Mplsconfig Guide

Cisco 7600 Series Ethernet Services Plus
(ES+) and Ethernet Services Plus T (ES+T)

Line Card Configuration Guide
March 30, 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
OL-16147-20
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Ciscos installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Ciscos written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
Turn the television or radio antenna until the interference stops.
Move the equipment to one side or the other of the television or radio.
Move the equipment farther away from the television or radio.
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) Line Card Configuration Guide
2008-12, Cisco Systems, Inc.
All rights reserved.
C O N T E N T S
Preface
xi
Objectives
xi
Document Revision History

Organization
xii
xxi
Related Documentation xxii

Cisco 7600 Series Router Documentation xxii
Other Cisco IOS Software Publications xxiii
Document Conventions
xxiii
Obtaining Documentation and Submitting a Service Request
CHAPTER
Overview
xxiv
1-1
Whats Covered in This Document
1-1
Finding Platform-Independent Feature Information
1-1
Finding Support Information for Platforms and Cisco IOS Software Images
Cisco 7600 Series ES+ Line Card Restrictions
Supported MIBs
CHAPTER
1-2
1-2
1-2
Configuring the Cisco 7600 Series Ethernet Services ES+ Line Card
Required Configuration Tasks
2-1
2-1
Identifying Slots and Subslots for the Cisco 7600 Series Ethernet Services Plus Line Card
Displaying the Cisco 7600 Series Ethernet Services Plus Line Card Type
Resetting a Cisco 7600 Series Ethernet Services Plus Line Card
SFP-GE-T Support
CHAPTER
2-2
2-3
2-3
Configuring High Availability Features
3-1
ISSU Support for Cisco 7600 Series Ethernet Services Plus Line Card
CHAPTER
2-2
Configuring Layer 1 and Layer 2 Features
3-1
4-1
Cisco 7600 Synchronous Ethernet Support 4-2

SSM and ESMC 4-5
Restrictions and Usage Guidelines 4-6
Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card
Managing Synchronization on ES+ Card 4-14
4-7
OL-16147-20
iii
Contents
Verification
4-16
Flexible QinQ Mapping and Service Awareness

Examples 4-28
4-24
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards
Examples 4-36
Verification 4-38
4-33
Backup Interface for Flexible UNI 4-39

Restriction and Usage Guidelines 4-40
Verification 4-44
Example 4-45
EVC On Port-Channel 4-49
Restrictions and Usage Guidelines
Configuring SPAN on EVC 4-53
Configuring SPAN on EVC 4-53
4-49
4-53
LACP Support for EVC Port Channel 4-56

Configuring Layer 2 Access Control Lists (ACLs) on an EVC
Creating a Layer 2 Access Control List 4-61
DHCP Snooping with Option-82 on EVC
Verification 4-68
Troubleshooting 4-68
4-61
4-64
4-65
DHCP Snooping Over p-mLACP 4-69

DHCP Snooping State Synchronization 4-70
Restrictions for DHCP Snooping over p-mLACP
Troubleshooting Tips 4-71
4-70
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization

IGMP Snooping State Synchronization 4-71
Restrictions for p-mLACP IGMP Snooping State Synchronization 4-72
IP Source Guard for Service Instance 4-75
Configuring IP Source Guard for a Service Instance
Verification 4-78
4-71
4-75
iv
OL-16147-20
Contents
Configuring MST on EVC Bridge Domain 4-79

Overview of MST and STP 4-80
Overview of MST on EVC Bridge Domain 4-80
Examples 4-83
Verification 4-84
Configuring Link State Tracking (LST) 4-87
Configuring Link State Tracking 4-88
MAC Address Security for EVC Bridge Domain 4-90
Enabling MAC Address Security for EVC Bridge Domain 4-91
Disabling MAC Address Security for EVC Bridge Domain on an EFP
Examples 4-94
Configuring MAC Address Whitelist on an EFP 4-94
Configuring Sticky MAC Addresses on an EFP 4-96
Configuring Secure MAC Address Aging on an EFP 4-98
Configuring MAC Address Limiting on EFP 4-101
Configuring MAC Address Limiting on a Bridge Domain 4-102
Configuring Violation Response on an EFP 4-103
Error Recovery 4-105
Verification 4-106
4-93
CFM and PVST Co-Existence 4-107

Configuring PVST and CFM Co-Existence 4-109
Configuring GVRP and CFM Co-Existence 4-110
Configuring PVST and GVRP Co-Existence 4-111
Verification 4-111
Custom Ethertype for EVC Interfaces 4-112
Supported Rewrite Rules for a Custom Ethertype Configuration 4-112
Supported Rewrites for Non-Range on C-Tag with a NNI 4-113
Supported Rewrites for Range on C-Tag with a NNI 4-113
Examples 4-115
Verification 4-117
GE LAG with LACP on UNI with Advanced Load Balancing 4-118
Configuring GE Link Aggregation with Advanced Load Balancing
Example 4-121
4-119
OL-16147-20
Contents
Verification
4-122
Storm Control on Switchports and Ports Having EVCs 4-123

Detecting a Broadcast Storm 4-124
Configuring Storm Control on Ports with EVC Configurations
Configuring Storm Control on Switchports 4-126
Example 4-127
Configuring Storm Control on Port Channels 4-127
Verification 4-130
Storm Control over EVC 4-132
Restrictions for Storm Control over EVC
Examples 4-134
Verification 4-135
4-125
4-132
Asymmetric Carrier-Delay 4-135

Configuring Asymmetric Carrier Delay 4-136
Manual Load Balancing for EVC over Port-Channel/LACP 4-137
Configuring Manual Load Balancing for EVC over Port-Channel/LACP
Example 4-141
Verification 4-141
EVC Port Channel Per Flow Load Balancing 4-142
Restrictions 4-142
Configuring EVC Port Channel Per Flow Load Balancing
Example 4-144
Verification 4-144
Configuring Layer 3 and Layer 4 ACLs 4-144
4-138
4-143
Multichassis Support for LACP 4-147

Requirements and Restrictions 4-148
Pseudo MLACP Support on Cisco 7600 4-164
Failover Operations 4-165
Restrictions for PMLACP on Cisco 7600 4-166
Configuring PMLACP on Cisco 7600 4-167
Layer 2 Tunneling Protocol Version 3 (L2TPv3)
Restrictions for L2TPv3 4-176
Configuring L2TPv3 4-176
Reverse L2GP for Cisco 7600 4-181
4-175
4-181
vi
OL-16147-20
Contents
Configuring Reverse L2GP for 7600

Examples 4-186
4-182
Configuring Static MAC Binding to EVCs and Psuedowires

4-200
Configuring Resilient Ethernet Protocol 4-210

REP Edge No-Neighbor 4-211
Configuring REP over Ethernet Virtual Circuit 4-211
Configuring REP over EVC for the Cisco 7600 Router 4-213
Configuring Resilient Ethernet Protocol Configurable Timers 4-229
Configuring REP Configurable Timers for the Cisco 7600 Router 4-229
Troubleshooting the REP 4-234
IEEE 802.1ag-2007 Compliant CFM 4-235
CFM over EFP Interface with xconnect 4-253
Configuring CFM over EFP Interface with xconnectPort Channel-Based xconnect Tunnel
4-269
802.1ah: Configuring the MAC Tunneling Protocol 4-274

MTP Software Architecture 4-275
IB Backbone Edge Bridge 4-276
Data Plane Processing 4-276
MTP Configuration 4-276
Scalability Information 4-277
Configuring the MTP for the Cisco 7600 Router 4-278
802.3ah: Dying Gasp and Remote Loopback Initiation 4-283
Restrictions for Dying Gasp and Remote Loopback Initiation
Configuring the Remote Loopback 4-284
Configuring the Dying Gasp 4-285
Configuration Examples 4-286
Verification 4-286
4-283
Support for IEEE 802.1ad 4-287

Prerequisites for IEEE 802.1ad 4-287
Restrictions for IEEE 802.1ad 4-287
Information About IEEE 802.1ad 4-288
How to Configure IEEE 802.1ad 4-295
Troubleshooting Dot1ad 4-318
Y.1731 Performance Monitoring 4-321
Configuring One Way Delay Measurement
Configuration Example 4-330
4-325
OL-16147-20
vii
Contents
Configuring Two-Way Delay Measurement 4-330

Configuring Single Ended Frame Loss Measurement 4-334
Verifying the Frame Delay and Frame Loss Measurement Configurations
4-337
IP and PPPoE Session Support 4-344

IP Address Assignment 4-344
PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy) 4-345
PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH Customer
Ethertype 4-345
Verification 4-347
Per Subscriber Session Call Admission Control (CAC) 4-362
Restrictions and Guidelines 4-362
Implementing CAC 4-362
Configuring Per Subscriber Session CAC 4-363
Verifying and Monitoring Per Subscriber Session CAC 4-364
Configuring Private Host on Pseudoport on CWAN Cards
4-365
Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs

Configuring UDLD Aggressive Mode 4-366
4-365
Dynamic Ethernet Service Activation 4-370

Configuring Dynamic Ethernet Service Activation Support on C7600
Verifying DESA 4-376
Troubleshooting DESA 4-376
4-370
Control Plane Protection on Non Access Subinterfaces 4-377

Configuring COPP on a Non Access Subinterface 4-377
Verifying COPP on a Non Access Sub Interface 4-380
BFD Scale Improvement on ES+ Line Card for 7600 4-380
BFD Sessions Supported on RSP720 Versions 4-381
SSO Behavior 4-382
Restrictions for BFD Scale Improvement 4-383
Configuring BFD Hardware Offload for 7600 4-384
Troubleshooting BFD Hardware Offload 4-385
viii
OL-16147-20
Contents
CHAPTER
Configuring Multicast Features
5-1
IGMP Snooping for VPLS Pseudowire on Cisco 7600 Series Ethernet Services Plus Line Cards
IP and PPPoE Session Coexistence with Multicast
Verification 5-8
Troubleshooting
5-4
5-9
Multicast VLAN Registration 5-10

Using MVR in a Multicast Television Application
Configuring MVR 5-13
CHAPTER
5-1
Configuring MPLS Features
5-11
6-1
Configuring Any Transport over MPLS
6-1
MPLS VPNL3VPN over GRE 6-6

Prerequisites for MPLS VPNL3VPN over GRE 6-7
Restrictions for MPLS VPNL3VPN over GRE 6-7
Information About MPLS VPNL3VPN over GRE 6-8
How to Configure MPLS VPNL3VPN over GRE 6-10
Configuration Examples for MPLS VPNL3VPN over GRE
6-12
Configuring MPLS Traffic Engineering Class-Based Tunnel Selection

Configuring Virtual Private LAN Service
VPLS Overview 6-24
Restrictions for VPLS 6-24
6-14
6-23
Configuring H-VPLS with Port-Channel Core Interface 6-28

Supported Features 6-30
VPLS Services 6-32
Benefits of VPLS 6-33
Configuring VPLS 6-33
Basic VPLS Configuration 6-34
Full-Mesh Configuration Example 6-52
H-VPLS with MPLS Edge Configuration Example 6-54
Configuring Dot1q Transparency for EoMPLS 6-57
Troubleshooting
6-63
MPLS-TP Support for Ethernet Access Circuits 6-70

Restrictions for MPLS-TP Support for Ethernet Access Circuits
6-70
BFD Over VCCV Control Channel, Support for Ethernet AC 6-71

Restrictions for BFD Over VCCV Control Channel on ES+ Line Card
Configuration Steps 6-72
Verifying BFD VCCV Configuration 6-76
6-71
OL-16147-20
ix
Contents
Debugging the BFD CCV
CHAPTER
Configuring QoS
6-77
7-1
Supported Interfaces 7-3

Mapping Between Bay and Ports
7-3
QoS Functions 7-4

Ingress QoS Functions 7-4
Egress QoS Functions 7-6
Configuring QoS Features Using MQC
Configuring Classification 7-8
7-7
7-8
Configuring Policing 7-13

Attaching a QoS Traffic Policy to an Interface
Configuring Marking 7-22
7-22
Configuring Shaping 7-26

7-26
7-21
Configuring QoS: L2 Overhead Specification for Shaping Parameters for Ethernet

Configuring QoS Queue Scheduling 7-31
Configuring WRED 7-32
Configuring Bandwidth and CBWFQ 7-36
Configuring LLQ 7-40
Configuring DBUS CoS Queuing 7-44
Configuring Bandwidth Remaining Ratio (BRR)
7-30
7-44
Configuring PFC QoS on a Cisco 7600 Series Ethernet Services Plus Line Card 7-47
PFC QoS on a Cisco 7600 Series Ethernet Services Plus Line Card Configuration Guidelines
Configuring Hierarchical QoS
Examples 7-50
7-48
7-48
EVCS QoS Support 7-52

EVC Configuration Examples 7-53
QoS on Port-Channel Member-Link 7-55
Supported Egress QoS Configurations 7-56
QoS on Port-Channel Member-Link Configuration Examples
Troubleshooting QoS on Port-Channel Member-Link 7-63
7-58
OL-16147-20
Contents
IPv6 - Hop by Hop Rate Limiter 7-64

Configuring IPv6 - Hop by Hop Rate Limiter
Example 7-66
7-65
Port Level Shaping Concurrent with 4HQoS on ES+ 7-66

Configuring Port Level Shaping Concurrent with 4HQoS on ES+
Example 7-69
Verification 7-69
Troubleshooting the Port Level Shaping Configuration 7-70
7-67
Minimum Bandwidth Guarantee Plus Multiple Policy 7-70

Port Channel QoS Considerations 7-71
Configuring Bandwidth Guarantee on a Service Group 7-72
Example 7-74
Verification 7-75
Troubleshooting the Minimum Bandwidth Guarantee Configuration
Service Group QoS Support on the Cisco 7600 Series Router
Configuring Service Group QoS 7-77
Examples 7-79
Verification 7-81
7-75
Configuring Flexible Service Mapping Based on CoS and Ethertype

Supported Configurations 7-84
Examples 7-86
Verification 7-87
Egress QoS Scheduling on Port Channel Interfaces 7-88
Configuring Egress QoS Scheduling on Port Channel Interfaces
7-82
7-89
Examples 7-90
Verification 7-92
Troubleshooting Egress QoS Scheduling on a Port Channel Interface
Layer 2 and Layer 3 QoS ACL Classification for EVC 7-93
Configuring Layer 2 and Layer 3 QoS ACL Classification
Examples 7-95
Verification 7-96
7-75
7-92
7-94
OL-16147-20
xi
Contents
Troubleshooting Layer 2 and Layer 3 QoS ACL Classification
7-96
Deny ACL QoS Classification 7-97

Configuring Deny ACL QoS Classification 7-97
Examples 7-100
Verification 7-100
Troubleshooting Deny ACL QoS Classification 7-100
Troubleshooting QoS on a ES+ Line Card
CHAPTER
Troubleshooting
7-100
8-1
General Troubleshooting Information 8-1

Interpreting Console Error Messages 8-2
Using debug Commands 8-2
Using show Commands 8-2
Using the Cisco IOS Event Tracer to Troubleshoot Problems
Troubleshooting SFP/XFP Issues
8-2
8-3
Preparing for Online Insertion and Removal of Cisco 7600 Series ES+ Line Card 8-3
Preparing for Online Removal of a Cisco 7600 Series ES+ Line Card 8-4
Verifying Deactivation and Activation of a Cisco 7600 Series ES+ Line Card 8-5
Deactivation and Activation Configuration Examples 8-6
Line Card Online Diagnostics
Onboard Failure Logging
8-7
8-7
Troubleshooting ES+ Transport Low Queue
CHAPTER
Upgrading Field-Programmable Devices
8-7
9-1
FPD Quick Upgrade 9-1

FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended)
FPD Quick Upgrade After Upgrading your Cisco IOS Release 9-2
Overview of FPD Images and Packages 9-2
Upgrading FPD Images 9-3
Migrating to a Newer Cisco IOS Release 9-3
Upgrading FPD Images in a Production System
Optional FPD Procedures
10
Configuring IPoDWDM
9-5
9-6
FPD Image Upgrade Examples
CHAPTER
9-2
9-12
10-1
WAN PHY and OTN Support on ES+XC Combination Line Cards

10-1
xii
OL-16147-20
Contents
Configuring ITU-T G.709 Transport Modes 10-2

DWDM Provisioning 10-3
Examples 10-4
Enabling OTN Mode Alarms Assertion 10-9
Configuring Tunable DWDM 10-12
Verification 10-15
Performance Monitoring on DWDM Controllers 10-16
Configuring Performance Monitoring on DWDM Controllers
10-17
IPoDWDM Proactive Protection 10-24

Restrictions 10-24
Configuring Proactive Protection 10-25
Virtual Transponder on Cisco 7600 IPoDWDM Line Card
Configuring Virtual Transponder 10-28
10-28
CHAPTER
11
Configuring Automatic Laser Shutdown 11-1

Configuring Automatic Laser Shutdown 11-1
Verification 11-3
Examples 11-3
CHAPTER
12
Network Clocking on Cisco 7600 Series Ethernet Services Plus Line Cards
Contents
12-1
Information About Network Clocking
12-1
How to Configure Network Clocking 12-2

Configuring BITS Clock Support 12-3
Configuring 10GE Interface as Clock Source
Verifying the Clock Source 12-6
Clock Source Recovery 12-8
Cisco 7600 Synchronous Ethernet
CHAPTER
13
12-1
12-5
12-8
13-1
Layer 3 and Layer 4 Security ACL on Service Instance

Configuring on a Service Instance 13-2
13-1
Inline Video Monitoring on the Cisco 7600 Router 13-5

Media Delivery Index 13-6
Support for IP Delay Variation for 7600 Inline Video Monitoring
13-6
OL-16147-20
xiii
Contents
Internet Protocol-Constant Bit Rate (IP-CBR) 13-7

Support MPLS Encapsulation for 7600 Inline Video Monitoring 13-7
Configurable MPEG Video PIDs for Inline Video Monitoring 13-7
RTP Metrics support for 7600 Inline Video Monitoring 13-7
Support Switch-Port Interfaces for 7600 Inline Video Monitoring 13-9
Support PPPoE Encapsulation for 7600 Inline Video Monitoring 13-9
Inline Video Monitoring Support of MDI Metrics for RTP Encapsulated Flows
Inline Video Monitoring Support for Availability Metrics 13-10
Inline Video Monitoring Support for Uncompressed Video 13-11
Restrictions for Inline Video Monitoring 13-11
Supported Interfaces 13-12
Monitored Video Flows 13-13
Alerts and Event Notifications 13-13
Flow Monitoring and Metric Computation 13-14
Supported MIBs 13-30
IP Tunneling - IPv6 Rapid Deployment 13-31
Understanding IPv6 Rapid Deployment 13-31
Restriction for IPv6 Rapid Deployment. 13-33
Configuring IPv6 Rapid Deployment on the Cisco 7600 series router Platform
13-10
13-34
VRF aware IPv6 Tunnels over IPv4 Transport 13-38

Restrictions for VRF aware IPv6 tunnels 13-38
Configuring VRF aware IPv6 tunnel 13-39
IPv6 over IPv4-GRE Tunnels 13-54
Restrictions for IPv6 over IPv4-GRE tunnel 13-54
Configuring IPv6 over IPv4-GRE tunnel 13-55
IPv6 Policy Based Routing 13-68
Policy Based Routing 13-68
Restrictions for IPv6 PBR 13-69
Configuring IPv6 PBR 13-70
INDEX
xiv
OL-16147-20
Preface
This preface describes the objectives and organization of this document and explains how to find
additional information on related products and services. This preface contains the following sections:
Objectives, page xi
Document Revision History, page xii
Organization, page xxi
Related Documentation, page xxii
Document Conventions, page xxiii
Obtaining Documentation and Submitting a Service Request, page xxiv
Objectives
This document describes the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services
PlusT (ES+T) line cards that are supported on the Cisco 7600 series routers. This document also
describes how to configure line card-specific features for the Cisco 7600 Series ES+ and ES+T line card
and how to troubleshoot the installation.
Note
The information provided in this chapter is applicable to both the ES+ and ES+T line cards unless
specified otherwise.
OL-16147-20
xi
Preface

Table 1 records technical changes to this document. The table shows the Cisco IOS software release
number and document revision number for the change, the date of the change, and a brief summary of
the change.
Table 1
Release No.
Revision
Date
Change Summary
15.2(2)S
OL-16147-20
March 2012
Added the following features:
VRF aware IPv6 Tunnels over IPv4

Transport section on page 38
IPv6 over IPv4-GRE Tunnels section

on page 54
Storm Control over EVC section on

page 4-132
802.3ah: Dying Gasp and Remote

Loopback Initiation section on
page 4-283
Updated the following features:
BFD Scale Improvement on ES+ Line

Card for 7600 section on page 4-380
15.1(3)S2
OL-16147-19
December 2011
Added the IPv6 session support to BFD

Scale Improvement on ES+ Line Card for
7600 section on page 4-380
15.2(1)S
OL-16147-18
November 2011
DHCP Snooping Over p-mLACP

section on page 4-69
Pseudo-Multichassis LACP
(p-mLACP) IGMP Snooping State
Synchronization section on page 4-71
IPv6 Policy Based Routing section on

page 13-68
Configuring Proactive Protection

BFD Over VCCV Control Channel,

Support for Ethernet AC section on
page 6-71
MPLS VPNL3VPN over GRE

section on page 6-6
xii
OL-16147-20
Preface
Table 1
15.1(3)S1
OL-16147-17
September 2011
Updated IPv6 - Hop by Hop Rate

Limiter, page 64 to include a new
configuration command.
Updated SFP-GE-T Support, page 3

with auto-negotiation feature.
Added the following feature:
15.1(3)S
OL-16147-16
July 2011
BFD Over VCCV Control Channel,

Support for Ethernet AC section on
page 6-71
Added support for the following features:
Added Layer 2 Tunneling Protocol

Version 3 (L2TPv3) section on
page 4-175
Added Multicast VLAN Registration

Updated EVC Port Channel Per Flow

Load Balancing section on page 142.
Added support for Layer 3 and Layer 4
ACLs.
Added Performance Monitoring on

DWDM Controllers section on
page 16.
Added Pseudo MLACP Support on

Cisco 7600 section on page 164.
Added Deny ACL QoS Classification

section on page 97.
Added Inline Video Monitoring

Support of MDI Metrics for RTP
Encapsulated Flows section on
page 13-10.

Support for Availability Metrics
section on page 10.

Support for Uncompressed Video
section on page 11.
Added MPLS-TP Support for Ethernet

Access Circuits section on page 6-70.
Updated the following feature:
BFD Scale Improvement on ES+ Line

Card for 7600 section on page 380
OL-16147-20
xiii
Preface
Table 1
15.0(1)S4
OL-16147-15
15.1(2)S1
OL-16147-14
12.2(33)SRE4 OL-16147-13
July 2011
June 2011
May 2011
Added a note under PPPoE and IPoE

Session Support on Port Channel (1:1
Redundancy) section on page 345
indicating M:N LAG support on Port
channel access type sub-interfaces.
Added a note under Ingress Trust

section on page 4 indicating the default
port behavior as trust dscp for
switchport and SVI interfaces.

Redundancy) section on page 4-345
Updated the BFD Scale Improvement

on ES+ Line Card for 7600 section on
page 4-380.

Redundancy) section on page 345
Added a note under Ingress Trust

section on page 4 indicating the default
port behavior as trust dscp for
switchport and SVI interfaces.
15.1(1)S2
OL-16147-12
April 2011
Updated the restrictions and usage

guidelines at IP and PPPoE Session
Support section on page 344.
15.1(2)S
OL-16147-11
April 2011
Updated the Requirements and Restrictions

under the Multichassis Support for LACP,
page 147 section.
xiv
OL-16147-20
Preface
Table 1
15.1(2)S
OL-16147-11
15.1(1)S
OL-16147-10
March 2011
November 2010
Added Y.1731 Performance

Monitoring.
Updated the Restrictions and Usage

Guidelines in Configuring REP
Configurable Timers for the Cisco 7600
Router.
Added BFD Scale Improvement on

ES+ Line Card for 7600.
Added RTP Metrics support for 7600

Inline Video Monitoring section on
page 13-7.
Added Support Switch-Port Interfaces

for 7600 Inline Video Monitoring
section on page 13-9.
Added Support PPPoE Encapsulation

Added BPDU PW Over LAG NNI.
Added Configuring Virtual

Transponder.
Added Port Level Shaping Concurrent

with 4HQoS on ES+ section on
page 7-66.
Added Minimum Bandwidth

Guarantee Plus Multiple Policy section
on page 7-70.
Added Support for IP Delay Variation

Added Support MPLS Encapsulation

Added Configurable MPEG Video

PIDs for Inline Video Monitoring
OL-16147-20
xv
Preface
Table 1
15.1(1)S
OL-16147-10
November 2010
Updated Layer 3 and Layer 4 Security

ACL on Service Instance section.
Added support for EVC Port Channel.
Updated Configuring Layer 2 Access

Control Lists (ACLs) on an EVC
section. Added support for EVC Port
Channel.
Updated Configuring Unidirectional

Link Detection (UDLD) on Ports with
EVCs section. Added support for EVC
Port Channel.
Updated Configuring MST on EVC

Bridge Domain section. Added support
for EVC Port Channel.
Updated Configuring Resilient

Ethernet Protocol section. Added
support for the REP No-Neighbor
functionality.
Added Configuring Link State

Tracking (LST)section.
Added EVC Port Channel Per Flow

Load Balancing section.
Added Per Subscriber Session Call

Admission Control (CAC) section.
Updated Service Group QoS Support

on the Cisco 7600 Series Router
section.
Added support for the bandwidth

profiles shared across L3 & L4.
Added support for HSPW Support for

Ethernet ACs section
xvi
OL-16147-20
Preface
Table 1
12.2(33)SRD5 OL-16147-09
12.2(33)SRE2 OL-16147-08
September 2010
August 2010
Added troubleshooting information for:
Multicast in Chapter 5, Configuring

Multicast Features
MPLS VPN in Chapter 6, Configuring

MPLS Features
Carrier Ethernet features in Chapter 4,

Configuring Layer 1 and Layer 2
Features.
Broadband features inIP and PPPoE

Session Support, page 344.
QoS features in Chapter 7, Configuring

QoS.
Updated the Restrictions and Usage

Guidelines in Configuring Shaping section
on page 26.
Added a note under Ingress Trust section
on page 4 indicating the new behavior for
Ingress CoS configuration.
15.0(1)S
OL-16147-07
July 2010
Added Inline Video Monitoring on the

Cisco 7600 Router section on
page 13-5.
Added Support for IEEE 802.1ad

support.
Updated the QoS on Port-Channel

Member-Link feature to support QoS
service-policies in ingress and egress
traffic for the following interfaces:
Layer 3 Port-channel subinterface
Port-channel member links with per
port queueing
Layer 2 Port-channel interface
OL-16147-20
xvii
Preface
Table 1
15.0(1)S
OL-16147-07
15.0(1)S
15.0(1)S
OL-16147-07
OL-16147-07
July 2010
July 2010
July 2010
Updated Cisco 7600 Synchronous

Ethernet Support section on page 4-2.
Added support for SSM and ESMC.
Also, updated the chapter 12:Network
Clocking on Cisco 7600 Series Ethernet
Services Plus Line Cards.
Updated Configuring Resilient

Ethernet Protocol section. Added
support for the REP Configurable
Timers feature including the commands
REP LSL-age-out- timer and REP
LSL-retries.
Support extended for the WAN PHY

and OTN Support on ES+XC
Combination Line Cards feature from
this release onwards.
Updated the Configuring H-VPLS with

Port-Channel Core Interface section
with TE-FRR Support on VPLS LAG
NNI.
Updated Storm Control on Switchports

and Ports Having EVCs. Modified and
updated the restrictions and usage
guidelines.
Updated Configuring Storm Control on

Port Channels for Storm Control
ActionPort Disable feature.
Updated Cisco 7600 Series ES+ Line

Card Restrictions
Updated Configuring Hierarchical

QoS and Service Group QoS Support
on the Cisco 7600 Series Router
Added Troubleshooting ES+ Transport

Low Queue
12.2(33)SRE1 OL-16147-06
May 2010
Modified the restrictions on QinQ being

supported in VPLS using EVC, L3 MPLS,
VPN, and EoMPLS inVPLS Configuration
Guidelines.
12.2(33)SRE1 OL-16147-06
April 2010
Updated Restrictions in Configuring MST

on EVC Bridge Domain section on page 79.
xviii
OL-16147-20
Preface
Table 1
12.2(33)SRE1 OL-16147-06
April 2010
Updated IEEE 802.1ag-2007 Compliant

CFM section with restrictions on EVC
manual load balancing configuration at
IEEE 802.1ag-2007 Compliant CFM.
12.2(33)SRE1 OL-16147-06
April 2010
Added information for WANPHY / OTN

Support feature available at WAN PHY and
OTN Support on ES+XC Combination Line
Cards.
12.2(33)SRD4 OL-16147-05
March 2010
Updated restriction information for grand

parent CIR granularity information for
Configuring Shaping section.
12.2(33)SRD4 OL-16147-05
February 2010
Support for Private Host SVI added at

Configuring Private Host on Pseudoport on
CWAN Cards section on page 4-365.
12.2(33)SRD4 OL-16147-05
February 2010
Information about policy maps with CoS

based WRED added at Restrictions and
Usage Guidelines.
12.2(33)SRE
OL-16147-04
February 2010
Updated the section Service Scalability in

chapter 4.
12.2(33)SRE
OL-16147-04
February 2010
Updated the supported interface for the

command set mpls exp topmost in
Configuring QoS Features chapter and
updated Restrictions section in Configuring
MST on EVC Bridge Domain, page 79 to
indicate the number of service instances in a
MST VLAN configuration.
12.2(33)SRE
OL-16147-04
January 2009
Added the following information:
12.2(33)SRE
OL-16147-04
December, 2009
Bay versus port mapping information
Load balancing grouping
XFP support for OTN
Updated Onboard Failure Logging section.
OL-16147-20
xix
Preface
Table 1
12.2(33)SRE
OL-16147-04
12.2(33)SRD3 OL-16147-03
November, 2009
Troubleshooting
Multichassis Support for LACP
Reverse L2GP for Cisco 7600
Troubleshooting
Configuring Flexible Service Mapping

Based on CoS and Ethertype
Service Group QoS Support on the

Cisco 7600 Series Router
Layer 3 and Layer 4 Security ACL on

Service Instance
Configuring H-VPLS with Port-Channel

Core Interface
CFM over EFP Interface with xconnect
Configuring Resilient Ethernet Protocol
MAC Address Security for EVC Bridge

Domain
Custom Ethertype for EVC Interfaces
Configuring Layer 2 Access Control

Lists (ACLs) on an EVC
IEEE 802.1ag-2007 Compliant CFM
802.1ah: Configuring the MAC

Tunneling Protocol
Flexible Service Mapping based on

CoS, Ethertype
xx
OL-16147-20
Preface
Organization
Table 1
12.2(33)SRD1 OL-116147-02
12.2(33)SRD
OL-116147-01 September, 2008
IPv6 - Hop by Hop Rate Limiter
QoS on Port-Channel Member-Link
Initial version of this document. The

following features are introduced:
MAC Address Security for EVC

Bridge-Domain
CFM and PVST Co-Existence
32K EVC Scale on ES40
MST on EVC Bridge-Domain
DHCP Snooping with Option-82 on

EVC
EVC on Port-Channel
LACP Support for EVC Port Channel
Storm Control on Switchports and Ports

Having EVCs
IP Source Guard for Service Instance
Organization
This document contains the following chapters:
Section
Title
Chapter 1
Overview
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Configuring QoS
Chapter 8
Troubleshooting
Chapter 9
Chapter 10 Configuring IPoDWDM

Chapter 11 Configuring Automatic Laser Shutdown
Chapter 12 Network Clocking on Cisco 7600 Series Ethernet Services Plus Line Cards
Chapter 13 Configuring Layer 3 and Layer 4 Features
OL-16147-20
xxi
Preface
Related Documentation
Related Documentation
This section refers you to other documentation that also might be useful as you configure your
Cisco 7600 series router. The documentation listed below is available online.
Cisco 7600 Series Router Documentation

As you configure your Cisco 7600 series router, you should also refer to the following companion
publication for important hardware installation information:
Cisco 7600 Series Ethernet Services Plus Line Card Hardware Installation Guide
An overview of the Cisco 7600 series router features, benefits, and applications can be found in the
Cisco 7600 Series Internet Router Essentials document located at the following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_quick_start09186a0080092248.html
Some of the following other Cisco 7600 series router publications might be useful to you as you
configure your Cisco 7600 series router.
Cisco 7600 Series Cisco IOS Software Configuration Guide

http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book.ht
ml
Cisco 7600 Series Cisco IOS Command Reference

http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html
Cisco 7600 Series Cisco IOS System Message Guide

http://www.cisco.com/en/US/docs/ios/system/messages/guide/consol_smg.html
Cisco 7600 Series Internet Router MIB Specifications Guide

http://www.cisco.com/en/US/docs/routers/7600/technical_references/7600_mib_guides/MIB_Guid
e_ver_6/mibgde6.html
Several other publications are also related to the Cisco 7600 series router. For a complete reference of
related documentation, refer to the Cisco 7600 Series Routers Documentation Roadmap located at the
following URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/products_documentation_roadmaps_list.html
xxii
OL-16147-20
Preface
Other Cisco IOS Software Publications

Your router and the Cisco IOS software running on it contain extensive features. You can find
documentation for Cisco IOS software features at the following URL:
http://www.cisco.com/en/US/products/ps6922/products_feature_guides_list.html
Cisco IOS Release 12.2SR Software Publications

Documentation for Cisco IOS Release 12.2SR, including command reference and system error
messages, can be found at the following URL:
http://www.cisco.com/en/US/products/ps6922/tsd_products_support_series_home.html
Within the Cisco 7600 Series ES+ line card software configuration guide, the term router is generally
used to refer to a variety of Cisco products (for example, routers, access servers, and switches). Routers,
access servers, and other networking devices that support Cisco IOS software are shown interchangeably
within examples. These products are used only for illustrative purposes; that is, an example that shows
one product does not necessarily indicate that other products are not supported.
This documentation uses the following conventions:
Convention
Description
^ or Ctrl
The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D
means hold down the Control key while you press the D key. Keys are indicated in capital letters but
are not case sensitive.
string
A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP
community string to public, do not use quotation marks around the string or the string will include the
quotation marks.
Command syntax descriptions use the following conventions:
Convention
Description
bold
Bold text indicates commands and keywords that you enter exactly as shown.
italics
Italic text indicates arguments for which you supply values.
[x]
Square brackets enclose an optional element (keyword or argument).
A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]
Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional
choice.
{x | y}
Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
OL-16147-20
xxiii
Preface
Nested sets of square brackets or braces indicate optional or required choices within optional or required
elements. For example:
Convention
Description
[x {y | z}]
Braces and a vertical line within square brackets indicate a required choice within an optional element.
Examples use the following conventions:
Convention
Description
screen
Examples of information displayed on the screen are set in Courier font.
bold screen
Examples of text that you must enter are set in Courier bold font.
<
Angle brackets enclose text that is not printed to the screen, such as passwords.
>
!
[
An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also
displayed by the Cisco IOS software for certain processes.)
]
Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:
Caution
Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Note
Means reader take note. Notes contain helpful suggestions or references to materials that may not be
contained in this manual.
Tip
Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but could be useful information, similar to a Timesaver.

For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
xxiv
OL-16147-20
CH A P T E R
Overview
This chapter contains the following sections:
Whats Covered in This Document, page 1-1
Finding Platform-Independent Feature Information, page 1-1
Finding Support Information for Platforms and Cisco IOS Software Images, page 1-2
Cisco 7600 Series ES+ Line Card Restrictions, page 1-2
Supported MIBs, page 1-2
Whats Covered in This Document

This document provides information on configuring the features specific to the Cisco 7600 Series
Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card. Platform-independent
feature configuration information is not covered.
All the information available in this documentation is applicable to both the type of line cards unless
explicitly specified otherwise.
Note
Finding Platform-Independent Feature Information

For the latest platform-independent feature information and caveats, see the Cross-Platform Release
Notes for Cisco IOS Release 12.2SR at:
http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRrn.html
OL-16147-20
1-1
Chapter 1
Overview
Finding Support Information for Platforms and Cisco IOS Software Images
Finding Support Information for Platforms and Cisco IOS

Software Images
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software
images support a specific set of features and which features are supported in a specific Cisco IOS image.
You can search by feature or by feature set (software image). Under the release section, you can compare
Cisco IOS software releases side by side to display both the features that are unique to each software
release and the features that the releases have in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology
releases occur. For the most current information, go to the Cisco Feature Navigator home page at the
following URL:
http://www.cisco.com/go/cfn
For frequently asked questions about Cisco Feature Navigator, see the FAQs at the following URL:
http://www.cisco.com/support/FeatureNav/FNFAQ.html
Cisco 7600 Series ES+ Line Card Restrictions

This section documents unsupported features and feature restrictions for the Cisco 7600 Series ES+ line
card on the Cisco 7600 series router.
As of Cisco IOS Release 12.2(33)SRD, the Cisco 7600 Series ES+ line card is not supported by the
Supervisor Engine 32. The Cisco 7600 Series ES+ line card is supported by the Supervisor Engine 720
PFC3B, the Supervisor Engine 720 PFC3BXL, and the Route Switching Processor 720. It is not
supported with a Supervisor Engine 720 PFC3A or in PFC3A mode.
For ES+T cards, the maximum number of queues allowed per port is 16. When maximum number of
queues are configured, up to 4MB static memory is used.
For more information about the requirements for Policy Feature Cards (PFCs) on the Cisco 7600 series
router, refer to the Cross-Platform Release Notes for Cisco IOS Release 12.2SR at
http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRrn.html and the Guide to Supported
Hardware for Cisco 7600 Series Routers with Cisco IOS Release 12.2SR at
http://www.cisco.com/en/US/docs/routers/7600/Hardware/12.2SR_supported_hw/7600_hwd.html.
Supported MIBs
The following MIBs are supported in Cisco IOS Release 12.2SRB and later for the Cisco 7600 Series
ES+ line card on a Cisco 7600 series router:
CISCO-ENTITY-ASSET-MIB
CISCO-ENTITY-EXT-MIB
CISCO-ENTITY-FRU-CONTROL-MIB
ENTITY-MIB
OLD-CISCO-CHASSIS-MIB
Class-Based MIB (Cisco Classed-Based QoS MIB)
IF-MIB (Interface MIB)
1-2
OL-16147-20
Chapter 1
Overview
Supported MIBs
EVC MIB
CFM (802.1ag) IEEE MIB
802.3ah SNMP MIB
CISCO-PORT-STORM-CONTROL-MIB
For more information about MIB support on a Cisco 7600 series router, refer to the Cisco 7600 Series
Internet Router MIB Specifications Guide, at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/technical_references/7600_mib_guides/MIB_Guide_v
er_6/mibgde6.html
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of
supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your
account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify
that your e-mail address is registered with Cisco.com. If the check is successful, account details with a
new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com
by following the directions found at this URL:
https://tools.cisco.com/RPF/register/register.do
OL-16147-20
1-3
Chapter 1
Overview
Supported MIBs
1-4
OL-16147-20
CH A P T E R
Configuring the Cisco 7600 Series Ethernet

Services ES+ Line Card
This chapter provides information about configuring the Cisco 7600 Ethernet Services Plus (ES+) and
Ethernet Services Plus T (ES+T) line card on the Cisco 7600 series router. It includes the following
sections:
Required Configuration Tasks, page 2-1
Identifying Slots and Subslots for the Cisco 7600 Series Ethernet Services Plus Line Card, page 2-2
Displaying the Cisco 7600 Series Ethernet Services Plus Line Card Type, page 2-2
Resetting a Cisco 7600 Series Ethernet Services Plus Line Card, page 2-3
SFP-GE-T Support, page 2-3
For information about managing your system images and configuration files, refer to the Cisco IOS
Configuration Fundamentals Configuration Guide and Cisco IOS Configuration Fundamentals
Command Reference publications that correspond to your Cisco IOS software release.
For more information about the commands used in this chapter, see the Cisco IOS Release 12.2 SR
Command References at
http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html.
Also refer to the related Cisco IOS software command reference and master index publications. For more
information about accessing these publications, see Related Documentation, page -xxii.
Note
Required Configuration Tasks

There are not any features that require direct configuration on the Cisco 7600 Series ES+ line card. You
do not need to attach to the Cisco 7600 Series ES+ line card itself to perform any configuration. The
system recognizes the Cisco 7600 Series ES+ line card when it is inserted into an open slot of an
in-service chassis.
OL-16147-20
2-1
Chapter 2 Configuring the Cisco 7600 Series Ethernet Services ES+ Line Card
Identifying Slots and Subslots for the Cisco 7600 Series Ethernet Services Plus Line Card
Identifying Slots and Subslots for the Cisco 7600 Series Ethernet
Services Plus Line Card
For information on how to specify the physical locations of a Cisco 7600 Series ES+ line card on the
Cisco 7600 series routers, see Specifying the Slot Location for a Cisco 7600 Cisco 7600 Series Plus Line
Cards, in the Cisco 7600 Series Ethernet Services Plus Line Card Hardware Installation Guide.
Displaying the Cisco 7600 Series Ethernet Services Plus Line

Card Type
To verify the Cisco 7600 Series ES+ line card hardware type that is installed in your Cisco 7600 series
router, you can use the show module command. There are other commands on the Cisco 7600 series
router that also provide Cisco 7600 Series ES+ line card hardware information, such as the show idprom
command, the show diagbus command, and the show running-config interface command.
The following example shows output from the show module command on the Cisco 7600 series router
with a Cisco 7600 Series ES+ line card installed in slot 8:
Router# show mod 8
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ ----------8 40 7600 ES+ 7600-ES+40G3CXL JAB1122026E
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ ------8 001d.e5e8.0a80 to 001d.e5e8.0adf 0.118 12.2(33r)SRD 12.2(nightly Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- ------8 7600 ES+ DFC XL 7600-ES+3CXL JAB11220263 0.102 Ok
8 7600 ES+ 40xGE SFP 7600-ES+40G JAB112301RT 0.106 Ok
Mod Online Diag Status
---- ------------------8 Pass
Router#
The following example shows output from the show idprom command for a Cisco 7600 Series ES+ line
card installed in slot 8 of the router:
Router# show idprom module 8
IDPROM for module #8
(FRU is '7600 ES+')
OEM String = 'Cisco Systems'
Product Number = '7600-ES+40G3CXL'
Serial Number = 'JAB1122026E'
Manufacturing Assembly Number = '73-10984-01'
Manufacturing Assembly Revision = '10'
Hardware Revision = 0.118
Current supplied (+) or consumed (-) = -4.17A
Router#
The following example shows sample output from the show running-config interface command to
verify that the newly created interface appears in the running configuration:
Router# show running-config interface GE 2/1
Building configuration...
Current configuration : 85 bytes
!
interface GE 2/1
2-2
OL-16147-20
Chapter 2
no ip address
no ip directed-broadcast
shutdown
end

To reset an Cisco 7600 Series ES+ line card, use the following command in privileged EXEC
configuration mode:
Command
Purpose
Router#hw-module module slot reset
Turns power off and on to the Cisco 7600 Series

ES+ line card in the specified slot, where:
slotSpecifies the chassis slot number where

the Cisco 7600 Series ES+ line card is
installed.
SFP-GE-T Support
The SFP-GE-T on the Cisco 7600-ES+ line card supports speeds of 10 Mbps, 100 Mbps, and 1000 Mbps.
You can configure the speed using the speed command. Only full-duplex mode is supported.
You can configure each Ethernet interface independently using any combination of 10 Mbps, 100 Mbps,
or 1000 Mbps.
To set the interface speed, use the following command in the interface configuration mode.
Command
Purpose
Router (config-if)# speed
Configures the interface speed.
Example:
Accepted values are:
Router(config-if)# speed 10
10 for 10 Mbps operation
Effective from Releases 12.2(33)SRE5, 15.1(3)S1, and 15.2(1)S, auto-negotiation is supported on ES+
cards. Use the speed auto command to configure the auto-negotiation. Remember that, this feature
negotiates only speed. Speeds of 10 Mbps, 100 Mbps, and 1000 Mbps are negotiated if the remote end
support auto-negotiation. By default, the mode is 1G non-auto.
Note
Because auto-negotiation of duplex mode is not supported, you must manually configure the remote port
for full-duplex mode.
To set the auto-negotiation, use the following command in the interface configuration mode:
OL-16147-20
2-3
Chapter 2
SFP-GE-T Support
Command
Purpose
Router (config-if)# speed auto
Enables Fast Ethernet auto-negotiation. Speeds of

10 Mbps, 100 Mbps, and 1000 Mbps are
negotiated. By default, the mode is 1G non-auto.
Example:
Router(config-if)# speed auto
2-4
OL-16147-20
CH A P T E R

This chapter provides information about configuring high availability features on the Cisco 7600 Series
Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on the Cisco 7600 series
router.
Command References at:
http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html
Note
ISSU Support for Cisco 7600 Series Ethernet Services Plus Line
Card
The Cisco 7600 Series ES+ line card supports In-Service Software Upgrade (ISSU) with Enhanced Fast
Software Upgrade (eFSU). ISSU allows for the upgrade and downgrade of Cisco IOS images at different
release levels on the active and standby supervisors. ISSU procedure also applies to upgrade and
downgrade of line card images. A new line card image is loaded, as necessary, when the supervisor
engine software is upgraded or downgraded.
For information, see the Cisco 7600 Series Cisco IOS Software Configuration Guide, 15.0SR at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book.html
OL-16147-20
3-1
Chapter 3
ISSU Support for Cisco 7600 Series Ethernet Services Plus Line Card
3-2
OL-16147-20
CH A P T E R

This chapter provides information about configuring layer 1 and layer 2 features on the Cisco 7600
Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on the Cisco 7600
series router. It includes the following topics:
Cisco 7600 Synchronous Ethernet Support, page 4-2
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards, page 4-33
Backup Interface for Flexible UNI, page 4-39
EVC On Port-Channel, page 4-49
Configuring SPAN on EVC, page 4-53
Configuring SPAN on EVC, page 4-53
Configuring Layer 2 Access Control Lists (ACLs) on an EVC, page 4-61
Configuring MST on EVC Bridge Domain, page 4-79
Configuring Link State Tracking (LST), page 4-87
MAC Address Security for EVC Bridge Domain, page 4-90
CFM and PVST Co-Existence, page 4-107
Custom Ethertype for EVC Interfaces, page 4-112
Storm Control on Switchports and Ports Having EVCs, page 4-123
Storm Control over EVC, page 4-132
Asymmetric Carrier-Delay, page 4-135
Manual Load Balancing for EVC over Port-Channel/LACP, page 4-137
EVC Port Channel Per Flow Load Balancing, page 4-142
Multichassis Support for LACP, page 4-147
Pseudo MLACP Support on Cisco 7600, page 4-164
Layer 2 Tunneling Protocol Version 3 (L2TPv3), page 4-175
Reverse L2GP for Cisco 7600, page 4-181
Configuring Resilient Ethernet Protocol, page 4-210
IEEE 802.1ag-2007 Compliant CFM, page 4-235
802.1ah: Configuring the MAC Tunneling Protocol, page 4-274
802.3ah: Dying Gasp and Remote Loopback Initiation, page 4-283
OL-16147-20
4-1
Chapter 4
Cisco 7600 Synchronous Ethernet Support
Support for IEEE 802.1ad, page 4-287
Y.1731 Performance Monitoring, page 4-321
IP and PPPoE Session Support, page 4-344
Per Subscriber Session Call Admission Control (CAC), page 4-362
Configuring Private Host on Pseudoport on CWAN Cards, page 4-365
Dynamic Ethernet Service Activation
BFD Scale Improvement on ES+ Line Card for 7600
Note
Note
Follow these restrictions and guidelines while cross-bundling various linecards:

1. ES20 and ES+ cross-bundling is not supported.
2. Any LAN card, and ES20/ES+ cross-bundling is not supported.

Synchronous Ethernet (SyncE) defined by the ITU-T standards such as G.8261 and G.8262 leverages the
PHY layer of Ethernet to transmit clock information to the remote sites. SyncE over Ethernet provides
a cost-effective alternative to the SONET networks. For SyncE to work, each network element along the
synchronization path must support SyncE. To implement SyncE, the Bit clock of the Ethernet is aligned
to a reliable clock traceable to Primary Reference Clock (PRC).
SyncE is implemented on an ES+ card for Cisco 7600 series routers. An ES+ card has a dedicated
external interface known as BITs interface to recover clock from a Synchronization Supply Unit (SSU).
The 7600 router uses this clock for SyncE. The BITS interface supports E1(European SSUs) and T1
(American BITS) framing. Table 4-1 lists the framing modes for BITS port on an ES+ card:
Table 4-1
Framing Modes for BITS Port on an ES+ card
BITS/SSU port support Matrix
Framing modes supported
SSM/QL support
Tx Port
Rx Port
T1
T1 ESF
Yes
Yes
Yes
T1
T1 SF
No
Yes
Yes
E1
E1 CRC4
Yes
Yes
Yes
E1
E1 FAS
No
Yes
Yes
E1
E1 CAS
No
No
Yes
4-2
OL-16147-20
Chapter 4

BITS/SSU port support Matrix
Framing modes supported
SSM/QL support
Tx Port
Rx Port
E1
E1 CAS CRC4
Yes
No
Yes
2048kHz
2048kHz
No
Yes
Yes
OL-16147-20
4-3
Chapter 4
Table 4-2 lists the External Timing Input and Output Pinouts:
Note
External Timing Input and Output Pinout
Pin
Signal
Rx Ring
Receive (Rx) Tip
Not used
Tx Ring
Transmit (Tx) Tip
Not used
Not used
Not used
Image
H11419
Table 4-2
The pin out for BITS port on ES+ is similar to E1 and T1.
You can implement SyncE on an ES+ card with four different configurations:
Clock Recovery from SyncE: System clock is recovered from the SyncE clocking source (gigabit
and ten gigabit interfaces only). Router uses this clock as the Tx clock for other SyncE interfaces or
ATM/CEoP interfaces.
Clock Recovery from External Interface: System clock is recovered from a BITS clocking source.
Line to External: The clock received from an Ethernet is forwarded to an external SSU. The SynE
feature provides the functionality for clock cleanup. For a router in the middle of synchronization
chain, the received clock may have unacceptable wander and jitter. The router recovers the clock
from the SyncE interface, converts it to the format required for the BITS interface, and sends to a
SSU through the BITS port. The SSU performs the cleanup and sends it back to the BITs interface.
The cleaned up clock is received back from the SSU. This clock is used as Tx clock for the SyncE
ports. For 7600 router, the interface from which the clock is recovered and the BITS port to the SSU
should reside on the same ES+ card.
System to External: The system clock is used as Tx clock for an external interface. By default the
system clock is not transmitted on the external interface.
The SyncE enabled ES+ line card provides the squelching functionality, where an Alarm indication
Signal (AIS) is sent to the Tx interfaces if the clock source goes down. The squelching functionality is
implemented in two cases:
Line to external: If the line source goes down, an AIS is transmitted on the external interface to the
SSU.
System to external: If the router loses all the clock sources, an AIS is sent on the external interface
to the SSU.
Squelching is performed only towards an external device such as SSU or PRC.
4-4
OL-16147-20
Chapter 4

You can have a maximum of six clock sources for a 7600 Router and a maximum of 4 clock sources on
an ES+ card. The clock source with highest priority is made the default clock source. You can manage
the clock sources on an ES+ card by changing the priority of the clock sources. You can also manage the
synchronization on ES+ cards using the following management options:
Hold-of Time: If a clock source goes down, the router waits for a specific hold-off time before
removing the source. By default, the value of hold-of time is 300 ms.
Wait to Restore: If a SyncE interface comes up, the router waits for a specific period of time before
considering the SyncE interface for synchronization source. By default, the value is 300 sec.
Force Switch: Forcefully select a synchronization source irrespective of whether the source is
available or within the specified range.
Manual Switch: Forcefully select a synchronization source provided the source is available and
within the range.
SSM and ESMC

Network Clocking uses these mechanisms to exchange the quality level of the clock between the network
elements:
Synchronization Status Message
Ethernet Synchronization Messaging Channel
Synchronization Status Message

Network elements use Synchronization Status Messages (SSM) to inform the neighboring elements
about the Quality Level (QL) of the clock. The non-ethernet interfaces such as optical interfaces and
SONET/T1/E1 SPA framers uses SSM. The key benefits of the SSM functionality:
Prevents timing loops.
Provides fast recovery when a part of the network fails.
Ensures that a node derives timing from the most reliable clock source.
Ethernet Synchronization Messaging Channel

In order to maintain a logical communication channel in synchronous network connections, ethernet
relies on a channel called Ethernet Synchronization Messaging Channel (ESMC) based on IEEE 802.3
Organization Specific Slow Protocol standards. ESMC relays the SSM code that represents the quality
level of the Ethernet Equipment Clock (EEC) in a physical layer.
The ESMC packets are received only for those ports configured as clock sources and transmitted on all
the SyncE interfaces in the system. These packets are then processed by the Clock selection algorithm
on RP and are used to select the best clock. The Tx frame is generated based on the QL value of the
selected clock source and sent to all the enabled SyncE ports.
Clock Selection Algorithm

Clock selection algorithm selects the best available synchronization source from the nominated sources.
The clock selection algorithm has a non-revertive behavior among clock sources with same QL value
and always selects the signal with the best QL value. For clock option 1, the default is revertive and for
clock option 2, the default is non-revertive.
OL-16147-20
4-5
Chapter 4
The clock selection process works in the QL enabled and QL disabled modes. When multiple selection
processes are present in a network element, all processes work in the same mode.
QL-enabled mode
In QL-enabled mode, the following parameters contribute to the selection process:
Quality level
Signal fail via QL-FAILED
Priority
External commands.
If no external commands are active, the algorithm selects the reference (for clock selection) with the
highest quality level that does not experience a signal fail condition. If multiple inputs have the same
highest quality level, the input with the highest priority is selected. For multiple inputs having the same
highest priority and quality level, the existing reference is maintained (if it belongs to this group),
otherwise an arbitrary reference from this group is selected.
QL-disabled mode
In QL-disabled mode, the following parameters contribute to the selection process:
Signal failure
Priority
External commands
If no external commands are active, the algorithm selects the reference (for clock selection) with the
highest priority that does not experience a signal fail condition. For multiple inputs having the same
highest priority, the existing reference is maintained (if it belongs to this group), otherwise an arbitrary
reference from this group is selected.
Hybrid mode
The SyncE feature requires that each network element along the synchronization path needs to support
SyncE. Timing over Packet (ToP) enables transfer of timing over an asynchronous network. The hybrid
mode uses the clock derived from 1588 (PTP) to drive the system clock. This is achieved by configuring
the Timing over Packet (ToP) interface on the PTP slave as the input source.
Note
The ToP interface does not support QL and works only in the QL-disabled mode.
The ES+ is a family of fixed-port SyncE line cards supporting 20 and 40 gbps bandwidth for the 7600
series routers. The following ES+ cards support SyncE:
4x10G XFP ports
40x1G SFP ports
2x10G XFP ports
20x1G SFP ports
4x10GE or 2x10GE with ITU-T G.709 DWDM optical interface

Follow these restrictions and usage guidelines when configuring the SyncE on an ES40 line card:
4-6
OL-16147-20
Chapter 4

If the network clock algorithm is enabled, all the ES+ cards on the router use the system clock as Tx
clock (synchronous mode) for its ethernet interfaces. You cannot change the synchronous mode on
a per interface basis for the line card. The whole line cards functions in the same mode.
On an ES+ card, you can have a maximum of 4 ports configured as clock source at a time.
For a 20x1 gigabit ES+ line card, you can select a maximum of two ports from each NPU.
For a 40x1 gigabit ES+ line card, you can select only one port from each NPU.
You can configure a maximum of 6 ports as a clock source for a Cisco 7600 router.
The line to external for clock clean up is supported only if the line interface and the external (BITS)
interface are on the same ES+ line card.
SyncE feature is SSO co-existent, but not compliant. The clock selection algorithm is restarted on a
switchover. During the switchover the router goes into hold-over mode.
The ES+ SyncE interfaces in WAN mode cannot be used for QL-enabled clock selection. You should
either use them with the system in QL disabled mode or disable ESMC on the interfaces and use
them as QL-disabled interfaces.
It is recommended that you do not configure multiple input sources with the same priority as this
impacts the TSM switching delay.
You cannot implement the network-clock based clock selection algorithm and the new algorithm
simultaneously. Both these algorithms are mutually exclusive.
SyncE is not supported on 1 Gigabit Ethernet copper SFPs (SFP GE-T and GLC-T).
Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card
This section describes how to configure SyncE for Cisco 7600 Router. SyncE is implemented on Cisco
7600 router using four different configurations:
Configuring the Clock Recovery from SyncE, page 4-7
Configuring the Clock Recovery from BITS Port, page 4-9
Configuring the System to External, page 4-11
Configuring the Line to External, page 4-12
Configuring the Clock Recovery from SyncE

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery
from SyncE method.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
network-clock synchronization automatic
4.
network-clock synchronization ssm option option_Id Generation_Id
5.
interface gigabitethernet slot/port or interface tengigabitethernet slot/port
6.
[no]clock source {internal | line | loop}
7.
synchronous mode
OL-16147-20
4-7
Chapter 4
8.
exit
9.
network-clock input-source priority {interface interface_name slot/card/port | {external

slot/card/port }}
10. exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Enables privileged EXEC mode.
Enter your password if prompted.
Example:
Router# enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3
Example:
Router(config)# network-clock synchronization automatic
Step 4
network-clock synchronization ssm option {option_id {GEN1 | GEN2}}
Enables the network clock selection algorithm. This

command disables the Cisco specific network-clock
process and turns on G.781 based automatic clock
selection process.
Configures the equipment to work in synchronization
network. The option_id value 1 refers to synchronization
networks design for Europe. This is the default value. The
option_id value 2 refers to synchronization networks
design for US.
Example:
Router(config)# network-clock synchronization ssm option 2 GEN1
Step 5
interface gigabitethernet slot/port or

interface tengigabitethernet slot/port
Specifies the Gigabit Ethernet or the Ten Gigabit Ethernet

interface to configure, where:
slot/portSpecifies the location of the interface.
Example:
Router(config)# int gig 5/1
Step 6
clock source {internal | line | loop}
Example:
Router(config-if)# clock source line
Indicates the clock source to use. The 3 options for clock

source are:
internal: Use internal clock.
line: Recover clock from line.
loop: Use local loop timing.
To implement SYNCE, use line option.
4-8
OL-16147-20
Chapter 4

Step 7
Command
Purpose
synchronous mode
Sets the mode to synchronous mode.
Example:
Router(config-if)# synchronous mode
Step 8
exit
Exits the specific configuration mode.
Example:
Router(config)# exit
Step 9
network-clock input-source priority

{interface interface_name
slot/card/port | {external
slot/card/port }}
Enables clock recovery from SyncE.
Example:
Router(config)# network-clock input-source 1 interface
TenGigabitEthernet7/1
Step 10
exit
Exits the global configuration mode.
Example:
Examples
This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:
Router>enable
Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Configuring the Clock Recovery from BITS Port

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using clock recovery
from BITS port.
SUMMARY STEPS
1.
enable
OL-16147-20
4-9
Chapter 4
2.
configure terminal
3.
4.
5.
network-clock input-source priority {interface interface_name slot/card/port | {external

slot/card/port }}
6.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4

selection process.
design for US.
Example:
Step 5
network-clock input-source priority

{interface interface_name
slot/card/port | {external
slot/card/port }}
Enables clock recovery from BITS port.
Example:
Router(config-if-srv)# network-clock
input-source 1 External 7/0/0 t1 sf
Step 6
exit
Exits the global configuration mode
Example:
4-10
OL-16147-20
Chapter 4

Examples
This example shows how to configure clock recovery from BITS port for Cisco 7600 Routers:
Router>enable
Router(config)# network-clock input-source 1 External 7/0/0 t1 sf
Configuring the System to External

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using System to
External method.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
network-clock output-source system priority {external slot/card/port [j1 | 2m | 10m] }
6.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:

selection process.
OL-16147-20
4-11
Chapter 4
Step 4
Command
Purpose

design for US.
Example:
Step 5
network-clock output-source system priority {external slot/card/port [j1 | 2m

| 10m]}
Configures the system clock to be used on external Tx interfaces.
Example:
Router(config)# network-clock output-source system 1 external 4/0/0 t1
sf
Step 6
exit
Example:
Examples
This example shows how to configure system to external clocking for Cisco 7600 Routers:
Router>enable
This example shows how to configure clock clean-up using an SSU:

Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External
1/0/0 t1 sf
Configuring the Line to External

This section describes how to configure SyncE over ES+ card on Cisco 7600 router using Line to
External method.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
4-12
OL-16147-20
Chapter 4

5.
6.
[no]clock source {internal | line | loop}
7.
synchronous mode
8.
exit
9.
network-clock output-source line priority {interface interface_name | controller {t1 | e1}

slot/card/port}} {external slot/card/port}
10. exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4

selection process.
design for US.
Example:
Step 5


Example:
Step 6
Example:
Indicates the clock source to use. The 3 options for clock

source are:
internal: Use internal clock.
line: Recover clock from line.
loop: Use local loop timing.
To implement SYNCE, use line option.
OL-16147-20
4-13
Chapter 4
Step 7
Command
Purpose
synchronous mode
Sets the mode to synchronous mode.
Example:
Step 8
exit
Exits the specific configuration mode.
Example:
Step 9
network-clock output-source line priority {interface interface_name | controller {t1 | e1} slot/card/port}}
{external slot/card/port}
Configures the line clock to be used on external Tx interfaces.
Example:
Router(config-if-srv)# encapsulation
dot1q 40 second-dot1q 42
Step 10
exit
Example:
Examples
This example shows how to configure clock recovery from SyncE for Cisco 7600 Routers:
Router>enable
Router(config)# network-clock input-source 1 interface TenGigabitEthernet7/1
Router(config)# network-clock output-source line 1 interface GigabitEthernet1/11 External
1/0/0
Managing Synchronization on ES+ Card

Manage the synchronization on ES+ cards with these management commands:
4-14
OL-16147-20
Chapter 4

Quality Level Enabled Clock Selection: Use the network-clock synchronization mode
QL-enabled command in global configuration mode to configure the automatic selection process
for QL-enabled mode. This succeeds only if the SyncE interfaces are capable of sending SSM. The
following example shows how to configure network clock synchronization (QL-enabled mode) in
global configuration mode:
Router(config)# network-clock synchronization mode QL-enabled
ESMC Process: Use the esmc process command in global configuration mode to enable the ESMC
process at system level. The no form of the command disables the ESMC process. This command
fails if there is no SyncE-capable interface installed in the platform. The following example shows
how to enable ESMC in global configuration mode:
Router(config)# esmc process
ESMC Mode: Use the esmc mode [tx | rx |<cr>] command in interface configuration mode to
enable ESMC process at interface level. The no form of the command disables the ESMC process.
The following example shows how to enable ESMC in interface configuration mode:
Router(config-if)# esmc mode
tx
Network Clock Source Quality level: Use the network-clock source quality-level command in
interface configuration mode to configure the QL value for ESMC on gigabitethernet port. The value
is based on global interworking options.
If Option 1 is configured, the available values are QL-PRC, QL-SSU-A, QL-SSU-B, QL-SEC,
and QL-DNU.
If Option 2 is configured with GEN 2, the available values are QL-PRS, QL-STU, QL-ST2,
QL-TNC, QL-ST3, QL-SMC, QL-ST4 and QL-DUS.

If option 2 is configured with GEN1, the available values are QL-PRS, QL-STU, QL-ST2,
QL-SMC, QL-ST4 and QL-DUS

Use the network-clock quality-level command in global configuration mode to configure the QL
value for SSM on BITS port. The following example shows how to configure network-clock
quality-level in global configuration mode:
Router(config)# network-clock quality-level rx QL-PRC interface ToP3/0/20
The following example shows how to configure network-clock source quality-level in interface
configuration mode:
Router(config-if)# network-clock source quality-level QL-PRC
Wait-to-Restore: Use the network-clock wait-to-restore timer global command to set

wait-to-restore time. You can configure the wait-to-restore time between 0 to 86400 seconds. The
default value is 300 seconds. The wait-to-restore timer can be set at global configuration mode and
interface configuration mode. The following example shows how to configure wait-to-restore timer
in global configuration mode:
Router(config)# network-clock wait-to-restore 10 global
The following example shows how to configure the wait-to-restore timer in interface configuration
mode:
Router(config)# int ten 7/1
Router(config-if)# network-clock wait-to-restore 10
OL-16147-20
4-15
Chapter 4
Hold-off Time: Use network-clock hold-off timer global command to configure hold-off time. You
can configure the hold-off time to zero or any value between 50 to 10000 milliseconds. The default
value is 300 milliseconds. The network-clock hold-off timer can be set at global configuration
mode and interface configuration mode.The following example shows how to configure hold-off
time:
Router(config)# network-clock hold-off 50 global
Force Switch: Use the network-clock switch force command to forcefully select a synchronization
source irrespective of whether the source is available and within the range. The following example
shows how to configure manual switch:
Router(config)# network-clock switch force interface tenGigabitEthernet 7/1 t1
Manual Switch: Use network-clock switch manual command to manually select a synchronization
source provided the source is available and within the range. The following example shows how to
configure manual switch:
Router(config)# network-clock switch manual interface tenGigabitEthernet 7/1 t1
Clear Manual and Force Switch: Use the network-clock clear switch controller-id command to
clear the manual or switch it by force. The following example shows how to clear a switch:
Router(config)# network-clock clear switch t0
Lock out a Source: Use the network-clock set lockout command to lock-out a clock source. A clock
source flagged as lock-out is not selected for SyncE. To clear the lock-out on a source, use the
network-clock clear lockout command. The following example shows how to lock out a clock
source:
Router(config)# network-clock set lockout interface tenGigabitEthernet 7/1
The following example shows how to clear lock-out on a clock source:

Router(config)# network-clock clear lockout interface tenGigabitEthernet 7/1
Verification
Use the following commands to verify the SyncE configuration:
Use the show network-clock synchronization command to display the sample output:
Router# show network-clocks synchronization
Symbols:
En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Enable
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
4-16
OL-16147-20
Chapter 4

Revertive : No
Nominated Interfaces
Interface
Internal
*Te12/1
AT6/0/0
SigType
NA
NA
NA
Mode/QL
NA/Dis
Sync/En
NA/En
Prio
251
1
1
QL_IN ESMC Tx
QL-SEC
NA
QL-PRC
QL-SSU-A NA
ESMC Rx
NA
NA
Use the show network-clock synchronization detail command to display all details of
network-clock synchronization parameters at the global and interface levels.
Router# show network-clocks synchronization detail
Symbols:
En - Enable, Dis - Disable, Adis - Admin Disable
NA - Not Applicable
* - Synchronization source selected
# - Synchronization source force selected
& - Synchronization source manually switched
ESMC : Enabled
SSM Option : 1
T0 : TenGigabitEthernet12/1
Tsm Delay : 180 ms
Revertive : No
Force Switch: FALSE
Manual Switch: FALSE
Number of synchronization sources: 2
sm(netsync NETCLK_QL_ENABLE), running yes, state 1A
Last transition recorded: (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A
(ql_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A (ql_change)-> 1A (sf_change)-> 1A
(sf_change)-> 1A (ql_change)-> 1A
Interface
Internal
*Te12/1
AT6/0/0
SigType
NA
NA
NA
Mode/QL
NA/Dis
Sync/En
NA/En
Prio
251
1
1
QL_IN ESMC Tx
QL-SEC
NA
QL-PRC
QL-SSU-A NA
ESMC Rx
NA
NA
Interface:
--------------------------------------------Local Interface: Internal
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Disable
SSM Rx: Disable
Priority: 251
QL Receive: QL-SEC
QL Receive Configured: QL Receive Overrided: QL Transmit: QL Transmit Configured: Hold-off: 0
Wait-to-restore: 0
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Slot Disabled: FALSE
Local Interface: Te12/1
OL-16147-20
4-17
Chapter 4
Signal Type: NA
Mode: Synchronous(Ql-enabled)
ESMC Tx: Enable
ESMC Rx: Enable
Priority: 1
QL Receive: QL-PRC
QL Receive Configured: QL Receive Overrided: QL Transmit: QL-DNU
QL Transmit Configured: Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Local Interface: AT6/0/0
Signal Type: NA
Mode: NA(Ql-enabled)
SSM Tx: Enable
SSM Rx: Enable
Priority: 1
QL Receive: QL-SSU-A
QL Receive Configured: QL Receive Overrided: QL Transmit: QL Transmit Configured: Hold-off: 300
Wait-to-restore: 300
Lock Out: FALSE
Signal Fail: FALSE
Alarms: FALSE
Use the show esmc command to display the sample output.

Router# show esmc
Interface: TenGigabitEthernet12/1
Administative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
QL TX: QL RX: Operational status:
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: ESMC Information rate: 1 packet/second
ESMC Expiry: 5 second
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
4-18
OL-16147-20
Chapter 4

QL rx overrided: QL-DNU
ESMC Information rate: 1 packet/second
Use the show esmc detail command to display all details of esmc parameters at the global and
interface levels.
Router# show esmc detail
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
Port status: UP
QL Receive: QL-PRC
QL Transmit: QL-DNU
QL rx overrided: ESMC Information rate: 1 packet/second
ESMC Tx Timer: Running
ESMC Rx Timer: Running
ESMC Tx interval count: 1
ESMC INFO pkts in: 2195
ESMC INFO pkts out: 6034
ESMC EVENT pkts in: 1
ESMC EVENT pkts out: 16
Administrative configurations:
Mode: Synchronous
ESMC TX: Enable
ESMC RX: Enable
Port status: UP
QL Receive: QL-DNU
QL Transmit: QL-DNU
QL rx overrided: QL-DNU
ESMC Information rate: 1 packet/second
ESMC Tx Timer: Running
ESMC Rx Timer: Running
ESMC Tx interval count: 1
ESMC INFO pkts in: 0
ESMC INFO pkts out: 2159
ESMC EVENT pkts in: 0
ESMC EVENT pkts out: 10
Troubleshooting the Synchronous Ethernet configuration

The following debug commands are available for troubleshooting the Synchronous Ethernet
configuration on the Cisco 7600 ES+ Line Card:
OL-16147-20
4-19
Chapter 4
Debug Command
Purpose
debug platform ssm
Debugs issues related to SSM such as Rx, Tx,QL

values and so on.
debug platform network-clock
Debugs issues related to network clock such as

alarms, OOR, active-standby sources not selected
correctly and so on.
debug esmc
debug esmc
debug esmc
name>]
debug esmc
name>]
debug esmc
name>]
Verifies whether the ESMC packets are

transmitted or received with proper quality level
values.
error
event
packet [interface <interface
packet rx [interface <interface
packet tx [interface <interface
4-20
OL-16147-20
Chapter 4

Troubleshooting Scenarios
Note
Before you troubleshoot, ensure that all the network clock synchronization configurations are complete.
Troubleshooting
Table 4-3 provides the troubleshooting solutions for the synchronous ethernet feature.
OL-16147-20
4-21
Chapter 4
Table 4-3
Problem
Incorrect clock limit set or disabled queue limit
mode
Solution
Verify that there are no alarms on the

interfaces. Use the show network-clock
synchronization detail RP command to
confirm.
Warning
We suggest you do not use these

debug commands without TAC
supervision.
Use the show network-clock

synchronization command to confirm if the
system is in revertive mode or non-revertive
mode and verify the non-revertive
configurations as shown in this example:
RouterB#show network-clocks
synchronization
Symbols:
En - Enable, Dis - Disable,
Adis - Admin Disable NA - Not Applicable
- Synchronization source selected
#
force selected
- Synchronization source
& - Synchronization source

manually switched
ESMC : Enabled
SSM Option : GEN1
T0 : POS3/1/0
Tsm Delay : 180 ms
Revertive : Yes<<<<If it is non revertive
then it will show NO here.
Interface
Prio QL_IN
SigType
Mode/QL
ESMC Tx ESMC Rx
Internal
251
QL-ST3
NA
NA
SONET 3/0/0
3
QL-ST3
NA
*PO3/1/0
1
QL-ST3
NA
SONET 2/3/0
4
QL-ST3
NA
NA/Dis
NA
NA
NA/En
NA
NA
NA/En
NA
NA
NA/En
NA
4-22
OL-16147-20
Chapter 4

Problem
Solution
Reproduce the current issue and collect the

logs using the debug network-clock errors,
debug network-clock event, and debug
network-clock sm RP commands.
Warning
Incorrect quality level (QL) values when you use

the show network-clock synchronization detail
command.
Contact Cisco technical support if the issue

persists.
Use the network clock synchronization

SSM (option 1 |option 2) command to
confirm that there is no framing mismatch.
Use the show run interface command to
validate the framing for a specific interface.
For the SSM option 1 framing should be SDH
or E1 and for SSM option 2, it should be
SONET or T1.
Reproduce the issue using the debug

network-clock errors, debug
network-clock event and debug platform
ssm RP commands or enable the debug
hw-module subslot command.
Warning
Error message %NETCLK-6-SRC_UPD:

Synchronization source SONET 2/3/0 status
(Critical Alarms(OOR)) is posted to all selection
process" displayed.

supervision.

supervision.
Interfaces with alarms or OOR cannot be the

part of selection process even if it has higher
queue limit or priority. Use the debug
platform network-clock RP command to
troubleshoot network clock issues.
Reproduce the issue using the debug

platform network-clock command enabled
in a route processor or enable the debug
network-clock event and debug
network-clock errors RP commands.
Warning

supervision.
OL-16147-20
4-23
Chapter 4

Flexible QinQ Mapping and Service Awareness allows service providers to offer triple-play services,
residential Internet access from a DSLAM, and business Layer 2 and Layer 3 VPN by providing for
termination of double-tagged dot1q frames onto a Layer 3 subinterface at the access node.
The access node connects to the DSLAM through the Cisco 7600 Series ES+ line cards. This provides a
flexible way to identify the customer instance by its VLAN tags, and to map the customer instance to
different services.
Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards is supported only
through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an
end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a
customer. It embodies the different parameters on which the service is being offered. A service instance
is the instantiation of an EVC on a given port on a given router.
Figure 4-1 shows a typical metro architecture where the access router facing the DSLAM provides
VLAN translation (selective QinQ) and grooming functionality and where the service routers (SR)
provide QinQ termination into a Layer 2 or Layer 3 service.
Figure 4-1
Metro Architecture
IP Core
POP
Service
router
Service
router
BRAS
BRAS
V
Single node
possible
L2/MPLS Access
L2 Access network
L2 Switches facing DSLAM
Service Router:
QinQ termination/L2/L3 VPN
L3 Multicast
Access Router:
Selective QinQ, L3 Multicast
DHCP Relay
DSLAM:
Dot1q Tag imposition
1:1 VLAN per sub
N:1 VLAN for Video
Access
router
Access
router
Qin Q
DSLAMs
Central
Office
Central
Office
VIP
191299
DSLAMs
Flexible QinQ Mapping and Service Awareness on Cisco 7600 Series ES+ line cards provides the
following functionality:
VLAN connect with local significance (VLAN local switching)

Single tag Ethernet local switching where the received dot1q tag traffic from one port is
cross-connected to another port by changing the tag. This is a 1-to-1 mapping service and there
is no MAC learning involved.
4-24
OL-16147-20
Chapter 4

Double tag Ethernet local switching where the received double tag traffic from one port is
cross-connected to another port by changing both tags. The mapping to each double tag
combination to the cross-connect is 1-to-1. There is no MAC learning involved.
Hairpinning:It is a cross connect between two EFPS on the same port.
Note
Connect service does not support identifying BPDU packets.
Selective QinQ (1-to-2 translation)

Cross connectSelective QinQ adds an outer tag to the received dot1q traffic and then tunnels
it to the remote end with Layer 2 switching or EoMPLS.
Double tag translation (2-to-2 translation) Layer 2 switchingTwo received tagged frames are
popped and two new tags are pushed.
Double tag termination (2-to-1 tag translation)

Ethernet MultiPoint Bridging over Ethernet (MPBE)The incoming double tag is uniquely
mapped to a single dot1q tag that is then used to do MPBE.

Double tag MPBEThe ingress line uses double tags in the ingress packet to look up the
bridging VLAN. The double tags are popped and the egress line card adds new double tags and
sends the packet out.
Double tag routingSame as regular dot1q tag routing except that double tags are used to
identify the hidden VLAN.
Local VLAN significanceVLAN tags are significant only to the port.

For the Cisco 7600 Series ES+ line card, the subinterface gets a hidden VLAN (a VLAN that is not
configured and is allocated internally) associated to the subinterface. The hidden VLAN number has
no correlation with the encapsulation VLAN (the VLAN visible to the user or in the wire). Because
the encapsulation is local to the port, you can have the same encapsulation VLAN in multiple ports.
Scalable EoMPLS VCSingle tag packets are sent across the tunnel.
QinQ policing and QoS
Layer 2 protocol data unit (PDU) packet

With connect and xconnect command, the Layer 2 PDUs are forwarded transparently
regardless if they are tagged or untagged.

With bridge-domain command, if the Layer 2 PDUs are tagged, packets are dropped by default;
if the Layer 2 PDUs are untagged, packets are treated per the physical port configuration. (With
an untagged service instance with bridge-domain command, the CPU stops the PDU depending
on the configuration). When the feature is configured on the EFP, the BPDU is passed by the
EFP to the feature which makes the decision accordingly.

Follow these restrictions and usage guidelines when configuring Flexible QinQ Mapping and Service
Awareness on the Cisco 7600 Series ES+ line cards:
Service Scalability:
Service Instances per network processor: 8000
Service instances per Line Card: 16000
OL-16147-20
4-25
Chapter 4
Service instances per port channel: 8000. This is subject to the number of members per NP. This
value would reduce by the factor of the member links per NP. If the member links are spread
across NPs, then the maximum number of service instances per port channel is unchanged.
Using TCAM entries: The number of TCAMs an EVC uses depends on the encapsulation
configured on the TCAM as shown in the following examples.

