OC3-POS-SL X X
OSM-16OC3-POS-MM+ X X X X
OSM-16OC3-POS-SI X X
OSM-16OC3-POS-SI+ X X
OSM-16OC3-POS-SL X X
OSM-2+4GE-WAN+ X X X
WS-6182-2PA X X X X
WS-6582-2PA X X X X
WS-6802-2PA
With the following PAs:
PA-A3-OC3MM
PA-A3-T3
PA-MC-T3
X X X
WS-SVC-FWM-1 X X X
WS-SVC-IDSM2 X X
WS-SVC-IDSUPG X X
WS-SVC-NAM2 X X
WS-SVC-WEBVPN-K9 X X X
WS-X6148-GE-TX X X X X
WS-X6408A-GBIC X X X
WS-X6416-GBIC X X X
WS-X6416-GE-MT X X
WS-X6502-10GE X X X X
WS-X6516-GBIC X X X X
WS-X6516-GE-TX X X X X
WS-X6516A-GBIC X X X X
WS-X6548-GE-TX X X X X
WS-X6548V-GE-TX X X
WS-X6548-RJ-21 X X
WS-X6548-RJ-45 X X X X
WS-X6704-10GE X X X X
WS-X6724-SFP X X X X
WS-X6748-GE-TX X X X X
WS-X6748-SFP X X X X
1. Cisco IOS Release 12.2(18)SXF2: Switch port configurations are not supported when a Cisco 7600 SIP-400 is present in the chassis.
2. Cisco IOS Release 12.2(33)SRA: Switch port configurations are not supported when a Cisco 7600 SIP-400 is present in the chassis.
3. Cisco IOS Release 12.2(33)SRA: MPLS tunnel recirculation must be enabled when a Cisco 7600 SIP-600 is installed and VRF is to be enabled. That is,
you must add the mls mpls tunnel-recir command before entering the crypto engine mode vrf command if a Cisco 7600 SIP-600 is present in the
chassis.
Restrictions
Note For other SSC-specific features and restrictions, see also Chapter 3, “Overview of the SIPs and SSC” in
this guide.
The IPSec VPN SPAs are subject to the following restrictions:
Restrictions for SPA-IPSEC-2G IPSEC VPN SPA
• The SPA-IPSEC-2G IPSec VPN SPA requires Cisco IOS Release 12.2(18)SXE2 or later releases.
• The SPA-IPSEC-2G IPSec VPN SPA is supported only on the Cisco 7600 SSC-400.
• The Cisco 7600 SSC-400 is not Route Processor Redundancy Plus (RPR+) or Stateful Switchover
(SSO) aware. As a result, the Cisco 7600 SSC-400 will reset if RPR+ or SSO is configured.
• As of Cisco IOS Release 12.2(33)SRA, the SPA-IPSEC-2G IPSec VPN SPA is only supported on a
Cisco 7600 series router using a Supervisor Engine 720 (MSFC3 and PFC3) with a minimum of 512
MB memory or a Supervisor Engine 32. For a list of the Supervisor Engine support for each release,
see Table 24-7 on page 24-20.
Note The IPSec VPN SPA MSFC DRAM requirements are as follows:
– Up to 8,000 tunnels with 512-MB DRAM
– Up to 16,000 tunnels with 1-GB DRAM
These numbers are chosen to leave some memory available for routing protocols and other
applications. However, your particular use of the MSFC may demand more memory than the
quantities that are listed above. In an extreme case, you could have one tunnel but still
require 512-MB DRAM for other protocols and applications running on the MSFC.
• Only the following Cisco 7600 series routers are supported:
– 7603 router (CISCO7603)
– 7604 router (CISCO7604)
– 7606 router (CISCO7606)
– 7609 router (CISCO7609)
– 7609 router (OSR-7609)
– 7613 router (CISCO7613)
Note Supervisor Engine RSP720-10GE is supported only on the 7606 S-Chassis (CISCO7606-S) and is not
supported on the 7606 router (CISCO7606).
• A maximum of 10 IPSec VPN SPAs per chassis are supported.
• As of Cisco IOS Release 12.2(33)SRA, a maximum number of 2000 IPSec tunnels is supported
when PKI is configured with the SPA-IPSEC-2G IPSec VPN SPA.
• TCP ADJUST-MSS is NOT supported on VTI tunnel in Cisco 7600 Release 12.2(33) SRB.
• GRE keepalives are not supported if crypto engine gre vpnblade is configured.
Note In Cisco IOS Release 12.2(18)SXF2 and later releases, the crypto engine subslot command used in
previous releases has been replaced with the crypto engine slot command (of the form crypto engine
slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer supported.
When upgrading, ensure that this command has been modified in your start-up configuration to avoid
extended maintenance time.
• Applying the crypto engine slot outside command on a Port-Channel interface is not supported.
Restrictions for WS-IPSEC-3 IPSEC VSPA
The following restrictions apply to the WS-IPSEC-3 IPSec VSPA on the Cisco 7600:
• The WS-IPSEC-3 IPSec VSPA is supported only on the Cisco 7600 SSC-600 line card.
• The WS-IPSEC-3 IPSec VSPA is available on Cisco IOS Release 15.1(3)S1 or later releases.
• The WS-IPSEC-3 IPSec VSPA is supported only on the SUP 720 3BXL and RSP 720 line cards on
the Cisco 7600 platform.
Supported MIBs
The following MIBs are supported as of Cisco IOS Release 12.2(18)SXE2 for the Cisco 7600 SSC-400
and the SPA-IPSEC-2G IPSec VPN SPA on a Cisco 7600 series router:
• CISCO-IPSEC-FLOW-MONITOR-MIB
Note Gigabit Ethernet port SNMP statistics (for example, ifHCOutOctets and ifHCInOctets) are not provided
for the internal IPSec VPN SPA trunk ports because these ports are not externally operational ports and
are used only for configuration.
For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series
Router MIB Specifications Guide, at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/technical_references/7600_mib_guides/MIB_Guide_ver_6/mibgde6.html
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your
account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify
that your e-mail address is registered with Cisco.com. If the check is successful, account details with a
new random password will be e-mailed to you.
IPSec VPN SPA Hardware Configuration Guidelines
The configuration guidelines for IPSec VPN SPA hardware are as follows:
• For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
• Some CLI commands require you to specify the inside and outside ports of the IPsec VPN Module
in the format slot/subslot/port. Although the IPsec VPN Module ports are not actual Gigabit
Ethernet ports, and do not share all properties of external Gigabit Ethernet interfaces, they can be
addressed for configuration as Gigabit Ethernet trunk ports, using port numbers as follows:
– Port 1—Inside port, attached to interface VLAN
– Port 2—Outside port, attached to port VLAN
For example, to configure the outside port of an IPsec VPN Module in the first subslot (subslot 0) of
a Cisco 7600 SSC-400 in slot 6 of a Cisco 7600 series router, enter the following command:
Router(config)# interface GigabitEthernet6/0/2
• The show crypto engine configuration command does not show the IPSec VPN SPA subslot
number when there is no crypto connection even if the adapter is installed in the chassis.
• When you remove an IPSec VPN SPA that has some ports participating in crypto connections, the
crypto configuration remains intact. When you reinsert the same type of IPSec VPN SPA into the
same slot, the crypto connections will be reestablished. To move the IPSec VPN SPA to a different
slot, you must first manually remove the crypto connections before removing the IPSec VPN SPA.
You can enter the no crypto connect vlan command from any interface when the associated
physical port is removed.
• When you reboot an IPSec VPN SPA that has crypto connections, the existing crypto configuration
remains intact. The crypto connections will be reestablished after the IPSec VPN SPA reboots.
When a crypto connection exists but the associated interface VLAN is missing from the IPSec VPN
SPA inside port, the crypto connection is removed after the IPSec VPN SPA reboots.
• When you remove a port VLAN or an interface VLAN with the no interface vlan command, the
associated crypto connection is also removed.
Displaying the SPA Hardware Type
There are several commands on the Cisco 7600 series router that provide IPSec VPN SPA hardware
information.
• To verify the SPA hardware type that is installed in your router, use the show module command.
• To display hardware information for the IPSec VPN SPA, use the show crypto eli command.
For more information about these commands, see the Cisco 7600 Series Router Command Reference,
12.2SR.
Example of the show module Command
The following example shows output from the show module command on a Cisco 7600 series router
with an IPSec VPN SPA installed in subslot 0 of a Cisco 7600 SSC-400 that is installed in slot 4:
Router# show module 4
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
4 0 2-subslot Services SPA Carrier-400 7600-SSC-400 JAB1104013N
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
4 001a.a1aa.95f0 to 001a.a1aa.962f 2.0 12.2(33)SXH 12.2(33)SXH Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
4/0 2 Gbps IPSec SPA SPA-IPSEC-2G JAB1048075L 1.0 Ok
Mod Online Diag Status
---- -------------------
4 Pass
4/0 Pass
The following is a sample output from the show module command on a Cisco 7600 series router with
a WS-IPSEC-3 IPSec VSPA installed in subslot 1 of a Cisco 7600 SSC-600 that is installed in slot 2:
Router# show module 2
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 0 2-subslot Services SPA Carrier-600 WS-SSC-600 SAL144705A5
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ----- ------------- ------------ -------
2 e05f.b9a1.5b50 to e05f.b9a1.5b57 1.0 15.1(NTLYIND_ 15.1(NTLYIND Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
2/1 IPSec Accelerator 3 WS-IPSEC-3 SAL150353Y7 1.1 Ok
Mod Online Diag Status
---- -------------------
2 Pass
2/1 Pass
Example of the show crypto eli Command
The following example shows output from the show crypto eli command on a Cisco 7600 series router
with IPSec VPN SPAs installed in subslots 0 and 1 of a Cisco 7600 SSC-400 that is installed in slot 3.
The output displays how many IKE-SAs and IPSec sessions are active and how many Diffie-Hellman
keys are in use for each IPSec VPN SPA.
Router# show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 2
CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 0 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 1 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 2 active, 65534 max, 0 failed
Router#
The following is a sample output from the show crypto eli command on a Cisco 7600 series router with
IPSec VSPA installed in subslot 1 of a Cisco 7600-SSC-600 that is installed in slot 2. The output displays
how many IKE-SAs and IPSec sessions are active and how many Diffie-Hellman keys are in use for each
IPSec VSPA.
Router# show crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine WS-IPSEC-3[2/1] details: state = Active
Capability : DES, 3DES, AES, RSA
IKE-Session : 0 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
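The counters in the show crypto eli output can be checked automatically. The following Python parser is an added example, not part of the Cisco guide: it reads the output text and reports engines that are not Active, nonzero failed counters, and usage at or above a threshold. The sample text is constructed in the guide's format, and the function names and the 80 percent threshold are assumptions.

```python
import re

# Constructed sample in the format of the guide's SPA-IPSEC-2G output; the
# counters for engine 3/1 are invented so the checks have something to find.
SAMPLE_OUTPUT = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 2
CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 0 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 15000 active, 16383 max, 4 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 2 active, 65534 max, 0 failed
"""

DECLARED = re.compile(r"Number of hardware crypto engines = (\d+)")
ENGINE = re.compile(r"CryptoEngine (\S+)\[(\d+)/(\d+)\] details: state = (\w+)")
COUNTER = re.compile(
    r"(IKE-Session|DH|IPSec-Session)\s*:\s*(\d+) active, (\d+) max, (\d+) failed")


def parse_eli(text):
    """Return (declared engine count, list of engine dicts) from the output."""
    declared, engines = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := DECLARED.match(line):
            declared = int(m.group(1))
        elif m := ENGINE.match(line):
            engines.append({"model": m.group(1),
                            "slot": f"{m.group(2)}/{m.group(3)}",
                            "state": m.group(4), "counters": {}})
        elif (m := COUNTER.match(line)) and engines:
            active, limit, failed = map(int, m.group(2, 3, 4))
            engines[-1]["counters"][m.group(1)] = {
                "active": active, "max": limit, "failed": failed}
    return declared, engines


def review(text, threshold=0.8):
    """Return (slot, message) findings that deserve an operator's attention."""
    declared, engines = parse_eli(text)
    findings = []
    if declared is not None and declared != len(engines):
        findings.append(
            ("chassis", f"{declared} engines declared, {len(engines)} listed"))
    for engine in engines:
        slot = engine["slot"]
        if engine["state"] != "Active":
            findings.append((slot, f"state is {engine['state']}"))
        for name, c in engine["counters"].items():
            if c["failed"]:
                findings.append((slot, f"{name}: {c['failed']} failed"))
            if c["max"] and c["active"] / c["max"] >= threshold:
                findings.append((slot, f"{name}: {c['active']}/{c['max']} in use"))
    return findings


if __name__ == "__main__":
    for slot, message in review(SAMPLE_OUTPUT):
        print(f"{slot}: {message}")
```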
CHAPTER 25
Configuring VPNs in Crypto-Connect Mode
This chapter provides information about configuring IPSec VPNs in crypto-connect mode, one of the
two VPN configuration modes supported by the IPSec VPN SPA. For information on the other VPN
mode, Virtual Routing and Forwarding (VRF) mode, see Chapter 26, “Configuring VPNs in VRF
Mode.”
This chapter includes the following topics:
• Configuring Ports in Crypto-Connect Mode, page 25-2
• Configuring GRE Tunneling in Crypto-Connect Mode, page 25-21
• Configuration Examples, page 25-28
For general information on configuring IPSec VPNs with the IPSec VPN SPA, see the “Overview of
Basic IPSec and IKE Configuration Concepts” section on page 24-5.
Note The procedures in this chapter assume you have familiarity with security configuration concepts, such
as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For
detailed information on configuring these features, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
For additional information about the commands used in this chapter, see the Cisco IOS Software
Releases 12.2SR Command References and the Cisco IOS Software Releases 12.2SX Command
References. Also refer to the related Cisco IOS Release 12.2 software command reference and master
index publications. For more information about accessing these publications, see the “Related
Documentation” section on page xlvii.
Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Configuring Ports in Crypto-Connect Mode
Before beginning your crypto-connect mode port configurations, you should read the following
subsections:
• Understanding Port Types in Crypto-Connect Mode, page 25-2
• Crypto-Connect Mode Configuration Guidelines and Restrictions, page 25-5
Then perform the procedures in the following subsections:
• Configuring the IPSec VPN SPA Inside Port and Outside Port, page 25-7
• Configuring an Access Port, page 25-8
• Configuring a Routed Port, page 25-11
• Configuring a Trunk Port, page 25-15
• Configuring IPSec VPN SPA Connections to WAN Interfaces, page 25-20
• Displaying the VPN Running State, page 25-21
Note The configuration procedures in this section do not provide GRE tunneling support. For information on
how to configure GRE tunneling support in crypto-connect mode, see the “Configuring GRE Tunneling
in Crypto-Connect Mode” section on page 25-21.
Note The procedures in this section do not provide detailed information on configuring the following Cisco
IOS features: IKE policies, preshared key entries, Cisco IOS ACLs, and crypto maps. For detailed
information on configuring these features, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Understanding Port Types in Crypto-Connect Mode
To configure IPSec VPNs in crypto-connect mode, you should understand the following concepts:
• Router Outside Ports and Inside Ports, page 25-3
• IPSec VPN SPA Outside Port and Inside Port, page 25-3
• Port VLAN and Interface VLAN, page 25-3
• Access Ports, Trunk Ports, and Routed Ports, page 25-4
Router Outside Ports and Inside Ports
The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the WAN
routers are referred to as router outside ports. These ports connect the LAN to the Internet or to remote
sites. Cryptographic policies are applied to the router outside ports.
The Fast Ethernet or Gigabit Ethernet ports on the Cisco 7600 series router that connect to the LAN are
referred to as router inside ports.
The IPSec VPN SPA sends encrypted packets to the router outside ports and decrypted packets to the
Policy Feature Card (PFC) for Layer 3 forwarding to the router inside ports.
IPSec VPN SPA Outside Port and Inside Port
The IPSec VPN SPA appears to the CLI as a SPA with two Gigabit Ethernet ports. The IPSec VPN SPA
has no external connectors; the Gigabit Ethernet ports connect the IPSec VPN SPA to the router
backplane and Switch Fabric Module (SFM) (if installed).
One Gigabit Ethernet port handles all the traffic going to and coming from the router outside ports. This
port is referred to as the IPSec VPN SPA outside port. The other Gigabit Ethernet port handles all traffic
going to and coming from the LAN or router inside ports. This port is referred to as the IPSec VPN SPA
inside port.
Port VLAN and Interface VLAN
Your VPN configuration can have one or more router outside ports. To handle the packets from multiple
router outside ports, you must direct the packets from multiple router outside ports to the IPSec VPN
SPA outside port by placing the router outside ports in a VLAN with the outside port of the IPSec VPN
SPA. This VLAN is referred to as the port VLAN. The port VLAN is a Layer 2-only VLAN. You do not
configure Layer 3 addresses or features on this VLAN; the packets within the port VLAN are bridged
by the PFC.
Before the router can forward the packets using the correct routing table entries, the router needs to know
which interface a packet was received on. For each port VLAN, you must create another VLAN so that
the packets from every router outside port are presented to the router with the corresponding VLAN ID.
This VLAN contains only the IPSec VPN SPA inside port and is referred to as the interface VLAN. The
interface VLAN is a Layer 3-only VLAN. You configure the Layer 3 address and Layer 3 features, such
as ACLs and the crypto map, to the interface VLAN.
You associate the port VLAN and the interface VLAN together using the crypto engine slot command
on the interface VLAN followed by the crypto connect vlan command on the port VLAN. Figure 25-1
shows an example of the port VLAN and interface VLAN configurations.
Figure 25-1 Port VLAN and Interface VLAN Configuration Example
Port VLAN 502 and port VLAN 503 are the port VLANs that are associated with two router outside
ports.
Interface VLAN 2 and interface VLAN 3 are the interface VLANs that correspond to port VLAN 502
and port VLAN 503, respectively.
You configure the IP address, ACLs, and crypto map that apply to one router outside port on interface
VLAN 2. You configure the features that apply to another router outside port on interface VLAN 3.
Packets coming from the WAN through the router outside port belonging to VLAN 502 are directed by
the PFC to the IPSec VPN SPA outside port. The IPSec VPN SPA decrypts the packets and changes the
VLAN to interface VLAN 2 and then presents the packet to the router through the IPSec VPN SPA inside
port. The PFC then routes the packet to the proper destination.
Packets going from the LAN to the outside ports are first routed by the PFC. Based on the route, the PFC
routes the packets to one of the interface VLANs and directs the packet to the IPSec VPN SPA inside
port. The IPSec VPN SPA applies the cryptographic policies that are configured on the corresponding
interface VLAN, encrypts the packet, changes the VLAN ID to the corresponding port VLAN, and sends
the packet to the router outside port through the IPSec VPN SPA outside port.
Access Ports, Trunk Ports, and Routed Ports
When you configure VPNs on the IPSec VPN SPA using crypto-connect mode, you attach crypto maps
to interface VLANs. Using the crypto connect vlan command, you then attach an interface VLAN either
to a Layer 2 port VLAN associated with one or more physical ports, or directly to a physical port. The
physical ports can be ATM, POS, serial, or Ethernet ports.
When you crypto-connect an interface VLAN to a port VLAN that is attached to one or more Ethernet
ports configured in switchport mode, the Ethernet ports can be configured as either access ports or trunk
ports:
• Access ports—Access ports are switch ports that have an external or VLAN Trunk Protocol (VTP)
VLAN associated with them. You can associate more than one port to a defined VLAN.
• Trunk ports—Trunk ports are switch ports that carry many external or VTP VLANs, on which all
packets are encapsulated with an 802.1Q header.
When you crypto-connect an interface VLAN to a physical Ethernet port without defining a port VLAN,
a hidden port VLAN is automatically created and associated with the port. In this configuration, the
Ethernet port is a routed port:
• Routed ports—By default, every Ethernet port is a routed port until it is configured as a switch port.
A routed port may or may not have an IP address assigned to it, but its configuration does not include
the switchport command.
Crypto-Connect Mode Configuration Guidelines and Restrictions
Follow these guidelines and restrictions to prevent IPSec VPN SPA misconfigurations when configuring
VPN ports in crypto-connect mode:
• Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.
• When attaching a crypto VLAN to an outside port VLAN or to a physical interface with the
crypto connect vlan command, do not apply Layer 3 configurations to that physical interface or
port VLAN.
Note Layer 3 configurations (for example, IP address, PIM, et alia) are supported only on the crypto
VLAN interface. For WAN PPP and MLPPP interfaces, the ip unnumbered Null0 command is
added automatically to the interface configuration for internal Cisco purposes.
• Removing a line in a crypto ACL causes all crypto maps using that ACL to be removed and
reattached to the IPSec VPN SPA. This action causes intermittent connectivity problems for all the
security associations (SAs) derived from the crypto maps that reference that ACL.
• Do not attach a crypto map set to a loopback interface. However, you can maintain an IPSec security
association database independent of physical ingress and egress interfaces with the IPSec VPN SPA
by entering the crypto map local-address command.
If you apply the same crypto map set to each secure interface and enter the crypto map
local-address command with the interface as a loopback interface, you will have a single security
association database for the set of secure interfaces. If you do not enter the crypto map
local-address command, the number of IKE security associations is equal to the number of
interfaces attached.
• You can attach the same crypto map to multiple interfaces only if the interfaces are all bound to the
same crypto engine.
• If you configure a crypto map with an empty ACL (an ACL that is defined but has no lines) and
attach the crypto map to an interface, all traffic goes out of the interface in the clear (unencrypted)
state.
• Do not convert existing crypto-connected port characteristics. When the characteristics of a
crypto-connected access port or a routed port change (switch port to routed port or vice versa), the
associated crypto connection is deleted.
• Do not remove the interface VLAN or port VLAN from the VLAN database. All interface VLANs
and port VLANs must be in the VLAN database. When you remove these VLANs from the VLAN
database, the running traffic stops.
When you enter the crypto connect vlan command and the interface VLAN or port VLAN is not in
the VLAN database, this warning message is displayed:
VLAN id 2 not found in current VLAN database. It may not function correctly unless
VLAN 2 is added to VLAN database.
• When replacing a crypto map on an interface, always enter the no crypto map command before
reapplying a crypto map on the interface.
• Inbound and outbound traffic for the same tunnel must use the same outside interface. Asymmetric
routing, in which encrypted traffic uses a different outside interface than decrypted traffic for the
same tunnel, is not supported.
• After a supervisor engine switchover, the installed SPAs reboot and come back online. During this
period, the IPSec VPN SPA’s established security associations (SAs) are temporarily lost and are
reconstructed after the SPA comes back online. The reconstruction is through IKE (it is not
instantaneous).
• Crypto ACLs support only the EQ operator. Other operators, such as GT, LT, and NEQ, are not
supported.
• Noncontiguous subnets in a crypto ACL, as in the following example, are not supported:
deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
deny ip 10.0.5.0 0.255.0.255 10.0.176.0 0.255.0.255
• ACL counters are not supported for crypto ACLs.
• An egress ACL is not applied to packets generated by the route processor. An ingress ACL is not
applied to packets destined for the route processor.
• Do not apply an IP ACL to the crypto-connect interface or port VLAN. Instead, you can apply IP
ACLs to the interface VLAN, as in the following example:
interface GigabitEthernet1/2
 ! switch outside port
 switchport
 switchport access vlan 502
 switchport mode access
 ip access-group TEST_INBOUND in <--- do not apply IP ACL here
!
interface Vlan2
 ! interface VLAN
 ip address 11.0.0.2 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
 ip access-group TEST_INBOUND in <--- apply IP ACL here
!
interface Vlan502
 ! port VLAN
 no ip address
 crypto connect vlan 2
 ip access-group TEST_INBOUND in <--- do not apply IP ACL here
!
Note An IP ACL on the interface VLAN will not block inbound encrypted traffic from reaching the
VSPA, but can prevent traffic from being routed further after decryption.
• In Cisco IOS Release 12.2(33)SXF and earlier releases, IPsec can be configured with manual keying
instead of IKE. If you configure manual keying, you must configure SPI to be greater than 4096.
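Several of the restrictions above can be checked mechanically before a configuration is loaded. The following Python audit is an added example, not Cisco code or part of the original guide: it flags a crypto map on a loopback, an IP ACL on a crypto-connect port or port VLAN, crypto ACL entries with noncontiguous wildcards or operators other than EQ, and a crypto ACL with no lines. The sample configuration, the finding names and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (not from the guide); it breaks several guidelines on purpose.
SAMPLE_CONFIG = """\
crypto map testtag 10 ipsec-isakmp
 match address 101
crypto map testtag 20 ipsec-isakmp
 match address EMPTY_ACL
access-list 101 deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
access-list 101 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 gt 1023
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.5 eq 443
ip access-list extended EMPTY_ACL
interface Loopback0
 crypto map testtag
interface GigabitEthernet1/2
 switchport
 switchport access vlan 502
 ip access-group TEST_INBOUND in
interface Vlan2
 crypto map testtag
 crypto engine slot 4/0
 ip access-group TEST_INBOUND in
interface Vlan502
 crypto connect vlan 2
 ip access-group TEST_INBOUND in
"""


def parse_stanzas(text):
    """Split an IOS-style config into (header, [indented child lines])."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def has(body, prefix):
    return any(line.startswith(prefix) for line in body)


def check_ace(tokens):
    """Check one ACE, tokens starting at permit/deny; return problem codes."""
    problems, i = [], 2                         # skip action and protocol
    for _side in ("source", "destination"):
        if tokens[i] in ("any", "host"):
            i += 1 if tokens[i] == "any" else 2
        else:
            w = int(ipaddress.IPv4Address(tokens[i + 1]))
            if w & (w + 1):                     # don't-care bits are not one low-order run
                problems.append("NONCONTIGUOUS_WILDCARD")
            i += 2
        if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq", "range"):
            if tokens[i] != "eq":
                problems.append("UNSUPPORTED_OPERATOR")
            i += 3 if tokens[i] == "range" else 2
    return problems


def audit(text):
    """Return sorted (finding, interface or ACL name) pairs."""
    stanzas = parse_stanzas(text)
    aces, crypto_acls, port_vlans, findings = {}, set(), set(), set()
    for header, body in stanzas:                # pass 1: collect facts
        w = header.split()
        if w[0] == "access-list" and w[2] in ("permit", "deny"):
            aces.setdefault(w[1], []).append(w[2:])
        elif w[:3] == ["ip", "access-list", "extended"]:
            aces[w[3]] = [ln.split() for ln in body if ln.startswith(("permit", "deny"))]
        elif w[:2] == ["crypto", "map"]:
            crypto_acls |= {ln.split()[2] for ln in body
                            if ln.startswith("match address ")}
        elif w[0] == "interface" and has(body, "crypto connect vlan "):
            port_vlans.add(w[1].removeprefix("Vlan"))   # "Vlan502" -> "502"
    for header, body in stanzas:                # pass 2: interface guidelines
        w = header.split()
        if w[0] != "interface":
            continue
        on_port_vlan = any(ln.startswith("switchport access vlan ")
                           and ln.split()[-1] in port_vlans for ln in body)
        if w[1].lower().startswith("loopback") and has(body, "crypto map "):
            findings.add(("CRYPTO_MAP_ON_LOOPBACK", w[1]))
        if has(body, "ip access-group ") and (
                on_port_vlan or has(body, "crypto connect vlan ")):
            findings.add(("IP_ACL_ON_CRYPTO_CONNECT_PORT", w[1]))
    for acl in crypto_acls:                     # pass 3: ACLs used by crypto maps
        if not aces.get(acl):
            findings.add(("EMPTY_CRYPTO_ACL", acl))   # traffic would leave in the clear
        for tokens in aces.get(acl, []):
            findings.update((code, acl) for code in check_ace(tokens))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The IP ACL on Vlan2 is not reported, because the interface VLAN is where the guide says the ACL belongs.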
Supported and Unsupported Features in Crypto-Connect Mode
A list of the supported and unsupported features in crypto-connect mode can be found in the “IPSec
Feature Support” section on page 24-8.
Configuring the IPSec VPN SPA Inside Port and Outside Port
In most cases, you do not explicitly configure the IPSec VPN SPA inside and outside ports. Cisco IOS
software configures these ports automatically.
IPSec VPN SPA Inside and Outside Port Configuration Guidelines and Restrictions
When configuring the IPSec VPN SPA inside and outside ports, follow these guidelines:
• Do not change the port characteristics of the IPSec VPN SPA inside or outside port unless it is
necessary to set the trusted state. Cisco IOS software configures the ports automatically.
Note Although the default trust state of the inside port is trusted, certain global settings may cause
the state to change. To preserve the ToS bytes for VPN traffic in both directions, configure
the mls qos trust command on both the inside and outside ports to set the interface to the
trusted state. For information on the mls qos trust command, see the “Configuring QoS on
the SPA-IPSEC-2G IPSEC VPN SPA” section on page 29-15.
If you accidentally change the inside port characteristics, enter the following commands to return
the port characteristics to the defaults:
Router(config-if)# switchport
Router(config-if)# no switchport access vlan
Router(config-if)# switchport trunk allowed vlan 1,1002-1005
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# mtu 9216
Router(config-if)# flowcontrol receive on
Router(config-if)# flowcontrol send off
Router(config-if)# span portfast trunk
• Do not configure allowed VLANs on the inside trunk port. Cisco IOS software configures the VLAN
list on the inside port automatically based on the crypto engine slot command. These VLANs are
visible in the port configuration using the show run command.
• Do not configure allowed VLANs on the outside trunk port. Cisco IOS software configures these
VLANs automatically as hidden VLANs. These VLANs are not visible in the port configuration
using the show run command.
• Do not remove a VLAN from the IPSec VPN SPA inside port. The running traffic stops when you
remove an interface VLAN from the IPSec VPN SPA inside port while the crypto connection to the
interface VLAN exists. The crypto connection is not removed and the crypto connect vlan
command still shows up in the show running-config command display. If you enter the write
memory command with this running configuration, your startup-configuration file would be
misconfigured.
Note It is not possible to remove an interface VLAN from the IPSec VPN SPA inside port while
the crypto connection to the interface VLAN exists. You must first remove the crypto
connection.
• Do not remove a VLAN from the IPSec VPN SPA outside port. The running traffic stops when you
remove a port VLAN from the IPSec VPN SPA outside port while the crypto connection to the
interface VLAN exists. The crypto connection is not removed and the crypto connect vlan
command still shows up in the show running-config command display. Removing a VLAN from
the IPSec VPN SPA outside port does not affect anything in the startup-configuration file because
the port VLAN is automatically added to the IPSec VPN SPA outside port when the crypto connect
vlan command is entered.
Configuring an Access Port
This section describes how to configure the IPSec VPN SPA with an access port connection to the WAN
router (see Figure 25-2).
Note Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.
Figure 25-2 Access Port Configuration Example
[Figure labels: GigabitEthernet 1/2, WAN interface access port; port VLAN 502; crypto-connect VLAN 2; interface VLAN 2, 192.168.100.254; MSFC/PFC; IPSec VPN SPA in slot 4 subslot 0 with outside port Gi4/0/2 and inside port Gi4/0/1]
To configure an access port connection to the WAN router, perform the following task beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP
policy configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
For details on configuring an ISAKMP policy, see
the Cisco IOS Security Configuration Guide.
Step 2 Router(config)# crypto isakmp key keystring address
peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the
Cisco IOS Security Configuration Guide.
Step 3 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
For accepted transformx values, and more details on
configuring transform sets, see the Cisco IOS
Security Command Reference.
Step 4 Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• source—Address of the host from which the
packet is being sent.
• source-wildcard—Wildcard bits to be applied to
the source address.
• destination—Address of the host to which the
packet is being sent.
• destination-wildcard—Wildcard bits to be
applied to the destination address.
For details on configuring an access list, see the
Cisco IOS Security Configuration Guide.
Step 5 Router(config)# crypto map map-name seq-number
ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a crypto map entry and enters
the crypto map configuration mode.
• map-name—Name that identifies the crypto
map set.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
For details on configuring a crypto map, see the
Cisco IOS Security Configuration Guide.
Step 6 Router(config)# vlan inside-vlan-id Adds the VLAN ID into the VLAN database.
• inside-vlan-id—VLAN identifier.
Step 7 Router(config)# vlan outside-vlan-id Adds the VLAN ID into the VLAN database.
• outside-vlan-id—VLAN identifier.
Step 8 Router(config)# interface vlan inside-vlan-id Enters interface configuration mode for the
specified VLAN interface.
• inside-vlan-id—VLAN identifier.
Step 9 Router(config-if)# description
inside_interface_vlan_for_crypto_map
(Optional) Adds a comment to help identify the
interface.
Step 10 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 11 Router(config-if)# crypto map map-name Applies a previously defined crypto map set to the
interface.
• map-name—Name that identifies the crypto
map set. Enter the map-name value you created
in Step 5.
Step 12 Router(config-if)# no shutdown Enables the interface as a Layer 3 inside interface
VLAN.
Step 13 Router(config-if)# crypto engine slot slot/subslot Assigns the crypto engine to the crypto interface
VLAN.
• slot/subslot—Enter the slot and subslot where
the IPSec VPN SPA is located.
Step 14 Router(config)# interface vlan outside-vlan-id Enters interface configuration mode for the
specified VLAN interface.
• outside-vlan-id—VLAN identifier.
Step 15 Router(config-if)# description outside_access_vlan (Optional) Adds a comment to help identify the
interface.
Step 16 Router(config-if)# no shutdown Enables the interface as an outside access port
VLAN.
Step 17 Router(config-if)# crypto connect vlan
inside-vlan-id
Connects the outside access port VLAN to the inside
interface VLAN and enters crypto-connect mode.
• inside-vlan-id—VLAN identifier.
Step 18 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the secure
port.
Step 19 Router(config-if)# description outside_secure_port (Optional) Adds a comment to help identify the
interface.
Step 20 Router(config-if)# switchport Configures the interface for Layer 2 switching.
Step 21 Router(config-if)# switchport access vlan
outside-vlan-id
Specifies the default VLAN for the interface.
• outside-vlan-id—VLAN identifier.
Step 22 Router(config-if)# exit Exits interface configuration mode.
For access port configuration examples, see the “Access Port in Crypto-Connect Mode Configuration
Example” section on page 25-29.
Verifying the Access Port Configuration
To verify an access port configuration, enter the show crypto vlan command.
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 502 with crypto
map set MyMap
Configuring a Routed Port
This section describes how to configure the IPSec VPN SPA with a routed port connection to the WAN
router (see Figure 25-3).
Note When a routed port without an IP address is crypto-connected to an interface VLAN, a hidden port
VLAN is created automatically. This port VLAN is not explicitly configured by the user and does not
appear in the running configuration.
Figure 25-3 Routed Port Configuration Example
[Figure labels: GigabitEthernet 1/2, WAN interface routed port; crypto-connect VLAN 2; port VLAN; interface VLAN 2, 192.168.100.254; MSFC/PFC; IPSec VPN SPA in slot 4 subslot 0 with outside port Gi4/0/2 and inside port Gi4/0/1]
Routed Port Configuration Guidelines
When configuring a routed port using the IPSec VPN SPA, follow these configuration guidelines:
• When a routed port has a crypto connection, IP ACLs cannot be attached to the routed port. Instead,
you can apply IP ACLs to the attached interface VLAN.
• Unlike an access port or trunk port, the routed port does not use the switchport command in its
configuration.
To configure a routed port connection to the WAN router, perform this task beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP
policy configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
For details on configuring an ISAKMP policy, see
the Cisco IOS Security Configuration Guide.
Step 2 Router(config)# crypto isakmp key keystring address
peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the
Cisco IOS Security Configuration Guide.
Step 3 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
For accepted transformx values, and more details on
configuring transform sets, see the Cisco IOS
Security Command Reference.
Step 4 Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• source—Address of the host from which the
packet is being sent.
• source-wildcard—Wildcard bits to be applied to
the source address.
• destination—Address of the host to which the
packet is being sent.
• destination-wildcard—Wildcard bits to be
applied to the destination address.
For details on configuring an access list, see the
Cisco IOS Security Configuration Guide.
Step 5 Router(config)# crypto map map-name seq-number
ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a crypto map entry and enters
the crypto map configuration mode.
• map-name—Name that identifies the crypto
map set.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
For details on configuring a crypto map, see the
Cisco IOS Security Configuration Guide.
Step 6 Router(config)# vlan inside-vlan-id Adds the VLAN ID into the VLAN database.
• inside-vlan-id—VLAN identifier.
Step 7 Router(config)# interface vlan inside-vlan-id Enters interface configuration mode for the
specified VLAN interface.
• inside-vlan-id—VLAN identifier.
Step 8 Router(config-if)# description
inside_interface_vlan_for_crypto_map
(Optional) Adds a comment to help identify the
interface.
Step 9 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 10 Router(config-if)# crypto map map-name Applies a previously defined crypto map set to the
interface.
• map-name—Name that identifies the crypto
map set. Enter the map-name value you created
in Step 5.
Step 11 Router(config-if)# no shutdown Enables the interface as a Layer 3 crypto interface
VLAN.
Step 12 Router(config-if)# crypto engine slot slot/subslot Assigns the crypto engine to the crypto interface
VLAN.
• slot/subslot—Enter the slot and subslot where
the IPSec VPN SPA is located.
Step 13 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the secure
port.
Step 14 Router(config-if)# description outside_secure_port (Optional) Adds a comment to help identify the
interface.
Step 15 Router(config-if)# crypto connect vlan
inside-vlan-id
Connects the routed port to the crypto interface
VLAN and enters crypto-connect mode.
• inside-vlan-id—VLAN identifier.
Step 16 Router(config-if)# exit Exits interface configuration mode.
For routed port configuration examples, see the “Routed Port in Crypto-Connect Mode Configuration
Example” section on page 25-31.
Verifying a Routed Port Configuration
To verify a routed port configuration, enter the show crypto vlan command. In the following example,
Gi1/2 is the crypto-connected port:
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Gi1/2 with crypto map
set MyMap
Configuring a Trunk Port
Caution When you configure an Ethernet port as a trunk port, all the VLANs are allowed on the trunk port by
default. This default configuration does not work well with the IPSec VPN SPA and causes network
loops. To avoid this problem, you must explicitly specify only the desirable VLANs.
This section describes how to configure the IPSec VPN SPA with a trunk port connection to the WAN
router (see Figure 25-4).
Note Ethernet ports installed in a Cisco 7600 SIP-400 in the chassis cannot be configured as switch ports.
Figure 25-4 Trunk Port Configuration Example
[Figure labels: GigabitEthernet 1/2, WAN interface trunk port; port VLAN 502; crypto-connect VLAN 2; interface VLAN 2, 192.168.100.254; MSFC/PFC; IPSec VPN SPA in slot 4 subslot 0 with outside port Gi4/0/2 and inside port Gi4/0/1]
Trunk Port Configuration Guidelines
When configuring a trunk port using the IPSec VPN SPA, follow these configuration guidelines:
• When you configure a trunk port for cryptographic connection, do not use the “all VLANs allowed”
default. You must explicitly specify all the desirable VLANs using the switchport trunk allowed
vlan command.
• Due to an incorrect startup configuration or through the default trunk port configuration, an interface
VLAN might be associated with a trunk port. When you try to remove the interface VLAN from the
VLAN list, you might receive an error message similar to the following:
Command rejected:VLAN 2 is crypto connected to V502.
To remove the interface VLAN from the VLAN list, enter the following commands:
Router# configure terminal
Router(config)# interface gigabitethernet1/2
Router(config-if)# no switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1,502,1002-1005
Note VLANs in the VLAN list must not include any interface VLANs.
• To ensure that no interface VLANs are associated when you put an Ethernet port into the trunk
mode, enter the following commands in the exact order given:
Router# configure terminal
Router(config)# interface gigabitethernet1/2
Router(config-if)# no shut
Router(config-if)# switchport
Router(config-if)# switchport trunk allowed vlan 1
Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allowed vlan 1,502,1002-1005
Note VLANs in the VLAN list must not include any interface VLANs.
• A common mistake when configuring a trunk port occurs when you use the add option as follows:
Router(config-if)# switchport trunk allowed vlan add 502
If the switchport trunk allowed vlan command has not already been used, the add option does not
make VLAN 502 the only allowed VLAN on the trunk port; all VLANs are still allowed after
entering the command because all the VLANs are allowed by default. After you use the switchport
trunk allowed vlan command to add a VLAN, you can then use the switchport trunk allowed vlan
add command to add additional VLANs.
• To remove unwanted VLANs from a trunk port, use the switchport trunk allowed vlan remove
command.
Caution Do not enter the switchport trunk allowed vlan all command on a secured trunk port. In addition, do
not set the IPSec VPN SPA inside and outside ports to “all VLANs allowed.”
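The effect of command order on the allowed-VLAN list can be replayed offline. The following Python model is an added example, not Cisco code or part of the original guide: it applies switchport trunk allowed vlan commands in the order entered, starting from the all-VLANs default, and reports when the result is still "all VLANs allowed" or contains an interface VLAN. It models only the plain list, add, remove and all forms used in this section; the sample configuration, the remove list in the third sequence and the finding names are assumptions.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))      # trunk default: VLANs 1-4094 allowed
PREFIX = "switchport trunk allowed vlan "

# Constructed sample: VLAN 2 is the interface VLAN, VLAN 502 the port VLAN.
SAMPLE_CONFIG = """\
interface Vlan2
 ip address 192.168.100.254 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
!
interface Vlan502
 no ip address
 crypto connect vlan 2
"""

# The common mistake described above: "add" entered on a default trunk.
ADD_ONLY = ["switchport", "switchport trunk encapsulation dot1q",
            "switchport mode trunk", "switchport trunk allowed vlan add 502"]
# The order given in the guidelines above.
GUIDE_ORDER = ["switchport", "switchport trunk allowed vlan 1",
               "switchport trunk encapsulation dot1q", "switchport mode trunk",
               "switchport trunk allowed vlan 1,502,1002-1005"]
# Remove first, then add; the remove list is a constructed value.
REMOVE_THEN_ADD = ["switchport", "switchport mode trunk",
                   "switchport trunk allowed vlan remove 2-1001,1006-4094",
                   "switchport trunk allowed vlan add 502"]


def parse_vlan_list(spec):
    """'1,502,1002-1005' -> {1, 502, 1002, 1003, 1004, 1005}"""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def format_vlan_list(vlans):
    """Inverse of parse_vlan_list: collapse consecutive IDs into ranges."""
    out, ids, i = [], sorted(vlans), 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(out)


def replay_allowed_vlans(commands):
    """Apply the commands entered on one trunk port, in order."""
    allowed = set(ALL_VLANS)               # nothing entered yet: all allowed
    for command in commands:
        command = command.strip()
        if not command.startswith(PREFIX):
            continue
        args = command[len(PREFIX):].split()
        if args[0] == "all":
            allowed = set(ALL_VLANS)
        elif args[0] == "add":
            allowed |= parse_vlan_list(args[1])
        elif args[0] == "remove":
            allowed -= parse_vlan_list(args[1])
        else:                              # a plain list replaces the whole set
            allowed = parse_vlan_list(args[0])
    return allowed


def interface_vlans(config):
    """IDs of 'interface VlanN' stanzas that carry 'crypto engine slot'."""
    stanzas = re.findall(r"^interface Vlan(\d+)\n((?:[ \t]+.*\n?)*)", config, re.M)
    return {int(vlan) for vlan, body in stanzas if "crypto engine slot" in body}


def audit_trunk(commands, config):
    """Return (allowed VLAN list as text, findings) for one trunk port."""
    allowed = replay_allowed_vlans(commands)
    findings = []
    if allowed == ALL_VLANS:
        findings.append("ALL_VLANS_ALLOWED")
    for vlan in sorted(allowed & interface_vlans(config)):
        findings.append(f"INTERFACE_VLAN_ON_TRUNK:{vlan}")
    return format_vlan_list(allowed), findings


if __name__ == "__main__":
    for name, seq in (("add only", ADD_ONLY), ("guide order", GUIDE_ORDER),
                      ("remove then add", REMOVE_THEN_ADD)):
        print(name, audit_trunk(seq, SAMPLE_CONFIG))
```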
To configure a trunk port connection to the WAN router, perform this task beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP
policy configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
For details on configuring an ISAKMP policy, see
the Cisco IOS Security Configuration Guide.
Step 2 Router(config)# crypto isakmp key keystring address
peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the
Cisco IOS Security Configuration Guide.
Step 3 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
For accepted transformx values, and more details on
configuring transform sets, see the Cisco IOS
Security Command Reference.
Step 4 Router(config)# access-list access-list-number {deny | permit} ip source source-wildcard destination destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• source—Address of the host from which the
packet is being sent.
• source-wildcard—Wildcard bits to be applied to
the source address.
• destination—Address of the host to which the
packet is being sent.
• destination-wildcard—Wildcard bits to be
applied to the destination address.
For details on configuring an access list, see the
Cisco IOS Security Configuration Guide.
Step 5 Router(config)# crypto map map-name seq-number
ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a crypto map entry and enters
the crypto map configuration mode.
• map-name—Name that identifies the crypto
map set.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
For details on configuring a crypto map, see the
Cisco IOS Security Configuration Guide.
Step 6 Router(config)# vlan inside-vlan-id Adds the VLAN ID into the VLAN database.
• inside-vlan-id—VLAN identifier.
Step 7 Router(config)# vlan outside-vlan-id Adds the VLAN ID into the VLAN database.
• outside-vlan-id—VLAN identifier.
Step 8 Router(config)# interface vlan inside-vlan-id Enters interface configuration mode for the
specified VLAN interface.
• inside-vlan-id—VLAN identifier.
Step 9 Router(config-if)# description
inside_interface_vlan_for_crypto_map
(Optional) Adds a comment to help identify the
interface.
Step 10 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 11 Router(config-if)# crypto map map-name Applies a previously defined crypto map set to the
interface.
• map-name—Name that identifies the crypto
map set. Enter the map-name value you created
in Step 5.
Step 12 Router(config-if)# no shutdown Enables the interface as a Layer 3 crypto interface
VLAN.
Step 13 Router(config-if)# crypto engine slot slot/subslot Assigns the crypto engine to the crypto interface
VLAN.
• slot/subslot—Enter the slot and subslot where
the IPSec VPN SPA is located.
Step 14 Router(config)# interface vlan outside-vlan-id Adds the specified VLAN interface as an outside
trunk port VLAN and enters interface configuration
mode for the specified VLAN interface.
• outside-vlan-id—VLAN identifier.
Step 15 Router(config-if)# description
outside_trunk_port_vlan
(Optional) Adds a comment to help identify the
interface.
Step 16 Router(config-if)# crypto connect vlan
inside-vlan-id
Connects the outside trunk port VLAN to the inside
(crypto) interface VLAN and enters crypto-connect
mode.
• inside-vlan-id—VLAN identifier.
Step 17 Router(config-if)# no shutdown Enables the interface as a Layer 3 crypto interface
VLAN.
Step 18 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the secure
port.
Step 19 Router(config-if)# description outside_secure_port (Optional) Adds a comment to help identify the
interface.
Step 20 Router(config-if)# switchport Configures the interface for Layer 2 switching.
Step 21 Router(config-if)# no switchport access vlan Resets the access VLAN to the appropriate default
VLAN for the device.
Step 22 Router(config-if)# switchport trunk encapsulation
dot1q
Sets the trunk encapsulation to 802.1Q.
Step 23 Router(config-if)# switchport mode trunk Specifies a trunk VLAN Layer 2 interface.
Step 24 Router(config-if)# switchport trunk allowed vlan
remove vlan-list
Removes the specified list of VLANs from those
currently set to transmit from this interface.
vlan-list—List of VLANs that transmit the interface
in tagged format when in trunking mode. Valid
values are from 1 to 4094.
Step 25 Router(config-if)# switchport trunk allowed vlan add
outside-vlan-id
Adds the specified VLAN to the list of VLANs
currently set to transmit from this interface.
outside-vlan-id—VLAN identifier from Step 14.
Step 26 Router(config-if)# exit Exits interface configuration mode.
For trunk port configuration examples, see the “Trunk Port in Crypto-Connect Mode Configuration
Example” section on page 25-34.
Verifying the Trunk Port Configuration
To verify the VLANs allowed by a trunk port, enter the show interfaces trunk command. The following
display shows that all VLANs are allowed:
Router# show interfaces GigabitEthernet 1/2 trunk

Port      Mode         Encapsulation  Status        Native vlan
Gi1/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi1/2     1-4094

Port      Vlans allowed and active in management domain
Gi1/2     1-4,7-8,513,1002-1005

Port      Vlans in spanning tree forwarding state and not pruned
Gi1/2     1-4,7-8,513,1002-1005
Configuring IPSec VPN SPA Connections to WAN Interfaces
The configuration of IPSec VPN SPA connections to WAN interfaces is similar to the configuration of
Ethernet-routed interfaces.
IPSec VPN SPA Connections to WAN Interfaces Configuration Guidelines and Restrictions
When configuring a connection to a WAN interface using an IPSec VPN SPA, follow these guidelines
and note these restrictions:
• To configure an IPSec VPN SPA connection to a WAN interface, make a crypto connection from the
WAN subinterface to the interface VLAN as follows:
Router(config)# interface Vlan101
Router(config-if)# ip address 192.168.101.1 255.255.255.0
Router(config-if)# no mop enabled
Router(config-if)# crypto map cwan
Router(config-if)# crypto engine slot 4/0
Router(config)# interface ATM6/0/0.101 point-to-point
Router(config-subif)# pvc 0/101
Router(config-subif)# crypto connect vlan 101
• You must configure a crypto connection on subinterfaces for ATM and Frame Relay.
• For ATM, there is no SVC support, no RFC-1483 bridging, and no point-to-multipoint support.
• For Frame Relay, there is no SVC support, no RFC-1490 bridging, and no point-to-multipoint
support.
• For Point-to-Point Protocol (PPP) and Multilink PPP (MLPPP), you must make the physical
interface passive for routing protocols, as follows:
Router(config)# router ospf 10
Router(config-router)# passive-interface multilink1
• For PPP and MLPPP, when the crypto connect vlan command is configured on an interface, an ip
unnumbered Null0 command is automatically added to the port configuration to support IPCP
negotiation. If you configure a no ip address command on the WAN port in the startup
configuration, the no ip address command will be automatically removed in the running
configuration so that it does not conflict with the automatic configuration.
• For PPP and MLPPP, there is no Bridging Control Protocol (BCP) support.
• When enabled on an inside VLAN, OSPF will be configured in broadcast network mode by default,
even when a point-to-point interface (such as T1, POS, serial, or ATM) is crypto-connected to the
inside VLAN. In addition, if OSPF is configured in point-to-point network mode on the peer router
(for example, a transit router with no crypto card), OSPF will not establish full adjacency. In this
case, you can manually configure OSPF network point-to-point mode in the inside VLAN:
Router(config)# interface vlan inside-vlan
Router(config-if)# ip ospf network point-to-point
For IPSec VPN SPA connections to WAN interfaces configuration examples, see the “IPSec VPN SPA
Connections to WAN Interfaces Configuration Examples” section on page 25-36.
Displaying the VPN Running State
Use the show crypto vlan command to display the VPN running state. The following examples show
the show crypto vlan command output for a variety of IPSec VPN SPA configurations.
In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to Fa8/3
In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi4/0/1 connected to VLAN 2022 with crypto
map set coral2
In the following example, the interface VLAN is missing on the IPSec VPN SPA inside port, the IPSec
VPN SPA is removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:
Router# show crypto vlan
Interface VLAN 2 connected to VLAN 502 (no IPSec Service Module attached)
Configuring GRE Tunneling in Crypto-Connect Mode
This section contains the following GRE configuration topics:
• Understanding GRE Tunneling in Crypto-Connect Mode
• Configuring the GRE Takeover Criteria
• Configuring IP Multicast over a GRE Tunnel
Understanding GRE Tunneling in Crypto-Connect Mode
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of
protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points
over an IP network.
Note The IPSec VPN SPA is able to accelerate packet processing for up to 2048 GRE tunnels per chassis. Any
tunnels not taken over by the IPSec VPN SPA, or any tunnels in excess of 2048, are handled in platform
hardware or by the route processor. The router supports any number of GRE tunnels, but adding more
IPSec VPN SPAs does not increase the 2048 tunnels per-chassis maximum that will be handled by IPSec
VPN SPAs. If you configure more than 2048 tunnels per chassis, you could overload the route processor.
Monitor the route processor CPU utilization when configuring more than 2048 tunnels per chassis.
Note Beginning with Cisco IOS Release 12.2(18)SXF, the GRE fragmentation behavior of the VPN module
is changed to be consistent with the fragmentation behavior of the route processor. If GRE encapsulation
is performed by the VPN module, prefragmentation of outbound packets will be based on the IP MTU
of the tunnel interface. After GRE encapsulation is performed by the VPN module, depending on the
IPSec prefragmentation settings, further fragmentation may occur. The IPSec fragmentation behavior is
unchanged in this release, and is based on the IPSec MTU configuration of the egress interface.
GRE Tunneling Configuration Guidelines and Restrictions
When configuring point-to-point GRE tunneling in crypto-connect mode using the IPSec VPN SPA,
follow these guidelines:
• In a Cisco 7600 series router, GRE encapsulation and decapsulation is traditionally performed by
the route processor or the supervisor engine hardware. When routing indicates that encapsulated
packets for a GRE tunnel will egress through an interface VLAN that is attached to an IPSec VPN
SPA inside port, the IPSec VPN SPA attempts to take over the GRE tunnel interface only if the
supervisor engine is unable to process the GRE tunnel interface in hardware. If the supervisor engine
cannot process the GRE tunnel interface in hardware, the IPSec VPN SPA will determine if it can
take over the interface. By seizing the tunnel, the IPSec VPN SPA takes the GRE encapsulation and
decapsulation duty from the route processor. No explicit configuration changes are required to use
this feature; configure GRE as you normally would. As long as routing sends the GRE-encapsulated
packets over an interface VLAN, the IPSec VPN SPA will seize the GRE tunnel.
• If the same source address is used for more than one GRE tunnel, the supervisor engine hardware
will not take over the tunnel. The IPSec VPN SPA will take over the tunnel if it meets the criteria
discussed in the previous bullet item.
• Point-to-point GRE with tunnel protection is not supported in crypto-connect mode, but DMVPN is
supported.
• If routing information changes and the GRE-encapsulated packets no longer egress through an
interface VLAN, the IPSec VPN SPA yields the GRE tunnel. After the IPSec VPN SPA yields the
tunnel, the route processor resumes encapsulation and decapsulation, which increases CPU
utilization on the route processor.
Caution Ensure that your GRE tunnel configuration does not overload the route processor.
• A delay of up to 10 seconds occurs between routing changes and the IPSec VPN SPA seizing the
GRE tunnel.
• The crypto map must only be applied to the interface VLAN and not to the tunnel interface.
• The following options are supported on the tunnel interface: ACLs, service policy, TTL, and ToS.
• The following options are not supported on the tunnel interface: checksum enabled, sequence check
enabled, tunnel key, IP security options, policy-based routing (PBR), traffic shaping (can be applied
to the crypto engine configuration within the tunnel interface configuration), QoS preclassification,
and NAT.
• In crypto-connect mode, to avoid fragmentation after encryption, set the tunnel IP MTU to be equal
to or less than the egress interface MTU minus the GRE and IPSec overheads.
• When applied to the GRE tunnel interface, the ip tcp adjust-mss command is ignored. Apply the
command to the ingress LAN interface instead.
To configure a GRE tunnel, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# interface tunnel number
Purpose: Creates the tunnel interface if it does not exist and enters interface configuration mode.
• number—Number of the tunnel interface to be configured.
Step 2
Command: Router(config-if)# ip address address
Purpose: Sets the IP address of the tunnel interface.
• address—IP address.
Step 3
Command: Router(config-if)# tunnel source {ip-address | type number}
Purpose: Configures the tunnel source. The source is the router where traffic is received from the
customer network.
• ip-address—IP address to use as the source address for packets in the tunnel.
• type number—Interface type and number; for example, VLAN1.
Step 4
Command: Router(config-if)# tunnel destination {hostname | ip-address}
Purpose: Sets the IP address of the destination of the tunnel interface. The destination address is the
router that transfers packets into the receiving customer network.
• hostname—Name of the host destination.
• ip-address—IP address of the host destination expressed in decimal in four-part, dotted notation.
Step 5
Command: Router(config-if)# exit
Purpose: Exits interface configuration mode.
Verifying the GRE Tunneling Configuration
To verify that the IPSec VPN SPA has seized the GRE tunnel, enter the show crypto vlan command:
Router# show crypto vlan
Interface VLAN 101 on IPSec Service Module port 7/1/1 connected to AT4/0/0.101
Tunnel101 is accelerated via IPSec SM in subslot 7/1
Router#
For complete configuration information about GRE tunneling, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_tos.html
For GRE tunneling configuration examples, see the “GRE Tunneling in Crypto-Connect Mode
Configuration Example” section on page 25-40.
Configuring the GRE Takeover Criteria
You can configure the takeover criteria for Generic Routing Encapsulation (GRE) processing by using
the crypto engine gre supervisor or crypto engine gre vpnblade commands. These two commands
allow you to specify whether the GRE processing should be done by the supervisor engine hardware or
the route processor or the IPSec VPN SPA.
Note The GRE takeover criteria commands are supported only in Cisco IOS Release 12.2(18)SXE5 and later.
In releases prior to Cisco IOS Release 12.2SXE1, the crypto-related GRE tunnels are always taken over
by the VPN SPA. In Cisco IOS Release 12.2SXE1, the GRE tunnels are taken over by the VPN SPA only
if the supervisor engine hardware cannot do the processing.
To configure a router to process GRE using the supervisor engine hardware or the route processor (RP),
use the crypto engine gre supervisor command. When this command is specified, GRE processing by
the supervisor engine hardware takes precedence over processing by the route processor (unless the
tunnels are from duplicate sources); the RP only takes over GRE processing if the supervisor engine
hardware cannot do the processing. If this command is configured, duplicate source GREs will be
processed by the route processor.
To configure a router to process GRE using the IPSec VPN SPA, use the crypto engine gre vpnblade
command. If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing will be
handled either by supervisor engine hardware (which has precedence) or the route processor.
Both of these commands can be configured globally or at an individual tunnel.
Individual tunnel configuration takes precedence over the global configuration. For example, when the
crypto engine gre supervisor command is configured at the global configuration level, the command
will apply to all tunnels except those tunnels that have been configured individually using either a crypto
engine gre supervisor command or a crypto engine gre vpnblade command.
At any time, only one of the two commands (crypto engine gre supervisor or crypto engine gre
vpnblade) can be configured globally or individually at a tunnel. If either command is already
configured, configuring the second command will overwrite the first command, and only the
configuration applied by the second command will be used.
GRE Takeover Configuration Guidelines and Restrictions
When configuring GRE takeover on the IPSec VPN SPA, follow these guidelines and restrictions:
• For a GRE tunnel to be taken over by the IPSec VPN SPA, it must first satisfy the following criteria:
– The GRE tunnel interface must be up.
– The route to the tunnel destination must go through the IPSec VPN SPA.
– The Address Resolution Protocol (ARP) entry for the next hop must exist.
– The tunnel mode must be GRE.
– The only supported options are tunnel ttl and tunnel tos. If any of the following command
options are configured, then the tunnel will not be taken over:
• tunnel key
• tunnel sequence-datagrams
• tunnel checksum
All other options configured are ignored.
• If the GRE tunnels have the same source and destination addresses, then the IPSec VPN SPA will,
at most, take over only one of them, and the determination of which specific tunnel is taken over is
random.
• The IPSec VPN SPA will not take over GRE processing if any of the following features are
configured on the tunnel interface:
– DMVPN
– NAT
• In crypto-connect mode, the IPSec VPN SPA will not take over GRE processing when the interface
VLAN has no crypto map attached. The crypto map must be applied to the interface VLAN and not
to the tunnel interface.
• If the IPSec VPN SPA cannot take over the GRE processing, the GRE processing will be handled
either by the supervisor engine hardware (which has precedence) or the route processor.
• When neither the crypto engine gre supervisor command nor the crypto engine gre vpnblade
command is specified globally or individually for a tunnel, the IPSec VPN SPA will only attempt to
take over GRE processing if the following conditions apply:
– The supervisor engine hardware does not take over GRE processing.
– Protocol Independent Multicast (PIM) is configured on the tunnel.
– Multiple tunnels share the same tunnel source interface and more than one tunnel is up. (If only
one tunnel is up, the supervisor engine hardware can still perform the GRE processing.)
• When a new configuration file is copied to the running configuration, the new configuration will
overwrite the old configuration for the crypto engine gre vpnblade and crypto engine gre
supervisor commands. If the new configuration does not specify a GRE takeover criteria globally
or for an individual tunnel, the existing old configuration will be used.
• GRE keepalives are not supported if crypto engine gre vpnblade is configured.
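The takeover rules above can be checked against a saved running configuration before a change is applied. The following Python example is added here and is not part of the Cisco guide; the sample configuration is constructed, and treating mGRE mode or NHRP commands as the sign of DMVPN is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample running configuration (illustrative, not from the guide).
SAMPLE_CONFIG = """\
crypto engine gre supervisor
!
interface Tunnel1
 tunnel source Vlan101
 tunnel destination 192.0.2.1
 crypto engine gre vpnblade
!
interface Tunnel2
 tunnel source Vlan101
 tunnel destination 192.0.2.2
 tunnel key 42
 keepalive 10 3
 crypto engine gre vpnblade
!
interface Tunnel3
 tunnel source Vlan101
 tunnel destination 192.0.2.1
 crypto map testtag
!
interface Vlan101
 ip address 198.51.100.1 255.255.255.0
 crypto map testtag
 crypto engine slot 4/0
"""

# Options that stop the IPSec VPN SPA from taking over a tunnel (from the guidelines).
BLOCKERS = {
    r"tunnel key\b": "tunnel key is configured",
    r"tunnel sequence-datagrams\b": "tunnel sequence-datagrams is configured",
    r"tunnel checksum\b": "tunnel checksum is configured",
    r"ip nat\b": "NAT is configured on the tunnel",
    # Assumption: mGRE mode or NHRP commands are treated as the sign of DMVPN.
    r"(tunnel mode gre multipoint|ip nhrp)\b": "DMVPN is configured on the tunnel",
}
GRE_MODE = re.compile(r"crypto engine gre (supervisor|vpnblade)$")


def parse(config):
    """Return (global mode, {interface: [sub-commands]}); relies on running-config indentation."""
    global_mode, interfaces, current = None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command ends any interface section
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = interfaces.setdefault(m.group(1), [])
            elif GRE_MODE.match(line):    # a later global command overwrites an earlier one
                global_mode = GRE_MODE.match(line).group(1)
        elif current is not None:
            current.append(line)
    return global_mode, interfaces


def audit(config):
    """Map each tunnel interface to its effective takeover mode and a list of findings."""
    global_mode, interfaces = parse(config)
    report, pairs = {}, defaultdict(list)
    for name, cmds in interfaces.items():
        if not name.lower().startswith("tunnel"):
            continue
        mode, findings, ends = global_mode, [], {}
        for cmd in cmds:
            if GRE_MODE.match(cmd):       # individual tunnel setting overrides the global one
                mode = GRE_MODE.match(cmd).group(1)
            for pattern, text in BLOCKERS.items():
                if re.match(pattern, cmd):
                    findings.append(text + "; the SPA will not take over this tunnel")
            if cmd.startswith("crypto map "):
                findings.append("crypto map on tunnel interface; apply it to the interface VLAN")
            if cmd.startswith("tunnel mode ") and not cmd.startswith("tunnel mode gre"):
                findings.append("tunnel mode is not GRE")
            m = re.match(r"tunnel (source|destination) (\S+)", cmd)
            if m:
                ends[m.group(1)] = m.group(2)
        if mode == "vpnblade" and any(c.startswith("keepalive") for c in cmds):
            findings.append("GRE keepalives are not supported with crypto engine gre vpnblade")
        pairs[(ends.get("source"), ends.get("destination"))].append(name)
        report[name] = {"mode": mode, "findings": findings}
    for (src, dst), names in pairs.items():
        if src and dst and len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                report[name]["findings"].append(
                    f"same source and destination as {others}; at most one is taken over")
    return report


if __name__ == "__main__":
    for tunnel, result in audit(SAMPLE_CONFIG).items():
        print(tunnel, result["mode"], result["findings"])
```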
Configuring the GRE Takeover Criteria Globally
To configure the GRE takeover criteria globally (so that it affects all tunnels except those tunnels that
have been configured individually using either a crypto engine gre supervisor command or a crypto
engine gre vpnblade command), perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto engine gre supervisor
Purpose: Configures a router to process GRE using the supervisor engine hardware or the route processor.
or
Command: Router(config)# crypto engine gre vpnblade
Purpose: Configures a router to process GRE using the IPSec VPN SPA.
Configuring the GRE Takeover Criteria at an Individual Tunnel
To configure the GRE takeover criteria at an individual tunnel (so that it affects only a specific tunnel),
perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# interface tunnel number
Purpose: Creates the tunnel interface if it does not exist and enters interface configuration mode.
• number—Number of the tunnel interface to be configured.
Step 2
Command: Router(config-if)# crypto engine gre supervisor
Purpose: Configures a router to process GRE using the supervisor engine hardware or the route processor.
or
Command: Router(config-if)# crypto engine gre vpnblade
Purpose: Configures a router to process GRE using the IPSec VPN SPA.
For GRE takeover criteria configuration examples, see the “GRE Takeover Criteria Configuration
Examples” section on page 25-42.
Configuring IP Multicast over a GRE Tunnel
IP multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a
single stream of information to multiple recipients. GRE is a tunneling protocol developed by Cisco and
commonly used with IPSec that encapsulates a wide variety of protocol packet types inside IP tunnels,
creating a virtual point-to-point link to Cisco routers at remote points over an IP network.
In some network scenarios, you might want to configure your network to use GRE tunnels to send
Protocol Independent Multicast (PIM) and multicast traffic between routers. Typically, this occurs when
the multicast source and receiver are separated by an IP cloud that is not configured for IP multicast
routing. In such network scenarios, configuring a tunnel across an IP cloud with PIM-enabled transports
multicast packets toward the receiver. The configuration of IP multicast over a GRE tunnel using the
IPSec VPN SPA involves three key steps:
• Configuring single-SPA mode (if supported) for multicast traffic
• Configuring multicast globally
• Configuring PIM at the tunnel interfaces
IP Multicast over a GRE Tunnel Configuration Guidelines and Restrictions
When configuring IP multicast over a GRE tunnel, follow these guidelines:
• When the hw-module slot subslot only command is executed, it automatically resets the
Cisco 7600 SSC-400 card and displays the following prompt on the console:
Module n will be reset? Confirm [n]:
The prompt will default to N (no). You must type Y (yes) to activate the reset action.
• When in single-SPA mode, if you manually plug in a second SPA, or if you attempt to reset the SPA
(by entering a no hw-module subslot shutdown command, for example), a message is displayed on
the router console that refers you to the customer documentation.
• If PIM is configured, and the GRE tunnel interface satisfies the rest of the tunnel takeover criteria,
the GRE processing of the multicast packets will be taken over by the IPSec VPN SPA.
• GRE processing of IP multicast packets will be taken over by the IPSec VPN SPA if the GRE tunnel
interface satisfies the following tunnel takeover criteria:
– The tunnel is up.
– There are no other tunnels with the same source destination pair.
– The tunnel is not an mGRE tunnel.
– PIM is configured on the tunnel.
– None of the following features are configured on the tunnel: tunnel key, tunnel
sequence-datagrams, tunnel checksum, tunnel udlr address-resolution, tunnel udlr receive-only,
tunnel udlr send-only, ip proxy-mobile tunnel reverse, or NAT. If any of these options are
specified, the IPSec VPN SPA will not seize the GRE tunnel.
• When a tunnel is configured for multicast traffic, the crypto engine gre supervisor command
should not be applied to the tunnel.
Configuring Single-SPA Mode for IP Multicast Traffic
Before you configure IP multicast on the IPSec VPN SPA, you should change the mode of the
Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot using the hw-module slot
subslot only command. If this command is not used, the total amount of buffers available is divided
between the two subslots on the Cisco 7600 SSC-400 card.
To allocate full buffers to the specified subslot, use the hw-module slot subslot only command as
follows:
Router(config)# hw-module slot slot subslot subslot only
slot specifies the slot where the Cisco 7600 SSC-400 card is located.
subslot specifies the subslot where the IPSec VPN SPA is located.
If the hw-module slot subslot only command is not used, the total amount of buffers available is divided
between the two subslots on the Cisco 7600 SSC-400 card.
Configuring IP Multicast Globally
You must enable IP multicast routing globally before you can enable PIM on the router interfaces.
To enable IP multicast routing globally, use the ip multicast-routing command.
Configuring PIM at the Tunnel Interfaces
You must enable PIM on all participating router interfaces before IP multicast will function.
To enable PIM, use the ip pim command as follows:
Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode}
dense-mode enables dense mode of operation.
sparse-mode enables sparse mode of operation.
sparse-dense-mode enables the interface in either sparse mode or dense mode of operation, depending
on which mode the multicast group operates in.
For IP multicast over GRE tunnels configuration examples, see the “IP Multicast over a GRE Tunnel
Configuration Example” section on page 25-43.
Verifying the IP Multicast over a GRE Tunnel Configuration
To verify the IP multicast over a GRE tunnel configuration, enter the show crypto vlan and show ip
mroute commands.
To verify that the tunnel has been taken over by the IPSec VPN SPA, enter the show crypto vlan
command:
Router# show crypto vlan
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map
set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0
To verify that the IP multicast traffic is hardware-switched, enter the show ip mroute command and look
for the H flag:
Router# show ip mroute 230.1.1.5
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16
(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H
For IP multicast over GRE tunnels configuration examples, see the “IP Multicast over a GRE Tunnel
Configuration Example” section on page 25-43.
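The show crypto vlan output forms shown in this chapter can be parsed to confirm that every tunnel expected on the IPSec VPN SPA is reported as accelerated and that no interface VLAN has lost its module. This Python example is added here and is not part of the Cisco guide; the sample output is constructed from the forms shown above, and the list of expected tunnels is an assumed input.

```python
import re

# Constructed sample, assembled from the output forms shown in this chapter.
SAMPLE_OUTPUT = """\
Router# show crypto vlan
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map
set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0
Interface VLAN 101 on IPSec Service Module port Gi7/0/1 connected to AT4/0/0.101
Interface VLAN 2 connected to VLAN 502 (no IPSec Service Module attached)
"""

# One interface VLAN record; the port, crypto map and "no module" parts are optional.
VLAN_RE = re.compile(
    r"Interface VLAN (?P<vlan>\d+)"
    r"(?: on IPSec Service Module port (?P<port>\S+))?"
    r" connected to (?P<peer>VLAN \d+|\S+)"
    r"(?: with crypto map set (?P<map>\S+))?"
    r"(?P<detached> \(no IPSec Service Module attached\))?")
# Line printed when the IPSec VPN SPA has seized a GRE tunnel.
TUNNEL_RE = re.compile(
    r"(?P<tunnel>Tunnel\d+) is accelerated via IPSec SM in subslot (?P<subslot>\d+/\d+)")


def parse_show_crypto_vlan(output):
    """Return (list of VLAN records, {tunnel: subslot}) from 'show crypto vlan' text."""
    text = " ".join(output.split())       # undo terminal line wrapping
    vlans = [{"vlan": int(m["vlan"]),
              "port": m["port"],
              "peer": m["peer"],
              "crypto_map": m["map"],
              "module_attached": m["detached"] is None}
             for m in VLAN_RE.finditer(text)]
    accelerated = {m["tunnel"]: m["subslot"] for m in TUNNEL_RE.finditer(text)}
    return vlans, accelerated


def check_running_state(output, expected_tunnels):
    """List interface VLANs with no module attached and expected tunnels not accelerated."""
    vlans, accelerated = parse_show_crypto_vlan(output)
    findings = []
    for record in vlans:
        if not record["module_attached"]:
            findings.append(f"VLAN {record['vlan']}: no IPSec Service Module attached")
    for tunnel in expected_tunnels:
        if tunnel not in accelerated:
            # Per the guide, such tunnels are handled in platform hardware or by the
            # route processor, so route processor CPU utilization should be monitored.
            findings.append(f"{tunnel}: not accelerated by the IPSec VPN SPA")
    return findings


if __name__ == "__main__":
    for finding in check_running_state(SAMPLE_OUTPUT, ["Tunnel15", "Tunnel101"]):
        print(finding)
```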
Configuration Examples
This section provides examples of the following configurations:
• Access Port in Crypto-Connect Mode Configuration Example
• Routed Port in Crypto-Connect Mode Configuration Example
• Trunk Port in Crypto-Connect Mode Configuration Example
• IPSec VPN SPA Connections to WAN Interfaces Configuration Examples
• GRE Tunneling in Crypto-Connect Mode Configuration Example
• GRE Takeover Criteria Configuration Examples
• IP Multicast over a GRE Tunnel Configuration Example
Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases
has been replaced with the crypto engine slot command (of the form crypto engine slot slot/subslot
{inside | outside}). The crypto engine subslot command is no longer supported. When upgrading,
ensure that this command has been modified in your start-up configuration to avoid extended
maintenance time.
Access Port in Crypto-Connect Mode Configuration Example
This section provides an example of the access port configuration with router 1 shown in Figure 25-2 on
page 25-8:
Router 1 (Access Port)
!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set proposal1
match address 101
!
!
interface GigabitEthernet1/1
!switch inside port
ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 502
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
interface Vlan2
!interface vlan
ip address 11.0.0.2 255.255.255.0
crypto map testtag
crypto engine slot 4/0
!
interface Vlan502
!port vlan
no ip address
crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end
Router 2 (Access Port)
!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal1
match address 101
!
!
interface GigabitEthernet1/1
!switch inside port
ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 502
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
!interface vlan
ip address 11.0.0.1 255.255.255.0
crypto map testtag
crypto engine slot 4/0
!
interface Vlan502
!port vlan
no ip address
crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end
Routed Port in Crypto-Connect Mode Configuration Example
This section provides an example of the routed port configuration with router 1 shown in Figure 25-3 on
page 25-12:
Router 1 (Routed Port)
!
hostname router-1
!
vlan 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal1
match address 101
!
!
interface GigabitEthernet1/1
!switch inside port
ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
no ip address
crypto connect vlan 2
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
!interface vlan
ip address 11.0.0.1 255.255.255.0
no mop enabled
crypto map testtag
crypto engine slot 4/0
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end
Router 2 (Routed Port)
!
hostname router-2
!
vlan 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set proposal1
match address 101
!
!
interface GigabitEthernet1/1
!switch inside port
ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
no ip address
crypto connect vlan 2
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
!interface vlan
ip address 11.0.0.2 255.255.255.0
no mop enabled
crypto map testtag
crypto engine slot 4/0
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end
Trunk Port in Crypto-Connect Mode Configuration Example
This section provides an example of the trunk port configuration with router 1 shown in Figure 25-4 on
page 25-15:
Router 1 (Trunk Port)
!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal1
match address 101
!
!
interface GigabitEthernet1/1
!switch inside port
ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 502
switchport mode trunk
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
!interface vlan
ip address 11.0.0.1 255.255.255.0
crypto map testtag
crypto engine slot 4/0
!
interface Vlan 502
!port vlan
no ip address
crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
end
Router 2 (Trunk Port)
!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set proposal1
match address 101
!
!
interface GigabitEthernet1/1
!switch inside port
ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 502
switchport mode trunk
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
interface Vlan2
!interface vlan
ip address 11.0.0.2 255.255.255.0
crypto map testtag
crypto engine slot 4/0
!
interface Vlan502
!port vlan
no ip address
crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 11.0.0.1
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
end
IPSec VPN SPA Connections to WAN Interfaces Configuration Examples
The following are configuration examples of IPSec VPN SPA connections to WAN interfaces:
• IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example
• IPSec VPN SPA Connection to a POS Port Adapter Configuration Example
• IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example
IPSec VPN SPA Connection to an ATM Port Adapter Configuration Example
The following example shows the configuration of an IPSec VPN SPA connection to an ATM port
adapter:
!
hostname router-1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
crypto map testtag_1 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal
match address acl_1
!
interface GigabitEthernet1/1
ip address 12.0.0.2 255.255.255.0
!
interface ATM2/0/0
no ip address
atm clock INTERNAL
no atm enable-ilmi-trap
no atm ilmi-keepalive
!
interface ATM2/0/0.1 point-to-point
atm pvc 20 0 20 aal5snap
no atm enable-ilmi-trap
crypto connect vlan 2
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 11.0.0.1 255.255.255.0
crypto map testtag_1
crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
permit ip host 12.0.0.1 host 13.0.0.1
!
IPSec VPN SPA Connection to a POS Port Adapter Configuration Example
The following example shows the configuration of an IPSec VPN SPA connection to a POS port adapter:
!
hostname router-1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
crypto map testtag_1 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal
match address acl_1
!
interface GigabitEthernet1/1
!switch inside port
ip address 12.0.0.2 255.255.255.0
!
interface POS2/0/0
no ip address
encapsulation frame-relay
clock source internal
!
interface POS2/0/0.1 point-to-point
frame-relay interface-dlci 16
crypto connect vlan 2
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 11.0.0.1 255.255.255.0
crypto map testtag_1
crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
permit ip host 12.0.0.1 host 13.0.0.1
IPSec VPN SPA Connection to a Serial Port Adapter Configuration Example
The following example shows the configuration of an IPSec VPN SPA connection to a serial port
adapter:
!
hostname router-1
!
controller T3 2/1/0
t1 1 channel-group 0 timeslots 1
t1 2 channel-group 0 timeslots 1
t1 3 channel-group 0 timeslots 1
t1 4 channel-group 0 timeslots 1
t1 5 channel-group 0 timeslots 1
t1 6 channel-group 0 timeslots 1
t1 7 channel-group 0 timeslots 1
t1 8 channel-group 0 timeslots 1
t1 9 channel-group 0 timeslots 1
t1 10 channel-group 0 timeslots 1
t1 11 channel-group 0 timeslots 1
t1 12 channel-group 0 timeslots 1
t1 13 channel-group 0 timeslots 1
t1 14 channel-group 0 timeslots 1
t1 15 channel-group 0 timeslots 1
t1 16 channel-group 0 timeslots 1
t1 17 channel-group 0 timeslots 1
t1 18 channel-group 0 timeslots 1
t1 19 channel-group 0 timeslots 1
t1 20 channel-group 0 timeslots 1
t1 21 channel-group 0 timeslots 1
t1 22 channel-group 0 timeslots 1
t1 23 channel-group 0 timeslots 1
t1 24 channel-group 0 timeslots 1
t1 25 channel-group 0 timeslots 1
t1 26 channel-group 0 timeslots 1
t1 27 channel-group 0 timeslots 1
t1 28 channel-group 0 timeslots 1
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
crypto map testtag_1 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal
match address acl_1
!
interface GigabitEthernet1/1
!switch inside port
ip address 12.0.0.2 255.255.255.0
!
interface Serial2/1/0/1:0
ip unnumbered Null0
encapsulation ppp
no fair-queue
no cdp enable
crypto connect vlan 2
!
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 11.0.0.1 255.255.255.0
crypto map testtag_1
crypto engine slot 4/0
!
ip classless
ip route 13.0.0.1 255.255.255.255 11.0.0.2
!
ip access-list extended acl_1
permit ip host 12.0.0.1 host 13.0.0.1
GRE Tunneling in Crypto-Connect Mode Configuration Example
This section provides an example of GRE tunneling configurations:
Router 1 (GRE Tunneling)
The following example shows the configuration of GRE tunneling for router 1:
!
hostname router-1
!
vlan 2,502
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.2
!
!
crypto ipsec transform-set proposal1 ah-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal1
match address 101
!
!
!
!
interface Tunnel1
ip address 1.0.0.1 255.255.255.0
tunnel source Vlan2
tunnel destination 11.0.0.2
!
interface GigabitEthernet1/1
!switch inside port
ip address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 502
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 11.0.0.1 255.255.255.0
no mop enabled
crypto map testtag
crypto engine slot 4/0
!
interface Vlan502
no ip address
crypto connect vlan 2
!
!
ip classless
ip route 13.0.0.0 255.0.0.0 Tunnel1
!
!
access-list 101 permit gre host 11.0.0.1 host 11.0.0.2
!
Router 2 (GRE Tunneling)
!
hostname router-2
!
vlan 2,502
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key 12345 address 11.0.0.1
!
!
crypto ipsec transform-set proposal1 ah-md5-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set proposal1
match address 101
!
!
!
!
interface Tunnel1
ip address 1.0.0.2 255.255.255.0
tunnel source Vlan2
tunnel destination 11.0.0.1
!
interface GigabitEthernet1/1
!switch inside port
ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 502
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 11.0.0.2 255.255.255.0
no mop enabled
crypto map testtag
crypto engine slot 4/0
!
interface Vlan502
no ip address
crypto connect vlan 2
!
ip classless
ip route 12.0.0.0 255.0.0.0 Tunnel1
!
access-list 101 permit gre host 11.0.0.2 host 11.0.0.1
!
GRE Takeover Criteria Configuration Examples
The following examples show how to configure the GRE takeover criteria:
• GRE Takeover Criteria Global Configuration Example
• GRE Takeover Criteria Tunnel Configuration Example
• GRE Takeover Verification Example
GRE Takeover Criteria Global Configuration Example
The following example shows that the GRE takeover criteria have been set globally and the supervisor
engine hardware or RP always does the GRE processing:
Router(config)# crypto engine gre supervisor
GRE Takeover Criteria Tunnel Configuration Example
The following example shows that the GRE takeover criteria have been set individually for tunnel
interface 3 and the IPSec VPN SPA always does the GRE processing for this tunnel:
Router(config)# interface tunnel 3
Router(config-if)# crypto engine gre vpnblade
GRE Takeover Verification Example
The following example shows how to verify that the tunnel has been taken over by the IPSec VPN SPA:
Router# show crypto vlan 100
Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0
with crypto map set MAP_TO_R2
Tunnel1 is accelerated via IPSec SM in subslot 4/0
The following example shows that the tunnel has not been taken over by the IPSec VPN SPA:
Router# show crypto vlan 100
Interface VLAN 100 on IPSec Service Module port GigabitEthernet4/0/1 connected to POS8/0/0
with crypto map set MAP_TO_R2
IP Multicast over a GRE Tunnel Configuration Example
The following example shows how to configure IP multicast over GRE:
hostname router-1
!
vlan 2-1001
ip multicast-routing
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set proposal esp-3des
!
!
crypto map cm_spoke1_1 10 ipsec-isakmp
set peer 11.1.1.1
set transform-set proposal
match address spoke1_acl_1
!
!
interface Tunnel1
ip address 20.1.1.1 255.255.255.0
ip mtu 9216
ip pim sparse-mode
ip hold-time eigrp 1 3600
tunnel source 1.0.1.1
tunnel destination 11.1.1.1
crypto engine slot 4/0
!
interface GigabitEthernet1/1
!switch inside port
mtu 9216
ip address 50.1.1.1 255.0.0.0
ip pim sparse-mode
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,252,1002-1005
switchport mode trunk
mtu 9216
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,252,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
mtu 9216
ip address 1.0.1.1 255.255.255.0
crypto map cm_spoke1_1
crypto engine slot 4/0
!
interface Vlan252
mtu 9216
no ip address
crypto connect vlan 2
!
router eigrp 1
network 20.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 11.1.1.0 255.255.255.0 1.0.1.2
!
ip pim bidir-enable
ip pim rp-address 50.1.1.1
!
ip access-list extended spoke1_acl_1
permit gre host 1.0.1.1 host 11.1.1.1
!
Chapter 26 Configuring VPNs in VRF Mode
This chapter provides information about configuring IPSec VPNs in Virtual Routing and Forwarding
(VRF) mode, one of the two VPN configuration modes supported by the IPSec VPN SPA. For
information on the other VPN mode, crypto-connect mode, see Chapter 25, “Configuring VPNs in
Crypto-Connect Mode.”
This chapter includes the following topics:
• Configuring VPNs in VRF Mode
• Configuring an IPSec Virtual Tunnel Interface
• Configuration Examples
For general information on configuring IPSec VPNs with the IPSec VPN SPA, see the “Overview of
Basic IPSec and IKE Configuration Concepts” section on page 24-5.
Note: The procedures in this chapter assume you have familiarity with security configuration concepts, such
as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For
detailed information on configuring these features, refer to the following Cisco IOS documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
For additional information about the commands used in this chapter, see the Cisco 7600 Series Router
Command Reference, 12.2SR, the related Cisco IOS Release 12.2 software configuration guide and
master index publications. For more information about accessing these publications, see the “Related
Documentation” section on page xlvii.
Tip: To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Configuring VPNs in VRF Mode
VRF mode, also known as VRF-Aware IPSec, allows you to map IPSec tunnels to VPN routing and
forwarding instances (VRFs) using a single public-facing address.
A VRF instance is a per-VPN routing information repository that defines the VPN membership of a
customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived
Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules
and routing protocol parameters that control the information that is included in the routing table. A
separate set of routing and CEF tables is maintained for each VPN customer.
Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one
VRF domain, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another
domain called the Inside VRF (IVRF). Stated another way, the local endpoint of the IPSec tunnel belongs
to the FVRF while the source and destination addresses of the inside packet belong to the IVRF, the
unprotected (LAN) side.
Note: Front door VRF (FVRF) is supported only in Cisco IOS Release 12.2(33)SRA and later.
One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same
and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and
depends on the VRF that is defined in the ISAKMP profile that is attached to a crypto map entry.
With VRF mode, packets belonging to a specific VRF are routed through the IPSec VPN SPA for IPSec
processing. Through the CLI, you associate a VRF with an interface VLAN that has been configured to
point to the IPSec VPN SPA. An interface VLAN must be created for each VRF. Packets traveling from
an MPLS cloud to the Internet that are received from an inside VRF are routed to an interface VLAN,
and then to the IPSec VPN SPA for IPSec processing. The IPSec VPN SPA modifies the packets so that
they are placed on a special Layer 3 VLAN for routing to the WAN-side port after they leave the IPSec
VPN SPA.
Packets traveling in the inbound direction from a protected port on which the crypto engine slot
command has been entered are redirected by a special ACL to the IPSec VPN SPA, where they are
processed according to the Security Parameter Index (SPI) contained in the packet’s IPSec header.
Processing on the IPSec VPN SPA ensures that the decapsulated packet is mapped to the appropriate
interface VLAN corresponding to the inside VRF. This interface VLAN has been associated with a
specific VRF, so packets are routed within the VRF to the correct inside interface.
Note: Tunnel protection is supported in VRF mode. For information on configuring tunnel protection, see the
“Configuring VPNs in VRF Mode with Tunnel Protection (GRE)” section on page 26-11 and the “VRF
Mode Tunnel Protection Configuration Example” section on page 26-32.
When configuring a VPN using VRF mode, you have these additional tunneling options: tunnel
protection (TP) using GRE, and Virtual Tunnel Interface (VTI). With either of these options, you can
terminate tunnels in VRFs (normal VRF mode) or in the global context.
The following subsections describe how to configure a VPN in VRF mode on the IPSec VPN SPA:
• Understanding VPN Configuration in VRF Mode
• VRF Mode Configuration Guidelines and Restrictions
• Configuring VPNs in VRF Mode without Tunnel Protection
• Configuring VPNs in VRF Mode with Tunnel Protection (GRE)
Understanding VPN Configuration in VRF Mode
In the traditional crypto-connect mode, a VPN is configured by attaching crypto maps to interface
VLANs and then crypto-connecting a physical port to the interface VLAN. When configuring a VPN in
VRF mode using the IPSec VPN SPA, the model of interface VLANs is preserved, but the crypto
connect vlan CLI command is not used. When a packet comes into an interface on a specific VRF, the
packet must get to the proper interface VLAN. A route must be installed so that packets destined for that
particular subnet in that particular VRF are directed to that interface VLAN. This function can be
achieved through the following configuration options:
• Configuring an IP address on the interface VLAN that is in the same subnet as the packets’
destination IP address. For example, packets are trying to reach subnet 10.1.1.x and their destination
IP address is 10.1.1.1 as follows:
int vlan 100
ip vrf forwarding coke
! same subnet as 10.1.1.x that we are trying to reach
ip address 10.1.1.254 255.255.255.0
crypto map mymap
crypto engine slot 4/1
• Configuring a static route as follows:
ip route vrf coke 10.1.1.0 255.255.255.0 vlan 100
• Configuring routing protocols. You configure BGP, OSPF, or other routing protocols so that remote
routers broadcast their routes.
Note: Do not configure routing protocols unless you are using tunnel protection.
• Configuring Reverse Route Injection (RRI). You configure RRI so that a route gets installed when
the remote end initiates an IPSec session (as in remote access situations).
With VRF mode, the router sees the interface VLAN as a point-to-point connection; the packets are
placed directly onto the interface VLAN. Each VRF has its own interface VLAN.
When a crypto map is attached to an interface VLAN and the ip vrf forwarding command has associated
that VLAN with a particular VRF, the software creates a point-to-point connection so that all routes
pointing to the interface VLAN do not attempt to run the Address Resolution Protocol (ARP). Through
normal routing within the VRF, packets to be processed by the IPSec VPN SPA are sent to the interface
VLAN. You may configure features on the interface VLAN. The IP address of the interface VLAN must
be on the same subnet as the desired destination subnet for packets to be properly routed.
When you enter the ip vrf forwarding command on an inside interface, all packets coming in on that
interface are routed correctly within that VRF.
When you enable the crypto engine mode vrf command and enter the crypto engine slot outside
command on an interface, a special ACL is installed that forces all incoming Encapsulating Security
Payload (ESP)/Authentication Header (AH) IPSec packets addressed to a system IP address to be sent
to the IPSec VPN SPA WAN-side port. NAT Traversal (NAT-T) packets are also directed to the IPSec
VPN SPA by the special ACL.
Note: You must enter the vrf vrf_name command from within the context of an ISAKMP profile. This
command does not apply to the VRF-aware crypto infrastructure; it applies only to generic crypto
processing. When the ISAKMP profile is added to a crypto map set, the VRF becomes the default VRF
for all of the crypto maps in the list. Individual crypto maps may override this default VRF by specifying
another policy profile that contains a different VRF. If no profile is applied to a crypto map tag, it inherits
the VRF from the interface if you have configured the interface with the ip vrf forwarding command.
All packets destined for a protected outside interface received in this VRF context are placed on the
associated interface VLAN. Similarly, all decapsulated ingress packets associated with this VRF are
placed on the appropriate interface VLAN so that they may be routed in the proper VRF context.
VRF Mode Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring a VPN for the IPSec VPN SPA using VRF
mode:
Note: After enabling or disabling VRF mode using the [no] crypto engine mode vrf command, you must
reload the supervisor engine. In addition, MPLS tunnel recirculation must be enabled for VRF mode.
That is, you must add the mls mpls tunnel-recir command before entering the crypto engine mode vrf
command.
• The procedure for configuring a VPN in VRF mode varies based on whether you are using tunnel
protection or not.
• Unlike IPSec VPN SPA crypto-connect mode configurations, when configuring VPNs in VRF mode,
you do not use the crypto connect vlan command.
• In Cisco IOS Release 12.2(33)SRA and later releases, the crypto engine subslot command used in
previous releases has been replaced with the crypto engine slot command (of the form crypto
engine slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer
supported. In Cisco IOS Release 12.2(33)SRA and later releases, it is not necessary to specify the
slot slot/subslot information with the outside keyword. When upgrading, ensure that the crypto
engine command has been modified in your start-up configuration to avoid extended maintenance
time.
• As of Cisco IOS Release 12.2(33)SRA, the ip vrf forwarding command is no longer required when
configuring GRE with tunnel protection.
• Crypto ACLs support only the EQ operator. Other operators, such as GT, LT, and NEQ, are not
supported.
• Noncontiguous subnets in a crypto ACL, as in the following example, are not supported:
deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
deny ip 10.0.5.0 0.255.0.255 10.0.176.0 0.255.0.255
• ACL counters are not supported for crypto ACLs.
• An egress ACL is not applied to packets generated by the route processor. An ingress ACL is not
applied to packets destined for the route processor.
• When you create an ISAKMP profile, note the following guidelines regarding the use of the vrf
command:
– You must use the vrf command if you are using the ISAKMP profile with a crypto map.
– You are not required to use the vrf command if you are using the ISAKMP profile with tunnel
protection.
– You should not use the vrf command if you are using the ISAKMP profile with DMVPN.
• When the ip vrf forwarding command is applied to a VLAN, any previously existing IP address
assigned to that VLAN is removed. To assign an IP address to the VLAN, enter the ip address
command after the ip vrf forwarding command, not preceding it.
• Although more than one IPSec VPN SPA in a chassis is supported beginning with Cisco IOS
Release 12.2(18)SXE, in VRF mode, there is no configuration difference between multiple IPSec
VPN SPA operation and single IPSec VPN SPA operation. For multiple IPSec VPN SPA operation,
the only change is to the output of the show crypto vlan command. The following is an example:
Interface Tu1 on IPSec Service Module port Gi7/1/1 connected to VRF vrf1
Interface VLAN 2 on IPSec Service Module port Gi7/1/1 connected to VRF vrf2
• Applying an ACL to the ingress interface will interfere with the packet flow.
Note: Do not apply an ACL during the configuration of VRF mode.
• The number of outside interfaces supported by the IPSec VPN SPA is determined by your system
resources.
• Inbound and outbound traffic for the same tunnel must use the same outside interface. Asymmetric
routing, in which encrypted traffic uses a different outside interface than decrypted traffic for the
same tunnel, is not supported.
• In VRF mode, crypto map interfaces that share the same local address must be bound to the same
crypto engine.
• When two tunnels share the same tunnel source address, they will be taken over by the IPSec VPN
SPA only if one of the following two conditions is met:
– Both tunnels share the same FVRF.
– The crypto engine gre vpnblade command is entered.
• You can configure the FVRF to be the same as the IVRF.
• In VRF mode, ingress ACLs are installed on crypto engine outside interfaces. In combination with
other configured ACLs, these ACLs may cause the ACL-TCAM usage to become excessive. To
reduce the TCAM usage, share the TCAM resources by entering the mls acl tcam share-global
command in the configuration. You can view the ACL usage using the show tcam counts command.
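The guidelines above that can be checked mechanically, as an added example (it is not part of the Cisco guide and is not Cisco code): a Python linter that reads candidate configuration text and flags crypto connect vlan in a VRF-mode configuration, crypto engine mode vrf entered before mls mpls tunnel-recir, ip address entered before ip vrf forwarding, and crypto ACL entries that use a non-EQ operator or a noncontiguous wildcard. The rule names, function names and sample configuration are constructed for illustration, and treating range as an unsupported operator is an assumption.

```python
import ipaddress

# The guide says crypto ACLs support only EQ and names GT, LT and NEQ as
# unsupported; treating "range" the same way is an assumption of this example.
UNSUPPORTED_OPS = {"gt", "lt", "neq", "range"}

# Constructed sample (not from the guide) that breaks five of the guidelines.
SAMPLE_CONFIG = """\
crypto engine mode vrf
mls mpls tunnel-recir
crypto map mymap 10 ipsec-isakmp
 match address acl_1
interface Vlan100
 ip address 10.1.1.254 255.255.255.0
 ip vrf forwarding coke
 crypto map mymap
 crypto engine slot 4/1
interface GigabitEthernet1/2
 crypto connect vlan 100
ip access-list extended acl_1
 deny ip 10.0.5.0 0.255.0.255 10.0.175.0 0.255.0.255
 permit tcp 10.1.1.0 0.0.0.255 any gt 1023
 permit tcp 10.1.1.0 0.0.0.255 host 13.0.0.1 eq 80
access-list 102 permit tcp any any lt 1024
"""


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def wildcard_is_contiguous(mask):
    """True when the wildcard is 0 bits followed only by 1 bits (0.0.0.255)."""
    value = int(ipaddress.IPv4Address(mask))
    return value & (value + 1) == 0


def _wildcards(tokens):
    """Yield the wildcard of each 'address wildcard' pair in one ACL entry."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "host":
            i += 2  # 'host A' carries no wildcard
        elif _is_ipv4(tokens[i]) and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
            yield tokens[i + 1]
            i += 2
        else:
            i += 1


def lint_vrf_mode(config):
    """Return (rule, detail) findings for one block of configuration text."""
    findings, acls, crypto_acls = [], {}, set()
    recir_seen, addr_seen, iface, named_acl = False, False, None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if named_acl and tok[0] in ("permit", "deny"):
            acls[named_acl].append(tok)
            continue
        named_acl = None
        if tok[:3] == ["ip", "access-list", "extended"] and len(tok) > 3:
            named_acl = tok[3]
            acls.setdefault(named_acl, [])
        elif tok[0] == "access-list" and len(tok) > 2:
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:2] == ["match", "address"] and len(tok) > 2:
            crypto_acls.add(tok[2])  # ACL referenced by a crypto map entry
        elif tok[0] == "interface":
            iface, addr_seen = " ".join(tok[1:]), False
        elif tok[:2] == ["ip", "address"]:
            addr_seen = True
        elif tok[:3] == ["ip", "vrf", "forwarding"] and addr_seen:
            findings.append(("VRF-ADDR-ORDER", f"{iface}: enter ip address after ip vrf forwarding"))
        elif tok[:3] == ["crypto", "connect", "vlan"]:
            findings.append(("CRYPTO-CONNECT", f"{iface}: crypto connect vlan not used in VRF mode"))
        elif tok[:3] == ["mls", "mpls", "tunnel-recir"]:
            recir_seen = True
        elif tok[:4] == ["crypto", "engine", "mode", "vrf"] and not recir_seen:
            findings.append(("RECIR-ORDER", "enter mls mpls tunnel-recir before crypto engine mode vrf"))
    # Only ACLs that a crypto map references are held to the crypto ACL rules.
    for name in sorted(crypto_acls):
        for entry in acls.get(name, []):
            text = " ".join(entry)
            if not all(wildcard_is_contiguous(m) for m in _wildcards(entry)):
                findings.append(("ACL-WILDCARD", f"{name}: noncontiguous subnet in '{text}'"))
            if UNSUPPORTED_OPS.intersection(entry):
                findings.append(("ACL-OPERATOR", f"{name}: non-EQ operator in '{text}'"))
    return findings


if __name__ == "__main__":
    for rule, detail in lint_vrf_mode(SAMPLE_CONFIG):
        print(f"{rule:15} {detail}")
```

Access list 102 in the sample uses lt but is not referenced by a crypto map, so it is not reported.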
Supported and Unsupported Features in VRF Mode
A list of the supported and unsupported features in VRF mode can be found in the “IPSec Feature
Support” section on page 24-8. Additional details are as follows:
• Remote access into a VRF (provider edge [PE]) is supported with the following:
– Reverse Route Injection (RRI) only with crypto maps
– Proxy AAA (one VRF is proxied to a dedicated AAA)
• Customer edge-provider edge (CE-PE) encryption using tunnel protection is supported with the
following:
– Routing update propagation between CEs
– IGP/eBGP routing update propagation between the PE and CEs
Configuring VPNs in VRF Mode without Tunnel Protection
To configure a VPN in VRF mode with crypto maps and without tunnel protection, perform this task
beginning in global configuration mode:
Step 1
Command: Router(config)# mls mpls tunnel-recir
Purpose: Enables tunnel-MPLS recirculation.
Step 2
Command: Router(config)# crypto engine mode vrf
Purpose: Enables VRF mode for the IPSec VPN SPA.
Note: After enabling or disabling VRF mode using the crypto engine mode vrf command, you must reload the supervisor engine.
Step 3
Command: Router(config)# ip vrf vrf-name
Purpose: Configures a VRF routing table and enters VRF configuration mode.
• vrf-name—Name assigned to the VRF.
Step 4
Command: Router(config-vrf)# rd route-distinguisher
Purpose: Creates routing and forwarding tables for a VRF.
• route-distinguisher—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1).
Step 5
Command: Router(config-vrf)# route-target export route-target-ext-community
Purpose: Creates lists of export route-target extended communities for the specified VRF.
• route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4.
Step 6
Command: Router(config-vrf)# route-target import route-target-ext-community
Purpose: Creates lists of import route-target extended communities for the specified VRF.
• route-target-ext-community—Specifies an autonomous system number (ASN) and an arbitrary number (for example, 101:3) or an IP address and an arbitrary number (for example, 192.168.122.15:1). Enter the route-distinguisher value specified in Step 4.
Step 7
Command: Router(config-vrf)# exit
Purpose: Exits VRF configuration mode.
Step 8 Router(config)# crypto keyring keyring-name [vrf
fvrf-name]
Defines a crypto keyring to be used during IKE
authentication and enters keyring configuration
mode.
• keyring-name—Name of the crypto keyring.
• fvrf-name—(Optional) Front door virtual
routing and forwarding (FVRF) name to which
the keyring will be referenced. fvrf-name must
match the FVRF name that was defined during
virtual routing and forwarding (VRF)
configuration
Step 9 Router(config-keyring)# pre-shared-key {address
address [mask] | hostname hostname} key key
Defines a preshared key to be used for IKE
authentication.
• address [mask]—IP address of the remote peer
or a subnet and mask.
• hostname—Fully qualified domain name of the
peer.
• key—Specifies the secret key.
Step 10 Router(config-keyring)# exit Exits keyring configuration mode.
Step 11 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
Accepted values are described in the Cisco IOS
Security Command Reference.
Step 12 Router(config-crypto-trans)# exit Exits crypto transform configuration mode.
Step 13 Router(config)# crypto isakmp policy priority Defines an IKE policy and enters ISAKMP policy
configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
Step 14 Router(config-isakmp)# authentication pre-share Specifies the authentication method with an IKE
policy.
• pre-share—Specifies preshared keys as the
authentication method.
Step 15 Router(config-isakmp)# lifetime seconds Specifies the lifetime of an IKE SA.
• seconds—Number of seconds each SA should
exist before expiring. Use an integer from 60 to
86,400 seconds. Default is 86,400 (one day).
Step 16 Router(config-isakmp)# exit Exits ISAKMP policy configuration mode.
Step 17 Router(config)# crypto isakmp profile profile-name Defines an ISAKMP profile and enters ISAKMP
profile configuration mode.
• profile-name—Name of the user profile.
Step 18 Router(config-isa-prof)# vrf ivrf Defines the VRF to which the IPSec tunnel will be
mapped.
• ivrf—Name of the VRF to which the IPSec
tunnel will be mapped. Enter the same value
specified in Step 3.
Step 19 Router(config-isa-prof)# keyring keyring-name Configures a keyring within an ISAKMP profile.
• keyring-name—Keyring name. This name must
match the keyring name that was defined in
global configuration. Enter the value specified
in Step 8.
Step 20 Router(config-isa-prof)# match identity address
address [mask] [vrf]
Matches an identity from a peer in an ISAKMP
profile.
• address [mask]—IP address of the remote peer
or a subnet and mask.
• [vrf]—(Optional) This argument is only
required when configuring a front door VRF
(FVRF). This argument specifies that the
address is an FVRF instance.
Step 21 Router(config-isa-prof)# exit Exits ISAKMP profile configuration mode.
Step 22 Router(config)# access-list access-list-number {deny
| permit} ip host source host destination
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• source—Number of the host from which the
packet is being sent.
• destination—Number of the host to which the
packet is being sent.
Step 23 Router(config)# crypto map map-name seq-number
ipsec-isakmp
Creates or modifies a crypto map entry and enters
the crypto map configuration mode.
• map-name—Name that identifies the crypto
map set.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
Step 24 Router(config-crypto-map)# set peer {hostname |
ip-address}
Specifies an IPSec peer in a crypto map entry.
• {hostname | ip-address}—IPSec peer host name
or IP address. Enter the value specified in
Step 20.
Step 25 Router(config-crypto-map)# set transform-set
transform-set-name
Specifies which transform sets can be used with the
crypto map entry.
• transform-set-name—Name of the transform
set. Enter the value specified in Step 11.
Step 26 Router(config-crypto-map)# set isakmp-profile
profile-name
Sets the ISAKMP profile name.
• profile-name—Name of the ISAKMP profile.
Enter the value entered in Step 17.
Step 27 Router(config-crypto-map)# match address
[access-list-id | name]
Specifies an extended access list for the crypto map
entry.
• access-list-id—Identifies the extended access
list by its name or number. Enter the value
specified in Step 22.
• name—(Optional) Identifies the named
encryption access list. This name should match
the name argument of the named encryption
access list being matched.
Step 28 Router(config-crypto-map)# exit Exits crypto map configuration mode.
Step 29 Router(config)# crypto map map-name local-address
interface-id
Specifies and names an identifying interface to be
used by the crypto map for IPSec traffic.
• map-name—Name that identifies the crypto
map set. Enter the value specified in Step 23.
• local-address interface-id—Name of interface
that has the local address of the router.
Note The local address must belong to the FVRF.
Note In VRF mode, the VPN feature supports up
to 1024 local addresses. This limit is across
the chassis (not per VPN module).
Step 30 Router(config)# interface fastethernet slot/port Configures a Fast Ethernet interface and enters
interface configuration mode.
Step 31 Router(config-if)# ip vrf forwarding vrf-name Associates a VRF with an interface or subinterface.
• vrf-name—Name assigned to the VRF. Enter the
value specified in Step 3.
Step 32 Router(config-if)# ip address address mask Sets a primary or secondary IP address for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 33 Router(config-if)# no shutdown Enables the interface.
Step 34 Router(config-if)# interface gigabitethernet
slot/subslot/port
Configures a Gigabit Ethernet interface. Match the
value specified as the interface-id in Step 29.
Step 35 Router(config-if)# ip vrf forwarding vrf-name (Optional) Associates a VRF with an interface or
subinterface.
• vrf-name—Name assigned to the VRF.
Step 36 Router(config-if)# ip address address mask Sets a primary or secondary IP address for an
interface.
• address—IP address.
• mask—Subnet mask.
Step 37 Router(config-if)# crypto engine slot slot/subslot
outside
Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN
SPA is located.
Step 38 Router(config-if)# no shutdown Enables the interface.
Step 39 Router(config-if)# exit Exits interface configuration mode.
Step 40 Router(config)# interface vlan-id Configures a VLAN interface and enters interface
configuration mode.
• vlan-id—VLAN identifier.
Step 41 Router(config-if)# ip vrf forwarding vrf-name Associates a VRF with an interface or subinterface.
• vrf-name—Name assigned to the VRF. Enter the
value specified in Step 3.
Step 42 Router(config-if)# ip address address mask Sets a primary or secondary IP address for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 43 Router(config-if)# crypto map map-name Applies a previously defined crypto map set to an
interface.
• map-name—Name that identifies the crypto
map set. Enter the value specified in Step 23.
Step 44 Router(config-if)# crypto engine slot slot/subslot
inside
Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN
SPA is located.
Step 45 Router(config-if)# exit Exits interface configuration mode.
Step 46 Router(config)# ip route vrf vrf-name prefix mask
interface-number
Establishes static routes for a VRF.
• vrf-name—Name of the VRF for the static
route. Enter the value specified in Step 3.
• prefix—IP route prefix for the destination, in
dotted-decimal format.
• mask—Prefix mask for the destination, in dotted
decimal format.
• interface-number—Number identifying the
network interface to use. Enter the vlan-id value
specified in Step 40.
Step 47 Router(config)# end Returns to privileged EXEC mode.
For complete configuration information for VRF-Aware IPSec, refer to this URL:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vrf_aware_ipsec_ps10591_TSD_Products_Configuration_Guide_Chapter.html
For a configuration example, see the “VRF Mode Basic Configuration Example” section on page 26-22.
Configuring VPNs in VRF Mode with Tunnel Protection (GRE)
This section describes how to configure a VPN in VRF mode with tunnel protection (TP). Tunnel
protection is GRE tunneling in VRF mode.
When you configure IPSec, a crypto map is attached to an interface to enable IPSec. With tunnel
protection, there is no need for a crypto map or ACL to be attached to the interface. A crypto policy is
attached directly to the tunnel interface. Any traffic routed by the interface is encapsulated in GRE and
then encrypted using IPSec. The tunnel protection feature can be applied to point-to-point GRE.
VRF Mode Using Tunnel Protection Configuration Guidelines and Restrictions
When configuring tunnel protection on the IPSec VPN SPA, follow these guidelines and restrictions:
• Do not configure any options (such as sequence numbers or tunnel keys) that prevent the IPSec VPN
SPA from seizing the GRE tunnel.
• Do not configure the GRE tunnel keepalive feature.
• When applied to the GRE tunnel interface, the ip tcp adjust-mss command is ignored. Apply the
command to the ingress LAN interface instead. (CSCsl27876)
• Do not use crypto maps to protect GRE traffic in VRF mode.
• When a crypto map interface and a tunnel protection interface (either VTI or GRE/TP) share the
same outside interface, they cannot share the same local source address.
• To avoid fragmentation after encryption, set the tunnel IP MTU to be equal to or less than the egress
interface MTU minus the GRE and IPSec overheads. The egress interface MTU must be the smallest
MTU of all the active crypto outside interfaces.
To configure a VPN in VRF mode using tunnel protection, perform this task beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# mls mpls tunnel-recir Enables tunnel-MPLS recirculation.
Step 2 Router(config)# crypto engine mode vrf Enables VRF mode for the IPSec VPN SPA.
Note After enabling or disabling VRF mode using
the crypto engine mode vrf command, you
must reload the supervisor engine.
Step 3 Router(config)# ip vrf vrf-name Configures a VRF routing table and enters VRF
configuration mode.
• vrf-name—Name assigned to the VRF.
Step 4 Router(config-vrf)# rd route-distinguisher Creates routing and forwarding tables for a VRF.
• route-distinguisher—Specifies an autonomous
system number (ASN) and an arbitrary number
(for example, 101:3) or an IP address and an
arbitrary number (for example,
192.168.122.15:1).
Step 5 Router(config-vrf)# route-target export
route-target-ext-community
Creates lists of export route-target extended
communities for the specified VRF.
• route-target-ext-community—Specifies an
autonomous system number (ASN) and an
arbitrary number (for example, 101:3) or an IP
address and an arbitrary number (for example,
192.168.122.15:1). Enter the
route-distinguisher value specified in Step 4.
Step 6 Router(config-vrf)# route-target import
route-target-ext-community
Creates lists of import route-target extended
communities for the specified VRF.
• route-target-ext-community—Specifies an
autonomous system number (ASN) and an
arbitrary number (for example, 101:3) or an IP
address and an arbitrary number (for example,
192.168.122.15:1). Enter the
route-distinguisher value specified in Step 4.
Step 7 Router(config-vrf)# exit Exits VRF configuration mode.
Step 8 Router(config)# crypto keyring keyring-name [vrf
fvrf-name]
Defines a crypto keyring to be used during IKE
authentication and enters keyring configuration
mode.
• keyring-name—Name of the crypto keyring.
• fvrf-name—(Optional) Front door virtual
routing and forwarding (FVRF) name to which
the keyring will be referenced. fvrf-name must
match the FVRF name that was defined during
virtual routing and forwarding (VRF)
configuration.
Step 9 Router(config-keyring)# pre-shared-key {address
address [mask] | hostname hostname} key key
Defines a preshared key to be used for IKE
authentication.
• address [mask]—IP address of the remote peer
or a subnet and mask.
• hostname—Fully qualified domain name of the
peer.
• key—Specifies the secret key.
Step 10 Router(config-keyring)# exit Exits keyring configuration mode.
Step 11 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
Accepted values are described in the Cisco IOS
Security Command Reference.
Step 12 Router(config-crypto-trans)# exit Exits crypto transform configuration mode.
Step 13 Router(config)# crypto isakmp policy priority Defines an IKE policy and enters ISAKMP policy
configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
Step 14 Router(config-isakmp)# authentication pre-share Specifies the authentication method with an IKE
policy.
• pre-share—Specifies preshared keys as the
authentication method.
Step 15 Router(config-isakmp)# lifetime seconds Specifies the lifetime of an IKE SA.
• seconds—Number of seconds each SA should
exist before expiring. Use an integer from 60 to
86,400 seconds. Default is 86,400 (one day).
Step 16 Router(config-isakmp)# exit Exits ISAKMP policy configuration mode.
Step 17 Router(config)# crypto isakmp profile profile-name Defines an ISAKMP profile and enters ISAKMP
profile configuration mode.
• profile-name—Name of the user profile.
Step 18 Router(config-isa-prof)# keyring keyring-name Configures a keyring within an ISAKMP profile.
• keyring-name—Keyring name. This name must
match the keyring name that was defined in
global configuration. Enter the value specified
in Step 8.
Step 19 Router(config-isa-prof)# match identity address
address [mask]
Matches an identity from a peer in an ISAKMP
profile.
• address [mask]—IP address of the remote peer
or a subnet and mask.
Step 20 Router(config-isa-prof)# exit Exits ISAKMP profile configuration mode.
Step 21 Router(config)# access-list access-list-number {deny
| permit} ip host source host destination
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• source—Number of the host from which the
packet is being sent.
• destination—Number of the host to which the
packet is being sent.
Step 22 Router(config)# crypto ipsec profile profile-name Defines an IPSec profile and enters IPSec profile
configuration mode.
• profile-name—Name of the user profile.
Step 23 Router(config-ipsec-profile)# set transform-set
transform-set-name
Specifies which transform sets can be used with the
crypto map entry.
• transform-set-name—Name of the transform
set. Enter the value specified in Step 11.
Step 24 Router(config-ipsec-profile)# set isakmp-profile
profile-name
Sets the ISAKMP profile name.
• profile-name—Name of the ISAKMP profile.
Enter the value entered in Step 17.
Step 25 Router(config-ipsec-profile)# exit Exits IPSec profile configuration mode.
Step 26 Router(config)# interface tunnel-number Configures a tunnel interface and enters interface
configuration mode.
• tunnel-number—Name assigned to the tunnel
interface.
Step 27 Router(config-if)# ip vrf forwarding vrf-name (Optional) Associates a VRF with an interface or
subinterface.
• vrf-name—Name assigned to the VRF. Enter the
value specified in Step 3.
Step 28 Router(config-if)# ip address address mask Sets a primary or secondary IP address for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 29 Router(config-if)# tunnel source ip-address Sets the source address of a tunnel interface.
• ip-address—IP address to use as the source
address for packets in the tunnel.
Step 30 Router(config-if)# tunnel vrf vrf-name (Optional) Associates a VPN routing and
forwarding instance (VRF) with a specific tunnel
destination, interface or subinterface. This step is
only required when configuring a front door VRF
(FVRF).
• vrf-name—Name assigned to the VRF.
Step 31 Router(config-if)# tunnel destination ip-address Sets the destination address of a tunnel interface.
• ip-address—IP address to use as the destination
address for packets in the tunnel.
Step 32 Router(config-if)# tunnel protection ipsec profile
crypto-policy-name
Associates a tunnel interface with an IPSec profile.
• crypto-policy-name—The value as specified in
Step 22.
Step 33 Router(config-if)# crypto engine slot slot/subslot
inside
Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN
SPA is located.
Step 34 Router(config-if)# interface fastethernet
slot/subslot
Configures a Fast Ethernet interface.
Step 35 Router(config-if)# ip vrf forwarding vrf-name (Optional) Associates a VRF with an interface or
subinterface.
• vrf-name—Name assigned to the VRF.
Step 36 Router(config-if)# ip address address mask Sets a primary or secondary IP address for an
interface.
• address—IP address.
• mask—Subnet mask.
Step 37 Router(config-if)# no shutdown Enables the interface.
Step 38 Router(config-if)# interface type slot/subslot/port Configures the physical egress interface.
Step 39 Router(config-if)# ip vrf forwarding vrf-name (Optional) Associates a VRF with an interface or
subinterface.
• vrf-name—Name assigned to the VRF.
Step 40 Router(config-if)# ip address address mask Sets a primary or secondary IP address for an
interface.
• address—IP address. Enter the value specified
in Step 29.
• mask—Subnet mask.
Step 41 Router(config-if)# crypto engine slot slot/subslot
outside
Assigns the crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN
SPA is located.
Step 42 Router(config-if)# no shutdown Enables the interface.
Step 43 Router(config-if)# exit Exits interface configuration mode.
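The steps above depend on names entered earlier (the keyring in Step 18, the transform set and ISAKMP profile in Steps 23 and 24, the IPSec profile in Step 32, the VRF from Step 3), and the guidelines rule out keepalives, tunnel keys and sequence numbers on the protected tunnel. The following Python audit is an added example, not part of the Cisco guide; the sample configuration is constructed and its names (ivrf, key1, ts1, prof1, tp, slot 4/0) are assumptions.

```python
"""Audit a VRF-mode tunnel protection config for broken name references."""
import re

# kind -> top-level command that defines a name of that kind
DEFINITIONS = {
    "vrf": r"ip vrf (\S+)$",
    "keyring": r"crypto keyring (\S+)",
    "transform-set": r"crypto ipsec transform-set (\S+)",
    "isakmp-profile": r"crypto isakmp profile (\S+)$",
    "ipsec-profile": r"crypto ipsec profile (\S+)$",
}
# (kind, command that must name something already defined)
REFERENCES = [
    ("vrf", r"(?:ip vrf forwarding|tunnel vrf|vrf) (\S+)$"),
    ("vrf", r"crypto keyring \S+ vrf (\S+)$"),
    ("keyring", r"keyring (\S+)$"),
    ("transform-set", r"set transform-set (.+)$"),
    ("isakmp-profile", r"set isakmp-profile (\S+)$"),
    ("ipsec-profile", r"tunnel protection ipsec profile (\S+)"),
]
# GRE options the guidelines rule out on a protected tunnel
FORBIDDEN = ("keepalive", "tunnel key", "tunnel sequence-datagrams")

def parse_sections(config):
    """Return [(top-level command, [indented sub-commands])] from IOS config text."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def section_rules(head, body):
    """Value-range and restriction checks for one section."""
    issues = []
    if re.match(r"crypto isakmp policy \d+$", head):
        for line in body:
            m = re.match(r"lifetime (\d+)$", line)
            if m and not 60 <= int(m.group(1)) <= 86400:
                issues.append(f"IKE lifetime {m.group(1)} is outside 60-86400 seconds")
    protected = any(line.startswith("tunnel protection ipsec") for line in body)
    if head.lower().startswith("interface tunnel") and protected:
        for line in body:
            if line.startswith(FORBIDDEN):
                issues.append(f"'{line}' is not allowed on a protected GRE tunnel")
        if not any(re.match(r"crypto engine slot \S+ inside$", l) for l in body):
            issues.append("tunnel has no 'crypto engine slot ... inside'")
    return issues

def audit(config):
    """Return [(section, message)] for every problem, in configuration order."""
    sections = parse_sections(config)
    defined = {kind: set() for kind in DEFINITIONS}
    for head, _ in sections:
        for kind, pattern in DEFINITIONS.items():
            m = re.match(pattern, head)
            if m:
                defined[kind].add(m.group(1))
    findings = []
    if all(head != "crypto engine mode vrf" for head, _ in sections):
        findings.append(("global", "crypto engine mode vrf is not configured"))
    for head, body in sections:
        for line in [head] + body:
            for kind, pattern in REFERENCES:
                m = re.match(pattern, line)
                for name in (m.group(1).split() if m else []):
                    if name not in defined[kind]:
                        findings.append((head, f"{kind} '{name}' is not defined"))
        findings.extend((head, issue) for issue in section_rules(head, body))
    return findings

# Constructed sample with three deliberate mistakes; all names are made up.
SAMPLE = """\
crypto engine mode vrf
ip vrf ivrf
crypto keyring key1
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
crypto isakmp policy 1
 lifetime 30
crypto isakmp profile prof1
 keyring key2
crypto ipsec profile tp
 set transform-set ts1
 set isakmp-profile prof1
interface Tunnel1
 ip vrf forwarding ivrf
 keepalive 10 3
 tunnel source 10.0.149.203
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile tp
 crypto engine slot 4/0 inside
"""

if __name__ == "__main__":
    print("\n".join(f"{where}: {what}" for where, what in audit(SAMPLE)))
```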
For a configuration example, see the “VRF Mode Tunnel Protection Configuration Example” section on
page 26-32.
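The tunnel protection guidelines in this section require the tunnel IP MTU to be no larger than the egress interface MTU minus the GRE and IPSec overheads. The IPSec overhead is not a fixed number because ESP pads to the cipher block size, so the following Python calculation is an added example, not part of the Cisco guide. It assumes IPv4 without options, ESP with a CBC cipher and a 96-bit HMAC, no NAT traversal, and a GRE header without key or sequence number.

```python
"""Tunnel IP MTU that keeps GRE-over-ESP packets within the egress MTU."""

IPV4_HEADER = 20   # outer IPv4 header without options
GRE_HEADER = 4     # base GRE header (no key, sequence number or checksum)
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length and next-header bytes, encrypted with the payload
MIN_IPV4_MTU = 68  # smallest MTU an IPv4 link may have (RFC 791)

# IOS transform keyword -> (cipher block size, IV length), in bytes
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}
# IOS transform keyword -> ICV length in bytes (HMAC output truncated to 96 bits)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def protected_bytes(inner_len, mode):
    """Bytes ESP has to encrypt for one inner IP packet of `inner_len` bytes."""
    if mode == "transport":   # the GRE delivery header doubles as the ESP outer header
        return GRE_HEADER + inner_len
    if mode == "tunnel":      # the whole GRE/IP packet is wrapped in a new IP header
        return IPV4_HEADER + GRE_HEADER + inner_len
    raise ValueError(f"unknown IPSec mode: {mode!r}")


def wire_size(inner_len, cipher, auth, mode="tunnel"):
    """Size of the encrypted packet as it leaves the outside interface."""
    block, iv = CIPHERS[cipher]
    plaintext = protected_bytes(inner_len, mode) + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block size
    return IPV4_HEADER + ESP_HEADER + iv + padded + AUTHS[auth]


def max_tunnel_ip_mtu(outside_mtus, cipher, auth, mode="tunnel"):
    """Largest tunnel IP MTU that never fragments after encryption."""
    egress = min(outside_mtus)   # the smallest active crypto outside interface decides
    block, iv = CIPHERS[cipher]
    room = egress - IPV4_HEADER - ESP_HEADER - iv - AUTHS[auth]
    largest_plaintext = (room // block) * block
    mtu = largest_plaintext - ESP_TRAILER - protected_bytes(0, mode)
    if mtu < MIN_IPV4_MTU:
        raise ValueError(f"egress MTU {egress} is too small for GRE over ESP")
    return mtu


if __name__ == "__main__":
    # Constructed case: one 1500-byte outside interface.
    for cipher in ("esp-3des", "esp-aes"):
        for mode in ("tunnel", "transport"):
            mtu = max_tunnel_ip_mtu([1500], cipher, "esp-sha-hmac", mode)
            print(f"{cipher:9} {mode:9} tunnel IP MTU <= {mtu}")
```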
Configuring an IPSec Virtual Tunnel Interface
The IPSec Virtual Tunnel Interface (VTI) provides a routable interface type for terminating IPSec
tunnels that greatly simplifies the configuration process when you need to provide protection for remote
access, and provides a simpler alternative to using GRE tunnels and crypto maps with IPSec. In addition,
the IPSec VTI simplifies network management and load balancing.
Note IPSec VTI is supported in Cisco IOS Release 12.2(33)SRA and later releases, and is not supported in
crypto-connect mode.
Note the following details about IPSec VTI routing and traffic encryption:
• You can enable routing protocols on the tunnel interface so that routing information can be
propagated over the virtual tunnel. The router can establish neighbor relationships over the virtual
tunnel interface. Interoperability with standard-based IPSec installations is possible through the use
of the IP ANY ANY proxy. The static IPSec interface will negotiate and accept IP ANY ANY
proxies.
• The IPSec VTI supports native IPSec tunneling and exhibits most of the properties of a physical
interface.
• In the IPSec VTI, encryption occurs in the tunnel. Traffic is encrypted when it is forwarded to the
tunnel interface. Traffic forwarding is handled by the IP routing table, and dynamic or static IP
routing can be used to route the traffic to the virtual tunnel interface. Using IP routing to forward
the traffic to encryption simplifies the IPSec VPN configuration because the use of ACLs with a
crypto map in native IPSec configurations is not required. When IPSec VTIs are used, you can
separate applications of NAT, ACLs, and QoS, and apply them to clear text or encrypted text, or
both. When crypto maps are used, there is no easy way to specify forced encryption features.
IPSec Virtual Tunnel Interface Configuration Guidelines and Restrictions
When configuring IPSec VTI, follow these guidelines and restrictions:
• A VTI tunnel can terminate either in a VRF (normal VRF mode) or in the global context (with no
ip vrf forwarding command on the tunnel interface).
• Only static VTI is supported.
• Only strict IP ANY ANY proxy is supported.
• The IPSec transform set must be configured only in tunnel mode.
• The IKE security association (SA) is bound to the virtual tunnel interface. Because it is bound to the
virtual tunnel interface, the same IKE SA cannot be used for a crypto map.
• When the mls mpls tunnel-recir command is applied in a VTI configuration, one reserved VLAN
is allocated to each tunnel. As a result, there will be a maximum limit of 1000 VTI tunnels.
• In releases earlier than Cisco IOS Release 12.2(33)SRE, the following guidelines apply:
– The IPSec virtual tunnel interface is limited to IP unicast, as opposed to GRE tunnels, which
have a wider application for IPSec implementation.
– Multicast over VTI is not supported except for control plane traffic such as routing protocol
updates.
• In Cisco IOS Release 12.2(33)SRE and later releases, the following guidelines apply:
– A static VTI tunnel interface supports multicast traffic.
– ACLs can be applied to GRE and static VTI tunnel interfaces participating in multicast traffic.
– Platform QoS features can be applied to GRE and static VTI tunnel interfaces participating in
multicast traffic.
Configuring an IPSec Static Tunnel
To configure a static IPSec virtual tunnel interface, perform this task beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# mls mpls tunnel-recir Enables tunnel-MPLS recirculation.
Step 2 Router(config)# crypto engine mode vrf Enables VRF mode for the IPSec VPN SPA.
Note After enabling or disabling VRF mode using
the crypto engine mode vrf command, you
must reload the supervisor engine.
Step 3 Router(config)# ip vrf vrf-name Configures a VRF routing table and enters VRF
configuration mode.
• vrf-name—Name assigned to the VRF.
Step 4 Router(config-vrf)# rd route-distinguisher Creates routing and forwarding tables for a VRF.
• route-distinguisher—Specifies an autonomous
system number (ASN) and an arbitrary number
(for example, 101:3) or an IP address and an
arbitrary number (for example,
192.168.122.15:1).
Step 5 Router(config-vrf)# route-target export
route-target-ext-community
Creates lists of export route-target extended
communities for the specified VRF.
• route-target-ext-community—Specifies an
autonomous system number (ASN) and an
arbitrary number (for example, 101:3) or an IP
address and an arbitrary number (for example,
192.168.122.15:1). Enter the
route-distinguisher value specified in Step 4.
Step 6 Router(config-vrf)# route-target import
route-target-ext-community
Creates lists of import route-target extended
communities for the specified VRF.
• route-target-ext-community—Specifies an
autonomous system number (ASN) and an
arbitrary number (for example, 101:3) or an IP
address and an arbitrary number (for example,
192.168.122.15:1). Enter the
route-distinguisher value specified in Step 4.
Step 7 Router(config-vrf)# exit Exits VRF configuration mode.
Step 8 Router(config)# crypto keyring keyring-name [vrf
fvrf-name]
Defines a crypto keyring to be used during IKE
authentication and enters keyring configuration
mode.
• keyring-name—Name of the crypto keyring.
• fvrf-name—(Optional) Front door virtual
routing and forwarding (FVRF) name to which
the keyring will be referenced. fvrf-name must
match the FVRF name that was defined during
virtual routing and forwarding (VRF)
configuration.
Step 9 Router(config-keyring)# pre-shared-key {address
address [mask] | hostname hostname} key key
Defines a preshared key to be used for IKE
authentication.
• address [mask]—IP address of the remote peer
or a subnet and mask.
• hostname—Fully qualified domain name of the
peer.
• key—Specifies the secret key.
Step 10 Router(config-keyring)# exit Exits keyring configuration mode.
Step 11 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
Accepted values are described in the Cisco IOS
Security Command Reference.
Step 12 Router(config-crypto-trans)# exit Exits crypto transform configuration mode.
Step 13 Router(config)# crypto isakmp policy priority Defines an IKE policy and enters ISAKMP policy
configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
Step 14 Router(config-isakmp)# authentication pre-share Specifies the authentication method with an IKE
policy.
• pre-share—Specifies preshared keys as the
authentication method.
Step 15 Router(config-isakmp)# lifetime seconds Specifies the lifetime of an IKE SA.
• seconds—Number of seconds each SA should
exist before expiring. Use an integer from 60 to
86,400 seconds. Default is 86,400 (one day).
Step 16 Router(config-isakmp)# exit Exits ISAKMP policy configuration mode.
Step 17 Router(config)# crypto ipsec profile profile-name Defines an IPSec profile and enters IPSec profile
configuration mode. The IPSec profile defines the IP
Security (IPSec) parameters that are to be used for
IPSec encryption between two IPSec routers.
• profile-name—Name of the user profile.
Step 18 Router(config-ipsec-profile)# set transform-set
transform-set-name [transform-set-name2
...transform-set-name6]
Specifies which transform sets can be used with the
crypto map entry.
• transform-set-name—Name of the transform
set.
Step 19 Router(config)# interface type slot/[subslot]/port Configures an interface type.
• type—Type of interface being configured.
• slot/[subslot]/port—Number of the slot, subslot
(optional), and port to be configured.
Step 20 Router(config-if)# ip vrf forwarding vrf-name (Optional) Associates a VRF with an interface or
subinterface.
• vrf-name—Name assigned to the VRF.
Step 21 Router(config-if)# ip address address mask Sets a primary or secondary IP address for an
interface.
• address—IP address.
• mask—Subnet mask.
Step 22 Router(config-if)# tunnel mode ipsec ipv4 Defines the mode for the tunnel as IPSec and the
transport as IPv4.
Step 23 Router(config-if)# tunnel source ip-address Sets the source address of a tunnel interface.
• ip-address—IP address to use as the source
address for packets in the tunnel.
Step 24 Router(config-if)# tunnel destination ip-address Sets the destination address of a tunnel interface.
• ip-address—IP address to use as the destination
address for packets in the tunnel.
Step 25 Router(config-if)# tunnel vrf vrf-name (Optional) Associates a VPN routing and
forwarding instance (VRF) with a specific tunnel
destination. This step is only required when
configuring a front door VRF (FVRF).
• vrf-name—Name assigned to the VRF.
Step 26 Router(config-if)# tunnel protection ipsec profile
name
Associates a tunnel interface with an IPSec profile.
• name—Name of the IPSec profile; this value
must match the name specified in the crypto
ipsec profile command in Step 1.
Step 27 Router(config-if)# crypto engine slot slot/subslot
inside
Assigns the specified crypto engine to the interface.
• slot/subslot—The slot where the IPSec VPN
SPA is located.
Step 28 Router(config-if)# interface type slot/subslot/port Configures the physical egress interface.
Step 29 Router(config-if)# ip vrf forwarding vrf-name (Optional) Associates a VRF with an interface or
subinterface.
• vrf-name—Name assigned to the VRF.
Step 30 Router(config-if)# ip address address mask Sets a primary or secondary IP address for an
interface.
• address—IP address. Enter the value specified
in Step 23.
• mask—Subnet mask.
Step 31 Router(config-if)# crypto engine outside Assigns the crypto engine to the interface.
Step 32 Router(config-if)# no shutdown Enables the interface.
Step 33 Router(config-if)# exit Exits interface configuration mode.
Verifying the IPSec Virtual Tunnel Interface Configuration
To confirm that your IPSec virtual tunnel interface configuration is working properly, enter the show
interfaces tunnel, show crypto session, and show ip route commands.
The show interfaces tunnel command displays tunnel interface information, the show crypto session
command displays status information for active crypto sessions, and the show ip route command
displays the current state of the routing table.
In this display, Tunnel 0 is up and the line protocol is up. If the line protocol is down, the session is
not active.
Router1# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.0.51.203/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 103/255, rxload 110/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.0.149.203, destination 10.0.149.217
Tunnel protocol/transport IPSEC/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled, fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "P1")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 13000 bits/sec, 34 packets/sec
30 second output rate 36000 bits/sec, 34 packets/sec
191320 packets input, 30129126 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
59968 packets output, 15369696 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Router1# show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.149.217 port 500
IKE SA: local 10.0.149.203/500 remote 10.0.149.217/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 4, origin: crypto map
Router1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.35.0/24 is directly connected, Ethernet3/3
S 10.0.36.0/24 is directly connected, Tunnel0
C 10.0.51.0/24 is directly connected, Tunnel0
C 10.0.149.0/24 is directly connected, Ethernet3/0
For more complete information about IPSec Virtual Tunnel Interface, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
For IPSec Virtual Tunnel Interface configuration examples, see the “IPSec Virtual Tunnel Interfaces
Configuration Examples” section on page 26-35.
Configuring VTI in the Global Context
With Cisco IOS Release 12.2(33)SRA and later releases, you can configure IPSec VTI without having
to configure VRFs. Although VRF mode must be configured globally using the crypto engine mode vrf
command, tunnels can be terminated in the global context rather than in VRFs.
The configuration steps for VTI in the global context are similar to the steps for IPSec VTI shown in the
“Configuring an IPSec Static Tunnel” section on page 26-17 with the exception that the ip vrf
forwarding vrf-name command and the tunnel vrf vrf-name command are not required.
For a configuration example of IPSec VTI in the global context, see the “IPSec Virtual Tunnel Interfaces
Configuration Examples” section on page 26-35.
Configuration Examples
The following sections provide examples of VRF mode configurations:
• VRF Mode Basic Configuration Example
• VRF Mode Remote Access Using Easy VPN Configuration Example
• VRF Mode PE Configuration Example
• VRF Mode CE Configuration Example
• VRF Mode Tunnel Protection Configuration Example
• IP Multicast in VRF Mode Configuration Example
• IPSec Virtual Tunnel Interfaces Configuration Examples
Note When the ip vrf forwarding command is applied to a VLAN, any previously existing IP address
assigned to that VLAN is removed. To assign an IP address to the VLAN, enter the ip address command
after the ip vrf forwarding command, not preceding it.
Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
In Cisco IOS Release 12.2(33)SRA and later releases, the crypto engine subslot command used in
previous releases has been replaced with the crypto engine slot command (of the form crypto engine
slot slot/subslot {inside | outside}). The crypto engine subslot command is no longer supported. When
upgrading, ensure that this command has been modified in your start-up configuration to avoid extended
maintenance time.
VRF Mode Basic Configuration Example
The following example shows a basic IPSec VPN SPA configuration using VRF mode:
Router 1 Configuration
hostname router-1
!
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key0
pre-shared-key address 11.0.0.2 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp profile prof1
vrf ivrf
keyring key0
match identity address 11.0.0.2 255.255.255.255
!
!
crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal1
set isakmp-profile prof1
match address 101
!
interface GigabitEthernet1/1
!switch inside port
ip vrf forwarding ivrf
ip address 12.0.0.1 255.255.255.0
!
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip vrf forwarding ivrf
ip address 13.0.0.252 255.255.255.0
crypto map testtag
crypto engine slot 4/0 inside
!
interface Vlan3
ip address 11.0.0.1 255.255.255.0
crypto engine slot 4/0 outside
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
Router 2 Configuration
hostname router-2
!
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key0
pre-shared-key address 11.0.0.1 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp profile prof1
vrf ivrf
keyring key0
match identity address 11.0.0.1 255.255.255.255
!
!
crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set proposal1
set isakmp-profile prof1
match address 101
!
interface GigabitEthernet1/1
!switch inside port
ip vrf forwarding ivrf
ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip vrf forwarding ivrf
ip address 12.0.0.252 255.255.255.0
crypto map testtag
crypto engine slot 4/0 inside
!
interface Vlan3
ip address 11.0.0.2 255.255.255.0
crypto engine slot 4/0 outside
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
VRF Mode Remote Access Using Easy VPN Configuration Example
The following examples show VRF mode configurations for remote access using Easy VPN, first using
RADIUS authentication, then using local authentication:
Using RADIUS Authentication
aaa group server radius acs-vrf1
server-private 192.1.1.251 auth-port 1812 acct-port 1813 key allegro
ip vrf forwarding vrf1
!
aaa authentication login test_list group acs-vrf1
aaa authorization network test_list group acs-vrf1
aaa accounting network test_list start-stop group acs-vrf1
!
ip vrf ivrf
rd 1:1
route-target export 1:1
route-target import 1:1
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group test
key world
pool pool1
!
crypto isakmp profile test_pro
vrf ivrf
match identity group test
client authentication list test_list
isakmp authorization list test_list
client configuration address respond
accounting test_list
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
crypto dynamic-map remote 1
set transform-set t3
set isakmp-profile test_pro
reverse-route
!
!
crypto map map-ra local-address GigabitEthernet2/1
crypto map map-ra 10 ipsec-isakmp dynamic remote
!
interface GigabitEthernet2/1
mtu 9216
ip address 120.0.0.254 255.255.255.0
ip flow ingress
logging event link-status
mls qos trust ip-precedence
crypto engine slot 1/0 outside
!
interface GigabitEthernet1/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,1002-1005
switchport mode trunk
mtu 9216
mls qos trust ip-precedence
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
mls qos trust ip-precedence
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan100
ip vrf forwarding vrf1
ip address 120.0.0.100 255.255.255.0
no mop enabled
crypto map map-ra
crypto engine slot 1/0 inside
ip local pool pool1 100.0.1.1 100.0.5.250
Using Local Authentication
username t1 password 0 cisco
aaa new-model
!
aaa authentication login test_list local
aaa authorization network test_list local
!
aaa session-id common
!
ip vrf ivrf
rd 1:2
route-target export 1:2
route-target import 1:2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group test
key world
pool pool1
crypto isakmp profile test_pro
vrf ivrf
match identity group test
client authentication list test_list
isakmp authorization list test_list
client configuration address respond
accounting test_list
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
crypto dynamic-map remote 10
set transform-set t3
set isakmp-profile test_pro
reverse-route
!
!
crypto map map-ra local-address GigabitEthernet2/1
crypto map map-ra 11 ipsec-isakmp dynamic remote
!
!
!
interface GigabitEthernet2/1
mtu 9216
ip address 120.0.0.254 255.255.255.0
ip flow ingress
logging event link-status
mls qos trust ip-precedence
crypto engine slot 1/0 outside
!
!
interface GigabitEthernet1/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,1002-1005
switchport mode trunk
mtu 9216
mls qos trust ip-precedence
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
mls qos trust ip-precedence
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan100
ip vrf forwarding ivrf
ip address 120.0.0.100 255.255.255.0
ip flow ingress
crypto map map-ra
crypto engine slot 1/0 inside
!
!
ip local pool pool1 100.0.1.1 100.0.5.250
VRF Mode PE Configuration Example
The following example shows a VRF mode configuration for a provider edge (PE):
!
version 12.2
!
hostname EXAMPLE-PE
!
no aaa new-model
ip subnet-zero
!
ip vrf vrf1
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto engine mode vrf
!
redundancy
mode sso
main-cpu
auto-sync running-config
auto-sync standard
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
power redundancy-mode combined
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
crypto keyring key0
pre-shared-key address 11.0.0.1 key mykey
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 500
crypto isakmp profile prof1
vrf vrf1
keyring key0
self-identity user-fqdn a@example.com
match identity address 11.0.0.1 255.255.255.255
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.1
set security-association lifetime seconds 1000
set transform-set proposal1
set pfs group2
set isakmp-profile prof1
match address 101
!
interface GigabitEthernet1/1
no ip address
shutdown
!
interface GigabitEthernet1/2
switchport
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet1/14
ip vrf forwarding vrf1
ip address 13.0.0.1 255.255.255.0
!
interface GigabitEthernet6/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet6/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet7/1
no ip address
shutdown
!
interface GigabitEthernet7/2
ip address 17.1.5.4 255.255.0.0
media-type rj45
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip vrf forwarding vrf1
ip address 12.0.0.252 255.255.255.0
crypto map testtag
crypto engine subslot 6/0
!
interface Vlan3
ip address 11.0.0.2 255.255.255.0
crypto engine subslot 6/0
!
ip classless
ip route 223.255.254.0 255.255.255.0 17.1.0.1
!
no ip http server
!
access-list 101 permit ip host 13.0.0.2 host 12.0.0.2
!
control-plane
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line vty 0 4
login
!
end
VRF Mode CE Configuration Example
The following example shows a VRF mode configuration for a customer edge (CE):
!
version 12.2
!
hostname EXAMPLE-CE
!
no aaa new-model
ip subnet-zero
!
redundancy
mode sso
main-cpu
auto-sync running-config
auto-sync standard
spanning-tree mode pvst
!
power redundancy-mode combined
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 500
crypto isakmp key mykey address 11.0.0.2
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set security-association lifetime seconds 1000
set transform-set proposal1
set pfs group2
match address 101
!
interface GigabitEthernet1/1
ip address 12.0.0.1 255.255.255.0
load-interval 30
no keepalive
!
interface GigabitEthernet1/2
switchport
switchport access vlan 3
switchport mode access
no ip address
!
interface GigabitEthernet5/2
ip address 17.1.5.3 255.255.0.0
media-type rj45
!
interface GigabitEthernet6/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet6/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet6/1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet6/1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 11.0.0.1 255.255.255.0
no mop enabled
crypto map testtag
crypto engine subslot 6/0
!
interface Vlan3
no ip address
crypto connect vlan 2
!
ip classless
ip route 13.0.0.0 255.0.0.0 11.0.0.2
ip route 223.255.254.0 255.255.255.0 17.1.0.1
!
no ip http server
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
!
control-plane
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line vty 0 4
login
!
end
VRF Mode Tunnel Protection Configuration Example
The following example shows a VRF mode configuration with tunnel protection:
ip vrf coke
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto keyring key1
pre-shared-key address 100.1.1.1 key happy-eddie
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp profile prof1
keyring key1
match identity address 100.1.1.1 255.255.255.255
!
crypto ipsec transform-set TR esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile tp
set transform-set TR
set isakmp-profile prof1
!
!
crypto engine mode vrf
!
interface Tunnel1
ip vrf forwarding coke
ip address 10.1.1.254 255.255.255.0
tunnel source 172.1.1.1
tunnel destination 100.1.1.1
tunnel protection ipsec profile tp
crypto engine slot 4/0 inside
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
flowcontrol receive on
flowcontrol send off
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
cdp enable
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
no ip address
flowcontrol receive on
flowcontrol send off
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
cdp enable
spanning-tree portfast trunk
!
interface GigabitEthernet6/1
ip address 172.1.1.1 255.255.255.0
crypto engine slot 4/0 outside
!
interface FastEthernet7/13
ip vrf forwarding coke
ip address 13.1.1.2 255.255.255.0
!
ip route 100.1.1.1 255.255.255.255 Tunnel1
IP Multicast in VRF Mode Configuration Example
Note If two IPSec VPN SPAs are present in the Cisco 7600 SSC-400, one will be shut down if the hw-module
slot X subslot Y only command is in the configuration. In this case, the IPSec VPN SPA in subslot Y
will be active, and the IPSec VPN SPA in the other subslot will be disabled.
The following example shows how to configure IP multicast over GRE:
hostname router-1
!
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
!
!
ip multicast-routing vrf ivrf
!
crypto engine mode vrf
!
!
hw-module slot 4 subslot 0 only
!
crypto keyring key1
pre-shared-key address 11.0.0.0 255.0.0.0 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp profile isa_prof
keyring key1
match identity address 11.0.0.0 255.0.0.0
!
crypto ipsec transform-set proposal esp-3des
mode transport
!
crypto ipsec profile vpnprof
set transform-set proposal
set isakmp-profile isa_prof
!
!
!
interface Tunnel1
ip vrf forwarding ivrf
ip address 20.1.1.1 255.255.255.0
ip mtu 9216
ip hold-time eigrp 1 3600
ip pim sparse-mode
tunnel source 1.0.1.1
tunnel destination 11.1.1.1
tunnel protection ipsec profile vpnprof
crypto engine slot 4/0 inside
!
interface Loopback1
ip address 1.0.1.1 255.255.255.0
!
interface GigabitEthernet1/1
mtu 9216
ip vrf forwarding ivrf
ip address 50.1.1.1 255.0.0.0
ip pim sparse-mode
!
interface GigabitEthernet1/2
mtu 9216
ip address 9.1.1.1 255.255.255.0
crypto engine slot 4/0 outside
!
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
router eigrp 1
!
address-family ipv4 vrf ivrf
autonomous-system 1
network 20.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes
exit-address-family
!
router ospf 1
log-adjacency-changes
network 1.0.0.0 0.255.255.255 area 0
network 9.0.0.0 0.255.255.255 area 0
!
ip pim vrf ivrf rp-address 50.1.1.1
!
IPSec Virtual Tunnel Interfaces Configuration Examples
The following examples show VRF mode configurations that use VTI:
• IPSec Virtual Tunnel Interface FVRF Configuration Example
• IPSec Virtual Tunnel Interface in the Global Context Configuration Example
• IPsec Virtual Tunnel Interface Multicast Configuration Example
IPSec Virtual Tunnel Interface FVRF Configuration Example
The following example configuration shows an FVRF VTI configuration:
hostname router-1
!
!
ip vrf fvrf
rd 2000:1
route-target export 2000:1
route-target import 2000:1
!
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto engine mode vrf
!
crypto keyring key1 vrf fvrf
pre-shared-key address 11.1.1.1 key cisco47
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp profile isa_prof
keyring key1
match identity address 11.1.1.1 255.255.255.255 fvrf
crypto ipsec transform-set proposal esp-3des esp-sha-hmac
!
!
crypto ipsec profile vpnprof
set transform-set proposal
set isakmp-profile isa_prof
!
!
!
!
!
interface Tunnel1
ip vrf forwarding ivrf
ip address 20.1.1.1 255.255.255.0
ip pim sparse-mode
ip ospf network broadcast
ip ospf priority 2
tunnel source 1.0.0.1
tunnel destination 11.1.1.1
tunnel mode ipsec ipv4
tunnel vrf fvrf
tunnel protection ipsec profile vpnprof
crypto engine slot 4/0 inside
!
interface Loopback1
ip vrf forwarding fvrf
ip address 1.0.0.1 255.255.255.0
!
interface GigabitEthernet1/1
!switch inside port
ip vrf forwarding ivrf
ip address 50.0.0.1 255.255.255.0
!
interface GigabitEthernet1/2
!switch outside port
ip vrf forwarding fvrf
ip address 9.1.1.1 255.255.255.0
crypto engine slot 4/0 outside
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
router ospf 1 vrf ivrf
log-adjacency-changes
network 20.1.1.0 0.0.0.255 area 0
network 21.1.1.0 0.0.0.255 area 0
network 50.0.0.0 0.0.0.255 area 0
!
ip classless
ip route vrf fvrf 11.1.1.0 255.255.255.0 9.1.1.254
IPSec Virtual Tunnel Interface in the Global Context Configuration Example
The following example configuration shows IPSec VTI configuration in the global context:
!
crypto engine mode vrf
!
crypto keyring key1
pre-shared-key address 14.0.0.2 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp profile prof1
keyring key1
match identity address 14.0.0.2 255.255.255.255
!
crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac
!
crypto ipsec profile prof1
set transform-set t-set1
set isakmp-profile prof1
!
!
interface Tunnel1
ip address 122.0.0.2 255.255.255.0
tunnel source 15.0.0.2
tunnel destination 14.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof1
crypto engine slot 2/0 inside
!
interface Loopback2
ip address 15.0.0.2 255.255.255.0
!
interface GigabitEthernet1/3
ip address 172.2.1.1 255.255.255.0
crypto engine slot 2/0 outside
!
interface GigabitEthernet2/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
!
ip route 14.0.0.0 255.0.0.0 172.2.1.2
ip route 172.0.0.0 255.0.0.0 172.2.1.2
IPsec Virtual Tunnel Interface Multicast Configuration Example
The following example shows how to configure multicast over VTI:
hostname router-1
!
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
!
!
ip multicast-routing vrf ivrf
!
crypto engine mode vrf
!
!
!
crypto keyring key1
pre-shared-key address 11.0.0.0 255.0.0.0 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp profile isa_prof
keyring key1
match identity address 11.0.0.0 255.0.0.0
!
crypto ipsec transform-set proposal esp-3des
!
crypto ipsec profile vpnprof
set transform-set proposal
set isakmp-profile isa_prof
!
!
!
interface Tunnel1
ip vrf forwarding ivrf
ip address 20.1.1.1 255.255.255.0
ip mtu 9216
ip hold-time eigrp 1 3600
ip pim sparse-mode
tunnel source 1.0.1.1
tunnel destination 11.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpnprof
crypto engine slot 4/0 inside
!
interface Loopback1
ip address 1.0.1.1 255.255.255.0
!
interface GigabitEthernet1/1
mtu 9216
ip vrf forwarding ivrf
ip address 50.1.1.1 255.0.0.0
ip pim sparse-mode
!
interface GigabitEthernet1/2
mtu 9216
ip address 9.1.1.1 255.255.255.0
crypto engine slot 4/0 outside
!
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
router eigrp 1
!
address-family ipv4 vrf ivrf
autonomous-system 1
network 20.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
no auto-summary
no eigrp log-neighbor-changes
exit-address-family
!
router ospf 1
log-adjacency-changes
network 1.0.0.0 0.255.255.255 area 0
network 9.0.0.0 0.255.255.255 area 0
!
ip pim vrf ivrf rp-address 50.1.1.1
!
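The configuration examples in this chapter use DES or 3DES, MD5, Diffie-Hellman group 2, short pre-shared keys and, in the two multicast examples, an ESP transform set with no integrity transform. The following Python check is an added example, not part of the Cisco guide, that audits an IOS configuration for those settings. The rule names, the MIN_PSK_LEN threshold and the function name are assumptions of this example; the sample lines are copied from the listings above.

```python
import re

# Values this audit treats as weak. DES, 3DES, MD5 and DH groups 1, 2 and 5 are
# deprecated for new IPsec deployments; MIN_PSK_LEN is this example's assumption.
WEAK_IKE_CIPHERS = {"des", "3des"}
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des"}
WEAK_HMACS = {"esp-md5-hmac", "ah-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 20
POLICY_SUBCOMMANDS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}

# Crypto stanzas copied from several examples in this chapter and concatenated.
# Indentation is absent, as in the listings above.
SAMPLE = """\
! VRF Mode Basic Configuration Example
crypto keyring key0
pre-shared-key address 11.0.0.2 key 12345
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
! VRF Mode PE Configuration Example
set pfs group2
! VRF Mode Tunnel Protection Configuration Example
crypto isakmp policy 1
authentication pre-share
crypto isakmp profile prof1
crypto ipsec transform-set TR esp-des esp-md5-hmac
! IP Multicast in VRF Mode Configuration Example
crypto ipsec transform-set proposal esp-3des
"""


def audit(config):
    """Return (line_no, rule, detail) findings for IKE/IPsec settings in an IOS config."""
    findings = []
    policy = None  # the "crypto isakmp policy" stanza currently open, if any

    def close_policy():
        # A policy that omits encr, hash or group inherits the release's defaults.
        nonlocal policy
        if policy is not None:
            missing = [k for k in ("encr", "hash", "group") if k not in policy["seen"]]
            if missing:
                findings.append((policy["line"], "IMPLICIT_DEFAULT", ",".join(missing)))
        policy = None

    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        # Stanza membership is decided by keyword, not by leading whitespace.
        if policy is not None and words[0] in POLICY_SUBCOMMANDS:
            key = "encr" if words[0] == "encryption" else words[0]
            value = words[1] if len(words) > 1 else ""
            policy["seen"].add(key)
            if key == "encr" and value in WEAK_IKE_CIPHERS:
                findings.append((no, "WEAK_IKE_CIPHER", value))
            elif key == "hash" and value == "md5":
                findings.append((no, "WEAK_IKE_HASH", value))
            elif key == "group" and value in WEAK_DH_GROUPS:
                findings.append((no, "WEAK_DH_GROUP", value))
            continue
        close_policy()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            policy = {"line": no, "seen": set()}
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            tokens = words[4:]
            for tok in tokens:
                if tok in WEAK_ESP_CIPHERS:
                    findings.append((no, "WEAK_ESP_CIPHER", tok))
                if tok in WEAK_HMACS:
                    findings.append((no, "WEAK_IPSEC_HMAC", tok))
            encrypts = any(t.startswith("esp-") and not t.endswith("-hmac") for t in tokens)
            integrity = any(t.endswith("-hmac") or t.startswith(("esp-gcm", "esp-gmac"))
                            for t in tokens)
            if encrypts and not integrity:
                findings.append((no, "ESP_WITHOUT_INTEGRITY", " ".join(tokens)))
        elif words[:2] == ["set", "pfs"] and len(words) > 2:
            m = re.fullmatch(r"group(\d+)", words[2])
            if m and m.group(1) in WEAK_DH_GROUPS:
                findings.append((no, "WEAK_DH_GROUP", m.group(1)))
        elif words[0] == "pre-shared-key" and "key" in words[1:-1]:
            rest = words[words.index("key") + 1:]
            # A type-6 (encrypted) key is skipped: its stored form hides the length.
            if rest[0] != "6" or len(rest) == 1:
                secret = rest[-1]
                if len(secret) < MIN_PSK_LEN:
                    findings.append((no, "SHORT_PSK", f"{len(secret)} chars"))
    close_policy()
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in audit(SAMPLE):
        print(f"line {line_no}: {rule} ({detail})")
```

Findings report the key length rather than the key, so the output can be shared without exposing secrets.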
CHAPTER 27
Configuring IPSec VPN Fragmentation and MTU
This chapter provides information about configuring IPSec VPN fragmentation and the maximum
transmission unit (MTU). It includes the following sections:
• Understanding IPSec VPN Fragmentation and MTU
• Configuring IPSec Prefragmentation
• Configuring MTU Settings
For more information about the commands used in this chapter, see the Cisco 7600 Series Cisco IOS
Command Reference, 12.2 SR publication. Also refer to the related Cisco IOS Release 12.2 software
command reference and master index publications. For more information about accessing these
publications, see the “Related Documentation” section on page xlvii.
Understanding IPSec VPN Fragmentation and MTU
This section includes the following topics:
• Overview of Fragmentation and MTU
• IPSec Prefragmentation
• Fragmentation in Different Modes
Overview of Fragmentation and MTU
When a packet is nearly the size of the maximum transmission unit (MTU) of the physical egress port
of the encrypting router, and it is encapsulated with IPSec headers, it probably will exceed the MTU of
the egress port. This condition causes the packet to be fragmented after encryption (post-fragmentation),
which requires the IPSec peer to perform reassembly before decryption, degrading its performance. To
minimize post-fragmentation, you can set the MTU in the upstream data path to ensure that most
fragmentation occurs before encryption (prefragmentation). Prefragmentation for IPSec VPNs avoids
performance degradation by shifting the reassembly task from the receiving IPSec peer to the receiving
end hosts.
Note In this document, prefragmentation refers to fragmentation prior to any type of encapsulation, such as
IPSec or GRE. IPSec prefragmentation refers to fragmentation prior to IPSec encryption.
To ensure prefragmentation in most cases, we recommend the following MTU settings:
• The crypto interface VLAN MTU associated with the IPSec VPN SPA should be set equal to or
less than the egress interface MTU.
• For GRE over IPSec, the IP MTU of the GRE tunnel interface should be set below the egress
interface MTU by at least the overhead of IPSec encryption and the 24-byte GRE+IP header
(20-byte IP header plus 4-byte GRE header). Because options such as tunnel key (RFC 2890) are
not supported, the GRE+IP header will always be 24 bytes.
Note The crypto interface VLAN MTU, the egress interface MTU, and the IP MTU of the GRE tunnel
interface are all Layer 3 parameters.
The following are additional guidelines for IPSec prefragmentation and MTU in crypto-connect mode:
• If a packet’s DF (Don’t Fragment) bit is set and the packet exceeds the MTU at any point in the data
path, the packet will be dropped. To prevent a packet drop, clear the DF bit by using either
policy-based routing (PBR) or the crypto df-bit clear command.
• In Cisco IOS Release 12.2(33)SRA, SRB, and SRC, and earlier releases, the IPSec VPN SPA does
not support path MTU discovery (PMTUD) on GRE tunnels using the tunnel path-mtu-discovery
command. In Cisco IOS Release SXI and later releases, PMTUD is supported on GRE tunnels.
• If GRE encapsulation is not taken over by the IPSec VPN SPA, and if the packets exceed the IP MTU
of the GRE tunnel interface, the route processor will fragment and encapsulate the packets.
Note If the supervisor engine performs GRE encapsulation, the encapsulated packets will have the DF
bit set.
The IPSec and GRE prefragmentation feature differs based on the Cisco IOS release, as described in
Table 27-1.
Table 27-1 IPSec and GRE Prefragmentation based on Cisco IOS Release
Cisco IOS Release | Prefragmentation Feature
12.2(18)SXE | A single prefragmentation process occurs for both IPSec and GRE, based on the smaller of the IP MTU and the egress interface MTU. To prevent fragmentation or packet loss, configure the VLAN MTU as the largest predicted GRE packet size (IP length plus GRE overhead), and the egress interface MTU as the largest predicted GRE/IPSec packet size (IP length plus GRE overhead plus IPSec overhead).
12.2(18)SXF | GRE fragmentation and IPSec fragmentation are separate processes. If GRE encapsulation is performed by the IPSec VPN SPA, prefragmentation of outbound packets will be based on the IP MTU of the tunnel interface. After GRE encapsulation is performed by the IPSec VPN SPA, depending on the IPSec prefragmentation settings, further fragmentation may occur. The IPSec fragmentation behavior is unchanged from Cisco IOS Release 12.2(18)SXE, and is based on the IPSec MTU configuration of the egress interface.
12.2SRA | Path MTU discovery (PMTUD) is supported in crypto-connect mode.
27-3
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
OL-5070-30
Chapter 27 Configuring IPSec VPN Fragmentation and MTU
Understanding IPSec VPN Fragmentation and MTU
For general information on fragmentation and MTU issues, see “Resolve IP Fragmentation, MTU, MSS,
and PMTUD Issues with GRE and IPSec” at this URL:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
IPSec Prefragmentation
In the IPSec prefragmentation process (also called Look-Ahead Fragmentation, or LAF), the encrypting
router can predetermine the encapsulated packet size from information available in transform sets, which
are configured as part of the IPSec security association (SA). IPSec prefragmentation avoids reassembly
by the receiving router before decryption and helps improve overall IPSec traffic throughput by shifting
the reassembly task to the end hosts.
A packet will be fragmented before encryption if it is predetermined that the encrypted packet will
exceed the MTU of the output interface.
Fragmentation in Different Modes
The fragmentation process differs depending on the IPSec VPN mode and whether GRE or VTI are used,
as described in the following sections:
• Fragmentation in Crypto-Connect Mode
• Fragmentation of IPSec (Using Crypto Maps) Packets in VRF Mode
• Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
• Fragmentation in VTIs
In the following fragmentation descriptions, we assume that the DF (Don’t Fragment) bit is not set for
packets entering the flowchart. If a packet requires fragmentation and the DF bit is set, the packet will
be dropped.
Fragmentation in Crypto-Connect Mode
The following are the relevant MTU settings for fragmentation of packets in crypto-connect mode:
• The MTU of the interface VLAN.
Prefragmentation of non-GRE traffic by the RP will be based on this MTU.
• The IP MTU of the GRE tunnel.
Prefragmentation of GRE traffic will be based on this MTU.
• The MTU of the physical egress interface.
Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
• If any packets to be sent to the IPSec VPN SPA exceed the MTU of the interface VLAN, the RP will
perform prefragmentation before sending the packets to the IPSec VPN SPA.
• If packets to be GRE encapsulated exceed the IP MTU of the GRE tunnel:
– The RP will perform prefragmentation when the tunnel is not taken over by the IPSec VPN SPA.
– The IPSec VPN SPA will perform prefragmentation when the tunnel is taken over by the IPSec
VPN SPA.
• If packets to be encrypted will exceed the MTU of the physical egress interface:
– If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of the
packets. The IPSec VPN SPA will not perform post-fragmentation.
– If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of
the encrypted packets. The IPSec VPN SPA will not perform prefragmentation.
• If unencrypted egress packets will exceed the MTU of the physical egress interface, the IPSec VPN
SPA will perform fragmentation of the packets.
Figure 27-1 shows the fragmentation process for packets in crypto-connect mode.
Figure 27-1 Fragmentation of Packets in Crypto-Connect Mode
[Flowchart not reproduced. Legend: PS = layer 3 packet size; iv_MTU = interface VLAN MTU; t_MTU = tunnel IP MTU; e_MTU = egress physical interface MTU. *DF=1 on PFC-encapsulated packets is 3B/3BXL behavior.]
Fragmentation of IPSec (Using Crypto Maps) Packets in VRF Mode
The following are the relevant MTU settings for fragmentation of IPSec traffic in VRF mode:
• The MTU of the interface VLAN.
Prefragmentation by the RP will be based on this MTU.
• The MTU of the physical egress interface.
Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
• If packets exceed the MTU of the interface VLAN, the RP will perform prefragmentation.
• If encrypted egress packets will exceed the lowest MTU of any physical egress interface on the
FVRF:
– If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of the
packets. The IPSec VPN SPA will not perform post-fragmentation.
– If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of
the encrypted packets. The IPSec VPN SPA will not perform prefragmentation.
The fragmentation process for IPSec packets in VRF mode is shown in Figure 27-2.
Figure 27-2 Fragmentation of IPSec Packets in VRF Mode
[Flowchart not reproduced. Legend: PS = layer 3 packet size; iv_MTU = interface VLAN MTU; e_MTU = egress physical interface MTU.]
Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
The following are the relevant MTU settings for fragmentation of GRE traffic with tunnel protection in
VRF mode:
• The IP MTU of the GRE tunnel.
Prefragmentation will be based on this MTU.
• The lowest MTU of any physical egress interface on the FVRF.
Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
• If packets to be encapsulated exceed the IP MTU of the GRE tunnel:
– The RP will perform prefragmentation when the tunnel is not taken over by the IPSec VPN SPA.
– The IPSec VPN SPA will perform prefragmentation when the tunnel is taken over by the IPSec
VPN SPA.
• If encrypted GRE-encapsulated packets will exceed the lowest MTU of any physical egress interface
on the FVRF:
– If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of the
GRE-encapsulated packets. The IPSec VPN SPA will not perform post-fragmentation.
– If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of
the encrypted GRE-encapsulated packets. The IPSec VPN SPA will not perform
prefragmentation.
The fragmentation process for GRE packets with tunnel protection in VRF mode is shown in
Figure 27-3.
Figure 27-3 Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
[Flowchart not reproduced. Legend: PS = layer 3 packet size; t_MTU = tunnel IP MTU; e_MTU = egress physical interface MTU. *DF=1 on PFC-encapsulated packets is 3B/3BXL behavior.]
Fragmentation in VTIs
The following are the relevant MTU settings for fragmentation of VTI packets:
• The IP MTU of the VTI tunnel interface.
Prefragmentation will be based on this MTU.
Note We recommend that the IP MTU of the VTI tunnel interface be left at its default value. If you
change it, be sure that it does not exceed the MTU of the physical egress interface minus the
IPSec overhead.
• The MTU of the physical egress interface.
Post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
• If IPSec prefragmentation is enabled, the IPSec VPN SPA will perform prefragmentation of packets
that exceed the IP MTU of the VTI tunnel interface. The IPSec VPN SPA will not perform
post-fragmentation.
Note The RP will perform post-fragmentation of packets that exceed the MTU of the egress interface.
This is considered a misconfiguration.
• If IPSec prefragmentation is disabled, the IPSec VPN SPA will perform post-fragmentation of
packets that exceed the MTU of the egress interface. The IPSec VPN SPA will not perform
prefragmentation.
The fragmentation process for VTI packets is shown in Figure 27-4.
Figure 27-4 Fragmentation of VTI Packets
[Flowchart not reproduced. Legend: PS = layer 3 packet size; vti_MTU = VTI tunnel interface IP MTU; e_MTU = egress physical interface MTU.]
Configuring IPSec Prefragmentation
IPSec prefragmentation can be configured globally or at the interface level. By default, IPSec
prefragmentation is enabled globally. Enabling or disabling IPSec prefragmentation at the interface will
override the global configuration.
IPSec Prefragmentation Configuration Guidelines
When configuring IPSec prefragmentation, follow these guidelines:
• To configure IPSec prefragmentation at the interface level, apply it on the interface to which the
crypto map is applied.
• If an IPSec peer is experiencing high CPU utilization with large packet flows, verify that IPSec
prefragmentation is enabled (the peer may be reassembling large packets).
• IPSec prefragmentation for IPSec VPNs operates in IPSec tunnel mode. It does not apply in IPSec
transport mode.
• The functionality of IPSec prefragmentation for IPSec VPNs depends on the crypto ipsec df-bit
configuration of the interface to which the crypto map is applied, and on the state of the “do
not fragment” (DF) bit in the incoming packet. For general information about prefragmentation,
see the following URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprefrg.html
• The GRE fragmentation behavior differs according to the software release as follows:
– In Cisco IOS Release 12.2(18)SXE, the GRE fragmentation behavior of the IPSec VPN SPA is
determined by the lower of the IP MTU of the GRE interface and the Layer 2 MTU of the egress
interface. In order to prevent fragmentation or packet loss, the VLAN MTU should be
configured as the largest predicted GRE packet size (IP length plus GRE overhead), and the
egress interface MTU should be configured as the largest predicted GRE/IPSec packet size (IP
length plus GRE overhead plus IPSec overhead).
– In Cisco IOS Releases 12.2(18)SXF and 12(33)SRA and later releases, GRE fragmentation and
IPSec fragmentation are separate processes. If GRE encapsulation is performed by the IPSec
VPN SPA, prefragmentation of outbound packets will be based on the IP MTU of the tunnel
interface. After GRE encapsulation is performed by the IPSec VPN SPA, depending on the
IPSec LAF (look ahead fragmentation) settings, further fragmentation may occur. The IPSec
fragmentation behavior is unchanged from Cisco IOS Release 12.2(18)SXE, and is based on the
IPSec MTU configuration of the egress interface.
• GRE+IP encapsulation adds 24 bytes to the packet size. When configuring for prefragmentation
based on anticipated GRE overhead, use this value.
• IPSec encryption adds a number of bytes to the packet size depending on the configured IPSec
transform set. When configuring for prefragmentation based on anticipated IPSec overhead, use the
following table of worst-case IPSec overhead bytes for various IPSec transform sets:
| IPSec Transform Set | IPSec Overhead, Maximum Bytes |
|---|---|
| esp-aes-(256 or 192 or 128) esp-sha-hmac or md5 | 73 |
| esp-aes (256 or 192 or 128) | 61 |
| esp-3des, esp-des | 45 |
| esp-(des or 3des) esp-sha-hmac or md5 | 57 |
| esp-null esp-sha-hmac or md5 | 45 |
| ah-sha-hmac or md5 | 44 |
Configuring IPSec Prefragmentation Globally
IPSec prefragmentation is globally enabled by default. To enable or disable prefragmentation for IPSec
VPNs at the global level, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto ipsec fragmentation before-encryption
Purpose: Enables prefragmentation for IPSec VPNs globally.
Step 2
Command: Router(config)# crypto ipsec fragmentation after-encryption
Purpose: Disables prefragmentation for IPSec VPNs globally.
Configuring IPSec Prefragmentation at the Interface
IPSec prefragmentation is globally enabled by default. To enable or disable prefragmentation for IPSec
VPNs at the interface level, perform this task beginning in interface configuration mode for the interface
to which the crypto map is attached:
Step 1
Command: Router(config-if)# crypto ipsec fragmentation before-encryption
Purpose: Enables prefragmentation for IPSec VPNs on the interface.
Step 2
Command: Router(config-if)# crypto ipsec fragmentation after-encryption
Purpose: Disables prefragmentation for IPSec VPNs on the interface.
Note Enabling or disabling IPSec prefragmentation at the interface will override the global configuration.
Verifying the IPSec Prefragmentation Configuration
To verify that IPSec prefragmentation is enabled, consult the interface statistics on the encrypting router
and the decrypting router. If fragmentation occurs on the encrypting router, and no reassembly occurs
on the decrypting router, fragmentation is occurring before encryption, which means that the packets are
not being reassembled before decryption and the feature is enabled.
To verify that the IPSec prefragmentation feature is enabled, enter the show running-configuration
command on the encrypting router. If the feature is enabled, no fragmentation feature will appear in the
command output:
Router# show running-configuration
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abcd123 address 25.0.0.7
crypto ipsec transform-set fooprime esp-3des esp-sha-hmac
!!! the postfragmentation feature appears here if IPSec prefragmentation is disabled
crypto map bar 10 ipsec-isakmp
set peer 25.0.0.7
set transform-set fooprime
match address 102
If IPSec prefragmentation has been disabled, the postfragmentation feature will appear in the command
output:
Router# show running-configuration
crypto isakmp policy 10
authentication pre-share
crypto isakmp key abcd123 address 25.0.0.7
crypto ipsec transform-set fooprime esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption
crypto map bar 10 ipsec-isakmp
set peer 25.0.0.7
set transform-set fooprime
match address 102
To display the configuration of the encrypting router interface VLAN, enter the show
running-configuration interface command. If the IPSec prefragmentation feature is enabled, a
prefragmentation statement will appear in the command output:
Router# show running-configuration interface vlan2
interface Vlan2
ip address 15.0.0.2 255.255.255.0
crypto map testtag
crypto engine slot 1/0
crypto ipsec fragmentation before-encryption
If the IPSec prefragmentation feature has been disabled at the interface VLAN, a postfragmentation
statement will appear in the command output:
Router# show running-configuration interface vlan2
interface Vlan2
ip address 15.0.0.2 255.255.255.0
crypto map testtag
crypto engine slot 1/0
crypto ipsec fragmentation after-encryption
end
Configuring MTU Settings
The Cisco IOS software allows the configuration of the Layer 3 maximum transmission unit (MTU) of
interfaces and VLANs. You should ensure that all MTU values are consistent to avoid unnecessary
fragmentation of packets.
Note When configuring MTU, note that the ip mtu command applies only to IP protocol traffic. Other Layer 3
protocol traffic will observe the MTU configured by the mtu command.
MTU Settings Configuration Guidelines and Restrictions
When configuring MTU settings for an IPSec VPN SPA, follow these guidelines and note these
restrictions:
• The MTU value used by the IPSec VPN SPA for fragmentation decisions is based on the MTU value
of the secure port as follows:
– Routed ports—Use the MTU value of their associated secure port.
– Access ports—Use the MTU value of the secure port associated with their interface VLAN.
– Trunk ports—Use the MTU value of the secure port associated with their interface VLAN.
• If you have GRE tunneling configured, see the “IPSec Prefragmentation” section on page 27-3 for
information on the recommended MTU settings.
Note For additional information on fragmentation of packets, see the “Configuring IPSec Prefragmentation”
section on page 27-9.
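The MTU recommendations in this chapter and the rule that an interface-level prefragmentation setting overrides the global one can both be checked mechanically against a saved running configuration. The following Python audit is an added example, not part of Cisco's guide: the function names and the sample configuration are constructed for illustration, and it assumes that interface sub-commands are indented by one space, as IOS prints them.

```python
import re

GRE_IP_OVERHEAD = 24  # 20-byte IP header + 4-byte GRE header, per the guide
ESP_AUTH = {"esp-sha-hmac", "esp-md5-hmac"}
AH_AUTH = {"ah-sha-hmac", "ah-md5-hmac"}
ESP_ENC = {"esp-aes", "esp-3des", "esp-des", "esp-null"}

def ipsec_overhead(transforms):
    """Worst-case IPSec overhead (bytes) from the guide's table, else None."""
    t = {x for x in transforms if not x.isdigit()}  # drop AES key sizes
    if t - (ESP_AUTH | AH_AUTH | ESP_ENC):
        return None                                 # unknown transform keyword
    auth, ah, enc = bool(t & ESP_AUTH), bool(t & AH_AUTH), t & ESP_ENC
    if ah:                                          # table lists AH on its own only
        return 44 if not (enc or auth) else None
    if enc == {"esp-aes"}:
        return 73 if auth else 61
    if enc in ({"esp-3des"}, {"esp-des"}):
        return 57 if auth else 45
    return 45 if enc == {"esp-null"} and auth else None

def parse_config(text):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":                          # top-level command
            m = re.match(r"interface (\S+)", line)
            current = interfaces.setdefault(m.group(1), []) if m else None
            if m is None:
                global_lines.append(line.strip())
        elif current is not None:                   # sub-command of an interface
            current.append(line.strip())
    return global_lines, interfaces

def mtu_of(cmds, keyword="mtu", default=1500):
    """Value of an 'mtu N' or 'ip mtu N' sub-command, else the default."""
    for c in cmds:
        m = re.fullmatch(rf"{keyword} (\d+)", c)
        if m:
            return int(m.group(1))
    return default

def prefrag_enabled(global_lines, if_cmds):
    """Prefragmentation is on by default; an interface setting overrides global."""
    state = True
    for cmds in (global_lines, if_cmds):
        for c in cmds:
            m = re.fullmatch(r"crypto ipsec fragmentation (before|after)-encryption", c)
            if m:
                state = m.group(1) == "before"
    return state

def audit(text, egress, vlan, tunnel):
    """Return (check, detail) findings for the named egress/VLAN/tunnel interfaces."""
    global_lines, ifs = parse_config(text)
    findings = []
    e_mtu, iv_mtu = mtu_of(ifs[egress]), mtu_of(ifs[vlan])
    if iv_mtu > e_mtu:
        findings.append(("vlan-mtu", f"{vlan} MTU {iv_mtu} > egress MTU {e_mtu}"))
    overheads = [ipsec_overhead(l.split()[4:]) for l in global_lines
                 if l.startswith("crypto ipsec transform-set ")]
    t_mtu = mtu_of(ifs[tunnel], "ip mtu", default=None)
    if not overheads or None in overheads:
        findings.append(("overhead-unknown", "transform set missing or not in the table"))
    elif t_mtu is None:
        findings.append(("tunnel-ip-mtu-unset", f"{tunnel}: default depends on the medium"))
    else:
        limit = e_mtu - max(overheads) - GRE_IP_OVERHEAD
        if t_mtu > limit:
            findings.append(("tunnel-ip-mtu", f"{tunnel} ip mtu {t_mtu} > {limit} "
                             f"(egress {e_mtu} - IPSec {max(overheads)} - GRE {GRE_IP_OVERHEAD})"))
    for name, cmds in ifs.items():
        has_map = any(c.startswith("crypto map ") for c in cmds)
        if has_map and not prefrag_enabled(global_lines, cmds):
            findings.append(("postfrag", f"{name}: fragments after encryption; "
                             "the peer must reassemble before decrypting"))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
crypto ipsec transform-set fooprime esp-aes 256 esp-sha-hmac
crypto ipsec fragmentation after-encryption
!
interface GigabitEthernet1/1
 mtu 1500
!
interface Vlan2
 crypto map testtag
 crypto ipsec fragmentation before-encryption
!
interface Tunnel2
 ip mtu 1450
"""
```

For the constructed sample, audit(SAMPLE, "GigabitEthernet1/1", "Vlan2", "Tunnel2") reports only the tunnel: 1450 exceeds 1500 - 73 - 24 = 1403, while Vlan2 still prefragments because its interface setting overrides the global after-encryption line.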
Changing the Physical Egress Interface MTU
You can configure either the Layer 3 MTU or the IP MTU of the physical egress interface. To change
the MTU value on a physical egress interface, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# interface type slot/port
Purpose: Enters interface configuration mode for the interface.
• type = fastethernet, gigabitethernet, or tengigabitethernet
Step 2
Command: Router(config-if)# mtu bytes
Purpose: Configures the maximum transmission unit (MTU) size for the interface.
• bytes—The range is 1500 to 9216; the default is 1500.
Changing the Tunnel Interface MTU
You can configure the IP MTU of the tunnel interface, but you cannot configure the Layer 3 MTU. To
change the IP MTU value on a tunnel, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# interface tunnel_name
Purpose: Enters interface configuration mode for the tunnel.
Step 2
Command: Router(config-if)# ip mtu bytes
Purpose: Configures the IP MTU size for the tunnel.
• bytes—The minimum is 68; the maximum and the default depend on the interface medium.
Changing the Interface VLAN MTU
You can configure the Layer 3 MTU of the interface VLAN. To change the MTU value on an interface
VLAN, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# interface vlan_ID
Purpose: Enters interface configuration mode for the VLAN.
Step 2
Command: Router(config-if)# mtu bytes
Purpose: Configures the MTU size for the interface VLAN.
• bytes—The range is 64 to 9216; the default is 1500.
Verifying the MTU Size
To verify the MTU size for an interface, enter the show interface command or the show ip interface
command, as shown in the following examples:
To display the MTU value for a secure port, enter the show interface command:
Router# show interface g1/1
GigabitEthernet1/1 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 000a.8ad8.1c4a (bia 000a.8ad8.1c4a)
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
...
To display the MTU size for an interface VLAN, enter the show interface command.
Router# show interface vlan2
Vlan2 is up, line protocol is up
Hardware is EtherSVI, address is 000e.39ad.e700 (bia 000e.39ad.e700)
Internet address is 192.168.1.1/16
MTU 1000 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
...
To display the IP MTU value for a GRE tunnel, enter the show ip interface command:
Router# show ip interface tunnel 2
Tunnel2 is up, line protocol is up
Internet address is 11.1.0.2/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1450 bytes
...
Chapter 28 Configuring IKE Features Using the IPSec VPN SPA
This chapter provides information about configuring Internet Key Exchange (IKE) related features using
the IPSec VPN SPA on the Cisco 7600 series router. It includes the following sections:
• Overview of IKE
• Configuring Advanced Encryption Standard in an IKE Policy Map
• Configuring ISAKMP Keyrings
• Configuring Certificate to ISAKMP Profile Mapping
• Configuring an Encrypted Preshared Key
• Configuring Call Admission Control for IKE
• Configuring Dead Peer Detection
• Understanding IPSec NAT Transparency
• Configuration Examples
Note For detailed information on Internet Key Exchange (IKE), refer to the following Cisco IOS
documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Overview of IKE
Internet Key Exchange (IKE) is a key management protocol standard that is used in conjunction with the
IPSec standard. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional
features, flexibility, and ease of configuration for the IPSec standard.
Note For more detailed information on IKE, refer to the Cisco IOS Security Configuration Guide.
IKE automatically negotiates IPSec security associations (SAs) and enables IPSec secure
communications without costly manual preconfiguration. Specifically, IKE provides the following
benefits:
• Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both
peers.
Note Beginning in Cisco IOS Release 12.2SRA, manual keying is no longer supported.
• Allows you to specify a lifetime for the IPSec security association (SA).
• Allows encryption keys to change during IPSec sessions.
• Allows IPSec to provide anti-replay services.
• Permits certification authority (CA) support for a manageable, scalable IPSec implementation.
• Allows dynamic authentication of peers.
Because IKE negotiations must be protected, each IKE negotiation begins by agreement of both peers
on a common (shared) IKE policy. This policy states which security parameters will be used to protect
subsequent IKE negotiations and mandates how the peers are authenticated. You must create an IKE
policy at each peer participating in the IKE negotiation.
If you do not configure any IKE policies, your router will use the default policy, which is always set to
the lowest priority and contains the default value of each parameter.
After the two peers agree upon a policy, the security parameters of the policy are identified by an SA
established at each peer, and these SAs apply to all subsequent IKE traffic during the negotiation.
You can configure multiple, prioritized policies on each peer, each with a different combination of
parameter values. However, at least one of these policies must contain exactly the same encryption, hash,
authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. For each
policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).
Configuring Advanced Encryption Standard in an IKE Policy Map
The Advanced Encryption Standard (AES) is a privacy transform for IPSec and Internet Key Exchange
(IKE) that has been developed to replace the Data Encryption Standard (DES). AES is designed to be
more secure than DES. AES offers a larger key size, while ensuring that the only known approach to
decrypt a message is for an intruder to try every possible key. AES has a variable key length. The
algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.
To configure the AES encryption algorithm within an IKE policy map, perform this task beginning in
global configuration mode:
Step 1
Command: Router(config)# crypto isakmp policy priority
Purpose: Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
• priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and 10000 the lowest.
Step 2
Command: Router(config-isakmp)# encryption {aes | aes 192 | aes 256}
Purpose: Specifies the encryption algorithm within an IKE policy.
• aes—Specifies 128-bit AES as the encryption algorithm.
• aes 192—Specifies 192-bit AES as the encryption algorithm.
• aes 256—Specifies 256-bit AES as the encryption algorithm.
Step 3
Command: ...
Router(config-isakmp)# exit
Purpose: Specifies any other policy values appropriate to your configuration, and then exits ISAKMP
policy configuration mode. For details on configuring an ISAKMP policy, see the Cisco IOS Security
Configuration Guide.
Verifying the AES IKE Policy
To verify the configuration of the AES IKE policy, enter the show crypto isakmp policy command:
Router# show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
For an AES configuration example, see the “Advanced Encryption Standard Configuration Example”
section on page 28-22.
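The exact-match rule for IKE policies described in the overview can be checked offline from show crypto isakmp policy output collected on both peers. This Python example is added here and is not from Cisco's guide: the function names are hypothetical, the remote peer's output is constructed, and every suite the command lists, including the default suite, is treated as a candidate for matching.

```python
import re

# The four values that must be identical on both peers, per the overview.
MATCH_FIELDS = ("encryption", "hash", "authentication", "dh_group")

def parse_policies(output):
    """Parse 'show crypto isakmp policy' output into a list of suite dicts.
    The default protection suite gets priority None."""
    suites, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Protection suite of priority (\d+)", line)
        if m or line == "Default protection suite":
            cur = {"priority": int(m.group(1)) if m else None}
            suites.append(cur)
            continue
        if cur is None or ":" not in line:
            continue                      # prompt line or unrelated text
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "encryption algorithm":
            bits = re.search(r"\((\d+) bit keys\)", value)
            cur["encryption"] = (value.split(" - ")[0],
                                 int(bits.group(1)) if bits else None)
        elif key == "hash algorithm":
            cur["hash"] = value
        elif key == "authentication method":
            cur["authentication"] = value
        elif key == "Diffie-Hellman group":
            cur["dh_group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            cur["lifetime"] = int(value.split()[0])
    return suites

def match_key(suite):
    return tuple(suite.get(f) for f in MATCH_FIELDS)

def common_suites(local, remote):
    """Local suites, highest priority first (default last), whose four
    match fields all equal those of some remote suite."""
    remote_keys = {match_key(s) for s in remote}
    ordered = sorted(local, key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return [s for s in ordered if match_key(s) in remote_keys]

def review(local_output, remote_output):
    common = common_suites(parse_policies(local_output), parse_policies(remote_output))
    return {
        "common_priorities": [s["priority"] for s in common],  # None = default suite
        "des_only": bool(common) and all(s["encryption"][0] == "DES" for s in common),
    }

# Output shown in this section of the guide.
LOCAL_OUTPUT = """\
Router# show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

# Constructed remote-peer output: same policy except a 128-bit AES key.
REMOTE_OUTPUT = LOCAL_OUTPUT.replace("priority 1", "priority 10").replace(
    "(256 bit keys)", "(128 bit keys)")
```

With the constructed remote output, the AES key lengths differ (256 versus 128 bits), so review(LOCAL_OUTPUT, REMOTE_OUTPUT) finds only the default DES suite in common.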
Configuring ISAKMP Keyrings
A crypto keyring is a collection of preshared and RSA public keys. You can configure a keyring and then
associate it with the Internet Security Association and Key Management Protocol (ISAKMP) profile.
The crypto ISAKMP profile may contain zero, one, or more than one keyring.
The ISAKMP keyrings feature (also known as the SafeNet IPSec VPN Client Support feature) allows
you to use the local-address command to limit the scope of an ISAKMP profile or ISAKMP keyring
configuration to a local termination address or interface. The benefit of this feature is that different
customers can use the same peer identities and ISAKMP keys by using different local termination
addresses.
ISAKMP Keyrings Configuration Guidelines and Restrictions
When configuring ISAKMP keyrings, follow these guidelines and restrictions:
• The local address option works only for the primary address of an interface.
• If an IP address is provided, the administrator must ensure that the connection of the peer terminates
to the address that is provided.
• If the IP address does not exist on the device, or if the interface does not have an IP address, the
ISAKMP profile or ISAKMP keyring will be effectively disabled.
Limiting an ISAKMP Profile to a Local Termination Address or Interface
To configure an ISAKMP profile and limit it to a local termination address or interface, perform this task
beginning in global configuration mode:
Step 1
Command: Router(config)# crypto isakmp profile profile-name
Purpose: Defines an ISAKMP profile and enters ISAKMP profile configuration mode.
• profile-name—Name of the ISAKMP profile.
Step 2
Command: Router(conf-isa-profile)# keyring keyring-name
Purpose: (Optional) Configures a keyring with an ISAKMP profile.
• keyring-name—Name of the crypto keyring.
Note A keyring is not needed inside an ISAKMP profile for local termination to work. Local
termination works even if Rivest, Shamir, and Adleman (RSA) certificates are used.
Step 3
Command: Router(conf-isa-profile)# match identity address address
Purpose: Matches an identity from a peer in an ISAKMP profile.
• address—IP address of the remote peer.
Step 4
Command: Router(conf-isa-profile)# local-address {interface-name | ip-address [vrf-tag]}
Purpose: Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local
termination address or interface.
• interface-name—Name of the local interface.
• ip-address—Local termination address.
• vrf-tag—(Optional) Scope of the IP address will be limited to the VRF.
Limiting a Keyring to a Local Termination Address or Interface
To configure an ISAKMP keyring and limit its scope to a local termination address or interface, perform
this task beginning in global configuration mode:
Step 1
Command: Router(config)# keyring keyring-name
Purpose: Defines a crypto keyring to be used during IKE authentication and enters keyring
configuration mode.
• keyring-name—Name of the crypto keyring.
Step 2
Command: Router(conf-keyring)# local-address {interface-name | ip-address [vrf-tag]}
Purpose: Limits the scope of an ISAKMP profile or an ISAKMP keyring configuration to a local
termination address or interface.
• interface-name—Name of the local interface.
• ip-address—Local termination address.
• vrf-tag—(Optional) Scope of the IP address will be limited to the VRF.
Step 3
Command: Router(conf-keyring)# pre-shared-key address address
Purpose: Defines a preshared key to be used for IKE authentication.
• address—IP address.
For complete configuration information for SafeNet IPSec VPN Client Support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_scse.html
For ISAKMP keyrings configuration examples, see the “ISAKMP Keyrings Configuration Examples”
section on page 28-22.
Configuring Certificate to ISAKMP Profile Mapping
The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security
Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of
arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those
peers that are assigned an ISAKMP profile.
Note Certificate to ISAKMP Profile Mapping is only supported as of Cisco IOS Release 12.2(33)SRA.
Certificate to ISAKMP Profile Mapping Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring Certificate to ISAKMP Profile Mapping:
• This feature will not be applicable if you use Rivest, Shamir, and Adleman (RSA)-signature or
RSA-encryption authentication without certificate exchange. ISAKMP peers must be configured to
do RSA-signature or RSA-encryption authentication using certificates.
Mapping the Certificate to the ISAKMP Profile
To map the certificate to the ISAKMP profile, perform the following task beginning in global
configuration mode:
Step 1
Command: Router(config)# crypto isakmp profile profile-name
Purpose: Defines an ISAKMP profile and enters ISAKMP profile configuration mode.
• profile-name—Name of the user profile.
Step 2
Command: Router(config-isa-prof)# match certificate certificate-map
Purpose: Accepts the name of a certificate map.
• certificate-map—Name of the certificate map.
Verifying the Certificate to ISAKMP Profile Mapping Configuration
To verify that the subject name of the certificate map has been properly configured, enter the show
crypto pki certificates and the debug crypto isakmp commands.
The show crypto pki certificates command displays all current IKE security associations (SAs) at a
peer. The debug crypto isakmp command displays messages about IKE events.
The following examples show that a certificate has been mapped to an ISAKMP profile. The examples
include the configurations for the responder and initiator, the show crypto pki certificates command
output verifying that the subject name of the certificate map has been configured, and the debug crypto
isakmp command output showing that the certificate has gone through certificate map matching and
been matched to the ISAKMP profile.
Responder Configuration
crypto pki certificate map cert_map 10
! The above line is the certificate map definition.
subject-name co ou = green
! The above line shows that the subject name must have "ou = green."
!
crypto isakmp profile certpro
! The above line shows that this is the ISAKMP profile that will match if the certificate
! of the peer matches cert_map (shown on third line below).
ca trust-point 2315
ca trust-point LaBcA
match certificate cert_map
Initiator Configuration
crypto ca trustpoint LaBcA
enrollment url http://10.76.82.20:80/cgi-bin/openscep
subject-name ou=green,c=IN
! The above line ensures that the subject name "ou = green" is set.
revocation-check none
Command Output for show crypto pki certificates for the Initiator
Router# show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 21
Certificate Usage: General Purpose
Issuer:
cn=blue-lab CA
o=CISCO
c=IN
Subject:
Name: Router.cisco.com
c=IN
ou=green
! The above line is a double check that "ou = green" has been set as the subject name.
hostname=Router.cisco.com
Validity Date:
start date: 14:34:30 UTC Mar 31 2004
end date: 14:34:30 UTC Apr 1 2009
renew date: 00:00:00 UTC Jan 1 1970
Associated Trustpoints: LaBcA
Command Output for debug crypto isakmp for the Responder
Router# debug crypto isakmp
*Nov 6 19:31:25.010: ISAKMP:(0): SA request profile is prof2
*Nov 6 19:31:25.010: ISAKMP: Found a peer struct for 14.0.0.2, peer port 500
*Nov 6 19:31:25.010: ISAKMP: Locking peer struct 0x13884FB8, refcount 349 for
isakmp_initiator
*Nov 6 19:31:25.010: ISAKMP[I]: sa->swdb: Vlan3
*Nov 6 19:31:25.010: ISAKMP: local port 500, remote port 500
*Nov 6 19:31:25.010: ISAKMP: set new node 0 to QM_IDLE
*Nov 6 19:31:25.010: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa
= 13C041E8
*Nov 6 19:31:25.010: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 6 19:31:25.010: ISAKMP:(0):Profile has no keyring, aborting key search
*Nov 6 19:31:25.010: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 6 19:31:25.010: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 6 19:31:25.010: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 6 19:31:25.010: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 6 19:31:25.010: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 6 19:31:25.010: ISAKMP:(0): beginning Main Mode exchange
*Nov 6 19:31:25.010: ISAKMP:(0): sending packet to 14.0.0.2 my_port 500 peer_port 500 (I)
MM_NO_STATE
*Nov 6 19:31:25.018: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf
(N) NEW SA
*Nov 6 19:31:25.018: ISAKMP: Found a peer struct for 14.0.0.2, peer port 500
*Nov 6 19:31:25.018: ISAKMP: Locking peer struct 0x13884FB8, refcount 350 for
crypto_isakmp_process_block
*Nov 6 19:31:25.018: ISAKMP[R]: sa->swdb: Vlan2
*Nov 6 19:31:25.018: ISAKMP: local port 500, remote port 500
*Nov 6 19:31:25.018: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa
= 148C68D8
*Nov 6 19:31:25.018: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.018: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Nov 6 19:31:25.018: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 6 19:31:25.018: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.018: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.018: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID is NAT-T v3
*Nov 6 19:31:25.018: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 6 19:31:25.018: ISAKMP:(0): vendor ID is NAT-T v2
*Nov 6 19:31:25.038: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 6 19:31:25.038: ISAKMP: encryption 3DES-CBC
*Nov 6 19:31:25.038: ISAKMP: hash MD5
*Nov 6 19:31:25.038: ISAKMP: default group 1
*Nov 6 19:31:25.038: ISAKMP: auth RSA sig
*Nov 6 19:31:25.038: ISAKMP: life type in seconds
*Nov 6 19:31:25.038: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 6 19:31:25.042: ISAKMP:(0):atts are acceptable. Next payload is 3
*Nov 6 19:31:25.042: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.042: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.042: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID is NAT-T v3
*Nov 6 19:31:25.042: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Nov 6 19:31:25.042: ISAKMP:(0): vendor ID is NAT-T v2
*Nov 6 19:31:25.042: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.042: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Nov 6 19:31:25.046: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 6 19:31:25.046: ISAKMP:(0): sending packet to 14.0.0.2 my_port 500 peer_port 500 (R)
MM_SA_SETUP
*Nov 6 19:31:25.046: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.046: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Nov 6 19:31:25.046: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf
(I) MM_NO_STATE
*Nov 6 19:31:25.046: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.046: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Nov 6 19:31:25.046: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 6 19:31:25.046: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.046: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.046: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.046: ISAKMP : Looking for xauth in profile prof2
*Nov 6 19:31:25.046: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 6 19:31:25.046: ISAKMP: encryption 3DES-CBC
*Nov 6 19:31:25.046: ISAKMP: hash MD5
*Nov 6 19:31:25.046: ISAKMP: default group 1
*Nov 6 19:31:25.046: ISAKMP: auth RSA sig
*Nov 6 19:31:25.050: ISAKMP: life type in seconds
*Nov 6 19:31:25.050: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 6 19:31:25.050: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 6 19:31:25.050: ISAKMP:(0): processing vendor id payload
*Nov 6 19:31:25.050: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Nov 6 19:31:25.050: ISAKMP (0): vendor ID is NAT-T v7
*Nov 6 19:31:25.050: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.050: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Nov 6 19:31:25.050: ISAKMP (0): constructing CERT_REQ for issuer
cn=mscavpn1,ou=isbu,o=cisco
*Nov 6 19:31:25.054: ISAKMP:(0): sending packet to 14.0.0.2 my_port 500 peer_port 500 (I)
MM_SA_SETUP
*Nov 6 19:31:25.054: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.054: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Nov 6 19:31:25.058: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf
(R) MM_SA_SETUP
*Nov 6 19:31:25.062: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.062: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Nov 6 19:31:25.062: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 6 19:31:25.062: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 6 19:31:25.062: ISAKMP:(83727): processing CERT_REQ payload. message ID = 0
*Nov 6 19:31:25.062: ISAKMP:(83727): peer wants a CT_X509_SIGNATURE cert
*Nov 6 19:31:25.066: ISAKMP:(83727): peer want cert issued by cn=mscavpn1,ou=isbu,o=cisco
*Nov 6 19:31:25.066: ISAKMP:(83727): Choosing trustpoint MSCA as issuer
*Nov 6 19:31:25.066: ISAKMP:(83727): processing vendor id payload
*Nov 6 19:31:25.066: ISAKMP:(83727): vendor ID is DPD
*Nov 6 19:31:25.066: ISAKMP:(83727): processing vendor id payload
*Nov 6 19:31:25.066: ISAKMP:(83727): speaking to another IOS box!
*Nov 6 19:31:25.066: ISAKMP:(83727): processing vendor id payload
*Nov 6 19:31:25.066: ISAKMP:(83727): vendor ID seems Unity/DPD but major 230 mismatch
*Nov 6 19:31:25.066: ISAKMP:(83727): vendor ID is XAUTH
*Nov 6 19:31:25.066: ISAKMP (83727): His hash no match - this node outside NAT
*Nov 6 19:31:25.066: ISAKMP (83727): No NAT Found for self or peer
*Nov 6 19:31:25.066: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.066: ISAKMP:(83727):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Nov 6 19:31:25.066: ISAKMP (83727): constructing CERT_REQ for issuer
cn=mscavpn1,ou=isbu,o=cisco
*Nov 6 19:31:25.066: ISAKMP:(83727): sending packet to 14.0.0.2 my_port 500 peer_port 500
(R) MM_KEY_EXCH
*Nov 6 19:31:25.070: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.070: ISAKMP:(83727):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Nov 6 19:31:25.070: ISAKMP (0): received packet from 14.0.0.2 dport 500 sport 500 fvrf
(I) MM_SA_SETUP
*Nov 6 19:31:25.070: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.070: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Nov 6 19:31:25.070: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 6 19:31:25.074: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 6 19:31:25.098: ISKAMP: growing send buffer from 1024 to 3072
*Nov 6 19:31:25.118: ISAKMP (83727): received packet from 14.0.0.2 dport 500 sport 500
fvrf (R) MM_KEY_EXCH
*Nov 6 19:31:25.122: ISAKMP:(83727):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 6 19:31:25.122: ISAKMP:(83727):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Nov 6 19:31:25.122: ISAKMP:(83727): processing ID payload. message ID = 0
*Nov 6 19:31:25.122: ISAKMP (83727): ID payload
next-payload : 6
type : 3
USER FQDN : a@vrf2.com
protocol : 17
port : 500
length : 18
*Nov 6 19:31:25.134: ISAKMP:(83727):: peer matches prof2 profile
*Nov 6 19:31:25.134: ISAKMP:(83727): processing CERT payload. message ID = 0
*Nov 6 19:31:25.134: ISAKMP:(83727): processing a CT_X509_SIGNATURE cert
*Nov 6 19:31:25.142: ISAKMP:(83727): peer's pubkey isn't cached
*Nov 6 19:31:25.158: %CRYPTO-6-IKMP_NO_ID_CERT_USER_FQDN_MATCH: ID of a@vrf2.com (type 3)
and certificate user fqdn with empty
*Nov 6 19:31:25.158: ISAKMP (83727): adding peer's pubkey to cache
*Nov 6 19:31:25.158: ISAKMP:(83727): processing SIG payload. message ID = 0
*Nov 6 19:31:25.162: ISAKMP:(83727):SA authentication status:
authenticated
*Nov 6 19:31:25.162: ISAKMP:(83727):SA has been authenticated with 14.0.0.2
*Nov 6 19:31:25.162: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 6 19:31:25.162: ISAKMP:(83727):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Nov 6 19:31:25.170: ISAKMP:(83727):SA is doing RSA signature authentication using id
type ID_USER_FQDN
*Nov 6 19:31:25.170: ISAKMP (83727): ID payload
next-payload : 6
type : 3
USER FQDN : a@vrf2.com
protocol : 17
port : 500
length : 18
*Nov 6 19:31:25.170: ISAKMP:(83727):Total payload length: 18
*Nov 6 19:31:25.182: ISAKMP (83727): constructing CERT payload for
cn=HUB,ou=isbu,o=cisco,hostname=HUB.cisco.com,serialNumber=1234D
*Nov 6 19:31:25.182: ISKAMP: growing send buffer from 1024 to 3072
*Nov 6 19:31:25.186: ISAKMP:(83727): using the MSCA trustpoint's keypair to sign
*Nov 6 19:31:25.194: ISAKMP:(83727): sending packet to 14.0.0.2 my_port 500 peer_port 500
(R) MM_KEY_EXCH
*Nov 6 19:31:25.198: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 6 19:31:25.198: ISAKMP:(83727):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Nov 6 19:31:25.198: ISAKMP:(83727):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov 6 19:31:25.198: ISAKMP:(83727):Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
*Nov 6 19:31:25.238: ISAKMP (83727): received packet from 14.0.0.2 dport 500 sport 500
fvrf (R) QM_IDLE
*Nov 6 19:31:25.238: ISAKMP: set new node -134314170 to QM_IDLE
*Nov 6 19:31:25.242: ISAKMP:(83727): processing HASH payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727): processing SA payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727):Checking IPSec proposal 1
*Nov 6 19:31:25.242: ISAKMP: transform 1, ESP_3DES
*Nov 6 19:31:25.242: ISAKMP: attributes in transform:
*Nov 6 19:31:25.242: ISAKMP: encaps is 1 (Tunnel)
*Nov 6 19:31:25.242: ISAKMP: SA life type in seconds
*Nov 6 19:31:25.242: ISAKMP: SA life duration (basic) of 3600
*Nov 6 19:31:25.242: ISAKMP: SA life type in kilobytes
*Nov 6 19:31:25.242: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Nov 6 19:31:25.242: ISAKMP: authenticator is HMAC-SHA
*Nov 6 19:31:25.242: ISAKMP:(83727):atts are acceptable.
*Nov 6 19:31:25.242: ISAKMP:(83727): processing NONCE payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727): processing ID payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727): processing ID payload. message ID = -134314170
*Nov 6 19:31:25.242: ISAKMP:(83727):QM Responder gets spi
*Nov 6 19:31:25.242: ISAKMP:(83727):Node -134314170, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
*Nov 6 19:31:25.242: ISAKMP:(83727):Old State = IKE_QM_READY New State =
IKE_QM_SPI_STARVE
*Nov 6 19:31:25.242: ISAKMP:(83727): Creating IPSec SAs
*Nov 6 19:31:25.246: inbound SA from 14.0.0.2 to 15.0.0.2 (f/i) 1/714
(proxy 12.0.0.2 to 13.0.0.2)
*Nov 6 19:31:25.246: has spi 0x917AD879 and conn_id 0
*Nov 6 19:31:25.246: lifetime of 3600 seconds
*Nov 6 19:31:25.246: lifetime of 4608000 kilobytes
*Nov 6 19:31:25.246: outbound SA from 15.0.0.2 to 14.0.0.2 (f/i) 1/714
(proxy 13.0.0.2 to 12.0.0.2)
*Nov 6 19:31:25.246: has spi 0xC54A5A05 and conn_id 0
*Nov 6 19:31:25.246: lifetime of 3600 seconds
*Nov 6 19:31:25.246: lifetime of 4608000 kilobytes
*Nov 6 19:31:25.246: ISAKMP: Failed to find peer index node to update peer_info_list
*Nov 6 19:31:25.250: ISAKMP:(83727): sending packet to 14.0.0.2 my_port 500 peer_port 500
(R) QM_IDLE
*Nov 6 19:31:25.250: ISAKMP:(83727):Node -134314170, Input = IKE_MESG_INTERNAL,
IKE_GOT_SPI
*Nov 6 19:31:25.250: ISAKMP:(83727):Old State = IKE_QM_SPI_STARVE New State =
IKE_QM_R_QM2
*Nov 6 19:31:25.270: ISAKMP (83727): received packet from 14.0.0.2 dport 500 sport 500
fvrf (R) QM_IDLE
*Nov 6 19:31:25.274: ISAKMP:(83727):deleting node -134314170 error FALSE reason "QM done
(await)"
*Nov 6 19:31:25.274: ISAKMP:(83727):Node -134314170, Input = IKE_MESG_FROM_PEER,
IKE_QM_EXCH
*Nov 6 19:31:25.274: ISAKMP:(83727):Old State = IKE_QM_R_QM2 New State =
IKE_QM_PHASE2_COMPLETE
*Nov 6 19:32:15.282: ISAKMP:(83727):purging node -134314170
Command Output for show crypto isakmp sa [detail] for the Responder
Router# show crypto isakmp sa vrf vrf2
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
15.0.0.2 14.0.0.2 QM_IDLE 83727 ACTIVE prof2
IPv6 Crypto ISAKMP SA
Router# show crypto isakmp sa detail vrf vrf2
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
83727 15.0.0.2 14.0.0.2 vrf2 ACTIVE 3des md5 rsig 1 23:59:15
Engine-id:Conn-id = :15727
IPv6 Crypto ISAKMP SA
Assigning the Group Name to the Peer
To associate a group name with an ISAKMP profile that will be assigned to a peer, perform the following
steps beginning in global configuration mode:
Step 1
Command: Router(config)# crypto isakmp profile profile-name
Purpose: Defines an ISAKMP profile and enters ISAKMP profile configuration mode.
• profile-name—Name of the user profile.
Step 2
Command: Router(conf-isa-prof)# client configuration group group-name
Purpose: Accepts the name of a group that will be assigned to a peer when the peer is assigned
this crypto ISAKMP profile.
• group-name—Name of the group to be associated with the peer.
Verifying the Group Name to Peer Assignation Configuration
To verify that a group has been assigned to a peer, enter the debug crypto isakmp command.
The debug crypto isakmp command displays messages about IKE events.
The following debug crypto isakmp output shows that the peer has been matched to the ISAKMP
profile named “certpro” and that it has been assigned a group named “new_group.”
Initiator Configuration
crypto isakmp profile certpro
ca trust-point 2315
ca trust-point LaBcA
match certificate cert_map
client configuration group new_group
! The statement on the above line will assign the group "new_group" to any peer that
! matches the ISAKMP profile "certpro."
initiate mode aggressive
Command Output for debug crypto isakmp for the Responder
Router# debug crypto isakmp
6d23h: ISAKMP (0:268435461): received packet from 192.0.0.2 dport 500 sport 500 Global (R)
MM_KEY_EXCH
6d23h: ISAKMP: Main Mode packet contents (flags 1, len 892):
6d23h: ID payload
6d23h: FQDN port 500 protocol 17
6d23h: CERT payload
6d23h: SIG payload
6d23h: KEEPALIVE payload
6d23h: NOTIFY payload
6d23h: ISAKMP:(0:5:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
6d23h: ISAKMP:(0:5:HW:2):Old State = IKE_R_MM4 New State = IKE_R_MM5
6d23h: ISAKMP:(0:5:HW:2): processing ID payload. message ID = 0
6d23h: ISAKMP (0:268435461): ID payload
next-payload : 6
type : 2
FQDN name : Router1.cisco.com
protocol : 17
port : 500
length : 28
6d23h: ISAKMP:(0:5:HW:2):: peer matches *none* of the profiles
6d23h: ISAKMP:(0:5:HW:2): processing CERT payload. message ID = 0
6d23h: ISAKMP:(0:5:HW:2): processing a CT_X509_SIGNATURE cert
6d23h: ISAKMP:(0:5:HW:2): peer's pubkey isn't cached
6d23h: ISAKMP:(0:5:HW:2): OU = green
6d23h: ISAKMP:(0:5:HW:2): certificate map matches certpro profile
6d23h: ISAKMP:(0:5:HW:2): Trying to re-validate CERT using new profile
6d23h: ISAKMP:(0:5:HW:2): Creating CERT validation list: 2315, LaBcA,
6d23h: ISAKMP:(0:5:HW:2): CERT validity confirmed.
6d23h: ISAKMP:(0:5:HW:2):Profile has no keyring, aborting key search
6d23h: ISAKMP:(0:5:HW:2): Profile certpro assigned peer the group named new_group
For complete configuration information for certificate to ISAKMP profile mapping, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_isakp.html
For certificate to ISAKMP profile mapping configuration examples, see the “Certificate to ISAKMP
Profile Mapping Configuration Examples” section on page 28-23.
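The two debug crypto isakmp outputs above can be checked mechanically rather than by eye. The following Python sketch is an added example, not part of the Cisco guide: it rejoins wrapped lines, records which ISAKMP profile and group each SA was given, and flags accepted Phase 1 transforms that use 3DES, MD5, or a small Diffie-Hellman group. The function names and the policy thresholds are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the two debug outputs on this page,
# keeping one of the wrapped continuation lines ("authenticated").
SAMPLE = """\
*Nov 6 19:31:25.038: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 6 19:31:25.038: ISAKMP: encryption 3DES-CBC
*Nov 6 19:31:25.038: ISAKMP: hash MD5
*Nov 6 19:31:25.038: ISAKMP: default group 1
*Nov 6 19:31:25.038: ISAKMP: auth RSA sig
*Nov 6 19:31:25.042: ISAKMP:(0):atts are acceptable. Next payload is 3
*Nov 6 19:31:25.134: ISAKMP:(83727):: peer matches prof2 profile
*Nov 6 19:31:25.162: ISAKMP:(83727):SA authentication status:
authenticated
*Nov 6 19:31:25.162: ISAKMP:(83727):SA has been authenticated with 14.0.0.2
6d23h: ISAKMP:(0:5:HW:2):: peer matches *none* of the profiles
6d23h: ISAKMP:(0:5:HW:2): OU = green
6d23h: ISAKMP:(0:5:HW:2): certificate map matches certpro profile
6d23h: ISAKMP:(0:5:HW:2): Profile certpro assigned peer the group named new_group
"""

# Policy thresholds are this example's assumptions; adjust to local standards.
WEAK_HASHES = {"MD5"}
WEAK_DH_GROUPS = {1, 2, 5}

# Record prefix: "*Nov 6 19:31:25.038: ", an uptime stamp "6d23h: ", or "01:40:57: ".
TS = re.compile(
    r"^\*?(?:[A-Z][a-z]{2} +\d+ +\d\d:\d\d:\d\d(?:\.\d+)?|\d+[wdh]\d+[dhm]|\d\d:\d\d:\d\d): ")
SA_ID = re.compile(r"ISAKMP\s*:?\s*\(([^)]+)\)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(.+)$")


def unwrap(text):
    """Strip timestamps and glue wrapped continuation lines onto their record."""
    records = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            records.append(line[m.end():].strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def weak_points(t):
    """Return the attributes of one accepted Phase 1 transform that fail policy."""
    found = []
    if "DES" in t.get("encryption", "").upper():
        found.append("encryption " + t["encryption"])
    if t.get("hash", "").upper() in WEAK_HASHES:
        found.append("hash " + t["hash"])
    group = t.get("default group", "")
    if group.isdigit() and int(group) in WEAK_DH_GROUPS:
        found.append("DH group " + group)
    return found


def analyze(text):
    """Summarize transforms, profile matches, group assignments and authenticated peers."""
    report = {"transforms": [], "weak": [], "profiles": {}, "groups": {}, "authenticated": []}
    current = None  # Phase 1 transform currently being described by the log
    for msg in unwrap(text):
        sa = SA_ID.search(msg)
        sa = sa.group(1) if sa else None
        if m := re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", msg):
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "accepted": False}
            report["transforms"].append(current)
        elif current is not None and (m := ATTR.search(msg)):
            current[m.group(1)] = m.group(2).strip()
        elif current is not None and "atts are acceptable" in msg:
            current["accepted"] = True
            report["weak"] += weak_points(current)
            current = None
        elif "peer matches *none* of the profiles" in msg:
            report["profiles"].setdefault(sa, []).append(("identity", None))
        elif m := re.search(r"peer matches (\S+) profile", msg):
            report["profiles"].setdefault(sa, []).append(("identity", m.group(1)))
        elif m := re.search(r"certificate map matches (\S+) profile", msg):
            report["profiles"].setdefault(sa, []).append(("certificate-map", m.group(1)))
        elif m := re.search(r"Profile (\S+) assigned peer the group named (\S+)", msg):
            report["groups"][sa] = (m.group(1), m.group(2))
        elif m := re.search(r"SA has been authenticated with (\S+)", msg):
            report["authenticated"].append(m.group(1))
    return report


def final_profile(report, sa):
    """Last profile match logged for an SA, or None if no profile ever matched."""
    names = [name for _, name in report["profiles"].get(sa, []) if name]
    return names[-1] if names else None


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for key in ("weak", "profiles", "groups", "authenticated"):
        print(key, "->", result[key])
```

In the second output the peer first matches none of the profiles by identity and is then placed in certpro by the certificate map, which is why the profile matches are kept as an ordered list per SA.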
Configuring an Encrypted Preshared Key
The Encrypted Preshared Key feature allows you to securely store plain text passwords in type 6
(encrypted) format in NVRAM.
Encrypted Preshared Key Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring an encrypted preshared key:
• Old ROM monitors (ROMMONs) and boot images cannot recognize the new type 6 passwords. If
you boot from an old ROMMON, you can expect errors.
• If the password (master key) is changed, or reencrypted, using the key config-key
password-encryption command, the list registry passes the old key and the new key to the
application modules that are using type 6 encryption.
• If the master key that was configured using the key config-key password-encryption command is
deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all
type 6 passwords will become useless. As a security measure, after the passwords have been
encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be
reencrypted.
Caution If the password configured using the key config-key password-encryption command is lost, it cannot
be recovered. The password should be stored in a safe location.
• If you later unconfigure password encryption using the no password encryption aes command, all
existing type 6 passwords are left unchanged, and as long as the password (master key) that was
configured using the key config-key password-encryption command exists, the type 6 passwords
will be decrypted as and when required by the application.
• Because no one can “read” the password (configured using the key config-key
password-encryption command), there is no way that the password can be retrieved from the
router. Existing management stations cannot “know” what it is unless the stations are enhanced to
include this key somewhere, in which case the password needs to be stored securely within the
management system. If configurations are stored using TFTP, the configurations are not standalone,
meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto
a router, the password must be manually added (using the key config-key password-encryption
command). The password can be manually added to the stored configuration, but doing so is not
recommended because adding the password manually allows anyone to decrypt all passwords in that
configuration.
• If you enter or cut and paste cipher text that does not match the master key, or if there is no master
key, the cipher text is accepted or saved, but the following alert message is printed:
ciphertext>[for username bar>] is incompatible with the configured master key
• If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing
type 6 keys are not encrypted. The existing type 6 keys are left as is.
• If the old master key is lost or unknown, you have the option of deleting the master key using the no
key config-key password-encryption command. Deleting the master key using the no key
config-key password-encryption command causes the existing encrypted passwords to remain
encrypted in the router configuration. The passwords will not be decrypted.
Configuring an Encrypted Preshared Key
To configure an encrypted preshared key, perform the following task beginning in global configuration
mode:
Step 1
Command: Router(config)# key config-key password-encryption
Purpose: Stores a type 6 encryption key in private NVRAM.
Note the following:
• If you are entering the key interactively (using the Enter key) and an encrypted key already
exists, you will be prompted for the following:
Old key, New key, and Confirm key
• If you are entering the key interactively but an encryption key is not present, you will be
prompted for the following:
New key and Confirm key
• If you are removing a password that is already encrypted, you will see the following prompt:
WARNING: All type 6 encrypted keys will become unusable. Continue with master key
deletion? [yes/no]:
Step 2
Command: Router(config)# password encryption aes
Purpose: Enables the encrypted preshared key.
Verifying the Encrypted Preshared Key Configuration
To verify that a new master key has been configured and that the keys have been encrypted with the new
master key, enter the password logging command. The following is an example of its output:
Router(config)# password logging
Router(config)# key config-key password-encrypt
New key:
Confirm key:
Router(config)#
01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys with
the new master keypas
Router(config)# key config-key password-encrypt
Old key:
New key:
Confirm key:
Router (config)#
01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keys
with the new master key
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
For complete configuration information for the Encrypted Preshared Key feature, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_epsk.html
For an encrypted preshared key configuration example, see the “Encrypted Preshared Key Configuration
Example” section on page 28-23.
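Because plain keys only become type 6 keys once a master key is configured, a saved configuration can still hold preshared keys in clear text. The following Python sketch is an added example, not part of the Cisco guide: it reports which peers have type 6 keys and which do not, without printing any key material. The sample configuration, the key strings, and the function name are constructed for this example, and the two key syntaxes matched (keyring pre-shared-key lines and global crypto isakmp key lines) are the only ones it looks for.

```python
import re

# Constructed configuration fragment; the key strings are placeholders, not real keys.
SAMPLE_CONFIG = """\
password encryption aes
crypto keyring branch-keys
 pre-shared-key address 10.2.3.4 key 6 EXAMPLEtype6CIPHERTEXT
 pre-shared-key address 10.2.3.5 key example-plaintext-key
crypto isakmp key 0 another-plaintext-key address 10.2.3.6
crypto isakmp key 6 EXAMPLEtype6CIPHERTEXT address 10.2.3.7
"""

# Keyring form: pre-shared-key {address a [mask] | hostname h} key [0|6] <key>
KEYRING_PSK = re.compile(
    r"^\s*pre-shared-key (?:address|hostname) (\S+)(?: \d+\.\d+\.\d+\.\d+)? key (?:([06]) )?\S+")
# Global form: crypto isakmp key [0|6] <key> {address a | hostname h}
GLOBAL_PSK = re.compile(
    r"^\s*crypto isakmp key (?:([06]) )?\S+ (?:address|hostname) (\S+)")


def audit_psk_storage(config):
    """Classify each IKE preshared key by storage type without echoing the key."""
    result = {"aes_enabled": False, "type6": [], "plaintext": []}
    for line in config.splitlines():
        if line.strip() == "password encryption aes":
            result["aes_enabled"] = True
            continue
        m = KEYRING_PSK.match(line)
        if m:
            peer, key_type = m.group(1), m.group(2)
        else:
            m = GLOBAL_PSK.match(line)
            if not m:
                continue
            key_type, peer = m.group(1), m.group(2)
        # Type 0 and an absent type both mean the key is stored unencrypted.
        result["type6" if key_type == "6" else "plaintext"].append(peer)
    return result


def needs_attention(result):
    """True when any key is unencrypted or AES password encryption is not enabled."""
    return bool(result["plaintext"]) or not result["aes_enabled"]


if __name__ == "__main__":
    report = audit_psk_storage(SAMPLE_CONFIG)
    print("password encryption aes present:", report["aes_enabled"])
    print("type 6 keys for peers:", report["type6"])
    print("unencrypted keys for peers:", report["plaintext"])
```

The master key itself never appears in the configuration, so this check cannot tell whether the type 6 entries match the router's current master key; the "incompatible with the configured master key" alert described above covers that case.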
Configuring Call Admission Control for IKE
Call Admission Control (CAC) for IKE allows you to limit the number of simultaneous IKE security
associations (SAs) that a router can establish.
Note Call Admission Control is supported in Cisco IOS Release 12.2(33)SRA and later releases.
There are two ways to limit the number of IKE SAs that a router can establish to or from another router:
• Configure an absolute IKE SA limit by entering the crypto call admission limit command.
When an IKE SA limit is defined, the router no longer accepts or initiates new IKE SA requests
when this value has been reached as follows: When there is a new SA request from a peer router,
IKE determines if the number of active IKE SAs plus the number of SAs being negotiated meets or
exceeds the configured SA limit. If the number is greater than or equal to the limit, the new SA
request is rejected and a syslog is generated. This log contains the source destination IP address of
the SA request.
• Configure a system resource limit by entering the call admission limit command.
When a system resource limit is defined, the router no longer accepts or initiates new IKE SA
requests when the specified level of system resources is being used as follows: Call Admission
Control (CAC) polls a global resource monitor so that IKE knows when the router is running short
of CPU cycles or memory buffers. You can configure a resource limit, from 1 to 100000, that
represents a level of system resources. When that level of the system resources is being used, IKE
no longer accepts or initiates new IKE SA requests.
CAC is applied to new SAs (that is, when an SA does not already exist between the peers) and rekeying
SAs. Every effort is made to preserve existing SAs. Only new SA requests will ever be denied due to a
lack of system resources or because the configured IKE SA limit has been reached.
Configuring the IKE Security Association Limit
To configure an IKE Security Association limit, perform the following steps beginning in global
configuration mode. When an IKE SA limit is defined, the router no longer accepts or initiates new IKE
SA requests when the limit has been reached:
Step 1
Command: Router(config)# crypto call admission limit {ike {sa number | in-negotiation-sa number}}
Purpose: Specifies the maximum number of IKE SAs that the router can establish before IKE no
longer accepts or initiates new SA requests.
• sa number—Number of active IKE SAs allowed on the router. The range is 0 to 99999.
• in-negotiation-sa number—Number of in-negotiation IKE SAs allowed on the router.
The range is 10 to 99999.
Note An ISAKMP connection needs to be built in two directions. If you have 500 spokes in
your network, you should set this value at a minimum of 1000 (500 x 2).
Step 2
Command: Router(config)# exit
Purpose: Returns to privileged EXEC mode.
Configuring a System Resource Limit
To configure a system resource limit, perform the following steps beginning in global configuration
mode. When a system resource limit is defined, the router no longer accepts or initiates new IKE SA
requests when the specified level of system resources is being used.
Step 1
Command: Router(config)# call admission limit charge
Purpose: Instructs IKE to stop initiating or accepting new SA requests (that is, calls for CAC)
when the specified level of system resources is being used.
• charge—Level of the system resources that, when used, causes IKE to stop accepting new
SA requests. Valid values are 1 to 100000.
Step 2
Command: Router(config)# exit
Purpose: Returns to privileged EXEC mode.
Clearing Call Admission Statistics
To clear the Call Admission Control counters that track the number of accepted and rejected Internet Key
Exchange (IKE) requests, use the clear crypto call admission statistics command in global
configuration mode:
Router(config)# clear crypto call admission statistics
Verifying the Call Admission Control for IKE Configuration
To verify that Call Admission Control has been configured, enter the show call admission statistics and
the show crypto call admission statistics commands.
The show call admission statistics command monitors the global CAC configuration parameters and
the behavior of CAC.
Router# show call admission statistics
Total Call admission charges: 0, limit 25
Total calls rejected 12, accepted 51
Load metric: charge 0, unscaled 0
The show crypto call admission statistics command monitors crypto CAC statistics.
Router# show crypto call admission statistics
-----------------------------------------------------------
Crypto Call Admission Control Statistics
-----------------------------------------------------------
System Resource Limit: 0 Max IKE SAs 0
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 SA limit: 0
For more complete configuration information for Call Admission Control for IKE, refer to the following
URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtcallik.html
For Call Admission Control for IKE configuration examples, see the “Call Admission Control for IKE
Configuration Examples” section on page 28-24.
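The counters in the show crypto call admission statistics output are cumulative, so what matters operationally is how they change between two polls. The following is an added example, not part of the Cisco guide: it parses two polls and reports new rejections by the cause the router gives. The poll texts are constructed in the layout shown above, and the function names are assumptions.

```python
import re

# Constructed polls (not captured from a device), following the layout of the
# "show crypto call admission statistics" output shown in this section.
POLL_1 = """\
-----------------------------------------------------------
Crypto Call Admission Control Statistics
-----------------------------------------------------------
System Resource Limit: 0 Max IKE SAs 25
Total IKE SA Count: 21 active: 19 negotiating: 2
Incoming IKE Requests: 40 accepted: 40 rejected: 0
Outgoing IKE Requests: 11 accepted: 11 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 SA limit: 0
"""
POLL_2 = """\
System Resource Limit: 0 Max IKE SAs 25
Total IKE SA Count: 25 active: 25 negotiating: 0
Incoming IKE Requests: 63 accepted: 44 rejected: 19
Outgoing IKE Requests: 12 accepted: 11 rejected: 1
Rejected IKE Requests: 20 rsrc low: 0 SA limit: 20
"""

# A label (letters and spaces), an optional colon, then a counter value.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:?\s*(\d+)")


def parse_cac(text):
    """Return {row label: {"total": n, sub-label: n, ...}} for each counter row."""
    stats = {}
    for line in text.splitlines():
        pairs = FIELD.findall(line)
        if not pairs:
            continue  # rule lines and the title carry no counters
        (row, total), rest = pairs[0], pairs[1:]
        stats[row] = {"total": int(total), **{k: int(v) for k, v in rest}}
    return stats


def row_delta(prev, curr, row):
    """Change in one counter row between two polls."""
    before, after = prev[row], curr[row]
    if after["total"] < before["total"]:
        # Counters went backwards: they were cleared between the polls.
        before = dict.fromkeys(after, 0)
    return {k: after[k] - before[k] for k in after}


def findings(prev, curr):
    """Human-readable list of new rejections since the previous poll."""
    rejected = row_delta(prev, curr, "Rejected IKE Requests")
    sa_total = curr["Total IKE SA Count"]["total"]
    sa_max = curr["System Resource Limit"]["Max IKE SAs"]
    out = []
    if rejected["SA limit"]:
        out.append(f"{rejected['SA limit']} new IKE requests rejected at the SA limit "
                   f"({sa_total} SAs, configured maximum {sa_max})")
    if rejected["rsrc low"]:
        out.append(f"{rejected['rsrc low']} new IKE requests rejected for low system resources")
    for direction in ("Incoming", "Outgoing"):
        n = row_delta(prev, curr, f"{direction} IKE Requests")["rejected"]
        if n:
            out.append(f"{n} of the new rejections were {direction.lower()} requests")
    return out


if __name__ == "__main__":
    for line in findings(parse_cac(POLL_1), parse_cac(POLL_2)):
        print(line)
```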
Configuring Dead Peer Detection
Dead Peer Detection (DPD), defined in RFC 3706, is a mechanism used to detect dead IPSec peers.
IPSec is a peer-to-peer type of technology. It is possible that IP connectivity may be lost between peers
due to routing problems, peer reloading, or some other situation. This lost connectivity can result in
black holes where traffic is lost. DPD, based on a traffic-detection method, is one possible mechanism
to remedy this situation.
Note The periodic option of the crypto isakmp keepalive command is only supported as of Cisco IOS
Release 12.2(33)SRA; the on-demand option is supported in all releases.
DPD supports two options: on-demand or periodic. The on-demand approach is the default. With
on-demand DPD, messages are sent on the basis of traffic patterns. For example, if a router must send
outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query
the status of the peer. If a router has no traffic to send, it never sends a DPD message. If a peer is dead,
and the router never has any traffic to send to the peer, the router will not find out until the IKE or IPSec
security association (SA) has to be rekeyed (the liveliness of the peer is unimportant if the router is not
trying to communicate with the peer). On the other hand, if the router has traffic to send to the peer, and
the peer does not respond, the router will initiate a DPD message to determine the state of the peer.
With the periodic option, you can configure your router so that DPD messages are “forced” at regular
intervals. This forced approach results in earlier detection of dead peers. For example, if a router has no
traffic to send, a DPD message is still sent at regular intervals, and if a peer is dead, the router does not
have to wait until the IKE SA times out to find out.
DPD is configured using the crypto isakmp keepalive command. DPD and Cisco IOS keepalives
function on the basis of a timer. If the timer is set for 10 seconds, the router will send a “hello” message
every 10 seconds (unless, of course, the router receives a “hello” message from the peer). The benefit of
Cisco IOS keepalives and periodic DPD is earlier detection of dead peers. However, Cisco IOS
keepalives and periodic DPD rely on periodic messages that have to be sent with considerable frequency.
The result of sending frequent messages is that the communicating peers must encrypt and decrypt more
packets.
DPD and Cisco IOS keepalive features can be used in conjunction with multiple peers in the crypto map
to allow for stateless failover. DPD allows the router to detect a dead IKE peer, and when the router
detects the dead state, the router deletes the IPSec and IKE SAs to the peer. If you configure multiple
peers, the router will switch over to the next listed peer for a stateless failover.
DPD Configuration Guidelines and Restrictions
When configuring DPD, follow these guidelines and restrictions:
• When the crypto isakmp keepalive command is configured, the Cisco IOS software negotiates the
use of Cisco IOS keepalives or DPD, depending on which protocol the peer supports.
• If you do not configure the periodic option using the crypto isakmp keepalive command, the router
defaults to the on-demand approach.
• Before configuring periodic DPD, you should ensure that your IKE peer supports DPD.
Implementations that support DPD include the Cisco VPN 3000 concentrator, Cisco PIX Firewall,
Cisco VPN Client, and Cisco IOS software in all modes of operation—site-to-site, Easy VPN
remote, and Easy VPN server.
• Using periodic DPD potentially allows the router to detect an unresponsive IKE peer with better
response time when compared to on-demand DPD. However, use of periodic DPD incurs extra
overhead. When communicating to large numbers of IKE peers, you should consider using
on-demand DPD instead.
• When you configure DPD using the crypto isakmp keepalive seconds command, the seconds
argument specifies the interval between DPD messages. In the case of on-demand DPD, the actual
interval may be up to twice the configured value.
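The difference between the two options shows up in how long traffic is black-holed after a peer dies. The following simplified timing model is an added illustration, not Cisco code and not the IOS implementation. Assumed and not taken from the guide: the function and parameter names, max_retries (unanswered retries before the peer is declared dead), that the peer becomes questionable after `seconds` without traffic from it, and the rekey time.

```python
def learn_peer_dead(mode, seconds, retry_interval, peer_dies_at,
                    outbound_at=(), rekey_at=3600, max_retries=5):
    """Return (time, how, lost): when the router learns the peer is dead,
    whether by "dpd" or only at "rekey", and which outbound packets (by send
    time) went into the black hole before that. All times are in seconds."""
    if mode == "periodic":
        # Probes go out every `seconds` whether or not there is traffic; the
        # first one sent at or after the peer's death is never answered.
        first_unanswered = max(1, -(-peer_dies_at // seconds)) * seconds
    elif mode == "on-demand":
        # A probe is sent only when the router has traffic to send and has
        # heard nothing from the peer for `seconds` (modelling assumption).
        questionable_from = peer_dies_at + seconds
        probes = [t for t in sorted(outbound_at)
                  if questionable_from <= t < rekey_at]
        first_unanswered = probes[0] if probes else None
    else:
        raise ValueError(f"unknown DPD mode: {mode!r}")

    # Without a probe, the router only finds out when the SA has to be rekeyed.
    learned, how = rekey_at, "rekey"
    if first_unanswered is not None:
        declared = first_unanswered + max_retries * retry_interval
        if declared < rekey_at:
            learned, how = declared, "dpd"
    lost = [t for t in sorted(outbound_at) if peer_dies_at <= t < learned]
    return learned, how, lost


if __name__ == "__main__":
    traffic = [100, 130, 200]          # constructed outbound send times
    # "crypto isakmp keepalive 10 periodic": retry interval defaults to 2 s
    print(learn_peer_dead("periodic", 10, 2, 95, traffic))
    # "crypto isakmp keepalive 60 5": on-demand is the default mode
    print(learn_peer_dead("on-demand", 60, 5, 95, traffic))
    # on-demand with nothing to send: the dead peer goes unnoticed until rekey
    print(learn_peer_dead("on-demand", 60, 5, 95))
```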
Configuring a Dead Peer Detection Message
To allow the router to send DPD messages to the peer, perform the following task:

Command: Router(config)# crypto isakmp keepalive seconds [retries] [periodic | on-demand]
Purpose: Allows the router to send DPD messages to the peer.
• seconds—Specifies the number of seconds between DPD messages; the range is from 10 to 3600
seconds.
• retries—(Optional) Specifies the number of seconds between DPD retries if the DPD message
fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.
• periodic—(Optional) Specifies that the DPD messages are sent at regular intervals.
• on-demand—(Optional) Specifies that DPD retries are sent on demand. This is the default
behavior.

Note Because the on-demand option is the default, the on-demand keyword does not appear in configuration
output.
Verifying the DPD Configuration
To verify that DPD is enabled, use the show crypto isakmp sa detail command in global mode:
Router# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Encr Hash Auth DH Lifetime Cap.
273 11.0.0.2 11.0.0.1 ivrf21 3des sha psk 2 01:59:35 D
Connection-id:Engine-id = 273:2(hardware)
For more complete configuration information for Cisco IOS Dead Peer Detection (DPD) support, refer
to the Cisco IOS Security Command Reference, Release 12.3.
For DPD configuration examples, see the “Dead Peer Detection Configuration Examples” section on
page 28-24.
Understanding IPSec NAT Transparency
The IPSec NAT transparency feature introduces support for IP Security (IPSec) traffic to travel through
Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing
many known incompatibilities between NAT and IPSec.
Before the introduction of this feature, a standard IPSec virtual private network (VPN) tunnel would not
work if there were one or more NAT or PAT points in the delivery path of the IPSec packet. This feature
allows IPSec to operate through a NAT/PAT device.
For detailed information on NAT Transparency, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html
IPSec NAT Transparency Configuration Guidelines and Restrictions
When configuring IPSec NAT transparency, follow these guidelines and restrictions:
• For non-GRE over IPSec configurations, NAT transparency is supported in both tunnel and transport
modes.
• For point-to-point GRE over IPSec configurations, NAT transparency is supported only in tunnel
mode.
• For DMVPN configurations, NAT transparency is supported only in transport mode.
Configuring NAT Transparency
NAT transparency is a feature that is auto-detected by the IPSec VPN SPA. There are no configuration
steps. If both VPN devices are NAT transparency-capable, NAT transparency is auto-detected and
auto-negotiated.
Disabling NAT Transparency
You might want to disable NAT transparency if you already know that your network uses
IPSec-awareness NAT (SPI-matching scheme). To disable NAT transparency, use the following
command in global configuration mode:
Router(config)# no crypto ipsec nat-transparency udp-encapsulation
Configuring NAT Keepalives
By default, the NAT keepalive feature is disabled. To configure your router to send NAT keepalive
packets, enter the crypto isakmp nat keepalive command in global configuration mode:
Router(config)# crypto isakmp nat keepalive seconds
In this command, seconds specifies the number of seconds between keepalive packets; the range is
5 to 3,600 seconds.
For a NAT keepalives configuration example, see the “ISAKMP NAT Keepalive Configuration Example”
section on page 28-24.
Verifying the NAT Configuration
To verify the NAT configuration, enter the show crypto ipsec sa command:
Note When you first enter the show crypto ipsec sa command, the packet counters may not show the correct
values. Repeat the command to show the updated values.
Router# show crypto ipsec sa
interface:GigabitEthernet5/0/1
Crypto map tag:testtag, local addr. 10.2.80.161
local ident (addr/mask/prot/port):(10.2.80.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port):(100.0.0.1/255.255.255.255/0/0)
current_peer:100.0.0.1:4500
PERMIT, flags={origin_is_acl,}
#pkts encaps:109, #pkts encrypt:109, #pkts digest 109
#pkts decaps:109, #pkts decrypt:109, #pkts verify 109
#pkts compressed:0, #pkts decompressed:0
#pkts not compressed:0, #pkts compr. failed:0, #pkts decompress failed:0
#send errors 90, #recv errors 0
local crypto endpt.:10.2.80.161, remote crypto endpt.:100.0.0.1:4500
path mtu 1500, media mtu 1500
current outbound spi:23945537
inbound esp sas:
spi:0xF423E273(4095992435)
transform:esp-des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot:0, conn id:200, flow_id:1, crypto map:testtag
sa timing:remaining key lifetime (k/sec):(4607996/2546)
IV size:8 bytes
replay detection support:Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi:0x23945537(596923703)
transform:esp-des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot:0, conn id:201, flow_id:2, crypto map:testtag
sa timing:remaining key lifetime (k/sec):(4607998/2519)
IV size:8 bytes
replay detection support:Y
outbound ah sas:
outbound pcp sas:
For complete configuration information for Cisco IOS IPSec NAT transparency support, refer to this
URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html
Configuration Examples
This section provides examples of the following configurations:
• Advanced Encryption Standard Configuration Example
• ISAKMP Keyrings Configuration Examples
• Certificate to ISAKMP Profile Mapping Configuration Examples
• Encrypted Preshared Key Configuration Example
• Call Admission Control for IKE Configuration Examples
• Dead Peer Detection Configuration Examples
• ISAKMP NAT Keepalive Configuration Example
Advanced Encryption Standard Configuration Example
The following example configures the Advanced Encryption Standard (AES) 256-bit key:
crypto isakmp policy 10
encr aes 256
authentication pre-share
ISAKMP Keyrings Configuration Examples
The following examples show how to limit the scope of an Internet Security Association and Key
Management Protocol (ISAKMP) profile or ISAKMP keyring configuration to a local termination
address or interface:
• ISAKMP Profile Bound to a Local Interface Configuration Example
• ISAKMP Keyring Bound to a Local Interface Configuration Example
• ISAKMP Keyring Bound to a Local IP Address Configuration Example
ISAKMP Profile Bound to a Local Interface Configuration Example
The following example configures an ISAKMP profile bound to a local interface:
crypto isakmp profile prof1
keyring key0
match identity address 11.0.0.2 255.255.255.255
local-address serial2/0
ISAKMP Keyring Bound to a Local Interface Configuration Example
The following example configures an ISAKMP keyring bound only to interface serial2/0:
crypto keyring key0
local-address serial2/0
pre-shared-key address 11.0.0.2 key 12345
ISAKMP Keyring Bound to a Local IP Address Configuration Example
The following example configures an ISAKMP keyring bound only to IP address 10.0.0.2:
crypto keyring key0
local-address 11.0.0.1
pre-shared-key address 11.0.0.2 key 12345
Certificate to ISAKMP Profile Mapping Configuration Examples
The following examples show how to configure Certificate to ISAKMP Profile Mapping:
• Certificates Mapped to the ISAKMP Profile on the Basis of Arbitrary Fields Configuration Example
• Group Name Assigned to a Peer Associated with an ISAKMP Profile Configuration Example
Certificates Mapped to the ISAKMP Profile on the Basis of Arbitrary Fields Configuration Example
The following example shows that whenever a certificate contains “ou = green,” the ISAKMP profile
“cert_pro” will be assigned to the peer:
crypto pki certificate map cert_map 10
subject-name co ou = green
!
crypto isakmp identity dn
crypto isakmp profile cert_pro
ca trust-point 2315
ca trust-point LaBcA
match certificate cert_map
Group Name Assigned to a Peer Associated with an ISAKMP Profile Configuration Example
The following example shows that the group “some_group” is to be associated with a peer that has been
assigned an ISAKMP profile:
crypto isakmp profile id_profile
ca trust-point 2315
match identity host domain cisco.com
client configuration group some_group
Encrypted Preshared Key Configuration Example
The following example shows a configuration for which a type 6 preshared key has been encrypted:
Router(config)# password encryption aes
Router(config)# key config-key password-encrypt
New key:
Confirm key:
Router(config)#
0:46:40: TYPE6_PASS: New Master key configured, encrypting the keys with
the new master key
Router(config)# exit
Call Admission Control for IKE Configuration Examples
The following examples show how to configure Call Admission Control (CAC) for IKE:
• IKE Security Association Limit Configuration Example
• System Resource Limit Configuration Example
IKE Security Association Limit Configuration Example
The following example shows how to specify that there can be a maximum of 25 SAs before IKE starts
rejecting new SA requests:
Router(config)# crypto call admission limit ike sa 25
System Resource Limit Configuration Example
The following example shows how to specify that IKE should drop SA requests when a given level of
system resources is being used:
Router(config)# call admission limit 50000
Dead Peer Detection Configuration Examples
The following examples show how to configure Dead Peer Detection (DPD):
• On-Demand DPD Configuration Example
• Periodic DPD Configuration Example
On-Demand DPD Configuration Example
The following example shows how to configure on-demand DPD messages. In this example, DPD
messages will be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
Router(config)# crypto isakmp keepalive 60 5
Periodic DPD Configuration Example
The following example shows how to configure periodic DPD messages. In this example, DPD messages
are to be sent at intervals of 10 seconds:
Router(config)# crypto isakmp keepalive 10 periodic
ISAKMP NAT Keepalive Configuration Example
The following example shows how to enable NAT keepalives to be sent every 20 seconds:
crypto isakmp policy 1
authentication pre-share
crypto isakmp key 1234 address 56.0.0.1
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set t2 esp-des esp-sha-hmac
!
crypto map test2 10 ipsec-isakmp
set peer 56.0.0.1
set transform-set t2
match address 101
CHAPTER 29
Configuring Enhanced IPSec Features Using the IPSec VPN SPA
This chapter provides information about configuring enhanced IPSec features using the IPSec VPN SPA
on the Cisco 7600 series router. It includes the following sections:
• Overview of Enhanced IPSec Features
• Configuring Advanced Encryption Standard in a Transform Set
• Configuring Reverse Route Injection
• Configuring the IPSec Anti-Replay Window Size
• Configuring an IPSec Preferred Peer
• Configuring IPSec Security Association Idle Timers
• Configuring Distinguished Name-Based Crypto Maps
• Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA
• Configuring QoS on the WS-IPSEC-3 IPSEC VSPA
• Configuring Sequenced Crypto ACLs
• Configuring Deny Policy Enhancements for Crypto ACLs
• Configuration Examples
Note For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco
IOS Security Configuration Guide, Release 12.2 and Cisco IOS Security Command Reference, Release
12.2.
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Overview of Enhanced IPSec Features
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). It
provides security for transmission of sensitive information over unprotected networks such as the
Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating
IPSec devices (peers), such as Cisco routers.
This chapter describes the advanced IPSec features that can be used to improve scalability and
performance of your IPSec VPN.
Configuring Advanced Encryption Standard in a Transform Set
The Advanced Encryption Standard (AES) is a privacy transform for IPSec and Internet Key Exchange
(IKE) that has been developed to replace the Data Encryption Standard (DES). AES is designed to be
more secure than DES. AES offers a larger key size, while ensuring that the only known approach to
decrypt a message is for an intruder to try every possible key. AES has a variable key length. The
algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.
To configure the AES encryption algorithm within a transform set, perform this task beginning in global
configuration mode:

Command: Router(config)# crypto ipsec transform-set transform-set-name transform1[transform2[transform3]]
...
Purpose: Specifies a transform set and IPSec security profiles and algorithms.

transform-set-name specifies the name of the transform set.
transform1[transform2[transform3]] defines IPSec security protocols and algorithms. To configure
AES, you must choose from the following AES Encapsulating Security Payload (ESP) encryption
transforms:
• esp-aes specifies ESP with the 128-bit AES encryption algorithm.
• esp-aes 192 specifies ESP with the 192-bit AES encryption algorithm.
• esp-aes 256 specifies ESP with the 256-bit AES encryption algorithm.
For other accepted transform values, and more details on configuring transform sets, see the Cisco IOS
Security Command Reference.
Verifying the AES Transform Set
To verify the configuration of the transform set, enter the show crypto ipsec transform-set command:
Router# show crypto ipsec transform-set
Transform set transform-1:{esp-256-aes esp-md5-hmac}
will negotiate = {Tunnel, }
For more complete configuration information about AES support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_aes.html
For an AES configuration example, see the “Advanced Encryption Standard Configuration Example”
section on page 29-34.
Configuring Reverse Route Injection
Reverse Route Injection (RRI) provides the ability for static routes to be automatically inserted into the
routing process for those networks and hosts protected by a remote tunnel endpoint. These protected
hosts and networks are known as remote proxy identities.
Note RRI is supported in Cisco IOS Release 12.2(33)SRA and later releases.
Each route is created on the basis of the remote proxy network and mask, with the next hop to this
network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as
the next hop, the traffic is forced through the crypto process to be encrypted.
After the static route is created on the VPN router, this information is propagated to upstream devices,
allowing them to determine the appropriate VPN router to which to send returning traffic in order to
maintain IPSec state flows. Being able to determine the appropriate VPN router is particularly useful if
multiple VPN routers are used at a site to provide load balancing or failover or if the remote VPN devices
are not accessible via a default route. Routes are created in either the global routing table or the
appropriate virtual routing and forwarding (VRF) table.
RRI is applied on a per-crypto map basis, whether this is via a static crypto map or a dynamic crypto
map template. For both dynamic and static maps, routes are created only at the time of IPSec SA
creation. Routes are removed when the SAs are deleted. The static keyword can be added to the
reverse-route command if routes are created on the basis of the content of the crypto ACLs that are
permanently attached to the static crypto map.
RRI Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring RRI:
Note When RRI is enabled, do not make changes to the crypto configuration while VPN sessions are active.
Enter the clear crypto session command before making changes.
• IP routing should be enabled and static routes should be redistributed if dynamic routing protocols
are to be used to propagate RRI-generated static routes.
• You can specify an interface or address as the explicit next hop to the remote VPN device. This
functionality allows the overriding of a default route to properly direct outgoing encrypted packets.
• You can add a route tag value to any routes that are created using RRI. This route tag allows
redistribution of groups of routes using route maps, allowing you to be selective about which routes
enter your global routing table.
• RRI can be configured on the same crypto map that is applied to multiple router interfaces.
• The reverse-route remote-peer [static] command creates two routes. One route is the standard
remote proxy ID and the next hop is the remote VPN client tunnel address. The second route is the
actual route to that remote tunnel endpoint and is used when a recursive lookup requires that the
remote endpoint be reachable by the next hop. Creation of the second route for the actual next hop
is important in the VRF case in which a default route must be overridden by a more explicit route.
To reduce the number of routes created and support some platforms that do not readily facilitate
route recursion, the reverse-route {ip-address} [static] keyword can be used to create one route
only.
• For devices using an IPSec VPN SPA, reverse route specifies the next hop to be the interface,
subinterface, or virtual LAN (VLAN) with the crypto map applied to it.
Configuring RRI Under a Static Crypto Map
To configure RRI under a static crypto map, perform the following steps beginning in global
configuration mode:

Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-isakmp
Purpose: Creates or modifies a crypto map entry and enters crypto map configuration mode.
• map-name—Name that identifies the map set.
• seq-num—Sequence number assigned to the crypto map entry.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec SAs for protecting the
traffic specified by this crypto map entry.

Step 2
Command: Router(config-crypto-map)# reverse-route [[static] | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]]
Purpose: Creates source proxy information for a crypto map entry.
• static—(Optional) Creates permanent routes based on static ACLs.
• tag tag-id—(Optional) Tag value that can be used as a match value for controlling
redistribution via route maps.
• remote-peer [static]—(Optional) Two routes are created, one for the remote endpoint and one
for route recursion to the remote endpoint via the interface to which the crypto map is applied.
The static keyword is optional.
• remote-peer ip-address [static]—(Optional) One route is created to a remote proxy by way
of a user-defined next hop. This next hop can be used to override a default route. The ip-address
argument is required. The static keyword is optional.
Configuring RRI Under a Dynamic Crypto Map
To configure RRI under a dynamic crypto map, perform the following steps beginning in global
configuration mode:

Step 1
Command: Router(config)# crypto dynamic-map {dynamic-map-name} {dynamic-seq-num}
Purpose: Creates a dynamic crypto map entry and enters crypto map configuration mode.
• dynamic-map-name—Name that identifies the map set.
• dynamic-seq-num—Sequence number assigned to the crypto map entry.

Step 2
Command: Router(config-crypto-map)# reverse-route [tag tag-id | remote-peer | remote-peer ip-address]
Purpose: Creates source proxy information for a crypto map entry.
• tag tag-id—(Optional) Tag value that can be used as a match value for controlling
redistribution via route maps.
• remote-peer—(Optional) Two routes are created, one for the remote endpoint and one for
route recursion to the remote endpoint via the interface to which the crypto map is applied.
• remote-peer ip-address—(Optional) One route is created to a remote proxy by way of a
user-defined next hop. This next hop can be used to override a default route. The ip-address
argument is required.

For more complete configuration information for RRI, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html
For RRI configuration examples, see the “Reverse Route Injection Configuration Examples” section on
page 29-34.
Configuring the IPSec Anti-Replay Window Size
Cisco IPSec authentication provides anti-replay protection against an attacker duplicating encrypted
packets by assigning a unique sequence number to each encrypted packet. (Security association (SA)
anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself
against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The
encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value (X) of
the highest sequence number that it has already seen. N is the window size of the decryptor. Any packet
with a sequence number less than X minus N is discarded. Currently, N is set at 64.
Note The IPSec anti-replay window size feature is supported in Cisco IOS Release 12.2(18)SXF6 and later
releases.
At times, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives
priority to high-priority packets, which could cause some low-priority packets to be discarded even
though they are not replayed packets. The IPSec anti-replay window size feature allows you to expand
the window size so that sequence number information can be kept for more than 64 packets.
Note A change in the anti-replay window size will not take effect until after the next rekeying.
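The receiver-side check described above can be written as a sliding bitmap. The following is an added example, not code from the Cisco guide or from Cisco IOS: it applies the rule as the text states it (anything below X minus N is discarded) and shows a packet held back by QoS being dropped at N = 64 but accepted at N = 128. The class name, function names and arrival sequences are constructed for the illustration.

```python
from collections import Counter


class AntiReplayWindow:
    """Receiver-side check as the text states it: X is the highest sequence
    number seen, N the window size, and anything below X - N is discarded."""

    def __init__(self, size=64):
        self.size = size                       # N
        self.highest = 0                       # X
        self.seen = 0                          # bit i set => sequence X - i already seen
        self._mask = (1 << (size + 1)) - 1     # keep bits for X, X-1, ..., X-N

    def check(self, seq):
        if seq > self.highest:
            # New highest sequence number: slide the window forward.
            self.seen = ((self.seen << (seq - self.highest)) | 1) & self._mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset > self.size:                 # seq < X - N
            return "too_old"
        if (self.seen >> offset) & 1:          # checked off before: a duplicate
            return "replay"
        self.seen |= 1 << offset               # late, but first sighting inside the window
        return "accept"


def qos_reordered_arrivals(overtaken_by):
    """Constructed arrival order: the packet with sequence number 1 is low
    priority and is overtaken by `overtaken_by` higher-priority packets
    (sequence numbers 2 .. overtaken_by + 1) before it reaches the decryptor."""
    return list(range(2, overtaken_by + 2)) + [1]


def verdicts(arrivals, size):
    """Count the verdicts a window of the given size returns for the arrivals."""
    window = AntiReplayWindow(size)
    return dict(Counter(window.check(seq) for seq in arrivals))


if __name__ == "__main__":
    arrivals = qos_reordered_arrivals(100)
    for size in (64, 128):
        print(size, verdicts(arrivals, size))
    # A genuine duplicate is still rejected with the larger window.
    print(verdicts(arrivals + [50], 128))
```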
Expanding the IPSec Anti-Replay Window Size Globally
To expand the IPSec anti-replay window globally so that it affects all SAs that are created (except for
those that are specifically overridden on a per-crypto map basis), perform this task beginning in global
configuration mode:

Command: Router(config)# crypto ipsec security-association replay window size [size]
Purpose: Expands the IPSec anti-replay window globally to the specified size.
• size—(Optional) Size of the window. Values can be 64, 128, 256, 512, or 1024. This value
becomes the default value.
Expanding the IPSec Anti-Replay Window at the Crypto Map Level
To expand the IPSec anti-replay window on a crypto map basis so that it affects those SAs that have been
created using a specific crypto map or profile, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-isakmp
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a
template for configuration of dynamically created crypto maps.
• map-name—Name that identifies the map set.
• seq-num—Sequence number assigned to the crypto map entry.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec SAs for protecting the
traffic specified by this crypto map entry.
Step 2
Command: Router(config-crypto-map)# set security-association replay window-size [size]
Purpose: Controls the SAs that are created using the policy specified by a particular crypto map,
dynamic crypto map, or crypto profile.
• size—(Optional) Size of the window. Values can be 64, 128, 256, 512, or 1024. This value
becomes the default value.
Verifying the IPSec Anti-Replay Window Size Configuration at the Crypto Map Level
To verify that IPSec anti-replay window size is enabled at a crypto map, enter the show crypto map
command for that particular map. If anti-replay window size is enabled, the display will indicate that it
is enabled and indicate the configured window size. If anti-replay window size is disabled, the results
will indicate that also.
The following example indicates that IPSec anti-replay window size is enabled:
Router# show crypto map tag TESTMAP
Crypto Map "TESTMAP" 10 ipsec-isakmp
WARNING: This crypto map is in an incomplete state!
(missing peer or access-list definitions)
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
}
Antireplay window size = 128
Interfaces using crypto map TESTMAP:
For more complete configuration information for IPSec anti-replay window size, refer to the following
URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html
For IPSec anti-replay window size configuration examples, see the “IPSec Anti-Replay Window Size
Configuration Examples” section on page 29-36.
Note Anti-replay failures detected by the IPSec VPN SPA can be caused by reordering, requeueing, or
fragmentation elsewhere in the network. As a defense against man-in-the-middle attacks, the IPSec VPN
SPA will drop these packets. This is the expected behavior.
Disabling the IPSec Anti-Replay Checking
To disable the IPSec anti-replay checking, enter the crypto ipsec security-association replay disable
command in global configuration mode as follows:
Command: Router(config)# crypto ipsec security-association replay disable
Purpose: Disables the IPSec anti-replay checking.
To disable the IPSec anti-replay checking on a particular crypto map, enter the set security-association
replay disable command in crypto map configuration mode as follows:
Step 1
Command: Router(config)# crypto map map-name seq-num ipsec-isakmp
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a
template for configuration of dynamically created crypto maps.
• map-name—Name that identifies the map set.
• seq-num—Sequence number assigned to the crypto map entry.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec SAs for protecting the
traffic specified by this crypto map entry.
Step 2
Command: Router(config-crypto-map)# set security-association replay disable
Purpose: Disables IPSec anti-replay checking by a particular crypto map, dynamic crypto map, or
crypto profile.
Configuring an IPSec Preferred Peer
The IP Security (IPSec) Preferred Peer feature allows you to control the circumstances by which multiple
peers on a crypto map are tried in a failover scenario. If there is a default peer, the next time a connection
is initiated, the connection is directed to the default peer instead of to the next peer in the peer list. If all
connections to the current peer time out, the next time a connection is initiated, it is directed to the
default peer.
Note The IPSec Preferred Peer feature is supported in Cisco IOS Release 12.2(33)SRA and later releases.
This feature includes the following capabilities:
• Default peer configuration
If a connection timeout occurs, the connection to the current peer is closed. The set peer command
allows you to configure the first peer as the default peer. If there is a default peer, the next time a
connection is initiated, the connection is directed to the default peer instead of to the next peer in
the peer list. If the default peer is unresponsive, the next peer in the peer list becomes the current
peer and future connections through the crypto map try that peer.
This capability is useful when traffic on a physical link stops due to the failure of a remote peer.
DPD indicates that the remote peer is unavailable, but that peer remains the current peer.
A default peer facilitates the failover to a preferred peer that was previously unavailable, but has
returned to service. Users can give preference to certain peers in the event of a failover. This is useful
if the original failure was due to a network connectivity problem rather than failure of the remote
peer.
To configure a default peer, see the “Configuring a Default Peer” section on page 29-10.
• IPSec idle timer with default peer configuration
When a router running Cisco IOS software creates an IPSec security association (SA) for a peer,
resources must be allocated to maintain the SA. The SA requires both memory and several managed
timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the
router could be prevented from creating new SAs with other peers.
IPSec SA idle timers increase the availability of resources by deleting SAs associated with idle
peers. Because IPSec SA idle timers prevent the wasting of resources by idle peers, more resources
are available to create new SAs when required. (If IPSec SA idle timers are not configured, only the
global lifetimes for IPSec SAs are applied. SAs are maintained until the global timers expire,
regardless of peer activity.)
When both an IPSec SA idle timer and a default peer are configured and all connections to the
current peer time out, the next time a connection is initiated it is directed to the default peer
configured in the set peer command. If a default peer is not configured and there is a connection
timeout, the current peer remains the one that timed out.
This enhancement helps facilitate a failover to a preferred peer that was previously unavailable but
is in service now.
To configure an IPSec idle timer, see the “Configuring the IPSec Idle Timer with a Default Peer”
section on page 29-11.
IPSec Preferred Peer Configuration Guidelines and Restrictions
When configuring an IPSec preferred peer, follow these guidelines and restrictions:
• When configuring a default peer, follow these guidelines and restrictions:
– Only one peer can be designated as the default peer in a crypto map.
– The default peer must be the first peer in the peer list.
Note The default peer feature must be used in conjunction with Dead Peer Detection (DPD). It is
most effective on a remote site running DPD in periodic mode. DPD detects the failure of a
device quickly and resets the peer list so that the default peer is tried for the next attempted
connection.
• When configuring IPSec idle timer usage with a default peer, follow these guidelines and
restrictions:
– The IPSec idle timer usage with a default peer feature works only on the crypto map for which
it is configured. You cannot configure the capability globally for all crypto maps.
– If there is a global idle timer, the crypto map idle timer value must be different from the global
value; otherwise, the idle timer is not added to the crypto map.
Configuring a Default Peer
To configure a default peer, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name]
[discover] [profile profile-name]
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a
template for configuration of dynamically created crypto maps.
• map-name—Name that identifies the map set.
• seq-num—Sequence number assigned to the crypto map entry.
• ipsec-isakmp—(Optional) Indicates that IKE will be used to establish the IPSec SAs for
protecting the traffic specified by this crypto map entry.
• dynamic dynamic-map-name—(Optional) Specifies the name of the dynamic crypto map set that
should be used as the policy template.
• discover—(Optional) Enables peer discovery. By default, peer discovery is not enabled.
• profile profile-name—(Optional) Name of the crypto profile being created.
Step 2
Command: Router(config-crypto-map)# set peer {host-name [dynamic] [default] | ip-address [default]}
Purpose: Specifies an IPSec peer in a crypto map entry. Ensures that the first peer specified is
defined as the default peer.
• host-name—Specifies the IPSec peer by its host name. This is the peer’s host name concatenated
with its domain name (for example, myhost.example.com).
• dynamic—(Optional) The host name of the IPSec peer will be resolved via a domain name server
(DNS) lookup right before the router establishes the IPSec tunnel.
• default—(Optional) If there are multiple IPSec peers, designates that the first peer is the
default peer.
• ip-address—Specifies the IPSec peer by its IP address.
Step 3
Command: Router(config-crypto-map)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.
Configuring the IPSec Idle Timer with a Default Peer
To configure the IPSec idle timer with a default peer, perform this task beginning in global configuration
mode:
Step 1
Command: Router(config)# crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name]
[discover] [profile profile-name]
Purpose: Enters crypto map configuration mode and creates a crypto profile that provides a
template for configuration of dynamically created crypto maps.
• map-name—Name that identifies the map set.
• seq-num—Sequence number assigned to the crypto map entry.
• ipsec-isakmp—(Optional) Indicates that IKE will be used to establish the IPSec SAs for
protecting the traffic specified by this crypto map entry.
• dynamic dynamic-map-name—(Optional) Specifies the name of the dynamic crypto map set that
should be used as the policy template.
• discover—(Optional) Enables peer discovery. By default, peer discovery is not enabled.
• profile profile-name—(Optional) Name of the crypto profile being created.
Step 2
Command: Router(config-crypto-map)# set security-association idle-time seconds [default]
Purpose: Specifies the maximum amount of time for which the current peer can be idle before the
default peer is used.
• seconds—Number of seconds for which the current peer can be idle before the default peer is
used. Valid values are 600 to 86400.
• default—(Optional) Specifies that the next connection is directed to the default peer.
Step 3
Command: Router(config-crypto-map)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.
For complete configuration information for IPSec preferred peer, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_ipspp.html
For IPSec preferred peer configuration examples, see the “IPSec Preferred Peer Configuration
Examples” section on page 29-38.
Configuring IPSec Security Association Idle Timers
When a router running Cisco IOS software creates an IPSec SA for a peer, resources must be allocated
to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these
resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from
creating new SAs with other peers. The IPSec security association idle timers feature introduces a
configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. The idle
timers can be configured either globally, on a per-crypto map basis, or through an ISAKMP profile. The
benefits of this feature include the following:
• Increased availability of resources
• Improved scalability of Cisco IOS IPSec deployments
IPSec Security Association Idle Timer Configuration Guidelines
When configuring idle timers on a per-crypto map basis, follow these guidelines:
• The IPSec VPN SPA rounds up the CLI-configured interval to the nearest 10-minute interval. For
example, if you configure 12 minutes for idle timeout, the IPSec VPN SPA uses a value of 20
minutes for idle timeout. If you configure 5 minutes, the IPSec VPN SPA uses a value of 10 minutes
for idle timeout.
• Because of the way the IPSec VPN SPA does idle timeout detection, it can take anywhere between
one to three (ten-minute) intervals for idle timeout detection. For example, if you configured 12
minutes for idle timeout, idle timeout could happen anywhere between 20 to 60 minutes.
• When the idle timer is configured globally, the idle timer configuration will be applied to all SAs.
• When the idle timer is configured for a crypto map, the idle timer configuration will be applied to
all SAs under the specified crypto map.
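The default-peer rules, the idle-timer ranges and rounding, and the replay disable commands described in this chapter can be checked together against a saved configuration. The script below is an added example, not Cisco code: the sample configuration is constructed, the function names are assumptions, and spa_idle_window generalizes the guide's 12-minute example (20 to 60 minutes) to other values.

```python
import re

# Constructed sample configuration (addresses are documentation ranges).
SAMPLE_CONFIG = """\
crypto ipsec security-association idle-time 720
crypto ipsec security-association replay disable
!
crypto map BRANCH 10 ipsec-isakmp
 set peer 192.0.2.1
 set peer 192.0.2.2 default
 set security-association idle-time 720 default
!
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.1 default
 set peer 198.51.100.2
 set security-association idle-time 300 default
 set security-association replay disable
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+)")
PEER_RE = re.compile(r"^set peer (\S+)(?: dynamic)?( default)?$")
IDLE_RE = re.compile(r"^(?:crypto ipsec|set) security-association idle-time (\d+)( default)?$")


def spa_idle_window(seconds):
    """(earliest, latest) idle time in seconds before the IPSec VPN SPA deletes the
    SA: the value is rounded up to a 10-minute interval, then takes 1x to 3x that."""
    rounded = -(-seconds // 600) * 600
    return rounded, 3 * rounded


def parse(config):
    """Split a configuration into global commands and per-crypto-map sub-commands."""
    global_cmds, maps, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            maps[current].append(line)
            continue
        m = MAP_RE.match(line)
        current = f"{m.group(1)} {m.group(2)}" if m else None
        if m:
            maps.setdefault(current, [])
        else:
            global_cmds.append(line)
    return global_cmds, maps


def audit(config):
    """Return findings, each tied to a guideline stated in this chapter."""
    global_cmds, maps = parse(config)
    findings, global_idle = [], None
    for cmd in global_cmds:
        if cmd == "crypto ipsec security-association replay disable":
            findings.append("global: anti-replay checking is disabled")
        m = IDLE_RE.match(cmd)
        if m:
            global_idle = int(m.group(1))
    for tag, cmds in maps.items():
        peers = [(m.group(1), bool(m.group(2))) for m in map(PEER_RE.match, cmds) if m]
        defaults = [i for i, (_, is_default) in enumerate(peers) if is_default]
        if len(defaults) > 1:
            findings.append(f"{tag}: more than one default peer")
        elif defaults and defaults[0] != 0:
            findings.append(f"{tag}: default peer {peers[defaults[0]][0]} is not first in the peer list")
        for cmd in cmds:
            if cmd == "set security-association replay disable":
                findings.append(f"{tag}: anti-replay checking is disabled")
            m = IDLE_RE.match(cmd)
            if not m:
                continue
            seconds, with_default = int(m.group(1)), bool(m.group(2))
            low = 600 if with_default else 60
            if not low <= seconds <= 86400:
                findings.append(f"{tag}: idle-time {seconds} outside {low}-86400")
            if with_default and seconds == global_idle:
                findings.append(f"{tag}: idle-time equals the global value, so it is not added to the map")
            if with_default and not defaults:
                findings.append(f"{tag}: idle-time default is set but no default peer is configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("720 s configured ->", spa_idle_window(720), "seconds before the SA is deleted")
```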
Configuring the IPSec SA Idle Timer Globally
To configure the IPSec SA idle timer globally, enter the crypto ipsec security-association idle-time
command in global configuration mode as follows:
Command: Router(config)# crypto ipsec security-association idle-time seconds
Purpose: Specifies the time, in seconds, that the idle timer will allow an inactive peer to
maintain an SA. The range is from 60 to 86400 seconds.
Configuring the IPSec SA Idle Timer per Crypto Map
To configure the IPSec SA idle timer for a specified crypto map, use the set security-association
idle-time command within a crypto map configuration:
Step 1
Command: Router(config)# crypto map map-name seq-number ipsec-isakmp
Purpose: Creates or modifies a crypto map entry and enters crypto map configuration mode.
• map-name—Name that identifies the crypto map set.
• seq-number—Sequence number you assign to the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.
Step 2
Command: Router(config-crypto-map)# set security-association idle-time seconds
Purpose: Specifies the time, in seconds, that the idle timer will allow an inactive peer to
maintain an SA. The range is from 60 to 86400 seconds.
For detailed information on configuring IPSec SA idle timers, refer to the following Cisco IOS
documentation:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html
For IPSec SA idle timer configuration examples, see the “IPSec Security Association Idle Timer
Configuration Examples” section on page 29-38.
Configuring Distinguished Name-Based Crypto Maps
The distinguished name-based crypto maps feature allows you to configure the router to restrict access
to selected encrypted interfaces for those peers with specific certificates, especially certificates with
particular distinguished names (DNs).
Previously, if the router accepted a certificate or a shared secret from the encrypting peer, Cisco IOS did
not have a method of preventing the peer from communicating with any encrypted interface other than
the restrictions on the IP address of the encrypting peer. This feature allows you to configure which
crypto maps are usable to a peer based on the DN that a peer used to authenticate itself, which enables
you to control which encrypted interfaces a peer with a specified DN can access. You can configure a
DN-based crypto map that can be used only by peers that have been authenticated by a DN or one that
can be used only by peers that have been authenticated by a hostname.
Distinguished Name-Based Crypto Map Configuration Guidelines and Restrictions
When configuring a distinguished name-based crypto map, follow these guidelines and restrictions:
• If you restrict access to a large number of DNs, we recommend that you specify a small number of
crypto maps referring to large identity sections instead of specifying a large number of crypto maps
referring to small identity sections.
To configure a DN-based crypto map that can be used only by peers that have been authenticated by a
DN, or one that can be used only by peers that have been authenticated by a hostname, perform this task
beginning in global configuration mode:
Step 1
Command:
Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Purpose: Defines an ISAKMP policy and enters ISAKMP policy configuration mode.
• priority—Identifies the IKE policy and assigns a priority to the policy. Use an integer from 1
to 10000, with 1 being the highest priority and 10000 the lowest.
Creates an ISAKMP policy at each peer.
For details on configuring an ISAKMP policy, see the Cisco IOS Security Configuration Guide.
Step 2
Command: Router(config)# crypto map map-name seq-number ipsec-isakmp
Purpose: Creates or modifies a crypto map entry and enters the crypto map configuration mode.
• map-name—Name that identifies the crypto map set.
• seq-number—Sequence number you assign to the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used to establish the IPSec security associations.
Step 3
Command:
Router(config-crypto-map)# set identity name
...
Router(config-crypto-map)# exit
Purpose: Applies the identity to the crypto map.
• name—Identity of the router, which is associated with the given list of DNs.
When this command is applied, only the hosts that match a configuration listed within the identity
name can use the specified crypto map.
Note If the set identity command does not appear within the crypto map, the encrypted connection
does not have any restrictions other than the IP address of the encrypting peer.
Specify any other policy values appropriate to your configuration.
For details on configuring a crypto map, see the Cisco IOS Security Configuration Guide.
Step 4
Command: Router(config)# crypto identity name
Purpose: Configures the identity of a router with the given list of DNs in the certificate of the
router and enters crypto identity configuration mode.
• name—The name value specified in Step 3.
Step 5
Command: Router(crypto-identity)# dn name=string [,name=string] | fqdn name
Purpose: Associates the identity of the router with either a DN or hostname (FQDN) to restrict
access to peers with specific certificates.
• name=string—The DN in the certificate of the router. Optionally, you can associate more than
one DN.
• fqdn name—The hostname that the peer used to authenticate itself (FQDN) or the DN in the
certificate of the router.
The identity of the peer must match the identity in the exchanged certificate.
For complete configuration information for Distinguished Name-Based Crypto Maps, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftdnacl.html
For a distinguished name based crypto map configuration example, see the “Distinguished Name-Based
Crypto Maps Configuration Example” section on page 29-39.
Configuring QoS on the SPA-IPSEC-2G IPSEC VPN SPA
The IPSec VPN SPA uses the Quality of Service (QoS) capabilities of the Cisco 7600 series router
software to implement a two-level, strict-priority QoS. Before configuring QoS for the IPSec VPN SPA,
refer to this URL:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008014a29f.shtml
The IPSec VPN SPA implements a two-level, strict-priority QoS. The Cisco 7600 SSC-400 and the
IPSec VPN SPA together implement two queues for each direction, inbound and outbound. Packets are
dequeued in a two-to-one ratio, meaning that two packets are dequeued from the high-priority
low-latency queue (LLQ) before one packet is dequeued from the low-priority queue. Packets are
enqueued based on your priority-queue configuration settings. To take advantage of the IPSec VPN
SPA’s QoS capability, you must use standard QoS commands to ensure that the class of service (CoS)
of packets is marked on ingress. You must configure the CoS map for the inside and outside ports and
you must also enable QoS globally for the IPSec VPN SPA to acknowledge the CoS mapping.
QoS Configuration Guidelines and Restrictions
When configuring QoS settings for an IPSec VPN SPA, follow these guidelines and note these
restrictions:
• In VRF mode, service policies should not be applied on GRE and VTI tunnel interfaces. In
crypto-connect mode, service policies should not be applied on GRE tunnel interfaces if the tunnel
will be taken over by the IPSec VPN SPA.
• Packets are enqueued based on the mls qos command and the priority-queue configuration settings
as follows:
– When the mls qos command is not configured, all data packets are enqueued into the
high-priority queue.
– When the mls qos command is configured and no explicit priority-queue configuration is
present on the IPSec VPN SPA Ethernet interfaces, only packets with a CoS value of 5 are
enqueued into the high-priority queue; all other packets are enqueued into the low-priority
queue.
– When the mls qos command is configured and priority-queue configuration is present on the
IPSec VPN SPA Ethernet interfaces, traffic is enqueued based on the priority-queue
configuration.
• A maximum of three CoS map values can be sent to the high-priority queue. Because the CoS value
of 5 is preconfigured as high-priority, you can choose only two other values for high-priority
queueing.
Note Do not configure more than three CoS map values, because any additional values will overwrite
previously configured values. If you overwrite the CoS value of 5, the system will restore it,
overwriting one of your other configured values. To restore an overwritten CoS map value, you
must first delete the new value and then reconfigure the earlier value.
• When the mls qos command is configured, you must also configure the mls qos trust command on
the IPSec VPN SPA Ethernet interfaces, as in the following example:
!
Interface GigabitEthernet4/0/1
 mls qos trust cos
 priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
 mls qos trust cos
 priority-queue cos-map 1 0 1 5
!
In this example, the CoS values of 0, 1, and 5 are sent to the high-priority queue.
• In a blade failover group, both IPSec VPN SPAs must have matching platform QoS configurations.
• If the mls qos trust command is not configured, the QoS fields in all traffic will be cleared to the
default level. If the mls qos trust command is configured, the QoS fields will be preserved.
For a QoS configuration example, see the “QoS Configuration Example” section on page 29-40.
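The enqueue rules and the two-to-one dequeue ratio listed above can be modelled to see which queue a given CoS value lands in and in what order queued packets leave. This is an added example, not Cisco code: the sample interface data is constructed, the function names are assumptions, and the scheduler assumes all packets are already queued and that an empty queue simply yields its turn.

```python
from collections import deque

# Constructed sample: interface name -> sub-commands, modelled on the stanza above.
SAMPLE_INTERFACES = {
    "GigabitEthernet4/0/1": ["mls qos trust cos", "priority-queue cos-map 1 0 1 5"],
    "GigabitEthernet4/0/2": ["priority-queue cos-map 1 2 3 4 5"],
}


def high_priority_cos(mls_qos, cmds):
    """CoS values sent to the high-priority queue, following the three rules."""
    if not mls_qos:
        return set(range(8))              # mls qos absent: every data packet is high priority
    for cmd in cmds:
        if cmd.startswith("priority-queue cos-map 1 "):
            return {int(value) for value in cmd.split()[3:]}
    return {5}                            # mls qos present, no explicit cos-map


def review(mls_qos, interfaces):
    """Per interface: (sorted high-priority CoS values as configured, guideline notes)."""
    report = {}
    for name, cmds in interfaces.items():
        high = high_priority_cos(mls_qos, cmds)
        notes = []
        if mls_qos and not any(c.startswith("mls qos trust") for c in cmds):
            notes.append("mls qos trust missing: QoS fields are cleared to the default level")
        if mls_qos and len(high) > 3:
            # The configured list is reported as written; on the SPA the extra
            # values overwrite earlier ones, so the effective map differs.
            notes.append("more than three CoS values: additional values overwrite earlier ones")
        report[name] = (sorted(high), notes)
    return report


def dequeue_order(packets, high):
    """Order in which queued (name, cos) packets leave: two from the high-priority
    queue, then one from the low-priority queue, repeated until both are empty."""
    hi = deque(p for p in packets if p[1] in high)
    lo = deque(p for p in packets if p[1] not in high)
    out = []
    while hi or lo:
        for _ in range(2):
            if hi:
                out.append(hi.popleft())
        if lo:
            out.append(lo.popleft())
    return out


if __name__ == "__main__":
    for name, (high, notes) in review(True, SAMPLE_INTERFACES).items():
        print(name, "high-priority CoS:", high, notes)
    queued = [("a", 0), ("b", 5), ("c", 3), ("d", 5), ("e", 5), ("f", 2)]
    print([name for name, _ in dequeue_order(queued, {5})])
```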
Configuring QoS on the WS-IPSEC-3 IPSEC VSPA
Typical applications of quality of service (QoS) for VPN are the use of traffic policing to prevent a hub
from overwhelming a lower-capacity spoke, and the prioritization over VPN of delay-sensitive traffic
such as voice over IP (VoIP). In a system including the WS-IPSEC-3 IPSEC VSPA, QoS features for
VPN traffic are provided by the WS-IPSEC-3 IPSEC VSPA module and its carrier card (SSC-600).
• Module QoS—The WS-IPSEC-3 IPSEC VSPA provides traffic shaping, queuing, and bandwidth
reservation services before encryption. Policies are attached to a crypto engine within the interface
configuration.
• Carrier QoS—For each crypto engine, the SSC-600 provides a dual-priority queue for module
traffic. Policies are attached to a crypto engine.
To activate the QoS capabilities of the module and carrier, you must enable QoS globally by entering the
mls qos command.
When QoS is disabled globally, the system behavior is as follows:
• All QoS fields are left intact in packets.
• Packets flow through only one queue in the carrier card.
When QoS is enabled globally, the default system behavior is as follows:
• The default state of all ports and VLANs is the untrusted state, causing ports to clear the QoS fields
in all traffic to zero unless a QoS policy is configured on the port.
• Packets flow through two queues in the carrier card. Packets with a CoS value of 5 will use the higher
priority queue, while all other packets will use the lower priority queue.
Before configuring QoS for VPN, see the additional information provided in the following URLs:
Configuring QoS on the Cisco 7600 series router:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/qos.html
Configuring QoS Features on a SIP:
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/76cfgsip.html#wp1162382
Configuring QoS on the FlexWAN Modules:
http://www.cisco.com/en/US/docs/routers/7600/install_config/flexwan_config/flexqos.html
QoS Policing on the Cisco 7600 series router:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c8c4b.shtml
QoS Output Scheduling on the Cisco 7600 series router:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bf98.shtml
QoS Troubleshooting:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008074d6b1.shtml
Using the Module QoS Features of the WS-IPSEC-3 IPSEC VSPA
In VRF mode configurations using Virtual Tunnel Interface (VTI) or GRE with tunnel protection (TP),
the WS-IPSEC-3 IPSEC VSPA can provide traffic shaping, queuing, and bandwidth reservation of
outbound traffic before encryption, allowing you to prioritize traffic on a per-tunnel basis as well as to
configure a shape rate for each tunnel. This section contains the following topics:
• Classifying, Marking, and Policing Traffic
• Setting Priority
• Shaping Traffic
• Reserving Bandwidth
• Setting the Queue Limit
• Failover
• Configuring Module QoS
Classifying, Marking, and Policing Traffic
To apply the WS-IPSEC-3 IPSEC VSPA’s QoS features, you must first ensure that the class of service
(CoS) of packets is marked on ingress and that any necessary policing is performed before the packets
are passed to the WS-IPSEC-3 IPSEC VSPA.
The Cisco 7600 series router performs classification, marking, and policing of traffic to the
WS-IPSEC-3 IPSEC VSPA. These functions are configured using the following commands:
• Use the class-map command to classify types of traffic.
• Use the set command to mark the CoS or DSCP bits for a traffic class.
• Use the police command to limit the rate of a traffic class.
Setting Priority
For each tunnel, the WS-IPSEC-3 IPSEC VSPA provides one high-priority low-latency queue (LLQ) for
latency-sensitive outbound traffic, such as VoIP. The high priority queue is served ahead of other queues
in that tunnel. The priority policy-map class configuration command gives priority to a class of traffic
belonging to a policy map, causing that traffic to be diverted to the high-priority queue. Only one priority
level per tunnel is supported. When the priority command is used in a class map, no form of the
bandwidth command is allowed in the same class map.
Shaping Traffic
The shape average policy-map class configuration command specifies a maximum data rate for a class
of outbound traffic. While policing enforces a maximum rate by dropping or marking down excess
packets, shaping queues the excess packets for sending at a later time. Packets exceeding the maximum
rate will be delayed but will not be dropped unless excess traffic is sustained at rates higher than the
configured shape rate for long periods of time, causing shape buffers to overflow.
When shaping is applied to a tunnel, all traffic in the tunnel must be included in the default class. Any
additional classes must be defined in a child policy.
To configure traffic shaping in the WS-IPSEC-3 IPSEC VSPA, use the shape average rate bc be
command, where the rate argument specifies the maximum average bit rate and the optional be argument
is the allowed excess burst level. The optional bc argument (the committed burst size) is ignored, but if
be is specified, then bc must be configured to a value of at least the number of bits transferred during 4
milliseconds of traffic at the shape rate. The shape average command can be configured only for the
tunnel top-level policy. It cannot be used in a child policy.
Reserving Bandwidth
The bandwidth policy-map class configuration command reserves a minimum bandwidth for a class of
traffic. You can configure the bandwidth command in a child policy to reserve either an absolute rate
or a percentage of the tunnel shape rate. If the priority command is configured on another class map
within the same policy map, only the bandwidth remaining form of the bandwidth command (which
is bandwidth remaining percent) can be used, since the higher priority traffic overrules any bandwidth
guarantees.
When you configure bandwidth reservation for a class, your settings are checked for capacity and
oversubscription relative to the maximum shape rate. If a tunnel aggregate shaper is not configured, any
configuration of bandwidth reservation will be rejected.
Setting the Queue Limit
The queue-limit policy-map class configuration command specifies the maximum number of packets
the queue can hold for a class policy configured in a policy map. The WS-IPSEC-3 IPSEC VSPA
supports only packet-based queue limiting, and supports queue-limit configuration only on a class map.
Failover
If you deploy two WS-IPSEC-3 IPSEC VSPAs for intrachassis stateful failover using a blade failure
group (BFG), the QoS configuration on the active WS-IPSEC-3 IPSEC VSPA is automatically reflected
on the standby module. During a failover, packets in the queue are lost. The standby WS-IPSEC-3 IPSEC
VSPA takes over, scheduling newly-received packets according to the QoS configuration. Interchassis
failover is not supported.
Configuring Module QoS
Module QoS configuration in the WS-IPSEC-3 IPSEC VSPA uses the Cisco Modular QoS CLI (MQC)
framework. You can define traffic classes, associate policies and actions to each traffic class, and attach
these policies to interfaces by following these steps:
Step 1 Define traffic classes using match statements with the class-map command.
Step 2 Configure policies using the defined traffic classes with the policy-map command.
Step 3 Within the interface configuration, attach policies to a crypto engine with the service-policy command.
For the module QoS, attach the service policy to the tunnel interface in the config-crypto-engine
configuration mode after entering the crypto-engine interface level command.
The WS-IPSEC-3 IPSEC VSPA supports a hierarchical policy using two service policy levels:
• A parent policy, supporting only a single default class, to apply a QoS mechanism to a traffic
aggregate.
• A child policy to apply a QoS mechanism to a flow or subset of the aggregate.
Logical interfaces, such as subinterfaces and tunnel interfaces, require a hierarchical policy with the
traffic-shaping feature at the parent level and queuing at lower levels. While the traffic-shaping feature
regulates the output rate, queuing may introduce additional latency or cause packet drops when the
ingress traffic rate surpasses the configured queuing capacity.
For each tunnel, the WS-IPSEC-3 IPSEC VSPA supports a child policy with up to 8 classes, including
the default-class. Only one of the 8 traffic classes can be configured as a priority class on a tunnel
interface. You can configure bandwidth reservation on any class that is not configured as the priority
class. You cannot configure shaping on a traffic class (a child shaper); a single aggregate shaper can be
configured in the parent policy.
Module QoS Configuration Guidelines and Restrictions
When configuring QoS settings for the WS-IPSEC-3 IPSEC VSPA, follow these guidelines and note
these restrictions:
• To use the QoS features of the WS-IPSEC-3 IPSEC VSPA, you must enable QoS globally by
entering the mls qos command.
• Because the WS-IPSEC-3 IPSEC VSPA performs QoS functions only on tunnel interfaces
associated with the WS-IPSEC-3 IPSEC VSPA, configuring module QoS on a tunnel interface will
always result in the tunnel being taken over.
• When module QoS is configured on a GRE/TP tunnel, the GRE processing is taken over by the
WS-IPSEC-3 IPSEC VSPA.
• The WS-IPSEC-3 IPSEC VSPA performs QoS functions only on VTI or GRE/TP interfaces in VRF
mode. The QoS functions are not supported with crypto connect mode or DMVPN.
• The QoS functions operate only on IPv4 traffic.
• QoS is supported for up to 2000 VTI tunnels or 1000 GRE/TP tunnels.
• The WS-IPSEC-3 IPSEC VSPA supports a maximum of 8 traffic classes per tunnel, including the
default class.
– We recommend that you configure one class as class-default.
– One traffic class can be configured as priority, to be processed ahead of all other classes. This
class is typically used for voice or other latency-sensitive traffic.
– Each class can be configured separately for bandwidth reservation and a queue limit.
– You cannot configure priority setting and bandwidth reservation within the same class map.
• When configuring bandwidth reservation, note the following guidelines:
– Bandwidth reservation means a minimum bandwidth guarantee when 100 percent of the
configured shape rate is utilized. If less than 100 percent is used, any class may use the available
bandwidth above its configured reservation.
– If no bandwidth is reserved for the default class, then 1 percent of the shape rate will be
automatically reserved for the default class.
• The WS-IPSEC-3 IPSEC VSPA supports one aggregate shaper per tunnel, to be defined at the tunnel
(parent) level. All traffic within the tunnel must be included in the shaper. If a shaper is defined, only
the class-default class should be defined at the tunnel level, with the shaper applied to it. All other
traffic classes must be defined in child policies.
• Any tunnel that uses module QoS functions must have a shaping policy.
• Because the WS-IPSEC-3 IPSEC VSPA relies on the ToS/CoS bits to classify and queue the packets
properly, you should ensure that packets arriving at the WS-IPSEC-3 IPSEC VSPA have already
been properly classified and marked.
• The dropping policy is Random Early Detection (RED), and the RED parameters are not
configurable. You cannot configure fair queueing.
• Bandwidth is reserved per class for each tunnel independently. The minimum bandwidth guarantee
on a class level will not propagate to the tunnel level. There is no bandwidth guarantee on a tunnel.
You cannot configure an explicit minimum rate at the tunnel level.
• You should avoid any policy that causes the reordering or dropping of post-encrypted packets.
• The configuration of priority applies only within the tunnel in which it is configured, and does not
affect other tunnels.
• Increasing the queue limit increases latency.
Configuring a Child and Parent Policy
To configure a child and parent policy, perform these steps:
Step 1
  Command: Router(config)# policy-map child_policy_name
  Purpose: Enters the policy map configuration for the specified child policy map.
Step 2
  Command: Router(config-pmap)# class [child_policy_name | class-default]
  Purpose: Enters the policy map class configuration for the default class map.
Step 3
  Command: Router(config-pmap-c)# priority
  Purpose: (Optional) Enables strict-priority (low latency queuing) on the class.
Step 4
  Command: Router(config-pmap-c)# bandwidth {kbps | bandwidth percent percentage | bandwidth remaining percent percentage}
  Purpose: (Optional) Enables minimum bandwidth reservation on a traffic class.
  • bandwidth kbps — Specifies the reserved bandwidth as an absolute value in kbps that
    cannot exceed the configured tunnel shape rate.
  • bandwidth percent percentage — Specifies the reserved bandwidth as a percentage of the
    configured tunnel shape rate.
  • bandwidth remaining percent percentage — Specifies the reserved bandwidth as a
    percentage of the remaining tunnel bandwidth up to the configured tunnel shape rate after all
    LLQ packets have been served.
Step 5
  Command: Router(config-pmap-c)# queue-limit number_of_packets
  Purpose: (Optional) Sets the maximum size (in packets) of the traffic queue for the class.
Step 6
  Command: Router(config-pmap-c)# exit
  Purpose: Exits the policy map class configuration.
Step 7
  Command: Router(config-pmap)# exit
  Purpose: Exits the policy map configuration.
Step 8
  Command: Router(config)# policy-map parent_policy_name
  Purpose: Enters the policy map configuration for the specified parent policy map.
Step 9
  Command: Router(config-pmap)# class class-default
  Purpose: Enters the policy map class configuration for the default class map.
Step 10
  Command: Router(config-pmap-c)# shape average rate [bc be]
  Purpose: Enables average rate traffic shaping.
  • rate—Specifies the committed information rate (CIR), in bits per second (bps).
  • bc—(Optional) Specifies the committed burst size, in bits. This field will be ignored, but must
    be set to a legal value if be is specified.
  • be—(Optional) Specifies the excess burst size, in bits.
Step 11
  Command: Router(config-pmap-c)# service-policy child_policy_name
  Purpose: (Optional) Attaches a child policy map with up to seven additional class maps. Including the
  class-default class map, there can be a total of up to eight class maps.
Step 12
  Command: Router(config-pmap-c)# exit
  Purpose: Exits the policy map class configuration.
Step 13
  Command: Router(config-pmap)# exit
  Purpose: Exits the policy map configuration.
• The bandwidth and bandwidth percent commands cannot be configured in conjunction with the
priority command. The bandwidth remaining percent command can be configured in conjunction
with the priority command.
• By default, the queue limit is 1000 for all non-LLQ traffic classes; for LLQ classes, the default is
the number of packets that can be transferred in 4 milliseconds at the configured shape rate.
• The shape rate can range from 128 Kbps to 1 Gbps. If a tunnel has a low shape rate, we recommend
that you also configure a small excess burst size (be).
• The default excess burst size (be) is the number of bits transferred during 4 milliseconds of traffic
at the shape rate. For example, for a 256000 bps shape rate, the default excess burst size will be 1024
bits.
• If you configure be, then you must configure bc (the committed burst size) to a value of at least the
number of bits transferred during 4 milliseconds of traffic at the shape rate.
Note: We recommend that you allow the system to determine settings for bc and be.
For QoS configuration examples, see the “QoS Configuration Examples” section on page 29-24.
Using the Carrier QoS Features of the SSC-600
The SSC-600 implements a two-level, strict-priority QoS with two queues for each direction, inbound
and outbound. Packets are dequeued in a two-to-one ratio, meaning that two packets are dequeued from
the high-priority low-latency queue (LLQ) before one packet is dequeued from the low-priority queue.
Packets are enqueued based on your priority-queue configuration settings. To take advantage of the
SSC-600’s QoS capability, you must use standard QoS commands to ensure that the class of service
(CoS) of packets is marked on ingress. You must configure the CoS map for the inside and outside ports
and you must also enable QoS globally for the SSC-600 to acknowledge the CoS mapping.
Carrier QoS Configuration Guidelines and Restrictions
When configuring QoS settings for an SSC-600, follow these guidelines and note these restrictions:
• Packets are enqueued based on the mls qos command and the priority-queue configuration settings
as follows:
– When the mls qos command is not configured, all data packets are enqueued into the
high-priority queue.
– When the mls qos command is configured and no explicit priority-queue configuration is
present on the WS-IPSEC-3 IPSEC VSPA ethernet interfaces, only packets with a CoS value of
5 are enqueued into the high-priority queue; all other packets are enqueued into the low-priority
queue.
– When the mls qos command is configured and priority-queue configuration is present on the
WS-IPSEC-3 IPSEC VSPA ethernet interfaces, traffic is enqueued based on the priority-queue
configuration.
• A maximum of three CoS map values can be sent to the high-priority queue. Because the CoS value
of 5 is preconfigured as high-priority, you can choose only two other values for high-priority
queueing.
Note: Do not configure more than three CoS map values because any additional values will overwrite
previously configured values. If you overwrite the CoS value of 5, the system will restore it,
overwriting one of your other configured values. To restore an overwritten CoS map value, you
must first delete the new value and then reconfigure the earlier value.
• When the mls qos command is configured, you must also configure the mls qos trust command on
the WS-IPSEC-3 IPSEC VSPA ethernet interfaces, as in the following example:
Interface GigabitEthernet4/0/1
mls qos trust cos
priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
mls qos trust cos
priority-queue cos-map 1 0 1 5
In this example, the CoS values of 0, 1, and 5 are sent to the high-priority queue.
• In a blade failover group, both WS-IPSEC-3 IPSEC VSPAs must have matching carrier QoS
configurations.
• If the mls qos trust command is not configured, the QoS fields in all traffic will be cleared to the
default level. If the mls qos trust command is configured, the QoS fields will be preserved.
For a configuration example of module QoS, see the “Module QoS Configuration Example” section on
page 29-24.
QoS Configuration Examples
This section provides examples of the following configurations:
• Carrier QoS Configuration Example
• Module QoS Configuration Example
Carrier QoS Configuration Example
The following example shows how to configure carrier QoS:
mls qos
!
Interface GigabitEthernet4/0/1
mls qos trust cos
priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
mls qos trust cos
priority-queue cos-map 1 0 1 5
Module QoS Configuration Example
The following example shows how to configure module QoS:
upgrade fpd auto
version
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service internal
service counters max age 10
!
hostname HUB2
!
boot-start-marker
boot system disk0:
boot-end-marker
!
logging buffered 1000000
!
no aaa new-model
clock timezone PST -8
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name cisco.com
!
vtp domain same_domain
vtp mode off
mls qos
mls netflow interface
no mls flow ip
no mls flow ipv6
mls ip slb purge global
no mls acl tcam share-global
mls cef error action reset
mls mpls tunnel-recir
call admission limit 90
!
crypto pki trustpoint MSCA
enrollment mode ra
enrollment url http://43.0.111.111:80/certsrv/mscep/mscep.dll
serial-number
ip-address none
subject-name cn=HUB2,ou=isbu,o=cisco
revocation-check none
!
!
crypto pki certificate chain MSCA
certificate 1C67C77C0000000004C4
certificate ca 7C0299B7C394F789436EBEFCCEAED66D
crypto engine mode vrf
crypto engine gre vpnblade
!
!
!
!
!
fabric timer 15
!
power redundancy-mode combined
diagnostic bootup level minimal
diagnostic monitor syslog
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 2-7
!
!
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
vlan internal allocation policy descending
vlan access-log ratelimit 2000
!
vlan 1
tb-vlan1 1002
tb-vlan2 1003
!
vlan 2-1001
!
vlan 1002
tb-vlan1 1
tb-vlan2 1003
!
vlan 1003
tb-vlan1 1
tb-vlan2 1002
parent 1005
backupcrf enable
!
vlan 1004
bridge 1
stp type ibm
!
vlan 1005
bridge 1
!
class-map match-any class7
match dscp cs7
class-map match-any class6
match dscp cs6
class-map match-any class5
match dscp cs5
class-map match-any class4
match dscp cs4
class-map match-any class3
match dscp cs3
class-map match-any class2
match dscp cs2
class-map match-any class1
match dscp cs1
class-map match-any class567
match dscp cs5 cs6 cs7
class-map match-any class34
match dscp cs3 cs4
class-map match-any class12
match dscp cs1 cs2
!
!
policy-map Tunnel0ChildPolicy
class class567
priority
queue-limit 100 packets
class class34
bandwidth remaining percent 40
class class12
bandwidth remaining percent 40
class class-default
bandwidth remaining percent 20
!
policy-map Tunnel0ParentPolicy
class class-default
shape average 1544000
service-policy Tunnel0ChildPolicy
!
policy-map Tunnel1ChildPolicy
class class7
bandwidth percent 20
queue-limit 100 packets
class class6
bandwidth percent 20
queue-limit 100 packets
class class5
bandwidth percent 10
queue-limit 100 packets
class class4
bandwidth percent 10
class class3
bandwidth percent 10
class class2
bandwidth percent 10
class class1
bandwidth percent 10
class class-default
bandwidth percent 10
!
policy-map Tunnel1ParentPolicy
class class-default
shape average 34000000 136000 0
service-policy Tunnel1ChildPolicy
!
policy-map Tunnel2ChildPolicy
class class7
bandwidth 20000
class class6
bandwidth 20000
class class5
bandwidth 10000
class class4
bandwidth 10000
class class3
bandwidth 10000
class class2
bandwidth 10000
class class1
bandwidth 10000
class class-default
bandwidth 10000
!
policy-map Tunnel2ParentPolicy
class class-default
shape average 100000000
service-policy Tunnel2ChildPolicy
!
policy-map Tunnel3ChildPolicy
class class567
bandwidth percent 30
class class34
bandwidth percent 30
class class12
bandwidth percent 20
class class-default
bandwidth percent 20
!
policy-map Tunnel3ParentPolicy
class class-default
shape average 1000000000
service-policy Tunnel3ChildPolicy
!
policy-map Tunnel4ChildPolicy
class class7
priority
class class6
bandwidth remaining percent 20
class class5
bandwidth remaining percent 20
class class4
bandwidth remaining percent 20
class class3
bandwidth remaining percent 10
class class2
bandwidth remaining percent 10
class class1
bandwidth remaining percent 10
class class-default
bandwidth remaining percent 10
!
policy-map Tunnel4ParentPolicy
class class-default
shape average 256000
service-policy Tunnel4ChildPolicy
!
policy-map Tunnel5ParentPolicy
class class-default
shape average 128000 512 0
!
!
!
!
crypto isakmp policy 10
encr aes
group 2
lifetime 7200
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set MyTranSet esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile MyIpsecProf
set transform-set MyTranSet
!
!
buffers small permanent 1024
buffers small max-free 1500
buffers small min-free 500
buffers middle permanent 512
buffers middle max-free 3000
buffers middle min-free 100
buffers big permanent 1000
buffers big max-free 1000
buffers big min-free 300
!
!
interface Tunnel0
bandwidth 10000000
ip address 3.0.0.1 255.255.255.0
ip hello-interval eigrp 10 60
ip hold-time eigrp 10 180
tunnel source Loopback0
tunnel destination 5.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyIpsecProf
crypto engine slot 4/0 inside
crypto-engine
service-policy output Tunnel0ParentPolicy
!
interface Tunnel1
bandwidth 10000000
ip address 3.0.1.1 255.255.255.0
ip hello-interval eigrp 10 60
ip hold-time eigrp 10 180
tunnel source Loopback1
tunnel destination 5.0.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyIpsecProf
crypto engine slot 4/0 inside
crypto-engine
service-policy output Tunnel1ParentPolicy
!
interface Tunnel2
bandwidth 10000000
ip address 3.0.2.1 255.255.255.0
ip hello-interval eigrp 10 60
ip hold-time eigrp 10 180
tunnel source Loopback2
tunnel destination 5.0.2.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyIpsecProf
crypto engine slot 4/0 inside
crypto-engine
service-policy output Tunnel2ParentPolicy
!
interface Tunnel3
bandwidth 10000000
ip address 3.0.3.1 255.255.255.0
ip hello-interval eigrp 10 60
ip hold-time eigrp 10 180
tunnel source Loopback3
tunnel destination 5.0.3.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyIpsecProf
crypto engine slot 4/0 inside
crypto-engine
service-policy output Tunnel3ParentPolicy
!
interface Tunnel4
bandwidth 10000000
ip address 3.0.4.1 255.255.255.0
ip hello-interval eigrp 10 60
ip hold-time eigrp 10 180
tunnel source Loopback4
tunnel destination 5.0.4.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyIpsecProf
crypto engine slot 4/0 inside
crypto-engine
service-policy output Tunnel4ParentPolicy
!
interface Tunnel5
bandwidth 10000000
ip address 3.0.5.1 255.255.255.0
ip hello-interval eigrp 10 60
ip hold-time eigrp 10 180
tunnel source Loopback5
tunnel destination 5.0.5.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyIpsecProf
crypto engine slot 4/0 inside
crypto-engine
service-policy output Tunnel5ParentPolicy
!
interface Loopback0
ip address 4.0.0.1 255.255.255.255
!
interface Loopback1
ip address 4.0.1.1 255.255.255.255
!
interface Loopback2
ip address 4.0.2.1 255.255.255.255
!
interface Loopback3
ip address 4.0.3.1 255.255.255.255
!
interface Loopback4
ip address 4.0.4.1 255.255.255.255
!
interface Loopback5
ip address 4.0.5.1 255.255.255.255
!
interface TenGigabitEthernet2/1
description EGRESS INTERFACE
mtu 9216
ip address 6.0.0.1 255.255.255.0
load-interval 30
shutdown
mls qos trust dscp
crypto engine slot 4/0 outside
hold-queue 4096 in
!
interface TenGigabitEthernet2/2
no ip address
shutdown
!
interface TenGigabitEthernet2/3
description INGRESS INTERFACE
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-7
switchport mode trunk
mtu 9216
load-interval 30
mls qos trust dscp
hold-queue 4096 in
!
interface TenGigabitEthernet2/4
description TO TESTCENTER PORT 2/2 (NOT IN USE)
mtu 9216
no ip address
load-interval 30
shutdown
!
interface TenGigabitEthernet2/5
no ip address
shutdown
!
interface TenGigabitEthernet2/6
no ip address
shutdown
!
interface TenGigabitEthernet2/7
no ip address
shutdown
!
interface TenGigabitEthernet2/8
no ip address
shutdown
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
wrr-queue cos-map 2 1 4
priority-queue cos-map 1 5 6 7
rcv-queue cos-map 1 3 4
mls qos trust dscp
flowcontrol receive on
flowcontrol send off
spanning-tree portfast edge trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan none
switchport mode trunk
mtu 9216
wrr-queue cos-map 2 1 4
priority-queue cos-map 1 5 6 7
rcv-queue cos-map 1 3 4
mls qos trust dscp
flowcontrol receive on
flowcontrol send off
spanning-tree portfast edge trunk
!
interface GigabitEthernet5/1
no ip address
shutdown
!
interface GigabitEthernet5/2
description LABNET
ip address 44.0.111.118 255.0.0.0
media-type rj45
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
mtu 9216
ip address 1.0.0.1 255.255.255.0
!
interface Vlan3
mtu 9216
ip address 1.0.1.1 255.255.255.0
!
interface Vlan4
mtu 9216
ip address 1.0.2.1 255.255.255.0
!
interface Vlan5
mtu 9216
ip address 1.0.3.1 255.255.255.0
!
interface Vlan6
mtu 9216
ip address 1.0.4.1 255.255.255.0
!
interface Vlan7
mtu 9216
ip address 1.0.5.1 255.255.255.0
!
router eigrp 10
network 3.0.0.0
no auto-summary
distribute-list T0000 out Tunnel0
distribute-list T0001 out Tunnel1
distribute-list T0002 out Tunnel2
distribute-list T0003 out Tunnel3
distribute-list T0004 out Tunnel4
distribute-list T0005 out Tunnel5
timers active-time 10
redistribute connected metric 900 100 255 1 1400
!
router ospf 10
log-adjacency-changes
summary-address 4.0.0.0 255.0.0.0
redistribute connected metric 10 subnets
network 6.0.0.0 0.0.0.255 area 0
distribute-list 10 out
!
ip default-gateway 44.0.100.1
ip classless
ip route 43.0.0.0 255.0.0.0 44.0.100.1
ip route 223.255.254.53 255.255.255.255 44.0.100.1
!
!
no ip http server
no ip http secure-server
!
!
ip access-list standard T0000
permit 1.0.0.0 0.0.0.255
ip access-list standard T0001
permit 1.0.1.0 0.0.0.255
ip access-list standard T0002
permit 1.0.2.0 0.0.0.255
ip access-list standard T0003
permit 1.0.3.0 0.0.0.255
ip access-list standard T0004
permit 1.0.4.0 0.0.0.255
ip access-list standard T0005
permit 1.0.5.0 0.0.0.255
logging alarm informational
logging 43.0.111.111
access-list 10 permit 4.0.0.0 0.255.255.255
!
!
!
!
no cdp run
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line vty 0 4
password cisco
login
line vty 5 15
login
!
exception core-file
mac-address-table aging-time 0
ntp clock-period 17219357
ntp update-calendar
ntp server 223.255.254.53
!
end
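The module QoS restrictions listed earlier in this section can be checked before a policy is attached to a tunnel. The following Python linter is an added example, not Cisco code: the function names and the BadChild/BadParent policies are constructed here, and summing the reservations for the oversubscription check is this example's interpretation of the guide's wording.

```python
# Limits taken from the guidelines in this section of the guide.
MAX_CLASSES = 8                                # per tunnel, including class-default
MIN_RATE, MAX_RATE = 128_000, 1_000_000_000    # shape rate range in bps
POLICY_CMDS = ("priority", "bandwidth", "queue-limit", "shape", "service-policy")
# Tunnel0 policies are copied from the example above; Bad* policies are constructed.
SAMPLE_CONFIG = """
policy-map Tunnel0ChildPolicy
 class class567
  priority
  queue-limit 100 packets
 class class34
  bandwidth remaining percent 40
 class class12
  bandwidth remaining percent 40
 class class-default
  bandwidth remaining percent 20
policy-map Tunnel0ParentPolicy
 class class-default
  shape average 1544000
  service-policy Tunnel0ChildPolicy
policy-map BadChild
 class voice
  priority
  bandwidth percent 30
 class video
  priority
 class bulk
  bandwidth percent 80
  shape average 64000
policy-map BadParent
 class class-default
  shape average 64000 128 0
  service-policy BadChild
"""


def parse_policy_maps(config):
    """Return {policy: {class: [commands]}} from IOS-style configuration text."""
    policies, pmap, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map "):
            pmap, cls = policies.setdefault(line.split()[1], {}), None
        elif pmap is not None and line.startswith("class "):
            cls = pmap.setdefault(line.split()[1], [])
        elif cls is not None and line.startswith(POLICY_CMDS):
            cls.append(line)
        else:                                  # any other command ends the policy-map
            pmap = cls = None
    return policies


def lint_tunnel(policies, parent_name):
    """Return the restriction violations for one parent policy and its child."""
    issues = []
    parent = policies.get(parent_name, {})
    if set(parent) != {"class-default"}:
        issues.append("parent: must define class-default and no other class")
    cmds = parent.get("class-default", [])
    shape = [c.split()[2:] for c in cmds if c.startswith("shape average ")]
    rate = int(shape[0][0]) if shape else None
    if not shape:
        issues.append("parent: no shape average; module QoS needs a tunnel shaper")
    elif not MIN_RATE <= rate <= MAX_RATE:
        issues.append(f"parent: shape rate {rate} bps outside 128 Kbps to 1 Gbps")
    burst = [int(v) for v in shape[0][1:]] if shape else []
    # With be given, bc must cover at least 4 ms at the shape rate (integer math).
    if len(burst) == 2 and burst[0] * 1000 < rate * 4:
        issues.append(f"parent: bc {burst[0]} below 4 ms of traffic ({rate * 4 // 1000} bits)")
    child_name = next((c.split()[1] for c in cmds if c.startswith("service-policy ")), None)
    child = policies.get(child_name, {})
    if len(set(child) | {"class-default"}) > MAX_CLASSES:
        issues.append(f"{child_name}: more than {MAX_CLASSES} classes including class-default")
    prio = [name for name, c in child.items() if "priority" in c]
    if len(prio) > 1:
        issues.append(f"{child_name}: {len(prio)} priority classes, only one is allowed")
    totals = {"remaining": 0, "percent": 0, "kbps": 0}
    for name, c in child.items():
        if any(x.startswith("shape ") for x in c):
            issues.append(f"{name}: shaping is not allowed on a child class")
        for bw in (x.split() for x in c if x.startswith("bandwidth ")):
            if name in prio:
                issues.append(f"{name}: priority and bandwidth in the same class")
            elif prio and bw[1] != "remaining":
                issues.append(f"{name}: only bandwidth remaining percent is valid with a priority class")
            kind = bw[1] if bw[1] in totals else "kbps"
            totals[kind] += int(bw[-1])        # the value is always the last token
    if max(totals["percent"], totals["remaining"]) > 100:
        issues.append(f"{child_name}: bandwidth percentages exceed 100")
    if rate is not None and totals["kbps"] * 1000 > rate:
        issues.append(f"{child_name}: {totals['kbps']} kbps reserved exceeds shape rate {rate} bps")
    return issues


if __name__ == "__main__":
    for name in ("Tunnel0ParentPolicy", "BadParent"):
        print(name, lint_tunnel(parse_policy_maps(SAMPLE_CONFIG), name) or "OK")
```

The parser ignores indentation and stops collecting at the first non-policy command, so a full running configuration can be passed in unchanged.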
Configuring Sequenced Crypto ACLs
Access control lists (ACLs) are made up of access control entries (ACEs). With sequenced ACLs, ACEs
can be entered with a sequence number in front of the ACE and the ACEs are then processed by sequence
number. Additionally, ACEs can be deleted one at a time by using the sequence number in the front of
the ACE that you want to delete. The sequence numbers do not appear in the configuration but they can
be displayed using the show access-list command.
Note: If an ACE is removed or modified, the ACL is reconfigured on the IPSec VPN SPA, which might result
in tearing down existing sessions.
Configuring Deny Policy Enhancements for Crypto ACLs
Specifying a deny address range in an ACL results in “jump” behavior. When a denied address range is
hit, it forces the search to “jump” to the beginning of the ACL associated with the next sequence in a
crypto map and continue the search. If you want to pass clear traffic on these addresses, you must insert
a deny address range for each sequence in a crypto map. In turn, each permit list of addresses inherits
all the deny address ranges specified in the ACL. A deny address range causes the software to do a
subtraction of the deny address range from a permit list, and creates multiple permit address ranges that
need to be programmed in hardware. This behavior can cause repeated address ranges to be programmed
in the hardware for a single deny address range, resulting in multiple permit address ranges in a single
ACL. To avoid this problem, use the crypto ipsec ipv4-deny {jump | clear | drop} command set as
follows:
• The jump keyword results in the standard “jump” behavior.
• The clear keyword allows a deny address range to be programmed in hardware. The deny addresses
are then filtered out for encryption and decryption. If the VPN mode is crypto-connect, when a deny
address is hit, the search is stopped and traffic is allowed to pass in the clear (unencrypted) state. If
the VPN mode is VRF, the deny address matching traffic is dropped.
• The drop keyword causes traffic to be dropped when a deny address is hit.
The clear and drop keywords can be used to prevent repeated address ranges from being programmed
in the hardware, resulting in more efficient TCAM space utilization.
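The subtraction described above can be made concrete by counting prefixes. This Python model is an added example, not Cisco code: the crypto map contents and function names are constructed, and it assumes one hardware entry per destination prefix, so the counts show the scaling rather than actual TCAM usage.

```python
import ipaddress

# Constructed crypto map: each sequence carries its permit prefixes plus the deny
# range that must be repeated in every sequence to keep that traffic unencrypted.
CRYPTO_MAP = {
    10: {"permit": ["10.10.0.0/16"], "deny": ["10.10.250.0/24"]},
    20: {"permit": ["10.0.0.0/8"], "deny": ["10.10.250.0/24"]},
}


def subtract(permit, denies):
    """Return the prefixes left after removing every deny range from permit."""
    remaining = [ipaddress.ip_network(permit)]
    for deny in map(ipaddress.ip_network, denies):
        kept = []
        for net in remaining:
            if deny.subnet_of(net):
                kept.extend(net.address_exclude(deny))   # split around the hole
            elif not net.subnet_of(deny):
                kept.append(net)                         # untouched by this deny
            # otherwise net lies wholly inside the deny range and disappears
        remaining = kept
    return sorted(remaining)


def entries_jump(crypto_map):
    """Entries when each permit has the deny ranges subtracted from it (jump)."""
    return sum(len(subtract(permit, seq["deny"]))
               for seq in crypto_map.values() for permit in seq["permit"])


def entries_clear_or_drop(crypto_map):
    """Entries when permit and deny ranges are programmed as written (clear, drop)."""
    return sum(len(seq["permit"]) + len(seq["deny"]) for seq in crypto_map.values())


if __name__ == "__main__":
    for prefix in subtract("10.10.0.0/16", ["10.10.250.0/24"]):
        print(prefix)
    print("jump:", entries_jump(CRYPTO_MAP))
    print("clear/drop:", entries_clear_or_drop(CRYPTO_MAP))
```

A single /24 deny inside a /16 permit leaves eight permit prefixes, and inside a /8 it leaves sixteen, which is why repeating the deny in every sequence multiplies the programmed ranges.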
Deny Policy Enhancements for Crypto ACLs Configuration Guidelines and
Restrictions
When configuring the deny policy enhancements, follow these guidelines and restrictions:
• The crypto ipsec ipv4-deny {jump | clear | drop} command is a global command that is applied
to a single IPSec VPN SPA. The specified keyword (jump, clear, or drop) is propagated to the ACE
software of the IPSec VPN SPA. The default behavior is jump.
• When the clear keyword is used with VRF mode, deny address traffic is dropped rather than passed
in the clear state. VRF mode does not pass traffic in the clear state.
• If you apply the specified keyword (jump, clear, or drop) when crypto maps are already configured
on the IPSec VPN SPA, all existing IPSec sessions are temporarily removed and restarted, which
impacts traffic on your network.
• The number of deny entries that can be specified in an ACL depends on the keyword specified:
– jump—Supports up to 8 deny entries in an ACL.
Note: The limit of 8 deny jump entries in an ACL should be considered a guideline rather than
a fixed limit. Depending on your configuration, the practical limit could be fewer than 8.
– clear—Supports up to 1000 deny entries in an ACL.
– drop—Supports up to 1000 deny entries in an ACL.
For a deny policy enhancements configuration example, see the “Deny Policy Enhancements for ACLs
Configuration Example” section on page 29-40.
Configuration Examples
This section provides examples of the following configurations:
• Advanced Encryption Standard Configuration Example
• Reverse Route Injection Configuration Examples
• IPSec Anti-Replay Window Size Configuration Examples
• IPSec Preferred Peer Configuration Examples
• IPSec Security Association Idle Timer Configuration Examples
• Distinguished Name-Based Crypto Maps Configuration Example
• QoS Configuration Example
• Deny Policy Enhancements for ACLs Configuration Example
Note: The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases
has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside |
outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that
this command has been modified in your start-up configuration to avoid extended maintenance time.
Advanced Encryption Standard Configuration Example
The following example configures the Advanced Encryption Standard (AES) 256-bit key:
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
mode transport
crypto map aesmap 10 ipsec-isakmp
set peer 10.0.110.1
set transform-set aesset
Reverse Route Injection Configuration Examples
The following examples show how to configure RRI:
• RRI Under a Static Crypto Map Configuration Example
• RRI Under a Dynamic Crypto Map Configuration Example
• RRI with Existing ACLs Configuration Example
• RRI for Two Routes Configuration Example
• RRI Through a User-Defined Hop Configuration Example
RRI Under a Static Crypto Map Configuration Example
The following example shows how to configure RRI under a static crypto map. In this example, the
RRI-created route has been tagged with a tag number. This tag number can then be used by a routing
process to redistribute the tagged route through a route map:
Router(config)# crypto map mymap 1 ipsec-isakmp
Router(config-crypto-map)# reverse-route tag 5
RRI Under a Dynamic Crypto Map Configuration Example
The following example shows how to configure RRI under a dynamic crypto map:
Router(config)# crypto dynamic-map mymap 1
Router(config-crypto-map)# reverse-route remote-peer 10.1.1.1
RRI with Existing ACLs Configuration Example
The following example shows how to configure RRI for a situation in which there are existing ACLs:
Router(config)# crypto map mymap 1 ipsec-isakmp
Router(config-crypto-map)# set peer 172.17.11.1
Router(config-crypto-map)# reverse-route static
Router(config-crypto-map)# set transform-set esp-3des-sha
Router(config-crypto-map)# match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255
RRI for Two Routes Configuration Example
The following example shows how to configure two routes, one for the remote endpoint and one for route
recursion to the remote endpoint via the interface on which the crypto map is configured:
Router(config-crypto-map)# reverse-route remote-peer
RRI Through a User-Defined Hop Configuration Example
The following example shows that one route has been created to the remote proxy through a user-defined
next hop. This next hop should not require a recursive route lookup unless it will recurse to a default
route.
Router(config-crypto-map)# reverse-route remote-peer 10.4.4.4
IPSec Anti-Replay Window Size Configuration Examples
The following examples show how to configure the IPSec anti-replay window size:
• IPSec Anti-Replay Window Global Configuration Example
• IPSec Anti-Replay Window per Crypto Map Configuration Example
IPSec Anti-Replay Window Global Configuration Example
The following example shows that the anti-replay window size has been set globally to 1024:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway1
!
boot-start-marker
boot-end-marker
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
!
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco123 address 192.165.201.2
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set basic esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 192.165.201.2
set transform-set basic
match address 101
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Serial1/0
ip address 192.165.200.2 255.255.255.252
serial restart-delay 0
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.165.200.1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!access-list 101 remark Crypto ACL
!
control-plane
!
line con 0
line aux 0
line vty 0 4
end
IPSec Anti-Replay Window per Crypto Map Configuration Example
The following example shows that anti-replay checking is disabled for IPSec connections to
172.150.150.2, but enabled (with the default window size of 64) for IPSec connections to
172.150.150.3 and 172.150.150.4:
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dr_whoovie
!
enable secret 5 $1$KxKv$cbqKsZtQTLJLGPN.tErFZ1
enable password ww
!
ip subnet-zero
cns event-service server
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco170 address 172.150.150.2
crypto isakmp key cisco180 address 172.150.150.3
crypto isakmp key cisco190 address 172.150.150.4
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
crypto ipsec transform-set 190cisco esp-des esp-md5-hmac
crypto map ETH0 17 ipsec-isakmp
set peer 172.150.150.2
set security-association replay disable
set transform-set 170cisco
match address 170
crypto map ETH0 18 ipsec-isakmp
set peer 172.150.150.3
set transform-set 180cisco
match address 180
crypto map ETH0 19 ipsec-isakmp
set peer 172.150.150.4
set transform-set 190cisco
match address 190
!
interface Ethernet0
ip address 172.150.150.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no mop enabled
crypto map ETH0
!
interface Serial0
ip address 172.160.160.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
ip classless
ip route 172.170.170.0 255.255.255.0 172.150.150.2
ip route 172.180.180.0 255.255.255.0 172.150.150.3
ip route 172.190.190.0 255.255.255.0 172.150.150.4
no ip http server
!
access-list 170 permit ip 172.160.160.0 0.0.0.255 172.170.170.0 0.0.0.255
access-list 180 permit ip 172.160.160.0 0.0.0.255 172.180.180.0 0.0.0.255
access-list 190 permit ip 172.160.160.0 0.0.0.255 172.190.190.0 0.0.0.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
login
end
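The two configurations above set anti-replay globally and per crypto map. The following Python code is an added example, not part of the Cisco guide: it reads a configuration and reports the effective anti-replay setting of each crypto map entry, so that entries with checking disabled stand out in a review. The sample text is constructed from the example above; the function names and the rule that a per-map setting overrides the global one are assumptions of this example.

```python
import re

# Constructed sample, modelled on the per-crypto-map example above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
crypto map ETH0 17 ipsec-isakmp
set peer 172.150.150.2
set security-association replay disable
set transform-set 170cisco
match address 170
crypto map ETH0 18 ipsec-isakmp
set peer 172.150.150.3
set transform-set 180cisco
match address 180
crypto map ETH0 19 ipsec-isakmp
set peer 172.150.150.4
set transform-set 190cisco
match address 190
!
interface Ethernet0
crypto map ETH0
"""

DEFAULT_WINDOW = 64  # default window size stated in the text above

# Sub-commands that keep the parser inside a crypto map entry. Extracted
# configurations often lose their indentation, so keywords are used instead.
MAP_SUBCOMMANDS = ("set ", "match ", "reverse-route", "identity ", "description ")

REPLAY = r"replay (disable|window-size(?: (\d+))?)$"
GLOBAL_RE = re.compile(r"crypto ipsec security-association " + REPLAY)
LOCAL_RE = re.compile(r"set security-association " + REPLAY)
MAP_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"set peer (\S+)")


def _setting(match):
    """Translate a regex match into 'disabled' or an integer window size."""
    if match.group(1) == "disable":
        return "disabled"
    return int(match.group(2)) if match.group(2) else DEFAULT_WINDOW


def effective_replay_policy(config_text):
    """Return {(map_name, seq): {'peers': [...], 'replay': 'disabled' | int}}."""
    global_setting = DEFAULT_WINDOW
    entries = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            global_setting, current = _setting(m), None
            continue
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = {"peers": [], "replay": None}
            continue
        if current is None:
            continue
        if not line.startswith(MAP_SUBCOMMANDS):
            current = None  # left the crypto map entry
            continue
        m = PEER_RE.match(line)
        if m:
            entries[current]["peers"].append(m.group(1))
            continue
        m = LOCAL_RE.match(line)
        if m:
            entries[current]["replay"] = _setting(m)
    # Assumption of this example: entries without their own setting
    # inherit the global one, wherever it appears in the file.
    for entry in entries.values():
        if entry["replay"] is None:
            entry["replay"] = global_setting
    return entries


def peers_without_replay(config_text):
    """List the peers whose crypto map entry has anti-replay disabled."""
    peers = []
    for entry in effective_replay_policy(config_text).values():
        if entry["replay"] == "disabled":
            peers.extend(entry["peers"])
    return sorted(peers)


if __name__ == "__main__":
    for (name, seq), entry in effective_replay_policy(SAMPLE_CONFIG).items():
        print(name, seq, entry["peers"], entry["replay"])
```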
IPSec Preferred Peer Configuration Examples
The following examples show how to configure an IPSec preferred peer:
• Default Peer Configuration Example
• IPSec Idle Timer with Default Peer Configuration Example
Default Peer Configuration Example
The following example shows how to configure a default peer. In this example, the first peer, at IP
address 1.1.1.1, is the default peer:
Router(config)# crypto map tohub 1 ipsec-isakmp
Router(config-crypto-map)# set peer 1.1.1.1 default
Router(config-crypto-map)# set peer 2.2.2.2
Router(config-crypto-map)# exit
IPSec Idle Timer with Default Peer Configuration Example
The following example shows how to configure an IPSec idle timer with a default peer. In the following
example, if the current peer is idle for 600 seconds, the default peer 1.1.1.1 (which was specified in the
set peer command) is used for the next attempted connection:
Router(config)# crypto map tohub 1 ipsec-isakmp
Router(config-crypto-map)# set peer 1.1.1.1 default
Router(config-crypto-map)# set peer 2.2.2.2
Router(config-crypto-map)# set security-association idle-time 600 default
Router(config-crypto-map)# exit
IPSec Security Association Idle Timer Configuration Examples
The following examples show how to configure the IPSec SA idle timer:
• IPSec SA Idle Timer Global Configuration Example
• IPSec SA Idle Timer per Crypto Map Configuration Example
IPSec SA Idle Timer Global Configuration Example
The following example globally configures the IPSec SA idle timer to drop SAs for inactive peers after
600 seconds:
Router(config)# crypto ipsec security-association idle-time 600
IPSec SA Idle Timer per Crypto Map Configuration Example
The following example configures the IPSec SA idle timer for the crypto map named test to drop SAs
for inactive peers after 600 seconds:
Router(config)# crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600
Distinguished Name-Based Crypto Maps Configuration Example
The following example shows how to configure distinguished name-based crypto maps that have been
authenticated by DN and hostname. Comments are included inline to explain various commands.
! DN based crypto maps require you to configure an IKE policy at each peer.
crypto isakmp policy 15
encryption 3des
hash md5
authentication rsa-sig
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
lifetime 10000
crypto isakmp key 1234567890 address 171.69.224.33
!
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
set peer 172.21.114.196
set transform-set my-transformset
match address 124
identity to-bigbiz
!
crypto identity to-bigbiz
dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
set peer 172.21.115.119
set transform-set my-transformset
match address 125
identity to-little-com
!
crypto identity to-little-com
fqdn little.com
!
QoS Configuration Example
The following example shows how to configure the dual-priority queue for module QoS:
mls qos
!
Interface GigabitEthernet4/0/1
mls qos trust cos
priority-queue cos-map 1 0 1 5
!
Interface GigabitEthernet4/0/2
mls qos trust cos
priority-queue cos-map 1 0 1 5
Deny Policy Enhancements for ACLs Configuration Example
The following example shows a configuration using the deny policy clear option. In this example, when
a deny address is hit, the search will stop and traffic will be allowed to pass in the clear (unencrypted)
state:
Router(config)# crypto ipsec ipv4-deny clear
CHAPTER 30
Configuring PKI Using the IPSec VPN SPA
This chapter provides information about configuring PKI-related features using the IPSec VPN SPA on
the Cisco 7600 series router. It includes the following sections:
• Overview of PKI
• Configuring Multiple RSA Key Pairs
• Configuring Protected Private Key Storage
• Configuring a Trustpoint CA
• Configuring Query Mode Definition Per Trustpoint
• Configuring a Local Certificate Storage Location
• Configuring Direct HTTP Enroll with CA Servers (Reenroll Using Existing Certificates)
• Configuring Manual Certificate Enrollment (TFTP and Cut-and-Paste)
• Configuring Certificate Autoenrollment
• Configuring Key Rollover for Certificate Renewal
• Configuring PKI: Query Multiple Servers During Certificate Revocation Check
• Configuring the Online Certificate Status Protocol
• Configuring Optional OCSP Nonces
• Configuring Certificate Security Attribute-Based Access Control
• Configuring PKI AAA Authorization Using the Entire Subject Name
• Configuring Source Interface Selection for Outgoing Traffic with Certificate Authority
• Configuring Persistent Self-Signed Certificates
• Configuring Certificate Chain Verification
• Configuration Examples
Note The procedures in this chapter assume you have some familiarity with PKI configuration concepts. For
detailed information about PKI configuration concepts, refer to the Cisco IOS Security Configuration
Guide and the Cisco IOS Security Command Reference.
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 15.0SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Overview of PKI
Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols
such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL).
A PKI is composed of the following entities:
• Peers communicating on a secure network
• At least one certificate authority (CA) that grants and maintains certificates
• Digital certificates, which contain information such as the certificate validity period, peer identity
information, encryption keys that are used for secure communications, and the signature of the
issuing CA
• An optional registration authority (RA) to offload the CA by processing enrollment requests
• A distribution mechanism (such as Lightweight Directory Access Protocol (LDAP) or HTTP) for
certificate revocation lists (CRLs)
PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking
encryption and identity information in a secured data network. Every entity (a person or a device)
participating in the secured communications is enrolled in the PKI, a process in which the entity
generates a Rivest, Shamir, and Adleman (RSA) key pair (one private key and one public key) and has
its identity validated by a trusted entity (also known as a CA or trustpoint).
After each entity enrolls in a PKI, every peer (also known as an end host) in a PKI is granted a digital
certificate that has been issued by a CA. When peers must negotiate a secured communication session,
they exchange digital certificates. Based on the information in the certificate, a peer can validate the
identity of another peer and establish an encrypted session with the public keys contained in the
certificate.
Configuring PKI involves the following tasks:
• Deploying Rivest, Shamir, and Adleman (RSA) keys within a public key infrastructure (PKI). An
RSA key pair (a public and a private key) is required before you can obtain a certificate for your
router; that is, the end host must generate a pair of RSA keys and exchange the public key with the
certificate authority (CA) to obtain a certificate and enroll in a PKI.
• Configuring authorization and revocation of certificates within a PKI. After a certificate is validated
as a properly signed certificate, it is authorized using methods such as certificate maps, PKI-AAA,
or a certificate-based access control list (ACL). The revocation status is checked by the issuing
certificate authority (CA) to ensure that the certificate has not been revoked.
• Configuring certificate enrollment, which is the process of obtaining a certificate from a certificate
authority (CA). Certificate enrollment occurs between the end host requesting the certificate and the
CA. Each peer that participates in the public key infrastructure (PKI) must enroll with a CA. Various
methods are available for certificate enrollment.
• Storing public key infrastructure (PKI) credentials, such as Rivest, Shamir, and Adleman (RSA)
keys and certificates. These credentials can be stored in the default location on the router, which is
NVRAM, or other locations.
Configuring Multiple RSA Key Pairs
The multiple RSA key pair support feature allows you to configure a Cisco 7600 series router to have
multiple Rivest, Shamir, and Adleman (RSA) key pairs. The Cisco IOS software can maintain a different
key pair for each identity certificate.
Before this feature, Cisco IOS public key infrastructure (PKI) configurations allowed either one
general-purpose key pair or a set of special-purpose key pairs (an encryption and a signing key pair).
The scenarios in which the key pairs were deployed often required the router to enroll with multiple
certificate servers, because each server has an independent policy and may also have different
requirements regarding general-purpose versus special-purpose certificates or key length. With this
feature, a user can configure different key pairs for each certification authority (CA) with which the
router enrolls and can match policy requirements for each CA without compromising the requirements
specified by the other CAs, such as key length, key lifetime, and general-purpose versus special-usage
keys.
Multiple RSA Key Pairs Configuration Guidelines and Restrictions
When configuring multiple RSA key pair support, follow these guidelines and restrictions:
• It is recommended that Secure Socket Layer (SSL) or other PKI clients do not attempt to enroll with
the same CA multiple times.
• Internet Key Exchange (IKE) will not work for any identity that is configured to use a named key
pair. If an IKE peer requests a certificate from a PKI trustpoint that is using multiple key support,
the initial portion of the exchange will work, that is, the correct certificate will be sent in the
certificate response; however, the named keypair will not be used and the IKE negotiation will fail.
• Whenever you regenerate a key pair, you must always reenroll the certificate identities with that key
pair.
To configure an RSA key pair, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
Purpose: Generates RSA key pairs.
• usage-keys—(Optional) Specifies that two special-usage key pairs should be generated, instead of
one general-purpose key pair.
• general-keys—(Optional) Specifies that the general-purpose key pair should be generated.
• key-pair-label—(Optional) Specifies the name of the key pair that the router will use. (If this
argument is enabled, you must specify either usage-keys or general-keys.)
Step 2
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that the router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.
Step 3
Command: Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
Purpose: Specifies which key pair to associate with the certificate.
• key-label—The name of the key pair, which is generated during enrollment if it does not already
exist or if the auto-enroll regenerate command is configured.
• key-size—(Optional) The size of the desired RSA key. If not specified, the existing key size is
used. (The specified size must be the same as the encryption-key-size.)
• encryption-key-size—(Optional) The size of the second key, which is used to request separate
encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)
Removing RSA Key Pair Settings
To delete a specified RSA key pair or all RSA key pairs that have been generated by your router, enter
the crypto key zeroize rsa command in global configuration mode as follows:
Router(config)# crypto key zeroize rsa [key-pair-label]
key-pair-label specifies the name of the key pair to be deleted. If the key-pair-label argument is used,
you will delete only the specified RSA key pair. If no argument is used, you will delete all the RSA key
pairs from your router.
Verifying RSA Key Information
To verify RSA key information, use at least one of the privileged EXEC commands used in the examples.
To display your router’s RSA public keys, use the show crypto key mypubkey rsa command:
Router# show crypto key mypubkey rsa
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
Usage: Encryption Key
Key Data:
00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
To display a list of all the RSA public keys stored on your router (including the public keys of peers that
have sent your router their certificates during peer authentication for IPSec), or to display details of a
particular RSA public key stored on your router, use the show crypto key pubkey-chain rsa command:
Router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate
Code Usage      IP-address    Name
M    Signature  10.0.0.1      myrouter.example.com
M    Encryption 10.0.0.1      myrouter.example.com
C    Signature  172.16.0.1    routerA.example.com
C    Encryption 172.16.0.1    routerA.example.com
C    General    192.168.10.3  routerB.domain1.com
For complete configuration information for Multiple RSA Key Pair Support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftmltkey.html
For an RSA key pair configuration example, see the “Multiple RSA Key Pairs Configuration Example”
section on page 30-53.
Configuring Protected Private Key Storage
The protected private key storage feature allows a user to encrypt and lock the RSA private keys that are
used on a Cisco 7600 series router, thereby preventing unauthorized use of the private keys.
Protected Private Key Storage Configuration Guidelines and Restrictions
When configuring protected private key storage, follow these guidelines and restrictions:
• An encrypted key is not effective after the router boots up until you manually unlock the key (using
the crypto key unlock rsa command). Depending on which key pairs are encrypted, this
functionality may adversely affect applications such as IP Security (IPSec), Secure Shell (SSH) and
Secure Socket Layer (SSL); that is, management of the router over a secure channel may not be
possible until the necessary key pair is unlocked.
• If a passphrase is lost, you must regenerate the key, enroll with the CA server again, and obtain a
new certificate. A lost passphrase cannot be recovered.
• If you want to change a passphrase, you must decrypt the key with the current passphrase using the
crypto key decrypt rsa command and encrypt the key once more to specify the new passphrase.
Configuring Private Keys
To encrypt, decrypt, lock, and unlock private keys, perform this task beginning in global configuration
mode:
Step 1
Command: Router(config)# crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Purpose: Encrypts the RSA keys. After this command is entered, the router can continue to use the
key; the key remains unlocked.
• write—(Optional) Router configuration is immediately written to NVRAM. If the write keyword is
not specified, the configuration must be manually written to NVRAM; otherwise, the encrypted key
will be lost next time the router is reloaded.
• name key-name—(Optional) Name of the RSA key pair that is to be encrypted. If a key name is not
specified, the default key name, routername.domainname, is used.
• passphrase passphrase—Passphrase that is used to encrypt the RSA key. To access the RSA key pair,
the passphrase must be specified.
Step 2
Command: Router(config)# exit
Purpose: Exits global configuration mode.
Step 3
Command: Router# show crypto key mypubkey rsa
Purpose: (Optional) Shows that the private key is encrypted (protected) and unlocked.
Step 4
Command: Router# crypto key lock rsa [name key-name] passphrase passphrase
Purpose: (Optional) Locks the encrypted private key on a running router.
• name key-name—(Optional) Name of the RSA key pair that is to be locked. If a key name is not
specified, the default key name, routername.domainname, is used.
• passphrase passphrase—Passphrase that is used to lock the RSA key. To access the RSA key pair,
the passphrase must be specified.
Note: After the key is locked, it cannot be used to authenticate the router to a peer device. This
behavior disables any IPSec or SSL connections that use the locked key. Any existing IPSec tunnels
created on the basis of the locked key will be closed. If all RSA keys are locked, SSH will
automatically be disabled.
Step 5
Command: Router# show crypto key mypubkey rsa
Purpose: (Optional) Shows that the private key is protected and locked. The output will also show
failed connection attempts by applications such as IKE, SSH, and SSL.
Step 6
Command: Router# crypto key unlock rsa [name key-name] passphrase passphrase
Purpose: (Optional) Unlocks the private key.
• name key-name—(Optional) Name of the RSA key pair that is to be unlocked. If a key name is not
specified, the default key name, routername.domainname, is used.
• passphrase passphrase—Passphrase that is used to unlock the RSA key. To access the RSA key pair,
the passphrase must be specified.
Note: After this command is entered, you can continue to establish IKE tunnels.
Verifying the Protected and Locked Private Keys
To verify that the key is protected (encrypted) and locked, enter the show crypto key mypubkey rsa
command:
Router# show crypto key mypubkey rsa
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
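The Key Data field in this output is the DER encoding of the public key, so the same listing that shows the protection state also reveals the key length. The following Python code is an added example, not part of the Cisco guide: it parses show crypto key mypubkey rsa output, records the protected, locked and exportable flags, and decodes Key Data to obtain the RSA modulus size. The sample text is the output shown above; the function names and the 2048-bit threshold are assumptions of this example.

```python
import re

# Output copied from the verification example above.
SAMPLE_OUTPUT = """\
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
"""

RSA_OID_TLV = bytes.fromhex("06092A864886F70D010101")  # OID 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def rsa_public_key_from_der(der):
    """Decode a DER SubjectPublicKeyInfo holding an RSA key: (modulus, exponent)."""
    tag, spki, _ = _read_tlv(der, 0)           # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)         # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_OID_TLV):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(spki, pos)        # BIT STRING wrapping the key
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsa_key, _ = _read_tlv(bits, 1)       # RSAPublicKey SEQUENCE
    tag_n, n_bytes, pos = _read_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa_key, pos)
    if (tag, tag_n, tag_e) != (0x30, 0x02, 0x02):
        raise ValueError("unexpected RSAPublicKey layout")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_mypubkey(output):
    """Return one dict per key pair found in the command output."""
    keys, current, in_data = [], None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Key name:"):
            current = {"name": line.split(":", 1)[1].strip(), "usage": None,
                       "protected": False, "locked": False,
                       "exportable": False, "hex": ""}
            keys.append(current)
            in_data = False
        elif current is None:
            continue
        elif line.startswith("Usage:"):
            current["usage"] = line.split(":", 1)[1].strip()
        elif line.startswith("***") and "protected" in line:
            current["protected"] = True
            # Word-boundary match, so a line reading UNLOCKED is not counted.
            current["locked"] = bool(re.search(r"\bLOCKED\b", line))
        elif line == "Key is exportable.":
            current["exportable"] = True
        elif line == "Key Data:":
            in_data = True
        elif in_data and re.fullmatch(r"[0-9A-Fa-f ]+", line):
            current["hex"] += line.replace(" ", "")
        else:
            in_data = False
    for key in keys:
        try:
            n, e = rsa_public_key_from_der(bytes.fromhex(key.pop("hex")))
            key["modulus_bits"], key["exponent"] = n.bit_length(), e
        except ValueError:  # Key Data that is not valid DER
            key["modulus_bits"], key["exponent"] = None, None
    return keys


def weak_keys(output, min_bits=2048):
    """Names of keys shorter than min_bits (threshold is this example's assumption)."""
    return [k["name"] for k in parse_mypubkey(output)
            if k["modulus_bits"] is not None and k["modulus_bits"] < min_bits]


if __name__ == "__main__":
    for key in parse_mypubkey(SAMPLE_OUTPUT):
        print(key)
```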
For complete configuration information for protected private key storage, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_ppkey.html
For protected private key configuration examples, see the “Protected Private Key Storage Configuration
Examples” section on page 30-54.
Step 7
Command: Router# configure terminal
Purpose: Enters global configuration mode.
Step 8
Command: Router(config)# crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Purpose: (Optional) Deletes the encrypted key and leaves only the unencrypted key.
• write—(Optional) Unencrypted key is immediately written to NVRAM. If the write keyword is not
specified, the configuration must be manually written to NVRAM; otherwise, the key will remain
encrypted the next time the router is reloaded.
• name key-name—(Optional) Name of the RSA key pair that is to be deleted. If a key name is not
specified, the default key name, routername.domainname, is used.
• passphrase passphrase—Passphrase that is used to delete the RSA key. To access the RSA key pair,
the passphrase must be specified.
Configuring a Trustpoint CA
The crypto pki trustpoint command allows you to declare the certificate authority (CA) that your router
should use and to specify characteristics for the CA.
The crypto pki trustpoint command combines and replaces the functionality of the existing crypto ca
identity command and the crypto ca trusted-root command. Although both of these existing commands
allow you to declare the certification authority (CA) that your router should use, only the crypto ca
identity command supports enrollment (the requesting of a router certificate from a CA).
Trustpoint CA Configuration Guidelines and Restrictions
When configuring a trustpoint CA, follow these guidelines and restrictions:
• After the trustpoint CA has been configured, you can obtain the certificate of the CA by using the
crypto pki authenticate command or you can specify that certificates should not be stored locally
but retrieved from a CA trustpoint by using the crypto pki certificate query command.
• Normally, certain certificates are stored locally in the router’s NVRAM, and each certificate uses a
moderate amount of memory. To save NVRAM space, you can use the crypto pki certificate query
command to put the router into query mode, preventing certificates from being stored locally;
instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM
space but could result in a slight performance impact.
To declare the CA that your router should use and specify characteristics for the trustpoint CA, perform
this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use. Enabling this command puts you in
ca-trustpoint configuration mode.
• name—Name for the trustpoint CA.
Step 2
Command: Router(ca-trustpoint)# enrollment [[mode ra] | [retry period minutes] | [retry count number] | [url url]]
Purpose: Specifies enrollment parameters for your CA.
• mode ra—(Optional) Specifies registration authority (RA) mode if your CA system provides an RA.
RA mode is turned off until you enable the mode ra keyword.
• minutes—(Optional) Specifies the wait period between certificate request retries. The default is
1 minute between retries. (Specify from 1 to 60 minutes.)
• number—(Optional) Specifies the number of times a router will resend a certificate request when it
does not receive a response from the previous request. The default is 10 retries. (Specify from 1
to 100 retries.)
• url—Specifies the URL of the CA where your router should send certificate requests; for example,
http://ca_server. url must be in the form http://CA_name, where CA_name is the CA’s host Domain
Name System (DNS) name or IP address.
Command: Router(ca-trustpoint)# root tftp server-hostname filename
Purpose: Obtains the CA via TFTP.
• server-hostname—Name for the server that will store the trustpoint CA.
• filename—Name for the file that will store the trustpoint CA.
Step 3
Command: Router(ca-trustpoint)# enrollment http-proxy host-name port-num
Purpose: Obtains the CA via HTTP through the proxy server.
• host-name—Name of the proxy server used to get the CA.
• port-num—Port number used to access the CA.
Note: This command can be used in conjunction only with the enrollment command.
Step 4
Command: Router(ca-trustpoint)# primary name
Purpose: (Optional) Assigns a specified trustpoint as the primary trustpoint of the router.
• name—Name of the primary trustpoint of the router.
Step 5
Command: Router(ca-trustpoint)# crl {query url | optional}
Purpose: (Optional) Queries the certificate revocation list (CRL) to ensure that the certificate of
the peer has not been revoked.
• url—Lightweight Directory Access Protocol (LDAP) URL published by the certificate authority (CA)
server is specified to query the CRL; for example, ldap://another_server.
• optional—CRL verification is optional.
Note: If the query url option is not enabled, the router will check the certificate distribution
point (CDP) that is embedded in the certificate.
Step 6
Command: Router(ca-trustpoint)# default command-name
Purpose: (Optional) Sets the value of ca-trustpoint configuration mode to its default.
• command-name—pki-trustpoint configuration subcommand. Default is off.
Step 7
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and enters global configuration mode.
Step 8
Command: Router(config)# crypto pki authenticate name
Purpose: Authenticates the CA (by obtaining the certificate of the CA).
• name—Name of the CA. Enter the name value entered in Step 1.
Step 9
Command: Router(config)# crypto pki trustpoint name
Purpose: Reenters ca-trustpoint configuration mode.
• name—Name for the trustpoint CA.
Step 10
Command: Router(ca-trustpoint)# crypto pki certificate query
Purpose: (Optional) Turns on query mode per specified trustpoint, causing certificates not to be
stored locally.
Verifying a Trustpoint CA
To verify information about your certificate, the certificate of the CA, and registration authority (RA)
certificates, enter the show crypto pki certificates command:
Router# show crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption
To display the trustpoints that are configured in the router, enter the show crypto pki trustpoints
command:
Router# show crypto pki trustpoints
Trustpoint bo:
Subject Name:
CN = bomborra Certificate Manager
O = cisco.com
C = US
Serial Number:01
Certificate configured.
CEP URL:http://bomborra
CRL query url:ldap://bomborra
For complete configuration information for the trustpoint CA, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/fttrust.html
For a trustpoint CA configuration example, see the “Trustpoint CA Configuration Example” section on
page 30-54.
Configuring Query Mode Definition Per Trustpoint
Certificates contain public key information and are signed by a certificate authority (CA) as proof of
identity. Normally, all certificates are stored locally in the router’s NVRAM, and each certificate uses a
moderate amount of memory. The query mode definition per trustpoint feature allows you to define a
query for a specific trustpoint so that the certificates associated with that specific trustpoint can be stored
on a remote server.
This feature is especially useful for environments where multiple trustpoints are configured on a router
because it allows you more control over use of the trustpoint. Query mode can be activated on specific
trustpoints rather than on all of the trustpoints on a router.
Query Mode Definition Per Trustpoint Configuration Guidelines and Restrictions
When configuring query mode definition per trustpoint, follow these guidelines and restrictions:
• Normally, certain certificates are stored locally in the router’s NVRAM, and each certificate uses a
moderate amount of memory. To save NVRAM space, you can use the query certificate command
to prevent certificates from being stored locally; instead, they are retrieved from a remote server,
such as a CA or LDAP server, during startup. This will save NVRAM space but could result in a
slight performance impact.
• Certificates associated with a specified trustpoint will not be written into NVRAM and the
certificate query will be attempted during the next reload of the router.
• When the global crypto pki certificate query command is used, the query certificate will be added
to all trustpoints on the router. When the no crypto pki certificate query command is used, any
previous query certificate configuration will be removed from all trustpoints and any query in
progress will be halted and the feature disabled.
To configure a trustpoint CA and initiate query mode for the trustpoint, perform this task beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# crypto pki trustpoint name Declares the CA that your router should use.
Enabling this command puts you in ca-trustpoint
configuration mode.
• name—Name for the trustpoint CA.
Step 2 Router(ca-trustpoint)# enrollment [[mode ra] |
[retry period minutes] | [retry count number] | [url
url]]
Specifies enrollment parameters for your CA.
• mode ra—(Optional) Specifies registration
authority (RA) mode if your CA system
provides a RA. RA mode is turned off until you
enable the mode ra keyword.
• minutes—(Optional) Specifies the wait period
between certificate request retries. The default
is 1 minute between retries. (Specify from 1 to
60 minutes.)
• number—(Optional) Specifies the number of
times a router will resend a certificate request
when it does not receive a response from the
previous request. The default is 10 retries.
(Specify from 1 to 100 retries.)
• url—Specifies the URL of the CA where your
router should send certificate requests; for
example, http://ca_server. url must be in the
form http://CA_name, where CA_name is the
CA’s host Domain Name System (DNS) name
or IP address.
Step 3 Router(ca-trustpoint)# enrollment http-proxy
host-name port-num
(Optional) Obtains the CA via HTTP through the
proxy server.
• host-name—Name of the proxy server used to
get the CA.
• port-num—Port number used to access the CA.
Note This command can be used in conjunction
only with the enrollment command.
Step 4 Router(ca-trustpoint)# crl query url (Optional) Specifies the URL for the CA server if
the CA server supports query mode through LDAP.
• url—Lightweight Directory Access Protocol
(LDAP) URL published by the certificate
authority (CA) server.
Step 5 Router(ca-trustpoint)# default command-name (Optional) Sets the value of ca-trustpoint
configuration mode to its default.
• command-name—pki-trustpoint configuration
subcommand. Default is off.
Step 6 Router(ca-trustpoint)# query certificate Turns on query mode per specified trustpoint,
causing certificates not to be stored locally and to be
retrieved from a remote server.
Step 7 Router(ca-trustpoint)# exit Exits ca-trustpoint configuration mode and enters
global configuration mode.
Step 8 Router(config)# crypto pki authenticate name Authenticates the CA (by obtaining the certificate of
the CA).
• name—Name of the CA. Enter the name value
entered in Step 1.
Step 9 Router(config)# crypto key generate rsa (Optional) Generates RSA key pairs.
Step 10 Router(config)# crypto pki enroll trustpoint-name (Optional) Obtains router certificate.
• trustpoint-name—Name of the CA. Enter the
name value entered in Step 1.
Verifying Query Mode Definition Per Trustpoint CA
For query mode to operate correctly during the next reload, the certificates must be associated with the
trustpoint. Use the show crypto pki certificates command to verify that each of the trustpoints has the
needed certificates before storing the configuration and reloading the router:
Router# show crypto pki certificates status
Trustpoint yni:
Issuing CA certificate pending:
Subject Name:
cn=nsca-r1 Cert Manager,ou=pki,o=cisco.com,c=US
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Router certificate pending:
Subject Name:
hostname=trance.cisco.com,o=cisco.com
Next query attempt:
52 seconds
For complete configuration information for Query Mode Definition Per Trustpoint, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_qerym.html
For a query mode definition per trustpoint configuration example, see the “Query Mode Definition Per
Trustpoint Configuration Example” section on page 30-54.
Configuring a Local Certificate Storage Location
The Local Certificate Storage Location feature enables you to store public key infrastructure (PKI)
credentials, such as Rivest, Shamir, and Adleman (RSA) keys and certificates, in a specific location.
Examples of certificate storage locations include NVRAM, which is the default location, and other local
storage locations as supported by your platform, such as flash.
Note The Local Certificate Storage Location feature is only supported as of Cisco IOS Release 12.2(33)SRA.
Local Certificate Storage Location Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring a local certificate storage location:
• Before you can specify the local certificate storage location, your system should meet the following
requirements:
– A Cisco IOS Release 12.4(2)T PKI-enabled image or a later image
– A platform that supports storing PKI credentials as separate files
– A configuration that contains at least one certificate
– An accessible local file system
• When storing certificates to a local storage location, the following restrictions are applicable:
– Only local file systems may be used. An error message will be displayed if a remote file system
is selected, and the command will not take effect.
– A subdirectory may be specified if supported by the local file system. NVRAM does not support
subdirectories.
– Certificates are stored to NVRAM by default; however, some routers do not have the required
amount of NVRAM to successfully store certificates. Cisco IOS Release 12.4(2)T introduced
the ability to specify where certificates are stored on a local file system.
– During run time, you can specify what active local storage device you would like to use to store
certificates.
Specifying a Local Storage Location for Certificates
To specify the local storage location for certificates, perform the following steps beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# crypto pki certificate storage
location-name
Specifies the local storage location for certificates.
• location-name—Name of the storage location.
Step 2 Router(config)# exit Exits global configuration mode.
Step 3 Router# copy source-url destination-url (Optional) Saves the running configuration to the
startup configuration.
• source-url—The location URL (or alias) of the
source file or directory to be copied. The source
can be either local or remote, depending upon
whether the file is being downloaded or
uploaded.
• destination-url—The destination URL (or alias)
of the copied file or directory. The destination
can be either local or remote, depending upon
whether the file is being downloaded or
uploaded.
Note Settings will only take effect when the
running configuration is saved to the startup
configuration.
Verifying the Local Certificate Storage Location Configuration
To verify a local certificate storage location configuration, enter the show crypto pki certificates
storage command.
The show crypto pki certificates storage command displays the current setting for the PKI certificate
storage location.
The following example shows that certificates are stored in the certs subdirectory of disk0:
Router# show crypto pki certificates storage
Certificates will be stored in disk0:/certs/
For complete configuration information for local certificate storage location, refer to the Cisco IOS
Security Configuration Guide or the following URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
For local certificate storage configuration examples, see the “Local Certificate Storage Location
Configuration Example” section on page 30-55.
Configuring Direct HTTP Enroll with CA Servers (Reenroll Using
Existing Certificates)
The direct HTTP enroll with CA servers feature allows users to bypass the registration authority (RA)
when enrolling with a certification authority (CA) by configuring an enrollment profile. HTTP
enrollment requests can be sent directly to the CA server.
The reenroll using existing certificates functionality allows a router that is enrolled with a third-party
vendor CA to use its existing certificate to enroll with the Cisco IOS certificate server so the enrollment
request is automatically granted.
Direct HTTP Enroll with CA Servers Configuration Guidelines and Restrictions
When configuring direct HTTP enroll with CA servers, follow these guidelines and restrictions:
• The CA certificate and router certificates must be returned in the privacy enhanced mail (PEM)
format.
• If an enrollment profile is specified, an enrollment URL cannot be specified in the trustpoint
configuration.
• Because there is no standard for the HTTP commands used by various CAs, the user is required to
enter the command that is appropriate to the CA that is being used.
• The newly created trustpoint can only be used one time (which occurs when the router is enrolled
with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential
information will be deleted from the enrollment profile.
• The Cisco IOS certificate server will automatically grant only the requests from clients who were
already enrolled with the non-Cisco IOS CA. All other requests must be manually granted unless
the server is set to be in auto grant mode (using the grant automatic command).
• To configure direct HTTP enroll with CA servers, you must perform the following steps:
– Either configure a certificate enrollment profile for the client router (see the “Configuring an
Enrollment Profile for a Client Router” section on page 30-17) or configure an enrollment
profile for a client router that is already enrolled with a third-party vendor (see the “Configuring
an Enrollment Profile for a Client Router Enrolled with a Third-Party Vendor CA” section on
page 30-18).
– Configure the CA certificate server to accept enrollment requests only from clients who are
already enrolled with the third-party vendor CA trustpoint (see the “Configuring the CA to
Accept Enrollment Requests from Clients of a Third-Party Vendor CA” section on page 30-20).
Configuring an Enrollment Profile for a Client Router
To configure a certificate enrollment profile, perform this task beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# crypto pki trustpoint name Declares the trustpoint a given name and enters
ca-trustpoint configuration mode.
• name—Name of the CA trustpoint.
Step 2 Router(ca-trustpoint)# enrollment profile label Specifies that an enrollment profile can be used for
certificate authentication and enrollment.
• label—Name for the enrollment profile.
Step 3 Router(ca-trustpoint)# exit Exits ca-trustpoint configuration mode and enters
global configuration mode.
Step 4 Router(config)# crypto pki profile enrollment label Defines an enrollment profile and enters
ca-profile-enroll configuration mode.
• label—Name for the enrollment profile; the
enrollment profile name must match the name
specified in the enrollment profile command.
Step 5 Router(ca-profile-enroll)# authentication url url (Optional) Specifies the URL of the CA server to
which to send certificate authentication requests.
• url—URL of the CA server to which your router
should send authentication requests. If using
HTTP, the URL should read “http://CA_name,”
where CA_name is the host Domain Name
System (DNS) name or IP address of the CA.
If using TFTP, the URL should read
“tftp://certserver/file_specification.” (If the
URL does not include a file specification, the
fully qualified domain name (FQDN) of the
router will be used.)
Router(ca-profile-enroll)# authentication terminal (Optional) Specifies manual cut-and-paste
certificate authentication.
Step 6 Router(ca-profile-enroll)# authentication command (Optional) Sends the HTTP request to the CA for
authentication.
This command should be used after the
authentication url command has been entered.
Step 7 Router(ca-profile-enroll)# enrollment url url
or
Specifies the URL of the CA server to which to send
certificate enrollment requests via HTTP or TFTP.
• url—URL of the CA server.
Router(ca-profile-enroll)# enrollment terminal Specifies manual cut-and-paste certificate
enrollment.
Step 8 Router(ca-profile-enroll)# enrollment command
(Optional) Specifies the HTTP command that is sent to
the CA for enrollment.
Step 9 Router(ca-profile-enroll)# parameter number {value
value | prompt string}
(Optional) Specifies parameters for an enrollment
profile.
• number—User parameters. Valid values range
from 1 to 18.
• value—To be used if the parameter has a
constant value.
• string—To be used if the parameter is supplied
after the crypto pki authenticate command or
the crypto pki enroll command has been
entered.
Note The value of the string argument does not
have an effect on the value that is used by the
router.
This command can be used multiple times to specify
multiple values.
Step 10 Router(ca-profile-enroll config)# exit Exits ca-profile-enroll configuration mode and
enters global configuration mode.
Step 11 Router(config)# exit Exits global configuration mode and enters
Privileged EXEC mode.
Step 12 Router# show crypto pki certificates (Optional) Verifies information about your
certificate, the certificate of the CA, and RA
certificates.
Step 13 Router# show crypto pki trustpoints (Optional) Displays the trustpoints that are
configured in the router.
Configuring an Enrollment Profile for a Client Router Enrolled with a Third-Party Vendor CA
When a client router is already enrolled with a third-party vendor CA, but you want to reenroll that router
with a Cisco IOS certificate server, perform the following procedures. Note that some prerequisite steps
are required before beginning the configuration.
Prerequisites
Before configuring a certificate enrollment profile for the client router enrolled with a third-party
vendor, you should have already performed the following tasks at the client router:
• Defined a trustpoint that points to a third-party vendor CA.
• Authenticated and enrolled the client router with the third-party vendor CA.
To configure a certificate enrollment profile for a client router that is already enrolled with a third-party
vendor CA so that the router can reenroll with a Cisco IOS certificate server, perform this task beginning
in global configuration mode:
Command Purpose
Step 1 Router(config)# crypto pki trustpoint name Declares the CA that your router should use and
enters ca-trustpoint configuration mode.
• name—Name of the Cisco IOS CA that is to be
used.
Step 2 Router(ca-trustpoint)# enrollment profile label Specifies that an enrollment profile is to be used for
certificate reenrollment.
• label—Name for the enrollment profile.
Step 3 Router(ca-trustpoint)# exit Exits ca-trustpoint configuration mode and enters
global configuration mode.
Step 4 Router(config)# crypto pki profile enrollment label Defines an enrollment profile and enters
ca-profile-enroll configuration mode.
• label—Name for the enrollment profile; the
enrollment profile name must match the name
specified in the enrollment profile command in
Step 2.
Step 5 Router(ca-profile-enroll)# enrollment url url Specifies the URL of the CA server to which to send
certificate enrollment requests via HTTP.
• url—The enrollment URL should point to the
Cisco IOS CA.
Step 6 Router(ca-profile-enroll)# enrollment credential
label
Specifies the non-Cisco IOS CA trustpoint that is to
be enrolled with the Cisco IOS CA.
• label—Name of the CA trustpoint of another
vendor.
Step 7 Router(ca-profile-enroll)# exit Exits ca-profile-enroll configuration mode and
enters global configuration mode.
Step 8 Router(config)# exit Exits global configuration mode and enters
Privileged EXEC mode.
Step 9 Router# show crypto pki certificates (Optional) Verifies information about your
certificate, the certificate of the CA, and RA
certificates.
Step 10 Router# show crypto pki trustpoints (Optional) Displays the trustpoints that are
configured in the router.
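The consistency rules this chapter states for trustpoints and enrollment profiles can be checked offline against a saved configuration. The following Python sketch is an added example, not Cisco code: the sample configuration, the trustpoint and profile names, and the rule codes are constructed for illustration, and the TFTP rule reflects the world-writeable file risk described in the manual enrollment section of this chapter.

```python
# Added example: lint a saved IOS configuration against rules stated in this chapter.
# All names in SAMPLE_CONFIG (ios-ca, branch, tftp-ca, reenroll, vendor-ca) are constructed.
SAMPLE_CONFIG = """\
crypto pki trustpoint ios-ca
 enrollment profile reenroll
 enrollment url http://ios-ca.example.com
 crl optional
!
crypto pki trustpoint branch
 enrollment profile missing-profile
!
crypto pki trustpoint tftp-ca
 enrollment url tftp://certserver/router1
 crl query ldap://ldap.example.com
!
crypto pki profile enrollment reenroll
 enrollment url http://ios-ca.example.com
 enrollment credential vendor-ca
"""

RULES = {
    "PROFILE_AND_URL": "enrollment URL configured together with an enrollment profile",
    "PROFILE_UNDEFINED": "enrollment profile label has no matching profile definition",
    "CRL_OPTIONAL": "CRL verification is optional for this trustpoint",
    "TFTP_ENROLLMENT": "TFTP enrollment: request file may be writeable by any device",
    "CREDENTIAL_UNDEFINED": "enrollment credential names a trustpoint that is not defined",
}


def parse_blocks(config):
    """Group indented sub-commands under their unindented parent command."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def lint_pki(config):
    """Return a list of (rule_code, object_name) findings."""
    trustpoints, profiles = {}, {}
    for header, body in parse_blocks(config):
        words = header.split()
        if words[:3] == ["crypto", "pki", "trustpoint"] and len(words) == 4:
            trustpoints[words[3]] = body
        elif words[:4] == ["crypto", "pki", "profile", "enrollment"] and len(words) == 5:
            profiles[words[4]] = body

    findings = []
    for name, body in trustpoints.items():
        cmds = [line.split() for line in body]
        profile_refs = [w[2] for w in cmds
                        if w[:2] == ["enrollment", "profile"] and len(w) == 3]
        # "enrollment ... url <url>": take the token that follows the url keyword.
        urls = [w[w.index("url") + 1] for w in cmds
                if w[0] == "enrollment" and "url" in w[1:-1]]
        if profile_refs and urls:
            findings.append(("PROFILE_AND_URL", name))
        for label in profile_refs:
            if label not in profiles:
                findings.append(("PROFILE_UNDEFINED", name))
        if ["crl", "optional"] in cmds:
            findings.append(("CRL_OPTIONAL", name))
        if any(u.lower().startswith("tftp://") for u in urls):
            findings.append(("TFTP_ENROLLMENT", name))

    for label, body in profiles.items():
        for w in (line.split() for line in body):
            if (w[:2] == ["enrollment", "credential"] and len(w) == 3
                    and w[2] not in trustpoints):
                findings.append(("CREDENTIAL_UNDEFINED", label))
    return findings


if __name__ == "__main__":
    for code, name in lint_pki(SAMPLE_CONFIG):
        print(f"{name}: {code}: {RULES[code]}")
```
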
Configuring the CA to Accept Enrollment Requests from Clients of a Third-Party
Vendor CA
To configure the CA certificate server to accept enrollment requests only from clients who are already
enrolled with the third-party vendor CA trustpoint, perform this task beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# ip http server Enables the HTTP server on your system.
Step 2 Router(config)# crypto pki server cs-label Enables the certificate server and enters certificate
server configuration mode.
• cs-label—The cs-label argument must match
the name that was specified by the crypto pki
trustpoint command for the client router.
Step 3 Router(cs-server)# database url root-url Specifies the location where all database entries for
the certificate server will be written out.
• root-url—Root URL.
Note If this command is not specified, all database
entries will be written to NVRAM.
Step 4 Router(cs-server)# database level {minimal | names |
complete}
Controls what type of data is stored in the certificate
enrollment database.
• minimal—Enough information is stored only to
continue issuing new certificates without
conflict; the default value.
• names—In addition to the information given in
the minimal level, the serial number and subject
name of each certificate.
• complete—In addition to the information given
in the minimal and names levels, each issued
certificate is written to the database.
Note The complete keyword produces a large
amount of information; if it is specified, you
should also specify an external TFTP server
in which to store the data using the database
url command.
Step 5 Router(cs-server)# issuer-name DN-string Sets the CA issuer name to the specified DN-string.
• DN-string—The default value is as follows:
issuer-name CN=cs-label.
Step 6 Router(cs-server)# grant auto trustpoint label Enables the certificate server to automatically grant
only the requests from clients that are already
enrolled with the specified non-Cisco IOS CA
trustpoint.
• label—Name of the CA trustpoint of another
vendor.
Note The label argument should match the
trustpoint that was specified for the client
router’s enrollment profile (using the
enrollment credential command).
Step 7 Router(cs-server)# lifetime {ca-certificate |
certificate} time
(Optional) Specifies the lifetime, in days, of a CA
certificate or a certificate.
• time—Valid values range from 1 day to 1825
days. The default CA certificate lifetime is 3
years; the default certificate lifetime is 1 year.
The maximum certificate lifetime is 1 month
less than the lifetime of the CA certificate.
Step 8 Router(cs-server)# lifetime crl time (Optional) Defines the lifetime, in hours, of the
Certificate Revocation List (CRL) that is used by the
certificate server.
• time—Maximum lifetime value is 336 hours (2
weeks). The default value is 168 hours (1 week).
Step 9 Router(cs-server)# cdp-url url (Optional) Defines a Certificate Distribution Point
(CDP) to be used in the certificates that are issued by
the certificate server.
• url—URL must be an HTTP URL.
Step 10 Router(cs-server)# shutdown Disables a certificate server without removing the
configuration.
You should enter this command only after you have
completely configured your certificate server.
Step 11 Router(cs-server)# exit Exits certificate server configuration mode.
Step 12 Router(config)# exit Exits global configuration mode.
Step 13 Router# show crypto pki server (Optional) Displays the current state and
configuration of the certificate server.
For complete configuration information for direct HTTP enroll with CA servers, including the “reenroll
using existing certificates” functionality, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthttpca.html
For direct HTTP enroll with CA servers configuration examples, see the “Direct HTTP Enrollment
with CA Servers Configuration Examples” section on page 30-55.
Configuring Manual Certificate Enrollment (TFTP and
Cut-and-Paste)
The manual certificate enrollment (TFTP and cut-and-paste) feature allows users to generate a certificate
request and accept certification authority (CA) certificates as well as the router’s certificates; these tasks
are accomplished by a TFTP server or manual cut-and-paste operations. You might want to utilize TFTP
or manual cut-and-paste enrollment in the following situations:
• The CA does not support Simple Certificate Enrollment Protocol (SCEP) (which is the most
commonly used method for sending and receiving requests and certificates).
• A network connection between the router and CA is not possible (a network connection is how a
router running Cisco IOS software normally obtains its certificate).
Manual Certificate Enrollment (TFTP and Cut-and-Paste) Configuration
Guidelines and Restrictions
When configuring manual certificate enrollment (TFTP and cut-and-paste), follow these guidelines and
restrictions:
• You can switch between TFTP and cut-and-paste; for example, you can paste the CA certificate
using the enrollment terminal command, then enter no enrollment terminal and enrollment url
tftp://certserver/file_specification to switch to TFTP to send or receive requests and router
certificates. However, Cisco does not recommend switching URLs if SCEP is used; that is, if the
enrollment URL is http://, do not change the enrollment URL between fetching the CA certificate
and enrolling the certificate.
Configuring Manual Enrollment Using TFTP
Before configuring manual enrollment using TFTP, you must meet the following prerequisites:
• You must know the correct URL to use if you are configuring certificate enrollment using TFTP.
• The router must be able to write a file to the TFTP server for the crypto pki enroll command.
• Some TFTP servers require that the file exist on the server before it may be written.
• Most TFTP servers require that the file be writeable by anyone. This requirement may pose a risk
because any router or other device may write or overwrite the certificate request; thus, the router
will not be able to use the certificate once it is granted by the CA because the request was modified.
To declare the trustpoint CA that your router should use and configure that trustpoint CA for manual
enrollment using TFTP, perform this task beginning in global configuration mode:
Command Purpose
Step 1 Router(config)# crypto pki trustpoint name Declares the CA that your router should use and
enters ca-trustpoint configuration mode.
• name—Name of the CA.
Step 2 Router(ca-trustpoint)# enrollment [mode] [retry
period minutes] [retry count number] url url
Specifies the enrollment parameters of your CA.
• mode—Specifies registration authority (RA)
mode if your CA system provides a RA.
• minutes—Specifies the wait period between
certificate request retries. The default is 1
minute between retries.
• number—Specifies the number of times a router
will resend a certificate request when it does not
receive a response from the previous request.
(Specify from 1 to 100 retries.)
• url—Specifies the URL of the CA where your
router should send certificate requests.
If you are using SCEP for enrollment, the URL
must be in the form http://CA_name, where
CA_name is the CA’s host Domain Name
System (DNS) name or IP address.
If you are using TFTP for enrollment, the URL
must be in the form
tftp://certserver/file_specification.
Step 3 Router(ca-trustpoint)# crypto pki authenticate name Authenticates the CA (by obtaining the certificate of
the CA.)
• name—Name of the CA. Enter the name value
entered in Step 1.
Step 4 Router(ca-trustpoint)# exit Exits ca-trustpoint configuration mode and returns
to global configuration.
Step 5 Router(config)# crypto pki enroll name Obtains your router’s certificates from the CA.
• name—Name of the CA. Enter the name value
entered in Step 1.
Step 6 Router(config)# crypto pki import name certificate Imports a certificate using TFTP.
• name—Name of the CA. Enter the name value
entered in Step 1.
Configuring Certificate Enrollment Using Cut-and-Paste
To declare the trustpoint CA that your router should use and configure that trustpoint CA for manual
enrollment using cut-and-paste, perform this task:
Command Purpose
Step 1 Router(config)# crypto pki trustpoint name Declares the CA that your router should use and
enters ca-trustpoint configuration mode.
• name—Name of the CA.
Step 2 Router(ca-trustpoint)# enrollment terminal Specifies manual cut-and-paste certificate
enrollment.
Step 3 Router(ca-trustpoint)# crypto pki authenticate name Authenticates the CA (by obtaining the certificate of
the CA).
• name—Specifies the name of the CA. Enter the
name value entered in Step 1.
Step 4 Router(ca-trustpoint)# exit Exits ca-trustpoint configuration mode and returns
to global configuration.
Step 5 Router(config)# crypto pki enroll name Obtains your router’s certificates from the CA.
• name—Specifies the name of the CA. Enter the
name value entered in Step 1.
Step 6 Router(config)# crypto pki import name certificate Imports a certificate manually at the terminal.
• name—Specifies the name of the CA. Enter the
name value entered in Step 1.
Note You must enter the crypto pki import
command twice if usage keys (signature and
encryption keys) are used. The first time the
command is entered, one of the certificates
is pasted into the router; the second time the
command is entered, the other certificate is
pasted into the router. (It does not matter
which certificate is pasted first.)
Verifying the Manual Certificate Enrollment Configuration
To verify information about your certificate, the certificate of the CA, and RA certificates, enter the show
crypto pki certificates command:
Router# show crypto pki certificates
Certificate
Status:Available
Certificate Serial Number:14DECE05000000000C48
Certificate Usage:Encryption
Issuer:
CN = msca-root
O = Cisco Systems
C = U
Subject:
Name:Router.cisco.com
OID.1.2.840.113549.1.9.2 = Router.cisco.com
CRL Distribution Point:
http://msca-root/CertEnroll/msca-root.crl
Validity Date:
start date:18:16:45 PDT Jun 7 2002
end date:18:26:45 PDT Jun 7 2003
renew date:16:00:00 PST Dec 31 1969
Associated Trustpoints:MS
Certificate
Status:Available
Certificate Serial Number:14DEC2E9000000000C47
Certificate Usage:Signature
Issuer:
CN = msca-root
O = Cisco Systems
C = US
Subject:
Name:Router.cisco.com
OID.1.2.840.113549.1.9.2 = Router.cisco.com
CRL Distribution Point:
http://msca-root/CertEnroll/msca-root.crl
Validity Date:
start date:18:16:42 PDT Jun 7 2002
end date:18:26:42 PDT Jun 7 2003
renew date:16:00:00 PST Dec 31 1969
Associated Trustpoints:MS
CA Certificate
Status:Available
Certificate Serial Number:3AC0A65E9547C2874AAF2468A942D5EE
Certificate Usage:Signature
Issuer:
CN = msca-root
O = Cisco Systems
C = US
Subject:
CN = msca-root
O = Cisco Systems
C = US
CRL Distribution Point:
http://msca-root/CertEnroll/msca-root.crl
Validity Date:
start date:16:46:01 PST Feb 13 2002
end date:16:54:48 PST Feb 13 2007
Associated Trustpoints:MS
To display the trustpoints that are configured in the router, enter the show crypto pki trustpoints
command:
Router# show crypto pki trustpoints
Trustpoint bo:
Subject Name:
CN = bomborra Certificate Manager
O = cisco.com
C = US
Serial Number:01
Certificate configured.
CEP URL:http://bomborra
CRL query url:ldap://bomborra
For complete configuration information for manual certificate enrollment (TFTP and cut-and-paste),
refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftmancrt.html
For manual certificate enrollment configuration examples, see the “Manual Certificate Enrollment
Configuration Examples” section on page 30-56.
Configuring Certificate Autoenrollment
The certificate autoenrollment feature allows you to configure your router to automatically request a
certificate from the certification authority (CA), using the parameters in the configuration. Thus,
operator intervention is no longer required at the time the enrollment request is sent to the CA server.
Automatic enrollment will be performed on startup for any trustpoint CA that is configured and does not
have a valid certificate. When a certificate issued by a trustpoint CA that has been configured for
autoenrollment expires, a new certificate is requested. Although this feature does not provide
seamless certificate renewal, it does provide unattended recovery from expiration.
Before the certificate autoenrollment feature, certificate enrollment required complicated, interactive
commands that had to be executed on every router. This feature allows you to preload all of the necessary
information into the configuration and cause each router to obtain certificates automatically when it is
booted. Autoenrollment also checks for expired router certificates.
Note Before submitting an automatic enrollment request, all necessary enrollment information must be
configured.
To configure autoenrollment with a CA on startup, perform this task beginning in global configuration
mode:
Command / Purpose

Step 1  Router(config)# crypto pki trustpoint name
        Declares the name of the CA that your router should use and enters ca-trustpoint
        configuration mode.
        • name—Name of the CA.

Step 2  Router(ca-trustpoint)# enrollment url url
        Specifies the URL of the CA on which your router should send certificate requests; for
        example, http://ca_server.
        • url—Must be in the form of http://CA_name, where CA_name is the name of the CA’s host
          Domain Name System or the IP address.

Step 3  Router(ca-trustpoint)# subject-name [x.500-name]
        (Optional) Specifies the requested subject name that will be used in the certificate request.
        • x.500-name—If the x.500-name argument is not specified, the fully qualified domain name
          (FQDN), which is the default subject name, is used.

Step 4  Router(ca-trustpoint)# ip-address {interface | none}
        Includes the IP address of the specified interface in the certificate request.
        • interface—IP address of the interface.
        • none—Specify this keyword if no IP address should be included.
        If this command is enabled, you will not be prompted for an IP address during enrollment
        for this trustpoint.

Step 5  Router(ca-trustpoint)# serial-number [none]
        Specifies the router serial number in the certificate request, unless the none keyword is
        specified.
        • none—Specify this keyword if no serial number should be included.

Step 6  Router(ca-trustpoint)# auto-enroll [regenerate]
        Enables autoenrollment. This command allows you to automatically request a router
        certificate from the CA. By default, only the DNS name of the router is included in the
        certificate.
        • regenerate—Specify this keyword to generate a new key for the certificate even if a
          named key already exists.

Step 7  Router(ca-trustpoint)# password string
        (Optional) Specifies the revocation password for the certificate.
        • string—Text of the password.
        Note If this command is enabled, you will not be prompted for a password during enrollment
        for this trustpoint.

Step 8  Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
        Specifies which key pair to associate with the certificate.
        • key-label—Name of the key pair, which is generated during enrollment if it does not
          already exist or if the auto-enroll regenerate command is configured.
        • key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size
          is used. (The specified size must be the same as the encryption-key-size.)
        • encryption-key-size—(Optional) Size of the second key, which is used to request separate
          encryption, signature keys, and certificates. (The specified size must be the same as the
          key-size.)
        If this command is not enabled, the FQDN key pair is used.

Preloading Root CAs
After enabling automatic enrollment, you must authenticate the CA to establish a chain of trust. This can
be done by implementing one of the following methods:
• Obtaining the Certificate of the CA
• Adding the Certificate of the CA
Obtaining the Certificate of the CA
To obtain the certificate of the CA, enter the crypto pki authenticate command in global configuration
mode.
Router(config)# crypto pki authenticate name
name specifies the name of the CA.
Adding the Certificate of the CA
To add the certificate of the CA, perform this task beginning in global configuration mode:
Command / Purpose

Step 1  Router(config)# crypto pki certificate chain name
        Enters certificate chain configuration mode, which allows you to add or delete specified
        certificates.
        • name—Name of the CA.

Step 2  Router(config-cert-chain)# certificate certificate-serial-number
        Manually adds or deletes certificates.
        • certificate-serial-number—Serial number of the CA to add.

Verifying CA Information
To display information about your certificates, the certificates of the CA, and registration authority (RA)
certificates, enter the show crypto pki certificates command:
Router# show crypto pki certificates
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
Key Usage: Signature
Certificate
Subject Name
Name: myrouter.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
Key Usage: Encryption
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
To display the trustpoints configured in the router, enter the show crypto pki trustpoints command:
Router# show crypto pki trustpoints
Trustpoint bo:
Subject Name:
CN = bomborra Certificate Manager
O = cisco.com
C = US
Serial Number:01
Certificate configured.
CEP URL:http://bomborra
CRL query url:ldap://bomborra
For complete configuration information for Certificate Autoenrollment, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftautoen.html
For a certificate autoenrollment configuration example, see the “Certificate Autoenrollment
Configuration Example” section on page 30-59.
Configuring Key Rollover for Certificate Renewal
Automatic certificate enrollment was introduced to allow the router to automatically request a certificate
from the certification authority (CA) server. By default, the automatic enrollment feature requests a new
certificate when the old certificate expires. Connectivity can be lost while the request is being serviced
because the existing certificate and key pairs are deleted immediately after the new key is generated. The
new key does not have a certificate to match it until the process is complete, and incoming Internet Key
Exchange (IKE) connections cannot be established until the new certificate is issued. The key rollover
for certificate renewal feature allows the certificate renewal request to be made before the certificate
expires and retains the old key and certificate until the new certificate is available.
Key rollover can also be used with a manual certificate enrollment request. Using the same method as
key rollover with certificate autoenrollment, a new key pair is created with a temporary name, and the
old certificate and key pair are retained until a new certificate is received from the CA. When the new
certificate is received, the old certificate and key pair are discarded and the new key pair is renamed with
the name of the original key pair. Do not regenerate the keys manually; key rollover will occur when you
enter the crypto pki enroll command.
Key Rollover for Certificate Renewal Configuration Guidelines and Restrictions
When configuring key rollover for certificate renewal, follow these guidelines and restrictions:
• Trustpoints configured to generate a new key pair using the regenerate command or the regenerate
keyword of the auto-enroll command must not share key pairs with other trustpoints. To give each
trustpoint its own key pair, use the rsakeypair command in ca-trustpoint configuration mode.
Sharing key pairs among regenerating trustpoints is not supported and will cause loss of service on
some of the trustpoints because of key and certificate mismatch.
Configuring Automatic Certificate Enrollment with Key Rollover
To configure key rollover with automatic certificate enrollment, perform this task beginning in global
configuration mode:
Command / Purpose

Step 1  Router(config)# crypto pki trustpoint name
        Declares the name of the CA that your router should use and enters ca-trustpoint
        configuration mode.
        • name—Name of the CA.

Step 2  Router(ca-trustpoint)# enrollment url url
        Specifies the URL of the CA on which your router should send certificate requests; for
        example, http://ca_server.
        • url—Must be in the form of http://CA_name, where CA_name is the name of the CA’s host
          Domain Name System or the IP address.

Step 3  Router(ca-trustpoint)# subject-name [x.500-name]
        (Optional) Specifies the requested subject name that will be used in the certificate request.
        • x.500-name—If the x.500-name argument is not specified, the fully qualified domain name
          (FQDN), which is the default subject name, is used.

Step 4  Router(ca-trustpoint)# ip-address {interface | none}
        Includes the IP address of the specified interface in the certificate request.
        • interface—IP address of the interface.
        • none—Specify this keyword if no IP address should be included.
        If this command is enabled, you will not be prompted for an IP address during enrollment
        for this trustpoint.

Step 5  Router(ca-trustpoint)# serial-number [none]
        Specifies the router serial number in the certificate request, unless the none keyword is
        specified.
        • none—Specify this keyword if no serial number should be included.

Step 6  Router(ca-trustpoint)# auto-enroll [percent][regenerate]
        Enables autoenrollment. This command allows you to automatically request a router
        certificate from the CA. By default, only the DNS name of the router is included in the
        certificate.
        • percent—Use the percent argument to specify that a new certificate will be requested
          after the percent lifetime of the current certificate is reached.
        • regenerate—Specify this keyword to generate a new key for the certificate even if a
          named key already exists.
        Note If the key pair being rolled over is exportable, the new key pair will also be
        exportable. The following comment will appear in the trustpoint configuration to indicate
        whether the key pair is exportable:
        ! RSA key pair associated with trustpoint is exportable.

Step 7  Router(ca-trustpoint)# password string
        (Optional) Specifies the revocation password for the certificate.
        • string—Text of the password.
        Note If this command is enabled, you will not be prompted for a password during enrollment
        for this trustpoint.

Step 8  Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
        Specifies which key pair to associate with the certificate.
        • key-label—Name of the key pair, which is generated during enrollment if it does not
          already exist or if the auto-enroll regenerate command is configured.
        • key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size
          is used. (The specified size must be the same as the encryption-key-size.)
        • encryption-key-size—(Optional) Size of the second key, which is used to request separate
          encryption, signature keys, and certificates. (The specified size must be the same as the
          key-size.)
        Note If this command is not enabled, the FQDN key pair is used.

Step 9  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 10 Router(config)# crypto pki authenticate name
        Authenticates the CA (by obtaining the certificate of the CA).
        • name—Name of the CA. Enter the name value entered in Step 1.
        Check the certificate fingerprint if prompted.
        Note This command is optional if the CA certificate is already loaded into the
        configuration.

Step 11 Router(config)# exit
        Exits global configuration mode and returns to privileged EXEC mode.

Step 12 Router# copy system:running-config nvram:startup-config
        (Optional) Copies the running configuration to the NVRAM startup configuration.

Configuring Manual Certificate Enrollment with Key Rollover
Note Do not regenerate the keys manually using the crypto key generate command; key rollover will occur
when the crypto pki enroll command is entered.
To configure key rollover with manual certificate enrollment, perform this task beginning in global
configuration mode:
Command / Purpose

Step 1  Router(config)# crypto pki trustpoint name
        Declares the name of the CA that your router should use and enters ca-trustpoint
        configuration mode.
        • name—Name of the CA.

Step 2  Router(ca-trustpoint)# enrollment url url
        Specifies the URL of the CA on which your router should send certificate requests; for
        example, http://ca_server.
        • url—Must be in the form of http://CA_name, where CA_name is the name of the CA’s host
          Domain Name System or the IP address.

Step 3  Router(ca-trustpoint)# subject-name [x.500-name]
        (Optional) Specifies the requested subject name that will be used in the certificate request.
        • x.500-name—If the x.500-name argument is not specified, the fully qualified domain name
          (FQDN), which is the default subject name, is used.

Step 4  Router(ca-trustpoint)# ip-address {interface | none}
        Includes the IP address of the specified interface in the certificate request.
        • interface—IP address of the interface.
        • none—Specify this keyword if no IP address should be included.
        If this command is enabled, you will not be prompted for an IP address during enrollment
        for this trustpoint.

Step 5  Router(ca-trustpoint)# serial-number [none]
        Specifies the router serial number in the certificate request, unless the none keyword is
        specified.
        • none—Specify this keyword if no serial number should be included.

Step 6  Router(ca-trustpoint)# regenerate
        Enables key rollover with certificate enrollment when the crypto pki enroll command is
        entered.
        Note This command generates a new key for the certificate even if a named key already
        exists.
        Do not use the crypto key generate command with the key rollover feature.
        If the key pair being rolled over is exportable, the new key pair will also be exportable.
        The following comment will appear in the trustpoint configuration to indicate whether the
        key pair is exportable:
        ! RSA key pair associated with trustpoint is exportable.

Step 7  Router(ca-trustpoint)# password string
        (Optional) Specifies the revocation password for the certificate.
        • string—Text of the password.
        Note If this command is enabled, you will not be prompted for a password during enrollment
        for this trustpoint.

Step 8  Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
        Specifies which key pair to associate with the certificate.
        • key-label—Name of the key pair, which is generated during enrollment if it does not
          already exist or if the auto-enroll regenerate command is configured.
        • key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size
          is used. (The specified size must be the same as the encryption-key-size.)
        • encryption-key-size—(Optional) Size of the second key, which is used to request separate
          encryption, signature keys, and certificates. (The specified size must be the same as the
          key-size.)
        Note If this command is not enabled, the FQDN key pair is used.

Step 9  Router(ca-trustpoint)# exit
        Exits ca-trustpoint configuration mode and enters global configuration mode.

Step 10 Router(config)# crypto pki authenticate name
        Authenticates the CA (by obtaining the certificate of the CA).
        • name—Name of the CA. Enter the name value entered in Step 1.
        Check the certificate fingerprint if prompted.
        Note This command is optional if the CA certificate is already loaded into the
        configuration.

Step 11 Router(config)# crypto pki enroll name
        Requests certificates for all of your RSA key pairs.
        • name—Name of the CA. This command causes your router to request as many certificates as
          there are RSA key pairs, so you need to perform this command only once, even if you have
          special-usage RSA key pairs. When the regenerate configuration command is configured,
          this command will perform key rollover.
        Note This command requires you to create a challenge password that is not saved with the
        configuration. This password is required if your certificate needs to be revoked, so you
        must remember this password.

Step 12 Router(config)# exit
        Exits global configuration mode.
For complete configuration information for key rollover for certificate renewal, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtkyroll.html
For key rollover configuration examples, see the “Key Rollover for Certificate Renewal Configuration
Examples” section on page 30-60.
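The validity dates printed by show crypto pki certificates and the percent argument of auto-enroll together determine when a router will ask for a new certificate. The following Python script is an added example, not part of the Cisco guide or of Cisco IOS: it parses output in that layout and reports which certificates are expired or have reached the renewal point. The function names, the sample output, and the assumption that all times share the router's clock zone are illustrative.

```python
import re
from datetime import datetime

# Matches "start date:18:16:45 PDT Jun 7 2002" and "start date: 19:50:40 GMT Oct 5 2004".
# "renew date" lines are deliberately not matched.
DATE_RE = re.compile(
    r"^(start|end) date:\s*(\d{2}:\d{2}:\d{2}) (\S+) (\w{3}) +(\d{1,2}) (\d{4})$")

# Constructed sample in the layout of "show crypto pki certificates" (not real router output).
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 0A01
  Certificate Usage: Signature
  Validity Date:
    start date: 00:00:00 GMT Jan 1 2024
    end date: 00:00:00 GMT Apr 10 2024
  Associated Trustpoints: example-ca
CA Certificate
  Status: Available
  Certificate Serial Number: 0C03
  Certificate Usage: Signature
  Validity Date:
    start date: 00:00:00 GMT Jan 1 2020
    end date: 00:00:00 GMT Jan 1 2030
  Associated Trustpoints: example-ca
"""


def parse_certificates(text):
    """Split the output into one dict per 'Certificate' / 'CA Certificate' block."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            cur = {"is_ca": line.startswith("CA"), "serial": None, "usage": None}
            certs.append(cur)
            continue
        if cur is None:
            continue  # text before the first certificate block (prompt, command echo)
        m = DATE_RE.match(line)
        if m:
            kind, clock, tz, mon, day, year = m.groups()
            # The zone abbreviation is kept as a label only; times are compared as
            # naive values, assuming every timestamp uses the router's clock zone.
            cur[kind] = datetime.strptime(f"{clock} {mon} {day} {year}",
                                          "%H:%M:%S %b %d %Y")
            cur["tz"] = tz
        elif line.startswith("Certificate Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith(("Certificate Usage:", "Key Usage:")):
            cur["usage"] = line.split(":", 1)[1].strip()
    return certs


def renewal_time(cert, percent):
    """Time at which 'percent' of the certificate lifetime has elapsed."""
    lifetime = cert["end"] - cert["start"]
    return cert["start"] + lifetime * percent / 100


def audit(text, now, percent):
    """Return (serial, state) pairs: 'expired', 'renewal due', 'ok' or 'no validity dates'."""
    report = []
    for cert in parse_certificates(text):
        if "start" not in cert or "end" not in cert:
            state = "no validity dates"
        elif now >= cert["end"]:
            state = "expired"
        elif not cert["is_ca"] and now >= renewal_time(cert, percent):
            state = "renewal due"  # router certificates only; CA certificates are not enrolled
        else:
            state = "ok"
        report.append((cert["serial"], state))
    return report


if __name__ == "__main__":
    for serial, state in audit(SAMPLE_OUTPUT, datetime(2024, 4, 1), 90):
        print(serial, state)
```

A certificate that stays in the "renewal due" state long after the computed time suggests that the enrollment request is not completing, which is worth checking before the certificate reaches its end date.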
Configuring PKI: Query Multiple Servers During Certificate Revocation Check
Before an X.509 certificate presented by a peer is validated, the certificate revocation list (CRL) is
checked to make sure that the certificate has not been revoked by the issuing certification authority (CA).
The certificate usually contains a certificate distribution point (CDP) in the form of a URL. Cisco IOS
software uses the CDP to locate and retrieve the CRL.
Previous versions of Cisco IOS software make only one attempt to retrieve the CRL, even when the
certificate contains more than one CDP. If the CDP server does not respond, the Cisco IOS software
reports an error, which may result in the peer’s certificate being rejected.
The PKI:query multiple servers during certificate revocation check feature provides the ability for Cisco
IOS software to make multiple attempts to retrieve the CRL by trying all of the available CDPs in a
certificate. This allows operations to continue when a particular server is not available. In addition, the
ability to override the CDPs in a certificate with a manually configured CDP is also provided. Manually
overriding the CDPs in a certificate can be advantageous when a particular server is unavailable for an
extended period of time. The certificate’s CDPs can be replaced with a URL or directory specification
without reissuing all of the certificates that contain the original CDP.
To manually override the existing CDPs for a certificate with a URL or directory specification, perform
this task beginning in global configuration mode:
Command / Purpose

Step 1  Router(config)# crypto pki trustpoint name
        Declares the CA that your router should use and enters ca-trustpoint configuration mode.
        • name—Name for the trustpoint CA.

Step 2  Router(ca-trustpoint)# match certificate certificate-map-label override cdp {url | directory} string
        Manually overrides the existing CDP entries for a certificate with a URL or directory
        specification.
        • certificate-map-label—A user-specified label that must match the label argument
          specified in a previously defined crypto pki certificate map command.
        • url—Specifies that the certificate’s CDPs will be overridden with an HTTP or LDAP URL.
        • directory—Specifies that the certificate’s CDPs will be overridden with an LDAP directory
          specification.
        • string—The URL or directory specification.
        Some applications may time out before all CDPs have been tried and will report an error
        message. This will not affect the router, and the Cisco IOS software will continue
        attempting to retrieve a CRL until all CDPs have been tried.

For complete configuration information for the PKI: Query Multiple Servers During Certificate
Revocation Check feature, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtcertrc.html
For a query multiple servers configuration example, see the “Local Certificate Storage Location
Configuration Example” section on page 30-55.
Configuring the Online Certificate Status Protocol
The Online Certificate Status Protocol (OCSP) feature allows users to enable OCSP instead of certificate
revocation lists (CRLs) to check certificate status. Unlike CRLs, which provide only periodic certificate
status, OCSP can provide timely information regarding the status of a certificate.
OCSP Configuration Guidelines and Restrictions
When configuring OCSP, follow these guidelines and restrictions:
• OCSP transports messages over HTTP, so there may be a time delay when you access the OCSP
server. If the OCSP server is unavailable, certificate verification will fail.
• The increased certificate size may cause a problem for low-end routers when certificates are stored
on NVRAM. Before you add the Authority Info Access (AIA) extension to a certificate, make sure
that the increased size will not cause deployment problems.
• An OCSP server usually operates in either push or poll mode. You can configure a CA server to push
revocation information to an OCSP server or configure an OCSP server to periodically download
(poll) a CRL from the CA server. To ensure that timely certificate revocation status is obtained, you
should carefully consider the push and poll interval.
• When configuring an OCSP server to return the revocation status for a CA server, the OCSP server
must be configured with an OCSP response signing certificate that is issued by that CA server.
Ensure that the signing certificate is in the correct format, or the router will not accept the OCSP
response. Refer to your OCSP manual for additional information.
To configure your router for OCSP to check certificate status, perform this task beginning in global
configuration mode:
Command / Purpose

Step 1  Router(config)# crypto pki trustpoint name
        Declares the CA that your router should use and puts you in ca-trustpoint configuration
        mode.
        • name—Name for the trustpoint CA.

Step 2  Router(ca-trustpoint)# ocsp url url
        (Optional) Specifies the URL of an OCSP server so that the trustpoint can check the
        certificate status. This URL will override the URL of the OCSP server (if one exists) in
        the Authority Info Access (AIA) extension of the certificate.
        • url—Specifies the HTTP URL to be used.

Step 3  Router(ca-trustpoint)# revocation-check method1 [method2[method3]]
        Checks the revocation status of a certificate.
        • method1 [method2[method3]]—Specifies the method used by the router to check the
          revocation status of the certificate. Available methods are as follows:
          – crl—Certificate checking is performed by a CRL. This is the default option.
          – none—Certificate checking is ignored.
          – ocsp—Certificate checking is performed by an OCSP server.
        If a second and third method are specified, each method will be used only if the previous
        method returns an error, such as a server being down.

Verifying the OCSP Configuration
To display information about your certificate and the CA certificate, enter the show crypto pki
certificates command:
Router# show crypto pki certificates
Certificate
Status: Available
Version: 3
Certificate Serial Number: 18C1EE03000000004CBD
Certificate Usage: General Purpose
Issuer:
cn=msca-root
ou=pki msca-root
o=cisco
l=santa cruz2
st=CA
c=US
ea=user@example.com
Subject:
Name: myrouter.example.com
hostname=myrouter.example.com
CRL Distribution Points:
http://msca-root/CertEnroll/msca-root.crl
Validity Date:
start date: 19:50:40 GMT Oct 5 2004
end date: 20:00:40 GMT Oct 12 2004
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (360 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 2B5F53E6 E3E892E6 3A9D3706 01261F10
Fingerprint SHA1: 315D127C 3AD34010 40CE7F3A 988BBDA5 CD528824
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
Authority Info Access:
Associated Trustpoints: msca-root
Key Label: myrouter.example.com
CA Certificate
Status: Available
Version: 3
Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
Certificate Usage: Signature
Issuer:
cn=msca-root
ou=pki msca-root
o=cisco
l=santa cruz2
st=CA
c=US
ea=user@example.com
Subject:
cn=msca-root
ou=pki msca-root
o=cisco
l=santa cruz2
st=CA
c=US
ea=user@example.com
CRL Distribution Points:
http://msca-root.example.com/CertEnroll/msca-root.crl
Validity Date:
start date: 22:19:29 GMT Oct 31 2002
end date: 22:27:27 GMT Oct 31 2017
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 84E470A2 38176CB1 AA0476B9 C0B4F478
Fingerprint SHA1: 0F57170C 654A5D7D 10973553 EFB0F94F 2FAF9837
X509v3 extensions:
X509v3 Key Usage: C6000000
Digital Signature
Non Repudiation
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: msca-root
To display the trustpoints and configured trustpoint subcommands that are configured in the router, enter
the show crypto pki trustpoints command:
Router# show crypto pki trustpoints
Trustpoint bo:
Subject Name:
CN = bomborra Certificate Manager
O = cisco.com
C = US
Serial Number:01
Certificate configured.
CEP URL:http://bomborra
CRL query url:ldap://bomborra
For complete configuration information for OCSP, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ocsp.html
For OCSP configuration examples, see the “Online Certificate Status Protocol Configuration Examples”
section on page 30-61.
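The revocation-check method list and the retrieval of a CRL from every CDP in a certificate both decide what happens when a revocation server is unreachable. The following Python model is an added example, not Cisco IOS code: it follows the rules stated in this chapter (a later method is used only if the previous one returns an error, none ignores checking, and all CDPs are tried) to show that a list ending in none accepts a revoked certificate when every server is down. All names, URLs and serial numbers are constructed.

```python
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    ERROR = "error"  # the method could not produce an answer (for example, server down)


def check_crl(serial, cdps, fetch_crl):
    """Try every CDP in order; the first CRL that can be retrieved decides the status.

    fetch_crl(url) returns the set of revoked serial numbers, or raises
    ConnectionError when the server does not respond.
    """
    for url in cdps:
        try:
            revoked = fetch_crl(url)
        except ConnectionError:
            continue  # this CDP is unavailable: try the next one
        return Status.REVOKED if serial in revoked else Status.GOOD
    return Status.ERROR  # no CDP could be reached


def check_ocsp(serial, responder):
    """responder(serial) returns True if revoked, or raises ConnectionError."""
    try:
        return Status.REVOKED if responder(serial) else Status.GOOD
    except ConnectionError:
        return Status.ERROR


def revocation_check(serial, methods, checkers):
    """Model of 'revocation-check method1 [method2[method3]]'.

    Returns (accepted, deciding_method). deciding_method is None when every
    configured method returned an error, in which case verification fails.
    """
    for method in methods:
        if method == "none":
            return True, "none"  # checking is ignored: the certificate is accepted
        status = checkers[method](serial)
        if status is Status.GOOD:
            return True, method
        if status is Status.REVOKED:
            return False, method  # a definite answer is final; no fallback
        # Status.ERROR: fall through to the next configured method
    return False, None


# Constructed test environment: the first CDP and the OCSP responder are down.
REVOKED_SERIAL = "0A01"
GOOD_SERIAL = "0B02"
CDPS = ["http://crl1.example.com/ca.crl", "http://crl2.example.com/ca.crl"]
REACHABLE_CRLS = {"http://crl2.example.com/ca.crl": {REVOKED_SERIAL}}


def fetch_crl(url):
    if url not in REACHABLE_CRLS:
        raise ConnectionError(url)
    return REACHABLE_CRLS[url]


def ocsp_down(serial):
    raise ConnectionError("OCSP responder unreachable")


def make_checkers(cdps):
    return {
        "crl": lambda serial: check_crl(serial, cdps, fetch_crl),
        "ocsp": lambda serial: check_ocsp(serial, ocsp_down),
    }


if __name__ == "__main__":
    all_down = make_checkers(CDPS[:1])  # only the unreachable CDP is listed
    for methods in (["ocsp", "crl"], ["ocsp", "crl", "none"]):
        print(methods, revocation_check(REVOKED_SERIAL, methods, all_down))
```

With every server unreachable, the list ocsp crl rejects the revoked certificate while ocsp crl none accepts it, so a trailing none trades revocation enforcement for availability.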
Configuring Optional OCSP Nonces
The Optional OCSP Nonces feature provides users with the ability to disable the sending of a nonce, or
unique identifier for an Online Certificate Status Protocol (OCSP) request, during OCSP
communications.
Note The Optional OCSP Nonces feature is only supported as of Cisco IOS Release 12.2(33)SRA.
When using OCSP as your revocation method, unique identifiers, or nonces, are sent by default during
peer communications with the OCSP server. The use of unique identifiers during OCSP server
communications enables more secure and reliable communications. However, not all OCSP servers
support the use of unique identifiers. (Refer to your OCSP manual for more information.) To disable the
use of unique identifiers during OCSP communications, use the ocsp disable-nonce subcommand in the
crypto pki trustpoint command.
Disabling OCSP Nonces
By default, OCSP nonces are used. To disable the use of these nonces and specify that your router should
not send unique identifiers, or nonces, during OCSP communication, use the ocsp disable-nonce
subcommand in the crypto pki trustpoint command as follows beginning in global configuration mode:
Command / Purpose

Step 1  Router(config)# crypto pki trustpoint name
        Declares the certificate authority (CA) that your router should use and enters
        ca-trustpoint configuration mode.
        • name—Name of the CA.

Step 2  Router(ca-trustpoint)# ocsp disable-nonce
        Specifies that your router will not send unique identifiers, or nonces, during OCSP
        communications.

Step 3  Router(ca-trustpoint)# end
        (Optional) Exits ca-trustpoint configuration mode.

For complete configuration information for optional OCSP nonces, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/s_pkinon.html
For an optional OCSP nonces configuration example, see the “Optional OCSP Nonces Configuration
Example” section on page 30-62.
Configuring Certificate Security Attribute-Based Access Control
Under the IPSec protocol, certificate authority (CA) interoperability permits Cisco IOS devices and a
CA to communicate so that the Cisco IOS device can obtain and use digital certificates from the CA.
Certificates contain several fields that are used to determine whether a device or user is authorized to
perform a specified action. The certificate security attribute-based access control feature adds fields to
the certificate to create a certificate-based ACL.
Certificate Security Attribute-Based Access Control Configuration Guidelines
and Restrictions
When configuring certificate security attribute-based access control, follow these guidelines and
restrictions:
• The certificate-based ACL specifies one or more fields within the certificate and an acceptable value
for each specified field. You can specify which fields within a certificate should be checked and
which values those fields may or may not have. There are six logical tests for comparing the field
with the value: equal, not equal, contains, does not contain, less than, and greater than or equal.
• If more than one field is specified within a single certificate-based ACL, the tests of all of the fields
within the ACL must succeed to match the ACL.
• The same field can be specified multiple times within the same ACL.
• More than one ACL can be specified. Each ACL will be processed in turn until a match is found or
all of the ACLs have been processed.
• Memory is required to hold the ACLs as they are created and as they are loaded from the
configuration file. The amount of memory depends on which fields within the certificate are being
checked and how many ACLs have been defined. Certificate-based ACL support requires one or
more compare operations when the fields in a certificate are being checked. Only the fields specified
by the ACL are checked. The compare operations are a small part of certificate validation and will
not have a noticeable effect on router performance when validating certificates.
To configure Certificate Security Attribute-Based Access Control, perform this task beginning in global
configuration mode:
Step 1
Command: Router(config)# crypto pki certificate map label sequence-number
Purpose: Starts ca-certificate-map mode and defines certificate-based ACLs by assigning a label for the ACL that will also be referenced within the crypto pki trustpoint command.
• label—An arbitrary string that identifies the ACL.
• sequence-number—A sequence number that orders ACLs with the same label.
Step 2
Command: Router(ca-certificate-map)# field-name match-criteria match-value
Purpose: In ca-certificate-map mode, you specify one or more certificate fields together with their matching criteria and the value to match.
• field-name—Specifies one of the following case-insensitive name strings or a date:
  – subject-name
  – issuer-name
  – unstructured-subject-name
  – alt-subject-name
  – name
  – valid-start
  – expires-on
  Note: Date field format is dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
• match-criteria—Specifies one of the following logical operators:
  – eq—Equal (valid for name and date fields)
  – ne—Not equal (valid for name and date fields)
  – co—Contains (valid only for name fields)
  – nc—Does not contain (valid only for name fields)
  – lt—Less than (valid only for date fields)
  – ge—Greater than or equal (valid only for date fields)
• match-value—Specifies the name or date to test with the logical operator assigned by match-criteria.
For example:
Router(ca-certificate-map)# subject-name co Cisco
Step 3
Command: Router(ca-certificate-map)# exit
Purpose: Exits ca-certificate-map mode.
Step 4
Command: Router(config)# crypto pki trustpoint name
Purpose: Starts ca-trustpoint configuration mode and creates a name for the CA.
• name—Specifies a name for the CA.
Step 5
Command: Router(ca-trustpoint)# match certificate certificate-map-label
Purpose: Associates the certificate-based ACL defined with the crypto pki certificate map command to the trustpoint.
• certificate-map-label—Specifies the label argument specified in the previously defined crypto pki certificate map command in Step 1.
Step 6
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode.
Verifying Certificate-Based ACLs
To verify the certificate-based ACL configuration, enter the show crypto pki certificates command. The
following example shows the components of the certificates (CA and router certificate) installed on the
router when the router has both authenticated and enrolled with a trustpoint:
Router# show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
Certificate Usage: Signature
Issuer:
CN = new-user
OU = pki new-user
O = cisco
L = santa cruz2
ST = CA
C = US
EA = user@cysco.net
Subject:
CN = new-user
OU = pki new-user
O = cisco
L = santa cruz2
ST = CA
C = US
EA = user@cysco.net
CRL Distribution Point:
http://new-user.cysco.net/CertEnroll/new-user.crl
Validity Date:
start date: 14:19:29 PST Oct 31 2002
end date: 14:27:27 PST Oct 31 2017
Associated Trustpoints: MS
Certificate
Status: Available
Certificate Serial Number: 193E28D20000000009F7
Certificate Usage: Signature
Issuer:
CN = new-user
OU = pki new-user
O = cisco
L = santa cruz2
ST = CA
C = US
EA = user@cysco.net
Subject:
Name: User1.Cysco.Net
OID.1.2.840.113549.1.9.2 = User1.Cysco.Net
CRL Distribution Point:
http://new-user.cysco.net/CertEnroll/new-user.crl
Validity Date:
start date: 12:40:14 PST Feb 26 2003
end date: 12:50:14 PST Mar 5 2003
renew date: 16:00:00 PST Dec 31 1969
Associated Trustpoints: MS
For complete configuration information for Certificate Security Attribute-Based Access Control, refer
to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftcrtacl.html
For a certificate-based ACL example, see the “Certificate Security Attribute-Based Access Control
Configuration Example” section on page 30-62.
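The matching rules from the guidelines and the field-name, match-criteria, and match-value syntax in this section, modeled as an added example that is not Cisco code: it parses certificate map text, rejects operators that are not valid for a field type, and returns the first ACL (by sequence number) whose tests all pass. The function names, the dictionary form of a certificate, the treatment of missing fields and empty ACLs, and all sample values are assumptions made for illustration.

```python
from datetime import datetime

NAME_FIELDS = {"subject-name", "issuer-name", "unstructured-subject-name",
               "alt-subject-name", "name"}
DATE_FIELDS = {"valid-start", "expires-on"}
NAME_OPS = {"eq", "ne", "co", "nc"}  # co/nc: name fields only
DATE_OPS = {"eq", "ne", "lt", "ge"}  # lt/ge: date fields only
DATE_FORMATS = ("%d %m %Y %H:%M:%S", "%b %d %Y %H:%M:%S")


def parse_date(text):
    """Parse 'dd mm yyyy hh:mm:ss' or 'mmm dd yyyy hh:mm:ss'."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognized date value: {text!r}")


def parse_maps(config):
    """Return {label: [(sequence, [(field, op, value), ...]), ...]}."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto pki certificate map "):
            words = line.split()
            if len(words) != 6:
                raise ValueError(f"expected label and sequence number: {line!r}")
            current = []
            maps.setdefault(words[4], []).append((int(words[5]), current))
            continue
        words = line.split(None, 2)
        if current is None or len(words) != 3:
            raise ValueError(f"unexpected line: {line!r}")
        field, op, value = words[0].lower(), words[1].lower(), words[2]
        if field in DATE_FIELDS and op in DATE_OPS:
            value = parse_date(value)
        elif not (field in NAME_FIELDS and op in NAME_OPS):
            raise ValueError(f"invalid field/operator pair: {field} {op}")
        current.append((field, op, value))
    for entries in maps.values():
        entries.sort(key=lambda entry: entry[0])  # evaluate in sequence order
    return maps


def check_field(cert, field, op, value):
    """Apply one field test to a certificate given as {field-name: value}."""
    actual = cert.get(field)
    if actual is None:
        return False  # assumption of this model: a missing field fails its test
    if field in DATE_FIELDS:
        return {"eq": actual == value, "ne": actual != value,
                "lt": actual < value, "ge": actual >= value}[op]
    actual, value = actual.lower(), value.lower()  # name strings are case-insensitive
    return {"eq": actual == value, "ne": actual != value,
            "co": value in actual, "nc": value not in actual}[op]


def first_match(maps, label, cert):
    """Sequence number of the first ACL under label whose tests all pass, else None."""
    for sequence, checks in maps.get(label, []):
        # Assumption of this model: an ACL with no tests matches nothing.
        if checks and all(check_field(cert, f, op, v) for f, op, v in checks):
            return sequence
    return None


# Constructed sample input; entry 20 is listed first to show ordering by sequence number.
SAMPLE_CONFIG = """\
crypto pki certificate map Group 20
 issuer-name eq cn=lab-ca
 subject-name nc contractor
crypto pki certificate map Group 10
 subject-name co Cisco
 expires-on ge Jan 01 2012 00:00:00
"""
LATE = datetime(2013, 1, 1)
SAMPLE_CERTS = {  # constructed certificates, reduced to the fields the ACLs test
    "router1": {"subject-name": "cn=router1,o=Cisco", "issuer-name": "cn=other-ca",
                "expires-on": LATE},
    "vpn7": {"subject-name": "cn=vpn7,ou=staff", "issuer-name": "CN=Lab-CA",
             "expires-on": LATE},
    "both": {"subject-name": "cn=r2,o=cisco", "issuer-name": "cn=lab-ca",
             "expires-on": LATE},
    "short": {"subject-name": "cn=old,o=cisco", "issuer-name": "cn=other-ca",
              "expires-on": datetime(2011, 6, 1)},
    # co is a substring test, so this subject also satisfies "subject-name co Cisco".
    "substring": {"subject-name": "cn=gw,o=NotCisco Holdings",
                  "issuer-name": "cn=other-ca", "expires-on": LATE},
}

if __name__ == "__main__":
    acls = parse_maps(SAMPLE_CONFIG)
    for name, cert in SAMPLE_CERTS.items():
        print(name, "->", first_match(acls, "Group", cert))
```

Because co matches anywhere in the name, an eq test on the full name, or several tests combined in one ACL, narrows the match more than a single co test does.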
Configuring PKI AAA Authorization Using the Entire Subject
Name
When using public key infrastructure (PKI) and authentication, authorization, and accounting (AAA)
functionality, users sometimes have attribute-value (AV) pairs that are different from those of every other
user. As a result, a unique username is required for each user. The PKI AAA authorization using the
entire subject name feature provides users with the ability to query the AAA server using the entire
subject name from the certificate as a unique AAA username.
PKI AAA Authorization Using the Entire Subject Name Configuration Guidelines
and Restrictions
When configuring PKI AAA authorization using the entire subject name, follow these guidelines and
restrictions:
• Some AAA servers limit the length of the username (for example, to 64 characters). As a result, the
entire certificate subject name cannot be longer than the limitation of the server.
• Some AAA servers limit the available character set that may be used for the username (for example,
a space [ ] and an equal sign [=] may not be acceptable). This feature will not work for the AAA
server having such a character-set limitation.
• The subject-name command in the trustpoint configuration might not always be the final AAA
subject name. If the fully qualified domain name (FQDN), serial number, or IP address of the router
are included in a certificate request, the subject name field of the issued certificate will also have
these components. To turn off the components, use the fqdn, serial-number, and ip-address
commands with the none keyword.
• Certificate authority (CA) servers sometimes change the requested subject name field when they
issue a certificate. For example, CA servers of some vendors switch the relative distinguished names
(RDNs) in the requested subject names to the following order: CN, OU, O, L, ST, and C. However,
another CA server might append the configured Lightweight Directory Access Protocol (LDAP)
directory root (for example, O=cisco.com) to the end of the requested subject name.
• Depending on the tools you choose for displaying a certificate, the printed order of the RDNs in the
subject name could be different. Cisco IOS software always displays the least significant RDN first,
but other software, such as Open Source Secure Socket Layer (OpenSSL), does the opposite.
Therefore, if you are configuring the AAA server with a full DN (subject name) as the corresponding
username, ensure that the Cisco IOS software style (that is, with the least-significant RDN first) is
used.
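A pre-flight check for the guidelines above, as an added example that is not Cisco code: it reorders a subject name printed with the most significant RDN first into least-significant-first order, checks the result against an AAA server's username limits, and reports how a CA changed a requested subject name. The comma-joined username format, the function names, the limits passed in, and the sample values are assumptions made for illustration.

```python
import re


def split_rdns(dn):
    """Split a one-line DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def reverse_rdn_order(dn):
    """Return the same DN with its RDNs listed in the opposite order."""
    return ",".join(reversed(split_rdns(dn)))


def username_problems(username, max_length=64, rejected_chars=""):
    """List the reasons an AAA server with these limits would reject the username."""
    problems = []
    if len(username) > max_length:
        problems.append(f"length {len(username)} exceeds limit of {max_length}")
    bad = sorted(set(username) & set(rejected_chars))
    if bad:
        problems.append("contains rejected characters: "
                        + " ".join(repr(ch) for ch in bad))
    return problems


def normalize_rdn(rdn):
    """Lower-case the attribute type and trim spaces around '=' for comparison."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip()


def compare_subjects(requested, issued):
    """Report RDNs a CA added, removed, or reordered relative to the request."""
    req = [normalize_rdn(r) for r in split_rdns(requested)]
    iss = [normalize_rdn(r) for r in split_rdns(issued)]
    return {
        "added": [r for r in iss if r not in req],
        "removed": [r for r in req if r not in iss],
        "reordered": [r for r in req if r in iss] != [r for r in iss if r in req],
    }


# Constructed sample: the subject from this chapter's show output (without the
# e-mail attribute), written with the most significant RDN (C) first.
SAMPLE_SUBJECT = "C=US, ST=CA, L=santa cruz2, O=cisco, OU=pki new-user, CN=new-user"

if __name__ == "__main__":
    name = reverse_rdn_order(SAMPLE_SUBJECT)
    print(name)
    print(username_problems(name))                       # fits a 64-character limit
    print(username_problems(name, rejected_chars=" ="))  # server that rejects ' ' and '='
    print(compare_subjects("O=cisco,OU=pki new-user,CN=new-user",
                           "CN=new-user,OU=pki new-user,O=cisco,O=cisco.com"))
```

Run the comparison against the issued certificate rather than the trustpoint's subject-name setting, since the guidelines note that the two can differ.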
To configure the entire certificate subject name for PKI authentication, perform this task beginning in
global configuration mode:
Step 1
Command: Router(config)# aaa new-model
Purpose: Enables the AAA access control model.
Step 2
Command: Router(config)# aaa authorization network listname [method]
Purpose: Sets the parameters that restrict user access to a network.
• listname—Character string used to name the list of authorization methods.
• method—Specifies an authorization method to be used for authorization. The method argument can be group radius, group tacacs+, or group group-name.
Step 3
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.
Step 4
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the enrollment parameters of your CA.
• url—The url argument is the URL of the CA to which your router should send certificate requests.
Step 5
Command: Router(ca-trustpoint)# revocation-check method
Purpose: (Optional) Checks the revocation status of a certificate.
• method—Method used by the router to check the revocation status. Available methods are ocsp, none, and crl.
Step 6
Command: Router(ca-trustpoint)# exit
Purpose: Exits ca-trustpoint configuration mode and enters global configuration mode.
Step 7
Command: Router(config)# authorization list {listname}
Purpose: Specifies the AAA authorization list.
• listname—Name of the list.
Step 8
Command: Router(config)# authorization username subjectname all
Purpose: Sets parameters for the different certificate fields that are used to build the AAA username. The all parameter specifies that the entire subject name of the certificate will be used as the authorization username.
Step 9
Command: Router(config)# tacacs-server host hostname [key string]
Purpose: Specifies a TACACS+ host.
• name—Name of the host.
• string—(Optional) Character string specifying authentication and encryption key.
or
Command: Router(config)# radius-server host hostname [key string]
Purpose: Specifies a RADIUS host.
For complete configuration information for the PKI AAA authorization using the entire subject name
feature, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_dnall.html
For a PKI AAA Authorization Using the Entire Subject Name configuration example, see the “Local
Certificate Storage Location Configuration Example” section on page 30-55.
Configuring Source Interface Selection for Outgoing Traffic with
Certificate Authority
The source interface selection for outgoing traffic with certificate authority feature allows you to specify
that the address of an interface be used as the source address for all outgoing TCP connections associated
with that trustpoint when a designated trustpoint has been configured.
To configure the interface that you want to use as the source address for all outgoing TCP connections
associated with a trustpoint, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
• name—Name for the trustpoint CA.
Step 2
Command: Router(ca-trustpoint)# enrollment url url
Purpose: Specifies the enrollment parameters of your CA.
• url—Specifies the URL of the CA where your router should send certificate requests; for example, http://ca_server. url must be in the form http://CA_name, where CA_name is the CA’s host Domain Name System (DNS) name or IP address.
Step 3
Command: Router(ca-trustpoint)# source interface interface-address
Purpose: Specifies the interface to be used as the source address for all outgoing TCP connections associated with that trustpoint.
• interface-address—Interface address.
Step 4
Command: Router(config)# interface type slot/[subslot]/port
Purpose: Configures an interface type and enters interface configuration mode.
• type—Type of interface being configured.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.
Step 5
Command: Router(config-if)# description string
Purpose: Adds a description to an interface configuration.
• string—Descriptive string.
Step 6
Command: Router(config-if)# ip address ip-address mask
Purpose: Sets a primary or secondary IP address for an interface.
• address—IP address.
• mask—Subnet mask.
Step 7
Command: Router(config-if)# interface type slot/[subslot]/port
Purpose: Configures an interface type.
• type—Type of interface being configured.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.
Step 8
Command: Router(config-if)# description string
Purpose: Adds a description to an interface configuration.
• string—Descriptive string.
Step 9
Command: Router(config-if)# ip address ip-address mask [secondary]
Purpose: Sets a primary or secondary IP address for an interface.
• address—IP address.
• mask—Subnet mask.
• [secondary]—Secondary address.
Step 10
Command: Router(config-if)# crypto map map-name
Purpose: Applies a previously defined crypto map set to the interface.
• map-name—Name that identifies the crypto map set.
For complete configuration information for source interface selection for outgoing traffic with certificate
authority, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_asish.html
For a source interface selection configuration example, see the “Source Interface Selection for Outgoing
Traffic with Certificate Authority Configuration Example” section on page 30-63.
Configuring Persistent Self-Signed Certificates
The persistent self-signed certificates feature saves a certificate generated by a Secure HTTP (HTTPS)
server for the Secure Sockets Layer (SSL) handshake in a router’s startup configuration.
Note: The persistent self-signed certificates feature is only supported as of Cisco IOS Release 12.2(33)SXH.
Cisco IOS software has an HTTPS server that allows access to web-based management pages using a
secure SSL connection. SSL requires the server to have an X.509 certificate that is sent to the client (web
browser) during the SSL handshake to establish a secure connection between the server and the client.
The client expects the SSL server’s certificate to be verifiable using a certificate the client already
possesses.
If Cisco IOS software does not have a certificate that the HTTPS server can use, the server generates a
self-signed certificate by calling a public key infrastructure (PKI) application programming interface
(API). When the client receives this self-signed certificate and is unable to verify it, intervention is
needed. The client asks you if the certificate should be accepted and saved for future use. If you accept
the certificate, the SSL handshake continues.
Future SSL handshakes between the same client and the server use the same certificate. However, if the
router is reloaded, the self-signed certificate is lost. The HTTPS server must then create a new
self-signed certificate. This new self-signed certificate does not match the previous certificate, so you
are once again asked to accept it.
Requesting acceptance of the router’s certificate each time that the router reloads can be annoying and
may present an opportunity for an attacker to substitute an unauthorized certificate during the time that
you are being asked to accept the certificate.
The persistent self-signed certificates feature overcomes all these limitations by saving a certificate in
the router’s startup configuration, resulting in the following benefits:
• Having a persistent self-signed certificate stored in the router’s startup configuration (NVRAM)
lessens the opportunity for an attacker to substitute an unauthorized certificate because the browser
is able to compare the certificate offered by the router with the previously saved certificate and warn
you if the certificate has changed.
• Having a persistent self-signed certificate stored in the router’s startup configuration eliminates the
user intervention that is necessary to accept the certificate every time that the router reloads.
• Because user intervention is no longer necessary to accept the certificate, the secure connection
process is faster.
Persistent Self-Signed Certificates Configuration Guidelines and Restrictions
When configuring persistent self-signed certificates, follow these guidelines and restrictions:
• You must load an image that supports SSL.
• You can configure only one trustpoint for a persistent self-signed certificate.
Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters
Note: This section is optional because if you enable the Secure HTTP (HTTPS) server, it generates a
self-signed certificate automatically using default values. To specify parameters, you must create a
trustpoint and configure it. To use default values, delete any existing self-signed trustpoints. Deleting all
self-signed trustpoints causes the HTTPS server to generate a persistent self-signed certificate using
default values as soon as it is enabled.
To configure a trustpoint and specify self-signed certificate parameters, perform this task beginning in
global configuration mode:
Step 1
Command: Router(config)# crypto pki trustpoint name
Purpose: Declares the certificate authority (CA) that your router should use and enters ca-trustpoint configuration mode.
• name—Name of the CA.
Step 2
Command: Router(ca-trustpoint)# enrollment selfsigned
Purpose: Specifies self-signed enrollment.
Step 3
Command: Router(ca-trustpoint)# subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name to be used in the certificate request.
• x.500-name—If the x.500-name argument is not specified, the fully qualified domain name (FQDN), which is the default subject name, is used.
Step 4
Command: Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]
Purpose: (Optional) Specifies which key pair to associate with the certificate.
• key-label—Name of the key pair, which is generated during enrollment if it does not already exist or if the auto-enroll regenerate command is configured.
• key-size—(Optional) Size of the desired RSA key. If not specified, the existing key size is used. (The specified size must be the same as the encryption-key-size.)
• encryption-key-size—(Optional) Size of the second key, which is used to request separate encryption, signature keys, and certificates. (The specified size must be the same as the key-size.)
Note: If this command is not enabled, the FQDN key pair is used.
Step 5
Command: Router(ca-trustpoint)# crypto pki enroll trustpoint-name
Purpose: Tells the router to generate the persistent self-signed certificate.
• trustpoint-name—Name of the CA.
Step 6
Command: Router(ca-trustpoint)# end
Purpose: (Optional) Exits ca-trustpoint configuration mode.
Enabling the HTTPS Server
To enable the HTTPS server, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# ip http secure-server
Purpose: Enables the secure HTTP web server.
Note: A key pair (modulus 1024) and a certificate are generated.
Step 2
Command: Router(config)# end
Purpose: Exits global configuration mode.
Note: You must enter a write memory command to save the configuration. This command also saves the
self-signed certificate and the HTTPS server in enabled mode.
Verifying the Persistent Self-Signed Certificate Configuration
To verify that a self-signed certificate and a trustpoint have been created, use the show crypto pki
certificates, show crypto mypubkey rsa, and the show crypto pki trustpoints commands.
The show crypto pki certificates command displays information about your certificate, the CA
certificate, and any registration authority certificates:
Router# show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-3326000105
Subject:
Name: IOS-Self-Signed-Certificate-3326000105
cn=IOS-Self-Signed-Certificate-3326000105
Validity Date:
start date: 19:14:14 GMT Dec 21 2004
end date: 00:00:00 GMT Jan 1 2020
Associated Trustpoints: TP-self-signed-3326000105
Note: The number 3326000105 above is the router’s serial number and varies depending on the router’s actual
serial number.
The show crypto mypubkey rsa command displays information about the key pair corresponding to the
self-signed certificate:
Router# show crypto mypubkey rsa
% Key pair was generated at: 19:14:10 GMT Dec 21 2004
Key name: TP-self-signed-3326000105
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B88F70
6BC78B6D 67D6CFF3 135C1D91 8F360292 CA44A032 5AC1A8FD 095E4865 F8C95A2B
BFD1C2B7 E64A3804 9BBD7326 207BD456 19BAB78B D075E78E 00D2560C B09289AE
6DECB8B0 6672FB3A 5CDAEE92 9D4C4F71 F3BCB269 214F6293 4BA8FABF 9486BCFC
2B941BCA 550999A7 2EFE12A5 6B7B669A 2D88AB77 39B38E0E AA23CB8C B7020301 0001
% Key pair was generated at: 19:14:13 GMT Dec 21 2004
Key name: TP-self-signed-3326000105.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C5680E 89777B42
463E5783 FE96EA9E F446DC7B 70499AF3 EA266651 56EE29F4 5B003D93 2FC9F81D
8A46E12F 3FBAC2F3 046ED9DD C5F27C20 1BBA6B9B 08F16E45 C34D6337 F863D605
34E30F0E B4921BC5 DAC9EBBA 50C54AA0 BF551BDD 88453F50 61020301 0001
Note: The second key pair with the name TP-self-signed-3326000105.server is the SSH key pair and is
generated once any key pair is created on the router and SSH starts up.
The show crypto pki trustpoints command displays the trustpoints that are configured in the router:
Router# show crypto pki trustpoints
Trustpoint local:
Subject Name:
serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.cisco.com
Serial Number: 01
Persistent self-signed certificate trust point
For complete configuration information for persistent self-signed certificates, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtpsscer.html
For persistent self-signed certificates configuration examples, see the “Persistent Self-Signed
Certificates Configuration Examples” section on page 30-64.
Configuring Certificate Chain Verification
To determine if a trustpoint has been successfully authenticated, a certificate has been requested and
granted, and if the certificate is currently valid, enter the crypto pki cert validate command.
Note: The crypto pki cert validate command is only supported as of Cisco IOS Release 12.2(33)SRA.
Certificate Chain Verification Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring certificate chain verification:
• The crypto pki cert validate command validates the router’s own certificate for a given trustpoint.
Use this command after enrollment to verify that the trustpoint is properly authenticated, a
certificate has been requested and granted for the trustpoint, and that the certificate is currently
valid. A certificate is valid if it is signed by the trustpoint certificate authority (CA), not expired,
and so on.
To allow the router to send dead peer detection (DPD) messages to the peer, enter the crypto pki cert
validate command in global configuration mode as follows:
Router(config)# crypto pki cert validate trustpoint
In this command, trustpoint specifies the trustpoint to be validated.
For complete configuration information for certificate chain verification, refer to the Cisco IOS Security
Command Reference.
For certificate chain verification configuration examples, see the “Certificate Chain Verification
Configuration Examples” section on page 30-65.
Configuration Examples
This section provides examples of the following configurations:
• Multiple RSA Key Pairs Configuration Example
• Protected Private Key Storage Configuration Examples
• Trustpoint CA Configuration Example
• Query Mode Definition Per Trustpoint Configuration Example
• Local Certificate Storage Location Configuration Example
• Direct HTTP Enrollment with CA Servers Configuration Examples
• Manual Certificate Enrollment Configuration Examples
• Certificate Autoenrollment Configuration Example
• Key Rollover for Certificate Renewal Configuration Examples
• PKI: Query Multiple Servers During Certificate Revocation Check (CDP Override) Configuration Example
• Online Certificate Status Protocol Configuration Examples
• Optional OCSP Nonces Configuration Example
• Certificate Security Attribute-Based Access Control Configuration Example
• PKI AAA Authorization Using the Entire Subject Name Configuration Example
• Source Interface Selection for Outgoing Traffic with Certificate Authority Configuration Example
• Persistent Self-Signed Certificates Configuration Examples
• Certificate Chain Verification Configuration Examples
Multiple RSA Key Pairs Configuration Example
The following example is a sample trustpoint configuration that specifies the RSA key pair
“exampleCAkeys”:
Router(config)# crypto key generate rsa general-purpose exampleCAkeys
Router(config)# crypto pki trustpoint exampleCAkeys
Router(ca-trustpoint)# enroll url http://exampleCAkeys/certsrv/mscep/mscep.dll
Router(ca-trustpoint)# rsakeypair exampleCAkeys 1024 1024
Protected Private Key Storage Configuration Examples
This section contains the following configuration examples:
• Encrypted Key Configuration Example
• Locked Key Configuration Example
Encrypted Key Configuration Example
The following example shows how to encrypt the pki1-72a.cisco.com RSA key:
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Locked Key Configuration Example
The following example shows how to lock the pki1-72a.cisco.com key:
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
Trustpoint CA Configuration Example
The following example shows how to declare the CA named kahului and specify characteristics for the
trustpoint CA:
Router(config)# crypto pki trustpoint kahului
Router(ca-trustpoint)# enrollment url http://kahului
Router(ca-trustpoint)# crl query ldap://kahului
Query Mode Definition Per Trustpoint Configuration Example
The following configuration example shows a trustpoint CA that uses query mode:
Router(config)# crypto pki trustpoint trustpoint1
Router(ca-trustpoint)# enrollment url http://ca-server1
Router(ca-trustpoint)# crl query http://ca-server1
Router(ca-trustpoint)# default query certificate
Router(ca-trustpoint)# query certificate
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate trustpoint1
Router(config)# crypto key generate rsa
Router(config)# crypto pki enroll trustpoint1
Local Certificate Storage Location Configuration Example
The following example shows how to store certificates to the certs subdirectory. Note that the certs
subdirectory does not exist and is automatically created.
Router(config)# crypto pki certificate storage disk0:/certs
Requested directory does not exist -- created
Certificates will be stored in disk0:/certs/
Router(config)# end
Router# write
*May 27 02:09:00:%SYS-5-CONFIG_I:Configured from console by consolemem
Building configuration...
[OK]
Router# directory disk0:/certs
Directory of disk0:/certs/
14 -rw- 707 May 27 2005 02:09:02 +00:00 ioscaroot#7401CA.cer
15 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#826E.cer
16 -rw- 759 May 27 2005 02:09:02 +00:00 msca-root#1BA8CA.cer
17 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#75B8.cer
18 -rw- 1149 May 27 2005 02:09:02 +00:00 storagename#6500CA.cer
19 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#83EE.cer
47894528 bytes total (20934656 bytes free)
! The certificate files are now on disk0/certs:
Direct HTTP Enrollment with CA Servers Configuration Examples
This section provides the following configuration examples:
• Enrollment Profile for a Client Router Configuration Example
• Enrollment Profile for a Client Router Already Enrolled with a Third-Party Vendor CA Example
• Certificate Server Automatically Accepting Enrollment Requests Only from the Client Router Configuration Example
Enrollment Profile for a Client Router Configuration Example
The following example shows how to configure an enrollment profile for direct HTTP enrollment with a
CA server:
Router(config)# crypto pki trustpoint Entrust
Router(ca-trustpoint)# enrollment profile E
Router(ca-trustpoint)# exit
Router(config)# crypto pki profile enrollment E
Router(ca-profile-enroll)# authentication url http://entrust:81
Router(ca-profile-enroll)# authentication command GET /certs/cacert.der
Router(ca-profile-enroll)# enrollment url http://entrust:81/cda-cgi/clientcgi.exe
Router(ca-profile-enroll)# enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
Router(ca-profile-enroll)# parameter 1 value aaaa-bbbb-cccc
Router(ca-profile-enroll)# parameter 2 value 5001
Enrollment Profile for a Client Router Already Enrolled with a Third-Party Vendor CA Example
The following example shows how to configure the following tasks on the client router:
• Define the msca-root trustpoint that points to the third-party vendor CA and enroll and authenticate
the client with the third-party vendor CA.
• Define the cs trustpoint for the Cisco IOS CA.
• Define enrollment profile “cs1,” which points to the Cisco IOS CA, and specify (via the enrollment
credential command) that msca-root is being initially enrolled with the Cisco IOS CA.
! Define trustpoint "msca-root" for non-Cisco IOS CA.
Router(config)# crypto pki trustpoint msca-root
Router(ca-trustpoint)# enrollment mode ra
Router(ca-trustpoint)# enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
Router(ca-trustpoint)# ip-address FastEthernet2/0
Router(ca-trustpoint)# revocation-check crl
! Configure trustpoint "cs" for Cisco IOS CA.
Router(config)# crypto pki trustpoint cs
Router(ca-trustpoint)# enrollment profile cs1
Router(ca-trustpoint)# revocation-check crl
! Define enrollment profile "cs1."
Router(config)# crypto pki profile enrollment cs1
Router(ca-profile-enroll)# enrollment url http://cs:80
Router(ca-profile-enroll)# enrollment credential msca-root
Certificate Server Automatically Accepting Enrollment Requests Only from the Client Router
Configuration Example
The following example shows how to configure the certificate server, and enter the grant auto
trustpoint command to instruct the certificate server to accept enrollment requests only from clients
who are already enrolled with msca-root trustpoint:
Router(config)# crypto pki server cs
Router(cs-server)# database level minimum
Router(cs-server)# database url nvram:
Router(cs-server)# issuer-name CN=cs
Router(cs-server)# grant auto trustpoint msca-root
Router(config)# crypto pki trustpoint cs
Router(ca-trustpoint)# revocation-check crl
Router(ca-trustpoint)# rsakeypair cs
Router(ca-trustpoint)# crypto pki trustpoint msca-root
Router(ca-trustpoint)# enrollment mode ra
Router(ca-trustpoint)# enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
Router(ca-trustpoint)# revocation-check crl
Manual Certificate Enrollment Configuration Examples
This section provides the following manual certificate enrollment configuration examples:
• Manual Certificate Enrollment Using TFTP Configuration Example
• Manual Certificate Enrollment Using Cut-and-Paste Configuration Example
Manual Certificate Enrollment Using TFTP Configuration Example
The following example shows the configuration of manual certificate enrollment using TFTP:
Router(config)# crypto pki trustpoint MS
Router(ca-trustpoint)# enrollment url tftp://CA-Server/TFTPfiles/router1
Router(ca-trustpoint)# crypto pki authenticate MS
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll MS
Router(config)# crypto pki import MS certificate
Manual Certificate Enrollment Using Cut-and-Paste Configuration Example
The following example shows how to configure manual cut-and-paste certificate enrollment. In this
example, the name of the trustpoint CA is MS, and the crypto pki import command is entered twice
because usage keys (signature and encryption keys) are used.
Router(config)# crypto pki trustpoint MS
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# crypto pki authenticate MS
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint:D6C12961 CD78808A 4E02193C 0790082A
% Do you accept this certificate? [yes/no]:y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)#
Router(config)# crypto pki enroll MS
% Start certificate enrollment..
% The subject name in the certificate will be:Router.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [no]:n
Display Certificate Request to terminal? [yes/no]:y
Signature key certificate request -
Certificate Request follows:
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:
Encryption key certificate request -
Certificate Request follows:
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]:
n
Router(config)#crypto pki import MS certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
% Router Certificate successfully imported
Router(config)#
Router(config)# crypto pki import MS certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
% Router Certificate successfully imported
Certificate Autoenrollment Configuration Example
The following example shows how to configure the router to autoenroll with a CA on start-up:
Router(config)# crypto pki trustpoint frog
Router(ca-trustpoint)# enrollment url http://frog.phoobin.com/
Router(ca-trustpoint)# subject-name OU=Spiral Dept., O=tiedye.com
Router(ca-trustpoint)# ip-address ethernet-0
Router(ca-trustpoint)# auto-enroll regenerate
Router(ca-trustpoint)# password revokeme
Router(ca-trustpoint)# rsa-key frog 2048
!
Router(config)# crypto pki certificate chain frog
Router(config-cert-chain)# certificate ca 0B
quit
Key Rollover for Certificate Renewal Configuration Examples
This section contains the following examples:
• Certificate Autoenrollment with Key Rollover Configuration Example
• Manual Certificate Enrollment with Key Rollover Configuration Example
Certificate Autoenrollment with Key Rollover Configuration Example
The following example shows how to configure the router to autoenroll with the CA named trustme1 on
startup. In this example, the regenerate keyword is specified, so a new key will be generated for the
certificate. The renewal percentage is configured as 90 so if the certificate has a lifetime of one year, a
new certificate is requested 36.5 days before the old certificate expires. The changes made to the running
configuration are saved to the NVRAM startup configuration because autoenrollment will not update
NVRAM if the running configuration has been modified but not written to NVRAM.
Router(config)# crypto pki trustpoint trustme1
Router(ca-trustpoint)# enrollment url http://trustme1.company.com/
Router(ca-trustpoint)# subject-name OU=Spiral Dept., O=tiedye.com
Router(ca-trustpoint)# ip-address ethernet0
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# auto-enroll 90 regenerate
Router(ca-trustpoint)# password revokeme
Router(ca-trustpoint)# rsakeypair trustme1 2048
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate trustme1
Router(config)# copy system:running-config nvram:startup-config
Manual Certificate Enrollment with Key Rollover Configuration Example
The following example shows how to configure key rollover to regenerate new keys with a manual
certificate enrollment from the CA named trustme2.
Router(config)# crypto pki trustpoint trustme2
Router(ca-trustpoint)# enrollment url http://trustme2.company.com/
Router(ca-trustpoint)# subject-name OU=Spiral Dept., O=tiedye.com
Router(ca-trustpoint)# ip-address ethernet0
Router(ca-trustpoint)# serial-number none
Router(ca-trustpoint)# regenerate
Router(ca-trustpoint)# password revokeme
Router(ca-trustpoint)# rsakeypair trustme2 2048
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate trustme2
Router(config)# crypto pki enroll trustme2
Router(config)# exit
PKI: Query Multiple Servers During Certificate Revocation Check (CDP
Override) Configuration Example
The following example uses the match certificate override cdp command to override the CDPs for the
certificate map named Group1 defined in a crypto pki certificate map command:
Router(config)# crypto pki certificate map Group1 10
Router(ca-certificate-map)# subject-name co ou=WAN
Router(ca-certificate-map)# subject-name co o=Cisco
Router(config)# crypto pki trustpoint pki
Router(ca-trustpoint)# match certificate Group1 override cdp url http://server.cisco.com
Online Certificate Status Protocol Configuration Examples
This section provides the following configuration examples:
• OCSP Server Configuration Example
• CRL Then OCSP Server Configuration Example
• Specific OCSP Server Configuration Example
OCSP Server Configuration Example
The following example shows how to configure the router to use the OCSP server that is specified in the
AIA extension of the certificate:
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check ocsp
CRL Then OCSP Server Configuration Example
The following example shows how to configure the router to download the CRL from the certificate
distribution point (CDP); if the CRL is unavailable, the OCSP server that is specified in the AIA
extension of the certificate will be used. If both options fail, certificate verification will also fail.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check crl ocsp
Specific OCSP Server Configuration Example
The following example shows how to configure your router to use the OCSP server at the HTTP URL
http://myocspserver:81. If the server is down, revocation check will be ignored.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# ocsp url http://myocspserver:81
Router(ca-trustpoint)# revocation-check ocsp none
Optional OCSP Nonces Configuration Example
The following example shows the unique identifier being disabled for OCSP communications for a
previously created trustpoint named ts:
Router(config)# crypto pki trustpoint ts
Router(ca-trustpoint)# ocsp disable-nonce
Router(ca-trustpoint)# end
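The revocation-check method lists in the OCSP examples above behave differently when no CRL or OCSP responder can be reached. The following Python script is an added example, not part of the Cisco guide: it parses trustpoint configuration, walks each method list in the order the text describes, and flags trustpoints that end in none or that disable the OCSP nonce. The sample configuration is constructed from the examples above, and the trustpoint names mytp-aia, mytp-crl-first and mytp-url are made up.

```python
import re

# Constructed sample: the OCSP trustpoint examples from this section, written as
# running-config text. The names mytp-aia, mytp-crl-first and mytp-url are made up.
SAMPLE_CONFIG = """\
crypto pki trustpoint mytp-aia
 revocation-check ocsp
crypto pki trustpoint mytp-crl-first
 revocation-check crl ocsp
crypto pki trustpoint mytp-url
 ocsp url http://myocspserver:81
 revocation-check ocsp none
crypto pki trustpoint ts
 revocation-check ocsp
 ocsp disable-nonce
"""

# Strips an interactive prompt such as "Router(ca-trustpoint)# " so that a pasted
# terminal session parses the same way as running-config text.
PROMPT = re.compile(r"^\s*Router\s?\([^)]*\)#\s*")


def parse_trustpoints(text):
    """Return {name: {"methods": [...], "nonce": bool}} for each trustpoint."""
    trustpoints, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        head = re.match(r"crypto pki trustpoint (\S+)$", line)
        if head:
            current = trustpoints.setdefault(
                head.group(1), {"methods": [], "nonce": True})
        elif line.startswith("crypto "):
            current = None  # a different top-level crypto block begins
        elif current is not None and line.startswith("revocation-check "):
            current["methods"] = line.split()[1:]
        elif current is not None and line == "ocsp disable-nonce":
            current["nonce"] = False
    return trustpoints


def check_revocation(methods, status):
    """Walk the method list in order.

    status maps "crl" / "ocsp" to "good", "revoked" or "unavailable".
    An unavailable method falls through to the next one; "none" accepts the
    certificate without any revocation answer; running out of methods fails.
    """
    for method in methods:
        if method == "none":
            return "accept-unchecked"
        result = status.get(method, "unavailable")
        if result == "good":
            return "accept"
        if result == "revoked":
            return "reject"
    return "reject"


def audit(text):
    """List (trustpoint, finding) pairs worth reviewing."""
    findings = []
    for name, tp in parse_trustpoints(text).items():
        if "none" in tp["methods"]:
            # Revocation is skipped whenever the earlier methods are unreachable.
            findings.append((name, "fail-open"))
        if not tp["nonce"]:
            # Without the nonce (the "unique identifier" in the text) a response
            # is not tied to the request that asked for it.
            findings.append((name, "nonce-disabled"))
    return findings


if __name__ == "__main__":
    outage = {"crl": "unavailable", "ocsp": "unavailable"}
    for name, tp in parse_trustpoints(SAMPLE_CONFIG).items():
        print(name, tp["methods"], "during outage:",
              check_revocation(tp["methods"], outage))
    for name, finding in audit(SAMPLE_CONFIG):
        print("REVIEW", name, finding)
```

With both services unreachable, only the trustpoint ending in none still accepts the peer certificate; the other method lists fail verification.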
Certificate Security Attribute-Based Access Control Configuration Example
The following example shows how to configure a certificate-based ACL:
Router(config)# crypto pki certificate map Group 10
Router(ca-certificate-map)# subject-name co Cisco
Router(ca-certificate-map)# exit
Router(config)# crypto pki trustpoint Access
Router(ca-trustpoint)# match certificate Group
Router(ca-trustpoint)# exit
PKI AAA Authorization Using the Entire Subject Name Configuration Example
The following example shows that the entire subject name of the certificate is to be used for PKI AAA
authorization:
Router(config)# aaa new-model
Router(config)# aaa authorization network tac-o group tacacs+
Router(config)# crypto pki trustpoint test
Router(ca-trustpoint)# enrollment url http://caserver:80
Router(ca-trustpoint)# revocation-check crl
Router(ca-trustpoint)# authorization list tac-o
Router(ca-trustpoint)# authorization username subjectname all
Router(ca-trustpoint)# exit
Router(config)# tacacs-server host 20.2.2.2 key a_secret_ke
Source Interface Selection for Outgoing Traffic with Certificate Authority
Configuration Example
In the following example, the router is located in a branch office. The router uses IP Security (IPSec) to
communicate with the main office. Ethernet 1 is the outside interface that connects to the Internet
Service Provider (ISP). Ethernet 0 is the interface connected to the LAN of the branch office. To access
the CA server located in the main office, the router must send its IP datagrams out interface Ethernet 1
(address 10.2.2.205) using the IPSec tunnel. Address 10.2.2.205 is assigned by the ISP. Address
10.2.2.205 is not a part of the branch office or main office.
The CA cannot access any address outside the company because of a firewall. The CA sees a message
coming from 10.2.2.205 and cannot respond (that is, the CA does not know that the router is located in
a branch office at address 10.1.1.1, which it is able to reach).
Adding the source interface command tells the router to use address 10.1.1.1 as the source address of
the IP datagram that it sends to the CA. The CA is able to respond to 10.1.1.1.
This example is configured using the source interface command and the interface addresses as
described above.
Router(config)# crypto pki trustpoint ms-ca
Router(ca-trustpoint)# enrollment url http://ms-ca:80/certsrv/mscep/mscep.dll
Router(ca-trustpoint)# source interface ethernet0
Router(config)# interface ethernet 0
Router(config-if)# description inside interface
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config)# interface ethernet 1
Router(config-if)# description outside interface
Router(config-if)# ip address 10.2.2.205 255.255.255.0
Router(config-if)# crypto map main-office
Persistent Self-Signed Certificates Configuration Examples
The following examples show how to configure a persistent self-signed certificate:
• Trustpoint and Self-Signed Certificate Configuration Example
• Enabling the HTTPS Server Configuration Example
Trustpoint and Self-Signed Certificate Configuration Example
The following example shows how to configure a trustpoint and a self-signed certificate. In this example,
a trustpoint named local is declared, its enrollment is requested, and a self-signed certificate with an IP
address is generated.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint local
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# end
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki enroll local
Nov 29 20:51:13.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Nov 29 20:51:13.267: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: ethernet 0
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Note A router can have only one self-signed certificate. If you attempt to enroll a trustpoint configured for a
self-signed certificate and one already exists, you receive a notification and are asked if you want to
replace it. If so, a new self-signed certificate is generated to replace the existing one.
Enabling the HTTPS Server Configuration Example
In the following example, the HTTPS server is enabled and a default trustpoint is generated because one
was not previously configured:
Router(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
*Dec 21 19:14:15.421:%PKI-4-NOAUTOSAVE:Configuration was modified. Issue "write memory"
to save new certificate
Router(config)#
Note You must save the configuration to NVRAM if you want to keep the self-signed certificate and have the
HTTPS server enabled following router reloads.
The following message also appears:
*Dec 21 19:14:10.441:%SSH-5-ENABLED:SSH 1.99 has been enabled
Router(config)#
Note Creation of the key pair used with the self-signed certificate causes the Secure Shell (SSH) server to
start. This behavior cannot be suppressed. You may want to modify your access control lists (ACLs) to
permit or deny SSH access to the router.
Certificate Chain Verification Configuration Examples
The following examples show the possible output from the crypto pki cert validate command:
Router(config)# crypto pki cert validate ka
Validation Failed: trustpoint not found for ka
Router(config)# crypto pki cert validate ka
Validation Failed: can't get local certificate chain
Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Certificate chain for ka is valid
Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Validation Error: no certs on chain
Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Validation Error: unspecified error
CHAPTER 31
Configuring Advanced VPNs Using the IPSec VPN SPA
This chapter provides information about configuring advanced IPSec VPNs on the IPSec VPN SPA on
the Cisco 7600 series router. It includes the following sections:
• Overview of Advanced VPNs
• Configuring DMVPN
• Configuring the Easy VPN Server
• Configuring the Easy VPN Remote
• Configuring Easy VPN Remote RSA Signature Storage
• Configuration Examples
Note The procedures in this chapter assume you have familiarity with security configuration concepts, such
as VLANs, ISAKMP policies, preshared keys, transform sets, access control lists, and crypto maps. For
more information about these and other security configuration concepts, refer to the following Cisco IOS
documentation:
Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html
Cisco IOS Security Command Reference, Release 12.2, at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
Tip To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Overview of Advanced VPNs
Configuring IP Security (IPSec) Virtual Private Networks (VPNs) in large, complicated networks can be
quite complex. This chapter introduces Dynamic Multipoint VPN (DMVPN) and Easy VPN, two
features that ease IPSec configuration in advanced environments.
Configuring DMVPN
The DMVPN feature allows users to better scale large and small IPSec VPNs by combining generic
routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP).
Figure 31-1 shows an example of a DMVPN configuration with a hub and two spokes.
Figure 31-1 DMVPN Configuration Example
DMVPN Configuration Guidelines and Restrictions
When configuring DMVPN, follow these guidelines and restrictions:
• A tunnel key should not be configured. If a tunnel key is configured, neither the PFC3 nor the IPSec
VPN SPA will take over the tunnel and the tunnel will be switched in software.
• GRE tunnels in different Virtual Routing and Forwarding (VRF) instances cannot share the same
tunnel source.
• In non-VRF mode, multipoint GRE tunnels should not share the same tunnel source.
• Multicast streaming is not supported across DMVPN on a Cisco 7600 series router. Only multicast
packets from a control plane such as routing protocols are supported.
• In a VRF-Aware DMVPN configuration, the mls mpls tunnel-recir command must be configured
globally on the PE/hub if the CE/DMVPN spokes need to talk to other CEs across the MPLS cloud.
• For the NAT-transparency aware enhancement to work with DMVPN, you must use IPSec transport
mode on the transform set. Also, even though NAT-transparency (IKE and IPSec) can support two
peers (IKE and IPSec) being translated to the same IP address (using the User Datagram Protocol
[UDP] ports to differentiate them [this would be Peer Address Translation]), this functionality is not
supported for DMVPN. All DMVPN spokes must have a unique IP address after they have been NAT
translated. They can have the same IP address before they are NAT translated.
• If you use the dynamic creation of spoke-to-spoke tunnels that this feature provides, you must use
IKE certificates or wildcard preshared keys for Internet Security Association and Key Management
Protocol (ISAKMP) authentication.
Note We recommend that you do not use wildcard preshared keys because access to the entire VPN is
compromised if one spoke router is compromised.
• GRE tunnel keepalive (that is, the keepalive command under the GRE interface) is not supported on
multipoint GRE tunnels.
• FVRF is not supported on a multipoint GRE (mGRE) tunnel configured on a DMVPN spoke. FVRF
is supported on an mGRE tunnel configured on a DMVPN hub.
To enable mGRE and IPSec tunneling for hub and spoke routers, configure your mGRE tunnel for IPSec
encryption using the following procedures:
• DMVPN Prerequisites
• Configuring an IPSec Profile
• Configuring the Hub for DMVPN in VRF Mode
• Configuring the Hub for DMVPN in Crypto-Connect Mode
• Configuring the Spoke for DMVPN in VRF Mode
• Configuring the Spoke for DMVPN in Crypto-Connect Mode
• Verifying the DMVPN Configuration
• DMVPN Configuration Examples
For complete configuration information for DMVPN support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html
DMVPN Prerequisites
Before configuring an IPSec profile, you must define a transform set by using the crypto ipsec
transform-set command.
Configuring an IPSec Profile
The IPSec profile shares most of the same commands with the crypto map configuration, but only a
subset of the commands are valid in an IPSec profile. Only commands that pertain to an IPSec policy
can be issued under an IPSec profile; you cannot specify the IPSec peer address or the access control list
(ACL) to match the packets that are to be encrypted.
To configure an IPSec profile, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# crypto ipsec profile name
Purpose: Defines the IPSec parameters that are to be used for IPSec encryption between “spoke and
hub” and “spoke and spoke” routers. This command enters crypto map configuration mode.
• name—Name of the IPSec profile.

Step 2
Command: Router(config-crypto-map)# set transform-set transform-set-name
Purpose: Specifies which transform sets can be used with the IPSec profile.
• transform-set-name—Name of the transform set.

Step 3
Command: Router(config-crypto-map)# set identity
Purpose: (Optional) Specifies identity restrictions to be used with the IPSec profile.

Step 4
Command: Router(config-crypto-map)# set security association lifetime {seconds seconds | kilobytes kilobytes}
Purpose: (Optional) Overrides the global lifetime value for the IPSec profile.
• seconds—Number of seconds a security association will live before expiring.
• kilobytes—Volume of traffic (in kilobytes) that can pass between IPSec peers using a given
security association before that security association expires.

Step 5
Command: Router(config-crypto-map)# set pfs [group1 | group14 | group2 | group5]
Purpose: (Optional) Specifies that IP Security should ask for perfect forward secrecy (PFS) when
requesting new security associations for this IPSec profile. If this command is not specified, the
default (group1) will be enabled.
• group1—(Optional) Specifies that IPsec should use the 768-bit Diffie-Hellman (DH) prime
modulus group when performing the new DH exchange.
• group14—(Optional) Specifies the 2048-bit DH prime modulus group.
• group2—(Optional) Specifies the 1024-bit DH prime modulus group.
• group5—(Optional) Specifies the 1536-bit DH prime modulus group.
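Step 5 lists four DH groups with very different modulus sizes, and a bare set pfs selects group1. The following Python script is an added example, not part of the Cisco guide: it reads IPSec profile configuration and reports which PFS group each profile requests, using the modulus sizes from the table above. The sample configuration and profile names are constructed, and the 2048-bit floor is an assumption of this example, not a requirement stated in the guide.

```python
import re

# Modulus sizes exactly as listed for the set pfs keywords in Step 5.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}

# Constructed sample; the profile and transform-set names are made up.
SAMPLE_CONFIG = """\
crypto ipsec profile VPN-PROF-A
 set transform-set ts
 set pfs group14
crypto ipsec profile VPN-PROF-B
 set transform-set ts
 set pfs
crypto ipsec profile VPN-PROF-C
 set transform-set ts
 set pfs group2
crypto ipsec profile VPN-PROF-D
 set transform-set ts
"""

# A profile header followed by its indented subcommands.
PROFILE = re.compile(
    r"(?m)^crypto ipsec profile (\S+)[ \t]*\n((?:[ \t]+.*\n?)*)")
# "set pfs" with an optional group keyword.
SET_PFS = re.compile(r"(?m)^[ \t]+set pfs(?:[ \t]+(group\d+))?[ \t]*$")


def pfs_by_profile(config):
    """Map each IPSec profile to the PFS group it requests.

    A bare "set pfs" counts as group1; a profile with no "set pfs" line at
    all maps to None so it can be reviewed separately.
    """
    groups = {}
    for name, body in PROFILE.findall(config):
        match = SET_PFS.search(body)
        groups[name] = None if match is None else (match.group(1) or "group1")
    return groups


def weak_pfs(config, min_bits=2048):
    """Return (profile, group, bits) for profiles below min_bits or without PFS."""
    findings = []
    for name, group in pfs_by_profile(config).items():
        if group is None:
            findings.append((name, "no set pfs line", None))
            continue
        bits = DH_BITS.get(group)  # None for a group not listed in the table
        if bits is None or bits < min_bits:
            findings.append((name, group, bits))
    return findings


if __name__ == "__main__":
    for name, group, bits in weak_pfs(SAMPLE_CONFIG):
        print(f"REVIEW {name}: {group} ({bits} bit)")
```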
Configuring the Hub for DMVPN in VRF Mode
In VPN routing and forwarding instance (VRF) mode, to configure the hub router for mGRE and IPSec
integration (that is, to associate the tunnel with the IPSec profile configured in the previous procedure),
perform this task beginning in global configuration mode:
Step 1
  Command: Router(config)# interface tunnel tunnel-number
  Purpose: Configures a tunnel interface and enters interface configuration mode.
    • tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Step 2
  Command: Router(config-if)# ip vrf forwarding inside-vrf-name
  Purpose: (Optional) Associates a VRF with an interface or subinterface. This step is required only when configuring an inside VRF.
    • inside-vrf-name—Name assigned to the VRF.
Step 3
  Command: Router(config-if)# ip address ip-address mask [secondary]
  Purpose: Sets a primary or secondary IP address for the tunnel interface.
    • address—IP address.
    • mask—Subnet mask.
    • secondary—(Optional) Secondary IP address.
Step 4
  Command: Router(config-if)# ip mtu bytes
  Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
    • bytes—MTU size in bytes.
Step 5
  Command: Router(config-if)# ip nhrp authentication string
  Purpose: (Optional) Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP).
    • string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.
Step 6
  Command: Router(config-if)# ip nhrp map multicast dynamic
  Purpose: Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.
Step 7
  Command: Router(config-if)# ip nhrp network-id number
  Purpose: Enables NHRP on an interface.
    • number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.
Step 8
  Command: Router(config-if)# tunnel source {ip-address | type number}
  Purpose: Sets source address for a tunnel interface.
    • ip-address—IP address to use as the source address for packets in the tunnel.
    • type number—Interface type and number (for example, VLAN 2).
Step 9
  Command: Router(config-if)# tunnel mode gre multipoint
  Purpose: Sets the encapsulation mode to mGRE for the tunnel interface.
Step 10
  Command: Router(config-if)# tunnel vrf front-door-vrf-name
  Purpose: (Optional) Associates a VRF instance with a specific tunnel destination, interface, or subinterface. This step is required only when configuring a front door VRF (FVRF).
    • front-door-vrf-name—Name assigned to the VRF. This may or may not be the same as the inside-vrf-name.
Step 11
  Command: Router(config-if)# tunnel protection ipsec profile name
  Purpose: Associates a tunnel interface with an IPSec profile.
    • name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.
Step 12
  Command: Router(config-if)# crypto engine slot slot/subslot inside
  Purpose: Assigns the specified crypto engine to the inside interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Step 13
  Command: Router(config-if)# interface type slot/subslot/port
  Purpose: Configures the DMVPN physical egress interface.
Step 14
  Command: Router(config-if)# ip vrf forwarding front-door-vrf-name
  Purpose: (Optional) Associates a VRF with an interface or subinterface. This step is required only when configuring a front door VRF (FVRF).
    • front-door-vrf-name—Name assigned to the VRF. This is the same name used in Step 10.
Step 15
  Command: Router(config-if)# ip address address mask
  Purpose: Sets a primary or secondary IP address for an interface.
    • address—IP address.
    • mask—Subnet mask.
Step 16
  Command: Router(config-if)# crypto engine slot slot/subslot outside
  Purpose: Enables the crypto engine on the interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Configuring the Hub for DMVPN in Crypto-Connect Mode
In crypto-connect mode, to configure the hub router for mGRE and IPSec integration (that is, to associate
the tunnel with the IPSec profile configured in the previous procedure), perform this task beginning in
global configuration mode:
Step 1
  Command: Router(config)# interface tunnel tunnel-number
  Purpose: Configures a tunnel interface and enters interface configuration mode.
    • tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Step 2
  Command: Router(config-if)# ip address ip-address mask [secondary]
  Purpose: Sets a primary or secondary IP address for the tunnel interface.
    • address—IP address.
    • mask—Subnet mask.
    • secondary—(Optional) Secondary IP address.
Step 3
  Command: Router(config-if)# ip mtu bytes
  Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
    • bytes—MTU size in bytes.
Step 4
  Command: Router(config-if)# ip nhrp authentication string
  Purpose: (Optional) Configures the authentication string for an interface using the Next Hop Resolution Protocol (NHRP).
    • string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.
Step 5
  Command: Router(config-if)# ip nhrp map multicast dynamic
  Purpose: Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.
Step 6
  Command: Router(config-if)# ip nhrp network-id number
  Purpose: Enables NHRP on an interface.
    • number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.
Step 7
  Command: Router(config-if)# tunnel source {ip-address | type number}
  Purpose: Sets source address for a tunnel interface.
    • ip-address—IP address to use as the source address for packets in the tunnel.
    • type number—Interface type and number (for example, VLAN 2).
Step 8
  Command: Router(config-if)# tunnel mode gre multipoint
  Purpose: Sets the encapsulation mode to mGRE for the tunnel interface.
Step 9
  Command: Router(config-if)# tunnel protection ipsec profile name
  Purpose: Associates a tunnel interface with an IPSec profile.
    • name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.
Step 10
  Command: Router(config-if)# crypto engine slot slot/subslot
  Purpose: Assigns the specified crypto engine to the interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Step 11
  Command: Router(config)# interface vlan ifvlan
  Purpose: Configures the DMVPN inside VLAN.
Step 12
  Command: Router(config-if)# ip address address mask
  Purpose: Sets a primary or secondary IP address for an interface.
    • address—IP address. Enter the value specified in Step 7.
    • mask—Subnet mask.
Step 13
  Command: Router(config-if)# crypto engine slot slot/subslot
  Purpose: Assigns the specified crypto engine to the interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Step 14
  Command: Router(config-if)# interface type slot/subslot/port
  Purpose: Configures the DMVPN physical egress interface.
Step 15
  Command: Router(config-if)# no ip address
  Purpose: Assigns no IP address to the interface.
Step 16
  Command: Router(config-if)# crypto connect vlan ifvlan
  Purpose: Connects the outside access port VLAN to the inside (crypto) interface VLAN and enters crypto-connect mode.
    • ifvlan—DMVPN inside VLAN identifier.
Configuring the Spoke for DMVPN in VRF Mode
In VRF mode, to configure spoke routers for mGRE and IPSec integration, perform this task beginning
in global configuration mode:
Step 1
  Command: Router(config)# interface tunnel tunnel-number
  Purpose: Configures a tunnel interface and enters interface configuration mode.
    • tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Step 2
  Command: Router(config-if)# ip vrf forwarding inside-vrf-name
  Purpose: (Optional) Associates a VRF with an interface or subinterface. This step is required only when configuring an inside VRF.
    • inside-vrf-name—Name assigned to the VRF.
Step 3
  Command: Router(config-if)# ip address ip-address mask [secondary]
  Purpose: Sets a primary or secondary IP address for the tunnel interface.
    • address—IP address.
    • mask—Subnet mask.
    • secondary—(Optional) Secondary IP address.
Step 4
  Command: Router(config-if)# ip mtu bytes
  Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
    • bytes—MTU size in bytes.
Step 5
  Command: Router(config-if)# ip nhrp authentication string
  Purpose: Configures the authentication string for an interface using NHRP.
    • string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.
Step 6
  Command: Router(config-if)# ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
  Purpose: Statically configures the IP-to-NonBroadcast MultiAccess (NBMA) address mapping of IP destinations connected to an NBMA network.
    • hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
    • hub-physical-ip-address—Defines the static public IP address of the hub.
Step 7
  Command: Router(config-if)# ip nhrp map multicast hub-physical-ip-address
  Purpose: Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.
    • hub-physical-ip-address—Defines the static public IP address of the hub.
Step 8
  Command: Router(config-if)# ip nhrp nhs hub-tunnel-ip-address
  Purpose: Configures the hub router as the NHRP next-hop server.
    • hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
Step 9
  Command: Router(config-if)# ip nhrp network-id number
  Purpose: Enables NHRP on an interface.
    • number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.
Step 10
  Command: Router(config-if)# tunnel source {ip-address | type number}
  Purpose: Sets source address for a tunnel interface.
    • ip-address—IP address to use as the source address for packets in the tunnel.
    • type number—Interface type and number; for example, VLAN 2.
Step 11
  Command: Router(config-if)# tunnel mode gre multipoint
  Purpose: Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.
Step 12
  Command: Router(config-if)# tunnel protection ipsec profile name
  Purpose: Associates a tunnel interface with an IPSec profile.
    • name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.
Step 13
  Command: Router(config-if)# crypto engine slot slot/subslot inside
  Purpose: Assigns the specified crypto engine to the inside interface.
    • slot/subslot—The slot where the VSPA is located.
Step 14
  Command: Router(config-if)# interface type slot/subslot/port
  Purpose: Configures the DMVPN physical egress interface.
Step 15
  Command: Router(config-if)# ip address address mask
  Purpose: Sets a primary or secondary IP address for an interface.
    • address—IP address.
    • mask—Subnet mask.
Step 16
  Command: Router(config-if)# crypto engine slot slot/subslot outside
  Purpose: Enables the crypto engine on the interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Configuring the Spoke for DMVPN in Crypto-Connect Mode
In crypto-connect mode, to configure spoke routers for mGRE and IPSec integration, perform this task
beginning in global configuration mode:
Step 1
  Command: Router(config)# interface tunnel tunnel-number
  Purpose: Configures a tunnel interface and enters interface configuration mode.
    • tunnel-number—Number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Step 2
  Command: Router(config-if)# ip address ip-address mask [secondary]
  Purpose: Sets a primary or secondary IP address for the tunnel interface.
    • address—IP address.
    • mask—Subnet mask.
    • secondary—(Optional) Secondary IP address.
Step 3
  Command: Router(config-if)# ip mtu bytes
  Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
    • bytes—MTU size in bytes.
Step 4
  Command: Router(config-if)# ip nhrp authentication string
  Purpose: Configures the authentication string for an interface using NHRP.
    • string—Text of the authentication string. This string must be identical for all tunnels belonging to the same DMVPN.
Step 5
  Command: Router(config-if)# ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
  Purpose: Statically configures the IP-to-NonBroadcast MultiAccess (NBMA) address mapping of IP destinations connected to an NBMA network.
    • hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
    • hub-physical-ip-address—Defines the static public IP address of the hub.
Step 6
  Command: Router(config-if)# ip nhrp map multicast hub-physical-ip-address
  Purpose: Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.
    • hub-physical-ip-address—Defines the static public IP address of the hub.
Step 7
  Command: Router(config-if)# ip nhrp nhs hub-tunnel-ip-address
  Purpose: Configures the hub router as the NHRP next-hop server.
    • hub-tunnel-ip-address—Defines the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
Step 8
  Command: Router(config-if)# ip nhrp network-id number
  Purpose: Enables NHRP on an interface.
    • number—A 32-bit network identifier, unique within this chassis, from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.
Step 9
  Command: Router(config-if)# tunnel source {ip-address | type number}
  Purpose: Sets source address for a tunnel interface.
    • ip-address—IP address to use as the source address for packets in the tunnel.
    • type number—Interface type and number; for example, VLAN 2.
Step 10
  Command: Router(config-if)# tunnel mode gre multipoint
  Purpose: Sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke traffic.
Step 11
  Command: Router(config-if)# tunnel protection ipsec profile name
  Purpose: Associates a tunnel interface with an IPSec profile.
    • name—Name of the IPSec profile; this value must match the name specified in the crypto ipsec profile command.
Step 12
  Command: Router(config-if)# crypto engine slot slot/subslot
  Purpose: Assigns the specified crypto engine to the interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Step 13
  Command: Router(config)# interface vlan ifvlan
  Purpose: Configures the DMVPN inside VLAN.
Step 14
  Command: Router(config-if)# ip address address mask
  Purpose: Sets a primary or secondary IP address for an interface.
    • address—IP address. Enter the value specified in Step 7.
    • mask—Subnet mask.
Step 15
  Command: Router(config-if)# crypto engine slot slot/subslot
  Purpose: Assigns the specified crypto engine to the interface.
    • slot/subslot—The slot where the IPSec VPN SPA is located.
Step 16
  Command: Router(config-if)# interface type slot/subslot/port
  Purpose: Configures the DMVPN physical egress interface.
Step 17
  Command: Router(config-if)# no ip address
  Purpose: Assigns no IP address to the interface.
Step 18
  Command: Router(config-if)# crypto connect vlan ifvlan
  Purpose: Connects the outside access port VLAN to the inside interface VLAN and enters crypto-connect mode.
    • ifvlan—DMVPN inside VLAN identifier.
Verifying the DMVPN Configuration
To verify that your DMVPN configuration is working, use the show crypto isakmp sa, show crypto
map, and show ip nhrp commands.
The show crypto isakmp sa command displays all current IKE security associations (SAs) at a peer.
The following sample output is displayed after IKE negotiations have successfully completed between
a hub and two spokes and between the two spokes, as shown in Figure 31-1 on page 31-2:
HUB# show crypto isakmp sa
dst             src             state          conn-id slot status
10.0.0.1        11.0.0.1        QM_IDLE          68001      ACTIVE
10.0.0.1        21.0.0.1        QM_IDLE          68002      ACTIVE
SPOKE1# show crypto isakmp sa
dst             src             state          conn-id slot status
11.0.0.1        21.0.0.1        QM_IDLE          68002      ACTIVE
21.0.0.1        11.0.0.1        QM_IDLE          68003      ACTIVE
10.0.0.1        11.0.0.1        QM_IDLE          68001      ACTIVE
SPOKE2# show crypto isakmp sa
dst             src             state          conn-id slot status
10.0.0.1        21.0.0.1        QM_IDLE          68001      ACTIVE
11.0.0.1        21.0.0.1        QM_IDLE          68003      ACTIVE
21.0.0.1        11.0.0.1        QM_IDLE          68002      ACTIVE
The show crypto map command displays the crypto map configuration.
The following sample output is displayed after a crypto map has been configured:
HUB# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: VPN-PROF
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 11.0.0.1
Extended IP access list
access-list permit gre host 10.0.0.1 host 11.0.0.1
Current peer: 11.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 21.0.0.1
Extended IP access list
access-list permit gre host 10.0.0.1 host 21.0.0.1
Current peer: 21.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
using crypto engine SPA-IPSEC-2G[4/0]
SPOKE1# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: VPN-PROF
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 10.0.0.1
Extended IP access list
access-list permit gre host 11.0.0.1 host 10.0.0.1
Current peer: 10.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 21.0.0.1
Extended IP access list
access-list permit gre host 11.0.0.1 host 21.0.0.1
Current peer: 21.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
using crypto engine SPA-IPSEC-2G[4/0]
SPOKE2# show crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: VPN-PROF
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 10.0.0.1
Extended IP access list
access-list permit gre host 21.0.0.1 host 10.0.0.1
Current peer: 10.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 11.0.0.1
Extended IP access list
access-list permit gre host 21.0.0.1 host 11.0.0.1
Current peer: 11.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ts,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
using crypto engine SPA-IPSEC-2G[4/0]
The show ip nhrp command displays the NHRP cache.
The following sample output shows that NHRP registration occurred. Note that NHRP between the hub
and a spoke is static, while NHRP between spokes is dynamic:
Router# show ip nhrp
HUB# show ip nhrp
30.1.0.1/32 via 30.1.0.1, Tunnel0 created 00:18:13, expire 01:41:46
Type: dynamic, Flags: authoritative unique registered
NBMA address: 11.0.0.1
30.2.0.1/32 via 30.2.0.1, Tunnel0 created 00:11:55, expire 01:48:04
Type: dynamic, Flags: authoritative unique registered
NBMA address: 21.0.0.1
SPOKE1# show ip nhrp
30.0.0.1/32 via 30.0.0.1, Tunnel0 created 00:23:39, never expire
Type: static, Flags: authoritative used
NBMA address: 10.0.0.1
30.2.0.1/32 via 30.2.0.1, Tunnel0 created 00:04:27, expire 01:47:59
Type: dynamic, Flags: router
NBMA address: 21.0.0.1
SPOKE2# show ip nhrp
30.0.0.1/32 via 30.0.0.1, Tunnel0 created 00:12:02, never expire
Type: static, Flags: authoritative used
NBMA address: 10.0.0.1
30.1.0.1/32 via 30.1.0.1, Tunnel0 created 00:04:29, expire 01:41:40
Type: dynamic, Flags: router
NBMA address: 11.0.0.1
For DMVPN configuration examples, see the “DMVPN Configuration Examples” section on
page 31-18.
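The two verification outputs above can be cross-checked automatically: every peer in the NHRP cache should also have an IKE SA in QM_IDLE/ACTIVE state with the local router. The following is an added example, not part of the Cisco guide; the function names are hypothetical and the sample input is constructed from the SPOKE1 output shown in this section.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NHRP_HEAD = re.compile(
    rf"^({IPV4})/(\d+) via ({IPV4}), (\S+) created (\S+), (never expire|expire \S+)$"
)

# Constructed sample input, taken from the SPOKE1 output in this section.
SPOKE1_ISAKMP = """\
dst src state conn-id slot status
11.0.0.1 21.0.0.1 QM_IDLE 68002 ACTIVE
21.0.0.1 11.0.0.1 QM_IDLE 68003 ACTIVE
10.0.0.1 11.0.0.1 QM_IDLE 68001 ACTIVE
"""
SPOKE1_NHRP = """\
30.0.0.1/32 via 30.0.0.1, Tunnel0 created 00:23:39, never expire
Type: static, Flags: authoritative used
NBMA address: 10.0.0.1
30.2.0.1/32 via 30.2.0.1, Tunnel0 created 00:04:27, expire 01:47:59
Type: dynamic, Flags: router
NBMA address: 21.0.0.1
"""


def parse_isakmp_sa(text):
    """Parse rows of 'show crypto isakmp sa'; the slot column may be empty."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) in (5, 6) and re.fullmatch(IPV4, f[0]) and re.fullmatch(IPV4, f[1]):
            rows.append({"dst": f[0], "src": f[1], "state": f[2],
                         "conn_id": int(f[3]), "status": f[-1]})
    return rows


def parse_nhrp(text):
    """Parse 'show ip nhrp' into one dict per cache entry (three lines each)."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = NHRP_HEAD.match(line)
        if m:
            entries.append({"tunnel_ip": m.group(1), "interface": m.group(4),
                            "expires": m.group(6) != "never expire",
                            "type": None, "flags": [], "nbma": None})
        elif entries and line.startswith("Type:"):
            kind, _, flags = line.partition(", Flags:")
            entries[-1]["type"] = kind.split(":", 1)[1].strip()
            entries[-1]["flags"] = flags.split()
        elif entries and line.startswith("NBMA address:"):
            entries[-1]["nbma"] = line.split(":", 1)[1].strip()
    return entries


def check_peers(local_nbma, nhrp_text, sa_text):
    """List NHRP peers that lack an established IKE SA with this router."""
    sas = parse_isakmp_sa(sa_text)
    problems = []
    for entry in parse_nhrp(nhrp_text):
        pair = {local_nbma, entry["nbma"]}
        states = [(s["state"], s["status"]) for s in sas
                  if {s["dst"], s["src"]} == pair]
        if ("QM_IDLE", "ACTIVE") not in states:
            seen = ", ".join(f"{st}/{status}" for st, status in states) or "no SA"
            problems.append(f"{entry['type']} peer {entry['tunnel_ip']} "
                            f"(NBMA {entry['nbma']}): {seen}")
    return problems


if __name__ == "__main__":
    # 11.0.0.1 is SPOKE1's tunnel source address in the sample topology.
    for problem in check_peers("11.0.0.1", SPOKE1_NHRP, SPOKE1_ISAKMP):
        print(problem)
```

An empty result means every NHRP mapping is backed by an established IKE SA; a static (hub) peer in the list means the spoke has lost its protected path to the next-hop server.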
Configuring the Easy VPN Server
The Easy VPN server provides server support for the Cisco VPN Client Release 4.x and later software
clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP
Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec
policies are pushed to the client by the server, minimizing configuration by the end user.
Easy VPN Server features include:
• Mode configuration and Xauth support
• User-based policy control
• Session monitoring for VPN group access
• RADIUS server support
• backup-gateway command
• pfs command
• Virtual IPSec interface support
• Banner, auto-update, and browser proxy
• Configuration management enhancements (pushing a configuration URL through a
mode-configuration exchange)
• Per-user AAA policy download with PKI
• Syslog message enhancements
• Network admission control support
Easy VPN Server Configuration Guidelines and Restrictions
When configuring the Easy VPN server, follow these guidelines and restrictions:
• The following IPSec protocol options and attributes currently are not supported by Cisco VPN
clients, so these options and attributes should not be configured on the router for these clients:
– Authentication with public key encryption
– Digital Signature Standard (DSS)
– Diffie-Hellman (DH) groups (1)
– IPSec Protocol Identifier (IPSEC_AH)
– IPSec Protocol Mode (Transport mode)
– Manual keys
– Perfect Forward Secrecy (PFS)
• Enhanced Easy VPN, which uses Dynamic Virtual Tunnel Interfaces (DVTI) instead of dynamic
crypto maps, is not supported.
For complete configuration information about the Easy VPN Server feature and the enhancements, refer
to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html
Configuring the Easy VPN Remote
The Easy VPN remote feature allows Cisco routers and security appliances to establish a site-to-site VPN
connection to a Cisco Easy VPN Server without complex remote-side configuration. Centrally managed
IPSec policies are pushed to the client by the server, minimizing configuration by the end user.
Easy VPN Remote features include the following:
• Virtual IPSec interface support
• Banner, auto-update, and browser proxy
• Dual tunnel support
• Configuration management enhancements (pushing a configuration URL through a
mode-configuration exchange)
• Reactivate primary peer
Easy VPN Remote Configuration Guidelines
Follow these guidelines when configuring Easy VPN for the IPSec VPN SPA:
Caution You must clear all other crypto configurations from your running configuration on the Cisco IOS-based
Easy VPN client that you are using to connect to the IPSec VPN SPA. If an ISAKMP policy is
configured, it takes precedence over the preinstalled Easy VPN ISAKMP policies and the connection
will fail. Other clients such as the VPN3000 and PIX systems running Easy VPN will prevent you from
configuring Easy VPN unless all crypto configurations are removed. For complete configuration
information for Easy VPN client support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html
For an Easy VPN server configuration example, see the “Easy VPN Server (Router Side) Configuration
Example” section on page 31-22.
Configuring Easy VPN Remote RSA Signature Storage
The Easy VPN remote RSA signature support feature adds support for Rivest, Shamir, and
Adleman (RSA) signatures on Easy VPN remote devices. The support is provided through RSA
certificates that can be stored on or off the remote device.
Note The Easy VPN remote RSA signature support feature is supported in Cisco IOS Release 12.2(33)SRA and
later releases.
Easy VPN Remote RSA Signature Support Configuration Guidelines and
Restrictions
When configuring Easy VPN remote RSA signature support, follow these guidelines and restrictions:
• You must have a Cisco Virtual Private Network (VPN) remote device and be familiar with
configuring the device.
• You must have a certificate authority (CA) available to your network before you configure this
interoperability feature. The CA must support the public key infrastructure (PKI) protocol of Cisco
Systems, which is the Simple Certificate Enrollment Protocol (SCEP) (formerly called Certificate
Enrollment Protocol [CEP]).
• This feature should be configured only when you also configure both IPSec and Internet Key
Exchange (IKE) in your network.
• The Cisco IOS software does not support CA server public keys greater than 2048 bits.
Configuring Easy VPN Remote RSA Signature Support
The RSA signatures for an Easy VPN remote device are configured the same way that you would
configure RSA signatures for any other Cisco device.
For information about configuring RSA signatures, refer to the Cisco IOS Security Configuration Guide.
To enable the RSA signatures, when you are configuring the Easy VPN remote and assigning the
configuration to the outgoing interface, you must omit the group command. The content of the first
Organizational Unit (OU) field will be used as the group.
For information about configuring Cisco Easy VPN remote devices, refer to the feature document, Easy
VPN Remote RSA Signature Support, at the following location:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtevcrsa.html
Configuration Examples
This section provides examples of the following configurations:
• DMVPN Configuration Examples, page 31-18
• Easy VPN Server (Router Side) Configuration Example, page 31-22
Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases
has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside |
outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that
this command has been modified in your start-up configuration to avoid extended maintenance time.
DMVPN Configuration Examples
The following sections provide examples of DMVPN configuration:
• DMVPN Hub with VRF Mode Configuration Example, page 31-18
• DMVPN Spoke with VRF Mode Configuration Example, page 31-19
• DMVPN Spoke with Crypto-Connect Mode Configuration Example, page 31-21
The DMVPN examples are based on the implementation shown in Figure 31-1 on page 31-2, using the
following configuration parameters:
• The hub router (HUB) is configured in VRF mode with inside VRF (IVRF) and front-door VRF
(FVRF).
• One spoke router (SPOKE1) is configured in VRF mode with IVRF but no FVRF.
• One spoke router (SPOKE2) is configured in crypto-connect mode.
• EIGRP is configured to distribute routes over the tunnels.
• In all routers, interface gi3/1 is the interface to the provider network.
• In all routers, interface gi3/13 is the interface to the private LAN.
Note The tunnel source can be the same as the physical egress port. If the tunnel source is not the physical
egress port, make sure that traffic to and from the tunnel source passes through the physical egress port.
DMVPN Hub with VRF Mode Configuration Example
The following is a configuration example of the IPSec VPN SPA serving as a DMVPN hub using VRF
mode with inside VRF and front-door VRF (FVRF):
hostname HUB
!
ip vrf fvrf
rd 1000:1
!
ip vrf ivrf
rd 1:1
!
crypto engine mode vrf
!
crypto keyring RING1 vrf fvrf
pre-shared-key address 0.0.0.0 0.0.0.0 key abcdef
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile VPN-PROF
set transform-set ts
!
!
interface Tunnel0
! EIGRP uses the configured bandwidth to allocate bandwidth for its routing update mechanism
bandwidth 1000000
ip vrf forwarding ivrf
ip address 30.0.0.1 255.0.0.0
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1000
! For a large number of tunnels, the following two commands are recommended
! EIGRP timers are adjusted to match the default timers for a WAN interface
ip hello-interval eigrp 200 60
ip hold-time eigrp 200 180
! The following two EIGRP commands are necessary to allow spoke-to-spoke communication
no ip next-hop-self eigrp 200
no ip split-horizon eigrp 200
tunnel source Vlan10
tunnel mode gre multipoint
tunnel vrf fvrf
tunnel protection ipsec profile VPN-PROF
crypto engine slot 4/0 inside
!
interface Vlan10
ip vrf forwarding fvrf
ip address 10.0.0.1 255.255.255.0
crypto engine slot 4/0 outside
!
interface GigabitEthernet3/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10
switchport mode trunk
interface GigabitEthernet3/13
description Local LAN interface
ip vrf forwarding ivrf
ip address 70.0.0.1 255.255.255.0
router eigrp 10
no auto-summary
!
address-family ipv4 vrf ivrf
redistribute connected
network 30.0.0.0
network 70.0.0.0
no auto-summary
autonomous-system 200
exit-address-family
!
! In this example, tunnel destination reachability is provided by static routes
! A routing protocol could also be used
ip route vrf fvrf 11.0.0.0 255.0.0.0 10.0.0.2
ip route vrf fvrf 21.0.0.0 255.0.0.0 10.0.0.2
end
DMVPN Spoke with VRF Mode Configuration Example
The following is a configuration example of the IPSec VPN SPA serving as a DMVPN spoke using VRF
mode with inside VRF but no front-door VRF:
hostname SPOKE1
!
ip vrf ivrf
rd 1:1
!
crypto engine mode vrf
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key abcdef address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile VPN-PROF
set transform-set ts
!
interface Tunnel0
bandwidth 100000
ip vrf forwarding ivrf
ip address 30.1.0.1 255.0.0.0
ip nhrp authentication cisco123
ip nhrp map 30.0.0.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 1000
ip nhrp nhs 30.0.0.1
ip hello-interval eigrp 200 60
ip hold-time eigrp 200 180
tunnel source Loopback0
tunnel mode gre multipoint
tunnel protection ipsec profile VPN-PROF
crypto engine slot 4/0 inside
!
interface Loopback0
ip address 11.0.0.1 255.255.255.0
!
interface GigabitEthernet3/1
ip address 11.255.255.1 255.255.255.0
crypto engine slot 4/0 outside
!
interface GigabitEthernet3/13
ip vrf forwarding ivrf
ip address 80.0.0.1 255.255.255.0
router eigrp 10
no auto-summary
!
address-family ipv4 vrf ivrf
autonomous-system 200
network 30.0.0.0
network 70.0.0.0
no auto-summary
redistribute connected
exit-address-family
ip route 10.0.0.0 255.0.0.0 11.255.255.2
ip route 21.0.0.0 255.0.0.0 11.255.255.2
end
DMVPN Spoke with Crypto-Connect Mode Configuration Example
The following is a configuration example of the IPSec VPN SPA serving as a DMVPN spoke using
crypto-connect mode:
hostname SPOKE2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key abcdef address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile VPN-PROF
set transform-set ts
!
interface Tunnel0
bandwidth 1000000
ip address 30.2.0.1 255.0.0.0
ip nhrp authentication cisco123
ip nhrp map 30.0.0.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 1000
ip nhrp nhs 30.0.0.1
ip hello-interval eigrp 200 60
ip hold-time eigrp 200 180
tunnel source Vlan10
tunnel mode gre multipoint
tunnel protection ipsec profile VPN-PROF
crypto engine slot 4/0 inside
!
interface Vlan10
ip address 21.0.0.1 255.255.255.0
no mop enabled
crypto engine slot 4/0 inside
!
interface GigabitEthernet3/1
no ip address
crypto connect vlan 10
!
interface GigabitEthernet3/13
ip address 90.0.0.1 255.255.255.0
!
router eigrp 200
redistribute connected
network 30.0.0.0
network 90.0.0.0
no auto-summary
ip route 10.0.0.0 255.0.0.0 21.0.0.2
ip route 11.0.0.0 255.0.0.0 21.0.0.2
end
Easy VPN Server (Router Side) Configuration Example
The following is an example of an Easy VPN server router-side configuration:
!
version 12.2
!
hostname sanjose
!
logging snmp-authfail
logging buffered 1000000 debugging
aaa new-model
aaa authentication login authen local
aaa authorization network author local
!
username unity password 0 uc
ip subnet-zero
no ip source-route
!
mpls ldp logging neighbor-changes
mls flow ip destination
mls flow ipx destination
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 2
!
crypto isakmp client configuration group group1
key 12345
domain cisco.com
pool pool1
!
crypto isakmp client configuration group default
key 12345
domain cisco.com
pool pool2
!
crypto ipsec transform-set myset3 esp-3des esp-md5-hmac
!
crypto dynamic-map test_dyn 1
set transform-set myset3
reverse-route
!
! Static client mapping
crypto map testtag client authentication list authen
crypto map testtag isakmp authorization list author
crypto map testtag client configuration address respond
crypto map testtag 10 ipsec-isakmp
set peer 10.5.1.4
set security-association lifetime seconds 900
set transform-set myset3
match address 109
!
! Dynamic client mapping
crypto map test_dyn client authentication list authen
crypto map test_dyn isakmp authorization list author
crypto map test_dyn client configuration address respond
crypto map test_dyn 1 ipsec-isakmp dynamic test_dyn
!
!
no spanning-tree vlan 513
!
redundancy
main-cpu
auto-sync running-config
auto-sync standard
!
interface GigabitEthernet2/1
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,513,1002-1005
switchport mode trunk
!
interface GigabitEthernet2/2
no ip address
shutdown
!
interface GigabitEthernet6/1/1
no ip address
flowcontrol receive on
flowcontrol send off
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,513,1002-1005
switchport mode trunk
cdp enable
!
interface GigabitEthernet6/1/2
no ip address
flowcontrol receive on
flowcontrol send off
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
no ip address
crypto connect vlan 513
!
interface Vlan513
ip address 10.5.1.1 255.255.0.0
crypto map test_dyn
crypto engine slot 6/1 inside
!
ip local pool pool1 22.0.0.2
ip local pool pool2 23.0.0.3
ip classless
ip pim bidir-enable
!
access-list 109 permit ip host 10.5.1.1 host 22.0.0.2
arp 127.0.0.12 0000.2100.0000 ARPA
!
snmp-server enable traps tty
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
!
line con 0
line vty 0 4
password lab
transport input lat pad mop telnet rlogin udptn nasi
!
end
Chapter 32
Configuring Duplicate Hardware and IPSec Failover Using the IPSec VPN SPA
This chapter provides information about configuring duplicate hardware and IPSec failover using the
IPSec VPN SPA on the Cisco 7600 series router. It includes the following sections:
• Overview of Duplicate Hardware Configurations and IPSec Failover
• Configuring IPSec Failover
• Verifying HSRP Configurations
• Configuring Intrachassis IPSec Stateful Failover Using a Blade Failure Group
• Configuration Examples
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2 and Cisco IOS Configuration
Fundamentals Command Reference, Release 12.2 publications.
For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the Cisco
IOS Security Configuration Guide, Release 12.2 and Cisco IOS Security Command Reference, Release
12.2.
For more information about the commands used in this chapter, see the Cisco 7600 Series Router
Command Reference, 12.2SR publication. Also refer to the related Cisco IOS Release 12.2 software
command reference and master index publications. For more information about accessing these
publications, see the “Related Documentation” section on page xlvii.
Tip: To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Overview of Duplicate Hardware Configurations and IPSec Failover
For critical VPN communications, you can deploy redundant VPN hardware and configure your system
for failover in case of hardware failure. The following topics provide information about configuring for
IPSec failover using the IPSec VPN SPA:
• Configuring Multiple IPSec VPN SPAs in a Chassis
• Understanding Stateless Failover Using HSRP
• Understanding Stateful Failover Using HSRP and SSP
Configuring Multiple IPSec VPN SPAs in a Chassis
You can deploy up to ten IPSec VPN SPAs in a single chassis, with the restriction that no more than one
IPSec VPN SPA can be used to perform IPSec services for any given interface VLAN.
Multiple IPSec VPN SPAs in a Chassis Configuration Guidelines
When configuring multiple IPSec VPN SPAs in a chassis, follow these guidelines:
• If you enter the no switchport command followed by the switchport command, all VLANs are
readded to a trunk port (this situation occurs when you are first switching to a routed port and then
back to a switch port). For detailed information on configuring trunk ports, see the “Configuring a
Trunk Port” section on page 25-15.
• As with single IPSec VPN SPA deployments, you must properly configure each IPSec VPN SPA’s
inside and outside port. You can add an interface VLAN only to the inside port of one IPSec VPN
SPA. Do not add the same interface VLAN to the inside port of more than one IPSec VPN SPA.
Assigning interface VLANs to the inside ports of the IPSec VPN SPAs allows you to decide which
IPSec VPN SPA can be used to provide IPSec services for a particular interface VLAN.
Note: You do not need to explicitly add interface VLANs to the inside trunk ports of the IPSec
VPN SPAs. Entering the crypto engine slot command achieves the same results.
Note: There is no support for using more than one IPSec VPN SPA to do IPSec processing for a
single interface VLAN.
• SA-based load balancing is not supported.
• If you assign the same crypto map to multiple interfaces, then you must use the crypto map
local-address command, and all interfaces must be assigned to the same crypto engine.
For a configuration example of multiple IPSec VPN SPAs in a chassis, see the “Multiple IPSec VPN
SPAs in a Chassis Configuration Example” section on page 32-24.
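The shared crypto map guideline above can be checked mechanically against a saved configuration. The following Python is an added example, not taken from the Cisco guide; the sample configuration, its map and interface names, the slot numbers and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two IPSec VPN SPAs (4/0 and 5/0) and three crypto maps.
SAMPLE = """\
crypto map shared local-address Loopback0
!
interface Vlan10
 crypto map shared
 crypto engine slot 4/0 inside
!
interface Vlan11
 crypto map shared
 crypto engine slot 5/0 inside
!
interface Vlan20
 crypto map branch
 crypto engine slot 5/0 inside
!
interface Vlan21
 crypto map branch
 crypto engine slot 5/0 inside
!
interface Vlan30
 crypto map solo
 crypto engine slot 4/0 inside
"""


def audit_shared_crypto_maps(config):
    """Return {map name: [problems]} for crypto maps applied to 2+ interfaces."""
    has_local_address = set()     # maps with a global local-address command
    engine = {}                   # interface -> crypto engine slot
    applied = defaultdict(list)   # map name -> interfaces it is applied to
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level command ends the stanza
            iface = line[len("interface "):] if line.startswith("interface ") else None
            if (m := re.match(r"crypto map (\S+) local-address \S+$", line)):
                has_local_address.add(m[1])
        elif iface is not None:
            if (m := re.match(r"crypto map (\S+)(?: redundancy \S+)?$", line)):
                applied[m[1]].append(iface)
            elif (m := re.match(r"crypto engine slot (\S+)", line)):
                engine[iface] = m[1]

    report = {}
    for name, ifaces in applied.items():
        if len(ifaces) < 2:                  # the guideline only covers shared maps
            continue
        problems = []
        if name not in has_local_address:
            problems.append("no crypto map local-address")
        slots = sorted({engine.get(i, "unassigned") for i in ifaces})
        if len(slots) > 1:
            problems.append("crypto engines differ: " + ", ".join(slots))
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_shared_crypto_maps(SAMPLE).items():
        print(name, "->", "; ".join(problems))
```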
Understanding Stateless Failover Using HSRP
The IPSec failover (VPN high availability) feature allows you to employ a secondary (standby) router
that automatically takes over the primary (active) router’s tasks in the event of an active router failure.
IPSec failover, stateless or stateful, is designed to work in conjunction with the Hot Standby Router
Protocol (HSRP) and Reverse Route Injection (RRI).
HSRP is used between the active and standby router in either stateless or stateful mode, tracking the state
of router interfaces and providing a failover mechanism between primary and secondary devices. An
HSRP group shares a single virtual IP address as its crypto peer address so that the remote crypto peer
requires no reconfiguration after a failover. The configured HSRP timers determine the time that it takes
for the standby router to take over.
RRI uses information derived from the negotiated IPSec SAs to create static routes to the networks
identified in those SAs. During an HSRP and IPSec failover, RRI allows dynamic routing information
updates.
In an IPSec stateless failover, the HSRP group’s virtual IP address transfers over to the standby router,
but no IPSec or ISAKMP SA state information is transferred to the standby router. The remote crypto
peer detects the failure using Dead Peer Detection (DPD) or a keepalive mechanism. The remote crypto
peer then communicates with the standby router at the HSRP group address to renegotiate the dropped
ISAKMP SAs and IPSec SAs before traffic transmission can resume.
When used together, HSRP and RRI provide a reliable network design for VPNs and reduce
configuration complexity on remote peers.
Understanding Stateful Failover Using HSRP and SSP
Note: Support for IPSec stateful failover using HSRP and SSP is removed in Cisco IOS Release 12.2(33)SRA
and later releases. The feature is supported in Release 12.2SXF.
IPSec stateful failover enables a router to continue processing and forwarding IPSec packets after a
planned or unplanned outage. The failover process is transparent to users and to remote IPSec peers.
As with IPSec stateless failover, IPSec stateful failover is designed to work with HSRP and RRI, but
IPSec stateful failover also uses the State Synchronization Protocol (SSP). During an HSRP and IPSec
failover, SSP transfers IPSec and ISAKMP SA state information between the active and standby routers,
allowing existing VPN connections to be maintained after a router failover.
IPSec Stateful Failover Configuration Guidelines and Restrictions
When configuring IPSec stateful failover, follow these guidelines and restrictions:
• When configuring IPSec stateful failover with the IPSec VPN SPA, all IPSec VPN SPA
configuration rules apply. You must apply crypto maps to interface VLANs.
• When configuring IPSec stateful failover with an IPSec VPN SPA in two chassis, the hardware
configurations of both chassis must be exactly the same. For example, in one chassis if the IPSec
VPN SPA that is in slot 2 is used to protect interface VLAN 100 and the IPSec VPN SPA that is in
slot 3 is used to protect interface VLAN 101, the exact same configuration must be reflected in the
second chassis. An example of a misconfiguration would be if the IPSec VPN SPA in slot 3 of the
second chassis is used to protect interface VLAN 100.
• Do not add nonexistent or inadequately configured HSRP standby groups to the State
Synchronization Protocol (SSP) configuration because this action disables high-availability features
until the configuration is corrected.
• The recommended HSRP timer values are one second for hello timers and three seconds for hold
timers. These values should prevent an undesirable failover that is caused by temporary network
congestion or transient, high CPU loads.
These timer values can be adjusted upward if you are running high loads or have a large number of
HSRP groups. Raising the timer values as needed can reduce temporary failures and improve system
stability under load. The hello timer value should be approximately a third of the hold timer
value.
• Use the HSRP delay timers to allow a device to finish booting, initializing, and synchronizing before
participating as a high-availability pair. Set the minimum delay at 30 seconds or more to help
prevent active/standby flapping and set the reload delay at some value greater than the minimum.
You can use the delay timers to reflect the complexity and size of a particular configuration on
various hardware. The delay timers tend to vary from platform to platform.
• Sequence number updates from active to standby have a 20-second minimum interval per SA.
• The standby preempt command is required, and should be configured with no priority or delay
options.
• To allow dynamic routing information updates during the HSRP and IPSec failover, enable the
Reverse Route Injection (RRI) feature using the reverse-route command.
• To verify that all processes are running properly after enabling both HSRP and IPSec stateful
failover, use the show ssp, show standby, show crypto ipsec, and show crypto isakmp commands.
• The following features are not supported with IPSec stateful failover:
– The standby use-bia command—Always use a virtual HSRP MAC address for the router’s
MAC address.
– Easy VPN clients or IKE keepalives—IPSec stateful failover can be used with peers when DPD
is used.
– DMVPN or tunnel protection.
– Secured WAN ports (for example, IPSec over FlexWAN or SIP module port adapters)—This
restriction is due to limitations of HSRP.
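The guidelines above translate into checks that can be run against a saved configuration before the pair goes into service. The following Python is an added example, not part of the Cisco guide; the sample configuration, the finding labels, the 2.5 to 3.5 tolerance on the hold/hello ratio and the reading of "inadequately configured" as "no virtual IP" are assumptions.

```python
import re

# Constructed sample for one member of a stateful-failover pair; names,
# addresses and slot numbers are invented for this example.
SAMPLE = """\
ssp group 100
 remote 192.0.2.3
 redundancy HA-IN
 redundancy PUBLIC
!
crypto dynamic-map dyn 10
 set transform-set ts
!
crypto map ha 10 ipsec-isakmp dynamic dyn
!
interface GigabitEthernet1/1
 ip address 198.51.100.2 255.255.255.0
 standby delay minimum 35 reload 60
 standby 1 ip 198.51.100.100
 standby 1 timers 1 3
 standby 1 preempt
 standby 1 name HA-IN
!
interface Vlan4
 ip address 192.0.2.2 255.255.255.0
 standby delay minimum 10 reload 10
 standby 2 ip 192.0.2.100
 standby 2 timers msec 500 1
 standby 2 priority 110 preempt delay minimum 5
 standby 2 name HA-OUT
 standby use-bia
 crypto map ha redundancy PUBLIC
 crypto engine slot 2
"""

TIMERS = re.compile(r"standby (?:\d+ )?timers (msec )?(\d+) (msec )?(\d+)$")
DELAY = re.compile(r"standby delay minimum (\d+) reload (\d+)$")
NAME = re.compile(r"standby (?:\d+ )?name (\S+)$")
REDUNDANCY = re.compile(r"(?:crypto map \S+ )?redundancy (\S+)$")

def stanzas(config):
    """Yield (header, [sub-commands]) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header, body

def check_hsrp(header, hsrp):
    """Per-interface checks taken from the guideline list."""
    out = []
    if any(l.startswith("standby use-bia") for l in hsrp):
        out.append((header, "use-bia"))              # not supported
    preempt = [l for l in hsrp if " preempt" in l]
    if not preempt:
        out.append((header, "no-preempt"))           # preempt is required
    elif any(" priority " in l or " delay" in l for l in preempt):
        out.append((header, "preempt-options"))      # no priority/delay options
    for m in filter(None, map(TIMERS.match, hsrp)):
        hello = int(m[2]) * (1 if m[1] else 1000)    # normalise to milliseconds
        hold = int(m[4]) * (1 if m[3] else 1000)
        if not 2.5 <= hold / hello <= 3.5:           # tolerance is an assumption
            out.append((header, "timers"))
    delay = next(filter(None, map(DELAY.match, hsrp)), None)
    if delay is None or int(delay[1]) < 30 or int(delay[2]) <= int(delay[1]):
        out.append((header, "delay"))                # minimum >= 30 s, reload > minimum
    return out

def audit(config):
    """Return a list of (stanza header, finding label) tuples."""
    findings, defined, referenced = [], set(), []
    for header, body in stanzas(config):
        referenced += [(header, m[1]) for m in map(REDUNDANCY.match, body) if m]
        if header.startswith("crypto dynamic-map") or (
                header.startswith("crypto map") and header.endswith("ipsec-isakmp")):
            if not any(l.startswith("reverse-route") for l in body):
                findings.append((header, "no-reverse-route"))
        if header.startswith("interface "):
            hsrp = [l for l in body if l.startswith("standby ")]
            if any(l.startswith("tunnel protection") for l in body):
                findings.append((header, "tunnel-protection"))  # not supported
            findings += check_hsrp(header, hsrp) if hsrp else []
            # Assumption: a group is usable only with both a name and a virtual IP.
            if any(re.match(r"standby (?:\d+ )?ip \S", l) for l in hsrp):
                defined |= {m[1] for m in map(NAME.match, hsrp) if m}
    findings += [(where, "unknown-group:" + name)
                 for where, name in referenced if name not in defined]
    return findings
```

Run `audit()` on the configuration of both chassis; the guide also requires the two hardware configurations to match exactly, which this check does not compare.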
Configuring IPSec Failover
The following sections describe how to configure IPSec stateless and stateful failover in crypto-connect
and VRF modes:
• Configuring IPSec Stateless Failover Using HSRP with Crypto-Connect Mode
• Configuring IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode
• Configuring IPSec Stateless and Stateful Failover with VRF Mode
Configuring IPSec Stateless Failover Using HSRP with Crypto-Connect Mode
To configure IPSec stateless failover using HSRP, perform this task beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP
policy configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
For details on configuring an ISAKMP policy, see
the Cisco IOS Security Configuration Guide.
Step 2 Router(config)# crypto isakmp key keystring address
peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the
Cisco IOS Security Configuration Guide.
Step 3 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
For accepted transformx values, and more details on
configuring transform sets, see the Cisco IOS
Security Command Reference.
Step 4 Router(config)# access-list access-list-number {deny
| permit} ip source source-wildcard destination
destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• ip source—Address of the host from which the
packet is being sent.
• source-wildcard—Wildcard bits to be applied to
the source address.
• destination—Address of the host to which the
packet is being sent.
• destination-wildcard—Wildcard bits to be
applied to the destination address.
For details on configuring an access list, see the
Cisco IOS Security Configuration Guide.
Step 5 Router(config)# crypto dynamic-map dynamic-map-name
seq-number ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a dynamic crypto map template
and enters the crypto map configuration mode.
• dynamic-map-name—Name that identifies the
dynamic crypto map template.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
For details on configuring a crypto map, see the
Cisco IOS Security Configuration Guide.
Step 6 Router(config)# crypto map map-name seq-number
ipsec-isakmp dynamic dynamic-map-name
Creates a crypto map entry and binds it to the
dynamic crypto map template.
• map-name—Name that identifies the crypto
map set.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
• dynamic-map-name—Name that identifies the
dynamic crypto map template.
Step 7 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the
LAN-side Gigabit Ethernet interface.
Step 8 Router(config-if)# ip address address mask
Specifies the IP address and subnet mask for the interface.
• address—IP address.
• mask—Subnet mask.
Step 9 Router(config-if)# standby [group-number] ip
ip-address
Enables the HSRP.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
The default is 0. The group number range is
from 0 to 255 for HSRP version 1 and from 0 to
4095 for HSRP version 2.
• ip-address—(Optional) IP address of the
standby router interface.
Step 10 Router(config-if)# standby [group-number] timers
[msec] hellotime [msec] holdtime
Configures the time between hello packets and the
hold time before other routers declare the active
router to be down.
• group-number—(Optional) Group number to
which the timers apply.
• msec—(Optional) Interval in milliseconds.
Millisecond timers allow for faster failover.
• hellotime—Hello interval (in seconds). This is
an integer from 1 to 254. The default is 3
seconds. If the msec option is specified,
hellotime is in milliseconds. This is an integer
from 15 to 999.
• holdtime—Time (in seconds) before the active
or standby router is declared to be down. This is
an integer from x to 255. The default is 10
seconds. If the msec option is specified,
holdtime is in milliseconds. This is an integer
from y to 3000.
Step 11 Router(config-if)# standby [group-number] [priority
priority] preempt [delay [minimum | sync] seconds]
Sets the standby priority used in choosing the active
router.
• group-number—(Optional) Group number to
which the priority applies.
• priority—(Optional) The priority value range is
from 1 to 255, where 1 denotes the lowest
priority and 255 denotes the highest priority.
Specify that, if the local router has priority over
the current active router, the local router should
attempt to take its place as the active router.
• delay—Specifies a preemption delay, after
which the Hot Standby router preempts and
becomes the active router.
• minimum—(Optional) Specifies the minimum
delay period in seconds.
• sync—(Optional) Specifies the maximum
synchronization period for IP redundancy
clients in seconds.
• seconds—(Optional) Causes the local router to
postpone taking over the active role for a
minimum number of seconds since that router
was last restarted. The range is from 0 to 3600
seconds (1 hour). The default is 0 seconds (no
delay).
Step 12 Router(config-if)# standby [group-number] track type
number [interface-priority]
Configures the interface to track other interfaces, so
that if one of the other interfaces goes down, the
device’s Hot Standby priority is lowered.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
• type—Interface type (combined with interface
number) that will be tracked.
• number—Interface number (combined with
interface type) that will be tracked.
• interface-priority—(Optional) Amount by
which the Hot Standby priority for the router is
decremented (or incremented) when the
interface goes down (or comes back up). Range
is from 0 to 255. Default is 10.
Step 13 Router(config-if)# standby [group-number] name
Configures the standby group name for the interface.
• group-number—(Optional) Group number to
which the name is being applied.
• name—Name of the HSRP standby group.
Step 14 Router(config-if)# interface vlan vlan_ID
Enters interface configuration mode for the specified crypto interface VLAN.
Step 15 Router(config-if)# ip address address mask
Specifies the IP address and subnet mask for the interface.
• address—IP address.
• mask—Subnet mask.
Step 16 Router(config-if)# standby [group-number] ip
ip-address
Enables the HSRP.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
The default is 0. The group number range is
from 0 to 255 for HSRP version 1 and from 0 to
4095 for HSRP version 2.
• ip-address—(Optional) Virtual IP address of the
HSRP standby group.
Step 17 Router(config-if)# standby [group-number] timers
[msec] hellotime [msec] holdtime
Configures the time between hello packets and the
hold time before other routers declare the active
router to be down.
• group-number—(Optional) Group number to
which the timers apply.
• msec—(Optional) Interval in milliseconds.
Millisecond timers allow for faster failover.
• hellotime—Hello interval (in seconds). This is
an integer from 1 to 254. The default is 3
seconds. If the msec option is specified,
hellotime is in milliseconds. This is an integer
from 15 to 999.
• holdtime—Time (in seconds) before the active
or standby router is declared to be down. This is
an integer from x to 255. The default is 10
seconds. If the msec option is specified,
holdtime is in milliseconds. This is an integer
from y to 3000.
Step 18 Router(config-if)# standby [group-number] [priority
priority] preempt [delay [minimum | sync] seconds]
Sets the standby priority used in choosing the active
router.
• group-number—(Optional) Group number to
which the priority applies.
• priority—(Optional) The priority value range is
from 1 to 255, where 1 denotes the lowest
priority and 255 denotes the highest priority.
Specify that, if the local router has priority over
the current active router, the local router should
attempt to take its place as the active router.
• delay—(Optional) Specifies a preemption
delay, after which the hot standby router
preempts and becomes the active router.
• minimum—(Optional) Specifies the minimum
delay period in seconds.
• sync—(Optional) Specifies the maximum
synchronization period for IP redundancy
clients in seconds.
• seconds—(Optional) Causes the local router to
postpone taking over the active role for a
minimum number of seconds since that router
was last restarted. The range is from 0 to 3600
seconds (1 hour). The default is 0 seconds (no
delay).
Step 19 Router(config-if)# standby [group-number] track type
number [interface-priority]
Configures the interface to track other interfaces, so
that if one of the other interfaces goes down, the
device’s hot standby priority is lowered.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
• type—Interface type (combined with interface
number) that will be tracked.
• number—Interface number (combined with
interface type) that will be tracked.
• interface-priority—(Optional) Amount by
which the Hot Standby priority for the router is
decremented (or incremented) when the
interface goes down (or comes back up). Range
is from 0 to 255. Default is 10.
Step 20 Router(config-if)# standby [group-number] name
Configures the standby group name for the interface.
• group-number—(Optional) Group number to
which the name is being applied.
• name—Name of the standby router.
Step 21 Router(config-if)# crypto map map-name redundancy
name
Defines a backup IPSec peer. Both routers in the
standby group are defined by the redundancy
standby name and share the same virtual IP address.
• map-name—Name of the crypto map set.
• name—Name of the HSRP standby group.
Step 22 Router(config-if)# crypto engine slot slot
Assigns the crypto engine to the inside interface VLAN.
• slot—The slot where the IPSec VPN SPA is
located.
Step 23 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the outside
Gigabit Ethernet interface.
Step 24 Router(config-if)# crypto connect vlan vlan_ID
Connects the outside access port to the inside
interface VLAN and enters crypto-connect mode.
• vlan_ID—Interface VLAN identifier.
For examples of IPSec stateless failover configurations using HSRP, see the “IPSec Stateless Failover
Using HSRP with Crypto-Connect Mode Configuration Examples” section on page 32-27.
Configuring IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode
The configuration of IPSec stateful failover using HSRP is very similar to the configuration of IPSec
stateless failover using HSRP with the addition of the SSP-related commands.
To configure IPSec stateful failover using HSRP and SSP, perform this task beginning in global
configuration mode:
Command Purpose
Step 1 Router(config)# ssp group group
Indicates the channel used to communicate high availability (HA) information and enters SSP
configuration mode.
• group—Integer between 1 and 100.
Step 2 Router(config-ssp)# redundancy name
Identifies the HSRP group.
• name—Valid IP redundancy group name.
Step 3 Router(config-ssp)# remote ipaddr
Identifies the peer that will receive high availability transmissions.
• ipaddr—IP address of the standby router.
Step 4 Router(config)# crypto isakmp policy priority
...
Router(config-isakmp)# exit
Defines an ISAKMP policy and enters ISAKMP
policy configuration mode.
• priority—Identifies the IKE policy and assigns
a priority to the policy. Use an integer from 1 to
10000, with 1 being the highest priority and
10000 the lowest.
For details on configuring an ISAKMP policy, see
the Cisco IOS Security Configuration Guide.
Step 5 Router(config)# crypto isakmp key keystring address
peer-address
Configures a preshared authentication key.
• keystring—Preshared key.
• peer-address—IP address of the remote peer.
For details on configuring a preshared key, see the
Cisco IOS Security Configuration Guide.
Step 6 Router(config)# crypto isakmp ssp id
Enables ISAKMP state to be transferred by the SSP channel described by the ID. If this feature is
disabled, all dormant SA entries bound to that ID on the standby router will be removed and any
new state entries will not be added.
• id—Channel used to transfer SA entries.
Step 7 Router(config)# crypto ipsec transform-set
transform-set-name
transform1[transform2[transform3]]
...
Router(config-crypto-tran)# exit
Defines a transform set (an acceptable combination
of security protocols and algorithms) and enters
crypto transform configuration mode.
• transform-set-name—Name of the transform
set.
• transform1[transform2[transform3]]—Defines
IPSec security protocols and algorithms.
For accepted transformx values, and more details on
configuring transform sets, see the Cisco IOS
Security Command Reference.
Step 8 Router(config)# crypto map name ha replay-interval
inbound inbound-interval outbound outbound-interval
(Optional) Specifies the intervals at which the active
switch should update the standby switch with
anti-replay sequence numbers.
• name—Tag name of the crypto map described in
the configuration.
• inbound-interval—The interval at which the
active switch sends packet sequence updates for
incoming packets. The range is 0 to 10000
(packets); the default is 1000.
• outbound-interval—The interval at which the
active switch sends packet sequence updates for
outgoing packets. The range is 1 to 10 (in
millions of packets); the default is 1.
Step 9 Router(config)# access-list access-list-number {deny
| permit} ip source source-wildcard destination
destination-wildcard
Defines an extended IP access list.
• access-list-number—Number of an access list.
This is a decimal number from 100 to 199 or
from 2000 to 2699.
• {deny | permit}—Denies or permits access if
the conditions are met.
• source—Address of the host from which the
packet is being sent.
• source-wildcard—Wildcard bits to be applied to
the source address.
• destination—Address of the host to which the
packet is being sent.
• destination-wildcard—Wildcard bits to be
applied to the destination address.
For details on configuring an access list, see the
Cisco IOS Security Configuration Guide.
Step 10 Router(config)# crypto dynamic-map dynamic-map-name
seq-number ipsec-isakmp
...
Router(config-crypto-map)# exit
Creates or modifies a dynamic crypto map template
and enters the crypto map configuration mode.
• dynamic-map-name—Name that identifies the
dynamic crypto map template.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
For details on configuring a crypto map, see the
Cisco IOS Security Configuration Guide.
Step 11 Router(config)# crypto map map-name seq-number
ipsec-isakmp dynamic dynamic-map-name
Creates a crypto map entry and binds it to the
dynamic crypto map template.
• map-name—Name that identifies the crypto
map set.
• seq-number—Sequence number you assign to
the crypto map entry. Lower values have higher
priority.
• ipsec-isakmp—Indicates that IKE will be used
to establish the IPSec security associations.
• dynamic-map-name—Name that identifies the
dynamic crypto map template.
Step 12 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the
LAN-side Gigabit Ethernet interface.
Step 13 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 14 Router(config-if)# standby [group-number] ip
ip-address
Enables the HSRP.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
The default is 0. The group number range is
from 0 to 255 for HSRP version 1 and from 0 to
4095 for HSRP version 2.
• ip-address—(Optional) Virtual IP address of the
HSRP standby group.
Step 15 Router(config-if)# standby [group-number] timers
[msec] hellotime [msec] holdtime
Configures the time between hello packets and the
hold time before other routers declare the active
router to be down.
• group-number—(Optional) Group number to
which the timers apply.
• msec—(Optional) Interval in milliseconds.
Millisecond timers allow for faster failover.
• hellotime—Hello interval (in seconds). This is
an integer from 1 to 254. The default is 3
seconds. If the msec option is specified,
hellotime is in milliseconds. This is an integer
from 15 to 999.
• holdtime—Time (in seconds) before the active
or standby router is declared to be down. This is
an integer from x to 255. The default is 10
seconds. If the msec option is specified,
holdtime is in milliseconds. This is an integer
from y to 3000.
Step 16 Router(config-if)# standby [group-number] [priority
priority] preempt [delay [minimum | sync] seconds]
Sets the standby priority used in choosing the active
router.
• group-number—(Optional) Group number to
which the priority applies.
• priority—(Optional) The priority value range is
from 1 to 255, where 1 denotes the lowest
priority and 255 denotes the highest priority.
Specify that, if the local router has priority over
the current active router, the local router should
attempt to take its place as the active router.
• delay—(Optional) Specifies a preemption
delay, after which the Hot Standby router
preempts and becomes the active router.
• minimum—(Optional) Specifies the minimum
delay period in seconds.
• sync—(Optional) Specifies the maximum
synchronization period for IP redundancy
clients in seconds.
• seconds—(Optional) Causes the local router to
postpone taking over the active role for a
minimum number of seconds since that router
was last restarted. The range is from 0 to 3600
seconds (1 hour). The default is 0 seconds (no
delay).
Step 17 Router(config-if)# standby [group-number] track type
number [interface-priority]
Configures the interface to track other interfaces, so
that if one of the other interfaces goes down, the
device’s Hot Standby priority is lowered.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
• type—Interface type (combined with interface
number) that will be tracked.
• number—Interface number (combined with
interface type) that will be tracked.
• interface-priority—(Optional) Amount by
which the Hot Standby priority for the router is
decremented (or incremented) when the
interface goes down (or comes back up). Range
is from 0 to 255. Default is 10.
Step 18 Router(config-if)# standby [group-number] name Configures the standby group name for the interface.
• group-number—(Optional) Group number to
which the name is being applied.
• name—Name of the HSRP standby group.
Step 19 Router(config-if)# interface vlan vlan_ID Enters interface configuration mode for the
specified crypto interface VLAN.
Step 20 Router(config-if)# ip address address mask Specifies the IP address and subnet mask for the
interface.
• address—IP address.
• mask—Subnet mask.
Step 21 Router(config-if)# standby [group-number] ip
ip-address
Enables the HSRP.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
The default is 0. The group number range is
from 0 to 255 for HSRP version 1 and from 0 to
4095 for HSRP version 2.
• ip-address—(Optional) Virtual IP address of the
HSRP standby group.
Step 22 Router(config-if)# standby [group-number] timers
[msec] hellotime [msec] holdtime
Configures the time between hello packets and the
hold time before other routers declare the active
router to be down.
• group-number—(Optional) Group number to
which the timers apply.
• msec—(Optional) Interval in milliseconds.
Millisecond timers allow for faster failover.
• hellotime—Hello interval (in seconds). This is
an integer from 1 to 254. The default is 3
seconds. If the msec option is specified,
hellotime is in milliseconds. This is an integer
from 15 to 999.
• holdtime—Time (in seconds) before the active
or standby router is declared to be down. This is
an integer from x to 255. The default is 10
seconds. If the msec option is specified,
holdtime is in milliseconds. This is an integer
from y to 3000.
Step 23 Router(config-if)# standby [group-number] [priority
priority] preempt [delay [minimum | sync] seconds]
Sets the standby priority used in choosing the active
router.
• group-number—(Optional) Group number to
which the priority applies.
• priority—(Optional) The priority value range is
from 1 to 255, where 1 denotes the lowest
priority and 255 denotes the highest priority.
Specify that, if the local router has priority over
the current active router, the local router should
attempt to take its place as the active router.
• delay—(Optional) Specifies a preemption
delay, after which the hot standby router
preempts and becomes the active router.
• minimum—(Optional) Specifies the minimum
delay period in seconds.
• sync—(Optional) Specifies the maximum
synchronization period for IP redundancy
clients in seconds.
• seconds—(Optional) Causes the local router to
postpone taking over the active role for a
minimum number of seconds since that router
was last restarted. The range is from 0 to 3600
seconds (1 hour). The default is 0 seconds (no
delay).
Step 24 Router(config-if)# standby [group-number] track type
number [interface-priority]
Configures the interface to track other interfaces, so
that if one of the other interfaces goes down, the
device’s hot standby priority is lowered.
• group-number—(Optional) Group number on
the interface for which HSRP is being activated.
• type—Interface type (combined with interface
number) that will be tracked.
• number—Interface number (combined with
interface type) that will be tracked.
• interface-priority—(Optional) Amount by
which the Hot Standby priority for the router is
decremented (or incremented) when the
interface goes down (or comes back up). Range
is from 0 to 255. Default is 10.
Step 25 Router(config-if)# standby [group-number] name Configures the standby group name for the interface.
• group-number—(Optional) Group number to
which the name is being applied.
• name—Name of the HSRP standby group.
Step 26 Router(config-if)# crypto map map-name ssp id Enables IPSec state information to be transferred by
the SSP channel described by the ID. If this feature
is disabled, all standby entries bound to that
interface will be removed.
Step 27 Router(config-if)# crypto engine slot slot Assigns the crypto engine to the inside interface
VLAN.
• slot—The slot where the IPSec VPN SPA is
located.
Step 28 Router(config-if)# interface gigabitethernet
slot/subslot/port
Enters interface configuration mode for the outside
Gigabit Ethernet interface.
Step 29 Router(config-if)# crypto connect vlan vlan_ID Connects the outside access port to the inside
interface VLAN and enters crypto-connect mode.
• vlan_ID—interface VLAN identifier.
For an example of IPSec stateful failover configuration using HSRP and SSP, see the “IPSec Stateful
Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example” section on
page 32-29.
Configuring IPSec Stateless and Stateful Failover with VRF Mode
Note Support for IPSec stateful failover is removed in Cisco IOS Release 12.2(33)SRA. The feature is
supported in Release 12.2SXF.
Chassis-to-chassis failover with VRF mode is configured differently than in non-VRF (crypto-connect)
mode. In VRF mode, the HSRP configuration goes on the physical interface, but the crypto map is added
to the interface VLAN. In non-VRF mode, both the HSRP configuration and the crypto map are on the
same interface. RRI dynamically inserts and removes routes from the active and standby router VRF
routing tables.
For a configuration example of VRF mode with stateless failover, see the “IPSec Stateless Failover Using
HSRP with VRF Mode Configuration Example” section on page 32-33.
For a configuration example of VRF mode with stateful failover, see the “IPSec Stateful Failover Using
HSRP with VRF Mode Configuration Example” section on page 32-34.
Verifying HSRP Configurations
To verify the IPSec stateful failover HSRP configuration, use the show crypto isakmp ha standby,
show crypto ipsec ha, show crypto ipsec sa, and show crypto ipsec sa standby commands.
To view your ISAKMP standby or active SAs, enter the show crypto isakmp ha standby command:
Router# show crypto isakmp ha standby
dst src state I-Cookie R-Cookie
172.16.31.100 20.3.113.1 QM_IDLE 796885F3 62C3295E FFAFBACD EED41AFF
172.16.31.100 20.2.148.1 QM_IDLE 5B78D70F 3D80ED01 FFA03C6D 09FC50BE
172.16.31.100 20.4.124.1 QM_IDLE B077D0A1 0C8EB3A0 FF5B152C D233A1E0
172.16.31.100 20.3.88.1 QM_IDLE 55A9F85E 48CC14DE FF20F9AE DE37B913
172.16.31.100 20.1.95.1 QM_IDLE 3881DE75 3CF384AE FF192CAB 795019AB
To view your IPSec HA Manager state, enter the show crypto ipsec ha command:
Router# show crypto ipsec ha
Interface VIP SAs IPSec Ha State
GigabitEthernet5/0/1 172.16.31.100 1800 Active since 13:00:16 EDT Tue Oct 1 2002
To view HA status of the IPSec SA (standby or active), enter the show crypto ipsec sa command:
Router# show crypto ipsec sa
interface: GigabitEthernet5/0/1
Crypto map tag: mymap, local addr. 172.168.3.100
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
current_peer: 172.168.3.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 132ED6AB
inbound esp sas:
spi: 0xD8C8635F(3637011295)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
inbound ah sas:
spi: 0xAAF10A60(2867923552)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
inbound pcp sas:
outbound esp sas:
spi: 0x132ED6AB(321836715)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
outbound ah sas:
spi: 0x1951D78(26549624)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
outbound pcp sas:
Enter the show crypto ipsec sa standby command to view your standby SAs:
Router# show crypto ipsec sa standby
interface: GigabitEthernet5/0/1
Crypto map tag: mymap, local addr. 172.168.3.100
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
current_peer: 172.168.3.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 132ED6AB
inbound esp sas:
spi: 0xD8C8635F(3637011295)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
inbound ah sas:
spi: 0xAAF10A60(2867923552)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
inbound pcp sas:
outbound esp sas:
spi: 0x132ED6AB(321836715)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
outbound ah sas:
spi: 0x1951D78(26549624)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
outbound pcp sas:
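One way to turn the show crypto ipsec sa output above into a failover health check, as an added example that is not part of the Cisco guide: the parser extracts each SA's direction, protocol, SPI, transform and HA Status, then reports SAs in an unexpected HA state or missing from the standby unit. Assumptions: the field layout is the one printed on this page, the active unit reports "HA Status: ACTIVE", a replicated SA keeps the same SPI on both units, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abridged from the `show crypto ipsec sa` output above.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet5/0/1
Crypto map tag: mymap, local addr. 172.168.3.100
current_peer: 172.168.3.1
current outbound spi: 132ED6AB
inbound esp sas:
spi: 0xD8C8635F(3637011295)
transform: esp-des esp-md5-hmac ,
slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
HA Status: STANDBY
inbound ah sas:
spi: 0xAAF10A60(2867923552)
transform: ah-sha-hmac ,
slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
HA Status: STANDBY
inbound pcp sas:
outbound esp sas:
spi: 0x132ED6AB(321836715)
transform: esp-des esp-md5-hmac ,
slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
HA Status: STANDBY
outbound ah sas:
spi: 0x1951D78(26549624)
transform: ah-sha-hmac ,
slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
HA Status: STANDBY
outbound pcp sas:
"""

SECTION_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_RE = re.compile(r"^spi: 0x([0-9A-Fa-f]+)\((\d+)\)$")
CONN_RE = re.compile(r"conn id: (\d+)")


@dataclass
class SA:
    interface: str
    peer: str
    direction: str                    # "inbound" or "outbound"
    protocol: str                     # "esp", "ah" or "pcp"
    spi: int
    transform: str = ""
    conn_id: Optional[int] = None
    ha_status: Optional[str] = None   # None: no "HA Status" line was printed


def parse_ipsec_sa(text: str) -> List[SA]:
    """Parse `show crypto ipsec sa` text into one record per SA."""
    sas: List[SA] = []
    interface, peer = "", ""
    section = None   # (direction, protocol) of the block being read
    current = None   # SA whose detail lines are being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface, peer = line.split(":", 1)[1].strip(), ""
            section = current = None
            continue
        if line.startswith("current_peer:"):
            peer = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = (m.group(1), m.group(2)), None
            continue
        m = SPI_RE.match(line)   # "current outbound spi:" does not match
        if m and section:
            spi = int(m.group(1), 16)
            if spi != int(m.group(2)):   # catches truncated or edited captures
                raise ValueError("SPI hex/decimal mismatch: " + line)
            current = SA(interface, peer, section[0], section[1], spi)
            sas.append(current)
            continue
        if current is None:
            continue
        if line.startswith("transform:"):
            current.transform = line.split(":", 1)[1].strip(" ,")
        elif line.startswith("HA Status:"):
            current.ha_status = line.split(":", 1)[1].strip()
        else:
            m = CONN_RE.search(line)
            if m:
                current.conn_id = int(m.group(1))
    return sas


def ha_mismatches(sas: List[SA], expected: str = "STANDBY") -> List[SA]:
    """SAs whose HA Status differs from `expected` or is absent."""
    return [sa for sa in sas if sa.ha_status != expected]


def missing_on_standby(active: List[SA], standby: List[SA]) -> List[SA]:
    """SAs seen on the active unit with no same-SPI counterpart on the standby."""
    def key(sa: SA):
        return (sa.peer, sa.direction, sa.protocol, sa.spi)
    have = {key(sa) for sa in standby}
    return [sa for sa in active if key(sa) not in have]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.direction:8} {sa.protocol:3} spi=0x{sa.spi:08X} "
              f"conn={sa.conn_id} ha={sa.ha_status} [{sa.transform}]")
```

Run ha_mismatches against the standby unit with expected="STANDBY" and against the active unit with expected="ACTIVE"; an SA returned by missing_on_standby would be renegotiated rather than resumed after a failover.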
Displaying SSP Information
To verify the IPSec stateful failover SSP configuration, use the show ssp client, show ssp packet, show
ssp peers, and show ssp redundancy commands.
To view SSP client information, enter the show ssp client command:
Router# show ssp client
SSP Client Information
DOI Client Name Version Running Ver
1 IPSec HA Manager 1.0 1.0
2 IKE HA Manager 1.0 1.0
To view SSP packet information, enter the show ssp packet command:
Router# show ssp packet
SSP packet Information
Socket creation time: 01:01:06
Local port: 3249 Server port: 3249
Packets Sent = 38559, Bytes Sent = 2285020
Packets Received = 910, Bytes Received = 61472
To view SSP peer information, enter the show ssp peers command:
Router# show ssp peers
SSP Peer Information
IP Address Connection State Local Interface
40.0.0.1 Connected FastEthernet0/1
To view redundancy information, enter the show ssp redundancy command:
Router# show ssp redundancy
SSP Redundancy Information
Device has been ACTIVE for 02:55:34
Virtual IP Redundancy Name Interface
172.16.31.100 KNIGHTSOFNI GigabitEthernet5/0/1GigabitEthernet0/0
For complete configuration information for Cisco IOS IPSec stateful failover support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html
For IPSec stateful failover configuration examples, see the “IPSec Stateful Failover Using HSRP and
SSP with Crypto-Connect Mode Configuration Example” section on page 32-29.
Configuring Intrachassis IPSec Stateful Failover Using a Blade Failure Group
This section describes how to configure IPSec stateful failover within a chassis using a blade failure group
(BFG).
When one or more pairs of IPSec VPN SPAs are installed in a chassis, each pair can be configured as a
blade failure group (BFG). The two modules do not need to reside within the same SSC. Within the BFG,
each IPSec VPN SPA serves as a backup for the other IPSec VPN SPA. A BFG may be in either an
active/active or an active/standby configuration.
Each IPSec tunnel is associated with only one active IPSec VPN SPA. In a BFG, the other IPSec VPN
SPA will act as a backup for that IPSec tunnel. For each IKE SA or IPSec tunnel, there is an active IPSec
VPN SPA and its backup. For example, in a system that supports 1000 tunnels with two IPSec VPN
SPAs, 500 of the tunnels may be active on one SPA and the remaining 500 may be active on the second
SPA. Both SPAs then replicate data to each other so that either one can take over in the event of a failure.
IPSec Stateful Failover Using a BFG Configuration Guidelines and Restrictions
When configuring IPSec stateful failover using a BFG, follow these guidelines and restrictions:
• You can install or remove one of the IPSec VPN SPAs comprising a BFG without disrupting any of
the tunnels on the other IPSec VPN SPA.
• We recommend deploying a BFG in an active/standby configuration to avoid oversubscription in the
case of a failover.
• When deploying a BFG in an active/active configuration, we recommend that you limit each IPSec
VPN SPA to no more than 50% utilization to avoid oversubscription in the case of a failover.
• In Cisco IOS Release 12.2(33)SXH and earlier releases, the IPsec statistics may experience a slight
disruption during a stateful BFG failover, but will resume from approximately the values before the
failover.
• In Cisco IOS Release 12.2(33)SXI and later releases, the IPsec statistics are reset during a stateful
BFG failover, and will resume from zero.
Configuring a BFG for IPSec Stateful Failover
To configure IPSec stateful failover using a BFG, perform this task beginning in global configuration
mode:
Command Purpose
Step 1 Router(config)# redundancy Enters redundancy configuration mode.
Step 2 Router(config-red)# linecard-group group-number
feature-card
Identifies the line card group ID for a Blade Failure
Group and enters redundancy line card configuration
mode.
• group-number—Specifies a group ID for the
BFG.
Step 3 Router(config-r-lc)# subslot slot/subslot Adds the first SPA to the group.
• slot—Specifies the chassis slot number where
the SSC is installed.
• subslot—Specifies the secondary slot number
on an SSC where a SPA is installed.
Step 4 Router(config-r-lc)# subslot slot/subslot Adds the second SPA to the group.
For an IPSec stateful failover using a BFG configuration example, see the “IPSec Stateful Failover Using
a Blade Failure Group Configuration Example” section on page 32-38.
Verifying the IPSec Stateful Failover Using a BFG Configuration
To verify the IPSec stateful failover using a BFG configuration, use the show redundancy linecard-group
and show crypto ace redundancy commands.
To display the components of a Blade Failure Group, enter the show redundancy linecard-group
command:
Router# show redundancy linecard-group 1
Line Card Redundancy Group:1 Mode:feature-card
Class:load-sharing
Cards:
Slot:3 Sublot:0
Slot:5 Sublot:0
To display information about a Blade Failure Group, enter the show crypto ace redundancy command:
Router# show crypto ace redundancy
--------------------------------------
LC Redundancy Group ID :1
Pending Configuration Transactions:0
Current State :OPERATIONAL
Number of blades in the group :2
Slots
--------------------------------------
Slot:3 subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 22 times
Initialization Timer not running
Slot:5 subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 24 times
Initialization Timer not running
Configuration Examples
This section provides examples of the following configurations:
• Multiple IPSec VPN SPAs in a Chassis Configuration Example, page 32-24
• IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples, page
32-27
• IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example,
page 32-29
• IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example, page 32-33
• IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example, page 32-34
• IPSec Stateful Failover Using a Blade Failure Group Configuration Example, page 32-38
Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases
has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside |
outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that
this command has been modified in your startup configuration to avoid extended maintenance time.
Multiple IPSec VPN SPAs in a Chassis Configuration Example
This section provides an example of a configuration using multiple IPSec VPN SPAs in a chassis as
shown in Figure 32-1. Note the following in these examples:
• An IPSec VPN SPA is in slot 2, subslot 0 and slot 3, subslot 0 of router 1.
• In the configuration example, three exclamation points (!!!) precede descriptive comments.
Figure 32-1 Multiple IPSec VPN SPAs in a Chassis Configuration Example
[Figure not reproduced. Diagram labels: Router 1; Router 2; Host 1 (10.9.1.3/24); FE 6/1 (10.9.1.2/24); FE 6/2 (10.9.2.2/24); Host 2 (10.9.2.1/24); Host 3 (10.6.1.4); Host 4 (10.6.2.1); GE 5/4; GE 5/3.]
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key mykey address 10.8.1.1
crypto isakmp key mykey address 10.13.1.1
!
crypto ipsec transform-set xform1 ah-md5-hmac esp-des esp-sha-hmac
crypto ipsec transform-set xform2 esp-3des esp-sha-hmac
!
!!! crypto map applied to VLAN 12, which is
!!! assigned to "inside" port of IPSec VPN SPA in slot 3
crypto map cmap2 10 ipsec-isakmp
set peer 10.8.1.1
set transform-set xform1
match address 102
!
!!! crypto map applied to VLAN 20, which is
!!! assigned to "inside" port of IPSec VPN SPA in slot 2/0
crypto map cmap3 10 ipsec-isakmp
set peer 10.13.1.1
set transform-set xform2
match address 103
!
!!! "port" VLAN, crypto connected to VLAN 12 by IPSec VPN SPA on slot 3/0
interface Vlan11
no ip address
crypto connect vlan 12
!
!!! "interface" VLAN, assigned to IPSec VPN SPA on slot 3/0
interface Vlan12
ip address 10.8.1.2 255.255.0.0
crypto map cmap2
crypto engine slot 3/0
!
!!! "port" VLAN, crypto connected to VLAN 20 by IPSec VPN SPA on slot 2/0
interface Vlan19
no ip address
crypto connect vlan 20
!
!!! "interface" VLAN, assigned to IPSec VPN SPA on slot 2/0
interface Vlan20
ip address 10.13.1.2 255.255.0.0
crypto map cmap3
crypto engine slot 2/0
!
!!! connected to Host 1
interface FastEthernet6/1
ip address 10.9.1.2 255.255.255.0
!
!!! connected to Host 2
interface FastEthernet6/2
ip address 10.9.2.2 255.255.255.0
!
!!! connected to Router 2
interface GigabitEthernet5/3
switchport
switchport mode access
switchport access vlan 11
!
!!! connected to Router 2
interface GigabitEthernet5/4
switchport
switchport mode access
switchport access vlan 19
!
interface GigabitEthernet2/0/1
no ip address
flowcontrol receive on
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 12,1002-1005
switchport mode trunk
cdp enable
!
interface GigabitEthernet2/0/2
no ip address
flowcontrol receive on
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11,1002-1005
switchport mode trunk
cdp enable
!
interface GigabitEthernet3/0/1
no ip address
flowcontrol receive on
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,1002-1005
switchport mode trunk
cdp enable
!
interface GigabitEthernet3/0/2
no ip address
flowcontrol receive on
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 19,1002-1005
switchport mode trunk
cdp enable
!
ip classless
!
!!! packets from Host 1 to Host 3 are routed from FastEthernet6/1
!!! to VLAN 12, encrypted with crypto map cmap2
!!! using IPSec VPN SPA in slot 3/0, and forwarded to peer 10.8.1.1
!!! through GigabitEthernet5/3
ip route 10.6.1.4 255.255.255.255 10.8.1.1
!
!!! packets from Host 2 to Host 4 are routed from FastEthernet6/2
!!! to VLAN 20, encrypted with crypto map cmap3
!!! using IPSec VPN SPA in slot 2/0, and forwarded to peer 10.13.1.1
!!! through GigabitEthernet5/4
ip route 10.6.2.1 255.255.255.255 10.13.1.1
!
!!! ACL matching traffic between Host 1 and Host 3
access-list 102 permit ip host 10.9.1.3 host 10.6.1.4
!
!!! ACL matching traffic between Host 2 and Host 4
access-list 103 permit ip host 10.9.2.1 host 10.6.2.1
IPSec Stateless Failover Using HSRP with Crypto-Connect Mode Configuration Examples
This section provides the following configuration examples of IPSec stateless failover using HSRP:
• IPSec Stateless Failover for the Active Chassis Configuration Example, page 32-27
• IPSec Stateless Failover for the Remote Router Configuration Example, page 32-28
IPSec Stateless Failover for the Active Chassis Configuration Example
The following example shows the configuration for an active chassis that is configured for IPSec
stateless failover using HSRP:
hostname router-1
!
vlan 2-1001
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234567890 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set PYTHON esp-3des
!
crypto dynamic-map dynamap_1 20
set transform-set PYTHON
reverse-route
!
!
crypto map MONTY 1 ipsec-isakmp dynamic dynamap_1
!
interface GigabitEthernet1/3
switchport
switchport access vlan 502
switchport mode access
!
interface GigabitEthernet1/4
ip address 50.0.0.3 255.0.0.0
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 502
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 172.1.1.3 255.255.255.0
standby ip 172.1.1.100
standby preempt
standby name KNIGHTSOFNI
standby track GigabitEthernet1/3
standby track GigabitEthernet1/4
no mop enabled
crypto map MONTY redundancy KNIGHTSOFNI
crypto engine slot 4/0
!
interface Vlan502
no ip address
crypto connect vlan 2
!
ip route 10.0.0.0 255.0.0.0 172.1.1.4
ip route 20.0.0.0 255.0.0.0 172.1.1.4
ip route 50.0.0.0 255.0.0.0 50.0.0.13
ip route 50.0.1.1 255.255.255.255 50.0.0.13
ip route 50.0.2.1 255.255.255.255 50.0.0.13
ip route 50.0.3.1 255.255.255.255 50.0.0.13
ip route 50.0.4.1 255.255.255.255 50.0.0.13
ip route 50.0.5.1 255.255.255.255 50.0.0.13
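How the standby preempt and standby track lines in the active-chassis configuration above decide which chassis terminates the tunnels, as an added example that is not from the Cisco guide. It assumes the HSRP default priority of 100 for router-1, a constructed peer named router-2 at 172.1.1.2, and it ignores timers and preempt delay; on equal priorities this model leaves the current active router in place, which is a simplification.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set


@dataclass(eq=False)
class HsrpRouter:
    name: str
    ip: str                      # interface address, used only to break ties
    priority: int = 100          # HSRP default when no priority is configured
    preempt: bool = False
    # tracked interface -> decrement applied while that interface is down
    tracked: Dict[str, int] = field(default_factory=dict)
    down: Set[str] = field(default_factory=set)

    def effective_priority(self) -> int:
        lost = sum(dec for ifc, dec in self.tracked.items() if ifc in self.down)
        return max(self.priority - lost, 0)


def elect(routers: List[HsrpRouter]) -> HsrpRouter:
    """Election with no active router: highest priority, then highest IP."""
    return max(routers,
               key=lambda r: (r.effective_priority(), int(IPv4Address(r.ip))))


def next_active(active: Optional[HsrpRouter],
                routers: List[HsrpRouter]) -> HsrpRouter:
    """Return the active router after priorities have been re-evaluated."""
    if active is None:
        return elect(routers)
    # Only routers configured with preempt may displace a live active router,
    # and only when their priority is strictly higher (model simplification).
    challengers = [r for r in routers
                   if r is not active and r.preempt
                   and r.effective_priority() > active.effective_priority()]
    return elect(challengers) if challengers else active


def run_scenario(peer_priority: int, r1_preempt: bool = True) -> List[str]:
    """Replay: all up, Gi1/4 down, Gi1/3 also down, both restored."""
    # router-1 mirrors interface Vlan2 above: two tracked interfaces with the
    # default decrement of 10 each. router-2 is a constructed peer.
    r1 = HsrpRouter("router-1", "172.1.1.3", preempt=r1_preempt,
                    tracked={"GigabitEthernet1/3": 10,
                             "GigabitEthernet1/4": 10})
    r2 = HsrpRouter("router-2", "172.1.1.2", priority=peer_priority,
                    preempt=True)
    group = [r1, r2]
    active = next_active(None, group)
    timeline = [active.name]
    for failed in ({"GigabitEthernet1/4"},
                   {"GigabitEthernet1/3", "GigabitEthernet1/4"},
                   set()):
        r1.down = set(failed)
        active = next_active(active, group)
        timeline.append(active.name)
    return timeline


if __name__ == "__main__":
    for peer in (95, 85):
        print(f"peer priority {peer}: {' -> '.join(run_scenario(peer))}")
    print("router-1 without preempt:",
          " -> ".join(run_scenario(95, r1_preempt=False)))
```

With the peer at 85, a single tracked-interface failure leaves router-1 active because the decrement of 10 does not close the priority gap; the role moves only when the total decrement exceeds the gap and the peer has preempt configured.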
IPSec Stateless Failover for the Remote Router Configuration Example
The following example shows the configuration for a remote router that is configured for IPSec stateless
failover using HSRP.
hostname router-remote
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 172.1.1.100
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto map test_1 local-address Vlan2
crypto map test_1 10 ipsec-isakmp
set peer 172.1.1.100
set security-association lifetime seconds 86400
set transform-set ha_transform
set pfs group2
match address test_1
!
interface GigabitEthernet1/1
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 20.0.1.1 255.255.255.0
crypto map test_1
crypto engine slot 4/0
!
interface Vlan502
no ip address
crypto connect vlan 2
!
ip route 10.0.0.0 255.0.0.0 10.0.0.13
ip route 50.0.1.0 255.255.255.0 20.0.1.2
ip route 172.1.1.0 255.255.255.0 20.0.1.2
!
ip access-list extended test_1
permit ip host 10.0.1.1 host 50.0.1.1
IPSec Stateful Failover Using HSRP and SSP with Crypto-Connect Mode Configuration Example
Note Support for IPSec stateful failover using HSRP and SSP is removed in Cisco IOS Release 12.2(33)SRA
and later releases. The feature is supported in Release 12.2SXF.
Note This configuration example does not protect the SSP traffic. To protect the SSP traffic, you will need to
define a new crypto map and attach it to the SSP interface without the ssp tag. The ACL for this crypto
map can be derived from the remote IP address and the TCP port that are defined in the SSP group.
The following example shows the configuration for an IPSec stateful failover using HSRP and SSP:
hostname router-1
!
ssp group 100
remote 50.0.0.6
redundancy PUBLIC
redundancy PRIVATE
!
vlan 502
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234567890 address 0.0.0.0 0.0.0.0
crypto isakmp ssp 100
!
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto dynamic-map ha_dynamic 10
set security-association lifetime seconds 86400
set transform-set ha_transform
set pfs group2
!
!
crypto map ha_dynamic 10 ipsec-isakmp dynamic ha_dynamic
!
!
!
interface GigabitEthernet1/1
no ip address
crypto connect vlan 502
!
interface GigabitEthernet1/2
ip address 50.0.0.5 255.255.255.0
load-interval 30
no keepalive
standby delay minimum 30 reload 60
standby 2 ip 50.0.0.100
standby 2 preempt
standby 2 name PRIVATE
standby 2 track GigabitEthernet1/1
standby 2 track Vlan502
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan502
ip address 172.1.1.5 255.255.255.0
no mop enabled
standby delay minimum 30 reload 60
standby 1 ip 172.1.1.100
standby 1 preempt
standby 1 name PUBLIC
standby 1 track GigabitEthernet1/1
standby 1 track GigabitEthernet1/2
crypto map ha_dynamic ssp 100
crypto engine slot 4/0
!
ip route 10.0.0.0 255.0.0.0 172.1.1.4
ip route 20.0.0.0 255.0.0.0 172.1.1.4
ip route 50.0.0.0 255.0.0.0 50.0.0.13
The following example shows the configuration for a remote peer router that is configured for IPSec
stateful failover using HSRP and SSP:
hostname router-remote
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 172.1.1.100
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto map test_1 local-address Vlan2
crypto map test_1 10 ipsec-isakmp
set peer 172.1.1.100
set security-association lifetime seconds 86400
set transform-set ha_transform
set pfs group2
match address test_1
!
crypto map test_2 local-address Vlan3
crypto map test_2 10 ipsec-isakmp
set peer 172.1.1.100
set security-association lifetime seconds 86400
set transform-set ha_transform
set pfs group2
match address test_2
!
interface GigabitEthernet1/1
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,503,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,503,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 20.0.1.1 255.255.255.0
crypto map test_1
crypto engine slot 4/0
!
interface Vlan3
ip address 20.0.2.1 255.255.255.0
crypto map test_2
crypto engine slot 4/0
interface Vlan502
no ip address
crypto connect vlan 2
!
interface Vlan503
no ip address
crypto connect vlan 3
!
ip route 10.0.0.0 255.0.0.0 10.0.0.13
ip route 50.0.1.0 255.255.255.0 20.0.1.2
ip route 50.0.2.0 255.255.255.0 20.0.2.2
ip route 172.1.1.0 255.255.255.0 20.0.1.2
!
ip access-list extended test_1
permit ip host 10.0.1.1 host 50.0.1.1
ip access-list extended test_2
permit ip host 10.0.2.1 host 50.0.2.1
IPSec Stateless Failover Using HSRP with VRF Mode Configuration Example
The following example shows a VRF mode configuration with HSRP chassis-to-chassis stateless
failover with crypto maps:
!
hostname router-1
!
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key1
pre-shared-key address 14.0.1.1 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp keepalive 10
crypto isakmp profile ivrf
vrf ivrf
keyring key1
match identity address 14.0.1.1 255.255.255.255
!
crypto ipsec transform-set ts esp-3des esp-sha-hmac
!
crypto map map_vrf_1 local-address Vlan3
crypto map map_vrf_1 10 ipsec-isakmp
set peer 14.0.1.1
set transform-set ts
set isakmp-profile ivrf
match address acl_1
!
interface GigabitEthernet1/1
!switch inside port
ip address 13.254.254.1 255.255.255.0
!
interface GigabitEthernet1/1.1
encapsulation dot1Q 2000
ip vrf forwarding ivrf
ip address 13.254.254.1 255.0.0.0
!
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet4/0/1
!IPSec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
!IPSec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan3
ip address 15.0.0.2 255.255.255.0
standby delay minimum 0 reload 0
standby 1 ip 15.0.0.100
standby 1 timers msec 100 1
standby 1 priority 105
standby 1 preempt
standby 1 name std-hsrp
standby 1 track GigabitEthernet1/2
crypto engine slot 4/0 outside
!
interface Vlan2
ip vrf forwarding ivrf
ip address 15.0.0.252 255.255.255.0
crypto map map_vrf_1 redundancy std-hsrp
crypto engine slot 4/0 inside
!
ip classless
ip route 12.0.0.0 255.0.0.0 15.0.0.1
ip route 13.0.0.0 255.0.0.0 13.254.254.2
ip route 14.0.0.0 255.0.0.0 15.0.0.1
ip route 223.255.254.0 255.255.255.0 17.1.0.1
ip route vrf ivrf 12.0.0.1 255.255.255.255 15.0.0.1
!
ip access-list extended acl_1
permit ip host 13.0.0.1 host 12.0.0.1
!
!
arp vrf ivrf 13.0.0.1 0000.0000.2222 ARPA
IPSec Stateful Failover Using HSRP with VRF Mode Configuration Example
Note: Support for IPSec stateful failover with HSRP is removed in Cisco IOS Release 12.2(33)SRA and later
releases. The feature is supported in Release 12.2SXF.
The following example shows a VRF mode configuration with HSRP chassis-to-chassis stateful failover
with crypto maps:
hostname router-1
!
ip vrf vrf1
rd 2000:1
route-target export 2000:1
route-target import 2000:1
!
ssp group 100
remote 172.1.1.60
redundancy PUBLIC
redundancy PRIVATE
!
crypto engine mode vrf
!
vlan 2-1001
!
crypto keyring key1
pre-shared-key address 0.0.0.0 0.0.0.0 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp ssp 100
!
crypto isakmp profile prof1
vrf vrf1
keyring key1
match identity address 0.0.0.0
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto dynamic-map ha_dynamic 10
set security-association lifetime seconds 86400
set transform-set ha_transform
set isakmp-profile prof1
reverse-route
!
!
crypto map ha_dynamic local-address GigabitEthernet1/3
crypto map ha_dynamic 10 ipsec-isakmp dynamic ha_dynamic
!
!
!
interface GigabitEthernet1/2
no ip address
!
interface GigabitEthernet1/2.1
encapsulation dot1Q 2500
ip vrf forwarding vrf1
ip address 50.0.0.5 255.0.0.0
standby delay minimum 30 reload 90
standby 2 ip 50.0.0.100
standby 2 preempt
standby 2 name PRIVATE
standby 2 track GigabitEthernet1/3
standby 2 track Vlan100
!
interface GigabitEthernet1/3
ip address 172.1.1.50 255.255.255.0
standby delay minimum 30 reload 90
standby 1 ip 172.1.1.100
standby 1 preempt
standby 1 name PUBLIC
standby 1 track GigabitEthernet1/2
standby 1 track Vlan100
crypto engine slot 2/0
!
interface GigabitEthernet2/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan100
ip vrf forwarding vrf1
ip address 172.1.1.6 255.255.255.0
crypto map ha_dynamic ssp 100
crypto engine slot 2/0
!
!
ip route 10.0.0.0 255.0.0.0 172.1.1.4
ip route 20.0.0.0 255.0.0.0 172.1.1.4
ip route vrf vrf1 50.0.1.1 255.255.255.255 50.0.0.13
!
The following example shows the configuration for a remote peer router that is configured for IPSec
stateful failover in VRF mode:
hostname router-remote
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 12345 address 172.1.1.100
!
!
crypto ipsec transform-set ha_transform esp-3des
!
crypto map test_1 local-address Vlan2
crypto map test_1 10 ipsec-isakmp
set peer 172.1.1.100
set security-association lifetime seconds 86400
set transform-set ha_transform
match address test_1
!
crypto map test_2 local-address Vlan3
crypto map test_2 10 ipsec-isakmp
set peer 172.1.1.100
set security-association lifetime seconds 86400
set transform-set ha_transform
match address test_2
!
interface GigabitEthernet1/1
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,503,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet4/0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502,503,1002-1005
switchport mode trunk
mtu 9216
no ip address
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip address 20.0.1.1 255.255.255.0
crypto map test_1
crypto engine slot 4/0
!
interface Vlan3
ip address 20.0.2.1 255.255.255.0
crypto map test_2
crypto engine slot 4/0
!
interface Vlan502
no ip address
crypto connect vlan 2
!
interface Vlan503
no ip address
crypto connect vlan 3
!
ip route 10.0.0.0 255.0.0.0 10.0.0.13
ip route 50.0.1.0 255.255.255.0 20.0.1.2
ip route 50.0.2.0 255.255.255.0 20.0.2.2
ip route 172.1.1.0 255.255.255.0 20.0.1.2
!
ip access-list extended test_1
permit ip host 10.0.1.1 host 50.0.1.1
ip access-list extended test_2
permit ip host 10.0.2.1 host 50.0.2.1
IPSec Stateful Failover Using a Blade Failure Group Configuration Example
The following example shows how to configure IPSec stateful failover using a blade failure group
(BFG):
Router(config)# redundancy
Router(config-red)# line-card-group 1 feature-card
Router(config-r-lc)# subslot 3/1
Router(config-r-lc)# subslot 5/1
CHAPTER 33
Configuring Monitoring and Accounting for the IPSec VPN SPA
This chapter provides information about configuring monitoring and accounting using the IPSec VPN
SPA on the Cisco 7600 series router. It includes the following sections:
• Overview of Monitoring and Accounting for the IPSec VPN SPA
• Monitoring and Managing IPSec VPN Sessions
• Configuring IPSec VPN Accounting
• Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec
• Configuration Examples
Note: For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the
Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference.
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
15.0SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section.
Tip: To ensure a successful configuration of your VPN using the IPSec VPN SPA, read all of the
configuration summaries and guidelines before you perform any configuration tasks.
Overview of Monitoring and Accounting for the IPSec VPN SPA
This chapter describes some IPSec features that can be used to monitor and manage the IPSec VPN.
These features include:
• The IPSec VPN monitoring feature, which provides VPN session monitoring enhancements that will
allow you to troubleshoot the VPN and monitor the end-user interface.
• The IPSec VPN accounting feature, which enables session accounting records to be generated by
indicating when the session starts and when it stops.
• The IPSec and IKE MIB support for Cisco VRF-aware IPSec feature, which provides manageability
of VPN routing and forwarding (VRF)-aware IPSec using MIBs.
Monitoring and Managing IPSec VPN Sessions
The IPSec VPN monitoring feature provides VPN session monitoring enhancements that allow you
to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface. A crypto session
is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE
as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE
security association (for control traffic) and at least two IPSec security associations (for data traffic, one
for each direction). During rekeying, or because of simultaneous setup requests from both sides, the
same session may have duplicated IKE security associations (SAs), duplicated IPSec SAs, or both.
Session monitoring enhancements include the following:
• Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file
• Summary listing of crypto session status
• Syslog notification for crypto session up or down status
• Ability to clear both IKE and IP Security (IPSec) security associations (SAs) using one
command-line interface (CLI)
Adding the Description of an IKE Peer
To add the description of an IKE peer to an IPSec VPN session, perform this task beginning in global
configuration mode:
Step 1
Command: Router(config)# crypto isakmp peer {ip-address ip-address}
Purpose: Enables an IPSec peer for IKE querying of authentication, authorization, and accounting
(AAA) for tunnel attributes in aggressive mode and enters ISAKMP peer configuration mode.
• ip-address—IP address of the peer.
Step 2
Command: Router(config-isakmp-peer)# description description
Purpose: Adds a description for an IKE peer.
• description—Description identifying the peer.
Verifying Peer Descriptions
To verify peer descriptions, enter the show crypto isakmp peer command:
Router# show crypto isakmp peer
Peer: 10.2.2.9 Port: 500
Description: connection from site A
flags: PEER_POLICY
When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as
follows:
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn
Getting a Summary Listing of Crypto Session Status
You can get a list of all the active VPN sessions by entering the show crypto session command. The
listing will include the following:
• Interface
• IKE peer description, if available
• IKE SAs that are associated with the peer by which the IPSec SAs are created
• IPSec SAs serving the flows of a session
Multiple IKE or IPSec SAs may be established for the same peer, in which case IKE peer descriptions
will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec
SAs that are serving the flows of the session.
You can also use the show crypto session detail variant of this command to obtain more detailed
information about the sessions.
The following is sample output for the show crypto session command without the detail keyword:
Router# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.0.0.2/500
IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0
Active SAs: 2, origin: crypto map
The following is sample output using the show crypto session command with the detail keyword:
Router# show crypto session detail
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
Desc: this is my peer at 10.1.1.3:500 Green
Phase1_id: 10.1.1.3
IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
Capabilities:(none) connid:3 lifetime:22:03:24
IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949
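The following added example (not part of the original Cisco guide) parses the show crypto session detail sample output above and lists the flows that have no active SAs or a non-zero drop counter. The function names and the finding labels are assumptions made for this example; the embedded sample is the output printed on this page.

```python
import re

# Sample copied from the "show crypto session detail" output on this page.
SAMPLE = """\
Router# show crypto session detail
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
Desc: this is my peer at 10.1.1.3:500 Green
Phase1_id: 10.1.1.3
IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
Capabilities:(none) connid:3 lifetime:22:03:24
IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949
"""

# "Peer: a.b.c.d/500" (summary form) and "Peer: a.b.c.d port 500" (detail form).
PEER_RE = re.compile(r"^Peer: (?P<ip>\d+\.\d+\.\d+\.\d+)[ /]")
FLOW_RE = re.compile(r"^IPSEC FLOW: (?P<acl>.+)$")
SAS_RE = re.compile(r"^Active SAs: (?P<n>\d+), origin: (?P<origin>.+)$")
DIR_RE = re.compile(
    r"^(?P<dir>Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (?P<pkts>\d+) drop (?P<drop>\d+)"
)


def parse_sessions(text):
    """Return one dict per 'Interface:' block, each with its list of flows."""
    sessions, session, flow = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            session = {"interface": line.split(":", 1)[1].strip(),
                       "status": None, "peer": None, "desc": None, "flows": []}
            sessions.append(session)
            flow = None
            continue
        if session is None:
            continue  # prompt or banner lines before the first session
        if line.startswith("Session status:"):
            session["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Desc:"):
            session["desc"] = line.split(":", 1)[1].strip()
        elif (m := PEER_RE.match(line)):
            session["peer"] = m["ip"]
        elif (m := FLOW_RE.match(line)):
            flow = {"acl": m["acl"], "active_sas": 0, "drops": {}}
            session["flows"].append(flow)
        elif flow is not None and (m := SAS_RE.match(line)):
            flow["active_sas"] = int(m["n"])
        elif flow is not None and (m := DIR_RE.match(line)):
            flow["drops"][m["dir"].lower()] = int(m["drop"])
    return sessions


def findings(sessions):
    """List (peer, flow ACL, reason) for flows an operator should look at."""
    out = []
    for s in sessions:
        for f in s["flows"]:
            if s["status"] == "UP-ACTIVE" and f["active_sas"] == 0:
                out.append((s["peer"], f["acl"], "no active SAs"))
            for direction, drops in f["drops"].items():
                if drops:
                    out.append((s["peer"], f["acl"], f"{direction} drops: {drops}"))
    return out


if __name__ == "__main__":
    for peer, acl, reason in findings(parse_sessions(SAMPLE)):
        print(f"{peer}  {acl}  ->  {reason}")
```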
Syslog Notification for Crypto Session Up or Down Status
The syslog notification for crypto session up or down status function provides syslog notification every
time the crypto session comes up or goes down. To enable syslog logging of the session status, enter the
crypto logging session and crypto logging ezvpn commands in configuration mode.
The following is a sample syslog notification showing that a crypto session is up:
%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2
The following is a sample syslog notification showing that a crypto session is down:
%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2
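As an added example (not Cisco code), the script below parses %CRYPTO-5-SESSION_STATUS messages in both forms shown in this chapter and summarizes, per peer, the last known state and how often the session went up or down. The log lines are constructed: their message bodies follow the samples in this chapter, while the sequence numbers, timestamps, and function names are invented for the example.

```python
import re

# Matches both message forms in this chapter: "Crypto tunnel is ..." (no VRF
# fields) and "Crypto session is ..." (with fvrf= and ivrf=).
STATUS_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto (?:tunnel|session) is (?P<state>UP|DOWN)\.\s+"
    r"Peer (?P<peer>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
    r"(?:\s+fvrf=(?P<fvrf>\S+))?"
    r"(?:\s+ivrf=(?P<ivrf>\S+))?"
    r"(?:\s+Description: (?P<desc>.*?))?"
    r"(?:\s+Id: (?P<id>\S+))?\s*$"
)

# Constructed log lines (prefixes invented; message bodies follow the samples).
_GW = ("Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 "
       "Description: SJC24-2-VPN-Gateway Id: 10.5.5.2")
LOG_LINES = [
    f"000101: Nov 28 10:00:01: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. {_GW}",
    f"000102: Nov 28 10:04:12: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. {_GW}",
    "000103: Nov 28 10:04:30: %SYS-5-CONFIG_I: Configured from console by console",
    f"000104: Nov 28 10:05:02: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. {_GW}",
    "000105: Nov 28 10:06:40: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. "
    "Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn",
    f"000106: Nov 28 10:09:55: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. {_GW}",
]


def parse_status(line):
    """Return the fields of one session-status message, or None if no match."""
    m = STATUS_RE.search(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def summarize(lines):
    """Track last state and up/down counts per (peer, port, fvrf, ivrf)."""
    peers = {}
    for line in lines:
        event = parse_status(line)
        if event is None:
            continue  # unrelated syslog message
        key = (event["peer"], event["port"], event["fvrf"], event["ivrf"])
        rec = peers.setdefault(
            key, {"state": None, "ups": 0, "downs": 0, "description": event["desc"]}
        )
        rec["state"] = event["state"]
        rec["ups" if event["state"] == "UP" else "downs"] += 1
        if event["desc"]:
            rec["description"] = event["desc"]
    return peers


def currently_down(peers):
    """Peers whose most recent status message was DOWN."""
    return [key for key, rec in peers.items() if rec["state"] == "DOWN"]


def flapping(peers, min_downs=2):
    """Peers that went down at least min_downs times in the input."""
    return [key for key, rec in peers.items() if rec["downs"] >= min_downs]


if __name__ == "__main__":
    summary = summarize(LOG_LINES)
    for key, rec in summary.items():
        print(key, rec)
    print("down now:", currently_down(summary))
    print("flapping:", flapping(summary))
```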
Clearing a Crypto Session
In previous Cisco IOS software releases, there was no single command to clear both IKE and IPSec
security associations (SAs). Instead, you entered the clear crypto isakmp command to clear IKE and
the clear crypto ipsec command to clear IPSec. The clear crypto session command allows you to clear
both IKE and IPSec with a single command. To clear a specific crypto session or a subset of all the
sessions (for example, a single tunnel to one remote site), you must provide session-specific parameters,
such as a local or remote IP address, a local or remote port, a front-door VPN routing and forwarding
(FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address will be used to specify
a single tunnel to be deleted.
If a local IP address is provided as a parameter when you enter the clear crypto session command, all
the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE
local address) will be cleared. If you do not provide a parameter when you enter the clear crypto session
command, all IPSec SAs and IKE SAs in the router will be deleted.
To clear a crypto session, enter the clear crypto session command in privileged EXEC mode from the
router command line. No configuration statements are required in the configuration file to use this
command:
Router# clear crypto session
For complete configuration information for IPSec VPN Monitoring, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ipsvm.html
For IPSec VPN monitoring configuration examples, see the “IPSec VPN Monitoring Configuration
Example” section.
Configuring IPSec VPN Accounting
The IPSec VPN accounting feature enables session accounting records to be generated by indicating
when the session starts and when it stops.
A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or
more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPSec) pair
is created and stops when all IPSec SAs are deleted. If IPSec accounting is configured, after IKE phases
are complete, an accounting start record is generated for the session. New accounting records are not
generated during a rekeying.
Session-identifying information and session-usage information are passed to the Remote Authentication
Dial-In User Service (RADIUS) server by standard RADIUS attributes and vendor-specific attributes
(VSAs).
To enable IPSec VPN accounting, perform this task beginning in global configuration mode:
Step 1
Command: Router(config)# aaa new-model
Purpose: Enables periodic interim accounting records to be sent to the accounting server.
Step 2
Command: Router(config)# aaa authentication login list-name group radius
Purpose: Sets authentication, authorization, and accounting (AAA) authentication at login using
RADIUS servers.
• list-name—Character string used to name the list of authentication methods activated when a
user logs in.
• group radius—Uses the list of all RADIUS servers for authentication.
Step 3
Command: Router(config)# aaa authorization network list-name group radius
Purpose: Runs authorization for all network-related service requests, including Serial Line Internet
Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).
• list-name—Character string used to name the list of authorization methods activated when a
user logs in.
• group radius—Uses the list of all RADIUS servers for authentication.
Step 4
Command: Router(config)# aaa accounting network list-name start-stop [broadcast] group radius
Purpose: Enables AAA accounting of network-related requested services for billing or security purposes
when you use RADIUS.
• list-name—Character string used to name the list of the accounting methods.
• start-stop—Sends a start accounting notice at the beginning of a process and a stop accounting
notice at the end of a process. The start accounting record is sent in the background. The requested
user process begins regardless of whether the start accounting notice was received by the
accounting server.
• broadcast—(Optional) Enables sending accounting records to multiple AAA servers.
Simultaneously sends accounting records to the first server in each group. If the first server is
unavailable, failover occurs using the backup servers defined within that group.
• group radius—Uses the list of all RADIUS servers for authentication as defined by the aaa
group server radius command.
Step 5
Command: Router(config)# aaa accounting update periodic minutes
Purpose: (Optional) Sends accounting updates to the accounting server while a session is up.
• minutes—Specifies the interval (in number of minutes) at which accounting records are to be
sent to the accounting server.
Step 6
Command: Router(config)# aaa session-id common
Purpose: Specifies whether the same session ID will be used for each AAA accounting service type
within a call or whether a different session ID will be assigned to each accounting service type.
• common—Ensures that all session identification (ID) information that is sent out for a given call
will be made identical. The default behavior is common.
Step 7
Command: Router(config)# crypto isakmp profile profile-name
Purpose: Audits IP security (IPSec) user sessions and enters isakmp-profile configuration mode.
• profile-name—Name of the user profile. To associate a user profile with the RADIUS server, the
user profile name must be identified.
Step 8
Command: Router(conf-isa-prof)# vrf ivrf
Purpose: Associates the on-demand address pool with a Virtual Private Network (VPN) routing and
forwarding (VRF) instance name.
• ivrf—VRF to which the IPSec tunnel will be mapped.
Step 9
Command: Router(conf-isa-prof)# match identity group group-name
Purpose: Matches an identity from a peer in an ISAKMP profile.
• group-name—A unity group that matches identification (ID) type ID_KEY_ID. If unity and main
mode Rivest, Shamir, and Adleman (RSA) signatures are used, the group-name argument matches the
Organizational Unit (OU) field of the Distinguished Name (DN).
Step 10
Command: Router(conf-isa-prof)# client authentication list list-name
Purpose: Configures Internet Key Exchange (IKE) extended authentication (XAUTH) in an Internet
Security Association and Key Management Protocol (ISAKMP) profile.
• list-name—Character string used to name the list of authentication methods activated when a
user logs in. The list name must match the list name that was defined during the authentication,
authorization, and accounting (AAA) configuration.
Step 11
Command: Router(conf-isa-prof)# isakmp authorization list list-name
Purpose: Configures an IKE shared secret and other parameters using the AAA server in an ISAKMP
profile. The shared secret and other parameters are generally pushed to the remote peer via mode
configuration (MODECFG).
• list-name—AAA authorization list used for configuration mode attributes or preshared keys for
aggressive mode.
Step 12
Command: Router(conf-isa-prof)# client configuration address [initiate | respond]
Purpose: Configures IKE mode configuration (MODECFG) in the ISAKMP profile.
• initiate—(Optional) Router will attempt to set IP addresses for each peer.
• respond—(Optional) Router will accept requests for IP addresses from any requesting peer.
Step 13
Command: Router(conf-isa-prof)# accounting list-name
Purpose: Enables AAA accounting services for all peers that connect via this ISAKMP profile.
• list-name—Name of a client accounting list.
Step 14
Command: Router(conf-isa-prof)# exit
Purpose: Exits isakmp profile configuration mode and returns to global configuration mode.
Step 15
Command: Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
Purpose: Creates a dynamic crypto map template and enters the crypto map configuration command mode.
• dynamic-map-name—Name of the dynamic crypto map set that should be used as the policy template.
• dynamic-seq-num—Sequence number you assign to the dynamic crypto map entry.
Step 16
Command: Router(config-crypto-map)# set transform-set transform-set-name
Purpose: Specifies which transform sets can be used with the crypto map template. A transform set
defines IPSec security protocols and algorithms. Transform sets and their accepted values are
described in the Cisco IOS Security Command Reference.
• transform-set-name—Name of the transform set.
Step 17
Command: Router(config-crypto-map)# set isakmp-profile profile-name
Purpose: Sets the ISAKMP profile name.
• profile-name—Name of the ISAKMP profile.
Step 18
Command: Router(config-crypto-map)# reverse-route [remote-peer]
Purpose: Allows routes (IP addresses) to be injected for destinations behind the VPN remote tunnel
endpoint and may include a route to the tunnel endpoint itself (using the remote-peer keyword for the
crypto map).
• remote-peer—(Optional) Routes of public IP addresses and IP security (IPSec) tunnel destination
addresses are inserted into the routing table.
Step 19
Command: Router(config-crypto-map)# exit
Purpose: Exits crypto map configuration mode and returns to global configuration mode.
Step 20
Command: Router(config)# crypto map map-name ipsec-isakmp dynamic dynamic-map-name
Purpose: Creates a crypto profile that provides a template for configuration of dynamically created
crypto maps.
• map-name—Name that identifies the crypto map set.
• dynamic-map-name—Name of the dynamic crypto map set that should be used as the policy template.
Step 21
Command: Router(config)# radius-server host ip-address [auth-port auth-port-number] [acct-port acct-port-number]
Purpose: Specifies a RADIUS server host.
• ip-address—IP address of the RADIUS server host.
• auth-port-number—(Optional) UDP destination port number for authentication requests; the host is
not used for authentication if set to 0. If unspecified, the port number defaults to 1645.
• acct-port-number—(Optional) UDP destination port number for accounting requests; the host is
not used for accounting if set to 0. If unspecified, the port number defaults to 1646.
Step 22
Command: Router(config)# radius-server key string
Purpose: Sets the authentication and encryption key for all RADIUS communications between the router
and the RADIUS daemon.
• string—The unencrypted (cleartext) shared key.
Step 23
Command: Router(config)# interface type slot/[subslot]/port
Purpose: Configures an interface type and enters interface configuration mode.
• slot/[subslot]/port—Number of the slot, subslot (optional), and port to be configured.
Step 24
Command: Router(config-if)# crypto map map-name
Purpose: Applies a previously defined crypto map set to an interface.
• map-name—Name that identifies the crypto map set.
For complete configuration information for IPSec VPN Accounting, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_evpna.html
For IPSec VPN accounting configuration examples, see the “IPSec VPN Accounting Configuration
Example” section.
Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec
The IPSec and IKE MIB Support for Cisco VRF-Aware IPSec feature provides manageability of Virtual
Private Network routing and forwarding (VRF)-aware IP security (IPSec) using MIBs. The benefit of
this feature is that VRF-aware IPSec MIBs provide the granular details of IPSec statistics and
performance metrics on a VRF basis.
Note: The IPSec and IKE MIB Support for the Cisco VRF-Aware IPSec feature is supported only in Cisco
IOS Release 12.2(33)SRA and later releases.
MIBs Supported by the IPSec and IKE MIB Support for Cisco VRF-Aware IPSec Feature
The following MIBs are supported by the IPSec and IKE MIB Support for the Cisco VRF-Aware IPSec
feature:
• CISCO-IPSEC-FLOW-MONITOR-MIB
• CISCO-IPSEC-MIB
• The CISCO-IPSEC-POLICY-MAP-MIB continues to be supported. However, because this MIB
applies to the entire router rather than to a specific VPN VRF instance, it is not VRF-aware;
therefore, polling of the object identifiers (OIDs) that belong to this MIB is accomplished with
respect to the global VRF context.
Configuring IPSec and IKE MIB Support for Cisco VRF-Aware IPSec
No special configuration is needed for this feature. The SNMP framework can be used to manage
VRF-aware IPSec using MIBs.
For complete information for IPSec and IKE MIB Support for Cisco VRF-Aware IPSec, refer to
this URL:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_iimib.html
Configuration Examples
This section provides examples of the following configurations:
• IPSec VPN Accounting Configuration Example
• IPSec VPN Monitoring Configuration Example
Note The following examples use commands at the level of Cisco IOS Release 12.2(33)SRA.
As of Cisco IOS Release 12.2(33)SRA, the crypto engine subslot command used in previous releases
has been replaced with the crypto engine slot command (of the form crypto engine slot slot {inside |
outside}). The crypto engine subslot command is no longer supported. When upgrading, ensure that
this command has been modified in your start-up configuration to avoid extended maintenance time.
IPSec VPN Accounting Configuration Example
The following example shows how to enable the IPSec VPN accounting feature:
aaa new-model
!
!
aaa group server radius r1
 server-private 10.30.1.52 auth-port 1812 acct-port 1813 key allegro
!
aaa authentication login test_list group r1
aaa authorization network test_list group r1
aaa accounting update periodic 10 jitter maximum 0
aaa accounting network test_list start-stop group r1
!
!
ip vrf ivrf1
 rd 1:2
!
crypto engine mode vrf
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp client configuration group test
 key world
 pool pool1
!
crypto isakmp profile test_pro
 vrf ivrf1
 match identity group test
 client authentication list test_list
 isakmp authorization list test_list
 client configuration address respond
 accounting test_list
!
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
!
!
crypto dynamic-map dyn-ra 10
 set transform-set t3
 set isakmp-profile test_pro
 reverse-route
!
!
crypto map map-ra local-address GigabitEthernet3/15
crypto map map-ra 1 ipsec-isakmp dynamic dyn-ra
!
!
interface GigabitEthernet1/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust ip-precedence
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
!
interface GigabitEthernet3/15
 mtu 9216
 ip address 120.0.0.254 255.255.255.0
 crypto engine outside
!
!
!
interface Vlan100
 ip vrf forwarding ivrf1
 ip address 120.0.0.100 255.255.255.0
 ip flow ingress
 crypto map map-ra
 crypto engine slot 1/0 inside
!
!
!
ip local pool pool1 100.0.1.1 100.0.5.250
IPSec VPN Monitoring Configuration Example
The following example shows how to configure an IKE peer for IPSec VPN monitoring:
!
upgrade fpd auto
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service counters max age 5
!
hostname Ez-DCM-CC
!
boot-start-marker
boot system disk1:s72033-adventerprisek9_wan-mz.122-33.SXH
boot-end-marker
!
logging buffered 1000000 debugging
enable secret 5 $1$i5FZ$47ybx5dEaUKc3eRaDIZ/z.
!
username cisco password 0 cisco
username t1 password 0 t1
username t2 password 0 t2
username t3 password 0 t3
username t4 password 0 t4
username t5 password 0 t5
username t6 password 0 t6
username t7 password 0 t7
username t8 password 0 t8
username user1 password 0 letmein
aaa new-model
aaa authentication login myuserlist local
aaa authorization network myuserlist local
!
aaa session-id common
clock timezone PST -7
call-home
 alert-group configuration
 alert-group diagnostic
 alert-group environment
 alert-group inventory
 alert-group syslog
 profile "CiscoTAC-1"
  no active
  no destination transport-method http
  destination transport-method email
  destination address email callhome@cisco.com
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  subscribe-to-alert-group diagnostic severity minor
  subscribe-to-alert-group environment severity minor
  subscribe-to-alert-group syslog severity major pattern ".*"
  subscribe-to-alert-group configuration periodic monthly 10 15:08
  subscribe-to-alert-group inventory periodic monthly 10 14:53
ip subnet-zero
!
no ip domain-lookup
ip domain-name cisco.com
ipv6 mfib hardware-switching replication-mode ingress
vtp mode transparent
no mls acl tcam share-global
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action freeze
!
redundancy
 keepalive-enable
 mode sso
 linecard-group 0 feature-card
  class load-sharing
  subslot 4/0
 main-cpu
  auto-sync running-config
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
diagnostic monitor syslog
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
power redundancy-mode combined
port-channel per-module load-balance
!
vlan internal allocation policy descending
vlan access-log ratelimit 2000
!
vlan 2-3,16-17
!
crypto logging session
crypto logging ezvpn
!
crypto logging ezvpn group mygroup
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key WorldCup2006 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group mygroup
 key mykey
 pool mypool
!
crypto isakmp peer address 16.0.0.3
 description first-ezvpn-client
!
crypto isakmp peer address 16.0.0.4
 description second-ezvpn-client
!
crypto ipsec security-association lifetime seconds 21600
!
crypto ipsec transform-set MyTranSet esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto call admission limit ike in-negotiation-sa 10
!
crypto dynamic-map DynMap1 10
 set transform-set MyTranSet
 reverse-route
!
crypto map MyMap1 client authentication list myuserlist
crypto map MyMap1 isakmp authorization list myuserlist
crypto map MyMap1 client configuration address respond
crypto map MyMap1 500 ipsec-isakmp dynamic DynMap1
!
interface GigabitEthernet1/25
 no ip address
 crypto connect vlan 16
!
interface GigabitEthernet1/27
 no ip address
 crypto connect vlan 17
!
interface GigabitEthernet1/29
 ip address 26.0.0.2 255.255.255.0
!
interface GigabitEthernet4/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,17,1002-1005
 switchport mode trunk
 mtu 9216
 mls qos vlan-based
 mls qos trust cos
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet4/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1002-1005
 switchport mode trunk
 mtu 9216
 mls qos trust cos
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet5/2
 ip address 44.0.111.114 255.0.0.0
 media-type rj45
!
interface Vlan1
 no ip address
 ip flow ingress
 ip igmp snooping querier
 shutdown
!
interface Vlan16
 ip address 16.0.0.2 255.255.224.0
 no mop enabled
 crypto map MyMap1
 crypto engine slot 4/0
!
interface Vlan17
 ip address 16.0.32.2 255.255.224.0
 no mop enabled
 crypto map MyMap1
 crypto engine slot 4/0
!
ip local pool mypool 36.0.0.1 36.0.15.254
ip local pool mypool 36.0.16.1 36.0.31.254
ip local pool mypool 36.0.32.1 36.0.47.254
ip local pool mypool 36.0.48.1 36.0.63.254
ip default-gateway 44.0.100.1
ip classless
ip route 43.0.0.0 255.0.0.0 44.0.100.1
ip route 45.0.0.0 255.0.0.0 44.0.100.1
ip route 223.255.254.53 255.255.255.255 44.0.100.1
ip route 223.255.254.54 255.255.255.255 44.0.100.1
!
no ip http server
no ip http secure-server
!
radius-server source-ports 1645-1646
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
line vty 5 15
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
!
monitor event-trace platform cmfi lc agg-label
monitor event-trace platform cmfi lc error
ntp clock-period 17280219
ntp update-calendar
ntp server 223.255.254.254
ntp server 223.255.254.53
mac-address-table aging-time 0
!
end
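Several settings in the two configuration examples above are worth checking for before a configuration goes into production: type 0 (cleartext) passwords, a pre-shared key bound to the wildcard address 0.0.0.0, Diffie-Hellman group 2, 3DES, a console line with no idle timeout, and vty lines that accept Telnet and rlogin. The following Python audit script is an added example, not part of the Cisco guide; the rule names and the audit() function are assumptions made for illustration, and the input is a constructed excerpt of the two examples.

```python
import re

# Constructed sample: lines excerpted from the accounting and monitoring
# configuration examples above, indented as in a running configuration.
SAMPLE_CONFIG = """\
username user1 password 0 letmein
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key WorldCup2006 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t3 esp-3des esp-sha-hmac
crypto ipsec transform-set MyTranSet esp-aes esp-sha-hmac
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
"""

# Rules for unindented (global) commands: (rule id, pattern, advice).
# The rule ids are hypothetical names chosen for this example.
GLOBAL_RULES = [
    ("cleartext-user-password", r"^username \S+ password 0 \S+",
     "type 0 stores the password in cleartext; use 'username ... secret'"),
    ("wildcard-preshared-key",
     r"^crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?$",
     "the key is accepted from any peer address; bind keys to known peers"),
    ("weak-ipsec-transform",
     r"^crypto ipsec transform-set \S+ "
     r".*\b(?:esp-des|esp-3des|esp-md5-hmac|ah-md5-hmac)\b",
     "DES, 3DES and MD5 transforms are deprecated; prefer AES with SHA"),
]

# Rules for indented sub-commands, valid only inside a matching section:
# (rule id, section pattern, sub-command pattern, advice).
SCOPED_RULES = [
    ("weak-ike-encryption", r"^crypto isakmp policy \d+$",
     r"^encr(?:yption)? (?:des|3des)$",
     "DES and 3DES are deprecated for IKE; prefer AES"),
    ("weak-dh-group", r"^crypto isakmp policy \d+$", r"^group (?:1|2)$",
     "768-bit and 1024-bit Diffie-Hellman groups are deprecated"),
    ("no-idle-timeout", r"^line \S+", r"^exec-timeout 0 0$",
     "the session never times out; set a finite exec-timeout"),
    ("cleartext-line-password", r"^line \S+", r"^password (?!7 )(?:0 )?\S+$",
     "line password is stored in cleartext; use AAA login instead"),
    ("cleartext-remote-access", r"^line vty ",
     r"^transport input .*\b(?:telnet|rlogin)\b",
     "Telnet and rlogin are unencrypted; use 'transport input ssh'"),
]


def audit(config_text):
    """Return (line number, rule id, command, advice) for each weak setting."""
    findings = []
    section = ""  # most recent unindented command, e.g. "line vty 0 4"
    for number, raw in enumerate(config_text.splitlines(), start=1):
        command = raw.strip()
        if not command or command.startswith("!"):
            continue  # blank lines and "!" separators carry no settings
        if raw[0].isspace():
            # Indented line: a sub-command of the current section.
            for rule_id, parent, child, advice in SCOPED_RULES:
                if re.search(parent, section) and re.search(child, command):
                    findings.append((number, rule_id, command, advice))
        else:
            # Unindented line: opens a new section and may itself be a finding.
            section = command
            for rule_id, pattern, advice in GLOBAL_RULES:
                if re.search(pattern, command):
                    findings.append((number, rule_id, command, advice))
    return findings


if __name__ == "__main__":
    for number, rule_id, command, advice in audit(SAMPLE_CONFIG):
        print(f"line {number}: [{rule_id}] {command}\n    {advice}")
```

The script relies on the indentation of sub-commands, so run it against the output of show running-config rather than against text whose leading spaces have been stripped.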
CHAPTER 34
Troubleshooting the IPSec VPN SPA
This chapter describes techniques that you can use to troubleshoot the operation of your IPSec VPN
SPAs in a Cisco 7600 series router.
It includes the following sections:
• General Troubleshooting Information
• Monitoring the IPSec VPN SPA
• Troubleshooting Specific Problems on the IPSec VPN SPA
• Using Crypto Conditional Debug
• Preparing for Online Insertion and Removal of a SPA
Note For detailed information on Cisco IOS IPSec cryptographic operations and policies, refer to the
Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference.
For more information about the commands used in this chapter, refer to the Cisco IOS Software Releases
12.2SR Command References and to the Cisco IOS Software Releases 12.2SX Command References.
Also refer to the related Cisco IOS Release 12.2 software command reference and master index
publications. For more information, see the “Related Documentation” section on page xlvii.
General Troubleshooting Information
This section describes general information for troubleshooting the IPSec VPN SPA and the Cisco 7600
SSC-400 SIP. It includes the following sections:
• Interpreting Console Error Messages
• Using debug Commands
• Using show Commands
• Monitoring the IPSec VPN SPA
Interpreting Console Error Messages
The Cisco 7600 series router can generate error messages and other system messages to inform the
operator of events that might require attention. These messages can be displayed on the console, or sent
to a logging host using the System Logging (Syslog) protocol or Simple Network Management Protocol
(SNMP).
System error messages are organized in the documentation according to the particular system facility
that produces the messages. The IPSec VPN SPA and Cisco 7600 SSC-400 SIP use the following facility
names in error messages:
• IPSec VPN SPA—SPA_IPSEC_2G (also VPNSPA)
• Cisco 7600 SSC-400—CAT6000_SSC (also C7600_SSC400)
To view the explanations and recommended actions for Cisco 7600 series router error messages,
including messages related to service modules, refer to the following documents:
• System Messages for 12.2S (for error messages in Release 12.2S) at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_system_message_guides_list.html
Using debug Commands
For information about debug commands specific to the Cisco IOS software release 12.2SX, see the
Cisco IOS Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html
Caution Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco technical support personnel. We recommend that you use debug
commands during periods of lower network traffic and fewer users. Debugging during these periods
decreases the likelihood that increased debug command processing overhead will affect system use.
For information about available crypto conditional debugging commands, see the “Using Crypto
Conditional Debug” section on page 34-27.
For more information about other debug commands that can be used on a Cisco 7600 router, see the
Cisco IOS Debug Command Reference, Release 12.2 at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html
Using show Commands
You can use several show commands to monitor and troubleshoot the IPSec VPN SPA on the Cisco 7600
series router.
For more information about show commands to verify and monitor the IPSec VPN SPA, see the
“Displaying IPSec VPN SPA Configuration Information” section on page 34-6 and the Cisco 7600
Series Cisco IOS Command Reference, 12.2 SR.
For more information about security-related show commands, see the Cisco IOS Security Command
Reference.
Monitoring the IPSec VPN SPA
This section describes commands that can be used to display information about the IPSec VPN SPA
hardware and configuration. It consists of the following subsections:
• Displaying IPSec VPN SPA Hardware and System Information
• Displaying IPSec VPN SPA Configuration Information
Displaying IPSec VPN SPA Hardware and System Information
To display hardware and system information, use the following commands:
• show diagbus, show module, show crypto eli—See the “Displaying Information About IPSec VPN
SPA Ports” section on page 34-3.
• show crypto engine accelerator statistic slot—See the “Displaying Platform and Network
Interface Controller Statistics for the IPsec VPN SPA” section on page 34-4.
• show hw-module slot fpd—See the “Displaying Information About Hardware Revision Levels”
section on page 34-6.
Displaying Information About IPSec VPN SPA Ports
To display information about the type of SPAs that are installed in the router, use the show diagbus
command.
The following example shows output from the show diagbus command on a Cisco 7600 series router
with an IPSec VPN SPA installed in subslot 1 of a Cisco 7600 SSC-400 that is installed in slot 5:
Router# show diagbus
Slot 5: Logical_index 10
2-subslot Services SPA Carrier-400 controller
Board is analyzed ipc ready
HW rev 0.3, board revision A01
Serial Number: abc Part number: 73-6348-01
Slot database information:
Flags: 0x2004 Insertion time: 0x3DB5F4BC (4d20h ago)
Controller Memory Size:
248 MBytes CPU Memory
8 MBytes Packet Memory
256 MBytes Total on Board SDRAM
IOS (tm) cwlc Software (smsc-DWDBG-M), Experimental Version 12.2(20050623:231413)
SPA Information:
subslot 5/1: SPA-IPSEC-2G (0x3D7), status: ok
For information about the show module and show crypto eli commands, see the “Displaying the SPA
Hardware Type” section on page 6-20.
Displaying Platform and Network Interface Controller Statistics for the IPsec VPN SPA
To display platform statistics and optionally display network interface controller statistics, use the show
crypto engine accelerator statistic slot command.
Note The show crypto engine accelerator statistic command is supported in Cisco IOS Release
12.2(33)SRA and later releases.
The following example shows output from the show crypto engine accelerator statistic command on a
Cisco 7600 series router with an IPSec VPN SPA in subslot 0 of a Cisco 7600 SSC-400 that is installed
in slot 1. The output displays platform statistics for the IPSec VPN SPA and also displays the network
interface controller statistics.
Router# show crypto engine accelerator statistic slot 1/0 detail
VPN module in slot 1/0
Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets TX...............: 452480
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 452470
AH Packets...............: 0
ESP Packets..............: 452470
GRE Decapsulations.......: 0
NAT-T Decapsulations.....: 0
Clear....................: 8
ICMP.....................: 0
Packets Drop.............: 193
Authentication Errors....: 0
Decryption Errors........: 0
Replay Check Failed......: 0
Policy Check Failed......: 0
Illegal CLear Packet.....: 0
GRE Errors...............: 0
SPD Errors...............: 0
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 191
SPI No Match.............: 0
Destination No Match.....: 0
Protocol No Match........: 0
Reassembly Frag RX.......: 0
IPSec Fragments..........: 0
IPSec Reasm Done.........: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0
Decryption Side Controller Statistics
=====================================
Frames RX................: 756088
Bytes RX.................: 63535848
Mcast/Bcast Frames RX....: 2341
RX Less 128Bytes.........: 756025
RX Less 512Bytes.........: 58
RX Less 1KBytes..........: 2
RX Less 9KBytes..........: 3
RX Frames Drop...........: 0
Frames TX................: 452365
Bytes TX.................: 38001544
Mcast/Bcast Frames TX....: 9
TX Less 128Bytes.........: 452343
TX Less 512Bytes.........: 22
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0
Encryption Side Data Path Statistics
====================================
Packets RX...............: 756344
Packets TX...............: 753880
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 753869
GRE Encapsulations.......: 0
NAT-T Encapsulations.....: 0
LAF prefragmented........: 0
Fragmented...............: 0
Clear....................: 753904
ICMP.....................: 0
Packets Drop.............: 123
IKE/TED Drop.............: 27
Authentication Errors....: 0
Encryption Errors........: 0
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 191
Reassembly Frag RX.......: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0
Encryption Side Controller Statistics
=====================================
Frames RX................: 454065
Bytes RX.................: 6168274/
Mcast/Bcast Frames RX....: 1586
RX Less 128Bytes.........: 1562
RX Less 512Bytes.........: 452503
RX Less 1KBytes..........: 0
RX Less 9KBytes..........: 0
RX Frames Drop...........: 0
Frames TX................: 753558
Bytes TX.................: 100977246
Mcast/Bcast Frames TX....: 2
TX Less 128Bytes.........: 3
TX Less 512Bytes.........: 753555
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0
Router#
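When this output is collected on a schedule, the counters to watch are the drop and error counters, such as Packets Drop and Invalid SA in the sample above. The following Python parser is an added example, not part of the Cisco guide; the function names are illustrative, the input is a constructed excerpt of the sample output, and a value that is not a plain integer is reported as unreadable rather than guessed.

```python
import re

# Constructed sample: an excerpt of the show crypto engine accelerator
# statistic output above, including the damaged "Bytes RX" value.
SAMPLE_OUTPUT = """\
VPN module in slot 1/0
Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets TX...............: 452480
Packets Drop.............: 193
Authentication Errors....: 0
Replay Check Failed......: 0
Invalid SA...............: 191
Encryption Side Controller Statistics
=====================================
Frames RX................: 454065
Bytes RX.................: 6168274/
RX Frames Drop...........: 0
"""

# A counter line is a name, a run of dots, a colon and a value.
COUNTER = re.compile(r"^(?P<name>.+?)\.{2,}:\s*(?P<value>\S+)$")
# Counter names that indicate dropped or rejected traffic.
PROBLEM = re.compile(r"drop|error|failed|invalid|no match|illegal", re.IGNORECASE)


def parse_statistics(text):
    """Return {section title: {counter name: int, or None if unreadable}}."""
    sections = {}
    current = None   # counters of the section being read
    previous = None  # last non-blank line, a title when a "====" rule follows
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:
            # A rule of "=" underlines the section title on the line before it.
            if previous is not None:
                current = sections.setdefault(previous, {})
            continue
        match = COUNTER.match(line)
        if match and current is not None:
            value = match.group("value")
            current[match.group("name").strip()] = (
                int(value) if value.isdigit() else None
            )
        previous = line
    return sections


def problem_counters(sections):
    """Return (section, counter, value) for non-zero drop or error counters.

    Counters whose value could not be read are returned with value None so
    that a damaged capture is noticed instead of being counted as zero.
    """
    hits = []
    for section, counters in sections.items():
        for name, value in counters.items():
            if value is None or (value > 0 and PROBLEM.search(name)):
                hits.append((section, name, value))
    return hits


if __name__ == "__main__":
    for section, name, value in problem_counters(parse_statistics(SAMPLE_OUTPUT)):
        shown = "unreadable" if value is None else value
        print(f"{section}: {name} = {shown}")
```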
Displaying Information About Hardware Revision Levels
To display information about the hardware revision of the Cisco 7600 SSC-400 and the IPSec VPN SPA
as well as the version of the field-programmable devices (FPDs) that are on the carrier card and the SPA,
use the show hw-module slot fpd command. Cisco technical engineers might need this information to
debug or troubleshoot problems with a SPA installation.
The following example shows output from the show hw-module slot command on a Cisco 7600 series
router with an IPSec VPN SPA installed in subslot 0 of a Cisco 7600 SSC-400 that is installed in slot 6:
Router# show hw-module slot 2 fpd
==== ====================== ====== =============================================
                            H/W    Field Programmable Current     Min. Required
Slot Card Type              Ver.   Device: "ID-Name"  Version     Version
==== ====================== ====== ================== =========== ==============
2    7600-SSC-400           0.5    1-I/O FPGA         1.0         1.0
---- ---------------------- ------ ------------------ ----------- --------------
2/0  SPA-IPSEC-2G           0.3    1-PROM             1.1         1.1
==== ====================== ====== =============================================
Displaying IPSec VPN SPA Configuration Information
To display information about the IPSec VPN SPA configuration, use the following commands:
• show crypto vlan—See the “Displaying Information About Access and Routed Ports That Are
Connected” section on page 34-7, “Displaying the VPN Running State” section on page 34-8, and
“Displaying Information About IP Multicast Over a GRE Tunnel” section on page 34-23.
• show interfaces trunk—See the “Displaying Information About the VLANs Allowed by a Trunk
Port” section on page 34-7.
• show crypto isakmp policy—See the “Displaying Information About IKE Policies” section on
page 34-8.
• show crypto ipsec transform-set—See the “Displaying Information About IPsec Transform Sets”
section on page 34-9.
• show crypto map—See the “Displaying Information About Crypto Maps” section on page 34-9.
• show crypto isakmp sa—See the “Displaying Information About SAs at a Peer” section on
page 34-11.
• show crypto isakmp ha standby—See the “Displaying HSRP Information” section on page 34-11.
• show crypto ipsec ha—See the “Displaying HSRP Information” section on page 34-11.
• show crypto ipsec sa—See the “Displaying Information About IPsec Security Associations”
section on page 34-9 and the “Displaying HSRP Information” section on page 34-11.
• show crypto ipsec sa standby—See the “Displaying HSRP Information” section on page 34-11.
• show ssp client—See the “Displaying SSP Information” section on page 34-14.
• show ssp packet—See the “Displaying SSP Information” section on page 34-14.
• show ssp peers—See the “Displaying SSP Information” section on page 34-14.
• show ssp redundancy—See the “Displaying SSP Information” section on page 34-14.
• show redundancy linecard-group—See the “Displaying Information About a BFG Configuration”
section on page 34-15.
• show crypto ace redundancy—See the “Displaying Information About a BFG Configuration”
section on page 34-15.
• show crypto key mypubkey rsa—See the “Displaying Information About RSA Public Keys”
section on page 34-15.
• show crypto key pubkey-chain rsa—See the “Displaying Information About RSA Public Keys”
section on page 34-15.
• show crypto pki certificates—See the “Displaying Information About Certificates” section on
page 34-16.
• show crypto pki trustpoints—See the “Displaying Information About Trustpoints” section on
page 34-17.
• show ip nhrp—See the “Displaying Information About the NHRP Cache” section on page 34-18.
• show crypto session—See the “Displaying Information About Crypto Sessions” section on
page 34-18.
• show interfaces tunnel—See the “Displaying Tunnel Interface Information” section on page 34-19.
For a detailed description of the information displayed by the show commands, refer to the “IP Security
and Encryption” chapter of the Cisco IOS Security Command Reference.
Displaying Information About Access and Routed Ports That Are Connected
To verify that an access or routed port is connected, use the show crypto vlan command. The following
is sample output from the command:
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to VLAN 502
with crypto map set mymap1
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to Gi2/8 with
crypto map set mymap2
Displaying Information About the VLANs Allowed by a Trunk Port
To display information about the VLANs allowed by a trunk port, use the show interfaces trunk
command. The following is sample output from the command:
Router# show interfaces trunk
Port      Mode         Encapsulation  Status        Native vlan
Gi2/0/1   on           802.1q         trunking      1
Gi2/0/2   on           802.1q         trunking      1
Port      Vlans allowed on trunk
Gi2/0/1   2
Gi2/0/2   502
Port      Vlans allowed and active in management domain
Gi2/0/1   2
Gi2/0/2   502
Port      Vlans in spanning tree forwarding state and not pruned
Gi2/0/1   2
Gi2/0/2   502
Displaying the VPN Running State
To display the VPN running state, use the show crypto vlan command. The following is sample output
from the command:
In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to Fa8/3
In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port GigabitEthernet2/0/1 connected to VLAN 2022
with crypto map set mymap2
In the following example, either the interface VLAN is missing on the IPSec VPN SPA inside port, the
IPSec VPN SPA is removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:
Router# show crypto vlan
Interface VLAN 2 connected to VLAN 3 (no IPSec Service Module attached)
Displaying Information About IKE Policies
To display information about IKE policies, use the show crypto isakmp policy command. The following
is sample output from the command:
Router# show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Note If a user enters an IKE encryption method that the hardware does not support, a warning message will
be displayed in the show crypto isakmp policy command output:
WARNING:encryption hardware does not support the configured encryption method for ISAKMP
policy value
Displaying Information About IPsec Transform Sets
To display information about transform set configurations, use the show crypto ipsec transform-set
command. The following is sample output from the command:
Router# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
will negotiate = {Transport,},
Note If a user enters an IPsec transform that the hardware (the IPsec peer) does not support, a warning
message will be displayed in the show crypto ipsec transform-set command output:
WARNING:encryption hardware does not support transform.
Displaying Information About Crypto Maps
To display information about crypto map configurations, use the show crypto map command. The
following is sample output from the command:
Router# show crypto map
Crypto Map "test" 10 ipsec-isakmp
Peer = 11.1.0.1
Extended IP access list 101
access-list 101 permit ip host 1.0.0.1 host 2.0.0.1
Current peer: 11.1.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
tset: { esp-3des } ,
}
Interfaces using crypto map test:
Vlan2
using crypto engine SPA-IPSEC-2G[2/0]
Displaying Information About IPsec Security Associations
To display information about IPsec security associations, use the show crypto ipsec sa command.
Note When you first enter the show crypto ipsec sa command, the packet counters will not show the correct
values. Subsequent instances of the command will display the correct values.
The following is sample output from the command:
Router# show crypto ipsec sa
interface: Ethernet0
Crypto map tag: router-alice, local addr. 172.21.114.123
local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
current_peer: 172.21.114.67
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#send errors 10, #recv errors 0
local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
path mtu 1500, media mtu 1500
current outbound spi: 20890A6F
inbound esp sas:
spi: 0x257A1039(628756537)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 26, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x20890A6F(545852015)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 27, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
interface: Tunnel0
Crypto map tag: router-alice, local addr. 172.21.114.123
local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
current_peer: 172.21.114.67
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#send errors 10, #recv errors 0
local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
path mtu 1500, media mtu 1500
current outbound spi: 20890A6F
inbound esp sas:
spi: 0x257A1039(628756537)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 26, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x20890A6F(545852015)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 27, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
Displaying Information About SAs at a Peer
To display information about all current IKE SAs at a peer, use the show crypto isakmp sa command.
The following is sample output from the command:
Router# show crypto isakmp sa
dst src state conn-id slot status
11.0.0.1 21.0.0.1 QM_IDLE 68002 ACTIVE
21.0.0.1 11.0.0.1 QM_IDLE 68003 ACTIVE
10.0.0.1 11.0.0.1 QM_IDLE 68001 ACTIVE
Displaying HSRP Information
To display information about HSRP configurations, use the show crypto isakmp ha standby, show
crypto ipsec ha, show ipsec sa, and show crypto ipsec sa standby commands.
Enter the show crypto isakmp ha standby command to view your ISAKMP standby or active SAs. The
following is sample output from the command:
Router# show crypto isakmp ha standby
dst src state I-Cookie R-Cookie
172.16.31.100 20.3.113.1 QM_IDLE 796885F3 62C3295E FFAFBACD EED41AFF
172.16.31.100 20.2.148.1 QM_IDLE 5B78D70F 3D80ED01 FFA03C6D 09FC50BE
172.16.31.100 20.4.124.1 QM_IDLE B077D0A1 0C8EB3A0 FF5B152C D233A1E0
172.16.31.100 20.3.88.1 QM_IDLE 55A9F85E 48CC14DE FF20F9AE DE37B913
172.16.31.100 20.1.95.1 QM_IDLE 3881DE75 3CF384AE FF192CAB
Enter the show crypto ipsec ha command to view your IPsec high availability (HA) manager state. The
following is sample output from the command:
Router# show crypto ipsec ha
Interface VIP SAs IPSec HA State
FastEthernet0/0 172.16.31.100 1800 Active since 13:00:16 EDT Tue Oct 1 2002
Enter the show crypto ipsec sa command to view HA status of the IPsec SA (standby or active). The
following is sample output from the command:
Router# show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr. 172.168.3.100
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
current_peer: 172.168.3.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 132ED6AB
inbound esp sas:
spi: 0xD8C8635F(3637011295)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
inbound ah sas:
spi: 0xAAF10A60(2867923552)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
inbound pcp sas:
outbound esp sas:
spi: 0x132ED6AB(321836715)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
outbound ah sas:
spi: 0x1951D78(26549624)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
outbound pcp sas:
Enter the show crypto ipsec sa standby command to view your standby SAs. The following is sample
output from the command:
Router# show crypto ipsec sa standby
interface: FastEthernet0/0
Crypto map tag: mymap, local addr. 172.168.3.100
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (5.6.0.0/255.255.0.0/0/0)
current_peer: 172.168.3.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.168.3.100, remote crypto endpt.: 172.168.3.1
path mtu 1500, media mtu 1500
current outbound spi: 132ED6AB
inbound esp sas:
spi: 0xD8C8635F(3637011295)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2006, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
inbound ah sas:
spi: 0xAAF10A60(2867923552)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
inbound pcp sas:
outbound esp sas:
spi: 0x132ED6AB(321836715)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2007, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
IV size: 8 bytes
replay detection support: Y
HA Status: STANDBY
outbound ah sas:
spi: 0x1951D78(26549624)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4499/59957)
replay detection support: Y
HA Status: STANDBY
outbound pcp sas:
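The show crypto ipsec sa output above can be checked by script rather than by eye. The following is an added example, not part of the Cisco guide: it parses the output into per-SA records, reports nonzero error counters and the HA status of each SA, and flags transforms on a deny-list. The sample text is constructed from the values shown above, and the deny-list is this example's own policy assumption.

```python
import re
from collections import Counter

# Constructed sample in the format shown above. Values are adapted from the
# guide's outputs; the send-error count comes from its first sample.
SAMPLE = """\
interface: FastEthernet0/0
Crypto map tag: mymap, local addr. 172.168.3.100
current_peer: 172.168.3.1
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#send errors 10, #recv errors 0
current outbound spi: 132ED6AB
inbound esp sas:
spi: 0xD8C8635F(3637011295)
transform: esp-des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4499/59957)
HA Status: STANDBY
inbound ah sas:
spi: 0xAAF10A60(2867923552)
transform: ah-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4499/59957)
HA Status: STANDBY
inbound pcp sas:
outbound esp sas:
spi: 0x132ED6AB(321836715)
transform: esp-des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4499/59957)
HA Status: STANDBY
outbound ah sas:
outbound pcp sas:
"""

# Assumption: this deny-list is the example's own policy, not from the guide.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_ipsec_sa(text):
    """Parse 'show crypto ipsec sa' text into one dict per interface block.
    Leading whitespace is ignored, so indented and flattened output both work."""
    blocks, block, sa, section = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface:"):
            block = {"interface": line.split(":", 1)[1].strip(), "peer": None,
                     "send_errors": 0, "recv_errors": 0,
                     "outbound_spi": None, "sas": []}
            blocks.append(block)
            sa = section = None
        elif block is None:
            continue
        elif m := re.match(r"current_peer:\s*(\S+)", line):
            block["peer"] = m.group(1)
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            block["send_errors"], block["recv_errors"] = map(int, m.groups())
        elif m := re.match(r"current outbound spi:\s*([0-9A-Fa-f]+)", line):
            block["outbound_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section, sa = m.groups(), None      # a new SA list starts here
        elif section and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)\((\d+)\)", line)):
            sa = {"direction": section[0], "protocol": section[1],
                  "spi": int(m.group(1), 16), "transforms": [],
                  "life_kb": None, "life_sec": None, "ha_status": None}
            block["sas"].append(sa)
        elif sa and (m := re.match(r"transform:\s*(.*)", line)):
            sa["transforms"] = m.group(1).replace(",", " ").split()
        elif sa and (m := re.search(r"lifetime \(k/sec\): \((\d+)/(\d+)\)", line)):
            sa["life_kb"], sa["life_sec"] = map(int, m.groups())
        elif sa and (m := re.match(r"HA Status:\s*(\S+)", line)):
            sa["ha_status"] = m.group(1)
    return blocks


def review(blocks):
    """Return (interface, message) findings: error counters and weak transforms."""
    findings = []
    for b in blocks:
        if b["send_errors"] or b["recv_errors"]:
            findings.append((b["interface"],
                             f"send errors {b['send_errors']}, recv errors {b['recv_errors']}"))
        for sa in b["sas"]:
            weak = sorted(WEAK_TRANSFORMS.intersection(sa["transforms"]))
            if weak:
                findings.append((b["interface"],
                                 f"{sa['direction']} {sa['protocol']} SPI 0x{sa['spi']:08X}: "
                                 + ", ".join(weak)))
    return findings


def ha_summary(blocks):
    """Count SAs per HA status (for example STANDBY) across all blocks."""
    return Counter(sa["ha_status"] for b in blocks for sa in b["sas"])


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    for interface, message in review(parsed):
        print(f"{interface}: {message}")
    print(dict(ha_summary(parsed)))
```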
Displaying SSP Information
To display information about an SSP configuration, use the show ssp client, show ssp packet, show ssp
peers, and show ssp redundancy commands.
Enter the show ssp client command to display the domain of interpretation (DOI), name, running version
and available version of each client that is registered with SSP. The following is sample output from the
command:
Router# show ssp client
SSP Client Information
DOI Client Name Version Running Ver
1 IPSec HA Manager 1.0 1.0
2 IKE HA Manager 1.0 1.0
Enter the show ssp packet command to display the byte count and packet count for the current socket,
the creation time of the socket, the server port number, and the port number used for SSP
communication. The following is sample output from the command:
Router# show ssp packet
SSP packet Information
Socket creation time: 01:01:06
Local port: 3249 Server port: 3249
Packets Sent = 38559, Bytes Sent = 2285020
Packets Received = 910, Bytes Received = 61472
Enter the show ssp peers command to display the IP address of the remote peer, the interface used, and
the connection state. The following is sample output from the command:
Router# show ssp peers
SSP Peer Information
IP Address Connection State Local Interface
40.0.0.1 Connected FastEthernet0/1
Enter the show ssp redundancy command to display the current SSP state, the HSRP group name,
interface used, and the elapsed time since last state change. The following is sample output from the
command:
Router# show ssp redundancy
SSP Redundancy Information
Device has been ACTIVE for 02:55:34
Virtual IP Redundancy Name Interface
172.16.31.100 KNIGHTSOFNI FastEthernet0/0
Displaying Information About a BFG Configuration
To display information about a BFG configuration, use the show redundancy linecard-group and show
crypto ace redundancy commands. The following is sample output from the commands:
Router# show redundancy linecard-group 1
Line Card Redundancy Group:1 Mode:feature-card
Class:load-sharing
Cards:
Slot:3 Subslot:0
Slot:5 Subslot:0
Router# show crypto ace redundancy
--------------------------------------
LC Redundancy Group ID :1
Pending Configuration Transactions:0
Current State :OPERATIONAL
Number of blades in the group :2
Slots
--------------------------------------
Slot:3 Subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 22 times
Initialization Timer not running
Slot:5 Subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 24 times
Initialization Timer not running
Displaying Information About RSA Public Keys
To display information about the RSA public keys configured for your router, use the show crypto key
mypubkey rsa command. The following is sample output from the command:
Router# show crypto key mypubkey rsa
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
Usage: Encryption Key
Key Data:
00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
To display a list of all the RSA public keys stored on your router (including the public keys of peers that
have sent your router their certificates during peer authentication for IPsec), or to display details of a
particular RSA public key stored on your router, use the show crypto key pubkey-chain rsa command.
The following is sample output from the command:
Router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate
Code Usage IP-address Name
M Signature 10.0.0.1 myrouter.example.com
M Encryption 10.0.0.1 myrouter.example.com
C Signature 172.16.0.1 routerA.example.com
C Encryption 172.16.0.1 routerA.example.com
C General 192.168.10.3 routerB.domain1.com
Displaying Information About Certificates
To display information about your certificate, the certificate of the CA, and any RA certificates, use the
show crypto pki certificates command. The following is sample output from the command:
Router# show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
Certificate Usage: Signature
Issuer:
CN = new-user
OU = pki new-user
O = cisco
L = santa cruz2
ST = CA
C = US
EA = user@example.com
Subject:
CN = new-user
OU = pki new-user
O = cisco
L = santa cruz2
ST = CA
C = US
EA = user@example.com
CRL Distribution Point:
http://new-user.example.com/CertEnroll/new-user.crl
Validity Date:
start date: 14:19:29 PST Oct 31 2002
end date: 14:27:27 PST Oct 31 2017
Associated Trustpoints: MS
Certificate
Status: Available
Certificate Serial Number: 193E28D20000000009F7
Certificate Usage: Signature
Issuer:
CN = new-user
OU = pki new-user
O = cisco
L = santa cruz2
ST = CA
C = US
EA = user@example.com
Subject:
Name: User1.Example.Com
CRL Distribution Point:
http://new-user.example.com/CertEnroll/new-user.crl
Validity Date:
start date: 12:40:14 PST Feb 26 2003
end date: 12:50:14 PST Mar 5 2003
renew date: 16:00:00 PST Dec 31 1969
Associated Trustpoints: MS
Displaying Information About Trustpoints
To display the trustpoints that are configured in the router, use the show crypto pki trustpoints
command. The following is sample output from the command:
Router# show crypto pki trustpoints
Trustpoint bo:
Subject Name:
CN = ACSWireless Certificate Manager
O = cisco.com
C = US
Serial Number:01
Certificate configured.
CEP URL:http://ACSWireless
CRL query url:ldap://ACSWireless
Displaying Information About the NHRP Cache
To display information about the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp
and the show crypto sockets commands. The following is sample output from the commands:
Router# show ip nhrp
10.10.1.75/32 via 10.10.1.75, Tunnel5 created 00:32:11, expire 00:01:46
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.16.175.75
10.10.1.76/32 via 10.10.1.76, Tunnel5 created 00:26:41, expire 00:01:37
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.16.175.76
10.10.1.77/32 via 10.10.1.77, Tunnel5 created 00:31:26, expire 00:01:33
Type: dynamic, Flags: authoritative unique registered
NBMA address: 172.17.63.20
Router# show crypto sockets
Number of Crypto Socket connections 1
Tu0 Peers (local/remote): 9.1.1.1/11.1.1.1
Local Ident (addr/mask/port/prot): (9.1.1.1/255.255.255.255/0/47)
Remote Ident (addr/mask/port/prot): (11.1.1.1/255.255.255.255/0/47)
IPSec Profile: "MyIpsecProf"
Socket State: Open
Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "MyIpsecProf" Map-name: "Tunnel0-head-0"
Router#
Displaying Information About Crypto Sessions
To display status information for active crypto sessions, use the show crypto session command. The
output will include the following:
• Interface
• IKE peer description, if available
• IKE SAs that are associated with the peer by which the IPsec SAs are created
• IPsec SAs serving the flows of a session
The following is sample output from the command:
Router# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Ethernet1/0
Session status: UP-NO-IKE
Peer: 10.2.80.179/500 fvrf: (none) ivrf: (none)
Desc: My-manual-keyed-peer
Phase1_id: 10.2.80.179
IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179
Active SAs: 4, origin: manual-keyed crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Ethernet1/2
Session status: DOWN
Peer: 10.1.1.1/500 fvrf: (none) ivrf: (none)
Desc: SJC24-2-VPN-Gateway
Phase1_id: 10.1.1.1
IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 10.4.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Serial2/0.17
Session status: UP-ACTIVE
Peer: 10.1.1.5/500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: 10.1.1.5
IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 Active
Capabilities:(none) connid:1 lifetime:00:59:51
IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 20085/171
Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 20086/171
Displaying Tunnel Interface Information
To display tunnel interface information, use the show interfaces tunnel command. The following is
sample output from the command:
Router# show interfaces tunnel 1
Tunnel4 is up, line protocol is down
Hardware is Routing Tunnel
Internet address is 10.1.1.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, rely 255/255, load 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec)
Tunnel source 9.2.2.1, destination 6.6.6.2
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Tunnel TOS 0xF, Tunnel TTL 128
Checksumming of packets disabled, fast tunneling enabled
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy, fifo
Output queue 0/0, 1 drops; input queue 0/75, 0 drops
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets, 0 restarts
Table 34-1 describes significant fields shown in the display.
Table 34-1 show interfaces tunnel Field Descriptions
Field                         Description
Tunnel is {up | down}         Interface is currently active and inserted into ring (up) or inactive and not inserted (down).
line protocol is {up | down | administratively down}  Shows line protocol up if a valid route is available to the tunnel destination. Shows line protocol down if no route is available, or if the route would be recursive.
Hardware                      Specifies the hardware type.
MTU                           Maximum transmission unit of the interface.
BW                            Bandwidth of the interface in kilobits per second.
DLY                           Delay of the interface in microseconds.
rely                          Reliability of the interface as a fraction of 255 (255/255 is 100 percent reliability), calculated as an exponential average over 5 minutes.
load                          Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 minutes.
Encapsulation                 Encapsulation method is always TUNNEL for tunnels.
loopback                      Indicates whether loopback is set or not.
Keepalive                     Indicates whether keepalives are set or not.
Tunnel source                 IP address used as the source address for the tunnel packets.
destination                   IP address of the tunnel destination.
Tunnel protocol               Tunnel transport protocol (the protocol the tunnel is using). This is based on the tunnel mode command, which defaults to GRE.
key                           (Optional) ID key for the tunnel interface.
sequencing                    (Optional) Indicates whether the tunnel interface drops datagrams that arrive out of order.
Last input                    Number of hours, minutes, and seconds (or never) since the last packet was successfully received by an interface and processed locally on the router. Useful for knowing when a dead interface failed. This field is not updated by fast-switched traffic.
output                        Number of hours, minutes, and seconds (or never) since the last packet was successfully transmitted by an interface.
output hang                   Number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long. When the number of hours in any of the “last” fields exceeds 24 hours, the number of days and hours is displayed. If that field overflows, asterisks are displayed.
Last clearing                 Time at which the counters that measure cumulative statistics (such as number of bytes transmitted and received) shown in this report were last reset to zero. Note that variables that might affect routing (for example, load and reliability) are not cleared when the counters are cleared. Three asterisks (***) indicate the elapsed time is too large to be displayed. 0:00:00 indicates the counters were cleared more than 2^31 ms (and less than 2^32 ms) ago.
Output queue, drops / Input queue, drops  Number of packets in output and input queues. Each number is followed by a slash, the maximum size of the queue, and the number of packets dropped because of a full queue.
30 second input rate, 30 second output rate  Average number of bits and packets transmitted per second in the last 30 seconds. The 30-second input and output rates should be used only as an approximation of traffic per second during a given 30-second period. These rates are exponentially weighted averages with a time constant of 30 seconds. A period of four time constants must pass before the average will be within two percent of the instantaneous rate of a uniform stream of traffic over that period.
packets input                 Total number of error-free packets received by the system.
bytes                         Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.
no buffer                     Number of received packets discarded because there was no buffer space in the main system. Compare with ignored count. Broadcast storms on Ethernet networks and bursts of noise on serial lines are often responsible for no input buffer events.
broadcasts                    Total number of broadcast or multicast packets received by the interface.
runts                         Number of packets that are discarded because they are smaller than the minimum packet size of the medium.
giants                        Number of packets that are discarded because they exceed the maximum packet size of the medium.
CRC                           Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of a station transmitting bad data.
frame                         Number of packets received incorrectly having a CRC error and a noninteger number of octets.
overrun                       Number of times the serial receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver’s ability to handle the data.
ignored                       Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different than the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.
abort                         Illegal sequence of one bits on a serial interface. This usually indicates a clocking problem between the serial interface and the data link equipment.
packets output                Total number of messages transmitted by the system.
bytes                         Total number of bytes, including data and MAC encapsulation, transmitted by the system.
underruns                     Number of times that the far-end transmitter has been running faster than the near-end router’s receiver can handle. This may never be reported on some interfaces.
output errors                 Sum of all errors that prevented the final transmission of datagrams out of the interface being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.
collisions                    Number of messages retransmitted because of an Ethernet collision. This usually is the result of an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). Some collisions are normal. However, if your collision rate climbs to around 4 or 5 percent, you should consider verifying that there is no faulty equipment on the segment and moving some existing stations to a new segment. A packet that collides is counted only once in output packets.
interface resets              Number of times an interface has been reset. The interface may be reset by the administrator or automatically when an internal error occurs.
restarts                      Number of times that the controller was restarted because of errors.
Displaying Information About IP Multicast Over a GRE Tunnel
To display information about an IP multicast over a GRE tunnel configuration, enter the show crypto
vlan and show ip mroute commands.
Enter the show crypto vlan command to check that the tunnel has been taken over by the IPSec VPN
SPA. The following is sample output from the command:
Router# show crypto vlan
Interface VLAN 100 on IPSec Service Module port Gi7/0/1 connected to Po1 with crypto map
set map_t3
Tunnel15 is accelerated via IPSec SM in subslot 7/0
Enter the show ip mroute command and look for the H flag to check that the IP multicast traffic is
hardware-switched. The following is sample output from the command:
Router# show ip mroute 230.1.1.5
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 230.1.1.5), 01:23:45/00:03:16, RP 15.15.1.1, flags: SJC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16
(120.1.0.3, 230.1.1.5), 01:23:46/00:03:25, flags: T
Incoming interface: GigabitEthernet8/1, RPF nbr 0.0.0.0, RPF-MFD
Outgoing interface list:
Tunnel15, Forward/Sparse-Dense, 00:25:47/00:03:16, H
Troubleshooting Specific Problems on the IPSec VPN SPA
This section provides additional information about troubleshooting specific problems related to the
IPSec VPN SPA. It includes the following subsections:
• Clearing IPsec Security Associations
• Troubleshooting Trunk Port Configurations
• Troubleshooting IPsec Stateful Failover (VPN High Availability)
• Troubleshooting a Blade Failure Group
• Troubleshooting IKE Policy and Transform Sets
Clearing IPsec Security Associations
You can clear (and reinitialize) IPsec security associations by using the clear crypto sa command.
Using the clear crypto sa command without parameters will clear out the full SA database, which will
clear out active security sessions. You may also specify the peer, map, or entry keywords to clear out
only a subset of the SA database. For more information, refer to the clear crypto sa command in the
Cisco IOS Security Command Reference, Release 12.2.
If you want to also remove the IKE (phase 1) SAs, follow the clear crypto sa command with the clear
crypto isa command. Alternatively, you can use the clear crypto session command to achieve the same
result as the clear crypto sa and the clear crypto isa commands. The clear crypto session command
supports many of the same parameters as the clear crypto sa command.
Troubleshooting Trunk Port Configurations
Caution When you configure an Ethernet port as a trunk port, all the VLANs are allowed on the trunk port by
default. This default configuration does not work well with the IPSec VPN SPA and causes network
loops. To avoid this problem, you must explicitly specify only the desirable VLANs.
For more information on trunk configuration guidelines, review the “Configuring a Trunk Port” section
on page 25-15.
To verify which ports are assigned to the VLAN, enter the show vlan id number command, using the
interface VLAN identifier. Following is an example of a trunk port configuration and the output of the
show vlan id command:
Router# show run interface gi 1/3
Building configuration...
Current configuration : 175 bytes
!
interface GigabitEthernet1/3
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,502-504,1002-1005
switchport mode trunk
no ip address
end
Router# show crypto vlan
Interface VLAN 2 on IPSec Service Module port Gi7/0/1 connected to VLAN 502 with crypto
map set testtag_1
Interface VLAN 3 on IPSec Service Module port Gi7/0/1 connected to VLAN 503 with crypto
map set testtag_2
Interface VLAN 4 on IPSec Service Module port Gi7/0/1 connected to VLAN 504 with crypto
map set testtag_3
Router# show vlan id 2
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2 VLAN0002 active Gi7/0/1
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2 enet 100002 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
Router# show vlan id 502
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
502 VLAN0502 active Gi1/3, Gi7/0/2
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
502 enet 100502 1500 - - - - - 0 0
Remote SPAN VLAN
----------------
Disabled
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
Router#
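The trunk caution above lends itself to a configuration audit. The following is an added example, not part of the Cisco guide: it reads running-config text and show crypto vlan output, finds trunk ports that have no explicit allowed-VLAN list (and so carry every VLAN by default), and lists which crypto interface VLANs and port VLANs each trunk carries. The inputs are constructed from the example above; GigabitEthernet1/4 is a hypothetical second port left at the default.

```python
import re

# Constructed sample input: the trunk port from the example above plus a
# hypothetical port (Gi1/4) that has no explicit allowed-VLAN list.
RUNNING_CONFIG = """\
interface GigabitEthernet1/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,502-504,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1/4
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
"""

# Copied from the show crypto vlan output above, including its line wrapping.
SHOW_CRYPTO_VLAN = """\
Interface VLAN 2 on IPSec Service Module port Gi7/0/1 connected to VLAN 502 with crypto
map set testtag_1
Interface VLAN 3 on IPSec Service Module port Gi7/0/1 connected to VLAN 503 with crypto
map set testtag_2
Interface VLAN 4 on IPSec Service Module port Gi7/0/1 connected to VLAN 504 with crypto
map set testtag_3
"""


def expand_vlan_list(spec):
    """Turn a list such as '1,502-504' into {1, 502, 503, 504}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(config):
    """Map each trunk interface to its allowed-VLAN set, or to None when the
    port has no explicit list and therefore allows all VLANs."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = blocks.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None      # "!" or a global command ends the block
    trunks = {}
    for name, lines in blocks.items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = None
        for line in lines:
            m = re.match(r"switchport trunk allowed vlan (add )?([\d,-]+|none)$", line)
            if m:
                vlans = set() if m.group(2) == "none" else expand_vlan_list(m.group(2))
                # "add" lines extend the list; a plain line replaces it.
                allowed = (allowed or set()) | vlans if m.group(1) else vlans
        trunks[name] = allowed
    return trunks


def parse_crypto_vlans(output):
    """Map interface VLAN -> port VLAN from show crypto vlan output."""
    flat = re.sub(r"\s+", " ", output)      # undo terminal line wrapping
    pairs = re.findall(r"Interface VLAN (\d+) on IPSec Service Module port \S+ "
                       r"connected to VLAN (\d+)", flat)
    return {int(iface): int(port) for iface, port in pairs}


def audit(config, crypto_vlan_output):
    """For every trunk, report whether its VLAN list is explicit and which
    crypto-related VLANs (interface VLANs and port VLANs) it carries."""
    pairs = parse_crypto_vlans(crypto_vlan_output)
    crypto_vlans = set(pairs) | set(pairs.values())
    report = {}
    for name, allowed in parse_trunks(config).items():
        carried = crypto_vlans if allowed is None else crypto_vlans & allowed
        report[name] = {"explicit": allowed is not None,
                        "crypto_vlans": sorted(carried)}
    return report


if __name__ == "__main__":
    for port, result in audit(RUNNING_CONFIG, SHOW_CRYPTO_VLAN).items():
        state = "explicit list" if result["explicit"] else "DEFAULT (all VLANs)"
        print(f"{port}: {state}, carries crypto VLANs {result['crypto_vlans']}")
```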
Troubleshooting IPsec Stateful Failover (VPN High Availability)
If you find that either the active or standby IPsec stateful failover (VPN high availability) processes do
not function as expected, you can perform the following checks:
• Use the show ssp command to verify the SSP process is running.
• Make sure that both routers share identical IPsec configurations. This is critical. If routers are
configured differently, IPsec stateful failover (VPN high availability) will not work.
Note Support for IPsec stateful failover is removed in Cisco IOS Release 12.2SRA. The feature is
supported in Cisco IOS Release 12.2SXF.
• Verify that an IPsec connection can be formed with existing maps, transforms, and access lists.
• Configure HSRP on the inside and outside interfaces and make the HSRP groups track one another.
Verify this works properly by performing a shut command on either of the interfaces, then observe
that the HSRP standby router takes active control from the active router.
• Verify that SSP peers can see each other by performing a show ssp peer command on both the active
and standby routers.
• Bind the IKE and IPsec to SSP and send traffic over the tunnels. You can view high availability (HA)
messages on the standby router as both the active and standby routers synchronize.
• HSRP settings may require adjustments depending on the interface employed, such as Fast Ethernet
or Gigabit Ethernet.
Checking HSRP Settings
To check HSRP settings, perform this task:
        Command                           Purpose
Step 1  Router# show standby brief        Ensures that the interfaces are synchronized.
Step 2  Router# no standby delay timer    Leaves the delay timers at their default settings.
Step 3  Router# show standby brief        When the other router comes online, enter the show standby brief command once again. If the output shows an interface on standby, you must set the standby router’s delay timer.
Clearing Dormant SAs on Standby Routers
To clear associated SA entries, perform this task:
        Command                                                            Purpose
Step 1  Router# clear crypto isakmp ha [standby][resync]                   Clears all dormant (standby) entries from the device. If the resync keyword is used, all standby IKE SAs will be removed, and a resynchronization of state will occur.
Step 2  Router# clear crypto sa ha standby [peer ip address | resync]      Clears all standby SAs for the device if peer is specified.
Enabling Debugging for HA
To enable debugging for HA, perform this task:
Step 1
  Command: Router# debug crypto isakmp ha [detail | fsm | update]
  Purpose: Enables basic debug messages related to the IKE HA Manager.
Step 2
  Command: Router# debug crypto ipsec ha [detail | fsm | update]
  Purpose: Enables IPsec HA debugging.
Step 3
  Command: Router# debug ssp [fsm | socket | packet | peers | redundancy | config]
  Purpose: Enables SSP debugging.
Troubleshooting a Blade Failure Group
To enable IPSec VPN SPA debugging for a blade failure group, enter the debug crypto ace b2b
command:
Router# debug crypto ace b2b
ACE B2B Failover debugging is on
Troubleshooting IKE Policy and Transform Sets
Any IPsec transforms or IKE encryption methods that the current hardware does not support should be
disabled; they are ignored whenever an attempt to negotiate with the peer is made.
If a user enters an IPsec transform or an IKE encryption method that the hardware does not support, a
warning message will be generated. These warning messages are also generated at boot time. When an
encrypted card is inserted, the current configuration is scanned. If any IPsec transforms or IKE
encryption methods are found that are not supported by the hardware, a warning message will be
generated.
Using Crypto Conditional Debug
The crypto conditional debug feature provides three command-line interface (CLI) commands that allow
you to debug an IP Security (IPsec) tunnel on the basis of predefined crypto conditions such as the peer
IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug
messages to specific IPsec operations and reducing the amount of debug output, you can better
troubleshoot a router with a large number of tunnels.
The crypto conditional debug commands (debug crypto condition, debug crypto condition
unmatched, and show crypto debug-condition) allow you to specify conditions (filter values) in which
to generate and display debug messages related only to the specified conditions.
Table 34-2 lists the supported condition types.
Note If connid, flowid, or spi is used as a debug condition, the debug messages for a related IPsec flow are
generated. An IPsec flow has two connection-IDs, flow-IDs, and SPI values—one inbound and one
outbound. Either one of the two connection-IDs, flow-IDs, and SPI values can be used as the debug
condition that triggers debug messages for the IPsec flow.
Table 34-2 Supported Condition Types for Crypto Conditional Debug Commands
Condition Type (Keyword)  Description
connid                    An integer between 1 and 32766. Relevant debug messages will be shown if the current IPsec operation uses this value as the connection-ID to interface with the crypto engine.
flowid                    An integer between 1 and 32766. Relevant debug messages will be shown if the current IPsec operation uses this value as the flow-ID to interface with the crypto engine.
fvrf                      The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPsec operation uses this VRF instance as its front-door VRF (FVRF).
ivrf                      The name string of a VRF instance. Relevant debug messages will be shown if the current IPsec operation uses this VRF instance as its inside VRF (IVRF).
peer group                A Unity group name string. Relevant debug messages will be shown if the peer is using this group name as its identity.
peer hostname             A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity.
peer ipv4                 A single IP address. Relevant debug messages will be shown if the current IPsec operation is related to the IP address of this peer.
peer subnet               A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPsec peer falls into the specified subnet range.
peer username             A username string. Relevant debug messages will be shown if the peer is using this username as its identity.
spi                       A 32-bit unsigned integer. Relevant debug messages will be shown if the current IPsec operation uses this value as the SPI.
Crypto Conditional Debug Configuration Guidelines and Restrictions
When configuring crypto conditional debug, follow these guidelines and restrictions:
• This feature does not support debug message filtering for hardware crypto engines.
• Although conditional debugging is useful for troubleshooting peer-specific or functionality-related
Internet Key Exchange (IKE) and IPsec problems, conditional debugging may not be able to define
and check large numbers of debug conditions.
• Because extra space is needed to store the debug condition values, additional processing overhead
is added to the CPU and memory usage is increased. Thus, crypto conditional debugging should be
enabled with caution on a router with heavy traffic.
• Your router will perform conditional debugging only after at least one of the global crypto debug
commands (debug crypto isakmp, debug crypto ipsec, or debug crypto engine) has been enabled.
This requirement helps to ensure that the performance of the router will not be impacted when
conditional debugging is not being used.
Enabling Crypto Conditional Debug Filtering
To enable crypto conditional debug filtering, perform the following tasks:
Step 1
  Command: Router# enable
  Purpose: Enables privileged EXEC mode.
Step 2
  Command: Router# debug crypto condition [connid integer engine-id integer] [flowid integer engine-id
           integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress]
           [subnet subnet mask] [username string]] [spi integer] [reset]
  Purpose: Defines conditional debug filters. See Table 34-2 for descriptions of values.
Step 3
  Command: Router# show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}
  Purpose: Displays crypto debug conditions that have already been enabled in the router.
Step 4
  Command: Router# debug crypto isakmp
  Purpose: Enables global IKE debugging.
Step 5
  Command: Router# debug crypto ipsec
  Purpose: Enables global IPsec debugging.
Step 6
  Command: Router# debug crypto engine
  Purpose: Enables global crypto engine debugging.
Step 7
  Command: Router# debug crypto condition unmatched [isakmp | ipsec | engine]
  Purpose: (Optional) Displays debug conditional crypto messages when no context information is
           available to check against debug conditions. If none of the optional keywords are specified,
           all crypto-related information will be shown.
Disabling Crypto Conditional Debugging
Before you disable crypto conditional debugging, you must first disable any crypto global debug CLIs
that you have issued. You can then disable crypto conditional debugging. To disable crypto conditional
debugging, enter the following command:
Router# debug crypto condition reset
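The enable and disable order described in this section can be generated and checked before it is typed on a router. The following Python sketch is an added example, not Cisco code: it validates condition values against the ranges in Table 34-2 and returns the command sequences in the required order. The function names, the sample addresses, and the use of the no form to turn off the global debug commands are assumptions of this example.

```python
import ipaddress

# Global crypto debug commands named in the guidelines above.
GLOBAL_DEBUGS = ("isakmp", "ipsec", "engine")


def condition_commands(peer_ipv4=None, peer_subnet=None, spi=None,
                       connid=None, engine_id=None):
    """Build 'debug crypto condition' commands, validating per Table 34-2."""
    cmds = []
    if peer_ipv4 is not None:
        # Raises ValueError on a malformed address.
        addr = ipaddress.IPv4Address(peer_ipv4)
        cmds.append("debug crypto condition peer ipv4 %s" % addr)
    if peer_subnet is not None:
        # The CLI takes a subnet and a mask, not CIDR notation.
        net = ipaddress.IPv4Network(peer_subnet, strict=True)
        cmds.append("debug crypto condition peer subnet %s %s"
                    % (net.network_address, net.netmask))
    if spi is not None:
        # Table 34-2: a 32-bit unsigned integer.
        if not 0 <= spi <= 0xFFFFFFFF:
            raise ValueError("spi must fit in 32 bits")
        cmds.append("debug crypto condition spi %d" % spi)
    if connid is not None:
        # Table 34-2: an integer between 1 and 32766.
        if not 1 <= connid <= 32766:
            raise ValueError("connid must be between 1 and 32766")
        if engine_id is None:
            raise ValueError("connid requires an engine-id")
        cmds.append("debug crypto condition connid %d engine-id %d"
                    % (connid, engine_id))
    if not cmds:
        raise ValueError("no debug condition given")
    return cmds


def session_plan(conditions, global_debugs=("isakmp", "ipsec")):
    """Return (enable, disable) command lists in the order this section requires."""
    if not global_debugs:
        # Conditions take effect only once a global crypto debug is enabled.
        raise ValueError("at least one global crypto debug is required")
    for name in global_debugs:
        if name not in GLOBAL_DEBUGS:
            raise ValueError("unknown global debug: %r" % name)
    enable = list(conditions)
    enable.append("show crypto debug-condition")
    enable += ["debug crypto %s" % name for name in global_debugs]
    # Teardown: global debugs off first, then reset the conditions.
    # Assumption: the standard 'no' form disables each global debug.
    disable = ["no debug crypto %s" % name for name in global_debugs]
    disable.append("debug crypto condition reset")
    return enable, disable


if __name__ == "__main__":
    # Constructed sample values (documentation address range).
    conds = condition_commands(peer_ipv4="192.0.2.10", connid=2001, engine_id=1)
    on, off = session_plan(conds)
    print("\n".join("Router# " + c for c in on + off))
```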
Enabling Crypto Error Debug Messages
Enabling the debug crypto error command displays only error-related debug messages, which allows
you to easily determine why a crypto operation, such as an IKE negotiation, has failed within your
system. To enable crypto error debug messages, enter the following command from privileged EXEC
mode:
Router# debug crypto {isakmp | ipsec | engine} error
Note When enabling this command, ensure that global crypto debug commands are not enabled; otherwise,
the global commands will override any possible error-related debug messages.
For complete configuration information for crypto conditional debug support, refer to this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_dbcry.html
Preparing for Online Insertion and Removal of a SPA
The Cisco 7600 series router supports online insertion and removal (OIR) of the SSC, in addition to each
of the SPAs. You can remove an SSC with its SPAs still intact, or you can remove a SPA independently
from the SSC, leaving the SSC installed in the router.
An SSC can remain installed in the router with one SPA remaining active while you remove another SPA
from one of the SSC subslots. If you are not planning to immediately replace a SPA into the SSC, then
be sure to install a blank filler plate in the subslot. The SSC should always be fully installed with either
functional SPAs or blank filler plates.
For more information about activating and deactivating SPAs in preparation for OIR, see the “Preparing
for Online Insertion and Removal of SIPs and SPAs” topic in the “Troubleshooting the SIPs and SSC”
chapter in this guide.
Part 9 Field-Programmable Devices
Chapter 35 Upgrading Field-Programmable Devices
In general terms, field-programmable devices (FPDs) are hardware devices implemented on router cards
that support separate upgrades. The term “FPD” has been introduced to collectively and generically
describe any type of programmable hardware device on SIPs and SPAs. FPDs were introduced on the
Cisco 7600 series router to support SPAs and SIPs.
This chapter describes the information that you need to know to verify image versions and to perform
SIP and SPA FPD upgrades.
This chapter includes the following sections:
• Release History
• FPD Quick Upgrade
• Overview of FPD Images and Packages
• Upgrading FPD Images
• Optional FPD Procedures
• FPD Image Upgrade Examples
• Troubleshooting Problems with FPD Image Upgrades
Release History
Table 35-1 provides the release and modification history for all FPD-related features on the Cisco 7600
series router.
Table 35-1 FPD Release History
Release                        Modification
Cisco IOS Release 12.2(33)SRB  The upgrade hw-module slot fpd file command was introduced. This command replaces the upgrade hw-module slot command.
                               The upgrade hw-module subslot fpd file command was introduced. This command replaces the upgrade hw-module subslot command.
Cisco IOS Release 12.2(18)SXE  SIPs and SPAs were released on the Cisco 7600 series router and Catalyst 6500 series switch for the first time. FPD images were introduced to support these SPAs.
                               The Fast Software Upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) for supervisor engines was added to the documentation.
FPD Quick Upgrade
This section provides information if you simply want to upgrade FPDs for SIPs and SPAs as quickly as
possible. These instructions are not always feasible for operating network environments and are not the
only methods available for upgrading FPDs. If these methods of upgrade are not suitable for your
situation, see the various other sections of this document for other methods of upgrading FPDs.
This section addresses the following topics:
• FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended)
• FPD Quick Upgrade After Upgrading your Cisco IOS Release
FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended)
Step 1 When getting your Cisco IOS image, download the FPD image package for the Cisco IOS release that
you are upgrading to, and place it on any Flash disk on your router before booting the new version of
Cisco IOS. The FPD image package can be retrieved from the same site where you went to get your Cisco
IOS image. Do not change the name of the FPD image package.
Step 2 Boot using the new version of Cisco IOS. When the new Cisco IOS boots, it by default searches for the
FPD image package in the router flash file systems and the FPD images will be updated automatically
as part of the IOS boot process.
FPD Quick Upgrade After Upgrading your Cisco IOS Release
Step 1 An FPD upgrade is not always necessary after Cisco IOS is reloaded. If you have already reloaded your
Cisco IOS, enter the show hw-module all fpd command to see if all system FPDs are compatible. If the
FPDs are compatible, no further action is necessary. If at least one FPD needs an upgrade, proceed to
Step 2.
Step 2 Go to the cisco.com site where you downloaded your specific Cisco IOS software and locate the FPD
image package, if you haven’t already.
Step 3 Download this FPD image package to a Flash disk on your router. Do not change the name of the FPD
image package.
Do not change any FPD-related settings on your system (if upgrade fpd auto or upgrade fpd path has
been changed, change the settings back to the default settings using the no form of the command).
Reboot your Cisco IOS release software. When the new Cisco IOS boots, it by default searches for the
FPD image package in the Flash file systems and the FPD images will be updated automatically as part
of the IOS boot process.
Overview of FPD Images and Packages
An FPD image package is used to upgrade FPD images. Whenever a Cisco IOS image is released that
supports carrier cards and SPAs, a companion FPD image package is also released for that Cisco IOS
software release. The FPD image package is available from Cisco.com and is accessible from the Cisco
Software Center page where you also go to download your Cisco IOS software image. FPD packages are
suffixed with a .pkg extension, and typically used to upgrade firmware images of the line card and
supervisor programmable components.
If you are running SIPs and SPAs on your router and are upgrading your Cisco IOS image, you should
download the FPD image package file before booting the router using the new Cisco IOS release. If the
SIP or SPA requires an FPD upgrade and the Cisco IOS image is unable to locate an FPD image package,
the system messages will indicate that the FPD image is incompatible and you will need to go to the
Cisco Software Center on Cisco.com to download the FPD image package for your Cisco IOS software
release. An FPD incompatibility on a SPA disables all interfaces on that SPA until the incompatibility is
addressed; an FPD incompatibility on a SIP disables all interfaces for all SPAs in the SIP until the
incompatibility is addressed.
Note The FPD automatic upgrade feature only searches for the FPD image package file that is the same
version number as the Cisco IOS release being used by the system.
For example, if you are using the Cisco IOS Release 12.2(18)SXE, then the system will search for
the FPD image package file (c7600-fpd-pkg.122-18.SXE.pkg) that supports this particular IOS
release. Therefore, ensure that the FPD image package file on your system is compatible with your
Cisco IOS release. It is important not to change the name of the FPD package file.
Upgrading FPD Images
This section documents some of the common scenarios where FPD image updates are necessary. It
discusses the following scenarios:
• Migrating to a Newer Cisco IOS Release
• Upgrading FPD Images in a Production System
Migrating to a Newer Cisco IOS Release
This section discusses the following topics:
• Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended)
• Upgrading FPD Images in a Production System
• Upgrading FPD Images Using Fast Software Upgrade
Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended)
If you are still running your old Cisco IOS Release but are preparing to load a newer version of Cisco
IOS, you can upgrade FPD for the new Cisco IOS Release using the following method:
• Placing FPD Image Package on Flash Disk Before Upgrading IOS (Recommended)
Placing FPD Image Package on Flash Disk Before Upgrading IOS (Recommended)
Placing the FPD image package for the IOS release that you are upgrading to on a Flash disk before
upgrading IOS is the recommended method for upgrading FPD because it is both simple and fast. To
perform this type of FPD upgrade, follow these steps:
Step 1 While still running the Cisco IOS release that will be upgraded, place the FPD image package for the
new version of Cisco IOS onto one of your router’s Flash file systems. For instance, if you are running
Cisco IOS Release 12.2(18)SXE and are upgrading to Cisco IOS Release 12.2(19)SXE, place the FPD
image package for Cisco IOS Release 12.2(19)SXE onto a Flash file system while still running Cisco
IOS Release 12.2(18)SXE. You can locate the FPD image package for a specific IOS release on
cisco.com from the same area where you download that Cisco IOS software image. Your router and SPAs
should continue to operate normally since this action will have no impact on the current FPDs.
Caution Do not change the filename of the FPD image package file. The Cisco IOS searches for the FPD
image package file by filename, so the FPD image package file cannot be found if it has been
renamed.
Step 2 Reboot your router using the new upgraded Cisco IOS image. As part of the bootup process, the router
will search for the FPD image package. Since the default settings for the FPD image package search are
to check for the FPD image package for the specific Cisco IOS Release in a Flash file system, the FPD
image package will be located during the bootup procedure and all FPDs that required upgrades will be
upgraded.
Step 3 When the router has booted, verify the upgrade was successful by entering the show hw-module all fpd
command.
Upgrade FPD Images after Upgrading the New Cisco IOS Release
The following steps explain how to upgrade FPD images if you have already upgraded your Cisco IOS
release but still need to upgrade your FPD images.
To perform an FPD upgrade after the new Cisco release has been booted, follow these steps:
Step 1 If you are unsure if your FPD images for your SIPs and SPAs are compatible, enter the show hw-module
all fpd command to verify compatibility of all SIPs and SPAs. If all of your SIPs and SPAs are
compatible, there is no reason to perform this upgrade.
Step 2 If an FPD upgrade is necessary, place the FPD image package for the new version of Cisco IOS onto the
router’s Flash Disk or on an accessible FTP or TFTP server. You can locate the FPD image package on
cisco.com from the same area where you downloaded your Cisco IOS software image.
Step 3 Enter the upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] file-url [force]
command. The file-url argument should point to the location of the FPD image package. For
instance, if you had placed the FPD image package for Release 12.2(18)SXE on the TFTP server
abrick/muck/myfolder, you would enter upgrade hw-module [slot slot-number | subslot
slot-number/subslot-number] tftp://abrick/muck/myfolder/c7600-fpd-pkg.122-18.SXE.pkg to
complete this step.
If multiple SIPs or SPAs require upgrades, the different pieces of hardware will have to be updated
individually.
Note the force option is used in this command. This option will force an FPD upgrade even if no FPD
mismatch is detected. In instances where the upgrade hw-module command is entered, this option is
almost never necessary and should only be entered if requested by a technical support representative.
Step 4 Verify the upgrade was successful by entering the show hw-module all fpd command.
Upgrading FPD Images in a Production System
Adding a SIP or SPA to a production system presents the possibility that the SIP or SPA may contain
versions of FPD images that are incompatible with the Cisco IOS release currently running the router.
In addition, the FPD upgrade operation can be a very CPU-intensive operation and therefore the upgrade
operation may take more time when it is performed on a production system. The performance impact
will vary depending on various factors, including network traffic load, the type of processing engine
used, type of SPA, and the type of service configured.
For these reasons, we recommend that one of the following alternatives be used to perform the FPD
upgrade on a production system if possible:
• Using a Non-Production System to Upgrade the SIP or SPA FPD Image
• Verifying System Compatibility First
Using a Non-Production System to Upgrade the SIP or SPA FPD Image
Before beginning the upgrade, ensure:
• The spare system is running the same version of the Cisco IOS software release that the target
production system is running.
• The automatic upgrade feature is enabled on the spare system (the automatic upgrade feature is
enabled by default; it can also be enabled using the upgrade fpd auto command).
Use the following procedure to perform an upgrade on a spare system:
Step 1 Download the FPD image package file to the router’s flash file system or TFTP or FTP server accessible
by the spare system. In most cases, it is preferable to place the file in a Flash file system since the router,
by default, searches for the FPD image package in the Flash file systems. If the Flash file systems are
full, use the upgrade fpd path command to direct the router to search for the FPD image package in the
proper location.
Step 2 Insert the SIP or SPA into the spare system.
If an upgrade is required, the system will perform the necessary FPD image updates so that when this
SIP or SPA is inserted to the target production system it will not trigger an FPD upgrade operation there.
Step 3 Verify the upgrade was successful by entering the show hw-module all fpd command.
Step 4 Remove the SIP or SPA from the spare system after the upgrade.
Step 5 Insert the SIP or SPA into the target production system.
Verifying System Compatibility First
If a spare system is not available to perform an upgrade, you can check for system compatibility by
disabling the automatic upgrade feature before inserting the SIP or SPA (the automatic upgrade feature
is enabled by default; it can be disabled using the no upgrade fpd auto command).
• If the FPD images on the SIP or SPA are compatible with the system, you will only need to re-enable
the automatic upgrade feature (the automatic upgrade feature can be re-enabled using the upgrade
fpd auto command).
• If the FPD images on the SIP or SPA are not compatible with the system, the SIP or SPA is disabled
but will not impact system performance by attempting to perform an automatic upgrade.
Use the following procedure to check the FPD images on the SIP or SPA for system compatibility:
Step 1 Disable the automatic upgrade feature using the no upgrade fpd auto global configuration command.
Step 2 Insert the SIP or SPA into the system.
If the FPD images are compatible, the SIP or SPA will operate successfully after bootup.
If the FPD images are not compatible, the SIP or SPA is disabled. At this point we recommend that you
wait for a scheduled maintenance when the system is offline to manually perform the FPD upgrade using
one of the procedures outlined in the “Upgrading FPD Images” section on page 35-3.
Step 3 Re-enable the automatic upgrade feature using the upgrade fpd auto global configuration command.
Upgrading FPD Images Using Fast Software Upgrade
The fast software upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) allows
you to upgrade the Cisco IOS image on supervisor engines without reloading the system.
When using FSU to upgrade the Cisco IOS image, remember that Cisco IOS software is configured, by
default, to automatically load the new FPD images from a flash file system on the router. Therefore, if
the FPD image package for the new Cisco IOS has not been downloaded to the router flash file system,
the FPD image that needs to be upgraded will not get upgraded if the new supervisor engine with the
upgraded Cisco IOS becomes the primary supervisor engine. To ensure FPD is upgraded at the time of
the FSU, place the FPD image package for the new version of Cisco IOS onto the flash file system before
upgrading the Cisco IOS and follow the instructions in the “Upgrading FPD Images Before Upgrading
Cisco IOS Release (Recommended)” section on page 35-3.
If a SIP or SPA is disabled after FSU is used to upgrade Cisco IOS and the supervisor engine with the
upgraded Cisco IOS has become the primary supervisor engine, follow the instructions in the “Upgrade
FPD Images after Upgrading the New Cisco IOS Release” section on page 35-4 to verify and, if
necessary, upgrade FPD.
Optional FPD Procedures
This section provides information for optional FPD-related functions. None of the topics discussed in
this section are necessary for completing FPD upgrades, but may be useful in some FPD-related
scenarios. It covers the following topics:
• Manually Upgrading SIP and SPA FPD Images
• Upgrading FPD from an FTP or TFTP Server
• Modifying the Default Path for the FPD Image Package File Location
• Upgrading Multiple FPD Images
• Displaying Current and Minimum Required FPD Image Versions
• Displaying Information About the Default FPD Image Package
• Verifying the FPD Image Upgrade Progress
Manually Upgrading SIP and SPA FPD Images
To manually upgrade the current FPD version on a SIP or SPA, use the following command:
Router# upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] file
file-url [force]
In this example, slot-number is the slot where the SIP is installed, subslot-number is the subslot number
where the SPA is located, file-url is the location and name of the FPD image package file, and force is
an option that forces the SPA to perform an FPD upgrade even if FPD is compatible (the force option is
almost never necessary and should only be entered if requested by a technical support representative).
Note that slot slot-number is entered to specify a SIP FPD upgrade, while subslot
slot-number/subslot-number is used to specify a SPA FPD upgrade. The SIP or SPA will automatically
be reloaded to complete the FPD upgrade.
Caution An image upgrade can require a long period of time to complete depending on the SIP or SPA.
Upgrading FPD from an FTP or TFTP Server
The generally recommended method to perform an FPD image upgrade is to download the FPD image
package to a Flash file system and use the FPD automatic upgrade. By default, the system searches the
Flash file system for the FPD image package file when an FPD incompatibility is detected.
This default behavior of loading an FPD image from Flash can be changed using the upgrade fpd path
global configuration command, which sets the path to search for the FPD image package file to a location
other than the router’s Flash file systems.
For large deployments where all the systems are being upgraded to a specific Cisco IOS software release,
we recommend that the FPD image package file be placed on an FTP or TFTP server that is accessible
to all the affected systems, and then use the upgrade fpd path global configuration command to
configure the routers to look for the FPD image package file from the FTP or TFTP server prior to the
reloading of the system with the new Cisco IOS release.
Note This approach can also be used if there is not enough disk space on the system Flash card to hold the
FPD image package file.
To download an FPD image package file to an FTP or TFTP server, use the following procedure:
Step 1 Copy the FPD image package file to the FTP or TFTP server.
Step 2 Access the router from a connection that does not use the SPA interface for access, if possible. We
recommend not using the SPA interface as your connection to the router because an FPD incompatibility
disables all interfaces on the SPA, making a manual FPD upgrade impossible through a SPA interface.
If access through one of the SPA ports is the only access to the router you have, do not use the TFTP or
FTP upgrade method. Instead, copy the FPD image package to your router’s default Flash card before
upgrading your Cisco IOS Release. This will allow the router to find the FPD image package during the
first IOS bootup and upgrade FPD automatically.
Step 3 From global configuration mode, use the upgrade fpd path command to instruct the router to locate the
FPD image package file from the FTP or TFTP server location.
For example, enter one of the following global configuration commands from the target system’s
console:
Router(config)# upgrade fpd path tftp://my_tftpserver/fpd_pkg_dir/
or
Router(config)# upgrade fpd path ftp://login:password@my_ftpserver/fpd_pkg_dir/
Note The final “/” at the end of each of the above examples is required. If the path is specified without the
trailing “/” character, the command will not work properly.
In these examples, my_tftpserver or my_ftpserver is the server name, fpd_pkg_dir is the directory
on the TFTP server where the FPD image package is located, and login:password is your FTP login name
and password.
Step 4 Make sure that the FPD automatic upgrade feature is enabled by examining the output of the show
running-config command. (Look for the upgrade fpd auto configuration line in the output. If there are
no upgrade commands in the output, then upgrade fpd auto is enabled because it is the default setting.)
If automatic upgrades are disabled, use the upgrade fpd auto global configuration command to enable
automatic FPD upgrades.
Step 5 Enter the show upgrade fpd file command to ensure your router is connecting properly to the default
FPD image package. If you are able to generate output related to the FPD image package using this
command, the upgrade should work properly.
In the following example, the router is able to generate FPD image package information for the FPD
image package on the TFTP server.
Router# show upgrade fpd file
tftp://mytftpserver/myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg
Loading myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg from 124.0.0.0 (via FastEthernet0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK]
Cisco Field Programmable Device Image Package for IOS
C7600 Family FPD Image Package (c7600-fpd-pkg.122-18.SXE.pkg), Version 12.2(SXE)
Copyright (c) 2004-2005 by cisco Systems, Inc.
Built Fri 25-Mar-2005 09:12 by integ
=============================== ================================================
Bundled FPD Image Version Matrix
================================================
Min. Req.
Supported Card Types ID Image Name Version H/W Ver.
=============================== == ========================= ========= =========
2-port T3/E3 Serial SPA 1 T3E3 SPA ROMMON 2.12 0.0
2 T3E3 SPA I/O FPGA 0.24 0.0
3 T3E3 SPA E3 FPGA 0.6 0.0
4 T3E3 SPA T3 FPGA 0.14 0.0
------------------------------- -- ------------------------- --------- ---------
4-port T3/E3 Serial SPA 1 T3E3 SPA ROMMON 2.12 0.0
2 T3E3 SPA I/O FPGA 0.24 0.0
3 T3E3 SPA E3 FPGA 0.6 0.0
4 T3E3 SPA T3 FPGA 0.14 0.0
------------------------------- -- ------------------------- --------- ---------
...
Step 6 Save the configuration and reload the system with the new Cisco IOS release.
During the system startup after the reload, the necessary FPD image version check for all the SIPs and
SPAs will be performed and any upgrade operation will occur automatically if an upgrade is required.
In each upgrade operation, the system extracts the necessary FPD images to the SIP or SPA from the
FPD image package file located on the FTP or TFTP server.
Modifying the Default Path for the FPD Image Package File Location
By default, the Cisco IOS software looks for the FPD image package file on a Flash file system when
performing an automatic FPD image upgrade.
Note Be sure there is enough space on one of your Flash file systems to accommodate the FPD image
package file.
Alternatively, you can store an FPD image package file elsewhere. However, because the system looks
on the Flash file systems by default, you need to change the FPD image package file location so that the
system is directed to search an alternate location (such as an FTP or TFTP server) that is accessible by the
Cisco IOS software. Enter the upgrade fpd path fpd-pkg-dir-url global configuration command, where
fpd-pkg-dir-url is the alternate location, to instruct the router to search for the FPD image package
elsewhere.
When specifying the fpd-pkg-dir-url, be aware of the following:
• The fpd-pkg-dir-url is the path to the FPD image package, but the FPD image package should not
be specified as part of the fpd-pkg-dir-url. For instance, if the c7600-fpd-pkg.122-18.SXE.pkg file
can be found on the TFTP server using the path
mytftpserver/myname/myfpdpkg/c7600-fpd-pkg.122-18.SXE.pkg and you wanted the router to
utilize this FPD image package for FPD upgrades, the upgrade fpd path
tftp://mytftpserver/myname/myfpdpkg/ command should be entered so the router knows where
to find the file. The actual filename should not be specified.
• The final “/” character in the fpd-pkg-dir-url is required. In the preceding example, note that the
fpd-pkg-dir-url is tftp://mytftpserver/myname/myfpdpkg/. Entering
tftp://mytftpserver/myname/myfpdpkg (note: the final “/” character is missing) as the
fpd-pkg-dir-url in that scenario would not work.
If the upgrade fpd path global configuration command has not been entered to direct the router to locate
an FPD image package file in an alternate location, the system searches the Flash file systems on the
Cisco 7600 series router for the FPD image package file.
Failure to locate an FPD image package file when an upgrade is required will disable the SIP or SPA.
Because SIPs and SPAs will not come online until FPD is compatible, the SIP or SPA will also be
disabled if it requires an FPD upgrade and the automatic upgrade feature is disabled.
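The path rules above can be checked against a saved running configuration before a reload. The following audit is an added example, not Cisco code: the function name, finding codes and sample configuration are constructed for illustration, and it assumes a disabled automatic upgrade appears as the no form of upgrade fpd auto.

```python
import re
from urllib.parse import urlsplit


def audit_fpd_config(running_config):
    """Return a list of (code, detail) findings for the FPD upgrade settings."""
    findings = []
    path_url = None
    for raw in running_config.splitlines():
        line = raw.strip()
        # Assumption: a disabled automatic upgrade is shown as the "no" form.
        if line == "no upgrade fpd auto":
            findings.append(("AUTO_UPGRADE_DISABLED",
                             "a card that requires an FPD upgrade will stay disabled"))
        match = re.fullmatch(r"upgrade fpd path\s+(\S+)", line)
        if match:
            path_url = match.group(1)

    if path_url is None:
        # No alternate location configured: the Flash file systems are searched.
        return findings

    parts = urlsplit(path_url)
    last_segment = parts.path.rsplit("/", 1)[-1]
    if last_segment.lower().endswith(".pkg"):
        # The URL must name the directory, not the package file itself.
        findings.append(("PATH_NAMES_PACKAGE_FILE",
                         "remove the file name and end the URL with '/'"))
    elif not path_url.endswith("/"):
        findings.append(("PATH_MISSING_TRAILING_SLASH",
                         "the final '/' is required"))
    if parts.password:
        # Report the account only; never echo the password into a report.
        findings.append(("PATH_EMBEDS_PASSWORD",
                         f"FTP password for user {parts.username!r} is stored "
                         "in the configuration"))
    return findings


# Constructed sample configuration with three problems.
SAMPLE_CONFIG = """\
hostname Router
no upgrade fpd auto
upgrade fpd path ftp://login:password@my_ftpserver/fpd_pkg_dir
"""

if __name__ == "__main__":
    for code, detail in audit_fpd_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```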
Upgrading Multiple FPD Images
A single piece of hardware can contain multiple FPD images. The Cisco 7600 series router can upgrade
up to 4 FPD images simultaneously. However, only one FPD upgrade per router slot can occur at a time,
so all FPD images on all SIPs and SPAs in a single slot will have to wait for another FPD upgrade to
finish.
Users should note that some FPD images require the SIP or SPA to reload to complete. The FPD upgrade
process will perform this step automatically, so users do not have to intervene. However, the other FPDs
in the hardware of the specified slot will have to wait for this reload to complete before their upgrade
process begins.
During an automatic upgrade, the Cisco 7600 series router will upgrade as many FPDs as possible at a
time. No user intervention is possible or necessary. The upgrade process will not stop until all FPD
images have been updated.
During manual upgrades, note that you can specify upgrades for only a single piece of hardware each
time the upgrade hw-module [slot slot-number | subslot slot-number/subslot-number] command is
entered. The limit of 4 simultaneous upgrades applies to manual upgrades as well; if you individually
specify multiple manual FPD upgrades, only 4 FPDs can be upgraded simultaneously, and that can occur
only when the hardware is in different router slots. The FPD upgrade process will stop when all FPDs
for the specified hardware have been upgraded.
Displaying Current and Minimum Required FPD Image Versions
To display the current version of FPD images on the SIPs and SPAs installed on your router, use the show
hw-module [slot-number/subslot-number | all] fpd command, where slot-number is the slot number
where the SIP is installed, and subslot-number is the number of the SIP subslot where a target SPA is
located. Entering the all keyword shows information for hardware in all router slots.
The following examples show the output when using this show command.
The output display in this example shows that FPD versions on the SIPs and SPAs in the system meet
the minimum requirements:
Router# show hw-module all fpd
==== ====================== ====== =============================================
H/W Field Programmable Current Min. Required
Slot Card Type Ver. Device:"ID-Name" Version Version
==== ====================== ====== ================== =========== ==============
1 7600-SIP-200 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.2 1.2
---- ---------------------- ------ ------------------ ----------- --------------
1/1 SPA-2XOC3-ATM 0.225 1-I/O FPGA 1.24 1.24
---- ---------------------- ------ ------------------ ----------- --------------
4 7600-SIP-200 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.2 1.2
---- ---------------------- ------ ------------------ ----------- --------------
4/0 SPA-2XT3/E3 1.0 1-ROMMON 2.12 2.12
2-I/O FPGA 0.24 0.24
3-E3 FPGA 0.6 0.6
4-T3 FPGA 0.14 0.14
---- ---------------------- ------ ------------------ ----------- --------------
4/1 SPA-4XOC3-POS 0.209 1-I/O FPGA 3.4 3.4
---- ---------------------- ------ ------------------ ----------- --------------
4/2 SPA-8XCHT1/E1 0.117 1-ROMMON 2.12 2.12
2-I/O FPGA 1.2 1.2
==== ====================== ====== =============================================
This example shows the output when verifying all the FPDs for the carrier card and all the SPAs in a
specific slot:
Router# show hw-module slot 4 fpd
==== ====================== ====== =============================================
H/W Field Programmable Current Min. Required
Slot Card Type Ver. Device:"ID-Name" Version Version
==== ====================== ====== ================== =========== ==============
4 7600-SIP-200 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.2 1.2
---- ---------------------- ------ ------------------ ----------- --------------
4/0 SPA-2XT3/E3 1.0 1-ROMMON 2.12 2.12
2-I/O FPGA 0.24 0.24
3-E3 FPGA 0.6 0.6
4-T3 FPGA 0.14 0.14
---- ---------------------- ------ ------------------ ----------- --------------
4/1 SPA-4XOC3-POS 0.209 1-I/O FPGA 3.4 3.4
---- ---------------------- ------ ------------------ ----------- --------------
4/2 SPA-8XCHT1/E1 0.117 1-ROMMON 2.12 2.12
2-I/O FPGA 1.2 1.2
==== ====================== ====== =============================================
This example shows the output when using the slot-number/subslot-number argument to identify a
particular SPA:
Router# show hw-module subslot 4/2 fpd
==== ====================== ====== =============================================
H/W Field Programmable Current Min. Required
Slot Card Type Ver. Device:"ID-Name" Version Version
==== ====================== ====== ================== =========== ==============
4/2 SPA-8XCHT1/E1 0.117 1-ROMMON 2.12 2.12
2-I/O FPGA 1.2 1.2
==== ====================== ====== =============================================
The output display in this example shows that the SIP in slot 4 is disabled because one of the
programmable devices does not meet the minimum version requirements. The output also contains a
“NOTES” section that provides the name of the FPD image package file needed to upgrade the disabled
SIP’s FPD image.
Router#show hw-module all fpd
==== ====================== ====== =============================================
H/W Field Programmable Current Min. Required
Slot Card Type Ver. Device:"ID-Name" Version Version
==== ====================== ====== ================== =========== ==============
1 7600-SIP-200 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.2 1.2
---- ---------------------- ------ ------------------ ----------- --------------
1/1 SPA-2XOC3-ATM 0.225 1-I/O FPGA 1.24 1.24
---- ---------------------- ------ ------------------ ----------- --------------
4 7600-SIP... 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.1 1.2 *
==== ====================== ====== =============================================
NOTES:
- FPD images that are required to be upgraded are indicated with a '*'
character in the "Minimal Required Version" field.
- The following FPD image package file is required for the upgrade:
"c7600-fpd-pkg.122-18.SXE.pkg"
Displaying Information About the Default FPD Image Package
You can use the show upgrade fpd package default command to find out which SIPs and SPAs are
supported with your current Cisco IOS release and which FPD image package you need for an upgrade.
Router# show upgrade fpd package default
*************************************************************************
This IOS release requires the following default FPD Image Package for
the automatic upgrade of FPD images:
*************************************************************************
Version:12.2(SXE)
Package Filename:c7600-fpd-pkg.122-18.SXE.pkg
List of card type supported in this package:
Minimal
No. Card Type HW Ver.
---- ------------------ -------
1) 2 port adapter Enh 1.0
2) 2xCT3 SPA 0.100
3) 2xCT3 SPA 0.200
4) 4xCT3 SPA 0.100
5) 4xCT3 SPA 0.200
Verifying the FPD Image Upgrade Progress
You can use the show upgrade fpd progress command to view a “snapshot” of the upgrade progress
while an FPD image upgrade is taking place. The following example shows the type of information this
command displays:
Router#show upgrade fpd progress
FPD Image Upgrade Progress Table:
==== =================== ====================================================
Approx.
Field Programmable Time Elapsed
Slot Card Type Device : "ID-Name" Needed Time State
==== =================== ================== ========== =====================
1/1 SPA-2XOC3-ATM 1-I/O FPGA 00:06:30 00:01:25 Updating...
---- ------------------- ------------------ ----------- --------------------
4/0 SPA-2XT3/E3 1-ROMMON 00:00:30 00:00:02 Completed
2-I/O FPGA 00:01:00 00:00:01 Updating...
3-E3 FPGA 00:00:30 --:--:-- Waiting...
4-T3 FPGA 00:00:30 --:--:-- Waiting...
---- ------------------- ------------------ ----------- --------------------
4/2 SPA-8XCHT1/E1 1-ROMMON --:--:-- --:--:-- Waiting...
2-I/O FPGA --:--:-- --:--:-- Waiting...
==== =======================================================================
FPD Image Upgrade Examples
This section provides examples of automatic and manual FPD image upgrades. It includes the following
examples:
• System Cannot Locate FPD Image Package File for an Automatic FPD Image Upgrade Example,
page 35-13
• Automatic FPD Image Upgrade Example, page 35-13
• Manual FPD Image Upgrade Example, page 35-14
• Pending FPD Upgrade Example, page 35-15
System Cannot Locate FPD Image Package File for an Automatic FPD Image Upgrade Example
The following example displays the output when a SIP-200 requires an FPD upgrade and the upgrade
fpd auto command is enabled, but the system cannot find the FPD image package file.
Mar 25 16:14:13:%FPD_MGMT-3-INCOMP_IMG_VER:Incompatible ROMMON (FPD ID=5) image version
detected for 7600-SIP-200 card in slot 1. Detected version = 1.1, minimum required version
= 1.2. Current HW version = 0.550.
Mar 25 16:14:13:%FPD_MGMT-5-UPGRADE_ATTEMPT:Attempting to automatically upgrade the FPD
image(s) for 7600-SIP-200 card in slot 1. Use 'show upgrade fpd progress' command to view
the upgrade progress ...
Mar 25 16:14:14:%FPD_MGMT-3-PKG_FILE_SEARCH_FAILED:FPD image package
(c7600-fpd-pkg.122-18.SXE.pkg) cannot be found in system's flash card or disk to do FPD
upgrade.
Mar 25 16:14:14:%OIR-6-REMCARD:Card removed from slot 1, interfaces disabled
Mar 25 16:14:14:%FPD_MGMT-5-CARD_DISABLED:7600-SIP-200 card in slot 1 is being disabled
because of an incompatible FPD image version. Note that the c7600-fpd-pkg.122-18.SXE.pkg
package will be required if you want to perform the upgrade operation.
Mar 25 16:14:14:%C6KPWR-SP-4-DISABLED:power to module in slot 1 set off (FPD Upgrade
Failed)
Automatic FPD Image Upgrade Example
The following example shows the output displayed when a SIP-200 requires an FPD image upgrade and
the upgrade fpd auto command is enabled. In this example, the router has been configured to locate the
FPD image package from a TFTP server, but most of the output would be similar regardless of the
location of the FPD image package. The required FPD image is automatically upgraded.
Mar 25 16:22:48:%FPD_MGMT-3-INCOMP_IMG_VER:Incompatible ROMMON (FPD ID=5) image version
detected for 7600-SIP-200 card in slot 1. Detected version = 1.1, minimum required version
= 1.2. Current HW version = 0.550.
Mar 25 16:22:48:%FPD_MGMT-5-UPGRADE_ATTEMPT:Attempting to automatically upgrade the FPD
image(s) for 7600-SIP-200 card in slot 1. Use 'show upgrade fpd progress' command to view
the upgrade progress ...
Mar 25 16:22:48:%FPD_MGMT-6-BUNDLE_DOWNLOAD:Downloading FPD image bundle for 7600-SIP-200
card in slot 1 ...
Loading muck/luislu/c7600-fpd-pkg.122-18.SXE.pkg from 223.255.254.254 (via
GigabitEthernet5/1):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mar 25 16:23:17:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for
7600-SIP-200 card in slot 1 = 00:02:00.
Mar 25 16:23:17:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=5) image upgrade in progress for
7600-SIP-200 card in slot 1. Updating to version 1.2. PLEASE DO NOT INTERRUPT DURING THE
UPGRADE PROCESS (estimated upgrade completion time = 00:02:00) ...
Mar 25 16:23:25:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=5) image in the 7600-SIP-200
card in slot 1 has been successfully updated from version 1.1 to version 1.2. Upgrading
time = 00:00:08.452
Mar 25 16:23:25:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD
images have been completed for 7600-SIP-200 card in slot 1. Number of successful/failure
upgrade(s):1/0.
Mar 25 16:23:26:%FPD_MGMT-5-CARD_POWER_CYCLE:7600-SIP-200 card in slot 1 is being power
cycled for the FPD image upgrade to take effect.
Mar 25 16:23:26:%OIR-6-REMCARD:Card removed from slot 1, interfaces disabled
Mar 25 16:23:26:%C6KPWR-SP-4-DISABLED:power to module in slot 1 set off (Reset)
Mar 25 16:24:16:%CWAN_RP-6-CARDRELOAD:Module reloaded on slot 1/0
Mar 25 16:24:18:%DIAG-SP-6-RUN_COMPLETE:Module 1:Running Complete Diagnostics...
Mar 25 16:24:18:%DIAG-SP-6-DIAG_OK:Module 1:Passed Online Diagnostics
Mar 25 16:24:19:%OIR-SP-6-INSCARD:Card inserted in slot 1, interfaces are now online
Manual FPD Image Upgrade Example
In the following example, FPD for the T1/E1 SPA in subslot 4/2 is upgraded manually from the FPD
image package file that was placed on disk0:
Router# upgrade hw-module subslot 4/2 file disk0:c7600-fpd-pkg.122-18.SXE.pkg
% The following FPD(s) will be upgraded for SPA-8XCHT1/E1 (H/W ver = 0.117) in subslot
4/2:
================== =========== =========== ============
Field Programmable Current Upgrade Estimated
Device:"ID-Name" Version Version Upgrade Time
================== =========== =========== ============
1-ROMMON 2.11 2.12 00:00:20
2-I/O FPGA 1.1 1.2 00:01:00
================== =========== =========== ============
% Are you sure that you want to perform this operation? [no]:y
% Restarting the target card in subslot 4/2 for FPD image upgrade. Please wait ...
Router#
Mar 25 17:01:01:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image upgrade time for
SPA-8XCHT1/E1 card in subslot 4/2 = 00:01:20.
Mar 25 17:01:01:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=1) image upgrade in progress for
SPA-8XCHT1/E1 card in subslot 4/2. Updating to version 2.12. PLEASE DO NOT INTERRUPT
DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:00:20) ...
Router#
Mar 25 17:01:04:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=1) image in the SPA-8XCHT1/E1
card in subslot 4/2 has been successfully updated from version 2.11 to version 2.12.
Upgrading time = 00:00:03.092
Mar 25 17:01:04:%FPD_MGMT-6-UPGRADE_START:I/O FPGA (FPD ID=2) image upgrade in progress
for SPA-8XCHT1/E1 card in subslot 4/2. Updating to version 1.2. PLEASE DO NOT INTERRUPT
DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:01:00) ...
Router#
Mar 25 17:01:26:%FPD_MGMT-6-UPGRADE_PASSED:I/O FPGA (FPD ID=2) image in the SPA-8XCHT1/E1
card in subslot 4/2 has been successfully updated from version 1.1 to version 1.2.
Upgrading time = 00:00:22.580
Mar 25 17:01:26:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to upgrade the required FPD
images have been completed for SPA-8XCHT1/E1 card in subslot 4/2. Number of
successful/failure upgrade(s):2/0.
Router#
Mar 25 17:01:26:%FPD_MGMT-5-CARD_POWER_CYCLE:SPA-8XCHT1/E1 card in subslot 4/2 is being
power cycled for the FPD image upgrade to take effect.
Pending FPD Upgrade Example
In the following example, some FPD images are waiting for upgrades because the FPD upgrade process
is upgrading another FPD on the same card (up to four FPD upgrades can occur at once, but the upgrades
have to occur on hardware in different line card slots). In this particular example, the FPD upgrade
process is happening on a SIP-200.
Mar 25 17:04:59:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image
upgrade time for 7600-SIP-200 card in slot 1 = 00:10:00.
Mar 25 17:04:59:%FPD_MGMT-6-UPGRADE_START:ROMMON (FPD ID=5) image
upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version
1.2. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated
upgrade completion time = 00:02:00) ...
Mar 25 17:05:08:%FPD_MGMT-6-UPGRADE_PASSED:ROMMON (FPD ID=5) image in
the 7600-SIP-200 card in slot 1 has been successfully updated from
version 1.1 to version 1.2. Upgrading time = 00:00:08.884
Mar 25 17:05:08:%FPD_MGMT-6-PENDING_UPGRADE:4 more FPD image upgrade
operation will be required on 7600-SIP-200 in slot 1 after additional
power-cycle operation on the target card.
Mar 25 17:05:08:%FPD_MGMT-5-CARD_POWER_CYCLE:7600-SIP-200 card in slot
1 is being power cycled for the FPD image upgrade to take effect.
Mar 25 17:05:08:%OIR-6-REMCARD:Card removed from slot 1, interfaces
disabled
Mar 25 17:05:08:%C6KPWR-SP-4-DISABLED:power to module in slot 1 set
off (Reset)
Mar 25 17:05:59:%CWAN_RP-6-CARDRELOAD:Module reloaded on slot 1/0
Mar 25 17:06:02:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image
upgrade time for 7600-SIP-200 card in slot 1 = 00:10:00.
Mar 25 17:06:02:%FPD_MGMT-6-UPGRADE_START:I/O FPGA (FPD ID=1) image
upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version
1.1. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated
upgrade completion time = 00:02:00) ...
Mar 25 17:06:21:%FPD_MGMT-6-UPGRADE_PASSED:I/O FPGA (FPD ID=1) image
in the 7600-SIP-200 card in slot 1 has been successfully updated from
version 1.0 to version 1.1. Upgrading time = 00:00:18.592
Mar 25 17:06:21:%FPD_MGMT-6-UPGRADE_START:EOS FPGA (FPD ID=2) image
upgrade in progress for 7600-SIP-200 card in slot 1. Updating to version
1.211. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated
upgrade completion time = 00:02:00) ...
Mar 25 17:07:18:%FPD_MGMT-6-UPGRADE_PASSED:EOS FPGA (FPD ID=2) image
in the 7600-SIP-200 card in slot 1 has been successfully updated from
version 1.210 to version 1.211. Upgrading time = 00:00:56.812
Mar 25 17:07:18:%FPD_MGMT-6-UPGRADE_START:PEGASUS TX FPGA (FPD ID=3)
image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to
version 1.129. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS
(estimated upgrade completion time = 00:02:00) ...
Mar 25 17:08:17:%FPD_MGMT-6-UPGRADE_PASSED:PEGASUS TX FPGA (FPD ID=3)
image in the 7600-SIP-200 card in slot 1 has been successfully updated
from version 1.120 to version 1.129. Upgrading time = 00:00:59.188
Mar 25 17:08:17:%FPD_MGMT-6-UPGRADE_START:PEGASUS RX FPGA (FPD ID=4)
image upgrade in progress for 7600-SIP-200 card in slot 1. Updating to
version 1.3. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS
(estimated upgrade completion time = 00:02:00) ...
Mar 25 17:09:03:%FPD_MGMT-6-UPGRADE_PASSED:PEGASUS RX FPGA (FPD ID=4)
image in the 7600-SIP-200 card in slot 1 has been successfully updated
from version 1.2 to version 1.3. Upgrading time = 00:00:45.396
Mar 25 17:09:03:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to
upgrade the required FPD images have been completed for 7600-SIP-200
card in slot 1. Number of successful/failure upgrade(s):5/0.
Mar 25 17:09:03:%FPD_MGMT-5-CARD_POWER_CYCLE:7600-SIP-200 card in slot
1 is being power cycled for the FPD image upgrade to take effect.
Troubleshooting Problems with FPD Image Upgrades
This section contains information to help troubleshoot problems that can occur during the upgrade
process.
Power Failure or Removal of a SIP or SPA During an FPD Image Upgrade
These instructions should only be used if a previous upgrade attempt has failed due to an external factor
such as a power failure or a jacket card or SPA removal.
If the FPD upgrade operation is interrupted by a power failure or the removal of the SIP or SPA, it could
corrupt the FPD image. This corruption of the FPD image file makes the SIP or SPA unusable by the
router and the system will display the following messages when it tries to power up the SIP or SPA:
Note To find more information about FPD-related messages, check the system error messages guide for
your Cisco IOS software release.
Mar 29 11:30:36:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting
recovery by reloading SPA
Mar 29 11:30:51:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:30:56:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting
recovery by reloading SPA
Mar 29 11:31:11:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:16:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting
recovery by reloading SPA
Mar 29 11:31:31:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:31:%SPA_OIR-3-SPA_POWERED_OFF:subslot 4/1:SPA 4xOC3 POS
SPA powered off after 5 failures within 600 seconds
The show hw-module all fpd command can be used to verify that the SIP or SPA is using a corrupted
FPD image. In this example, the SPA in slot 4/1 is corrupted.
Router#show hw-module all fpd
==== ====================== ====== =============================================
H/W Field Programmable Current Min. Required
Slot Card Type Ver. Device:"ID-Name" Version Version
==== ====================== ====== ================== =========== ==============
4 7600-SIP-200 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.2 1.2
---- ---------------------- ------ ------------------ ----------- --------------
4/1 SPA-4XOC3 ?.? ???????????? ?.? ?.?
==== ====================== ====== =============================================
Performing a FPD Recovery Upgrade
The recovery upgrade procedure can only be performed on a SIP or SPA that has been powered off by
the system after it has failed all of the retries attempted to initialize the SIP or SPA.
The following example displays the output of an attempt to perform a recovery upgrade before all the
initialization retries have been attempted for the SPA in subslot 4/1.
Note Other factors can cause the system to ask “Do you want to perform the recovery upgrade operation?”
Only answer y to this question if you have attempted an FPD upgrade that has failed due to a power
failure or a SIP or SPA removal.
If you are prompted for this question without having previously had a failed upgrade attempt for one of
the aforementioned reasons, contact Cisco Technical Support.
Mar 29 11:29:55:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting
recovery by reloading SPA
Mar 29 11:30:10:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:30:15:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting
recovery by reloading SPA
Mar 29 11:30:31:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Router#upgrade hw-module subslot 4/1 file
disk0:c7600-fpd-pkg.122-18.SXE.pkg
% Cannot get FPD version information for version checking. If a previous
upgrade attempt has failed for the target card, then a recovery upgrade
would be required to fix the failure.
% The following FPD(s) will be upgraded for SPA-4XOC3-POS (H/W ver =
0.209) in subslot 4/1:
================== =========== =========== ============
Field Programmable Current Upgrade Estimated
Device:"ID-Name" Version Version Upgrade Time
================== =========== =========== ============
1-I/O FPGA ?.? 3.4 00:02:00
================== =========== =========== ============
% Do you want to perform the recovery upgrade operation? [no]:y
% Cannot perform recovery upgrade operation because the target card is
not in a failed state. Please try again later.
Once the following error message is displayed, you can perform the recovery upgrade:
Note You must wait to see this error message before you attempt the upgrade.
Mar 29 11:31:31:%SPA_OIR-3-SPA_POWERED_OFF:subslot 4/1:SPA 4xOC3 POS SPA powered off after
5 failures within 600 seconds
Perform the manual FPD image upgrade method using the upgrade hw-module subslot command to
recover from a corrupted image after the SIP or SPA has been powered off by the system. In this
command, slot-number is the slot where the SIP is installed, subslot-number is the subslot of the SIP
where the SPA is located, and file-url is the location of the FPD image package file.
Note Before proceeding with this operation, make sure that the correct version of the FPD image package
file has been obtained for the corresponding Cisco IOS release that the system is using.
The following example displays the console output of a recovery upgrade operation:
Router#upgrade hw-module subslot 4/1 file
disk0:c7600-fpd-pkg.122-18.SXE.pkg
% Cannot get FPD version information for version checking. If a previous
upgrade attempt has failed for the target card, then a recovery upgrade
would be required to fix the failure.
% The following FPD(s) will be upgraded for SPA-4XOC3-POS (H/W ver =
0.209) in subslot 4/1:
================== =========== =========== ============
Field Programmable Current Upgrade Estimated
Device:"ID-Name" Version Version Upgrade Time
================== =========== =========== ============
1-I/O FPGA ?.? 3.4 00:02:00
================== =========== =========== ============
% Do you want to perform the recovery upgrade operation? [no]:y
% Proceeding with recovery upgrade operation ...
Router#
Mar 29 11:37:51:%FPD_MGMT-6-UPGRADE_TIME:Estimated total FPD image
upgrade time for SPA-4XOC3-POS card in subslot 4/1 = 00:02:00.
Mar 29 11:37:51:%FPD_MGMT-6-UPGRADE_START:Unknown FPD (FPD ID=1) image
upgrade in progress for SPA-4XOC3-POS card in subslot 4/1. Updating to
version 3.4. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS
(estimated upgrade completion time = 00:02:00) ...
Router#
Mar 29 11:39:11:%FPD_MGMT-6-UPGRADE_PASSED:Unknown FPD (FPD ID=1)
image in the SPA-4XOC3-POS card in subslot 4/1 has been successfully
updated from version ?.? to version 3.4. Upgrading time = 00:01:19.528
Mar 29 11:39:11:%FPD_MGMT-6-OVERALL_UPGRADE:All the attempts to
upgrade the required FPD images have been completed for SPA-4XOC3-POS
card in subslot 4/1. Number of successful/failure upgrade(s):1/0.
Mar 29 11:39:11:%FPD_MGMT-5-CARD_POWER_CYCLE:SPA-4XOC3-POS card in
subslot 4/1 is being power cycled for the FPD image upgrade to take
effect.
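The console messages in the upgrade examples and in the recovery procedure above can be reduced to one outcome per card, including whether the SPA_POWERED_OFF message that must precede a recovery upgrade has been seen. This is an added example, not Cisco code: the function names and verdict labels are constructed, the sample is assembled from the message excerpts above, and a message that names no slot is attributed to the most recently named card as an assumption.

```python
import re

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d:%")
RECORD = re.compile(r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z]+)?)-(?P<severity>\d)-"
                    r"(?P<mnemonic>[A-Z0-9_]+):(?P<text>.*)")
LOCATION = re.compile(r"\b(?:slot|subslot) (\d+(?:/\d+)?)")
PASSED = re.compile(r"^(.+?) \(FPD ID=\d+\).*from version (\S+) to version (\d+\.\d+)")
TALLY = re.compile(r"upgrade\(s\):(\d+)/(\d+)")
# Prompts, CLI dialogue, download progress and table rules are not log text.
NOISE = ("Router#", "Loading ", "%", "!", "==", "--")


def join_records(console_text):
    """Re-join messages that the console wrapped across several lines."""
    records, current = [], None
    for raw in console_text.splitlines():
        line = raw.strip()
        if STAMP.match(line):
            current = [line]
            records.append(current)
        elif not line or line.startswith(NOISE):
            current = None                    # stop appending to the last message
        elif current is not None:
            current.append(line)
    return [" ".join(parts) for parts in records]


def summarize(console_text):
    """Map each slot or subslot to the outcome of its FPD upgrade activity."""
    cards, last = {}, None
    for record in join_records(console_text):
        m = RECORD.search(record)
        if not m or m["facility"] not in ("FPD_MGMT", "SPA_OIR"):
            continue
        where = LOCATION.search(m["text"])
        last = where.group(1) if where else last  # PKG_FILE_SEARCH_FAILED names no slot
        if last is None:
            continue
        card = cards.setdefault(last, {"verdict": "unknown", "upgraded": [],
                                       "package_missing": False,
                                       "recovery_ready": False, "init_timeouts": 0})
        mnemonic, text = m["mnemonic"], m["text"].strip()
        if mnemonic == "INCOMP_IMG_VER":
            card["verdict"] = "incompatible"
        elif mnemonic == "PKG_FILE_SEARCH_FAILED":
            card["package_missing"] = True
        elif mnemonic == "CARD_DISABLED":
            card["verdict"] = "disabled"
        elif mnemonic == "PENDING_UPGRADE":
            card["verdict"] = "pending"
        elif mnemonic == "UPGRADE_PASSED" and PASSED.search(text):
            card["upgraded"].append(PASSED.search(text).groups())
        elif mnemonic == "OVERALL_UPGRADE" and TALLY.search(text):
            failed = int(TALLY.search(text).group(2))
            card["verdict"] = "upgraded" if failed == 0 else "upgrade-failed"
            card["recovery_ready"] = False
        elif mnemonic == "HW_INIT_TIMEOUT":
            card["init_timeouts"] += 1
            card["verdict"] = "init-failing"
        elif mnemonic == "SPA_POWERED_OFF":
            # Only now can a recovery upgrade be attempted.
            card["verdict"], card["recovery_ready"] = "powered-off", True
    return cards


# Constructed sample: excerpts of the messages shown in this chapter.
SAMPLE_CONSOLE = """\
Mar 25 16:14:13:%FPD_MGMT-3-INCOMP_IMG_VER:Incompatible ROMMON (FPD ID=5) image version
detected for 7600-SIP-200 card in slot 1. Detected version = 1.1, minimum required version
= 1.2. Current HW version = 0.550.
Mar 25 16:14:14:%FPD_MGMT-3-PKG_FILE_SEARCH_FAILED:FPD image package
(c7600-fpd-pkg.122-18.SXE.pkg) cannot be found in system's flash card or disk to do FPD
upgrade.
Mar 25 16:14:14:%OIR-6-REMCARD:Card removed from slot 1, interfaces disabled
Mar 25 16:14:14:%FPD_MGMT-5-CARD_DISABLED:7600-SIP-200 card in slot 1 is being disabled
because of an incompatible FPD image version.
Mar 29 11:31:11:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:16:%SPA_OIR-3-RECOVERY_RELOAD:subslot 4/1:Attempting
recovery by reloading SPA
Mar 29 11:31:31:%SPA_OIR-3-HW_INIT_TIMEOUT:subslot 4/1
Mar 29 11:31:31:%SPA_OIR-3-SPA_POWERED_OFF:subslot 4/1:SPA 4xOC3 POS
SPA powered off after 5 failures within 600 seconds
"""

if __name__ == "__main__":
    for location, outcome in summarize(SAMPLE_CONSOLE).items():
        print(location, outcome)
```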
Verifying a Successful Upgrade
After the upgrade process is complete, you can use the show hw-module all fpd command to verify that
the FPD image has been successfully upgraded:
Router#show hw-module all fpd
==== ====================== ====== =============================================
H/W Field Programmable Current Min. Required
Slot Card Type Ver. Device:"ID-Name" Version Version
==== ====================== ====== ================== =========== ==============
4 7600-SIP-200 0.550 1-I/O FPGA 1.1 1.1
2-EOS FPGA 1.211 1.211
3-PEGASUS TX FPGA 1.129 1.129
4-PEGASUS RX FPGA 1.3 1.3
5-ROMMON 1.2 1.2
---- ---------------------- ------ ------------------ ----------- --------------
4/1 SPA-4XOC3-POS 0.209 1-I/O FPGA 3.4 3.4
==== ====================== ====== ============================================= 35-20
PART 10
Glossary
B
blank filler plate: An empty panel used to fill vacant subslots on a SIP. For proper operation, a SIP should be fully
installed with either functional SPAs or blank filler plates.
D
double height: Describes the dimension of a SPA that occupies two, vertically-aligned SIP subslots.
F
FPD: Field-programmable device. General term for any hardware component implemented on router cards
that supports separate software upgrades. SIPs and SPAs must have the right FPD version to function
properly; an FPD incompatibility will disable all interfaces on the SPA or all SPAs within the SIP.
FPD image package: An FPD image package is used to upgrade FPD images. Whenever a Cisco IOS image is released that
supports SPAs, a companion SPA FPD image package is also released for that Cisco IOS software
release.
O
OIR: Online insertion and removal. Feature supported by SIPs and SPAs allowing removal of the cards while
the router and the cards are activated, without affecting the operation of other cards or the router.
Although this removal can be done while the SIP or SPA is activated, it is generally recommended that
you gracefully deactivate the hardware using the appropriate commands for your platform prior to
removal of the hardware.
S
SFP: Small form-factor pluggable optical transceiver. A type of fiber optic receptacle device that mounts
flush with the front panel to provide network connectivity.
single height: Describes the dimension of a SPA that occupies a single SIP subslot, or half of the SIP.
SIP: SPA interface processor. A SIP is a platform-specific carrier card that inserts into a router slot like a
line card. A SIP can hold one or more SPAs in its subslots, depending on the SIP type. The SPA
provides the network interface. The SIP provides the connection between the route processor (RP) and
the SPA.
SPA: Shared port adapter. A SPA is a modular, platform-independent port adapter that inserts into a subslot
of a compatible SIP carrier card to provide network connectivity and increased interface port density.
The SPA provides the interface between the network and the SIP.
subslot: Secondary slot on a SIP where a SPA is installed. The primary slot is the chassis slot on the router.
INDEX
Symbols
1-8
? command 1-8
Numerics
802.1D 6-12
A
AAL5CISCOPPP encapsulation 6-4
AAL5MUX encapsulation 6-4
AAL5NLPID encapsulation 6-4
AAL5SNAP encapsulation 6-5
access port
configuration (example) 25-29
configuring 25-8
activation
verifying for SIPs 5-5
verifying for SPAs 5-7
administratively down state 12-103
Advanced Encryption Standard. See AES.
AES
configuration (example) 28-22, 29-34
configuring 28-2, 29-2
AIS 8-16
alarm indication signal, see AIS
anti-replay window size, configuring 29-6
aps reflector command 6-15, 9-15
asymmetric routing 25-6, 26-5
ATM
AIS 8-16
encapsulation 6-4
FERF 8-16
HCSE 8-16
line coding errors 8-16
LOF 8-16
RAI 8-16
service classes 6-5
SPA system messages 8-16
ATM-ACCOUNTING-INFORMATION-MIB 3-24
atm bridge-enable command 6-15, 7-23
ATM-MIB 3-24
ATM-SOFT-PVC-MIB 3-24
ATMSPA system messages 8-16
ATM-TC-MIB 3-24
ATM-TRACE-MIB 3-24
AToM (Any Transport over ATM)
configuration guidelines, Cisco 7600 SIP-400 4-81
AToM (Any Transport over MPLS)
configuring on SIPs 4-80
AToM over GRE (configuration example) 12-109
automatic SPA FPD image upgrade
(example) 35-13
cannot locate FPD image package (example) 35-13
disabling 35-6
re-enabling 35-6
autonegotiation
configuring 12-11 to 12-12
disabling
on fiber interfaces 12-12
enabling on fiber interfaces 12-12
average cell rate 6-5
B
bandwidths, modifying 4-116
BCP. See Bridging Control Protocol
BFG
configuration (example) 32-38
configuring 32-22
troubleshooting 34-27
blade failure group. See BFG.
blank filler plate 8-27, 13-10, 23-18, 34-30
for empty subslots in an SSC 2-2
for empty subslots in a SIP 2-1
single-height size 2-3
BPDU packet formats 6-13
bridge-domain (VC configuration) command 4-42, 4-45,
4-48, 4-51
bridge-domain command 4-65, 12-95
Bridged Routed Encapsulation within an Automatic
Protection Switching Group 7-28
Bridge Protocol Data Unit (BPDU) 6-12
Bridging Control Protocol
configuring 17-17, 18-17, 19-22, 22-19
Bridging Control Protocol (BCP) 12-15
C
CAC
configuration 28-15
configuration (examples) 28-24
Call Admission Control (CAC)
configuration (examples) 28-24
Call Admission Control. See CAC
carriage return () 1-8
cautions, usage in text iii-xlix
CBR 6-5
CEF 6-1, 7-1, 8-1, 9-1, 10-1
CEF for PFC2
See CEF
certificate autoenrollment
configuration (example) 30-59
configuring 30-26
certificate chain verification
configuration (examples) 30-65
certificate chain verification, configuring 30-52
certificate security attribute-based access control
configuration (example) 30-62
configuring 30-41
certificate to ISAKMP profile mapping
configuration (examples) 28-23
certificate to ISAKMP profile mapping, configuring 28-6
Changing the speed of a Fast Ethernet SPA
configuration (example) 12-114
Cisco 7600 SIP-200
description 3-5
faceplate (figure) 4-5
features 3-5 to 3-10
MLFR, configuring 4-7 to 4-13
MLPPP, configuring 4-14 to 4-21, 22-14 to ??
restrictions 3-19
SPA compatibility (table) 2-4, 2-5, 2-6
subslot numbering 4-5
Cisco 7600 SIP-400
description 3-5
features 3-11 to 3-15
restrictions 3-20
SPA compatibility (table) 2-4, 2-5, 2-6
Cisco 7600 SIP-600
description 3-5
features 3-16 to 3-18
SPA compatibility (table) 2-4, 2-5, 2-6
Cisco 7600 SSC-400
restrictions 3-24
Cisco 7609 router (figure) 4-4
CISCO-AAL5-MIB 3-24
CISCO-ATM-CONN-MIB 3-25
CISCO-ATM-RM-MIB 3-25
CISCO-ATM TRAFFIC-MIB 3-25
CISCO-CLASS-BASED-QOS-MIB 3-25
Cisco Discovery Protocol (CDP) 12-13
CISCO-ENTITY-ASSET-MIB 3-24, 3-25
CISCO-ENTITY-EXT-MIB 3-24, 3-25
CISCO-ENTITY-FRU-CONTROL-MIB 3-24, 3-25
Cisco IOS configuration changes, saving 1-12
Cisco MIB Locator 11-20, 11-21
clear crypto sa command 34-24
command line processing 1-6
command modes, understanding 1-6 to 1-7
commands
context-sensitive help for abbreviating 1-8
default form, using 1-11
no form, using 1-11
show interfaces serial
troubleshooting serial lines 23-4
command syntax
conventions iii-xlix
displaying (example) 1-8
common part convergence sublayer 6-13
conditions
status line, show interfaces serial command 23-3
configuration example
BRE on a PVC 7-26
configurations, saving 1-12
configuration tasks, required
for the Fast Ethernet SPA 12-2
for the Gigabit Ethernet SPA 12-2
configure terminal command 5-8, 12-3
Configuring Interfaces Using SDH Framing 21-7
configuring SPAs
Fast Ethernet 12-1
Gigabit Ethernet 12-1
console error messages
Cisco 7600 SSC-400 34-2
IPSec VPN SPA 34-2
constant bit rate, see CBR
copy command 12-103
CoS 29-16, 29-18, 29-23
create on-demand command 6-15, 9-15
CRTP (Compressed Real-Time Protocol)
configuring 4-5
crypto conditional debug support 34-27
crypto-connect mode
configuring ports 25-4
defined 24-7
guidelines and restrictions 25-5
D
deactivation
verifying for SIPs 5-5
verifying for SPAs 5-7
debug atm bundle errors command 8-26
debug atm bundle events command 8-26
debug atm errors command 8-26
debug atm events command 8-26
debug atm oam command 8-26
debug atm packet command 8-26
debug command 13-1
debug crypto ace b2b command 34-27
debug hw-module subslot command 13-1
deny policy enhancements
configuration (example) 29-40
configuring 29-33
direct HTTP enrollment with CA servers
configuration (examples) 30-55
configuring 30-16
distinguished name-based crypto maps
configuration (example) 29-39
configuring 29-13
dMLPPP (Multilink PPP)
with IPSec VPN SPA 25-20
DMVPN (Dynamic Multipoint VPN)
configuring 31-2
hub in configuration (example) 31-18
spoke configuration (example) 31-19, 31-21
dot1q encapsulation 12-11
configuration (example) 12-108
configuring 12-13
DPD (Dead Peer Detection), configuring 28-17
DSS (Destination sensitive services) 3-21
E
Easy VPN client, configuring 31-16
Easy VPN remote RSA signature storage,
configuring 31-16
Easy VPN server
configuring 31-15
enhanced 31-16
router-side configuration (example) 31-22
encapsulation
ARPA 12-11
configuring 12-11
dot1q 12-11
configuration (example) 12-108
configuring 12-13
SNAP 12-9, 12-11
encapsulation, ATM 6-4
encapsulation command 6-15
encapsulation dot1q command 12-14, 12-78, 12-95
encapsulation frame-relay ietf command 4-46, 4-51, 12-89
encapsulation frame-relay mfr command 4-11, 4-12
encapsulation ppp command 4-19, 4-65, 22-15
encrypted preshared key
configuration (example) 28-23
encrypted preshared key, configuring 28-13
ENTITY-ASSET-MIB 3-25
ENTITY-EXT-MIB 3-25
ENTITY-FRU-CONTROL-MIB 3-25
ENTITY-MIB 3-24, 3-25
EoMPLS
configuration (example) 12-111
EtherChannel
interface port-channel (command) 4-166, 4-167, 4-168,
4-169
ETHER-MIB 3-25
ethernet oam command 12-63
ethernet oam link-monitor frame-period threshold high
command 12-68
ethernet oam link-monitor frame-period threshold low
command 12-68
ethernet oam link-monitor frame-period window
command 12-67
ethernet oam link-monitor frame-seconds threshold high
command 12-69
ethernet oam link-monitor frame-seconds threshold low
command 12-69
ethernet oam link-monitor frame-seconds window
command 12-68
ethernet oam link-monitor frame threshold high
command 12-67
ethernet oam link-monitor frame threshold low
command 12-67
ethernet oam link-monitor frame window command 12-66
ethernet oam link-monitor on command 12-65
ethernet oam link-monitor receive-crc threshold high
command 12-70
ethernet oam link-monitor receive-crc threshold low
command 12-70
ethernet oam link-monitor receive-crc window
command 12-69
ethernet oam link-monitor supported command 12-64
ethernet oam link-monitor symbol-period threshold high
command 12-66
ethernet oam link-monitor symbol-period threshold low
command 12-66
ethernet oam link-monitor symbol-period window
command 12-66
ethernet oam link-monitor transmit-crc threshold high
command 12-71
ethernet oam link-monitor transmit-crc threshold low
command 12-71
ethernet oam link-monitor transmit-crc window
command 12-70
ethernet oam remote-failure dying-gasp action
error-disable-interface command 12-73
event tracer feature 5-2, 8-26, 13-9, 23-18
F
far-end receive failure, see FERF
FERF 8-16
filtering output, show and more commands 1-12
flow control
support 12-21
verifying 12-21, 12-22
flow control receive command 12-22
flow control send command 12-22
FPD image packages
cannot locate (example) 35-13
caution 35-4, 35-9
displaying default information 35-12
downloading 35-7 to 35-9
modifying the default path 35-9
overview 35-3
FPD images
displaying minimum and current versions 35-10
manually upgrading 35-7
troubleshooting upgrades 35-16 to 35-19
upgrade failure recovery (example) 35-17 to 35-18
upgrade scenarios 35-3
upgrading in production 35-5 to 35-6
verifying successful upgrade 35-19
verifying upgrade progress 35-12
FPDs (field-programmable devices)
description 35-1
Frame Relay
features, configuring on SIPs 4-7 to 4-32
frame-relay intf-type dce command 4-10, 4-11, 4-16, 4-19
frame-relay multilink ack command 4-13
frame-relay multilink bid command 4-10
frame-relay multilink hello command 4-13
frame-relay multilink lid command 4-12
frame-relay multilink retry command 4-13
FRF.16, See MLFR
front door VRF (FVRF), defined 26-2
FTP server, downloading FPD images to 35-7 to 35-9
FVRF
not supported on spoke 31-3
FVRF, defined 26-2
G
Generic Routing Encapsulation. See GRE tunneling.
giant packets 7-4
global configuration mode, summary of 1-7
GRE tunneling
configuration (example) 25-40
configuring 25-21
interfaces and subinterfaces, configuring 12-18
takeover criteria 25-23
H
hardware platforms
See platforms, supported
HCSE 8-16
help command 1-8
Hierarchical VPLS (H-VPLS) 12-46
Hot Standby Router Protocol (HSRP)
verifying configuration 12-6
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html iii-l
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html 3-12, 3-20, 3-23, 3-24
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html 10-61
hw-module reset command 4-170
hw-module slot subslot only command 26-33
hw-module subslot command 12-103
hw-module subslot shutdown command 5-6, 5-7, 5-8
I
IC-SSO 20-27
IEEE 802.1Q encapsulation 12-11
configuration (example) 12-108
configuring 12-13
IF-MIB 3-25
IKE policy
troubleshooting 34-27
inside port, configuring 25-7
inside VRF (IVRF), defined 26-2
Inter Chassis Redundancy Manager 20-28
Inter Chassis-Stateful Switchover 20-27
interface
basic configuration (example) 12-105
enabling 12-4
restarting 12-103
shutting down 12-103
verifying configuration 12-104
interface address, specifying 12-4
interface atm command 4-39, 4-40
interface configuration mode, summary of 1-7
interface fastethernet command 12-3, 12-14
interface gigabitethernet command 12-3, 12-14, 12-95
interface mfr command 4-10
interface multilink command 4-17, 22-15
interface port-channel (command) 4-166, 4-167, 4-168, 4-169
interface pos command 4-45, 4-46, 4-47, 4-61, 4-65
interface serial command 4-12, 4-19, 4-45, 4-46, 4-47, 4-50,
4-61, 4-65, 22-15
interface status line
states, show interfaces serial command 23-3
interface tengigabitethernet command 12-3, 12-14
ip address command 4-16, 4-17, 12-3, 12-14, 22-15
ip cef distributed command 4-16
IP multicast over a GRE tunnel
configuration (example) 25-43, 26-33
configuring 25-26
IP multicast over a VTI tunnel
configuration (example) 26-37
ip pim sparse-mode command 12-18
IPSec and IKE MIB support for Cisco VRF-Aware IPSec
configuring 33-9
IPSec anti-replay window size
configuration (examples) 29-36
configuring 29-6
IPsec manual keying 25-6
IPSec NAT transparency, configuring 28-19
IPsec preferred peer
configuration (examples) 29-38
IPSec preferred peer, configuring 29-8
IPSec security association (SA) idle timer
configuration (examples) 29-38
IPsec security association (SA) idle timer
configuring 29-12
IPsec stateful failover
troubleshooting 34-25
IPSec stateful failover using a blade failure group (BFG)
configuration (example) 32-38
configuring 32-22
IPSec stateful failover using HSRP and SSP
active chassis configuration (example) 32-30
IPSec stateless failover using HSRP
active chassis configuration (example) 32-27
configuring 32-3
remote router configuration (example) 32-31, 32-36
IPsec stateless failover using HSRP
remote router configuration (example) 32-28
IPSec stateless failover using HSRP and RRI,
configuring 32-3
IPSec VPN accounting
configuration (examples) 33-10
configuring 33-5
IPSec VPN monitoring
configuration (example) 33-11
configuring 33-2
IPSec VPN SPA
IPSec stateful failover using HSRP RRI and SSP,
configuring 32-3
IPSec stateless failover using HSRP RRI,
configuring 32-3
VPN running state, displaying 25-21
ISAKMP keyrings and peer filtering
configuration (example) 28-22
configuring 28-4
IVRF, defined 26-2
K
keyboard shortcuts 1-6
key rollover for certificate renewal
configuration (examples) 30-60
configuring 30-30
L
LACP over EVC Port Channel
configuration commands, configuration steps 12-52
LAF 27-3
LFI (Link Fragmentation and Interleaving)
configuring on SIPs 4-21
over MLPPP, configuring 4-20, 22-16 to ??
lines
interface status
states, show interfaces serial command 23-3
serial
show interfaces serial command 23-4
local certificate storage location
configuration (example) 30-55
local certificate storage location, configuring 30-14
LOF 8-16
Look-Ahead Fragmentation. See LAF.
loopback
external 13-8
internal 13-8
loopback command 8-17, 13-8
loopback diagnostic command 8-17, 8-20
loopback driver command 13-8
loopback external command 13-8
loopback internal command 13-8
loopback line command 8-22
loopback mac command 13-8
loss of frame, see LOF
M
MAC address
configuration (example) 12-105
modifying 12-5
verifying 12-5
MAC address accounting
configuration (example) 12-106
Management Information Base (MIB)
downloading 11-20
supported on SPAs 11-20
manual certificate enrollment (TFTP and cut-and-paste)
configuration (examples) 30-56
configuring 30-22
manual keying 25-6
match as command 3-21
match bgp-community command 3-21
match class-map command 3-21
match cos inner command 3-21
match discard-class command 3-21
match dscp command 3-18
match fr-dlci command 3-21
match input interface command 6-16
match input-interface command 3-21
match input vlan command 3-18, 3-21
match ip precedence command 3-18
match ip rtp command 3-21
match mac command 3-21
match mpls experimental command 3-18
match packet length command 3-21
match protocol command 3-21
match qos-group command 3-18, 3-21
match vlan command 3-18, 3-21
match vlan inner command 3-21
MBS 6-5
mGRE
enabling 31-3
MIB (Management Information Base)
on Cisco 7600 SIP-200 3-24
on Cisco 7600 SIP-400 3-24
minimum burst size, see MBS
MLFR (Multilink Frame Relay)
configuration guidelines
hardware-based 4-9
software-based 4-9
configuration tasks 4-10
overview 4-8
MLPPP (Multilink PPP)
configuration guidelines
hardware based 4-15
software based 4-15
configuration tasks 4-15, 22-14
LFI
configuring 4-20, 22-16
guidelines, software based 4-20
verifying 4-20, 22-16
modes
See command modes
MPB (Multipoint Bridging)
configuring 4-36
on Cisco 7600 SIP-200 ATM SPAs 3-5
on Cisco 7600 SIP-200 serial SPAs 3-6
on Cisco 7600 SIP-400 3-22
MPLS labels, and interface MTU size 12-10
mpls mtu command 12-10, 15-2
MPLSoGRE and mVPNoGRE 12-17
configuration (example) 12-110
MR-APS 20-27
MTU (maximum transmission unit)
configuration (example) 12-108
configuring 27-12
default size 12-9
interface MTU
additional overhead 12-10
and MPLS labels 12-10
configuration guidelines 12-10
configuring 12-10
description 12-9
verifying 12-11
IP MTU
description 12-9
maximum size 12-9
MPLS MTU
description 12-9
tag MTU
description 12-9
types 12-9
mtu command 12-4, 12-10
Multicast over a GRE tunnel
configuration (example) 25-43, 26-33
configuring 25-26
Multicast over a VTI tunnel
configuration (example) 26-37
multicast routes 12-19
multicast Virtual Private Network over generic routing
encapsulation (mVPNoGRE) 12-17
multilink-group command 4-19, 22-16
Multilink PPP (MLPPP)
LFI
guidelines, hardware based 4-20
multiple RSA key pairs
configuration (example) 30-53
configuring 30-3
multiple SPAs in a chassis
configuration (example) 32-24
configuring 32-2
Multipoint Bridging (MPB) 12-15
multiPoint bridging over Ethernet 12-93
multipoint GRE
See mGRE 31-3
Multi Router-Automatic Protection Switching 20-27
mVPNoGRE 12-110
N
NAT keepalives
configuration (example) 28-24
negotiation auto command 12-12, 12-13
no hw-module subslot shutdown command 5-7, 5-9
no negotiation auto command 12-12
no power enable module command 5-4, 5-8
no shut command 12-4
no shutdown command 4-62, 4-66
notes, usage in text iii-l
no upgrade fpd auto command 35-6
NVRAM (nonvolatile random-access memory) 12-103
O
OCSP (Online Certificate Status Protocol)
configuration (example) 30-61
configuring 30-37
OIR (online insertion and removal)
and shutting down or restarting interfaces 12-103
event tracing for SPAs 5-3, 8-27, 13-9, 23-18
for SIPs 2-1, 5-4
for SPAs 2-3, 5-6, 8-27, 13-10, 23-18, 34-30
for SSCs 2-2
troubleshooting 5-3, 8-27, 13-9, 23-18
OLD-CISCO-CHASSIS-MIB 3-24, 3-25
optics modules
qualified for SPAs (table) 2-6
optional OCSP nonces
configuration (example) 30-62
optional OCSP nonces, configuring 30-41
OSMs, OC-12 ATM
overview 6-4
OUI in MAC address 6-12
outside port, configuring 25-7
oversubscription
Cisco 7600 SIP-400 3-22, 5-3
P
packet flow, on Fast Ethernet or Gigabit Ethernet
SPA 11-21
PCR 6-5
peak cell rate, see PCR
persistent self-signed certificates
configuration (examples) 30-64
configuring 30-48
Per VLAN Spanning Tree (PVST) 6-12
PIM 25-26
ping command 8-16
PKI AAA authorization using the entire subject name
configuration (example) 30-63
configuring 30-45
PKI query multiple servers during certificate revocation
check
configuration (example) 30-61
configuring 30-36
platforms, supported
release notes, identify using 1-13
power enable module command 5-5, 5-8
PPP (Point-to-Point Protocol)
with IPSec VPN SPA 25-20
ppp authentication chap command 4-19, 22-16
ppp chap hostname command 4-19
ppp multilink command 4-19
ppp multilink fragment-delay command 4-18, 22-15
ppp multilink interleave command 4-16, 4-17, 4-20, 22-15,
22-16
priority command 6-16
Private Hosts over Virtual Private LAN Service 4-54
privileged EXEC mode, summary of 1-7
prompts, system 1-7
protected private key storage
configuration (example) 30-54
configuring 30-5
Provider Edge to Provider Edge (PE-to-PE)
tunneling 12-18
PVST+ 6-12
PVST and PVST+ interoperability 6-12
802.1D 6-12
common part convergence sublayer 6-13
L2PT topologies 7-17
line cards supported 6-13
problem summarized 6-13
Q
QoS
carrier, configuration (example) 29-24
configuring 29-17
module, configuration (example) 29-24, 29-40
QoS (Quality of Service)
configuring on SIPs ?? to 4-129
QoS, configuring 29-15
quality of service. See QoS.
query mode definition per trustpoint
configuration (example) 30-54
configuring 30-11
query multiple servers during certificate revocation check
configuration (example) 30-61
configuring 30-36
question mark (?) command 1-8
R
RAI 8-16
release history
Fast Ethernet SPAs 11-1
Gigabit Ethernet SPAs 11-1
release notes
See platforms, supported
remote alarm indication, see RAI
Reverse Route Injection (RRI), configuring 29-3
rewrite ingress tag command 12-95
RFC 1483, Multiprotocol Encapsulation over ATM
Adaptation Layer 5, Bridged and Routed 3-10, 3-15
RFC 1483, Multiprotocol Encapsulation over ATM
Adaptation Layer 5, Multipoint Bridging 3-5, 3-10, 3-22
RFC 1490, Multiprotocol Interconnect over Frame Relay,
Multipoint Bridging 3-6, 3-10
RFC 1663, PPP Reliable Transmission 3-19
RFC 1889, RTP
A Transport Protocol for Real-Time Applications 4-5
RFC 3518, Point-to-Point Protocol (PPP) Bridging
Control Protocol (BCP) 3-10, 3-15, 4-56
ROM monitor mode, summary of 1-7
routed port
configuration (example) 25-31
configuring 25-11
RRI, configuring 29-3
RSA signature storage, configuring 31-16
running configuration, saving to NVRAM 12-103
Rx cell HCS error, see HCSE
S
Safenet IPSec client support
configuration (example) 28-22
configuring 28-4
SCR 6-5
security associations
clearing 34-24
sequenced ACLs, configuring 29-33
serial lines
troubleshooting
show interfaces serial command 23-4
service instance command 12-95
set identity command 29-15
set mpls experimental command 4-82
SFP (small form-factor pluggable) optics
Cisco Systems qualification check 2-6
qualified for SPAs (table) 2-6
shape adaptive command 6-16
shape average command 6-16
shape command 6-16
shape fecn-adapt command 6-16
shape peak command 6-16
show aps command 8-13
show aps group command 8-15
show atm class-link command 8-13
show atm ilmi-status 8-10
show atm ilmi-status command 8-11
show atm interface atm command 7-6, 8-6
show atm map command 8-11
show atm pvc command 7-10, 8-9
show atm pvc interface atm command 8-9
show atm svc interface atm command 8-10
show atm traffic command 8-12
show atm traffic shaping slot command 8-12
show atm vc command 8-8, 8-9, 8-10
show atm vc interface atm command 7-10
show atm vlan command 8-12
show atm vp command 8-8
show command 13-2
show commands
for IPSec VPN SPA 34-6
show controllers atm command 6-17, 8-4, 8-5
example 6-21
show controllers command 6-20
show crypto ace redundancy 34-15
show crypto ace redundancy command 34-15
show crypto ca certificates 34-16
show crypto ca trustpoints command 34-17
show crypto engine accelerator statistic command 34-4
show crypto ipsec ha command 34-11
show crypto ipsec sa command 28-21, 34-9, 34-12
show crypto ipsec sa standby command 34-13
show crypto ipsec transform-set command 34-9
show crypto isakmp policy command 34-8
show crypto isakmp sa addr command 34-11
show crypto isakmp sa command 34-11
show crypto key mypublickey rsa command 34-15
show crypto key pubkey-chain rsa command 34-16
show crypto map command 34-9
show crypto redundancy linecard-group command 34-15
show crypto session 34-18
show crypto sockets command 34-18
show crypto vlan command 34-7, 34-8, 34-23
show cwan mplsogre command 12-20
show diagbus command 3-26, 4-4, 34-3
show diag command 6-20, 8-5, 9-17
example 6-21
show ethernet oam discovery command 12-74
show ethernet oam statistics command 12-74
show ethernet oam status command 12-75
show ethernet oam summary command 12-75
show frame-relay multilink command 4-13
show history command 1-6
show hw-module slot command 4-4
show hw-module slot fpd command 34-6
show hw-module subslot command 4-5, 35-10
show hw-module subslot fpd command 8-3, 35-16
show hw-module subslot oir command 5-7
show idprom command 3-26
show idprom module command 4-4, 4-5, 8-4
show interface atm command 8-5
show interface command 7-5, 7-7
show interfaces atm command 7-4
example 6-20, 9-17
show interfaces command 6-20, 9-17, 11-22, 13-2
show interfaces fastethernet 13-2
show interfaces fastethernet command 11-22
show interfaces gigabit ethernet command 12-11
show interfaces gigabitethernet command 11-23, 12-5,
12-22, 13-2
show interfaces serial command
troubleshooting serial lines 23-4
show interfaces tengigabitethernet command 11-23, 13-2
show interfaces trunk command 4-63, 34-7
show interfaces tunnel 34-19
show ip interface command 5-7, 7-5, 7-7, 8-7
show ip mroute command 12-19, 34-23
show ip nhrp command 34-18
show ip route command 12-18
show module command 3-26, 4-4, 5-5
show mpls interface command 7-5, 7-7
show ppp multilink command 4-20, 6-17, 22-16
show redundancy linecard-group command 34-15
show running-config command 35-8
show sip-disk command 4-4
show ssp client command 34-14
show ssp packet command 34-14
show ssp peers command 34-14
show ssp redundancy command 34-14
show standby command 12-6
show upgrade package default command 35-12
show upgrade progress command 35-12
show version command 8-3
show vlan id command 8-13
show vlans command 12-15
shutdown command 4-61, 4-66, 12-104
Simple Symmetric Transmission Protocol (SSTP) 6-12
single-SPA mode
configuring 25-27
SIP (SPA interface processor)
activation (example) 5-8
blank filler plates 2-1
chassis slot installation (figure) 4-4
deactivating 5-4
deactivation (example) 5-8
definition 2-1
features supported 3-5
general characteristics 2-1
hardware type, displaying 3-26 to 3-27
reactivating 5-4
release history 3-1
resetting 4-170
SPA compatibility (table) 2-4, 2-5
subslots
description 2-1
numbering 4-5
specifying location in CLI 4-5
supervisor engine support 4-3
SNAP (Subnetwork Access Protocol) encapsulation 12-9,
12-11
SONET MIB 3-25
source interface selection for outgoing traffic with
certificate authority
configuration (example) 30-63
configuring 30-47
SPA
automatic recovery 13-7
SPA (shared port adapter)
activation (example) 5-8
chassis slot orientation (figure) 2-3
deactivating 5-6
deactivation (example) 5-8
definition 2-2
double-height description 2-2
FPD image packages
overview 35-3
heights supported
(figure) 2-2
description 2-2
interfaces 2-3
optics compatibility (table) 2-6
reactivating 5-7
single-height description 2-2
SIP compatibility (table) 2-4, 2-5
subslot numbering (figure) 4-4
SPA architecture
description 11-21
POS SPA description 14-7 to 14-10
SPA hardware type, displaying 11-22
Spanning-Tree Protocol (STP) 6-12
SSC (SPA services card)
blank filler plates 2-2
definition 2-2
general characteristics 2-2
states
interface status line, show interfaces serial
command 23-3
subinterfaces, configuring 12-13 to 12-14
subslots
description 2-1
numbering 4-5
specifying location in CLI 4-5
supervisor engines
supported by SIPs 4-3
sustained cell rate, see SCR
switchport command 4-40, 4-47, 4-61, 4-65
switchport trunk allowed vlan command 4-62
system error messages
Cisco 7600 SSC-400 34-2
IPSec VPN SPA 34-2
T
Tab key, command completion 1-8
TFTP server, downloading FPD images to 35-7 to 35-9
tips, usage in text iii-l
transform sets
troubleshooting 34-27
troubleshooting
Fast Ethernet SPA 13-1
Gigabit Ethernet SPA 13-1
trunk port
configuration (example) 25-34
configuring 25-15
trustpoint CA
configuration (example) 30-54
configuring 30-8
tunnel-to-interface mappings 12-20
U
UBR 6-5
unicast routes 12-18
unspecified bit rate, see UBR
upgrade fpd auto command 35-6, 35-8, 35-13
upgrade fpd path command 35-7, 35-9
upgrade hw-module subslot command 35-7
user EXEC mode, summary of 1-7
V
variable bit rate-non-real-time, see VBR-nrt
variable bit rate-real-time, see VBR-rt
VBR 6-5
VBR-nrt 6-5
Virtual Private LAN Service (VPLS) 12-46
Virtual Tunnel Interface. See VTI.
vlan command 4-65
VLANs (virtual LANs)
configuration (example) 12-108
configuring on a subinterface 12-13
verifying configuration 12-15
VPN Routing and Forwarding (VRF) number 12-18
VPN sessions, monitoring and managing 33-2
VRF-aware IPSec. See VRF mode.
VRF instance, defined 26-2
VRF-lite 24-18, 24-19
VRF mode
configuration (examples) 26-21
configuring VTI 26-16
defined 26-1
front door VRF (FVRF) 26-2
guidelines and restrictions 26-4
inside VRF (IVRF) 26-2
VRF instance 26-2
with chassis-to-chassis stateless failover
configuring 32-18
without tunnel protection 26-6
with tunnel protection 26-12
VTI
configuring in VRF mode 26-16
defined 26-16
W
WAN interfaces
ATM configuration (example) 25-36
configuring 25-20
POS configuration (example) 25-37
serial port configuration (example) 25-38
X
xconnect command 3-21