Cisco 10000 Series Router Software Configuration Guide
June 21, 2010
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
Contents

About This Guide: Guide Revision History; Audience; Document Organization; Document Conventions; Related Documentation; RFCs; Obtaining Documentation, Obtaining Support, and Security Guidelines
Chapter 1 Broadband Aggregation and Leased-Line Overview: hardware requirements; broadband architecture models (PTA, PTA to VRF, L2TP to VRF, LAC, RBE, RBE to VRF); leased-line architecture models; load balancing architecture models; new features, enhancements, and changes by Cisco IOS release
Chapter 2 Scalability and Performance: line card VC limitations; limitations and restrictions; scaling enhancements by Cisco IOS release; configuring the router for high scalability (SNMP, input hold queue, atm pxf queuing, keepalive, per-user configurations, VRF and IP unnumbered in user profiles and virtual templates)
Chapter 3 RA to MPLS VPN: PPPoE over Ethernet virtual connections; RBE over ATM virtual connections; configuring and associating VPNs with a virtual template; RADIUS user profiles for RADIUS-based AAA; PPPoA and PPPoE to MPLS VPN configuration examples
Chapter 4: eBGP and iBGP multipath load sharing; IGP convergence acceleration; IPv6 VPN over MPLS; IPv6 Internet access; VRF-aware router applications
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server: IP reassembly; LAC (tunnel sharing, tunnel service authorization, tunnel selection, sessions per tunnel limiting, session load balancing and failover); LNS (virtual template, per VRF AAA, VRF on the LNS, RADIUS attribute accept or reject lists, RADIUS tunnel accounting and authentication); managed LNS configuration examples
Chapter 6 Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN: TCP MSS Adjust; VLAN Range
Chapter 7 Configuring (title truncated in source)
Chapter 8 Configuring ATM Permanent Virtual Circuit Autoprovisioning: ATM PVC autoprovisioning; VBR-nrt oversubscription
Chapter 9 Configuring Multihop
Chapter 10 On-Demand Address Pools: subnet releasing; ODAPs for MPLS VPNs; ODAP manager (DHCP ODAPs as global default pooling mechanism, DHCP pool as an ODAP, AAA client, RADIUS, ODAPs on an interface)
Chapter 11 Local AAA Server, User Database (Domain to VRF Using Local Attributes): defining AAA, RADIUS with NAS-PORT, a VRF, a loopback interface, an IP address pool, a subscriber profile, and an AAA attribute list; applying AAA to a virtual template
Chapter 13 Unicast Reverse Path Forwarding: monitoring and maintaining uRPF; loose mode uRPF with the allow-self-ping and allow-default options
Chapter 14 Configuring Automatic Protection Switching: multirouter APS (MR-APS) on unchannelized line cards
Chapter 16 Configuring RADIUS Features: RADIUS attribute screening (authorization accept, accounting reject, authorization reject and accounting accept examples); RADIUS Packet of Disconnect (AAA POD server)
Chapter 17 Cisco 10000 Series Router PXF Stall Monitor
Chapter 19 Link Noise Monitoring: LNM on a line card and on a shared port adapter; syslog message example; verification
Chapter 20 Configuring L2 Virtual Private Networks: supported L2VPN transport types; prerequisites and restrictions for L2VPN (AToM); Ethernet over MPLS in VLAN and port mode; IEEE 802.1Q tunneling (QinQ) for AToM
Chapter 21 L2VPN Interworking: Ethernet to VLAN bridged interworking (over LS and over AToM); routed interworking; Ethernet/VLAN to ATM AAL5 interworking
Chapter 22 Multilink PPP: MLP bundles and PPP links; MLP groups and virtual template interfaces; MLP overhead; interface multilink, ppp multilink, and ppp multilink fragment-delay commands; MLPoE at PTA; ATM overhead accounting; MLP-based link fragmentation and interleaving; creating bundles and adding member links
Chapter 23 Gigabit EtherChannel: QoS service policies on GEC interfaces and bundle subinterfaces; policy-based routing on a GEC bundle
Chapter 24 Configuring IP Version 6: creating, applying, and verifying IPv6 ACLs
Chapter 25 Configuring Template ACLs: maximum template ACL size; ACLs using RADIUS attribute 242; access-list template command
Chapter 27 GRE Tunnel IP Source and Destination VRF Membership: tunnel VRF; VRF-aware VPDN tunnels
Appendix A RADIUS Attributes: RADIUS IETF attributes; vendor-proprietary RADIUS attributes; vendor-specific RADIUS IETF attributes
Glossary
Index
About This Guide This guide provides configuration information for features that are platform-specific to the Cisco 10000 series router. Documentation is also provided for cross-platform features that function differently on the Cisco 10000 series router than on other supported platforms.
Guide Revision History

Cisco IOS Release 12.2(33)SB3, part number OL-2226-21, published December 2008: added the features listed in the “New Features in Cisco IOS Release 12.2(33)SB3” section on page 1-18.

Cisco IOS Release 12.2(33)SB2, part number OL-2226-20, published September 2008: added the features listed in the “New Features in Cisco IOS Release 12.2(33)SB2” section on page 1-18.

Cisco IOS Release 12.

Cisco IOS Release 12.2(31)SB2, part number OL-2226-15, published November 2006: added the features listed in the “New Features in Cisco IOS Release 12.2(31)SB2” section on page 1-20.

Cisco IOS Release 12.2(28)SB, part number OL-2226-14, published July 2006: added the features listed in the “New Features in Cisco IOS Release 12.2(28)SB” section on page 1-21.

Cisco IOS Release 12.
About This Guide Guide Revision History • MPLS QoS—See “Configuring Quality of Service for MPLS Traffic” • MPLS Traffic Engineering—Diffserv Aware—See “Configuring Quality of Service for MPLS Traffic” • Per VRF AAA (see Chapter 18, “Configuring Quality of Service for MPLS Traffic”) Added feature histories and mini tables of contents for each feature in this guide. Added the Static MAC Address for PPPoE feature in Chapter 6, “Configuring PPPoE over Ethernet and IEEE 802.
Relocated QoS features to the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html For the following relocated features, see the Cisco 10000 Series Router Quality of Service Configuration Guide: • Modular QoS CLI Overview: see “Quality of Service Overview.
Cisco IOS Release 12.3(7)XI1, part number OL-2226-07, published August 2004: added the new features listed in the “New Features in Cisco IOS Release 12.3(7)XI1” section on page 1-26.

Audience
This guide is designed for system and network managers responsible for configuring broadband aggregation, leased-line, and MPLS services on the Cisco 10000 series router.
About This Guide Document Organization Chapter Title Description Chapter 8 Configuring ATM Permanent Virtual Circuit Autoprovisioning Describes how to configure the ATM PVC autoprovisioning feature that enables DSL wholesale service providers to dynamically provision ATM service for subscribers using a local configuration. Also describes the VBR-nrt Oversubscription feature.
About This Guide Document Conventions Chapter Title Description Chapter 23 Protecting the Router from DoS Attacks Describes how to protect against denial of service (DoS) attacks. Chapter 24 IP Tunneling Describes the Generic Routing Encapsulation Tunnel IP Source and Destination VRF Membership feature. Appendix A RADIUS Attributes Lists RADIUS attributes that the Cisco 10000 series router supports. This guide also includes a Glossary and an Index.
Related Documentation
For more information about the Cisco 10000 series router, its features, and hardware, go to the Cisco 10000 series router documentation roadmap, located at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps133/products_documentation_roadmap09186a00804ba4f3.html For information about Cisco IOS Release 12.2, including command reference and system error messages, go to the Cisco IOS Release 12.
RFCs

RFC 791   Internet Protocol
RFC 1163  A Border Gateway Protocol (BGP)
RFC 1483  Multiprotocol Encapsulation over ATM
RFC 1490  Multiprotocol Interconnect over Frame Relay
RFC 1661  The Point-to-Point Protocol (PPP)
RFC 1990  The PPP Multilink Protocol (MP)
RFC 2373  IP Version 6 Addressing Architecture
RFC 2516  A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 2529  Transmission of IPv6 over
CH A P T E R 1 Broadband Aggregation and Leased-Line Overview The Cisco 10000 series router is a highly scalable and reliable IP edge platform, providing nonstop performance for service providers deploying IP services. With the rapid growth in broadband customers, the Cisco 10000 series router accommodates the service provider’s need for an expanding set of broadband aggregation features.
Chapter 1 Broadband Aggregation and Leased-Line Overview Broadband Architecture Models To see if a feature is supported by a Cisco IOS release, to locate the software document for that feature, or to check the minimum software requirements of Cisco IOS software with the hardware installed on your router, Cisco maintains the Software Advisor tool on Cisco.com at http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl You must be a registered user on Cisco.com to access this tool.
Figure 1-1 PTA Architectural Model (figure not reproduced; it shows clients behind an ATM network carrying PPPoX and PPPoE sessions over OC-3/OC-12 ATM to the Cisco 10000 ESR, IP routed traffic over Gigabit Ethernet or OC-12 POS toward the ISP/corporate network, routed subscribers, and attached AAA servers and EMS/NMS)

In the figure, an ATM network (with no routing capability) is between the clients and the Cisco 10000 series router.

Figure 1-2 PTA to VRF Architectural Model (figure not reproduced; it shows CPE behind an ATM access network, PPPoX sessions terminating on the wholesale provider's Cisco 10000 ESR, VRF 1 through VRF n on the router, and an L2 transport network to retail providers 1 through n over a separate logical or physical interface per retail provider)

In this model, the Cisco 10000 series router terminates the sessions and places the sessions in the appropriate VRF.
Chapter 1 Broadband Aggregation and Leased-Line Overview Broadband Architecture Models In the figure, PPPoX sessions are placed in the proper virtual routing and forwarding (VRF) instance based on the virtual template to which they map. This model is identical to the one in Figure 1-2 on the access side. However, the two models differ on the network side. The model in Figure 1-3 uses MPLS and a tag interface on the network side and separates traffic at Layer 3.
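The following configuration is an added example, not taken from this guide, of the PTA to VRF model described above: two retail providers, each isolated in its own VRF, with the virtual template deciding which VRF a terminated PPPoX session joins. VRF names, route distinguishers and route targets, loopback and pool addresses, BBA group names, PVC identifiers and interface numbering are all assumed for illustration.

```cisco
! Added example (not from the guide). All names, numbers and addresses are assumed.
!
! One VRF per retail provider. Distinct route targets keep one provider's
! routes from leaking into the other provider's VRF.
ip vrf PROVIDER1
 rd 65000:1
 route-target both 65000:1
!
ip vrf PROVIDER2
 rd 65000:2
 route-target both 65000:2
!
! One loopback per VRF; subscriber sessions borrow its address via ip unnumbered.
interface Loopback1
 ip vrf forwarding PROVIDER1
 ip address 10.1.0.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding PROVIDER2
 ip address 10.2.0.1 255.255.255.255
!
! Local address pools for the PPP peers (assumed ranges).
ip local pool POOL-P1 10.1.1.1 10.1.1.254
ip local pool POOL-P2 10.2.1.1 10.2.1.254
!
! The virtual template a session maps to decides its VRF.
! Order matters: "ip vrf forwarding" clears any address on the interface,
! so it must come before "ip unnumbered".
interface Virtual-Template1
 ip vrf forwarding PROVIDER1
 ip unnumbered Loopback1
 peer default ip address pool POOL-P1
 ppp authentication chap
!
interface Virtual-Template2
 ip vrf forwarding PROVIDER2
 ip unnumbered Loopback2
 peer default ip address pool POOL-P2
 ppp authentication chap
!
! PPPoE: one BBA group per retail provider, bound to that provider's template.
bba-group pppoe PROVIDER1
 virtual-template 1
!
bba-group pppoe PROVIDER2
 virtual-template 2
!
! Separate PVCs per provider on the ATM access interface (assumed VPI/VCI).
interface ATM1/0/0.1 point-to-point
 pvc 1/32
  protocol pppoe group PROVIDER1
!
interface ATM1/0/0.2 point-to-point
 pvc 1/33
  protocol pppoe group PROVIDER2
!
! PPPoA alternative for a provider's PVC: bind the PVC directly to the template.
!  pvc 1/34
!   encapsulation aal5mux ppp Virtual-Template1
!
! Verification: a subscriber's host route must appear only in its own VRF.
!  show pppoe session
!  show ip route vrf PROVIDER1
!  show ip route vrf PROVIDER2
```

The check that matters for isolation is the last pair of show commands: a session that lands in PROVIDER1 must not be visible in PROVIDER2's routing table, and a template without ip vrf forwarding would place sessions in the global table instead of any VRF.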
Figure 1-5 L2TP to VRF Architectural Model (figure not reproduced; it shows PPPoX clients over DSL, PPP carried in an L2TP tunnel across an IP network to the Cisco 10000 LNS (home gateway), VRF 1 and VRF 2 on the LNS, each toward an NSP, with AAA and DHCP servers attached)

In this model, the Cisco 10000 series router acts as the LNS with VRF 1 and VRF 2 configured on the router. PPPoX sessions are placed in an L2TP tunnel and terminated at the LNS where they are placed in the appropriate VRF.

L2TP Access Concentrator Architecture
Figure 1-7 shows an L2TP access concentrator (LAC) model.

Figure 1-7 LAC Topology (figure not reproduced; it shows subscriber CPE over an ATM or Ethernet access network to the wholesale provider's LAC, PPP in L2TP sessions encapsulated in IP across an IP transport network to LNS providers 1 through n, typically one tunnel per LAC per retail provider; access encapsulations shown are PPPoA, PPPoE over ATM, and PPPoE natively on Ethernet/802.

Figure 1-8 RBE Architectural Model (figure not reproduced; it shows clients carrying RBE sessions over an ATM network, typically OC-3/OC-12 ATM, to the Cisco 10000 ESR, IP routed traffic typically over Gigabit Ethernet or OC-12 POS toward the ISP/corporate network, 100K routed subscribers, and attached DHCP servers and EMS/NMS)

In the figure, an ATM network (with no routing capability) is between the clients and the Cisco 10000 series router.

Figure 1-9 RBE to VRF Topology (figure not reproduced; it shows subscriber CPE sending RFC 2684 bridged-format PDUs over an ATM access network to the wholesale provider, VRF 1 through VRF n, and an L2 transport network to retail providers 1 through n over separate logical or physical interfaces, one per retail provider)

In the figure, the wholesale provider uses physical or logical interfaces to separate the subscribers of different retail providers.
Leased-Line Architecture Models
This section shows leased-line models for the following architectures and applications:
• Channelized aggregation
• Frame Relay aggregation
• ATM aggregation
• Ethernet aggregation
• MPLS provider edge application
• Combined Broadband and Leased-Line applications

Channelized Aggregation
The Cisco 10000 series router allows the aggregation of low-speed, very-high-density lea

Figure 1-12 shows an example of Frame Relay architecture.

Figure 1-12 Frame Relay Architecture (figure not reproduced; it shows a business customer on a clear-channel T1/E1 interface carrying IP over Frame Relay DLCIs into the Cisco 10000 series router over SONET/SDH, and IP onward into the IP network)

ATM Aggregation
ATM is used in many incumbent local exchange carrier (ILEC) and PTT access networks, and many providers use the technology as the foundation for multiservice platforms.
Chapter 1 Broadband Aggregation and Leased-Line Overview Leased-Line Architecture Models Ethernet Aggregation Many enterprise customers use Ethernet technology for the “hub” site within a VPN network. “Spoke” sites are generally connected to the service provider infrastructure with lower speed fixed circuits. Customer connections are usually defined as 802.1Q virtual LAN (VLAN) logical interfaces under the main Ethernet interface.
Chapter 1 Broadband Aggregation and Leased-Line Overview Load Balancing Architecture Models Combined Broadband and Leased-Line Applications The demarcation between leased-line and broadband applications has become less clear over the past few years. DSL circuits are competing in the traditional leased-line space, with many service providers offering Internet and VPN services over these lower-cost alternatives to dedicated TDM.
Chapter 1 Broadband Aggregation and Leased-Line Overview Load Balancing Architecture Models Per-packet load balancing allows data traffic to be evenly distributed in an IP network over multiple equal-cost connections. Per-packet load balancing uses round-robin techniques to select the output path without basing the choice on the packet content.
Figure 1-19 Single Ingress and Two Egress PE Load Balancing (figure not reproduced; it shows CE1 behind ingress PE1, core routers P1 and P2, two egress PEs (PE3 shown) toward CE2, and destination prefix 10.1.1.1)

You can set load balancing to work per-destination or per-packet. For per-destination load balancing, the packet arrives at the core router and the hash value is computed based on the source IP address, destination IP address, and router ID.
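As an added example, not from this guide, the two load-sharing modes as they are configured on the ingress PE's core-facing interfaces. The interface names are assumed; the destination prefix 10.1.1.1 is the one from Figure 1-19.

```cisco
! Added example (not from the guide). Interface numbering is assumed.
!
! Per-destination is the default. The hash over source IP, destination IP and
! router ID pins each flow to one of the equal-cost paths (via P1 or via P2),
! so packets of a flow stay in order.
interface GigabitEthernet1/0/0
 description core link to P1
 ip load-sharing per-destination
!
interface GigabitEthernet2/0/0
 description core link to P2
 ip load-sharing per-destination
!
! Per-packet round-robins successive packets over both links without looking
! at packet content. Packets of one flow can then arrive out of order, which
! degrades TCP throughput, so enable it only where that is acceptable, and
! then on every outgoing interface in the equal-cost set (shown disabled):
!  interface GigabitEthernet1/0/0
!   ip load-sharing per-packet
!  interface GigabitEthernet2/0/0
!   ip load-sharing per-packet
!
! Verification: both next hops toward the prefix should be listed, and the
! per-destination / per-packet setting appears on each interface.
!  show ip route 10.1.1.1
!  show ip cef 10.1.1.1 detail
!  show ip interface GigabitEthernet1/0/0 | include load sharing
```

Per-destination keeps a single large flow on one path (it cannot use both links at once), while per-packet spreads even one flow but pays for it with reordering; pick per interface according to what the traffic behind it tolerates.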
• New Features in Cisco IOS Release 12.2(33)SB3, page 1-18
• New Features in Cisco IOS Release 12.2(33)SB2, page 1-18
• New Features in Cisco IOS Release 12.2(33)SB, page 1-18
• New Features in Cisco IOS Release 12.2(31)SB5, page 1-19
• New Features in Cisco IOS Release 12.2(31)SB3, page 1-19
• New Features in Cisco IOS Release 12.2(31)SB2, page 1-20
• New Features in Cisco IOS Release 12.
Chapter 1 Broadband Aggregation and Leased-Line Overview New Features, Enhancements, and Changes • SSO - MPLS VPN 6VPE & 6PE SSO support For more information, see the NSF/SSO and ISSU - MPLS VPN 6VPE and 6PE guide at the following link: http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_6vpe_6pe_issu_sso.html • ISSU - MPLS VPN 6VPE & 6PE ISSU support For more information, see the NSF/SSO and ISSU - MPLS VPN 6VPE and 6PE guide at the following link: http://www.cisco.
Chapter 1 Broadband Aggregation and Leased-Line Overview New Features, Enhancements, and Changes New Features in Cisco IOS Release 12.2(33)SB3 In Cisco IOS Release 12.2(33)SB3 support was added on the Cisco 10000 series router for the following feature: • IGP Convergence Acceleration For more information, see IGP Convergence Acceleration, page 4-3 New Features in Cisco IOS Release 12.2(33)SB2 In Cisco IOS Release 12.
• IEEE 802.1Q Tunneling (QinQ) for AToM
For more information, see the “IEEE 802.1Q Tunneling for AToM—QinQ” section on page 20-22.
• IGP Convergence Acceleration
This feature allows faster failover of IGP routes in load-balanced situations.
• TCP MSS Adjust
For more information, see the “Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN” chapter in the Cisco 10000 Series Router Broadband Aggregation, Leased-Line, and MPLS Configuration Guide, located at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00804d45ca.html

New Features in Cisco IOS Release 12.
Chapter 1 Broadband Aggregation and Leased-Line Overview New Features, Enhancements, and Changes For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb31/extvpnsb.htm • Multicast VPN Extranet VRF Select For more information, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb31/sbmexsel.htm • NSF/SSO (Nonstop Forwarding with Stateful Switchover) Support was added for the PRE3.
– Cisco 10000 Series Router Line Card Hardware Installation Guide, located at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps133/products_installation_guide_book09186a00804c9489.
Chapter 1 Broadband Aggregation and Leased-Line Overview New Features, Enhancements, and Changes • IP SLAs—LSP Health Monitor in the IP SLAs—LSP Health Monitor feature guide, located at the following URL: http://www.cisco.com/en/US/products/ps6566/products_feature_guide09186a0080528450.html • IPv6 in Chapter 24, “Configuring IP Version 6” • L2TP Congestion Avoidance in the L2TP Congestion Avoidance feature guide, located at the following URL: http://www.cisco.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008029b285.html
• NSF/SSO—MPLS VPN in the NSF/SSO—MPLS VPN feature guide, located at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00805ad34f.
• SSO—Multilink PPP (MLP) in the Stateful Switchover feature guide, located at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a00801ce6f9.shtml
Note In Cisco IOS Release 12.2(28)SB, the Cisco 10000 series supports Route Processor Redundancy Plus (RPR+) and Stateful Switchover (SSO).
New Features in Cisco IOS Release 12.3(7)XI3
The following features are new on the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI3:
• PPPoE Circuit-Tag Processing in the PPPoE Profiles feature guide, located at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541b8.
• 3-Level Hierarchical QoS Policies in the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.
• Per Precedence Weighted Random Early Detection Statistics in the Cisco 10000 Series Router Quality of Service Configuration Guide, located at the following URL: http://www.cisco.com/en/US/products/hw/routers/ps133/products_configuration_guide_book09186a00805b9497.html
• PPPoE over Q-in-Q (PPPoEoQ-in-Q)—PPPoE packets that are double-tagged for Q-in-Q VLAN tag termination on the subinterface level.
CH A P T E R 2 Scalability and Performance The infrastructure of the service provider must be capable of supporting the services the enterprise customer or Internet service provider (ISP) wants to offer its subscribers. It must also be able to scale to an expanding subscriber base. You can configure the Cisco 10000 series router for high scalability.
Table 2-1 ATM Service Categories

Service category   SAR priority
CBR                0
VBR-rt             1
VBR-nrt            2
Shaped UBR         3
Unshaped UBR       None

The number of SAR priority levels and the service categories supported at each priority level vary from line card to line card.
Chapter 2 Scalability and Performance Limitations and Restrictions the 1-port OC-12 and 8192 VCs per priority level per port for the 4-port OC-3—a total of 16,384 VCs per priority level per port. If the number of VCs you configure exceeds the VC limit, the VCs get stuck in the SAR.
Chapter 2 Scalability and Performance Scaling Enhancements in Cisco IOS Release 12.2(33)XNE • For SSG (RADIUS) configurations on PRE2, the following limitations apply: – For Cisco IOS Release 12.3(7)XI, ACLs defined through SSG configuration (RADIUS) are restricted to mini-ACLs only. Turbo ACLs cannot be used in combination with SSG and RADIUS. If you apply a Turbo ACL to an SSG session, the following syslog error is generated: “%C10K_ACLS-3-SSG_TURBO_ACL: acl is a Turbo ACL and cannot be used for SSG.
Scaling Enhancements in Cisco IOS Release 12.2(33)SB
Cisco IOS Release 12.2(33)SB provides increased scalability for the Layer 4 Redirect feature.

Layer 4 Redirect Scaling
The Layer 4 Redirect (L4R) feature allows subscriber TCP or UDP traffic to be redirected to a server. In Cisco IOS Release 12.2(33)SB, the ISG L4R feature is implemented in the PXF, which improves its performance and scale.

For more information on configuring L4R, see the “Redirecting Subscriber Traffic Using ISG Layer 4 Redirect” chapter in the Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB at the following URL: http://www.cisco.com/en/US/products/ps6566/products_configuration_guide_chapter09186a0080630d65.
Chapter 2 Scalability and Performance Scaling Enhancements in Cisco IOS Release 12.3(7)XI2 Queue Scaling The Queue Scaling feature increases the total number of queues that VTMS supports to 131,072. Of the total number, 254 queues are available for high speed interfaces, and 130,816 queues are available for low speed interfaces. This increase allows the support of the 31,500 priority queues (of 131,072 total queues) on 31,500 sessions or interfaces.
Chapter 2 Scalability and Performance Scaling Enhancements in Cisco IOS Release 12.2(28)SB In Cisco IOS Release 12.3(7)XI2, the subinterfaces on a given main interface share the single system queue of the main interface, which allows for 32,000 subinterfaces with a three-queue model that supports assured forwarding (AF) queues and expedited forwarding (EF) queues, in addition to the default best effort (BE) queues.
Chapter 2 Scalability and Performance Configuring the Cisco 10000 Series Router for High Scalability Configuring Parameters for RADIUS Authentication If your network uses a RADIUS server for authentication, set the small, middle, and big buffers by using the buffers command. Table 2-4 lists the buffer sizes to configure (and see Example 2-3).
Chapter 2 Scalability and Performance Configuring the Cisco 10000 Series Router for High Scalability Note The No Session Timeout parameter indicates the length of time a tunnel persists when there are no sessions in the tunnel.
Chapter 2 Scalability and Performance Configuring the Cisco 10000 Series Router for High Scalability Disabling Gratuitous ARP Requests To maximize the performance of the router, disable gratuitous ARP requests, using the no ip gratuitous-arp command (Example 2-9).
Table 2-7 Interface-Specific Commands That Prevent PPP Scaling (continued)

Command             Function
help                Provides a description of the interactive help system.
hold-queue          Sets the hold queue depth.
lan-name            Specifies a name for the LAN that is attached to the interface.
lapb                X.25 Level 2 parameters (Link Access Procedure, Balanced).
snmp                Modifies Simple Network Management Protocol (SNMP) interface parameters.
source              Gets the configuration from another source.
stun                Serial Tunnel (STUN) interface subcommands.
transmit-interface  Assigns a transmit interface to a receive-only interface.
CISCO-ATM-PVCTRAP-EXTN-MIB

The Cisco 10000 series router does not support the CISCO-ATM-PVCTRAP-EXTN-MIB for large numbers of permanent virtual circuits (for example, 32,000 PVCs).

Configuring the Trunk Interface Input Hold Queue

To ensure high scalability, set the trunk interface input hold queue to a high value (Example 2-13).

Note The default value for the OC-12 ATM line card trunk interface input hold queue is 27230. Cisco laboratory tests have shown this setting to result in the highest scalability for the OC-12 ATM line card.

Configuring atm pxf queuing

The Cisco 10000 series router supports two ATM traffic classes when you configure atm pxf queuing: unshaped UBR and VBR-nrt. When you specify an output PCR for an unshaped UBR class, the Cisco 10000 series router accepts the PCR. However, the router does not use the PCR value and it does not notify you of this omission.

Configuring keepalive

The keepalive command sets the keepalive timer for a specific interface. To ensure proper scaling and to minimize CPU utilization, set the timer for 30 seconds or longer (Example 2-14). The default value is 10 seconds.

Setting VRF and IP Unnumbered Interface Configurations in User Profiles

Although the Cisco 10000 series router continues to support the lcp:interface-config VSA, the ip:vrf-id and ip:ip-unnumbered VSAs provide another way to set the VRF and IP unnumbered interface configurations in user profiles.

Placing PPPoA Sessions in Listening Mode

For better scalability and faster convergence of PPPoA, PPPoEoA, or LAC sessions, set sessions to passive mode, using the atm pppatm passive command in ATM subinterface configuration mode. This command places PPP or L2TP sessions on an ATM subinterface into listening mode.

Using the RADIUS Attribute cisco-avpair="lcp:interface-config"

When you use the lcp:interface-config RADIUS attribute to reconfigure the virtual-access subscriber interface, scaling on the Cisco 10000 series router decreases for the following reasons:
• The lcp:interface-config command syntax includes an IOS interface configuration command.

Preventing Full Virtual Access Interfaces

The lcp:interface-config RADIUS attribute is used to reconfigure the subscriber interface. To accommodate the requirements of this attribute, the per-user authorization process forces the router to create full VAIs. Cisco IOS Release 12.2(31)SB2, Release 12.
Chapter 3 Configuring Remote Access to MPLS VPN

The Cisco 10000 series router supports the IP virtual private network (VPN) feature for Multiprotocol Label Switching (MPLS). MPLS-based VPNs allow service providers to deploy a scalable and cost-effective VPN service that provides a stable and secure path through the network. An enterprise or Internet service provider (ISP) can connect to geographically dispersed sites through the service provider’s network.
MPLS VPN Architecture

The MPLS VPN architecture enables the service provider to build the MPLS VPN network one time and add VPNs for new customers as needed, including them in the already established network. The elements that comprise the MPLS VPN are:
• Customer edge (CE) routers—The CPE devices to which subscribers in a customer’s network connect. The CE router connects to a service provider’s edge router (PE router).

Access Technologies

The Cisco 10000 series router supports routed bridge encapsulation (RBE) protocol.

Figure 3-3 shows the topology of an RBE to MPLS VPN solution.

4. The VHG/PE router forwards accounting records to the service provider’s proxy RADIUS server, which in turn logs the accounting records and forwards them to the appropriate customer RADIUS server.
5. The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:

Note For releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the RADIUS server, use the syntax lcp:interface-config. This configuration forces the Cisco 10000 series router to use full access virtual interfaces, which decreases scaling. We recommend that you do not use this configuration. Upgrading to Cisco IOS Release 12.2(16)BX1 or later releases will eliminate this restriction.

RBE over ATM to MPLS VPN

The Cisco 10000 series router supports an ATM RBE to MPLS VPN connection. RBE is used to route IP over bridged RFC 1483 Ethernet traffic from a stub-bridged LAN. The ATM connection appears like a routed connection; however, the packets received on the interface are bridged IP packets. RBE looks at the IP header of the packets arriving at an ATM interface and routes the packets instead of bridging them.

You can configure a VRF instance for each VPN configured on the Cisco 10000 series router. By using the vpn id VRF configuration command, you can assign a VPN ID to a VPN. The router stores the VPN ID in the corresponding VRF structure for the VPN (see the “Configuring Virtual Routing and Forwarding Instances” section on page 3-13).

Note The VPN ID is used for provisioning only. BGP routing updates do not include the VPN ID.

DHCP Relay Agent Information Option—Option 82

The Cisco 10000 series router supports the Dynamic Host Configuration Protocol (DHCP) relay agent information option (Option 82) feature when ATM routed bridge encapsulation (RBE) is used to configure DSL access. This feature communicates information to the DHCP server by using a suboption of the DHCP relay agent information option called agent remote ID.

After adding these suboptions to the DHCP relay agent information option, the gateway address changes to the relay agent’s outgoing interface on the DHCP server side. The DHCP server uses this gateway address to send reply packets back to the relay agent. The relay agent then removes the relay agent information options and forwards the packets to the DHCP client on the correct VPN.
Prerequisites for RA to MPLS VPN

The RA to MPLS VPN feature has the following requirements:
• Your network must be running the following Cisco IOS services before you configure VPN operation:
  – MPLS in the service provider backbone routers
  – Tag distribution protocol (TDP) or the label distribution protocol (LDP)
  – BGP in all routers providing a VPN service
  – Cisco Express Forwarding (CEF) switching in each MPLS-enabled rout

Configuration Tasks for RA to MPLS VPN

To configure the RA to MPLS VPN feature, perform the following configuration tasks:
• Configuring the MPLS Core Network, page 3-12
• Configuring Access Protocols and Connections, page 3-16
• Configuring and Associating Virtual Private Networks, page 3-28
• Configuring RADIUS User Profiles for RADIUS-Based AAA, page 3-30

Configuring the MPLS Core Network

To configure an MPL
Configuring Virtual Routing and Forwarding Instances

Configure VRF instances on each PE router in the provider network. Create one VRF for each VPN connected using the ip vrf command in global configuration mode or router configuration mode. To create the VRF, do the following:
• Specify the correct route distinguisher (RD) used for that VPN using the rd command in VRF configuration submode.

Command / Purpose
Step 4  Router(config)# interface virtual-template number
        Creates a virtual template interface and enters interface configuration mode.
Step 5  Router(config-if)# ip vrf forwarding vrf-name
        Associates a VRF with a virtual template interface.
        Note Apply the ip vrf forwarding command and then the ip address command.

Command / Purpose
Step 6  Router(config-router)# address-family ipv4 vrf vrf-name
        Enters address family configuration mode and configures the VRF routing table for BGP routing sessions that use standard IPv4 address prefixes. The vrf-name argument specifies the name of the virtual routing and forwarding (VRF) instance to associate with subsequent IPv4 address family configuration mode commands.

address-family vpnv4
 neighbor 10.1.1.4 activate
 neighbor 10.1.1.4 send-community both
 neighbor 10.3.1.4 activate
 neighbor 10.3.1.4 send-community both
exit-address-family
!

Note Typically, you enable BGP only on the PE routers. It is not necessary to enable BGP on all provider (P) core routers.

• Configuring PPPoE over Ethernet Virtual Connections and Applying Virtual Templates, page 3-20
• Configuring RBE over ATM Virtual Connections, page 3-22

Configuring a Virtual Template Interface

To create and configure a virtual template interface, enter the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# interface virtual-template number
        Creates a virtual templa

 peer default ip address pool vrf-1
 ppp authentication chap
end

Note Virtual-access 1.1 is a PPPoE subinterface.

Example 3-6 Clearing Live Sessions
Router# clear interface virtual-access 1.

Note For more information, see the “Configuring Broadband Access: PPP and Routed Bridge Encapsulation” chapter in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2.
Configuring PPPoE on ATM PVCs Using a Different MAC Address

To change the way PPPoE selects a MAC address when PPPoE and RBE are configured on two separate PVCs on the same DSL line, enter the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# vpdn-group pppoe-term
        Specifies the VPDN group to be used to establish PPPoE sessions on a PVC.

Configuring PPPoE over Ethernet in a BBA Group

Note Cisco IOS Release 12.2(15)BX does not support RADIUS configuration of BBA groups. You must configure BBA groups manually.

Note You cannot simultaneously configure a BBA group for PPPoE and a VPDN group for PPPoE. If you configure a BBA group and then you configure a VPDN group, the protocol command in VPDN accept-dialin configuration mode does not include an option for PPPoE (for example, you cannot specify the protocol pppoe command). Use the no bba-group pppoe command to re-enable the pppoe option for the protocol command.

Defining PVCs

To define PVCs, enter the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# interface atm slot/port.subinterface-number point-to-point
        Specifies an ATM point-to-point subinterface. Enters subinterface configuration mode.
Step 2  Router(config-subif)# ip vrf forwarding vrf-name
        Associates a VRF with the ATM point-to-point subinterface.

Configuring a Dedicated PVC

To configure a dedicated PVC for each VPN, enter the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# interface atm slot/port.subinterface-number point-to-point
        Creates a point-to-point ATM subinterface. Enters subinterface configuration mode.

Command / Purpose
Step 7  Router(config-router-af)# redistribute protocol
        Redistributes routes from one routing domain into another routing domain. The protocol argument is the source protocol from which routes are being redistributed. It can be one of the following keywords: bgp, connected, egp, igrp, isis, ospf, static [ip], or rip.

• Reserved: undefined
• NAS IP address: 0x0B010181 (hexadecimal value of 11.1.1.129)
• NAS Port
  – Interface (slot/module/port): 0x40 (The slot/module/port values are 01 00/0/000.)
  – VPI: 0x58 (hexadecimal value of 88)
  – VCI: 0x320 (hexadecimal value of 800)

Example 3-7 Configuring Option 82 for RBE
ip dhcp-server 172.16.1.2
!
ip dhcp relay information option
!
interface Loopback0
 ip address 11.1.1.129 255.255.
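The agent remote ID fields listed above (and described in the “DHCP Relay Agent Information Option—Option 82” section) are what a DHCP server operator or log reviewer needs to map a DHCP request back to the DSL port it arrived on. The following Python encodes and decodes those fields; it is an added example, not code from this guide or from Cisco IOS. The byte layout (2 reserved bytes, a 4-byte NAS IP address, then a 4-byte NAS port made of one slot/module/port byte, one VPI byte and a 2-byte VCI, all big-endian, with the interface byte split 4/1/3 bits) is an assumption derived from the worked values 0x0B010181, 0x40, 0x58 and 0x320; anything that precedes the Reserved field is outside the example.

```python
import ipaddress
import struct

# Assumed layout (not from Cisco code): reserved(2) | NAS IP(4) | iface(1) | VPI(1) | VCI(2)
REMOTE_ID_FMT = ">HIBBH"
REMOTE_ID_LEN = struct.calcsize(REMOTE_ID_FMT)  # 10 bytes


def encode_interface(slot, module, port):
    """Pack slot/module/port into the one-byte interface field (4/1/3 bits, assumed).
    0x40 corresponds to slot 4, module 0, port 0, i.e. ATM4/0/0 in the text."""
    if not (0 <= slot < 16 and 0 <= module < 2 and 0 <= port < 8):
        raise ValueError("slot/module/port out of range for a 4/1/3-bit field")
    return (slot << 4) | (module << 3) | port


def decode_interface(byte):
    """Inverse of encode_interface: returns (slot, module, port)."""
    return (byte >> 4) & 0xF, (byte >> 3) & 0x1, byte & 0x7


def build_remote_id(nas_ip, slot, module, port, vpi, vci):
    """Return the remote ID bytes for one RBE PVC; reserved field encoded as zero."""
    if not (0 <= vpi <= 0xFF and 0 <= vci <= 0xFFFF):
        raise ValueError("VPI must fit in one byte and VCI in two bytes")
    return struct.pack(REMOTE_ID_FMT, 0, int(ipaddress.IPv4Address(nas_ip)),
                       encode_interface(slot, module, port), vpi, vci)


def parse_remote_id(blob):
    """Decode remote ID bytes into the fields a DHCP server or log reviewer needs."""
    if len(blob) != REMOTE_ID_LEN:
        raise ValueError(f"remote ID must be {REMOTE_ID_LEN} bytes, got {len(blob)}")
    _reserved, nas_ip, iface, vpi, vci = struct.unpack(REMOTE_ID_FMT, blob)
    slot, module, port = decode_interface(iface)
    return {
        "nas_ip": str(ipaddress.IPv4Address(nas_ip)),
        "nas_ip_hex": f"0x{nas_ip:08X}",
        "interface": f"ATM{slot}/{module}/{port}",
        "interface_byte": iface,
        "vpi": vpi,
        "vci": vci,
    }


if __name__ == "__main__":
    # Constructed sample using the values from the text: NAS 11.1.1.129, ATM4/0/0, VPI 88, VCI 800
    rid = build_remote_id("11.1.1.129", 4, 0, 0, 88, 800)
    print(rid.hex())
    print(parse_remote_id(rid))
```

The decoder rejects remote IDs of the wrong length rather than guessing, which matters when the same DHCP server sees relay agents that use a different suboption format.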
Command / Purpose
Step 2  Router(config)# interface type number
        Specifies an interface and enters interface configuration mode.
Step 3  Router(config-if)# ip helper-address vrf name [global] address
        Forwards UDP broadcasts, including BOOTP, received on an interface.

Example 3-9 assigns a VPN ID to the VRF named vpn1.

Command / Purpose
Step 3  Router(config-vrf)# vpn id route-distinguisher
        Associates the VPN with the VRF.
Step 4  Router(config-vrf)# route-target {import | export | both} route-target-ext-community
        Creates a list of import and export route target communities for the specified VRF.

Configuring RADIUS User Profiles for RADIUS-Based AAA

Use the per VRF AAA feature to partition authentication, authorization, and accounting (AAA) services based on a virtual routing and forwarding (VRF) instance. This feature allows the Cisco 10000 router to communicate directly with the customer RADIUS server without having to go through a RADIUS proxy.
Configuration Examples for RA to MPLS VPN

PPPoA to MPLS VPN Configuration Example

Example 3-12 shows how to configure the RA to MPLS VPN feature on the Cisco 10000 series router. In this example, one VRF is configured with 300 PPPoA sessions.

Example 3-12 Configuring PPPoA to MPLS VPN
!Enables the AAA access control model.
aaa new-model
!
!Configures AAA accounting.

interface GigabitEthernet2/0/0
 ip address 172.16.3.1 255.255.0.0
 negotiation auto
 tag-switching ip
!
interface ATM3/0/0
 no ip address
 atm flag s1s0 0
 atm sonet stm-4
 no atm ilmi-keepalive
!
interface ATM4/0/0
 no ip address
 load-interval 30
 no atm pxf queuing
 atm sonet stm-4
 no atm ilmi-keepalive
!
interface ATM4/0/0.

router ospf 200
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 network 10.1.1.1 0.0.0.0 area 40
 network 172.16.0.0 0.255.255.255 area 40
!
!Configures BGP to advertise the networks for each VPN.
router bgp 100
 bgp router-id 10.1.1.1
 no bgp default ipv4-unicast
 bgp cluster-id 671154433
 bgp log-neighbor-changes
 bgp bestpath scan-time 30
 bgp scan-time 30
 neighbor 10.1.1.4 remote-as 100
 neighbor 10.1.1.

PPPoE to MPLS VPN Configuration Example

Example 3-13 shows how to configure the RA to MPLS VPN feature with one VRF for PPPoE sessions.

Example 3-13 Configuring PPPoE to MPLS VPN
!
!Enables the AAA access control model.
aaa new-model
!
!Configures AAA accounting.

!
!Creates a loopback interface in the vpn1 VRF. You do this for each customer VRF you IP
!unnumber interfaces to.
interface Loopback1
 ip vrf forwarding vpn1
 ip address 10.24.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding vpn2
 ip address 10.8.1.2 255.255.255.255
!
!Configures the management interface. You should not configure VPN over the FastEthernet
!interface.

 class-int vpn
!
interface ATM6/0/0
 no ip address
 load-interval 30
 no atm pxf queuing
 atm clock INTERNAL
 atm sonet stm-4
 no atm ilmi-keepalive
!
interface ATM6/0/0.

!Defines the virtual template and associates the common VRF with it.
interface Virtual-Template1
 ip vrf forwarding common
 ip unnumbered Loopback1
 peer default ip address pool common
 ppp authentication chap
!
!Configures OSPF to advertise the networks.
router ospf 100
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.16.3.1 0.0.0.0 area 0
 network 10.1.0.0 0.0.255.255 area 0
 network 10.2.0.0 0.0.255.

!Specifies the RADIUS host and configures RADIUS accounting. radius-server retransmit is
!on by default and cannot be removed.
radius-server host 10.19.100.

  encapsulation aal5snap
!
interface atm8/0/0
 no atm pxf queuing
!
interface atm8/0/0.1 point-to-point
 ip vrf forwarding CustomerB
 ip unnumbered loopback2
 ip helper-address vrf CustomerB 192.168.3.1
 atm route-bridged ip
 range pvc 102/32 102/2031
  encapsulation aal5snap
!
router bgp 1
 no synchronization
 redistribute connected
 neighbor 192.168.1.2 remote-as 1
 neighbor 192.168.1.2 update-source loopback0
 neighbor 192.168.1.
Monitoring and Maintaining an MPLS Configuration

Verifying the Routing Protocol Is Running

To verify that the routing protocol is running, enter any of the following commands in privileged EXEC mode:

Command / Purpose
Router# show ip protocols
  Displays the parameters and current state of the active routing protocol process. Ensure that the protocol routes for the MPLS network and all neighbors are present.

To verify the connections between neighbors, enter any of the following commands in privileged EXEC mode:

Command / Purpose
Router# ping [protocol | tag] {host-name | system-address}
  Verifies basic network connectivity between neighbors.
Router# ping vrf vrf-name system-address
  Verifies connectivity to the VRF specified.
Router# debug mpls packet
  Verifies that MPLS labels are set.

Example 3-18 show mpls forwarding-table Command
Router# show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    10.1.0.0/16       0          AT9/0/0    10.4.4.2
17     Untagged    10.0.0.0/8        0          AT9/0/0    10.4.4.2
18     Untagged    192.168.0.0/16    0          AT9/0/1    10.6.6.2
19     Pop tag     192.168.2.1/32    624        Fa1/0/0    172.16.0.1
20     Pop tag     192.168.2.2/32    0          Fa1/0/1    172.16.0.
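When checking that MPLS labels are set across many PE routers, it helps to parse the show mpls forwarding-table output rather than read it by eye: an entry whose outgoing label is Untagged leaves the router as plain IP, so VPN traffic toward that prefix would not be label-switched through the core. The following Python is an added example, not part of this guide or of Cisco IOS; its sample output is constructed from the rows of Example 3-18, and the helper names (parse_forwarding_table, unlabeled_prefixes, check_expected_labels) are the example's own. It also accepts the newer "No Label" and "Pop Label" wording used by later IOS releases, which the page does not show.

```python
import re

# Constructed sample output reproducing the rows shown in Example 3-18
SAMPLE_OUTPUT = """\
Router# show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    10.1.0.0/16       0          AT9/0/0    10.4.4.2
17     Untagged    10.0.0.0/8        0          AT9/0/0    10.4.4.2
18     Untagged    192.168.0.0/16    0          AT9/0/1    10.6.6.2
19     Pop tag     192.168.2.1/32    624        Fa1/0/0    172.16.0.1
"""

# One forwarding entry: local label, outgoing label (numeric, "Untagged"/"No Label",
# or "Pop tag"/"Pop Label"), prefix, bytes switched, outgoing interface, next hop.
ROW_RE = re.compile(
    r"^(?P<local>\d+)\s+"
    r"(?P<outgoing>Untagged|No Label|Pop tag|Pop Label|\d+)\s+"
    r"(?P<prefix>\S+)\s+"
    r"(?P<bytes>\d+)\s+"
    r"(?P<interface>\S+)\s+"
    r"(?P<next_hop>\S+)\s*$"
)

UNLABELED = {"Untagged", "No Label"}


def parse_forwarding_table(text):
    """Turn show mpls forwarding-table output into a list of dicts; header and
    prompt lines do not match ROW_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append({
                "local_label": int(m["local"]),
                "outgoing_label": m["outgoing"],
                "prefix": m["prefix"],
                "bytes_switched": int(m["bytes"]),
                "interface": m["interface"],
                "next_hop": m["next_hop"],
            })
    return entries


def unlabeled_prefixes(entries):
    """Prefixes that this router forwards without an outgoing label."""
    return [e["prefix"] for e in entries if e["outgoing_label"] in UNLABELED]


def check_expected_labels(entries, expected_prefixes):
    """Map each expected core prefix that is absent or unlabeled to the problem found."""
    by_prefix = {e["prefix"]: e for e in entries}
    problems = {}
    for prefix in expected_prefixes:
        entry = by_prefix.get(prefix)
        if entry is None:
            problems[prefix] = "missing"
        elif entry["outgoing_label"] in UNLABELED:
            problems[prefix] = "untagged"
    return problems


if __name__ == "__main__":
    table = parse_forwarding_table(SAMPLE_OUTPUT)
    print(unlabeled_prefixes(table))
    print(check_expected_labels(table, ["192.168.2.1/32", "10.0.0.0/8", "10.99.0.0/16"]))
```

Feed check_expected_labels the loopback prefixes of the other PE routers: a "missing" or "untagged" result for a PE loopback is the usual reason a VPN route is learned by BGP but its traffic never reaches the far PE.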
  10.0.0.0/8
        in label:     17
  10.18.0.0/8
        out label:    16
  172.16.1.0/30
        in label:     imp-null
        out label:    imp-null    lsr: 192.168.1.1:0
        out label:    20          lsr: 172.16.1.18:0
  172.16.1.16/30
        in label:     imp-null
        out label:    16          lsr: 192.168.1.1:0
        out label:    imp-null    lsr: 172.16.1.

Monitoring and Maintaining the MPLS VPN

Verifying VRF Configurations

To verify VRF configurations, enter any of the following commands in privileged EXEC mode:

Command / Purpose
Router# show ip vrf
  Displays a summary of all VRFs present on the current router and their associated route distinguishers and interfaces. Use this command to verify the names and configuration of each VRF and the route distinguisher configuration at each PE router.

Verifying the PE to PE Routing Protocols

Border Gateway Protocol (BGP) is used for routing sessions between PE routers. To verify PE to PE routing sessions, enter any of the following commands in privileged EXEC mode:

Command / Purpose
Router# show ip bgp neighbors
  Displays detailed information on the BGP and TCP connections to individual neighbors.

Verifying the PE to CE Routing Protocol

If the CE router uses a routing protocol other than BGP (for example, RIP or OSPF), enter any of the following commands in privileged EXEC mode to verify the PE to CE routing sessions:

Command / Purpose
Router# show ip rip database vrf vrf-name
  Displays summary address entries in the Routing Information Protocol (RIP) routing database for the specified VRF.

Monitoring and Maintaining PPPoX to MPLS VPN

Command / Purpose
Router# ping [protocol | tag] {host-name | system-address}
  Verifies basic network connectivity between neighbors.
Router# ping vrf vrf-name system-address
  Tests network connectivity of the specified VRF from the PE router.

Example 3-27 ping vrf vrf-name system-address Command
Router# ping vrf vrf-1 192.168.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.

Monitoring and Maintaining RBE to MPLS VPN

Command / Purpose
Router# debug radius
  Displays information associated with the Remote Authentication Dial-In User (RADIUS) server.
Router# debug vpdn pppoe-events
  Displays PPPoE protocol errors that prevent a session from being established or errors that cause an established session to be closed.

Command / Purpose
Router# debug ip packet
  Displays general IP debugging information and IP security option (IPSO) security transactions.
  Note This command is useful if the RFC 1483 PVC does not connect.
Router# debug ip dhcp
  Displays information about DHCP client activities and the status of DHCP packets.
Chapter 4 Configuring Multiprotocol Label Switching

Multiprotocol label switching (MPLS) combines the performance and capabilities of Layer 2 (data link layer) switching with the proven scalability of Layer 3 (network layer) routing. MPLS enables service providers to meet the challenges of explosive growth in network utilization while providing the opportunity to differentiate services without sacrificing the existing network infrastructure.
BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN

Cisco Express Forwarding (CEF) uses the multipaths to perform load sharing, which can be performed on a per-packet or per-source/destination pair basis. By default, the BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN feature performs unequal cost load sharing by selecting BGP paths that do not have an equal cost of the Interior Gateway Protocol (IGP).

Restrictions for BGP Multipath Load Sharing for eBGP and iBGP in an MPLS VPN

The BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS VPN feature has the following restrictions:
• The Cisco 10000 series router supports recursive load sharing, but with the following restriction. In recursive load sharing, the information required to forward a packet requires at least 2 lookups.

The IGP Convergence Acceleration feature leverages the load balance infrastructure of equal paths for unequal paths. An indirection object is inserted for table output chain building. When the interface goes down, the routing protocols purge their routes and the inplace modifier prevents marking of labels with incomplete adjacency.

Configuring Multipath Load Sharing for eBGP and iBGP

To configure iBGP and eBGP routes for multipath load sharing, enter the following commands beginning in global configuration mode:

Command / Purpose
Step 1  Router(config)# router bgp as-number
        Configures the router to run a BGP process and enters router configuration mode.

eBGP and iBGP Multipath Load Sharing Configuration Example

Example 4-2 configures a router to select six eBGP or iBGP paths as multipaths in address family configuration mode:

Example 4-2 Configuring eBGP and iBGP Multipath Load Sharing
Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf vrf-1
Router(config-router-af)# maximum-paths eibgp 6

Verifying eBGP and iBGP M

Monitoring and Maintaining BGP Multipath Load Sharing for eBGP and iBGP

To display eBGP and iBGP multipath load sharing information, enter any of the following commands in privileged EXEC mode:

Command / Purpose
Router# show ip bgp all neighbors
  Displays information about the TCP and BGP connections to neighbors.
Router# show ip bgp vpnv4 all ip-prefix/length
  Displays attributes and multipaths for a network in an MPLS VPN.
IPv6 VPN over MPLS

[Figure: Simple IPv6 VPN Architecture. Labels recovered from the figure: Site-1 (2001:DB8:1:1000::/56, with Host-1 on 2001:DB8:1:1000::/64) connected through CE1 to PE1; P1 and P2 in the core (192.168.2.10, 192.168.2.11, 192.168.2.14); PE2 to CE2 to Site-2 (2001:DB8:1:2000::/64, 2001:DB8:1:2000::/5); VRF red; legend: iGP-v4 (OSPF, IS-IS), LDP-v4, IPv6 ND, iGP-v6 (e.g.]
Restrictions for Implementing IPv6 VPN over MPLS

The 6VPE feature has the following restrictions:
• 6VPE is supported by an MPLS IPv4-signaled core. An MPLS IPv6-signaled core is not supported.
• The maximum number of IPv6 VRFs that can be supported is 2038, including the global routing instance. However, of these 2038 VRFs, only 1200 eBGP sessions are supported; the remaining VRFs must use static routing.
BGP Features

The following features are supported on Cisco 10000 series routers by the IPv6 VPN over MPLS (6VPE) feature:
• Site of Origin (SoO)
  SoO is used to prevent routing loops in the case of a dual-homed CE. The 6VPE feature supports the SoO Attribute for control of IPv6 VPN routes in the same way as it is currently supported for IPv4 VPNs.

Using BGP Route Refresh, an MP-BGP speaker (PE and/or CE) can request another BGP speaker to resend its MP-BGP updates. For information on configuring this feature, see the Configuring BGP section in the Configuring BGP chapter of the Cisco IOS IP Configuration Guide, Release 12.2 Guide at: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfbgp.

• Model 2: Some VPNs may obtain Internet access via a VRF interface. If a packet is received by a PE over a VRF interface and the packet's destination address does not match any route in the VRF, the packet can be matched against the PE's default forwarding table. If the packet matches the PE’s default forwarding table, the packet can be forwarded natively through the backbone to the Internet instead of being forwarded by MPLS.

Diff-Serv on Ingress PE
• The 6VPE feature supports the same QoS mechanisms for IPv6 VPNs that are currently supported for IPv4 VPNs on the Ingress PE.

Diff-Serv on Egress PE
• The 6VPE feature supports the same QoS mechanisms for IPv6 VPNs that are currently supported for IPv4 VPNs on the Egress PE.

FRF.12
• The 6VPE feature supports FRF.

Example 4-4 Configuring IPv6 VPN over MPLS
version 12.

!
router isis
 net 49.0000.0000.0002.00
 redistribute connected metric 50
 passive-interface Loopback0
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 200.10.10.1 remote-as 100
 neighbor 200.10.10.1 update-source Loopback0
 neighbor 8008::72a remote-as 200
 !
 address-family ipv4
  neighbor 200.10.10.
Chapter 4 Configuring Multiprotocol Label Switching Session Limit Per VRF then associate a VPDN group with a specific VPDN template. By configuring a group session limit for a VPDN template, you can limit the maximum number of concurrent sessions allowed for all VPDN groups associated with the VPDN template. If you configure a group session limit for the default VPDN template (the unnamed VPDN template), that session limit is the same for all VPDN groups not associated with a named VPDN template.
Chapter 4 Configuring Multiprotocol Label Switching Session Limit Per VRF • VPDN parameters configured for the individual VPDN group are always applied to that VPDN group. • System default settings for VPDN parameters are applied for any settings not configured in the individual VPDN group or VPDN template. VPDN Template Configuration Not all commands that are available for configuring a VPDN group can be used to configure a VPDN template.
Chapter 4 Configuring Multiprotocol Label Switching Session Limit Per VRF Configuring Session Limit Per VRF To configure the session limit Per VRF feature on the Cisco 10000 series router, enter the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# vpdn enable Enables virtual private dialup networking (VPDN) on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server if one is present.
Chapter 4 Configuring Multiprotocol Label Switching Session Limit Per VRF Step 12 Command Purpose Router(config-vpdn)# session-limit session-number Limits the number of sessions allowed on the VPDN group. The session-number option is the maximum number of sessions allowed on the specified VPDN group. Valid values are from 0 to 32,767. Step 13 Repeat steps 7 through 12 to configure session limiting on additional VPDN groups.
Chapter 4 Configuring Multiprotocol Label Switching Session Limit Per VRF exit session-limit 5 vpdn-group group3 accept-dialin protocol any exit no source vpdn-template Example 4-6 creates a default VPDN template and three VPDN groups named groupA, groupB, and groupC. As indicated in the default VPDN template configuration, the maximum combined number of sessions allowed for all VPDN groups associated with the default template is 10 sessions. The local name of the default VPDN template is local-name.
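The precedence rules above (a group's own session-limit, the template's combined cap, the unnamed default template, and "no source vpdn-template") as a small model, added here as an illustration and not Cisco code; the group names, limits and session counts are constructed to mirror Example 4-6.

```python
"""Model of the VPDN session-limit precedence described above (added example,
not Cisco code): a group's own session-limit always applies to that group, a
template's group session limit caps the combined sessions of every group
associated with it, groups not tied to a named template fall under the unnamed
default template, and 'no source vpdn-template' detaches a group from templates.
All names and numbers below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_TEMPLATE = ""      # the unnamed (default) VPDN template
MAX_SESSION_LIMIT = 32767  # upper bound of session-limit given on the page
NO_TEMPLATE = None         # models 'no source vpdn-template'


@dataclass
class VpdnTemplate:
    name: str
    group_session_limit: Optional[int] = None  # combined cap across member groups


@dataclass
class VpdnGroup:
    name: str
    session_limit: Optional[int] = None   # per-group cap, 0..32767
    template: Optional[str] = DEFAULT_TEMPLATE
    sessions: int = 0


class VpdnSessionLimiter:
    def __init__(self) -> None:
        self.templates: Dict[str, VpdnTemplate] = {
            DEFAULT_TEMPLATE: VpdnTemplate(DEFAULT_TEMPLATE)}
        self.groups: Dict[str, VpdnGroup] = {}

    def add_template(self, tmpl: VpdnTemplate) -> None:
        self.templates[tmpl.name] = tmpl

    def add_group(self, group: VpdnGroup) -> None:
        lim = group.session_limit
        if lim is not None and not 0 <= lim <= MAX_SESSION_LIMIT:
            raise ValueError(f"{group.name}: session-limit outside 0..{MAX_SESSION_LIMIT}")
        if group.template is not NO_TEMPLATE and group.template not in self.templates:
            raise ValueError(f"{group.name}: unknown vpdn-template {group.template!r}")
        self.groups[group.name] = group

    def template_sessions(self, template_name: str) -> int:
        """Combined live sessions of all groups associated with a template."""
        return sum(g.sessions for g in self.groups.values() if g.template == template_name)

    def check(self, group_name: str) -> Tuple[bool, str]:
        """Decide whether one more session may be accepted on a group."""
        group = self.groups[group_name]
        # The group-level setting always wins; with none set, only the template
        # cap applies (assumed system default: no per-group limit).
        if group.session_limit is not None and group.sessions >= group.session_limit:
            return False, f"{group_name}: group session-limit {group.session_limit} reached"
        if group.template is not NO_TEMPLATE:
            tmpl = self.templates[group.template]
            cap = tmpl.group_session_limit
            if cap is not None and self.template_sessions(group.template) >= cap:
                label = tmpl.name or "default"
                return False, f"{group_name}: template {label} group-session-limit {cap} reached"
        return True, "accepted"

    def open_session(self, group_name: str) -> Tuple[bool, str]:
        ok, why = self.check(group_name)
        if ok:
            self.groups[group_name].sessions += 1
        return ok, why


def build_example() -> VpdnSessionLimiter:
    """Constructed topology: default template capped at 10 combined sessions,
    groupA and groupB inherit it, group3 has session-limit 5 and no template."""
    lim = VpdnSessionLimiter()
    lim.add_template(VpdnTemplate(DEFAULT_TEMPLATE, group_session_limit=10))
    lim.add_group(VpdnGroup("groupA"))
    lim.add_group(VpdnGroup("groupB"))
    lim.add_group(VpdnGroup("group3", session_limit=5, template=NO_TEMPLATE))
    return lim


def run_scenario() -> Dict[str, int]:
    """Open sessions until each cap bites; return how many each group got."""
    lim = build_example()
    for _ in range(8):
        lim.open_session("groupA")   # all 8 accepted
    for _ in range(5):
        lim.open_session("groupB")   # only 2 accepted: shared cap of 10 is hit
    for _ in range(7):
        lim.open_session("group3")   # 5 accepted by its own cap; template cap irrelevant
    return {name: g.sessions for name, g in lim.groups.items()}


if __name__ == "__main__":
    print(run_scenario())
```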
Monitoring and Maintaining Session Limit Per VRF
To monitor and maintain the session limit Per VRF feature, enter the following commands in privileged EXEC mode:

Command: Router# show vpdn session [all [interface | tunnel | username] | packets | sequence | state | timers | window]
Purpose: Displays VPDN session information including interface, tunnel, username, packets, status, and window statistics.

The HDVRF feature addresses the limitations previously imposed on hub and spoke topologies by removing the requirement of one VRF per spoke and ensuring that subscriber traffic always traverses the central link between the wholesale service provider and the ISP, whether the subscriber traffic is being routed to a remote network by way of the upstream ISP or to another locally or remotely connected subscriber.

The Cisco 10000 series router redistributes routes from the downstream VRF into Multiprotocol Border Gateway Protocol (MP-BGP). The spoke PE router typically advertises a summary route across the MPLS core for the connected spokes. The upstream VRF configured on the hub PE router imports the advertised summary route.

Configuration Tasks for Half-Duplex VRF
To configure the Half-Duplex VRF feature, perform the following configuration tasks:
• Configuring Upstream and Downstream VRFs on the L2TP Access Concentrator and PE Router, page 4-24
• Associating VRFs, page 4-25
• Configuring RADIUS, page 4-26

Configuring Upstream and Downstream VRFs on the L2TP Access Concentrator and PE Router
To configure the upstream and downstream VRFs on the PE route

Associating VRFs
After you define and configure the VRFs on the PE routers, associate each VRF with:
• An interface or subinterface, or
• A virtual template interface
The virtual template interface is used to create and configure a virtual access interface (VAI). For information about configuring a virtual template interface, see the “Configuring a Virtual Template Interface” section on page 3-17.
Configuring RADIUS
To configure the downstream VRF for an AAA server, enter the following Cisco attribute value:
cisco-avpair = “ip:vrf-id=vrf-name1 downstream vrf-name2”
where:
The vrf-name1 argument is the name of the VRF associated with the subinterface or virtual template interface.
The vrf-name2 argument is the name of the downstream VRF into which all of the subscriber routes from the AAA server are installed.

Hub and Spoke Sample Configuration with Half-Duplex VRFs
Example 4-11 shows how to connect two PPPoE clients to a single VRF pair on the spoke PE router named Lipno. Although both PPPoE clients are configured in the same VRF, all communication occurs using the hub PE router. Half-duplex VRFs are configured on the spoke PE. The client configuration is downloaded to the spoke PE from the RADIUS server.

  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf U
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf D
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
!
ip local pool U-pool 2.8.1.1 2.8.1.100
!
radius-server host 22.0.20.

Monitoring and Maintaining Half-Duplex VRF
To monitor and maintain upstream and downstream VRFs, enter any of the following commands in privileged EXEC mode:

Command: Router# show cef interface virtual-interface number internal
Purpose: Displays internal information about the virtual access interface (VAI) you specify, including the downstream VRF associated with the VAI.

Example 4-14 shows how to display information about the interface named virtual-access 4.

Example 4-14 show running-config interface—virtual-access 4
Lipno# show running-config interface virtual-access 4
Building configuration...
Current configuration : 92 bytes
!
interface Virtual-Access4
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end

Example 4-15 shows how to display the routing table for the downstream VRF named D.
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server

The Cisco 10000 series router supports the Layer 2 Tunnel Protocol (L2TP) to allow users and telecommuters to connect to their corporate intranets or extranets. The Cisco 10000 series router supports the Layer 2 access concentrator (LAC) and Managed L2TP network server features. These features enable the Cisco 10000 series router to act as either a LAC or an LNS device.

Feature History for IP Reassembly
Cisco IOS Release | Description | Required PRE
12.3(7)XI1 | This feature was integrated into Cisco IOS Release 12.3(7)XI1. | PRE2
12.2(28)SB | This feature was integrated into Cisco IOS Release 12.2(28)SB. | PRE2

Layer 2 Access Concentrator
The Cisco 10000 series router supports the Layer 2 access concentrator (LAC) feature.

Figure 5-1 Terminating and Forwarding Sessions from the LAC
[figure: clients send PPPoX and PPPoE sessions over an OC-3/OC-12 ATM network to the Cisco 10000 ESR, which forwards IP routed traffic over GigEthernet or OC-12 POS to the ISP/corporate network; AAA servers and EMS/NMS attach to the router]

Figure 5-2 Placing Sessions from the LAC in VRFs
[figure: CPE, wholesale LNS provider, retail LNS provider, Cisco 100

Tunnel Sharing
The tunnel sharing feature enables sessions that are authorized with different domains to share the same tunnel. Tunnel sharing reduces the number of tunnels required from the LAC. When used with the L2TP multihop feature, tunnel sharing also reduces the number of tunnels to an LNS.

Static Tunnel Selection
The static tunnel selection feature specifies a domain name for a PVC on an ATM interface. The LAC uses the specified domain name to select a tunnel for all PPP sessions originating from the PVC. This feature ignores the domains subscribers indicate in their usernames and forces the subscribers to a specific destination.

Session Load Balancing
The session load balancing feature enables the LAC to direct sessions across multiple LNS devices. The LAC retrieves L2TP tunnel (VPDN) information from local configuration or a RADIUS server. Both configuration methods support load balancing, but using RADIUS is more scalable than the local method.

Restrictions for LAC
When configured as a LAC device, the Cisco 10000 series router has the following restrictions:
• The L2TP LAC per session features do not support PPP quality of service (QoS) and security access control lists (ACLs).
• The Cisco 10000 series router does not support the configuration of L2TP tunnels over the management Fast Ethernet interface.

Enabling Sessions with Different Domains to Share the Same Tunnel
To enable sessions authorized with different domains to share the same tunnel, enter the following commands:

Step 1
Command: Router> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: Router# config terminal
Purpose: Enters global configuration mode.

Step 1
Command: Router> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: Router# config terminal
Purpose: Enters global configuration mode.

Step 3
Command: Router(config)# interface atm 0/0/0[.subinterface-number] {multipoint | point-to-point | tag-switching}
Purpose: Specifies the ATM interface and optional subinterface.

Configuring a Static Domain Name on a Virtual Circuit Class
To configure a static domain name on a VC class, enter the following commands beginning in global configuration mode:

Step 1
Command: Router> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: Router# config terminal
Purpose: Enters global configuration mode.

Enabling Domain Preauthorization
To enable the LAC to perform domain authorization before tunneling, enter the following commands:

Step 1
Command: Router> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: Router# config terminal
Purpose: Enters global configuration mode.

Step 3
Command: Router(config)# vpdn authorize domain
Purpose: Enables domain preauthorization.

Step 5
Command: Router(config)# radius-server attribute 44 include-in-access-req vrf vrf-name
Purpose: Sends RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication).

Step 6
Command: Router(config)# radius-server domain-stripping vrf vrf-name
Purpose: (Optional) Enables VRF-aware domain-stripping.

Step 6
Command: Router(config-vpdn-req-in)# domain domain-name
Purpose: Initiates a tunnel based on the client-supplied domain name.

Step 7
Command: Router(config-vpdn-req-in)# exit
Purpose: Returns to VPDN group mode.

VPDN Group
The vpdn-group attribute specifies the group to which the service belongs. All services with matching group names are considered members of the same VPDN group. This attribute has the following syntax:
Cisco-AVpair=“vpdn:vpdn-group=group-name”
group-name is the group to which the service belongs.
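A parser for the two Cisco-AVpair formats this guide spells out, the HDVRF attribute "ip:vrf-id=vrf-name1 downstream vrf-name2" from the Configuring RADIUS section and the "vpdn:vpdn-group=group-name" attribute above, useful for validating a profile before it is loaded on the AAA server. This is an added example, not Cisco code; the profile fragment is constructed, with the VRF names U and D borrowed from the hub-and-spoke example.

```python
"""Parser for the two Cisco-AVpair formats shown on this page (added example,
not Cisco code). Both straight and typographic quotes are accepted because the
guide prints both. The sample profile at the bottom is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

_QUOTE = '["\u201c\u201d]'
_AVPAIR = re.compile(
    r'^\s*cisco-avpair\s*=\s*' + _QUOTE +
    r'(?P<proto>[a-z]+):(?P<attr>[a-z][\w-]*)=(?P<value>[^"\u201c\u201d]*)' +
    _QUOTE + r'\s*$',
    re.IGNORECASE)
_NAME = re.compile(r'^[^\s"]+$')   # a VRF or group name: one non-blank token


@dataclass(frozen=True)
class VrfAssignment:
    vrf: str
    downstream_vrf: Optional[str]   # None for a plain (full-duplex) VRF binding

    def ios_command(self) -> str:
        """The interface-level command this attribute corresponds to on the PE."""
        if self.downstream_vrf is None:
            return f"ip vrf forwarding {self.vrf}"
        return f"ip vrf forwarding {self.vrf} downstream {self.downstream_vrf}"


@dataclass(frozen=True)
class VpdnGroupMembership:
    group: str


ParsedAvpair = Union[VrfAssignment, VpdnGroupMembership]


def parse_cisco_avpair(line: str) -> ParsedAvpair:
    """Parse one cisco-avpair line; raise ValueError on anything malformed."""
    m = _AVPAIR.match(line)
    if not m:
        raise ValueError(f"not a cisco-avpair line: {line!r}")
    proto, attr, value = m["proto"].lower(), m["attr"].lower(), m["value"].strip()
    if (proto, attr) == ("ip", "vrf-id"):
        parts = value.split()
        if len(parts) == 1 and _NAME.match(parts[0]):
            return VrfAssignment(parts[0], None)
        if (len(parts) == 3 and parts[1] == "downstream"
                and all(_NAME.match(p) for p in (parts[0], parts[2]))):
            return VrfAssignment(parts[0], parts[2])
        raise ValueError(f"malformed ip:vrf-id value: {value!r}")
    if (proto, attr) == ("vpdn", "vpdn-group"):
        if not _NAME.match(value):
            raise ValueError(f"malformed vpdn-group name: {value!r}")
        return VpdnGroupMembership(value)
    raise ValueError(f"unsupported attribute {proto}:{attr}")


def parse_profile(text: str) -> List[ParsedAvpair]:
    """Parse every cisco-avpair line of a profile fragment; other lines are ignored."""
    return [parse_cisco_avpair(ln) for ln in text.splitlines() if "avpair" in ln.lower()]


# Constructed RADIUS profile fragment (not from the page); the third line uses
# typographic quotes on purpose.
SAMPLE_PROFILE = """\
Service-Type = Framed
cisco-avpair = "ip:vrf-id=U downstream D"
Cisco-AVpair = \u201cvpdn:vpdn-group=groupA\u201d
"""

if __name__ == "__main__":
    for item in parse_profile(SAMPLE_PROFILE):
        print(item)
```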
Example 5-8 Configuring the RADIUS User Profile for Domain Preauthorization
user = nas-port:10.16.9.9:0/0/0/30.33{
  profile_id = 826
  profile_cycle = 1
  radius=Cisco {
    check_items = {
      2=cisco
    }
    reply_attributes= {
      9,1=”vpdn:vpd-domain-list=net1.com,net2.

Configuring Sessions Per Tunnel Limiting in the RADIUS Service Profile
To use a RADIUS server to limit the number of sessions per tunnel, enter the following Cisco-AVpair attributes in the RADIUS service profile:
• vpdn:ip-addresses
• vpdn:ip-address-limits

Note You can configure the RADIUS server or the LAC to limit the number of sessions per tunnel.

Verifying Sessions Per Tunnel Limiting in the RADIUS Service Profile
To verify the RADIUS service profile, see the user documentation for your RADIUS server.

Configuration Example for LAC
The following example is a basic LAC configuration in which the LNS authenticates the PPP sessions.

Current configuration : 4882 bytes
!
version 12.

buffers small permanent 15000
buffers middle permanent 12000
buffers large permanent 1000
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0/0
 ip address 23.3.6.3 255.255.0.0
 full-duplex
!
interface GigabitEthernet1/0/0
 no ip address
 no ip mroute-cache
 negotiation auto
 hold-queue 4096 in
 hold-queue 4096 out
!
interface GigabitEthernet1/0/0.

interface ATM3/0/0.41104
 pvc 41/104
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.41105
 pvc 41/105
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.41106
 pvc 41/106
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.41107
 pvc 41/107
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.

 !
!
interface ATM3/0/0.41115
 pvc 41/115
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.41116
 pvc 41/116
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.41117
 pvc 41/117
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.41118
 pvc 41/118
  encapsulation aal5snap
  protocol pppoe
 !
!
interface ATM3/0/0.

interface ATM4/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0/1
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0/2
 no ip address
 no atm ilmi-keepalive
!
interface ATM4/0/3
 no ip address
 no atm ilmi-keepalive
!
interface GigabitEthernet5/0/0
 no ip address
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered Loopback1
 keepalive 30
 no peer default ip address
 ppp authe

Command: Router# show vpdn session
Purpose: Verifies active L2TP sessions in a VPDN environment.

Command: Router# show vpdn tunnel
Purpose: Verifies active L2TP tunnel information in a VPDN environment.

L2TP Network Server
The Cisco 10000 series router can function as an L2TP network server (LNS). By using the managed LNS features introduced in Cisco IOS Release 12.

• Tunnel Accounting, page 5-25
• Tunnel Authentication, page 5-25
• Named Method Lists, page 5-27
• Framed-Route VRF Aware, page 5-27
• Feature History for LNS, page 5-28
• Restrictions for the LNS, page 5-28
• Prerequisites for LNS, page 5-28
• Required Configuration Tasks for LNS, page 5-29
• Optional Configuration Tasks for LNS, page 5-30
• Configuration Examples for LNS, page

To be VRF aware, ISPs must define multiple instances of the same operational parameters and secure them to the VRF partitions. Securing AAA parameters to a VRF can be accomplished from one or more of the following sources:
• Virtual template—Used as a generic interface configuration.
• Service provider AAA server—Used to associate a remote user with a specific VPN based on the domain name.

When you activate packet fragmentation, the router clears the DF bit of packets entering all L2TP tunnels and fragments the packets, but only if the packets exceed the session MTU. Clearing the DF bit allows packets to be fragmented. If a packet enters an L2TP tunnel, but it does not exceed the MTU, the router does not clear the DF bit.
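The decision just described, as an added example that is not Cisco code: a packet entering the tunnel is fragmented with DF cleared only when it exceeds the session MTU, and is otherwise passed through with DF untouched. The fragmentation arithmetic (20-byte header without options, 8-byte offset units) and the drop of an oversized DF packet when fragmentation is off follow RFC 791 and are assumptions, not statements from this page.

```python
"""Packet handling at L2TP tunnel entry when packet fragmentation is active
(added example, not Cisco code). Fragment arithmetic follows RFC 791 with an
assumed 20-byte IPv4 header; the oversized-DF drop when fragmentation is off is
standard IPv4 behaviour, not something this page states."""
from dataclasses import dataclass
from typing import List

IPV4_HEADER_LEN = 20  # assumed: no IP options


@dataclass(frozen=True)
class Packet:
    total_length: int          # IPv4 total length in bytes
    df: bool                   # Don't Fragment flag
    more_fragments: bool = False
    fragment_offset: int = 0   # in 8-byte units


def fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """Split pkt into fragments whose total length does not exceed mtu."""
    payload = pkt.total_length - IPV4_HEADER_LEN
    # every fragment but the last must carry a multiple of 8 payload bytes
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags: List[Packet] = []
    sent = 0
    while sent < payload:
        chunk = min(max_payload, payload - sent)
        frags.append(Packet(
            total_length=IPV4_HEADER_LEN + chunk,
            df=False,                                   # DF cleared on every fragment
            more_fragments=(sent + chunk) < payload or pkt.more_fragments,
            fragment_offset=pkt.fragment_offset + sent // 8,
        ))
        sent += chunk
    return frags


def enter_l2tp_tunnel(pkt: Packet, session_mtu: int,
                      fragmentation_active: bool) -> List[Packet]:
    """Return the packets handed to the tunnel (an empty list means dropped)."""
    if pkt.total_length <= session_mtu:
        return [pkt]                        # fits: DF left exactly as received
    if fragmentation_active:
        return fragment(pkt, session_mtu)   # exceeds MTU: DF cleared, fragmented
    if pkt.df:
        return []                           # RFC 791: DF set and too big -> discard
    return fragment(pkt, session_mtu)       # DF clear: ordinary IP fragmentation


def reassembled_length(frags: List[Packet]) -> int:
    """Check helper: the datagram length the fragments reassemble to."""
    if not frags:
        return 0
    last = max(frags, key=lambda f: f.fragment_offset)
    return IPV4_HEADER_LEN + last.fragment_offset * 8 + (last.total_length - IPV4_HEADER_LEN)


if __name__ == "__main__":
    # constructed sample: a 1500-byte DF packet into a session whose MTU is 1460
    for f in enter_l2tp_tunnel(Packet(1500, df=True), 1460, True):
        print(f)
```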
Figure 5-4 Tunnel Authorization and Authentication
[figure: client, PPPoE, LAC, L2TP, LNS, with a tunnel RADIUS server and a customer RADIUS server]

As shown in Figure 5-4, typically, a tunnel RADIUS server is used for tunnel authorization and a separate user RADIUS server is used for RADIUS tunnel authentication.

Named Method Lists
To configure authentication, authorization, and accounting (AAA), you first define a named list of methods and then apply that list to various interfaces. The named method list defines the types of authentication or accounting to be performed and the sequence in which they will be performed.

Feature History for LNS
Cisco IOS Release | Description | Required PRE
12.2(4)BZ1 | This feature was introduced on the Cisco 10000 series router. | PRE1
12.3(7)XI1 | This feature was integrated into Cisco IOS Release 12.3(7)XI1. | PRE2
12.2(28)SB | This feature was integrated into Cisco IOS Release 12.2(28)SB. | PRE2

Required Configuration Tasks for LNS
To configure the Cisco 10000 series router as an LNS, perform the following required configuration tasks:
• Configuring the Virtual Template Interface, page 5-29
• Configuring the LNS to Initiate and Receive L2TP Traffic, page 5-29

Note You must also configure the LAC and RADIUS server to communicate with the LNS.

Step 6
Command: Router(config-vpdn-acc-in)# protocol l2tp
Purpose: Specifies the Layer 2 Tunnel Protocol.

Step 7
Command: Router(config-vpdn-acc-in)# virtual-template template-number
Purpose: Specifies the virtual template to be used to clone virtual access interfaces.

Step 8
Command: Router(config-vpdn-acc-in)# exit
Purpose: Returns to VPDN group configuration mode.

Configuring per VRF AAA Services
To configure per VRF AAA services, perform the following tasks:
• Enabling AAA, page 5-31
• Configuring Private Server Parameters, page 5-31
• Configuring AAA for the VRF, page 5-32
• Configuring RADIUS-Specific Commands for the VRF, page 5-34

Note For more information about configuring AAA parameters, see the Cisco IOS Security Configuration Guide, Releas

Step 4
Command: Router(config-sg-radius)# server-private ip-address timeout seconds retransmit retries key string
Purpose: Configures the IP address of the private RADIUS server for the group server. The ip-address argument specifies the IP address of the private RADIUS server host. (Optional) The seconds argument specifies the timeout value (1 to 1000).

Step 4
Command: Router(config)# aaa authorization network list-name method1 [method2...]
Purpose: Sets parameters that restrict user access to a network. The list-name argument is a character string used to name the list of authentication methods tried when a user logs in. The method1[method2...

Configuring RADIUS-Specific Commands for the VRF
To configure AAA global RADIUS-specific commands for the VRF definition, enter the following commands:

Step 1
Command: Router> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: Router# config terminal
Purpose: Enters global configuration mode.

Step 10
Command: Router(config)# radius-server attribute 44 include-in-access-req vrf vrf-name
Purpose: Sends RADIUS attribute 44 in access request packets before user authentication and enables the specification on a per VRF basis. The vrf vrf-name keyword and argument specify the per VRF configuration.

Configuring a VRF on the LNS
To configure a VRF, enter the following commands:

Step 1
Command: Router> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: Router# config terminal
Purpose: Enters global configuration mode.

Step 3
Command: Router(config)# ip vrf vrf-name
Purpose: Enters VRF configuration mode and defines the VPN routing instance by assigning a VRF name.

Verifying Sessions per Tunnel Limiting on the LNS
To verify sessions per tunnel limiting on the LNS, enter the following commands:

Command: Router# show running-config
Purpose: Displays the current router configuration. Check the output to verify that you successfully configured the maximum number of sessions per tunnel.

Step 8
Command: Router(config-sg-radius)# exit
Purpose: Exits server-group configuration mode.

Step 9
Command: Router(config)# radius-server attribute list listname
Purpose: Defines the list name given to the set of attributes defined using the attribute command. Define the listname argument to be the same as you defined it in step 5.

Step 10
Command: Router(config-sg-radius)# attribute value1 [value2 [value3...

Configuring the LNS for RADIUS Tunnel Accounting
To configure the LNS for RADIUS tunnel accounting, perform the following required configuration tasks:
• Configuring AAA Accounting Using Named Method Lists, page 5-39
• Configuring RADIUS for Tunnel Accounting, page 5-39

Configuring AAA Accounting Using Named Method Lists
To configure AAA accounting using named method lists, enter the following

Table 5-1 describes the values for the Acct-Status-Type attribute that support tunnel accounting on the RADIUS server.

Table 5-1 Acct-Status-Type Values for RADIUS Tunnel Accounting
Acct-Status-Type | Value | Description
Tunnel-Start | 9 | Marks the establishment of a tunnel with another device.
Tunnel-Stop | 10 | Marks the destruction of a tunnel to or from another device.

Acct-Status-Type = Tunnel-Stop
Acct-Delay-Time = 0
Acct-Input-Octets = 108276
Acct-Output-Octets = 65986
Acct-Session-Id = 00000B3D
Acct-Authentic = RADIUS
Acct-Session-Time = 57
Acct-Input-Packets = 2578
Acct-Output-Packets = 2823
Acct-Terminate-Cause = NAS Error
Acct-Multi-Session-Id = 00000B3D
Tunnel-Client-Auth-ID_tag0 = LAC1
Tunnel-Server-Auth-ID_tag0 = LNS1
Ascend-Connect-Progress = Call-Up A
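A parser and start/stop correlator for tunnel accounting records in the attribute = value layout shown above, keyed on the Acct-Status-Type values of Table 5-1, of the kind an operator would run over the RADIUS accounting log to spot tunnels that stopped abnormally or stopped without ever starting. Added example, not Cisco code: the Tunnel-Stop values are the ones printed above, the Tunnel-Start record, the timestamps and the second session are constructed, the "normal" terminate-cause set is an assumption, and the values 11 to 14 are taken from RFC 2867 rather than from this table.

```python
"""RADIUS tunnel accounting record parser and Start/Stop correlation (added
example, not Cisco code). Values 9 and 10 are from Table 5-1; 11..14 are the
remaining tunnel values of RFC 2867 and are an assumption here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCT_STATUS_TYPE = {
    "Tunnel-Start": 9, "Tunnel-Stop": 10,            # Table 5-1
    "Tunnel-Reject": 11, "Tunnel-Link-Start": 12,    # RFC 2867 (assumed)
    "Tunnel-Link-Stop": 13, "Tunnel-Link-Reject": 14,
}
# assumed set of causes treated as routine; anything else is flagged
NORMAL_TERMINATE_CAUSES = {"User-Request", "Lost-Carrier", "Idle-Timeout",
                           "Session-Timeout", "Admin-Reset"}


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a log into blank-line separated records; a line without '=' is
    taken as the record timestamp and kept under '_timestamp'."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        else:
            current["_timestamp"] = line
    if current:
        records.append(current)
    return records


@dataclass
class TunnelSummary:
    session_id: str
    started: bool = False
    stopped: bool = False
    terminate_cause: Optional[str] = None
    session_time: int = 0
    input_octets: int = 0
    output_octets: int = 0
    peers: str = ""
    anomalies: List[str] = field(default_factory=list)


def correlate(records: List[Dict[str, str]]) -> Dict[str, TunnelSummary]:
    """Pair Tunnel-Start and Tunnel-Stop by Acct-Session-Id and flag what an
    operator would want to see: stops without a start, abnormal causes, and
    status types outside the tunnel accounting set."""
    out: Dict[str, TunnelSummary] = {}
    for rec in records:
        status = rec.get("Acct-Status-Type", "")
        sid = rec.get("Acct-Session-Id", "<none>")
        s = out.setdefault(sid, TunnelSummary(sid))
        if status not in ACCT_STATUS_TYPE:
            s.anomalies.append(f"unexpected Acct-Status-Type {status!r}")
            continue
        if status == "Tunnel-Start":
            s.started = True
            s.peers = (f"{rec.get('Tunnel-Client-Auth-ID_tag0', '?')}->"
                       f"{rec.get('Tunnel-Server-Auth-ID_tag0', '?')}")
        elif status == "Tunnel-Stop":
            if not s.started:
                s.anomalies.append("Tunnel-Stop without matching Tunnel-Start")
            s.stopped = True
            s.terminate_cause = rec.get("Acct-Terminate-Cause")
            s.session_time = int(rec.get("Acct-Session-Time", 0))
            s.input_octets = int(rec.get("Acct-Input-Octets", 0))
            s.output_octets = int(rec.get("Acct-Output-Octets", 0))
            if s.terminate_cause not in NORMAL_TERMINATE_CAUSES:
                s.anomalies.append(f"abnormal terminate cause {s.terminate_cause!r}")
    return out


# Constructed sample log: Stop record values as printed on the page, the rest invented.
SAMPLE_LOG = """\
Wed, 15 Jan 2003 16:34:27
Acct-Status-Type = Tunnel-Start
Acct-Session-Id = 00000B3D
Acct-Authentic = RADIUS
Tunnel-Client-Auth-ID_tag0 = LAC1
Tunnel-Server-Auth-ID_tag0 = LNS1

Wed, 15 Jan 2003 16:35:24
Acct-Status-Type = Tunnel-Stop
Acct-Delay-Time = 0
Acct-Input-Octets = 108276
Acct-Output-Octets = 65986
Acct-Session-Id = 00000B3D
Acct-Authentic = RADIUS
Acct-Session-Time = 57
Acct-Input-Packets = 2578
Acct-Output-Packets = 2823
Acct-Terminate-Cause = NAS Error
Acct-Multi-Session-Id = 00000B3D
Tunnel-Client-Auth-ID_tag0 = LAC1
Tunnel-Server-Auth-ID_tag0 = LNS1

Wed, 15 Jan 2003 16:40:02
Acct-Status-Type = Tunnel-Stop
Acct-Session-Id = 00000B41
Acct-Session-Time = 3
Acct-Terminate-Cause = User-Request
"""

if __name__ == "__main__":
    for sid, summary in correlate(parse_records(SAMPLE_LOG)).items():
        print(sid, summary.peers, summary.anomalies)
```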
Configuring the LNS for RADIUS Tunnel Authentication
To configure the LNS for RADIUS tunnel authentication, perform the following required configuration tasks:
• Configuring RADIUS Tunnel Authentication Method Lists on the LNS, page 5-42
• Configuring AAA Authentication Methods, page 5-43
• Configuring Vendor-Specific Attributes on RADIUS, page 5-44

Note Cisco 10000 series router supports

Step 3
Command: Router(config)# vpdn tunnel authorization virtual-template
Purpose: Specifies the default virtual template interface used to clone a virtual access interface (VAI). If you do not specify a virtual template interface in the local VPDN group configuration or in a remote RADIUS configuration, then this default virtual template interface is used.

Configuring Vendor-Specific Attributes on RADIUS
Cisco IOS Release 12.2(15)BX adds Cisco-specific VPDN RADIUS attributes to support RADIUS tunnel authentication. To configure the RADIUS server for tunnel authentication, you must configure the following vendor-specific attributes (VSAs) on the RADIUS server:
• vpdn-vtemplate—Specifies the virtual template number to use for cloning on the LNS.

Configuration Examples for LNS
This section provides example configurations for the following features:
• Managed LNS Configuration Example, page 5-45
• Tunnel Accounting Configuration Examples, page 5-47
• Tunnel Authentication Configuration Examples, page 5-50

Managed LNS Configuration Example
Example 5-17 is an example of how to configure the Managed LNS features on the Cisco 10000 series

 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname lac1-vpn1
 local name r4-1
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 1511021F0725
 l2tp tunnel receive-window 100
 l2tp tunnel retransmit retries 7
 l2tp tunnel retransmit timeout min 2
!
!Terminates the tunnel from the LAC.

 ppp authorization vpn1
 ppp accounting vpn1
!
!Associates the VRF with the virtual template interface.
interface Virtual-Template2
 ip vrf forwarding vpn2
 ip unnumbered Loopback2
 no peer default ip address
 ppp authentication chap vpn2
 ppp authorization vpn2
 ppp accounting vpn2
!
!Enters the VRFs in the routing table.
ip classless
ip route vrf vpn1 192.168.4.2 255.255.255.0 192.168.5.

LNS Tunnel Accounting Configuration Example
Example 5-18 shows how to configure the LNS to send tunnel accounting records to the RADIUS server.

Example 5-18 Configuring the LNS for Tunnel Accounting
aaa new-model
!
!
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$ftf.

!
interface Virtual-Template2
 ip unnumbered Loopback1
 peer default ip address pool vpdn-pool2
 ppp authentication chap
!
interface FastEthernet0
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip local pool vpdn-pool1 172.16.5.1 172.16.128.100
ip local pool vpdn-pool2 10.0.0.1 10.0.0.100
ip default-gateway 10.1.26.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.26.

Example 5-20 RADIUS Tunnel Accounting Record
Wed, 15 Jan 2003 16:34:27
User-Name = gomer1@hello101
NAS-IP-Address = 23.1.2.10
NAS-Port = 550
Service-Type = Framed
Framed-Protocol = PPP
Ascend-Multilink-ID = 2877
Ascend-PreSession-Time = 0
Tunnel-Type_tag0 = L2TP
Tunnel-Medium-Type_tag0 = IPv4
Tunnel-Client-Endpoint_tag0 = 10.2.2.1
Tunnel-Server-Endpoint_tag0 = 10.2.2.

LNS Configuration to Support RADIUS Tunnel Authentication
The following example is an LNS configuration that supports RADIUS tunnel authentication. In this configuration, a RADIUS server group is defined by using the aaa group server radius VPDN-Group command. The aaa authorization network mymethodlist group VPDN-Group command queries RADIUS for network authorization.

Command: Router# show vpdn tunnel
Purpose: Displays information about all active L2TP tunnels in a VPDN.

Command: Router# show vpdn tunnel all
Purpose: Displays information about all active L2TP tunnels.

Command: Router# debug aaa accounting
Purpose: Displays information on accountable events as they occur.

Command: Router# debug aaa authorization
Purpose: Displays information on AAA authorization.
CH A P T E R 6 Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN The Cisco 10000 series router allows the tunneling and termination of PPP sessions over Ethernet links. The PPPoE over Ethernet interface (PPPoEoE) feature enables the Cisco 10000 series router to tunnel and terminate Ethernet PPP sessions over Ethernet links. The PPPoE over IEEE 802.1Q VLANs feature enables the router to tunnel and terminate Ethernet PPP sessions across VLAN links. IEEE 802.
PPPoE over Ethernet

Feature History for PPPoE over Ethernet

Cisco IOS Release   Description                                                       Required PRE
12.2(4)BZ1          This feature was introduced on the Cisco 10000 series router.    PRE1
12.3(7)XI1          This feature was integrated into Cisco IOS Release 12.3(7)XI1.   PRE2
12.2(28)SB          This feature was integrated into Cisco IOS Release 12.2(28)SB.

Creating an Ethernet Interface and Enabling PPPoE

To create an Ethernet interface and enable PPPoE on it, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# interface GigabitEthernet number
        Creates an Ethernet interface and enters interface configuration mode.

To configure a broadband aggregation (BBA) group for PPPoE and to link it to the appropriate virtual template interface, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# bba-group pppoe {name | global}
        Configures a BBA group to be used to establish PPPoE sessions. name identifies the BBA group. You can have multiple BBA groups.

Configuration Example for PPPoE over Ethernet

Example 6-1 shows a PPPoE over Ethernet configuration. In the example, the virtual template virtual-template 1 is linked to the VPDN group. The configuration also specifies the number of sessions allowed on the VPDN group.

Example 6-1 Using a VPDN Group to Configure PPPoE over Ethernet

  !Creates a VPDN session group and links it to a virtual template.

Static MAC Address for PPPoE

Note: Although the Static MAC Address for PPPoE feature is configurable for VPDN groups, we recommend that you configure this feature for BBA groups. The configuration of the Static MAC Address for PPPoE feature for BBA groups and VPDN groups is mutually exclusive.

PPPoE over IEEE 802.1Q VLANs

The PPPoE over IEEE 802.1Q VLANs feature enables the Cisco 10000 series router to support PPPoE over IEEE 802.1Q encapsulated VLAN interfaces. IEEE 802.1Q encapsulation is used to interconnect a VLAN-capable router with another VLAN-capable networking device. The packets on the 802.1Q link contain a standard Ethernet frame and the VLAN information associated with that frame.

• Configuring PPPoE in a VPDN Group, page 6-8
• Configuring PPPoE in a BBA Group, page 6-9

The following sections describe how to perform these configuration tasks. For more information, see the “Configuring Broadband Access: PPP and Routed Bridge Encapsulation” chapter in the Cisco IOS Wide-Area Networking Configuration Guide.

Step 3  Router(config-vpdn)# accept-dialin
        Creates an accept dial-in VPDN group.
Step 4  Router(config-vpdn-acc-in)# protocol pppoe
        Specifies the VPDN group to be used to establish PPPoE sessions.
Step 5  Router(config-vpdn-acc-in)# virtual-template template-number
        Specifies the virtual template interface to use to clone virtual access interfaces (VAIs).

Step 6  Router(config-bba)# exit
        Returns to global configuration mode.
Step 7  Router(config)# interface type number
        Specifies the interface to which you want to attach the BBA group and enters interface configuration mode.
Step 8  Router(config-if)# encapsulation dot1q vlan-id
        Enables IEEE 802.1Q encapsulation of traffic on a specified subinterface in a VLAN. Specify the VLAN identifier.

   peer default ip address pool pool1
   ppp authentication chap
  !Specifies the IP local pool to use for address assignment.
  ip local pool pool1 192.168.0.1 192.168.0.100

Example 6-5 creates two BBA groups: VPN_1 and VPN_2. The VPN_1 BBA group is associated with virtual-template 1 and the VPN_2 BBA group is associated with virtual-template 2.

Clearing PPPoE Sessions

To clear PPPoE sessions, enter the following commands in privileged EXEC mode:

Router# clear pppoe all         Clears all PPPoE sessions.
Router# clear pppoe interface   Clears all PPPoE sessions on a physical interface or subinterface.
Router# clear pppoe rmac        Clears PPPoE sessions from a client host MAC address.

TCP MSS Adjust

Restrictions for TCP MSS Adjust

• The TCP MSS Adjust feature only works if the MaxSegSize option is the first option included in the packet. If a non-typical TCP packet is received, where MaxSegSize is not the first option in the packet, the TCP MSS Adjust feature configuration will have no effect.
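The restriction above is easy to misjudge when reading captures, so the following added example (not code from the Cisco guide or from Cisco IOS) parses the TCP option list of a SYN segment, reports whether the MSS option is in first position, and clamps it the way an MSS-adjusting device would. The `router_semantics` flag reproduces the documented behaviour (no rewrite unless MSS is the first option); `build_syn` and the two sample segments are constructed for the demonstration, and the TCP checksum is deliberately left alone because recomputing it needs the IP pseudo-header.

```python
"""Locate and clamp the TCP MSS option in a SYN segment.

Added example, not from the Cisco guide or Cisco IOS: it models the
documented restriction that TCP MSS Adjust only acts when the MSS option
(kind 2, "MaxSegSize") is the first TCP option.  The SYN segments below
are constructed by hand; no live traffic is involved.
"""
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2


def parse_tcp_options(segment):
    """Return [(kind, offset, value), ...] for the options of a TCP header.

    `segment` starts at the TCP header; the Data Offset field (high nibble
    of byte 12) gives the header length in 32-bit words, and the options
    occupy bytes 20 .. header_len.  Malformed lengths raise ValueError.
    """
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    options = []
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            options.append((kind, i, b""))
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated TCP option at offset %d" % i)
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad TCP option length at offset %d" % i)
        options.append((kind, i, segment[i + 2:i + length]))
        i += length
    return options


def get_mss(segment):
    """Advertised MSS, or None when the segment carries no MSS option."""
    for kind, _offset, value in parse_tcp_options(segment):
        if kind == TCP_OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def mss_is_first_option(segment):
    """The router's precondition: MSS must be the first option present."""
    options = parse_tcp_options(segment)
    return bool(options) and options[0][0] == TCP_OPT_MSS


def clamp_mss(segment, max_mss, router_semantics=True):
    """Return a copy of `segment` with its MSS lowered to `max_mss`.

    With router_semantics=True the rewrite is skipped unless MSS is the
    first option, reproducing the documented behaviour; with False any
    MSS option is clamped.  The TCP checksum is not recalculated here
    (that needs the IP pseudo-header); an on-wire rewrite must update it.
    """
    if router_semantics and not mss_is_first_option(segment):
        return segment
    buf = bytearray(segment)
    for kind, offset, value in parse_tcp_options(segment):
        if kind == TCP_OPT_MSS and len(value) == 2:
            mss = struct.unpack("!H", value)[0]
            if mss > max_mss:
                buf[offset + 2:offset + 4] = struct.pack("!H", max_mss)
            break
    return bytes(buf)


def build_syn(options, sport=40000, dport=80):
    """Constructed 20-byte SYN header followed by `options`, padded to 32 bits."""
    options += b"\x00" * ((-len(options)) % 4)
    header_len = 20 + len(options)
    offset_and_flags = ((header_len // 4) << 12) | 0x02   # SYN flag only
    fixed = struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_and_flags, 65535, 0, 0)
    return fixed + options


# Constructed samples: MSS 1460 first, then NOP, NOP, SACK-permitted ...
MSS_FIRST = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x01\x04\x02")
# ... and the "non-typical" ordering with MSS after the other options.
MSS_LATER = build_syn(b"\x01\x01\x04\x02" + b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for name, seg in (("MSS_FIRST", MSS_FIRST), ("MSS_LATER", MSS_LATER)):
        adjusted = clamp_mss(seg, 1452)
        print(name, "MSS first:", mss_is_first_option(seg),
              "MSS before/after router-style clamp:", get_mss(seg), get_mss(adjusted))
```

Running the block shows the second segment keeping its MSS of 1460 under router semantics, which is the case a packet capture on the subscriber side would reveal when MSS adjustment appears not to work.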
TCP MSS Adjustment Configuration: Examples

Figure 1 Example Topology for TCP MSS Adjustment (figure not reproduced; labels: Router A, Router B, Router C, Ethernet0/0 IP Address 10.0.1.1 255.255.255.0, Ethernet2/0 IP Address 10.0.1.2 255.255.255.0, TCP MSS 500, Interface Ethernet 0/0 IP Address 192.168.1.1 255.255.255.0)

The following example shows how to configure and verify the adjustment value.

  !
  interface Dialer1
   ip address negotiated
   ip mtu 1492
   ip nat outside
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ppp authentication pap callin
   ppp pap sent-username sohodyn password 7 141B1309000528
  !
  ip nat inside source list 101 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1
  access-list 101 permit ip 192.168.100.0 0.0.0.255 any

VLAN Range

The VLAN range feature simplifies the configuration of VLAN subinterfaces.

Restrictions for VLAN Range

The VLAN range feature has the following restrictions:

• The commands you enter in interface range configuration mode (the mode you enter after issuing the interface range command) are executed as you enter them. The commands are not batched together for execution after you exit interface range mode.

Step 2  Router(config-int-range)# encapsulation dot1q vlan-id [native]
        Enables IEEE 802.1Q encapsulation of traffic and applies a unique VLAN ID to each subinterface within the range. The vlan-id argument is the virtual LAN identifier. You must enter a value from 1 to 4095.
        Note: VLAN ID 0 is a valid ID, but is not a valid designation of a VLAN.
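To make concrete what "a standard Ethernet frame and the VLAN information associated with that frame" looks like on the wire, and why VLAN ID 0 is a tag value rather than a VLAN, here is an added example (not code from the Cisco guide or from Cisco IOS). It decodes the 802.1Q tag, classifies the VLAN ID, and maps the frame to the subinterface that `encapsulation dot1q` would have created for that ID; the frames, MAC addresses and the subinterface table are constructed for illustration.

```python
"""Decode the IEEE 802.1Q tag of an Ethernet frame and map it to a VLAN subinterface.

Added example, not from the Cisco guide or Cisco IOS.  A tagged frame is a
standard Ethernet frame with a 4-byte tag (TPID 0x8100 + TCI) inserted after
the source MAC; the low 12 bits of the TCI carry the VLAN ID.  The frames and
the subinterface table below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864


def parse_frame(frame):
    """Return dst/src MACs, 802.1Q fields (if tagged), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # priority code point (3 bits)
        info["vlan_id"] = tci & 0x0FFF   # VLAN identifier (12 bits)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify_vlan_id(vlan_id):
    """Distinguish the cases the guide calls out for the vlan-id argument."""
    if vlan_id is None:
        return "untagged"
    if vlan_id == 0:
        return "priority-tagged"   # valid tag value, but not a VLAN designation
    return "vlan"


def dispatch(frame, subinterfaces):
    """Subinterface a tagged frame belongs to, or None when no subinterface
    is configured for its VLAN ID (such a frame is dropped, not routed)."""
    info = parse_frame(frame)
    if classify_vlan_id(info["vlan_id"]) != "vlan":
        return None
    return subinterfaces.get(info["vlan_id"])


def is_pppoe(frame):
    """True when the (inner) EtherType is PPPoE discovery or session."""
    return parse_frame(frame)["ethertype"] in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION)


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


# Constructed frames: a PPPoE PADI on VLAN 100, the same PADI untagged, and an
# IPv4 frame on VLAN 200 for which no subinterface exists.
PADI = b"\x11\x09\x00\x00\x00\x04\x01\x01\x00\x00"   # PPPoE v1/type1, code PADI, empty Service-Name tag
TAGGED_PPPOE = (_mac("ff:ff:ff:ff:ff:ff") + _mac("00:11:22:33:44:55")
                + struct.pack("!HHH", TPID_8021Q, (0 << 13) | 100, ETHERTYPE_PPPOE_DISCOVERY) + PADI)
UNTAGGED_PPPOE = (_mac("ff:ff:ff:ff:ff:ff") + _mac("00:11:22:33:44:55")
                  + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + PADI)
TAGGED_IPV4_NO_SUBIF = (_mac("00:aa:bb:cc:dd:ee") + _mac("00:11:22:33:44:66")
                        + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 200, 0x0800) + b"\x45" + b"\x00" * 19)

# Constructed table: VLAN ID -> subinterface, as 'encapsulation dot1q' would create.
SUBINTERFACES = {100: "GigabitEthernet1/0/0.100", 101: "GigabitEthernet1/0/0.101"}

if __name__ == "__main__":
    samples = (("tagged PPPoE", TAGGED_PPPOE), ("untagged PPPoE", UNTAGGED_PPPOE),
               ("VLAN 200 IPv4", TAGGED_IPV4_NO_SUBIF))
    for label, frame in samples:
        info = parse_frame(frame)
        print(label, "vlan:", info["vlan_id"], classify_vlan_id(info["vlan_id"]),
              "pppoe:", is_pppoe(frame), "subinterface:", dispatch(frame, SUBINTERFACES))
```

The `dispatch` result of `None` for the VLAN 200 frame is the behaviour an operator relies on when only a known range of VLAN IDs has subinterfaces: frames tagged with anything else never reach a PPPoE session.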
Verifying the Configuration of a Range of Subinterfaces

To verify the configuration of a range of subinterfaces for VLAN encapsulation, enter the following commands in privileged EXEC mode:

Router# show running-config   Displays the current configuration, including information about the interfaces and subinterfaces configured on the router and the type of encapsulation configured for each interface.
Chapter 7 Configuring IP Unnumbered on IEEE 802.1Q VLANs

Service providers continuously seek ways in which they can make their networks less complex and less expensive, and reduce the cost of provisioning subscribers. One way in which service providers can achieve these results is to migrate their ATM networks to IP networks and upgrade their DSLAM to use a Gigabit Ethernet uplink, instead of an ATM uplink, to connect their DSLAM to an aggregation router, such as the Cisco 10000 series router.

When a subinterface goes down, the IP host route exists until the DHCP lease time expires. However, if you enter the show ip route dhcp command, the IP host routes do not display. After the subinterface comes back up, the IP host routes display when you enter the show ip route dhcp command if the DHCP lease time has not expired. This chapter describes the IP Unnumbered on IEEE 802.

Restrictions for IP Unnumbered on VLANs

The IP Unnumbered on VLANs feature has the following restrictions:

• You can configure IP unnumbered on only Ethernet VLAN subinterfaces and point-to-point interfaces.
• If you configure more than 14,000 IP unnumbered subinterfaces and you have configured EIGRP on all interfaces on a router, the router can stop responding.

Configuration Examples for IP Unnumbered on VLANs

Example 7-1 configures IP unnumbered on the Fast Ethernet 1/0.1 subinterface.

Example 7-1 Configuring IP Unnumbered on an Ethernet VLAN Subinterface

  Router(config)# interface fastethernet 1/0.

Monitoring and Maintaining IP Unnumbered Ethernet VLAN Subinterfaces

The following example enables IP unnumbered on a range of VLAN subinterfaces:

  interface range fastethernet0/0.11 - fastethernet0/0.
Chapter 8 Configuring ATM Permanent Virtual Circuit Autoprovisioning

With the rapid growth in broadband customers, service providers need to provision service for subscribers in the most efficient and accurate way possible. The ATM PVC autoprovisioning feature automates the configuration of a large number of ATM permanent virtual circuits (PVCs) in DSL service provider networks using the PPPoA, PPPoE, and RBE protocols.

• Configuration Tasks for ATM PVC Autoprovisioning, page 8-6
• Monitoring and Maintaining ATM PVC Autoprovisioning, page 8-12
• Configuration Example for ATM PVC Autoprovisioning, page 8-13

Local Template-Based ATM PVC Provisioning

The Local Template-Based ATM PVC Provisioning feature supports PVC autoprovisioning for an infinite range of VPI/VCI combinations on an ATM interface.

VC Class

A VC class is a set of preconfigured VC parameters that you configure and apply to a particular VC or ATM interface.
ATM VC Scaling and VC Assignment

The ATM line cards support the full range of VPI/VCI pairs (unidirectional only): an 8-bit VPI range and a 16-bit VCI range. Table 8-1 lists the maximum number of active VCs supported on ATM line cards for Cisco IOS Release 12.3(7)XI2 or later releases.

Table 8-1 Active VCs on ATM Line Cards

Line Card   Max. VCs per Port   Maximum VCs per Module   No.

When the SAR Page Limit Is Reached

In releases earlier than Cisco IOS Release 12.3(7)XI2, if the SAR page limit was reached while you were creating ATM PVCs, the router continued to create ATM PVCs but they were inactive. In Cisco IOS Release 12.3(7)XI2, the router checks the SAR page limit before creating an ATM PVC.

Note: The limit of 510 usable SAR pages in Cisco IOS Release 12.3(7)XI2 represents a reduction from the limit of 512 usable SAR pages in earlier releases.

• The Local Template-Based ATM PVC Provisioning feature (infinite range) can be configured only on a main ATM interface; that is, it cannot be configured on a subinterface.
Example 8-1 creates a VC class named myclass, enables PVC autoprovisioning on the class, and sets the idle-timeout timer to 300 seconds. The configuration of the idle-timeout timer is optional.

Step 2  Router(config-if)# range [range-name] pvc start-vpi/start-vci end-vpi/end-vci
        Specifies the range of PVCs and enters atm-range configuration mode.
Step 3  Router(config-if-atm-range)# class-range class-name
        Applies the VC class on the range of PVCs.

Example 8-3 applies the VC class myclass to the PVC range 100/100 to 100/200.

Enabling ATM PVC Autoprovisioning on an Individual PVC

To enable ATM PVC autoprovisioning on an individual PVC, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# interface atm slot/0 [.subinterface-number {multipoint | point-to-point}]
        Specifies the ATM interface and enters interface or subinterface configuration mode.

Step 3  Router(config-if-atm-range)# create on-demand
        Enables PVC autoprovisioning on the range of PVCs.
Step 4  Router(config-if-atm-range)# idle-timeout [time-out-in-seconds] [minimum-traffic-in-kbps]
        (Optional) Enables the idle-timeout timer on the on-demand PVC range. The default time-out-in-seconds is 0 (no idle-timeout).

Example 8-7 enables autoprovisioning on PVC 100/100 in PVC range 100/100 to 100/200.

Example 8-7 Enabling ATM PVC Autoprovisioning on a PVC Within a PVC Range

  Router(config)# int atm 3/0/0.

Monitoring and Maintaining ATM PVC Autoprovisioning

To monitor and maintain the ATM PVC autoprovisioning feature, enter any of the following commands in privileged EXEC mode.

Router# show atm pvc   Displays information about ATM PVCs, such as the interface, VPI/VCI, type, and encapsulation. PVC-A (PVC-Automatic) listed in the Type field indicates that the PVC is an on-demand PVC.

Example 8-10 displays information about PVC 0/51 and indicates that autoprovisioning is enabled on the PVC.

Example 8-10 show atm pvc Command for a Specific PVC

  Router# show atm pvc 0/51
  ATM5/0.

Variable Bit Rate Non-Real Time Oversubscription

The Variable Bit Rate Non-Real Time (VBR-nrt) Oversubscription feature enables service providers to improve network utilization of otherwise underutilized shared networks by leveraging statistical multiplexing on ATM networks.

The VBR-nrt Oversubscription feature is described in the following topics:

• Feature History for VBR-nrt Oversubscription, page 8-15
• Restrictions for VBR-nrt Oversubscription, page 8-15
• Configuration Tasks for VBR-nrt Oversubscription, page 8-17
• Configuration Example for ATM PVC Oversubscription, page 8-18

Feature History for VBR-nrt Oversubscription

Cisco IOS Release   Descri

The following configuration enables the oversubscription feature and configures the interface with an over-subscription-factor of 50.

  Router(config)# interface atm 4/0/0
  Router(config-if)# atm over-subscription-factor 50
  Router(config-if)# exit

• To prevent oversubscription of the interface, use the no atm oversubscribe command.

Configuration Tasks for VBR-nrt Oversubscription

To configure the VBR-nrt Oversubscription feature, perform the following configuration tasks:

• Configuring VBR-nrt Oversubscription, page 8-17
• Verifying ATM PVC Oversubscription, page 8-17

Configuring VBR-nrt Oversubscription

To enable oversubscription of ATM VCs, enter the following command in interface configuration mode:

Command P

Configuration Example for ATM PVC Oversubscription

The following example oversubscribes an ATM interface by 10 times the physical transmission capacity:

  interface atm 4/0/0
  atm over-subscription-factor 10

Cisco 10000 Series Router Software Configuration Guide 8-18 OL-2226-23
Chapter 9 Configuring Multihop

In a Virtual Private Dialup Network (VPDN) environment, sessions generated from a remote host are routed over an existing tunnel or a tunnel built to route a specific domain. Typically, sessions cannot traverse more than one L2TP tunnel before reaching the ISP or corporate network.

Figure 9-1 Multihop Topology Example (figure not reproduced; labels: Subscribers, ATM network, Service provider, Cisco 10000 ESR, LAC, LNS, ISP core routers, Edge router, ISP/Corporate network)

This chapter describes the Multihop feature in the following topics:

• Feature History for Multihop, page 9-2
• Restrictions for Multihop, page 9-3
• Required Configuration Tasks for Mul
Restrictions for Multihop

The Multihop feature has the following restrictions:

• The performance routing engine, part number ESR-PRE1, does not support the Multihop feature.
• Tunnel switching is based on a session’s domain or the tunnel in which the session arrived. The Cisco 10000 router does not support switching of individual sessions by using the CLI.
• The Cisco 10000 router does not support multichassis Multilink PPP (MLPPP).
Required Configuration Tasks for Multihop

Terminating the Tunnel from the LAC

To terminate the tunnel from the LAC, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# username remote-hostname password secret
        Configures the secret (password) for the remote LAC. The secret must match the secret configured on the LAC and can consist of any string of up to 11 ASCII characters.

Step 6  Router(config-vpdn-req-in)# multihop hostname ingress-tunnel-name
        Initiates a tunnel based on the LAC’s hostname or ingress tunnel ID.
Step 7  Router(config-vpdn-req-in)# exit
        Returns to VPDN group mode.
Step 8  Router(config-vpdn)# initiate-to ip ip-address [limit limit-number] [priority priority-number]
        Specifies the IP address of the LNS that will be tunneled to.

Optional Configuration Tasks for Multihop

Configuring an Accept-Dialin VPDN Group to Preserve IP TOS

To configure an accept-dialin VPDN group to preserve IP TOS, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# vpdn-group number
        Selects the VPDN group and enters VPDN configuration mode.

Configuring a Request-Dialout VPDN Group to Preserve IP TOS

To configure a request-dialout VPDN group to preserve IP TOS, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# vpdn-group number
        Selects the VPDN group and enters VPDN configuration mode.
Step 2  Router(config-vpdn)# request-dialout
        Enables the LNS to request L2TP tunnels for dialout calls.

Configuration Examples for Multihop

The example in this section is a multihop configuration in which the Cisco 10000 router is configured as the multihop system (MH). The example includes LAC and LNS configurations to complete the configuration. This configuration scenario supports a maximum of two hops between the LAC device and the destination LNS device.

   local name LAC1
   l2tp tunnel password 7 060A0E23
   l2tp tunnel receive-window 100
   l2tp tunnel retransmit timeout min 2
  !
  ! Multihop Configuration
  username user@cisco.

Monitoring and Maintaining Multihop Configurations

Router# show running-config   Displays the current router configuration.

Caution: Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco Systems technical support personnel. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users.

Example 9-4 show interface virtual access Command

  Router# show interface virtual-access 3
  Virtual-Access3 is up, line protocol is up
    Hardware is Virtual Access interface
    MTU 1500 bytes, BW 128 Kbit, DLY 100000 usec, rely 255/255, load 1/255
    Encapsulation PPP, loopback not set, keepalive set (10 sec)
    DTR is pulsed for 5 seconds on reset
    LCP Open, multilink Open
    Open: IPCP
    Last input 00:02:30, output never, output hang neve
Chapter 10 Configuring Address Pools

Service providers concerned with the efficient management of IP address space are challenged to implement an address assignment mechanism that efficiently assigns addresses to remote users from address pools and effectively manages those pools. Such deployment requires a strategy for dealing with poorly utilized address pools and pools that run out of addresses.

Address Assignment Mechanisms

Local Address Pool

A local address pool is a pool of IP addresses statically configured on a PE router. The pool name identifies the address pool. When a PPP session requests an address from a specific pool, the pool manager assigns an unused address from the pool. When the PPP session returns the address, the pool manager puts the address back into the pool from which it was taken. A common group identifier identifies a group of pools.

Benefits of RADIUS-Based Address Assignment

RADIUS is an effective mechanism for providing IP address assignment for remote users:

• One benefit of RADIUS-based address assignment is its ability to effectively manage the IP address pools configured on the server. RADIUS can dynamically resize pools as needed, removing addresses from poorly utilized pools and adding them to pools that run out of addresses.

Limitations of DHCP-Based Address Assignment

DHCP-based address assignment has route summarization problems similar to the problems encountered with RADIUS-based address assignment. Route summarization becomes less efficient as remote users log on and off, and users have limited connectivity while BGP updates all of the PE routers with newly configured routes.

On-Demand Address Pool Manager

Feature History for On-Demand Address Pool Manager

Cisco IOS Release   Description                                                       Required PRE
12.2(15)BX          This feature was introduced on the Cisco 10000 series router.    PRE2
12.3(7)XI1          This feature was integrated into Cisco IOS Release 12.3(7)XI1.   PRE2
12.2(28)SB          This feature was integrated into Cisco IOS Release 12.2(28)SB.

Note: For more information about ODAPs, see the “On-Demand Address Pool Manager” section on page 10-4. For information about configuring MPLS VPNs, see the Remote Access to MPLS VPN chapter or see the Cisco IOS Switching Services Configuration Guide, Release 12.2.

Defining DHCP ODAPs as the Global Default Pooling Mechanism

To specify on-demand address pooling as the global default mechanism, enter the following command in global configuration mode:

Router(config)# ip address-pool dhcp-pool   Enables on-demand address pooling as the global default IP address mechanism for PPP remote access sessions into MPLS VPNs. Locally configured VRF-associated DHCP pools allocate IP addresses.

Example 10-2 Configuring the DHCP Pool as an ODAP

  !
  ip dhcp pool green_pool
   vrf Green
   utilization mark high 60
   utilization mark low 40
   origin dhcp subnet size initial /24 autogrow /24
  !
  ip dhcp pool red_pool
   vrf Red
   origin dhcp
  !
  ip vrf Green
   rd 200:1
   route-target export 200:1
   route-target import 200:1
  !
  ip vrf Red
   rd 300:1
   route-target export 300:1
   route-target import 300:1
  ip address-pool dhcp-pool
  !
  interface Virtual-Template1
   ip vrf
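The utilization marks and subnet sizes in Example 10-2 are easier to reason about with a small model in hand, so the following added example (not code from the Cisco guide or from Cisco IOS) simulates an on-demand pool: it starts with one subnet of the initial size, asks its origin for another subnet of the autogrow size when utilization crosses the high mark, and hands a completely free subnet back when utilization drops below the low mark. `SubnetOrigin` is a constructed stand-in for the DHCP server (or AAA) that `origin dhcp` would query; the exact IOS timing and ordering of these events are not reproduced.

```python
"""Model of an on-demand address pool (ODAP) with utilization marks and autogrow.

Added example, not from the Cisco guide or Cisco IOS.  It shows the
mechanism Example 10-2 configures: the pool starts with one subnet of the
'initial' size, requests another subnet of the 'autogrow' size from its
origin when utilization rises above the high mark, and hands a fully free
subnet back when utilization falls below the low mark.  SubnetOrigin is a
constructed stand-in for the DHCP server (or AAA) that 'origin dhcp' would
query; exact IOS timing and ordering rules are not reproduced.
"""
import ipaddress


class SubnetOrigin:
    """Hands out consecutive, aligned subnets from one supernet (constructed)."""

    def __init__(self, supernet):
        self.supernet = ipaddress.ip_network(supernet)
        self._cursor = 0            # offset of the next unallocated address
        self.returned = []          # subnets released back by pools

    def request(self, prefixlen):
        """Return the next free subnet of the given length, or None when exhausted."""
        size = 1 << (32 - prefixlen)
        self._cursor = -(-self._cursor // size) * size     # align to the subnet size
        start = int(self.supernet.network_address) + self._cursor
        if start + size > int(self.supernet.broadcast_address) + 1:
            return None
        self._cursor += size
        return ipaddress.ip_network((start, prefixlen))

    def release(self, subnet):
        self.returned.append(subnet)


class OnDemandPool:
    def __init__(self, name, vrf, origin, initial=24, autogrow=24, high=60, low=40):
        self.name, self.vrf, self.origin = name, vrf, origin
        self.autogrow, self.high, self.low = autogrow, high, low
        self.leases = {}            # IPv4Address -> client identifier
        first = origin.request(initial)
        if first is None:
            raise RuntimeError("origin could not satisfy the initial subnet request")
        self.subnets = [first]

    def total_addresses(self):
        # network and broadcast addresses are not assignable
        return sum(n.num_addresses - 2 for n in self.subnets)

    def utilization(self):
        return 100.0 * len(self.leases) / self.total_addresses()

    def lease(self, client_id):
        """Assign the lowest free host address; None when the pool cannot grow further."""
        for net in self.subnets:
            for host in net.hosts():
                if host not in self.leases:
                    self.leases[host] = client_id
                    self._grow_if_needed()
                    return host
        return None

    def release(self, host):
        if self.leases.pop(host, None) is not None:
            self._shrink_if_possible()

    def _grow_if_needed(self):
        if self.utilization() > self.high:
            extra = self.origin.request(self.autogrow)
            if extra is not None:
                self.subnets.append(extra)

    def _shrink_if_possible(self):
        # only a completely unused, non-initial subnet can go back to the origin
        if len(self.subnets) > 1 and self.utilization() < self.low:
            for net in self.subnets[1:]:
                if not any(addr in net for addr in self.leases):
                    self.subnets.remove(net)
                    self.origin.release(net)
                    return


if __name__ == "__main__":
    # /29 subnets keep the walk-through short; Example 10-2 uses /24.
    pool = OnDemandPool("green_pool", "Green", SubnetOrigin("172.16.0.0/16"), initial=29, autogrow=29)
    hosts = [pool.lease("cpe-%d" % i) for i in range(4)]
    print("after 4 leases:", [str(n) for n in pool.subnets], "%.0f%% used" % pool.utilization())
    pool.release(hosts[-1])
    print("after 1 release:", [str(n) for n in pool.subnets],
          "returned:", [str(n) for n in pool.origin.returned])
```

With a 60/40 split the fourth lease on a six-address subnet (67% utilization) triggers growth and the following release (25%) triggers the give-back; the second scenario in the test shows what happens when the origin has nothing left: leases continue until the existing subnets are exhausted, then `lease` returns `None`, which is the condition to alarm on operationally.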
For an example of how to configure AAA, see Example 10-3 in the “Configuring RADIUS” section on page 10-9.

Configuring RADIUS

To configure RADIUS on the Cisco 10000 router, enter the following commands in global configuration mode:

Step 1  Router(config)# ip radius source-interface subinterface-name
        Forces the Cisco 10000 router to use the IP address of the specified interface for all outgoing RADIUS packets.

  !
  interface Virtual-Template1
   ip vrf forwarding Green
   no ip address
  !
  ip radius source-interface Ethernet1/1
  !
  !IP address of the Radius server host
  radius-server host 172.16.1.

Configuring ODAPs to Obtain Subnets Through IPCP Negotiation

Note: When you assign an IP address pool to customer premise equipment (CPE), the pool manager assigns IP addresses to the CPE devices and to a DHCP pool. Using the ODAP functionality requires the following:

• The Cisco IOS CPE device must be able to request and use the subnet.

Example 10-4 disables the on-demand DHCP pool named test_pool.

Example 10-5 show ip dhcp pool Command

  Router# show ip dhcp pool
  Pool Green :
   Utilization mark (high/low)    : 50 / 30
   Subnet size (first/next)       : 24 / 24 (autogrow)
   VRF name                       : Green
   Total addresses                : 18
   Leased addresses               : 13
   Pending event                  : subnet request
   3 subnets are currently in the pool :
   Current index    IP address range              Leased addresses
   0.0.0.0          178.16.0.1  - 172.16.0.6      6
   0.0.0.0          172.16.0.9  - 172.16.0.14     6
   172.16.0.17      172.16.0.17 - 172.16.0.

Example 10-6 show ip dhcp binding Command

  Router# show ip dhcp binding
  Bindings from all pools not associated with VRF :
  IP address      Hardware address                   Lease expiration   Type
  Bindings from VRF pool Green :
  IP address      Hardware address                   Lease expiration   Type
  172.16.0.1      5674.312d.7465.7374.2d38.3930.39   Infinite           On-demand
  172.16.0.2      5674.312d.7465.7374.2d38.3839.31   Infinite           On-demand
  172.16.0.3      5674.312d.7465.7374.2d36.3432.34   Infinite           On-demand
  172.16.0.

Example 10-7 Defining DHCP ODAPs on an Interface

  !
  interface Virtual-Template1
   ip vrf forwarding green
   ip unnumbered loopback1
   ppp authentication chap
   peer default ip address dhcp-pool

Configuring ODAPs to Obtain Subnets Through IPCP Negotiation

Example 10-8 creates a DHCP address pool named my_pool, configures the pool as an on-demand address pool using IPCP as the subnet allocation protocol, and configures the Ethernet0 interface to au

Router# show ip interface [type number]   Displays the usability status of interfaces configured for IP.
Router# show ip dhcp pool name            Displays DHCP address pool information. Use this command to check that the DHCP pool assigns an IP address for each incoming PPP session and associates the address with the correct VRF.

Overlapping IP Address Pools

The Overlapping IP Address Pools feature is described in the following topics:

• Feature History for Overlapping IP Address Pools, page 10-17
• Restrictions for Overlapping IP Address Pools, page 10-17
• Configuration Tasks for Overlapping IP Address Pools, page 10-17
• Verifying Local Pool Groups for IP Overlapping Address Pools, page 10-18
• Configuration Examples for Overlapping IP Address Pools, page 10-18

Feature History for

Verifying Local Pool Groups for IP Overlapping Address Pools

To verify that you have successfully configured a pool group, enter the following commands in privileged EXEC mode and check the resulting output for the pool group name:

Router# show ip local pool [pool-name [group group-name]]   Displays statistics for defined IP address pools.
Router# show ip local pool                                  Displays statistics for all pools configured.

IP Overlapping Address Pools for VPNs and VRFs Example

The following example is a general IP address configuration that VPNs and VRFs might use. This example shows pool names that provide a way to associate a pool name with a VPN (when the pool name stands alone). This association is an operational convenience. There is no required relationship between the names used to define a pool and the name of the group.
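The pool-group idea from the Local Address Pool section and the overlapping-pools example above can be stated precisely as a small pool manager. The following added example (not code from the Cisco guide or from Cisco IOS) lets two pools cover the same addresses when they belong to different groups, as separate VPNs would, and rejects the definition when they collide inside one group; pool and group names are constructed, and the `define_pool` signature only loosely mirrors the `ip local pool` command.

```python
"""Local address pools with pool groups, allowing overlapping ranges across groups.

Added example, not from the Cisco guide or Cisco IOS.  It models what the
Overlapping IP Address Pools feature allows: two pools may cover the same
addresses as long as they belong to different pool groups (typically one
group per VPN/VRF), while pools in the same group must not overlap.  Pool
and group names below are constructed.
"""
import ipaddress


class PoolConflict(ValueError):
    """Raised when a new pool overlaps an existing pool of the same group."""


class LocalPoolManager:
    def __init__(self):
        self.pools = {}    # pool name -> {"group", "first", "last", "used"}

    def define_pool(self, name, low_ip, high_ip=None, group="base"):
        """Loosely mirrors 'ip local pool name low [high] [group group-name]' (constructed API)."""
        first = int(ipaddress.ip_address(low_ip))
        last = int(ipaddress.ip_address(high_ip)) if high_ip else first
        if last < first:
            raise ValueError("high address precedes low address")
        if name in self.pools:
            raise ValueError("pool %s already defined" % name)
        for other_name, other in self.pools.items():
            # overlap only matters inside one group; other groups may reuse the space
            if other["group"] == group and first <= other["last"] and last >= other["first"]:
                raise PoolConflict("%s overlaps %s in group %s" % (name, other_name, group))
        self.pools[name] = {"group": group, "first": first, "last": last, "used": set()}

    def assign(self, name):
        """Lowest unused address of the pool as a string, or None when exhausted."""
        pool = self.pools[name]
        for addr in range(pool["first"], pool["last"] + 1):
            if addr not in pool["used"]:
                pool["used"].add(addr)
                return str(ipaddress.ip_address(addr))
        return None

    def release(self, name, address):
        """Return an address to the pool it was taken from."""
        self.pools[name]["used"].discard(int(ipaddress.ip_address(address)))

    def stats(self, name):
        """Counters in the spirit of 'show ip local pool'."""
        pool = self.pools[name]
        total = pool["last"] - pool["first"] + 1
        used = len(pool["used"])
        return {"group": pool["group"], "total": total, "in_use": used, "free": total - used}


if __name__ == "__main__":
    mgr = LocalPoolManager()
    mgr.define_pool("vpn_a_pool", "10.1.1.1", "10.1.1.10", group="vpn_a")
    mgr.define_pool("vpn_b_pool", "10.1.1.1", "10.1.1.10", group="vpn_b")   # same addresses, other group
    print("vpn_a:", mgr.assign("vpn_a_pool"), "vpn_b:", mgr.assign("vpn_b_pool"))
    try:
        mgr.define_pool("clash", "10.1.1.5", "10.1.1.20", group="vpn_a")
    except PoolConflict as exc:
        print("rejected:", exc)
```

Both VPN pools hand out 10.1.1.1 independently, which is exactly the situation the feature exists for; the rejected `clash` definition is the guard that keeps a single VRF from ever seeing the same address twice.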
Chapter 11 Configuring Local AAA Server, User Database—Domain to VRF

The Local AAA Server, User Database—Domain to VRF feature extends the Cisco IOS AAA Authorization to local AAA profiles on the router without using an AAA Server. The local user database acts as a local AAA server, and is fully compatible with any external AAA Server. If you want to maintain your user database locally or provide a failover local mechanism, you no longer have to sacrifice policy options when defining local users.

• Configuration Example for Local AAA Server, User Database—Domain to VRF, page 11-9
• Monitoring and Maintaining Local AAA Server, User Database—Domain to VRF, page 11-12

Feature History for Local AAA Server, User Database—Domain to VRF

Cisco IOS Release   Description                                                       Required PRE
12.3(7)XI1          This feature was introduced on the Cisco 10000 series router.    PRE2
12.2(28)SB          This feature was integrated into Cisco IOS Release 12.

In the figure, the PPP client attempts to establish a PPP session with user@domain. This PAP or CHAP user name request is forwarded to the broadband remote access server (BRAS) for authentication. Authentication could be done locally on the BRAS, but in most cases the authentication is forwarded to a RADIUS server.

In the figure, the BRAS can be configured to provide AAA accounting start/stop and periodic records for each PPP session. The BRAS can also be configured to provide NAS-Port information in the accounting records that will detail the slot/card/interface and VPI/VCI or VLAN.

AAA Attribute Lists

AAA Attribute Lists are used by the subscriber profiles when there is a match of the user name domain.
Defining AAA Attribute Lists

Typically, you define an AAA attribute list for each user name domain. Cisco IOS Release 12.3(7)XI1 introduces the following two new commands to define local AAA attribute lists and attribute types:

Router(config)# aaa attribute list list-name   Defines an AAA attribute list locally on the router. This attribute list is applied to the PPP session.
AAA Method Lists

The AAA method lists are defined to use RADIUS for authentication and accounting. Authorization is done locally using the AAA attribute lists. Defining the AAA attribute lists for PPP under the virtual template no longer requires defining the AAA lists. Instead, a default authentication and authorization list can be defined on the virtual template and the AAA method lists can be defined in the AAA attribute lists.

Step 3  Router(config)# aaa authorization network list-name local if-authenticated
        Specifies to use the local profile if authenticated.
Step 4  Router(config)# aaa accounting network list-name start-stop group radius
        Specifies RADIUS accounting as optional.
Step 5  Router(config)# aaa authentication ppp default local
        Required to allow the definition of the AAA authentication list in the AAA attribute list.
Defining a Loopback Interface

To define a loopback interface, enter the following commands beginning in global configuration mode:

Step 1  Router(config)# interface loopback number
        Defines a loopback for the PPP session and enters interface configuration mode.
Step 2  Router(config-if)# ip vrf forwarding vrf-name
        Enables VRF forwarding.
Step 3  Router(config-if)# ip address address mask
        Sets the IP address.
Chapter 11 Configuring Local AAA Server, User Database—Domain to VRF Command Purpose Step 5 Router(config)# attribute type ppp-authen-list aaa_list_name Defines the AAA authentication list to use. Step 6 Router(config)# attribute type ppp-author-list aaa_list_name Defines the AAA authorization list to use. Step 7 Router(config)# attribute type ppp-acct-list aaa_list_name Defines the AAA accounting list to use.
Chapter 11 Configuring Local AAA Server, User Database—Domain to VRF aaa authorization network test2 local if-authenticated aaa accounting delay-start all aaa accounting network test1 start-stop group group_server_test1 aaa accounting network test2 start-stop group group_server_test2 ! aaa attribute list cisco1.
Chapter 11 Configuring Local AAA Server, User Database—Domain to VRF ! interface Loopback2 ip vrf forwarding vrf2 ip address 101.1.1.1 255.255.255.255 ! interface FastEthernet0/0/0 shutdown ! interface ATM1/0/0 no ip address no atm pxf queuing no atm ilmi-keepalive ! interface ATM1/0/0.1 multipoint pvc 1/32 encapsulation aal5autoppp Virtual-Template1 group cisco1.com no create on-demand ! ! interface ATM1/0/0.2 multipoint pvc 1/33 encapsulation aal5autoppp Virtual-Template2 group cisco2.
Chapter 11 Configuring Local AAA Server, User Database—Domain to VRF Example—VRF with ACL Applying a defined output ACL to this PPP: aaa attribute list cisco1.
Chapter 12 Configuring Traffic Filtering

The Cisco 10000 series router provides traffic filtering capabilities using access control lists (ACLs). Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Using ACLs, you can restrict the contents of routing updates, provide traffic flow control, and provide security for your network.

IP Receive ACLs

The IP Receive ACLs feature is described in the following topics:
• Feature History for IP Receive ACLs, page 12-2
• Restrictions for IP Receive ACLs, page 12-2
• Configuration Tasks for IP Receive ACLs, page 12-2
• Configuration Example for IP Receive ACLs, page 12-3

Feature History for IP Receive ACLs
Cisco IOS Release / Description / Required PRE
12.3(7)XI1: This feature was introduced on the Cisco 10000 series router.

Configuring Receive ACLs

To configure receive ACLs, enter the following commands beginning in global configuration mode:

Step 1 Command: Router(config)# ip receive acl number
Purpose: Activates receive ACLs and begins filtering packets destined for the router.
Step 2 Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
Purpose: Defines a standard IP access list.

Example 12-1 Receive ACL Configuration

ip receive access-list 100
access-list 100 deny icmp any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 100 permit ospf any any precedence internet
access-list 100 permit tcp host 10.0.0.

Time-Based ACLs

Restrictions for Time-Based ACLs

The Time-Based ACLs feature has the following restrictions:
• You can specify a time range only for IP extended access lists. Standard access lists are not supported.
• An ACE that refers to a non-existent time-range entry is considered active.
• You define time-based ACLs based on hours and minutes. You cannot specify seconds.

Example 12-2 creates a periodic time range named no-http that specifies Monday through Friday from 8:00 a.m. to 6:00 p.m.

Example 12-2 Configuring a Time Range

Router(config)# time-range no-http
Router(config-time-range)# periodic weekdays 8:00 to 18:00

Example 12-3 creates a time range named HTTP that specifies both periodic and absolute values.

Example 12-4 Applying a Time Range to a Numbered ACL

Router(config)# time-range smtp
Router(config-time-range)# periodic daily 5:00 to 23:59
Router(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
Router(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.

Monitoring and Maintaining Time-Based ACLs

To monitor and maintain time-based ACLs, enter any of the following commands in privileged EXEC mode:

Command: Router# show access-lists [access-list-number | access-list-name]
Purpose: Displays the contents of current access lists or the access list you specify.

The following configuration example permits UDP traffic on Saturday and Sunday from 8:00 a.m. on January 1, 1999 to 6:00 p.m.
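As an added illustration that is not part of the Cisco guide, the following Python models how a time range becomes active and how an extended ACL with time-range references is evaluated, including the restrictions listed above: only hours and minutes are compared, and an ACE that names a non-existent time range stays active. The time ranges, ACL entries, and packets are constructed samples.

```python
from datetime import datetime, time
from ipaddress import IPv4Address

# Added example, not from the Cisco guide: a model of IOS time-range evaluation
# and extended-ACL matching. Names, ACL entries and packets are constructed.

WEEKDAYS = {n: i for i, n in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
ANY = ("0.0.0.0", "255.255.255.255")      # IOS "any" as address/wildcard pair


def parse_hhmm(text):
    """Parse 'H:MM'; seconds are not accepted, matching the chapter's restriction."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_when(text):
    """Wall-clock instant written as 'YYYY-MM-DD HH:MM'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


class TimeRange:
    """One 'time-range NAME' with optional periodic and absolute entries."""

    def __init__(self):
        self.periodic = []      # (set of weekday numbers, start time, end time)
        self.absolute = None    # (start datetime or None, end datetime or None)

    def periodic_entry(self, days, start, end):
        day_set = DAY_GROUPS.get(days) or {WEEKDAYS[days]}
        self.periodic.append((day_set, parse_hhmm(start), parse_hhmm(end)))
        return self

    def absolute_entry(self, start=None, end=None):
        self.absolute = (parse_when(start) if start else None,
                         parse_when(end) if end else None)
        return self

    def is_active(self, now):
        # The absolute entry bounds the whole range; periodic entries are then
        # evaluated inside that window, comparing hours and minutes only.
        if self.absolute is not None:
            start, end = self.absolute
            if (start and now < start) or (end and now > end):
                return False
            if not self.periodic:
                return True
        minute = now.time().replace(second=0, microsecond=0)
        return any(now.weekday() in days and start <= minute <= end
                   for days, start, end in self.periodic)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    return ace.get("dport") is None or ace["dport"] == pkt.get("dport")


def evaluate_acl(aces, time_ranges, pkt, now):
    """First active and matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        name = ace.get("time_range")
        # A name with no matching time-range leaves the ACE active (restriction above).
        if name in time_ranges and not time_ranges[name].is_active(now):
            continue
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed configuration: no web traffic on weekdays 8:00-18:00 (as in
# Example 12-2); UDP from 10.1.0.0/16 only on the 1999 New Year weekend.
TIME_RANGES = {
    "no-http": TimeRange().periodic_entry("weekdays", "8:00", "18:00"),
    "ny-weekend": (TimeRange()
                   .absolute_entry("1999-01-01 08:00", "1999-01-03 18:00")
                   .periodic_entry("weekend", "8:00", "18:00")),
}
ACL_101 = [
    {"action": "deny", "proto": "tcp", "src": ANY, "dst": ANY, "dport": 80,
     "time_range": "no-http"},
    {"action": "permit", "proto": "udp", "src": ("10.1.0.0", "0.0.255.255"),
     "dst": ANY, "time_range": "ny-weekend"},
    {"action": "deny", "proto": "udp", "src": ANY, "dst": ANY,
     "time_range": "misspelled-range"},          # no such range: always active
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]
HTTP_PKT = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "dport": 80}
UDP_PKT = {"proto": "udp", "src": "10.1.7.7", "dst": "192.0.2.53", "dport": 53}


def decide(pkt, when):
    """'permit' or 'deny' for pkt at wall-clock time 'when' ('YYYY-MM-DD HH:MM')."""
    return evaluate_acl(ACL_101, TIME_RANGES, pkt, parse_when(when))
```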
Cisco 10000 Series Router Software Configuration Guide 12-10 OL-2226-23
Chapter 13 Unicast Reverse Path Forwarding

Cisco integrated security systems incorporate a comprehensive selection of feature-rich security services, offering commercial, enterprise, and service provider customers the ability to deploy trusted and protected business applications and services. Threat defense is a critical aspect of an integrated security approach and involves the implementation of proactive measures. One valuable threat defense tool is unicast Reverse Path Forwarding (uRPF).

Note Cisco 10000 series routers support both strict and loose mode uRPF for IPv4. However, for IPv6, the router supports only strict uRPF.

• By default, even without uRPF provisioned, uRPF drops can be seen in the PXF when:
  – the interface is not up
  – there is no IP address on the interface

Configuring Unicast RPF

To use Unicast RPF, you must configure the router for CEF switching or CEF distributed switching. There is no need to configure the input interface for CEF switching because Unicast RPF has been implemented as a search through the FIB using the source IP address.

Note You can use a default route to configure a default path for all addresses that are not in the regular routing table. When configuring uRPF, you can use the allow-default option to allow IP packets whose source address resolves to a valid default path, depending on the uRPF mode. In strict mode uRPF, such packets are allowed only from the interface that the default route points to.
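As an added example that is not part of the Cisco guide, the following Python models the uRPF decision as a longest-prefix FIB lookup on the source address and contrasts strict mode, loose mode, and the allow-default option described in the note above. The routes, interface names, and packet sample are constructed.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the Cisco guide: a model of the uRPF source check
# as a FIB lookup, covering strict mode, loose mode and the allow-default
# option. Routes, interface names and packets are constructed.

FIB = [  # (prefix, outgoing interface); longest prefix wins
    ("10.1.0.0/16", "GigabitEthernet1/0/0"),
    ("10.1.200.0/24", "ATM1/0/0.1"),
    ("192.0.2.0/24", "ATM1/0/0.1"),
    ("0.0.0.0/0", "GigabitEthernet2/0/0"),    # default route toward the upstream
]


def fib_lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, ifname) or None."""
    addr = ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet from src arriving on ingress passes the uRPF check."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    hit = fib_lookup(fib, src)
    if hit is None:
        return False                   # no route at all: dropped in every mode
    net, ifname = hit
    if net.prefixlen == 0 and not allow_default:
        return False                   # only the default route matched
    if mode == "loose":
        return True                    # any usable route is enough
    # strict: the best route must point back out of the ingress interface
    # (with allow-default, that is the interface the default route uses)
    return ifname == ingress


def urpf_drop_counts(fib, packets, mode="strict", allow_default=False):
    """Per-interface count of packets failing the check, in the spirit of the
    'verification drops' counter shown by show ip interface."""
    drops = {}
    for src, ingress in packets:
        if not urpf_check(fib, src, ingress, mode, allow_default):
            drops[ingress] = drops.get(ingress, 0) + 1
    return drops


# Constructed traffic sample: (source address, ingress interface)
SAMPLE = [
    ("10.1.2.3", "GigabitEthernet1/0/0"),     # legitimate customer traffic
    ("10.1.2.3", "ATM1/0/0.1"),               # spoofed: the route points elsewhere
    ("10.1.200.9", "ATM1/0/0.1"),             # more specific route, correct side
    ("203.0.113.9", "GigabitEthernet2/0/0"),  # only the default route matches
    ("203.0.113.9", "ATM1/0/0.1"),            # default-route source on a customer port
]

if __name__ == "__main__":
    for mode, ad in (("strict", False), ("strict", True), ("loose", False), ("loose", True)):
        label = mode + (" allow-default" if ad else "")
        print(f"{label:22s} drops: {urpf_drop_counts(FIB, SAMPLE, mode, ad)}")
```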
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
      0 timestamp, 0 extended security, 0 record route
      0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
      0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
      0 fragmented, 0 couldn't fragment
Bcast: 331512 received, 0 sent
Mcast: 0 received, 0 sent
Sent: 15 generated, 0 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
      0 no route, 5 unicas

  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: uRPF
  IP verify source reachable-via ANY
   5 verification drops
   5 suppressed verification drops
   0 verification drop-rate

Example 13-3 shows how uRPF drops can also be seen at the PXF using the show pxf cpu statistics drop interface command.

Example 13-4 Loose Mode uRPF configuration on 8/1/0 interface

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.

Configuring Loose Mode uRPF with the allow-default Option

Example 13-7 shows how you can configure Loose Mode uRPF with the allow-default option.

Example 13-7 Loose Mode uRPF with the allow-default option

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Chapter 14 Configuring Automatic Protection Switching

Automatic protection switching (APS) is a protection mechanism for SONET networks that enables SONET connections to switch to another SONET circuit when a circuit failure occurs. A protect interface serves as the backup interface for the working interface. When the working interface fails, the protect interface quickly assumes its traffic load.

Multirouter Automatic Protection Switching

Figure 14-1 Multirouter APS Configuration
(Figure: Router A with working interface ATM 2/0/0 and Router B with protect interface ATM 3/0/0, both connected to SONET network equipment, an add/drop multiplexer (ADM); interface ATM 1/0/0 is shown on each router.)

On the protect circuit, the K1 and K2 bytes from the line overhead (LOH) of the SONET frame indicate the current status of the APS connection and convey any requests for action.

Restrictions for MR-APS

In Cisco IOS Releases 12.3(7)XI2 and 12.2(28)SB, MR-APS is supported for the following line cards:
• 4-Port OC3/STM-1 ATM line card
• 1-Port OC-12 ATM line card
• 1-Port Channelized OC-12/STM-4 line card
• 4-Port Channelized OC-3/STM-1 line card
In Cisco IOS Release 12.

Step 9 Command: Router(config-if)# aps protect circuit-number ip-address
Purpose: Configures an interface as a protect interface. The ip-address argument specifies the IP address of the router that has the working interface.
Step 10 Command: Router(config-if)# exit
Purpose: Exits interface configuration mode and returns to global configuration mode.

Example 14-1 shows the configuration of MR-APS on ATM interfaces. In the example, Router A is configured with the working interface, and Router B is configured with the protect interface. If the working interface on Router A becomes unavailable, the connection automatically switches over to the protect interface on Router B.

Command: Router(config)# ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance] [name] [permanent] [tag tag]
Purpose: Configures a static IP route.
Step 5 Command: Router(config)# interface type number
Purpose: Specifies the interface type and number. Enters interface configuration mode or controller configuration mode.

Configuring MR-APS with Static Routes on Channelized Line Cards

To optionally configure MR-APS with static routes on channelized line cards, enter the following commands beginning in global configuration mode:

Step 1 Command: Router(config)# redundancy
Purpose: Enters redundancy configuration mode, which allows you to associate two line cards as a redundant pair.

Example 14-2 shows the configuration of multirouter APS with static routes on ATM interfaces. Router A is configured with the working interface, and Router B is configured with the protect interface. If the working interface on Router A becomes unavailable, the connection automatically switches over to the protect interface on Router B. Note that 172.16.1.

Monitoring and Maintaining the MR-APS Configuration

To monitor and maintain the configuration of MR-APS, enter any of the following commands in privileged EXEC mode:

Command: Router# show aps
Purpose: Displays information about APS-configured interfaces.
Command: Router# debug aps
Purpose: Displays debugging information related to automatic protection switching.

Single-router Automatic Protection Switching

When you associate slots, the software pairs an odd-numbered slot with the next higher even-numbered slot:
• Odd-numbered slot—Holds the primary card, or working card
• Even-numbered slot—Holds the secondary card, or protect card
Figure 14-2 shows the redundant slot pairings in the Cisco 10008 chassis.

Feature History for SR-APS
Cisco IOS Release / Description / Required PRE
12.0(21)ST: This feature was introduced on the Cisco 10000 series router. (PRE1)
12.2(13)BZ: This feature was integrated into Cisco IOS Release 12.2(13)BZ. (PRE1)
12.3(7)XI: This feature was integrated into Cisco IOS Release 12.3(7)XI. (PRE2)
12.2(28)SB: This feature was integrated into Cisco IOS Release 12.2(28)SB. (PRE2)

Table 14-1 Configuration File—Redundancy Enabled and Disabled
Redundancy Enabled / Redundancy Disabled
card 5/0 1oc12pos-1
card 6/0 1oc12pos-1
!
redundancy
 associate slot 5 6
!
interface POS5/0/0
 ip address 5.5.5.5 255.255.255.

Command: Router# aps lockout [POS | SONET] slot#/subslot#/port#
Purpose: Prevents a channel from automatically switching to the active, working, or protection state.
Command: Router# aps manual [POS | SONET] slot#/subslot#/port# from [working | protection]
Purpose: Manually switches from the working channel to the protection channel, or from the protection channel to the working channel.

Use the no form of the command to return the threshold value to its default. In the following example, the threshold value is set to 10^-8.

Router(config)# interface pos 8/0/0
Router(config-if)# aps signal-degrade BER threshold 8

Specifying SR-APS Signal Fail BER Threshold

Use the aps signal-fail BER threshold command to modify the bit error rate threshold that, if exceeded, causes an APS cutover.
Chapter 15 Configuring IP Multicast

The IP multicast feature enables a host to send packets to a subset of hosts known as a multicast group. The hosts in the multicast group are the group members. Packets delivered to group members are identified by a single multicast group address. Multicast packets are delivered to a group using best-effort reliability. Any host, regardless of whether it is a member of a group, can send messages to a group.

Feature History for IP Multicast
Cisco IOS Release / Description / Required PRE
12.2(4)BZ1: This feature was introduced on the Cisco 10000 series router. (PRE1)
12.3(7)XI1: This feature was integrated into Cisco IOS Release 12.3(7)XI1. (PRE2)
12.2(28)SB: This feature was integrated into Cisco IOS Release 12.2(28)SB. (PRE2)

Configuration Tasks for IP Multicast Routing

Enabling IP Multicast Routing

IP multicast routing allows the Cisco IOS software to forward multicast packets. To enable IP multicast routing on the Cisco 10000 router, enter the following command in global configuration mode:

Command: Router(config)# ip multicast-routing
Purpose: Enables IP multicast routing.

Enabling Sparse Mode

To configure PIM on an interface to be in sparse mode, enter the following command in interface configuration mode:

Command: Router(config-if)# ip pim sparse-mode
Purpose: Enables sparse mode PIM on the interface.

Enabling Sparse-Dense Mode

When you enable sparse-dense mode, the interface is treated as dense mode if the group is in dense mode.

Command: Router(config)# ip access-list extended acl-copp-PIM
Purpose: Creates the ACL and enters extended ACL configuration mode.
Command: Router(config-ext-nacl)# permit pim any any
Purpose: Permits all PIM packets to be implicitly sent to the rendezvous point (RP).
Command: Router(config-ext-nacl)# permit udp any any eq 3232
Purpose: Permits all data packets that are destined for UDP port 3232.
Chapter 16 Configuring RADIUS Features

This chapter describes the following features:
• RADIUS Attribute Screening, page 16-1
• RADIUS Transmit Retries, page 16-4
• Extended NAS-Port-Type and NAS-Port Support, page 16-6
• RADIUS Attribute 31: PPPoX Calling Station ID, page 16-13
• RADIUS Packet of Disconnect, page 16-17

RADIUS Attribute Screening

The RADIUS Attribute Screening feature allows you to configure a list of “accept” or “reject” RADIUS attributes on the Cisco 10000 router for auth

• Configuration Tasks for RADIUS Attribute Screening, page 16-3
• Configuration Examples for RADIUS Attribute Screening, page 16-3

Feature History for RADIUS Attribute Screening
Cisco IOS Release / Description / Required PRE
12.2(16)BX3: This feature was introduced on the Cisco 10000 series router. (PRE2)
12.3(7)XI6: This feature was integrated into Cisco IOS Release 12.3(7)XI6. (PRE2)
12.

Configuration Tasks for RADIUS Attribute Screening

To configure and verify the RADIUS Attribute Screening feature, see the “Configuring RADIUS Attribute Accept or Reject Lists” section on page 5-37.

Authorization Reject and Accounting Accept Configuration Example

The following example shows how to configure a reject list for RADIUS authorization and an accept list for RADIUS accounting. Although you cannot configure more than one accept or reject list per server group for authorization or accounting, you can configure one list for authorization and one list for accounting per server group.

RADIUS Transmit Retries

• Restrictions for RADIUS Transmit Retries, page 16-5
• Configuring RADIUS Transmit Retries, page 16-5
• Configuration Example for RADIUS Transmit Retries, page 16-5
• Monitoring and Troubleshooting RADIUS Transmit Retries, page 16-6

Feature History for RADIUS Transmit Retries
Cisco IOS Release / Description / Required PRE
12.3(7)XI1: This feature was integrated into Cisco IOS Release 12.3(7)XI1. (PRE2)
12.

Monitoring and Troubleshooting RADIUS Transmit Retries

To monitor and troubleshoot RADIUS transmit retries, enter any of the following commands in privileged EXEC mode:

Command: Router# show radius statistics
Purpose: Displays the RADIUS statistics for accounting and authentication packets. The Number of RADIUS Timeouts field indicates the number of times a server did not respond and the RADIUS server resent the packet.

Extended NAS-Port-Type and NAS-Port Support

Feature History for Extended NAS-Port-Type and NAS-Port Support
Cisco IOS Release / Description / Required PRE
12.3(7)XI1: This feature was introduced on the Cisco 10000 series router. (PRE2)
12.2(28)SB: This feature was integrated into Cisco IOS Release 12.2(28)SB. (PRE2)

NAS-Port (RADIUS Attribute 5)

The NAS-Port (RADIUS attribute 5) is a 32-bit value that uniquely represents the physical or logical port on which the user is attempting to authenticate. A logical port can be represented by the virtual path identifier (VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for an Ethernet interface.

Configuring Extended NAS-Port-Type and NAS-Port Attributes Support

To configure Extended NAS-Port-Type and NAS-Port Attributes Support, enter the following commands in global configuration mode:

Step 1 Command: Router(config)# radius-server attribute 61 extended
Purpose: Enables extended, non-RFC compliant NAS-Port-Type values, which identify new broadband service port types, such as PPPoA, PPPoEoA, PPPoEoE, PPPoEoVL

Step 3 Command: Router(config)# radius-server attribute nas-port format e [string] [type {nas-port-type}]
Purpose: Configures a specific service port type for extended NAS-Port-Type support.

You can override the NAS-Port-Type configured globally on the router at an interface or subinterface level.

radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC
radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC
radius-server attribute nas-port format e SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV
radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV
radius-server attribute nas-port format e SSSSAPPPQQQQQQQQQQQQVVVVVVVVVVVV
radius-server host 10.76.86.
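As an added example that is not part of the Cisco guide, the following Python packs and unpacks the 32-bit NAS-Port value according to a format e template string like the ones configured above, so that a NAS-Port seen in an accounting record can be mapped back to slot, port, and PVC or VLAN. The letter meanings (S slot, A adapter, P port, I VPI, C VCI, Q Q-in-Q outer tag, V VLAN) are assumptions drawn from the chapter's description of logical ports, and the sample values are constructed.

```python
# Added example, not from the Cisco guide: pack and unpack the 32-bit
# NAS-Port (RADIUS attribute 5) according to a "format e" template. The
# letter meanings below are assumptions based on the chapter's description:
# S slot, A adapter, P port, I VPI, C VCI, Q Q-in-Q (outer) VLAN, V VLAN.

FIELD_NAMES = {"S": "slot", "A": "adapter", "P": "port",
               "I": "vpi", "C": "vci", "Q": "qinq", "V": "vlan"}

# Templates copied from the configuration excerpt above
FORMAT_PPPOA = "SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC"
FORMAT_PPPOEOVLAN = "SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV"
FORMAT_PPPOEOQINQ = "SSSSAPPPQQQQQQQQQQQQVVVVVVVVVVVV"


def parse_template(template):
    """Split a template into (field name, bit width) runs, left to right."""
    if len(template) != 32:
        raise ValueError("a format e template must describe exactly 32 bits")
    runs = []
    for ch in template:
        if ch not in FIELD_NAMES:
            raise ValueError(f"unknown field letter {ch!r}")
        if runs and runs[-1][0] == ch:
            runs[-1] = (ch, runs[-1][1] + 1)
        else:
            runs.append((ch, 1))
    letters = [ch for ch, _ in runs]
    if len(letters) != len(set(letters)):
        raise ValueError("each field letter must form one contiguous run")
    return [(FIELD_NAMES[ch], width) for ch, width in runs]


def pack_nas_port(template, **values):
    """Build the NAS-Port value; fields not given are encoded as 0."""
    nas_port = 0
    for name, width in parse_template(template):
        value = values.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        nas_port = (nas_port << width) | value
    return nas_port


def unpack_nas_port(template, nas_port):
    """Recover the fields from a NAS-Port value, e.g. one read from an accounting record."""
    if not 0 <= nas_port < (1 << 32):
        raise ValueError("NAS-Port is a 32-bit value")
    fields = {}
    shift = 32
    for name, width in parse_template(template):
        shift -= width
        fields[name] = (nas_port >> shift) & ((1 << width) - 1)
    return fields


def value_fits(template, **values):
    """True if every field value fits the width the template gives it."""
    try:
        pack_nas_port(template, **values)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed PVC 1/32 on slot 1, adapter 0, port 0 (the PVC used in Chapter 11)
    port = pack_nas_port(FORMAT_PPPOA, slot=1, adapter=0, port=0, vpi=1, vci=32)
    print(port, unpack_nas_port(FORMAT_PPPOA, port))
    print(value_fits(FORMAT_PPPOA, vci=70000))   # a VCI above 65535 overflows 16 bits
```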
RADIUS Attribute 31: PPPoX Calling Station ID

The RADIUS Attribute 31: PPPoX Calling Station ID feature enables service providers to give the RADIUS server more information about the call originator in a DSL environment, such as the physical lines on which customer calls originate. Specifically, this feature allows operators to track customers through the physical lines on which their calls originate.

Table 16-1 Enabled Calling-Station-ID Formats by Session Type
Session Type / Enabled Calling-Station ID Format: MAC-only / Nas-Port / MAC-only and Nas-Port
PPPoA: Not applicable / hostname.domainname:int_desc:vpi:vci / hostname.domainname:int_desc:vpi:vci
PPPoEoA: Not applicable / hostname.domainname:int_desc:vpi:vci / hostname.domainname:int_desc:vpi:vci
PPPoEoE: macaddr / hostname.

Related Documents for PPPoX Calling Station ID
• RADIUS Logical Line ID feature guide
• “Configuring Broadband Access: PPP and Routed Bridge Encapsulation” in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
• Cisco IOS Dial Technologies Configuration Guide, Release 12.

debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.

Example 16-2 debug radius Command Output

*Sep 14 14:54:43.259: RADIUS(00000008): Send Access-Request to 10.0.0.8:1645 id1645/34, len 121
*Sep 14 14:54:43.

interface ATM1/0/1
 no ip address
 atm clock INTERNAL
 no atm auto-configuration
 atm ilmi-keepalive
 no atm address-registration
 pvc 0/16 ilmi
 !
!
interface ATM1/0/1.111 multipoint
 ! -----This description is used in the calling-station-id -----
 description test_descr
 pvc 0/100
  class-vc ppp_auto1200
 !
 pvc 0/101
  class-vc ppp_auto1200
!
interface GigabitEthernet8/0/0
 ip address 10.10.0.1 255.255.255.

RADIUS Packet of Disconnect

• To prevent unauthorized servers from disconnecting users, the authorizing agent that issues the POD packet must include three parameters in its packet of disconnect request. For a session to be disconnected, all parameters must match their expected values at the router. If the parameters do not match, the router discards the packet of disconnect and sends a NACK (negative acknowledgement) to the agent.

Related Documents for RADIUS Packet of Disconnect
• Cisco IOS Security Configuration Guide, Release 12.2
• Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2
• Cisco Access Registrar 3.

Configuring AAA POD Server

To configure the Calling-Station-ID format, perform the following task in global configuration mode:

Command: Router(config)# aaa pod server clients [client ip address] port [port-number] [auth-type {any | all | session-key}] [ignore {session-key | server-key}] server-key string
Purpose: Enables inbound user sessions to be disconnected when specific session attributes are presented.

Monitoring and Maintaining AAA POD Server

To monitor an AAA POD server and troubleshoot problems:
• Ensure that the POD port is configured correctly in both the router (using the aaa pod server command) and the RADIUS server. Both should be the same.
• Ensure that the shared-secret key configured in the router (using the aaa pod server command) and in the AAA server are the same.
Chapter 17 Cisco 10000 Series Router PXF Stall Monitor

In Cisco IOS Release 12.2(33)XNE, the Cisco 10000 series routers include a mechanism that verifies whether Parallel Express Forwarding (PXF) can forward packet traffic. The PXF forwards traffic, and a fault in the PXF can cause that traffic to silently come to a halt: the router drops packets without updating the error counters.

Information about Cisco 10000 Series Router PXF Stall Monitor

• PXF stall—On the LC to PXF path, shown in Figure 17-1, if there are no packets passing between Cobalt3 and the PXF, the PXF stalls. The stall occurs when a packet is not completely read from the Internal Packet Memory (IPM); therefore, the entry remains in the Cobalt3 New Work Queue (NWQ). This entry is marked as the top entry and stays there.

• PXF to LC
• LC to PXF
• PXF to RP

Stall detection is based on threshold values. For example, to avoid false alarms, the number of times a stall condition must be detected before it is declared a stall is set as a threshold value. The PSM communicates the stall condition using syslog messages. The new stall conditions are:
• LC stall that is fixed by resetting the LC.

Restrictions for Cisco 10000 Series Router PXF Stall Monitor

• PSM cannot detect an LC that gets stalled before interfaces come up on the LC.
• PSM cannot detect stalls in LCs where multiple link bundling is done across LCs.
• PSM state in the active PRE is not synchronized with the standby PRE, even in SSO mode. Therefore, during a switchover from the active PRE to the standby PRE, there is a delay in detecting a stall that occurred during the switchover.

Step 5 Command or Action: exit
Purpose: Exits the global configuration mode.
Example: Router(config)# exit
Step 6 Command or Action: show pxf stall-monitoring [counters | reset {active-status | cob-fib | cob-tib | pxf-drop} subslot]
Purpose: Displays the current configuration and the operating status of the PSM.

Configuration Example of Cisco 10000 Series Router PXF Stall Monitor

Router# show pxf stall-monitoring
pxf stall-monitoring : Enabled
Stall History
=============
Stall Threshold Configuration
=============================
Primary Action = LC-reset    Threshold = 4
Primary Action = HT-reset    Threshold = 5
Secondary action = SSO SwitchOver

Router# show pxf stall-monitoring counters
To RP Counters
==============
IOS To RP Counter = 22299
PXF To RP Drop Coun

Slot 5 Subslot 1 = 0
Slot 6 Subslot 0 = 0
Slot 6 Subslot 1 = 0
Slot 7 Subslot 0 = 0
Slot 7 Subslot 1 = 0
Slot 8 Subslot 0 = 0
Slot 8 Subslot 1 = 0
CH A P T E R 18 SSO-BFD To establish alternative paths, networking equipment are designed to rapidly detect communication failures between adjacent systems. The Bidirectional Forwarding Detection (BFD) protocol detects failures that occur for short durations in the path between adjacent forwarding engines. BFD is a protocol that help the underlying networking protocols to detect failures in the forwarding path.
Chapter 18 SSO-BFD Information about SSO-BFD across a switchover, the Cisco 10000 series router needs the addition of SSO support for the BFD protocol. With this addition, a planned or an unplanned switchover does not result in the peer router declaring a failure in the forwarding path. For configuring the SSO-BFD feature, see the How to Configure Bidirectional Forwarding Detection section in the Bidirectional Forwarding Detection guide at the following link: http://www.cisco.
Chapter 18 SSO-BFD Restrictions of SSO-BFD The following line cards support the early packet send routine: • 1-port Channelized OC12 line card. • 4-port channelized OC3/STM-1 line card. • Half-height Gigabit Ethernet line card. • Asynchronous Transfer Mode (ATM) line cards. To summarize the three modules, the sequence of steps before and after a switchover is as follows: 1.
Chapter 18 SSO-BFD Monitoring and Maintaining SSO-BFD Monitoring and Maintaining SSO-BFD The BFD packets are dropped if there is a problem on the link and the BFD signals its client. A corresponding action occurs to bring down the feature. However, during a switchover, if the peer router goes down, the router undergoing the switchover detects the failure when the CEF path comes up.
Configuration Examples of SSO-BFD

SSO-BFD with Static: Example

Example 18-1 and Example 18-2 show the configuration of the SSO-BFD feature with a static client in a VPN scenario:

Example 18-1 SSO-BFD with a Static Client on the CE1 Router

CE1
interface GigabitEthernet1/1/0.1
 no ip redirect
 encapsulation dot1q 101 second-dot1q 500
 ip address 20.1.1.1 255.255.255.0
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
interface GigabitEthernet1/1/0.

 negotiation auto
 mpls ip
 mpls label protocol ldp
!
!
router ospf 50
 router-id 1.1.1.1
 log-adjacency-changes
 nsf ietf
 network 1.1.1.1 0.0.0.0 area 0
 network 50.0.0.0 0.255.255.

!
ip route static bfd GigabitEthernet1/0/0.1 20.1.1.1
ip route static bfd ATM4/0/0.1 20.1.2.1
ip route static bfd serial5/0/0/1:1 20.1.4.1
ip route static bfd GigabitEthernet1/0/0.5 20.1.5.1
!
ip route vrf vpn1001 20.1.1.0 255.255.255.0 GigabitEthernet1/0/0.1 20.1.1.1
ip route vrf vpn1002 20.1.2.0 255.255.255.0 ATM4/0/0.1 20.1.2.1
ip route vrf vpn1004 20.1.4.0 255.255.255.0 serial5/0/0/1:1 20.1.4.1
ip route vrf vpn1005 20.1.5.0 255.255.255.

Example 18-3 SSO-BFD with a BGP Client on the CE1 Router

CE1:
interface GigabitEthernet1/1/0.1
 no ip redirect
 encapsulation dot1Q 1001 second-dot1q 500
 ip address 20.1.1.1 255.255.255.0
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
interface GigabitEthernet1/1/0.2
 no ip redirect
 encapsulation dot1Q 1002
 ip address 20.1.2.1 255.255.255.0
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
interface ATM4/0/0.

ip vrf vpn1002
 rd 75:1002
 route-target export 75:1002
 route-target import 75:1002
!
ip vrf vpn1003
 rd 75:1003
 route-target export 75:1003
 route-target import 75:1003
!
!
ip vrf vpn1004
 rd 75:1004
 route-target export 75:1004
 route-target import 75:1004
!
!
mpls ldp graceful-restart
mpls label protocol ldp
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.

 ip address 50.0.0.1 255.0.0.0
 negotiation auto
 mpls ip
 mpls label protocol ldp
!
!
router ospf 50
 router-id 1.1.1.1
 log-adjacency-changes
 nsf ietf
 network 1.1.1.1 0.0.0.0 area 0
 network 50.0.0.0 0.255.255.255 area 0
!
router bgp 75
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 2.2.2.2 remote-as 75
 neighbor 2.2.2.

 neighbor 20.1.4.1 remote-as 71
 neighbor 20.1.4.1 ha-mode sso
 neighbor 20.1.4.1 fall-over bfd
 neighbor 20.1.4.

router eigrp 5
 nsf
 bfd all-interfaces
 network 20.1.5.0 0.0.0.255
!
end

Example 18-6 SSO-BFD with an EIGRP Client on the PE1 Router

PE1
mpls ldp graceful-restart
mpls label protocol ldp
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet2/0/0
 ip address 50.0.0.1 255.0.0.0
 negotiation auto
 mpls ip
 mpls label protocol ldp
!
!
router ospf 50
 router-id 1.1.1.1
 log-adjacency-changes
 nsf ietf
 network 1.1.1.1 0.0.0.

 no ip redirect
 encapsulation dot1q 105
 ip vrf forwarding vpn1005
 ip address 20.1.5.2 255.255.255.0
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
interface ATM8/0/0.1 point
 no ip redirect
 pvc 1/101
  encapsulation aal5snap
 ip vrf forwarding vpn1002
 ip address 20.1.2.2 255.255.255.0
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
interface serial5/0/0/1:1
 ip vrf forwarding vpn1004
 ip address 20.1.4.2 255.255.255.

  no synchronization
  redistribute connected
  neighbor 2.2.2.2 activate
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.

 ip address 192.168.2.1 255.255.255.0
 ip router isis
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
int atm4/0/0.1 point
 no ip redirect
 pvc 1/101
  encap aal5snap
 ip address 192.168.3.1 255.255.255.0
 ip router isis
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
!
int s5/0/0/1:1
 no ip redirect
 ip address 192.168.5.1 255.255.255.0
 ip router isis
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
int l0
 ip address 1.1.1.1 255.255.255.

!
int s5/0/0/1:1
 no ip redirect
 ip address 192.168.5.2 255.255.255.0
 ip router isis
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
int l0
 ip address 2.2.2.2 255.255.255.

 bfd all-interfaces
 network 20.1.1.0 0.0.0.255 area 0
!
router ospf 2
 nsf ietf
 bfd all-interfaces
 network 20.1.2.0 0.0.0.255 area 0
!
router ospf 4
 nsf ietf
 bfd all-interfaces
 network 20.1.4.0 0.0.0.255 area 0
!
router ospf 5
 nsf ietf
 bfd all-interfaces
 network 20.1.5.0 0.0.0.255 area 0
!
end

Example 18-10 SSO-BFD with an OSPF Client on the CE1 Router

PE1
mpls ldp graceful-restart
mpls label protocol ldp
!
interface Loopback0
 ip address 1.1.1.

!
ip vrf vpn1005
 rd 75:1005
 route-target export 75:1005
 route-target import 75:1005
!
! Qinq interface
!
interface GigabitEthernet1/0/0.1
 no ip redirect
 encapsulation dot1q 101 second-dot1q 500
 ip vrf forwarding vpn1001
 ip address 20.1.1.2 255.255.255.0
 bfd interval 999 min_rx 999 multiplier 5
 no bfd echo
!
! dot1q interface
!
interface GigabitEthernet1/0/0.5
 no ip redirect
 encapsulation dot1q 105
 ip vrf forwarding vpn1005
 ip address 20.1.5.2 255.255.

router ospf 5 vrf vpn1005
 nsf ietf
 redistribute bgp 75 metric 20 subnets
 network 20.1.5.0 0.0.0.255 area 0
 bfd all-interfaces
!
!
router bgp 75
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 2.2.2.2 remote-as 75
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family ipv4
  no synchronization
  redistribute connected
  neighbor 2.2.2.
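Every BFD-enabled interface in the examples above carries the same timer line, bfd interval 999 min_rx 999 multiplier 5, and the monitoring text describes what happens once BFD stops hearing a peer. The following added example (written for this page, not code from the Cisco guide) works out, from those three parameters on each side, the interval at which a peer actually transmits and the silence after which the local router declares the session down. The rules are those of RFC 5880 asynchronous mode; the value pairs are constructed to match the examples, and the mismatched "fast" peer is a constructed case to show that the slower side governs.

```python
# Added example (not from the Cisco guide): how two BFD peers derive the
# actual transmit interval and the detection time from the
# "bfd interval <tx> min_rx <rx> multiplier <n>" parameters seen in the
# configuration examples. Rules follow RFC 5880 (asynchronous mode); the
# numbers used for testing are constructed to mirror the examples.
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    """One router's BFD parameters, all intervals in milliseconds."""
    desired_min_tx_ms: int    # bfd interval <ms>
    required_min_rx_ms: int   # min_rx <ms>
    detect_mult: int          # multiplier <n>

    def __post_init__(self):
        if self.desired_min_tx_ms < 1 or self.required_min_rx_ms < 1:
            raise ValueError("BFD intervals must be positive")
        if self.detect_mult < 1:
            raise ValueError("BFD multiplier must be at least 1")


def negotiated_tx_interval_ms(sender: BfdTimers, receiver: BfdTimers) -> int:
    """Rate at which `sender` really sends control packets to `receiver`:
    the slower of what the sender wants and what the receiver will accept
    (RFC 5880 section 6.8.7)."""
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local: BfdTimers, remote: BfdTimers) -> int:
    """Silence after which `local` declares the session down: the remote's
    multiplier times the interval the remote has agreed to transmit at
    (RFC 5880 section 6.8.4)."""
    return remote.detect_mult * negotiated_tx_interval_ms(remote, local)


def session_down(local: BfdTimers, remote: BfdTimers,
                 last_rx_ms: int, now_ms: int) -> bool:
    """True once the local detection timer has expired with no packet seen."""
    return now_ms - last_rx_ms >= detection_time_ms(local, remote)


if __name__ == "__main__":
    ce = BfdTimers(999, 999, 5)   # the examples' CE-side timers
    pe = BfdTimers(999, 999, 5)   # the examples' PE-side timers
    print("CE detects a silent PE after", detection_time_ms(ce, pe), "ms")
```

With the examples' values both sides tolerate just under 5 seconds of silence before the client (static, BGP, EIGRP, IS-IS or OSPF) is told to withdraw the path, which is the window the SSO-BFD feature must bridge during a switchover.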
Chapter 19 Configuring Link Noise Monitoring

About Link Noise Monitoring

The Link Noise Monitoring (LNM) feature monitors noise associated with T1/E1 communication links between a base transceiver station (BTS) and the aggregation node (AN). T1/E1 links are leased spans (lines) from service providers. Noise in these lines causes data loss, and significant data loss affects voice quality. When notified of such issues, the system operator can move the faulty span out of service.
• The LNM feature is supported only on T1/E1 links.
• The use of a repeater removes errors at the physical layer (Layer 1) before passing the data, and renders the LNM feature ineffective.
• LNM provides the option of monitoring errors through LCV or PCV values, or both. If the LCV value is specified, the router calculates the PCV value by a linear extrapolation of the Gaussian curve.
Step 1
Command: t1 t1-number channel-group channel-group-number timeslots list-of-timeslots
Description: Specifies the channel group and timeslots on a T1 interface.
• t1-number—The T1 interface number from 1 to 28.
• channel-group channel-group-number—Identifies the channel group with any number from 0 to 23.
• timeslots list-of-timeslots—A T1 is divided into 24 timeslots (or DS0s).
Step 1
Command: Router# t1 <1-28> span syslog
         Router# e1 <1-21> span syslog
Description: Generates syslog messages for the specified T1 or E1 link. A T1 link has 28 channels. An E1 link has 21 channels.
Example: Router# t1 3 span syslog

Step 2
Command: Router# no [e1 <1-21> span syslog]
         Router# no [t1 <1-21> span syslog]
Description: Disables generation of syslog messages for the specified T1/E1 link.
Example of LNM Configuration on a Shared Port Adapter

Example 2 shows how to configure the LNM feature on a 2-port Channelized OC12/DS0 SPA.
15   Channel not configured for E1/T1
16   Channel not configured for E1/T1
Chapter 20 Configuring L2 Virtual Private Networks

To improve profitability, service providers (SPs) introduce new services and reduce operational expenditures. To reduce the number of managed networks, SPs use network convergence, a multiphase transition of the network that affects both the core and the edge/aggregation side. The core technology is predominantly Multiprotocol Label Switching (MPLS). However, IP cores are the service of choice in a number of large SPs.
Using the Label Distribution Protocol (LDP), an AToM circuit session is identified by a unique VC (virtual circuit) between two PE routers. When a Layer 2 frame is received by the imposition PE router, it is encapsulated in an MPLS packet with a VC label, an IGP label, and possibly other labels. When the MPLS packet reaches the disposition PE router, the packet is converted back into its Layer 2 encapsulation.
• Any Transport over MPLS—Tunnel Selection, page 20-47

Feature History for L2VPN

Cisco IOS Release   Description                                                      Required PRE
12.2(28)SB          This feature was introduced on the Cisco 10000 series router.    PRE2
12.2(31)SB2         Support was added for the PRE3.                                  PRE3
12.2(31)SB2         Ethernet to VLAN over AToM (Bridged) functionality was added.    PRE2/PRE3
12.
Prerequisites for L2VPN: AToM

Before configuring L2VPN, ensure that the network is configured as follows:
• Configure IP routing in the core so that the PE routers can reach each other using IP.
• Configure the label distribution protocol to be Label Distribution Protocol (LDP).
• Configure label-switched paths (LSPs) between the PE routers.
Restrictions for L2VPN

The L2VPN feature has the following restrictions:
• Address format: Configure the LDP router ID on all PE routers to be a loopback address with a /32 mask. Otherwise, some configurations might not function properly.
• The maximum transmission unit (MTU) size must be the same at both ends of the circuit.
MIBs

Table 20-3 lists the MIBs that L2VPN supports.

Table 20-3 MIBs Supported by L2VPN

Transport Type                    MIB
ATM AAL5 SDU support over MPLS    MPLS LDP MIB (MPLS-LDP-MIB.my)
                                  ATM MIB (ATM-MIB.my)
                                  CISCO AAL5 MIB (CISCO-AAL5-MIB.my)
                                  Cisco Enterprise ATM Extension MIB (CISCO-ATM-EXT-MIB.my)
                                  Supplemental ATM Management Objects (CISCO-IETF-ATM2-PVCTRAP-MIB.my)
                                  Interfaces MIB (IF-MIB.
NSF and SSO—L2VPN

Checkpointing AToM Information

Checkpointing is a function that copies state information from the active RP to the backup RP, thereby ensuring that the backup RP has the latest information. If the active RP fails, the backup RP can take over. For the L2VPN NSF feature, the checkpointing function copies the active RP's information bindings to the backup RP. The active RP sends updates to the backup RP when information is modified.
Nonstop Forwarding for Routing Protocols

For information on this topic, see the Nonstop Forwarding for Routing Protocols section in the NSF/SSO: Any Transport over MPLS and Graceful Restart document at: http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsatomha.
Configuration Examples of NSF/SSO—Layer 2 VPN

Example 20-1 illustrates how to configure AToM NSF on two PE routers:

Example 20-1 Ethernet to VLAN Interworking with AToM NSF

PE1    PE2
ip cef
!
redundancy
 mode sso
!
mpls ldp graceful-restart
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
mpls ldp advertise-tags
!
pseudowire-class atom-eth
 encapsulation mpls
 interworking ethernet
!
interface Loopback0
 ip address 10.8.8.
L2VPN Local Switching—HDLC/PPP

The L2VPN Local Switching—HDLC/PPP feature enables service providers to support different encapsulations over HDLC locally switched circuits that function as back-to-back circuits. The provisioned HDLC locally switched circuits can also be backed up by using PWRED.

Prerequisites of L2VPN Local Switching—HDLC/PPP

In Cisco IOS Release 12.
Frames manipulated by the PE router preserve the PPP header as described in RFC 1661.

HDLC Like-to-Like Local Switching

Like PPP, HDLC sessions can be forwarded between two CE routers connected to the same PE router. The microcode implements an HDLC pass-through mechanism for the HDLC traffic.
Configuration Tasks for L2VPN

To configure L2VPN, you have to configure the following L2VPN features:
• Setting Up the Pseudowire—AToM Circuit, page 20-12
• Configuring ATM AAL5 SDU Support over MPLS, page 20-14
• Configuring ATM-to-ATM PVC Local Switching, page 20-14
• Configuring OAM Cell Emulation for ATM AAL5 SDU Support over MPLS, page 20-15
• Configuring Ethernet over MPLS, page 20-19
• IEEE 802.
To set up a pseudowire connection or AToM circuit between two PE routers, enter the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# pseudowire-class name
Purpose: (Optional) Establishes a pseudowire class with a name that you specify and specifies the tunneling encapsulation.
Configuring ATM AAL5 SDU Support over MPLS

ATM AAL5 SDU support over MPLS encapsulates ATM AAL5 service data units (SDUs) in MPLS packets and forwards them across the MPLS network. Each ATM AAL5 SDU is transported as one packet.
• 1-port OC-12

To configure ATM-to-ATM PVC local switching, enter the following commands, beginning in global configuration mode:

Step 1
Command: Router(config)# interface atm slot/port
Purpose: Specifies an ATM interface and enters interface configuration mode.

Step 2
Command: Router(config-if)# pvc vpi/vci l2transport
Purpose: Assigns a virtual path identifier (VPI) and virtual channel identifier (VCI).
The OAM cells include the following:
• Alarm indication signal (AIS)
• Remote defect indication (RDI)

These cells identify and report defects along a VC. When a physical link or interface failure occurs, intermediate nodes insert OAM AIS cells into all the downstream devices affected by the failure.
Example 20-6 shows how to enable OAM cell emulation on an ATM PVC.

Example 20-6 OAM Cell Emulation on an ATM PVC

interface ATM 1/0/0
 pvc 1/200 l2transport
  encapsulation aal5
  xconnect 13.13.13.13 100 encapsulation mpls
  oam-ac emulation-enable
  oam-pvc manage

Example 20-7 shows how to set the rate at which an AIS cell is sent to every 30 seconds.
Configuring OAM Cell Emulation for ATM AAL5 SDU Support over MPLS in VC Class Configuration Mode

The following steps explain how to configure OAM cell emulation as part of a VC class. You can then apply the VC class to an interface, a subinterface, or a VC.
Example 20-9 configures OAM cell emulation for ATM AAL5 SDU support over MPLS in VC class configuration mode. The VC class is then applied to an interface.
• Port mode—Allows a frame coming into an interface to be packed into an MPLS packet and transported over the MPLS backbone to an egress interface. The entire Ethernet frame is transported without the preamble or FCS as a single packet.
• VLAN ID Rewrite—Enables you to use VLAN interfaces with different VLAN IDs at both ends of the tunnel.
To configure Ethernet over MPLS in VLAN mode, enter the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# interface gigabitethernet slot/interface.subinterface
Purpose: Specifies the Gigabit Ethernet subinterface and enters subinterface configuration mode. Make sure the subinterface on the adjoining CE router is on the same VLAN as this PE router.
Example 20-12 shows how to configure VC 123 in Ethernet port mode:

Example 20-12 Ethernet over MPLS in Port Mode

pseudowire-class ethernet-port
 encapsulation mpls

interface gigabitethernet1/0
 xconnect 10.0.0.1 123 pw-class ethernet-port

Note Depending on the interface type, you can also use the interface fastethernet command.
Prerequisites for IEEE 802.1Q Tunneling (QinQ) for AToM

In Cisco IOS software Release 12.2(33)SB, the QinQ (short for 802.1Q-in-802.
Figure 20-3 Ethernet VLAN QinQ Header (figure; fields left to right: Dest MAC (6 bytes), SRC MAC (6 bytes), Type/Length = 802.1Q Tag Type (2 bytes), 802.1Q Tag Control Info (2 bytes), Type/Length = 802.1Q Tag Type (2 bytes), 802.1Q Tag Control Info (2 bytes), Type/Length (2 bytes), Data)

The IEEE 802.
• On the egress side—The MPLS label is stripped, and up to two levels of VLAN tags are rewritten according to the configuration.

Only unambiguous VLAN-tagged Ethernet QinQ interfaces are supported in this release. The Ethernet VLAN Q-in-Q rewrite of both VLAN tags is supported only on Ethernet subinterfaces with a QinQ encapsulation and an explicit pair of VLAN IDs defined.
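Figure 20-3 gives the byte layout of a QinQ frame and the text above describes the egress PE rewriting up to two VLAN tags. The following added example (written for this page, not code from the Cisco guide or Cisco IOS) parses that header for untagged, single-tagged and double-tagged frames and rewrites the outer and inner VLAN IDs while preserving the priority and DEI bits. It also refuses to rewrite a tag the frame does not carry, which is the behaviour an interface configured with an explicit pair of VLAN IDs relies on. The sample frame is constructed here and mirrors the dot1q 101 second-dot1q 500 subinterfaces used elsewhere in this guide; acceptance of the 802.1ad TPID 0x88A8 as an outer tag is an assumption beyond what the figure shows.

```python
# Added example (not from the Cisco guide): parse the Ethernet header of
# Figure 20-3 with zero, one or two 802.1Q tags and rewrite the VLAN IDs of
# the outer and inner tag, the egress-side operation the text describes.
# Sample frames are constructed; accepting TPID 0x88A8 is an assumption.
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100    # tag type used for both tags in Figure 20-3
TPID_8021AD = 0x88A8   # 802.1ad service-tag TPID; accepted as an outer tag too

Tag = Tuple[int, int, int, int]   # (tpid, pcp, dei, vid)


def parse_vlan_tags(frame: bytes) -> Tuple[bytes, bytes, List[Tag], int, bytes]:
    """Return (dst, src, tags, ethertype, payload); tags are outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while len(tags) < 2:                       # at most two levels (QinQ)
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 6:            # tag (4) + following type/length (2)
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return dst, src, tags, ethertype, frame[offset + 2:]


def build_frame(dst: bytes, src: bytes, tags: List[Tag], ethertype: int,
                payload: bytes) -> bytes:
    """Inverse of parse_vlan_tags (no FCS; the PE strips it anyway)."""
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("invalid tag field")
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    out += struct.pack("!H", ethertype)
    return bytes(out) + payload


def rewrite_vlan_ids(frame: bytes, outer_vid: Optional[int] = None,
                     inner_vid: Optional[int] = None) -> bytes:
    """Rewrite the VLAN ID of the outer and/or inner tag, keeping PCP and DEI.
    Rewriting a tag the frame does not carry is rejected rather than guessed."""
    dst, src, tags, ethertype, payload = parse_vlan_tags(frame)
    wanted = [outer_vid, inner_vid]
    new_tags = []
    for i, (tpid, pcp, dei, vid) in enumerate(tags):
        if wanted[i] is not None:
            if not 1 <= wanted[i] <= 4094:
                raise ValueError("VLAN ID must be 1..4094")
            vid = wanted[i]
        new_tags.append((tpid, pcp, dei, vid))
    if any(w is not None for w in wanted[len(tags):]):
        raise ValueError("frame carries fewer tags than the rewrite expects")
    return build_frame(dst, src, new_tags, ethertype, payload)


# Constructed sample: service tag 101 around customer tag 500, IPv4 inside.
SAMPLE_QINQ = build_frame(bytes.fromhex("0200000000aa"),
                          bytes.fromhex("0200000000bb"),
                          [(TPID_8021Q, 3, 0, 101), (TPID_8021Q, 0, 0, 500)],
                          0x0800, b"\x45" + b"\x00" * 19)
```

Because only the 12-bit VID field of each tag is replaced, the rewritten frame is the same length as the original, which matters for the MTU restriction stated earlier in this chapter.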
Figure 20-5 Remote Link Outage in EoMPLS (figure; Customer Edge 1, Cisco 10000 Series Router Provider Edge 1, Ethernet over MPLS (EoMPLS) wide area network, Cisco 10000 Series Router Provider Edge 2, Customer Edge 2, with an X marking a failed Ethernet link)

In releases earlier than Cisco IOS Release 12.2(33)SB, the PE2 router did not detect a failed remote link.
 encapsulation mpls
!
interface GigabitEthernet1/0/0
 xconnect 1.1.1.1 1 pw-class eompls
  remote link failure notification
!

Example 20-19 Disabling Remote Ethernet Port Shutdown under the Xconnect Configuration

pseudowire-class eompls
 encapsulation mpls
!
interface GigabitEthernet1/0/0
 xconnect 1.1.1.
Configuring Frame Relay over MPLS

Frame Relay over MPLS encapsulates Frame Relay protocol data units (PDUs) in MPLS packets and forwards them across the MPLS network. For Frame Relay, you can set up data-link connection identifier (DLCI)-to-DLCI connections or port-to-port connections.
Step 6
Command: Router(config)# connect connection-name interface dlci l2transport
Purpose: Defines connections between Frame Relay PVCs and enters connect submode. Using the l2transport keyword specifies that the PVC will not be a locally switched PVC, but will be tunneled over the backbone network. The connection-name argument is a text string that you provide.
Enabling Other PE Devices to Transport Frame Relay Packets

You can configure an interface as a data terminal equipment (DTE) device or a data circuit-terminating equipment (DCE) switch, or as a switch connected to a switch with network-to-network interface (NNI) connections.
DLCI-to-DLCI Connections

If DLCI-to-DLCI connections are configured, LMI runs locally on the Frame Relay ports between the PE and CE devices.
• CE1 sends an active status to PE1 if the PVC for CE1 is available. If CE1 is a switch, LMI checks that the PVC is available from CE1 to the user device attached to CE1.
• PE1 sends an active status to CE1 if the following conditions are met:
  – A PVC for PE1 is available.
The Frame Relay-to-Frame Relay Local Switching feature is described in the following topics:
• Configuring Frame Relay for Local Switching, page 20-32
• Configuring Frame Relay Same-Port Switching, page 20-33
• Verifying Layer 2 Local Switching for Frame Relay, page 20-34
• Configuring QoS Features, page 20-34

Configuring Frame Relay for Local Switching

To configure Frame Relay for local switching, enter the followin
Configuring Frame Relay Same-Port Switching

Use the following steps to configure local Frame Relay same-port switching on a single interface, beginning in global configuration mode.

Step 1
Command: Router(config)# frame-relay switching
Purpose: Enables PVC switching on a Frame Relay DCE device or an NNI.

Step 2
Command: Router(config)# interface type number
Purpose: Specifies the interface and enters interface configuration mode.
Example 20-25 shows how to configure Frame Relay same-port switching.

Example 20-25 Configuring Frame Relay Same-Port Switching

frame-relay switching
interface serial 1/0/0.
The values shown in the tables are as follows:
• No—You cannot perform this policy map action.
• Yes—You can perform this policy map action.
• N/A (not applicable)—You can apply the policy map action, but it does not have any effect on packets.

Table 20-4 Frame Relay DLCI Input Policy Map Actions

Policy Map Actions   Frame Relay DLCI Interface
bandwidth            no
queue-limit          no
priority             no
shape                no
random-detect        no
set
Configuring HDLC and PPP over MPLS

With HDLC over MPLS, the entire HDLC packet is transported. The ingress PE router removes only the HDLC flags and frame check sequence (FCS) bits. The contents of the packet are not used or changed. With PPP over MPLS, the ingress PE router removes the flags, address, control field, and the FCS.
Estimating the Size of Packets Traveling Through the Core Network

The following calculation helps you determine the size of the packets traveling through the core network. You set the maximum transmission unit (MTU) on the core-facing interfaces of the P and PE routers to accommodate packets of this size.
• If AToM is used by the customer carrier in the MPLS-VPN Carrier Supporting Carrier environment, you add a label to the stack. The maximum MPLS label stack in the provider carrier network is 5 (FRR label, TE label, LDP label, VPN label, VC label).
• If an AToM tunnel spans different service providers that exchange MPLS labels using IPv4 BGP (RFC 3107), you add a label to the stack.
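The core-MTU estimate above is stated in words; the following added example (written for this page, not code from the Cisco guide) carries it through as a small calculator: the customer payload, the Layer 2 header the imposition PE keeps in front of it, the AToM control word, and four bytes per MPLS label. The per-transport header sizes and the two-label baseline (LDP tunnel label plus VC label) are assumed illustrative values chosen to be consistent with the five-label Carrier Supporting Carrier case named in the text; confirm them against the encapsulation you deploy. A core link that comes out short drops or fragments the largest customer frames, which surfaces as a pseudowire that passes small packets and silently loses large ones.

```python
# Added example (not from the Cisco guide): a worked version of the
# core-MTU estimate for AToM. Header sizes and the baseline label stack are
# assumed illustrative values, not figures taken from this page.
from typing import Dict

MPLS_LABEL_BYTES = 4       # one 32-bit shim header per label
CONTROL_WORD_BYTES = 4     # AToM control word, when the transport carries one

# Assumed Layer 2 header bytes the imposition PE keeps in front of the payload.
TRANSPORT_HEADER_BYTES: Dict[str, int] = {
    "ethernet-port": 14,     # DA, SA, type/length (preamble and FCS removed)
    "ethernet-vlan": 18,     # plus one 802.1Q tag
    "ethernet-qinq": 22,     # plus two 802.1Q tags (Figure 20-3 layout)
    "frame-relay-dlci": 2,   # Q.922 address field
    "hdlc": 4,               # address, control and protocol fields kept
    "ppp": 4,                # flags, address, control and FCS are removed
    "atm-aal5-sdu": 0,       # the AAL5 SDU travels without cell headers
}


def label_stack_depth(te_tunnel: bool = False, frr: bool = False,
                      csc: bool = False, inter_as_bgp: bool = False) -> int:
    """Labels on a core packet. Baseline 2 (LDP tunnel label + VC label);
    TE, FRR, Carrier Supporting Carrier (VPN label) and inter-AS RFC 3107
    each add one, matching the five-label CSC maximum in the text."""
    return 2 + int(te_tunnel) + int(frr) + int(csc) + int(inter_as_bgp)


def core_mtu(edge_mtu: int, transport: str, labels: int,
             control_word: bool = True) -> int:
    """Smallest MTU the core-facing P/PE interfaces need so that an
    edge_mtu-byte payload of this transport fits in one MPLS packet."""
    if transport not in TRANSPORT_HEADER_BYTES:
        raise ValueError(f"unknown transport {transport!r}")
    if edge_mtu <= 0 or labels < 1:
        raise ValueError("edge_mtu must be positive and at least one label is needed")
    overhead = (TRANSPORT_HEADER_BYTES[transport]
                + (CONTROL_WORD_BYTES if control_word else 0)
                + labels * MPLS_LABEL_BYTES)
    return edge_mtu + overhead


def core_link_shortfall(edge_mtu: int, transport: str, labels: int,
                        core_link_mtu: int, control_word: bool = True) -> int:
    """Bytes by which a core link's MTU is too small (0 when it is adequate)."""
    return max(0, core_mtu(edge_mtu, transport, labels, control_word) - core_link_mtu)


if __name__ == "__main__":
    depth = label_stack_depth(te_tunnel=True, frr=True, csc=True)
    print("CSC with TE and FRR needs", depth, "labels;",
          "core MTU for a 1500-byte VLAN payload:",
          core_mtu(1500, "ethernet-vlan", depth))
```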
Table 20-7 Commands Supported to Change EXP Bits

Transport Type                                     Supported Commands
ATM AAL5 SDU support over MPLS                     set mpls experimental
Ethernet over MPLS: Port mode                      match any
Frame Relay over MPLS: DLCI-to-DLCI connections
Frame Relay over MPLS: Port-to-port connections
HDLC over MPLS
PPP over MPLS
Ethernet over MPLS: VLAN mode                      set mpls experimental
                                                   match cos

Set the experimental bits in both the VC label and the LSP tunnel label.
Displaying the Traffic Policy Assigned to an Interface

To display the traffic policy attached to an interface, use the show policy-map interface command. Example 20-29 uses the set mpls experimental command with the match any command under a default class. This means that every packet tunneled onto a particular AToM VC carries the same MPLS experimental bit value.
Table 20-8 Input (Imposition Router) Policy Map Actions

Policy Map Actions   ATM   Ethernet   Frame Relay   HDLC and PPP
bandwidth            no    no         no            no
queue-limit          no    no         no            no
priority             no    no         no            no
shape                no    no         no            no
random-detect        no    no         no            no
set ip prec/dscp     N/A   N/A        N/A           N/A
set qos-group        yes   yes        yes           yes
set discard class    yes   yes        yes           yes
set atm-clp          N/A   N/A        N/A           N/A
set fr-de            N/A   N/
Table 20-10 and Table 20-11 describe support for class map match criteria on various interfaces. Table 20-10 describes match criteria support for inbound traffic and Table 20-11 describes support for outbound traffic.
Table 20-11 Output (Disposition Router) Class Map Match Criteria (continued)

Match Criteria         ATM   Ethernet   Frame Relay   HDLC and PPP
Frame Relay DLCI       no    no         no            no
VLAN ID                no    no         no            no
Packet Length          no    no         no            no
DE bit (Frame Relay)   N/A   N/A        N/A           N/A

Monitoring and Maintaining L2VPN

To monitor and maintain the configuration of L2VPN features, use the following commands in privileged EXEC mode.
Configuration Example—Frame Relay over MPLS

Example 20-31 shows the configuration of Frame Relay over MPLS on two provider edge routers, PE1 and PE2, and on two customer edge routers, CE1 and CE2. The topology for the example is shown in Figure 20-7.
 mpls ip
 crc 32
 clock source internal
!
!Enabling OSPF protocol
router ospf 100
 log-adjacency-changes
 network 1.0.0.0 0.255.255.255 area 100
 network 50.0.0.0 0.255.255.255 area 100
!Define pseudowire-class
pseudowire-class pw_atom1
 encapsulation mpls
!FR configuration with two subinterfaces
interface Serial8/0/0.
 frame-relay lmi-type q933a
interface Serial8/0/0.1/1:0.1 point-to-point
interface Serial8/0/0.1/1:0.2 point-to-point
!Two AToM VC configuration with vc ids 1 & 2
connect atom1 Serial8/0/0.1/1:0 17 l2transport
 xconnect 1.1.1.1 1 pw-class pw_atom1
!
!
connect atom2 Serial8/0/0.1/1:0 18 l2transport
 xconnect 1.1.1.1 2 pw-class pw_atom1

CE2 Configuration
================================
interface Serial8/0/0.
Any Transport over MPLS—Tunnel Selection

  Default path: active
  Next hop: point2point
  Create time: 00:00:53, last status change time: 00:00:10
  Signaling protocol: LDP, peer 2.2.2.
pseudowire-class pw1
 encapsulation mpls
 preferred-path interface Tunnel1 disable-fallback
!
pseudowire-class pw2
 encapsulation mpls
 preferred-path peer 10.18.18.18
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
 no ip directed-broadcast
 no ip mroute-cache
!
interface Tunnel1
 ip unnumbered Loopback0
 no ip directed-broadcast
 tunnel destination 10.16.16.
ip route 10.18.18.18 255.255.255.255 Tunnel2
!
ip explicit-path name path-tu1 enable
 next-address 10.0.0.1
 index 3 next-address 10.0.0.1

Router PE2
mpls label protocol ldp
mpls traffic-eng tunnels
mpls ldp router-id Loopback0
interface Loopback0
 ip address 10.16.16.16 255.255.255.255
 no ip directed-broadcast
 no ip mroute-cache
!
interface Loopback2
 ip address 10.18.18.18 255.255.255.
Chapter 21 Configuring L2VPN Interworking

Interworking is a transforming function that is required to interconnect two heterogeneous attachment circuits (ACs). Several types of interworking functions exist. The function that is used depends on the type of ACs being used, the type of data being carried, and the level of functionality required. The two main L2VPN interworking functions supported in Cisco IOS Software are bridged and routed interworking.
Bridged Interworking

Ethernet to VLAN—Bridged Interworking

In Ethernet Interworking, also called bridged interworking, Ethernet frames are bridged across the pseudowire. The customer edge (CE) routers can bridge Ethernet, or can route using a bridged encapsulation model, such as Bridge Virtual Interface (BVI) or Routed Bridged Encapsulation (RBE). The provider edge (PE) routers operate in the Ethernet like-to-like mode.
Step 4
Command or Action: encapsulation mpls
Purpose: Specifies the tunneling encapsulation.
Example: Router(config-pw)# encapsulation mpls

Step 5
Command or Action: interworking {ethernet | ip}
Purpose: Specifies the type of pseudowire and the type of traffic that can flow across it.
Example: Router(config-pw)# interworking ethernet

Verifying the Configuration

You can verify the AToM configuration by using the show mpls l2transport vc detail command.
Routed Interworking

Ethernet to VLAN over LS—Bridged: Example

PE
config t
interface atm 2/0/0
 pvc 0/200 l2transport
  encapsulation aal5snap
interface gigabitethernet 5/1/0
 no ip address
connect ETH-VLAN gigabitethernet 5/0/0 gigabitethernet 5/1/0.
  – ATM and FR point-to-point—By default, inverse ARP does not run on point-to-point FR or ATM subinterfaces. The IP address and subnet mask define the connected prefix; therefore, no configuration is required on the CE devices.
• Interworking using a pseudowire at Layer 2 requires that the MTUs of both attachment circuits match for the pseudowire to come up.
• ATM AAL5 to Ethernet Local Switching—Bridged Interworking, page 21-8
• ATM AAL5 to VLAN 802.1Q Local Switching—Bridged Interworking, page 21-9
• ATM AAL5 to Ethernet Port AToM—Bridged Interworking, page 21-9
• ATM AAL5 to Ethernet VLAN 802.
Figure 21-1 ATM CE Protocol Stack for ATM AAL5 to Ethernet Local Switching Bridged Interworking—With VLAN Header (figure; ATM CE side: ATM Header, LLC (AA-AA), LLC (03), OUI (00), OUI (80-C2), PID (00-07), PAD (00-00), MAC Header (DA, SA, Ethertype 81-00, VLAN Tag, Type/Length), Remainder of MAC Frame, LAN FCS, CPCS-UU, CPI, Length, CRC; Ethernet side after the PE: MAC Header (DA, SA, Ethertype 81-00, VLAN Tag, Type/Length), Remainder of MAC Frame)

In Ci
Figure 21-2 ATM CE Protocol Stack for ATM to Ethernet AToM Bridged Interworking—With VLAN Header (figure; ATM CE to ATM PE: ATM Header, then the bridged LLC/SNAP MAC frame (DA, SA, Ethertype 81-00, VLAN Tag, Type/Length); MPLS emulated VC between the PEs: Tunnel Label, VC Label, Control Word, MAC Header (DA, SA, Ethertype 81-00, VLAN Tag, Type/Length); Ethernet PE to Ethernet VLAN CE: MAC Header (DA, SA, Ethertype 81-00, VLAN Tag, Type/Length))
Figure 21-3 ATM CE Protocol Stack for ATM AAL5 to Ethernet Local Switching Bridged Interworking (figure; ATM CE side: ATM Header, LLC (AA-AA), LLC (03), OUI (00), OUI (80-C2), PID (00-07), PAD (00-00), MAC Header (DA, SA, Type/Length), Remainder of MAC Frame, LAN FCS, CPCS-UU, CPI, Length, CRC; Ethernet side after the PE: MAC Header (DA, SA, Type/Length), Remainder of MAC Frame)

ATM AAL5 to VLAN 802.
Figure 21-4 Network Topology for ATM to Ethernet AToM Bridged Interworking (figure; ATM CE, ATM Link (VPI/VCI), PE with interworking function, P Router, Tunnel LSP carrying the pseudowire using EoMPLS across the MPLS Network, P Router, Ethernet PE, Ethernet Link, Ethernet CE)

The advantage of this architecture is that the Ethernet PE (connected to the Ethernet segment) operates similarly to Ethernet like-to-like services.
The interworking function is performed in the same way as for the ATM to Ethernet Port case, implemented on the PE connected to the ATM attachment VC. The implementation is based on Multiprotocol Encapsulation over ATM Adaptation Layer 5 (see Figure 21-4). For the PE connected to the Ethernet side, one major difference exists due to the existence of the VLAN header in the incoming packet.
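Figures 21-1 and 21-3 show the bytes the ATM-side PE has to strip before it can bridge the customer's Ethernet frame: the RFC 2684 LLC/SNAP bridged header (AA-AA-03, OUI 00-80-C2, PID, two PAD bytes) in front, and the AAL5 CPCS trailer (CPCS-UU, CPI, Length, CRC) behind. The following added example (written for this page, not code from the Cisco guide or the router microcode) encodes and decodes that CPCS-PDU and hands back the Ethernet frame the PE would bridge. It checks the trailer Length against the PDU size before trusting it, rejects PDUs that are not whole cells, and honours both RFC 2684 PID values (0x0001 with the LAN FCS present, 0x0007 without, the one the figures show). The CRC-32 is parsed but not verified, on the stated assumption that the ATM hardware has already done so; the sample frame is constructed here.

```python
# Added example (not from the Cisco guide): encode/decode the ATM side of the
# bridged interworking stack in Figures 21-1 and 21-3, i.e. an AAL5 CPCS-PDU
# carrying an Ethernet frame under the RFC 2684 LLC/SNAP bridged header.
# Assumption: the AAL5 CRC-32 was already checked by hardware; it is parsed,
# not recomputed. Sample data is constructed.
import struct
from typing import Tuple

LLC_SNAP_BRIDGED = bytes.fromhex("aaaa03" "0080c2")   # LLC AA-AA-03, OUI 00-80-C2
PID_8023_WITH_FCS = 0x0001      # RFC 2684: 802.3 frame with LAN FCS preserved
PID_8023_NO_FCS = 0x0007        # RFC 2684: 802.3 frame without LAN FCS (figures)
BRIDGED_HEADER_LEN = 10         # LLC(3) + OUI(3) + PID(2) + PAD(2)
AAL5_TRAILER_LEN = 8            # CPCS-UU(1) CPI(1) Length(2) CRC-32(4)
CELL_PAYLOAD = 48


def encode_bridged_aal5(frame: bytes, lan_fcs_present: bool = False) -> bytes:
    """Build the CPCS-PDU for one Ethernet frame: bridged header + frame,
    zero-padded to a whole number of cells, then the 8-byte trailer."""
    pid = PID_8023_WITH_FCS if lan_fcs_present else PID_8023_NO_FCS
    payload = LLC_SNAP_BRIDGED + struct.pack("!H", pid) + b"\x00\x00" + frame
    pad_len = (-(len(payload) + AAL5_TRAILER_LEN)) % CELL_PAYLOAD
    trailer = struct.pack("!BBHI", 0, 0, len(payload), 0)   # CRC left zero here
    return payload + b"\x00" * pad_len + trailer


def decode_bridged_aal5(pdu: bytes) -> Tuple[bytes, bool]:
    """Return (ethernet_frame_without_fcs, lan_fcs_was_present).
    Raises ValueError for anything the PE should refuse to bridge."""
    if len(pdu) < CELL_PAYLOAD or len(pdu) % CELL_PAYLOAD != 0:
        raise ValueError("CPCS-PDU is not a whole number of ATM cells")
    _uu, cpi, length, _crc = struct.unpack("!BBHI", pdu[-AAL5_TRAILER_LEN:])
    if cpi != 0:
        raise ValueError("unsupported CPI")
    if length > len(pdu) - AAL5_TRAILER_LEN:
        raise ValueError("trailer Length exceeds PDU")   # never trust a length blindly
    payload = pdu[:length]
    if len(payload) < BRIDGED_HEADER_LEN + 14:
        raise ValueError("payload too short for bridged header and MAC header")
    if payload[:6] != LLC_SNAP_BRIDGED:
        raise ValueError("not RFC 2684 bridged LLC/SNAP encapsulation")
    (pid,) = struct.unpack_from("!H", payload, 6)
    if pid not in (PID_8023_WITH_FCS, PID_8023_NO_FCS):
        raise ValueError(f"unsupported bridged PID 0x{pid:04x}")
    frame = payload[BRIDGED_HEADER_LEN:]
    has_fcs = pid == PID_8023_WITH_FCS
    if has_fcs:
        if len(frame) < 18:
            raise ValueError("frame too short to carry a LAN FCS")
        frame = frame[:-4]            # the Ethernet side regenerates its own FCS
    return frame, has_fcs


# Constructed sample: a minimum-size 60-byte Ethernet frame (IPv4 ethertype).
SAMPLE_FRAME = (bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
                + b"\x08\x00" + b"\x00" * 46)
```

Note that only the length and the header bytes decide whether the frame is bridged; nothing inside the Ethernet payload is inspected, which is exactly the like-to-like behaviour the Ethernet-side PE relies on.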
Chapter 21 Configuring L2VPN Interworking Ethernet/VLAN to ATM AAL5 Interworking Protocol Stack for ATM to Ethernet—Routed Interworking ATM ATM CE MPLS Emulated VC of type TBD ATM PE Tunnel Label ATM Header LLC (AA-AA) LLC(03) OUI (00) OUI (00-00) EtherType (08-00) VC Label VC Label Control Word IPv4 Header IPv4 Header Data Data Data SA VLAN Tag Type/Length (00-00) Prot. Type (08-00) (00-00) Prot.
3. pvc vpi/vci l2transport
4. encapsulation aal5snap
5. interface [fastethernet | gigabitethernet] slot/subslot/port
6. no ip address
7. connect connection-name [fastethernet | gigabitethernet] slot/subslot/port atm slot/subslot/port vpi/vci interworking {ethernet | ip}
Note The order of the interfaces in the connect command is not important.

AToM
Figure 21-9 illustrates different AToM configurations.
Figure 21-9 AToM Model for CLI Commands
[Figure: CE1, PE1, P, PE2, CE2]
This section explains the following AToM configurations and their examples:
• ATM AAL5 to Ethernet Port, page 21-14
• Configuring ATM AAL5 to Ethernet VLAN 802.

Note When configuring bridged interworking, the PE2 configuration does not include the interworking ethernet command, because the service is treated as like-to-like and the attachment circuit is already an Ethernet port. When configuring routed interworking, however, the interworking ip command is required.

You can configure the ATM AAL5 to Ethernet VLAN 802.1Q feature on a PE2 router using the following steps:
1. config t
2. mpls label protocol ldp
3. interface Loopback
4. ip address local-ip-address local-mask
5. pseudowire-class name
6. encapsulation mpls
7. interworking {ethernet | ip}
8. interface [fastethernet | gigabitethernet] slot/subslot/port.subinterface
9. encapsulation dot1q VLAN-ID
10.
Ethernet/VLAN to Frame Relay Interworking

The Ethernet VLAN to Frame Relay (FR) Interworking feature is described in the following topics:
• Prerequisites of Ethernet/VLAN to Frame Relay Interworking, page 21-17
• Restrictions for Ethernet/VLAN to Frame Relay Interworking, page 21-17
• FR DLCI to Ethernet Local Switching—Bridged Interworking, page 21-19
• FR DLCI to VLAN 802.

Figure 21-10 FR CE Protocol Stack for FR to Ethernet Local Switching Bridged Interworking—With VLAN Header
[Figure: FR CE, PE, Ethernet CE. Frame Relay side: Q.922 address; control (03); pad (00); NLPID (80); OUI (00-80-C2); PID (00-07); MAC header (DA, SA); Ethertype (81-00); VLAN tag; Type/Length; remainder of MAC frame; LAN FCS; FCS. Ethernet side: MAC header (DA, SA); Ethertype (81-00); VLAN tag; Type/Length; remainder of MAC frame.]
In Cisco IOS Release 12.

FR CE Protocol Stack for FR to Ethernet AToM Bridged Interworking—With VLAN Header
[Figure: FR link, FR PE, emulated VC over MPLS. Across the core the bridged frame (MAC header DA/SA, Ethertype 81-00, VLAN tag, Type/Length, remainder of MAC frame) is carried under a tunnel label, a VC label and a control word; on the Frame Relay side it is carried behind the Q.922 header.]

FR DLCI to VLAN 802.1Q Local Switching—Bridged Interworking
This interworking type provides interoperability between a Frame Relay attachment VC and an Ethernet VLAN attachment VC connected to the same PE router. It uses bridged encapsulation, corresponding to the Bridged (Ethernet) Interworking mechanism.

FR CE Protocol Stack for FR to Ethernet AToM Bridged Interworking—Without VLAN Header
[Figure: FR link, FR PE, emulated VC over MPLS under a tunnel label; Frame Relay side carries the frame behind the Q.922 header.]
Frame Relay to Ethernet—Routed Interworking
To perform routed interworking, both the FR PE and Ethernet PE routers must be configured. When FR packets arrive from the FR CE router, the FR PE router removes the Frame Relay header and forwards the IP packet to the egress PE router using IPoMPLS encapsulation over the pseudowire.

Configuration Tasks and Examples
This section describes configuration tasks for and examples of two L2VPN technology solutions:
• Local Switching
• AToM

Local Switching
Figure 21-8 shows LS configurations. The following LS configurations and examples are described:
• FR DLCI to Ethernet Port, page 21-23
• FR DLCI to Ethernet VLAN 802.

FR DLCI to Ethernet VLAN 802.1Q
You can configure the FR DLCI to Ethernet VLAN 802.1Q feature on a router using the following steps:
1. config t
2. frame-relay switching
3. interface serial slot/subslot/port[:channel | .channel]
4. encapsulation frame-relay
5. frame-relay intf-type dce
6. frame-relay interface-dlci DLCI switched
7. interface [fastethernet | gigabitethernet] slot/subslot/port.

8. frame-relay switching
9. interface serial slot/subslot/port[:channel | .channel]
10. encapsulation frame-relay
11. frame-relay interface-dlci DLCI switched
12. connect mpls serial slot/subslot/port[:channel | .channel] DLCI l2transport
13. xconnect remote-ip-address vc-id pw-class name
You can configure the FR DLCI to Ethernet port feature on a PE2 router using the following steps:
1. config t
2.

 xconnect 10.0.0.100 150 pw-class fr-eth

FR DLCI to Ethernet VLAN 802.1Q
To configure the FR DLCI to Ethernet VLAN 802.1Q feature on a PE1 router, use the following steps:
1. config t
2. mpls label protocol ldp
3. interface Loopback
4. ip address local-ip-address local-mask
5. pseudowire-class name
6. encapsulation mpls
7. interworking {ethernet | ip}
8. frame-relay switching
9.
 encapsulation mpls
 interworking ethernet
frame-relay switching
interface serial 2/0/0:1
 encapsulation frame-relay
 frame-relay intf-type dce
connect mpls serial 2/0/0:1 567 l2transport
 xconnect 10.0.0.200 150 pw-class fr-vlan

The following example shows how to configure the FR DLCI to Ethernet VLAN 802.1Q feature on a PE2 router using bridged interworking:
config t
mpls label protocol ldp
interface Loopback200
 ip address 10.

ATM to Frame Relay—Routed Interworking

Figure 21-17 ATM to Frame Relay Routed Interworking
[Figure: ATM CE, ATM link, PE, P routers in the MPLS network (MPoMPLS over a tunnel LSP), PE, FR link, FR CE. The payload on either side is bridged frames, IP packets or other payload types.]

ATM to FR Interworking Configuration Tasks and Examples
This section describes configuration tasks for and examples of two L2VPN technology solutions:
• Local

 frame-relay intf-type dce
 frame-relay interface-dlci 100 switched
connect atm-dlci atm 2/0/0 0/200 serial 2/0/0:1 100 interworking ip

AToM
Figure 21-9 illustrates different AToM configurations. This section explains the FR DLCI to ATM AAL5 configuration and provides examples.

FR DLCI to ATM AAL5
To configure the FR DLCI to ATM AAL5 feature on a PE1 router, use the following steps:
1. config t
2.

config t
mpls label protocol ldp
interface Loopback100
 ip address 10.0.0.100 255.255.255.255
pseudowire-class atm-fr
 encapsulation mpls
 interworking ip
interface atm 2/0/0
 pvc 0/200 l2transport
  encapsulation aal5
  xconnect 10.0.0.200 140 pw-class atm-fr

The following example shows how to configure the FR DLCI to ATM AAL5 feature on a PE2 router:
config t
mpls label protocol ldp
interface Loopback100
 ip address 10.0.0.200 255.255.255.
Chapter 22 Configuring Multilink Point-to-Point Protocol Connections

LAN-based applications and information transfer services, such as electronic mail, transmit large amounts of traffic, placing increased demand on wide-area networks (WANs). Multilink Point-to-Point Protocol (MLP) is a reliable and cost-effective solution that makes efficient use of WAN links. This chapter describes MLP and how to configure it on serial and ATM connections on the Cisco 10000 series router.

that is equal to the sum of the bandwidths of the component links. MLP also provides load balancing, multivendor interoperability, packet fragmentation and reassembly, and increased redundancy. The Cisco 10008 router implements the MLP specifications defined in RFC 1990.

Cisco IOS Release | Description | Required PRE
12.2(31)SB2 | Support was added for the PRE3. The valid multilink interface ranges for MLP over serial and multi-VC MLP over ATM changed from 1 to 9999 (Release 12.2(28)SB and later) to 1 to 9999 and 65,536 to 2,147,483,647. | PRE3
12.2(33)SB | The MLPPP on LNS feature was introduced on the Cisco 10000 series router; it is supported on the PRE3 and PRE4. | PRE3, PRE4
Adding the ppp multilink group command to a link's configuration does not make that link part of the specified bundle. This command only places a restriction on the link. If the link negotiates to use multilink, then it must provide the proper identification to join the bundle on the multilink interface or to activate a bundle on that interface.

• Virtual access interfaces (VAIs)
• Multilink group interfaces
Both of these types of interfaces provide the same level of PPP and multilink functionality once a bundle is established, and all PPP and multilink-related features run identically on the bundle. A VAI is the primary type of interface used for MLP bundles. It is created dynamically for a multilink connection and released as soon as the connection is torn down.

MLP Group Interfaces and Virtual Template Interfaces
You can configure MLP by assigning a multilink group to a virtual template interface configuration. Virtual templates allow a virtual access interface (VAI) to dynamically clone interface parameters from the specified virtual template.
Table 22-2 Bundle Name Generation
Command | Bundle Name Generation Algorithm
multilink bundle-name authenticated | The bundle name is the peer's username, if available. If the peer does not provide a username, the algorithm uses the peer's endpoint discriminator.
Note The authenticated keyword specifies that the bundle name is based on whatever notion of a username the system can derive.

Using unnumbered IP interfaces enables you to work around IP problems and configure an IP address on an MLP-enabled link.
MLP Overhead
MLP encapsulation adds six extra bytes (4 header, 2 checksum) to each outbound packet. These overhead bytes reduce the effective bandwidth on the connection; therefore, the throughput for an MLP bundle is slightly less than that of an equivalent-bandwidth connection that is not using MLP.

Usage Guidelines
For Cisco IOS Release 12.2(28)SB and later releases, the valid values for multilink interfaces are the following:
• MLP over Serial—1 to 9999 (Release 12.2(28)SB and later), and 1 to 9999 and 65,536 to 2,147,483,647 (Release 12.2(31)SB2 and later)
• Single-VC MLP over ATM—10,000 and higher
• Multi-VC MLP over ATM—1 to 9999 (Release 12.
Command History
Cisco IOS Release | Description
12.0(23)SX | The ppp multilink fragment-delay command was introduced on the Cisco 10000 series router.
12.2(16)BX | This command was introduced on the PRE2.
12.2(28)SB | This command was integrated into Cisco IOS Release 12.2(28)SB.
Defaults
If fragmentation is enabled, the fragment delay is 30 milliseconds.

If interleaving is enabled when fragment delay is not configured, the default delay is 30 milliseconds. The fragment size is derived from that delay and the bandwidths of the links.

ppp multilink fragment disable Command
To disable packet fragmentation, use the ppp multilink fragment disable command in interface configuration mode. To enable fragmentation, use the no form of this command.
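The fragment-delay default above and the six bytes of MLP overhead described under MLP Overhead combine into a simple planning calculation: how many fragments a packet becomes on a given bundle, what the per-fragment encapsulation costs in efficiency, and how long an interleaved real-time packet can be stuck behind one MLP packet on the slowest link. The following Python is an added example, not code from this guide or from Cisco IOS. The fragment-size rule it uses (the bytes the slowest member link serializes within the fragment delay) is an assumption for illustration, since the guide states only that the size is derived from the delay and the link bandwidths; the two-link 128-kbps scenario in the main block is constructed.

```python
"""MLP overhead and fragment-size arithmetic for a Cisco 10000 MLP bundle.

Added example, not code from the Cisco guide. It applies two facts the
chapter states (six overhead bytes per MLP packet; a fragment size derived
from the fragment delay and the member-link bandwidths) to show what a
chosen 'ppp multilink fragment-delay' costs in overhead and buys in
bounded serialization delay. The fragment-size rule used here, the bytes
the slowest member link serializes within the fragment delay, is an
illustrative assumption; the guide does not give the exact formula.
"""
from math import ceil
from typing import Dict, List, Optional

MLP_OVERHEAD_BYTES = 6          # 4-byte header + 2-byte checksum per MLP packet ("MLP Overhead")
DEFAULT_FRAGMENT_DELAY_MS = 30  # default when fragmentation or interleaving is enabled


def serialization_delay_ms(frame_bytes: int, link_kbps: int) -> float:
    """Time for a link of link_kbps to put frame_bytes on the wire."""
    return frame_bytes * 8 / link_kbps


def fragment_size_bytes(link_kbps: int, fragment_delay_ms: int) -> int:
    """Largest fragment the link serializes within fragment_delay_ms (assumed rule)."""
    # kbps * ms = bits, so divide by 8 for bytes; never return 0 to avoid a zero-sized fragment
    return max(1, (link_kbps * fragment_delay_ms) // 8)


def fragment_plan(packet_bytes: int, member_link_kbps: List[int],
                  fragment_delay_ms: Optional[int] = DEFAULT_FRAGMENT_DELAY_MS) -> Dict[str, float]:
    """Fragment one packet for the bundle and account for the MLP overhead on each fragment.

    fragment_delay_ms=None models 'ppp multilink fragment disable': the whole
    packet travels as one MLP packet and still pays the 6-byte encapsulation once.
    The slowest member link sets the fragment size, because a fragment that meets
    the delay target there also meets it on every faster link.
    """
    slowest = min(member_link_kbps)
    if fragment_delay_ms is None:
        frag = packet_bytes
    else:
        frag = fragment_size_bytes(slowest, fragment_delay_ms)
    fragments = max(1, ceil(packet_bytes / frag))
    overhead = fragments * MLP_OVERHEAD_BYTES
    wire_bytes = packet_bytes + overhead
    # Worst case, an interleaved real-time packet waits behind one in-flight MLP packet on the slowest link.
    largest_on_wire = min(packet_bytes, frag) + MLP_OVERHEAD_BYTES
    return {
        "fragment_bytes": frag,
        "fragments": fragments,
        "overhead_bytes": overhead,
        "wire_bytes": wire_bytes,
        "efficiency": packet_bytes / wire_bytes,
        "max_wait_ms": serialization_delay_ms(largest_on_wire, slowest),
    }


if __name__ == "__main__":
    links = [128, 128]  # constructed scenario: two 128-kbps member links carrying 1500-byte packets
    for delay in (None, DEFAULT_FRAGMENT_DELAY_MS, 10):
        plan = fragment_plan(1500, links, delay)
        label = "fragment disable" if delay is None else f"fragment-delay {delay} ms"
        print(f"{label:20s} fragments={plan['fragments']:2d} overhead={plan['overhead_bytes']:3d} B "
              f"efficiency={plan['efficiency']:.3f} max_wait={plan['max_wait_ms']:.2f} ms")
```

On a T1 the 30 ms default already exceeds a 1500-byte packet, so nothing is fragmented and the only cost is the six bytes per packet; on 128-kbps links the same default still leaves a voice packet waiting about 30 ms, and a 10 ms fragment delay brings that bound down at the price of ten fragments and sixty overhead bytes per 1500-byte packet.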
Syntax Description
group-number | Identifies the multilink group. This number must be identical to the multilink-bundle-number you assigned to the multilink interface. Valid values are:
• MLP over Serial—1 to 9999
• Single-VC MLP over ATM—10,000 and higher
• Multi-VC MLP over ATM—1 to 9999
Command History
Cisco IOS Release | Description
12.

Figure 22-2 shows an MLP bundle that consists of T1 interfaces from three T3 interfaces.
Figure 22-2 MLP Bundle for Multilink PPP over Serial Connections
You can combine up to ten T1s to create a multilink bundle. The bundle can include T1 channels assigned to different T3s.
• We strongly recommend that you use only strict priority queues when configuring MLP over Serial-based LFI. For more information, see the "Prioritizing Services" chapter in the Cisco 10000 Series Router Quality of Service Configuration Guide.

• Each member link can have a bandwidth rate of up to 2048 kbps.
• The router only supports member links with the same encapsulation type.
• MLP PVCs cannot be on-demand VCs that are automatically provisioned.
• Associating MLP over ATM PVCs with ATM virtual paths (VPs) is discouraged, though not prevented.
• The valid multilink interface values are 10000 to 65534.

For more information about link fragmentation and interleaving, see the "Fragmenting and Interleaving Real-Time and Nonreal-Time Packets" chapter in the Cisco 10000 Series Router Quality of Service Configuration Guide.

• If link fragmentation and interleaving (LFI) is enabled, only one link is used for interleaving. For more information, see the "Fragmenting and Interleaving Real-Time and Nonreal-Time Packets" chapter in the Cisco 10000 Series Router Quality of Service Configuration Guide.
• We strongly recommend that you use only strict priority queues when configuring Multi-VC MLP over ATM-based LFI.
MLP on LNS

About MLP on LNS
The multilink interface-based configuration requires one virtual template per bundle so that the ppp multilink group command can be configured on the virtual template. However, for the MLP on LNS feature, you can only scale up to 2000 virtual templates. To address the virtual template scaling issue and to avoid cumbersome configuration management, in the Cisco IOS 12.

Figure 22-5 MLP on LNS–Single-Member Bundle
[Figure: CPE, DSLAM, LAC and VC, L2TP tunnel, LNS (Cisco 10000 series router with PRE3); MLP with a single link per bundle. Upstream: MLP (single-link bundle), MLP fragmentation and interleaving. Upstream at the LNS: reassembly of MLP fragments. Downstream: QoS is allowed, MLP, no MLP fragmentation and interleaving.]
To accommodate the scaling requirements of up to 2040 multi member and 10240 single-member bundle

Member link, single-member bundle | 1 | 1 | 1 | 0
Member link, multi-member bundle | 1 | 1 | 1 | 1
1. A virtual circuit connection identifier (VCCI) is a variable that identifies a virtual circuit connection between two nodes.
2. A hardware interface descriptor block (HWIDB) represents a physical interface, which includes physical ports and channelized interface definitions.
3.

Each bundle includes 256 entries. However, in a single link bundle most packets arrive in order; therefore, fewer buffers are required per single link bundle. For example, if the average usage is 10 buffers per single link bundle, the average usage is 436.7 buffers per multilink bundle.

Table 22-6 2-Mbps Link Speed Performance (in Million Contexts per Second)
Bundles | 2040 | 2040 | 500 | 500
Links per bundle | 4 | 2 | 4 | 2
Total links | 8160 | 4080 | 2000 | 1000
500-byte packets (million contexts/sec) | 24.5 | 12.2 | 6.0 | 3.0
1000-byte packets (million contexts/sec) | 16.3 | 8.2 | 4.0 | 2.0
This scenario shows that for 2-Mbps links with high-traffic demand, Cisco 10000 series routers cannot obtain maximum bundle scaling.
• Virtual-access bundle support for existing MLP features is not included in this release.
• The physical tunnel interface (the Gigabit Ethernet or ATM interface on which the L2TP tunnel for the MLPoLNS bundle is negotiated) can change dynamically because of a route change or a switch to backup after problems on the line. Such changes require the bundles to renegotiate.

• QoS on interfaces towards the CPE and the tunnel is not supported.
• Only single-member MLPoE bundles are supported (with LFI support). The maximum number of single-member MLPoE bundles that can be supported is 10240.

MLPoE at PTA
In Cisco IOS Release 12.2(33)SB, MLPoE supports LFI on single-link MLP bundles.

ATM Overhead Accounting
Figure 22-6 shows that the outbound interface on the BRAS to the DSLAM is Ethernet. The encapsulation from the DSLAM to the CPE can be ATM. The ATM overhead is added when the DSLAM segments the packets, so it must be accounted for at the BRAS, by applying traffic shaping, to avoid overrunning the subscriber line.

example, if MLPoA is using 2040 multi-member bundles with 10200 member-links (5 links per bundle), MLPoE can only use up to 10220 single-member bundles with 10220 member-links, because the member-link pool is exhausted.

Memory and Performance Impact of MLPoE at PTA
The MLPoE at PTA feature impacts the memory and VCCI resources of the router processor (RP) to scale MLPoE bundles.
Table 22-8 Requirements for Configuring MLP
MLP Type | MLP Bundle | Member Links | Virtual Template | Service Policy
MLP over Serial | Required | Required | Not required | Not required
Single-VC MLP over ATM | Required | Required | Required | Required (1)
Multi-VC MLP over ATM | Required | Required | Required | Required (1)
1.

Step 1
Command | Purpose
Router(config)# interface multilink multilink-bundle-number | Creates a multilink bundle. Enters interface configuration mode to configure the bundle. multilink-bundle-number is a nonzero number that identifies the multilink bundle. For Cisco IOS Release 12.

Example 22-1 Creating an MLP Bundle Interface
Router(config)# interface multilink 8
Router(config-if)# ip address 172.16.48.209 255.255.0.0
Router(config-if)# ppp chap hostname cambridge

Enabling MLP on a Virtual Template
The virtual template interface is attached to the member links, not to the MLP bundle.

Configuration Example for Enabling MLP on a Virtual Template
Example 22-2 shows a sample configuration for enabling MLP on a virtual template.
Step 4
Command | Purpose
Router(config-if)# ppp max-failure retries | Configures the maximum number of consecutive Configure Negative Acknowledgements (CONFNAKs) to permit before terminating a negotiation. retries is the maximum number of retries. Valid values are from 1 to 255. The default is 5 retries. We recommend 100 retries.

Command | Purpose
Step 1 Router(config)# interface atm slot/module/port | Configures or modifies the ATM interface you specify and enters interface configuration mode.
Step 2 Router(config-if)# hold-queue length {in | out} | Limits the size of the IP output queue on an interface. length is a number that specifies the maximum number of packets in the queue. Valid values are from 0 to 4096.

Step 8
Command | Purpose
Router(config-if-atm-vc)# encapsulation {aal5mux ppp virtual-template number | aal5ciscoppp virtual-template number | aal5snap} | Configures the ATM adaptation layer (AAL) and encapsulation type for an ATM virtual circuit (VC). aal5mux ppp specifies the AAL and encapsulation type for multiplex (MUX)-type VCs.

Router(config-if)# ip address 10.6.6.1 255.255.255.

Step 1
Command | Purpose
Router(config)# interface type number | Specifies the interface that you want to move to a different MLP bundle. Enters interface or subinterface configuration mode. type specifies the type of interface (for example, ATM). number specifies the interface number and is the slot/module/port.subinterface number or the slot/module/port.

Command | Purpose
Step 3 Router(config-if)# no ppp multilink | Disables multilink for the link.
Step 4 Router(config-if)# no ppp chap hostname | Removes PPP authentication.

Changing the Default Endpoint Discriminator
When the local system negotiates using MLP with the peer system, the default endpoint discriminator value provided is the username that is used for authentication.
Configuration Examples for Configuring MLP
This section provides the following configuration examples:
• Configuration Example for Configuring MLP over Serial Interfaces, page 22-38
• Configuration Example for Configuring Single-VC MLP over ATM, page 22-38
• Configuration Example for Configuring Multi-VC MLP over ATM, page 22-39
• Configuration Example for MLP on LNS, page 22-39
• Conf

  encapsulation aal5mux ppp Virtual-Template1
  ppp multilink group 10001
interface Virtual-Template1
 bandwidth 512
 no ip address
 ppp multilink
interface Multilink 10001
 ip address
 ppp multilink
 ppp multilink group 10001

Configuration Example for Configuring Multi-VC MLP over ATM
Example 22-7 shows a sample configuration for configuring Multi-VC MLP over ATM.

Example 22-8 MLP on LNS
aaa new-model
!
!
aaa authentication ppp default local
aaa authentication ppp TESTME group radius
aaa authorization network default local
aaa authorization network TESTME group radius
!
aaa session-id common
buffers small perm 15000
buffers mid perm 12000
buffers big perm 8000
!
vpdn enable
!
vpdn-group LNS_1
 accept-dialin
  protocol l2tp
  virtual-template 500
 terminate

Configuration Example for MLPoE LAC Switching
Example 22-9 shows how to configure the LAC for switching an MLPoE connection to the LNS, while also forwarding the DSL tags.
Example 22-9 MLPoE LAC Switching
aaa new-model
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group LACoe_LFI
 request-dialin
  protocol l2tp
  domain hello_oe
 dsl-line-info-forwarding
 initiate-to ip 192.168.125.

Configuring MLPoE over IEEE 802.1Q VLANs
Example 22-10 shows how to configure MLPoE over IEEE 802.1Q VLANs:
Example 22-10 Configuring MLPoE over IEEE 802.

Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Cisco-avpair = "lcp:interface-config=ppp multilink",
Cisco-avpair = "lcp:interface-config=ppp multilink interleave",
Cisco-Policy-Down = "policy_mlpoe_in"
Note A PPPoE session shaper is required on the virtual template, or must be applied through RADIUS, to avoid flooding a downstream device such as an ADSL2+.
Bundle Counters and Link Counters
When you enter the show interface command on an MLP bundle interface and on all of its member link interfaces, you might expect the counters on the bundle to equal the sum of the counters for all of the link interfaces. This is not the case: the statistics for each interface reflect the data that actually goes through that interface.

  Keepalive not set
  DTR is pulsed for 2 seconds on reset
  LCP Open, multilink Open
  Open: IPCP
  Last input 15:24:43, output never, output hang never
  Last clearing of "show interface" counters 15:27:59
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     36 packets input, 665 bytes, 0 no b

• Frag timeout n ms—The maximum amount of time that multilink waits for an expected fragment before declaring it lost. This limit applies only when fragment loss cannot be detected by other, faster means such as sequence number-based detection.
• Member links:—The number of active and inactive links currently in the bundle, followed by the desired minimum and maximum number of links.

Related Documentation
Feature | Documentation
Multilink PPP | Cisco IOS Dial Services Configuration Guide: Terminal Services, Release 12.
Chapter 23 Configuring Gigabit EtherChannel Features

On a Cisco 10000 Series router, a Gigabit EtherChannel (GEC) is a specialized interface type comprising aggregated Gigabit Ethernet links. A GEC bundle is synonymous with a port channel and can have a minimum of one and a maximum of 8 active links. The bandwidth of the GEC interface is the aggregate of all the physical member links comprising the GEC bundle.
Note Cisco IOS Release 12.2(31)SB supports a maximum of 4 member links per GEC bundle.

• Configuring QoS Service Policies on GEC Interfaces, page 23-3
• Configuring Policy Based Routing Support on a GEC Bundle, page 23-7
• Configuring IEEE 802.

Prerequisites for Gigabit EtherChannel Configuration
The following are the prerequisites for configuring GEC bundles:
• Create a GEC bundle interface before adding GE links to the GEC bundle using the channel-group command.
• Add GE links to the GEC bundle and configure all the links identically.
Output QoS can be applied directly on GEC bundle subinterfaces, as on GEC main interfaces. Alternatively, output QoS can be applied on member links using the vlan-group QoS feature: the service policy with match-vlan class maps is applied on the member link main interface.

Restrictions for QoS Service Policies on GEC Bundles
The following restrictions apply to QoS service policies applied on GEC bundle interfaces and subinterfaces:
• Ingress and egress service policies without any queuing actions can only be applied on member links for M:N deployment, and are restricted for 1:N deployment.

• Step 3 Shape egress traffic for subinterfaces port-channel 1.1 and port-channel 1.

 Service-policy police_dscp
Interface Port-channel 1.1
 Service-policy input customer_A
Interface Port-channel 1.2
 Service-policy input customer_B

Configuring Policy Based Routing Support on a GEC Bundle
Cisco Policy Based Routing (PBR) provides a flexible mechanism for network administrators to customize the operation of the routing table and the flow of traffic within their networks.
• Ingress packet accounting for QinQ subinterfaces is carried out at the bundle level. Accounting of these ingress packets per member link is not supported.
Configuration Tasks for IEEE 802.

Configuring MVPN Support on GEC Bundle
The Multicast VPN (MVPN) feature allows a service provider to configure and support multicast traffic within a Virtual Private Network (VPN) environment.

Configuration Tasks
To enable PPPoE session creation on a GEC bundle, enter the following commands:
Command | Purpose
Step 1 router(config)# interface port-channel number | Creates a GEC bundle and enters interface configuration mode.
Step 2 router(config-if)# lacp max-bundle 1-8 | Sets the maximum number of active links per GEC bundle. For PPPoE sessions the maximum number of active links is one.
Configuring High Availability Support on GEC Bundle
The following high availability features are supported on GEC bundle interfaces on the Cisco 10000 series router:
• Stateful Switchover (SSO)
• In Service Software Upgrade (ISSU)
• Nonstop Forwarding (NSF)
• Nonstop Routing (NSR)
The EtherChannel and the IEEE 802.3ad LACP protocol are SSO and ISSU aware.
For more information on how to aggregate multiple Ethernet links into one logical channel, see the IEEE 802.3ad Link Bundling feature guide at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/newft/122sb31/sbcelacp.htm#wp1053782
Configuring VLAN-Based Load Balancing
In Cisco IOS Release 12.
• When lacp max-bundle is used with VLAN-based load balancing, verify that neither the primary nor the secondary member link of a VLAN subinterface has been selected as a standby link by LACP; otherwise that VLAN has no active link to forward over.
• Flow-based load balancing and VLAN-based load balancing are mutually exclusive on a GEC bundle; only one of them can be configured.
Step 8 router(config-subif)# encapsulation dot1Q vlan-id primary member-link secondary member-link
Enables IEEE 802.1Q encapsulation of traffic on the specified subinterface in a VLAN. Specify the VLAN identifier and the primary and secondary links.
Note The primary and secondary links must be members of the port channel so that traffic can be forwarded over them.
Example 23-5 Configuring the VLAN-Based Load Balancing Feature
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
interface port-channel 1
load-balancing vlan
lacp max-bundle 2
exit
!
interface gigabitethernet2/1/0
no ip address
channel-group 1 mode active
exit
!
interface gigabitethernet8/0/0
no ip address
channel-group 1 mode active
exit
!
interface port-channel 1.
encapsulation dot1q 1 primary gigabitethernet2/1/0 secondary gigabitethernet8/0/0
Configuration Example for Using the VLAN Group Feature to Apply QoS
Assume that the following configurations need to be performed on a port channel bundle:
Step 1
• Police ingress traffic for VLAN 2 at 100 Mbps
• Police ingress traffic for VLAN 3 at 150 Mbps
• Shape egress traffic for VLAN 3 at 50 Mbps
• Shape egress traffic
Step 5 Apply the policy on the port-channel bundle
Interface port-channel 1
Service-policy input mega_ingress
Service-policy output mega_egress
CH A P T E R 24 Configuring IP Version 6 Internet Protocol version 6 (IPv6), formerly called IPng (next generation), is the latest version of IP. IPv6 offers many advantages over the previous version of IP, including a larger address space. IPv6 has been available on other Cisco platforms; with the release of Cisco IOS release 12.2(28)SB, it is available on the Cisco 10000 series routers running the PRE2 processor.
Supported Features
– Ability to match on fragments and on the presence of routing headers
– Skipping extension headers to reach Layer 4 information
– Flag setting to match on the “undetermined-transport” ACL flag
• IPv6 Internet Control Message Protocol (ICMP)
• IPv6 NDP
• IPv6 Layer 2 encapsulation:
– Point to Point Protocol (PPP)
– Multilink PPP
– High-level Data Link Control (HDLC)
– VLAN
– Point-to-point Frame Relay
– Point-to-point ATM
• IPv6 Routing:
– Static
– R
Limitations for IPv6
RPF strict check mode verifies that the source IP address exists in the FIB table and that the route to that source points back out the interface on which the packet arrived.
• Security ACLs
For IPv6, ACEs include the following new fields:
– Flow Label
– Presence of Routing Header
– “Undetermined Transport”
• QoS
QoS matching is performed only on the following subset of fields, which are common to IPv4 and IPv6:
– dscp/precedence
– access group (matches only on A
• ACL logging
• Time-based ACLs
• Reflexive ACLs
• Receive Path ACLs
• MiniACLs
QoS matching is not provided on the following two fields, which are IPv6-specific:
• IPv6 src/dst address
• IPv6 ACL
IPv6 Extended ACLs
Access lists determine which traffic is blocked and which is forwarded at router interfaces, and allow filtering based on source and destination addresses, inbound or outbound on a specific interface.
Configuring IPv6 Traffic Filtering
To enable IPv6 traffic filtering, perform the following steps:
1. Create an IPv6 ACL.
2. Configure the IPv6 ACL to pass or block traffic.
3. Apply the IPv6 ACL to an interface.
Creating and Configuring the IPv6 ACL
SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 access-list access-list-name
4.
Step 3 ipv6 access-list access-list-name
Defines an IPv6 ACL and enters IPv6 access list configuration mode. The router prompt changes to Router(config-ipv6-acl)#.
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example: Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example: Router# configure terminal
Step 3 interface type number
Specifies the interface type and number, and enters interface configuration mode.
Create and Apply IPv6 ACL: Examples
The following example configures two IPv6 ACLs named OUTBOUND and INBOUND and applies them to outbound and inbound traffic, respectively, on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and User Datagram Protocol (UDP) packets from network 2001:0DB8:0300:0201::/32 to exit out of Ethernet interface 0.
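The three filtering steps above (create the ACL, populate it, apply it to an interface) assembled into one inbound edge filter, as an added example that is not part of this guide. The interface name, prefixes and ACL name are assumptions. The point it adds is the Neighbor Discovery caveat: every IPv6 ACL ends with implicit permits for nd-ns and nd-na ahead of the implicit deny, but an explicit deny ipv6 any any line overrides those implicit permits, so a closing deny must be preceded by explicit ND permits or the interface loses neighbor resolution. ACL logging is not used because the limitations list above excludes it on this platform.

```cisco
! Added example, not from the guide. Interface, prefixes and names are assumed:
! 2001:DB8:100::/48 is the management prefix, 2001:DB8:1::/48 the protected LAN.
ipv6 access-list INBOUND-EDGE
 remark ND must be permitted explicitly: the explicit deny at the end
 remark of this list overrides the implicit nd-ns/nd-na permits
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark keep path MTU discovery working
 permit icmp any any packet-too-big
 remark SSH to the router and the LAN only from the management prefix
 permit tcp 2001:DB8:100::/48 any eq 22
 remark HTTPS to the published web server in the protected LAN
 permit tcp any host 2001:DB8:1::80 eq 443
 remark everything else is dropped
 deny ipv6 any any
!
interface GigabitEthernet1/0/0
 ipv6 traffic-filter INBOUND-EDGE in
```

show ipv6 access-list INBOUND-EDGE shows per-entry match counts; if the nd-ns and nd-na counters stay at zero while the deny counter climbs, neighbor resolution is being blocked and the ND permits are missing or misordered. show ipv6 interface GigabitEthernet1/0/0 confirms the list is bound inbound.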
CH A P T E R 25 Configuring Template ACLs When user profiles are configured using RADIUS Attribute 242, similar per-user access control lists (ACLs) may be replaced by a single Template ACL. That is, one ACL represents many similar ACLs. In Cisco IOS Release 12.2(28)SB, by using Template ACLs, you can increase the total number of ACLs used in the Cisco 10000 series routers but minimize the memory and CPU consumption in processing the ACLs.
permit ip host 42.55.15.4 host 192.168.2.1
permit tcp 11.22.11.0 0.0.0.255 host 192.177.2.1
With the Template ACL feature enabled, these two ACLs can be recognized as similar, and a new Template ACL is created as follows:
ip access-list extended 4_Temp_
permit igmp any host
permit icmp host any
deny ip host 44.33.66.36 host
deny tcp host 44.33.66.
Configuration Tasks for Template ACLs
If ACLs are configured using RADIUS Attribute 242, Template ACLs are enabled by default. Configuration tasks for Template ACLs include the following:
• Configuring the Maximum Size of Template ACLs (Optional)
• Configuring ACLs Using RADIUS Attribute 242
Configuring the Maximum Size of Template ACLs (Optional)
By default, Template ACL status is limited to ACLs with 100 or fewer rules.
Table 25-1 IP Data Filter Syntax Elements (continued)
dstip Enables destination-IP-address filtering. Applies to packets whose destination address matches the value of . If a subnet mask portion of the address is present, the router compares only the masked bits. If you set to 0.0.0.0, or if this keyword is not present, the filter matches all IP packets.
Example 25-2 shows four Attribute 242 IP data filter entries.
Example 25-2 RADIUS Attribute 242 IP Data Filter Entries
Ascend-Data-Filter=”ip in drop”
Ascend-Data-Filter=”ip out forward tcp”
Ascend-Data-Filter=”ip out forward tcp dstip 10.0.200.3/16 srcip 10.0.200.25/16”
Ascend-Data-Filter=”ip out forward tcp dstip 10.0.200.3/16 srcip 10.0.200. dstport!=telnet”
Router(config)# access-list template number
Enables Template ACL processing. number specifies the maximum length of an ACL that is considered for template status: only ACLs with number or fewer rules are candidates. If number is omitted, the default of 100 rules is used.
Router# show access-list template {summary | aclname | exceed number | tree}
Displays information about Template ACLs. summary displays summary information. aclname displays information about the specified ACL. exceed number identifies Template ACLs that replace more than number individual ACLs.
show access-list template aclname
The following examples show output from the show access-list template aclname command.
Router# show access-list template 4Temp_1073741891108
Showing data for 4Temp_1073741891108
4Temp_1073741891108 peer_ip used is 172.17.2.
Table 3 describes the significant fields shown in the display.
CHAPTER 26 Protecting the Router from DoS Attacks
Internet service providers (ISPs) and other Cisco customers face increasing Denial of Service (DoS) attacks that use packets with IP options set in the IP header. Cisco IOS routers punt packets carrying IP options to the Route Processor (RP) for software processing, so a flood of such packets can exhaust RP CPU and starve control-plane work. To protect the router, the Cisco 10000 series router supports dropping packets with IP options.
Feature History for IP Options Selective Drop
Cisco IOS Release / Description
12.0(23)S: This feature was introduced.
12.2(2)T: This feature was integrated in Cisco IOS Release 12.2(2)T.
12.2(25)S: This feature was integrated in Cisco IOS Release 12.2(25)S.
12.2(27)SBC: This feature was integrated in Cisco IOS Release 12.2(27)SBC.
12.3(19): This feature was integrated in Cisco IOS Release 12.3(19).
12.
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example: Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example: Router# configure terminal
Step 3 ip options drop
Turns IP options processing off. The router drops all packets received with IP options.
Verifying IP Options Handling: Example
The following sample output from the show ip traffic command indicates that the router received 2905 packets with IP options set. Because the ip options drop command is configured, the router drops all packets with IP options, as indicated by the options denied counter.
CHAPTER 27 IP Tunneling
This chapter describes IP tunneling features implemented on the Cisco 10000 series routers and includes the following topics:
• GRE Tunnel IP Source and Destination VRF Membership, page 27-1
• Restrictions for GRE Tunnel IP Source and Destination VRF Membership, page 27-3
• How to Configure GRE Tunnel IP Source and Destination VRF Membership, page 27-3
• Configuration Examples, page 27-4
GRE Tunnel IP Source and Destination VRF Membership
The Generic Routing Encapsulat
The tunnel vrf command configures the Tunnel VRF feature. The VRF specified in the tunnel vrf command is the VRF associated with the physical interface over which the tunnel sends packets; it is the VRF in which the outer IP packet is routed.
Restrictions for GRE Tunnel IP Source and Destination VRF Membership
• Both ends of the tunnel must reside within the same VRF.
• The VRF associated with the tunnel vrf command is the same as the VRF associated with the physical interface over which the tunnel sends packets (outer IP packet routing).
Configuring VRF-Aware VPDN Tunnels
The vpn command enables the VRF-Aware VPDN Tunnels feature by associating an IP address configured in a VPDN group with a VRF. It is applied to a VPDN group as shown in the following summary steps. Use the following commands to configure VRF-aware VPDN tunnels on the router:
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn-group name
4. request-dialin
5. protocol [l2f | l2tp | pptp]
6.
tunnel destination 10.16.3.1
tunnel vrf cust2
Configuration Examples for VRF-Aware VPDN Tunnels
The following example shows how to enable the VRF-Aware VPDN Tunnels feature. In the example, the vpn command associates the IP address 172.16.1.9 with the VRF named vrf-second, which is applied to the VPDN group named group1.
vpdn-group group1
request-dialin
protocol l2tp
!
vpn vrf vrf-second
source-ip 172.16.1.9
initiate-to ip 172.16.1.
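The distinction this chapter draws between the VRF of the tunnel interface itself (inner, the customer traffic carried in the tunnel) and the VRF named in tunnel vrf (outer, where tunnel source and destination are routed), shown as one complete configuration. This is an added example, not the guide's own; VRF names, interface names and addresses are assumptions, with cust1/cust2 and the 10.16.3.1 destination chosen to match the fragment above.

```cisco
! Added example, not from the guide. All names, interfaces and addresses are assumed.
! cust1 carries the customer's routes inside the tunnel (ip vrf forwarding).
! cust2 is the VRF in which the outer GRE packets are routed (tunnel vrf);
! the uplink that carries them is in that same VRF, as the restriction requires.
ip vrf cust1
 rd 65000:1
!
ip vrf cust2
 rd 65000:2
!
interface GigabitEthernet1/0/0
 description uplink towards the remote tunnel endpoint (outer VRF)
 ip vrf forwarding cust2
 ip address 10.16.1.2 255.255.255.0
!
interface Tunnel10
 description inner VRF cust1, outer VRF cust2
 ip vrf forwarding cust1
 ip address 192.168.10.1 255.255.255.252
 tunnel source GigabitEthernet1/0/0
 tunnel destination 10.16.3.1
 tunnel vrf cust2
!
! The route to the remote endpoint must exist in the OUTER VRF (cust2),
! not in cust1 or the global table, or the tunnel line protocol stays down.
ip route vrf cust2 10.16.3.0 255.255.255.0 10.16.1.1
!
! Customer prefix behind the remote end, reachable through the tunnel in cust1.
ip route vrf cust1 192.168.20.0 255.255.255.0 Tunnel10
```

show ip route vrf cust2 10.16.3.1 must return the route through GigabitEthernet1/0/0, and show interfaces Tunnel10 should then report line protocol up. If tunnel vrf is omitted, the router looks up 10.16.3.1 in the global routing table, finds no route, and keeps the tunnel down even though cust2 can reach the endpoint. The remote router must place its tunnel interface in cust1 as well, per the restriction that both ends reside in the same VRF.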
APPENDIX A RADIUS Attributes
This appendix lists the RADIUS attributes that the Cisco 10000 series router supports in Cisco IOS Release 12.2(4)BZ1 and later releases. The following conventions are used in the tables that follow:
• Supported and tested: The attribute has been tested and the Cisco 10000 series router supports it.
• Not Supported: The Cisco 10000 series router does not support the attribute.
• Not Applicable: The attribute does not apply to the Cisco 10000 series router.
Table A-1 RADIUS IETF Attributes (continued)
Number / IETF Attribute / Status
13 Framed-Compression: Cisco 10000 series router ignores this attribute.
Table A-1 RADIUS IETF Attributes (continued)
50 Acct-Multi-Session-Id: Multilink is not supported.
51 Acct-Link-Count: Multilink is not supported.
52 Acct-Input-Gigawords: Supported and tested
53 Acct-Output-Gigawords: Supported and tested
60 CHAP-Challenge: Supported in Cisco IOS but not tested on the Cisco 10000 series router.
Table A-1 RADIUS IETF Attributes (continued)
85 Acct-Interim-Interval: Supported in Cisco IOS but not tested on the Cisco 10000 series router.
Table A-2 Vendor-Proprietary RADIUS Attributes (continued)
Number / Vendor-Proprietary Attribute / Status
127 Tunneling-Protocol: Not Applicable
128 Shared-Profile-Enable: Not Applicable
129 Primary-Home-Agent: Not Applicable
130 Secondary-Home-Agent: Not Applicable
131 Dialout-Allowed: Not Applicable
133 BACP-Enable: Not Applicable
134 DHCP-Maximum-Leases: Not Applicable
135 Primary-DNS-Server: Supported and tested
136 Se
Table A-2 Vendor-Proprietary RADIUS Attributes (continued)
163 FR-DTE-N392: Not Applicable
164 FR-DCE-N393: Not Applicable
165 FR-DTE-N393: Not Applicable
166 FR-T391: Not Applicable
167 FR-T392: Not Applicable
168 Bridge-Address: Not Applicable
169 TS-Idle-Limit: Not Applicable
170 TS-Idle-Mode: Not Applicable
171 DBA-Monitor: Not Applicable
172 Base-Channel-Count: Not App
Table A-2 Vendor-Proprietary RADIUS Attributes (continued)
199 Token-Idle: Not Applicable
201 Require-Auth: Not Applicable
202 Number-Sessions: Not Applicable
203 Authen-Alias: Not Applicable
204 Token-Expiry: Not Applicable
205 Menu-Selector: Not Applicable
206 Menu-Item: Not Applicable
207 PW-Warntime: Not Supported
208 PW-Lifetime: Typically not used in DSL environment
209
Table A-2 Vendor-Proprietary RADIUS Attributes (continued)
234 Target-Util: Not Supported
235 Maximum-Channels: Not Supported
236 Inc-Channel-Count: Not Supported
237 Dec-Channel-Count: Not Supported
238 Seconds-of-History: Not Supported
239 History-Weigh-type: Not Supported
240 Add-Seconds: Not Supported
241 Remove-Seconds: Not Supported
242 Data-Filter: Supported and test
Table A-3 Vendor-Specific RADIUS IETF Attributes (continued)
Number / Vendor-Specific Company Code / Sub-Type Number / Attribute / Status
26 9 1 l2tp-cm-local-window-size: Supported in Cisco IOS but not tested on the Cisco 10000 series router.
26 9 1 l2tp-drop-out-of-order: Not Supported
26 9 1 l2tp-hello-interval: Supported in Cisco IOS but not tested on the Cisco 10000 series router.
Table A-3 Vendor-Specific RADIUS IETF Attributes (continued)
26 9 18 Gateway-Id: Not Applicable
26 9 19 Call-Type: Not Applicable
26 9 20 Port-Used: Not Applicable
26 9 21 Abort-Cause: Not Applicable
H323 Attributes
26 9 23 h323-remote-address: Not Applicable
26 9 24 h323-conf-id: Not Applicable
26 9 25 h323-setup-time: Not Applicable
Table A-3 Vendor-Specific RADIUS IETF Attributes (continued)
26 9 1 atm:Sustainable-Cell-Rate=: Supported and tested in Cisco IOS Release 12.2(15)BX.
26 9 1 ip:vrf-id=: Supported and tested in Cisco IOS Release 12.2(16)BX1.
26 9 1 ip:ip-unnumbered=: Supported and tested in Cisco IOS Release 12.2(16)BX1.
GLOSSARY
A
AAA: authentication, authorization, and accounting (pronounced “triple a”).
AAL5: ATM adaptation layer 5. This layer maps higher layer user data into ATM cells, making the data suitable for transport through the ATM network.
ABR: Available bit rate. QoS class defined by the ATM Forum for ATM networks. ABR is used for connections that do not require timing relationships between source and destination.
broadband: Characteristic of any network that multiplexes independent network carriers onto a single cable. This is usually done using frequency division multiplexing (FDM). Broadband technology allows several networks to co-exist on one single cable; traffic from one network does not interfere with traffic from another because the “conversations” happen on different frequencies in the “ether”, rather like the commercial radio system.
CoS: Class of service. The three most significant bits (the User Priority bits) of the 2-byte Tag Control Information field in the IEEE 802.1p portion of a Layer 2 IEEE 802.1Q frame header. QoS uses the User Priority bits for Layer 2 CoS information. The IEEE 802.1p class of service-based packet matching and marking feature enables the Cisco 10000 series router to interoperate with switches to deliver end-to-end QoS. The IEEE 802.
E
eiBGP: External and Internal Border Gateway Protocol.
encapsulation: The technique used by layered protocols in which a layer adds header information to the protocol data unit (PDU) from the layer above.
Ethernet: One of the most common local area network (LAN) wiring schemes, Ethernet has a transmission rate of 10, 100, or 1000 Mbps.
F
Fast switching: Cisco feature whereby a route cache is used to expedite packet switching through a router.
FCC: Federal Communications Commission. A U.S.
IETF: Internet Engineering Task Force. Task force consisting of over 80 working groups responsible for developing Internet standards.
IGMP: Internet Group Management Protocol. Used by IP hosts to report their multicast group memberships to an adjacent multicast router.
Internet: A collection of networks interconnected by a set of routers that allow them to function as a single, large virtual network.
Internet Protocol (IP): The network layer protocol for the Internet protocol suite.
LNS: L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is being tunneled from the remote system by the LAC. Analogous to the Layer 2 Forwarding (L2F) home gateway (HGW).
N
NAS: Network access server. Cisco platform (or collection of platforms) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, PSTN).
NetFlow: A Cisco-proprietary IP statistics collection feature that collects information on IP flows passing through a router.
NVRAM: Non-Volatile Random Access Memory. The router uses this memory to store configuration information.
point-to-point subinterface: With point-to-point subinterfaces, each pair of routers has its own subnet. If you put the PVC on a point-to-point subinterface, the router assumes that there is only one point-to-point PVC configured on the subinterface. Therefore, any IP packets with a destination IP address in the same subnet are forwarded on this VC. This is the simplest way to configure the mapping and is, therefore, the recommended method.
PPP: Point-to-Point Protocol.
R
RADIUS: Remote Authentication Dial-In User Service (RADIUS). A client/server security protocol created by Livingston Enterprises. Security information is stored in a central location, known as the RADIUS server.
RADIUS accounting client: Permits system administrators to track dial-in use.
RADIUS security client: Controls access to specific services on the network.
RBE: Routed bridge encapsulation. The process by which a stub-bridged segment is terminated on a point-to-point routed interface.
T
ToS: Type of service. First defined in RFC 791.
trap: Message sent by an SNMP agent to a network management station, console, or terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.
tunnel: A virtual pipe between the LAC and LNS that can carry multiple L2TP sessions.
tunnel switch: A term used in DSL environments.
VC: Virtual Circuit. Also referred to as Virtual Channel. Used in ATM applications. A link that seems and behaves like a dedicated point-to-point line or a system that delivers packets in sequence, as happens on an actual point-to-point network. In reality, the data is delivered across a network via the most appropriate route. The sending and receiving devices do not have to be aware of the options and the route is chosen only when a message is sent.
WFQ: Weighted Fair Queuing. A QoS congestion management function.
WRED: Weighted Random Early Detection. A QoS congestion avoidance function.
X
xDSL: Various types of digital subscriber lines. Examples include ADSL, HDSL, and VDSL.
I N D EX authorization network command Numerics group server radius command 3-color policer 1-26 3-level hierarchical QoS policies 1-27 4-Port Channelized T3 Half-Height line card 4-Port OC-3/STM-1c ATM line card 1-21 1-22 5-33, 5-37, 5-42 5-31, 5-37 new model command 5-31 new-model command 10-8, 16-1, 16-2 session-id command 10-8 AAA CLI stop record enhancement AAL5 1-21 1-1 AAL5 over SDU Support over MPLS A About MLP on LNS AAA 20-14 22-19 ABR definition client configuring for
Index Acct-Session-ID RADIUS attribute line cards, maximum VCs supported 16-2 Acct-Status-Type RADIUS attribute ATM adaptation layer 5-40, 16-2 Acct-Tunnel-Connection RADIUS attribute Acct-Tunnel-Packets-Lost RADIUS attribute 5-39 5-39 ACE,See ACE See AAL5 ATM aggregation leased-line architecture ACL 1-11 ATM line cards definition 1-1 IP receive 12-1 named VC scaling ATM PVC autoprovisioning hierarchical shaping 12-7 reflexive atm over-subscription-factor command 12-2 atm pppatm pass
Index attribute command configuration example 5-38 attribute-value pairs configuring 5-25 authen before-forward command authentication key bba-group command 1-1 BGP 5-32, 5-37 tunnel configuration example RADIUS attributes ASN Override 4-10 4-10 BGP AS Path Filtering 16-2 VPDN tunnel searches BGP Max Prefix 9-5 automatic protection switching, multirouter BGP Multipath 1-6 autoprovisioning 4-10 4-10 4-11 BGP Prefix List Filtering ATM PVC BGP Route Refresh configuration example
Index Cisco Express Forwarding C See CEF call admission limit command Calling-Station-ID formats 2-4 Cisco Group Management Protocol 16-13 See CGMP CAR class-based WFQ definition 1-2 See CBWFQ cards class of service backup 14-10 primary 14-10 secondary working CBOS CBR definition class-range command 14-10 class-vc command 14-10 8-8 8-7 clear 1-2 ip dhcp command 1-2 10-15 ip dhcp pool name subnet command definition CBWFQ 1-3 1-2 pppoe command 1-27 definition 6-12 vpdn
Index bba-group call admission limit class-range class-vc ip dhcp relay information option 3-21, 6-4, 6-9 ip helper-address 2-4 ip local pool 8-8 3-27 10-17 ip multicast-routing 8-7 clear 15-3 ip pim dense-mode ip dhcp ip dhcp pool name subnet clear pppoe 15-3 ip pim sparse-dense-mode 10-15 10-16 ip pim sparse-mode clear vpdn tunnel 9-10 ip tos reflect create on-demand 8-6, 8-9, 8-11 ip unnumbered loopback debug ip vrf aaa accounting 5-35, 5-38, 5-52, 16-4 aaa authentication
Index limit max-sessions limit per-mac limit per-vc 3-21, 6-3, 6-4, 6-9 ip route 3-20 protocol pppoe ip vrf 3-46 3-30, 3-44 3-44 ip vrf interfaces 2-9, 16-4, 16-5 3-44 attribute 44 5-35 mpls forwarding-table attribute list 5-38 mpls interfaces domain-stripping retransmit range 16-15 pppoe session all pxf cppu queue 4-24, 5-23, 5-36 request-dialout 4-18, 9-7 server-private 5-32, 5-37 session-limit 5-38, 5-51 running-config 5-8, 5-11, 5-13, 5-21, 5-37, 6-18 tag-switching tdp dis
Index ubr CoS 2-15 username definition 9-4 utilization mark high CPE PVCs and PPP sessions 2-15 vc-class atm RP CPU usage 5-10, 8-6, 8-11 virtual-template vpdn enable with infinite range 5-4 vpdn group 5-8 vpdn-group 5-7, 5-12, 5-25, 5-29, 5-36, 9-4 customer premises equipment See CPE 2-19 9-3 vpdn search-order 9-5 vpdn session-limit 4-18 D 4-18 DBS vpdn tunnel authorization network 5-42 27-2, 27-4 vpn id 5-9 5-5 1-2 dhcp command committed information rate configuration
Index define interface policy-map AV pairs AAA denial of service, protecting against dense mode, enabling 1-26 dout-dialer 12-1 15-3 deployment models managed L2TP network server RA to MPLS VPN downsteam VRF 4-26 downstream rate 1-3 DSCP 16-1 DSL 16-1 1-3 1-3 DSLAM DHCP 1-3 DSL technology 1-1 15-2 DVMRP 10-7 defining ODAPs as the global default pooling mechanism 10-7 ODAP configuration example relay agent 1-3 duplicate IP multicast packets and fast switching 10-2, 10-3 configurin
Index Ethernet over MPLS port mode intelligent service architecture 20-19 interface oversubscription 20-21 VLAN ID Rewrite VLAN mode IP multicast 20-27 Ethernet over MPLS (EoMPLS) pseudowire 1-25 IP receive ACLs 20-25 EXP bits 1-27 15-1 IP over Q-in-Q 20-20 1-27, 12-1 IP SLAs-LSP health monitor setting in AToM external column memory 1-23 IP unnumbered on 802.
Index managed LNS RA to MPLS VPN 5-1 configuration example to VRF Scaling limits for L2TP tunnels 5-45 1-5 MLPPP with LFI 1-23 MPLS carrier supporting carrier MPLS embedded management-LSP ping/traceroute and AToM VCCV 1-23 MPLS-LDP MD5 global configuration template ACL tunnel accounting 5-25 VLAN range Overlapping IP Address Pools percentage-based policing 1-25 1-25 1-28 See FCC per user tunnel selection FIB scaling 1-28 1-25 2-6 File Transfer Protocol See FTP 5-5 flush, on input i
Index G GE, Gigabit Ethernet 1-4 on member links 23-5, 23-16 on VLAN groups 23-5 output QoS GEC 23-4 output QoS for subinterface 802.
Index high-utilization mark high VC count enabling 1-4 hold-queue command 22-14 home gateway, definition hop count http 1-4 15-3 sparse mode 15-4 virtual-template command 5-24 interface multilink command 1-4 hub and spoke topology interface oversubscription 4-22, 4-26, 4-27 interface range command 22-20 15-2 5-29 interface-config RADIUS attribute 1-4 HWIDB dense mode outbound and IP multicast fast switching 1-4 host configurations HTML interface 10-4 2-17, 2-20, 3-5, 3-6, 4-2
Index (continued)

I
ip multicast-routing command
IP overlapping address pools, example
IP over Q-in-Q
ip pim dense-mode command
ip pim sparse-dense-mode command
ip pim sparse-mode command
ip radius source-interface command
IP receive ACLs
    configuring
    restrictions
ip-unnumbered RADIUS attribute

L
L2TP-related entries
    access concentrator
    congestion avoidance
    domain screening
    show commands
    tunnel settings
Layer 2 transport (NSF/SSO, OAM cell emulation, pseudowire)
    MPLS in VC class configuration
    MPLS on a PVC
    NSF
    OAM cell emulation
    pseudowire
    show acircuit checkpoint command
    show mpls l2transport checkpoint command
    show mpls l2transport vc detail command
    SSO
    supported line cards
    VPLS
Label Forwarding Information Base
Layer 4 Redirect
    scaling
LCP, See Link Control Protocol
link fragmentation and interleaving
load balancing
    bundle interfaces
    bundles
    unequal cost, See also eiBGP multipath load sharing
local AAA server, user database
local address pool
local address pools

M
MIBs
    CISCO-ATM-PVCTRAP-EXTN-MIB
MLP feature
    bundle interfaces
    bundles
    description of
    documentation reference
    groups
    interface ranges
MPLS
    label distribution
    labels
    monitoring
    overview
    restrictions
    verifying label bindings
    VPN ID
MPLS carrier supporting carrier
MPLS egress netflow accounting feature
MPLS embedded management-LSP ping/traceroute and AToM VCCV
MPLS IPv4-signaled core
MPLS label stack
MPLS VPN, domain to VRF
multihop hostname command
multiplexer
multiplexing, statistical
multipoint subinterface
Multiprotocol BGP

N
no atm pxf queuing command
no bba-group pppoe command
no ip gratuitous-arp command
no origin command
no virtual-template snmp command
non-volatile random access memory
NSF/SSO
    configuration examples
    configuring
    definition
NVRAM

O
ODAP / address pooling (sub-entries recovered without their heading)
    configuring on an interface
    configuring RADIUS on the Cisco 10000 router
    configuring to obtain subnets through IPCP negotiation
    defining DHCP as the global default pooling mechanism

P
Packet buffer usage
Packet processing rate
PAP, See Password Authentication Protocol
passive mode
Password Authentication Protocol
Path validation
PBHK service
    restrictions
PBHK translations
peak cell rate
per DSCP WRED
percentage-based policing
Point-to-Point Protocol, See PPP
point-to-point subinterface
policy map
    counting as policy map
    scaling
policy map command
pool group
    configuring
PPPoE
    clearing sessions
    configuration example
    configuring in a VPDN group
    displaying session information
    enabling
    maximum number of PPPoE sessions
    maximum number of sessions per MAC address
    session count
    session IDs
    sessions statistics
    specifying
PQ
primary card
    configuring
    definition
    description
private server
protocol command
protocol pppoe command
Protocol-Independent Multicast, See PIM
provider edge router

Q
QinQ Tunneling Based on Inner and Outer VLAN Tags
    restrictions
QoS
    broadband aggregation enhancements
    Diff-Serv on Ingress PE
    features
    MQC commands in Frame Relay-to-Frame Relay local switching
quality of service

R
RADIUS
    reject attribute list example
    retransmit and timeout rates
    security client
    transmit retries, configuring
    transmit retries, restrictions
    transmit retries, show and debug commands
    transmit retries range
    troubleshooting commands
    using specified interface
    verifying attribute accept or reject list
RADIUS attributes
    87 NAS-Port-ID
    Acct-Status-Type
    Acct-Tunnel-Connection
    Acct-Tunnel-Packets-Lost
    IETF
    Tunnel-Client-Endpoint
    Tunnel-Server-Endpoint
    vendor-proprietary authentication
RA to MPLS VPN
    configuration example
    See also MPLS
RBE, definition of
rbe nasip command
RBE to MPLS VPN
Routing Information Protocol, See RIP
routing protocol
    configuration examples
    configuring
    monitoring
    overview
    prerequisites
    restrictions
    verifying
routing table
    displaying table associated with VRF
    verifying for VRFs
RP
RPF
RX_LOS error alarm

S
session load balancing feature
session load failover feature
sessions per tunnel limiting feature
show commands
    ip route vrf
    ip vrf
    ip vrf detail
    ip vrf interfaces
    mpls forwarding-table
    mpls interfaces
    mpls tag-switching forwarding-table
    pppoe session all
    radius statistics
source vpdn-template command
sparse-dense mode, enabling
sparse mode, enabling
spokes
static tunnel selection
subinterface, creating
SVC

T
TOS field
    configuring
    definition
    preserving
traceroute vrf command
traffic
transmit retries
    disable-fallback option
    preferred-path sub-command
    range
    show and debug commands
transport types
trunk interface input hold queue
tunnel destination command
tunnel-preference attributes
Tunnel Selection
    hub and spoke configuration examples
tunnel-server-endpoint RADIUS attribute
turbo access control lists

U
Unicast RPF
    configuring
    Global Unicast RPF drops
    interface type command
    ip cef command
    ip verify unicast source reachable-via any command
    monitoring and maintaining uRPF
    Per-interface Unicast RPF drops
    prerequisites
    restrictions
    show ip interface type command

V
VCI
VCs
    bandwidth reservation
    definition of
    oversubscription
VC scaling
    ATM line cards
    ATM PVC autoprovisioning
    hierarchical shaping
VC weighting
virtual circuits
VLAN
    configuring
    creating
    interface-specific commands
    specifying
VLAN-based load balancing
VLAN ID Rewrite
VLAN mode
VLAN range feature
VPDN
    associating a VPDN group
    creating an accept dial-in VPDN group
    defining local group name
    enable command
    ip udp ignore checksum command
    multihop command
    session-limit command
    vpdn-template command
    vpdn-vtemplate
VPI
VPN ID
    configuring
VRF
    testing
    upstream
VRF-aware Router Applications
    VRF-aware Ping
    VRF-aware Telnet
    VRF-aware Traceroute
VRF-aware VPDN tunnels
    configuration examples
    configuring
    description of
    overlapping IP addresses
vrf-id RADIUS attribute
VRF-Lite
    Layer 3 VPN
    Multi-VRF CE
VSA
    definition
    dout-dialer
    Service-Type
    vpdn-vtemplate

W
WAN
weighted fair queuing
weighted random early detection
Index Cisco 10000 Series Router Software Configuration Guide IN-28 OL-2226-23