Example 1
service instance 1 eth
encap dot1q 100
TCAMS used - 1
Example 2
encap dot1q 200 second dot1q 300
TCAMs used - 1
Example 3
encap dot1q 201, 202
TCAMs used - 2 (one for each encapsulation)

Example 4
encap dot1q 20-40
TCAMs used - 4
First entry to match vlans 20-23
Second entry to match vlans 24-31
Third entry to match vlans 32-39
Fourth entry to match vlan 40
A range does not always mean multiple TCAMs as shown in this example where only one TCAM
entry is used.
Example 5
service instance 1 ethernet
encap dot1q 8-15
encap dot1q 2000 second-dot1q 96-127
TCAMs used per EVC : 1

Service instances per router: 32, 000
Bridge-domains per router: 4, 000
Local switching: 16, 000
Xconnect: 16, 000
Subinterface: 2, 000
Number of service instance on a particular domain: 110 per NP
QoS Scalability:
Service instances per router: 32, 000
Bridge-domains: 4, 000
4-26
OL-16147-20
Chapter 4

Local switching: 16, 000

Xconnect: 16, 000
Subinterface: 2, 000
QoS Scalability:
Shaping: Parent queue is 2,000 and child queue is 16,000
Marking: Parent queue is 2,000 and child queue is 16,000
Maximum number of child queues (leaf) supported for ES+T line card is 16 per port.
Modular QoS CLI (MQC) actions supported include:

Shaping
Bandwidth
Two priority queues per policy
The set cos command, set cos-inner command, set cos cos-inner command, and set cos-inner
cos command
WRED aggregate
Queue-limit
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
service instance id ethernet [service-name]
5.
encapsulation dot1q vlan-id
6.
rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad
vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q
vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}symmetric
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
OL-16147-20
4-27
Chapter 4
Step 3
Command
Purpose
interface gigabitethernet slot/port

or
Example:
Router(config)# interface
gigabitethernet 4/1
Step 4
service instance id ethernet

[service-name]
Creates a service instance (an instantiation of an EVC) on

an interface and sets the device into the config-if-srv
submode.
Example:
Router(config-if)# service instance 101
ethernet
Step 5
Example:
Defines the matching criteria to be used in order to map

ingress dot1q frames on an interface to the appropriate
service instance.
dot1q 13
Step 6
rewrite ingress tag {push {dot1q

vlan-id | dot1q vlan-id second-dot1q
vlan-id | dot1ad vlan-id dot1q vlan-id}
| pop {1 | 2} | translate {1-to-1
{dot1q vlan-id | dot1ad vlan-id}|
2-to-1 dot1q vlan-id | dot1ad vlan-id}|
1-to-2 {dot1q vlan-id second-dot1q
| 2-to-2 {dot1q vlan-id second-dot1q
vlan-id | dot1ad vlan-id dot1q
vlan-id}} symmetric
Specifies the tag manipulation that is to be performed on

the frame ingress to the service instance.
Example:
Router(config-if-srv)# rewrite ingress
tag push dot1q 20 symmetric
Examples
Single Tag VLAN Connect
This example shows an incoming frame with a dot1q tag of 10 enters TenGigabitEthernet 1/1. It is index
directed to TenGigabitEthernet 1/2 and exits with a dot1q tag of 11. No MAC learning is involved.
Note
Because there is a VLAN translation end to end, Layer2 protocol need to be carefuly considered.
Typically, the use case has both sides on the same encapsulation.
This example shows a typical configuration of a DSLAM facing port of the first PE router.
! DSLAM facing port
Router# enable
4-28
OL-16147-20
Chapter 4

Router(config)# interface TenGigabitEthernet 1/1

Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10
Router(config-if-srv)# rewrite ingress tag pop 1 symmetric
!L2 facing port
! connect service
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101
Double Tag VLAN Connect

In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters
TenGigabitEthernet 1/1. It is index directed to TenGigabitEthernet 1/2 and exits with an outer dot1q tag
of 11 and inner tag 21. No MAC learning is involved.
This example shows a typical configuration of a MPLS core facting port of the first PE router..
! DSLAM facing port
Router# enable
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
!L2 facing port
! connect service
Router(config)# connect EVC1 TenGigabitEthernet 1/1 100 TenGigabitEthernet 1/2 101
Selective QinQ with Xconnect

This configuration uses EoMPLS under the single tag subinterface to forward packets. This example
shows a typical configuration of a MPLS core facting port of the second PE router.
DSLAM facing port
Router# enable
Router(config-if-srv)# encapsulation dot1q 10-20,30,50-60
Router(config-if-srv)# xconnect 2.2.2.2 999 pw-class vlan-xconnect
!
Router(config)# interface Loopback1
Router(config-if)# ip address 1.1.1.1 255.255.255.255
MPLS core facing port

Router(config-if)# mpls ip
OL-16147-20
4-29
Chapter 4
Router(config-if)# mpls label protocol ldp
MPLS core facing port

!
Router(config)# interface Loopback1
CE facing EoMPLS configuration

Router# enable
Router(config-if-srv)# encapsulation dot1q 1000 second-dot1q any
Router(config-if-srv)# xconnect 1.1.1.1 999 pw-class vlan-xconnect
Selective QinQ with Layer 2 Switching

This configuration uses Layer 2 Switching to perform packet forwarding. The forwarding mechanism is
the same as MPBE; only the rewrites for each service instance are different.
DSLAM facing port, single tag incoming
Router# enable
Router(config-if-srv)# encapsulation dot1q 10-20
Router(config-if-srv)# bridge-domain 11
QinQ VLAN
Router(config-if)# switchport
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk vlan allow 11
Double Tag Translation (2-to-2 Tag Translation)

In this configuration, double-tagged frames are received on ingress. Both tags are popped and two new
tags are pushed. The packet is then Layer 2 switched to the bridge domain VLAN.
QinQ facing port
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 200 second-dot1q 20
symmetric
QinQ VLAN
4-30
OL-16147-20
Chapter 4


Double Tag Termination (2 to 1 Tag Translation)

The configuration in this example uses the Layer 2 switching.
Double tag traffic
!
!
Verification
Use these commands to verify operation.
Command
Purpose
Router# show ethernet service evc [id evc-id | interface

interface-id] [detail]
Displays information pertaining to a specific EVC if an EVC

ID is specified, or pertaining to all EVCs on an interface if an
interface is specified. The detailed option provides additional
information on the EVC.
Router# show ethernet service instance [id instance-id

interface interface-id | interface interface-id] [detail]
Displays information about one or more service instances: If a

service instance ID and interface are specified, only data
pertaining to that particular service instance is displayed. If
only an interface ID is specified, displays data for all service
instances s on the given interface.
Router# show ethernet service interface [interface-id]

[detail]
Displays information in the Port Data Block (PDB).
Router# show mpls l2 transport vc detail
Displays details of the virtual connection (VC).
Router# show mpls forwarding
Displays the contents of the Multiprotocol Label Switching

(MPLS) Label Forwarding Information Base (LFIB).
Note
Output should have the label entry l2ckt.
OL-16147-20
4-31
Chapter 4
Command
Purpose
Router# show connect
Displays statistics and other information about

Frame-Relay-to-ATM Network Interworking (FRF.5) and
Frame Relay-to-ATM Service Interworking (FRF.8)
connections.
Router# show xconnect
Displays information about cross-connect attachment circuits

and pseudowires.
Troubleshooting
Use these debug commands to troubleshoot Flexible QinQ feature.
Debug commands
Command
Purpose
[no] debug ethernet service evc [id <evc-id>]
Enables EVC debugging on the RP. If no EVC ID is specified,

debugging is enabled for all EVCs on the system.
[no] debug ethernet service instance [id <instance-id>

interface <interface-id> | interface <interface-id>]
Enables EFP debugging on the RP. If no options are specified,

debugging for all EFPs is enabled. If an EFP ID and interface
are specified, only those debug messages associated with the
EFP are displayed as the output. If only an interface is
specified, debug messages for all EFPs on that interface is
displayed.
[no] debug ethernet service interface [<interface-id>]
Enables PDB debugging.
[no] debug ethernet service api
Enables debugging between Ethernet Services Infrastructure

and its clients.
debug ethernet service oam-mgr
Enables OAM Manager debugging, to debug OAM

inter-working.
[no] debug ethernet service error
Enables ethernet service error debugging.
[no] debug ethernet service all
Enables EI debugging messages for all PDBs, EVCs and EFPs
Table 4-4 provides the troubleshooting solutions for the Flexible mapping feature.
Table 4-4
Troubleshooting Flexible mapping feature
Problem
Solution
Erroneous TCAM entries.
Use the show hw-module subslot subslot tcam command to

verify and the TCAM entries. Share the output with TAC for
further investigation.
Incorrect virtual VLAN IDs on a QinQ subinterface.
Use the test hw-mod subslot subslot command to verify the

virtual VLAN ID values on a QinQ subinterface. Share the
output with TAC for further investigation.
4-32
OL-16147-20
Chapter 4

Problem
Solution
Wrong interface configured and tag manipulation incorrectly Use the command show platform np interface detail to verfiy
programmed.
the interface and tag details. Share the output with TAC for
VLAN ID is incorrectly programmed
Use the command show hw-module subslot subslot tcam

all_entries vlan to verify the VLAN ID details. Share the
Inner, outer start/end VLANs incorrectly programmed.
Use the show platform np efp command to verify the VLAN

details. Share the output with TAC for further investigation.
Erroneous TCAM entries on the platform
Use the show plat soft qos tcamfeature and show plat soft
qos tcamt commands to verify the TCAM entries. Share the
Configuring MultiPoint Bridging over Ethernet on Cisco 7600

Series ES+ Line Cards
MultiPoint Bridging over Ethernet (MPBE) on Cisco 7600 Series ES+ line cards provides Ethernet LAN
switching with MAC learning, local VLAN significance, and full QoS support. MPBE also provides
Layer 2 switchport-like features without the full switchport implementation. MPBE is supported only
through Ethernet Virtual Connection Services (EVCS) service instances.
EVCS uses the concepts of EVCs (Ethernet virtual circuits) and service instances. An EVC is an
end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a
customer. It embodies the different parameters on which the service is being offered. A service instance
is the instantiation of an EVC on a given port on a given router.
For MPBE, an EVC packet filtering capability prevents leaking of broadcast/multicast bridge-domain
traffic packets from one service instance to another. Filtering occurs before and after the rewrite to
ensure that the packet goes only to the intended service instance.
You can use MPBE to:
Simultaneously configure Layer 2 and Layer 3 services such as Layer 2 VPN, Layer 3 VPN, and
Layer 2 bridging on the same physical port.
Define a broadcast domain in a system. Customer instances that are part of a broadcast domain can
be in the same physical port or in different ports.
Configure multiple service instances with different encapsulations and map them to a single bridge
domain.
Perform local switching between service instances under the same bridge domain.
Perform local switching across different physical interfaces using service instances that are part of
the same bridge domain.
Replicate flooded packets from the core to all service instances under the bridge domain.
Configure a Layer 2 tunneling service or Layer 3 terminating service under the bridge domain
VLAN.
MPBE accomplishes this by manipulating VLAN tags for each service instance and mapping the
manipulated VLAN tags to Layer 2 or Layer 3 services. Possible VLAN tag manipulations include:
Single tag termination
OL-16147-20
4-33
Chapter 4
Single tag tunneling
Single tag translation
Double tag termination
Double tag tunneling
Double tag translation
Selective QinQ translation

When configuring the MPBE over Ethernet on Cisco 7600 Series ES+ line cards, follow these
restrictions and usage guidelines:
Each service instance is considered as a separate circuit under the bridge-domain.
Encapsulation can be dot1q or QinQ packets.
440 MPB VCs are supported under one bridge-domain (110 per network processor).
IGMP snooping is supported with MPB VCs as long as the service instance is terminated on the
bridge-domain (must pop all tags, symmetric).
Split Horizon is supported with MPB VCs.
Untagged BPDU packets can be peered, dropped, or forwarded as data.
Tagged BPDU packets can be dropped or forwarded as data.
1.
enable
2.
configure terminal
3.
4.
[no] service instance id {Ethernet [service-name]}
5.
encapsulation dot1q vlan-id [second-dot1q vlan-id]
6.
[no] rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id |
dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2
{dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
7.
[no] bridge-domain bridge-id
SUMMARY STEPS
4-34
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or

Example:
gigabitethernet 4/1
Step 4
[no] service instance id {Ethernet

[service-name]}

submode.
Example:
ethernet
Step 5

[second-dot1q vlan-id]

service instance.
Example:
dot1q 10
Step 6
[no] rewrite ingress tag {push {dot1q

vlan-id}} symmetric
This command specifies the tag manipulation that is to be

performed on the frame ingress to the service instance.
Note
If this command is not configured, then the frame

is left intact on ingress (the service instance is
equivalent to a trunk port).
Example:
Step 7
Example:
Binds the service instance to a bridge domain instance

where bridge-id is the identifier for the bridge domain
instance.
OL-16147-20
4-35
Chapter 4
Examples
Single Tag Termination Example
In this example, the single tag termination identifies customers based on a single VLAN tag and maps
the single-VLAN tag to the bridge-domain.
Router# enable
Single Tag Tunneling Example

In this single tag tunneling example, the incoming VLAN tag is not removed but continues with the
packet.
Router# enable
Single Tag Translation Example

In this single-tag translation example, the incoming VLAN tag is removed and VLAN 200 is added to
the packet.
Router# enable
Router(config-if-srv)# rewrite ingress tag translate 1-to-1 dot1q 200 symmetric
Double Tag Tunneling Example

In this double tag tunneling example, the incoming VLAN tags are not removed but continue with the
packet.
Router# enable
4-36
OL-16147-20
Chapter 4

Double Tag Termination Configuration Example

In this double-tag termination example, the ingress receives double tags that identify the bridge VLAN;
the double tags are stripped (terminated) from the packet.
Router# enable
Router(config-if-srv)# encapsulation dot1q 10 inner 20
Router(config-if-srv)# encapsulation dot1q 40 inner 30
Double-Tag Translation Configuration Example

In this example, double tagged frames are received on ingress. Both tags are popped and two new tags
are pushed. The packet is then Layer-2-switched to the bridge-domain VLAN.
Router# enable
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 40 second dot1q 30
symmetric
Router(config-if-srv)# rewrite ingress tag translate 2-to-2 dot1q 10 second dot1q 20
symmetric
Selective QinQ Configuration Example

In this example, a range of VLANs is configured and plugged into a single MPB VC.
Router# enable
Untagged Traffic Configuration Example

In this example, untagged traffic is bridged to the bridge domain and forwarded to the switchport trunk.
Router# enable
OL-16147-20
4-37
Chapter 4

Router(config)# interface GigabitEthernet 2/1
Router(config-if)# no ip address
Router(config-if-srv)# encapsulation untagged
Router(config-if)# switchport trunk allowed vlan 11
MPBE with Split Horizon Configuration Example

In this example, unknown unicast traffic is flooded on the bridge domain except for the interface from
which the traffic originated.
Router# enable
Router(config-if-srv)# encapsulation dot1q 100 second-dot1q 10-20
Router(config-if-srv)# bridge-domain 100 split-horizon
Router(config-if-srv)# rewrite ingress tag symmetric translate 1-to-2 dot1q 10
second-dot1q 100 symmetric
Router(config-if)# mls qos trust dscp
In this example, service instances are configured on Ethernet interfaces and terminated on the bridge
domain.
Router# enable
Verification
Use these commands to verify operation.
4-38
OL-16147-20
Chapter 4

Backup Interface for Flexible UNI
Command
Purpose


interface is specified. The detail option provides additional

Displays information about one or more service instances: If a

instances on the given interface.

[detail]
Router# show ethernet service instance summary
Displays overall EVC count as well as individual interface

EVC count.

The Backup Interface for Flexible UNI feature allows you to configure redundant user-to-network
interface (UNI) connections for Ethernet interfaces, which provides redundancy for dual-homed devices.
You can configure redundant (flexible) UNIs on a network provider-edge (N-PE) device in order to
supply flexible services through redundant user provider-edge (U-PE) devices. The UNIs on the N-PEs
are designated as primary and backup and have identical configurations. If the primary interface fails,
the service is automatically transferred to the backup interface.
Figure 4-2 shows an example of how Flexible UNIs can be used when the Cisco 7600 series router is
configured as a dual-homed N-PE (NPE1) and as a dual-homed U-PE (UPE2).
Backup Interface for Dual-Homed Devices
NPE11
NPE10
ge2/4.4
gi3/0/0/0
primary
NPE12
fa1/0.4
ge2/4.2
backp
gi3/0/0/11
ge1/3.4
72a
fa1/0.2
NPE14
ge1/3.2
Note
191978
Figure 4-2
The configurations on the primary and backup interfaces must be identical.
The primary interface is the interface for which you configure a backup. During operation, the primary
interface is active and the backup (secondary) interface operates in standby mode. If the primary
interface goes down (due to loss of signal), the router begins using the backup interface.
OL-16147-20
4-39
Chapter 4
While the primary interface is active (up) the backup interface is in standby mode. If the primary
interface goes down, the backup interface transitions to the up state and the router begins using it in place
of the primary. When the primary interface comes back up, the backup interface transitions back to
standby mode. While in standby mode, the backup interface is effectively down and the router does not
monitor its state or gather statistics for it.
This feature provides the following benefits:
Supports the following Ethernet virtual circuit (EVC) features:

Frame matching: EVC with any supported encapsulation (Dot1q, default, untagged).
Frame rewrite: Any supported (ingress and egress with push, pop, and translate).
Frame forwarding: MultiPoint Bridging over Ethernet (MPBE), xconnect, connect.
Quality of Service (QoS) on EVC.
Supports Layer 3 (L3) termination.
Supports several types of uplinks: MultiProtocol Label Switching (MPLS), Virtual Private LAN
Service (VPLS), and switchports.
The Backup Interface for Flexible UNI feature makes use of these Ethernet components:
Ethernet virtual circuit (EVC)An association between two or more UNIs that identifies a
point-to-point or point-to-multipoint path within the provider network. For more information about
EVCs, see the Troubleshooting section on page 4-21.
Ethernet flow point (EFP)The logical demarcation point of an EVC on an interface. An EVC that
uses two or more UNIs requires an EFP on the associated ingress interface and egress interface of
every device that the EVC passes through.
Restriction and Usage Guidelines

Observe these restrictions and usage guidelines as you configure a backup interface for Flexible UNI on
the router:
Hardware and software support:

Supported on Cisco 7600 Series ES+ and ES20 line cards.
Supported with the Route Switch Processor 720 and Supervisor Engine 720.
Requires Cisco IOS Release 12.2(33)SRD or later.
You can use the same IP address on both the primary and secondary interfaces. This enables the
interface to support L3 termination (single or double tagged).
The configurations on the primary and backup interfaces must match. The router does not check that
the configurations match; however, the feature does not work if the configurations are not the same.
Note
If the configuration includes the xconnect command, you must specify a different VCID on
the primary and backup interfaces.
The duplicate resources needed for the primary and secondary interfaces are taken from the total
resources available on the router and thus affect available resources. For example, each xconnect
command consumes resources on both the primary and backup interfaces.
Any features configured on the primary and backup interfaces (such as bridge-domain, xconnect,
and connect commands) transition up or down as the interface itself transitions between states.
4-40
OL-16147-20
Chapter 4

Switchover time between primary and backup interfaces is best effort. The time it takes the backup
interface to transition from standby to active mode depends on the link-state detection time and the
amount of time needed for EVCs and their features to transition to the up state.
Configuration changes and administrative actions made on the primary interface are automatically
reflected on the backup interface.
The router monitors and gathers statistics for the active interface only, not the backup. During
normal operation, the primary interface is active; however, if the primary goes down, the backup
becomes active and the router begins monitoring and gathering statistics for it.
When the primary interface comes back up, the backup interface always transitions back to standby
mode. Once the signal is restored on the primary interface, there is no way to prevent the interface
from being restored as the primary.
1.
enable
2.
configure terminal
3.
interface type slot/port
4.
backup interface type interface
SUMMARY STEPS
Note
You must apply the same configuration to both the primary and backup interfaces or the feature
does not work. To configure EVC service instances on the interfaces, use the service instance,
encapsulation, rewrite, bridge-domain, and xconnect commands. For information, see the
Configuring MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ Line Cards section
on page 4-33 and the Configuring Any Transport over MPLS section on page 6-1.
5.
(Optional) backup delay enable-delay disable-delay
6.
(Optional) backup load enable-percent disable-percent
7.
exit
8.
(Optional) connect primary interface srv-inst interface srv-inst
9.
(Optional) connect backup interface srv-inst interface srv-inst
10. (Optional) connect primary interface srv-inst1 interface srv-inst2

11. (Optional) connect backup interface srv-inst1 interface srv-inst2
12. exit
OL-16147-20
4-41
Chapter 4
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Router(config)# interface type slot/port
Selects the primary interface. This is the interface you are

creating a backup interface for. For example, interface
gigabitEthernet 3/1 selects the interface for port1 of the
Gigabit Ethernet card installed in slot 3.
type specifies the interface type. Valid values are

gigabitethernet or tengigabitethernet.
slot/port specifies the location of the interface.
Example:
Router(config)# interface gigabitethernet 3/1
Step 4
Router(config-if)# backup interface type

interface
Selects the interface to serve as a backup interface.
Example:
Router(config)# backup interface
gigabitethernet 4/1
Note
Step 5
You must apply the same configuration to both the primary and backup interfaces or the feature does not work.
To configure EVC service instances on the interfaces, use the service instance, encapsulation, rewrite,
bridge-domain, and xconnect commands. For information, see the Configuring MultiPoint Bridging over Ethernet
on Cisco 7600 Series ES+ Line Cards section on page 4-33 and the Configuring Any Transport over MPLS
Router(config-if)# backup delay enable-delay
disable-delay
Example:
Router(config-if)# backup delay 0 0
(Optional) Specifies a time delay (in seconds) for enabling

or disabling the backup interface.
enable-delay is the amount of time to wait after the

primary interface goes down before bringing up the
backup interface.
disable-delay is the amount of time to wait after the

primary interface comes back up before restoring the
backup interface to the standby (down) state
Note
For the backup interface for Flexible UNI feature,

do not change the default delay period (0 0) or the
feature may not work correctly.
4-42
OL-16147-20
Chapter 4

Step 6
Command or Action
Purpose
Router(config-if)# backup load enable-percent

disable-percent
(Optional) Specifies the thresholds of traffic load on the

primary interface (as a percentage of the total capacity) at
which to enable and disable the backup interface.
Example:
Router(config-if)# backup load 50 10
Step 7
enable-percentActivate the backup interface when

the traffic load on the primary exceeds this percentage
of its total capacity.
disable-percentDeactivate the backup interface

when the combined load of both primary and backup
returns to this percentage of the primary interfaces
capacity.
Applying the settings from the example to a primary

interface with 10-Mbyte capacity, the router enables the
backup interface when traffic load on the primary exceeds
5 mb (50%), and disables the backup when combined
traffic on both interfaces falls below 1 Mbyte (10%).
Exits interface configuration mode and returns to global
configuration mode.
exit
Example:
Router(config-if)# exit
Step 8
Router(config)# connect primary interface

srv-inst interface srv-inst
(Optional) Creates a local connection between a single

service instance (srv-inst) on two different interfaces.
The connect primary command creates a connection
between primary interfaces.
Example:
Router(config-if)# connect primary gi3/2 gi3/3
Step 9
Router(config)# connect backup interface

srv-inst interface srv-inst
(Optional) Creates a local connection between a single

service instance (srv-inst) on two different interfaces.
The connect backup command creates a connection
between backup interfaces.
Example:
Router(config-if)# connect backup gi4/2 gi4/2
Step 10
Router(config)# connect primary interface

srv-inst1 interface srv-inst2
(Optional) Enables local switching between different

service instances (srv-inst1 and srv-inst2) on the same port.
Use the connect primary command to create a connection
on a primary interface.
Example:
Router(config-if)# connect primary gi3/2 gi3/3
Step 11
Router(config)# connect backup interface

srv-inst1 interface srv-inst2
(Optional) Enables local switching between different

service instances (srv-inst1 and srv-inst2) on the same port.
Use the connect backup command to create a connection
on a backup interface.
Example:
Router(config-if)# connect backup gi4/2 gi4/3
Step 12
Exits interface configuration mode.
exit
Example:
OL-16147-20
4-43
Chapter 4
Note
If you have configured any interface (L3, Switchport, or EVC) using the backup interface command,
then you are not supposed to run the shutdown command on the active interface. If you run shutdown,
then the standby interface will also go down.
The following example shows a sample configuration in which:
gi3/1 is the primary interface and gi4/1 is the backup interface.
Each interface supports two service instances (2 and 4), and each service instance uses a different
type of forwarding (bridge-domain and xconnect).
The xconnect command for service instance 2 uses a different VCID on each interface.
Router# enable
Router(config)# interface gi3/1
Router(config-if)# backup interface gi4/1
Router(config-if-srv)# exit
Router(config-if-srv)# xconnect 10.0.0.0 2 encap mpls
Router(config-if-srv)# xconnect 10.0.0.0 5 encap mpls
Verification
This section lists the commands to display information about the primary and backup interfaces
configured on the router. In the examples that follow, the primary interface is gi3/1 and the secondary
(backup) interface is gi3/11.
To display a list of backup interfaces, use the show backup command in privileged EXEC mode.
Our sample output shows a single backup (secondary) interface:
Router# show backup
Primary Interface
----------------GigabitEthernet 3/1
Secondary Interface
------------------GigabitEthernet 3/11
Status
-----normal operation
4-44
OL-16147-20
Chapter 4

To display information about a primary or backup interface, use the show interfaces command in
privileged EXEC mode. Issue the command on the interface for which you want to display
information. The following examples show the output displayed when the command is issued on the
primary (gi3/1) and backup (gi3/11) interfaces:
Router# show interface gi3/1
GigabitEthernet3/1 is up, line protocol is up (connected)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet 3/11, failure delay 0 sec, secondary disable delay
0 sec, kickin load not set, kickout load not set
[]
GigabitEthernet3/11 is standby mode, line protocol is down (disabled)
If the primary interface goes down, the backup (secondary) interface is transitioned to the up state, as
shown in the command output that follows. Notice how the command output changes if you reissue the
show backup and show interfaces commands at this time: the show backup status changes, the line
protocol for gi3/1 is now down (notconnect), and the line protocol for gi3/11 is now up (connected).
Router# !!! Link gi3/1 (active) goes down
22:11:11: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/1, changed state to down
22:11:12: %LINK-DFC3-3-UPDOWN: Interface GigabitEthernet3/11, changed state to up
22:11:12: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/1,
changed state to down
22:11:13: %LINEPROTO-DFC3-5-UPDOWN: Line protocol on Interface GigabitEthernet3/11,
changed state to up
Router# show backup
Primary Interface
Secondary Interface
Status
---------------------------------------GigabitEthernet3/1 GigabitEthernet3/11 backup mode
GigabitEthernet3/1 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800 (bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0
sec,
Example
Figure 4-3 shows a sample configuration of a backup interface for Flexible UNI. The configuration
includes several EVCs (service instances), configured as follows:
Service instance 4 is configured on primary and backup interfaces (links) that terminate in a bridge
domain, with a VPLS uplink onto network provider edge NPE12.
Service instance 2 is configured as scalable Ethernet over MPLS, peering with an SVI VPLS on
NPE12.
OL-16147-20
4-45
Chapter 4
Backup Interface for Flexible UNI Configuration
NPE11
NPE10
ge2/4.4
gi3/0/0/0
primary
NPE12
fa1/0.4
ge2/4.2
backp
gi3/0/0/11
ge1/3.4
72a
fa1/0.2
NPE14
ge1/3.2
191978
Figure 4-3
This is the configuration at NPE10:

interface ge2/4.4
description npe10 to npe11 gi3/11 backup - bridged
encapsulation dot1q 4
ip address 100.4.1.33 255.255.255.0
interface ge2/4.2
description npe10 to npe11 gi3/11 backup xconnect
ip address 100.2.1.33 255.255.255.0

interface ge1/3.4
description npe14 to npe11 gi3/1 primary - bridged
ip address 100.4.1.22 255.255.255.0
interface ge1/3.2
description npe14 to npe11 gi3/1 primary - xconnect
ip address 100.2.1.22 255.255.255.0
This is the configuration at 72a, at the user-facing provider edge (U-PE):

interface fa1/0.4
description 72a to npe12 bridged
ip address 100.4.1.12 255.255.255.0
interface fa1/0.2
description 72a to npe12 - xconnect
ip address 100.2.1.12 255.255.255.0

interface gigabitEthernet 3/1
backup interface gigabitEthernet 3/11
rewrite ingress tag pop 1 symmetric
xconnect 12.0.0.1 2 encapsulation mpls
bridge-domain 4
4-46
OL-16147-20
Chapter 4


bridge-domain 4

interface GE-WAN 4/3
description npe11 to npe12
ip address 10.3.3.1 255.255.255.0
mpls ip
l2 vfi vlan4 manual
vpn id 4
neighbor 12.0.0.1 4 encapsulation mpls
interface Vlan 4
xconnect vfi vlan4
l2 vfi vlan4 manual
vpn id 4
neighbor 11.0.0.1 4 encap mpls
interface Vlan4
description npe12 to npe11 xconnect
xconnect vfi vlan4
l2 vfi vlan2 manual
vpn id 2
interface Vlan2
xconnect vfi vlan2
interface GE-WAN 9/4
description npe12 to npe11
ip address 10.3.3.2 255.255.255.0
mpls ip
interface fastEthernet 8/2
description npe12 to 72a
switchport
switchport trunk encap dot1q
switchport mode trunk
switchport trunk allowed vlan 2-4
The primary interface is enabled:

NPE 11# show backup
Primary interface Secondary interface Status
-------------------------------------------GigabitEthernet3/1GigabitEthernet3/11 normal operation
NPE-11#sh int gi3/1
Hardware is GigEther SPA, address is 0005.dc57.8800(bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0
sec,kicking load not set, kickout load not set,
[...]
NPE-11# show interface gi3/11
GigabitEthernet 3/11 is standby mode, line protocol is down (disabled)
The primary link is disabled:

NPE 11#!!!Link gi3/1 (active) goes down
OL-16147-20
4-47
Chapter 4
22:11:11: % LINK-DFC3-3-UPDOWN:Interface GigabitEthernet3/1, changed state to down

22:11:12: % LINK-DFC3-3-UPDOWN:Interface GigabitEthernet3/1, changed state to up
22:11:12: % LINKPROTO-DFC3-3-5-UPDOWN:Line protocol on Interface GigabitEthernet3/1,
changed state to down
22:11:13: % LINKPROTO-DFC3-3-5-UPDOWN:Line protocol on Interface GigabitEthernet3/11,
changed state to up
NP-11# show backup
Primary interface Secondary interface Status
-------------------------------------------GigabitEthernet3/1GigabitEthernet3/11 backup mode
NP-11#sh int gi3/1
GigabitEthernet3/1 is down, line protocol is down (notconnect)
Hardware is GigEther SPA, address is 0005.dc57.8800(bia 0005.dc57.8800)
Backup interface GigabitEthernet3/11, failure delay 0 sec, secondary disable delay 0 sec
NPE-11#sh int gi3/11
GigabitEthernet 3/11 is up, line protocol is up (connected)
Troubleshooting
Table 4-5 provides troubleshooting solutions for the backup interface of the Flexible UNI feature.
Table 4-5
Problem
Troubleshooting Scenarios for backup interface of the Flexible UNI feature
Solution
The backup interface is in a standby state or the line protocol Use the show interfaces command on the specific interface in
is down
privileged EXEC mode to display interface and line protocol
details. Share the output with TAC for further investigation.
This sample output of the command is displayed when the
command on the primary (gi3/0/0) and backup (gi3/0/11)
interfaces:
NPE-11# show int gi3/0/0
GigabitEthernet3/0/0 is up, line protocol is up
(connected)
Hardware is GigEther SPA, address is 0005.dc57.8800
(bia 0005.dc57.8800)
Backup interface GigabitEthernet3/0/11, failure
delay 0 sec, secondary disable delay
0 sec, kickin load not set, kickout load not set
[...]
NPE-11# show int gi3/0/11
GigabitEthernet3/0/11 is standby mode, line protocol
is down (disabled)
4-48
OL-16147-20
Chapter 4

EVC On Port-Channel
EVC On Port-Channel
An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate
bandwidth of up to eight physical links.The EVC EtherChannel feature provides support for
EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.
For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3
LAN ports, see Configuring EtherChannels at
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/channel.html.
The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types.
Load balancing is accomplished on a Ethernet flow point (EFP) basis where a number of EFPs exclusively
pass traffic through member links. In a default load balancing, you have no control over how the EFPs
are grouped together, and sometimes the EFP grouping may not be ideal. To avoid this, use manual load
balancing to control the EFP grouping.

When configuring EVC EtherChannel, follow these restrictions and usage guidelines:
All member links of the port-channel are on Cisco 7600-ES+ line cards.
Bridge-domain, xconnect, connect EVCs, switchports, and IP subinterfaces are allowed over the
port-channel interface and the main interface.
The EFP limit decreases with the number of member links on the NP. For instance, if there are 4
members within the same NP, the EVC limit on the NP decreases to 2000, that is (8000/4).
Note
For a switchport (not for data traffic), use the service instance ethernet command to create
a service instance to support OAM requirements.
If you configure a physical port as part of a channel group, you cannot configure EVCs under that
physical port.
A physical port that is part of an EVC port-channel cannot have switchport configuration.
Total number of port channels EVCs per box is 16000.
Statically configuring port-channel membership with LACP is not supported.
You can apply QoS policies under EVCs on a port-channel with the exception that ingress microflow
policing is not supported. For more information on configuring QoS with EVCs, see Configuring
QoS, page 7-1.
You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat
policy-maps or in parent of HQoS policy-maps.
1.
enable
2.
configure terminal
3.
interface port-channel number
4.
[no] ip address
5.
[no] service instance id Ethernet [service-name]
SUMMARY STEPS
OL-16147-20
4-49
Chapter 4
EVC On Port-Channel
6.
encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}
7.
vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
8.
[no] bridge-domain bridge-id or xconnect vfi vfi name
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Creates the port-channel interface.
Example:
Router(config)# interface port-channel
11
Step 4
[no] ip address
Assigns a subnet mask to the ethernet channel.
Example:
Step 5
[no] service instance id Ethernet

[service-name}

submode.
Example:
ethernet
Step 6
encapsulation {default|untagged|dot1q
vlan-id [second-dot1q vlan-id]}

service instance.
Example:
dot1q 13
4-50
OL-16147-20
Chapter 4

EVC On Port-Channel
Step 7
Command
Purpose

vlan-id}} symmetric

Example:
Step 8
xconnect vfi vfi name
The bridge-domain command binds the service instance

to a bridge domain instance where bridge-id is the
identifier for the bridge domain instance.
Example:
The xconnect command specifies the Layer 2 VFI that

you are binding to the VLAN port.
or
Examples
This example shows a single port-channel interface is created with three possible member links from
slots 1 and 2:
Router# enable
Router(config)# interface Port-channel5
Router(config-if)# channel-group 5 mode on
This example shows scalable Eompls and EVC connect sample configuration.
Router#enable
Router#configure terminal
Router(config)#interface GigabitEthernet 3/0/0
Router(config-if)#service instance 10 ethernet
Router(config-srv)#encapsulation dot1q 20
Router(config-if-srv)#rewrite ingress tag pop 1 sym
Router(config-if-srv)#exit
Router(config-if)#exit
Router(config)#interface GigabitEthernet 3/0/1
Router(config-srv)#encapsulation dot1q 30
Router(config-if-srv)#rewrite ingress tag pop 1 sym
Router(config)#connect TEST GigabitEthernet 3/0/0 10 GigabitEthernet 3/0/1 12
Router#sh connection all
ID
Name
Segment 1
Segment 2
State
================================================================================
57
TEST
Gi3/0/0:10
Gi3/0/1:12
UP
This is a typical QoS configuration.
OL-16147-20
4-51
Chapter 4
EVC On Port-Channel
Router# enable
Router(config)# interface port-channel10
Router(config-if)# service-policy input x
Router(config-if)# service-policy output y
se the following commands to verify the configuration.

Command
Purpose


interface is specified. The detailed option provides additional
Router# show ethernet service instance interface

port-channel number [summary]
Displays the summary of all the configured EVCs within the

interface.

Displays information about one or more service instances. If a

instances s on the given interface.
Router# show mpls l2 transport vc detail
Displays detailed information related to the virtual connection

(VC).

Note
Router# show etherchannel summary
Displays view all EtherChannel groups states and ports.
Router# show policy-map interface service instance
Displays the policy-map information for a given service

instance.
Troubleshooting
Table 4-6 provides the troubleshooting solutions for the EVC on a Port-Channel.
Table 4-6
Troubleshooting Scenarios for EVC on a Port-Channel
Problem
Solution
Port data block issues in port channel
Use the show ethernet service interface [interface-id]

[detail] command to view information on the port data. Share
the output with TAC for further investigation.
Issues with platform events or errors
Use the debug platform npc custom-ether client [event,

error] command to debug and trace platform issues. Share the
4-52
OL-16147-20
Chapter 4

Configuring SPAN on EVC

Currently, traffic mirroring, lawful intercept, or Switched Port Analyzer (SPAN) on a per service
instance is unavailable.
The existing command line interface supports configuring interface and VLAN as the local SPAN
source. The same command line interface is enhanced to accept service instance IDs along with the
interface. Since an EVC is support only for the local session SPAN, service instance options for the
SPAN source are added in the local SPAN configuration submode.
You configure SPAN to intercept traffic in three ways:
SPAN on Port: The traffic on all EVCs on the port or port channel is included for a SPAN session
along with routed traffic on that port.
SPAN on VLAN: The traffic on all EVC bridge-domains with the same VLAN is included for a
SPAN session along with other switchports on the same VLAN.
SPAN on EVC: The traffic on a given EFP or a set of EFPs is included for a SPAN session.

Follow these restrictions and usage guidelines while configuring SPAN on EVC, follow these
Only Local SPAN is supported.
EVC SPAN is effective only if the EVC is on the ES+ line card.
EVC as a SPAN destination is not supported.
Egress SPAN packet does not undergo QoS processing.
If a combination of switchports and EVC bridge-domain exists, then for flood case packet on both
is spanned. VLAN and SPAN are configured in the transmit direction on the source port.
If a combination of different EVC bridge-domain exists, then for flood case packet on all the EVCs
is spanned. VLAN and SPAN are configured in the transmit direction on the source port.
EVC SPAN does not work with multiple destination ports.
For EVCs configured as a part of more than one SPAN session (EVC, VLAN, or port), traffic is
monitored on only one session.
EFPs and VLAN cannot be configured as source in the same monitor session.
For a 10G port, the aggregate of ingress traffic and SPAN traffic cannot exceed 10G.
For a 10G port with port-shaper, the aggregate of port traffic and SPAN traffic cannot exceed the
port-shaper.
For a 1G port, the total SPAN traffic can be as high as 10G, but due to network processor limitations
and fabric bottleneck, the net traffic can be reduced.

Complete the following steps to configure SPAN on EVC.
OL-16147-20
4-53
Chapter 4
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
[no] ip address
5.
[no] service instance id Ethernet [service-name]
6.
encapsulation {default|untagged|dot1q vlan-id [second-dot1q vlan-id]}
7.
8.
exit
9.
monitor session local_span_session_number type [local | local-tx]
10. source {interface | service instance | vlan}{GigabitEthernet |Port-channel | TenGigabitEthernet} [rx
| tx | both]
11. destination interface{GigabitEthernet |Port-channel | TenGigabitEthernet}
12. [no] shutdown
13. end
DETAILED STEPS
Command
Purpose
Step 1
enable
Enables privileged EXEC mode. Enter your password if

prompted.
Step 2
configure terminal
Step 3
Step 4
[no] ip address
Assigns a subnet mask to the ethernet channel.
Step 5

[service-name}

an interface and sets the device to the ethernet service
configuration submode.
Step 6
encapsulation {default|untagged|dot1q
vlan-id [second-dot1q vlan-id]}
Defines the matching criteria to map ingress dot1q frames

on an interface to the appropriate service instance.
Step 7
rewrite ingress tag {push {dot1q vlan-id | Specifies the tag manipulation on the frame ingress to the
dot1q vlan-id second-dot1q vlan-id | dot1ad service instance.
vlan-id dot1q vlan-id} | pop {1 | 2} |
translate {1-to-1 {dot1q vlan-id | dot1ad
vlan-id}| 2-to-1 dot1q vlan-id | dot1ad
vlan-id}| 1-to-2 {dot1q vlan-id
second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | 2-to-2 {dot1q vlan-id
vlan-id}} symmetric
Step 8
exit
Exits to global configuration mode.
4-54
OL-16147-20
Chapter 4

Command
Purpose
Step 9
monitor session
local_span_session_number type [local |
local-tx]
Configures a monitor session using a SPAN session

number and enters the SPAN session configuration mode.
Step 10
source {interface | service instance |

vlan}{GigabitEthernet |Port-channel |
TenGigabitEthernet} [rx | tx | both]
Associates the SPAN session number with source ports,

VLANs, or EVC, and selects the traffic direction to be
monitored.
Step 11
destination interface{GigabitEthernet
|Port-channel | TenGigabitEthernet}
Associates the SPAN session number with the

destinations.
Step 12
no shutdown
Activates the SPAN session.
Step 13
end
Exits configuration mode.
Sample Configuration
This is an example for configuring SPAN on EVC.
Router# enable
Router(config)# interface port-channel 11
Router(config-if-srv)# rewrite ingress tag push dot1q 20 symmetric
Router(config)# monitor session 1 type local
Router(config-mon-local)# source service instance 2 - 100 Port-channel 1 both
Router(config-mon-local)# destination interface Port-channel 3
Router(config-mon-local)# no shut
Router(config-mon-local)# end
Verifying SPAN on EVC

This section provides the commands to verify the SPAN configuration.
Router# show monitor session
Session 1
--------Type
:
Status
:
Source EFPs
:
Both
:
Destination Ports
:
Local Session
Admin Enabled
Po1:
Po3
2-100
Router# show run | section monitor

monitor session 1 type local
source service instance 2 - 100 Port-channel1
destination interface Po3
Troubleshooting
For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this
location:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
OL-16147-20
4-55
Chapter 4

An Ethernet link bundle or port-channel is an aggregation of up to eight physical Ethernet links to form
a single logical link for L2/L3 forwarding. Bundled Ethernet ports are used to increase the capacity of
the logical link and provide high availability and redundancy. The EVC EtherChannel feature provides
support for EtherChannels on Ethernet Virtual Connection Services (EVCS) service instances.
For more information on EtherChannels, and how to configure EtherChannels on Layer 2 or Layer 3
LAN ports, see "Configuring EtherChannels" at
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/channel.html.
The EVC EtherChannel feature supports MPBE, local connect, and xconnect service types. IEEE
802.3ad/Link Aggregation Control Protocol (LACP) provides an association of port-channels. The
LACP support for EVC Port Channel feature supports service instances over bundled Ethernet links.
Ethernet flow points (EFPs) are configured under a port-channel. The traffic, carried by the EFPs, is
load-balanced across member links. EFPs under a port-channel are grouped and each group is associated
with one member link. Ingress traffic for a single EVC can arrive on any member of the bundle. All
egress traffic for an EFP uses only one of the member links. Load balancing is achieved by grouping
EFPs and assigning them to a member link.
The scalability for a link-bundling EVC is 16000 per chassis. Port Channel EVC scalability for ES+ line
cards is dependent on the same factors as EVCs configured under physical interfaces, with the number
of member links and their distribution across the NPU as an additional parameter. EVC port-channel
QoS leverages EVC QoS infrastructure. For more information on the scalable values, see Restrictions
and Usage Guidelines, page 4-25.

When configuring EVC EtherChannel, follow these restrictions and usage guidelines:
All member links of the port-channel are on Cisco 7600-ES+ line cards.
Only bridge-domain, xconnect, connect EVCs, and IP subinterfaces are allowed over the
port-channel interface. You cannot apply a switchport and EVC configuration under the same
port-channel interface.
If you configure a physical port as part of a channel group, you cannot configure EVCs under that
physical port.
A physical port that is part of an EVC port-channel cannot have switchport configuration.
You can apply QoS policies under EVCs on a port-channel with the exception that ingress microflow
policing is not supported. For more information on configuring QoS with EVCs, see Configuring
QoS, page 7-1.
You cannot use the bandwidth percent or police percent commands on EVC port-channels in flat
policy-maps or in parent of HQoS policy-maps.
1.
enable
2.
configure terminal
3.
interface port-channel
4.
[no] ip address
SUMMARY STEPS
4-56
OL-16147-20
Chapter 4

5.
service instance id Ethernet [service-name]
6.
7.
rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q
vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} symmetric
8.
9.
10. channel-protocol {lacp | pagp}

11. channel-group channel-group-number mode {active | on | passive}
Note
The channel-group command options are applicable when configuring port-channel over EVC and the
options active/passive are applicable when configuring port-channel over EVC with LACP.
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
12
Step 4
[no] ip address
Assigns a subnet mask to the EtherChannel.
Example:
Step 5

[service-name]
Creates a service instance (an instance of an EVC) on an

interface and sets the device into the config-if-srv
submode.
Example:
ethernet
OL-16147-20
4-57
Chapter 4
Step 6
Command
Purpose
Defines the matching criteria to be used to map ingress

dot1q frames on an interface to the appropriate service
instance.
Example:
dot1q 13
Step 7

vlan-id}} symmetric

Example:
Step 8
Example:

instance.
Step 9

or the port-channel interface to configure.
Example:
Router (config) # interface gig 5/1
Step 10
channel-protocol {lacp | pagp}
Sets the protocol that is used on an interface to manage

channeling.
Example:
Router(config-if)# channel-protocol
lacp
Step 11
channel-group channel-group-number mode

{active | on | passive}
Assigns and configures an EtherChannel interface to an

EtherChannel group.
Example:
Router(config-if)# channel-group 5 mode
active
Examples
In this example, a single port-channel interface is created with three possible member links from slots 1
and 2:
Router# enable
4-58
OL-16147-20
Chapter 4


!
!
Router# enable
Router(config)# interface Port-channel5.1
Router(config-if-srv)# encapsulation dot1Q 500 second-dot1q 300
!
Router(config-if)# channel-protocol lacp
Router(config-if)# channel-group 5 mode active
This is a typical QoS configuration.

Router# enable
Router(config)# interface port-channel10
Router(config-if)# service-policy input x
Router(config-if)# service-policy output y
This is configuration for LACP over a configured EVC port-channel, under an interface:
Router# enable
Router(config-if)# channel-group 5 mode ?
Router(config-if)# channel-group 5 mode passive
This is a port-channel configuration:

Router# enable
Router(config-if)# interface Port-channel102
Router(config-if)# mtu 9216
Router(config-if)# lacp fast-switchover
Router(config-if)# lacp max-bundle 1
Router(config-if)# encapsulation dot1q 50
OL-16147-20
4-59
Chapter 4
Router(config-if)# rewrite ingress tag pop 1 symmetric

Router(config-if)# service-policy output lacp-parent
Router(config-if)# bridge-domain 50
This is a member links configuration:

Router# enable
Router(config-if)# interface GigabitEthernet 3/12
Router(config-if)# lacp rate fast
Verification
Use these commands to verify EVC configuration.
Command
Purpose

Displays information that verifies details of a specific EVC,

and also verifies if an EVC ID is specified for all the EVCs on
an interface.
Router# show ethernet service instanceinterface-id

port-channel number [summary]
Displays the summary of all the EVCs configured within the

interface.


only an interface ID is specified, data for all service instances
on the given interface is displayed.

[detail]
Use the following commands to verify LACP over EVC

Router# show etherchannel 15 port-channel
Displays details for port-channel 15. This command is

common to EVC port-channel, switchport port-channel, and
Layer 3 port-channel.
Troubleshooting
For information on troubleshooting LACP support for EVC Port Channel feature, see Table 4-6 on
page 4-52.
4-60
OL-16147-20
Chapter 4


ACLs (Access Control Lists) perform the following tasks:
Apply security and QoS at the interface, sub-interface, and service levels.
Filter the packets in a modular manner.
You can use a collection of sequential ACL rules to filter network traffic. Though the ACLs are applied
on a network interface, you can use this feature to apply Layer 2 on different EVCs. Table 4-7 maps the
supported layers with their parameters and Table 4-8 lists the commands used to activate the Layer 2
ACLs.
Table 4-7
Mapping between the ACL supported layers to the parameters
Layer
Based on
Layer 2
Table 4-8
MAC source and destination
ACL commands
Layer
Action
Layer 2
Create a Layer 2 Access List mac access-list extended {aclname}

Apply an Access list within
the EVC
Command
mac access-group {aclname} in

Follow these restrictions and usage guidelines when you configure ACLs on a EVC:
A Layer 2 ACL is supported only on the ingress.
You can apply a single ACL to more than one EFP.
If a Layer 2 ACL is applied to an EFP (Ethernet Flow Point) with a Layer 2 ACL, the new ACL
replaces the previous ACL.
A Layer 2 ACL configuration applied on the EVC interface should contain the source MAC address,
destination MAC address, and the address mask.
You can apply a maximum of 256 unique ACLs on all the EVCs.
Maximum number of 16 ACEs (Access Control Elements) per ACL are supported.
The counters are supported per ACL per EVC.
Cisco IOS Release 15.1(1)S supports EVC port-channels.
Creating a Layer 2 Access Control List

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
mac access-list extended {aclname} {permit | deny} {host a.b.c host x.y.z}
OL-16147-20
4-61
Chapter 4
4.
exit
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
mac access-list extended aclname {permit

| deny} {host a.b.c host x.y.z}
Creates a Layer 2 Access List on the selected interface.
Example:
me7600-5(config)#mac access-list extended
test-l2-acl
Step 4
Exits the configuration mode.
exit
Applying a Layer 2 Access Control List

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet type/ slot/port [subinterface-number] or interface tengigabitethernet

type/ slot/port [subinterface-number]
4.
[no] service instance id {Ethernet}
5.
encapsulation dot1q vlan id
6.
mac access- group aclname in
7.
exit
4-62
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface gigabitethernet type/ slot/port

[subinterface-number]
or
interface tengigabitethernet type/
slot/port [subinterface-number]
Specifies the gigabit ethernet or the ten gigabit ethernet interface

to configure, where:
slot/subslot/portSpecifies the location of the interface.
subinterface-number(Optional) Specifies a secondary

interface (sub-interface) number.
Example:
Router(config)# interface gigabitethernet
4/0/0
Step 4

[service-name
]}
Creates a service instance on an interface and sets the device to the

config-if-srv configuration mode.
Example:
ethernet
Step 5
encapsulation dot1q
vlan id
Defines the matching criteria to map ingress dot1q frames on an

interface to the appropriate service instance.
Note
Example:
dot1q 5
Step 6
mac access- group
aclname
in
Use the encapsulation dot1q default command to

configure the default service instance on a port. Use the
encapsulation dot1q untagged command to map the
untagged ethernet frames on an ingress interface to a
service instance.
Applies a L2 ACL on the selected EVC.

Note
L2 ACL displays only positive permit and deny counts.
Example:
me7600-5(config-if-srv)# mac access-group
test-l2-acl in
Step 7
exit
Examples
You can view the ACL counters for an EVC as shown in this example:
LLB-India-7#sh ethernet service instance id 1 int gig3/0/0 detail
Service Instance ID: 1
L2 ACL (inbound): l2acl
<=====
Associated Interface: GigabitEthernet3/0/0
Associated EVC: test
OL-16147-20
4-63
Chapter 4
L2protocol drop
CE-Vlans:
Interface Dot1q Tunnel Ethertype: 0x8100
State: Up
L2 ACL permit count: 0
L2 ACL deny count: 0
EFP Statistics:
Pkts In
Bytes In
Pkts Out Bytes Out
0
0
0
0
<=====
<=====

DHCP snooping determines whether traffic sources are trusted or untrusted. An untrusted source may
initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages
traffic from untrusted sources.
To do this, DHCP snooping dynamically builds and maintains the DHCP snooping database using
information extracted from intercepted DHCP messages. The database contains an entry for each
untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping
enabled. The database does not contain entries for hosts connected through trusted interfaces.
Each entry in the DHCP snooping database includes the MAC address of the host, the leased IP address,
the lease time, the binding type, and the VLAN number and interface information associated with the
host.
Additionally, the DHCP Snooping with Option-82 feature can centrally manage the IP address
assignments for a large number of subscribers. When this feature is enabled on the router, a subscriber
device is identified by the router port through which it connects to the network (in addition to its MAC
address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router
and are uniquely identified.
However, EVCs require additional information. If each EVC on an interface is mapped to a single VPN,
it would be possible to use the internal VLAN to identify the path for reply packets. However, because
multiple EVCs with different encapsulations can map to the same VPN, it is necessary to use the actual
EVC encapsulation to distinguish between EVCs.
The DHCP Snooping with Option-82 on EVC feature allows the user to provide this additional
information required for EVC-enabled interfaces. This information is inserted into the option 82 and is
also stored in the binding table for retrieval by other services.
Use the ip dhcp snooping information option allow-untrusted command to enable the switch to accept
incoming DHCP snooping packets with option 82 information from the edge switch. DHCP option 82
data insertion is enabled by default. Accepting incoming DHCP snooping packets with option 82
information from the edge switch is disabled by default.
Use the ip dhcp relay information option subscriber-id command to configure a subscriber string for
an EVC that can be inserted into the option 82 field along with other information when relaying the
DHCP packets to the server. The server can parse the option 82 information to match the subscriber
string and act accordingly. The subscriber string configured for an EVC will not be stored in the binding
table and is only used when sending DHCP packets to the server by inserting into the option 82 field.
For additional information on DHCP Snooping and Option-82 on the Cisco 7600 router, see Configuring
DHCP Snooping at
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/snoodhcp.html.
4-64
OL-16147-20
Chapter 4


Follow these restrictions and usage guidelines while you configure DHCP Snooping with Option-82:
An EVC with multiple encapsulations is not supported.
The following EVCs are supported on the same interface and bridge-domain:
dot1q encapsulation
QinQ encapsulation
Untagged encapsulation
4000 EVCs are supported per port.
32000 EVCs are supported per router.
Multiple EVCs are supported on the same port, all having the same or different bridge domains.
Multiple EVCs are supported on different ports, all having the same or different bridge domains.
With Cisco IOS Release 12.2(33)SRE, DHCP snooping with Option 82 is supported on EVC
port-channels.
DHCP snooping is not supported with lag NNI VPLS core.
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface

port-channel number
4.
[no] ip address
5.
negotiation {forced | auto}
6.
7.
8.
9.
ip dhcp relay information option subscriber-id value
SUMMARY STEPS
10. [no] bridge-domain bridge-id
OL-16147-20
4-65
Chapter 4
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
interface gigabitethernet
slot/subslot/port[.subinterface-number]
or
interface tengigabitethernet
slot/subslot/port[.subinterface-number]
or
Specifies the gigabit ethernet or the ten gigabit ethernet

Example:
Step 4
no ip address
Removes an IP address or disables IP processing.
Example:
Router# Router(config-if)# no ip address
Step 5
negotiation {forced | auto}
Enable advertisement of speed, duplex mode, and flow

control on a gigabit ethernet interface.
Example:
Router(config-if)# negotiation auto
Step 6
[no] service instance id Ethernet [service-name}
Example:
Creates a service instance (an instantiation of an EVC)

on an interface and sets the device into the config-if-srv
submode.
Step 7
Example:

service instance.
4-66
OL-16147-20
Chapter 4

Step 8
Command
Purpose
rewrite ingress tag {push {dot1q vlan-id | dot1q

vlan-id second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id} | pop {1 | 2} | translate {1-to-1
{dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q
vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q
vlan-id | dot1ad vlan-id dot1q vlan-id}}
symmetric
Specifies the tag manipulation to be performed on the

frame ingress to the service instance.
Example:
Router(config-if-srv)# rewrite ingress tag push
dot1q 20 symmetric
Step 9
ip dhcp relay information option subscriber-id

value
Configures a subscriber string that uniquely identifies

the interface from where the DHCP packets originate.
Example:
Router(config)# ip dhcp relay information option
subscriber-id 123
Step 10
Example:

instance.
Example
This example shows a typical configuration on the relay agent and the server. This is a configuration on
the relay agent:
Router# enable
Router(config)# interface GigabitEthernet8/1
ip dhcp relay information option subscriber-id 11
Router(config)# interface Vlan100
Router(config-if)# ip helper-address global 20.0.0.2
Router(config-if)# ip helper-address 20.0.0.2

Router(config-if)# ip dhcp snooping packets
!
This is the configuration on the server:

:
Router# enable
OL-16147-20
4-67
Chapter 4

Router(config-if)# end
Router(config)# ip dhcp pool pool1
Router(dhcp-config)# network 10.0.0.0 255.255.0.0
lease 2
Router(dhcp-config)# update arp
class C1
address range 10.0.0.2 10.0.0.10
class C2
address range 10.0.0.11 10.0.0.20
!
Router(config)# network 11.0.0.0 255.255.0.0 lease 2
!
vrf vrf1
Router(config)# network 10.0.0.0 255.255.255.0 lease 0 0 2
!
!
ip dhcp class C1 <-----------Class C1 maps to the subcriber-id string aabb11.
relay agent information
relay-information hex 00000000000000000000000000000006616162623131 mask
fffffffffffffffffffffffffffffff0000000000000
!
ip dhcp class C2
relay agent information
relay-information hex 00000000000000000000000000000006313162626161 mask
fffffffffffffffffffffffffffffff0000000000000
******************************************************************************************
Verification
Use this commands to verify operation.
Command
Purpose
Router# show ip dhcp snooping
Displays all VLANs (both primary and secondary) that have

DHCP snooping enabled.
Router# show ip dhcp snooping binding
Checks the DHCP snooping database.
Troubleshooting
Table 4-9 provides the troubleshooting solutions for the DHCP Snooping feature.
4-68
OL-16147-20
Chapter 4

Table 4-9
Troubleshooting Scenarios for DHCP Snooping feature
Problem
Solution
DHCP snooping database is not storing any bindings
Complete the following steps to verify and troubleshoot:

1.
Use the show ip dhcp snooping binding command to

check whether there are non-zero bindings built on the
binding table.
2.
The show ip dhcp snooping binding command displays

the total number of bindings as a non-zero value. If not,
check whether the DHCP snooping database agent is
configured correctly. If no bindings exist, it implies that
they were never built or the lease expired. Reconfigure the
bindings with a longer lease period. If the lease time is
configured as maximum (4294967295 seconds effective
from 12.2(33) SRD ), the bindings do not expire.
3.
Use the ip dhcp snooping database command to check if

the DHCP snooping database agent is configured
correctly and is currently running.
Bindings are not getting stored in the database agent
Read the database agent file to check if bindings are stored in

that file. If not, go to Step 3 of the previous solution. If there
is at least one binding stored in the database file , it implies
that the database agent is working fine.
DHCP snooping is not active on the router
DHCP snooping is active on the router only when it is

configured globally and on at least one interface VLAN.
Check if the ip dhcp snooping command exists in the running
and global configuration modes, and at least on one VLAN
interface. If not, configure the feature as described in
Configuring Layer 2 Access Control Lists (ACLs) on an EVC,
page 4-61.
If the configurations exist, use the debug ip dhcp snooping
packets command to check whether or not DHCP packets are
being exchanged between the DHCP server and the client. If
yes, proceed to Step 3 listed in the solution for DHCP
snooping database is not storing any bindings problem. If not,
check the configurations for the DHCP server and client and
whether all the connections to the DHCP relay agent are fine.
If the problem persists, contact TAC.

The Dynamic Host Configuration Protocol (DHCP) snooping over a pseudo-multichassis Link
Aggregate Control Protocol (p-mLACP) feature synchronizes the DHCP snooping database between the
Point of Attachments (PoAs) in a network. The synchronization of the DHCP database allows the
multicast traffic to flow with the least interruption when the p-mLACP fails. This feature uses the
Interchassis Communication Protocol (ICCP) to synchronize the DHCP snooping database with the peer
PoAs to provide multi-chassis redundancy. When the multi-chassis Link Aggregation (mLAG)
transitions from a standby VLAN to the active VLAN on a chassis, this feature facilitates the state
OL-16147-20
4-69
Chapter 4
change with minimal traffic disruption in the network. A system configured with DHCP snooping creates
a DHCP snooping database, which contains DHCP snooping entries (MAC/IP bindings) learnt from the
different VLANs.
The DHCP snooping binding data is added in the active supervisor after successfully synchronizing the
snooping information between the local standby and remote PoAs (active and standby supervisor PoA).
Note
For more information on pmLACP and p-mLACP failure, see Pseudo MLACP Support on Cisco 7600
section in the Cisco 7600 Series ES+ and ES+T Line Card Configuration Guide.
DHCP Snooping State Synchronization

The DHCP snooping state synchronization involves these steps:
0.
The active PoA synchronizes the DHCP snooping binding tables with the standby PoA.
1.
The standby PoA uses the synchronized DHCP binding information for IP source guard (IPSG) and
Dynamic ARP Inspection (DAI).
2.
On switchover, the standby EFP becomes active and any spoofed ARP, MAC or IP traffic is dropped
by the new Active PoA.
Restrictions for DHCP Snooping over p-mLACP

Following restrictions apply for the DHCP Snooping over p-mLACP feature:
The manual load-balance VLAN list and LAG configuration should be same on both the PoAs.
The bridge-domain configured under a p-mLACP port-channel EVC should not be part of any other
non-pmLACP interfaces.
For proper DHCP snooping database synchronization, ensure that the ICRM link is up.
All the PoAs should be configured as p-mLACP peers to enable DHCP snooping database
synchronization.
It is recomended that all the PoAs should be configured for non-revertive mode.
During the mLACP failures A, B, C, and E, the database entries are not lost. In case of p-mLACP
failure D, the database entries are lost but they are restored after synchronization with the peer PoA
through the ICRM link.
The maximum number of DHCP Snooping entries supported per PoA is 20000; 10000 entries on the
active VLAN on the active PoA and 10000 entries synchronized from another PoA through the ICCP
link.
This feature is supported on the ES20 and ES+ line cards in the access mode only.
This feature is supported on both SUP720 and RSP720 (1 GHz & 10 GHz).
For the Virtual Private Lan Service (VPLS)-decoupled mode, all the Ethernet Flow Points (EFPs)
participating in a bridge-domain should have the outer tag VLAN range set to either primary or
secondary VLANs, but not both.
If an EFP is deleted from a PoA, you should remove it from the all the peer PoAs.
While adding EFPs to a PoA, add the standby EFP before adding the active EFP.
IP FRR functionality is not supported with p-mLACP.
4-70
OL-16147-20
Chapter 4

Note
All the p-mLACP restrictions also apply to this feature.

Table 4-10 lists the scalability numbers for DHCP Snooping state synchronization:
Table 4-10
Scalability Numbers for p-mLACP DHCP Snooping State Synchronization
Feature
Per PoA
DHCP snooping entries
20000
Troubleshooting Tips
Table 4-11 lists the commands to troubleshoot the p-mLACP DHCP Snooping State Synchronization.
Table 4-11 Troubleshooting Scenarios
Command
Use
debug ip dhcp snooping event
Use this command to enable the debugging of the

events involved in DHCP snooping.
debug ip dhcp snooping packet
Use this command to display the debugging

messages for DHCP snooping.
show ip dhcp snooping multi-chassis
Use this command to display status of bulk

synchronization.
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State

Synchronization
The pseudo-multichassis Link Aggregate Control Protocol (p-mLACP) Internet Group Management
Protocol (IGMP) Snooping State Synchronization feature synchronizes the IGMP snooping database
between the Point of Attachments (PoAs) in a network. The synchronization of the IGMP database
allows the multicast traffic to flow with the least interruption when an mLACP fails. The p-mLACP
IGMP snooping function uses the Interchassis Communication Protocol (ICCP) to synchronize the
IGMP snooping database with the peer PoAs. When the mLAG transitions from a standby VLAN to the
active VLAN on a chassis, this feature facilitates the state change with minimal traffic disruption in the
network.
Note
For more information on pmLACP and p-mLACP failure, see Pseudo MLACP Support on Cisco 7600
section in the Cisco 7600 Series ES+ and ES+T Line Card Configuration Guide.
IGMP Snooping State Synchronization

The p-mLACP IGMP Snooping state synchronization involves these steps:
OL-16147-20
4-71
Chapter 4
POA creates snooping entries for its active VLANs based IGMP reports and the snooping entries are
synchronized to the peer POA using ICCP, where this information corresponds to the standby
VLANs on peer POA.
The peer POA processes the ICCP messages received from the other POA, and pre-programs the
multicast forwarding table based on the received IGMP information.
When p-mLACP fails (A, B, C, D, E) on one of the POA, the peer POA moves its standby VLANs
to active and triggers IGMP reports towards the Designated Router/mrouter based on the IGMP
information received via ICCP for these VLANs.
Next, the peer POA starts forwarding multicast data traffic based on pre-programmed multicast
forwarding table without any delay, enabling fast convergence.
Figure 4-4 shows the basic p-mLACP IGMP Snooping State Synchronization process.
Figure 4-4
IGMP Snooping State Synchronization
IGMP
hosts
mrouter
DSLAM
7600
Downstream
MC-LAG
Upstream
MC-LAG
300142
7600
Restrictions for p-mLACP IGMP Snooping State Synchronization

Following restrictions apply for the p-mLACP IGMP Snooping State Synchronization feature:
The maximum rate supported is 1000 IGMP joins per second.
The maximum number of IGMP Snooping entries supported per PoA is 10000.
IGMP version 2 is supported. IGMP version 3 is not supported.
This feature is supported on the ES20 and ES+ line cards in the access mode only.
This feature is supported on both SUP720 and RSP720 (1 GHz & 10 GHz).
For the Virtual Private Lan Service (VPLS)-decoupled mode, all the Ethernet Flow Points (EFPs)
participating in a bridge-domain should have the outer tag VLAN range set to either primary or
secondary VLANs, but not both.
If an EFP is deleted from a PoA, you should remove it from the all the peer PoAs.
While adding EFPs to a PoA, add the standby EFP before adding the active EFP.
IP FRR functionality is not supported with p-mLACP.
IGMP Snooping is not supported with Hierarchical Virtual Private LAN Service (H-VPLS) and
MAC Tunneling Protocol (MTP) scenarios and topologies.
Table 4-12 lists the scalability numbers for IGMP snooping state synchronization.
4-72
OL-16147-20
Chapter 4

Table 4-12
Note
Scalability Numbers for p-mLACP IGMP Snooping State Synchronization
Feature
Per PoA
Desirable per PoA
Per RG
p-mLACP IGMP
snooping state
synchronization
10K
20K
10K
All p-mLACP restrictions also apply to IGMP Snooping over p-mLACP feature.
Table 4-13 lists the troubleshooting solutions for the p-mLACP IGMP Snooping State Sync
implementation.
Table 4-13 Troubleshooting Scenarios
OL-16147-20
4-73
Chapter 4
Problem
Solution
IGMP snooping database is empty on the PoA.
Complete these steps to verify and troubleshoot:
IGMP Snooping database shows incomplete

snooping entries
1.
Use the show mac-address-table multicast

igmp-snooping command to check for
incomplete snooping entries. If the entries are
incomplete, see the problem definition and
solution explained in the next row
2.
If the output from the show

mac-address-table multicast
igmp-snooping command is empty, check if
the IGMP snooping is enabled on the router.
Enable the IGMP snooping, if disabled.
If incomplete entries are displayed in the show

mac-address-table multicast igmp-snooping
command output, complete these steps:
1.
Check whether the incomplete entries are

specific to the active VLANs or the standby
VLANs.
2.
If the incomplete entries correspond to an

active VLAN, verify the configuration.
3.
If the incomplete entries correspond to a

standby VLAN, check the corresponding VC
states using the show mpls l2transport vc
command. VC state should be in
UP/STANDBY state, not in the DOWN state.
4.
Use the show ip ig snooping mrouter

command output to verify if the mrouter port
is configured properly for the affected
VLAN.
4-74
OL-16147-20
Chapter 4


An IP source guard filters a source IP address on a layer 2 port and prevents malicious hosts from
impersonating a legitimate host. The feature uses dynamic DHCP snooping and static IP source binding
to match IP addresses to hosts on untrusted layer 2 access ports.
Initially, all IP traffic on the service instance is blocked except for DHCP packets that are captured by
DHCP snooping. After a client receives an IP address from the DHCP server, or after static IP source
binding is configured by the administrator, the IP source guard for service instance feature automatically
creates an access control list (ACL) to permit that traffic. Traffic from other hosts is denied. This filtering
limits the ability of a host to attack the network by claiming the IP address of a neighbor host.

Follow these restrictions and usage guidelines while configuring IP source guard for a service instance:
The number of ACLs and ACEs that can be configured as part of IP source guard are bounded by
the hardware resources on the line card.
The IP source guard is meant to verify host source IP and MAC information. Only ingress traffic is
filtered. It is not applicable to egress direction.
The IP source guard is not effective for software forwarded packets. When a non-recoverable TCAM
exception occurs for the IP source guard, the IP filtering is not effective and packets are permitted.
The IP source guard is not supported on subinterfaces.
The IP source guard is supported only on ES+ line cards.
IP source guard is supported on port-channel service instances effective from Cisco IOS release
15.1(2)S.
Configuring IP Source Guard for a Service Instance

SUMMARY STEPS
1.
enable
2.
configure terminal
3.

or
or
4.
[no] ip address
5.
6.
7.
OL-16147-20
4-75
Chapter 4
Note
To distinguish if the packet is DHCP, all tags must be pop; push and translate are not
supported with the IP source guard for service instance feature.
8.
ip verify source vlan dhcp-snooping [port-security]
9.
10. exit
11. end
DETAILED STEPS
Step 1
Command
Purpose
enable
Enables privileged EXEC mode. If prompted, enter your

password.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
or
Specifies the interface to configure.
slot/port - Specifies the location of the interface.
number - Specifies the port channel interface.
or
Example:
Step 4
[no] ip address
Removes an IP address or disable IP processing.
Example:
Step 5
[no] service instance id ethernet [service-name}
Example:
Creates a service instance (an instantiation of an EVC)

on an interface and sets the device into the config-if-srv
submode.
Step 6
Example:

service instance.
4-76
OL-16147-20
Chapter 4

Step 7
Command
Purpose
rewrite ingress tag {push {dot1q vlan-id | dot1q

vlan-id second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id} | pop {1 | 2} | translate {1-to-1
{dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q
vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q
vlan-id | dot1ad vlan-id dot1q vlan-id}}
symmetric

Note
In order for the router to distinguish if the packet

is DHCP, all tags must be in pop state ; push and
translate states are not supported.
Example:
Router(config-if-srv)# rewrite ingress tag pop 1
symmetric
Step 8
ip verify source vlan dhcp-snooping

[port-security]
Enables the IP source guard states. Use these commands

:
vlan dhcp-snooping enables IP mode and applies

the feature to only specific VLANs on the interface.
The dhcp-snooping option applies the feature to all
VLANs on the interface that have DHCP snooping
enabled.
port-security enables IP/MAC mode and applies

both IP and MAC filtering.
Example:
Router(config-if-srv)# ip verify source vlan
dhcp-snooping
Step 9
Example:

instance.
Step 10
Returns to global configuration mode.
exit
Example:
Step 11
end
Example:
Router(config)# end
Example
This example shows how to configure IP source guard for a service instance with single tag (Dot1q)
encapsulation.
Router# enable
Router(config-if-srv)# ip verify source vlan dhcp-snooping
OL-16147-20
4-77
Chapter 4
This is example shows how to configure IP source guard for a service instance with double tag (QinQ)
encapsulation.
Router# enable
This example shows how to configure IP source guard for a service instance with untagged
encapsulation.
Router# enable
This example shows how to configure IP source guard for a service instance with default encapsulation.
Router# enable
Router(config-if-srv)# encapsulation default
This example shows how to configure IP source guard for a service instance with single tag
encapsulation on a port-channel interface.
Router# enable
Verification
Use the show ip verify source interface to verify the configuration:
router# show ip verify source interface gi5/1 efp_id 10
Interface Filter-type Filter-mode IP-address
Mac-address
Vlan
ID
-------------------------------------------------------------------- ---------Gi5/1 ip-mac
active
123.1.1.1
00:0A:00:0A:00:0A 100
10
router# show ip verify source interface gi5/1
Interface Filter-type Filter-mode IP-address
ID
Mac-address
Vlan
EFP
EFP
4-78
OL-16147-20
Chapter 4

Configuring MST on EVC Bridge Domain
---------------------------- ---------Gi5/1 ip-mac

active
Gi5/1 ip-mac
active
Gi5/1 ip-mac
active
-----------
---------------
123.1.1.1
123.1.1.2
123.1.1.3
-----------------
00:0A:00:0A:00:0A
00:0A:00:0A:00:0B
00:0A:00:0A:00:0C
100
100
100
10
20
30
Troubleshooting
Table 4-14 provides troubleshooting solutions for the IP source guard feature.
Table 4-14
Troubleshooting Scenarios for IP Source Guard feature
Problem
Solution
EVC disabled in IP source guard
Use the [no] ip verify source vlan dhcp-snooping

port-security command in the service instance configuration
mode to verify the IP source guard information. port-security
is an optional keyword to indicate that the source MAC
address filter should be applied with the source IP address.
Share the output with TAC to troubleshoot further.
DHCP snooping failures
1.
Verify whether or not the issues are specific to DHCP

snooping or IP source guard. Use the show ip dhcp
snooping binding command to check the DHCP snooping
bindings on the RP. If the expected entry is missing on the
RP, debug the DHCP snooping sessions and share the
output with TAC.
2.
If the entry is displayed on the route processor, but not on

the line card, use the dhcp snooping ipc debug command
on the RP to debug failures related to DHCP snooping
entries. If the issue persists, contact TAC.

The Multiple Spanning Tree (MST) on EVC Bride Domain feature enables MST on EVC interfaces. It
complements the H-VPLS N-PE Redundancy for QinQ and MPLS Access feature released in Cisco IOS
Release 12.2(33)SRC. For more information on this feature, see
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_hvpls_npe_red.html.
This section describes how to configure MST on EVC Bridge Domain. It contains these topics:
Overview of MST and STP, page 4-80
Overview of MST on EVC Bridge Domain, page 4-80
Restrictions and Usage Guidelines, page 4-81
Examples, page 4-83
OL-16147-20
4-79
Chapter 4
Overview of MST and STP

Spanning Tree Protocol (STP) is a Layer 2 link-management protocol that provides path redundancy
while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly,
only one active path can exist between any two stations. STP operation is transparent to end stations,
which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple
segments.
Cisco 7600 series routers use STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single
instance of STP runs on each configured VLAN (provided you do not manually disable STP). You can
enable and disable STP on a per-VLAN basis.
MST maps multiple VLANs into a spanning tree instance, with each instance having a spanning tree
topology independent of other spanning tree instances. This architecture provides multiple forwarding
paths for data traffic, enables load balancing, and reduces the number of spanning tree instances required
to support a large number of VLANs. MST improves the fault tolerance of the network because a failure
in one instance (forwarding path) does not affect other instances (forwarding paths).
For routers to participate in MST instances, you must consistently configure the routers with the same
MST configuration information. A collection of interconnected routers that have the same MST
configuration comprises an MST region. For two or more routers to be in the same MST region, they
must have the same VLAN-to-instance mapping, the same configuration revision number, and the same
MST name.
The MST configuration controls the MST region to which each router belongs. The configuration
includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map.
A region can have one or multiple members with the same MST configuration; each member must be
capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST
regions in a network, but each region can support up to 65 spanning tree instances. Instances can be
identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning tree
instance at a time.
For additional information on STP and MST on the Cisco 7600 series routers, see Configuring STP and
MST at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html
Overview of MST on EVC Bridge Domain

The MST on EVC Bride-Domain feature uses VLAN IDs for service-instance-to-MST-instance
mapping. EVC service instances with the same VLAN ID (the outer VLAN IDs in the QinQ case) as the
one in another MST instance will be mapped to that MST instance.
EVC service instances can have encapsulations with a single tag as well as double tags. In case of double
tag encapsulations, the outer VLAN ID shall be used for the MST instance mapping, and the inner VLAN
ID is ignored.
A single VLAN per EVC is needed for the mapping with the MST instance. The following service
instances without any VLAN ID or with multiple outer VLAN IDs are not supported:
Untagged (encapsulation untagged)
Priority-tagged (encapsulation priority-tagged)
Default (encapsulation default)
Multiple outer tags (encapsulation dot1q 200 to 400 second-dot1q 300)
4-80
OL-16147-20
Chapter 4


Follow these restrictions and usage guidelines while configuring MST on EVC bridge domain:
Main interface where the EFP is configured must be up and running with MSTP as the selected
Spanning Tree Mode (PVST and Rapid-PVST are not supported).
The SPT PortFast feature is not supported with EFPs.
The co-existence of REP and mLACP with MST on the same port is not supported.
Any action performed on VPORT (which represents a particular VLAN in a physical port) affects
the bridge domain and other services.
This feature cannot co-exist with Ethernet Bridging on FR/ATM that support only PVST.
Supports 64 MSTs and one CIST (common and internal spanning tree).
Supports one MST region.
Scales to 32000 EFP.
Service instances without any VLAN ID in the encapsulation are not supported, because a unique
VLAN ID is required to map an EVC to an MST instance.
Supports EFPs with unambigous outer VLAN tag (that is, no range, list on outer VLAN, neither
default nor untagged).
ES20 and ES+ line cards support this feature.
Removing dot1q encapsulation removes the EVC from MST.
Changing the VLAN (outer encapsulation VLAN of EVC) mapping to a different MST instance will
move the EVC port to the new MST instance.
Changing an EVC service instance to a VLAN that has not been defined in MST 1 will result in
mapping of EVC port to MST 0.
The peer router of the EVC port must also be running MST.
MST is supported only on EVC BD. EVCs without BD configuration will not participate in MST
When an MST is configured on the outer VLAN, you can configure any number of service instances
with the same outer VLAN as shown in the following configuration example.
nPE1#sh run int gi12/5
!
interface GigabitEthernet12/5
description connected to CE1
no ip address
encapsulation dot1q 100 second-dot1q 1
bridge-domain 100
!
bridge-domain 101
!
encapsulation dot1q 100 second-dot1q 120-140
bridge-domain 102
!
OL-16147-20
4-81
Chapter 4
end
nPE1#sh run int gi12/6

!
description connected to CE1
no ip address
bridge-domain 100
!
bridge-domain 101
!
encapsulation dot1q 100 second-dot1q 120-140
bridge-domain 102
!
end
nPE1#sh span vlan 100
MST0
Spanning tree enabled protocol mstp
Root ID
Priority
32768
Address
0018.742f.3b80
Cost
0
Port
2821 (GigabitEthernet12/5)
Hello Time
2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID
Priority
Address
Hello Time
Interface
------------------Gi12/5
Gi12/6
Role
---Root
Altn
32768 (priority 32768 sys-id-ext 0)

001a.303c.3400
Sts
--FWD
BLK
Cost
--------20000
20000
Prio.Nbr
-------128.2821
128.2822
Type
-------------------------------P2p
P2p
nPE1#
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
4-82
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or

interface to configure.
Example:
gigabitethernet 4/1
Step 4

[service-name]
Creates a service instance (EVC instance) on an interface

and sets the device into the config-if-srv submode.
Example:
ethernet
Step 5
Example:

service instance.
dot1q 13
Step 6
Example:

instance.
Examples
In the following example, two interfaces participate in MST instance 0, the default instance to which all
VLANs are mapped:
Router# enable
Router(config)# interface g4/1
Router(config-if-srv)# interface g4/3
Router(config-if-srv)# end
OL-16147-20
4-83
Chapter 4
Verification
Use this command to verify the configuration:
Router# show spanning-tree vlan 2
MST0
Root ID
Priority
32768
Address
0009.e91a.bc40
This bridge is the root
Hello Time
2 sec Max Age 20 sec
Bridge ID
Priority
Address
Hello Time
Forward Delay 15 sec

0009.e91a.bc40
Interface
Role Sts Cost
Prio.Nbr Type
------------------- ---- --- --------- -------- -------------------------------Gi4/1
Desg FWD 20000
128.1537 P2p
Gi4/3
Back BLK 20000
128.1540 P2p
In this example, interface gi4/1 and interface gi4/3 are connected back-to-back. Each has a service
instance (EFP) attached to it. The EFP on both interfaces has an encapsulation VLAN ID of 2. Changing
the VLAN ID from 2 to 8 in the encapsulation directive for the EFP on interface gi4/1 stops the MSTP
from running in the MST instance to which the old VLAN is mapped and starts the MSTP in the MST
instance to which the new VLAN is mapped:
Router(config-if)# interface g4/1
Router(config-if-srv)# encap dot1q 8
Use this command to verify the configuration:

MST1
Root ID
Priority
32769
Address
0009.e91a.bc40
Hello Time
Bridge ID
Priority
Address
Hello Time

0009.e91a.bc40
Interface
Role Sts Cost
Prio.Nbr Type
------------------- ---- --- --------- -------- -------------------------------Gi4/3
Desg FWD 20000
128.1540 P2p
MST2
Root ID
Priority
32770
Address
0009.e91a.bc40
4-84
OL-16147-20
Chapter 4

Hello Time
Bridge ID
Priority
Address
Hello Time
2 sec
Max Age 20 sec

0009.e91a.bc40
Interface
Role Sts Cost
Prio.Nbr Type
------------------- ---- --- --------- -------- -------------------------------Gi4/1
Desg FWD 20000
128.1537 P2p
In this example, interface gi4/3 (with an EFP that has an outer encapsulation VLAN ID of 2 and a bridge
domain of 100) receives a new service:
Router# enable
Router(config)# interface g4/3
Router((config-if)# service instance 2 ethernet
Router((config-if-srv)# encap dot1q 2 second-dot1q 100
Router((config-if-srv)# bridge-domain 200
Now there are two EFPs configured on interface gi4/3 and both of them have the same outer VLAN 2.
no ip address
bridge-domain 100
!
bridge-domain 200
The preceding configuration does not affect the MSTP operation on the interface; there is no state change
for interface gi4/3 in the MST instance it belongs to.
Router# show spanning-tree mst 1
##### MST1
Bridge
Root
vlans mapped:
2
address 0009.e91a.bc40
this switch for MST1
priority
32769 (32768 sysid 1)
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Gi4/3
Desg FWD 20000
128.1540 P2p
This example shows MST on port channels:

Router# show spanning-tree mst 1
##### MST1 vlans mapped: 3
Bridge address 000a.f331.8e80 priority 32769 (32768 sysid 1)
Root address 0001.6441.68c0 priority 32769 (32768 sysid 1)
port Po5 cost 20000 rem hops 18
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- -------------------------------Gi2/0/0 Desg FWD 20000 128.257 P2p
Po5 Root FWD 10000 128.3329 P2p
Po6 Altn BLK 10000 128.3330 P2p
MST1
Root ID Priority 32769
OL-16147-20
4-85
Chapter 4
Address 0001.6441.68c0
Cost 20000
Port 3329 (Port-channel5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000a.f331.8e80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -------------------------------Gi2/0/0 Desg FWD 20000 128.257 P2p
Po5 Root FWD 10000 128.3329 P2p
Po6 Altn BLK 10000 128.3330 P2p
Troubleshooting
Table 4-15 provides troubleshooting solutions for the MST on EVC Bridge Domain feature.
Table 4-15
Problem
Solution
Multiple Spanning Tree Protocol (MSTP) incorrectly or

inconsistently formed due to misconfiguration and BPDU
loss
To avoid BPDU loss, re-configure these on the following

nodes:
Configuration name
Bridge revision
Provider-bridge mode
Instance to VLAN mapping
Determine if node A is sending BPDUs to node B. Use the
show spanning-tree mst interface gi1/1 service instance
command for each interface connecting the nodes. Only
designated ports relay periodic BPDUs.
MSTP correctly formed, but traffic flooding occurs
Intermittent BPDU loss occurs when the spanning tree appears

incorrectly in the show commands, but relays topology change
notifications. These notifications cause a MAC flush, forcing
traffic to flood until the MAC addresses are re-learned. Use
the debug spanning-tree mst packet full {received | sent}
command to debug topology change notifications.
Use the debug spanning-tree mst packet brief {received |
sent} command on both nodes to check for missing BPDUs.
Monitor the timestamps. A time gap greater than or equal to
six seconds causes topology change.
4-86
OL-16147-20
Chapter 4

Configuring Link State Tracking (LST)
Problem
Solution
MSTP shows incorrect port state
When the spanning tree protocol (STP) attempts to change the

port state, it uses L2VPN. Check the value of the sent update.
If the value is Yes, then STP is awaiting an update from
L2VPN.
Packet forwarding does not match the MSTP state
Complete the following steps to verify and troubleshoot:

1.
Shut down redundant links, remove MSTP configuration,

and ensure that basic bridging works.
2.
Check the state of each port as calculated by MSTP, and

compare it with the packet counts transmitted and
received on ports and EFPs controlled by MSTP. Normal
data packets should be sent/received only on ports in the
forwarding (FWD) state. BPDUs should be sent/received
on all ports controlled by MSTP.
3.
Ensure that BPDUs are flowing and that root bridge

selection is correct and check the related scenarios.
4.
Use the show l2vpn bridge-domain detail command to

confirm the status of the members of the bridge domain.
Ensure that the relevant bridge domain members are
active.
5.
Check the forwarding state as programmed in hardware.

When a link failure occurs on a REP and MST segment, the associated protocols handle the link failure
event. However, if the primary link to the switch is enabled even though the corresponding uplink ports
on the switch are disabled, the REP and MST protocol is unaware of backbone side, and does not trigger
a failover. The router continues to receive the traffic from the access side and then drops it discreetly due
to lack of backbone connectivity. Link state tracking provides a solution to this problem by allowing the
uplink interfaces to bind the link status to the down link ports. Uplink state tracking is configured such
that when a set of uplink ports are disabled, other ports linked through CLI commands are disabled as
well. The state of all the downlink interfaces are error-disabled only when all the upstream interfaces are
disabled.
The LST triggers REP/MST re-convergence on the access side depending on the state of the core-facing
interface. The link state of the core facing interface and the access facing interface are bound by link
state tracking group.
LST facilitates:
Enabling and disabling of link state group tracking.
Removal of downstream interfaces from a link state group.
Performing shut/no shut on error disabled interface.

Follow these restrictions and usage guidelines when you configure the LST:
OL-16147-20
4-87
Chapter 4
Ensure that the management interfaces are not part of a link state group.
REP port cannot be configured as uplink port.
LST does not allow any interface, upstream or downstream, to be part of more than one link state
group.
You can configure a maximum of 10 link state groups.
When you configure LST for the first time, you must add upstream interfaces to the link state group
before adding downstream, otherwise the state of the downlink interfaces are error-disabled.
The configurable interfaces are physical (both routed and switch port), port-channel, sub-interface
and VLAN.
Upstream interfaces are required to be among:

L3 interface(physical or portchannel)
SVI
Downstream interfaces are required to be among:

L2 interface
L2 Port-channel
EVC
Configuring Link State Tracking

Perform the following tasks to configure a LST.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
link state track number
4.
interface slot/port
5.
link state group [number] {upstream | downstream}
6.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
4-88
OL-16147-20
Chapter 4

Step 3
Command or Action
Purpose
link state track number
Creates a link-state group, and enables LST. The acceptable

range is 1-10; the default value is 1.
Example:
Router(config)# link state track 1
Step 4
interface slot/port
Configures an interface.
Example:
Step 5
Step 6
Example:
Router(config-if)# link state group 1 upstream
Specifies a link-state group and configures the interface as

either an upstream or downstream interface in the
group.The group number can be 1 to 10; the default value is
1.
end
Exits the CLI to privileged EXEC mode.
link state group [number] {upstream |

downstream}
Example:
This example shows how to create a link-state group and configure the interfaces:
Router(config)# link state track 1
Router(config)# interface gigabitethernet3/1
Router(config-if)# interface gigabitethernet3/3
Router(config-if)# link state group 1 downstream
Router(config-if)# link state group 1 downstream
Verification
Use the show link state group command to display the link-state group information.
Router> show link state group 1
Link State Group: 1 Status: Enabled, Down
Use the show link state group detail command to display detailed information about the group.
Router> show link state group detail
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
Upstream Interfaces : Gi3/5(Dwn) Gi3/6(Dwn)
Downstream Interfaces : Gi3/1(Dis) Gi3/2(Dis) Gi3/3(Dis) Gi3/4(Dis)
Upstream Interfaces : Gi3/15(Dwn) Gi3/16(Dwn) Gi3/17(Dwn)
Downstream Interfaces : Gi3/11(Dis) Gi3/12(Dis) Gi3/13(Dis) Gi3/14(Dis)
(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
OL-16147-20
4-89
Chapter 4
MAC Address Security for EVC Bridge Domain
Troubleshooting the Link State Tracking

Table 4-16 lists the troubleshooting issues while configuring LST:
Table 4-16
Troubleshooting LST Issues
Problem
Solution
The downstream interface is in error-disabled

state even though the upstream interfaces are up.
Use the show interfaces <interface> status

err-disabled command to check why the interface
is in such state.
Use the show errdisable recovery command to
view information about the error-disable recovery
timer.

Cisco 7600 series routers currently support port security on a per-port basis. For more information, see
Configuring Port Security at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/port_sec.html
The Media Access Control (MAC) Address Security for EVC Bridge Domain feature addresses port
security with EVCs by providing the capability to control and filter MAC address learning behavior at
the granularity of a per-EFP basis. For instance, when a violation requires a shutdown, only the customer
assigned to a given EFP is affected rather than all customers using the port.
Port Security and the MAC Address Security for EVC Bridge Domain feature operate independently of
each other.
Cisco IOS Release 12.2(33)SRE adds support for MAC address security on EVC port-channels.This
feature operates on a port-channel interface in a similar manner to how it works on a physical port. In
each case, MAC security is configured on a service instance associated with a bridge domain.
This section covers the following topics: This section contains the following topics:
Restrictions and Usage Guidelines, page 4-91
Enabling MAC Address Security for EVC Bridge Domain, page 4-91
Enabling MAC Address Security for EVC Bridge Domain, page 4-91
Disabling MAC Address Security for EVC Bridge Domain on an EFP, page 4-93
Configuring MAC Address Whitelist on an EFP, page 4-94
Configuring Sticky MAC Addresses on an EFP, page 4-96
Configuring Secure MAC Address Aging on an EFP, page 4-98
Configuring MAC Address Limiting on EFP, page 4-101
Configuring MAC Address Limiting on a Bridge Domain, page 4-102
Configuring Violation Response on an EFP, page 4-103
4-90
OL-16147-20
Chapter 4


When configuring MAC Address Security for EVC Bridge Domain, follow these restrictions and usage
guidelines:
System wide, the following limits apply to the total configured whitelist and learned MAC
addresses:
Total number of MAC addresses supported under MAC Security is limited to 32K.
Total number of MAC addresses supported under MAC Security, per bridge domain, is limited
to 10K.
Total number of MAC addresses supported under MAC Security, per EFP, is limited to 1K.
You can configure or remove the various MAC security elements irrespective of whether MAC
security is enabled on the EFP. However, these configurations will become operational only after
MAC security is enabled.
Upon enabling the MAC Address Security for EVC Bridge Domain feature, existing MAC address
table entries on the EFP are removed.
The MAC Address Security for EVC Bridge Domain feature can be configured on an EFP only if
the EFP is a member of a bridge domain.
If you disassociate the EFP from the BD, the MAC security feature is completely removed.
For port-channel, this configuration is propagated to all member links in the port-channel.
Consistent with the already implemented bridge domain EVC port-channel functionality, packets on
a secured EFP are received on any member link, but all the egress packets are sent out to one of the
selected member links.
Enabling MAC Address Security for EVC Bridge Domain

This section describes how to enable MAC address security for EVC bridge domain.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitethernet slot/subslot/port or interface tengigabitethernet slot/subslot/port or

4.
5.
6.
bridge-domain bridge-id
7.
mac security
OL-16147-20
4-91
Chapter 4
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
Step 4
service instance id Ethernet

[service-name]

submode.
Example:
ethernet
Step 5
Example:

service instance.
dot1q 13
Step 6
Example:

instance.
Step 7
mac security or no mac security
Enables or disables the MAC Security on the EFP.
Example:
Router(config-if-srv)# mac security or
Router(config-if-srv)# no mac security
Examples
This example shows how to enable MAC address security for EVC bridge domain.
Router# enable
4-92
OL-16147-20
Chapter 4


Router(config-srv)# encapsulation dot1q 20
Router(config-if-srv)# mac security
This example shows how to disable MAC address security for EVC bridge domain.
Router# enable
Disabling MAC Address Security for EVC Bridge Domain on an EFP

This section describes how to disable MAC address security for EVC bridge domain.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.

4.
5.
no mac security
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
OL-16147-20
4-93
Chapter 4
Step 4
Command
Purpose

[service-name]

submode.
Example:
ethernet
Step 5
no mac security
Disables MAC Security on the EFP.
Example:
Examples
This example shows how to disable MAC address security for EVC bridge domain.
Router# enable
Configuring MAC Address Whitelist on an EFP

MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained
during a link-down condition and device reload. Stickly Mac is shown in the MAC table as static
addressess. However, you should copy the running config details to retain the mac address details.
This section describes how to configure sticky MAC addresses on an EFP.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.

4.
5.
6.
7.
mac security sticky
8.
mac security
9.
no mac security
4-94
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
Step 4

[service-name]

submode.
Example:
ethernet
Step 5
Example:

service instance.
dot1q 13
Step 6
Example:

instance.
Step 7
mac security address permit mac address
Adds the specified MAC Address as a whitelist ("permit")

MAC Address for the EFP.
Example:
address permit 0000.1111.2222
Step 8
mac security
Enables MAC Security on the EFP.
Example:
OL-16147-20
4-95
Chapter 4
Examples
This example shows how to configure whitelisted MAC addresses on an EFP that is a member of a bridge
domain.
Router# enable
Router(config-if-srv)# mac security address permit 0000.1111.2222
Configuring Sticky MAC Addresses on an EFP

MAC addresses learned dynamically on the EFP after mac security sticky is configured are retained
during a link-down condition and device reload. Stickly Mac is shown in the MAC table as static
addressess. However, you should copy the running config details to retain the mac address details.
This section describes how to configure sticky MAC addresses on an EFP.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.

4.
5.
6.
7.
mac security sticky
8.
mac security
9.
no mac security
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
4-96
OL-16147-20
Chapter 4

Step 3
Command
Purpose
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
Step 4

[service-name]

submode.
Example:
ethernet
Step 5
Example:

ingress dot1q frames (double tagged) on an interface to
the appropriate service instance.
dot1q 13
Step 6
Example:

instance.
Step 7
mac security sticky
Example:
Step 8
Enables Sticky feature causing all dynamic secure MAC

addresses to become sticky MAC addresses. Any new
MAC address learnt becomes sticky.
To retain the sticky MAC addresses across
reloads, ensure that you save the running
configuration to the start up configuration.

sticky
Note
mac security
Example:
Step 9
no mac security
Disables the MAC Security on the EFP.
Example:
Examples
This example configures sticky MAC addresses on an EFP.
Router# enable
OL-16147-20
4-97
Chapter 4

Router(config-if-srv)# mac security sticky
Configuring Secure MAC Address Aging on an EFP

This section shows how to configure aging of secured MAC addresses under MAC Security. Secured
MAC addresses are not subject to the normal aging of MAC table entries in the system.By default, secure
MAC addresses do not age out.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.

4.
5.
encapsulation dot1q vlan-id double tagged
6.
7.
mac security aging time m [inactivity]
8.
mac security aging static
9.
mac security aging sticky
10. mac security

11. no mac security
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
4-98
OL-16147-20
Chapter 4

Step 3
Command
Purpose
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
Step 4

[service-name]

submode.
Example:
ethernet
Step 5
Example:

ingress dot1q double-tagged frames on an interface to the
appropriate service instance.
dot1q 13
Step 6
Example:

instance.
Step 7
mac security aging time m [inactivity]
Example:
aging time 200
Step 8
mac security aging static
Sets the aging time for secure addresses (range is 0-1440).

The optional inactivity keyword specifies that the address
aging is due to inactivity of the sending hosts (as opposed
to absolute aging).
Applies aging controls to statically configured addresses.
Example:
static
Step 9
mac security aging sticky
Applies aging controls to sticky addresses.
Example:
stickly
OL-16147-20
4-99
Chapter 4
Step 10
Command
Purpose
mac security
Enables MAC Security on the EFP. A sticky MAC address

on the MAC table is shown as static addressess.
Example:
Step 11
no mac security
Disables the MAC Security on the EFP.
Example:
Examples
This example shows how to configure the aging time for secure addresses to 10 minutes.
Router# enable
Router(config-if-srv)# mac security aging time 10
This example shows a configuration where the aging out of addresses is based on inactivity of the
sending hosts. An address will age out if it is not seen for 10 minutes.
Router# enable
Router(config-if-srv)# mac security aging time 10 inactivity
The mac security aging time command only ages out secure addresses that are learned. To enable aging
out of whitelist or sticky addresses when the mac security aging time command is configured, use the
mac security aging static command (applies aging controls to statically configured addresses) or the
mac security aging sticky command (applies aging controls to persistent, that is, sticky, addresses). The
configuration below shows an example of applying aging to a sticky address.
Router# enable
Router(config-if-srv)# mac security sticky
Router(config-if-srv)# mac security aging time 100
4-100
OL-16147-20
Chapter 4

Configuring MAC Address Limiting on EFP

This section describes how to configure an upper limit for the number of secured MAC addresses
allowed on an EFP. This includes addresses added as part of a whitelist, as well as dynamically learned
MAC addresses. If the upper limit is decreased, one or more learned MAC entries may be removed. The
default limit is 1.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.

4.
5.
encapsulation dot1q vlan-id double tagged
6.
7.
mac security maximum addresses n
8.
mac security
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
Step 4

[service-name]

submode.
Example:
ethernet
OL-16147-20
4-101
Chapter 4
Step 5
Command
Purpose

service instance.
Example:
dot1q 13
Step 6
Example:
Binds the service instance to a bridge-domain instance

instance.
Step 7
mac security maximum addresses n
Example:
Sets (or changes) the maximum number of secure

addresses permitted on the EFP to the integer value n. The
acceptable range secure addresses is 1-1024.

maximum addresses 10
Step 8
mac security
Example:
Examples
This example configures an upper limit of 10 for the number of secured MAC addresses allowed on an
EFP.
Router# enable
Router(config-if-srv)# mac security maximum addresses 10
Configuring MAC Address Limiting on a Bridge Domain

This section describes how to configure an upper limit for the number of secured MAC addresses located
on the bridge domain.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
bridge-domain vlan-id [access | dot1q [tag] | dot1q-tunnel] [broadcast] [ignore-bpdu-pid]

[pvst-tlv CE-vlan] [increment] [lan-fcs] [split-horizon]
4.
mac limit maximum addresses [n]
4-102
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
bridge-domain vlan-id [access | dot1q

[tag] | dot1q-tunnel] [broadcast]
[ignore-bpdu-pid] [pvst-tlv CE-vlan]
[increment] [lan-fcs] [split-horizon]
Specifies the bridge domain.
Example:
Router(config)# bridge-domain 12
Step 4
mac limit maximum addresses [n]
Sets the limit for maximum addresses. The default value

is 10240.
Example:
Router(config-bdomain)# mac limit
maximum addresses 1000
Examples
This example configures an upper limit of 1000 for the number of secured MAC addresses.
Router# enable
Router(config)# bridge-domain 100
Router(config-if-srv)# mac limit maximum address 1000
Configuring Violation Response on an EFP

This section describes how to specify the expected behavior of the device when an attempt to
dynamically learn a MAC address fails because of a violation of the configured MAC Security policy on
the EFP. The default violation behavior is termed as a EFP shutdown.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.

4.
5.
OL-16147-20
4-103
Chapter 4
6.
7.
mac security violation restrict or mac security violation protect
8.
mac security
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
slot/subslot/port
or
slot/subslot/port
or

Example:
gigabitethernet 4/1
Step 4

[service-name]

submode.
Example:
ethernet
Step 5
Example:

service instance.
dot1q 13
Step 6
Example:

instance.
4-104
OL-16147-20
Chapter 4

Step 7
Command
Purpose
mac security violation restrict

or
mac security violation protect
Sets the violation mode to restrict or protect.
Example:
violation restrict
Step 8
mac security
The no version of this command sets the violation

response back to default (default is shutdown). In the
Restrict scenario, the packets are dropped and an error
message is displayed about the log warning level; in the
Protect scenario, the packets are silently dropped and no
messages are displayed.
Example:
Examples
This example configures a restrict violation response on EFP.
Router# enable
Router(config-if-srv)# mac security violation restrict
Error Recovery
This section describes how to recover from violation causing an EFP shutdown (default violation
response) and contains the following sections:
Manual recovery
Automatic recovery
Manual Recovery
For manual recovery, use the clear ethernet service instance id id interface interface-name errdisable
command to bring the service instance out of an error disabled state as shown below:
Router# enable
Router# clear ethernet service instance id 10 interface gi1/1 errdisable
Automatic recovery
For automatic recovery, use the errdisable recovery cause mac security command. You must specify
the timer interval. The valid value is from 30 to 86400 second. In the configuration example that follows,
the EFP recovers 60 seconds after the violation causes the shutdown.
Router# enable
OL-16147-20
4-105
Chapter 4

Router(config-if-srv)# errdisable recovery cause mac-security 60
Verification
Use the following commands to verify operation.
Command
Purpose
Router# show ethernet service instance id id interface

interface mac security address
Displays the secure addresses on the specified EFP.

interface mac security last violation
Displays the last violation recorded on the specified EFP.

interface mac security statistics
Displays the number of allowed and actual secured address

and the number of violations recorded on the EFP.

interface mac security
Displays the MAC Security status of the specified EFP.
Router# show ethernet service instance mac security

address
Displays the secure addresses on all the EFPs in the system.
Router# show ethernet service instance mac security last

violation
Displays information about the last violation recorded on the

device (across all service instances) and information about the
last violation recorded on each of the service instances.

statistics
Displays the number of allowed and actual secured addresses,

as well as the number of violations recorded on all the EFPs in
the system.
Displays all the EFPs in the system that have MAC Security
enabled.
Router# show bridge-domain id mac security address
Displays the secure addresses on all EFPs belonging to the

specified bridge domain.
Router# show bridge-domain id mac security last violation Displays information about the last violation recorded on each
of the service instances belonging to the bridge domain.
Router# show bridge-domain id mac security statistics
Displays the number of allowed and actual secured addresses,

as well as the number of violations recorded on all the EFPs
that belong to the specified bridge domain.
Router# show bridge-domain id mac security
Displays all the EFPs that belong to the specified bridge

domain, and that have MAC Security enabled.
Troubleshooting
Table 4-17 provides troubleshooting solutions for the MAC Security feature.
4-106
OL-16147-20
Chapter 4

Table 4-17
Troubleshooting Scenarios for MAC Security feature
Problem
Solution
MAC security errors on the RP
Use the debug ethern serv instance id id interface int mac

sec errors and debug ethern serv instance id id interface int
mac table errors commands. Share the output with TAC for
MAC security errors on the SP
Use the debug ethernet service instance mac security errors

and debug ethernet service instance mac table errors
commands to troubleshoot mac security issues on the RP.
EFP is disabled and is unable to automatically recover from Use the errdisable recovery cause mac-security interval or
error disable state
clear ethernet service instance id id interface interface-name
errdisable commands to re-enable the EFP.
Mac security aging timer is inactive
When mac security aging time inactivity is configured, the

hardware mac table aging timer for the EFP VLAN is set with
the configuration command mac address-table aging-time
time [vlan <vlan id>] command. To resolve the aging timer
inactivity, re-set the aging time to the default value of 300
seconds.

Ethernet Connectivity Fault Management (CFM) is an end-to-end per-service-instance Ethernet layer
OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation.
Currently, Ethernet CFM supports inward facing and outward facing Maintenance Endpoints (MEPs).
For information on Ethernet Connectivity Fault Management, see
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html.
The CFM and PVST Co-Existence feature allows Per Vlan Spanning Tree (PVST) and CFM to co-exist
on Cisco 7600 series routers.
The CFM and PVST Co-Existence feature makes use of these Ethernet components:
Ethernet virtual circuit (EVC)An association between two or more UNIs that identifies a
point-to-point or point-to-multipoint path within the provider network.
Ethernet flow point (EFP)The logical demarcation point of an EVC on an interface.
Each EFP is identified with an EVC. An EVC ID is globally unique within a network. In addition, an
EFP is associated with one bridge domain. All the EFPs in a bridge domain belong to the same EVC
(when specified).
For EFPs, untagged, single-tagged, and double-tagged encapsulations exist with dot1q, QinQ, and IEEE
dot1ad Ether types. Different EFPs belonging to a bridge domain can have different encapsulations.

When configuring CFM and PVST Co-Existence, follow these restrictions and usage guidelines:
OL-16147-20
4-107
Chapter 4
The following line cards and supervisors that have three or more match registers are supported:
ES20 line cards
ES+ line cards
RSP720-3C-10GE and
Supervisor Engine 32
WS-X67xx line cards (with supported supervisor)
Generic VLAN Registration Protocol (GVRP) and CFM coexistence is also supported
The following co-existing configurations are supported:

PVST and CFM; you must configure PVST before configuring CFM
Generic VLAN Registration Protocol (GVRP) and CFM; you must configure GVRP before
configuring CFM
PVST and GVRP; there is no restriction for the order of configuration.
CFM uses two match registers to identify the control packet type; PVST also uses a match register
to identify its control packet type. So in order for both protocols to work on the same system each
line card needs to support three match registers, at least one being able to support only a 44 bit MAC
match.
This message is displayed when no match registers are available.
CFM is enabled system wide except on supervisor ports due to spanning tree
configuration on supervisor ports for CFM due to hardware limitations on these
ports. Continued with enabling CFM system-wide to allow coexistence with other
protocols such as PVST.
Administrator action may be required. Ensure no CFM traffic is presented to any

supervisor ports via configuration. If not possible configure STP mode to MST and
re-enable CFM or disable CFM completely.
This message is displayed when the 48 bit match register is not available.
CFM is enabled system wide except it's disabled on supervisor ports due to spanning
tree or GVRP configuration. Unable to program all port ASIC MAC match registers
on supervisor ports for CFM due to hardware limitations on these ports. Continued
with enabling CFM system-wide to allow coexistence with other protocols such such
as PVST or GVRP.System has handled this by disabling CFM on all supervisor ports.
If this is unacceptable configure STP mode to MST and re-enable CFM or disable CFM
completely.
This message is displayed, if after configuring PVST-CFM or GVRP-CFM co-existence, an
attempt is made to power up an unsupported line card or to insert an unsupported line card into
the router:
4-108
OL-16147-20
Chapter 4

Unsupported module in slot 3, power not allowed: Module has insufficient match
registers. Enabled relevant protocols include SSTP CFM_MULTICAST.
Note
Slot 3 in the above message refers to the module with unsufficient match registers.
Configuring PVST and CFM Co-Existence

Note
PVST mode is the default spanning-tree mode. It is enabled when you boot the router.
Note
You cannot disable PVST spanning-tree mode or MST spanning-tree mode with the no versions of the
spanning-tree mode mst or spanning-tree mode pvst commands; you must enable the other
spanning-tree mode to disable the existing spanning-tree mode. For example, if you want to disable the
MST spanning-tree mode, you must enable the PVST spanning-tree mode.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
spanning-tree mode pvst
4.
ethernet cfm enable
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Configures Per-VLAN Spanning Tree+ (PVST+) mode.
Example:
Router(config)# spanning-tree mode pvst
Step 4
ethernet cfm enable
Enables connectivity fault management (CFM)

processing globally on a device.
Example:
Router(config)# ethernet cfm enable
The following example configures PVST and CFM Co-Existence:
OL-16147-20
4-109
Chapter 4
Router# enable
Configuring GVRP and CFM Co-Existence

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
gvrp global
4.
ethernet cfm enable
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
gvrp global
Enable GVRP globally.
Example:
Router(config)# gvrp global
Step 4
ethernet cfm enable
Enables connectivity fault management (CFM)

processing globally on a device.
Example:
The following example configures GVRP and CFM Co-Existence:

Router# enable
4-110
OL-16147-20
Chapter 4

Configuring PVST and GVRP Co-Existence

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
gvrp global
4.
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
gvrp global
Enable GVRP globally.
Example:
Step 4
Configures Per-VLAN Spanning Tree+ (PVST+) mode.
Example:
The following example configures PVST and GVRP Co-Existence:

Router# enable
Verification
OL-16147-20
4-111
Chapter 4
Command
Purpose
Router# show running configuration
Displays the contents of the current running configuration file

or the configuration for a specific module.
Router# remote command switch show platform mrm info Displays protocols using port ASIC match registers. However,
the feature will not be enabled if the match registers are not
programmed.

The custom ethertype feature allows you to configure the ethertype to be used for outer tag for dot1q and
QinQ packets. By default, the Cisco 7600 series router supports ethertype 0x8100 for dot1q and QinQ
outer tags. The following ethertype can be configured under a physical port:
0x8100 802.1q
0x9100 Q-in-Q
0x9200 Q-in-Q, and
0x88a8 802.1ad
You can use the dot1 q tunneling ethertype ethertype-value command to configure the custom
ethertype within a physical port.
In the following sample configuration, ethertype is set to 0x9100, service instance is created, and
Rewrite process is initiated:
interface GigabitEthernet 1/1
dot1q tunneling ethertype 0x9100
service instance <number> ethernet
encapsulation dot1q <vlan 1> [second-dot1q <vlan 2>]
Rewrite <Rewrite>
Note
802.1q (0x8100) is the default ethertype setting.
Note
Cisco IOS Release 12.2(33)SRE adds support for custom ethertype to port-channels.
Supported Rewrite Rules for a Custom Ethertype Configuration

Rewriting allows you to add or remove VLAN tags in the packets transferred between two customer sites
in the service provider networks.
The following types of Rewrites are supported on a Network Network Interface (NNI):
Non-Range on C-Tag on NNI
Range on C-Tag on NNI
4-112
OL-16147-20
Chapter 4

Supported Rewrites for Non-Range on C-Tag with a NNI

When Custom Ethertype is configured within the NNI physical interface and VLAN range is not
specified, the following Rewrites are supported for a provider bridge:
For encapsulation untagged:

No Rewrite
Rewrite ingress tag push dot1q <vlan1> [second-dot1q <vlan2>] symmetric
For encapsulation default:

No Rewrite
For encapsulation dot1q <vlan>:

No Rewrite
Rewrite ingress tag pop 1 symmetric
Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric, and
Rewrite ingress tag translate 1-to-2 dot1q <vlan 1> second-dot1q <vlan 2> symmetric
For encapsulation dot1q <vlan1> second-dot1q <vlan2>:

No Rewrite
Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
Rewrite ingress tag translate 2-to-1 dot1q <vlan> symmetric, and
Supported Rewrites for Range on C-Tag with a NNI

When a VLAN range is specified on the C-Tag, push Rewrites are not supported. The following Rewrites
are supported for VLAN range on C-Tag:
For encapsulation dot1q <vlan1 vlan2>:

No Rewrite
For encapsulation dot1q <vlan1> second-dot1q <vlan2 vlan3>:

No Rewrite
Rewrite ingress tag translate 1-to-1 dot1q <vlan> symmetric
Note
To avoid hierarchical provider bridges when any Custom Ethertype is configured, NNI interface does not
support ingress push Rewrite except for encap untagged.
OL-16147-20
4-113
Chapter 4

When configuring Custom Ethertype, follow these restrictions and usage guidelines:
If a custom ethertype is configured on the port-channel, the same ethertype is implicitly configured
for all the other member interfaces.
You cannot configure Custom ethertype explicitly under a member interface of a port-channel.
An interface configured with custom ethertype cannot be a part of port-channel.
An ES+ port configured with custom ethertype cannot become member of port-channel.
1.
enable
2.
configure terminal
3.

port-channel number
4.
dot1q tunneling ethertype [0x9100|0x9200|0x88A8]
5.
6.
[no] encapsulation untagged, dot1q {any | vlan-id[vlan-id[vlan-id]]} second-dot1q {any

|vlan-id[vlan-id[vlan-id]]}
7.
Rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id dot1q vlan-id} | pop
{1 | 2} | translate {1-to-1 {dot1q vlan-id}| 2-to-1 dot1q vlan-id }| 1-to-2 {dot1q vlan-id second-dot1q
vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id dot1q vlan-id}} symmetric
SUMMARY STEPS
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

or
or

Example:
gigabitethernet 4/1
4-114
OL-16147-20
Chapter 4

Step 4
Command
Purpose
dot1q tunneling ethertype [0x9100 |

0x9200 | 0x88A8]
Configure Custom Ethertype as 9100, 9200, or 88A8

within the physical interface as all service instances under
physical interface use the configured ethertype.
Example:
Router(config-if)# dot1q tunneling
ethertype 0x88A8
Step 5

[service-name]

submode.
Example:
ethernet
Step 6
encapsulation untagged dot1q {any |

vlan-id[vlan-id[vlain-id]]}
second-dot1q {any |
vlan-id[vlan-id[vlan-id]]}
Defines the matching criteria that maps the ingress dot1q,

QinQ, or untagged frames on an interface for the
appropriate service instance.
Example:
dot1q 100 second dot1q 200
Step 7
Rewrite ingress tag {push {dot1q

vlan-id dot1q vlan-id} | pop {1 | 2} |
translate {1-to-1 {dot1q vlan-id}|
2-to-1 dot1q vlan-id }| 1-to-2 {dot1q
vlan-id second-dot1q vlan-id dot1q
vlan-id} | 2-to-2 {dot1qvlan-id
second-dot1q vlan-id dot1q vlan-id}}
symmetric
Specifies the Rewrite operation.
Example:
Router(config-if-srv)# Rewrite ingress
tag push dot1q 20
Examples
Single Tag Encap with Connect with Custom Ethertype Configured
In the following example, Custom Ethertype is configured on a single tag encap using the connect
configuration:
Router#sh running-config int Gi1/1
//Building configuration...
no ip address
no mls qos trust
OL-16147-20
4-115
Chapter 4
no ip address
mls qos trust dscp
Router)# connect LC1 GigabitEthernet 1/1 1 GigabitEthernet 1/2 1
Single Tag Encap with Bridge Domain

In the following example, Custom Ethertype is configured on a single tag encap using bridge domain
configuration:
no ip address
no mls qos trust
bridge-domain 100
no ip address
mls qos trust dscp
bridge-domain 100
Single Tag Encap with XConnect

In the following example, Custom Ethertype is configured on a single tag encap with xconnect
configuration:
no ip address
no mls qos trust
ip address 10.10.10.2 255.255.255.0
no mls qos trust
mpls label protocol ldp
mpls ip
Custom Ethertype Support with Sub Interfaces

In this example, Custom Ethertype is configured on a sub interface. Custom Ethertype is always
configured within the main physical interface and QinQ encap is configured within the subinterface.
4-116
OL-16147-20
Chapter 4


no ip address
no mls qos trust
end
interface GigabitEthernet 1/1.10
encapsulation dot1Q 10 second-dot1q 20
ip address 20.20.20.2 255.255.255.0
end
Verification
Use the following commands to verify operations.
Command
Purpose
Router# show ethernet service instance [id instance-id |

Displays information about:
Specific EVCs if an EVC ID is specified
All the EVCs on an interface if an interface is specified.
The detailed option provides additional information about the

EVC. This can be given on RP and LC consoles to determine
Custom Ethertype configured under a physical port.
Troubleshooting
Table 4-18 provides troubleshooting solutions for the Custom Ethertype feature.
Table 4-18
Problem
Solution
Error in custom ethertype programming for all the UP links
Use the show platform npc xlif channel-id port <port sram
line command to verify if the port-sram is programmed
correctly and displays the configured ethertype. Share the
Incorrect programming of cusom-ethertype in a port-channel Use the show vlan internal usage command to trace errors
subinterface
related to custom etherytype programming and find the
internal VLAN allocated to the sub-interface. You can use the
internal VLAN to verify if the XLIF entry is present in the
ES40 line card. Use this to verify if the custom ethertype is
properly programmed in the XLIF.
Unknown errors and events on the port channel
Use the debug platform port-channel [event, error]

command to trace the port channel events and errors. Share the
OL-16147-20
4-117
Chapter 4
GE LAG with LACP on UNI with Advanced Load Balancing

The GE Link Aggregation with Advanced Load Balancing feature allows the user to specify the primary
and multiple backup preferred member links for the service instance. Whenever the primary member
link is available (the interface is up and is part of the port-channel group), it is used as the egress interface
for a given service instance. When the preferred member link is not available (the interface is down or
not part of the port-channel group), a backup member link is used. If none of the backup links are
available or the user has neither configured the primary or the backup links, the 7600 platform
automatically selects an egress interface for the given service instance. In this case, the user has no
control over the egress interface.
If primary and backup links are configured and if the primary interface goes down, one of the backup
links is selected as the egress interface. At this stage, when the primary interface comes up, there is a
switch back to the primary interface. The backup link is selected based on the order of the configured
list of backup link IDs. The first backup link in the list is used if available, otherwise the next backup
link in the list is used. This continues until an available backup link is found.
This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic.
In the case of bridge domain, ingress traffic may enter any port that has an EFP in the same bridge
domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect
(xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect
configuration. This feature coexists with current service instance feature support and supports the
existing scale of 8000 service instance per processor (all 8000 service instances can be on one interface).
This feature supports HA and SSO as well as OIR.

When configuring GE Link Aggregation with Advanced Load Balancing, follow these guidelines and
restrictions:
When the user configures a link ID for a port-channel member link and configures that member link
as the preferred egress link for some service instances in that port-channel, there is redistribution of
traffic. The redistribution is such that:
Service instances that were configured to be sent over the preferred egress member link is sent
over the preferred member link. This is expected behavior.

Redistribution of traffic for which the user has not configured preferred member link happens.
The way this redistribution happens is as follows:

For example, let's say there are 8 member links in the port-channel. The load share of the
member links is allocated by the port manager as follows,
Member 1Load share bit 0, Member 2Load share bit 1,
Member 6Load share bit 6, Member 7Load share bit 7.
Now when the user configures Member 1 with link ID 2, the port manager code now allocates
load share bit 2 to member 1. So, the new assignments are,
Member 1Load share bit 2, Member 3Load share bit 0 (The load share of other members
remains the same.)
4-118
OL-16147-20
Chapter 4

Consider the example where the platform has chosen an egress link that has the load share bit
2. Before the user has configured the link ID = 2 for Member 1, this EFP traffic has been sent
over Member 3. After the user configuration, since member 1 now has the load share bit = 2,
this traffic is now be sent over member 1.
The reverse also happens; traffic that was going through member 1 before the user configuration
now goes through member 3.
Configuring GE Link Aggregation with Advanced Load Balancing

This section describes how to configure GE LAG with LACP on UNI with Advanced Load Balancing.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
channel-group channel-group-number mode {active | on | passive} link id
5.
exit
6.
7.
8.
9.
exit
10. exit
11. interface port-channel number
12. [no] port-channel load-balance link ID
13. [no] backup link ID_list
14. [no] service-instance service_instance_list
15. [no] group service_group_list
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
OL-16147-20
4-119
Chapter 4
Step 3
Command
Purpose

or
Specifies the Gigabit Ethernet or the Ten Gigabit

Ethernet interface to configure, where:
Example:
Step 4
channel-group channel-group-number mode {active |

on | passive} link id

EtherChannel group.
Example:
Router(config-if)# channel-group 2 mode on link 3
Step 5
exit
Exits the current configuration mode.
Example:
Step 6
Example:
Step 7

[service-name]}
Creates a service instance (an instantiation of a service

instance) on an interface and sets the device into the
config-if-srv submode.
Example:
Step 8
encapsulation dot1q vlan-id [second-dot1q

vlan-id]

service instance.
Example:
Step 9
exit
Example:
Step 10
exit
Example:
Step 11
Example:
Step 12
[no] port-channel load-balance link ID
Example:
Configures the specified member link interfaces for

load-balancing the port-channel's egress traffic and
enters the load-balancing configuration submode.
Router(config-if)# port-channel load-balance link

3
4-120
OL-16147-20
Chapter 4

Step 13
Command
Purpose
[no] backup link ID_list
Configures a list of member links to use as backup for the

primary load-balancing member link.
Example:
You can create multiple backup links using the backup

link command. The backup links are used in order of
configuration if a Port-channel member is down. A
default platform algorithm is used to find the backup
links if all the configured backup links are down.
Router(config-if-lb)# backup link 7
Step 14
[no] service-instance service_instance_list
Example:
Defines the set of service Ethernet instances whose traffic

should egress over the member link identified by
configuration in Step 12.
Router(config-if-lb)# service-instance 10
Step 15
[no] group service_group_list
Defines the Ethernet service groups that will be

load-balanced over an interface.
Example:
Router(config-if-lb)# group 10
Example
The following example shows four member links across two different channel-groups:
Router(config)# interface Gi0/1
Router(config-if-srv)# encapsulation dot1Q 10
Router(config-if-srv)# service instance 20 ethernet
Router(config-if-srv)# group 10
Additional service instance definitions follow:

Router(config-if)# port-channel load-balance link 3
Router(config-if-lb)# service-instance 10,20-22
Router(config-if-lb)# service-instance 30-40
OL-16147-20
4-121
Chapter 4

Verification
Table 4-19
Commands for Displaying Traffic Storm Control Status and Configuration
Command
Purpose
Router# show ethernet service instance interface interface

load-balance
Displays the current egress member-link assignments

for service instances configured with port-channel
load-balancing.
Router# show ethernet service instance id efp interface

port-channel group detail
Displays detailed status for the specified service

instance, including the egress member-link assignment,
if any.
Troubleshooting Load Balancing Features

Table Table 4-20 provides troubleshooting solutions for the LoadBalancing features.
Table 4-20
Problem
Solution
Link group creation command is rejected with an error

message Incomplete command".
Re-configure the link group with the specific link ID and these
keywords:
port-channel load-balance link:<< Missing link ID>>
no port-channel load-balance link: << Missing link

ID>>
default port-channel load-balance link:<< Missing link

ID
port-channel load-balance:<< Missing 'link' keyword
port-channel: << Missing 'load-balance' keyword>>
Error message Invalid input detected".
Re-configure the link group with valid IDs.
Back up link command is rejected and an error message

displayed
Ensure that:
The back up link ID does not overlap with the primary link
ID.
You have not exceeded the permissible number of back up

links.
You have not entered a sub-mode command in a deleted

load-balance group.
4-122
OL-16147-20
Chapter 4

Storm Control on Switchports and Ports Having EVCs
Problem
Solution
Invalid input
Execute the show run command to confirm if duplicate

back up link IDs exists between two link groups.
Ensure that the configured EFPs have valid IDs.
Ensure that you have not configured an existing EFP ID in

a different link group.
Member link is disabled
Use the show etherchannel port-channel command to verify

the load share of each member link. Study the derived output
and share the information with TAC for further investigation.
Traffic is not dsitributed equally among all members (Port

channel load balancing issue)
Use the show ethernet service instance interface

port-channel load-balance command to verify the load
balancing information for all the port channels. Share the
Traffic is not dsitributed equally among all members (EFP

load balancing issues)
Use the show ethernet service instance id efp interface

port-channel group detail command to verify and display the
the load balancing information for the EFPs. Share the output
with TAC for further investigation.

A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network
performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast
or multicast traffic storm on physical interfaces. The traffic storm control level is set as a percentage of
the total available bandwidth of the port.
For information on LAN-based Ethernet line card Broadcast Storm Control, see the chapter Configuring
Traffic Storm Control in the Cisco 7600 Series Router Cisco IOS Software Configuration Guide at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/storm.html.
This feature implements a mechanism to detect and control broadcast/multicast congestion/storm
scenario via rate control mechanism in ES line cards.
Storm control for ES20 and ES+ cards is supported on:
Switchports
Note
Layer 3 (routed port) to Layer 2 (switchport) conversion is allowed only when there are no
subinterfaces configured on the port.
Ports with EVC configurations

The feature is per port, not per EVC. Hence, all EVCs under the port are subject to the same storm
control rate.
In Cisco IOS Release 15.0(1)S, the following storm control feature enhancements are covered on 67xx,
6196, ES20 and ES+ line cards:
Port-channel interfaces: Support for port-channel interfaces on ES20 and ES+ line cards.
OL-16147-20
4-123
Chapter 4
Shutdown: When a storm is detected and the storm traffic exceeds the accepted threshold, the
affected interface moves to error disable state. The traffic threshold is calculated as a percentage of
the total bandwidth of the port (%BW). Use the error disable detection and the recovery feature, or
the shut or no shut command to re-enable the port on the affected interface.
Trap: An SNMP trap can be sent when a storm is detected.
Detecting a Broadcast Storm

A broadcast storm is detected when the following occurs:
The port receives multicast and broadcast traffic beyond its configured bandwidth.
The value of the TotalSuppDiscards counter increments. This value is displayed when you use the
show interface gigabitEthernet <slot/port> counters storm-control command.

Use the following guidelines and restrictions while configuring traffic storm control:
Note
These restrictions and usage guidelines apply only to the Cisco 7600 Series ES+ line cards.
Traffic storm control is disabled by default.
Unicast storm control is not supported.
Storm control on Layer 3 interfaces is supported.
Storm control feature cannot be configured at the EVC Level.
Storm control rate can not be specified in Packets/Second (PPS).
The broadcast and multicast suppression share the same suppression rate, therefore, when you
configure a different rate either for broadcast or multicast the new rate will apply to broadcast and
multicast.
Storm control feature is not supported on the member interfaces of a port channel.
Untagged frames can be subjected to storm control by having a service instance which marks all
untagged frames. Once such a service instance is created, these frames behave like any storm control
on any other EVC.
Specify the level as a percentage of the total interface bandwidth:

The level can be from 0 to 100.
The optional fraction of a level can be from 0 to 99.
100 percent means no traffic storm control.
0.0 percent suppresses all traffic.
You can specify the percentage rate to allow in units of 0.01%.
The maximum storm control rate is 4 Gbps (on 10 Gigabit interfaces it can be 40% of line rate)
Storm control works in switchport dot1q-tunnel mode.
When storm control is applied on an interface that has an inbound Layer 2 ACL applied, all packets
are dropped irrespective of the configured suppression level.
4-124
OL-16147-20
Chapter 4

Any additions or changes made to the storm control configuration on the port-channel interface is
automatically updated across all the port-channel member-links.
Storm control configuration or deletion is not allowed on member-links.
You can add an interface to a port-channel if the storm control configuration on the interface and the
port-channel are alike.
You can either club member-links to form a port- channel and then configure the port-channel
or change the storm control configuration on the interface to match with the port-channel,
before adding it to the port-channel.
Using the default interface command twice, removes the storm control feature from a member-link
interface.
Configuring Storm Control on Ports with EVC Configurations

This section describes how to configure storm control on ports with EVC configurations.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
[no] service instance id {Ethernet service-name}
5.
6.
7.
storm-control {broadcast | multicast} level level[.level]
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or

Example:
gigabitethernet 4/1
OL-16147-20
4-125
Chapter 4
Step 4
Command
Purpose

[service-name}

submode.
Example:
ethernet
Step 5
Example:

service instance.
dot1q 13
Step 6
Example:

instance.
Router(config-subif)# bridge domain 12
Step 7
storm-control {broadcast | multicast}

level level[.level]
Sets the storm control suppression level.
Example:
Router(config-if)# storm-control
broadcast level 30
Example
This example shows a configuration for ports with EVCs on them:
Router# enable
Router(config-if)# storm-control multicast level 45
Configuring Storm Control on Switchports

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
switchport
5.
switchport mode {access | dot1q-tunnel | dynamic {auto | desirable} | private-vlan | trunk}
6.
storm-control {broadcast | multicast} level level[.level]
4-126
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or

Example:
Step 4
Sets the switching characteristics of the Layer 2-switched

interface.
switchport
Example:
Step 5
switchport mode {access | dot1q-tunnel | dynamic

{auto | desirable} | private-vlan | trunk}
Sets the interface type.
Example:
Step 6
storm-control {broadcast | multicast} level

level[.level]
Sets the storm control suppression level.
Example:
Router(config-if)# storm-control broadcast level
30
Example
This example shows a configuration for ports with switchport configuration:
Router# enable
Router(config)# switchport
Router(config)# switchport mode trunk
Router(config)# storm-control multicast level 45
Configuring Storm Control on Port Channels

Perform the following tasks to configure storm control on port channels:
OL-16147-20
4-127
Chapter 4
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
snmp-server enable traps storm-control trap-rate trap-rate
4.
interface type slot/bay/port
5.
storm-control {{broadcast | multicast} level level | action {shutdown | trap}}
6.
end
7.
show interfaces type/slot/port counters storm-control
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
snmp-server enable traps storm-control trap-rate

trap-rate
Example:
(Optional) Enables SNMP storm control trap parameters.

The trap-rate range is 0 to 1000 traps per minute. However,
the number of traps generated for storm control cannot
exceed six per minute (by design).
Router(config)# snmp-server enable traps

storm-control trap-rate 2
Step 4
interface type slot/bay/port
Selects an interface to configure.
Example:
Router(config)# interface port-channel 1/0/18
Step 5
Router(config-if)# storm-control broadcast level

50
Sets the broadcast and multicast suppression level for

traffic storm control on the interface. Enables an action for
traffic storm control the interface, such as, shuts down an
interface or sends an SNMP trap. However, broadcast or
multicast level suppression must be enabled before setting
the action.
Router(config-if)# storm-control action shutdown
Note
storm-control {{broadcast | multicast} level

level | action {shutdown | trap}}
Example:
A suppression level of 100% means no suppression

will occur and 0% suppression means no traffic of
the suppressed type will be allowed.
The no form of the command disables storm control for

broadcast or multicast traffic or disables the specified
storm-control action, on the selected interface.
Note
Unicast level traffic suppression is not supported

on port channel interface.
4-128
OL-16147-20
Chapter 4

Command
Purpose
Step 6
end
Step 7
show interfaces type/slot/port counters

storm-control
Displays the total number of packets (%) discarded for the

three traffic storm control levels (broadcast, multicast and
unicast) on the specified interface.
Example:
Displays the statistics for the TotalSuppDiscards counter.

This counter increments whenever a traffic storm occurs.
Router# show interfaces gigabitEthernet 4/1

counters storm-control
For more information regarding the commands, see the following command reference guides:
Cisco IOS Interface and Hardware Component Command Reference
Cisco IOS Network Management Command Reference
Example
The following is a sample configuration for storm control on a Layer 2 port channel on the ES+ line card:
interface Port-channel22
switchport
switchport trunk encapsulation dot1q
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control action shutdown
storm-control action trap
switchport
channel-group 22 mode on
switchport
channel-group 22 mode on
Use the show interfaces interface counters storm-control command to display the total suppression
percentage of packets for the broadcast, multicast and unicast storm control traffic on all interfaces or
on a specified interface. The storm control shutdown on an interface depends on the TotalSuppDiscards
counter (displayed in the example). This counter increments when a traffic storm occurs.
Router# show interfaces counters storm-control
Port
Gi1/1
Gi1/2
Gi1/3
Gi1/4
Gi1/5
Gi1/6
UcastSupp %
100.00
100.00
100.00
100.00
100.00
100.00
McastSupp %
100.00
100.00
100.00
100.00
100.00
100.00
BcastSupp %
100.00
100.00
100.00
100.00
100.00
100.00
TotalSuppDiscards
0
0
0
0
0
0
OL-16147-20
4-129
Chapter 4
Gi1/7
Gi1/8
Gi1/9
Gi1/10
Gi1/11
Gi1/12
Gi1/13
Gi1/14
Gi1/15
Gi1/16
Gi1/17
Gi1/18
Gi1/19
Gi1/20
Gi1/21
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
20.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
20.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
2943374677
0
0
0
0
0
0
0
0
0
0
434529474
0
0
0
Port
Gi1/22
Gi1/23
Gi1/24
Gi1/25
Gi1/26
Gi1/27
Gi1/28
Gi1/29
Gi1/30
Gi1/31
Gi1/32
Gi1/33
Gi1/34
Gi1/35
Gi1/36
Gi1/37
Gi1/38
Gi1/39
Gi1/40
UcastSupp %
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
McastSupp %
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
BcastSupp %
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
100.00
TotalSuppDiscards
499018427
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Router#
Router# show interfaces gig1/18 counters storm-control
Port
Gi1/18
UcastSupp %
100.00
McastSupp %
100.00
BcastSupp %
100.00
TotalSuppDiscards
434529474
Verification
Table 4-21
Command
Purpose
Router# show interfaces [{type
slot/port} | switchport]
Router# show interfaces [{type1 slot/port} | counters

storm-control
Router# show interfaces counters storm-control [module
slot_number]
Displays the administrative and operational status of all

Layer 2 LAN ports or the specified Layer 2 LAN port.
Displays the total number of packets discarded for all
three traffic storm control modes, on all interfaces or on
the specified interface.
4-130
OL-16147-20
Chapter 4

1.
type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet
OL-16147-20
4-131
Chapter 4
Storm Control over EVC

Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast
storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating
excessive traffic, and degrading network performance.
Currently for ports where EVCs are configured, storm control can be configured per port. When you
configure storm control on a port, policing is applied on all the traffic on that port. Each EVC in a port
represents different types of customers such as different businesses or business and individuals on the
same port. When a traffic storm occurs, all traffic on the port is blocked impacting customers on all the
EVCs . To prevent this, service providers need to combine similar types of customers on the same port.
Effective with Cisco IOS 15.2(2)S, storm control is supported on EVCs and policing can be applied at
the EVC level. This feature enables service providers to combine different type of customers on the same
port.
Restrictions for Storm Control over EVC

Following restrictions apply to storm control over EVC:
Storm control over EVC can be configured on connect, cross connect and bridge-domain interfaces.
Storm control is supported on port channel EVCs.
Storm control over EVC can be configured only for broadcast or multicast packets, not for unicast
packets.
If storm control is already configured at the port level, you cannot configure storm control over EVC
and vice versa.
When an EVC moves to the error-disable state, auto-recovery can be configured for storm-control
after a certain pre-determined interval.
Storm control over EVC is supported only on the Cisco 7600 ES+ line card.
SNMP trap is not supported.
If storm control is enabled on a port channel EVC, the configuration is applied per network
processor (NP).
Only 256 policer profiles are supported per network processor.
QoS and storm-control share the same hardware policer resources.
Configuring Storm Control over EVC

Perform these steps to configure storm control over EVC feature.
Summary Steps
1.
enable
2.
configure terminal
3.
interface type number

or
4.
4-132
OL-16147-20
Chapter 4

5.
6.
storm control {{broadcast | multicast} cir cir| action shutdown}
7.
8.
end
Detailed Steps
Step 1
Command
Purpose
enable

password.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or
or

interface, or port channel to configure.
number Specifies the port channel interface.
Example:
gigabitethernet 4/1
Step 4

[service-name}

the interface.
Example:
ethernet
Step 5
Example:

service instance.
dot1q 100
Step 6

where bridge-id is the identifier.
Example:
Router(config-subif)# bridge-domain 12
OL-16147-20
4-133
Chapter 4
Step 7
Command
Purpose
storm-control {{broadcast | multicast}

cir cir-value | action shutdown }
Sets the storm control rate for broadcast or multicast.

Enables an action for traffic storm control on the
interface, such as, shutting down an interface.
Example:
cir-value - The acceptable range is 10000000

-1000000000 for a gigabit ethernet interface, and
100000000-10000000000 for a ten gigabit interface. The
recommended maximum value is up to 98 percent.
Router(config-if)# storm-control
broadcast cir 11000000
Step 8
end
Example:
Note
When the ingress packets exceed the configured rate, the EVC moves to error-disable state if the action
is configured as shutdown. You can configure the EVC to move to up state after a certain interval using
errdisable recovery casue storm-control interval command. The accepted interval varies from 30 to
86400 seconds.
Examples
This example shows how to configure storm control over an EVC.
Router# enable
Router(config-if-srv)# storm-control broadcast cir 11000000
This example shows how to configure storm control over a port channel EVC.
Router# enable
Router(config-if-srv)# storm-control multicast cir 11000000
4-134
OL-16147-20
Chapter 4

Asymmetric Carrier-Delay
Verification
Use the show ethernet service instance id id interface type slot/port stats command to verify the storm
control over EVC configuration.
Router# show ethernet service instance id 1204 interface gigabit ethernet 2/7 stats
Port maximum number of service instances: 8000
Service Instance 1204, Interface GigabitEthernet2/7
Pkts In
Bytes In
Pkts Out Bytes Out
2262238 452447600
150570
30114000
StormControl Discard Pkts: 1809909
During redundant link deployments where the remote network element is enabled, a link or port may be
displayed as up before the port or link is ready to forward data. This anomaly leads to traffic loss during
switchover as up events are notified faster than the required routing protocol convergence time. With
existing conventional carrier delay, both up and down events are notified within equal time that might
not be feasible in certain network deployments. Asymmetric carrier-delays ensure stable topologies
compared to conventional carrier-delay implementation.
Table 4-22 lists the differences between the conventional carrier-delay and asymmetric carrier-delay
implementations.
Table 4-22
Conventional Carrier-delay versus Asymmetric Carrier-delay
Conventional carrier-delay implementation
Asymmetric carrier-delay implementation
You can configure carrier-delay on a main

physical interface.
You can configure asymmetric carrier-delay on a

main physical interface.
The default value for configuring symmetric

carrier delay is 10 milliseconds.
The default values for configuring asymmetric

carrier-delay is as follows:
For ES+ GE linecards:
up time is 300 milliseconds.
down time is 10 milliseconds.
For ES+ 10 GE linecards:
You can configure a single delay value used by

both up and down events.
up time is 1000 milliseconds.
down time is 10 milliseconds.
You can configure separate delay values for each

down and up timers.
Traffic losses and timer optimization issues due to Optimal timer configurations are achieved due to
single configurable delay values for both up and separate for timer values for up and down events.
down events.
The minimum valid carrier-delay down time that user can configure is 11 milliseconds for Gigabit
ports. By default, carrier-delay is configured to 10 milliseconds during a card bootup. However, even
if you configure a value less than 11 milliseconds , there will not be any impact on the carrier delay.
OL-16147-20
4-135
Chapter 4
Note
As the fast link feature and carrier-delay features are mutually exclusive, fast link feature is enabled
by default.
If you configure carrier-delay values, fast link feature is disabled on a line card.
Though the fast link feature is configured by default in the card, the carrier-delay feature overwrites
the fast link feature when configured.
If you have not configured the carrier-delay values, fast link feature values are utilized for down
event notification.
If you are using Cisco IOS release version 12.2(33) SRE or prior versions and asymmetric carrier delay
is configured on the interface, the show running-config command may display carrier-delay msec 0.
This issue is fixed in Cisco IOS 15.0(1)S and further releases.
Configuring Asymmetric Carrier Delay

Perform these steps to configure asymmetric carrier delay.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface type/ slot/port
4.
carrier-delay [{up | down} [seconds]{msec| sec}]
5.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface type/ slot/port
Selects the main interface to configure.
Example:
Router(config)# interface gigabit
ethernet 8/0/14
4-136
OL-16147-20
Chapter 4

Manual Load Balancing for EVC over Port-Channel/LACP
Step 4
Command or Action
Purpose
carrier-delay [{up | down}

[seconds]{msec| sec}]
Configures the asymmetric carrier-delay up or down value in

milliseconds or seconds.
Example:
Router(config-if)# carrier-delay up 300
Router(config-if)# carrier-delay down 10
Step 5
end
Verification
You can use the show run command to display the carrier-delay configurations on an ES+ physical
interface. The first example shows asymmetric carrier-delay configuration and the second example
shows symmetric carrier delay configuration.
Router# show running-config interface GigabitEthernet 8/0/4
Current configuration:
!
interface GigabitEthernet8/0/4
no ip address
carrier-delay up 300
carrier-delay down 10
shutdown
Router# show running-config interface GigabitEthernet 2/0/1
Current configuration:
!
no ip address
carrier-delay msec 10
shutdown

The Manual Load Balancing for EVC over Port-Channel/LACP feature allows the user to specify the
primary and multiple backup preferred member links for the service instance. Whenever the primary
member link is available (the interface is up and is part of the port-channel group), it is used as the egress
interface for a given service instance. When the preferred member link is not available (the interface is
down or not part of the port-channel group), a backup member link is used. If none of the backup links
are available or the user has neither configured the primary or the backup links, the 7600 platform
automatically selects an egress interface for the given service instance. In this case, the user has no
control over the egress interface.
If primary and backup links are configured and if the primary interface goes down, one of the backup
links is selected as the egress interface. At this stage, when the primary interface comes up, there is a
switch back to the primary interface. The backup link is selected based on the order of the configured
list of backup link IDs. The first backup link in the list is used if available, otherwise the next backup
link in the list is used. This continues until an available backup link is found.
OL-16147-20
4-137
Chapter 4
This feature only changes egress EFP traffic in the port-channel and does not affect the ingress traffic.
In the case of bridge domain, ingress traffic may enter any port that has an EFP in the same bridge
domain as the EFP in the port-channel. In the case of local switching (connect) and cross-connect
(xconnect), ingress traffic is received at the EFP or port specified in the connect or cross-connect
configuration. This feature coexists with current service instance feature support and supports the
existing scale of 8000 service instance per processor (all 8000 service instances can be on one interface).
This feature supports HA and SSO as well as OIR.

When configuring Manual Load Balancing for EVC over Port-Channel/LACP, follow these guidelines
and restrictions:
When the user configures a link ID for a port-channel member link and configures that member link
as the preferred egress link for some service instances in that port-channel, there is redistribution of
traffic. The redistribution is such that:
Service instances that were configured to be sent over the preferred egress member link is sent
over the preferred member link. This is expected behavior.

Redistribution of traffic for which the user has not configured preferred member link happens.
The way this redistribution happens is as follows:

For example, let's say there are 8 member links in the port-channel. The load share of the
member links is allocated by the port manager as follows,
Member 6Load share bit 6, Member 7Load share bit 7.
Now when the user configures Member 1 with link ID 2, the port manager code now allocates
load share bit 2 to member 1. So, the new assignments are,
Member 1Load share bit 2, Member 3Load share bit 0 (The load share of other members
remains the same.)
Consider the example where the platform has chosen an egress link that has the load share bit
2. Before the user has configured the link ID = 2 for Member 1, this EFP traffic has been sent
over Member 3. After the user configuration, since member 1 now has the load share bit = 2,
this traffic is now be sent over member 1.
The reverse also happens; traffic that was going through member 1 before the user configuration
now goes through member 3.
Configuring Manual Load Balancing for EVC over Port-Channel/LACP

This section describes how to configure manual load balancing for EVC over Port-Channel/LACP.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4-138
OL-16147-20
Chapter 4

4.
channel-group channel-group-number mode {active | on | passive} link id
5.
exit
6.
7.
8.
9.
exit
10. exit
11. interface port-channel number
12. [no] port-channel load-balance link ID
13. [no] backup link ID_list
14. [no] service-instance service_instance_list
15. [no] group service_group_list
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or

Example:
Step 4
channel-group channel-group-number mode {active |

on | passive} link id

EtherChannel group.
Example:
Step 5
exit
Example:
Step 6
Example:
OL-16147-20
4-139
Chapter 4
Step 7
Command
Purpose

[service-name]}
Creates a service instance (an instantiation of a service

instance) on an interface and sets the device into the
config-if-srv submode.
Example:
Step 8
encapsulation dot1q vlan-id [second-dot1q

vlan-id]

service instance.
Example:
Step 9
exit
Example:
Step 10
exit
Example:
Step 11
Example:
Step 12
[no] port-channel load-balance link ID
Example:
Configures the specified member link interfaces for

load-balancing the port-channel's egress traffic and
enters the load-balancing configuration submode.
Router(config-if)# port-channel load-balance link

3
Step 13
[no] backup link ID_list
Configures a list of member links to use as backup for the

primary load-balancing member link.
Example:
You can create multiple backup links using the backup

link command. The backup links are used in order of
configuration if a Port-channel member is down. A
default platform algorithm is used to find the backup
links if all the configured backup links are down.
Step 14
[no] service-instance service_instance_list
Example:
Defines the set of service Ethernet instances whose traffic

should egress over the member link identified by
configuration in Step 12.
Step 15
[no] group service_group_list
Defines the Ethernet service groups that will be

load-balanced over an interface.
Example:
4-140
OL-16147-20
Chapter 4

Example
The following example shows four member links across two different channel-groups:
Additional service instance definitions follow:

Router(config-if-lb)# service-instance 10,20-22
Router(config-if-lb)# service-instance 30-40
Verification
Table 4-23
Command
Purpose
Router# show ethernet service instance interface interface

load-balance
Displays the current egress member-link assignments

for service instances configured with port-channel
load-balancing.
Router# show ethernet service instance id efp interface

port-channel group detail
Displays detailed status for the specified service

instance, including the egress member-link assignment,
if any.
OL-16147-20
4-141
Chapter 4
EVC Port Channel Per Flow Load Balancing

EVC port channel per flow load balancing is implemented to load balance traffic across member links
of a port channel when EVCs are configured. If this type of load balancing is not configured, EVCs
configured on a port channel are statically mapped to one of the active port-channel member links, which
results in the outgoing traffic being limited to the bandwidth of the member link.
In a flow based load balancing on EVC port channel, different flows of traffic over an EVC interface are
identified based on the data packet header. For example, the source and destination address of the data
packet can be used to identify a flow. The various data traffic flows are then mapped to the different
member links of a port channel. After the mapping is complete, the data traffic is transmitted through
the assigned member link. The flow mapping is dynamic and changes when there is any change in the
state of a member link to which a flow is assigned. The flow mappings can also change if member links
are added or removed from the EVC interface. Multiple flows can be mapped to each member link.
Table 4-24 lists the ACL support for EVC port channel with per-flow load balancing.
Table 4-24
ACL Support for Port Channel Per-flow Load Balancing
ACL Type
Ingress Support
Egress Support
Layer 2
Yes
No
Layer 3 and Layer 4
Yes
Yes
Ingress ACLs are internally configured on every member interface because the traffic can enter any of
the member links. Therefore, the load balancing algorithm does not change the way the ingress ACLs
behave.
When per-flow load balancing is configured on the port-channel, traffic for an EVC can exit from any
of the member links. Therefore, with the per-flow load balancing feature enabled on the port channel,
the egress ACL is internally configured on each of the member links in the egress direction. When the
per-flow load balancing configuration is removed from the port-channel interface, the egress ACL
information is internally removed from each active member link, and configured on the member selected
by the load balancing algorithm.
Restrictions
Following restrictions apply for EVC port channel per flow load balancing:
When flow-based load balancing is configured, bandwidth of the port channel should be configured
such that it is equal to the member links port bandwidth. Use the bandwidth bandwidth_value
command in the port-channel interface.
EVC port channel per flow load balancing is supported over connect and cross connect.
EVC port channel per flow load balancing is not supported over a bridge domain.
Flow based load balancing cannot co-exist with other load balancing schemes.
4-142
OL-16147-20
Chapter 4

If you configure QoS on a EVC port channel, QoS policies are installed on each port channel
member link with the same QoS configuration of the EVC port channel. For example, if you
configure 1 Mbps bandwidth on a EVC port channel with four active member links, 1 Mbps is
configured on each member link.
If EVCs within a port-channel interface are part of a service group with EVCs and sub interfaces
configured, you cannot remove the flow-based load balancing configuration.
Configuring EVC Port Channel Per Flow Load Balancing

This section describes how to configure flow based load balancing on EVC port channel.
Summary Steps
1.
enable
2.
configure terminal
3.
interface port-channel channel-number
4.
port-channel load-balance flow-based
5.
end
Detailed Steps
Step 1
Command
Purpose
enable

prompted.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4
Configures the specified port-channel interface in flow

based load-balancing mode.
Example:
Router(config-if)# port-channel load-balance
flow-based
Step 5
end
OL-16147-20
4-143
Chapter 4
Example
This example shows configuring flow based load balancing on a port channel interface.
Router# enable
Router(config)# interface Port-channel 1
Router(config-if)# bandwidth 1000000
Router(config-if)# port-channel load-balance flow-based
Verification
Use the show running-config interface port-channel channel-number command to verify the EVC port
channel per flow load balancing configuration.
Router# enable
Router# show running-config interface Port-channel 2
!
band width 1000000
no ip address
end
Configuring Layer 3 and Layer 4 ACLs

This section describes how to configure Layer 3 and Layer 4 ACLs on an EVC port channel with per
flow load balancing.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
mtu bytes
5.
no ip address
6.
7.
service instance id ethernet [evc-name]
8.
4-144
OL-16147-20
Chapter 4

9.
ip access-group {access-list-name | access-list-number} {in | out}
10. xconnect peer-ip-address vc-id {encapsulation mpls}

11. end
DETAILED STEPS
Step 1
Command
Purpose
enable

prompted.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Step 4
Specifies the maximum transmission unit (MTU) size.
mtu bytes
Example:
Step 5
no ip address
Disables IP adress processing.
Example:
Step 6
Configures the specified port-channel interface in a flow

based load-balancing mode.
Example:
Router(config-if)# port-channel load-balance
flow-based
Step 7
service instance id ethernet [evc-name]
Configures an ethernet service instance on an interface and

enters ethernet service configuration mode.
Example:
Step 8
Enables IEEE 802.1Q encapsulation of traffic on the

specified subinterface in a VLAN.
Example:
Router(config-if-srv)#encapsulation dot1q 2
OL-16147-20
4-145
Chapter 4
Step 9
Command
Purpose
ip access-group {access-list-name |
access-list-number} {in | out}
Applies the IP access list to the interface.
Example:
Router(config-if-srv)#ip access-group acl3 out
Step 10
xconnect peer-ip-address vc-id {encapsulation

mpls}
Binds an attachment circuit to a pseudowire.
Example:
Router(config-if-srv)#xconnect 2.2.2.2 2
encapsulation mpls
Step 11
Exits the service instance configuration mode.
end
Configuration Examples
This example shows how to configure Layer 3 and Layer 4 ACLs on an EVC port channel with per flow
load balancing.
Router# enable
Router(config-if-srv)# ip access-group acl3 out
Router(config-if-srv)# xconnect 2.2.2.2 2 encapsulation mpls
Verification
Use the show ip access-lists access-list-name command to list the ACL configuration.
Router# show ip access-lists acl3
Extended IP access list acl3
10 permit tcp any eq 1003 any eq 5003
Use the show ethernet service instance id id command to display information about ethernet customer
service instances.
Router# show ethernet service instance id 3
interface port-channel 4 stats Port maximum number of service instances: 8000 Service
Instance 3, Interface Port-channel4
Pkts In
Bytes In
Pkts Out Bytes Out
0
0
14359328 1794916000
SACL permit out count: 14362672
SACL deny out count: 504376
4-146
OL-16147-20
Chapter 4


Configured at the edge of a provider's network, Multichassis Link Aggregation Control Protocol
(MLACP) features performs the following actions:
Dual-homed devices (DHD) to provide network redundancy between two or more service provider
networks.
Allows the LACP state machine and protocol to operate in a dual- homed mode.
Each switch is a point of attachments (PoA), where one PoA is active, and the other is a standby, and the
active PoA executes the multichassis link aggregation group with a DHD. A virtual LACP peer on the
PoA is created giving the impression that a DHD is connected to one node.
shows the placement of PoAs and DHDs in an MLACP configuration.
Figure 4-5
Placement of PoAs and DHDs in an MLACP Implementation
Standby PoA
(Point of Attachment)
Standby PW
Standby AC
DHD
(Dual-Homed Device)
Active PW
Active PoA
(Point of Attachment)
247311
Active AC
The status of the PoAs during traffic relay are:
The two PoAs form a redundancy group, and only one of the PoAs is active at any given time.
Only two PoAs form a redundancy group; however, you can configure a maximum of 50 redundancy
groups connecting to other DHDs.
Active links exist only between a DHD and active PoAs. None of the links between the DHD and
the standby PoA relay traffic other than Bridge Protocol Data Unit (BPDU)s.
The state of the etherchannel interface on a standby PoA is UP.
A switchover from an active PoA to a standby PoA occurs when there is a failure on the:
Uplink port on the DHD
Downlink port on an active PoA
Active PoA node
OL-16147-20
4-147
Chapter 4
Active PoA uplinks
The default switchover mechanism uses dynamic port priority changes on the port channel and member
link(s) to provide revertive mode and nonrevertive mode options. The default operation in a multichassis LACP is revertive.
Bruteforce is a switchover mechanism where the member link is in a err-disable state after a switchover.
To recover the port channel and enable the member link on a new standby PoA, use the err disable
recovery cause mlacp-minlink command in the global configuration mode.
Use the lacp max-bundle command on all the PoAs to operate in the PoA control and shared control
modes. The max-bundle value argument should not be less than the total number of links in the Link
Aggregation Group (LAG) that are connected to the PoA. Each PoA may be connected to the DHD with
a different number of links for the LAG and, therefore, configured with a different value for the
max-bundle value argument.
Note
The lacp failover brute-force command cannot be used with a nonrevertive configuration.
Requirements and Restrictions

Follow these requirements and restrictions when configuring the MLACP feature in a ES40 line card:
Supported only on ES20 and ES40 line cards, all member links on a port-channel should be on same
type of line card.
Cisco IOS Release 12.2(33)SRE supports service instances only on an MLACP port-channel.
A PoA may be active for one port-channel, and standby for a different port-channel.
The maximum number of port-channels supported on a PoA is 256.
In any LACP configuration, ensure that the numerical value of the system-priority of the virtual
LACP instance on the PoAs is lower (higher priority) than that on the DHD for all control variants.
It is not recommended to configure different max bundle configurations on a PoA. For example, if
DHD 1 to PoA has 4 links, PoA2 should also have 4 links.
Links can be successfully aggregated based on the following constraints:

Links should be from the same line card type.
QoS should be validated.
Port-channel hashing should be identical for two links.
Flowcontrol should match.
When Cisco 7600 routers are used to form a redundancy group within a PoA, the member links
should adhere to the constraints listed in the previous paragraph. These constraints are not validated
across PoAs and you should ensure that configuration between the two PoAs are identical.
Ensure that the etherchannel usage configuration is identical on the two PoAs.
The maximum bundle value on a PoA is 8.
A maximum of two PoAs in a redundancy group and 50 redundancy groups per node are supported.
Multiple Spanning Tree (MST) on an EVC is not supported on MLACP etherchannel ports.
Reverse Layer 2 Gateway Protocol (RL2GP) with MLACP is not supported.
4-148
OL-16147-20
Chapter 4

DHD port-channel cannot use Spanning Tree Protocol (STP) or Resilient Ethernet Protocol (REP)
or Reverse Layer 2 Gateway Protocol (RL2GP) as a redundancy option. DHD port-channel disables
the STP enabled by default.
Subinterfaces on port-channels are not supported.
You can configure the channel-group command as active and configuring the channel-group
command as passive is not supported.
As the lacp direct-loadswap command is not applicable on a PoA, member links on a PoA are not
protected with links on the same PoA.
We do not recommend you to have different bundle configurations on a DHD. For example, if DHD
1 to PoA1 has four links, DHD 1 to PoA 2 should also have the same number of links.
Use the port-channel min-link command to configure each PoA with the minimum number of
links. This maintains the LAG in an active state.
The lacp max-bundle command must be used on all the PoAs to operate in PoA control and shared
control modes. The value of the max-bundle should not be less than the total number of interfaces
in the LAG that are connected to the PoA.
If you use the lacp failover command with brute force, then after the switchover, the port-channel
member link moves to a errdisabled state.By default, the interval is 300 seconds (tunable range is
30 seconds to 300 seconds).To recover the port-channel, use the errdisable recovery cause
mlacp-minlink command. EVC with connect as forwarding function is not supported.
The lacp failover non-revertive and lacp failover brute-force commands are mutually exclusive
within the same port-channel.
Connectivity Fault Management configuration on an MLACP port-channel is not permissible.
For best switchover performance, configure LACP fast-switchover in PoAs and DHDs.
You cannot use MLACP port-channel for IP forwarding.
You cannot configure REP on a MLACP port-channel.
Use the errdisable recovery cause mlacp-minlink command to auto-recover the port-channel after
timer expiration.
The core interfaces in a VPLS core should be a ES20 or ES40 line card.
When switching to MLACP mode from P-MLACP mode, ensure that you:
Enable max bundle configuration to have MLACP active or standby.
Shutdown interface on both PoA to avoid any possible traffic loop.
The recommended configuration sequence is:
Configure interchassis group and MLACP commands.
Configure MLACP interchassis group and other port-channel commands.
Add member links.
1.
enable
2.
configure terminal
3.
redundancy
4.
interchassis group {number}
5.
monitor peer {BFD}
SUMMARY STEPS
OL-16147-20
4-149
Chapter 4
6.
member IP {IP address}
7.
mlacp node-id {number}
8.
mlacp system-mac {IP address}
9.
mlacp system-priority priority
10. backbone interface any interface

11. exit
12. interface port-channel {port-channel number}
13. lacp max-bundle {max-bundle value}
14. lacp failover { non-revertive| brute force }
15. mlacp interchassis group {group-id}
16. backbone int member
17. exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
redundancy
Enters redundancy configuration mode.
Example:
Router(config)# redundancy
Step 4
interchassis group {number}
Configures an interchassis group within the redundancy

configuration mode and assigns a group number.
Example:
Router(configure-red)# interchassis
group 400
Step 5
monitor peer {BFD}
Configures the BFD option to monitor the state of the

peer. The default option is route-watch.
Example:
Router(configure-red)#
4-150
OL-16147-20
Chapter 4

Step 6
Command
Purpose
member ip {IP address}
Configures the IP address of the mlacp peer member

group.
Example:
Router(configure-red)# member ip
172.3.3.3
Step 7
mlacp node-id {number}
Example:
Defines the node ID to be used in the LACP port-id field.

Valid value range is 0 - 7, and the value should be
different from the peer values.
Router(config-r-ic)# mlacp node-id 5
Step 8
mlacp system-mac {address}
Defines and advertises the system MAC address value to

the MLACP members of the redundancy group.
Example:
Router(config-r-ic)# mlacp
aaaa.aaaa.aaab
Step 9
Example:
Router(config-r-ic)# mlacp system-priority 100
Step 10
backbone interface any interface
Defines the system priority advertised to the other

MLACP members of the redundancy group. System
priority values are from 1 to 65535, the default value
being 32768. The assigned values should be lower than
the DHD.
Defines the backbone interface for the MLACP configuration.
Example:
Router(config-r-ic)# backbone interface GigabitEthernet2/3
Step 11
exit
Exits the redundancy mode.
Step 12
interface port-channel {port-channel

number}
To identify the PoA uplink failure, configure the portchannel interface or any physical interface.
Example:
Router# interface Port-channel1
Step 13
lacp max-bundle
{max-bundle value}
Example:
Configures the max-bundle links that are connected to the

PoA. The value of the max-bundle links argument should
not be less than the total number of links in the LAG that
are connected to the PoA.
Router (config-int)# lacp max-bundle 4
OL-16147-20
4-151
Chapter 4
Step 14
Command
Purpose
lacp failover { non-revertive| brute

force}
Sets the MLACP switchover to nonrevertive or brute

force. Default value is revertive. If you configure brute
force, a minimum link or last link failure for every
MLACP failure occurs or the dynamic lag priority value
is modified.
Example:
P19_C7609-S(config-if)#lacp failover ?
brute-force
Brute force interface
failover
non-revertive Non revertive interface
failover
Step 15
mlacp interchassis group {group-id}
Specifies that the port-channel is an MLACP port-channel. The group-id should match the configured redundancy group.
Example:
Router(config-red)#interchassis group
230
Step 16
backbone int member
Sets the backbone interface member.
Example:
Router(config-r-ic)# mlacp 5
Step 17
exit
Exits the port-channel interface mode.
Examples
The following is a configuration example for Virtual Private Wire Services (VPWS):
ACTIVE POA
redundancy
interchassis group 100
monitor peer bfd
member ip 172.3.3.3
backbone interface GigabitEthernet2/3
mlacp system-priority 200
mlacp node-id 0
!
no ip address
load-interval 30
speed nonegotiate
port-channel min-links 4
lacp failover brute-force
lacp fast-switchover
lacp max-bundle 4
mlacp lag-priority 28000
mlacp interchassis group 100
xconnect 172.2.2.2 2 pw-class mlacp
backup peer 172.4.4.4 2 pw-class mlacp
!
pseudowire-class mlacp
encapsulation mpls
4-152
OL-16147-20
Chapter 4

status peer topology dual-homed

mpls ldp graceful-restart
!
!
interface Loopback0
ip address 172.1.1.1 255.255.255.255
!
ip address 120.0.0.1 255.255.255.0
carrier-delay msec 0
mpls ip
bfd interval 100 min_rx 100 multiplier 3
!
no ip address
speed 1000
channel-group 1 mode active
Use the show lacp multi-chassis group command to display the interchassis redundancy group value
and the operational LACP parameters.
MLACP-PE1# show lacp multi-chassis group 100
Interchassis Redundancy Group 100
Operational LACP Parameters:
RG State:
Synchronized
System-Id:
200.000a.f331.2680
ICCP Version: 0
Backbone Uplink Status: Connected
Local Configuration:
Node-id:
0
System-Id: 200.000a.f331.2680
Peer Information:
State:
Up
Node-id:
7
System-Id:
2000.0014.6a8b.c680
ICCP Version: 0
State Flags: Active
Standby
Down
AdminDown
Standby Reverting
Unknown
mLACP Channel-groups
Channel
State
Priority
Group
Local/Peer Local/Peer
1
A/S
28000/32768
A
S
D
AD
SR
U
Active Links
Local/Peer
4/4
Inactive Links
Local/Peer
0/0
Use the show lacp multi-chassis portchannel command to display the interface port-channel value
channel group, LAG state, priority, inactive links peer configuration, and standby links.
MLACP-PE1# show lacp multi-chassis port-channel 1
Interface Port-channel1
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Total Active Links: 4
Bundled: 4
OL-16147-20
4-153
Chapter 4
Selected: 4
Standby: 0
Unselected: 0
Peer Configuration:
Interface: Port-channel1
Address: 0014.6a8b.c680
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0
Use the show mpls ldp iccp command to display the LDP session and ICCP state information.
MLACP-PE1# show mpls ldp iccp
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
ldp_session 0x3, client_id 0
iccp state: ICPM_ICCP_CONNECTED
app type: MLACP
app state: ICPM_APP_CONNECTED, ptcl ver: 0
ICPM RGID Table total ICCP sessions: 1
ICPM LDP Session Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
app type: MLACP
ICPM LDP Session Table total ICCP sessions: 1
Use the show mpls l2transport command to display the local interface and session details, destination
address, and status.
MLACP-PE1# show mpls l2transport vc 2
Local intf
------------Po1
Po1
Local circuit
-------------------------Eth VLAN 2
Eth VLAN 2
Dest address
--------------172.2.2.2
172.4.4.4
VC ID
---------2
2
Status
---------UP
STANDBY
Use the show etherchannel summary command to display the status and identity of the MLACP
member links.
MLACP-PE1# show etherchannel summary
Flags: D - down
P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3
S - Layer2
U - in use
f - failed to allocate aggregator
M
u
w
d
not in use, minimum links not met

unsuitable for bundling
waiting to be aggregated
default port
Number of channel-groups in use: 2

Number of aggregators:
2
4-154
OL-16147-20
Chapter 4

Group Port-channel Protocol

Ports
------+-------------+-----------+----------------------------------------------1
Po1(RU)
LACP
Gi2/9(P)
Gi2/20(P)
Gi2/31(P)
Use the show lacp internal command to display the device, port, and member- link information.
MLACP-PE1# show lacp internal
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode
P - Device is in Passive mode
Channel group 1
Port
Gi2/9
Gi2/20
Gi2/31
Gi2/40
Flags
SA
SA
SA
SA
State
bndl-act
bndl-act
bndl-act
bndl-act
LACP port
Priority
28000
28000
28000
28000
Admin
Key
0x1
0x1
0x1
0x1
Oper
Key
0x1
0x1
0x1
0x1
Port
Number
0x820A
0x8215
0x8220
0x8229
Port
State
0x3D
0x3D
0x3D
0x3D
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0xF30C
0xF316
0xF321
0xF303
0x5
0x5
0x7
0x7
Peer (MLACP-PE3) mLACP member links

Gi3/11
Gi3/21
Gi3/32
Gi3/2
FA
FA
FA
FA
hot-sby
hot-sby
hot-sby
hot-sby
32768
32768
32768
32768
POA2
redundancy
monitor peer bfd
member ip 172.1.1.1
mlacp node-id 7
!
no ip address
load-interval 30
speed nonegotiate
lacp failover brute-force
lacp max-bundle 4
xconnect 172.2.2.2 2 pw-class mlacp
backup peer 172.4.4.4 2 pw-class mlacp
!
pseudowire-class mlacp
encapsulation mpls
!
!
interface Loopback0
ip address 172.3.3.3 255.255.255.255
!
OL-16147-20
4-155
Chapter 4

!
ip address 123.0.0.2 255.255.255.0
mpls ip
!
Use the show lacp multi-chassis group command to display the LACP parameters, local configuration,
status of the backbone uplink, peer information, node ID, channel, state, priority active, and inactive
links.
RG State:
Synchronized
System-Id:
200.000a.f331.2680
ICCP Version: 0
Node-id:
7
System-Id: 2000.0014.6a8b.c680
Peer Information:
State:
Up
Node-id:
0
System-Id:
200.000a.f331.2680
ICCP Version: 0
State Flags: Active
Standby
Down
AdminDown
Standby Reverting
Unknown
Channel
State
Priority
Group
1
S/A
32768/28000
A
S
D
AD
SR
U
Active Links
Local/Peer
4/4
Inactive Links
Local/Peer
0/0
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0
Peer Configuration:
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
4-156
OL-16147-20
Chapter 4

Priority: 28000
Inactive Links: 0
Bundled: 4
Selected: 4
Standby: 0
Unselected: 0
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.1.1.1
app type: MLACP
iccp:
rg_id: 100, peer addr: 172.1.1.1
app type: MLACP
MLACP-PE3# sh mpls l2transport vc 2
Local intf
------------Po1
Po1
Local circuit
-------------------------Eth VLAN 2
Eth VLAN 2
Dest address
--------------172.2.2.2
172.4.4.4
VC ID
---------2
2
Status
---------STANDBY
STANDBY
member links.
Flags: D - down
R - Layer3
S - Layer2
U - in use
M
u
w
d

default port

2
Ports
------+-------------+-----------+----------------------------------------------1
Po1(RU)
LACP
Gi3/2(P)
Gi3/11(P)
Gi3/21(P)
Gi3/32(P)
MLACP-PE3# show lacp 1 internal
OL-16147-20
4-157
Chapter 4
Channel group 1
Port
Gi3/2
Gi3/11
Gi3/21
Gi3/32
Flags
FA
FA
FA
FA
State
bndl-sby
bndl-sby
bndl-sby
bndl-sby
LACP port
Priority
32768
32768
32768
32768
Admin
Key
0x1
0x1
0x1
0x1
Oper
Key
0x1
0x1
0x1
0x1
Port
Number
0xF303
0xF30C
0xF316
0xF321
Port
State
0x7
0x5
0x5
0x7
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x8215
0x8220
0x8229
0x820A
0x3D
0x3D
0x3D
0x3D

Gi2/20
SA
Gi2/31
SA
Gi2/40
SA
Gi2/9
SA
MLACP-PE3#
bndl
bndl
bndl
bndl
28000
28000
28000
28000
The following is a configuration example for a Virtual Private Lan Service (VPLS):
Active POA
redundancy
monitor peer bfd
member ip 172.3.3.3
mlacp node-id 0
!
no ip address
speed nonegotiate
lacp max-bundle 4
bridge-domain 4000
!
l2 vfi VPLS manual
vpn id 4000
neighbor 172.2.2.2 encapsulation mpls
status decoupled
!
interface Vlan4000
xconnect vfi VPLS
!
!
interface Loopback0
ip address 172.1.1.1 255.255.255.255
!
ip address 120.0.0.1 255.255.255.0
carrier-delay 0
mpls ip
!
4-158
OL-16147-20
Chapter 4

!
Use the show lacp mg command to display the LACP parameters, local configuration, status of the
backbone uplink, peer information, node ID, channel, state, priority active, and inactive links.
RG State:
Synchronized
System-Id:
200.000a.f331.2680
ICCP Version: 0
Node-id:
0
System-Id: 200.000a.f331.2680
Peer Information:
State:
Up
Node-id:
7
System-Id:
2000.0014.6a8b.c680
ICCP Version: 0
State Flags: Active
Standby
Down
AdminDown
Standby Reverting
Unknown
Channel
State
Priority
Group
1
A/S
28000/32768
A
S
D
AD
SR
U
Active Links
Local/Peer
4/4
Inactive Links
Local/Peer
0/0
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Bundled: 4
Selected: 4
Standby: 0
Unselected: 0
Peer Configuration:
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Bundled: 0
OL-16147-20
4-159
Chapter 4
Selected: 0
Standby: 4
Unselected: 0
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.3.3.3
app type: MLACP
iccp:
rg_id: 100, peer addr: 172.3.3.3
app type: MLACP
Use the show mpls l2transport command to display the local interface and session details, destination
address, and the status.
MLACP-PE1# show mpls l2transport vc 4000
Local intf
------------VFI VPLS
VFI VPLS
Local circuit
Dest address
VC ID
Status
-------------------------- --------------- ---------- ---------VFI
172.2.2.2
4000
UP
VFI 172.4.4.4 4000
UP
member links.
Flags: D - down
R - Layer3
S - Layer2
U - in use
M
u
w
d

default port

2
Ports
------+-------------+-----------+----------------------------------------------1
Po1(RU)
LACP
Gi2/9(P)
Gi2/20(P)
Gi2/31(P)
Gi2/40(P)
Use the show lacp internal command to display the device, port, and member-link information.
MLACP-PE1# show lacp internal
Channel group 1
4-160
OL-16147-20
Chapter 4

Port
Gi2/9
Gi2/20
Gi2/31
Gi2/40
Flags
SA
SA
SA
SA
State
bndl-act
bndl-act
bndl-act
bndl-act
LACP port
Priority
28000
28000
28000
28000
Admin
Key
0x1
0x1
0x1
0x1
Oper
Key
0x1
0x1
0x1
0x1
Port
Number
0x820A
0x8215
0x8220
0x8229
Port
State
0x3D
0x3D
0x3D
0x3D
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0xF30C
0xF316
0xF321
0xF303
0x5
0x5
0x7
0x7

Gi3/11
Gi3/21
Gi3/32
Gi3/2
FA
FA
FA
FA
hot-sby
hot-sby
hot-sby
hot-sby
32768
32768
32768
32768
Configuration example on a standby PoA:

redundancy
monitor peer bfd
member ip 172.1.1.1
mlacp node-id 7
!
no ip address
speed nonegotiate
lacp max-bundle 4
bridge-domain 4000
!
l2 vfi VPLS manual
vpn id 4000
status decoupled
!
interface Vlan4000
xconnect vfi VPLS
!
!
!
interface Loopback0
ip address 172.3.3.3 255.255.255.255
!
!
ip address 123.0.0.2 255.255.255.0
mpls ip
!
OL-16147-20
4-161
Chapter 4
Use the show lacp multi-chassis group interchassis group number command to display the LACP
parameters, local configuration, status of the backbone uplink, peer information, nodeID, channel, state,
priority, active, and inactive links.
RG State:
Synchronized
System-Id:
200.000a.f331.2680
ICCP Version: 0
Node-id:
7
System-Id: 2000.0014.6a8b.c680
Peer Information:
State:
Up
Node-id:
0
System-Id:
200.000a.f331.2680
ICCP Version: 0
State Flags: Active
Standby
Down
AdminDown
Standby Reverting
Unknown
Channel
State
Priority
Group
1
S/A
32768/28000
A
S
D
AD
SR
U
Active Links
Local/Peer
4/4
Inactive Links
Local/Peer
0/0
Channel Group: 1
State: Standby
LAG State: Up
Priority: 32768
Inactive Links: 0
Bundled: 0
Selected: 0
Standby: 4
Unselected: 0
Peer Configuration:
Address: 000a.f331.2680
Channel Group: 1
State: Active
LAG State: Up
Priority: 28000
Inactive Links: 0
Bundled: 4
Selected: 4
4-162
OL-16147-20
Chapter 4

Standby: 0
Unselected: 0
ICPM RGID Table
iccp:
rg_id: 100, peer addr: 172.1.1.1
app type: MLACP
iccp:
rg_id: 100, peer addr: 172.1.1.1
app type: MLACP
MLACP-PE3# sh mpls l2transport vc 2
Local intf
------------VFI VPLS
VFI VPLS
Local circuit
Dest address
VC ID
Status
-------------------------- --------------- ---------- ---------VFI
172.2.2.2
4000
UP
VFI 172.4.4.4 4000
UP
Use the show etherchannel summary command to display the status and identity of the MLACP member
links.
MLACP-PE3#show etherchannel summary
Flags: D - down
R - Layer3
S - Layer2
U - in use
M
u
w
d

default port

2
Ports
------+-------------+-----------+----------------------------------------------1
Po1(RU)
LACP
Gi3/2(P)
Gi3/11(P)
Gi3/21(P)
Gi3/32(P)
MLACP-PE3# show lacp 1 internal
Channel group 1
Port
Gi3/2
Gi3/11
Gi3/21
Flags
FA
FA
FA
State
bndl-sby
bndl-sby
bndl-sby
LACP port
Priority
32768
32768
32768
Admin
Key
0x1
0x1
0x1
Oper
Key
0x1
0x1
0x1
Port
Number
0xF303
0xF30C
0xF316
Port
State
0x7
0x5
0x5
OL-16147-20
4-163
Chapter 4
Pseudo MLACP Support on Cisco 7600
Gi3/32
FA
bndl-sby
32768
0x1
0x1
0xF321
0x7
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x8215
0x8220
0x8229
0x820A
0x3D
0x3D
0x3D
0x3D

Gi2/20
SA
Gi2/31
SA
Gi2/40
SA
Gi2/9
SA
MLACP-PE3#
bndl
bndl
bndl
bndl
28000
28000
28000
28000

In dual homing, a device is connected to the network using two independent access points or points of
attachments (POAs). One POA is the primary connection and the other is a standby connection that is
activated in the event of a failure of the primary connection. The Multi-chassis Link Aggregation
Protocol (MLACP) solution is an active and standby Provider Edge (PE) redundancy mechanism. The
Pseudo MLACP (PMLACP) feature introduced in Cisco IOS release 15.1(3)S, provides a flexible dual
homing redundancy mechanism where both the connections are in the active mode (active-active mode).
In PMLACP implementation, a PMLACP application is implemented on the PE router. Both the POA
ports are placed in active mode with manual VLAN load balancing.
PMLACP provides higher bandwidth utilization than MLACP and other active and standby link level
schemes. PMLACP provides VLAN based redundancy by allowing you to configure one primary and
one secondary interface pair for each member VLAN. The POAs determine which POA is active and
standby for each VLAN on a Multi-Chassis Link Aggregation (MLAG) and only the active POA
forwards frames for the respective VLAN. Additionally PMLACP allows maximum flexibility for the
PE-CE inter operability in terms of dual-homing redundancy and failover recovery.
Figure 4-6 explains the PMLACP implementation with manual VLAN load-balancing configuration.
Figure 4-6
PMLACP Implementation
Allow: VLAN 1-10

Block: VLAN 11-20
DHD
POA1
Allow: VLAN 1-20

Pseudo
mLACP
A
B
D
C
Allow: VLAN 11-20
Block: VLAN 1-10
E
POA2
282865
Allow: VLAN 1-20
4-164
OL-16147-20
Chapter 4

In the illustration, POA ports are configured for a PMLACP role, and ports are configured in
active-active mode with manual VLAN load-balancing. The POAs are configured to allow certain
VLANs on one of their downlinks but not the other VLANs. The POA activates its uplinks for locally
active VLANs. DHD is configured to enable all VLANs on both its uplinks. Traffic from DHD is initially
flooded on both uplinks until DHD learns which uplink is active for which VLANs.
Failover Operations
The PMLACP feature provides network resiliency by protecting against port, link, and node failures.
Figure 4-7 explains the failure points in a network.
Figure 4-7
PMLACP Failover Protection
Standby POA
E
D
DHD
Pseudo
mLACP
ICCP
A
B
C
E
Active POA
310687
These failures can be categorized into five types.
AFailure of the uplink port on the DHD
BFailure of the ethernet link
CFailure of the downlink port on the POA
DFailure of the POA node
EFailure of the active POA uplinks
The failover operations are triggered by three different events.
Access side link or port failure (failure types A- C): PMLACP on the failing POA initiates a failover
to the peer for any VLANs that were active on the failed link or links. This failover is initiated by
sending an MLACP port state Type Length Value (TLV) message, indicating that the port state is
down.
Node failure (failure type D): PMLACP on the surviving POA receives a node failure notification
and initiates a failover of all VLANs in standby mode on all shared MLAGs.
OL-16147-20
4-165
Chapter 4
POA uplink failure (failure type E): The failing POA sends a message to the peer about the core
isolation using the MLACP system state TLV, indicating that the POA is isolated. It will then place
all VLANs in the blocking mode.
All the three failover events involve the peer POA receiving a notification of the failure. At this point the
receiving standby POA completes the following steps:
1.
Unblocks any of the affected VLANs which were in standby or blocked mode.
2.
Sends a MAC flush message to the access side network device through a Multiple VLAN
Registration Protocol (MVRP) message. This message reflects all the VLANs which are being
activated only for the associated interface. When DHD receives the MVRP message, DHD responds
by flushing the MAC address tables for those VLANs.
3.
Triggers the core network edge MAC flushing.
Failure Recovery
PMLACP uses revertive mode after a failure recovery to support the active-active model. The reversal
process is also similar to the failover process. The standby POA initates the reversal for each VLAN by
indicating that the POA is relinquishing its active role for the VLAN. This is done though an ICCP
PLACP interface state TLV message, which indicates that it is no longer in active mode for the affected
VLANs. Upon TLV receipt, the recovering POA unblocks the affected VLANs and triggers the MAC
flushes towards access side and core side.
Revertive mode is enabled by default. If you want to choose when to trigger reversion after the failover
recovery, you can configure non revertive mode. The non revertive mode is enabled by configuring the
command lacp failover non-revertive under port channel.
Restrictions for PMLACP on Cisco 7600

Follow this restrictions and usage guidelines while configuring PMLACP.
PMLACP is supported on ES+ and ES 20 line cards.
PMLACP is supported on SUP 720 and RSP 720.
PMLACP configuration on a port channel supports only service instances.
If PMLACP is enabled on a port channel, Resilient Ethernet Protocol (REP), Spanning Tree Protocol
(STP), Link Aggregation Control Protocol (LACP), VLAN Trunking Protocol (VTP), or other layer
2 control protocols are not supported.
The ethernet VLAN color blocking needs to be configured on all VLANs under the port channel if
it has EVC xconnect or MTP configured on it. Use the ethernet vlan color-block vlan all command
for configuring it.
Both POAs must contain the same configuration of manual-load balance VLAN list and LAG.
The bridge-domain that is configured under a PMLACP port channel EVC should not be part of any
other non PMLACP interfaces.
Only one port channel of MLACP or PMLACP type is supported on a single redundancy group
(RG). There can be one MLACP port channel and another PMLACP port channel on a single RG,
but not two port channels of the same type.
Active VLAN list configuration needs to be the same on both POAs.
The port-channel configuration on both POAs must be the same, but port-channel members need not
be the same.
4-166
OL-16147-20
Chapter 4

The recommended configuration sequence for PMLACP is:

Configure interchassis group and PMLACP commands.
Configure MLACP interchassis group and other port channel commands.
Add member links.
Configuring PMLACP on Cisco 7600

Complete the following steps to configure PMLACP on the Cisco 7600 router.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
pseudowire-class pw-class-name
4.
encapsulation mpls
5.
6.
exit
7.
l2 vfi name manual
8.
vpn id vpn-id
9.
neighbor remote-id encapsulation mpls
10. exit
11. redundancy
12. interchassis group number
13. monitor peer bfd
14. member IP IP-address
15. mlacp node-id number
16. mlacp system-priority priority
17. backbone interface interface
18. exit
19. interface port-channel port-channel number
20. no ip address
21. mlacp interchassis group group-id
22. mlacp mode active-active
23. mlacp load-balance primary vlan range
24. mlacp load-balance secondary vlan range
25. ethernet vlan color-block all
26. service instance id ethernet
27. encapsulation dot1q vlan id
OL-16147-20
4-167
Chapter 4
28. rewrite ingress tag pop {1 | 2} symmetric

29. xconnect peer-id vc-id pw-class pw-class-name
or
brige-domain bridge-domain-id
30. backup peer peer-id vc-id pw-class pw-class-name
31. exit
32. interface vlan bridge-domain-id
33. xconnect vfi vfi-name
34. end
DETAILED STEPS
Step 1
Command
Purpose
enable
Enables privileged EXEC mode, and if prompted enter

your password.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
pseudowire-class pw-class-name
Specifies the name of a pseudowire class and enters

pseudowire class configuration mode.
Example:
Router(config)# pseudowire-class vpws
Step 4
encapsulation mpls
Specifies that MPLS is used as the data encapsulation

method for tunneling Layer 2 traffic over the pseudowire.
Example:
Router(config-pw-class)# encapsulation
mpls
Step 5
Example:
Enables the reflection of the attachment circuit status on

both the primary and secondary pseudowires. This configuration is necessary if the peer PEs are connected to a
dual-homed device.
Router(config-pw-class)# status peer

topology dual-homed
Step 6
exit
Exits pseudowire class configuration mode.
Example:
Router(config-pw-class)# exit
4-168
OL-16147-20
Chapter 4

Step 7
Command
Purpose
l2 vfi name manual
Creates a named Layer 2 Virtual Forwarding Instance

(VFI) and enables the Layer 2 VFI manual configuration
mode.
Example:
Step 8
Perform steps 7 to 10 only if you are configuring

PMLACP over VPLS. Else go to step 11.
Router(config)# l2 vfi vpls manual
Note
vpn id vpn-id
Configures a VPN ID for the VPLS domain.
Example:
Router(config-vfi)# vpn id 17
Step 9
neighbor remote-id encapsulation mpls
Example:
Specifies the remote peering router ID, which is the IP

address of the router, and the tunnel encapsulation type
for the emulated VC.
Router(config-vfi)# neighbor 1.5.1.1

encapsulation mpls
Step 10
exit
Exits the L2 VFI manual configuration mode.
Example:
Router(config-vfi)# exit
Step 11
redundancy
Enters redundancy configuration mode.
Example:
Router(config)# redundancy
Step 12
interchassis group number
Configures an interchassis group within the redundancy

configuration mode and assigns a group number.
Example:
Router(configure-red)# interchassis
group 100
Step 13
monitor peer bfd
Example:
Router(configure-r-ic)# monitor peer
bfd
Step 14
member ip IP-address
Configures the BFD option to monitor the state of the

peer.
Note
The monitor peer bfd command is optional. If

this command is not specified, the default option
is route-watch.
Configures the IP address of the MLACP peer member

group.
Example:
Router(configure-r-ic)# member ip
172.3.3.3
OL-16147-20
4-169
Chapter 4
Step 15
Command
Purpose
mlacp node-id node-id
Specifies the node ID to be used in the LACP port-id field.
Example:
Router(config-r-ic)# mlacp node-id 5
Step 16
Specifies the system priority advertised to the other

MLACP members of the redundancy group.
Example:
priority Acceptable range is 1 to 65535. The default

value is 32768. The assigned values should be lower than
the DHD.
Router(config-r-ic)# mlacp system-priority 100
Step 17
node-id Valid range is 0 - 7, and the value should be

different from the peer values.
backbone interface interface
Specifies the backbone interface for the MLACP configuration.
Example:
Router(config-r-ic)# backbone interface GigabitEthernet2/3
Step 18
exit
Exits the redundancy mode.
Example:
Router(config-r-ic)# exit
Step 19
Specifies the port-channel interface.
Example:
Router(config)# interface Port-channel
10
Step 20
no ip address
Removes the IP address from the interface.
Example:
Step 21
mlacp interchassis group group-id
Example:
Specifies that the port-channel is an MLACP port-channel. The group-id should match the configured redundancy group.
Router(config-if)# mlacp interchassis

group 100
Step 22
mlacp mode active-active
Specifies the MLACP mode as active-active.
Example:
Router(config-if)# mlacp mode
active-active
Step 23
mlacp load-balance primary vlan range
Specifies the primary VLAN range for manual load

balancing.
Example:
range Specifies the VLAN ID range. Values range

from 1 to 4094.
Router(config-if)# mlacp load-balance

primary vlan 100-109
4-170
OL-16147-20
Chapter 4

Step 24
Command
Purpose
mlacp load-balance secondary vlan range
Specifies the secondary VLAN range for manual load

balancing.
Example:
Router(config-if)# mlacp load-balance
secondary vlan 110-120
Step 25
ethernet vlan color-block all
Blocks VLANs on EVCs with connect and cross-connect.

devices.
Example:
Note
Router(config-if)# ethernet vlan

color-block all
Step 26
This configuration is required if EVC cross

connect or MTP is used on the PMLACP port
channel.
Creates a service instance on an interface.
Example:
ethernet
Step 27
Configures the encapsulation. Defines the matching

criteria to be used in order to map the ingress dot1q
frames on an interface to the appropriate service instance.
Example:
dot1q 100
Step 28
rewrite ingress tag pop {1 | 2}

symmetric

the frame in ingress direction to the service instance.
Example:
tag pop 1 symmetric
Step 29
xconnect peer-id vc-id pseudowire-class

pw-classname
or
brige-domain bridge-domain-id
Example:
Router(config-if-srv)# xconnect 3.3.3.3
90 pseudowire-class vpws
Binds the 802.1Q VLAN attachment circuit to a virtual

circuit (VC).
Binds the attachment circuit to a pseudowire VC.
peer-id specifies the IP address of the peer PE

router.
vc-id specifies the 32-bit value that identifies the

VC between the peer PE routers at each endpoint of
the VC. You must configure the same VC ID on the
peer PE router.
pw-classname Specifies the pseudowire class.
Note
Use the bridge-domain command if you are

configuring PMLACP on VPLS.
OL-16147-20
4-171
Chapter 4
Step 30
Command
Purpose
backup peer peer-id vc-id pseudowire-class pw-classname
Specifies a redundant peer for a pseudowire virtual

circuit.
Example:
Router(config-if-srv)# backup peer
4.3.3.3 90 pseudowire-class vpws
Step 31
exit
Exits from the interface configuration mode.
Step 32
interface vlan bridge-domain-id
Creates or accesses a dynamic switched virtual interface

(SVI).
Example:
Router(config-if)# interface vlan 201
Step 33
xconnect vfi vfi-name
Note
You need to perform steps 32 and 33 only if you

are configuring VPLS.
Specifies the Layer 2 VFI that you are binding to the

VLAN port.
Example:
Router(config-if)# xconnect vfi vpls
Step 34
end
Exits the port-channel interface mode.
Example:
This is a configuration example for PMLACP with EVC xconnect on two POAs, A and B. In this example
primary VLAN range is configured as 100-109 on router A and 110-120 on router B. The VLAN range
is interchanged so that the primary VLAN range of router A becomes the secondary VLAN range in
router B and the secondary VLAN range of router A becomes the primary VLAN range in router B.
RouterA> enable
RouterA# configure terminal
RouterA(config)# pseudowire-class vpws
RouterA(config-pw-class)# encapsulation mpls
RouterA(config-pw-class)# status peer topology dual-homed
RouterA(config-pw-class)# exit
RouterA(config)# l2 vfi vpls manual
RouterA(config-vfi)# vpn id 100
RouterA(config-vfi)# neighbor 3.3.3.3 encapsulation mpls
RouterA(config-vfi)# exit
RouterA(config)# redundancy
RouterA(config-red)# interchassis group 100
RouterA(config-r-ic)# monitor peer bfd
RouterA(config-r-ic)# member ip 2.2.2.2
RouterA(config-r-ic)# backbone interface GigabitEthernet8/0/10
RouterA(config-r-ic)# mlacp system-priority 100
RouterA(config-r-ic)# mlacp node-id 1
RouterA(config-if)# no ip address
RouterA(config-if)# mlacp interchassis group 100
RouterA(config-if)# mlacp mode active-active
4-172
OL-16147-20
Chapter 4

RouterA(config-if)# mlacp load-balance primary vlan 100-109

RouterA(config-if)# mlacp load-balance secondary vlan 110-120
RouterA(config-if)# ethernet vlan color-block all
RouterA(config-if)# service instance 10 ethernet
RouterA(config-if-srv)# encapsulation dot1q 100
RouterA(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterA(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpws
RouterA(config-if-srv)# backup peer 4.3.3.3 91
RouterA(config-if)# service instance 11 ethernet
RouterA(config-if-srv)# encapsulation dot1q 101
RouterA(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterA(config-if-srv)# bridge-domain 201
RouterA(config-if-srv)# exit
RouterA(config-if)# exit
RouterA(config)# interface vlan 201
RouterA(config-if)# no shutdown
RouterA(config-if)# xconnect vfi vpls
RouterA(config-if)# end
RouterB> enable
RouterB# configure terminal
RouterB(config)# pseudowire-class vpws
RouterB(config-pw-class)# encapsulation mpls
RouterB(config-pw-class)# status peer topology dual-homed
RouterB(config-pw-class)# exit
RouterB(config)# l2 vfi vpls manual
RouterB(config-vfi)# vpn id 100
RouterB(config-vfi)# neighbor 3.3.3.3 encapsulation mpls
RouterB(config-vfi)# exit
RouterB(config)# redundancy
RouterB(config-red)# interchassis group 100
RouterB(config-r-ic)# monitor peer bfd
RouterB(config-r-ic)# member ip 1.1.1.1
RouterB(config-r-ic)# backbone interface GigabitEthernet8/0/10
RouterB(config-r-ic)# mlacp system-priority 100
RouterB(config-r-ic)# mlacp node-id 2
RouterB(config-if)# no ip address
RouterB(config-if)# mlacp interchassis group 100
RouterB(config-if)# mlacp mode active-active
RouterB(config-if)# mlacp load-balance primary vlan 110-120
RouterB(config-if)# mlacp load-balance secondary vlan 100-109
RouterB(config-if)# ethernet vlan color-block all
RouterB(config-if)# service instance 10 ethernet
RouterB(config-if-srv)# encapsulation dot1q 100
RouterB(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterB(config-if-srv)# xconnect 3.3.3.3 90 pseudowire-class vpws
RouterB(config-if-srv)# backup peer 4.3.3.3 91
RouterB(config-if)# service instance 11 ethernet
RouterB(config-if-srv)# encapsulation dot1q 101
RouterB(config-if-srv)# rewrite ingress tag pop 1 symmetric
RouterB(config-if-srv)# bridge-domain 201
RouterB(config-if-srv)# exit
RouterB(config-if)# exit
RouterB(config)# interface vlan 201
RouterB(config-if)# no shutdown
RouterB(config-if)# xconnect vfi vpls
RouterB(config-if)# end
OL-16147-20
4-173
Chapter 4
Verification
Use the show lacp multi-chassis load-balance port-channel number command to verify the PMLACP
configuration information on the port channel interface.
PE1# show lacp multi-chassis load-balance port-channel 10

Interface Port-Channel 10
P-mLACP Enabled:
Yes
Redundancy Group:
100
Revertive Mode:
Non-Revertive
Primary VLANs:
4001-4002,4004-4005,4007-4010
Secondary VLANs:
4012-4013,4015-4016,4018-4021
Local Interface State:
Interface ID: 10
Port State:
Up
Primary VLAN State:
Standby
Secondary VLAN State: Standby
Peer Interface State:
Interface ID: 10
Primary VLAN State:
Active
Secondary VLAN State: Active
Use the show lacp multi-chassis group command to display the interchassis redundancy group and the
operational LACP parameters.
PE1# show lacp multi-chassis group
RG State:
Synchronized
System-Id:
32768.001b.0de6.3080
ICCP Version: 0
Node-id:
1
System-Id: 32768.001b.0de6.3080
Peer Information:
State:
Up
Node-id:
2
System-Id:
32768.f866.f2d2.6680
ICCP Version: 0
State Flags: Active - A
Standby
- S
Down
- D
AdminDown
- AD
Standby Reverting - SR
Unknown
- U
Channel
State
Priority
Active Links
Inactive Links
Group
Local/Peer
Local/Peer
10
A/A
32768/32768
2/2
0/0
Redundancy Group 100 (0x64)
Applications connected: mLACP, Pseudo-mLACP
Monitor mode: BFD
member ip: 2.2.2.2 "PE2", CONNECTED
BFD neighbor: GigabitEthernet2/9, next hop 192.168.41.2, UP
mLACP state: CONNECTED
Pseudo-mLACP state: CONNECTED
backbone int GigabitEthernet8/0/9: UP (IP)
4-174
OL-16147-20
Chapter 4

ICRM fast-failure detection neighbor table

IP Address
Status Type Next-hop IP
==========
====== ==== ===========
2.2.2.2
UP
BFD 192.168.41.2
Interface
=========
GigabitEthernet2/9
Use the show lacp multi-chassis load-balance group command to display the PMLACP configuration
information including redundancy group, link states and interface status.
PE2#sh lacp multi-chassis load-balance group

RG State:
Synchronized
ICCP Version:
0
Node-id:
2
Peer Information:
State:
Up
Node-id:
1
ICCP Version:
0
States:
Active
- ACT
Standby
- SBY
Down
- DN
AdminDown - ADN
Unknown
- UN
Reverting - REV
P-mLACP Interfaces
Interface
Port State
Local VLAN State
Peer VLAN State
ID
Local
Primary/Secondary
Primary/Secondary
10
ADN
ADN/ADN
DN/DN
34
UP
ACT/SBY
ACT/SBY
Table 4-25
Command
Purpose
debug lacp load-balance [all | database |

redundancy-group | vlan]
Enables debugging of the PMLACP activity. Use

this command from the switch processor (SP).
debug redundancy interchassis [all |

application | error | event | monitor]
Enables debugging of the interchassis redundancy

manager.
debug mpls ldp iccp
Enables debugging of the Inter Chassis Control

Protocol (ICCP). Use this command from the RP.

The L2TPv3 feature employs L2TPv3 and pseudowire (PW) technology to provide tunneling service to
Ethernet traffic. The feature is developed for SUP720-3B/3BXL and RSP720 routers, which function as
Provider Edge (PE) routers in the network topologies recommended by RFC3985 Pseudowire Emulation
Edge-to-Edge (PWE3) architecture. L2TPv3 also supports inter-operability between the Cisco 7600
router and any standard compliant Cisco or non-Cisco device.
OL-16147-20
4-175
Chapter 4
A L2TPv3 tunnel is a control connection between two PE routers. One L2TPv3 tunnel can have multiple
data connections, and each data connection is termed as an L2TPv3 session. The control connection is
used to establish, maintain, and release sessions. Each session is identified by a session ID which is
unique across the entire router.
Figure 4-8
Network Topology for L2TPv3
Attachment VC
Pseudowire
Attachment VC
Tunnel
IP Network
PE1
P router
P router
PE2
CE
P router
282928
CE
In Figure 4-8, the attachment Virtual Circuit (VC) represents a physical or a logical port that connects a
Customer Edge (CE) device to a Provider Edge (PE) device. A pseudowire is defined as a VC connecting
two attachment VCs, and it consists of two L2TPv3 tunnel paths, one in each direction.
Restrictions for L2TPv3

Following restrictions apply to L2TPv3:
Layer 2 facing line card must be an L2TPv3 supporting line card.
There must be at least one distinct L2TPv3 tunnel per Layer 2 facing linecard.
The L2TPv3 feature on a Cisco 7600 router is supported on ES+ and SIP 400 line cards.
The Cisco 7600 router supports only IPv4 tunnelling for the Layer 2 frames.
The L2TPv3 feature does not support configurations such as EoL2TPv3oMPLS on the encapsulating
PE.
The L2TPv3 feature supports a maximum of 16,000 pseudowires.
L2TPv3 is not supported in conjunction with EVC features. L2TPv3 coexists with EVC on the same
port. That is, while one sub-interface is used to tunnel dot1q tagged traffic over L2TP, another
sub-interface is used to perform EVC features.
Effective with Cisco IOS release 15.1(3)S, 4000 IP tunnels are supported on ES+ line cards.
The L2TPv3 feature does not support SSO. You must enable cookies for L2TPv3 session on HA
setups.
Configuring L2TPv3
Before configuring L2TPv3, ensure the following:
4-176
OL-16147-20
Chapter 4

Create loopback interfaces to host the local IP addresses used by the L2TP tunnels. On a 7600 router,
create multiple loopback interfaces to accommodate routing protocol configuration and L2TPv3
configuration. The mls l2tpv3 reserve command must be configured under loopback to indicate the
Layer 2 network or CE side facing interface. This interface must be on ES+ or SIP400 LC.
For more information on L2TPv3 process and configuration, see:

http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_l2_tun_pro_v3.html
Complete the following steps to configure L2TPv3:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
l2tp-class name
4.
exit
5.
interface loopback loopback_id
6.
ip address loopback_address mask
7.
mls l2tpv3 reserve interface gigabitethernet slot/subslot/port
8.
exit
9.
pseudowire-class pseudowire-class name
10. encapsulation l2tpv3

11. protocol l2tpv3 name
12. ip local interface loopback loopback_id
13. exit
14. interface gigabitethernet slot/port
15. encapsulation dot1q vlan_id
16. xconnect loopback_ip vc_id encapsulation l2tpv3 pw-class pseudowire-class name
17. exit
DETAILED STEPS
Step 1
Command
Purpose
enable

prompted.
Example:
Router# enable
Step 2
configure terminal
Example:
OL-16147-20
4-177
Chapter 4
Step 3
Command
Purpose
l2tp-class name
Creates a template of Layer 2 Tunnel Protocol (L2TP)

control plane configuration settings that can be inherited
by different pseudowire classes, and enters L2TP class
configuration mode.
Example:
Router(config)#l2tp-class H-NAME
Note
Step 4
exit
Optionally, you can configure the command hello

interval in the L2TP class configuration mode. It
specifies the exchange interval (in seconds) used
between L2TP hello packets.
Exits the L2TP-class configuration mode.
Example:
Router(config-l2tp-class)# exit
Step 5
interface loopback loopback_id
Creates a loopback with the specified loopback_id.
Example:
Router(config)# interface loopback 8000
Step 6
Creates an IP address for the loopback.
Example:
Router(config-if)# ip address 200.1.1.1 mask
255.255.255.0
Step 7
mls l2tpv3 reserve interface GigabitEthernet

slot/subslot/port
Reserves a loopback interface used as a source of the

L2TPv3 tunnel in a particular line card and prevents it
from being used across multiple line cards.
Example:
Router(config-if)#mls l2tpv3 reserve interface

Gig3/1 Gig3/10
Step 8
exit
Example:
Step 9
pseudowire-class pseudowire-class name
Specifies the name of a L2TPv3 pseudowire class and

enters pseudowire class configuration mode.
Example:
Router(config)# pseudowire-class eth8000
Step 10
encapsulation l2tpv3
Configures the tunnel encapsulation type and ensures that

the L2TPv3 connectivity is up.
Example:
Router(config-pw-class)#encapsulation l2tpv3
Step 11
protocol l2tpv3 name
Defines L2TPv3 signaling protocol.
Example:
Router(config-pw-class)#protocol l2tpv3 H-NAME
4-178
OL-16147-20
Chapter 4

Step 12
Command
Purpose
ip local interface loopback loopback_id
Specifies the local PE interface, whose IP address is used

as the source IP address for sending tunneled packets.
Example:
Router(config-pw-class)#ip local interface
Loopback 8000
Step 13
exit
Example:
Router(config-pw-class)# exit
Step 14
Enters the sub interface configuration mode.
Example:
Router(config)#interface GigabitEthernet3/4.100
Step 15
encapsulation dot1q vlan_id
Example:
Configures the encapsulation by defining the matching

criteria to be used in order to map ingress dot1q frames
on a VLAN interface.
Router(config-subif)#encapsulation dot1Q 100
Step 16
xconnect loopback_ip vc_id encapsulation l2tpv3

pw-class pseudowire-class name
Example:
Attaches the Layer 2 facing interfaces to the pseudowire.

The virtual circuit identifier (VC_ID) used must be a
unique combination on the router. The same VC_ID must
be used on both PE routers.
Router(config-subif)#xconnect 100.1.1.1 80 encap

l2tpv3 pw-class eth8000
Step 17
Exits the sub interface configuration mode.
exit
Example:
Router(config-subif-xconn)#exit
This example shows how to configure L2TPv3:
Router# enable
Router (config)#l2tp-class H-NAME
Router (config-l2tp-class)#exit
Router (config)#interface Loopback8000
Router (config-if)#ip address 200.1.1.1 255.255.255.0
Router (config-if)#mls l2tpv3 reserve interface Gig3/1 Gig3/10
Router (config-if)#exit
Router (config)#pseudowire-class eth8000
Router (config-pw-class)#encapsulation l2tpv3
Router (config-pw-class)#protocol l2tpv3 H-NAME
Router (config-pw-class)#ip local interface Loopback8000
Router (config-pw-class)#exit
Router (config)#interface GigabitEthernet3/4.100
Router (config-subif)#encapsulation dot1Q 100
Router (config-subif)#xconnect 100.1.1.1 80 encap l2tpv3 pw-class eth8000
Router (config-subif-xconn)#exit
Router (config-subif)#exit
Router (config)#exit
OL-16147-20
4-179
Chapter 4
Verification
Use the following commands to verify the L2TPv3 configuration:
Router #show l2tp tunnel
L2TP Tunnel Information Total tunnels 2 sessions 2
LocTunID
RemTunID
Remote Name
2101541749 1606300868 7600-3_BR

2974027542 2468589365 7600-3_BR
State
Remote Address
est
est
100.1.1.1
100.1.2.1
Sessn L2TP Class/

Count VPDN Group
1
H-NAME
1
H-NAME
Router #show l2tp tunnel all

L2TP Tunnel Information Total tunnels 2 sessions 2
Tunnel id 2101541749 is up, remote id is 1606300868, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 03:37:28
Tunnel transport is IP (115)
Remote tunnel name is 7600-3_BR
Internet Address 100.1.1.1, port 0
Local tunnel name is 7600-2-CE
L2TP class for tunnel is H-NAME
Counters, taking last clear into account:
0 packets sent, 0 received
0 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
Control Ns 33, Nr 90
Local RWS 1024 (default), Remote RWS 1024
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 89
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Tunnel id 2974027542 is up, remote id is 2468589365, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 03:37:36
Tunnel transport is IP (115)
Remote tunnel name is 7600-3_BR
Local tunnel name is 7600-2-CE
L2TP class for tunnel is H-NAME
Counters, taking last clear into account:
Last clearing of counters never
Counters, ignoring last clear:
Control Ns 35, Nr 92
4-180
OL-16147-20
Chapter 4

Local RWS 1024 (default), Remote RWS 1024

Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 91
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
For specific troubleshooting information, contact Cisco Technical Assistance Center (TAC) at this
location:

Layer 2 Gateway Ports (L2GP) is a proposed IEEE standard (802.1ah) to address the issues that arise
when two independent bridged domains are connected redundantly through an arbitrary number of links.
Layer 2 Gateway Ports define how the forwarding gateways are selected so that only redundant ports are
blocked and there are no temporary loops. The transitions can be at least as fast as STP L2GP resolves
the transient loop problem during the re-convergence as it does not require cooperation from the outside
domain.
Reverse L2GP (R-L2GP) is a variation of L2GP. In case of R-L2GP, the pseudo information of the
R-L2GP is transmitted by nPEs, instead of uPEs. R-L2GP provides a mechanism to send out static
preconfigured BPDUs on each ring access port of nPEs to stimulate a per-access ring instantiation of the
protocol. In order for this to work, the pair of nPEs are programmed to send out BPDUs on the access
ring ports in such a way that they appear to be either:
The root bridge itself (the bridge with the lowest bridge id/priority).
The bridge with the second lowest bridge ID/priority, and with a 0 cost path to the root.
Using R-L2GP, you can statically configure the BPDUs instead of dynamic configuration.
For more information, see Configuring STP and MST at:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/spantree.html#wp110187
4.

When configuring Reverse L2GP for the Cisco 7600 router, follow these guidelines and restrictions:
R-L2GP is not compatible with pre-standard MST. This combination is not supported.
Use only on bridge ports.
Because VLAN ID is required for EVC service instance to MST instance mapping, EVC service
instances without any VLAN ID in the encapsulation are not supported. This includes:
OL-16147-20
4-181
Chapter 4
Untagged encapsulation
Priority-tagged encapsulation
Default encapsulation
In EVC service instance, MST runs on the encapsulation VLAN, not on the broadcast-domain
VLAN.
Service instances with multiple outer tags are not supported.
The feature is supported only on ES20 and ES+ line cards.
MST and R-L2GP can co-exist on the same router.
R-L2GP does not provide any automatic detection or recovery mechanisms for BPDU data.
MST instance zero under RL2GP must be configured before RL2GP instance is attached to a port.
Configure MST instance zero on the same nPE pair as RL2GP instance.
In case of EVC service instance configuration, Encap vlan and BD vlan should be part of the same
MST instance to send the TCNs on the BD-Vlans.
Configuring Reverse L2GP for 7600

To enable R-L2GP on a port, you need to:
Configure MST
Configure RL2GP instance
Attach RL2GP instance to a port
Configure VPLS BPDU Pseudo Wire
Configuration of MST must be done before configuring RL2GP and attaching it to a port. For MST
configuration, you need to configure:
Provider Bridge Mode
Hello Time
Name
Revision
MSTI information (VLAN mapping, bridge priority, port priority, and cost)
Priority Vector information (bridge ID, port ID, Root Bridge ID)
Since the R-L2GP configuration is bundled with the MSTI configuration, the above parameters can be
recycled from the MSTI and MST region (currently only one MST region is supported on IOS)
configurations. This section describes how to configure Reverse L2GP for 7600. It consists of the
following sections:
Configuring MST, page 4-183
Configuring the RL2GP Instance, page 4-183
Attaching the RL2GP Instance to a Port, page 4-184
Configuring the VPLS Pseudo Wire, page 4-185
4-182
OL-16147-20
Chapter 4

Configuring MST
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
spanning-tree mst configuration
4.
[no] name name
5.
[no] revision version
6.
[no] instance instance-id {vlans vlan-range}
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
spanning-tree mst configuration
Enters MST-configuration submode.
Example:
Router(config)# spanning-tree mst configuration
Step 4
Sets the name of a Multiple Spanning Tree (MST) region.
[no] name name
Example:
Router(config-mst)# name Cisco
Step 5
revision version
Sets the revision number for the Multiple Spanning Tree

(802.1s) (MST) configuration.
Example:
Router(config-mst)# revision 5
Step 6
[no] instance instance-id {vlans vlan-range}
Maps a VLAN or a group of VLANs to a multiple

spanning tree (MST) instance.
Example:
Router(config-mst)# instance 2 vlans 1-100
Configuring the RL2GP Instance

SUMMARY STEPS
1.
spanning-tree pseudo-information transmit indentifier
OL-16147-20
4-183
Chapter 4
2.
remote-id id
3.
mst root mac-address
4.
mst root priority
5.
mst root
6.
mst cost
DETAILED STEPS
Step 1
Command
Purpose
spanning-tree pseudo-information transmit

indentifier
Configures the Reverse-L2GP configuration on the

interface (or untagged EFP port).
Example:
Router(config)# spanning-tree pseudo-information
transmit 10
Step 2
Configures the remote RL2GP instance Id that pairs with

the specified R-L2GP instance Id.
remote-id id
Example:
Router(config-pseudo)# remote-id 5
Step 3
mst root mac-address
Example:
Adds MST instance list to R-L2GP instance and

configures R-L2GP root bridge MAC address for MST
instance (or multiple MST instances).
Router(config-pseudo)# mst root 0000.9c6d.2ec0
Step 4
mst root priority
Example:
Adds MST instance list to RL2GP instance and

configures the R-L2GP bridge priority ( in multiples of
4096) for instances.
Router(config-pseudo)# mst root priority
Step 5
Adds MST instances to RL2GP instances and configures

the MAC address and priority for MST instances.
mst root
Example:
Router(config-pseudo)# mst root
Step 6
Adds MST instance list to RL2GP instance and

configures R-L2GP path cost for MST instance (or
multiple MST instances).
mst cost
Example:
Router(config-pseudo)# mst cost
Attaching the RL2GP Instance to a Port

SUMMARY STEPS
1.
2.
spanning-tree pseudo-information transmit indentifier
4-184
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose

or

Example:
Step 2
spanning-tree pseudo-information transmit

indentifier
Configures the Reverse-L2GP configuration on the

interface.
Example:
Router(config-if)# spanning-tree
pseudo-information transmit 10
Configuring the VPLS Pseudo Wire

SUMMARY STEPS
1.
l2 vfi name manual
2.
vpn id vpn_id
3.
forward permit l2protocol all
4.
neighbor ip-address vc-id {encapsulation mpls |pw-class pw-class-name}
5.
exit
6.
interface vlan vlanid type {trbrf | ethernet}
7.
xconnect vfi vfi_name
DETAILED STEPS
Step 1
Command
Purpose
l2 vfi name manual
Creates a Layer 2 VFI and enters the Layer 2 VFI manual

configuration submode.
Example:
Router(config)# l2 vfi vfitest1 manual
Step 2
vpn id vpn_id
Sets or updates a Virtual Private Network (VPN) ID on a

VPN routing and forwarding (VRF) instance.
Example:
Step 3
Example:
Defines the VPLS pseudowire that is used to transport

bridge protocol data unit (BPDU) information between
two network provider edge (N-PE) routers.
Router(config-vfi)# forward permit l2protocol all
OL-16147-20
4-185
Chapter 4
Step 4
Command
Purpose
neighbor ip-address vc-id {encapsulation mpls

|pw-class pw-class-name}
Specifies the routers that should form a point-to-point

Layer 2 virtual forwarding interface (VFI) connection.
Example:
Router(config-vfi)# neighbor 10.10.10.10 1
encapsulation mpls
Step 5
exit
Example:
Router(config)#
Step 6
interface vlan vlanid type {trbrf | ethernet}
Creates a dynamic Switch Virtual Interface (SVI).
Example:
Router(config)# interface vlan 23
Step 7
The xconnect command specifies the Layer 2 VFI that

you are binding to the VLAN port.
Example:
Router(config-if)# xconnect vfi vfi16
Examples
This is a sample configuration for switch port:
----- PE1 configuration ----Step 1:
PE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#spanning-tree mode mst
PE1(config)#spanning-tree extend system-id
PE1(config)#spanning-tree pseudo-information transmit 2
PE1(config-pseudo)# remote-id 1
PE1(config-pseudo)# mst 0 root 32768 0000.0000.0001
%Warning: Please make same configuration change on mst instance 0 for
remote Pseudo Info instance also.
Difference in mst instance 0 config
on Pseudo Info pair can cause network instability
PE1(config-pseudo)# mst 1 cost 100
PE1(config-pseudo)#exit
PE1(config)#spanning-tree mst configuration
PE1(config-mst)#instance 1 vlan 100-200, 400-500
Step 2:
PE1(config)#interface TenGigabitEthernet4/1
PE1(config-if)# switchport
PE1(config-if)# switchport mode trunk
PE1(config-if)# spanning-tree pseudo-information transmit 2
PE1(config-if)#end
PE1#
4-186
OL-16147-20
Chapter 4

Step 3:
PE1(config)#l2 vfi bpdupw manual
PE1(config-vfi)#vpn id 100
PE1(config-vfi)#forward permit l2protocol all
PE1(config-vfi)#neighbor 22.22.22.22 encapsulation mpls
PE1(config-vfi-neighbor)#
Step 4:
Enter configuration commands, one per line.
PE1(config)#interface Vlan1
PE1(config-if)#no ip address
PE1(config-if)#xconnect vfi bpdupw
PE1(config-if)#end
PE1#
End with CNTL/Z.
Use the show commands to check the configuration:

PE1#show running-config int te4/1
!
interface TenGigabitEthernet4/1
switchport
spanning-tree pseudo-information transmit 2
end
PE1#show spanning-tree mst

##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
address 0013.5f21.e240 priority
32768 (32768 sysid 0)
this switch for the CIST
hello time 2 , forward delay 15, max age 20, txholdcount 6
hello time 2 , forward delay 15, max age 20, max hops
20
Interface
----------------------------------------------Te4/1
PW 22.22.22.22:100
##### MST1
Bridge
Root
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------Desg FWD 2000
Desg FWD 200
vlans mapped:
100-200,400-500
Interface
----------------------------------------------Te4/1
PW 22.22.22.22:100
128.769 P2p R-L2GP

128.1020 P2p R-L2GP
32769 (32768 sysid 1)
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------Desg FWD 2000
Desg FWD 200
128.769 P2p R-L2GP

128.1020 P2p R-L2GP
PE1#show spanning-tree pseudo-information

Pseudo id 2, type transmit:
remote_id 1
mst_region_id 0, port_count 1, update_flag 0x0
mrecord 0x1DF3627C, mrec_count 2:
msti 0: root_id 32768.0000.0000.0001, root_cost 0, update_flag 0x0
OL-16147-20
4-187
Chapter 4

Pseudo interfaces:
PE1#show spanning-tree mst detail

##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
32768 (32768 sysid 0)
20
TenGigabitEthernet4/1 of MST0 is designated forwarding

Port info
port id
128.769 priority
128 cost
2000
Designated root
address 0013.5f21.e240 priority 32768 cost
0
Design. regional root address 0013.5f21.e240 priority 32768 cost
0
Designated bridge
address 0013.5f21.e240 priority 32768 port id 128.769
Pseudo-info (id 2) is running
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Bpdus sent 500, received 0
PW 22.22.22.22:100 of MST0 is designated forwarding
Port info
port id
128.1020 priority
128 cost
200
Designated root
0
0
Designated bridge
##### MST1
Bridge
Root
vlans mapped:
100-200,400-500
32769 (32768 sysid 1)

Port info
port id
128.769 priority
128 cost
2000
Designated root
0
Designated bridge
Bpdus (MRecords) sent 501, received 0
Port info
port id
128.1020 priority
128 cost
200
Designated root
0
Designated bridge
PE1#show mpls l2transport vc detail

Local interface: VFI bpdupw VFI up
Interworking type is Ethernet
Destination address: 22.22.22.22, VC ID: 100, VC status: up
Output interface: Te4/2, imposed label stack {17}
Preferred path: not configured
Default path: active
Next hop: 12.0.0.2
Create time: 00:15:59, last status change time: 00:15:35
Signaling protocol: LDP, peer 22.22.22.22:0 up
Targeted Hello: 11.11.11.11(LDP Id) -> 22.22.22.22, LDP is UP
4-188
OL-16147-20
Chapter 4

Status TLV support (local/remote)

: enabled/supported
LDP route watch
: enabled
Label/status state machine
: established, LruRru
Last local dataplane
status rcvd: No fault
Last BFD dataplane
status rcvd: Not sent
Last BFD peer monitor status rcvd: No fault
Last local AC circuit status rcvd: No fault
Last local AC circuit status sent: No fault
Last local LDP TLV
status sent: No fault
Last remote LDP TLV
Last remote LDP ADJ
MPLS VC labels: local 21, remote 17
PWID: 16424
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
MAC Withdraw: sent:1, received:3
Sequencing: receive disabled, send disabled
Control Word: On (configured: autosense)
SSO Descriptor: 22.22.22.22/100, local label: 21
SSM segment/switch IDs: 20523/4135 (used), PWID: 16424
VC statistics:
transit packet totals: receive 29, send 390
transit byte totals:
receive 4423, send 55770
transit packet drops: receive 0, seq error 0, send 0
PE1#show vfi name bpdupw
Legend: RT=Route-target, S=Split-horizon, Y=Yes, N=No
VFI name: bpdupw, state: up, type: multipoint signaling: LDP
VPN ID: 100
Forwarding BPDUs only
Bridge-Domain 1 attachment circuits:
Vlan1
Neighbors connected via pseudowires:
Peer Address
VC ID
S
22.22.22.22
100
Y
----- PE2 configuration -----
Step 1:
PE2(config-pseudo)# mst 1
PE2(config-pseudo)# mst 1
PE2(config-pseudo)# exit
PE2(config)#spanning-tree
PE2(config-mst)# instance
PE2(config-mst)#end
PE2#
root 32768 0000.0000.0002

cost 100
mst configuration
1 vlan 100-200, 400-500
OL-16147-20
4-189
Chapter 4
Step 2:
PE2(config)#interface GigabitEthernet13/7
PE2(config-if)#switchport
PE2(config-if)#switchport mode trunk
PE2(config-if)#spanning-tree pseudo-information transmit 1
PE2(config-if)#end
PE2#
Step 3:
PE2(config-vfi)#neighbor 11.11.11.11 encapsulation mpls
PE2(config-vfi)#end
PE2#
Step 4:
PE2(config-if)#xconnect vfi bpdupw
PE2(config-if)#end
PE2#
End with CNTL/Z.

PE2#show running-config int gig 13/7
!
switchport
end
##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
address 0015.c7f9.cc40 priority
32768 (32768 sysid 0)
20
Interface
--------------------------PW 11.11.11.11:100
Gi13/7
##### MST1
Bridge
Root
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------- -------------------Desg FWD 200
Desg FWD 20000
vlans mapped:
100-200,400-500
128.3070 P2p R-L2GP

128.3079 P2p R-L2GP
32769 (32768 sysid 1)
4-190
OL-16147-20
Chapter 4

Interface
--------------------------PW 11.11.11.11:100
Gi13/7
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------- -------------------Desg FWD 200
Desg FWD 20000
128.3070 P2p R-L2GP

128.3079 P2p R-L2GP

remote_id 2
mrecord 0x542B57F4, mrec_count 2:
Pseudo interfaces:
GigabitEthernet13/7
##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
32768 (32768 sysid 0)
20

Port info
port id
128.3070 priority
128 cost
200
Designated root
address 0015.c7f9.cc40 priority 32768 cost
0
Design. regional root address 0015.c7f9.cc40 priority 32768 cost
0
Designated bridge
address 0015.c7f9.cc40 priority 32768 port id 128.3070
GigabitEthernet13/7 of MST0 is designated forwarding
Port info
port id
128.3079 priority
128 cost
20000
Designated root
0
0
Designated bridge
##### MST1
Bridge
Root
vlans mapped:
100-200,400-500
32769 (32768 sysid 1)

Port info
port id
128.3070 priority
128 cost
200
Designated root
0
Designated bridge
Port info
port id
128.3079 priority
128 cost
20000
Designated root
0
Designated bridge
OL-16147-20
4-191
Chapter 4

Next hop: 12.0.0.1
: enabled/supported
LDP route watch
: enabled
Last BFD dataplane
Last local SSS circuit status rcvd: No fault
Last local SSS circuit status sent: No fault
Last local LDP TLV
Last remote LDP TLV
Last remote LDP ADJ
PWID: 8250
VC statistics:
VPN ID: 100
Vlan1
Peer Address
VC ID
S
11.11.11.11
100
Y
This is a sample configuration for EVC-BD:

PE1(config-pseudo)#remote-id 1
4-192
OL-16147-20
Chapter 4


PE1(config-mst)# instance 1 vlan 100-200, 400-500
Step 2:
PE1(config)#interface TenGigabitEthernet4/1
PE1(config-if)# service instance 2 ethernet
PE1(config-if-srv)# encapsulation dot1q 2
PE1(config-if-srv)# rewrite ingress tag pop 1 symmetric
PE1(config-if-srv)# bridge-domain 100
PE1(config-if-srv)# service instance 499 ethernet
PE1(config-if-srv)#end
PE1#
Step 3:
PE1(config-vfi)# neighbor 22.22.22.22 encapsulation mpls
PE1(config-vfi-neighbor)#
Step 4:
PE1(config-if)# no ip address
PE1(config-if)# xconnect vfi bpdupw
PE1(config-if)#end
PE1#
End with CNTL/Z.

PE1#show running-config int te4/1
!
ip arp inspection limit none
no ip address
bridge-domain 100
!
bridge-domain 402
!
end
OL-16147-20
4-193
Chapter 4

##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
32768 (32768 sysid 0)
20
Interface
----------------------------------------------Te4/1
PW 22.22.22.22:100
##### MST1
Bridge
Root
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------Desg FWD 2000
Desg FWD 200
vlans mapped:
100-200,400-500
Interface
----------------------------------------------Te4/1
PW 22.22.22.22:100
128.769 P2p R-L2GP

128.1022 P2p R-L2GP
32769 (32768 sysid 1)
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------Desg FWD 2000
Desg FWD 200
128.769 P2p R-L2GP

128.1022 P2p R-L2GP

remote_id 1
mrecord 0x1DF3627C, mrec_count 2:
Pseudo interfaces:
PE1#show spanning-tree mst configuration
Name
[]
Revision 0
Instances configured 2
Instance Vlans mapped
-------- --------------------------------------------------------------------0
1-99,201-399,501-4094
1
100-200,400-500
------------------------------------------------------------------------------PE1#
##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
32768 (32768 sysid 0)
20

Port info
port id
128.769 priority
128 cost
2000
Designated root
0
0
Designated bridge
Port info
port id
128.1022 priority
128
cost
200
4-194
OL-16147-20
Chapter 4

Designated root
0
0
Designated bridge
##### MST1
Bridge
Root
vlans mapped:
100-200,400-500
32769 (32768 sysid 1)

Port info
port id
128.769 priority
128 cost
2000
Designated root
0
Designated bridge
Port info
port id
128.1022 priority
128 cost
200
Designated root
0
Designated bridge
Next hop: 12.0.0.2
: enabled/supported
LDP route watch
: enabled
Last BFD dataplane
Last BFD peer monitor status rcvd: No fault
Last local AC circuit status rcvd: No fault
Last local AC circuit status sent: No fault
Last local LDP TLV
Last remote LDP TLV
Last remote LDP ADJ
PWID: 20498
VC statistics:
OL-16147-20
4-195
Chapter 4

VPN ID: 100
Vlan1
Peer Address
VC ID
S
22.22.22.22
100
Y
PE2(config-mst)# instance 1 vlan 100-200, 400-500
PE2(config-mst)#end
PE2#
Step 2:
PE2(config)#interface GigabitEthernet13/7
PE2(config-if)# ip arp inspection limit none
PE2(config-if)# service instance 2 ethernet
PE2(config-if-srv)# service instance 499 ethernet
PE2(config-if-srv)#end
PE2#
Step 3:
PE2(config-vfi)# vpn id 100
PE2(config-vfi)# forward permit l2protocol all
PE2(config-vfi)# neighbor 11.11.11.11 encapsulation mpls
PE2(config-vfi)#end
4-196
OL-16147-20
Chapter 4

PE2#
Step 4:
PE2(config-if)# xconnect vfi bpdupw
PE2(config-if)#end
PE2#
End with CNTL/Z.

PE2#show running-config int gig 13/7
!
no ip address
bridge-domain 100
!
bridge-domain 402
!
end
##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
32768 (32768 sysid 0)
20
Interface
--------------------------PW 11.11.11.11:100
Gi13/7
##### MST1
Bridge
Root
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------- -------------------Desg FWD 200
Desg FWD 20000
vlans mapped:
100-200,400-500
Interface
--------------------------PW 11.11.11.11:100
Gi13/7
128.3070 P2p R-L2GP

128.3079 P2p R-L2GP
32769 (32768 sysid 1)
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------- -------------------Desg FWD 200
Desg FWD 20000
128.3070 P2p R-L2GP

128.3079 P2p R-L2GP

remote_id 2
OL-16147-20
4-197
Chapter 4
mrecord 0x542B57F4, mrec_count 2:

Pseudo interfaces:
GigabitEthernet13/7
PE2#show spanning-tree mst configuration
Name
[]
Revision 0
Instances configured 2
Instance Vlans mapped
-------- --------------------------------------------------------------------0
1-99,201-399,501-4094
1
100-200,400-500
------------------------------------------------------------------------------PE2#
##### MST0
Bridge
Root
Operational
Configured
vlans mapped:
1-99,201-399,501-4094
32768 (32768 sysid 0)
20

Port info
port id
128.3070 priority
128 cost
200
Designated root
0
0
Designated bridge
Port info
port id
128.3079 priority
128 cost
20000
Designated root
0
0
Designated bridge
##### MST1
Bridge
Root
vlans mapped:
100-200,400-500
32769 (32768 sysid 1)

Port info
port id
128.3070 priority
128 cost
200
Designated root
0
Designated bridge
Port info
port id
128.3079 priority
128 cost
20000
Designated root
0
Designated bridge
4-198
OL-16147-20
Chapter 4


Next hop: 12.0.0.1
: enabled/supported
LDP route watch
: enabled
Last BFD dataplane
Last local LDP TLV
Last remote LDP TLV
Last remote LDP ADJ
PWID: 4144
VC statistics:
receive 0, send 0
VPN ID: 100
Vlan1
Peer Address
VC ID
S
11.11.11.11
100
Y
OL-16147-20
4-199
Chapter 4
Troubleshooting
Table 4-26 provides troubleshooting solutions for the Reverse L2GP feature.
Table 4-26
Troubleshooting Reverse L2GP feature
Problem
Solution
RL2GP configuration issues
Use the show spanning-tree pseudo-information [id

[configuration | interface]] and debug spanning-tree
pseudo-information commands to trace the configuration
sequence of the R-L2GP commands and the messages between
the route and switch processor. Share the output with TAC for
Disabled STP or MST instances
Use the show spanning-tree [active | detail | interface]

command to verify the state of the STP or MST. Share the
spanning-tree pseudo-information transmit command is

rejected
Verify if :
All MST instances within the pseudo-information are

configured within the MST global configuration.
MSTI 0 (IST) is configured within the

pseudo-information.
Cannot configure MST
Re-configure MSTE and ensure that priority, MAC address

and cost are the same on both the network processor engines.
System loops
Re-configure all the 64 VLAN instances per RL2GP within a

Pseudo ID.
Configuration is rejected when the MST region ID is

modified.
As IOS supports only single region MST, remove the multiple

MSTregion IDs that have been configured and configure only
a single MST ID.

Static MAC on Ethernet Flow Point (EFP) and Pseudowire (PW) provides the functionality to configure
static unicast or multicast MAC address on EFP and PW. A MAC address can be statically added on an
EFP under port channel. This feature provides the functionality to:
Avoid dynamically learning the traffic in both the directions.
Configure MAC address for Service Instance (SI) and PW.
Limit the scope of the data traffic flood by creating multicast groups. The static MAC address
assignment is important to avoid dynamically learning the traffic in both directions and also to limit
the flooding scope by creating a static multicast group.
Implement security by explicitly enabling a single MAC address.
Resolve the problem of MAC address aging out as the dynamic learning is disabled.
Optimize L2 table performance by limiting the table size.
Configure static MAC on EFPs on port channels.
Configure fully meshed pseudowire network between core facing routers and place them under
single multicast group.
4-200
OL-16147-20
Chapter 4


When configuring static MAC on EFP and PW for the Cisco 7600 routers, follow these guidelines and
restrictions:
You cannot configure unicast static MAC address and MAC security on the same EFP
simultaneously. For multicast addresses, static MAC and MAC security can be simultaneously
supported under EFP.
No support for static MAC on PWs on C-MAC Bridge-domain.
Static MACs are related to a L2 Bridge-domain table, so only the bridged services are supported.
When static MAC is configured on VPLS PW, and core-facing interface fails resulting in egress
interface to move to available interface, the traffic may be delayed.
Static MAC configuration is supported only on EVC bridge-domain interfaces and VFI pseudowires.
Static Mac configuration on EFP is supported on ES+ and ESM20 line cards
Static Mac configuration on VFI PW is supported on ES+, ESM20 and SIP 400 line cards.
Number of MACs per PW (unicast and multicast) is limited to 1024.
Number of MACs per Bridge-domain or VFI (unicast and multicast) is limited to 1024.
Number of MACs per system (unicast and multicast) is limited to 1024.
A static unicast MAC can be configured either globally or within a EVC or PW, not both. If a static
unicast MAC is configured within a EVC or PW first, then configuring the same MAC address
globally using the command mac-address-table static H.H.H vlan vlan_id [drop | interface]
makes the configuration within EVC or PW invalid.
The next section describes how to configure Static MAC on EFP and PW for the Cisco 7600 router. You
need to configure MPLS on core-facing router before configuring static MAC on PW. The information
about configuring MPLS on core-facing router is included as a separate section.
Configuring Static MAC over EFP for the Cisco 7600 Router, page 4-201
Configuring MPLS on Core-Facing Interface, page 4-203
Configuring Static MAC over Pseudowire for the Cisco 7600 Router, page 4-206
Configuring Static MAC over EFP for the Cisco 7600 Router
This section describes how to configure static MAC over EFP or SIs.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
encapsulation dot1q | untagged | double tagged | default vlan-id
6.
7.
mac static address mac_address [auto-learn | disable-snooping]
8.
mac static address mac_address
OL-16147-20
4-201
Chapter 4
9.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Router# Router(config)# interface gigabitethernet 4/1
Step 3

or interface tengigabitethernet
slot/port

interface to configure, where slot/port specifies the
location of the interface.
Example:
Router(config)# Interface
GigabitEthernet2/0/0
Step 4

submode.
Example:
ethernet
Step 5
encapsulation dot1q {any | vlan-id

[vlan-id[vlain-id]]} second-dot1q {any
| vlan-id[vlan-id[vlan-id]]}
Configuring the encapsulation. Defines the matching

criteria to be used in order to map ingress dot1q frames on
an interface to the appropriate service instance.
Example:
Step 6
Example:
Configuring the bridge domain. Binds the service

instance to a bridge domain instance where bridge-id is
the identifier for the bridge domain instance.
4-202
OL-16147-20
Chapter 4

Step 7
Command
Purpose
Configuring the static mac address for service instance.

These are the options:
auto-learn:Specifies that if the router sees this same

MAC address on a different port, the MAC entry
should be updated with the new port to allow MAC
move.
disable-snooping is used for multicast static MAC

address. This option disables IGMP snooping on the
multicast MAC address.The MAC address is in hexadecimal format.
Example:
Router(config-if-srv)# mac static address 0002.1122.0010
Step 8
Enables the static MAC address.
Example:
exit
Example:
Step9
Examples
This example shows how to configure static MAC over EFP or SIs:
Router# enable
Router(config-if-srv)# mac static address 0100.5e00.1111
disable-snooping
auto-learn
auto-learn
disable-snooping
Configuring MPLS on Core-Facing Interface

You need to configure MPLS on the core-facing router before configuring static MAC over pseudowire.
This section describes how to configure MPLS on the core-facing router interface.
SUMMARY STEPS
1.
enable
2.
configure terminal
OL-16147-20
4-203
Chapter 4
3.
interface gigabitethernet slot/subslot/port
4.
ip address ip_Address mask
5.
mpls ip
6.
7.
exit
8.
interface loopback Loopback_Id
9.
10. exit
11. mpls ldp router-id loopback loopback_Id force
12. router ospf ospf_Id
13. network loopback_network wildcard_mask area 0
14. exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Specifies the Gigabit Ethernet interface to configure,

where:
Example:
Router(config)# interface gigabitethernet 3/0/0
Step 4
ip address ip_Address mask
Configures ip address for the interface.
Example:
Router(config-if)# ip address
10.192.0.2 255.255.0.0
Step 5
mpls ip
Enables MPLS.
Example:
4-204
OL-16147-20
Chapter 4

Step 6
Command
Purpose
Configures the mpls parameters.
Example:
Router(config-if)# mpls label protocol
ldp
Step 7
exit
Example:
Step 8
interface loopback loopback_Id
Creates a loopback with the specified loopback_Id.
Example:
Step 9
Creates an IP address for the loopback.
Example:
Router(config-if)# ip address 1.1.1.1
mask 255.255.255.255
Step 10
exit
Example:
Step 11
mpls ldp router-id loopback loopback_Id

force
Configures loopback address as router-id.
Example:
Router(config)# mpls ldp router-id
loopback 0 force
Step 12
router ospf ospf_Id
Enables OSPF router configuration mode.
Example:
Router(config)# router ospf 50
OL-16147-20
4-205
Chapter 4
Step 13
Command
Purpose
network loopback_network wildcard_mask

area 0
Defines an interface on which OSPF runs and define the

area ID for that interface.
Example:
Router(config)# network 192.168.1.1
255.255.255.225 area 0
Step 14
exit
Exits the interface configuration mode.
Example:
Configuring Static MAC over Pseudowire for the Cisco 7600 Router
This section describes how to configure static MAC over pseudowire.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
l2 vfi vfi_Id manual
4.
vpn id vpn_id
5.
bridge-domain bd_number vlan
6.
neighbor ip_address encapsulation mpls
7.
8.
exit
9.
Interface vlan vlan_Id
10. xconnect vfi vfi_Id

11. no shutdown
12. exit
4-206
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
l2 vfi vfi_name manual
Creates a VFI and enters L2 VFI configuration mode.
Example:
Router(config-vfi)# l2 vfi smac_vfi
manual
Step 4
vpn id vpn_id
Configure the VPN Identifier.
Example:
Step 5
bridge-domain bd_number vlan
Configures the bridge domain.
Example:
Router(vfi-config)# bridge-domain 40
vlan
Step 6
neighbor ip_address encapsulation mpls
Configures the remote peering router-id and tunnel encapsulation type.
Example:
Router(vfi-config)# neighbor
192.168.1.1 encapsulation mpls
OL-16147-20
4-207
Chapter 4
Step 7
Command
Purpose
Configures the unicast and/or multicast static MAC

address to the interface. MAC address is in hexadecimal
format.
Example:
Configuring the static mac address for service instance.

The option:
Router(config-vfi-neighbor)# mac static address 2222.1111.1000
Step 8
exit
auto-learn is used for unicast static MAC address

only. This option is not available for multicast static
mac address.
disable-snooping is used for multicast static MAC

address. This option disables IGMP snooping on the
multicast MAC address.
Exits the VFI configuration mode.
Example:
Step 9
Interface vlan vlan_Id
Creates an interface VLAN, where the VLAN Id should

be same as the bd_number configured in step 5.
Example:
Step 10
xconnect vfi VFI_Id
Binds the Ethernet or VLAN port to the L2 VFI.
Example:
Router(config-if)# xconnect vfi
smac_vfi
Step 11
exit
Example:
Examples
This example shows how to configure static MAC over pseudowire.
Router# enable
Router(config)# interface GigabitEthernet 4/1/0
Router(config)# l2 vfi foo-core manual
Router(config-vfi)# bridge-domain 10 vlan
Router(config-vfi)# neighbor 11.0.0.1 encapsulation mpls
Router(config-vfi-neighbor)# mac static address 0002.1122.0010 auto-learn
Router(config-vfi-neighbor)# mac static address 0100.5e00.1111
Router(config-vfi-neighbor)# mac static address 0002.1122.0011
Router(config-vfi-neighbor)# mac static address 0100.5e00.1112 disable-snooping
4-208
OL-16147-20
Chapter 4

Router(config-vfi-neighbor)# mac static address 0002.1122.0012 auto-learn

Router(config-vfi-neighbor)# mac static address 0100.5e00.1113 disable-snooping
Router(config-vfi-neighbor)# interface vlan 10
Router(config-if)# xconnect vfi foo-core
Verification
Use the following commands to verify a configuration:
You can use the show bridge-domain domain_Id mac static address command to verify the
configuration:
Bridge-Domain ID : 10
Static MAC count : System : 8, bridge-domain : 8
Port Address Action
vfi foo-core neighbor 1.1.1.1 100 0000.0200.1112
vfi foo-core neighbor 1.1.1.1 100 0000.1111.1001 auto-learn
vfi foo-core neighbor 1.1.1.1 100 0100.5e11.1002
vfi foo-core neighbor 1.1.1.1 100 0100.5e11.1003 disable-snooping
Gi2/0/0 ServInst 2 0000.1111.1003
Gi2/0/0 ServInst 2 0000.1111.1004 auto-learn
Po500 ServInst 1 0000.0000.0777
Po500 ServInst 1 0100.5e00.1111 disable-snooping
You can use the show ethernet service instance id si_Id interface interface mac static address
command to verify the configuration:
Router#Router# show ethernet service instance id 1 interface Gi 2/0/0 mac static
address
Bridge domain ID : 10
Port static MAC count : 2
Port Address Action
Gi2/0/0 ServInst 1 0000.1111.1001
Gi2/0/0 ServInst 1 0000.1111.1002 auto-learn
You can use the show vfi { name vfi_name> | neighbor peer_ip_address vcid id } mac static
address command to verify the configuration:
Router#show vfi neighbor 1.1.1.1 vcid 100 mac static address
Bridge domain ID : 10
Port Address Action
vfi foo-core neighbor 1.1.1.1 100 0000.1111.1002 auto-learn
vfi foo-core neighbor 1.1.1.1 100 0100.5e11.1002
Troubleshooting
Table 4-27 provides the troubleshooting solutions for the REP over EVC feature
OL-16147-20
4-209
Chapter 4
Table 4-27
Troubleshooting REP over EVC feature
Problem
Solution
Pseudowire (PW) state changes
Complete these steps:
MAC address is not installed or deleted from the MAC

address table
Data is not synchronized with the standby supervisor
EFP or PW is disabled
1.
If a PW is down, flush all the static MAC addresses

configured within the PW.
2.
If the PW is up, re-install all the static MAC addresses

configured within the PW.
3.
If there is a PW change in egress due to load-balancing or

FRR, update all static MAC addresses configured within
the PW in the HW MAC table to use the new egress
information.
Use the debug mac static [event | error | ha | issu] command

to confirm if the MAC address (configured through static mac
over EFP/PW feature) is installed or deleted from the mac
address table and if the data is synchronized to the standby
supervisor. Share the output with TAC for further
investigation.

Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to
Spanning Tree Protocol (STP) to support L2 resiliency and fast failover with Ethernet networks. REP
provides functionality to:
Control network loops
Handle link failures
Improve convergence time
An REP segment is a connected chain of ports configured with a segment ID. Each segment consists of
standard (non-edge) segment ports and two user-configured edge ports. REP is supported on Layer 2
trunk interfaces and EVC ports. REP controls a group of ports connected in a segment, ensures that the
segment does not create any bridging loops, and responds to link failures within the segment. REP
provides a basis for constructing more complex networks and supports VLAN load balancing. REP
extends the network resiliency across Cisco IP Next-Generation Network (NGN) Carrier Ethernet
Design. REP is designed to provide network and application convergence within 50 to 200 ms. REP is a
segment protocol that integrates easily into existing Carrier Ethernet networks. It allows network
architects to limit the scope of STP domains. REP can also notify the STP about potential topology
changes, allowing interoperability with Spanning Tree.
REP is a distributed and secure protocol and does not rely on a master node controlling the status of the
ring. Hence, the failures can be detected locally either through loss of signal (LOS) or loss of neighbor
adjacency. Any REP port can initiate a switchover after acquiring the secure key to unblock the alternate
port. An REP segment is a chain of ports connected to each other and configured with the same segment
ID. Each end of a segment terminates on an edge switch. The port where the segment terminates is called
the edge port.
4-210
OL-16147-20
Chapter 4

REP Edge No-Neighbor

Effective from Cisco IOS release 15.1.(01)S, a new functionality provides capability to configure the
non-rep switch facing ports as edge no-neighbor ports. These ports inherit the properties of edge ports,
and overcome the limitation of not being able to converge quickly during a failure.
Figure 4-9
Edge No-Neighbor Ports
E1
REP not
supported
273792
E1 and E2 are configured

as edge no-neighbor ports
E2
REP ports
In access ring topologies, the neighboring switch might not support REP, as shown in Figure 4-2. In this
case, you can configure the non-REP facing ports (E1 and E2) as edge no-neighbor ports. These ports
inherit all the properties of edge ports. You can configure these no-neighbor ports as any other edge port
and also enable the ports to send STP or REP topology change notices to the aggregation switch. In this
case the STP Topology Change Notice (TCN) that is sent is a Multiple Spanning-Tree (MST) STP
message.
These sections describes how to configure REP on the Cisco 7600 router:
Configuring REP over Ethernet Virtual Circuit, page 4-211
Configuring Resilient Ethernet Protocol Configurable Timers, page 4-229
Configuring REP over Ethernet Virtual Circuit

The REP over Ethernet Virtual Circuit (EVC) allows you to configure and manage ports at service level.
You cannot configure REP on per service instance. An EVC port can have multiple service instances.
Each service instance corresponds to a unique Event Flow Processor (EFP). By default, REP is disabled
on all ports. Using REP over EVC, you can:
Control data traffic.
Configure VLANs load balancing at service instance level.
The ports on a C7600 platform are classified into three different types: switchports, routed ports, and
EVC ports. By default, a port is a routed port. REP is not supported on routed ports. You need to
configure a port to a switchport or EVC port to configure REP on it. A port that is configured with one
or more service instances is called an EVC port.
OL-16147-20
4-211
Chapter 4
This feature allows you to configure an EVC port to participate in a REP segment. REP can selectively
block or forward data traffic on particular VLANs. For EVC, the VLAN Id refers to the outer tag of the
dot1q encapsulation that is configured on a service instance. REP is supported on a bridge-domain
service. If ethernet vlan color-block all command is configured, REP is supported on connect and
xconnect services.
For more information on REP, see the Cisco IOS and NX-OS Software Resilient Ethernet Protocol guide
at http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_cfg_rep.html and
http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/prod_white_paper0900aecd806e
c6fa.pdf.

When configuring REP over EVC for the Cisco 7600 router, follow these guidelines and restrictions:
REP is not supported on service instances configured with encapsulation, untagged, or default type.
Cisco recommends that you begin by configuring one port and then configure the contiguous ports
to minimize the number of segments and the number of blocked ports.
REP can handle only one failure in a segment. If there is more than one failure in a REP segment,
traffic is lost.
REP ports must be Layer 2 trunk ports or EVC ports.
You must configure all trunk ports in the segment with the same set of allowed VLANs, or a
misconfiguration may occur.
Since REP blocks all VLANs until another REP interface sends a message to unblock it, you might
lose connectivity to the port if you enable REP in a Telnet session that accesses the EVC port
through the same interface.
You cannot execute REP and STP/MST or REP and Flex Links on the same segment or interface.
If you connect an STP network to the REP segment, be sure that the connection is at the segment
edge. An STP connection that is not at the edge causes a bridging loop because STP does not run on
REP segments. All STP BPDUs are dropped at REP interfaces.
If REP is enabled on two ports, both the ports must be either regular segment ports or edge ports.
REP ports follow these rules:
If only one port is configured in a segment, the port should be an edge port.
If two ports belong to the same segment, both ports must be edge ports or the regular segment
ports.
If two ports belong to the same segment and one is configured as an edge port and other as a
regular segment port, the edge port is treated as a regular segment port.
There can be only two edge ports in a segment, if there are two edge routers in a segment, each
router can have only one edge port. All the other ports on the edge router function as normal
ports.
REP interfaces come up in a blocked state and remains in a blocked state until notified that it is safe
to unblock.
REP sends all LSL PDUs in untagged frames on the native VLAN. The BPA message(untagged) sent
to the Cisco multicast address is sent on the administration VLAN, which is VLAN 1 by default.
Only the hardware flood layer (HFL) packets are sent on admin VLAN.
REP ports cannot be configured as:
4-212
OL-16147-20
Chapter 4

SPAN destination port

Private VLAN port
Tunnel port
Access port
REP is supported on EtherChannels, but not on an individual port that belongs to an EtherChannel.
It is supported on Swichports and EVC port-channels. REP is implemented on Port-channels instead
of individual ports.
In case of double VLAN tagged frame, REP is implemented only on the outer VLAN tag.
When an edge no-neighbor is configured on a router, configuring and unconfiguring an edge port is
not allowed.
Configuring REP over EVC for the Cisco 7600 Router

This section describes how to configure REP over EVC for the Cisco 7600 router:
Configuring REP over EVC using cross-connect on the Cisco 7600 Router, page 4-213
Configuring REP over EVC using connect for the Cisco 7600 Router, page 4-217
Configuring REP over EVC using bridge-domain for the Cisco 7600 Router, page 4-222
Configuring REP over EVC using cross-connect on the Cisco 7600 Router
This section describes how to configure REP over EVC using cross-connect at global configuration
level.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitEthernet slot/port
4.
rep segment segment_id [edge [no-neighbor] [primary]] [preferred]
5.
ether vlan color-block all
6.
service instance id {Ethernet [service-name}
7.
8.
vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}}
[symmetric]
9.
xconnect loopback_ip vc_id encapsulation mpls
10. exit
OL-16147-20
4-213
Chapter 4
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:

where:
4-214
OL-16147-20
Chapter 4

Step 4
Command
Purpose
Configures the REP over EVC. The segment ID range is

from 1 to 1024.
Note
Example:
Router(config-if)# rep segment 3 edge
These optional keywords are available.
Enter edge to configure the port as an edge port.

Entering edge without the primary keyword
configures the port as the secondary edge port. Each
segment has only two edge ports.
On an edge port, enter primary to configure the port

as the primary edge port, the port on which you can
configure VLAN load balancing.
Note
Although each segment can have only one

primary edge port, if you configure edge ports on
two different switches and enter the primary
keyword on both switches, the configuration is
allowed. However, REP selects only one of these
ports as the segment primary edge port. You can
identify the primary edge port for a segment by
using the show rep topology privileged EXEC
command.
On an edge port, use the no-neighbor keyword to

configure the segment edge with no external rep
neighbor.
Enter preferred to indicate that the port is the

preferred alternate port, or the preferred port for
VLAN load balancing.
Note
Step 5
You must configure two edge ports, including one

primary edge port for each segment.
Configuring a port as preferred does not

guarantee that it becomes the alternate port; it
merely gives it a slight edge among equal
contenders. The alternate port is usually a
previously failed port.
Configures REP to block xconnect type of service instances.
Example:
Router(config-if)# ether vlan color-block all
Step 6

submode.
Example:
ethernet
OL-16147-20
4-215
Chapter 4
Step 7
Command
Purpose
encapsulation dot1q {any |

vlan-id[vlan-id[-vlain-id]]} second-dot1q {any |
vlan-id[vlan-id[-vlan-id]]}

Example:
Step 8

vlan-id}} [symmetric]

Example:
tag dot1q single symmetric
Step 9
xconnect loopback_id vc_id encapsulation mpls
Configures forwarding mechanism on a service instance.

Ensure that the MPLS connectivity is up.
Example:
Router(config-if-srv)# xconnect
10.0.0.2 999 encapsulation mpls
Step 10
exit
Exits service instance mode.
Example:
Examples
This example shows how to configure REP over EVC using xconnect.
Router# enable
Router(cfg-if-ether-vc-xconn)# exit
4-216
OL-16147-20
Chapter 4

Configuring REP over EVC using connect for the Cisco 7600 Router
This section describes how to configure REP over EVC using connect at global configuration level.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
7.
[symmetric]
8.
exit
9.
10. exit
11. interface type slot/port
12. ether vlan color-block all
13. service instance id {Ethernet [service-name}
14. encapsulation dot1q vlan_id
15. rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id
[symmetric]
16. exit
17. rep segment segment_id [edge [no-neighbor] [primary]] [preferred]
18. exit
19. connect <connect_name> <interface> <service_instance_id> <interface> <service_instance_id>
OL-16147-20
4-217
Chapter 4
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
Step 4
Configures REP to block connect type of service instances.
Example:
Router(config-if)# Ether vlan color-block all
Step 5

submode.
Example:
ethernet
Step 6


Example:
dot1q 10
4-218
OL-16147-20
Chapter 4

Step 7
Command
Purpose

vlan-id}} [symmetric] tag pop id symmetric

Example:
tag pop 1 symmetric
Step 8
exit
Example:
OL-16147-20
4-219
Chapter 4
Step 9
Command
Purpose
Configures REP over EVC. The segment ID range is from

1 to 1024.
Note
Example:
primary



Note

command.

neighbor.

Configuring a port as preferred does not guarantee that it

becomes the alternate port; it merely gives it a slight edge
among equal contenders. The alternate port is usually a
Step 10
exit
Example:
Step 11

where:
Example:
4-220
OL-16147-20
Chapter 4

Step 12
Command
Purpose
Configures REP to block connect type of service instances.
Example:
Router(config-if)# Ether vlan color-block all
Step 13

submode.
Example:
ethernet
Step 14


Example:
Step 15

vlan-id}} [symmetric] tag pop id symmetric

Example:
tag push dot1q 20
Step 16
exit
Example:
Step 17
Configures REP over EVC.
Example:
primary
OL-16147-20
4-221
Chapter 4
Step 18
Command
Purpose
exit
Example:
Step 19
connect <connect_name> <interface>

<service_instance_id> <interface>
<service_instance_id>
Configures local connect between the two service

instances of two different interfaces.
Example:
outer(config)#connect test gigabitEthernet 2/1 10 gigabitEthernet 3/1 20
Examples
This example shows how to configure REP over EVC using connect.
Router# enable
Router(config)# interface gigabitEthernet 2/1
Router(config-if)# rep segment 2 edge primary
Router(config)#connect test gigabitEthernet 2/1 10 gigabitEthernet 3/1 20
Router(config-connection)#end
Configuring REP over EVC using bridge-domain for the Cisco 7600 Router
This section describes how to configure REP over EVC using bridge-domain at service instance level.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
4-222
OL-16147-20
Chapter 4

6.
[symmetric]
7.
bridge-domain bd_Id
8.
exit
9.
10. exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
Step 4

submode.
Example:
Step 5


Example:
OL-16147-20
4-223
Chapter 4
Step 6
Command
Purpose


Example:
tag push dot1q 20
Step 7
bridge-domain bd_Id
Configures bridge-domain to add another VLAN tag of

type bridge-domain to the incoming packet.
Example:
Step 8
exit
Example:
4-224
OL-16147-20
Chapter 4

Step 9
Command
Purpose
Configures REP over EVC. The segment ID range is from

1 to 1024.
Note
Example:
primary



Note

command.

neighbor.


Step 10
exit
Exits global configuration mode.
Example:
Examples
This example shows how to configure REP over EVC using bridge-domain.
Router# enable
OL-16147-20
4-225
Chapter 4

This example shows how to configure REP with the edge no-neighbor keyword.
Router# enable
Router(config-if)# rep segment 1 edge no-neighbor primary
Verification
You can use the show rep topology, show rep topology detail and show interface <> rep commands
to verify the REP over EVC configuration. This information is displayed as sample output:
Specific EVCs if an EVC ID is specified.
All the EVCs on an interface if an interface is specified.
The detailed option provides additional information about the EVC. This can be given on RP and
LC consoles to determine custom ethertype configured under a physical port.
Example of show rep topology command:

Router#show rep topology
REP Segment 3
BridgeName PortName Edge Role
---------------- ---------- ---- ---Router Gi4/0/0 Pri Open
REP-ALPHA Gi2/12 Open
REP-ALPHA Fa3/1 Open
REP-BETA Fa1/1 Open
REP-BETA Gi6/1 Open
Router Gi3/4 Sec Alt
--
Example of show rep topology detail command.

Router#show rep topology segment 3 detail
REP Segment 3
Router, Gi4/0/0 (Primary Edge)
Open Port, all vlans forwarding
Bridge MAC: 0015.fa66.ff80
Port Number: 0301
Port Priority: 000
Neighbor Number: 1 / [-6]
REP-ALPHA, Gi2/12 (Intermediate)
Bridge MAC: 0005.7495.cd00
Port Number: 010C
Port Priority: 000
REP-ALPHA, Fa3/1 (Intermediate)
Port Number: 0201
Port Priority: 000
REP-BETA, Fa1/1 (Intermediate)
4-226
OL-16147-20
Chapter 4

Bridge MAC: 0005.7495.c900

Port Number: 001
Port Priority: 000
REP-BETA, Gi6/1 (Intermediate)
Bridge MAC: 0005.7495.c900
Port Number: 0501
Port Priority: 000
Router, Gi3/4 (Secondary Edge)
Alternate Port, some vlans blocked
Port Number: 0204
Port Priority: 010
Example of show interface <> rep command:

Router#show interface gig4/0/0 rep detail
GigabitEthernet4/0/0 REP enabled
Segment-id: 3 (Primary Edge)
PortID: 03010015FA66FF80
Preferred flag: No
Operational Link Status: TWO_WAY
Current Key: 02040015FA66FF804050
Port Role: Open
Blocked VLAN: <empty>
Admin-vlan: 1
Preempt Delay Timer: disabled
Configured Load-balancing Block Port: none
Configured Load-balancing Block VLAN: none
STCN Propagate to: none
LSL PDU rx: 999, tx: 652
HFL PDU rx: 0, tx: 0
BPA TLV rx: 500, tx: 4
BPA (STCN, LSL) TLV rx: 0, tx: 0
BPA (STCN, HFL) TLV rx: 0, tx: 0
EPA-ELECTION TLV rx: 6, tx: 5
EPA-COMMAND TLV rx: 0, tx: 0
EPA-INFO TLV rx: 135, tx: 136
Show outputs for REP with Edge No-Neighbor keyword

Example of show rep topology command with REP edge no-neighbor keyword:
Router#show rep topology
REP Segment 3
BridgeName
PortName
---------------- ---------sw8-ts8-51
Gi0/2
sw9-ts11-50
Gi1/0/4
sw9-ts11-50
Gi1/0/2
sw1-ts11-45
Gi0/2
sw1-ts11-45
Po1
sw8-ts8-51
Gi0/1
--
Edge
---Pri*
Sec*
Role
---Open
Open
Open
Alt
Open
Open
Example of show rep topology detail command with REP edge no-neighbor keyword:
Router#show rep topoology segment 3 detail
REP Segment 3
Router, Gi4/0/0 (Primary Edge No-Neighbor)
OL-16147-20
4-227
Chapter 4

Port Number: 0301
Port Priority: 000
REP-ALPHA, Gi2/12 (Intermediate)
Port Number: 010C
Port Priority: 000
REP-ALPHA, Fa3/1 (Intermediate)
Port Number: 0201
Port Priority: 000
REP-BETA, Fa1/1 (Intermediate)
Bridge MAC: 0005.7495.c900
Port Number: 001
Port Priority: 000
REP-BETA, Gi6/1 (Intermediate)
Bridge MAC: 0005.7495.c900
Port Number: 0501
Port Priority: 000
Router, Gi3/4 (Secondary Edge)
Alternate Port, some vlans blocked
Port Number: 0204
Port Priority: 010
Example of show interface <> rep command with REP edge no-neighbor keyword:
Router#show interface gig4/0/0 rep detail
GigabitEthernet4/0/0 REP enabled
Segment-id: 3 (Primary Edge No-Neighbor)
PortID: 03010015FA66FF80
Preferred flag: No
Operational Link Status: TWO_WAY
Current Key: 02040015FA66FF804050
Port Role: Open
Blocked VLAN: <empty>
Admin-vlan: 1
4-228
OL-16147-20
Chapter 4

Configuring Resilient Ethernet Protocol Configurable Timers

The REP Configurable Timer (REP Fast Hellos) feature provides a fast re-convergence in a ring topology
with higher timer granularity and quicker failure detection on the remote side. The feature also supports
improved convergence of REP segments having nodes with copper based SFPs, where the link detection
time varies between 300 ms to 700 ms.
With the REP Link Status Layer (LSL) ageout timer configuration, the failure detection time can be
configured between a range of 120 millisecond to 10,000 millisecond, in multiples of 40 ms. The result
of this configuration is that, even if the copper pull takes about 700 ms to notify the remote end about
the failure, the REP Configurable Timers process will detect it much earlier and takes subsequent action
for the failure recovery within 200 ms.

When configuring the REP Configurable Timers for the Cisco 7600 router, follow these guidelines and
restrictions:
The LSL Age Out Timer configuration is available on switchports, EVC, L2 Port-channel and
Port-channel EVC interfaces.
The SUP 720, RSP 720, RSP 10G supervisors and the ES20, ES40, and LAN line cards support the
REP Configurable Timers configuration.
While configuring REP configurable timers, we recommend you shut the port, configure REP and
only then use the no shut command. This prevents the REP from flapping and generating large
number of internal messages.
If incompatible switches are neighbors, configure the correct LSL Age Out value first. In some
scenarios, you might not get the expected convergence range.
In order to inter-operate with switches running old IOS versions, the default LSL Age Out time is
set to 5 seconds, default LSL retries is 5, and the hello packet is sent every one second.
Except for the LSL Age Out time, all the other timer values are retained. For example, the EPA (End
Port Advertisement) hello timer continues to be 4 seconds, as it is not required to send EPA PDUs
at a higher frequency.
While configuring REP configurable timers, we recommend you configure the REP LSL number of
retries first and then configure the REP LSL age out timer value.
Effective from Cisco IOS release 15.1(2)S:

The REP Configurable Timers feature is SSO compliant for RSP720, RSP10G (endor) and
SUP720 supervisors.
The REP Configurable Timers feature on SSO is not supported with SUP32 supervisor.
The REP LSL Age Out value can be configured as low as 1520 ms (approximately 500 ms * 3)
for HA systems as this prevents traffic loss.

The REP Configurable Timers feature is supported only on Cisco 7600 S-chassis.
Configuring REP Configurable Timers for the Cisco 7600 Router

This section describes how to configure the LSL age out timer and the LSL number of retries on a Cisco
7600 router:
OL-16147-20
4-229
Chapter 4
Configuring the REP Link Status Layer Retries, page 4-230
Configuring the REP Link Status Layer Age Out Timer, page 4-232
Configuring the REP Link Status Layer Retries

This section describes how to configure REP link status layer number of retries at interface configuration
level.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
rep lsl-retries <no-of-retries>
6.
end
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Specifies the Gigabit Ethernet, Ten Gigabit Ethernet and

Port Channel interfaces to configure, where:
4-230
OL-16147-20
Chapter 4

Step 4
Command
Purpose
Configures the REP. The segment ID range is from 1 to

1024.
Note
Example:
primary


command.
Note

neighbor.

preferred alternate port or the preferred port for

Step 5
rep lsl-retries <no-of-retries>
Example:
Configures the number of retries before the REP link is

disabled. The acceptable range of retries is 3-10. The
default LSL number of retries is 5.
Router(config-if)# rep lsl-retries 4
Step 6
end
Example:
Example
This example shows how to configure REP link status layer number of retries.
Router# enable
OL-16147-20
4-231
Chapter 4

Router(config-if)# rep lsl-retries 4
Configuring the REP Link Status Layer Age Out Timer

This section describes how to configure the REP Link Status Layer Age Out Timer at interface
configuration level.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
rep lsl-age-timer <lsl-age-timer>
6.
end
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Specifies the Gigabit Ethernet, Ten Gigabit Ethernet and

Port Channel interfaces to configure, where:
4-232
OL-16147-20
Chapter 4

Step 4
Command
Purpose
Configures the REP. The segment ID range is from 1 to

1024.
Note
Example:
primary



Note

command.

neighbor.


Step 5
rep lsl-age-timer <lsl-age-timer>
Example:
Router(config-if)# rep lsl-age-timer
2000
Step 6
end
Configures REP link status layer age out timer value. The
acceptable range of lsl-age-timer is between 120ms and
10000ms, in multiples of 40ms. The default LSL Age Out
time is 5 seconds.
Example:
Example
This example shows how to configure REP link status layer ageout timer value.
Router# enable
OL-16147-20
4-233
Chapter 4

Router(config-if)# rep lsl-age-timer 2000
Verification
Use the show interfaces <interface name> rep detail command to view the configured LSL number of
retries and the LSL Age Out timer values.
7600-1#show interfaces GigabitEthernet11/1 rep detail
GigabitEthernet11/1
REP enabled
Segment-id: 10 (Segment)
PortID: 0A010009B6D8F700
Preferred flag: No
Operational Link Status: NO_NEIGHBOR
Current Key: 0A010009B6D8F700EEA1
Port Role: Fail No Ext Neighbor
Blocked VLAN: 1-4094
Admin-vlan: 1
LSL Ageout Timer: 120 ms
LSL Ageout Retries: 3
Troubleshooting the REP

Table 4-28 lists the debug commands to troubleshoot the REP issues.
Table 4-28
Debug commands and their purpose
Command
Purpose
debug rep bpa-event
Provides information about the BPA (Block Port

Advertisement) events.
debug rep bpasm
Provides information about the BPA state

machine.
debug rep chkpt
Provides information about the checkpoint events.
debug rep database
Provides information about the protocol database.
debug rep em
Provides information about the event manager

events.
debug rep epasm
Provides information about the EPA (End Port

Advertisement) state machine.
debug rep error
Provides information about the REP error thrown.
4-234
OL-16147-20
Chapter 4

Command
Purpose
debug rep failure-recovery
Provides information about the switchover events.
debug rep lslsm
Provides information about the Link Status Layer

state machine.
debug rep prsm
Provides information about the change in the role

of the port based on the Port Role State Machine.
debug rep rf
Provides information about the redundancy.
debug rep sso
Provides information about the redundancy SSO

events.
debug rep sync
Provides information about the sync events.
Troubleshooting scenarios
Table 4-29 lists the potential problems and solutions associated with configuring REP:
Table 4-29
Troubleshooting REP Issues
Problem
Solution
REP traffic is disrupted.
Check if the VLAN Trunking Protocol (VTP)

pruning is configured on an REP segment. Cisco
suggests you avoid VTP pruning configuration on
an REP segment.
Loops formed during configuration.
Avoid configuring parallel segments where two

segments share more than one bridge.
When the link status of two REP enabled

interfaces goes down and one of the links is
recovered, the port status still remains alternate,
leading to traffic disruption.
Use the shut/no shut option on alternate ports and

restore all links to form a ring topology.
Error message seg id: 1 already got 2 ports:

Fa0/2 and Fa0/3" is displayed.
Do not configure three interfaces on the same

switch for the same REP segment. If you do so, an
error message is displayed on the configuration of
the third interface.
Error message Conflict with monitor session is Ensure that you do not configure:
displayed.
A interface as a SPAN destination port and
enable REP on the same port.
REP administrative VLAN as the RSPAN

VLAN.

A Metro Ethernet network consists of networks from multiple operators supported by one service
provider and connects multiple customer sites to form a virtual private network (VPN). Networks
provided and managed by multiple independent service providers have restricted access to each other's
equipment. Because of the diversity in these multiple-operator networks, failures must be isolated
quickly. As a Layer 2 network, Ethernet must be capable of reporting network faults at Layer 2.
OL-16147-20
4-235
Chapter 4
IEEE 802.3ah is a point-to-point and per- physical- wire OAM protocol that detects and isolates
connectivity failures in the network. IEEE 802.1ag draft 8.1 Metro Ethernet Connectivity Fault
Management (CFM) incorporates several OAM facilities that allow you to manage Metro Ethernet
networks, including an Ethernet continuity check, end-to-end Ethernet traceroute facility using
Linktrace message (LTM), Linktrace reply (LTR), Ethernet ping facility using Loopback Message
(LBM), and a Loopback Reply (LBR). These Metro Ethernet CFM protocol elements quickly identify
problems in the network.
operations, administration, and maintenance (OAM) protocol. It includes proactive connectivity
monitoring, fault verification, and fault isolation for large Ethernet metropolitan-area networks (MANs)
and WANs. Connectivity Fault Management (CFM) is the indispensable capability that service providers
require to deploy large-scale, multivendor Metro Ethernet services. This feature upgrades the
implementation of CFM to be compliant with the IEEE 802.1ag with the current standard, 802.1ag-2007
and implementation of CFM over L2VFI (Layer 2 Virtual Forwarding Instance Information), cross
connect, EVC, and Switchport.
Key CFM mechanisms are:
Maintenance domains (MDs) that break up the responsibilities for the network administration of a
given end-to-end service.
Maintenance associations (MAs) that monitor service instances within a specified MD.
Maintenance points, (MPs or MIPs), such as Maintenance end points (MEP's) that transmit and
receive CFM protocol messages, and MIPs that catalog information received from MEPs, and
respond to Linktrace and Loopback messages.
Protocols (Continuity Check, Loopback, and Linktrace) that are used to manage faults.
For more information on CFM, see Cisco IOS Carrier Ethernet Configuration Guide, Release 12.2SR at
http://www.cisco.com/en/US/docs/ios-xml/ios/cether/configuration/12-2sr/ce-cfm-ieee.html.
For more information about the commands used in this section, see Cisco IOS Ethernet Command
Reference Guide at http://www.cisco.com/en/US/docs/ios/cether/command/reference/ce_book.html
SSupported Line Cards

Use the ethernet cfm global command to enable the CFM D8.1 feature on the following line cards:
ES20 and ES40:Switchports, routed ports, and EVC BD.
SIP400:Routed ports, and Layer 2 Virtual Forwarding Instance ( L2VFI).
SIP600:Switchports, and routed ports.
67xx: Switchports, and routed ports.
Table 4-30and Table 4-31 display the complete support matrix for the CFM D8.1 feature.
Note
The matrix is spread over two tables for better readability.
4-236
OL-16147-20
Chapter 4

Table 4-30
Supported Matrix1
Line card
CFM on
Switchport or CFM
on Switch + BD for
SVI Based EoMPLS
for VPLS
(pre-std)
CFM on
Routed Port
(pre-std)
CFM
on
Service Instance
with BD
for SVI based
EoMPLS
for VPLS
(pre-std)
WS-SUP720-3BXL
Up MEP
Down MEP
Not Applicable
Down MEP
Port MEP
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Down MEP
Port MEP
Down MEP
Not Applicable
Port MEP
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Down MEP
Port MEP
Down MEP
Not Applicable
Port MEP
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Port MEP
Up MEP
Down MEP
Port MEP
WS-X6148A
Up MEP
Down MEP
Port MEP
WS-SUP32-10GE-3B Up MEP
Up MEP
Down MEP
Port MEP
WS-SUP32-GE-3B
Up MEP
Down MEP
Port MEP
RSP720-3C-GE
Up MEP
Down MEP
Port MEP
RSP720-3CXL-GE
Up MEP
Down MEP
Port MEP
RSP720-3C-10GE
Up MEP
Down MEP
Port MEP
RSP720-3CXL-10GE Up MEP
Up MEP
Down MEP
Port MEP
WS-SUP720-3B
CFM
on
Switchport
or
CFM on Switch +
BD
(Standard)
Not Applicable
Up MEP
Down MEP
Port MEP
OL-16147-20
4-237
Chapter 4
Line card
CFM on
Switchport or CFM
on Switch + BD for
SVI Based EoMPLS
for VPLS
(pre-std)
CFM on
Routed Port
(pre-std)
CFM
on
Service Instance
with BD
for SVI based
EoMPLS
for VPLS
(pre-std)
WS-X6148-FE-SFP
Up MEP
Down MEP
Not Applicable
Down MEP
Port MEP
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Down MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Port MEP
WS-X6724-SFP
Up MEP
Down MEP
Port MEP
WS-X6708-10G-3CX Up MEP
L
Down MEP
Up MEP
Down MEP
Port MEP
WS-X6708-10G-3C
Up MEP
Down MEP
Port MEP
WS-X6704-10GE
Up MEP
Down MEP
Port MEP
WS-X6548-GE-TX
Up MEP
Down MEP
Port MEP
WS-X6548-RJ-21
Up MEP
Down MEP
Port MEP
WS-X6524-100FXMM
Up MEP
Down MEP
Port MEP
WS-X6516A-GBIC
CFM
on
Switchport
or
CFM on Switch +
BD
(Standard)
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
Port MEP
Up MEP
Down MEP
Port MEP
4-238
OL-16147-20
Chapter 4

Line card
CFM on
Switchport or CFM
on Switch + BD for
SVI Based EoMPLS
for VPLS
(pre-std)
CFM on
Routed Port
(pre-std)
CFM
on
Service Instance
with BD
for SVI based
EoMPLS
for VPLS
(pre-std)
WS-X6748-GE-TX
Up MEP
Down MEP
Not Applicable
Down MEP
Port MEP
Port MEP
Up MEP
Down MEP
Down MEP
Port MEP
Not Applicable
or
Not Supported
( SIP-400 + WAN
SPA
Up MEP
Down MEP
Port MEP
Port MEP
SIP-400 + V2 GE
SPAs
Up MEP
Down MEP
Port MEP
WS-X6748-SFP
CFM
on
Switchport
or
CFM on Switch +
BD
(Standard)
Not
Supported
Not Supported
Not Supported
Not
Supported
Not Supported
Not Supported
Not Supported
Up MEP
SIP-400 + WAN SPA or

SIP-400 + v2 GE
SPA as uplink)
No Transparency
with CFM Enabled
on the box
SIP-400 + V2 FE SPA Not Supported
or
SIP-400 + WAN SPA
SIP-400 + WAN
SPA
or
SIP-400 + V2 GE
SPA as uplink
No Transparency
with CFM Enabled
on the box
SIP-600 + V2 GE
Up MEP
Down MEP
or
Down MEP
Port MEP
v2 10GE SPA
Port MEP
Down MEP
Port MEP
or
WAN SPA
OL-16147-20
4-239
Chapter 4
CFM
on
Switchport
or
CFM on Switch +
BD
(Standard)
CFM on
Switchport or CFM
on Switch + BD for
SVI Based EoMPLS
for VPLS
(pre-std)
CFM on
Routed Port
(pre-std)
CFM
on
Service Instance
with BD
for SVI based
EoMPLS
for VPLS
(pre-std)
Up MEP
Down MEP
Up MEP
Up MEP
ES20-GE
Down MEP
Port MEP
Down MEP
Down MEP
or
Port MEP
Line card
Port MEP
ES20-10GE
ES+ GE /10GE
Up MEP
Down MEP
Up MEP
Up MEP
Down MEP
Port MEP
Down MEP
Down MEP
Port MEP
Table 4-31
Port MEP
Supported Matrix 2
Line card
CFM
on
Service Instance +
xconnect
(Standard)
WS-SUP720-3BXL
Not Applicable
WS-SUP720-3B
Not Applicable
RSP720-3CXL-10GE Not Applicable
RSP720-3C-10GE
RSP720-3CXL-GE
Not Applicable
Not Applicable
CFM
on
Service
Instance +
BD
for SVI
based
EoMPLS
for VPLS
(Standard)
CFM
on
L2-VFI
(Standard)
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
CFM
on
Routed Port
(Standard)
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
4-240
OL-16147-20
Chapter 4

Line card
CFM
on
Service Instance +
xconnect
(Standard)
RSP720-3C-GE
Not Applicable
WS-SUP32-GE-3B
Not Applicable
WS-SUP32-10GE-3B Not Applicable

WS-X6148A
WS-X6148-FE-SFP
WS-X6516A-GBIC
Not Applicable
Not Applicable
Not Applicable
WS-X6524-100FXMM
Not Applicable
WS-X6548-RJ-21
Not Applicable
WS-X6548-GE-TX
WS-X6704-10GE
Not Applicable
Not Applicable
CFM
on
Service
Instance +
BD
for SVI
based
EoMPLS
for VPLS
(Standard)
CFM
on
L2-VFI
(Standard)
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
CFM
on
Routed Port
(Standard)
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
OL-16147-20
4-241
Chapter 4
Line card
CFM
on
Service Instance +
xconnect
(Standard)
WS-X6708-10G-3C
Not Applicable
CFM
on
Service
Instance +
BD
for SVI
based
EoMPLS
for VPLS
(Standard)
CFM
on
L2-VFI
(Standard)
Not
Applicable
Not Applicable
WS-X6708-10G-3CX Not Applicable

L
Not
Applicable
Not Applicable
WS-X6724-SFP
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Applicable
Not Applicable
Not
Supported
Down MEP
WS-X6748-GE-TX
WS-X6748-SFP
SIP-400 + V2 GE
SPAs
Not Applicable
Not Applicable
Not Applicable
Not Supported
No Transperency
SIP-400 + WAN SPA

SIP-400 + V2 FE SPA Not Supported
or
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Down MEP
Port MEP
Not
Supported
Down MEP
Down MEP
Port MEP
No
Transperenc
y
SIP-400 + WAN SPA
or
Down MEP
No
Transperenc
y
or
SIP-600 + V2 GE
CFM
on
Routed Port
(Standard)
Not Supported
Not
Supported
Down MEP
Down MEP
Port MEP
V2 10GE SPA
or
WAN SPA
4-242
OL-16147-20
Chapter 4

Line card
ES20-GE
CFM
on
Service Instance +
xconnect
(Standard)
CFM
on
Service
Instance +
BD
for SVI
based
EoMPLS
for VPLS
(Standard)
CFM
on
L2-VFI
(Standard)
Up MEP
Up MEP
Down MEP
Down MEP
Down MEP
Up MEP
Up MEP
Down MEP
Down MEP
CFM
on
Routed Port
(Standard)
Down MEP
Port MEP
or
ES20-10GE
ES+ GE /10GE
Down MEP
Down MEP
Port MEP
Scalable Limits
Table 4-32 maps the supported interfaces with the CFM points and their scalability values.
Table 4-32
Interfaces
Scalable Limits
CFM Points
Scalability Values
Switchports and EVC Up MEP

Bridge Domain (BD) Down MEP
MIP
Port MEP
8K MEPs per box (4K MEPs per LC) at 10 sec CC

interval or higher CC intervals.
1K MEPs at 1 sec CC interval or higher CC intervals.
100 MEPs at 100 msec CC interval or higher CC
intervals.
Routed Ports

intervals.
4K MEPs per box at 10 sec CC interval or higher
CC intervals.
Down MEP
Port MEP
Supported Interfaces
Table 4-33 maps the supported interfaces with the CFM points and their scalability values:
OL-16147-20
4-243
Chapter 4
Table 4-33
Interfaces
CFM Points
Scalability Values
Switchports and EVC Up MEP

Bridge Domain (BD) Down MEP
MIP
Port MEP
8K MEPs per box (4K MEPs per LC) at 10 sec CC

interval or higher CC intervals.
intervals.
Routed Ports

intervals.
4K MEPs per box at 10 sec CC interval or higher
CC intervals.
Down MEP
Port MEP

When configuring CFM D8.1, follow these restrictions and usage guidelines:
Hardware EoMPLS is not supported.
Supports interworking between routed ports, switch ports, and EVC BD.
CFM D8.1 QinQ configuration on a subinterface is not supported.
You can ping or traceroute to a MEP where Continuity Check (CC) is disabled. However, you cannot
use ping and traceroute for an down MEP on a STP blocked port configured on either a supervisor
port or a LAN port.
With lower CC intervals, CC packets are transmitted in bursts. Ensure that you appropriately
configure the MLS rate limiters to avoid flapping of remote MEPs.
Ping and traceroute on trunk ports for Port-MEP's and down MEP's configured on native vlan is
supported only on ES20 and ES40 line cards.
In 802.3ah E-OAM, the remote-loopback TEST status is not retained across switchovers. The
remote loopback works with a longer OAM timeout value that is greater than 10 seconds.
CFM is not supported with a EVC manual load balancing configuration on a EVC bridge-domain
and a EVC cross-connect interface.Though configuration is not rejected, the feature may not work
as expected.
Migrating CFM D1.0 to D8.1 works with a reduced scale of 2k MEPs on the routed ports. For
example, if there is an EVC service configured within a domain in D1, the link fails while migrating
to D8.1. To avoid this, ensure that you configure the VLAN and the EVC within the domain in D1,
as shown in the next example.
Sample D1 configuration during migration:

ethernet cfm domain 2OUT493 level 2 direction outward
service 1 evc 493
Sample configuration to avoid the migration issue:

ethernet cfm domain 2OUT493 level 2 direction outward
service 1 evc 493
service 1 vlan 493
4-244
OL-16147-20
Chapter 4

SUMMARY STEPS (COMMON CONFIGURATIONS FOR EVC, SWITCHPORT, AND ROUTED PORTS)
1.
enable
2.
configure terminal
3.
ethernet cfm domain domain-name level level-id
4.
service { short-ma-name | number MA-number | vlan-id primary-vlan-id | vpn-id vpn-id } {vlan

vlan-id | port | evc evc-name }
5.
continuity-check
6.
continuity-check {interval CC-interval }
7.
end
DETAILED STEPS (COMMON CONFIGURATIONS FOR EVC, SWITCHPORT, AND ROUTED PORTS)
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
ethernet cfm domain domain-name

level level-id
Example:
Defines a CFM maintenance domain at a particular maintenance Level. It sets the router into config-ecfm configuration mode, where parameters specific to the
maintenance domain can be set.
PE1(config)#ethernet cfm domain L4

level 4
Step 4
service { short-ma-name | number

MA-number | vlan-id primary-vlan-id | vpn-id vpn-id } {vlan
vlan-id | port | evc evc-name }
Configures the maintenance association and sets a universally unique ID for a customer service instance (CSI) or
the maintenance association number value, primary
VLAN ID and VPN ID within a maintenance domain in
Ethernet connectivity fault management (CFM) configuration mode.
Example:
Router(config-ecfm)#service s41 evc
41 vlan 41
Step 5
continuity-check
Configures the transmission of continuity check

messages (CCMs), in Ethernet connectivity fault management (CFM) service configuration mode.
Example:
Router(config-ecfm-srv)#continuity-check
OL-16147-20
4-245
Chapter 4
Step 6
Command
Purpose
continuity-check {interval CC-interval }
Configures the per-service parameters and sets the

interval at which Continuity Check Messages are transmitted.
The supported interval values are:

100ms 100 ms
Example:
Router(config-ecfm-srv)#continuity-check interval 10s
10m 10 minutes
10ms 10 ms
10s 10 seconds
1m 1 minute
1s 1 second
3.3ms 3.3 ms
The default is 10seconds.
Step 7
Exits the interface.
end
SUMMARY STEPS TO CONFIGURE CFM MEP AND MIP ON A EVC

1.
enable
2.
configure terminal
3.
interface
4.
service instance {id} ethernet {evc-name}
5.
encapsulation {encapsulation-type}
6.
bridge-domain {number}
7.
cfm mep domain {domain-name} mpid {id}
8.
cfm mip level {level}
9.
cfm encapsulation
10. end
4-246
OL-16147-20
Chapter 4

DETAILED STEPS TO CONFIGURE CFM MEP AND MIP ON A EVC
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Enters the interface mode.
interface
Example:
Router(config)# interface tengigabitethernet 1/0/0
Step 4
service instance {id } ethernet

{evc-name}
Configures the service instance and the ethernet virtual

connections.
Example:
Router(config-interface)#service instance 41 ethernet 41
Step 5
encapsulation {encapsulation-type }
Configures the encapsulation type.
Example:
Router(config-if-srv)#encapsulation
dot1q 41
Step 6
bridge-domain
{number}
Example:
Router(config-if)#bridge-domain 41
Step 7
cfm mep domain {domain-name} mpid

{id}
Configures the bridge domain values.The default domain

number is zero; this is the domain number required when
communicating to IEEE bridges that do not support this
domain extension.
Configures the MEP domain and the ID.
Example:
Router(config-if-srv)#cfm mep domain L4 mpid 4001
Step 8
cfm mip level {level}
Example:
Automatically creates a MIP in the Ethernet interface and

sets the maintenance level number. The acceptable
rangeof maintenance levels is zero to seven.
PE1(config-if-srv)#cfm mip level 4
OL-16147-20
4-247
Chapter 4
Step 9
Command
Purpose
cfm encapsulation
Configures the CFM encapsulation type.
Example:
PE1#(config-if-srv)#cfm encapsulation dot1q 100 second-dot1q 200
Step 10
Exits the service instance interface mode.
end
SUMMARY STEPS TO CONFIGURE CFM MEP AND MIP ON A SWITCH PORT

1.
enable
2.
configure terminal
3.
interface
4.
switchport
5.
switchport mode {trunk}
6.
ethernet cfm mep domain domain-name mpid mpid {vlan vlan-id | port}
or
7.
ethernet cfm mip level {0 to 7} {vlan vlan-id }
8.
end
4-248
OL-16147-20
Chapter 4

DETAILED STEPS TO CONFIGURE CFM MEP AND MIP ON A SWITCHPORT
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
Example:
Step 4
switchport
Configures the Layer 3 mode into Layer 2 mode for Layer

2 configuration.
Example:
Router(config-interface)#switchport
Step 5
switchport mode {trunk}
Configures a trunking VLAN Layer 2 interface.
Example:
Router(config-if)#switchport mode
trunk
Step 6
ethernet cfm mep domain domain-name

mpid mpid {vlan vlan-id | port}
Example:
Router(config-if)#ethernet cfm mep
domain L4 mpid 1 vlan 41
Sets a port as internal to a maintenance domain, and

defines it as a maintenance endpoint. It sets the device
into config-if-ecfm-mep configuration mode, where parameters specific to the MEP can bet set.
domain-name: String, maximum length of 43 characters
mpid: 1 to 8191
vlan-id: 1 to 4094
port: a port MEP, untagged and valid only for

outward direction to configure MEP with no VLAN
association.
or
OL-16147-20
4-249
Chapter 4
Step 7
Command
Purpose
ethernet cfm mip level {0 to 7}

{vlan vlan-id }

defines it as a maintenance intermediate point.
Example:
PE1(config-if)#ethernet cfm mip level 4 vlan 10
Step 8
end
SUMMARY STEPS TO CONFIGURE CFM MEP ON A ROUTED PORT

1.
enable
2.
configure terminal
3.
interface
4.
no ip address
5.
no mls qos trust
6.
ethernet cfm mep domain domain-name mpid mpid {vlan vlan-id}
7.
8.
encapsulation dot1Q vlan-id
9.
end
4-250
OL-16147-20
Chapter 4

DETAILED STEPS TO CONFIGURE CFM MEP ON A ROUTED PORT
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
Example:
Step 4
no ip address
Removes the configured IP address or disables IP processing.
Example:
Router(config-interface)# no ip address
Step 5
no mls qos trust
Example:
Router(config-if)#no mls qos trust
Step 6
ethernet cfm mep domain domain-name mpid mpid {vlan vlan-id }
Example:
Router(config-if)#ethernet cfm mep
domain routed mpid 4001 vlan 4001
Step 7
Configures the multilayer switching (MLS) quality of

service (QoS) port trust state and traffic by examining the
class of service (CoS) or differentiated services code
point (DSCP) value. Use the no form of this command to
return a port to its untrusted state.
defines it as a maintenance end point. It sets the device
into config-if-ecfm-mep configuration mode, where parameters specific to the MEP can be set.
domain-name: String, maximum length of 43 characters
mpid: 1 to 8191
vlan-id: 1 to 4094
Configures the subinterface.
Example:
Router(config)# interface tengigabitethernet 1/0/0.1
OL-16147-20
4-251
Chapter 4
Step 8
Command
Purpose
encapsulation dot1Q vlan-id
Configures the IEEE 802.1Q encapsulation of traffic on a

specified subinterface in a virtual LAN (VLAN) on a
routed port. The acceptable range of a VLAN is from 1 to
4094.
Example:
PE1(config-if)#encapsulation dot1Q
vlan-id 10
Step 9
end
Verification
Command
Purpose
Router# show ethernet cfm maintenance-points local
Displays the local maintenance points.
Router# show ethernet cfm maintenance-points remote
Displays the remote maintenance end points.
Router# show ethernet cfm errors
Displays all the CFM Continuity Check error conditions

logged on the device.
Router# show ethernet cfm mpdb
Displays the remote maintenance points.
Example
The following example shows a configuration of MEP in a switchport:
ethernet cfm domain L4 level 4
service s41 evc 41 vlan 41
continuity-check
int TenGigabitEthernet2/0/0
switchport
ethernet cfm mep domain L4 mpid 1 vlan 41
The following example shows a configuration of MIP in a switchport:

continuity-check
switchport
ethernet cfm mip level 4 vlan 10
The following example shows a configuration of MEP in a EVC bridge domain:

continuity-check
service instance 41 ethernet 41
bridge-domain 41
cfm mep domain L4 mpid 4001
The following example shows a configuration of MIP in a EVC bridge domain:

continuity-check
4-252
OL-16147-20
Chapter 4


bridge-domain 41
cfm cfm mip level 4
The following example shows a configuration of MEP on a routed port:

ethernet cfm domain routed level 5
service s2 evc 2 vlan 2 direction down
continuity-check
no ip address
no mls qos trust
ethernet cfm mep domain routed mpid 4001 vlan 4001
interface GigabitEthernet8/0/0.10
encapsulation dot1Q 10
The following example shows CFM configuration over a EVC with cross connect in the global domain
configuration mode:
service xconn evc xconn
continuity-check
The following example shows CFM configuration over a EVC with cross connect in the interface
configuration mode:
service s100 evc 100
continuity-check
no ip address
cfm mep domain L6 mpid 602
cfm mip level 7
CFM over EFP Interface with xconnect

OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation.
Currently, Ethernet CFM supports Up facing and Down facing Maintenance Endpoints (MEPs). For
information on Ethernet Connectivity Fault Management, see
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srethcfm.html
The CFM over EFP Interface with xconnect feature allows you to:
Forward continuity check messages (CCM) towards the core over cross connect pseudowires.
Receive CFM messages from the core.
Forward CFM messages to the access side (after Continuity Check Database [CCDB] based on
maintenance point [MP] filtering rules).

When configuring CFM over EFP Interface with cross connect, follow these restrictions and usage
guidelines:
The following line cards are supported:

ES20 line cards
OL-16147-20
4-253
Chapter 4
ES+ line cards
Only a single down-facing MEP is allowed on the L2VFI.
As the number of PEs in a VPLS instance scale up, the number of CFM CC messages processed
increases. Accordingly, the configuration of the down-facing MEP on L2VFI for large fully meshed
PW topologies should be considered for only premium valued networks.
In the design of CFM domains, the maintenance level of an Down-facing MEP on the L2VFI
interface must be lower than the level from the AC.
Up MEP, Down MEP, and MIPs are supported.
Configuring CFM over EFP with xconnect for the Cisco 7600 Router
This section describes how to configure REP over EVC for the Cisco 7600 router:
Configuring CFM over EFP Interface with Cross ConnectBasic Configuration, page 4-254
Configuring CFM over EFP Interface with Cross ConnectSingle Tag VLAN Cross Connect,
page 4-257
Configuring CFM over EFP Interface with Cross ConnectDouble Tag VLAN Cross Connect,
page 4-259
Configuring CFM over EFP Interface with Cross ConnectSelective QinQ Cross Connect,
page 4-261
Configuring CFM over EFP Interface with Cross ConnectPort-Based Cross Connect Tunnel,
page 4-262
Configuring CFM over EFP Interface with Cross ConnectPort Channel-Based Cross Connect
Tunnel, page 4-264
Configuring CFM over EFP Interface with Cross ConnectBasic Configuration

This section describes how to configure CFM over EFP Interface with cross connect.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
pseudowire-class [pw-class-name]
4.
encapsulation mpls
5.
exit
6.
7.
8.
9.
xconnect peer-ip-address vc-id {encapsulation {l2tpv3 [manual] | mpls [manual]} | pw-class

pw-class-name }[pw-class pw-class-name] [sequencing {transmit | receive | both}]
10. cfm mep domain domain-name [up | down] mpid mpid-value [cos cos-value]
11. exit
4-254
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
pseudowire-class [pw-class-name]
Specifies the name of a Layer 2 pseudowire class and

enter pseudowire class configuration mode.
Example:
Router(config)# pseudowire-class
vlan-xconnect
Step 4
encapsulation mpls
Example:
Specifies that Multiprotocol Label Switching (MPLS) is

used as the data encapsulation method for tunneling
Layer 2 traffic over the pseudowire.
Router(config-if)# encapsulation mpls
Step 5
exit
Exits the pseudowire class configuration mode.
Example:
Step 6


Example:
Router(config-if-srv)# interface
Gi2/0/2
Step 7

submode.
Example:
Step 8

vlan-id[vlan-id[-vlan-id]]} second-dot1q {any |

criteria that maps the ingress dot1q, QinQ, or untagged
frames on an interface for the appropriate service
instance.
Example:
OL-16147-20
4-255
Chapter 4
Step 9
Command
Purpose
xconnect peer-ip-address vc-id {encapsulation {l2tpv3 [manual] | mpls [manual]} | pw-class pw-class-name
}[pw-class pw-class-name] [sequencing
{transmit | receive | both}]
Binds an attachment circuit to a pseudowire, and configures an Any Transport over MPLS (AToM) static
pseudowire.
Example:
Router(config-if-srv)# xconnect
10.0.3.201 123 pw-class vlan-xconnect
Step 10
cfm mep domain domain-name [up | down]

mpid mpid-value [cos cos-value]
Configures a maintenance endpoint (MEP) for a domain.
Example:
Router(config-if-srv)# cfm mep down
mpid 100 domain Core
Step 11
exit
Example:
Examples
This example shows how to configure CFM over EVC using cross connect.
PE3#conf terminal
PE3(config)#ethernet cfm domain L6 level 6
PE3(config-ecfm)# service s256 evc 256
PE3(config-ecfm-srv)# continuity-check
PE3(config-ecfm-srv)#end
End with CNTL/Z.
PE3(config)#int ten 2/0/0

PE3(config-if)# service instance 256 ethernet 256
PE3(config-if-srv)# xconnect 1.1.1.1 1 encapsulation mpls
PE3(cfg-if-ether-vc-xconn)# cfm mep domain L6 mpid 256
PE3(config-if-srv-ecfm-mep)#end
PE3#
PE3(config-ecfm)# service s256 evc 256 direction down
PE3#
PE3#
4-256
OL-16147-20
Chapter 4

Configuring CFM over EFP Interface with Cross ConnectSingle Tag VLAN Cross Connect
This section describes how to configure CFM over EFP Interface with Single Tag VLAN cross connect.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface type slot/subslot/port or interface tengigabitethernet slot/port
4.
5.
encapsulation dot1q {any | vlan-id[vlan-id[vlan-id]} second-dot1q {any

6.
[symmetric]
7.

8.
cfm mep domain domain-name [up | down] mpid mpid-value [cos cos-value]
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Enters the global configuration mode.
Example:
Step 3

where:
Example:
Router(config)# interface Gi2/0/2
Step 4

submode.
Example:
ethernet
OL-16147-20
4-257
Chapter 4
Step 5
Command
Purpose


instance.
Example:
Step 6


Example:
Router(config-if-srv)# rewrite dot1q
single symmetric
Step 7
pseudowire.
Example:
Router(config)# xconnect 10.0.3.201 123
pw-class vlan-xconnect
Step 8

Example:
Router# cfm mep up mpid 100 domain Core
Examples
This example shows how to configure CFM over EFP Interface with Single Tag VLAN cross connect:
PE3#
PE3#
4-258
OL-16147-20
Chapter 4

Configuring CFM over EFP Interface with Cross ConnectDouble Tag VLAN Cross Connect
This section describes how to configure CFM over EFP Interface with Double Tag VLAN cross connect.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface type slot/subslot/port
4.
5.

6.
[symmetric]
7.

8.
9.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
Step 4

submode.
Example:
ethernet
OL-16147-20
4-259
Chapter 4
Step 5
Command
Purpose


instance.
Example:
Step 6


Example:
Router(config-if-srv)# rewrite dot1q
double symmetric
Step 7
pseudowire.
Example:
Step 8

Example:
Router# cfm mep down mpid 100 domain
Core
Examples
This example shows how to configure CFM over EFP Interface with Double Tag VLAN cross connect:
PE3#
PE3(config-if-srv)# encapsulation dot1q 256 second-dot1q 257
4-260
OL-16147-20
Chapter 4

PE3#
Configuring CFM over EFP Interface with Cross ConnectSelective QinQ Cross Connect
This section describes how to configure CFM over EFP Interface with Selective QinQ cross connect.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
exit
5.
6.

7.

8.
9.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
Step 4

submode.
Example:
ethernet
OL-16147-20
4-261
Chapter 4
Step 5
Command
Purpose


instance.
Example:
default
Step 6
pseudowire.
Example:
Step 7

Example:
Router# cfm mep down mpid 100 domain
Core
Examples
This example shows how to configure CFM over EFP Interface with Selective QinQ cross connect:
PE3#
PE3(config-if-srv)# encapsulation dot1q 256 second-dot1q 257 cos 7
PE3#
Configuring CFM over EFP Interface with Cross ConnectPort-Based Cross Connect Tunnel
This section describes how to configure CFM over EFP Interface with Port-Based cross connect Tunnel.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
4-262
OL-16147-20
Chapter 4

5.

6.

7.
8.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
Step 4

submode.
Example:
ethernet
Step 5


instance.
Example:
dot1q 10-20, 30, 50-60
OL-16147-20
4-263
Chapter 4
Step 6
Command
Purpose
xconnect peer-ip-address vc-id {encapsulation {l2tpv3 [manual] | mpls [manual]} | pw-class pw-class-name}[pw-class
pw-class-name] [sequencing {transmit |
receive | both}]
pseudowire.
Example:
Step 7

Example:
Examples
This example shows how to configure CFM over EFP Interface with Port-Based cross connect Tunnel:
PE3#
PE3#
Configuring CFM over EFP Interface with Cross ConnectPort Channel-Based Cross Connect
Tunnel
This section describes how to configure CFM over EFP Interface with Port Channel-Based cross connect
Tunnel.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.

4-264
OL-16147-20
Chapter 4

6.
[symmetric]
7.

8.
9.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
1
Step 4

submode.
Example:
ethernet
Step 5


instance.
Example:
OL-16147-20
4-265
Chapter 4
Step 6
Command
Purpose


Example:
tag pop 2 symmetric
Step 7
pseudowire.
Example:
Step 8

Example:
Examples
This example shows how to configure CFM over EFP Interface with Port Channel-Based cross connect
Tunnel:
PE3#
PE3(config)#int port-20
Verification
Use the show ethernet cfm ma remote commands to verify the CFM over EVC configuration. This
command shows the basic configuration information for CFM.
Router-30-PE1#show ethernet cfm ma local
4-266
OL-16147-20
Chapter 4

Local MEPs:
-------------------------------------------------------------------------------MPID Domain Name
Lvl
MacAddress
Type CC
Domain Id
Dir
Port
Id
MA Name
SrvcInst
EVC name
-------------------------------------------------------------------------------1
L6
6
000a.f393.56d0 XCON Y
L6
Down
Te2/0/0
N/A
bbb
1
bbb
3
L5
5
0007.8478.4410 XCON Y
L5
Up
Te2/0/0
N/A
bbb
1
bbb
Total Local MEPs: 2
Local MIPs:
* = MIP Manually Configured
-------------------------------------------------------------------------------Level Port
MacAddress
SrvcInst
Type
Id
-------------------------------------------------------------------------------7
Te2/0/0
0007.8478.4410 1
XCON
N/A
Total Local MIPs: 1
Use the show ethernet cfm ma remote to verify the MEP configuration:
Router-30-PE1#show ethernet cfm ma remote
-------------------------------------------------------------------------------MPID Domain Name
MacAddress
IfSt PtSt
Lvl Domain ID
Ingress
RDI MA Name
Type Id
SrvcInst
EVC Name
Age
-------------------------------------------------------------------------------4
L5
000a.f393.56d0
Up
Up
5
L5
Te2/0/0:(2.2.2.2, 1)
bbb
XCON N/A
1
bbb
9s
2
L6
000a.f393.56d0
Up
Up
6
L6
Te2/0/0:(2.2.2.2, 1)
bbb
XCON N/A
1
bbb
1s
Total Remote MEPs: 2
Use the show ethernet cfm mpdb command to verify the catalouge of CC with MIP in intermediate
routers.
PE2#show ethernet cfm mpdb
* = Can Ping/Traceroute to MEP
-------------------------------------------------------------------------------MPID Domain Name
MacAddress
Version
Lvl
Domain ID
Ingress
Expd MA Name
Type Id
SrvcInst
EVC Name
Age
-------------------------------------------------------------------------------600 * L6
0021.d8ca.d7d0
IEEE-CFM
6
L6
Te2/1:(2.2.2.2, 1)
s1
XCON N/A
1
1
2s
700
L7
001f.cab7.fd01
IEEE-CFM
OL-16147-20
4-267
Chapter 4
7
-
L7
s1
1
Te2/1:(2.2.2.2, 1)
XCON N/A
1
3s
Use the show mpls l2 transport vc 1 detail commaned to show detailed configuration information:
PE1#sh mpls l2 vc 1 deta
Local interface: Te8/0/1 up, line protocol up, Eth VLAN 200 up
Output interface: Te8/0/0, imposed label stack {21}
Next hop: 20.1.1.2
: enabled/supported
LDP route watch
: enabled
Last local LDP TLV
Last remote LDP TLV
Last remote LDP ADJ
VC statistics:
receive 4181, send 72586757556
Use show mpls forwarding-table command to verify the cross connect VC:
PE1#show mpls forwarding-table
Local
Outgoing
Prefix
Label
Label
or Tunnel Id
17
Pop Label 3.3.3.3/32
21
No Label
l2ckt(1)
Bytes Label
Switched
23038746624
4181
Outgoing
interface
Te8/0/0
Te8/0/1
Next Hop
20.1.1.2
point2point
Use show ethernet cfm error command to view the error report:
PE2#show ethernet cfm error

-------------------------------------------------------------------------------MPID Domain Id
Mac Address
Type
Id Lvl
MAName
Reason
Age
-------------------------------------------------------------------------------- L3
001d.45fe.ca81 BD-V
200 3
s2
Receive AIS
8s
PE2#
4-268
OL-16147-20
Chapter 4

Configuring CFM over EFP Interface with xconnectPort Channel-Based

xconnect Tunnel
Use the following commands at the customer facing port:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
service instance id {Ethernet [service-name]}
5.
encapsulation untagged | dot1q {any | vlan-id[vlan-id[vlan-id]]} second-dot1q {any

6.
[symmetric]
7.

8.
cfm mep domain domain-name mpid mpid-value [cos cos-value]
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

where:
Example:
1
Step 4

submode.
Example:
ethernet
OL-16147-20
4-269
Chapter 4
Step 5
Command
Purpose
encapsulation untagged dot1q {any |

vlan-id[vlan-id[vlain-id]]} second-dot1q {any |
vlan-id[vlan-id[vlan-id]]}

instance.
Example:
Step 6


Example:
tag pop 2 symmetric
Step 7
pseudowire.
Example:
Step 8

Example:
Examples
This example shows how to configure CFM over EFP Interface with Port Channel-Based xconnect
Tunnel:
PE3#
PE3(config)#int port-20
4-270
OL-16147-20
Chapter 4

Verification
Use show ethernet cfm ma remote commands to verify the CFM over EFP configuration. This
command shows the basic configuration information for CFM.
Router-30-PE1#show ethernet cfm ma local
Local MEPs:
-------------------------------------------------------------------------------MPID Domain Name
Lvl
MacAddress
Type CC
Domain Id
Dir
Port
Id
MA Name
SrvcInst
EVC name
-------------------------------------------------------------------------------1
L6
6
000a.f393.56d0 XCON Y
L6
Down
Te2/0/0
N/A
bbb
1
bbb
3
L5
5
0007.8478.4410 XCON Y
L5
Up
Te2/0/0
N/A
bbb
1
bbb
Total Local MEPs: 2
Local MIPs:
* = MIP Manually Configured
-------------------------------------------------------------------------------Level Port
MacAddress
SrvcInst
Type
Id
-------------------------------------------------------------------------------7
Te2/0/0
0007.8478.4410 1
XCON
N/A
Total Local MIPs: 1
Use show ethernet cfm ma remote to verify the MEP configuration:

Router-30-PE1#show ethernet cfm ma remote
-------------------------------------------------------------------------------MPID Domain Name
MacAddress
IfSt PtSt
Lvl Domain ID
Ingress
RDI MA Name
Type Id
SrvcInst
EVC Name
Age
-------------------------------------------------------------------------------4
L5
000a.f393.56d0
Up
Up
5
L5
Te2/0/0:(2.2.2.2, 1)
bbb
XCON N/A
1
bbb
9s
2
L6
000a.f393.56d0
Up
Up
6
L6
Te2/0/0:(2.2.2.2, 1)
bbb
XCON N/A
1
bbb
1s
Use show ethernet cfm mpdb command to verify the catalogue of CC with MIP in intermediate
routers.
PE2#show ethernet cfm mpdb
* = Can Ping/Traceroute to MEP
-------------------------------------------------------------------------------MPID Domain Name
MacAddress
Version
Lvl
Domain ID
Ingress
OL-16147-20
4-271
Chapter 4
Expd
MA Name
Type Id
SrvcInst
EVC Name
Age
-------------------------------------------------------------------------------600 * L6
0021.d8ca.d7d0
IEEE-CFM
6
L6
Te2/1:(2.2.2.2, 1)
s1
XCON N/A
1
1
2s
700
L7
001f.cab7.fd01
IEEE-CFM
7
L7
Te2/1:(2.2.2.2, 1)
s1
XCON N/A
1
1
3s
Use show mpls l2 transport vc 1 detail command to show detailed configuration information:
PE1#sh mpls l2 vc 1 deta
Local interface: Te8/0/1 up, line protocol up, Eth VLAN 200 up
Output interface: Te8/0/0, imposed label stack {21}
Next hop: 20.1.1.2
: enabled/supported
LDP route watch
: enabled
Last local LDP TLV
Last remote LDP TLV
Last remote LDP ADJ
VC statistics:
receive 4181, send 72586757556
Use show mpls forwarding-table command to verify the xconnect VC:

PE1#show mpls forwarding-table
Local
Outgoing
Prefix
Label
Label
or Tunnel Id
17
Pop Label 3.3.3.3/32
21
No Label
l2ckt(1)
Bytes Label
Switched
23038746624
4181
Outgoing
interface
Te8/0/0
Te8/0/1
Next Hop
20.1.1.2
point2point
Use show ethernet cfm error command to view the error report:
PE2#show ethernet cfm error
-------------------------------------------------------------------------------MPID Domain Id
Mac Address
Type
Id Lvl
MAName
Reason
Age
--------------------------------------------------------------------------------
4-272
OL-16147-20
Chapter 4

L3
s2
001d.45fe.ca81
Receive AIS
BD-V
200
8s
PE2#
Troubleshooting CFM Features

Table 4-34 provides troubleshooting solutions for the CFM features.
Table 4-34
Troubleshooting Scenarios for CFM features
Problem
Solution
When you configure CFM, the message Match registers are Use the show platform mrm info command on the SP console
not available is displayed.
to verify the match registers. Based on the derived output,
perform these tasks:
1.
Check if the line card supports the CFM feature.
2.
Enable CFM across the system to allow co-existence with

other protocols.
3.
Ensure that no CFM traffic is present in any supervisor or

ports.
4.
Configure STP mode to Multiple Spanning Tree (MST)

and re-enable CFM or disable CFM completely.
For more information on match registers, see Ethernet

Connectivity Fault Management at
http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature
/guide/srethcfm.html.
CFM uses two match registers to identify the control packet
type and each VLAN spanning tree also uses a match register
to identify its control packet type. For both protocols to work
on the same system, each line card should support three match
registers, and at least one supporting only a 44 bit MAC
match.
CFM configuration errors
CFM configuration error occurs when when a MEP receives a

continuity check with an overlapping MPID. To verify the
source of the error, use the command show ethernet cfm
errors configuration or show ethernet cfm errors.
CFM ping and traceroute result is "not found"

1.
Use show run ethernet cfm to view all CFM global

configurations.
2.
Use show ethernet cfm location main to view local

MEPs and their CCM statistics
3.
Use show ethernet cfm peer meps command to View

CFM CCM received from Peer MEPs.
4.
Use trace ethernet cfm command to start a CFM trace.
OL-16147-20
4-273
Chapter 4
802.1ah: Configuring the MAC Tunneling Protocol
Problem
Solution
CFM connectivity is down and issues at the maintenance

domain levels
Use the ping ethernet {mac-address | mpid id | multicast}

domain domain-name { vlan vlan-id | port | evc evc-name }
or traceroute ethernet {mac-address | mpid id } domain
domain-name { vlan vlan-id | port | evc evc-name }
commands to verify ethernet CFM connectivity. Share the
Loop trap error
Use the show ethernet cfm error command to check for Loop
Trap errors as shown here:
CE(config-if)#do sh ethernet cfm err
-----------------------------------------------------------------------------Level Vlan MPID Remote MAC
Reason
Service ID
-----------------------------------------------------------------------------5
711 550 1001.1001.1001 Loop Trap Error
OUT
PE#sh ethernet cfm err
-----------------------------------------------------------------------------Level Vlan MPID Remote MAC
Reason
Service ID
-----------------------------------------------------------------------------5
711 550 1001.1001.1001 Loop Trap Error
OUT
Module has insufficient match registers
CFM is deactivated
ethernet cfm logging

1.
Verify and confirm if a unsupported line card is inserted

into the router.
2.
If yes, perform an OIR of the unsupported line card.

1.
Check if all the line cards have free match reagisters.
2.
Check if CFM is activated on supervisor cards. CFM is not

supported on supervisor cards that has two match
registers. In this scenario, CFM is automatically disabled
on the SUP ports and enabled on the remaining line cards.
In a scale scenario, you configure either the console logging

rate-limiting using logging rate-limit or using logging
buffered instead of using logging console. The suggested
rate-limit is around 30 messages per second.

The MAC Tunneling Protocol (MTP) feature is based on the IEEE 802.1ah standard and provides VLAN
and MAC scalability. This feature extends the Cisco QinQ (the IEEE 802.1ad standard) capability to
support highly scalable Provider Backbone Architecture (PBA). MTP allows a service provider to
interconnect multiple Provider Bridged Networks (PBNs) that support a minimum 10,48,576 (2 to the
20th power) Service VLANS and extend the MAC address scalability.
4-274
OL-16147-20
Chapter 4

With this feature, you can scale a Provider Bridged P802.1ad network using an existing Bridged and
Virtual Bridged Local Area Network (VLAN) deployment. Although the current Cisco QinQ capability
provides VLAN scaling, this feature extends the scaling and interoperability between multiple vendors.
Bridges in a Provider Backbone Bridged Network (PBBN) need to learn the MAC address of each host
to make forwarding decisions. MTP resolves this need for MAC address learning by encapsulating both
the data packet and MAC addresses (source and destination) into a new Ethernet frame. The header of
the new Ethernet frame contains:
Destination Backbone MAC (B-MAC)
Source Backbone MAC (B-MAC)
Backbone VLAN TAG (B-TAG) with 12-bit Backbone VLAN ID (B-VID)
Service Instance TAG (I-TAG) with 24-bit Service Instance ID (I-SID)
The MAC scalability is implemented using the B-MACs. Since the new Ethernet frames are encapsulated
with MAC address (host) while traversing the PBBN, a bridge needs to learn the B-MACs only. The
MAC addresses of hosts are hidden from the Provider Backbone Bridges (PBB), resulting in the
PBBridges to learn only the provider MAC address, irrespective of the number of hosts or the number
of host MAC addresses supported. Since the data packets are sent to specific MAC addresses, the
802.1ah cloud is not flooded with unnecessary traffic. A MAC address is a static entry in the MAC
address table on the Backbone Core Bridge.
The VLAN scalability is implemented using the I-SID. The MTP achieves VLAN scalability by using a
backbone VLAN TAG with a 12-bit B-VID and the Service Instance TAG with a 24-bit Service Instance
ID to provide the VLAN scalability necessary to map large number of customers.
Figure 4-10 shows the basic MTP network deployment.
Figure 4-10
MTP Network Deployment
Provider
Backbone
Bridged
QinQ
QinQ
.1Q/untagg
QinQ
QinQ
276758
.1Q/untagg
MTP Software Architecture

The encapsulation and decapsulation of MAC addresses is performed on a Backbone Edge Bridge (BEB)
at the edge of the PBBN. A BEB can be an I-Bridge (I-BEB), a B-Bridge (B-BEB), or an IB-Bridge
(IB-BEB). Currently, MTP is supported only with the IB-BEB functionality.
Figure 4-11 shows the MTP software architecture.
Figure 4-11
MTP Software Architecture
OL-16147-20
4-275
Chapter 4
Provider Backbone
Bridged Network
Provider Bridged
CE
PB
IB-BEB
IB-BEB
PB
IB-BEB
PB
CE
PB
BC
CE
PB
PB
PB
IB-BEB
276759
CE
IB Backbone Edge Bridge

An IB-BEB consists of one B-Component and one or more I-Components. The IB-BEB provides the
functionality to select the B-MAC and insert I-SIDs based on the supported tags. It also validates the
I-SIDs and transmits or receives the frames on the B-VLAN.
The iIEEE 802.1ah draft describes two types of customer-facing interfaces supported by IB-BEB:
S-Tagged Service Interface

Translating S-tagged Interface
Bundling S-tagged interface:
Port-Based (transparent) Service Interface
MTP supports both type of interfaces.
Data Plane Processing

The packets on the ingress EFP are tunneled to the appropriate MAC tunnel using the C-MAC bridge
domain. For multiple EFPs using the same I-SID, the switching among EFPs is done using the C-MAC
bridge domain. Local switching is performed across all the ports in the bridge domain even if they span
multiple tunnel engines.
MTP Configuration
Table 4-35 lists the relationship between the various entities in a Cisco 7600 Series Router for MTP
implementation.
4-276
OL-16147-20
Chapter 4

Table 4-35
Relationship Between the Various Entities in a Cisco 7600 Series Router
Entity to Entity
Relationship
EFP to C-MAC bridge domain
many to one
C-MAC bridge domain to I-SID
one to one
I-SID to B-MAC bridge domain
many to one
Figure 4-12 show N to N relationship within a Cisco 7600 Series Router:

Figure 4-12
N to N relationship within a Cisco 7600 Series Router
EFP
C-MAC
Bridge
Domain
EFP
I-SID 1
(service
instance)
EFP
B-MAC
Bridge
Domain
EFP
C-MAC
Bridge
Domain
I-SID 2
(service
instance)
276757
EFP
EFP
Scalability Information
Table 4-36 lists scalability information for MTP.
Table 4-36
Scalability Information for MTP
Scalability Factor
Scalability Number
Number of EVCs in the system
32000
Number of EVCs per linecard
16000
Number of C-MAC addresses per NPU
32000 per NPU
Number of EVCs per C-BD per NPU
110
Number of B-bridge-domains per chassis
4094
Number of I-SIDs or MAC-Tunnels
16000
Number of MAC entries in a C-MAC table
32000
OL-16147-20
4-277
Chapter 4
Scalability Factor
Scalability Number
Number of EVCs in the system
32000
Number of EVCs per linecard
16000

Follow these restrictions and usage guidelines when configuring the MAC Tunneling Protocol on an
ES40 line card:
By default, all the BPDUs are dropped.
Port channels with 802.1ah EVCs are not supported.
IGMP Snooping or any multicast protocol support on the C bridge-domain.
MAC address synchronization and MAC address move notification in the C bridge-domain is not
supported.
DHCP Snooping with 802.1ah EVCs is not supported.
B-Bridge and I-Bridge models are not supported.
An ISID configured under a MAC-Tunnel cannot be configured on another MAC-Tunnel.
Tunnel-engine configuration is not supported.
Source MAC address configuration for a Tunnel-Engine is not supported.
Configuring the MTP for the Cisco 7600 Router

This section describes how to configure MTP for Cisco 7600 Router.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface gigabitEthernet slot/port or interface tengigabitEthernet slot/port
4.
service instance id {Ethernet [service-name]}
5.
encapsulation untagged dot1q {any | vlan-id[vlan-id[vlan-id]} second-dot1q {any

6.
[symmetric]
7.
[no] bridge-domain bridge-id c-mac
8.
exit
9.
exit
4-278
OL-16147-20
Chapter 4

10. ethernet mac-tunnel virtual mac-in-mac tunnel identifier

11. [no] bridge-domain bridge-id
12. service instance id {Ethernet [service-name]}
13. encapsulation dot1ah i-sid i-sid_number
14. [no] bridge-domain bridge-id c-mac
15. exit
16. exit
17. exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Specifies the Gigabit Ethernet interface to be configured,

where:
Example:
slot/portSpecifies the location of the interface
Step 4

submode.
Example:
Router(config-if)#service instance 20
ethernet
Step 5


Example:
OL-16147-20
4-279
Chapter 4
Step 6
Command
Purpose


Example:
Router(config-if-srv)#rewrite ingress
tag pop 1 symmetric
Step 7
bridge-domain bd_Id c-mac
Example:
Configuring the bridge domain. Binds the service

instance to a bridge domain instance where bd-id is the
identifier for the bridge domain instance.
Router(config-if-srv)#bridge-domain 21
c-mac
Step 8
exit
Exits the service instance mode.
Example:
Step 9
exit
Exits the interface mode.
Example:
Step 10
ethernet mac-tunnel virtual mac-in-macTunnelIdentifier
Configures mac-in-mac tunnel and creates a tunnel identifier for the 802.1ah cloud. Sets the configuration to config-tunnel-min mode.
Example:
Router(config)#ethernet mac-tunnel virtual 22
Step 11
bridge-domain bd_Id
Binds the MAC tunnel to the B-MAC bride domain

instance.
Example:
Router(config-tunnel-minm)#bridge-domain 200
4-280
OL-16147-20
Chapter 4

Step 12
Command
Purpose
Defines the service instance to be used with B-VLAN.

Sets the configuration mode to config-tunnel-srv mode.
Example:
Router(config-tunnel-minm)#service in
23 ethernet
Step 13
encapsulation dot1ah i-sid i-sid_number
Defines the matching criteria to be used to map 802.1ah

frames with I-SID id to the appropriate EVC.
Example:
Router(config-tunnel-srv)#encapsulation dot1ah isid 24
Step 14
bridge-domain bd_Id c-mac
Example:
Router(config-tunnel-srv)#bridge-domain 21 c-mac
Step 15
exit
Maps the I-SID used for forwarding the customer packets

to a specific EVC on the interface. To ensure proper configuration, the bd-id used in Step 7 must match the bd-id
used in this Step.
Exits the mac-tunnel service instance mode.
Example:
Router(config-tunnel-srv)#exit
Step 16
exit
Exits the mac-tunnel mode.
Example:
Router(config-tunnel-minm)#exit
Step 17
exit
Example:
Router(config)#exit
Examples
This example shows how to configure MTP for Cisco 7600 Routers:
Router>enable
Router(config)#interface GigabitEthernet 3/1
Router(config-if-srv)#encapsulation dot1q 40 second-dot1q 42
Router(config-if-srv)#rewrite ingress tag pop 1 symmetric
Router(config-if-srv)#bridge-domain 21 c-mac
Router(config)#ethernet mac-tunnel virtual 22
Router(config-tunnel-minm)#bridge-domain 200
OL-16147-20
4-281
Chapter 4
Router(config-tunnel-minm)#service in 23 ethernet
Router(config-tunnel-srv)#encapsulation dot1ah isid 24
Router(config-tunnel-srv)#bridge-domain 21 c-mac
Router(config-tunnel-srv)#exit
Router(config-tunnel-minm)#exit
Router(config)#exit
Verification
Use the following commands to verify the MTP configuration and view the related information.
You can use the show platform mtp slot slot_num command to verify the MTP configuration and
view MTP information for each slot:
Router#sh platform mtp slot 3
SLOT
TUNNELENGINE
3
MacTunnelEngine3/0
3
MacTunnelEngine3/1
3
MacTunnelEngine3/2
3
MacTunnelEngine3/3
VLAN_LIST
200
You can use show platform mtp c_bd c-vlan-id to view information about a specific C-VLAN:
Router#sh platform mtp c_bd 21
C_BD
B_BD
SLOT
21
200
3
Router#
PPE
0
You can use show platform mtp b_bd b-vlan-id to view information about a specific B-VLAN:
Router#sh platform mtp b_bd 200
B_BD
SLOT
PPE
200
3
0
Router#
C_BD_COUNT
1
B_BD_COUNT
1
You can use show platform mtp befp b-efp-id to view information about a specific B-EFP:
Router#sh platform mtp befp 23

BEFP
C_BD
B_BD
23
21
200
Router#
SLOT
3
PPE
0
C_BD_COUNT
1
Troubleshooting
Table 4-37 provides troubleshooting solutions for the MAC Tunnelling feature.
Table 4-37
Problem
Solution
ethernet mac-tunnel virtual 1 ; bridge-domain 4095

command is rejected

1.
Check the the maximum number of bridge domains you

have set.
2.
Ensure that you have not exceeded the value of 4094.
Error message displayed when the I-SID (service identifier) Complete these steps:
is configured
1. Check the the maximum number of I-SID you have set.
2.
Ensure that you have not exceeded the value of 16777215.
4-282
OL-16147-20
Chapter 4

802.3ah: Dying Gasp and Remote Loopback Initiation
Problem
Solution
Error message displayed when service instance is configured Complete these steps:
1.
Check the the maximum number of service instance you

have configured.
2.
Ensure that you have not exceeded the value of

2147483647.
Packet flooding at dot1ah core.
Use mac-tunnel address destination map C-Mac addr

B-Mac addr command to map the customer multicast
addresses to a default B-DA and correct flooding issues.
RP is disabled
Use the debug bridge domain command to display the

configuration,IPC events and errors. Share the output with
TAC for further investigation.

Faults in Ethernet connectivity that are caused by slowly deteriorating quality are difficult to detect.
Ethernet OAM provides a mechanism for an OAM entity to convey these failure conditions to its peer
through specific flags in the OAM PDU. The following failure conditions can be communicated:
Link FaultLoss of signal is detected by the receiver; for instance, the peer's laser malfunctions. A
link fault is sent once per second in the information OAM PDU. Link fault applies only when the
physical sublayer is capable of independently transmitting and receiving signals.
Dying GaspAn unrecoverable condition occurs; for example, a power failure. This type of
condition is vendor specific. A notification about the condition may be sent immediately and
continuously.
Critical EventAn unspecified critical event occurs. This type of event is vendor specific. A critical
event may be sent immediately and continuously.
In Remote Loopback mode, an OAM entity can put its remote peer into loopback mode using the
loopback control OAM PDU. Loopback mode helps an administrator ensure the quality of links during
installation or when troubleshooting. In the loopback mode, every frame received is transmitted back on
the same port except for OAM PDUs and pause frames. The periodic exchange of OAM PDUs must
continue during the loopback state to maintain the OAM session.
Note
Effective with Release 15.2(2)S, Dying Gasp and Remote Loopback Initiation is supported on ES+
linecards.
Restrictions for Dying Gasp and Remote Loopback Initiation

Following restrictions apply for Dying Gasp and Remote Loopback Initiation:
Internet Group Management Protocol (IGMP) packets are not looped back.
If dynamic ARP inspection is enabled, ARP or reverse ARP packets are not looped or dropped.
Control BPDUs like STP, CDP, PAGP, and LACP are not looped back and dropped.
OL-16147-20
4-283
Chapter 4
Configuring the Remote Loopback

Complete these steps to enable Ethernet OAM remote loopback on an interface:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ethernet oam remote-loopback {supported | timeout seconds}
5.
end
6.
ethernet oam remote-loopback start interface type number
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Router# interface gigabitethernet 1/7
Step 4
ethernet oam remote-loopback {supported |

timeout seconds }
Example:
Router(config-if)# ethernet oam remote-loopback
supported
Step 5
Enables Ethernet remote loopback on the interface or sets a

loopback timeout period.
Enter supported to enable remote loopback.
Enter timeout seconds to set a remote loopback timeout

period. The range is from 1 to 10 seconds.
Exits the interface and configuration mode.
end
Example:
Step 6
ethernet oam remote-loopback start interface
type number
Starts the loopback initiation.
Example:
Router#ethernet oam remote-loopback start
4-284
OL-16147-20
Chapter 4

Configuring the Dying Gasp

You can configure an error-disable action to occur on an interface if one of the high thresholds is
exceeded, if the remote link goes down, if the remote device is rebooted, or if the remote device disables
Ethernet OAM on the interface.
Complete these steps to enable Ethernet OAM remote-failure indication actions on an interface:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action

error-disable-interface
5.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
ethernet oam remote-failure {critical-event |

dying-gasp | link-fault} action
error-disable-interface
Example:
Router(config-if)# ethernet oam remote-failure
dying-gasp action error-disable-interface
Step 5
Configures the Ethernet OAM remote-failure action on the

interface. You can disable the interface for one of these
conditions:
Select critical-event to shut down the interface when

an unspecified critical event has occurred.
Select dying-gasp to shut down the interface when

Ethernet OAM is disabled or the interface enters the
error-disabled state.
Select link-fault to shut down the interface when the

receiver detects a loss of signal.
Exits the interface mode.
end
Example:
OL-16147-20
4-285
Chapter 4
This example shows how to configure the remote loopback initiation:
Router> enable
Router#(config) interface gigabitethernet 1/7
Router(config-if)# ethernet oam remote-loopback supported
Router#ethernet oam remote-loopback start interface gigabitEthernet 1/7
This example shows how to configure the action on remote-failure reception:

Router> enable
Router#(config) interface gigabitethernet 1/7
Router(config-if)# ethernet oam remote-failure dying-gasp action error-disable-interface
Verification
This example shows how to verify the configuration:
Router# show ethernet oam status interface gigabitethernet1/7
GigabitEthernet1/7
General
------Admin state:
enabled
Mode:
active
PDU max rate:
10 packets per second
PDU min rate:
1 packet per 1 second
Link timeout:
5 seconds
High threshold action: no action
Link fault action:
no action
Dying gasp action:
error disable interface
Critical event action: no action
Link Monitoring
--------------Status: supported (on)
Symbol Period Error
Window:
Low threshold:
High threshold:
100 x 1048576 symbols

1 error symbol(s)
none
Frame Error
Window:
Low threshold:
High threshold:
10 x 100 milliseconds
1 error frame(s)
none
Frame Period Error

Window:
Low threshold:
High threshold:
1000 x 10000 frames

1 error frame(s)
none
Frame Seconds Error

Window:
Low threshold:
High threshold:

1 error second(s)
none
4-286
OL-16147-20
Chapter 4

Support for IEEE 802.1ad
Receive-Frame CRC Error

Window:
Low threshold:
10 error frame(s)
High threshold:
none
Transmit-Frame CRC Error
Window:
Low threshold:
10 error frame(s)
High threshold:
none
This example shows the summary of the remote loopback configuration and the status of the operation:
P19_C7609-S#show ethernet oam summary
Symbols:
* - Master Loopback State, # - Slave Loopback State
& - Error Block State
Capability codes: L - Link Monitor, R - Remote Loopback
U - Unidirection, V - Variable Retrieval
Local
Interface
Gi1/7
MAC Address
-
Remote
OUI
-
Mode
-
Capability
-

Provider networks handle traffic from a large number of customers. It is important that one customers
traffic is isolated from the other customers traffic. IEEE 802.1ad implements standard protocols for
double tagging of data. The data traffic coming from the customer side are double tagged in the provider
network where the inner tag is the customer-tag (C-tag) and the outer tag is the provider-tag (S-tag). The
control packets are tunneled by changing the destination MAC address in the provider network.
Cisco 7600 series routers already support VLAN double tagging through a feature called QinQ. 802.1ad
is the standardized version of QinQ. It also extends the support for Layer 2 Protocol Tunneling Protocol
(L2PT). By offering transparent Layer 2 connectivity, the service provider does not get involved in the
customers Layer 3 network. This makes provisioning and maintenance simple, and reduces the
operational cost.
Prerequisites for IEEE 802.1ad
The ethertype should be programmable per port.
Restrictions for IEEE 802.1ad

Follow these restrictions and guidelines when you configure 802.1ad:
The l2protocol forward command is available only on the main interface of switchports and L3
ports. The command is not available on the subinterfaces. All the subinterfaces on a port inherit the
behavior from the main interface. The l2protocol forward command is also available on EVC
service instance.
The l2protocol peer and l2protocol drop commands are not supported.
The l2protocol forward command on a main interface and on EVCs supports only cdp, dtp, vtp,
stp, and dot1x.
OL-16147-20
4-287
Chapter 4
You cannot configure Dot1ad if custom ethertype is configured on port.
802.1ad is supported on the following port types:
Port
EVC
Switchport
Layer Interfaces
C-UNI
Ethertype 0x8100
Ethertype 0x8100
Ethertype 0x8100
C-VLAN BPDU
C-VLAN BPDU
C-VLAN BPDU
Any EVCs
Trunk or Access
Ethertype 0x88a8
Ethertype 0x88a8
S-VLAN BPDU (Only

Encapsulation default is
supported)
S-VLAN BPDU
Ethertype 0x88a8
Ethertype 0x88a8
Ethertype 0x88a8
S-VLAN BPDU
S-VLAN BPDU
S-VLAN BPDU
Any EVC
Trunk
Trunk
S-UNI
S-NNI
Not supported
Access only
Information About IEEE 802.1ad

To configure IEEE 802.1ad support, you should understand the following concepts:
How Provider Bridges Work
Guidelines for Handling BPDU
Interoperability of QinQ and Dot1ad
How Provider Bridges Work

Provider bridges pass the network traffic of many customers, and each customer's traffic flow must be
isolated from one another. For the Layer 2 protocols within customer domains to function properly,
geographically separated customer sites must appear to be connected through a LAN, and the provider
network must be transparent.
The IEEE has reserved 33 Layer 2 MAC addresses for customer devices operating Layer 2 protocols. If
a provider bridge uses these standard MAC addresses for its Layer 2 protocols, the customers' and
service provider's Layer 2 traffic will be mixed together. Provider bridges solve this traffic-mixing issue
by providing Layer 2 protocol data unit (PDU) tunneling for customers using a provider bridge
(S-bridge) component and a provider edge bridge (C-bridge) component. Figure 4-13 shows the
topology.
4-288
OL-16147-20
Chapter 4

Figure 4-13
Layer 2 PDU Tunneling
e-type 88a8, vlan 999
CE-1
PE-1
PE-2
88a8-999
8100-10...
88a8-999
8100-20...
88a8-999
8100-30...
CE-2
8100-10
8100-10
8100-20
8100-20
8100-30
8100-30
S-Bridge Component
The S-bridge component is capable of inserting or removing a service provider VLAN (S-VLAN) for all
traffic on a particular port. IEEE 802.1ad adds a new tag called a Service tag (S-tag) to all the ingress
frames from a customer to the service provider.
The VLAN in the S-tag is used for forwarding the traffic in the service provider network. Different
customers use different S-VLANs, which results in each customer's traffic being isolated. In the S-tag,
provider bridges use an Ethertype value that is different from the standard 802.1Q Ethertype value, and
do not understand the standard Ethertype. This difference makes customer traffic tagged with the
standard Ethertype appear as untagged in the provider network so customer traffic is tunneled in the port
VLAN of the provider port. The 802.1ad service provider user network interfaces (S-UNIs) and network
to network interfaces (NNIs) implement the S-bridge component.
For example, a VLAN tag has a VLAN ID of 1, the C-tag Ethertype value is 8100 0001, the S-tag
Ethertype value is 88A8 0001, and the class of service (CoS) is zero.
C-tag S-tag
------------------------------------------------------- ----------------------------------------------0x8100 | Priority bits | CFI | C-VLAN-ID 0x88A8 | Priority bits | 0 | S-VLAN-ID
------------------------------------------------------- -----------------------------------------------
C-Bridge Component
All the C-VLANs entering on a UNI port in an S-bridge component are provided the same service
(marked with the same S-VLAN). Although, C-VLAN components are not supported, a customer may
want to tag a particular C-VLAN packet separately to differentiate between services. Provider bridges
allow C-VLAN packet tagging with a provider edge bridge, called the C-bridge component of the
provider bridge. C-bridge components are C-VLAN aware and can insert or remove a C-VLAN 802.1Q
tag. The C-bridge UNI port is capable of identifying the customer 802.1Q tag and inserting or removing
OL-16147-20
4-289
Chapter 4
an S-tag on the packet on a per service instance or C-VLAN basis. A C-VLAN tagged service instance
allows service instance selection and identification by C-VLAN. The 802.1ad customer user network
interfaces (C-UNIs) implement the C-component.
MAC Addresses for Layer 2 Protocols

Customers' Layer 2 PDUs received by a provider bridge are not forwarded, so Layer 2 protocols running
in customer sites do not know the complete network topology. By using a different set of addresses for
the Layer 2 protocols running in provider bridges, IEEE 802.1ad causes customers' Layer 2 PDUs
entering the provider bridge to appear as unknown multicast traffic and forwards it on customer ports
(on the same S-VLAN). Customers' Layer 2 protocols can then run transparently.
Table 4-38 shows the Layer 2 MAC addresses reserved for the C-VLAN component.
Table 4-38
Reserved Layer 2 MAC Addresses for a C-VLAN Component
Assignment
Value
Bridge Group Address
01-80-c2-00-00-00
IEEE Std 802.3 Full Duplex PAUSE operation
01-80-c2-00-00-01
IEEE Std. 802.3 Slow_Protocols_Multicast

address
01-80-c2-00-00-02
IEEE Std. 802.1X PAE address
01-80-c2-00-00-03
Reserved for future standardization - media

access method-specific
01-80-c2-00-00-04

access method- specific
01-80-c2-00-00-05
Reserved for future standardization
01-80-c2-00-00-06
01-80-c2-00-00-07
Provider Bridge Group Address
01-80-c2-00-00-08
01-80-c2-00-00-09
01-80-c2-00-00-0a
01-80-c2-00-00-0b
01-80-c2-00-00-0c
Provider Bridge GVRP Address
01-80-c2-00-00-0d
IEEE Std. 802.1AB Link Layer Discovery

Protocol multicast address
01-80-c2-00-00-0e
01-80-c2-00-00-0f
4-290
OL-16147-20
Chapter 4

Table 4-39 shows the Layer 2 MAC addresses reserved for an S-VLAN component. These addresses are
a subset of the C-VLAN component addresses, and the C-bridge does not forward the provider's bridge
protocol data units (BPDUs) to a customer network.
Table 4-39
Reserved Layer 2 MAC Addresses for an S-VLAN Component
Assignment
Value
IEEE Std 802.3 Full Duplex PAUSE operation
01-80-c2-00-00-01
IEEE Std. 802.3 Slow_Protocols_Multicast

address
01-80-c2-00-00-02
IEEE Std. 802.1X PAE address
01-80-c2-00-00-03

access method specific
01-80-c2-00-00-04

access method specific
01-80-c2-00-00-05
01-80-c2-00-00-06
01-80-c2-00-00-07
Provider Bridge Group Address
01-80-c2-00-00-08
01-80-c2-00-00-09
01-80-c2-00-00-0a
Guidelines for Handling BPDU

The general BPDU guidelines are listed here:
UNI-C Ports
The guidelines pertaining to UNI-C ports are:
VLAN-aware L2 protocols can be peered, tunneled, or dropped.
Port L2 protocols can either be peered or dropped. They cannot be tunneled.
Table 4-40 shows the Layer 2 PDU destination MAC addresses for customer-facing C-bridge UNI ports,
and how frames are processed.
Table 4-40
Layer 2 PDU Destination MAC Addresses for Customer-Facing C-Bridge UNI Ports
Significance
on C-UNI Port Default Action
Assignment
Protocol
01-80-C2-00-00-00
Bridge Group Address (End-to-End

BPDUs)
BPDU
Peer
01-80-C2-00-00-01
802.3X Pause Protocol
BPDU
Drop
01-80-C2-00-00-02
Slow Protocol address: 802.3ad LACP,

802.3ah OAM, CDP Pagp, VTP, DTP,
UDLD
BPDU
Peer
01-80-C2-00-00-03
802.1X
BPDU
May peer
OL-16147-20
4-291
Chapter 4
Table 4-40
Layer 2 PDU Destination MAC Addresses for Customer-Facing C-Bridge UNI Ports
Significance
on C-UNI Port Default Action
Assignment
Protocol
01-80-C2-00-00-04
Reserved for future media access method None
Drop
01-80-C2-00-00-05
Reserved for future media access method None
Drop
01-80-C2-00-00-06
Reserved for future bridge use
None
Drop
01-80-C2-00-00-07
None
Drop
01-80-C2-00-00-08
Provider STP (BPDU)
None
Drop
01-80-C2-00-00-09
None
Drop
01-80-C2-00-00-0A
None
Drop
01-80-C2-00-000-0B
Reserved for future S-bridge purpose
None
Drop
01-80-C2-00-00-0C
Reserved for future S-bridge purpose
None
Drop
01-80-C2-00-00-0D
Provider Bridge GVRP address
None
Drop
01-80-C2-00-00-0E
802.1ab-LLDP
BPDU
May peer
01-80-C2-00-00-0F
Reserved for future C-bridge or Q-bridge None

use
Drop
01-80-C2-00-00-10
All bridge addresses
Read Data
Snoop if
implemented.
Else, discard
01-80-C2-00-00-20
GMRP
Data/BPDU
May peer
01-80-C2-00-00-21
GVRP
Data/BPDU
May peer
01-80-C2-00-00-22
2F
Other GARP addresses
Data/BPDU
May peer
01-00-0C-CC-CC-CC
Ciscos CDP DTP VTP PagP UDLD

(End-to-End)
BPDU
Peer
BPDU
May peer
01-00-0C-CC-CC-CD Ciscos PVST(End-to-End)
UNI-S Ports
The guidelines pertaining to UNI-S ports are:
Packets with C-Bridge addresses (00 - 0F) that are not part of S-Bridge addresses (01 - 0A) are
treated as data packet (tunneled).
VLAN-aware L2 protocols cannot be peered because the port is not C-VLAN aware. They can only
be tunneled or dropped.
Port L2 protocols can be peered, tunneled, or dropped.
4-292
OL-16147-20
Chapter 4

Table 4-41 shows the Layer 2 PDU destination MAC addresses for customer-facing S-bridge UNI ports,
and how frames are processed.
Table 4-41
Layer 2 PDU Destination MAC Addresses for Customer-Facing S-Bridge UNI Ports
Assignment
Protocol
Significance
on S-UNI Port Default Action
01-80-C2-00-00-00
Bridge Group Address (BPDUs)
Data
Data
01-80-C2-00-00-01
BPDU
Drop
01-80-C2-00-00-02
Slow Protocol address: 802.3ad LACP,

802.3ah
BPDU
Peer
01-80-C2-00-00-03
802.1X
BPDU
Peer
01-80-C2-00-00-04
Reserved for future media access method BPDU
Drop
01-80-C2-00-00-05
Reserved for future media access method BPDU
Drop
01-80-C2-00-00-06
BPDU
Drop
01-80-C2-00-00-07
BPDU
Drop
01-80-C2-00-00-08
Provider STP (BPDU)
BPDU
Drop (peer on
NNI)
01-80-C2-00-00-09
BPDU
Drop
01-80-C2-00-00-0A
BPDU
Drop
01-80-C2-00-00-0B
Data if not
Drop
implemented
01-80-C2-00-00-0C
Data if not
Treat as data until
implemented implemented
01-80-C2-00-00-0D
Reserved for future GVRP address
Data if not
Treat as data until
implemented implemented
01-80-C2-00-00-0E
802.1ab-LLDP
BPDU
01-80-C2-00-00-0F
Reserved for future C-bridge or Q-bridge Data

use
Data
01-80-C2-00-00-10
Data
Data
01-80-C2-00-00-20
GMRP
Data
Data
01-80-C2-00-00-21
GVRP
Data
Data
01-80-C2-00-00-22
2F
Data
Data
01-00-0C-CC-CC-CC
Ciscos CDP DTP VTP PagP UDLD
Data
Data
Data
Data
01-00-0C-CC-CC-CD Ciscos PVST
May peer
NNI Ports
The Dot1add NNI ports behave in the same way as the customer facing S-bridge ports, with the following
exceptions:
On NNI ports, frames received with DA 01-80-C2-00-00-08 contain STP BPDU. The frames are
received and transmitted. On S-UNI ports, any such frames that are received are dropped, and none
are sent.
OL-16147-20
4-293
Chapter 4
On NNI ports, frames received with DA 01-80-C2-00-00-02 include CDP Pagp, VTP, DTP, and
UDLD protocols.
7600 Action Table

Table 4-42 lists the actions performed on a packet when the packet is received with a specified
destination MAC address.
Table 4-42
7600 Action Table
MAC Address
Protocol
C-UNI Action
S-UNI Action
NNI Action
01-80-C2-00-00-00
Bridge Group Address

(BPDUs)
Peer
Data
Data
01-80-C2-00-00-01
Drop
Drop
Drop
01-80-C2-00-00-02
Slow Protocol address: Peer

802.3ad LACP, 802.3ah
Peer
Peer
01-80-C2-00-00-03
802.1X
May peer
May peer
May peer
01-80-C2-00-00-04
Reserved
Drop
Drop
Drop
01-80-C2-00-00-05
Reserved
Drop
Drop
Drop
01-80-C2-00-00-06
Reserved
Drop
Drop
Drop
01-80-C2-00-00-07
Reserved
Drop
Drop
Drop
01-80-C2-00-00-08
Provider STP (BPDU)
Drop
Drop
Peer
01-80-C2-00-00-09
Reserved for future

bridge use
Drop
Drop
Drop
01-80-C2-00-00-0A
Reserved for future

bridge use
Drop
Drop
Drop
01-80-C2-00-00-0B
Reserved for future

bridge use
Drop
Data
Data
01-80-C2-00-00-0C
Reserved for future

bridge use
Drop
Data
Data
01-80-C2-00-00-0D
Reserved for future

GVRP address
Drop
Data
Data
01-80-C2-00-00-0E
802.1ab-LLDP
May peer
Data
Data
01-80-C2-00-00-0F
Reserved for future

C-bridge or Q-bridge
use
Drop
Data
Data
01-80-C2-00-00-10
Snoop if
implemented.
Else drop
Data
Data
01-80-C2-00-00-20
GMRP
May peer
Data
Data
01-80-C2-00-00-21
GVRP
May peer
Data
Data
01-80-C2-00-00-22
2F
May peer
Data
Data
4-294
OL-16147-20
Chapter 4

Table 4-42
7600 Action Table
MAC Address
Protocol
C-UNI Action
S-UNI Action
NNI Action
01-00-0C-CC-CC-C
C
Ciscos CDP DTP VTP

PagP UDLD
Peer
Data
Data
01-00-0C-CC-CC-C
D
Ciscos PVST
May peer
Data
Data
Interoperability of QinQ and Dot1ad

The interoperability of QinQ and Dot1ad network enables the exchange of data frames between the
networks. The 802.1Q network outer tag VLANs are mapped to the provider S-VLANs of the 802.1ad
network.
Figure 4-14 illustrates the interoperability of a Dot1ad network and a QinQ network.
Figure 4-14
Interoperability of Dot1ad Network and a QinQ Network

dot1q
customer
......d0
QinQ
dot1ad
dot1q
customer
QinQ
Box A
QinQ
Box B
dot1ad
Box C
......00
......d0
......d0
......d0 NNI
NNI Interface config: (on the dot1ad network side)

ethernet dot1ad nni
switchport
switchport trunk allowed vlan 999
C-UNI Interface config: (connected to QinQ box B)
ethernet dot1ad uni c-port
switchport
UNI Sport
dot1ad
Box E
NNI
dot1ad
Box D
......d0
UNI Sport
dot1q
customer
......00
dot1ad
Box F
......d0
dot1q
customer
......00
NNI Interface config:

ethernet dot1ad nni
switchport
UNI S-Port config:
ethernet dot1ad uni s-port
I2protocol-tunnel stp
switchport
switchport mode access
switchport access vlan 999
249383
I2protocol-tunnel stp
switchport mode dot1q-tunnel
NNI
......00
How to Configure IEEE 802.1ad

This section contains the information about following procedures:
Configuring a Switchport
Configuring a Layer 2 Protocol Forward
Configuring a Switchport for Translating QinQ to 802.1ad
OL-16147-20
4-295
Chapter 4
Configuring a Switchport (L2PT)
Configuring a Customer-Facing UNI-C Port with EVC
Configuring a Customer-Facing UNI-C Port and Switchport on NNI with EVC
Configuring a Customer-Facing UNI-S Port with EVC
Configuring a Layer 3 Termination
Displaying a Dot1ad Configuration
Configuring a Switchport
A switchport can be configured as a UNI-C port, UNI-S port, or NNI port.
UNI-C Port
A UNI-C port can be configured as either a trunk port or an access port. Perform the following tasks to
configure a UNI-C port as an access port for 802.1ad.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ethernet dot1ad {nni | uni {c-port | s-port}}
5.
switchport
6.
switchport mode {access | trunk}
7.
switchport access vlan vlan-id
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4

Example:
Router(config-if)# ethernet dot1ad uni c-port
Configures a dot1ad NNI port or UNI port. In this example,

it is a UNI-C port.
4-296
OL-16147-20
Chapter 4

Step 5
Command or Action
Purpose
switchport
Put the interface into Layer 2 mode.
Example:
Step 6
Sets the interface type. In this example, it is Access.
Example:
Router(config-if)# switchport mode access
Step 7
switchport access vlan
vlan-id
Example:
Router(config-if)# switchport access 1000
Step 8
Sets the VLAN when an interface is in access mode. In this

example, the VLAN is set to 1000.
Returns the CLI to privileged EXEC mode.
end
Example:
Perform the following tasks to configure a UNI-C port as a trunk port for 802.1ad.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
switchport
6.
7.
switchport trunk allowed vlan vlan-list
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4

Example:

it is a UNI-C port.
OL-16147-20
4-297
Chapter 4
Step 5
Command or Action
Purpose
switchport
Example:
Step 6
Sets the interface type. In this example, it is Trunk.
Example:
Step 7
switchport trunk allowed vlan
vlan-list
Example:
Router(config-if)# switchport trunk allowed
vlan 1000, 2000
Step 8
Sets the list of allowed VLANs that transmit traffic from

this interface in tagged format when in trunking mode.
end
Example:
UNI-S Port
On a UNI-S port, all the customer VLANs that enter are provided with the same service. The port allows
only access configuration. In this mode, the customers port is configured as a trunk port. Therefore, the
traffic entering the UNI-S port is tagged traffic.
Perform the following tasks to configure a UNI-S port as an access port for 802.1ad.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
switchport
5.
6.
7.
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
4-298
OL-16147-20
Chapter 4

Command or Action
Step 3
interface
Purpose
type number
Example:
Step 4
switchport
Example:
Step 5
Sets the interface type. In this example, it is Access.
Example:
Step 6

Example:
Router(config-if)# ethernet dot1ad uni s-port
Step 7
vlan-id
Example:
Router(config-if)# switchport access 999
Step 8

it is a UNI-S port.
Sets the VLAN when an interface is in access mode. In this
example, the VLAN is set to 999.
end
Example:
NNI Port
NNI port allows only trunk configuration. On an NNI port, the frames received on all the allowed
VLANs are bridged to the respective internal VLANs.
Perform the following tasks to configure an NNI port as a trunk port for 802.1ad.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
switchport
5.
6.
7.
8.
end
OL-16147-20
4-299
Chapter 4
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
switchport
Example:
Step 5
Example:
Step 6

Example:
Router(config-if)# ethernet dot1ad nni
Step 7
vlan-list
Example:
vlan 999
Step 8

it is an NNI.
end
Example:
Examples
The following example shows how to configure a UNI-C port as an access port. In this example, all the
frames that are received are bridged to one internal VLAN 1000. The transmitted frames do not have the
access VLAN Dot1q tag.
Router(config)# interface gig2/1
Router(config-if# ethernet dot1ad uni c-port
Router(config-if)# switchport access vlan 1000
The following example shows how to configure a UNI-C port as a trunk port. In this example, all the
frames that are received on all allowed VLANs (1000 and 2000) are bridged to the respective internal
VLANs. The transmitted frames have the respective internal VLAN Dot1q tag.
outer(config)# interface gig2/1
4-300
OL-16147-20
Chapter 4

Router(config-if)# switchport access vlan 1000, 2000
The following example shows how to configure a UNI-S port. In this example, all the frames that are
received are bridged to one internal VLAN (999). The transmitted frames do not have the access VLAN
Dot1q tag.
The following example shows how to configure an NNI port. Only trunk configuration is allowed on an
NNI port. In this example, all the frames that are received on all the allowed VLANs (999) are bridged
to the respective internal VLANs. The transmitted frames have the respective internal VLAN Dot1q tag.
The following example shows how to configure Dot1ad on an SVI:

Configuring a Layer 2 Protocol Forward

Perform the following tasks to configure the Layer 2 protocol forward:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
l2protocol [ forward] [protocol]
7.
end
OL-16147-20
4-301
Chapter 4
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
vlan-id
Sets the VLAN when an interface is in access mode.
Example:
Router(config)# switchport access vlan 500
Step 5

Example:
Step 6
l2 protocol [forward] [protocol]

Example:
Router(config-if)# l2 protocol forward vtp
Step 7

it is a UNI S-port.
Processes or forwards the Layer 2 BPDUs. In this example,
all the BPDUs are forwarded except VTP PDUs.
end
Example:
Examples
The following example shows how to configure a Layer 2 protocol forward:
Router(config-if)# l2protocol forward vtp
Configuring a Switchport for Translating QinQ to 802.1ad

Translating a QinQ port to 802.1ad involves configuring the port connecting to QinQ port and NNI port.
Perform the following tasks to configure a port connecting to the QinQ port.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
4-302
OL-16147-20
Chapter 4

5.
6.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
Example:
Step 5
vlan-list
Example:
vlan 1000
Step 6

end
Example:
Perform the following tasks to configure an NNI port.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
switchport
6.
7.
8.
end
OL-16147-20
4-303
Chapter 4
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4

Example:
Step 5

it is an NNI.
switchport
Example:
Step 6
Example:
Step 7
vlan-list
Example:
vlan 999-1199
Step 8

end
Example:
Examples
The following example shows how to translate a QinQ port to 802.1ad. In this example, the peer router
to gig1/1 multiplexes various customer VLANs into VLAN 1000.
Router(config-if)# switchport trunk allowed vlan 1000,1199
4-304
OL-16147-20
Chapter 4

Configuring a Switchport (L2PT)

Configuring the switchport for L2PT is required to tunnel the STP packets from a customer on the dot1ad
network to a customer on the QinQ network.
Perform the following tasks to configure the port connecting to the customer.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
switchport
5.
6.
no l2 protocol [peer | forward] [protocol]
7.
l2protocol-tunnel [cdp | stp | vtp]
8.
9.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
switchport
Example:
Step 5

Example:
Step 6
no l2 protocol [peer | forward] [protocol]

it is a UNI S-port.
Disables L2 protocol forwarding.
Example:
Router(config-if)# no l2 protocol forward
Step 7
Enables protocol tunneling for STP.
Example:
Router(config-if)# l2protocol-tunnel stp
OL-16147-20
4-305
Chapter 4
Step 8
Command or Action
Purpose
Example:
Step 9
end
Example:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
switchport
5.
6.
7.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
switchport
Example:
Step 5

Example:
Configures a dot1ad NNI or UNI port. In this example, it is

an NNI.
4-306
OL-16147-20
Chapter 4

Step 6
Command or Action
Purpose
Example:
Step 7
end
Example:
Examples
The following example shows how to tunnel the STP packets from a customer on the Dot1ad network to
a customer on a QinQ network:
Router(config-if)# no l2protocol forward
Router(config-if)# l2protocol-tunnel stp

Configuring a Customer-Facing UNI-C Port with EVC

Perform the following tasks to configure a UNI-C port.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
service instance id service-type
6.
encapsulation dot1q vlan-id second-dot1q {any | vlan-id} [native]
7.
bridge-domain vlan-id
8.
9.
10. bridge-domain vlan-id

11. end
OL-16147-20
4-307
Chapter 4
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4

Example:
Step 5
service instance
id service-type
Example:
Step 6
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

it is a UNI C port.
Configures an Ethernet service instance. In this example,
the service instance is 1.
Enables IEEE 802.1Q encapsulation of traffic on a specified
subinterface in a VLAN.
Example:
Router(config-if)# encapsulation dot1q 1-100
Step 7
bridge-domain
vlan-id
Example:
Step 8
service instance
id service-type
Example:
Step 9
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |
Binds a service instance or a MAC tunnel to a bridge

domain.
Example:
Step 10
bridge-domain
vlan-id
Example:
Step 11

domain.
end
Example:
SUMMARY STEPS
1.
enable
4-308
OL-16147-20
Chapter 4

2.
configure terminal
3.
4.
5.
6.
7.
8.
9.
10. encapsulation dot1q vlan-id second-dot1q {any | vlan-id} [native]

11. rewrite ingress tag pop 1 symmetric
13. end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4

Example:
Step 5
service instance
id service-type
Example:
Step 6
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

it is a UNI C port.
Example:
second-dot1q 1-100
Step 7

Example:
Router(config-if)# rewrite ingress tag pop 1
symmetric
Specifies the encapsulation adjustment that is to be

OL-16147-20
4-309
Chapter 4
Command or Action
Step 8
bridge-domain
Purpose
vlan-id
Example:
Step 9
service instance
id service-type
Example:
Step 10
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

domain.
Example:
second-dot1q 102-4904
Step 11

Example:
symmetric
Step 12
bridge-domain
vlan-id
Example:
Step 13


domain.
end
Example:
Examples
The following example shows how to configure a customer-facing UNI port. In this example, a dot1q
frame coming on VLAN 50 matches service instance 1, and on the ingress port, the rewrite command
pushes the 1000 outer-vlan.
Router(config-if)# encapsulation dot1q 1000 second dot1q 1-100
Router(config-if)# service instance 2ethernet
Router(config-if)# encapsulation dot1q 500 second dot1q 102-4904
4-310
OL-16147-20
Chapter 4

Configuring a Customer-Facing UNI-C Port and Switchport on NNI with EVC

Perform the following tasks to configure a UNI-C port.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
7.
8.
9.

11. end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4

Example:
Step 5
service instance
id service-type
Example:
Step 6
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

it is a UNI C port.

Example:
OL-16147-20
4-311
Chapter 4
Command or Action
Step 7
bridge-domain
Purpose
vlan-id
Example:
Step 8
service instance
id service-type
Example:
Step 9
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

domain.
Example:
Step 10
bridge-domain
vlan-id
Example:
Step 11

domain.
end
Example:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
switchport
6.
7.
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
4-312
OL-16147-20
Chapter 4

Command or Action
Step 3
interface
Purpose
type number
Example:
Step 4

Example:
Step 5

it is an NNI.
switchport
Example:
Step 6
Example:
Step 7
vlan-list
Example:
vlan 1000-500
Step 8

end
Example:
Examples
The following example shows how to configure a customer-facing UNI-C port and switchport on NNI
with EVC:

Router(config-if)# ethernet dot1ad uni
Router(config-if)# switchport allowed vlan 1000,500
Configuring a Customer-Facing UNI-S Port with EVC

Perform the following tasks to configure a UNI-S port.
OL-16147-20
4-313
Chapter 4
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
encapsulation default
7.
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
service instance
id service-type
Example:
Step 5

Example:
Step 6
encapsulation default
Example:
Router(config-if)# encapsulation default
Step 7
bridge-domain
vlan-id
Example:
Step 8

it is a UNI-S port.
Configures the default service instance on a port. Anything

that does not meet the criteria of other service instances on
the same physical interface falls into this service instance.
domain.
end
Example:
4-314
OL-16147-20
Chapter 4

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
7.
8.
9.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
interface
type number
Example:
Step 4
service instance
id service-type
Example:
Step 5

Example:
Step 6
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

a UNI C port.
Example:
second-dot1q 1-100
Step 7

Example:
symmetric

OL-16147-20
4-315
Chapter 4
Command or Action
Step 8
bridge-domain
vlan-id
Example:
Step 9
Purpose
domain.
end
Example:
Examples
The following example shows how to configure an NNI port:
Configuring a Layer 3 Termination

Perform the following tasks to configure a Layer 3 termination.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
7.
ip address ip-address mask
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
4-316
OL-16147-20
Chapter 4

Command or Action
Step 3
interface
Purpose
type number
Example:
Step 4

Example:
Step 5
interface
type number

an NNI port.
Example:
3/0/.1
Step 6
encapsulation dot1q
vlan-id} [native]
vlan-id
second-dot1q {any |

Example:
second-dot1q 10
Step 7
ip address
Example:
255.255.0.0
Sets a primary or secondary IP address for an interface.
Step 8
end
Example:
Examples
The following example shows how to configure a Layer 3 termination. Note that Layer 3 is supported
only on trunk interfaces.
Router(config)# interface gig3/0/0.1
Router(config-if)# encapsulation dot1q 10 second dot1q 10
The following example shows how to configure a Layer 3 termination on an SVI:

Router(config-if)# encapsulation dot1q 200 second dot1q 300
OL-16147-20
4-317
Chapter 4
Displaying a Dot1ad Configuration

You can display a Dot1ad configuration using the show ethernet dot1ad command. This command
displays the Dot1ad configuration for all interfaces. To display the configuration on a particular
interface, use the show ethernet dot1ad interface command.
The following example shows how to display a Dot1ad configuration on all interfaces:
Router# show ethernet dot1ad
Interface: GigabitEthernet4/0/1
DOT1AD C-Bridge Port
L2protocol pass cdp stp vtp dtp pagp dot1x lacp
Interface: GigabitEthernet4/0/2
DOT1AD C-Bridge Port
L2protocol pass cdp stp vtp dtp pagp dot1x lacp
Troubleshooting Dot1ad
The following section describes how to troubleshoot Dot1ad.
Note
The show commands in these examples should be run from a line card console.
How do I verify the Dot1ad configuration on a switchport on an X40G card?
Run the following command to verify the Dot1ad configuration:
XYZ-PE1-dfc1# show platform npc switchport interface gi 1/2
[GigabitEthernet1/2]
status [valid, -, applied, enabled]
src_index [0x1]
rpcb [0x178BB9C4]
xlif_id [4097]
xlif_handle [type:[3] hwidb:[0x20E97F08] if_number:[1121]]
ft_bits [0x2]
ing_ctrl_ft_bits [0x2]
egr_ctrl_ft_bits [0x2]
port vlan [1]
mode ingress [NORMAL] egress [NORMAL]
dot1q_tunnel [No]
native tagging [No]
PVLAN isolated or community [No] promiscuous [No]
ingress vlan-translation [No] BPDU [No]
egress vlan-translation [No] BPDU [No]
dot1ad [Yes] <<<<<<<<<<<<
ethertype [0x88A8] <<<<<<<<<<<
Ingress Stat ID: 778698
Egress Stat ID: 778700
VLAN List:
1
num of vlans [1]
XYZ-PE1-dfc1#
How do I verify the Dot1ad configuration on the ports with EVCs on an X40G card?
Run the following command to verify the Dot1ad configuration:
XYZ-PE1-dfc1# show platform npc xlif interface gi 1/2 efp 1
EFP XLIF(GigabitEthernet1/2, efp1)[np0] = 4136
4-318
OL-16147-20
Chapter 4

Ingress XLIF table fields

Feature common enable: 0x1
Feature enable:
0x1
Feature bits:
0x1
Control common bits:
0x0
Control feature bits:
0x0
Control rewrite opcode: 0x0
Reserved 1:
0x0
Match cond
0x1
Entry valid:
0x1
Dbus VLAN:
30
QoS policy ID:
0
ACL ID:
0
Statistics ID:
450976
Inner rewrite VLAN:
0
Outer rewrite VLAN:
0
QoS flow ID:
0
Feature data: 00000000 40000000 AAA80000 E0000829
EFP admin down state 0x0
----- Bridge data -----layer2_acl_index:
0x00000000
evc_feat_data.ip_src_guard
: 0x0
evc_feat_data.mst_evc
: 0x1
evc_feat_data.layer2_acl
: 0x0
EVC - Mac Security:
0x0
evc_feat_data.sacl
: 0x0
evc_feat_data.layer2_acl_statid: 0
PDT: 0xAAA8
ipsg_label: 0
block_data: 0x0
block_l2bpdu: 0x0
split_h: 0x0
imp_ltl: 0x0829
EFP dot1ad port type 0x3
<<<<<<<<
EFP CDP forward 0x1 <<<<<<<<
EFP DTP forward 0x0
EFP VTP forward 0x0
EFP STP forward 0x0
EFP DOT1X forward 0x0
Egress XLIF table fields
Feature common enable:
Feature enable:
Feature bits:
Control rewrite opcode:
Port:
Match cond
Entry valid:
Dbus VLAN:
QoS policy ID:
ACL ID:
Statistics ID:
Inner rewrite VLAN:
Outer rewrite VLAN:
QoS flow ID:
IP Session en :
Multicast en :
Feature data 0
Intf etype:
Post Filter Opcode
0x1
0x1
0x01
0x00
0x00
0x00
0x1
0x1
0x1
30
0
0
450980
0
0
0
0
0
0x00000000
0x00008064
0x00000008
OL-16147-20
4-319
Chapter 4
Pre Filter Opcode

0x00000000
Pre Tag Outer
0x00000000
Pre Tag Inner
0x00000000
Post Filter Vlan high
0x00000064
Post Filter Vlan low
0x00000064
Post Filter Vlan outer 0x00000000
EVC - MST:
0x1
EVC etype
0x8100
CFM MEP Level
0x00000008
CFM MIP Level
0x00000008
CFM disable
0x0
MIP filtering
0x0
block_data:
0x0
block_l2bpdu:
0x0
sacl:
0x0
sacl index:
0x0000
sacl statid:
0x00000
XYZ-PE1-dfc1#
XYZ-PE1-dfc1#
How do I verify the L2protocol forwarding on a regular L3 switchports?

Run the following command to verify the L2protocol forwarding:
XYZ-PE1-dfc1# show platform npc xlif 0 port_sram 1
........................
dot1ad port type:
l2proto cdp fwd:
l2proto dtp fwd:
l2proto vtp fwd:
l2proto stp fwd:
l2proto dot1x fwd:
0x0002
0x0001
0x0000
0x0000
0x0000
0x0000
<<<<<<<<<
<<<<<<<<<
..............................................
How do I verify the Dot1ad configuration on ES20 cards?

For switchports, run the following command:
XYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg port <port-num>
For EVCs, run the following command:

XYZ-PE1-dfc1# show platform soft efp-client interface gi x/0/y efp-id l2protocfg
To display the default values, run the following commands:

XYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg defaults ?
<0-2> 0=c-uni, 1=s-uni, 2=nni
XYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg defaults 0 ?
<0-2> 0=L3, 1=BD, 2=XCON
XYZ-PE1-dfc1# show platform hardware dot1ad l2protocfg defaults 0 2
Raw Data :000FFF77 FFFCFF51
L2 Proto Configs :
Protocol
IEEE
CISCO
-----------------------------------CDP
:
FRWD
FRWD
VTP
:
FRWD
FRWD
DTP
:
FRWD
FRWD
Others
:
PEER
PEER
4-320
OL-16147-20
Chapter 4

Y.1731 Performance Monitoring
802.1d protocols : 01:80:C2:00:00:XX

XX | Config
----------00 : PEER
04 : FRWD
08 : DROP
0C : FRWD
XX | Config
----------01 : DROP
05 : FRWD
09 : FRWD
0D : FRWD
XX | Config
----------02 : PEER
06 : FRWD
0A : FRWD
0E : FRWD
XX | Config
----------03 : PEER
07 : FRWD
0B : FRWD
0F : FRWD
All Bridge (0180C2000010)= FRWD

Group = PEER
PVST = FRWD

When service providers sell connectivity services to a subscriber, a Service Level Agreement (SLA) is
reached between the buyer and seller of the service. The SLA defines the attributes offered by a provider
and serves as a legal obligation on the service provider. As the level of performance required by
subscribers increases, service providers need to monitor the performance parameters being offered. In
order to capture the needs of the service providers, organizations have defined various standards such as
IEEE 802.1ag and ITU-T Y.1731 that define the methods and frame formats used to measure
performance parameters.
Y.1731 Performance Monitoring (PM) provides a standard ethernet PM function that includes
measurement of ethernet frame delay, frame delay variation, frame loss, and frame throughput
measurements specified by the ITU-T Y-1731 standard and interpreted by the Metro Ethernet Forum
(MEF) standards group. As per recommendations, the 7600 platform should be able to send, receive and
process PM frames in intervals of 10ms (100 frames per second) with the maximum recommended
transmission period being 100ms (10 frames per second) for any given service.
To measure SLA parameters such as frame delay or frame delay variation, a small number of synthetic
frames are transmitted along with the service to the end point of the maintenance region, where the
Maintenance End Point (MEP) responds to the synthetic frame. For a function such as connectivity fault
management, the messages are sent less frequently, while performance monitoring frames are sent more
frequently.
Figure 4-15 illustrates Maintenance Entities (ME) and Maintenance End Points (MEP) typically
involved in a point-to-point metro ethernet deployment for the Y.1731 standard.
OL-16147-20
4-321
Chapter 4
Figure 4-15
A point-to-point metro Ethernet deployment with typical Maintenance Entities and

Maintenance Points
Subscriber
Equipment
1
Operator A NEs
2
Service Provider
4
Subscriber
Equipment
Operator B NEs
5
Subscriber ME
Test MEG
EVC ME
Operator A ME
NNI ME
UNI ME
246186
UNI ME
Operator B ME
Following are the performance monitoring parameters:
Connectivity
Frame Delay and Frame Delay Variation
Frame Loss Ratio and Availability
Connectivity
The first step to performance monitoring is verifying the connectivity. Continuity Check Messages
(CCM) are best suited for connectivity verification, but is optimized for fault recovery operation. It is
usually not accepted as a component of an SLA due to the timescale difference between SLA and Fault
recovery. Hence, Connectivity Fault Management (CFM) and Continuity Check Database (CCDB) are
used to verify connectivity. For more information on CFM see IEEE 802.1ag-2007 Compliant CFM,
page 4-235.
Frame Delay and Frame Delay Variation

Ethernet frame Delay Measurement (ETH-DM) is used for on-demand ethernet Operations,
Administration & Maintenance (OAM) to measure frame delay and frame delay variation.
Ethernet frame delay and frame delay variation are measured by sending periodic frames with ETH-DM
information to the peer MEP and receiving frames with ETH-DM information from the peer MEP.
During the interval, each MEP measures the frame delay and frame delay variation.
Ethernet frame delay measurement also collects useful information, such as worst and best case delays,
average delay, and average delay variation. Ethernet frame delay measurement supports hardware-based
timestamping in the ingress direction. It provides a runtime display of delay statistics during a two-way
delay measurement. Ethernet frame delay measurement records the last 100 samples collected per
remote Maintenance End Point (MEP) or per CFM session.
These are the two methods of delay measurement, as defined by the ITU-T Y.1731 standard:
One-way ETH-DM:
Each MEP transmits frames with one-way ETH-DM information to its peer MEP in a point-to-point
ME to facilitate one-way frame delay and/or one-way frame delay variation measurements at the
peer MEP. One way frame delay requires clock to be synchronized at both ends while frame delay
4-322
OL-16147-20
Chapter 4

variation doesn't require clock synchronization. It is measured using a single delay measurement
(1DM) or Delay Measurement Message (DMM) and Delay Measurement Reply (DMR) frame
combination.
Two-way ETH-DM:
Each MEP transmits frames with ETH-DM request information to its peer MEP and receives frames
with ETH-DM reply information from its peer MEP. Two way frame delay and frame delay variation
is measured using DMM and DMR frame.
These are the pre-requisites for 1DM measurements:

The clocks of the two concerned end-points must be synchronized accurately and precisely. This
is achieved through IEEE 1588-2002.

There is no auto-session create supported on the peer or the receiver. You need to configure an
receive-only session.
You must configure all the create sessions on the receiver's datapath. These are passive listener
sessions.
Note
On a Cisco 7600 router, clock synchronization is achieved using a 2-port gigabit synchronous ethernet
SPA. On an ES+ line card, the Real Time Clock (RTC) is synchronized to the 2-port gigabit synchronous
ethernet SPA time source using Precision Time Protocol (PTP) as the time source protocol. If the time
source selected is PTP, all the Y.1731 PM delay packets should have the 1588V2 timestamps.
For a 7600 router that does not have 2-Port Gigabit Synchronous Ethernet SPA, delay measurement is
done by using the timestamps with Network Time Protocol (NTP) as the time source protocol. This is
applicable only to One-way delay measurements.
To initiate Time of Day (ToD) synchronization on a line card, use the platform time-source command
in global configuration mode.
Frame Loss Ratio and Availability

Ethernet frame Loss Measurement (ETH-LM) is used to collect counter values applicable for ingress and
egress service frames where the counters maintain a count of transmitted and received data frames
between a pair of MEPs.
ETH-LM transmits frames with ETH-LM information to a peer MEP and similarly receives frames with
ETH-LM information from the peer MEP. Each MEP performs frame loss measurements which
contribute to unavailable time. A near-end frame loss refers to frame loss associated with ingress data
frames. Far-end frame loss refers to frame loss associated with egress data frames. Both near-end and
far-end frame loss measurements contribute to near-end severely errored seconds and far end severely
errored seconds which together contribute to unavailable time.
These are the two methods of frame loss measurement, defined by the ITU-T Y.1731 standard:
Single-ended ETH-LM: Each MEP transmits frames with the ETH-LM request information to its
peer MEP and receives frames with ETH-LM reply information from its peer MEP to carry out loss
measurements.
Dual-ended ETH-LM: Each MEP transmits periodic dual-ended frames with ETH-LM information
to its peer MEP in a point-to-point ME and facilitates frame loss measurements at the peer MEP. As
of now, the Cisco 7600 router does not support Dual-ended ETH-LM.
OL-16147-20
4-323
Chapter 4
Y.1731 PM supports these interfaces:
Note
LMM, DMM and 1DM support on EVC BD OFM
LMM, DMM and 1DM support on PC EVC BD OFM
LMM, DMM and 1DM support on EVC Xconnect OFM
LMM, DMM and 1DM support on PC EVC Xconnect OFM
LMM, DMM and 1DM support on EVC Xconnect IFM
LMM, DMM and 1DM support on PC EVC Xconnect IFM
LMM, DMM and 1DM support on Subinterfaces (routed port)
LMM, DMM and 1DM support on PC Subinterfaces (routed port)
PM is supported in the EVC and CFM configurations mentioned above, with both Dot1q and QinQ
encapsulations available on the EVC.

Follow these restrictions and usage guidelines when you configure Y.1731 PM on an ES+ line card:
If the route processor CPU is busy with other processes and if software forwarding is used, the
performance monitoring statistics are not accurate.
Y.1731 PM measurement only works for a point to point network topology.
Y.1731 PM is not SSO compliant. After switchover all sessions data is cleared and IPSLA restart is
required.
In case of one way session or two way session, when one way statistics are required, PTP needs to
be synchronized between peers and stable. You should delay starting of sessions in such situations.
On Cisco 7600 series router, only ES+Line Card is supported in non-switchport mode. PM is not
supported on Port MEPs.
PM is not supported on these interfaces:

mLACP interfaces
EVC BD IFM
Swicthport OFM and IFM
Port MEPs
PM is not supported on VPLS configuration.
PM is not supported on Qinq subinterfaces, as CFM is not supported on these interfaces.
PM does not support SNMP, although CLI and system-logging is supported.
Frame Throughput measurements are not supported.
These are the restrictions for PM support on Port-channel:
Adding or deleting a member link renders the session invalid.
Loss measurement on port-channel interfaces is supported only if all physical interfaces of the
port-channel are present on a single NPU. This restriction cannot be applied for delay
measurements.
4-324
OL-16147-20
Chapter 4

Note
All the member links have to be ES+ ports.
PM is not supported on manual PC EVC Load balancing configuration(UNI LAG).
Before you begin the Y.1731 PM configurations, ensure that the cfm configurations are up and working.
For more information on cfm configurations, please see section IEEE 802.1ag-2007 Compliant CFM,
page 4-235
The command [no] ethernet cfm distribution enable disables the CFM distribution functionality. This
is necessary to avoid performance hits due to the distributing CFM functionality. This command is
disabled by default.
Configuring One Way Delay Measurement

To configure one way delay measurement, complete these steps:
Note
Ensure that you first configure a receiver, schedule it to the pending state, and then configure a sender.
Summary Steps
1.
enable
2.
configure terminal
On the receiver:
3.
ip sla n
4.
ethernet y1731 delay receive 1DM domain domain {{vlan | evc} value}cos value {mpid |
mac-address} value
5.
frame {interval | offset | size} value
6.
history {interval} value
7.
aggregate {interval} value
8.
distribution {delay | delay-variation} {one-way | two-way} value
9.
clock sync
10. max-delay value

11. owner value
12. exit
13. ip sla schedule n {life | ageout | recurring | start-time} value start-time start time
On the sender:
14. ip sla n
15. ethernet y1731 delay 1DM domain domain {{vlan | evc} value} {mpid | mac-address} value cos
value source {mpid | mac-address} value

16. frame {interval | offset | size} value
17. history {interval} value
OL-16147-20
4-325
Chapter 4
18. aggregate {interval} value

19. distribution {delay | delay-variation} {one-way | two-way} value
20. clock sync
21. max-delay value
22. owner value
23. exit
25. exit
Detailed Steps
Step 1
Command
Purpose
enable

prompted.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
ip sla n
Enables the IP SLA configuration.
Example:
Router((config)# ip sla 2
Step 4
ethernet y1731 delay receive 1DM

domain domain {{vlan | evc} value}
cos value {mpid | mac-address} value
Example:
Router(config-ip-sla)# ethernet
y1731 delay receive 1DM domain r3
evc e3 cos 3 mpid 401
Step 5
frame {interval | offset | size}

value
Example:
Router(config-sla-y1731-delay)#
frame interval 100
Configures one-way delay measurement on the receiver.

These are the parameters:
evc - Specifies the ethernet virtual circuit identifier
vlan - Specifies the VLAN.
cos - Specifies the class of service. The values ranges

between 0 and 7.
mpid - Specifies the source MP ID.
mac-address - Specifies the source mac-address.
Configures Y.1731 frame parameters such as:
interval - Specifies the number of intervals.
offset - Specifies the frame offset for calculations.

The values ranges between 1 and 10.
size - Specifies the frame size. The values ranges

between 64 and 384.
4-326
OL-16147-20
Chapter 4

Step 6
Command
Purpose
Configures Y.1731 history parameters such as:
interval - Specifies the number of intervals. The

number of intervals to store ranges between 1 and 10.
Example:
Router(config-sla-y1731-delay)# history interval 5
Step 7
Configures Y.1731 aggregation parameters such as:
Example:
Router(config-sla-y1731-delay)# aggregate interval 5
Step 8
distribution {delay |
delay-variation} {one-way | two-way}
value
Configures Y.1731 distribution parameters such as:
delay - Specifies delay distribution parameters.
delay-variation - Specifies delay-variation

distribution parameters.
one-way - Specifies one-way distribution

parameters.
two-way - Specifies two-way distribution

parameters.
Example:
Router(config-sla-y1731-delay)#distribution delay-variation one-way 2
Step 9
clock sync

aggregation period in seconds ranges between
<1-65535>.
Checks whether the clocks are synchronized on the sender

and receiver.
Example:
Router(config-sla-y1731-delay)#clock sync
Step 10
max-delay value
Configures the maximum delay in milliseconds. The

value ranges from 1 to 65535.
Example:
Step 11
owner value
Specifies the operation owner.
Example:
Router(config-sla-y1731-delay)#owner name
Step 12
exit
Exits the Y.1731 submode and enters the global configuration mode.
Example:
Router((config-sla-y1731-delay)#
exit
OL-16147-20
4-327
Chapter 4
Command
Step 13
ip sla schedule n {life | ageout |

recurring | start-time} value
start-time start time
Purpose
Schedules the one way delay measurement on receiver.
Life - Specifies a period time to execute in seconds.
Ageout - Specifies a period time to keep the entry

when inactive.
Recurring - Specifies a period time to be scheduled

automatically every day.
Start-time - Specifies the time to start the entry. The

options available are:
Example:
Router((config)# ip sla schedule 1
life 100 start-time pending
after
hh:mm
hh:mm:ss
now
pending
Note
Step 14
ip sla n
On the receiver, the scheduled start time selected

should always be pending.
Example:
Router(config)# ip sla 1
Step 15
ethernet y1731 delay 1DM domain

domain {{vlan | evc} value}{mpid |
mac-address} value cos value source
{mpid | mac-address} value
Example:
y1731 delay 1DM domain r3 evc e3
mpid 500 cos 3 source mpid 400
Step 16

value
Example:
frame interval 100
Step 17
Configures one way delay measurement on sender.
evc - Specifies the ethernet virtual circuit identifier.

between 0 and 7.
mpid - Specifies the destination MP ID. The values

ranges between 1 and 8191.
mac-address - Specifies the destination

mac-address.
source - Specifies the source MP ID or mac-address.
offset - Specifies the frame offset to be used for

calculations. The values ranges between 1 and 10.

between 64 and 384.
Configures the Y.1731 history parameters such as:

Example:
4-328
OL-16147-20
Chapter 4

Step 18
Command
Purpose
Configures the Y.1731 aggregation parameters such as:
Example:
Step 19
value
Configures the Y.1731 distribution parameters such as:


parameters.

parameters.
Example:
Step 20
clock sync

aggregation period in seconds ranges between 1 and
65535.

and receiver.
Example:
Step 21
max-delay value

value ranges between 1 and 65535.
Example:
Step 22
owner value
Example:
Step 23
exit
Example:
exit
OL-16147-20
4-329
Chapter 4
Step 24
Command
Purpose

Schedules the one way delay measurement on the sender.
Life - Specifies a period time to be executed in

seconds.
Example:
Ageout - Specifies a period time to retain the entry

when inactive.
Recurring - Specifies the probe to be scheduled



life 100 start-time now
after
hh:mm
hh:mm:ss
now
pending
Step 25
exit
Example:
Router((config)# exit
Configuration Example
This example displays the configuration of one way frame delay measurement. Before you begin,
configure the receiver, schedule it to pending state, configure the sender and then start the session on it.
Router# enable
On receiver
Router(config)#ip sla 1
Router(config-ip-sla)# ethernet y1731 delay receive 1DM domain r3 evc e3 cos 3 mpid 401
Router(config-sla-y1731-delay)#history interval 5
Router(config-sla-y1731-delay)#aggregate interval 60
Router(config)#exit
Router(config)#ip sla schedule 1 start-time pending
On Sender
Router(config-ip-sla)# Router(config-ip-sla)# ethernet y1731 delay 1DM domain r3 evc e3
Router(config)#exit
Router(config)#ip sla schedule 1 start-time after 00:00:30
Router# end
Configuring Two-Way Delay Measurement

To configure a Two-Way Delay Measurement, complete these steps:
4-330
OL-16147-20
Chapter 4

Summary Steps
1.
enable
2.
configure terminal
3.
ip sla n
4.
ethernet y1731 delay DMM domain domain {{vlan | evc} value} {mpid | mac-address} value cos
5.
6.
7.
8.
distribution {delay | delay-variation} {one-way | two-way} value
9.
clock sync
10. max-delay value

11. owner value
12. exit
14. end
Detailed Steps
Step 1
Command
Purpose
enable

prompted.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
ip sla n
Example:
OL-16147-20
4-331
Chapter 4
Step 4
Command
Purpose
ethernet y1731 delay DMM domain

Configures a two-way delay measurement on the sender.
Example:
y1731 delay DMM domain r3 evc e3
Step 5

value
Example:
frame interval 100
Step 6

between 0 and 7.


mac-address.


between 64 and 384.

number of intervals ranges between 1 and 10.
Example:
Step 7
Configures Y.1731 aggregation parameters such as:
Example:
Step 8
value
Configures Y.1731 distribution parameters such as:


parameters.

parameters.
Example:
Step 9
clock sync

65535.

and receiver.
Example:
4-332
OL-16147-20
Chapter 4

Step 10
Command
Purpose
max-delay value

Example:
Step 11
owner value
Example:
Step 12
exit
Example:
exit
Step 13

Schedules the two way delay measurement on the sender.
Life - Specifies the period time to execute in seconds.
Ageout - Specifies the period time to keep the entry

when inactive.
Recurring - Specifies the probe to be scheduled


Example:
after
hh:mm
hh:mm:ss
now
pending
Step 14
exit
Example:
The following example configures a two way frame delay measurement
Router# enable
Router(config-ip-sla)# ethernet y1731 delay DMM domain ifm_400 evc e1 mpid 401 cos 4
source mpid 1
Router(config-sla-y1731-delay)#exit
Router(config)#ip sla schedule 1 start-time after 00:00:30
OL-16147-20
4-333
Chapter 4
Router(config)#exit
Configuring Single Ended Frame Loss Measurement

To configure single ended frame loss measurement, complete these steps:
Note
Before you begin, configure the command monitor loss counter [priority cos range] under the EVC
CFM sub-config mode for those interfaces that require loss monitoring.
Summary Steps
1.
enable
2.
configure terminal
3.
ip sla n
4.
ethernet y1731 loss LMM domain domain {{vlan | evc} value} {mpid | mac-address} value cos
5.
6.
7.
8.
clock sync
9.
max-delay value
10. owner value

11. exit
13. end
Detailed Steps
Step 1
Command
Purpose
enable

prompted.
Example:
Router> enable
Step 2
configure terminal
Example:
4-334
OL-16147-20
Chapter 4

Step 3
Command
Purpose
ip sla n
Example:
Step 4
ethernet y1731 loss LMM domain

Example:
y1731 loss LMM domain r3 evc e3 mpid
500 cos 3 source mpid 400
Step 5

value
Example:
Router(config-sla-y1731-loss)# frame
interval 100
Step 6
Configures single ended frame loss measurement on the

sender.

between 0 and 8. The cos value 8 is for aggregated
cos and is used when LMM is configured for routed
port sub interface.


mac-address.
Configures the Y.1731 frame parameters such as:


between 64 and 384.

Example:
Router(config-sla-y1731-loss)# history interval 5
Step 7
Configures the Y.1731 aggregation parameters such as:
Example:
Router(config-sla-y1731-loss)# aggregate interval 5
Step 8
clock sync

65535.

and receiver.
Example:
Router(config-sla-y1731-loss)#clock
sync
Step 9
max-delay value

Example:
Router(config-sla-y1731-loss)#clock
sync
OL-16147-20
4-335
Chapter 4
Step 10
Command
Purpose
owner value
Example:
Router(config-sla-y1731-loss)#owner
name
Step 11
exit
Example:
Router((config-sla-y1731-loss)# exit
Step 12

Example:
Schedules the single ended frame loss measurement on

sender.
Life - Specifies the length of time to execute in

seconds.
Ageout - Specifies the length of time to keep the

entry when inactive.
Recurring - Specifies automatic scheduling every

day.

after
hh:mm
hh:mm:ss
now
pending
Step 13
exit
Example:
This example displays the configuration of single ended frame loss measurement:
Router# enable
Router(config-ip-sla)# ethernet y1731 loss LMM domain r3 vlan 200 mpid 10 cos 3 source
mpid 5
Router(config-sla-y1731-loss)# frame interval 5
Router(config-sla-y1731-loss)# aggregate interval 60
Router(config-sla-y1731-loss)# exit
Router(config)# ip sla schedule 1 life forever start-time now
This example displays the configuration of the command monitor loss counter {priority value} under
the EVC CFM sub-config mode:
4-336
OL-16147-20
Chapter 4

no ip address
service instance 1 ethernet e3
bridge-domain 200
cfm mep domain r3 mpid 5
monitor loss counter priority 0-4
!
end
Note
Use the ip sla reaction-configuration [n] react command to configure the reaction configuration.
Verifying the Frame Delay and Frame Loss Measurement Configurations
To verify and monitor the frame delay and frame delay variation measurement configuration, use
this command in privileged EXEC mode:
Router# show ip sla statistics n

Delay Statistics for
Operation n
Type of operation: Y1731 Delay Measurement
Latest operation start time: *21:37:08.895 PST Thu Aug 20 2009
Latest operation return code:
Distribution Statistics:
Interval <n>
Start time:
Elapsed/End time:
Number of measurements initiated: <x>
Number of measurements completed: <x>
Flag: OK
Delay:
Max/Avg/Min forward: x/y/z
-> Min is only shown if clocks are in sync
Max/Avg/Min backward: x/y/z
-> Only for two-way
Max/Avg/Min: x/y/z
-> Only for two-way
Timestamps forward: Max - 21:37:08.895 PST Thu Aug 20 2009/Min - 21:37:08.995 PST Thu
Aug 20 2009
Timestamps backward: Max - xxx/Min - yyy
Timestamps: Max - xxx/Min - yyy
Bucket Forward:
Bucket Range: 0-9 ms:
Total observations: <x>
Delay Variance
Max/Avg/Min forward: x/y/z
-> Min is only shown if clocks are in sync
Max/Avg/Min backward: x/y/z
-> Only for two-way
Max/Avg/Min: x/y/z
-> Only for two-way
Bucket Forward:
Operation time to live: Forever
OL-16147-20
4-337
Chapter 4
To verify and monitor the frame loss measurement configuration, use this command in privileged
EXEC mode:
Router# show ip sla statistics n

Delay Statistics for
Operation n
Type of operation: Y1731 Loss Measurement
Latest operation start time: *21:37:08.895 PST Thu Aug 20 2009
Latest operation return code:
Interval <n>
Loss
Start time:
Elapsed/End time:
Number of measurements initiated: <x>
Number of measurements completed: <x>
Flag: OK
Forward
Tx frame count:
Rx frame count:
Available indicators:
Unavailable indicators:
Max/Avg/Min(FLR %): 3/2/1
Max/Avg/Min (FLR Numerator:Denominator)forward: xNum:xDen/yNum:yDen/zNum:zDen
Aug 20 2009
Backward
Tx frame count:
Rx frame count:
Available indicators:
Unavailable indicators:
Max/Avg/Min(FLR %): 3/2/1
Max/Avg/Min (FLR Numerator:Denominator)backward: xNum:xDen/yNum:yDen/zNum:zDen
Aug 20 2009
Operation time to live: Forever
To display all details of frame delay and frame delay variation measurements, use the show ip sla
statistics detail command.
Router# show ip sla statistics detail

IPSLAs Latest Operation Statistics
IPSLA operation id: 3
Delay Statistics for Y1731 Operation 3
Latest operation start time: *00:00:00.000 PST Mon Jan 1 1900
Latest operation return code: OK
Interval 1
Type: Delay
Start time: *00:00:00.000 PST Mon Jan 1 1900
Elapsed/End time: *00:00:00.000 PST Mon Jan 1 1900
Number of measurements initiated: 0
Number of measurements completed: 0
Flag: OK
Delay:
Max/Avg/Min TwoWay: 140116936/140116944/140116952
Timestamps TwoWay: Max - *00:00:00.000 PST Mon Jan 1 1900/Min - *00:00:00.000 PST Mon Jan
1 1900
Bucket forward:
Bucket Range: 0-4999 microsecond
Total observations: 0
4-338
OL-16147-20
Chapter 4

Bucket
Total
Bucket
Total
Bucket
Total
Bucket
Total
Bucket
Total
Bucket
Total
Bucket
Total
Bucket
Total
Bucket
Total
Range: 5000-9999 microsecond

observations: 0
observations: 0
observations: 0
observations: 0
observations: 0
observations: 0
observations: 0
observations: 0
Range: 45000--2 microsecond
observations: 0
Bucket backward:
Bucket Range: 45000--2 microsecond
Bucket TwoWay:
Delay Variance:
Max/Avg backward positive: 140116936/140116944
Timestamp backward positive: Max - *00:00:00.000 PST Mon Jan
Max/Avg backward negative: 140116936/140116944
Timestamp backward negative: Max - *00:00:00.000 PST Mon Jan
Max/Avg TwoWay positive: 140116936/140116944
Timestamp TwoWay positive: Max - *00:00:00.000 PST Mon Jan 1
Max/Avg TwoWay negative: 140116936/140116944
Timestamp TwoWay negative: Max - *00:00:00.000 PST Mon Jan 1
1 1900
1 1900
1900
1900
OL-16147-20
4-339
Chapter 4
Bucket forward positive:

Bucket forward negative:
Bucket backward positive:
4-340
OL-16147-20
Chapter 4

Bucket backward negative:
Bucket TwoWay positive:
To display the same outputs as the latest statistics detail command, use the show ip sla history
interval n command. The number displayed is the number of intervals configured.
Output for Loss Measurement:

Router# show ip sla history 1 interval-statistics
Loss Statistics for Y1731 Operation 1
Type of operation: Y1731 Loss Measurement
Latest operation start time: *09:46:16.225 UTC Fri Nov 26 2010
Latest operation return code: OK
Interval 1
Start time: *09:46:16.225 UTC Fri Nov 26 2010
End time: *09:48:16.221 UTC Fri Nov 26 2010
Flag: OK
OL-16147-20
4-341
Chapter 4
Forward
Number of Observations 11999
Timestamps forward:
Max - *09:47:20.252 UTC Fri Nov 26 2010/
Tx frame count: 30000
Rx frame count: 20000
Available indicators: 11999
Unavailable indicators: 0
Max/Avg/Min - (FLR % ): 1:3/2.78%/0:0
Backward
Number of Observations 11999
Timestamps backward:
Max - *09:48:16.221 UTC Fri Nov 26 2010/
Tx frame count: 10000
Rx frame count: 10000
Available indicators: 11999
Unavailable indicators: 0
Max/Avg/Min - (FLR % ): 0:0/0.0%/0:0
Min - *09:48:16.221 UTC Fri Nov 26 2010
Min - *09:48:16.221 UTC Fri Nov 26 2010
Output for Delay Measurement:

Router#show ip sla history 10 interval-statistics
Delay Statistics for Y1731 Operation 10
Latest operation start time: 10:58:30.144 PDT Tue Jan 4 2011
Latest operation return code: Timeout
Interval 1
Start time: 10:58:30.144 PDT Tue Jan 4 2011
End time: 10:59:05.140 PDT Tue Jan 4 2011
Flag: OK
Delay:
Number of TwoWay observations: 34
Max/Avg/Min TwoWay: 113364/100499/100099 (microsec)
Time of occurrence TwoWay:
Max - 10:59:05.140 PDT Tue Jan 4 2011
Min - 10:58:40.076 PDT Tue Jan 4 2011
Bin TwoWay:
Bin Range (microsec)
0 - < 5000
5000 - < 10000
10000 - < 15000
15000 - < 20000
20000 - < 25000
25000 - < 30000
30000 - < 35000
35000 - < 40000
40000 - < 45000
45000 - < 4294967295
Total observations
0
0
0
0
0
0
0
0
0
34
Delay Variance:
Number of TwoWay positive observations: 19
Max/Avg TwoWay positive: 13256/706 (microsec)
Time of occurrence TwoWay positive:
Max - 10:59:05.140 PDT Tue Jan 4 2011
Number of TwoWay negative observations: 14
4-342
OL-16147-20
Chapter 4

Max/Avg TwoWay negative: 86/11 (microsec)

Time of occurrence TwoWay negative:
Max - 10:58:40.076 PDT Tue Jan 4 2011
Bin TwoWay positive:
0 - < 5000
5000 - < 10000
10000 - < 15000
15000 - < 20000
20000 - < 25000
25000 - < 30000
30000 - < 35000
35000 - < 40000
40000 - < 45000
45000 - < 4294967295
Total observations
18
0
1
0
0
0
0
0
0
0
Bin TwoWay negative:

0 - < 5000
5000 - < 10000
10000 - < 15000
15000 - < 20000
20000 - < 25000
25000 - < 30000
30000 - < 35000
35000 - < 40000
40000 - < 45000
45000 - < 4294967295
Total observations
14
0
0
0
0
0
0
0
0
0
To display the performance monitoring session summary, use the show ethernet cfm pm session
summary command.
Router# show ethernet cfm pm session summary

Number of Configured Session : 1
Number of Active Session: 1
Number of Inactive Session: 0
Troubleshooting
These troubleshooting scenarios apply to the Y.1731 performance monitoring configurations:
Problem
Solution
When the IP SLA sessions do not come up.
Use the debug commands:
debug ethernet cfm pm events [session

<session id>]
debug ethernet cfm pm error [session

<session id>]
debug ethernet cfm pm diagnostic
debug ethernet cfm pm ipc [session

<session id>]
debug ethernet cfm pm packet [session

<session id>]
OL-16147-20
4-343
Chapter 4
IP and PPPoE Session Support

Intelligent Services Gateway (ISG) is a Cisco IOS software feature provides a structured framework for
the edge devices to deliver flexible and scalable services to subscribers. ISG supports IP sessions for
subscribers who connect to ISG from routed or Layer 2 access networks. From Cisco IOS Release
12.2(33)SRE onwards, the ISG: Subscriber Aware Ethernet feature provides Intelligent Services
Gateway (ISG) functionality in distributed IP and PPPoE sessions on Cisco 7600 series routers that have
Ethernet Services Plus (ES+) access-facing line cards.
IP sessions, representing a single IP address, collates the traffic received from a single IP source address,
and classifies, identifies and provides services to subscribers. If the IP address is not unique, VRF or
interface is used as unique identifiers. IP addressees can overlap only across VRF, and if two interfaces
have the same VRF, they cannot have overlapping IP addresses. However, overlapping IP addresses are
also supported for MAC based identification.
Note
ISG functionality support for IP and PPPoE sessions is deprecated and will be unavailable in a future
release.
IP sessions are hosted for the following connected subscriber devices:
Devices that are one hop far from SG are L2-connected sessions.
Devices that are multiple hops from the system where Service Gateway (SG) is not at the extreme
L3 edge are routed sessions.
This feature is supported on the following interfaces in a ES+ line card:
Access interfaces
Non-access interfaces (limited to 500 subinterfaces)
This feature supports the following sessions in a ES+ line card:
IP sessions (routed and L2-connected)
DHCP integration with IP sessions
Static IP subnet sessions
Source IP address and MAC address sessions (IP sessions)
PPPoE supported in the PPP Termination and Aggregation (PTA) mode
PPPoEoVLAN supported in the PTA mode
PPPoEoQinQ supported in the PTA mode
PPPoEoDot1Q supported in the PTA mode
IP Address Assignment
DHCP Based IP address assignment: If DHCP is being used to assign IP addresses, and the IP
address that is assigned by DHCP is correct for the service domain, ISG does not have to be involved
in the assignment of an IP address for the subscriber. If the IP address that is assigned by DHCP is
not correct for the service domain, or if the domain changes because of a VRF transfer, ISG can be
configured to influence the DHCP IP address assignment.
Static IP address assignment: If the static IP address for a subscriber is configured correctly for the
service domain, ISG is not involved in the assignment of an IP address for the subscriber.
4-344
OL-16147-20
Chapter 4

IP subnet: For IP subnet sessions, the IP subnet is specified in the user profile.
IP interface: ISG is not involved in the assignment of subscriber IP addresses.
IP Subnet (IP Range) Sessions

A client subnet identifies a IP Subnet session and applies uniform edge processing to packets associated
with a particular IP subnet. IP Subnet sessions are hosted for clients directly connected or over multiple
hops. The following functionalities are not supported on IP Subnet Sessions, but are supported on IP
Sessions:
DHCP session initiation not supported
No Source MAC address session support
No Dynamic VPN selection support
IP Interface Sessions
In an IP Interface session, all the traffic received on a particular physical or logical interface is collated.
However, dynamic VRF transfer is not supported in an IP interface session and, VRF transfer can only
be used with static VRF configuration. Irrespective of the subscriber logged in, a session is created by
default.
PPPoE and IPoE Session Support on Port Channel (1:1 Redundancy)

The 1:1 redundancy on a port channel coupled with Link Aggregation Control Protocol (LACP)
dynamically handles the member links in a port channel bundle. A port channel has two members, of
which one member is active and the other is in standby or redundant mode. The member ports can be
across line cards, but must originate from Ethernet Services Plus (ES+) line card. At any given point of
time, one link is on the physical mode.
The following sessions support 1:1 redundancy in a ES+ line card:
Note
IP Subnet sessions
IP Interface sessions
PPPoEoX sessions.
Port channel sub-interfaces of type access provide M:N LAG support if the Intelligent Services Gateway
(ISG) is not configured. In case the ISG is configured, only the 1:1 activestandby configuration is
supported for access type sub-interfaces.
PPPoE and IPoE Session Support on QinQ Subinterfaces with IEEE 802.1AH
Customer Ethertype
This feature enables you to implement PPPoE and IPoE session (ISG functions) on QinQ subinterfaces
that are configured with custom ethertype. The custom ethertype implemented on the main interface is
inherited by all the subinterfaces. To implement this feature, use dot1q tunnel ethertype command on
main interface for the respective QinQ subinterfaces.
OL-16147-20
4-345
Chapter 4
If the outer VLAN tag on a PPPoE or IPoE session packet matches the custom ethertype VLAN settings
on the QinQ subinterface, the packets are accepted otherwise the packets are dropped. You can set the
outer VLAN tag to the following values:
0x9100
0x9200
0x8100
0x88a8
The PPPoE or IPoE session does not come up if there is ethertype mismatch between ISG and the client.
For example, if the outer VLAN tag on a packet is set to 0x9100 and the interface is configured using
custom ethertype to accept only packets with 0x88a8 VLAN tag, the packet will be dropped in the QinQ
subinterface.
You can configure QinQ on both the access and non-access sub-interfaces. The following code shows
how to define an interface with access sub-interface, create a VLAN QinQ subinterface, and enable
PPPoE session:
Router> enable
Router(config)# interface gigabitethernet 1/0/0
Router(config-if)# dot1q tunneling ethertype 0x9100
Router(config-if)# interface gigabitethernet 1/0/0.100 access
Router(config-subif)# encapsulation dot1q 100 second-dot1q 200
Router(config-subif)# ip subscriber interface

Follow these restrictions and usage guidelines when you configure an IP or a PPPoE sessions on an ES+
linecard:
IP Sessions are not supported on ambiguous VLANs.
Radius proxy is not supported for the IP Sessions.
IP and MAC address spoof Prevention is not supported on subinterfaces on a ES+ linecard unlike on
a SIP400 line card.
IP sessions are supported on Link Aggregation (Ether-Channel) interfaces. LAG etherchannel

interfaces are supported for links on the same and across line cards.
PPPoE sessions are supported on ambiguous VLAN interfaces and VLAN ranges.
There are no drop counters to identify the number of packets dropped due to custom ethertype
mismatch.
VLANs, Source MAC Address, and Ports are matched against session ids to extend security for
PPPoE sessions.
ES+ low queue cards do not support ISG (IP session and PPPoE session).
Follow these restrictions and usage guidelines when you configure 1:1 redundancy on a ES+ linecard:
Subscriber redundancy is available only on a 1:1 access standby model.
Supports access interfaces in port channels to scale the number of port channel subinterfaces to
greater than 4k.
Link Aggregation Control Protocol (LACP) allows dynamic handling of member links in a GEC
bundle.
4-346
OL-16147-20
Chapter 4

Supports a maximum of 64 GEC bundles with 8 links.
Member links in a single GEC bundle reside across NPs or the linecard.
LAG is supported with members across linecards.
Supports LAG across linecards and membership of the LAG does not change after new sessions are
initiated.
Feature supports 32000 access sub-interfaces.
Supports per session load balancing across member links where all the traffic for a session is relayed
over a single port.
To reduce the downtime during member link addition or deletion, QOS queues are allocated for all
member links belonging to the port channel. Though the ingress and egress traffic could be on
different member links, the peer relays all the traffic for a session through a single member link.
LAG supports sessions on non access subinterfaces to support coexistence of multicast streams.
Verification
This section lists the commands to display configuration information.
Use the following commands to configure the PPPoE:

Router-DJ4-dfc9#sh debug
CWAN iEdge LC:
CWAN iEdge LC session event debug debugging is on
X40G XLIF Client:
XLIF NP events debugging is on
Router-DJ4-dfc9# sh log
Syslog logging: enabled (0 messages dropped, 4 messages rate-limited, 0 flushes, 0
overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 308 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
Log Buffer (1000000 bytes):
Nov 19 16:08:48.247 IST: DFC9: provision_pppoe_routed_ac: switch_info 2CDEC4A4
seghandle 2CD93474 uid 40 if_number 80
Nov 19 16:08:48.247 IST: DFC9: type 1 2 0opaque handle = 0x186DAB48
Nov 19 16:08:48.247 IST: DFC9: inserting 186DAB48 105 40
Nov 19 16:08:48.247 IST: DFC9: cwan_iedge_session_pending_timer started
Nov 19 16:08:48.247 IST: DFC9: no dbus vlan session pending on int 105
Nov 19 16:08:48.251 IST: DFC9: cwan_iedge_update_dbus_vlan: Session 40 gets hidden
vlan 1020 through update for Virtual-Access2.1
Nov 19 16:08:50.247 IST: DFC9: cwan_iedge_common_session_notify: cfg_type 2 va_if_num
105 phy_if_num 80 uid 0action 0
Nov 19 16:08:50.247 IST: DFC9: cwan_iedge_get_session_config: sess_type 2 if_num 105
pid 0
OL-16147-20
4-347
Chapter 4
Nov 19 16:08:50.247 IST: DFC9: cwan_iedge_get_pppoe_config: if_num 80 va_if_num 105

vlan 1020 sess-id 40 cond_debug off
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_create Cfn[965F2BC] Creating Xlif:
GigabitEthernet9/5 Xid[0] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_create_internal successfully created
xlif: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_eg_xlif_update_port Cfn[92D1658] Xlif Update
Port 4 : GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352]
efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_tag_rewrite Cfn[965F334] Tag(i-0,
o-2) Dir[2]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352]
efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_dbus_vlan Cfn[965F36C] Updatng
Dbus Vlan 1020: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0]
Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_stats_id Cfn[965D780] Updatng
StatId 599056 Dir[0]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0]
Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_stats_id Cfn[965D8A8] Updatng
StatId 599064 Dir[1]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0]
Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_fwd_feat_enable Cfn[965F3BC] Xlif Fwd
Feat 0x1 Enable 1 : GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0]
Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_enable Cfn[965F3F0] Xlif Enable 1:
GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0] Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_feat_info Cfn[965F604] Xlif update
feature Dir[0]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0]
Xidx[205352] efp[0]
Nov 19 16:08:50.247 IST: DFC9: x40g_npc_xlif_update_feat_info Cfn[965F700] Xlif update
feature Dir[1]: GigabitEthernet9/5 Xid[205352] Typ[4] Ch[0] Ifn[105] Xreg[0]
Xidx[205352] efp[0]
Router-DJ4#sh debug
PPP:
PPP protocol negotiation debugging is on
PPPoE:
PPPoE protocol events debugging is on
PPPoE control packets debugging is on
Router-DJ4#sh log
Syslog logging: enabled (3340 messages dropped, 2 messages rate-limited, 0 flushes, 0
overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 5280 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 203 message lines logged
Log Buffer (1000000 bytes):
Nov 19 16:08:48.231 IST: PPPoE 0: I PADI
R:bb00.1912.0001 L:ffff.ffff.ffff 2 Gi9/5.1
4-348
OL-16147-20
Chapter 4

contiguous pak, size 60

FF FF FF FF FF FF BB 00 19 12 00 01 81 00 00 02
88 63 11 09 00 00 00 04 01 01 00 00 00 0A 03 06
B6 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00
00 00 00 00 00 00 06 F8 00 00 9C 88
Nov 19 16:08:48.231 IST: Service tag: NULL Tag
Nov 19 16:08:48.231 IST: PPPoE 0: O PADO, R:a110.0050.0006 L:bb00.1912.0001 1019
Gi9/5.1
06 02 00 10 03 FB 28 00 03 80 00 00 44 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 02 04 00 00
BB 00 19 12 00 01 A1 10 00 50 00 06 81 00 00 02
88 63 11 07 00 00 00 24 01 01 00 00 01 02 00 08
52 69 61 7A 2D 44 4A 34 ...
Nov 19 16:08:48.231 IST: PPPoE 0: I PADR R:bb00.1912.0001 L:000c.31c9.7000 2 Gi9/5.1
00 0C 31 C9 70 00 BB 00 19 12 00 01 81 00 00 02
88 63 11 19 00 00 00 18 01 01 00 00 01 04 00 10
E2 DB 75 8D E5 9C 95 C1 83 35 DC 91 B2 14 32 89
63 63 65 73 73 2D 70 70 6C 63 70 30
Nov 19 16:08:48.231 IST: PPPoE : encap string prepared
Nov 19 16:08:48.231 IST: [40]PPPoE 40: Access IE handle allocated
Nov 19 16:08:48.231 IST: [40]PPPoE 40: AAA get retrieved attrs
Nov 19 16:08:48.231 IST: [40]PPPoE 40: AAA get nas port details
Nov 19 16:08:48.231 IST: [40]PPPoE 40: AAA get dynamic attrs
Nov 19 16:08:48.231 IST: [40]PPPoE 40: AAA unique ID allocated
Nov 19 16:08:48.231 IST: [40]PPPoE 40: No AAA accounting method list
Nov 19 16:08:48.231 IST: [40]PPPoE 40: Service request sent to SSS
Nov 19 16:08:48.231 IST: [40]PPPoE 40: Created, Service: None R:000c.31c9.7000
L:bb00.1912.0001 2 Gi9/5.1
Nov 19 16:08:48.231 IST: [40]PPPoE 40: State NAS_PORT_POLICY_INQUIRY
Event SSS MORE
KEYS
Nov 19 16:08:48.231 IST: PPP: Alloc Context [19C03860]
Nov 19 16:08:48.231 IST: ppp40 PPP: Phase is ESTABLISHING
Nov 19 16:08:48.231 IST: [40]PPPoE 40: data path set to PPP
Nov 19 16:08:48.231 IST: [40]PPPoE 40: Segment (SSS class): PROVISION
Nov 19 16:08:48.231 IST: [40]PPPoE 40: State PROVISION_PPP
Event SSM PROVISIONED
Nov 19 16:08:48.231 IST: [40]PPPoE 40: O PADS R:bb00.1912.0001 L:000c.31c9.7000 1019
Gi9/5.1
00 02 00 10 03 FB 28 00 03 80 00 00 44 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 02 04 00 00
BB 00 19 12 00 01 A1 10 00 50 00 06 81 00 00 02
88 63 11 65 00 28 00 18 01 01 00 00 01 04 00 10
E2 DB 75 8D E5 9C 95 C1 ...
Nov 19 16:08:48.231 IST: ppp40 PPP: Using vpn set call direction
Nov 19 16:08:48.231 IST: ppp40 PPP: Treating connection as a callin
Nov 19 16:08:48.231 IST: ppp40 PPP: Session handle[28] Session id[40]
Nov 19 16:08:48.231 IST: ppp40 LCP: Event[OPEN] State[Initial to Starting]
Nov 19 16:08:48.231 IST: ppp40 PPP LCP: Enter passive mode, state[Stopped]
Nov 19 16:08:48.231 IST: ppp40 LCP: I CONFREQ [Stopped] id 0 len 14
Nov 19 16:08:48.231 IST: ppp40 LCP:
MagicNumber 0xA4E30BAF (0x0506A4E30BAF)
Nov 19 16:08:48.231 IST: ppp40 LCP:
MRU 1492 (0x010405D4)
Nov 19 16:08:48.231 IST: ppp40 LCP: O CONFREQ [Stopped] id 1 len 19
Nov 19 16:08:48.231 IST: ppp40 LCP:
MRU 1492 (0x010405D4)
Nov 19 16:08:48.231 IST: ppp40 LCP:
AuthProto CHAP (0x0305C22305)
Nov 19 16:08:48.235 IST: ppp40 LCP:
MagicNumber 0x0F501712 (0x05060F501712)
Nov 19 16:08:48.235 IST: ppp40 LCP: O CONFACK [Stopped] id 0 len 14
Nov 19 16:08:48.235 IST: ppp40 LCP:
MagicNumber 0xA4E30BAF (0x0506A4E30BAF)
Nov 19 16:08:48.235 IST: ppp40 LCP:
MRU 1492 (0x010405D4)
Nov 19 16:08:48.235 IST: ppp40 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
Nov 19 16:08:48.235 IST: ppp40 LCP: I CONFACK [ACKsent] id 1 len 19
OL-16147-20
4-349
Chapter 4
Nov 19 16:08:48.235
Nov 19 16:08:48.235
Nov 19 16:08:48.235
Nov 19 16:08:48.235
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
Nov 19 16:08:48.243
LOCAL
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
0.0.0.0
Nov 19 16:08:48.247
0.0.0.0
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.247
Nov 19 16:08:48.251
Nov 19 16:08:48.251
Nov 19 16:08:48.251
Nov 19 16:08:48.251
Nov 19 16:08:48.251
Nov 19 16:08:48.251
Nov 19 16:08:48.251
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
182.0.0.1
Nov 19 16:08:48.255
Nov 19 16:08:48.255
182.0.0.1
Nov 19 16:08:48.255
Nov 19 16:08:48.255
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
ppp40 LCP:
MRU 1492 (0x010405D4)
ppp40 LCP:
AuthProto CHAP (0x0305C22305)
ppp40 LCP:
MagicNumber 0x0F501712 (0x05060F501712)
ppp40 LCP: Event[Receive ConfAck] State[ACKsent to Open]
ppp40 PPP: Phase is AUTHENTICATING, by this end
ppp40 CHAP: O CHALLENGE id 1 len 29 from "Router-DJ4"
ppp40 LCP: State is Open
ppp40 CHAP: I RESPONSE id 1 len 29 from "PPP_USER"
ppp40 PPP: Phase is FORWARDING, Attempting Forward
ppp40 PPP: Phase is AUTHENTICATING, Unauthenticated User
ppp40 IPCP: Authorizing CP
ppp40 IPCP: CP stalled on event[Authorize CP]
ppp40 IPCP: CP unstall
ppp40 PPP: Phase is FORWARDING, Attempting Forward
[40]PPPoE 40: State LCP_NEGOTIATION
Event SSS CONNECT
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
[40]PPPoE 40: Segment (SSS class): UPDATED

[40]PPPoE 40: Segment (SSS class): BOUND
[40]PPPoE 40: data path set to Virtual Acess
[40]PPPoE 40: State LCP_NEGOTIATION
Event SSM UPDATED
Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
Vi2.1 CHAP: O SUCCESS id 1 len 4
[40]PPPoE 40: AAA get dynamic attrs
Vi2.1 PPP: Phase is UP
Vi2.1 IPCP: Protocol configured, start CP. state[Initial]
Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]
Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10
Vi2.1 IPCP:
Address 100.0.0.1 (0x030664000001)
Vi2.1 IPCP: Event[UP] State[Starting to REQsent]
Vi2.1 IPCP: I CONFREQ [REQsent] id 0 len 10
Vi2.1 IPCP:
Address 0.0.0.0 (0x030600000000)
Vi2.1 IPCP AUTHOR: Start. Her address 0.0.0.0, we want
IST: Vi2.1 IPCP AUTHOR: Done.

IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
IST:
Her address 0.0.0.0, we want
Vi2.1 IPCP: Pool returned 182.0.0.1

Vi2.1 IPCP: O CONFNAK [REQsent] id 0 len 10
Vi2.1 IPCP:
Address 182.0.0.1 (0x0306B6000001)
Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
Vi2.1 IPCP:
Address 100.0.0.1 (0x030664000001)
Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
[40]PPPoE 40: State PTA_BINDING
Event STATIC BIND RESPONSE
[40]PPPoE 40: Connected PTA
Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 1 len 10
Vi2.1 IPCP:
Address 182.0.0.1 (0x0306B6000001)
Vi2.1 IPCP: O CONFACK [ACKrcvd] id 1 len 10
Vi2.1 IPCP:
Address 182.0.0.1 (0x0306B6000001)
Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Vi2.1 IPCP: Event[DOWN] State[Open to Starting]
Vi2.1 IPCP: Event[CLOSE] State[Starting to Initial]
Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]
Vi2.1 IPCP: O CONFREQ [Starting] id 2 len 10
Vi2.1 IPCP:
Address 100.0.0.1 (0x030664000001)
Vi2.1 IPCP: Event[UP] State[Starting to REQsent]
Vi2.1 IPCP: I CONFREQ [REQsent] id 2 len 10
Vi2.1 IPCP:
Address 182.0.0.1 (0x0306B6000001)
Vi2.1 IPCP AUTHOR: Start. Her address 182.0.0.1, we want
IST: Vi2.1 IPCP AUTHOR: Reject 182.0.0.1, using 182.0.0.1

IST: Vi2.1 IPCP AUTHOR: Done. Her address 182.0.0.1, we want
IST: Vi2.1 IPCP: O CONFACK [REQsent] id 2 len 10
IST: Vi2.1 IPCP:
Address 182.0.0.1 (0x0306B6000001)
4-350
OL-16147-20
Chapter 4

Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.255
Nov 19 16:08:48.275
is up)
Nov 19 16:08:48.275
182.0.0.1
Nov 19 16:08:48.275
Router-DJ4#
IST:
IST:
IST:
IST:
IST:
Vi2.1
Vi2.1
Vi2.1
Vi2.1
Vi2.1
IPCP:
IPCP:
IPCP:
IPCP:
IPCP:
Event[Receive ConfReq+] State[REQsent to ACKsent]

I CONFACK [ACKsent] id 2 len 10
Address 100.0.0.1 (0x030664000001)
Event[Receive ConfAck] State[ACKsent to Open]
State is Open (Indicates that the PPPoE session
IST: Vi2.1 Added to neighbor route AVL tree: topoid 0, address

IST: Vi2.1 IPCP: Install route to 182.0.0.1
interface GigabitEthernet9/17.1
ip address 180.0.0.1 255.255.255.0
ip address 192.0.0.1 255.255.255.0
pppoe enable group dj4_bba_group1
aaa
aaa
aaa
aaa
aaa
aaa
new-model
authentication login default group radius local
authentication ppp default local
authorization network default local
authorization subscriber-service default group radius
session-id common
bba-group pppoe dj4_bba_group1

virtual-template 1
sessions per-vc limit 16000
sessions per-mac limit 16000
sessions per-vlan limit 8000
interface Loopback1
ip address 100.0.0.1 255.255.255.255
interface Virtual-Template1
ip unnumbered Loopback1
no logging event link-status
peer default ip address pool PPPPool_1
no snmp trap link-status
keepalive 300
ppp authentication chap
Use the following commands to verify the PPPoE session:

Router-DJ4#sh pppoe summary
PTA : Locally terminated sessions
FWDED: Forwarded sessions
TRANS: All other sessions (in transient state)
TOTAL
PTA
FWDED
TOTAL
1
1
0
GigabitEthernet9/5
1
1
0
Router-DJ4#sh pppoe ses
Router-DJ4#sh pppoe session
1 session in LOCALLY_TERMINATED (PTA) State
1 session total
TRANS
0
0
Uniq ID
VT
42
PPPoE
SID
42
RemMAC
LocMAC
bb00.1912.0001
000c.31c9.7000
Port
Gi9/5.1
VLAN:
2
VA
VA-st
Vi2.1
UP
State
Type
PTA
OL-16147-20
4-351
Chapter 4
Router-DJ4#sh sss session uid 42 detailed

Unique Session ID: 42
Identifier: PPP_USER
SIP subscriber access type(s): PPPoE/PPP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:19:04, Last Changed: 00:19:04
Interface: Virtual-Access2.1
Policy information:
Context 137426FC: Handle 2400002A
AAA_id 00000038: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
Framed-Protocol
1 [PPP]
username
"PPP_USER"
Downloaded User profile, including services:
Framed-Protocol
1 [PPP]
username
"PPP_USER"
Config history for session (recent to oldest):
Access-type: PPP Client: SM
Policy event: Process Config Connecting
Profile name: apply-config-only, 2 references
Framed-Protocol
1 [PPP]
username
"PPP_USER"
Rules, actions and conditions executed:
subscriber rule-map PPPoE-SUB
condition always event session-start
1 service local
Configuration sources associated with this session:
Interface: Virtual-Template1, Active Time = 00:19:04
Router-DJ4# sh pppoe session packets
Total PPPoE sessions 1
SID
Pkts-In
42
12
Router-DJ4#
Pkts-Out
13
Bytes-In
184
Bytes-Out
190
Router-DJ4#sh cef int gig 9/5.1

GigabitEthernet9/5.1 is up (if_number 80)
Corresponding hwidb fast_if_number 80
Corresponding hwidb firstsw->if_number 25
Internet address is 192.0.0.1/24
ICMP redirects are always sent
IP unicast RPF check is disabled
Output features: MFIB Adjacency, HW Shortcut Installation
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is GigabitEthernet9/5
Fast switching type 28, interface type 146
IP CEF switching enabled
IP CEF switching turbo vector
IP Null turbo vector
IP prefix lookup IPv4 mtrie generic
Input fast flags 0x40000000, Output fast flags 0x0
ifindex 24(24)
Slot 9/0 (9) Slot unit 5 VC -1
IP MTU 1500
Use the following commands to configure IP session:
4-352
OL-16147-20
Chapter 4

aaa new-model
!
aaa session-id common
!
no ip address
load-interval 30
!
interface GigabitEthernet2/9.1 access
ip address 182.0.0.1 255.255.255.0
ip subscriber routed
initiator unclassified ip-address
!
no ip address
load-interval 30
!
ip address 180.0.0.1 255.255.255.0
!
no ip http server
no ip http secure-server
!
arp 182.0.0.2 aa00.0000.0001 ARPA
arp 180.0.0.2 0000.0000.0001 ARPA
!
Use the following commands to debug IP session:

ISG_NMB#sh deb
CWAN iEdge RP:
CWAN iEdge RP debug debugging is on
IP Subscriber:
all IP subscriber debugs debugging is on
ISG_NMB#
Nov 19 16:02:46.087 IST: IPSUB_DP: [Gi2/9.1:I:CEF:DFL:21.0.0.1] Packet triggers
session initiation
Nov 19 16:02:46.087 IST: IPSUB_DP: [Gi2/9.1:I:CEF:DFL:21.0.0.1] Packet classified,
results = 0x1
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Insert new entry for mac 0000.1500.0001
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Processing new in-band session request
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Delete mac entry 0000.1500.0001
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] In-band session request event for session
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Added upstream entry into the classifier
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] VRF = DFL, IP = 21.0.0.1, MASK =
255.255.255.255
Nov 19 16:02:46.087 IST: IPSUB: Try to create a new session
Nov 19 16:02:46.087 IST: IPSUB: IPSUB: Check IP DHCP session recovery: 21.0.0.1
Gi2/9.1 mac aa00.0000.0001
Nov 19 16:02:46.087 IST: IPSUB: IPSUB: No DHCP binding found
Nov 19 16:02:46.087 IST: IPSUB: [uid:0] IPSUB: Proceed to create the IP inband session
Nov 19 16:02:46.087 IST: IPSUB: [uid:0] Request to create a new session
Nov 19 16:02:46.087 IST: IPSUB: [uid:0] Session start event for session
Nov 19 16:02:46.087 IST: IPSUB: [uid:0] Event session start, state changed from idle
to requesting
Nov 19 16:02:46.087 IST: IPSUB: HA[uid:32]: Session init-notification on Active
Nov 19 16:02:46.087 IST: IPSUB: HA[uid:32]: Allocated SHDB handle (0xF1000020)
Nov 19 16:02:46.087 IST: IPSUB: HA[uid:32]: Successfully initialized for HA
Nov 19 16:02:46.087 IST: IPSUB: [uid:32] AAA unique ID allocated
Nov 19 16:02:46.087 IST: IPSUB: [uid:32] Added session 21.0.0.1 to L3 session table
OL-16147-20
4-353
Chapter 4
Nov 19 16:02:46.087 IST: IPSUB: [uid:32] Added session to session table with access
session keys
Nov 19 16:02:46.087 IST: IPSUB: [uid:32] IP session(0x63000020) to be associated to
Gi2/9.1
Nov 19 16:02:46.087 IST: IPSUB: [uid:32] Inserted IP session(0x63000020) to
sessions-per-interface db with interface Gi2/9.1
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Sent message to control plane for in-band
session creation
Nov 19 16:02:46.087 IST: IPSUB_DP: [uid:0] Event inband-session, state changed from
idle to intiated
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Recieved Message = connect local
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Connect Local event for session
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Event connect local, state changed from
requesting to waiting
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Inside processing IPSIP info
Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Checking whether routes to be
inserted/removed
Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Context not present, creating context
Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Entered the sg subrte context alloc
Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Returning the sg subrte context
0x1348DD20
Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Added Fib Prefix [DFL]:
21.0.0.1/255.255.255.255
Nov 19 16:02:46.091 IST: IPSUB-ROUTE: [uid:32] Both IP addresses and VRF are same, no
need to add route
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Keys not changed, seg needn't be updated
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Key list to be created to update SM
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Created key list to update SM
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Session Keys Available event for session
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Event session keys available, state changed
from waiting to provisioning
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Access and service keys same, no need to add
session with service keys
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Data plane prov successful event for session
Nov 19 16:02:46.091 IST: IPSUB: [uid:32] Event dataplane prov successful, state
changed from provisioning to connected
Nov 19 16:02:46.091 IST: IPSUB: HA[uid:32]: Session up notification
Nov 19 16:02:46.091 IST: IPSUB: HA[uid:32]: Session ready to sync data (0xF1000020)
Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:0] Setup event for session (session hdl
3858759691)
Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Added downstream entry into the classifier
255.255.255.255
Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Session setup successful
Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Event setup-session, state changed from
intiated to established
Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Activate event for session
Nov 19 16:02:46.091 IST: IPSUB_DP: [uid:32] Event activate-session, state changed from
established to connected
Use the following commands to verify IP session:

ISG_NMB#sh ip sub
Displaying subscribers in the default service vrf:
Type
Subscriber Identifier
Display UID
----------------------------------------routed
21.0.0.1/32
[32]
ISG_NMB#
ISG_NMB#sh sss sess
Current Subscriber Information: Total sessions 1
Uniq ID Interface
State
Service
Status
-----up
Identifier
Up-time
4-354
OL-16147-20
Chapter 4

32
IP
unauthen
Local Term
21.0.0.1
00:02:40
ISG_NMB#sh sss sess uid 32

Identifier: 21.0.0.1
SIP subscriber access type(s): IP
Policy information:
Authentication status: unauthen
Interface: GigabitEthernet2/9.1, Active Time = 00:02:46
ISG_NMB#sh sss sess uid 32 de
ISG_NMB#sh sss sess uid 32 detailed
Identifier: 21.0.0.1
Policy information:
Context 133B22FC: Handle DF000020
Following details is for a L2-connected DHCP session on Dot1Q interface:========================================================================
Use the following commands to configure L2-connected DHCP session:

aaa new-model
!
!
aaa session-id common
!
!
!
clock timezone IST 5
ip source-route
!
!
ip dhcp excluded-address 182.0.0.11 182.0.0.15
no ip dhcp ping packets
!
ip dhcp pool pool_global1
network 182.0.0.0 255.255.255.240
lease 0 0 3
update arp
!
!
!
interface Loopback10
ip address 182.0.0.11 255.255.255.255
!
!
OL-16147-20
4-355
Chapter 4
no ip address
load-interval 30
!
interface GigabitEthernet2/9.1 access
ip unnumbered Loopback10
ip subscriber l2-connected
initiator dhcp class-aware
!
no ip address
load-interval 30
!
ip address 180.0.0.1 255.255.255.0
!
!
no ip http server
no ip http secure-server
ip route 7.0.0.0 255.0.0.0 7.38.0.1
ip route 202.153.0.0 255.255.0.0 7.38.0.1
!
!
Use the following commands to debug L2-connected DHCP session:

ISG_NMB#sh deb
DHCP server packet debugging is on.
DHCP server event debugging is on.
IP Subscriber:
IP subscriber events debugging is on
IP subscriber errors debugging is on
IP subscriber packets debugging is on
ISG_NMB#
Nov 19 15:40:33.595 IST: IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Packet classified,
results = 0x40
Nov 19 15:40:33.595 IST: IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Rx driver allowing
IP routing
Nov 19 15:40:33.595 IST: DHCPD: Reload workspace interface GigabitEthernet2/9.1
tableid 0.
Nov 19 15:40:33.595 IST: DHCPD: tableid for 182.0.0.11 on GigabitEthernet2/9.1 is 0
Nov 19 15:40:33.595 IST: DHCPD: client's VPN is .
Nov 19 15:40:33.595 IST: DHCPD: Sending notification of DISCOVER:
Nov 19 15:40:33.595 IST:
DHCPD: htype 1 chaddr aa00.1314.0001
Nov 19 15:40:33.595 IST:
DHCPD: remote id 020a0000b600000b21010002
Nov 19 15:40:33.595 IST:
DHCPD: interface = GigabitEthernet2/9.1
Nov 19 15:40:33.595 IST:
DHCPD: class id 49786961
Nov 19 15:40:33.595 IST: IPSUB: Create session keys from SSS key list
Nov 19 15:40:33.595 IST: IPSUB: Mac_addr = aa00.1314.0001, Recvd Macaddr =
aa00.1314.0001
Nov 19 15:40:33.599 IST: IPSUB: Session input interface(0x13348754) =
GigabitEthernet2/9.1
Nov 19 15:40:33.599 IST: IPSUB: SHDB Handle = 5A00000B
Nov 19 15:40:33.599 IST: IPSUB: Remote_id = 020a0000b600000b21010002
Nov 19 15:40:33.599 IST: IPSUB: Vendor_Class_id = Ixia
Nov 19 15:40:33.599 IST: DHCPD: DHCPDISCOVER received from client 01aa.0013.1400.01 on
interface GigabitEthernet2/9.1.
Nov 19 15:40:33.599 IST:
4-356
OL-16147-20
Chapter 4

Nov 19 15:40:33.599 IST:

Nov 19 15:40:33.599 IST:
Nov 19 15:40:33.599 IST:
Nov 19 15:40:33.599 IST: DHCPD: Saving workspace (ID=0x8900000B)
Nov 19 15:40:33.599 IST: DHCPD: New packet workspace 0x1333D0D8 (ID=0x2700000C)
Nov 19 15:40:33.599 IST: IPSUB: Try to create a new session
Nov 19 15:40:33.599 IST: IPSUB: [uid:0] Request to create a new session
Nov 19 15:40:33.599 IST: IPSUB: [uid:0] Session start event for session
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] AAA unique ID allocated
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Added session aa00.1314.0001 to L2 session
table
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Added session to session table with access
session keys
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] IP session(0xC500000B) to be associated to
Gi2/9.1
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Inserted IP session(0xC500000B) to
sessions-per-interface db with interface Gi2/9.1
Nov 19 15:40:33.599 IST: DHCPD: Callback for workspace (ID=0x8900000B)
Nov 19 15:40:33.599 IST: DHCPD: No authentication required. Continue
Nov 19 15:40:33.599 IST: DHCPD: Callback: class '' now specified for client
01aa.0013.1400.01
Nov 19 15:40:33.599 IST: DHCPD: Reprocessing saved workspace (ID=0x8900000B)
Nov 19 15:40:33.599 IST: DHCPD: Reload workspace interface GigabitEthernet2/9.1
tableid 0.
Nov 19 15:40:33.599 IST: DHCPD: tableid for 182.0.0.11 on GigabitEthernet2/9.1 is 0
Nov 19 15:40:33.599 IST: DHCPD: client's VPN is .
Nov 19 15:40:33.599 IST:
Nov 19 15:40:33.599 IST:
Nov 19 15:40:33.599 IST:
Nov 19 15:40:33.599 IST:
Nov 19 15:40:33.599 IST: DHCPD: Adding binding to radix tree (182.0.0.1)
Nov 19 15:40:33.599 IST: DHCPD: Adding binding to hash tree
Nov 19 15:40:33.599 IST: DHCPD: assigned IP address 182.0.0.1 to client
01aa.0013.1400.01. (13 1)
Nov 19 15:40:33.599 IST: DHCPD: DHCPOFFER notify setup address 182.0.0.1 mask
255.255.255.240
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] IP session context 0x133D28C8 available to
authorize
Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Entered allocate feature info
Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Allocated sg vrfset info 0x13488EE0
Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Freeing the sg vrfset info 0x13488EE0
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] IPSIP Parsing HostIP: 182.0.0.1 SubnetMask=
255.255.255.255
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Recieved Message = connect local
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Connect Local event for session
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Processing IPSIP info: 0x1330208C (APPLY)
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Got IP address- IP:-182.0.0.1
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Set IP address- IP:-182.0.0.1
Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] Applying SG VRFSET info
Nov 19 15:40:33.599 IST: IPSUB-VRFSET: [uid:11] DHCP Initiated session, no config,
ignore
inserted/removed
Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Context not present, creating context
Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Entered the sg subrte context alloc
Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Returning the sg subrte context
0x1348DD04
Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Installed ARP entry [DFL]: 182.0.0.1
Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Added Fib Prefix [DFL]:
182.0.0.1/255.255.255.255
OL-16147-20
4-357
Chapter 4
Nov 19 15:40:33.599 IST: IPSUB-ROUTE: [uid:11] Route insert not required for DHCP
hosts with IP unnumbered config on: GigabitEthernet2/9.1
need to add route
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Found that seg to be updated with new session
keys
Nov 19 15:40:33.599 IST: IPSUB: [uid:11]
Update IP-Address-VRF key: 182.0.0.1:0
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Found address change to be notified
Nov 19 15:40:33.599 IST: IPSUB: [uid:11] Session Keys Available event for session
Nov 19 15:40:33.603 IST: IPSUB: [uid:11] Added session 182.0.0.1 to L3 session table
Nov 19 15:40:33.603 IST: IPSUB: [uid:11] Added session to session table with service
session keys
Nov 19 15:40:33.603 IST: IPSUB: [uid:11] Recieved Message = update SIP config
Nov 19 15:40:33.603 IST: IPSUB: [uid:11] Config Update event for session
inserted/removed
Nov 19 15:40:33.603 IST: IPSUB-ROUTE: [uid:11] Ctx present, No config change, Nothing
to be done
need to add route
Nov 19 15:40:33.603 IST: IPSUB: [uid:11] Keys not changed, seg needn't be updated
Nov 19 15:40:33.603 IST: IPSUB: [uid:11] Notifying about address change: 182.0.0.1
Nov 19 15:40:33.603 IST: DHCPD: Callback for workspace (ID=0x8900000B)
Nov 19 15:40:33.603 IST: DHCPD: Callback: switching path now setup for client
01aa.0013.1400.01
Nov 19 15:40:33.603 IST: DHCPD: Reprocessing saved workspace (ID=0x8900000B)
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST: DHCPD: Found previous server binding
Nov 19 15:40:33.603 IST: DHCPD: Sending DHCPOFFER to client 01aa.0013.1400.01
(182.0.0.1).
Nov 19 15:40:33.603 IST: DHCPD: ARP entry exists (182.0.0.1, aa00.1314.0001).
Nov 19 15:40:33.603 IST: DHCPD: unicasting BOOTREPLY to client aa00.1314.0001
(182.0.0.1).
Nov 19 15:40:33.603 IST: DHCPD: unicast BOOTREPLY output i/f override
Nov 19 15:40:33.603 IST: IPSUB_DP: [Gi2/9.1:O:PROC:DFL:182.0.0.1] Packet classified,
results = 0x0
Nov 19 15:40:33.603 IST: DHCPD: removing ARP entry (182.0.0.1 vrf default).
Nov 19 15:40:33.603 IST: DHCPD: Freeing saved workspace (ID=0x8900000B)
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:0] Setup event for session (session hdl 0)
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:0] Insert new entry for mac aa00.1314.0001
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Added upstream entry into the classifier
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] MAC = aa00.1314.0001
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Added downstream entry into the classifier
255.255.255.255
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Session setup successful
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Sent update msg to the control plane
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:11] Activate event for session
Nov 19 15:40:33.603 IST: IPSUB_DP: [uid:0] Found mac entry aa00.1314.0001
4-358
OL-16147-20
Chapter 4

Nov 19 15:40:33.603 IST:

results = 0x40
Nov 19 15:40:33.603 IST:
IP routing
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
tableid 0.
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
(182.0.0.1).
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.603 IST:
Nov 19 15:40:33.607 IST:
Nov 19 15:40:33.607 IST:
Nov 19 15:40:33.607 IST:
Nov 19 15:40:33.607 IST:
(182.0.0.1).
Nov 19 15:40:33.607 IST:
Nov 19 15:40:33.607 IST:
results = 0x10
IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Packet classified,

IPSUB_DP: [Gi2/9.1:I:PROC:aa00.1314.0001] Rx driver allowing
DHCPD: input i/f override GigabitEthernet2/9.1 for client
DHCPD: Reload workspace interface GigabitEthernet2/9.1
DHCPD: tableid for 182.0.0.11 on GigabitEthernet2/9.1 is 0
DHCPD: client's VPN is .
DHCPD: DHCPREQUEST received from client 01aa.0013.1400.01.
DHCPD: Sending notification of ASSIGNMENT:
DHCPD: address 182.0.0.1 mask 255.255.255.240
DHCPD: lease time remaining (secs) = 180
DHCPD: Sending DHCPACK to client 01aa.0013.1400.01
DHCPD: lease time = 180
DHCPD: dhcpd_lookup_route: host = 182.0.0.1
DHCPD: dhcpd_lookup_route: index = 183
DHCPD: dhcpd_create_and_hash_route: host = 182.0.0.1
DHCPD: dhcpd_create_and_hash_route index = 183
DHCPD: dhcpd_add_route: lease = 180
DHCPD: ARP entry exists (182.0.0.1, aa00.1314.0001).
DHCPD: Changing arp entry 182.0.0.1 to secure arp entry
DHCPD: Failed to secure arp entry 182.0.0.1
DHCPD: unicasting BOOTREPLY to client aa00.1314.0001
DHCPD: unicast BOOTREPLY output i/f override
IPSUB_DP: [Gi2/9.1:O:PROC:DFL:182.0.0.1] Packet classified,
Use the following commands to verify L2-connected DHCP session:

ISG_NMB#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address
Client-ID/
Lease expiration
Hardware address/
User name
182.0.0.1
01aa.0013.1400.01
Nov 19 2009 03:45 PM
Type
Automatic
ISG_NMB#sh sss session

Current Subscriber Information: Total sessions 1
Uniq ID Interface
11
IP
State
unauthen
Service
Local Term
Identifier
aa00.1314.0001
Up-time
00:00:58
ISG_NMB#sh sss session uid 11

Identifier: aa00.1314.0001
Policy information:
ISG_NMB#sh sss session uid 11 de
OL-16147-20
4-359
Chapter 4
Identifier: aa00.1314.0001
Policy information:
Context 133B2154: Handle 9000000B
Troubleshooting
The following troubleshooting scenarios are applicable to the broadband technology area:
Problem
Solution
When a subinterface is configured for IP sessions Use the show and debug commands to confirm if
the ISG policymap configuration is correct.
and the ISG policy map has been configured to
perform some actions, the IP session does not
come up.
A subinterface is configured for IP sessions
initiator DHCP. ISG policymap applied on
subinterface is for Transparent Autologon (TAL).
The user profile downloaded has the classname
pointing to DHCP pool and the session is not
initiated.
Check if the DHCP pool referred by the

downloaded classname in the user profile is not in
the same subnet as the subinterface loopback
interface. If yes, correct the subnet value to
re-initiate the session.
10 ports on twov2 SPAs are connected to traffic Mark the preceding values in video class of
service to 6 or 7.
generator on access side. One 10 Gigabyte port
(6704 card) is connected to the TGEN on the core
side.Traffic for triple play (video, voice and data)
is being sent on egress. The line card is heavily
oversubscribed voice : 400 Mbps, Video : 3
Gbps, Data : 5 Gbps. Despite video and voice
being classified as priority, video traffic drops
while data traffic is stable.
An IP session is enabled on a subinterface where Check the adjacencies and use the ARP to locate
the problem.
the DHCP initiator is configured in a routed
mode.Traffic in the upstream and downstream
directions is enabled. The traffic generator
indicates that traffic is not received and is dropped
by router and the traffic generator on the access
side does not respond to the Address Resolution
Protocol (ARP).
A subinterface is configured for an IP session and
an ISG policymap configured with police,
default-drop actions is applied. Once the session
is enabled, it is automatically disabled within a
few seconds.
The ISG policymap actions force the session to

authenticate and disconnect after 5 seconds if
authentication fails as radius server does not
authenticate the session. Use the test aaa
command to check if the radius authenticates the
sesssions.
4-360
OL-16147-20
Chapter 4

Problem
Solution
IP session is disabled before the specific time
Use the show ip subscriber command with the

dangling keyword to display dangling sessions.
The seconds argument allows you to specify how
long the session has to remain unestablished
before it is considered dangling.
Issues with trace subscriber sessions, errors,

To enable ISG IP subscriber session debugging,
events, session state changes, and session packets use the debug ip subscriber command in
in the ISG IP subsriber sessions.
privileged EXEC mode.
If a policy-map is applied on the sub-interface and Apply the QoS policy-map either on the session or
a QoS session is enabled, the session is initiated, on the sub-interface, but not on both at the same
but QoS is not installed on it.
time.
Problem
Solution
Check if you have configured the CoS inner and

When you set classification and marking on an
ISG subscriber session, an error is displayed when ACL combination. If yes, unconfigure and
reconfigure them separately.
the session is initiated.
Class SSS: (QoS) - install error is displayed.
The error could be a problem with the QoS

installation on the session due to:
Invalid QoS policymap
QoS session is already applied on the

subinterface.
If both these checks are negative, contact TAC.

Multiple issues with Control Plane Policing
installation and rate limiting.
Use the show platform copp rate-limit

<arp|dhcp|all> exec-mode command to display
the list of interfaces on which a rate limiter is
active for the given protocol(s) (either for a single
protocol , or for all protocols) along with the
count of conformed or exceeded packets for the
rate limiter. Remaining observation period is
displayed on rate limiter enabled interfaces.
Packets are not limited by rates
Ensure that the interface is enabled and check for

these conditions:
Check the class-map and ensure that it has the

right protocol and keyword access.
Check the policy-map and ensure that it has

the right class-map.
Check if the conform-action is set to

transmit to avoid rate-limited packet drops.
Ensure that the service-policy is applied on

all the access subinterfaces.
Use the show platform copp rate-limit

<protocol-name> command to check if the
policers are configured in the protocol and
rate value is configured within the policy
map.
OL-16147-20
4-361
Chapter 4
Per Subscriber Session Call Admission Control (CAC)

In broadband networks, ISG might receive a large number of incoming requests during peak hours. Each
session that attempts to establish a connection on the ISG consumes a considerable amount of CPU and
memory resources of the ISG. External resources, such as a remote authentication dial in user service
(RADIUS) might not be able to handle all the requests that ISG generates. Accepting too many calls
might make the router inefficient in its operation, overloading its own CPU, and also RADIUS. Per
subscriber session CAC is a function that protects the router and external peripherals from getting
overloaded by limiting the number of incoming calls based on CPU and session charges that a router can
establish.
The route processor (RP) in the ISG checks CPU utilization and session charges to determine if a call
should be accepted or rejected as follows:
CPU utilizationThe RP uses the 5-second average system variable that provides a cumulative
average of the CPU usage percentage over a period of one minute to determine the average CPU
usage percentage allowed on the system and compares that to the current CPU load. The CAC
accepts the call only if the current CPU load is below the system variable limit, else rejects the call.
Session chargesThe RP compares the existing outstanding session charges to a user-configurable

system variable. The CAC accepts the call and adds the session charges only if the session charges
are below the system variable limit, else CAC rejects the call.
Restrictions and Guidelines

The restrictions and guidelines for per subscriber session CAC is given as follows:
CAC is supported on PPPoE and IP sessions. For PPPoE sessions, both CPU and session charge
based CAC is available. On IP sessions, only CPU based CAC is supported.
DHCP sessions are not supported for CAC.
Implementing CAC
The CAC implementation impacts two queues - the First Sign of Life (FSOL) queue and the FSOL
control queue. The default values for the FSOL queue and FSOL control queue are given in Table 4-43.
Whenever the CAC starts, the configured queue values for the actual FSOL and FSOL control queues
are saved and the default values in Table 4-43 are installed on the line card. Whenever the CAC is
stopped, the configured values (the values that are saved when the CAC is started) are restored. You can
use the hw-module slot slot_num rate-limit fsol_rate rate command to configure the queue values. If
you execute the command and configure the queue values while CAC is on, the new values overwrite the
existing queue values that are saved and when the CAC is stopped, the new values are installed.
The CAC is implemented at the queue level even though the configuration accepts rate limit. The
configuration changes are applied on a per network processor (NP) basis.
Table 4-43
Default Values for the FSOL Queues
Queue Name
Queue Depth
Shape Rate in bps
CAC Status
Actual FSOL
100
40000
Off
FSOL control
900
360000
Off
4-362
OL-16147-20
Chapter 4

Queue Name
Queue Depth
Shape Rate in bps
CAC Status
Actual FSOL
100
4000
On
FSOL control
900
36000
On
Configuring Per Subscriber Session CAC

To configure per subscriber session CAC, perform these steps:
Summary Steps
1.
enable
2.
configure terminal
3.
call admission new-model
4.
call admission cpu-limit limit
or
5.
call admission limit charge
6.
call admission type charge lifetime
7.
end
Detailed Steps
Step 1
Command
Purpose
enable

prompted.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
call admission new-model
Enables the new model of CAC.
Example:
Router(config)# call admission
new-model
OL-16147-20
4-363
Chapter 4
Step 4
Command
Purpose
call admission cpu-limit limit
Configures CAC based on CPU utilization.
Example:
limit- The maximum CPU threshold at which CAC rejects

calls, expressed as a percentage of the CPU load. Valid
range is from 0 to 100 percent.
Router(config)# call admission

cpu-limit 90
Ensure that you do not set the CPU threshold

value too low. The recommended value is between
80 to 90 percent.
Note
or
Step 5
call admission limit charge
Configures CAC based on the session charge by

specifying the maximum value of the total outstanding
session charges to start CAC and reject calls.
Example:
charge- The the maximum value of the outstanding

session charges. Valid values are from 0 to 100,000.
Router(config)# call admission limit 90
Step 6
call admission type charge lifetime
Example:
Router(config)# call admission pppoe 10 1
Step 7
end
Specifies the call charge to add per session.
type - Specifies the type of session charge profile.
charge - Specifies the per-session charge. Valid

values are from 0 to 1000. The recommended value is
10.
lifetime- Specifies the session lifetime. Valid values

are from 1 to 31. The recommended value is 1.
The following example configures a charge of 10 per session and a call admission limit of 50, which
allows calls at a rate of 5 calls per second:
Router# enable
Router(config)# call admission new-model
Router(config)# call admission limit 50
Router(config)# call admission pppoe 10 1
Router# end
Verifying and Monitoring Per Subscriber Session CAC

To verify and monitor per subscriber session CAC, use either of these commands in privileged EXEC
mode:
4-364
OL-16147-20
Chapter 4

Command
Purpose
show call admission statistics
Displays statistical information about CAC

operation and whether the new CAC model is
enabled or not.
show platform isg fsol-queue-statistics
Displays the number of packets dropped in a line

card for a specific queue. This command is
available only on ES+ line cards.

The Private Hosts feature allows automatic insertion of router Switched Virtual Interface (SVI) MAC
into the Private Hosts configuration. Private Hosts track the Layer 2 port that a server is connected to
and limits undesired traffic through the MAC-layer ACLs. Hosts can carry multiple traffic types through
the trunk port, remain isolated from each other, and still communicate to a common server. For more
information on this feature and on Private Hosts, see Cisco 7600 Series Cisco IOS Software
Configuration Guide, 15.0SR at
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/pacl.html
Configuring Unidirectional Link Detection (UDLD) on Ports with

EVCs
UDLD (Unidirectional Link Detection) is a Layer 2 protocol that interacts with a Layer 1 protocol to
determine the physical status of a link. At Layer 1, physical signaling and fault detection is
auto-negotiated. UDLD detects the neighbor link, identifies, and disables the wrongly connected LAN
ports. When you enable auto-negotiation and UDLD, Layer 1 and Layer 2 detections prevent physical
and logical unidirectional connections, and malfunctioning of other protocols.
A unidirectional link occurs when the neighbor link receives the traffic transmitted by the local device,
but the local device does not receive the transmitted traffic from its neighbor. If auto-negotiation is
active, and one of the fiber strands in a pair is disconnected, the link is disabled. The logical link is
undetermined, and UDLD does not take any action. At Layer 1, if both fibers are normal, UDLD at Layer
2 determines if the fibers are accurately connected, and traffic is relayed bidirectionally between the
right neighbors. In this scenario, auto-negotiation operates in Layer 1, and the link status is unchecked.
The UDLD protocol monitors physical configuration of the cables, and detects unidirectional links of
devices connected to LAN ports via Ethernet cables. When a unidirectional link is detected, UDLD
disables the affected LAN port, and alerts the user.
The Cisco 7600 series router periodically transmits UDLD packets to neighboring devices on LAN ports
with UDLD. If the packets are returned within a specific time frame, and there is no acknowledgement,
the link is flagged as unidirectional, and the LAN port is disabled.

Follow these restrictions and usage guidelines while configuring UDLD on ports with EVCs:
OL-16147-20
4-365
Chapter 4
Note
You can configure UDLD only on a port.
To identify and disable the unidirectional links, devices at both ends must support UDLD.
Service bridge domain should be available on the router.
Any of the supported EVC encapsulation can be configured.
If UDLD is enabled on an EVC port with service type connect or xconnect and encapsulation type
default or untagged, the port is disabled.
For more information on UDLD, see the Cisco 7600 Series Cisco IOS Software Configuration Guide,
12.2SR at the following URL:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/udld.html
Configuring UDLD Aggressive Mode

As UDLD aggressive mode is disabled by default, you can configure UDLD aggressive mode in
point-to-point links between network devices that support UDLD aggressive mode.
When UDLD aggressive mode is enabled:
A port on a bidirectional link with UDLD neighbor relationship does not receive UDLD packets.
UDLD tries to reestablish the connection with the neighbor.
After eight failed retries, the port is disabled.
To prevent spanning tree loops, ensure that you set the non aggressive UDLD value interval to 15
seconds. This disables the unidirectional link before blocking the port transitions in the forwarding state
(with default spanning tree parameters).
The benefits of enabling UDLD aggressive mode are:
Port on one side of a link is disabled (both Tx and Rx).
One side of a link is enabled even if the other side of the link fails.
In the above scenario, UDLD aggressive mode disables the port that prevents traffic from being
discarded.
If UDLD...
Then the...
Detects a unidirectional link,
interface with its EVCs are disabled.
Is enabled on a port with an EVC bridge-domain, selected EVC is not shut down, and prevents the
and encapsulation value set to default or
port from being disabled.
untagged,
Enabling UDLD on Ports With EVC Configured

SUMMARY STEPS
1.
enable
2.
configure terminal
4-366
OL-16147-20
Chapter 4

3.
{udld | no udld} enable aggressive
4.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable

prompted.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
{udld | no udld} enable aggressive
Enables the UDLD aggressive mode.
Example:
Router# udld enable aggressive
Step 4
exit
SUMMARY STEPS
1.
interface type/ slot/ port
2.
{udld port | no udld port } aggressive
3.
show udld type/ slot/ port
4.
exit
DETAILED STEPS
Command
Step 1
interface
Purpose
type/ slot/ port
Selects the LAN port to configure.
Example:
Router(config)# gigethernet 1/0/0
Step 2
{udld port | no udld port } aggressive
Example:
Router(config-if)# udld port aggressive
Router(config-if)# no udld port
aggressive
Enables a UDLD on a specific LAN port. Enter the

aggressive keyword to enable aggressive mode. On a
fiber-optic LAN port, this command overrides the udld
enable global configuration command.
Or
Disables a UDLD on a non- fiber-optic LAN port.
OL-16147-20
4-367
Chapter 4
Command
Step 3
show udld
Purpose
type/ slot/ port
Verifies the configuration.
Example:
Router# show udld 1/0/0
Step 4
exit
Disabling Individual UDLD on Ports With EVC Configured

SUMMARY STEPS
1.
interface type/ slot/ port
2.
{udld port | no udld port } disable
3.
show udld type/ slot/ port
4.
exit
DETAILED STEPS
Command
Step 1
interface
Purpose
type/ slot/ port}
Selects the LAN port to configure.
Example:
Router(config)# gigethernet 1/0/0
Step 2
{udld port | no udld port } disable
Disables a UDLD on the LAN port.

Or
Example:
Router(config-if)# udld port disable
Router(config-if)# no udld port disable
Reverts to the udld enable global configuration

command setting.
Note
Step 3
show udld
type/ slot/ port
This command is supported only on fiber-optic

LAN ports.
Verifies the configuration.
Example:
Router# show udld 1/0/0
Step 4
exit
Resetting Disabled UDLD on Ports With EVC Configured

SUMMARY STEPS
1.
udld reset
4-368
OL-16147-20
Chapter 4

DETAILED STEPS
Step 1
Command
Purpose
udld reset
Resets all the LAN ports disabled by UDLD.
Example:
Router# udld reset
Example
This example displays the global configuration values at router 1:
Router(config)#udld enable
This example displays the ESM20 port at router 1:

Router(config)# inter gi 2/0/1
Router(config-if)# udld port aggressive
Router(config-if-srv)# rewrite ingess tag translate 1-to2 dot1q 5 second-dot1q 5 symmetric
This example displays the configuration for a port that is part of a port channel:
Router(config)#interface Port-channel1
Router(config-if)#no ip address
Router(config-if)#encapsulation untagged
Router(config-if)#bridge-domain 100
Router(config)#interface GigabitEthernet3/0/13
Router(config-if)#ip arp inspection limit none
Router(config-if)#no ip address
Router(config-if)#udld port aggressive
Router(config-if)#no mls qos trust
Router(config-if)#channel-group 1 mode on
Verification
Use the show udld and show udld interface commands to verify the UDLD configuration:
Router(config)show udld gi 3/0/13
Interface Gi1/3
---Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
--Expiration time: 37
Cache Device index: 1
Current neighbor state: Bidirectional
Device ID: 011932118C0
OL-16147-20
4-369
Chapter 4
Port ID: Gi1/1

Neighbor echo 1 device: 0FF71CA880
Neighbor echo 1 port: Gi1/3
Message interval: 15
Time out interval: 5
CDP Device name: rish2

Dynamic Ethernet Service Activation (DESA) is an integration of Ethernet Virtual Connection (EVC)
and Intelligent Service Gateway (ISG) to automate the provisioning of Layer 2 services in carrier
ethernet networks. Effective from Cisco IOS release 15.1(2)S, ethernet accounting and dynamic Layer
2 session provisioning functions of the DESA are supported.
Ethernet accounting exposes the ethernet traffic to billing systems through accounting interfaces and
policies. Using ethernet accounting, service providers can track the usage of the services, create usage
based or prepaid service profiles, and provide a traceable accountability for SLA enforcement.
Dynamic Layer 2 provisioning reduces the operating expenses for service providers by easing the
provisioning process and also allows them to play an active role in defining their services. Dynamic
Layer 2 provisioning exposes the creation of Layer 2 services to the Authentication Authorization and
Accounting (AAA) subsystem to enable centralized service policy initiation and customizes service
profiles. After receiving the First Sign of Life (FSOL) frames, the creation and provisioning of Layer 2
customer interfaces is automated after proper authentication and authorization.

Follow these restrictions and guidelines for configuring DESA:
Note
DESA is supported only on ES+ line cards and RSP 720.
Traffic classes are not supported.
Ethernet accounting is limited by the network resources available on the line card.
Use the hw-module slot slot_num rate-limit fsol_rate rate command to configure the FSOL rate on
ES+ line cards. The default FSOL rate is 40000 bps. Both broadband and EFP FSOLs use the same FSOL
queue, hence FSOL rate limiter rate limits the total number of FSOLs it receives from both EFP and
broadband.
Configuring Dynamic Ethernet Service Activation Support on C7600

The configuration steps for DESA vary depending on whether you are creating a dynamic ethernet
session or static ethernet session.
Configuring DESA for a Dynamic Ethernet Session

Complete these steps to configure DESA for a dynamic ethernet session.
4-370
OL-16147-20
Chapter 4

Summary Steps
1.
enable
2.
configure terminal
3.
policy-map type control policy-map-name
4.
class type control always event session-start
5.
action-number authorize identifier identifier-type [plus identifier-type]
6.
interface gigabit ethernet slot/port

or
interface tengigabit ethernet slot/port
7.
service instance dynamic id ethernet
8.
encapsulation dot1q vlan-id second-dot1q vlan-id-range
9.
ethernet subscriber [session {watermark| maximum} limit number]
10. initiator {unclassified vlan}

11. service-policy type control policy-map-name
12. end
Detailed Steps
Command
Purpose
Step 1
enable
Router> enable

password.
Step 2
configure terminal
Example:
Step 3
policy-map type control

policy-map-name
Creates or modifies a control policy map, which is used to

define a control policy.
Example:
Router(config)# policy-map type
control policy1
Step 4
class type control always event

session-start
Specifies a control class, which defines the conditions

that must be met in order for an associated set of actions
to be executed.
Example:
Router(config-control-policy-map)#cl
ass type control always event
session-start
OL-16147-20
4-371
Chapter 4
Step 5
Command
Purpose
action-number authorize identifier

identifier-type [plus
identifier-type]
Inserts the specified identifier into the authorization

requests.
Router(config-control-policymap-clas
s-control)# 1 authorize identifier
stag-type [plus stag-vlan-id]
Step 6

or
interface tengigabit ethernet
slot/port
Specifies the gigabit ethernet or tengigabit ethernet

Example:
ethernet 4/1
Step 7
service instance dynamic id ethernet
Defines the service instance as an ethernet layer 2 context

that is used to detect the FSOL frames.
Example:
id - An integer between 1 to 100.
Router(config-if-srv)# service instance dynamic 1 ethernet
Step 8
Step 9

second-dot1q vlan-id-range
dot1q 124 second-dot1q 2001-4000
Defines the matching criteria to map dot1Q ingress

ethernet subscriber [session

{watermark| maximum} limit number]
Specifies the number of ethernet sessions that can be

created under a given ethernet layer2 context.
vlan-id - An integer between 1 to 4094.
Example:
Router(config)# ethernet subscriber
session maximum limit 100
Step 10
initiator {unclassified vlan}
Enables an ethernet session initiator under the ethernet

layer2 context service instance.
Example:
Router(config)# initiator unclassified vlan
Step 11
service-policy type control

policy-map-name
Applies the service policy to the control plane.
Example:
Router(config-if-srv)#
service-policy type control policy1
Step 12
end
4-372
OL-16147-20
Chapter 4

Configuration Steps for a Static Ethernet Session

Complete these steps to configure DESA for a static ethernet session.
Summary Steps
1.
enable
2.
configure terminal
3.
policy-map type control policy-map-name
4.
class type control always event session-start
5.
action-number service-policy type service name policy-map-name
6.

or
interface tengigabit ethernet slot/port
7.
no ip address
8.
9.
10. ethernet subscriber static

12. service-policy type control policy-map-name
13. end
OL-16147-20
4-373
Chapter 4
Detailed Steps
Step 1
Command
Purpose
enable
Enables privileged EXEC mode.If prompted, enter your

password.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
policy-map type control

policy-map-name

define a control policy.
Example:
Router(config)# policy-map type
control policy2
Step 4

session-start
Specifies a control class, which defines the conditions

that must be met in order for an associated set of actions
to be executed.
Example:
Router(config-control-policy-map)#
session-start
Step 5
action-number service-policy type

service name policy-map-name
Inserts the specified identifier into the authorization

requests.
Example:
Router(config-control-policymap-clas
s-control)# 1 service-policy type
service name policy-2
Step 6

or
interface tengigabit ethernet
slot/port
Step 7
no ip address
Specifies the gigabit ethernet or tengigabit ethernet

Assigns an IP address to the ethernet interface.
Example:
Step 8
Creates a service instance on the ethernet interface.
Example:
Router(config-if)# service instance
2 ethernet
4-374
OL-16147-20
Chapter 4

Step 9
Command
Purpose

Example:
vlan-id - An integer in the range 1 to 4094.
Step 10
ethernet subscriber static
Initiates a static ethernet subscriber session.
Example:
Router(config-if-srv)# ethernet
subscriber static
Step 11
Enables bridge domain across the ethernet interfaces.
Example:
Step 12
service-policy type control

policy-map-name
Applies the service policy to the control plane.
Example:
Step 13
end
This example shows how to create a service policy and configures DESA for a dynamic ethernet session.
Router# enable
Router(config)# aaa authorization nextwork group default radius
Router(config)# aaa authorization subscriber-service default local group radius
Router(config)# radius-server host 172.29.39.46 key rad123
Router(config)# policy map type control policy1
Router(config-control-policymap)# control always event session start
Router(config-control-policymap-class-control)# 1 authorize identifier stag-type plus
stag-vlan-id
Router(config-if)# service instance dynamic 4 ethernet
Router(config-if-srv)# ethernet subscriber session maximum limit 100
Router(config-if-srv)# initiator unclassified vlan
Router(config-if-srv)# service-policy type control policy1
This example shows how to configure DESA for a static ethernet session.
Router# enable
Router(config)# policy map type control policy2
Router(config-control-policymap)# control always event session start
Router(config-control-policymap-class-control)# 1 service-policy type service name policy2
OL-16147-20
4-375
Chapter 4

ethernet subscriber static
bridge-domain 100
end
Verifying DESA
To verify the DESA feature, use these commands in privileged EXEC mode.
Command
Purpose
show ethernet service instance detail
Displays details about the configured service

instances.
show subscriber session
Displays information about subscriber sessions on

an Intelligent Services Gateway (ISG).
Troubleshooting DESA
To troubleshoot the DESA feature, use these debug commands.
Command
Purpose
debug ethernet service instance dynamic errors Displays any error while bringing up the dynamic
session.
debug ethernet service instance dynamic events Displays all the events while bringing up the
dynamic session.
debug ethernet service instance dynamic ha
errors
Displays any high availability (HA) errors while

bringing up the dynamic session.
debug ethernet service instance dynamic ha

events
Displays the HA events while bringing up the

dynamic session.
4-376
OL-16147-20
Chapter 4

Control Plane Protection on Non Access Subinterfaces

A router is segmented into three planes of operation, each with a clearly defined objective. The data
plane to forward data packets, the control plane to route the data correctly, and the management plane to
manage network elements.
The Cisco 7600 ES+ line card forwards any control plane traffic during data transmission to the route
processor (RP). If there is a continuous stream of control packets to the Cisco 7600 router, all the packets
are forwarded to the RP in the router. If the packet rate is high, the control packet flow consumes the
processing capacity, memory, buffers and other critical system resources, and the RP functionality is
impacted. Control Plane Protection (COPP) is a mechanism to control the traffic destined to the RP from
non access sub interfaces of the ES+ line card using QoS policies.
COPP is already supported on access sub interfaces and the main interfaces. Effective from Cisco IOS
release 15.1(2)S, COPP on non access sub interfaces is also supported on the ES+ line card.

Follow these restrictions and guidelines for configuring COPP on a non access subinterface is given as
follows:
Only the protocols ARP, DHCP, Ethernet Operations Administration and Maintenance (EOAM) and
PPPoE support COPP.
The total number of interfaces with COPP on an ES+ line card is 16000.
If hardware assisted call admission control (CAC) is configured, COPP takes precedence over the
CAC for PPPoE and DHCP control packets including FSOL.
Packets Per Second (PPS) mode of traffic policing is not supported.
Configuring COPP on a Non Access Subinterface

Complete these steps to configure COPP on a non access subinterface.
Summary Steps
1.
enable
2.
configure terminal
3.
class-map match-all class-map-name
4.
match protocol protocol-name
5.
match subscriber access
6.
policy-map policy-map-name
7.
class class-name
8.
police cir cir-value
9.
control-plane user-type access
10. service-policy input policy-map-name

11. interface type number
OL-16147-20
4-377
Chapter 4
12. encapsulation dot1q vlan-id

13. ip address ip-address mask
14. ip subscriber l2-connected
15. initiator {dhcp| static | unclassified}
16. end
Detailed Steps
Step 1
Command
Purpose
enable

prompted.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
class-map match-all class-map-name
Enables class map configuration mode used to create a

traffic class.
Example:
Router(config)# class-map match-all
cmap
Step 4
match protocol protocol-name
Specifies the match criteria for a class-map.
Example:
Router(config-cmap)# match protocol
arp
Step 5
match subscriber access
Enables ISG COPP.
Example:
Router(config-cmap)# match subscriber access
Step 6
Example:

define a control policy, and enters the control policy map
configuration mode.
Router(config-cmap)# policy-map pmap
Step 7
class class-name
Enters class map configuration mode, which is used to

associate a service policy with a class.
Example:
class-name - Name of a service policy class. The name

can contain up to 40 alphanumeric characters.
Router(config-pmap)# class cmap
4-378
OL-16147-20
Chapter 4

Step 8
Command
Purpose
police cir cir-value
Specifies the committed information rate (CIR) value in

bits per second.
Example:
cir-value - The supported range is 500 to 30000.
Router(config-pmap-c)# police cir

30000
Step 9
control-plane user-type access
Enters control-plane configuration mode.
Example:
Router(config)# control-plane
user-type access
Step 10
service-policy input policy-map-name
Attaches a QoS service policy to the control-plane host

subinterface.
Example:
Router(config-cp-user)#
service-policy input pmap
Step 11
Specifies an interface and enters the interface configuration mode.
Example:
ethernet 1/1.1
Step 12

Example:
vlan-id - An integer in the range of 1 to 4094.
Router(config-subif)# encapsulation
dot1q 400
Step 13
Specifies an IP address for an interface.
Example:
Router(config-subif)# ip-address
1.1.1.1 255.255.255.0
Step 14
ip subscriber l2-connected
Specifies the type of IP subscriber to be hosted on the

interface and enters the configuration mode.
Example:
Router(config-subif)# ip subscriber
l2-connected
Step 15
Step 16
initiator {dhcp|static|unclassified}
Router(config-subscriber)#
initiatior dhcp
end
Creates IP subscriber sessions upon receipt of the

specified packet type.
dhcp - IP session initiated by DHCP
static- Static IP session initiated.
unlcassified - IP session initiated by unclassified

traffic
OL-16147-20
4-379
Chapter 4
This example shows how to configure COPP on a non access sub interface. In the example, a class map
cmap is created to specify the matching criteria. Then a policy map pmap that describes the policing to
be applied, is created and the service policy is applied on the control plane user interface.
Router# enable
Router(config)# class-map match-all cmap
Router(config-cmap)# match protocol dhcp
Router(config-cmap)# match subscriber access
Router(config-cmap)# policy-map pmap
Router(config-pmap)# class cmap
Router(config-pmap-c)# police cir 300000
Router(config)# control-plane user-type access
Router(config-cp-user)# service-policy input pmap
Router(config)# interface gigabit ethernet 1/2.1
Router(config-subif)# encapsulation dot1q 400
Router(config-subif)# ip subscriber l2-connected
Router(config-subscriber)# initiator dhcp
Router(config-subscriber)# end
Verifying COPP on a Non Access Sub Interface

To verify the COPP on a non access subinterface, you can use the following commands in privileged
EXEC mode:
Command
Purpose
show platform copp rate-limit protocol-name
Displays the number of conformed and exceeded

bytes for each interface on the RP for the specified
protocol.
show platform npc copp all
Displays the list of interfaces under each NP for

which COPP is initiated in the line card.
show platform npc copp if_num detail
Displays the number of dropped packets and bytes

for a given interface. First verify whether COPP is
initiated on the interface with show platform npc
copp all command and then use this command for
the detailed output of a specific interface.

Bidirectional Forwarding Detection (BFD) scale improvement feature provides the functionality to
offload a BFD session to an ES+ line card. BFD is a forwarding path failure detection protocol and
reduces the overall network convergence time by sending rapid failure detection packets (messages) to
the routing protocols for recalculating the routing table. Before Release 15.1(2)S, a BFD session was run
as a software component on the Route Processor (RP). Hence, the performance of BFD was restricted to
the capabilities of CPU and IOS on the RP on the Cisco 7600 Router. Effective failure detection requires
BFD to run at high frequencies (using aggressive timers as low as 50ms), which was not possible because
4-380
OL-16147-20
Chapter 4

of CPU and IOS restrictions. Effective with Cisco IOS Release 15.1(2) S, apart from running a BFD
session on the RP, you can also offload a BFD session to the ES+ line card based on specific conditions
listed in the Restrictions for BFD Scale Improvement section on page 4-383.
Note
Effective with Cisco IOS Release 15.1(3)S2, BFD hardware offload is also supported for IPv6 addresses
along with the IPv4 addresses.
Note
If you are running IPv4 and IPv6 sessions on an interface, you can selectively enable or disable
offloading IPv4 or IPv6 sessions using the platform bfd disable-offload ipv4|ipv6 command.
Offloading a BFD session to an ES+ line card allows you to utilize the hardware resources and
capabilities of an ES+ line card, and also distribute the processing load between RP and ES+ line card.
It allows you to scale up to 2000 BFD sessions for each Cisco 7600 series router.
Note
You can scale up to 2000 sessions per chassis using static and OSPF routing protocol for IPv4 BFD
sessions only. For scale number values for IPv6 NFD sessions, see the Restrictions for BFD Scale
Improvement section on page 4-383 section.
BFD Sessions Supported on RSP720 Versions

Table 4-44 lists the number of IPv4 HW BFD sessions supported on various Route Switch Processor 720
(RSP 720) versions.
Table 4-44
IPv4 HW BFD Sessions Supported on Various RSP720 Versions
Sessions
RSP720-3C-GE RSP720-3CXL-GE RSP720-3C-10GE RSP720-3CXL-10GE

1 Gb
2 Gb
1 Gb
2 Gb
1 Gb
2 Gb
1 Gb
2 Gb
OSPF BFD session scale

number1
1200
2000
1200
2000
1200
2000
1200
2000
Static route BFD session

scale number
2000
2000
2000
2000
2000
2000
2000
2000
1. The scale numbers are valid only for the HW BFD sessions on the box and not software BFD session.
Note
The number of HW BFD sessions supported for IGPs is same as what the individual IGPs can scale upto.
Table 4-45 lists the number of software BFD sessions supported on the various RSP720 versions.
Table 4-45
Software BFD Sessions Supported on the Various RSP720 Versions
Timer
Supported Scale Number1
50*3ms
128
999*3 ms
512
OL-16147-20
4-381
Chapter 4
1. These numbers are valid only for the software BFD session on the box and not hardware BFD session.
Table 4-46 lists the number of sessions supported for each type of line card:
Table 4-46
Sessions Supported on Line Cards
Line Card
Sessions
7600-ES+40G3C
1000
7600-ES+40G3CXL
1000
7600-ES+20G3C
500
7600-ES+20G3CXL
500
7600-ES+4TG3C
1000
7600-ES+4TGCXL
1000
7600-ES+2TG3C
500
7600-ES+2TGCXL
500
76-ES+XT-2TG3C
500
76-ES+XT-2TG3CXL
500
76-ES+XT-4TG3C
1000
76-ES+XT-4TG3CXL
1000
76-ES+T-20G3CXL
500
76-ES+T-2TG3CXL
500
76-ES+T-40G3CXL
1000
76-ES+T-4TG3CXL
1000
76-ES+XC-20G3C
500
76-ES+XC-20G3CXL
500
76-ES+XC-40G3C
1000
76-ES+XC-40G3CXL
1000
SSO Behavior
A BFD session supports Stateful Switchover (SSO) when offloaded to the ES+ line card. For a BFD
session running on the RP, the minimum supported transmit (Tx) and receive (Rx) timer value for SSO
is 500ms. When a session is offloaded to an ES+ line card, the minimum supported Tx and Rx timer
value for SSO is 50ms. Usually, a BFD session offloaded to an ES+ line card is not affected during an
SSO. However, these scenarios may be observed:
Session configuration changes from peer during SSO: The line card CPU does not detect the
changed bits in the BFD packets during SSO.
Network failure during SSO: This situation is not handled immediately. Once the SSO is over, the
BFD changes due to network failure are handled.
4-382
OL-16147-20
Chapter 4

Restrictions for BFD Scale Improvement

The following restrictionsapply for BFD scale improvement:
A BFD session is supported on only RSP 720 and Supervisor 720 (SUP720), it is not supported on
SUP32.
Only BFD version 1 is supported.
The BFD session can be offloaded only to an ES+ line card interface.
Ensure that the ES+ Line Card interface configured with the BFD session is on global routing table.
Effective from Cisco IOS Release 15.1(3)S and 15.1(2)S1, the interface with a BFD session can be
on any Virtual Routing and Forwarding (VRF).
Each network processor supports a total of 250 sessions distributed across its ports.
BFD hardware offload is supported for IPv4 sessions with non-echo mode only.
You can configure IPv4 and IPv6 sessions to co-exist on the router as well as the same interface.
Only the single hop BFD hardware offload is supported for both the IPv4 and IPv6 sessions. BFD
hardware offload supports either of these combinations for IPv4 and IPv6 sessions:
1000 IPv6 BFD sessions and no IPv4 sessions.
2000 IPv4 BFD sessions and no IPv6 sessions.
500 IPv4 BFD sessions and 500 IPv6 sessions.
BFD offload is supported only for the ethernet interface.
Timer values for Tx and Rx should only be in multiples of 50 and should range between 50 and
950ms for both the local and remote BFD peer router.
BFD Tx jitter defined in RFC 5880 is not supported.
You cannot swap a BFD session between ES+ line card and IOS by changing the parameters when
the BFD session is up and running. To swap a BFD session, you need to unconfigure and reconfigure
the BFD session with the changed parameters.
BFD offload is not supported on port-channel or SVI interfaces.
In case of prolonged network instability and BFD session flaps, the session state may get stuck in
the DOWN, INIT, or UP state. Unconfigure and reconfigure BFD to resolve this issue.
During line card OIR, the show bfd neighbor detail command may show discrepancy in the
statistics counter. The statistics counter provide information about Rx or Tx counts for a particular
session.
BFD supports 2000 sessions with OSPF as client on RSP. Example scenarios:
All subinterfaces are configured as point to point.
Four instances of OSPF are running with each instance supporting 500 BFD session.
Note
Configure the symmetric slow timers to less than or equal to five seconds on both the ends to bring
up the HW offloaded BFD sessions.
BFD supports a maximum of 10 IPv6 static route sessions on an interface.
Effective with Cisco IOS Release 15.1 (3)S, BFD sessions are also supported on SUP720.
OL-16147-20
4-383
Chapter 4
Note
If the local discriminator (LD) value is less than 8000, it signifies that the session is offloaded to
hardware.
Configuring BFD Hardware Offload for 7600

The BFD offload functionality is enabled by default. You can configure BFD hardware offload on the
route processor. For more information, see Bidirectional Forwarding Detection.
4-384
OL-16147-20
Chapter 4

Troubleshooting BFD Hardware Offload

Table 4-47 provides troubleshooting solutions for the BFD scale improvement issues:
OL-16147-20
4-385
Chapter 4
Table 4-47
Troubleshooting BFD Scale Improvement
Problem
Solution
BFD session repeatedly goes up and

down, or fails to come up.
Complete these steps and report the findings to the TAC team:
1.
Use the show bfd neighbor detail command to verify whether or not a session is
offloaded to IOS or hardware, and identify the local discriminator (LD) value.
2.
Use the show bfd summary command to check the total number of sessions in
both the up and down state.
3.
Use the show platform bfd session | include LD_no command to verify whether
or not the Route Processor Platform Dependent (RP PD) table contains the offloaded session.
4.
Use the attach linecard_no command to attach to the line card console.
5.
Use the show platform npc bfd LD_no command to verify the line card information for the offloaded sessions on the line card.
6.
Use the show bfd drops command on the RP to verify the number of session
drops. Use the command multiple times to check if the drop counter increments
in value.
For further debugging, enable the debug CLIs with the console logging function
disableds and use these commands on the RP:
debug platform bfd offload event command to display the events related to the
offloaded session.
debug platform bfd offload xdr command to display the XDR (communication
mechanism between RP/line card).
debug platform bfd offload error command to display the error messages
generated for the offloaded session.
Use these commands on the line card:
debug platform npc bfd event command to display the line card PD events for
the offloaded session.
debug platform npc bfd error command to display the line card PD errors for
the offloaded session.
debug platform npc bfd xdr command to display the line card PD XDR events
for the offloaded session.
Note
Contact TAC at this location: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.
4-386
OL-16147-20
Chapter 4

Table 4-47
Troubleshooting BFD Scale Improvement (continued)
Problem
Solution
Unable to offload an existing session

to hardware even though it already
existed in the hardware. Usually,
hardware offload reconfiguration
include these steps:
Complete these steps to successfully offload an existing session to ES+ line card for
a OSPF router:
1.
2.
3.
Disable BFD interval using the

no bfd interval interval_val
min_rx rx_value multiplier
multiplier_val command
Enable the BFD interval usingn
the bfd interval interval_val
min_rx rx_value multiplier
multiplier_val command
1.
Use the no bfd interval interval_val min_rx rx_value multiplier multiplier_val

command to disable the BFD interval configuration.
2.
Use the no network network_id wildcard_mask area area_id command to remove the routing configuration under the routing protocol.
3.
Use the bfd interval interval_val min_rx rx_value multiplier multiplier_val

command to reconfigure the BFD interval configuration.
4.
Use the no bfd echo command to enable the BFD non-echo mode.
5.
Use the network network_id wildcard_mask area area_id command to reconfigure the routing configuration under the routing protocol.
Enable the non-echo mode using

the no bfd echo command.
The BFD session is offloaded to IOS

immediately after reconfiguring the
bfd interval and before the no bfd
echo command. Hence, the command
to enable non-echo mode is not considered while initializing a session on
the IOS.
Unable to offload a static route BFD
session from IOS to ES+ line card.
Complete these steps to offload a static route BFD session from IOS to ES+ line card:
1.
Use the no bfd interval interval_val min_rx rx_value multiplier multiplier_val

command to remove BFD interval from the interface.
2.
Use the no ip route command to remove the static route configuration. For example, use:
router (config)# no ip route static bfd interface-type interface-number gateway
or
router (config)# no ip route [vrf vrf-name] prefix mask {ip-address |
interface-type interface-number [ip-address]} [dhcp] [distance] [name
next-hop-name] [permanent | track number] [tag tag]
3.
Use the bfd interval interval_val min_rx rx_value multiplier multiplier_val

command to configure the BFD interval on an interface.
4.
Use the no bfd echo command to enable the BFD no-echo mode.
5.
Use the ip route command to configure the static route configuration. For example, use:
router (config)# ip route static bfd interface-type interface-number
gateway
or
router (config)# ip route [vrf vrf-name] prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name
next-hop-name] [permanent | track number] [tag tag]
OL-16147-20
4-387
Chapter 4
4-388
OL-16147-20
CH A P T E R

This chapter provides information about configuring multicast features on the Cisco 7600 Series
router. It includes the following topics:
IGMP Snooping for VPLS Pseudowire on Cisco 7600 Series Ethernet Services Plus Line Cards,
page 5-1
IP and PPPoE Session Coexistence with Multicast, page 5-4
Multicast VLAN Registration, page 5-10
Note
IGMP Snooping for VPLS Pseudowire on Cisco 7600 Series

Ethernet Services Plus Line Cards
The Internet Group Management Protocol (IGMP) Snooping for VPLS Pseudowire on Cisco 7600 Series
ES+ line cards provides the ability to send Layer 2 multicast frames from the customer equipment (CE)
in a VPLS virtual forwarding instance (VFI) or from a multipoint bridging VLAN only to those remote
peer CEs that have sent an IGMP request to join the multicast group.
IGMP Snooping for VPLS Pseudowire on Cisco 7600 Series ES+ line cards manages multicast traffic at
Layer 2 by configuring the Layer 2 LAN ports dynamically to forward multicast traffic only to those
ports that want to receive it. In VPLS or multipoint bridging, IGMP snooping can be set up on individual
VLANs or on a VFI basis to build the membership tree, because each of the remote points of a VLAN
or VFI can be identified with a virtual port and VLAN ID.

When configuring the IGMP/PIM Snooping for VPLS Pseudowire on Cisco 7600 Series ES+ line cards,
follow these restrictions and usage guidelines:
OL-16147-20
5-1
Chapter 5
IGMP snooping is enabled by default under the bridge-domain VLAN (use the no ip igmp snooping
command to disable the default behavior).
Globally enabling IGMP snooping enables IGMP snooping on all the existing VLAN interfaces.
Globally disabling IGMP snooping disables IGMP snooping on all the existing VLAN interfaces.
System support for 32,000 IGMP groups with no line card-specific limitation.
Supports MultiPoint Bridging over Ethernet on Cisco 7600 Series ES+ line cards.
Supports Virtual Private LAN Service (VPLS).
Use the show ip igmp snooping privileged EXEC command to verify your IGMP settings.
IGMP snooping works only when no tunneling operation occurs (there should not be any VLAN tags
in the packet when it is put on the bridge-domain VLAN).
During snooping, all traffic for a particular group are dropped if there are no interested receivers for
that group.
MROUTER port information should be available to all devices in the snooping domain. You can find
out the MROUTER ports by:
Using the IP address and PIM on SVI.
Using the IGMP query messages heard on the segment.
Forcefully configuring a particular port on a switch as mrouter port using the ip igmp snooping
mrouter interface command.
By default, IGMP snooping is on.
All routers acting as PE devices in a VPLS domain should have the IP address and PIM enabled on
the VPLS SVI.
1.
enable
2.
configure terminal
3.
interface vlan vlanid
4.
no ip address ip-address mask [secondary]
5.
ip igmp snooping
6.
ipv6 mld snooping
7.
SUMMARY STEPS
5-2
OL-16147-20
Chapter 5

DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Creates a unique VLAN ID number and enters

subinterface configuration mode.
Example:
Step 4
Disables IP processing and enters interface configuration

mode.
Example:
Router(config)# no ip address
Step 5
ip igmp snooping
Enables IGMP snooping. To disable IGMP snooping, use

the no form of this command.
Example:
Router(config-if)# ip igmp snooping
Step 6
ipv6 mld snooping
Example:
Enables Multicast Listener Discovery version 2

(MLDv2) snooping globally. To disable the MLDv2
snooping globally, use the no form of this command.
Router(config)# ipv6 mld snooping
Step 7

VLAN port.
Example:
Example
This is a VLAN configuration.
Router# enable
Router(config)# interface Vlan700
Router(config-if)# ip igmp snooping
Router(config-if)# ipv6 mld snooping
Verification
Use the show ip igmp interface vlan command to verify a configuration.
OL-16147-20
5-3
Chapter 5

The IP and PPPoE Session Coexistence with Multicast feature allows you to converge IP subscribers and
multicast users on the same VLAN. IP subscriber sessions are supported on non-access type
subinterfaces through which multicast control and data traffic can pass through whether the IP session
is absent or present.
The IP and PPPoE Session Coexistence with Multicast feature does not support IP Interface session and
PPP session types. When multicast traffic is received by interfaces hosting IP Interface or PPP sessions,
the multicast traffic will be treated as part of the session traffic.
Multicast traffic streams towards the access node (downstream direction) co-exist on the interface
that is configured for Sessions (IP or PPPoEoX).
This is not for per session multicast but allows multicast stream to co-exist on the interfaces on
which hosts sessions exist.

The multicast stream is targeted for an Access-Node (DSLAM/switch) that handles per
subscriber replication.
Additionally, QoS priority queueing-2 and policing for multicast traffic is supported.
From QoS treatment perspective:

Multicast traffic shaping is not required at subinterface (Dot1Q/QinQ) level.
Multicast traffic need to be considered as PQ2 traffic (at port level) on the egress side.
Multicast traffic co-existence is required only for Ethernet main and subinterfaces.
Support for IP Multicast co-existence on ISG aware sub-interfaces is HA/SSO capable.

Follow these restrictions and usage guidelines when configuring QoS with the IP and PPPoE Session
Coexistence with Multicast:
All multicast traffic on a non-access subscriber interface will be treated as priority level2 packets.
Use the platform subscriber-multicast priority-level2 police command to configure the

percentage rate of port bandwidth that the multicast traffic will be policed at.
The percentage rate configured will be applicable on a per port basis.
When configured, all multicast traffic on non-access subscriber interface will be treated as priority
level 2 and policed at the configured percent of the individual ports bandwidth.
When not configured, multicast traffic is not treated as priority level2 traffic.
The IP and PPPoE Session Coexistence with Multicast feature is not supported on sub-interfaces
created with access keyword option.
Maximum number of IP and PPPoE subscriber sessions suported per port group is 4000.
Maximum number of IP and PPPoE subscriber sessions supported per line card is 16000.
5-4
OL-16147-20
Chapter 5

Configuring IP and PPPoE Session Coexistence with Multicast

Summary Steps
1.
enable
2.
configure terminal
3.
ip multicast-routing [vrf vrf-name] [distributed]
4.
ip pim rp-address ip-address [group-access-list-number] [override]
5.
6.
7.
[no] ip address
8.
[no] ip pim {sparse-mode | sparse-dense-mode | dense-mode [proxy-register {list access-list |

route-map map-name}]}
9.
10. initiator {dhcp [class-aware] | static | nclassified ip-address}

11. end
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Step 3
ip multicast-routing
Enables IP multicast routing.
Example:
Router# ip multicast-routing
Step 4
ip pim rp-address ip-address

[group-access-list-number] [override]
Configures the IP address of a PIM rendezvous point (RP)

for a particular group access list.
Example:
Router# ip pim rp-address 198.92.37.33
Step 5
Example:

where:
gigabitethernet 4/1
OL-16147-20
5-5
Chapter 5
Step 6
Command
Purpose
encapsulation dot1q vlan-id {cos |

comma| hyphen|etype}

frames on an interface to the appropriate service
instance.VLAN ID is an integer in the range 1 to 4094.
Hyphen must be entered to separate the starting and
ending VLAN ID values that are used to define a range of
VLAN IDs. Available options are CoS and ethertype.
Example:
dot1q 100?
Step 7
[no] ip address
Assigns an IP address and subnet mask to the

EtherChannel.
Example:
Step 8
no ip pim {sparse-mode |
sparse-dense-mode | dense-mode
[proxy-register {list access-list |
route-map map-name}]}
Enables Protocol Independent Multicast (PIM) on an

interface.
Example:
Router(config-if)# ip pim sparse-mode
Step 9
Specifies the type of IP subscriber to be hosted on the

interface, and enters ISG IP subscriber configuration
mode.
Example:
Router(config-if)# ip subscriber routed
Step 10
initiator {dhcp [class-aware] |

static | unclassified ip-address}
Configures ISG to create an IP subscriber session upon

receipt of the specified packet type.
dhcpISG will initiate an IP session upon receipt of

a DHCP DISCOVER packet. The class-aware
keyword allows ISG to influence the IP address
assigned by DHCP by providing DHCP with a class
name.
radius-proxyISG will initiate an IP session upon

receipt of a RADIUS Access-Request packet.
unclassified ip-addressISG will initiate an IP

session upon receipt of the first IP packet with an
unclassified IP source address.
This command can be entered more than once to

specify more than one method of IP session initiation.
Example:
Router(config-if)# ip pim sparse-mode
Step 11
end
Ends the current configuration session.
Example:
5-6
OL-16147-20
Chapter 5

Configuring a PQ2 Policer Under the Main Interface

Summary Steps
1.
enable
2.
configure terminal
3.
4.
5.
[no] ip address
6.
load-interval seconds
7.
platform subscriber-multicast priority-level2 police rate_in_kbps
8.
end
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:

where:
gigabitethernet 4/1

Step 4

Example:
dot1q 100?
Step 5
[no] ip address

EtherChannel.
Example:
OL-16147-20
5-7
Chapter 5
Step 6
Command
Purpose
load-interval seconds
Changes the length of time for which data is used to

compute load statistics.
Example:
Router(config-if)# load-interval 30
Step 7
platform subscriber-multicast
priority-level2 police rate in kbps
Defines the percentage of port bandwidth that the

multicast traffic will be policed at.
Example:
Router(config-if)# platform
subscriber-multicast priority-level2
police 200
Step 8
end
Example:
Note
This command is applicable to multicast traffic being sent on the main or subinterfaces that are
configured with ip subscriber command or pppoe enable command. Multicast traffic on other
interfaces on the same port are not impacted by this command. In case of port-channel interfaces, the
command should be configured on the member interfaces of the port-channel.
Examples
This is an example of how to configure a nonaccess subinterface for multicast and ISG sessions:
ip multicast-routing
ip pim rp-address 192.10.10.1
ip address 192.10.10.1 255.255.255.0
ip pim sparse-mode
initiator unclassified ip-address
end
This is an example of how to configure PQ2 policer under main interface:

ip address 33.0.0.1 255.0.0.0
load-interval 30
platform subscriber-multicast priority-level2 police 200
end
Verification
5-8
OL-16147-20
Chapter 5

Troubleshooting
Table 5-1
Command
Purpose
Router# show ip igmp groups
Displays the multicast groups with receivers that are

directly connected to the router and that were learned
through Internet Group Management Protocol (IGMP).
Troubleshooting
This section describes how to troubleshoot common Multicast issues.
Scenarios/Problems
Solution
How do I know the multicast groups with Use the show ip igmp groups command. This is a sample output of the command:
receivers that are directly connected to the Router# show ip igmp groups
router and that were learned through
IGMP Connected Group Membership
Group Address
Interface
Uptime
Expires
Last
IGMP?
Reporter
239.255.255.254
172.21.200.159
224.0.1.40
172.21.200.1
224.0.1.40
172.16.214.251
224.0.1.1
172.21.200.11
224.9.9.2
172.21.200.155
232.1.1.1
172.21.200.206
How do I verify information about the

multicast MAC address table entries?
Ethernet3/1
1w0d
00:02:19
Ethernet3/1
1w0d
00:02:15
Ethernet3/3
1w0d
never
Ethernet3/1
1w0d
00:02:11
Ethernet3/1
1w0d
00:02:10
Ethernet3/1
5d21h
stopped
Use the show mac-address-table multicast command. This example shows how
to display information about the MAC address table for MLDv2 snooping:
Router# show mac-address-table multicast mld-snooping
vlan mac address type learn qos ports
-----+---------------+--------+-----+---+--------------------------------- 3333.0000.0001 static Yes - Switch,Stby-Switch
--- 3333.0000.000d static Yes - Fa2/1,Fa4/1,Router,Switch
--- 3333.0000.0016 static Yes - Switch,Stby-Switch
How do I display information about PIM

neighbors discovered by PIMv1 router
query messages or PIMv2 hello
messages?
Use the show ip pim neighbor command. This is a sample output of the
command:
Router# show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default
Priority,
S - State Refresh Capable
Neighbor
Interface
Uptime/Expires
Address
Prio/Mode
10.0.0.1
GigabitEthernet10/2
00:01:29/00:01:15
S
10.0.0.3
GigabitEthernet10/3
00:01:15/00:01:28
DR S P
DR
Ver
DR
v2
1 /
v2
1 /
OL-16147-20
5-9
Chapter 5
Multicast VLAN Registration
Scenarios/Problems
Solution
How do I check the PIM packets received, Use the debug ip pim command. This is a sample output of the command:
sent, and also the PIM-related events?
router# debug ip pim 224.2.0.1
PIM: Received Join/Prune on Ethernet1 from 172.16.37.33
PIM: Received Join/Prune on Tunnel0 from 10.3.84.1
PIM: Received RP-Reachable on Ethernet1 from 172.16.20.31
PIM: Update RP expiration timer for 224.2.0.1
PIM: Forward RP-reachability packet for 224.2.0.1 on Tunnel0
PIM: Prune-list (10.221.196.51/32, 224.2.0.1)
PIM: Set join delay timer to 2 seconds for (10.221.0.0/16, 224.2.0.1)
on Ethernet1
PIM: Received Join/Prune on Tunnel0 from 10.3.84.1
PIM: Join-list: (*, 224.2.0.1) RP 172.16.20.31
PIM: Add Tunnel0 to (*, 224.2.0.1), Forward state
PIM: Join-list: (10.0.0.0/8, 224.2.0.1)
PIM: Add Tunnel0 to (10.0.0.0/8, 224.2.0.1), Forward state
PIM: Join-list: (10.4.0.0/16, 224.2.0.1)
PIM: Prune-list (172.16.84.16/28, 224.2.0.1) RP-bit set RP
172.16.84.16
PIM: Send Prune on Ethernet1 to 172.16.37.6 for (172.16.84.16/28,
224.2.0.1), RP
PIM: For RP, Prune-list: 10.9.0.0/16
PIM: For 10.3.84.1, Join-list: 172.16.84.16/28
PIM: Send periodic Join/Prune to RP via 172.16.37.6 (Ethernet1)
How do I check PIM-related events

associated with the MVPN routing and
forwarding instance specified for the
vrf-name argument?
Use the debug ip pim vrf command.
How do I display information about IP

PIM snooping?
Use the show ip pim snooping command. This example shows how to display the
information about the global status:
Router# show ip pim snooping
Global runtime mode: Enabled
Global admin mode : Enabled
Number of user enabled VLANs: 1
User enabled VLANs: 10

Multicast VLAN Registration (MVR) is used to deploy multicast traffic across an Ethernet ring-based
service-provider network. For example, the broadcast of multiple television channels over a
service-provider network.
MVR performs the following:
Identifies the MVR IP multicast streams and their associated IP multicast groups in the Layer 2
forwarding table.
5-10
OL-16147-20
Chapter 5

Intercepts the IGMP messages.
Allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the multicast
VLAN.
Allows a single multicast VLAN to be shared in the network while subscribers remain in separate
VLANs.
Provides the ability to continuously send multicast streams in the multicast VLAN and isolate the
streams from the subscriber VLANs for bandwidth and security reasons.
Modifies the Layer 2 forwarding table to include or remove the subscriber as a receiver of the
multicast stream, even though the receivers might be in a different VLAN from the source. This
forwarding behavior selectively allows traffic to cross between different VLANs.
The router forwards multicast data for MVR IP multicast streams only to MVR ports on which hosts have
joined, either by IGMP reports or by MVR static configuration. The router forwards IGMP reports
received from MVR hosts only to the source (uplink) port. This eliminates using unnecessary bandwidth
on MVR data port links.
Note
Only layer 2 ports participate in MVR. You must configure ports as MVR receiver ports. Only one MVR
multicast VLAN per router is allowed.
During MVR, subscriber ports subscribe and unsubscribe multicast streams by sending out IGMP join
and leave messages. These messages can originate from an IGMP version-2-compatible host with an
Ethernet connection. Although MVR operates on the underlying mechanism of IGMP snooping, the two
features operate independent of each other. However, if IGMP snooping and MVR are both enabled,
MVR reacts only to join and leave messages from multicast groups configured under MVR. Join and
leave messages from all other multicast groups are managed by IGMP snooping.
Using MVR in a Multicast Television Application

In a multicast television application, a PC or a television with a set-top box receives the multicast stream.
Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured
as an MVR receiver port. Figure 5-1 illustrates this configuration.
The MVR feature in a multicast television application functions in this sequence:
DHCP assigns an IP address to the set-top box or the PC. When a subscriber selects a channel, the
set-top box or PC sends an IGMP report to Switch A to join the appropriate multicast. If the IGMP
report matches one of the configured IP multicast group addresses, the Source Port (SP) CPU
modifies the hardware address table to include this receiver port and VLAN as a forwarding
destination of the specified multicast stream when it is received from the multicast VLAN. Uplink
ports that send and receive multicast data to and from the multicast VLAN are called MVR source
ports.
OL-16147-20
5-11
Chapter 5
Figure 5-1
Multicast VLAN
Cisco router
Multicast
server
SP
Switch B
SP
SP
SP
SP
SP
SP1
SP2
Multicast
data
Multicast
data
Switch A
RP1 RP2 RP3 RP4 RP5 RP6 RP7
Customer
premises
Hub
IGMP join
Set-top box
Set-top box
TV
data
TV
RP = Receiver Port
SP = Source Port
TV
101364
PC
Note: All source ports belong to

the multicast VLAN.
When a subscriber changes channels or switches off the television, the set-top box sends an IGMP
leave message to the multicast stream. The SP CPU sends a MAC-based general query through the
receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that
set-top box must respond within the maximum response time specified in the query. If the CPU does
not receive a response, it eliminates the receiver port as a forwarding destination for this group.
Unless the Immediate Leave feature is enabled, when the router receives an IGMP leave message
from a subscriber on a receiver port, it sends out an IGMP query on that port and waits for IGMP
group membership reports. If no reports are received in a configured time period, the receiver port
is removed from multicast group membership. With the Immediate Leave feature enabled, an IGMP
query is not sent from the receiver port on which the IGMP leave was received. As soon as the leave
message is received, the receiver port is removed from multicast group membership, which speeds
up leave latency. Enable the Immediate Leave feature only on receiver ports to which a single
receiver device is connected.
MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each
VLAN. Multicast traffic for all channels is only sent around the VLAN trunk onceonly on the
multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port
5-12
OL-16147-20
Chapter 5

is assigned. These messages dynamically register for streams of multicast traffic in the multicast
VLAN on the layer 3 device, Switch B. The access layer switch, Switch A, modifies the forwarding
behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a
different VLAN, selectively allowing traffic to cross between two VLANs.
IGMP reports are sent to the same IP multicast group address as the multicast data. The Switch A
CPU must capture all IGMP join and leave messages from receiver ports and forward them to the
multicast VLAN of the source (uplink) port.
Configuring MVR
For information on configuring and troubleshooting the MVR, see:
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/snooigmp.html
OL-16147-20
5-13
Chapter 5
5-14
OL-16147-20
CH A P T E R

This chapter provides information about configuring Multiprotocol Label Switching (MPLS) features on
the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line card on
the Cisco 7600 series router.
This section includes the following topics:
Note
Configuring Any Transport over MPLS, page 6-1
MPLS VPNL3VPN over GRE, page 6-6
Configuring Virtual Private LAN Service, page 6-23
Configuring H-VPLS with Port-Channel Core Interface, page 6-28
MPLS-TP Support for Ethernet Access Circuits, page 6-70

Any Transport over MPLS (AToM) transports Layer 2 packets over a Multiprotocol Label Switching
(MPLS) backbone. AToM uses a directed Label Distribution Protocol (LDP) session between edge
routers for setting up and maintaining connections. Forwarding occurs through the use of two levels of
labels, switching between the edge routers. The external label (tunnel label) routes the packet over the
MPLS backbone to the egress Provider Edge (PE) at the ingress PE. The VC label is a demultiplexing
label that determines the connection at the tunnel endpoint (the particular egress interface on the egress
PE as well as the virtual path identifier [VPI]/virtual channel identifier [VCI] value for an ATM
Adaptation Layer 5 [AAL5] protocol data unit [PDU], the data-link connection identifier [DLCI] value
for a Frame Relay PDU, or the virtual LAN [VLAN] identifier for an Ethernet frame).
Scalable EoMPLS on Cisco 7600 Series ES+ Line Cards

With Scalable EoMPLS, the CE-facing line card performs all EoMPLS imposition and disposition label
processing. From the core-side line card perspective, the AToM packets in and out of the router appear
as generic MPLS frames.
OL-16147-20
6-1
Chapter 6
HSPW Support for Ethernet ACs

Hot-Standby capability helps to improve the switchover time for pseudowires (PW) in service providers
network. This feature keeps the backup PW pre-programmed in the hardware and at switchover, the
backup PW is enabled to pass the traffic.

When configuring the Scalable EoMPLS on Cisco 7600 Series ES+ line cards, follow these restrictions
and usage guidelines:
Scalable EoMPLS is supported with EVCs (ethernet virtual circuits). An EVC is an end-to-end
representation of a single instance of a Layer 2 service being offered by a provider to a customer.
Scalable EoMPLS is supported as a mapped service for the QinQ termination.
Service Instances supported: 16, 000 per line card (32, 000 per Cisco 7600 series router)
VC type 4 and VC type 5 are supported.
Control word operation is supported.
For ingress policing, only the drop action and the accept action for the police command are
supported.
Ingress COS marking is not supported.
Ingress COS-inner marking is supported.
For QoS marking, mapping of the incoming VLAN dot1q p-bits to the outgoing MPLS EXP bits is
supported.
For QoS marking, mapping of the incoming MPLS EXP bits to the outgoing VLAN dot1q p-bits is
supported (if EVC rewrite is pop tag).
For QoS shaping, egress pseudowire shaping is supported. Matching is based on the MPLS EXP bits.
The Dot1q Transparency for EoMPLS feature is supported.
Because HWEoMPLS is not supported on the ES+ line card, the xconnect command with
encapsulation mpls is rejected on the Layer 3 interface and Layer 3 subinterface.
The HSPW feature is supported only with Scalable EoMPLS and an ES+ line card supports a
maximum of 16000 Scalable EoMPLS.
The HSPW feature supports only pseudowires configured on a ES+ line card within the Ethernet
EVC and supports around 6000 backup PWs.
The HSPW feature supports only VC type 5.
1.
enable
2.
configure terminal
3.
4.
[no] service instance id Ethernet [service-name}
5.
encapsulation dot1q vlan-id second-dot1q {any | vlan-id[vlan-id[-vlan-id]]}
SUMMARY STEPS
6-2
OL-16147-20
Chapter 6

6.
7.
xconnect peer-id vc-id encapsulation mpls
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

or

Example:
4/1
Step 4

[service-name}
Creates a service instance (an instantiation of an EVC) on an

interface and sets the device into the config-if-srv submode.
Example:
ethernet
Step 5
encapsulation dot1q vlan-id second-dot1q

{any | vlan-id[vlan-id[-vlan-id]]}
Defines the matching criteria to map ingress dot1q frames on an

interface to the appropriate service instance.
Note
Example:
dot1q 5
Use the encapsulation dot1q default command to

configure the default service instance on a port. Use the
encapsulation dot1q untagged command to map
untagged Ethernet frames on an ingress interface to a
service instance.
OL-16147-20
6-3
Chapter 6
Step 6
Command or Action
Purpose
rewrite ingress tag {push {dot1q vlan-id

| dot1q vlan-id second-dot1q vlan-id |
dot1ad vlan-id dot1q vlan-id} | pop {1 |
2} | translate {1-to-1 {dot1q vlan-id |
dot1ad vlan-id}| 2-to-1 dot1q vlan-id |
dot1ad vlan-id}| 1-to-2 {dot1q vlan-id
second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id} | 2-to-2 {dot1q vlan-id
second-dot1q vlan-id | dot1ad vlan-id
dot1q vlan-id}} symmetric
Specifies the tag manipulation that is to be performed on the frame

ingress to the service instance.
Example:
tag dot1q single symmetric
Step 7
xconnect peer-id vc-id encapsulation mpls
Example:
Router(config-if-srv)# xconnect 10.0.0.1
123 encapsulation mpls
Configures scalable EoMPLS on a service instance. On the ingress

side, after proper encapsulation manipulations, a packet is
tunneled in an EoMPLS VC and transmitted on the core.
Note
Use the backup peer-id vc-id command to configure the

HSPW feature.
Examples
The following is an example of a basic configuration.
This is the customer-facing port at router 1.
Router# enable
Router(config-if-srv)# rrewrite ingress tag translate 1-to-2 dot1q 5 second-dot1q 5
symmetric
This is the global configuration at router 1.

Router# enable
Router(config)# interface loopback1
!MPLS core facing port
This is the customer-facing port at router 2.

Router# enable
symmetric
6-4
OL-16147-20
Chapter 6

This is the global configuration at router 2.

Router# enable
Router(config)# interface loopback1
This is the MPLS core facing port.

The following is an example of single tag VLAN configuration for tunneling a single VLAN service
instance.
This is the customer facing port.
Router# enable
symmetric
The following is an example of double tag VLAN configuration for tunneling double tag VLAN frames.
Router# enable
symmetric
The following is an example of a selective QinQ xconnect configuration.

Router# enable
Router(config-if-srv)# encapsulation dot1q 10-20, 30, 50-60
The following is an example of a port-based xconnect tunnel configuration that tunnels all incoming
packets to the remote peer.
!All tag and non-tag packets aggregation
Router# enable
Router(config-if-srv)# encapsulation default
!All non-tag packets aggregation
OL-16147-20
6-5
Chapter 6
Verification
Command
Purpose
Router# show ethernet service evc [id evc-id |

interface interface-id] [detail]

interface is specified. The detail option provides additional
Router# show ethernet service instance [id

instance-id interface interface-id | interface

instances on the given interface.
Router# show ethernet service interface

[interface-id] [detail]
Displays information in the Port Data Block (PDB) .
Router# show mpls l2 vc min VC ID max VC ID detail
Displays detailed information related to the virtual connection

(VC).
Router# show mpls l2transport vc
Displays the state of VCs.

Note
Router# show platform atom imp-tbl remote-vc-label
Displays the imposition table on the line card for a VC based

remote label.
Note
Router# show platform atom disp-tbl local-vc-label
You must know the remote VC Label for a VC to use

this command.
Displays the disposition table on the Line Card for a VC based

local label.
Note
You must know the Local VC Label for a VC to use

this command.
Router# show platform atom tbl-summary
Displays the total number of PWs programmed on the line

card, which includes the primary PWs and the backup PWs
that are programmed.
Router# show platform atom imp-tbl backup
Displays the imposition table on the Line Card for backup

VCs.
Router# show platform atom disp-tbl backup
Displays the disposition table on the Line Card for backup

VCs

The MPLS VPNL3VPN over GRE feature provides a mechanism for tunneling Multiprotocol Label
Switching (MPLS) packets over a non-MPLS network.
6-6
OL-16147-20
Chapter 6

The MPLS VPNL3VPN over GRE feature utilizes MPLS over generic routing encapsulation
(MPLSoGRE) to encapsulate MPLS packets inside IP tunnels thus creating virtual point-to-point links
across non-MPLS networks.
Prerequisites for MPLS VPNL3VPN over GRE

Before you configure the MPLS VPNL3VPN over GRE feature, ensure that your MPLS Virtual
Private Network (VPN) is configured and working properly. See the Configuring MPLS Layer 3 VPNs
module for information about setting up MPLS VPNs.
Ensure that the following routing protocols are configured and working properly:
Label Distribution Protocol (LDP)for MPLS label distribution. See MPLS Label Distribution
Protocol Overview.
Multiprotocol Border Gateway Protocol (MP-BGP)for VPN route and label distribution. See
Configuring MPLS Layer 3 VPNs.
Restrictions for MPLS VPNL3VPN over GRE

The MPLS VPNL3VPN over GRE feature does not support the following:
Quality of service (QoS) service policies configured on the tunnel interface; they are supported on
the physical or subinterface
GRE options: sequencing, checksum, and source route
IPv6 GRE
Advanced features such as Carrier Supporting Carrier (CSC) and Interautonomous System
(Inter-AS)
Effective with Release 15.2(1)S, you can configure more than one GRE tunnel on an ES+ line card using
the same source. The packets are hardware switched even when multiple tunnels share the same source.
All the GRE tunnels on a specified node can use a single source IP prefix instead of multiple prefixes.
The advantage is that you can minimize the prefixes required for infrastructure, and enables the network
to scale the number of tunnels. The following restrictions apply:
All core facing interfaces should be on ES+ card
No keys or options are supported in hardware
Fragmented packet processing is not supported in hardware
OL-16147-20
6-7
Chapter 6
Information About MPLS VPNL3VPN over GRE

The MPLS VPNL3VPN over GRE feature provides a mechanism for tunneling MPLS packets over
non-MPLS networks.
MPLS VPNL3VPN over GRE allows you to create a GRE tunnel across a non-MPLS network. The
MPLS packets are encapsulated within the GRE tunnel packets, and the encapsulated packets traverse
the non-MPLS network through the GRE tunnel. When GRE tunnel packets are received at the other side
of the non-MPLS network, the GRE tunnel packet header is removed and the inner MPLS packet is
forwarded to its final destination.
The MPLS VPNL3VPN over GRE feature supports three GRE tunnel configurations:
PE-to-PE Tunneling, page 6-8
P-to-PE Tunneling, page 6-9
P-to-P Tunneling, page 6-9
PE-to-PE Tunneling
The provider edge-to-provider edge (PE-to-PE) tunneling configuration provides a scalable way to
connect multiple customer networks across a non-MPLS network. With this configuration, traffic that is
destined to multiple customer networks is multiplexed through a single GRE tunnel.
Note
A similar nonscalable alternative is to connect each customer network through separate GRE tunnels (for
example, connecting one customer network for each GRE tunnel).
As shown in Figure 1, the PE routers assign VPN routing and forwarding (VRF) numbers to the customer
edge (CE) routers on each side of the non-MPLS network.
The PE routers use routing protocols such as Border Gateway Protocol (BGP), OSPF Open Shortest Path
First (OSPF), or Routing Information Protocol (RIP) to learn about the IP networks behind the CE
routers. The routes to the IP networks behind the CE routers are stored in the associated CE routers VRF
routing table.
The PE router on one side of the non-MPLS network uses the routing protocols (that are operating within
the non-MPLS network) to learn about the PE router on the other side of the non-MPLS network. The
learned routes that are established between the PE routers are then stored in the main or default routing
table.
The opposing PE router uses BGP to learn about the routes that are associated with the customer
networks behind the PE routers. These learned routes are not known to the non-MPLS network.
For this example, BGP defines a static route to the BGP neighbor (the opposing PE router) through the
GRE tunnel that spans the non-MPLS network. Because the routes that are learned by the BGP neighbor
include the GRE tunnel next hop, all customer network traffic is sent using the GRE tunnel.
6-8
OL-16147-20
Chapter 6

PE-to-PE Tunneling
BGP
OSPF
RIP
BGP
OSPF
RIP
BGP
VPN1
VPN1
IPv4 cloud OSPF

GRE Tunnel
CE-11
No MPLS
PE-1
CE-21
PE-2
CE-12
CE-22
188951
Figure 1
P-to-PE Tunneling
As shown in Figure 2, the provider-to-provider edge (P-to-PE) tunneling configuration provides a way
to connect a PE router (P1) to an MPLS segment (PE-2) across a non-MPLS network. In this
configuration, MPLS traffic that is destined to the other side of the non-MPLS network is sent through
a single GRE tunnel.
Figure 2
P-to-PE Tunneling
MPLS/VPN
MPLS/GRE
PE-1
P1
No MPLS
188952
IPv4 cloud
GRE Tunnel
MPLS
PE-2
P-to-P Tunneling
As shown in Figure 3, the provider-to-provider (P-to-P) configuration provides a method of connecting
two MPLS segments (P1 to P2) across a non-MPLS network. In this configuration, MPLS traffic that is
destined to the other side of the non-MPLS network is sent through a single GRE tunnel.
Figure 3
P-to-P Tunneling
Any MPLS Applications (MPLS/VPN)
IPv4 cloud
GRE Tunnel
MPLS
PE-1
P1
No MPLS
MPLS
P2
PE-2
188953
MPLS/GRE
OL-16147-20
6-9
Chapter 6
How to Configure MPLS VPNL3VPN over GRE
Configuring the MPLS VPNL3VPN over GRE Tunnel Interface, page 6-10
Configuring the MPLS VPNL3VPN over GRE Tunnel Interface

To configure the MPLS VPNL3VPN over GRE feature, you must create a GRE tunnel to span the
non-MPLS networks. You must perform this procedure on the devices located at both ends of the GRE
tunnel.
Note
ACLs configured under the tunnel interface are not supported in hardware. Also, the ACLs configured
under tunnel physical interface are not applied to the tunneled traffic.
Prerequisites
Before configuring the MPLS VPNL3VPN over GRE feature, ensure that your MPLS VPN and the
appropriate routing protocols are configured and working properly. See the Prerequisites for MPLS
VPNL3VPN over GRE section on page 6-7.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface tunnel tunnel-number
4.
ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance]

[name next-hop-name] [permanent | track number] [tag tag]
5.
tunnel source source-address
6.
tunnel destination destination-address
7.
mpls ip
8.
exit
9.
show ip route
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
6-10
OL-16147-20
Chapter 6

Step 3
Command or Action
Purpose
Creates a tunnel on the specified interface and enters

interface configuration mode.
Example:
Router(config)# interface tunnel 1
Step 4
ip route prefix mask {ip-address |

interface-type interface-number [ip-address]}
[dhcp] [distance] [name next-hop-name]
[permanent | track number] [tag tag]
Configures a static route to the BGP neighbor on the SIP 2

interface or tunnel interface.
Example:
Router(config-if)# ip route 209.165.200.253
255.255.255.224 FastEthernet 0/0
Step 5
tunnel source source-address
Specifies the tunnels source IP address.
Example:
Router(config-if)# tunnel source
209.165.200.254
Step 6
tunnel destination destination-address
Specifies the tunnels destination IP address.
Example:
Router(config-if)# tunnel destination
209.165.200.255
Step 7
Enables MPLS on the tunnels physical interface.
mpls ip
Example:
Step 8
exit
Example:
Step 9
show ip route
Displays the current state of the routing table.
Example:
Router(config)# show ip route
Examples
The following example shows a GRE tunnel configuration that spans a non-MPLS network. This
example shows the tunnel configuration on the PE devices (PE1 and PE2) located at both ends of the
tunnel:
PE1 Configuration
Router(config)# interface Tunnel 1
Router(config-if)# tunnel source 209.165.200.254
Router(config-if)# tunnel destination 209.165.200.255
OL-16147-20
6-11
Chapter 6
PE2 Configuration
Router(config)# interface Tunnel 1
Router(config-if)# tunnel source 209.165.200.240
Configuration Examples for MPLS VPNL3VPN over GRE
Example: Configuring the MPLS VPNL3VPN over GRE Tunnel Interface, page 6-12
Example: Verifying Unicast Routes, page 6-13
Example: Configuring the MPLS VPNL3VPN over GRE Tunnel Interface

The following basic MPLS configuration example uses a GRE tunnel to span a non-MPLS network. This
example is similar to the configuration shown in Figure 1 on page 6-9.
PE1 Configuration
!
mpls ip
!
ip vrf vpn1
rd 100:1
route-target import 100:1
route-target export 100:1
!
interface loopback 0
ip address 209.165.200.225 255.255.255.224
!
interface GigabitEthernet 0/1/2
ip address 209.165.200.226 255.255.255.224
!
interface Tunnel 1
ip address 209.165.200.227 255.255.255.224
tunnel source 209.165.200.228
tunnel destination 209.165.200.229
mpls ip
!
ip vrf forwarding vpn1
ip address 209.165.200.230 255.255.255.224
!
router bgp 100
neighbor 209.165.200.231 remote-as 100
neighbor 209.165.200.231 update-source loopback0
!
address-family vpnv4
neighbor 209.165.200.232 activate
neighbor 209.165.200.232 send community-extended
!
address-family ipv4 vrf vpn1
!
6-12
OL-16147-20
Chapter 6

PE2 Configuration
!
mpls ip
!
ip vrf vpn1
rd 100:1
route-target import 100:1
route-target export 100:1
!
interface loopback 0
ip address 209.165.200.240 255.255.255.224
!
ip address 209.165.200.241 255.255.255.224
!
interface Tunnel 1
ip address 209.165.200.244 255.255.255.224
tunnel source 209.165.200.245
tunnel destination 209.165.200.247
mpls ip
!
ip vrf forwarding vpn1
ip address 209.165.200.249 255.255.255.224
!
router bgp 100
neighbor 209.165.200.252 update-source loopback0
!
address-family vpnv4
neighbor 209.165.200.254 send community-extended
!
address-family ipv4 vrf vpn1
Example: Verifying Unicast Routes

The following example shows how to display unicast routes. This display shows the next hop for the BGP
neighbor depending on the selected interface.
Router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O
C
O
S
209.165.200.225/32 is subnetted, 1 subnets

209.165.200.226 [110/3] via 209.165.200.250, 00:09:55, POS2/0/0
209.165.200.229 is directly connected, Loopback0
209.165.200.231 [110/2] via 209.165.200.232, 00:09:55, POS2/0/0
209.165.200.240/8 [1/0] via 209.165.200.252
OL-16147-20
6-13
Chapter 6
S
O
C
209.165.200.247 is directly connected, POS2/0/0

209.165.200.248 [110/3] via 209.165.200.249, 00:09:55, POS2/0/0
209.165.200.254/8 is directly connected, POS2/0/0
Configuring MPLS Traffic Engineering Class-Based Tunnel

Selection
Multiprotocol Label Switching (MPLS) Traffic Engineering (TE) enables you to dynamically route and
forward traffic with different class of service (CoS) values onto different TE tunnels between the same
tunnel headend and the same tailend. The TE tunnels can be regular TE tunnels or DiffServ-aware TE
(DS-TE) tunnels.
The set of TE/DS-TE tunnels from the same headend to the same tailend that you configure to carry
different CoS values is referred to as a tunnel bundle. Tunnels are bundled by creating a master
tunnel and then attaching member tunnels to the master tunnel. After configuration, CBTS dynamically
routes and forwards each packet into the tunnel that meets the following requirements:
Is configured to carry the CoS of the packet
Has the right tailend for the destination of the packet
Because CBTS offers dynamic routing over DS-TE tunnels and requires minimum configuration, it
greatly eases deployment of DS-TE in large-scale networks.
CBTS can distribute all CoS values on eight different tunnels or multiple COS value to multiple tunnels .
CBTS also allows the TE tunnels of a tunnel bundle to exit headend routers through different interfaces.
CBTS configuration involves performing the following tasks:
Creating multiple (DS-) TE tunnels with the same headend and tailend and indicating on each of
these tunnels which CoSs are to be transported on the tunnel.
Creating a master tunnel, attaching the member tunnels to it, and making the master tunnel visible
for routing.
MPLS Traffic Engineering Class-Based Tunnel Selection Restrictions and Usage Guidelines
When configuring MPLS Traffic Engineering Class-Based Tunnel Selection (CBTS), follow these
CBTS has the following prerequisites:

MPLS enabled on all tunnel interfaces
Cisco Express Forwarding (CEF) or distributed CEF (dCEF) enabled in general configuration
mode
CBTS has the following restrictions:

For a given destination, all CoS values are carried in tunnels terminating at the same tailend.
Either all CoS values are carried in tunnels or no values are carried in tunnels. In other words,
for a given destination, you cannot map some CoS values in a DS-TE tunnel and other CoS
values in a Shortest Path First (SPF) Label Distribution Protocol (LDP) or SPF IP path.
No LSP is established for the master tunnel and regular traffic engineering attributes
(bandwidth, path option, fast reroute) are irrelevant on a master tunnel. TE attributes
(bandwidth, bandwidth pool, preemption, priorities, path options, and so on) are configured
completely independently for each tunnel.
6-14
OL-16147-20
Chapter 6

CBTS does not allow load-balancing of a given EXP value in multiple tunnels. If two or more
tunnels are configured to carry a given experimental (EXP) value, CBTS picks one of these
tunnels to carry this EXP value (which is calculated through pre-defined rules).
CBTS supports aggregate control of bumping (that is, it is possible to define default tunnels to
be used if other tunnels go down). However, CBTS does not allow control of bumping if the
default tunnel goes down. CBTS does not support finer-grain control of bumping. For example,
if the voice tunnel goes down, redirect voice to T2, but if video goes down, redirect to T3.
The operation of CBTS is not supported with Any Transport over MPLS (AToM), MPLS TE
Automesh, or label-controlled (LC) ATM.
Creating Multiple MPLS Member TE or DS-TE Tunnels with the Same Headend and the Same Tailend
Perform the following task to create multiple MPLS member TE or DS-TE tunnels with the same
headend and same tailend and to configure EXP values to be carried by each of these tunnels. The
procedure begins in global configuration mode.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface tunnel number
4.
ip unnumbered type number
5.
tunnel destination {hostname | ip-address}
6.
tunnel mode mpls traffic-eng
7.
tunnel mpls traffic-eng bandwidth [sub-pool | global] bandwidth
8.
tunnel mpls traffic-eng exp [list-of-exp-values] [default]
9.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Configures a tunnel interface type and enters

Example:
numberNumber of the tunnel interface that

you want to create or configure.
OL-16147-20
6-15
Chapter 6
Step 4
Command
Purpose
Enables IP processing on an interface without

assigning an explicit IP address to the interface.
Example:
typeType of another interface on which the

router has an assigned IP address.
numberNumber of another interface on which

the router has an assigned IP address. It cannot be
another unnumbered interface.
Router(config-if)# ip unnumbered loopback0
Step 5
Example:
Step 6
tunnel mode mpls traffic-eng
Specifies the destination of the tunnel for this path

option.
hostnameName of the host destination.
ip-addressIP address of the host destination

expressed in four-part, dotted decimal notation.
Sets the mode of a tunnel to MPLS for TE.
Example:
Router(config-if)# tunnel mode mpls traffic-eng
Step 7
tunnel mpls traffic-eng bandwidth [sub-pool |

global] bandwidth
Example:
Router(config-if)# tunnel mpls traffic-eng bandwidth
100
Configures the bandwidth for the MPLS TE tunnel. If

automatic bandwidth is configured for the tunnel, use
the tunnel mpls traffic-eng bandwidth command to
configure the initial tunnel bandwidth, which is
adjusted by the auto-bandwidth mechanism.
sub-pool(Optional) Indicates a subpool

tunnel.
global(Optional) Indicates a global pool

tunnel. Entering this keyword is not necessary,
because all tunnels are global pool in the absence
of the sub-pool keyword. But if users of
pre-DiffServ-aware Traffic Engineering (DS-TE)
images enter this keyword, it is accepted.
bandwidthBandwidth, in kilobits per second,

set aside for the MPLS traffic engineering tunnel.
Range is between 1 and 4294967295.
Note
Step 8
tunnel mpls traffic-eng exp [list-of-exp-values]

[default]
You can configure any existing mpls

traffic-eng command on these TE or DS-TE
tunnels.
Specifies an EXP value or values for an MPLS TE

tunnel.
list-of-exp-valuesEXP value or values that are

are to be carried by the specified tunnel. Values
range from 0 to 7.
defaultThe specified tunnel is to carry all EXP

values that are:
Example:
Router(config-if)# tunnel mpls traffic-eng exp 7
Not explicitly allocated to another tunnel

Allocated to a tunnel that is currently down
6-16
OL-16147-20
Chapter 6

Step 9
Command
Purpose
exit
Exits to global configuration mode.
Example:
Repeat Step 1 through Step 7 on the same headend router to create additional tunnels from this headend to the same tailend.
Creating a Master Tunnel, Attaching Member Tunnels, and Making the Master Tunnel Visible
Perform the followings task to create a master tunnel, attach member tunnels to it, and make the master
tunnel visible for routing. The procedure begins in global configuration mode.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
6.
tunnel mode mpls traffic-eng exp-bundle master
7.
tunnel mode mpls traffic-eng exp-bundle member tunnel-id
8.
tunnel mpls traffic-eng autoroute announce
9.
tunnel mpls traffic-eng autoroute metric {absolute | relative} value
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Configures a tunnel interface type and enters

Example:
numberNumber of the tunnel interface that

you want to create or configure.
OL-16147-20
6-17
Chapter 6
Step 4
Command
Purpose
Enables IP processing on an interface without

assigning an explicit IP address to the interface.
Example:
typeType of another interface on which the

router has an assigned IP address.
numberNumber of another interface on which

the router has an assigned IP address. It cannot
be another unnumbered interface.
Step 5
Example:
Step 6
tunnel mode mpls traffic-eng exp-bundle master
Specifies the destination of the tunnel for this path

option.
hostnameName of the host destination.
ip-addressIP address of the host destination

expressed in four-part, dotted decimal notation.
Specifies this is the master tunnel for the CBTS

configuration.
Example:
exp-bundle master
Step 7
tunnel mode mpls traffic-eng exp-bundle member

tunnel-id
Attaches a member tunnel to the master tunnel.
Example:
exp-bundle member Tunnel20000
tunnel-idNumber of the tunnel interface to be

attached to the master tunnel.
Repeat this command for each member tunnel.
6-18
OL-16147-20
Chapter 6

Step 8
Command
Purpose
tunnel mpls traffic-eng autoroute announce
Specifies that the Interior Gateway Protocol (IGP)

should use the tunnel (if the tunnel is up) in its
enhanced shortest path first (SPF) calculation.
Example:
Router(config-if)# tunnel mpls traffic-eng autoroute
announce
Step 9
tunnel mpls traffic-eng autoroute metric {absolute |

relative} value
(Optional) Specifies the MPLS TE tunnel metric that

the IGP-enhanced SPF calculation uses.
absoluteIndicates the absolute metric mode;

you can enter a positive metric value.
relativeIndicates the relative metric mode;

you can enter a positive, negative, or zero value.
valueMetric that the IGP enhanced SPF

calculation uses. The relative value can be from
-10 to 10.
Example:
Router(config-if)# tunnel mpls traffic-eng autoroute
metric relative -1
Note
Note
Even though the value for a relative metric

can be from -10 to +10, configuring a tunnel
metric with a negative value is considered a
misconfiguration. If the metric to the tunnel
tailend appears to be 4 from the routing
table, then the cost to the tunnel tailend
router is actually 3 because 1 is added to the
cost for getting to the loopback address. In
this instance, the lowest value that you can
configure for the relative metric is -3.
Alternatively, static routing could be used instead of autoroute to make the TE or DS-TE tunnels visible
for routing.
Example
The following example shows how to configure Multiprotocol Label Switching (MPLS) Traffic
Engineering (TE) Class-Based Tunnel Selection (CBTS). Tunnel1, Tunnel2, and Tunnel3 are member
tunnels, and Tunnel4 is the master tunnel.
Router# enable
Router(config)# interface Tunnel1
Router(config-if)# interface destination 24.1.1.1
Router(config-if)# tunnel mpls traffic-eng bandwidth sub-pool 30000
Router(config-if)# tunnel mpls traffic-eng exp 5
Router(config-if)# tunnel mpls traffic-eng bandwidth 50000
Router(config-if)# tunnel mpls traffic-eng exp 3 4
OL-16147-20
6-19
Chapter 6

Router(config-if)# tunnel mpls traffic-eng bandwidth 10000
Router(config-if)# tunnel mpls traffic-eng exp default
Router(config-if)# tunnel mpls traffic-eng exp-bundle master
Router(config-if)# tunnel mpls traffic-eng exp-bundle member Tunnel1
Router(config-if)# tunnel mpls traffic-eng autoroute enable
Verifying the MPLS Configuration

The following show commands can be used to verify that the MPLS TE or DS-TE tunnels are operating
and announced to the IGP. The commands are all entered in privileged EXEC configuration mode.
Command
Purpose
show mpls traffic-eng topology {A.B.C.D | igp-id

{isis nsap-address | ospf A.B.C.D} [brief]}
Shows the MPLS traffic engineering global topology as

currently known at this node.
A.B.C.DSpecifies the node by the IP address (router

identifier to interface address).
igp-idSpecifies the node by IGP router identifier.
isis nsap-addressSpecifies the node by router

identification (nsap-address) if you are using Integrated
Intermediate System-to-Intermediate System (IS-IS).
ospf A.B.C.DSpecifies the node by router identifier if

you are using Open Shortest Path First (OSPF).
briefProvides a less-detailed version of the topology.
show mpls traffic-eng exp
Displays EXP mapping.
show ip cef [type number] [detail]
Displays entries in the forwarding information base (FIB) or

displays a summary of the FIB.
type numberIdentifies the interface type and number for

which to display FIB entries.
detailDisplays detailed FIB entry information.
6-20
OL-16147-20
Chapter 6

Command
Purpose
show mpls forwarding-table [network {mask | length}

[detail]]
Displays the contents of the MPLS label forwarding

information base (LFIB).
show mpls traffic-eng autoroute
networkIdentifies the destination network number.
maskIdentifies the network mask to be used with the

specified network.
lengthIdentifies the number of bits in the destination

mask.
detailDisplays information in long form (includes

length of encapsulation, length of MAC string, maximum
transmission unit [MTU], and all labels).
Displays tunnels that are announced to the Interior Gateway

Protocol (IGP).
The show mpls traffic-eng topology command output displays the MPLS TE global topology:
Router# show mpls traffic-eng topology 10.0.0.1
IGP Id: 10.0.0.1, MPLS TE Id:10.0.0.1 Router Node (ospf 10 area 0) id 1
link[0]: Broadcast, DR: 180.0.1.2, nbr_node_id:6, gen:18
frag_id 0, Intf Address:180.0.1.1
TE metric:1, IGP metric:1, attribute_flags:0x0
SRLGs: None
physical_bw: 100000 (kbps), max_reservable_bw_global: 1000 (kbps)
max_reservable_bw_sub: 0 (kbps)
Global Pool
Sub Pool
Total Allocated
Reservable
Reservable
BW (kbps)
BW (kbps)
BW (kbps)
---------------------------------bw[0]:
0
1000
0
bw[1]:
0
1000
0
bw[2]:
0
1000
0
bw[3]:
0
1000
0
bw[4]:
0
1000
0
bw[5]:
0
1000
0
bw[6]:
0
1000
0
bw[7]:
100
900
0
link[1]: Broadcast, DR: 180.0.2.2, nbr_node_id:7, gen:19
frag_id 1, Intf Address:180.0.2.1
TE metric:1, IGP metric:1, attribute_flags:0x0
SRLGs: None
physical_bw: 100000 (kbps), max_reservable_bw_global: 1000 (kbps)
max_reservable_bw_sub: 0 (kbps)
Global Pool
Sub Pool
Total Allocated
Reservable
Reservable
BW (kbps)
BW (kbps)
BW (kbps)
---------------------------------bw[0]:
0
1000
0
bw[1]:
0
1000
0
bw[2]:
0
1000
0
bw[3]:
0
1000
0
bw[4]:
0
1000
0
bw[5]:
0
1000
0
bw[6]:
0
1000
0
bw[7]:
0
1000
0
OL-16147-20
6-21
Chapter 6
The show mpls traffic-eng exp command output displays EXP mapping information about a tunnel:
Router# show mpls traffic-eng exp
Destination: 10.0.0.9
Master:Tunnel10Status: IP
Members: StatusConf EXPActual EXP
Tunnel1UP/ACTIVE55
Tunnel2UP/ACTIVEdefault0 1 2 3 4 6 7
Tunnel3UP/INACTIVE(T)2
Tunnel4DOWN3
Tunnel5UP/ACTIVE(NE)
(T)=Tailend is different to master
(NE)=There is no exp value configured on this tunnel.
The show ip cef detail command output displays detailed FIB entry information for a tunnel:
Router# show ip cef tunnel1 detail
IP CEF with switching (Table Version 46), flags=0x0
31 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 2
2 instant recursive resolutions, 0 used background process
8 load sharing elements, 8 references
6 in-place/0 aborted modifications
34696 bytes allocated to the FIB table data structures
universal per-destination load sharing algorithm, id 9EDD49E1
1(0) CEF resets
Resolution Timer: Exponential (currently 1s, peak 1s)
Tree summary:
8-8-8-8 stride pattern
short mask protection disabled
31 leaves, 23 nodes using 26428 bytes
Table epoch: 0 (31 entries at this epoch)
Adjacency Table has 13 adjacencies
10.0.0.9/32, version 45, epoch 0, per-destination sharing
0 packets, 0 bytes
tag information set, all rewrites inherited
local tag: tunnel head
via 0.0.0.0, Tunnel1, 0 dependencies
traffic share 1
next hop 0.0.0.0, Tunnel1
valid adjacency
tag rewrite with Tu1, point2point, tags imposed {12304}
0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes
The show mpls forwarding-table detail command output displays detailed information from the MPLS
LFIB:
Router# show mpls forwarding 10.0.0.9 detail
Local Outgoing
Prefix
Bytes tag Outgoing
Next Hop
tag
tag or VC
or Tunnel Id
switched
interface
Tun hd Untagged
10.0.0.9/32
0
Tu1
point2point
MAC/Encaps=14/18, MRU=1500, Tag Stack{12304}, via Fa6/0
00027D884000000ED70178A88847 03010000
No output feature configured
Per-exp selection: 1
Untagged
10.0.0.9/32
0
Tu2
point2point
00027D884001000ED70178A98847 03011000
6-22
OL-16147-20
Chapter 6


Per-exp selection: 2 3
Untagged
10.0.0.9/32
0
Tu3
point2point
00027D884001000ED70178A98847 03012000
Per-exp selection: 4 5
Untagged
10.0.0.9/32
0
Tu4
point2point
00027D884001000ED70178A98847 03013000
Per-exp selection: 0 6 7
The show mpls traffic-eng autoroute command output displays tunnels that are announced to the
Interior Gateway Protocol (IGP).
Router# show mpls traffic-eng autoroute
MPLS TE autorouting enabled
destination 10.0.0.9, area ospf 10
Tunnel1
(load balancing metric
(flags: Announce)
Tunnel2
(flags: Announce)
Tunnel3
(flags: Announce)
Tunnel4
(flags: Announce)
area 0, has 4 tunnels

20000000, nexthop 10.0.0.9)
20000000, nexthop 10.0.0.9)
20000000, nexthop 10.0.0.9)
20000000, nexthop 10.0.0.9)

Virtual Private LAN Service (VPLS) enables geographically separate LAN segments to be
interconnected as a single bridged domain over a packet switched network, such as IP, MPLS, or a hybrid
of both.
VPLS solves the network reconfiguration problems at the customer equipment (CE) that is associated
with Layer 2 Virtual Private Network (L2VPN) implementations. The current Cisco IOS software
L2VPN implementation builds a point-to-point connection to interconnect the two attachment VCs of
two peering customer sites. To communicate directly among all sites of an L2VPN network, a distinct
emulated VC needs to be created between each pair of peering attachment VCs.
For example, when two sites of the same L2VPN network are connected to the same PE, you must
establish two separate emulated VCs towards a given remote site, instead of sharing a common emulated
VC between these two sites. For an L2VPN customer who uses the service provider backbone to
interconnect its LAN segments, the current implementation effectively turns its multiaccess broadcast
network into a fully meshed point-to-point network, which requires extensive reconfiguration on the
existing CE devices.
VPLS is a multipoint L2VPN architecture that connects two or more customer devices using EoMPLS
bridging techniques. VPLS with EoMPLS uses an MPLS-based provider core, where the PE routers have
to cooperate to forward customer Ethernet traffic for a given VPLS instance in the core.
VPLS uses the provider core to join multiple attachment circuits together to simulate a virtual bridge
that connects the multiple attachment circuits together. From a customer point of view, there is no
topology for VPLS. All of the CE devices appear to connect to a logical bridge emulated by the provider
core.
OL-16147-20
6-23
Chapter 6
This section describes how to configure Virtual Private LAN Services (VPLS) on the Optical Services
Modules (OSMs) and covers the topics below:
VPLS Overview, page 6-24
Restrictions for VPLS, page 6-24
Configuring H-VPLS with Port-Channel Core Interface, page 6-28
Supported Features, page 6-30
VPLS Services, page 6-32
Benefits of VPLS, page 6-33
Configuring VPLS, page 6-33
Basic VPLS Configuration, page 6-34
Full-Mesh Configuration Example, page 6-52
H-VPLS with MPLS Edge Configuration Example, page 6-54
Configuring Dot1q Transparency for EoMPLS, page 6-57
VPLS Overview
Virtual Private LAN Services (VPLS) uses the provider core to join multiple attachment circuits together
to simulate a virtual bridge that connects the multiple attachment circuits together. From a customer
point of view, there is no topology for VPLS. All of the CE devices appear to connect to a logical bridge
emulated by the provider core. See Figure 6-4.
Figure 6-4
VPLS
VPLS A
VPLS A
SP Backbone
PE
PE
Access
Network
PE
Logical Bridge
VPLS B
VPLS A
132992
VPLS B
Full-mesh, hub and spoke, and Hierarchical VPLS (H-VPLS) with MPLS edge configurations are
available.
Restrictions for VPLS

The following general restrictions pertain to all transport types under VPLS:
6-24
OL-16147-20
Chapter 6

Split horizon is the default configuration to avoid broadcast packet looping and to isolate Layer 2
traffic. With split horizon, a packet coming from a WAN interface never goes back to another WAN
interface (it always get switched to a Layer 2 interface). Split horizon prevents packets received from
an emulated VC from being forwarded into another emulated VC. This technique is important for
creating loop-free paths in a full-meshed network.
The Cisco 7600 series routers support a maximum of 60 peer PEs and a maximum of 15,000 VCs.
For example, you can configure 15,000 VCs as 1,000 VFIs with 15 VPLS peers per VFI.
Note
The 60 peer PEs are distributed between the MPLS edge and the core; do not assume there
are 60 peer PEs on each side.
No software-based data plane is supported.
No auto-discovery mechanism is supported.
Load sharing and failover on redundant CE-PE links are not supported.
The addition or removal of MAC addresses with Label Distribution Protocol (LDP) is not supported.
On the Cisco 7600 series router, the virtual forwarding instance (VFI) is supported only with the
interface vlan command.
Switched Virtual Interface (SVI) Ethernet over MPLS (EoMPLS) does not support layer 3
etherchannel sub-interface.
Full-Mesh Configuration
The full-mesh configuration requires a full mesh of tunnel label switched paths (LSPs) between all the
PEs that participate in the VPLS. With full-mesh, signaling overhead and packet replication
requirements for each provisioned VC on a PE can be high.
You set up a VPLS by first creating a virtual forwarding instance (VFI) on each participating PE router.
The VFI specifies the VPN ID of a VPLS domain, the addresses of other PE routers in the domain, and
the type of tunnel signaling and encapsulation mechanism for each peer PE router.
The set of VFIs formed by the interconnection of the emulated VCs is called a VPLS instance; it is the
VPLS instance that forms the logic bridge over a packet switched network. The VPLS instance is
assigned a unique VPN ID.
The PE routers use the VFI to establish a full-mesh LSP of emulated VCs to all the other PE routers in
the VPLS instance. PE routers obtain the membership of a VPLS instance through static configuration
using the Cisco IOS CLI.
The full-mesh configuration allows the PE router to maintain a single broadcast domain. Thus, when the
PE router receives a broadcast, multicast, or unknown unicast packet on an attachment circuit, it sends
the packet out on all other attachment circuits and emulated circuits to all other CE devices participating
in that VPLS instance. The CE devices see the VPLS instance as an emulated LAN.
To avoid the problem of a packet looping in the provider core, the PE devices enforce a "split-horizon"
principle for the emulated VCs. That means if a packet is received on an emulated VC, it is not forwarded
on any other emulated VC.
After the VFI has been defined, it needs to be bound to an attachment circuit to the CE device.
The packet forwarding decision is made by looking up the Layer 2 virtual forwarding instance (VFI) of
a particular VPLS domain.
OL-16147-20
6-25
Chapter 6
A VPLS instance on a particular PE router receives Ethernet frames that enter on specific physical or
logical ports and populates a MAC table similarly to how an Ethernet switch works. The PE router can
use the MAC address to switch those frames into the appropriate LSP for delivery to the another PE
router at a remote site.
If the MAC address is not in the MAC address table, the PE router replicates the Ethernet frame and
floods it to all logical ports associated with that VPLS instance, except the ingress port where it just
entered. The PE router updates the MAC table as it receives packets on specific ports and removes
addresses not used for specific periods.
Hub and Spoke

In a hub-and-spoke model, the PE router that acts as the hub establishes a point-to-multipoint forwarding
relationship with all PE routers at the spoke sites. An Ethernet or VLAN packet received from the
customer network on the hub PE can be forwarded to one or more emulated VCs.
The PE routers that act as the spoke establish a point-to-point connection to the PE at the hub site.
Ethernet or VLAN packets received from the customer network on the spoke PE are forwarded to the
VFI or VPLS instance at the hub. If there are a number of customer sites connecting to the spoke, you
can terminate multiple VCs per spoke into the same VFI or VPLS instance at the hub.
Hierarchical Virtual Private LAN Service (H-VPLS) with MPLS to the Edge
In a flat or non-hierarchical VPLS configuration, a full mesh of pseudowires (PWs) is needed between
all PE nodes. A pseudowire defines a VLAN and its corresponding pseudoport.
Hierarchical Virtual Private LAN Service (H-VPLS) reduces both signaling and replication overhead by
using a combination of full-mesh and hub-and-spoke configurations. Hub-and-spoke configurations
operate with split horizon to allow packets to be switched between PWs, which effectively reduce the
number of PWs between PEs.
6-26
OL-16147-20
Chapter 6

Figure 6-5
H-VPLS with MPLS to the Edge Network
L2VPN
router
802.3
.1Q
CE1
PE-CLE
7600s
AToM
or
L2TPv3
Full Mesh LDP

PE-PoP
PE-PoP
CE4
PSN
CE2a
MPLS network
400
CE2b
401
SP applied VCLabel & Tunnel LSP

PE-PoP
Data
401 EType SA
DA
100
158088
VPLS functioning
between
participating PEs
Customer applied
VLAN Tags for WG
isolation (CE-VLAN)
33
In the H-VPLS with MPLS to the edge architecture, Ethernet Access Islands (EAIs) work in combination
with a VPLS core network, with MPLS as the underlying transport mechanism. EAIs operate like
standard Ethernet networks. In Figure 6-5, devices CE1, CE2a, and CE2b reside in an EAI. Traffic from
any CE devices within the EAI is switched locally within the EAI by the user-facing provider edge (UPE)
device along the computed spanning-tree path. Each UPE device is connected to one or more
network-facing provider edge (NPE) devices using PWs. The traffic local to the UPE is not forwarded
to any network-facing provider edge (NPE) devices.
VPLS Configuration Guidelines

When configuring VPLS on a Cisco 7600 Series ES+ line card, consider the following guidelines:
The Cisco 7600 Series ES+ line card supports up to 4096 (4K) VPLS domains per Cisco 7600 series
router.
The Cisco 7600 Series ES+ line card supports up to 110 VPLS peers per domain per Cisco 7600
series router.
The Cisco 7600 Series ES+ line card supports up to 32,000 pseudowires (except when the
core-facing interface is a port-channel interface), used in any combination of domains and peers up
to the 4096-domain or 110-peer maximums. For example, up to 4000 domains with 7 peers, up to
60 peers in 500 domains, or 110 peers in 273 domains.
When configuring VPLS on a Cisco 7600 Series ES+ line card, consider the following guidelines:
QinQ is supported in a VPLS instance using EVC, L3 MPLS, VPN and, EoMPLS.
H-VPLS with QinQ edgeRequires a Cisco 7600 Series ES+ line card in the uplink, and any
LAN port or Cisco 7600 Series ES+ line cards on the downlink.
H-VPLS with MPLS edge requires either an optical service module, Cisco 7600 SIP-600,
Cisco 7600 SIP-400, or Cisco 7600 Series ES+ line cards in both the downlink (facing UPE) and
uplink (MPLS core). The ES20 and ES40 cards support port-channel interfaces on the core side of
the router, for VPLS and H-VPLS.
OL-16147-20
6-27
Chapter 6
Configuring H-VPLS with Port-Channel Core Interface
The Cisco 7600 Series ES+ line cards provide Transparent LAN Services (TLS) and Ethernet Virtual
Connection Services (EVCS).
The Cisco 7600 Series ES+ line cards support the following VPLS features:
H-VPLS with MPLS edge
H-VPLS with QinQ edge
VPLS with point-to-multipoint EoMPLS and fully-meshed PE configuration
For information about configuring VPLS on the Cisco 7600 Series ES+ line cards, consider the
guidelines in this document and refer to
http://www.cisco.com/en/US/products/hw/routers/ps368/products_white_paper09186a00801df1df.sht
ml and
http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/7600series/
76cfgeth.html

Hierarchical VPLS (H-VPLS) reduces both signaling and replication overhead by using both full-mesh
as well as hub and spoke configurations. Hub and spoke configurations operate with split horizon to
allow packets to be switched between pseudo-wires (PWs), effectively reducing the number of PWs
between PEs.
Note
Split horizon is the default configuration to avoid broadcast packet looping. To avoid looping when using
the no-split-horizon keyword, be very mindful of your network configuration.
Previously, VPLS was supported only on physical interfaces and subinterfaces. The H-VPLS with
Port-Channel Core Interface feature adds support for VPLS on port-channels in Cisco IOS Release
12.2(33)SRE.
Use this feature to:
Configure VPLS on the port-channel interfaces of the ES+ line card using a load balancing
mechanism.
Match the capabilities and requirements of the VPLS in a single link. Due to multiple links in a link
aggregation (LAG), the packets of a particular flow are always transmitted only to a single link.
Configure VPLS with port-channel interfaces as the core facing interface, where the member links
of the port-channel are from a ES20 or ES40 line card. The load-balancing is per-flow based, where
the traffic of a VPLS VC is load-balanced across member links based on the flow.

Follow these restrictions and guidelines to configure H-Virtual Private LAN Service (VPLS) within a
port-channel core interface:
The ES+ linecard supports 32,000 pseudowires on a Cisco 7600 series router, except when the
core-facing interface is a PoCH interface.
VPLS over core-facing PoCH interfaces is supported in Cisco IOS Release 12.2(33)SRE.
6-28
OL-16147-20
Chapter 6

When a fat pseudo-wire (FAT P/W) is configured, the core-facing interface should be from a ES20
or a ES40 line card.
A provider edge (PE) router should match the configuration of the FAT P/W load balance option, for
the respective VLAN.
PE router link aggregation groups (LAG) are supported on the ES40 line card, for VPLS imposition
or disposition functions.
A fat P/W should be uniformly enabled across all peer PE routers.
Provider router load balancing is supported on the ES40 line card.
Maximum of 6 VPLS capable port-channels are supported.
A highly scaled VPLS or a highly scaled multicast configuration over VPLS on port-channel
interfaces can impact LACP fast switchover convergence.
On the Cisco 7600 series router, the virtual forwarding instance (VFI) is supported only with the
interface vlan command
1.
enable
2.
configure platform
3.
platform vfi load-balance-label vlan [vlan|vlan-vlan]
SUMMARY STEPS
or
port-channel load-balance src-dst-mixed-ip-port
or
[no] port-channel load-balance mpls
or
[no] platform mpls load-balance ingress-port
4.
exit
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
OL-16147-20
6-29
Chapter 6
Step 3
Command
Purpose
[no] platform vfi load-balance-label

vlan [vlan|vlan-vlan]
Configures fat pseudowire load balance label.
Example:
Router(config)# platform vfi
load-balance-label vlan 5
or
port-channel load-balance
src-dst-mixed-ip-port
Example:
Router(config)# port-channel
load-balance src-dst-mixed-ip-port
Configures port-channel load balancing.

The src-dst-mixed-ip-port mode allows load balance of
IPV4 packets by source and destination MAC address,
source and destination IP address and TCP/UDP port
number.
or
[no] port-channel load-balance mpls

[label|label-ip]
Configures port-channel load balancing. The mpls mode

uses the MPLS label or IP address during load balancing.
Example:
Router(config)# port-channel
load-balance mpls label
or
[no] platform mpls load-balance
ingress-port
Configures ingress port-based load balancing on the

P-router. Use the no form of the command to disable the
configuration.
Example:
Router(config)# platform mpls
load-balance ingress-port
Step 4
exit
Exits from the configuration mode.
Supported Features
FAT PW Load balancing
Fat pseudo-wire load balancing balances the VPLS VC traffic across the core network. An additional
load balance label is inserted along with the VPLS VC labels such as VC label and IGP label at the PE
side. The remote end PE removes the load-balance label on the packet. For a single VC, the load-balance
label is calculated based on flow information of a VC.
You can use the following load balance types to streamline the traffic between peer VCs:
ECMP load-balancing: In a core network, multiple ECMP paths are used to reach the remote PE.
Application of the load-balance label balances the traffic load across the multiple paths. This is
because the load-balance label is different for different flows of a VC and the hash algorithm using
the mpls label for load-balancing generates a different hash to distribute the traffic.
Port-channel load-balancing: In a core network, if the selected path is a port-channel, the member
links are load balanced due to modifications in the load balance label.
6-30
OL-16147-20
Chapter 6

You can use the [no] platform vfi load-balance-label vlan [vlan|vlan-vlan] command to configure the
fat pseudo-wire load balancing per vlan on a PE router irrespective of the core facing interface being a
port-channel or a non port-channel.
You can use the [no] port-channel load-balance src-dst-mixed-ip-port and the [no] port-channel
load-balance mpls commands for port-channel load balancing.l
You can use the [no] platform mpls load-balance ingress-port command for ingress port-based P
router load balalncing.
Multipoint-to-Multipoint Support
Two or more devices are associated over the core network. No one device is designated as the Root node,
but all devices are treated as Root nodes. All frames can be exchanged directly between nodes.
Non-Transparent Operation
A virtual Ethernet connection (VEC) can be transparent or non-transparent with respect to Ethernet
PDUs (that is, BPDUs). The purpose of VEC non-transparency is to allow the end user to have a Frame
Relay-type service between Layer 3 devices.
Circuit Multiplexing
Circuit Multiplexing allows a node to participate in multiple services over a single Ethernet connection.
By participating in multiple services, the Ethernet connection is attached to multiple logical networks.
Some examples of possible service offerings are VPN services between sites, Internet services, and
third-party connectivity for intercompany communications.
MAC-Address Learning Forwarding and Aging

PEs must learn remote MAC addresses and directly attached MAC addresses on customer facing ports.
MAC address learning accomplishes this by deriving topology and forwarding information from packets
originating at customer sites. A timer is associated with stored MAC addresses. After the timer expires,
the entry is removed from the table.
Jumbo Frame Support

Jumbo frame support provides support for frame sizes between 1548 through 9216 bytes. You use the
CLI to establish the jumbo frame size for any value specified in the above range. The default value is
1500 bytes in any Layer 2/VLAN interface. You can configure jumbo frame support on a per-interface
basis.
Q-in-Q Support and Q-in-Q to EoMPLS Support

With 802.1Q tunneling (Q-in-Q), the CE issues VLAN-tagged packets and the VPLS forwards the
packets to a far-end CE. Q-in-Q refers to the fact that one or more 802.1Q tags may be located in a packet
within the interior of the network. As packets are received from a CE device, an additional VLAN tag is
added to incoming Ethernet packets to segregate traffic from different CE devices. Untagged packets
originating from the CE use a single tag within the interior of the VLAN switched network, while
previously tagged packets originating from the CE use two or more tags.
OL-16147-20
6-31
Chapter 6
TE-FRR Support on VPLS LAG NNI

In an MPLS environment, traffic engineering (TE) provides a fast protection mechanism for link and
node failures using fast reroute (FRR). On the Cisco 7600 series router, TE/FRR across port-channel
bundles is supported using Bidirectional Forwarding Detection (BFD), Reservation Protocol (RSVP)
fast hello packets, min-link or max-bundle configuration. The default interval for hello packets is 200
milliseconds. It takes three hello packets (600 milliseconds) to detect the downtime of a bundle.
The Link Aggregation Control Protocol (LACP) fast switchover with fast link detection, takes about 200
to 600 milliseconds from the time a link has failed to the time the line card has processed the membership
change request. TE/FRR measurements are highly dependent on LACP convergence, RSVP fast hello
interval, and, LTL programming.
Traffic engineering fast reroute (TE-FRR) for VPLS over port-channel (PoCH) is supported in Cisco IOS
Release 15.0(1)S.
For more information on MPLS Traffic Engineering (TE) - Fast Reroute (FRR), see the MPLS Traffic
Engineering (TE) - Fast Reroute (FRR) Link and Node Protection feature guide at the following url:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_te_frr_node_prot.html
BPDU PW Over LAG NNI

BPDU PW can be provisioned over a port channel interface. Provisioning BPDU PW on a port channel
enables you to benefit from the link redundancy provided by LAG-NNI. The redundancy helps
pseudowire to remain always UP.
Effective from Cisco IOS Release 15.1(2)S, this feature is supported on the Cisco 7600 series routers.
For configuration information, see Configuring BPDU PW on a Port Channel, page 6-46.
VPLS Services
Transparent LAN Service (TLS) and Ethernet Virtual Connection Service (EVCS) are available for
service provider and enterprise use.
Transparent LAN Service (TLS)Use when you need transparency of bridging protocols (for
example, bridge protocol data units [BPDUs]) and VLAN values. Bridges see this service as an
Ethernet segment.
Note
You must enable Layer 2 protocol tunneling to run the Cisco Discovery Protocol (CDP), the
VLAN Trunking Protocol (VTP), and the Spanning-Tree Protocol (STP). See Chapter 18,
Configuring IEEE 802.1Q Tunneling in the Cisco 7600 Series Cisco IOS Software
Configuration Guide, 15.0SR.
Ethernet Virtual Connection Service (EVCS)Use when you need routers to reach multiple intranet
and extranet locations from a single physical port. Routers see subinterfaces through which they
access other routers.
Transparent LAN Service

TLS is an extension to the point-to-point port-based EoMPLS. With TLS, the PE router forwards all
Ethernet packets received from the customer-facing interface (including tagged, untagged, and BPDUs)
as follows:
6-32
OL-16147-20
Chapter 6

To a local Ethernet interface or an emulated VC if the destination MAC address is found in the Layer
2 forwarding table.
To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the
destination MAC address is a multicast or broadcast address or if the destination MAC address is
not found in the Layer 2 forwarding table.
Ethernet Virtual Connection Service

EVCS is an extension to the point-to-point VLAN-based EoMPLS. With EVCS, the PE router forwards
all Ethernet packets with a particular VLAN tag received from the customer-facing interface (excluding
BPDUs) as follows:
Note
To a local Ethernet interface or to an emulated VC if the destination MAC address is found in the
Layer 2 forwarding table.
To all other local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the
destination MAC address is a multicast or broadcast address or if the destination MAC address is
Because it has only local significance, the demultiplexing VLAN tag that identifies a VPLS domain is
removed before forwarding the packet to the outgoing Ethernet interfaces or emulated VCs.
Benefits of VPLS
VPLS (Virtual Private LAN Service) enables enterprises to link together their Ethernet-based LANs
from multiple sites via the infrastructure provided by their service provider. From the enterprise
perspective, the service provider's public network looks like one giant Ethernet LAN. For the service
provider, VPLS provides an opportunity to deploy another revenue-generating service on top of their
existing network without major capital expenditures. Operators can extend the operational life of
equipment in their network.
Configuring VPLS
This section explains how to perform a basic VPLS configuration.
Note
Provisioning a VPLS link involves provisioning the associated attachment circuit and the VFI on the PE.
Note
VPLS is supported on Supervisor Engine 720-based systems and RSP720.
Prerequisites
Before you configure VPLS, ensure that the network is configured as follows:
Configure IP routing in the core so that the PE routers can reach each other via IP.
Configure MPLS in the core so that a label switched path (LSP) exists between the PE routers.
OL-16147-20
6-33
Chapter 6
Configure a loopback interface for originating and terminating Layer 2 traffic. Make sure the PE
routers can access the other router's loopback interface. Note that the loopback interface is not
needed in all cases. For example, tunnel selection does not need a loopback interface when VPLS is
directly mapped to a TE tunnel.
Supported Modules
Customer facing interfaces are all Ethernet/ Fast Ethernet/ Gigabit Ethernet interfaces based on Layer 2
Catalyst LAN ports.
Basic VPLS Configuration

VPLS configuration requires you to identify peer PE routers and to attach Layer 2 circuits to the VPLS
at each PE router.
VPLS configuration requires the following:
Configuring the PE Layer 2 Interface to the CE, page 6-34
Configuring Layer 2 VLAN Instance on the PE, page 6-40
Configuring MPLS WAN Interface on the PE, page 6-41
Configuring MPLS in the PE, page 6-42
Configuring the VFI in the PE, page 6-43
Associating the Attachment Circuit with the VSI at the PE, page 6-45
Configuring BPDU PW on a Port Channel, page 6-46
Configuring the PE Layer 2 Interface to the CE

You must configure the Layer 2 interface as a switchport for local bridging. You have the option of
selecting tagged or untagged traffic from the CE device.
Note
It is important to define the trunk VLANs; use the switchport trunk allow vlan command as shown in
the first example below.
SUMMARY STEPS 802.1Q Trunk for Tagged Traffic from the CE
Note
1.
2.
3.
switchport
4.
5.
switchport trunk allow vlan
6.
When EVCS is configured, the PE router forwards all Ethernet packets with a particular VLAN tag to a
local Ethernet interface or emulated VC if the destination MAC address is found in Layer 2 forwarding
table.
6-34
OL-16147-20
Chapter 6

DETAILED STEPS
Step 1
Command or Action
Purpose
Example:
Router(config)# interface fastethernet 2/4
Step 2

mode.
Example:
Step 3
Modifies the switching characteristics of the Layer

2-switched interface.
switchport
Example:
Step 4
Sets the switch port encapsulation format to 802.1Q.
Example:
Router(config-if)# switchport trunk
encapsulation dot1q
Step 5
switchport trunk allow vlan
Sets the list of allowed VLANs.
Example:
Router(config-if)# switchport trunk allow vlan
501
Step 6
Sets the interface to a trunking VLAN Layer 2 interface.
Example:
This example shows how to configure the tagged traffic.

Router(config-if)# switchport trunk encapsulation dot1q
Router(config-if)# switchport trunk allow vlan 501
This example shows how to use the show run interface command to verify the configuration.
Router# show run interface GigabitEthernet4/4
!
no ip address
switchport
OL-16147-20
6-35
Chapter 6
end
SUMMARY STEPS
Option 2802.1Q Access Port for Untagged Traffic from CE
1.
2.
3.
speed [1000 | nonegotiate]
4.
switchport
5.
6.
DETAILED STEPS
Step 1
Command or Action
Purpose
Example:
Step 2

mode.
Example:
Step 3
Example:
Sets the port speed for an Ethernet interface; enables or

disables the link negotiation protocol on the Gigabit
Ethernet ports.
Router(config-if)# speed nonegotiate
Step 4

switchport
Example:
Step 5
Sets the interface type to nontrunking, nontagged single

VLAN Layer 2 interface.
Example:
Step 6
Sets the VLAN when the interface is in Access mode.
Example:
This example shows how to configure the untagged traffic.

6-36
OL-16147-20
Chapter 6

!
speed nonegotiate
switchport
end
SUMMARY STEPS
Option 3Using Q-in-Q to Place All VLANs into a Single VPLS
Note
1.
2.
3.
4.
switchport
5.
6.
7.
When TLS is configured, the PE router forwards all Ethernet packets received from the CE device to all
local Ethernet interfaces and emulated VCs belonging to the same VPLS domain if the MAC address is
DETAILED STEPS
Step 1
Command or Action
Purpose
Example:
Step 2

mode.
Example:
Step 3
Example:
Sets the port speed for an Ethernet interface; enables or

disables the link negotiation protocol on the Gigabit
Ethernet ports.
OL-16147-20
6-37
Chapter 6
Step 4

switchport
Example:
Step 5
Sets the VLAN when the interface is in Access mode.
Example:
Step 6
Sets the interface as an 802.1Q tunnel port.
Example:
Router(config-if)# switchport mode dot1q-tunnel
Step 7
Enables protocol tunneling on an interface.
Example:
Router(config-if)# l2protocol-tunnel cdp
This example shows how to configure the tagged traffic.

Router(config-if)# switchport mode dot1q-tunnel
Router(config-if)# l2protocol-tunnel cdp
!
no ip address
speed nonegotiate
switchport
l2protocol-tunnel cdp
end
Use the show spanning-tree vlan command to verify the port is not in a blocked state.
VLAN0501
Spanning tree enabled protocol ieee
Root ID
Priority
33269
Address
0001.6446.2300
Hello Time
Bridge ID
Priority
Address
0001.6446.2300
Hello Time
Aging Time 0
6-38
OL-16147-20
Chapter 6

Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- --------------------------------------Gi4/4
Desg FWD 4
128.388 P2p
OL-16147-20
6-39
Chapter 6
Use the show vlan id command to verify that a specific port is configured to send and receive a specific
VLANs traffic.
Router# show vlan id 501
VLAN Name
Status
Ports
---- -------------------------------- --------501 VLAN0501
active
Gi4/4
VLAN Type SAID
MTU
Parent RingNo BridgeNo Stp BrdgMode Trans1
Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- -----501 enet 100501
1500 0
0
Remote SPAN VLAN
---------------Disabled
Primary Secondary Type
Ports
------- --------- -----------------
Configuring Layer 2 VLAN Instance on the PE

Configuring the Layer 2 VLAN interface on the PE enables the Layer 2 VLAN instance on the PE router
to the VLAN database to set up the mapping between the VPLS and VLANs.
For more information, see Configuring VLANs.
SUMMARY STEPS
1.
vlan vlan-id
2.
interface vlan vlan-id
DETAILED STEPS
Step 1
Command or Action
Purpose
vlan vlan-id
Configures a specific virtual LAN (VLAN).
Example:
Router(config)# vlan 809
Step 2
Configures an interface on the VLAN.
Example:
This is an example of configuring a Layer 2 VLAN instance.

Router(config)# vlan 501
Router(config-if)#
End with CNTL/Z.
Use the show interfaces vlan command to verify the VLAN is in the up state (example not shown).
6-40
OL-16147-20
Chapter 6

Configuring MPLS WAN Interface on the PE

The following commands configure the MPLS WAN interface.
Note
The MPLS uplink must be on one of the supported OSMs.
SUMMARY STEPS
1.
2.
3.
tag-switching ip
4.
mls qos trust [cos
| dscp | ip-precedence]
DETAILED STEPS
Step 1
Command or Action
Purpose
Example:
Router(config)# interface pos 2/4
Step 2
Sets a primary or secondary IP address for an interface

and enters interface configuration mode.
Example:
Router(config)# ip address 100.1.1.1
255.255.255.0
Step 3
tag-switching ip
Enables label switching of IPv4 packets on an interface.
Example:
Router(config-if)# tag-switching ip
Step 4
mls qos trust [cos | dscp | ip-precedence]
Sets the trusted state of an interface to specify that the

ToS bits in the incoming packets contain a DSCP value.
Example:
This is an example of configuring the WAN interface.

Router(config)# interface gigabitethernet4/1
Router(config)# ip address 181.10.10.1 255.255.255.0
Router(config-if)# ip directed-broadcast
Router(config-if)# ip ospf network broadcast
Router(config-if)# no keepalive
Router(config-if)# tag-switching ip
Use the show tag-switching interfaces command to verify operation.

Router# show tag-switching interfaces gigabitethernet4/1
Interface
IP
Tunnel
Operational
gigabitethernet4/1
Yes (ldp)
Yes
Yes
Router#
OL-16147-20
6-41
Chapter 6
Configuring MPLS in the PE

To configure MPLS in the PE, you must provide the required MPLS parameters.
Note
Before configuring MPLS, ensure that you have IP connectivity between all PEs by configuring Interior
Gateway Protocol (IGP) (Open Shortest Path First [OSPF] or Intermediate System to Intermediate
System [IS-IS]) between the PEs.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
mpls label protocol {ldp | tdp}
4.
(Optional) mpls ldp logging neighbor-changes
5.
mpls ldp discovery {hello | directed hello} {holdtime | interval} seconds
6.
mpls ldp router-id Loopback0 force
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
mpls label protocol {ldp | tdp}
Specifies the default Label Distribution Protocol for a

platform.
Example:
Router(config)# mpls label protocol ldp
Step 4
mpls ldp logging neighbor-changes
(Optional) Determines logging neighbor changes.
Example:
Router(config)# mpls ldp logging
neighbor-changes
6-42
OL-16147-20
Chapter 6

Step 5
mpls ldp discovery {hello | directed hello}

{holdtime | interval} seconds
Configures the interval between transmission of LDP

(TDP) discovery hello messages, or the hold time for a
LDP transport connection.
Example:
Router(config)# mpls ldp discovery hello
holdtime 5
Step 6
mpls ldp router-id Loopback0 force
Configures MPLS.
Example:
Router(config)# mpls ldp router-id Loopback0
force
This example shows global MPLS configuration.

Router(config)# mpls label protocol ldp
Router(config)# mpls ldp discovery directed hello
Router(config)# mpls ldp router-id Loopback0 force
This example shows how to use the show ip cef command to verify that LDP label is assigned.
Router# show ip cef 192.168.17.7
192.168.17.7/32, version 272, epoch 0, cached adjacency to POS4/1
0 packets, 0 bytes
tag information set
local tag: 8149
fast tag rewrite with PO4/1, point2point, tags imposed: {4017}
via 11.3.1.4, POS4/1, 283 dependencies
next hop 11.3.1.4, POS4/1
valid cached adjacency
tag rewrite with PO4/1, point2point, tags imposed: {4017}
Configuring the VFI in the PE

The virtual switch instance (VFI) specifies the VPN ID of a VPLS domain, the addresses of other PE
routers in this domain, and the type of tunnel signaling and encapsulation mechanism for each peer. (This
is where you create the VSI and associated VCs.) Configure a VFI as follows:
Note
Only MPLS encapsulation is supported.
SUMMARY STEPS
1.
l2 vfi name manual
2.
vpn id vpn-id
3.
neighbor remote router id [vc-id-value] {encapsulation mpls} [no-split-horizon]
4.
shutdown
OL-16147-20
6-43
Chapter 6
DETAILED STEPS
Step 1
Command or Action
Purpose
l2 vfi name manual
Enables the Layer 2 VFI manual configuration mode.
Example:
Router(config)# l2 vfi vfi17 manual
Step 2
vpn id vpn-id
Example:
Configures a VPN ID for a VPLS domain. The emulated

VCs bound to this Layer 2 VRF use this VPN ID for
signaling.
Step 3
neighbor remote router id

[vc-id-value]{encapsulation mpls}
[no-split-horizon]
Example:
Specifies the remote peering router ID and the tunnel

encapsulation type or the pseudo wire property to be used
to set up the emulated VC.
Note
Split horizon is the default configuration to avoid

broadcast packet looping and to isolate Layer 2
traffic. Use the no-split-horizon keyword to
disable split horizon and to configure multiple
VCs per spoke into the same VFI.
Note
The optional VC ID value identifies the emulated

VC between a pair of peering PE routers.
Router(config-vfi)# neighbor 1.5.1.1 101

encapsulation mpls
Step 4
Disconnects all emulated VCs previously established

under the Layer 2 VFI and prevents the establishment of
new attachment circuits.
shutdown
Example:
Router(config-vfi)# shutdown
Note
It does not prevent the establishment of new

attachment circuits configured with the Layer 2
VFI using CLI.
The following example shows a VFI configuration.

Router(config)# l2 vfi VPLSA manual
The following example shows a VFI configuration for hub and spoke.
Router(config)# l2 vfi VPLSA manual
Router(config-vfi)# neighbor 9.9.9.9 2001 encapsulation mpls
Router(config-vfi)# neighbor 12.12.12.12 2002 encapsulation mpls
Router(config-vfi)# neighbor 33.33.33.33 2003 encapsulation mpls no-split-horizon
The show mpls 12transport vc command displays various information related to PE1.
Note
The show mpls l2transport vc detail command is also available to show detailed information about the
VCs on a PE router as in the following example. (This example is not based on the previous VFI
configurations.)
6-44
OL-16147-20
Chapter 6

VPLS-PE2# show mpls l2transport vc 201

Local intf
------------VFI test1
VFI test1
VFI test1
Note
Local circuit
-------------------VFI
VFI
VFI
Dest address
--------------153.1.0.1
153.3.0.1
153.4.0.1
VC ID
---------201
201
201
Status
---------UP
UP
UP
The VC ID in the output represents the VPN ID; the VC is identified by the combination of the
destination address and the VC ID as in the example below. (This example is not based on the previous
VFI configurations.)
The show vfi vfi name command shows VFI status.
nPE-3# show vfi VPLS-2
VFI name: VPLS-2, state: up
VPN ID: 100
Local attachment circuits:
Vlan2
Peer Address
VC ID
Split-horizon
1.1.1.1
2
Y
1.1.1.2
2
Y
2.2.2.3
2
N
Associating the Attachment Circuit with the VSI at the PE

After defining the VFI, you must bind it to one or more attachment circuits (interfaces, subinterfaces, or
virtual circuits).
SUMMARY STEPS
1.
2.
no ip address (Configuring an IP address causes Layer 3 interface to be created for the VLAN.)
3.
OL-16147-20
6-45
Chapter 6
DETAILED STEPS
Step 1
Command or Action
Purpose

(SVI).
Example:
Step 2
Disables IP processing. (You configure a Layer 3

interface for the VLAN if you configure an IP address.)
no ip address
Example:
Step 3

VLAN port.
Example:
This example shows an interface VLAN configuration.

Router(config-if)# xconnect vfi VPLS_501
This is an example of how to use the show vfi command for VFI status.
Router# show vfi VPLS_501
VFI name: VPLS_501, state: up
VPN ID: 100
vlan 100
192.168.11.1 192.168.12.2 192.168.13.3
192.168.17.7
192.168.16.6
Configuring BPDU PW on a Port Channel

Configure BPDU PW on a port channel between two PEs. Before you begin, you need to configure a VFI
on a remote peer enabling BPDU PW on it. Complete the following steps:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
l2 vfi name manual
4.
vpn id id-number
5.
6.
neighbor remote-router-id vc-id {encapsulation encapsulation-type | pw-class pw-name}

[no-split-horizon]
7.
end
6-46
OL-16147-20
Chapter 6

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
l2 vfi
name
manual
Creates a layer 2 VFI and enters layer 2 VFI manual

configuration mode.
Example:
Step 4
vpn id
id-number
Specifies the VPN ID.
Example:
Step 5
Creates a pseudowire that is to be used to transport

BPDU data between the two N-PE routers.
Example:
Router(config-vfi)# forward permit l2protocol
all
Step 6
remote-router-id vc-id {encapsulation

encapsulation-type | pw-class pw-name}
neighbor
[no-split-horizon]
Specifies the peer IP address of the redundant N-PE

router and the type of tunnel signaling and encapsulation
mechanism. Valid encapsulation types are L2TPv3 and
MPLS.
Example:
Router(config-vfi)# neighbor 10.10.10.2
encapsulation mpls
Step 7
Ends the current configuration session and returns to

end
Example:
Router(config-vfi)# end
This example shows the enabling of BPDU PW on a remote peer:

Router> enable
Router(config-vfi)# forward permit l2protocol all
Router(config-vfi)# end
OL-16147-20
6-47
Chapter 6
Configuring the MPLS Enabled Port Channel

Once you configure the BPDU PW on a peer, configure the MPLS enabled port channel towards the core:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
ip address ip-address
5.
mpls ip
6.
mls qos trust dscp
7.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
channel-number
Creates the EtherChannel (or port channel) virtual

interface.
Example:
Step 4
channel-group
port-channel-number
mode on
Example:
Assign a Fast Ethernet interface to an EtherChannel

group. All possible modes such as, pagp,lacp, and none
are valid here.
Router(config)# channel-group 1 mode on
Step 5
ip address
ip-address subnet-mask
Assigns the protocol IP address and subnet mask to the

interface.
Example:
255.255.255.0
Step 6
mpls ip
Enables MPLS forwarding of IPv4 packets along

normally routed paths for the associated interface.
Example:
6-48
OL-16147-20
Chapter 6

Step 7
mls qos trust dscp
Example:
Classifies incoming packets that have packet DSCP

values (the most significant 6 bits of the 8-bit
service-type field).
Step 8
Ends the current configuration session and returns to

end
Example:
This example shows the configuration of a MPLS enabled port channel:

Router> enable
Router(config)# channel-group 1 mode on
Binding the VFI to the VLAN

Bind the VFI to the VLAN you configured.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
no ip address
5.
6.
end
OL-16147-20
6-49
Chapter 6
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

(SVI).
Example:
Step 4
no ip address
Disables IP processing. (You configure a Layer 3

interface for the VLAN if you configure an IP address.)
Example:
Step 5

VLAN port.
Example:
This example shows an interface VLAN configuration:

This example shows how to use the show vfi command for VFI status:
Router# show vfi vfi10
VFI name: vfi10, state: up
VPN ID: 100
vlan 1
100.0.0.1 100.0.1.1 100.0.2.2 100.0.4.4 100.0.7.7
6-50
OL-16147-20
Chapter 6

Troubleshooting
This section describes how to troubleshoot BPDU PW issues.
Scenarios/Problems
Solution
How to verify whether or not Use the show mpls l2transport vc command:
the BPDU PW status is in the Router# show mpls l2transport vc 210
UP.
Local intf
Local circuit
------------VFI 210
Dest address
VC ID
Status
-------------------------- --------------- ---------- ---------VFI
10.144.144.144 210
UP
How to verify whether or not Use the show spanning-tree mst command:
a port-channel BPDU PW
Router# show spanning-tree mst
pseudoport is added to the
##### MST0
vlans mapped:
1-4094
MST tree.
Bridge
Root
address 001a.3029.d400 priority

32768 (32768 sysid
address 0026.527c.5300 priority
24577 (24576 sysid
port
Gi5/3
path cost
200019
Regional Root this switch
Operational
hello time 2 , forward delay 15, max age 20, txholdcount
Configured
Interface
---------------------------Gi1/19
Gi1/20
Gi5/3
Gi6/3
Gi8/0/3
Gi8/0/5
Gi8/0/7
0)
1)
6
20
Role Sts Cost

Prio.Nbr Type
---- --- --------- -------- ------------------Desg
Desg
Root
Altn
Desg
Desg
Desg
FWD
FWD
FWD
BLK
FWD
FWD
FWD
20000
20000
200000
200000
20000
20000
20000
128.19
128.20
128.1027
128.1283
128.1796
128.1798
128.1800
P2p
P2p
P2p Bound(STP)
P2p Bound(STP)
P2p
P2p Bound(STP)
P2p
This example shows the detailed output:

Router# show spanning-tree mst detail
##### MST0
vlans mapped:
1-4094
Bridge
address 001a.3029.d400 priority
32768 (32768 sysid
Root
address 0026.527c.5300 priority
24577 (24576 sysid
port
Gi5/3
path cost
200019
Regional Root this switch
Operational
hello time 2 , forward delay 15, max age 20, txholdcount
Configured
0)
1)
6
20

Port info
port id
128.19 priority
128 cost
20000
Designated root
address 0026.527c.5300 priority 24577 cost
200019
Design. regional root address 001a.3029.d400 priority 32768 cost
0
Designated bridge
address 001a.3029.d400 priority 32768 port id
128.19
.................................................
OL-16147-20
6-51
Chapter 6
Full-Mesh Configuration Example

In a full-mesh configuration, each PE router creates a multipoint-to-multipoint forwarding relationship
with all other PE routers in the VPLS domain using a VFI. An Ethernet or VLAN packet received from
the customer network can be forwarded to one or more local interfaces and or emulated VCs in the VPLS
domain. To avoid broadcasted packets looping around in the network, no packet received from an
emulated VC can be forwarded to any emulated VC of the VPLS domain on a PE router. That is, the
Layer 2 split horizon should always be enabled as the default in a full-mesh network. Figure 6-6 shows
the configuration example.
Figure 6-6
VPLS Configuration Example
1.1.1.1
SP Backbone
3.3.3.3
FE0/0
VPLS-A
FE0/1
PE3
2.2.2.2
PE1
VPLS-A
104752
PE2 FE0/0
VPLS-A
Configuration on PE 1
This shows the creation of the virtual switch instances (VSIs) and associated VCs.
l2 vfi PE1-VPLS-A manual
vpn id 100
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
This configures the CE device interface (there can be multiple Layer 2 interfaces in a VLAN).
interface FastEthernet0/0
switchport
switchport mode dot1qtunnel
!
Here the attachment circuit (VLAN) is associated with the VSI.

interface vlan 100
no ip address
xconnect vfi PE1-VPLS-A
!
Enabling the Layer 2 VLAN instance.

vlan 100
state active
6-52
OL-16147-20
Chapter 6


vpn id 100
!
ip address 2.2.2.2 255.255.255.255
switchport
!

interface vlan 100
no ip address
!

vlan 100
state active
vpn id 100
!
ip address 3.3.3.3 255.255.255.255
switchport
!

interface vlan 100
no ip address
xconnect vfi PE3-VPLS-A .
!

vlan 100
state active
The show mpls l2 vc command provides information on the status of the VC.
VPLS1# show mpls l2 vc
Local intf
-------------
Local circuit
Dest address
VC ID
Status
-------------------- --------------- ---------- ----------
OL-16147-20
6-53
Chapter 6
Vi1
Vi1
Vi1
Vi1
Vi1
VFI
VFI
VFI
VFI
VFI
22.22.22.22
22.22.22.22
33.33.33.33
44.44.44.44
44.44.44.44
100
200
100
100
200
DOWN
UP
UP
UP
UP
The show vfi command provides information on the VFI.

PE-1# show vfi PE1-VPLS-A
VFI name: VPLSA, state: up
VPN ID: 100
Vlan100
2.2.2.2 3.3.3.3
The show mpls 12transport vc command provides information about the virtual circuits.
osr12# show mpls l2 vc detail
Local interface: VFI vfi17 up
Output interface: PO3/4, imposed label stack {18}
Create time: 3d15h, last status change time: 1d03h
VC statistics:
packet totals: receive 0, send 0
byte totals:
receive 0, send 0
packet drops: receive 0, send 0
H-VPLS with MPLS Edge Configuration Example

The Hierarchical VPLS model comprises hub and spoke and full-mesh networks. In a full-mesh
configuration, each PE router creates a multipoint-to-multipoint forwarding relationship with all other
PE routers in the VPLS domain using VFIs.
In the hub and spoke configuration, a PE router can operate in a non-split-horizon mode that allows
inter-VC connectivity without the requirement to add a Layer 2 port in the VLAN.
In the example below, the VLANs on CE1, CE2, CE3, and CE4 (in red color) connect through a
full-mesh network. The VLANs on CE2, CE5, and CE6 connect through a hub and spoke network. CE2
is directly attached to the PE2 hub and CE6 is directly attached to the PE1 hub. CE4 and CE5 both are
connected to the PE3 hub through the spoke uPE. Figure 6-7 shows the configuration example.
6-54
OL-16147-20
Chapter 6

Figure 6-7
CE6
H-VPLS Configuration
20.0.0.1
SP Backbone
120.0.0.3
PE3
PE1
CE3
SP/MPLS
CE4
CE1
162.0.0.2
PE2
30.0.0.1
uPE
CE2
132864
CE5
Configuration on PE1
This shows the creation of the virtual switch instances (VSIs) and associated VCs. Note that the VCs in
green require the no-split-horizon keyword. The no-split-horizon command disables the default Layer
2 split horizon in the data path.
l2 vfi Internet manual
vpn id 100
neighbor 120.0.0.3 encapsulation mpls no-split-horizon
neighbor 162.0.0.2 encapsulation mpls no-split-horizon
vpn id 200
ip address 20.0.0.1 255.255.255.255
interface GigEthernet1/1
switchport
switchport trunk allow vlan 1001,1002-1005
Here the attachment circuit (VLAN) is associated with the VFI.

interface vlan 1001
xconnect vfi Internet
switchport
switchport trunk allow vlan 211,1002-1005
interface vlan 211
This shows the creation of the VFIs and associated VCs.
vpn id 100
OL-16147-20
6-55
Chapter 6

vpn id 200
ip address 162.0.0.2 255.255.255.255
switchport
switchport trunk allow vlan 211,1001,1002-1005
Here the attachment circuit (VLAN) is associated with the VFI.

interface vlan 1001
interface vlan 211
This shows the creation of the VFIs and associated VCs.
vpn id 100
neighbor 30.0.0.1 encapsulation mpls no-split horizon
vpn id 200
neighbor 30.0.0.1 200 encapsulation mpls no-split horizon
ip address 120.0.0.3 255.255.255.255
This configures the CE device interface.

switchport
switchport trunk allow vlan 211
This configures the attachment circuits.

interface vlan 1001
interface vlan 211
Usually EoMPLS is configured on the uPE device. You can use port-based or VLAN-based EoMPLS.
This configures port-based EoMPLS on the uPE (the uPE connects to CE4).
interface GigEthernet 1/1
6-56
OL-16147-20
Chapter 6

This configures VLAN-based EoMPLS on the uPE. (the uPE connects to CE4).
interface GigEthernet 1/1.1
MAC Limit Per VLAN

VPLS provides the ability to limit the maximum number of MAC entries per VLAN to avoid exhausting
resources. To enable the MAC limit feature, use the mac-address-table limit command; see the Cisco
7600 Series Cisco IOS Software Command Reference Guide, 12.2SR.
Traffic Engineering for Transport Tunnel

MPLS traffic engineering software enables an MPLS backbone to replicate and expand upon the traffic
engineering capabilities of Layer 2 ATM and Frame Relay networks. See
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/swprt3/xcftagov.
htm#1022001.
Load Balancing
Load balancing describes a functionality in a router that distributes packets across multiple links. For
information on load balancing, see
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094820.shtml.
Configuring Dot1q Transparency for EoMPLS

The Dot1q Transparency for EoMPLS feature allows a service provider to modify the MPLS EXP bits
for core-based QoS policies while leaving any VPLS customer 802.1p bits unchanged.
When applying a service policy to an EoMPLS configured VLAN interface that sets the MPLS EXP bits,
the set effects both the Interior Gateway Protocol (IGP) label and the VC label. If the customer traffic
includes an 802.1q label with associated 802.1p bits, the 802.1p bits are rewritten on the egress PE based
on the received VC EXP bits. If the policy sets the MPLS EXP bits to a different value from the received
802.1p bits, the rewriting on the egress PE results in a modification of the customer's 802.1p bits.
The Dot1q Transparency for EoMPLS feature provides the option for the VLAN-applied policy to affect
only the IGP label (for core QoS) and leaves the VC label EXP bits equal to the 802.1p bits. On the egress
PE, the 802.1p bits are still rewritten based on the received VC EXP bits, however, because the EXP bits
now match the ingress 802.1p bits, a VPLS customer's 802.1p bits do not change.
Restrictions
The following restrictions apply to the Dot1q Transparency for EoMPLS feature:
Global configuration applies to all virtual forwarding instance (VFI) and switched virtual interface
(SVI) EoMPLS VCs configured on the Cisco 7600 series routers.
Interoperability requires applying the Dot1q Transparency for EoMPLS feature to all participating
PE routers.
OL-16147-20
6-57
Chapter 6
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
platform vfi dot1q-transparency
4.
interface vlan
5.
no ip address
6.
xconnect peer-router-id vcid encapsulation mpls
7.
service-policy output
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Sets the EXP value in the remote VC label with the DBUS CoS
value.
Example:
Router(config)# platform vfi
dot1q-transparency
Step 4
Creates a unique VLAN ID number.
Example:
Step 5
Disables IP processing.
Example:
6-58
OL-16147-20
Chapter 6

Step 6
Command or Action
Purpose
xconnect peer-router-id vcid

encapsulation mpls
Binds the attachment circuit to a pseudowire VC. The syntax for

this command is the same as for all other Layer 2 transports.
Example:
Router(config-subif)# xconnect 10.0.0.1
123 encapsulation mpls
Step 7
Router(config-if)# service-policy output

policy-name
Attaches a traffic policy to an interface.
Example:
policy-name ip
This is an example of configuring the Dot1q Transparency feature.

!
l2 vfi customer-A manual
vpn id 200
!
class-map match-all any
match any
!
policy-map mpls-set-exp-1
class any
set mpls experimental imposition 1
!
interface Vlan200
no ip address
xconnect vfi customer-A
service-policy input mpls-set-exp-1
Use the show cwan vfi dot1q-transparent command to verify the VLAN is in the up state.
Router# show cwan vfi dot1q-transparency
VFI dot1q transparency is enabled
Router#
Verification
You can use the following command on the RP or on the line card. Use the | output modifier to find the
interface you are interested in:
PE1#show mpls l2 vc 29999 det
Local interface: VFI 300 VFI up
Destination address: 13.13.13.13, VC ID: 29999, VC status: up Output interface: Tu0,
imposed label stack {26 17} Preferred path: Tunnel0, active Default path: ready Next hop:
point2point Create time: 05:43:17, last status change time: 04:18:37 Signaling protocol:
LDP, peer 13.13.13.13:0 up Targeted Hello: 10.10.10.10(LDP Id) -> 13.13.13.13, LDP is UP
Status TLV support (local/remote) : enabled/supported LDP route watch : enabled
Label/status state machine : established, LruRru Last local dataplane status rcvd: No
fault Last local SSS circuit status rcvd: No fault Last local SSS circuit status sent:
OL-16147-20
6-59
Chapter 6
No fault Last local LDP TLV status sent: No fault Last remote LDP TLV status rcvd: No
fault Last remote LDP ADJ status rcvd: No fault MPLS VC labels: local 17, remote 17 Group
ID: local 0, remote 0
Sequencing: receive disabled, send disabled Control Word: On (configured: autosense) VC
statistics:
transit packet totals: receive 100668489, send 774258179 transit byte totals: receive
6845457798, send 55718191727 transit packet drops: receive 0, seq error 0, send 0
You can use the following show command to check adjacencies on an ES+ linecard from the RP.
PE1-dfc7#show plat atom ether-vc vlan 300 AToM Ether VC Index(3): segtype(25)
seghandle(0x27BC5354)
Disposition : flags(17) vlanid(300) local_vc_label(17)
ForwardingTable: oper(6) flags(0x0) vlan(300) dest_index(0xB83)
Imposition: flags(0x71) egress_idx(0x5) ifnum(74)
tx_tvc(0x4B04) rvclbl[0](17) rigplbl[1](285) label[2](0)
label[3](0) ltl(0xB83) mac(0008.7c62.a800) qos_info(0x0)
Current Destination Index (0xB83)
Platform Data:
loc_lbl acif_num fw_idx cword
eg_ifnum ckt_idx vlan ac_hdl
vc_hash
17
0
0x5
0x3
74
0x4
300 0x27BC5354 0x3
Platform Index(0x2D19ABC0) is_sw(1) is_vfi(1) vlan(300) pseudo_port_offset(4)
tx_tvc(0x4B04)
Statistics : Packets
Bytes
Drop Pkts Drop Bytes ID
Disposition: 15440
1049920
0
0
0
Imposition : 355628
25605216
0
0
0
Egress Vlan LTL Table vlan(300) ltl(0xE) ppe(3)
feature_cmn_enable(Yes) ft_enable(Yes) ft_bits(VPLS) split_horizon(1), num_labels(1)
tunnel_vc(Yes) same_npu(No) control_word(Yes) vc_type4(No) routed_mode_iw(No)
PolicyId(0x0) Flow_id(0x0) stat_id(0x9E1B4) fat_pw:(No)
XlifID(0xFFFF) tunnel_index(2) Tunnel(5)
Label1(0x11) exp3(0) exp2(0) exp1(0) exp0(0)
Label3(0x0) poe_mask(0x0) poch_enabled(Yes)
mac_hi(0x87C62) mac_low(0xA800)
poch_slot(0xE), poch_number(0x1)
----------------------------------------TE Label Table for tunnel:(2):
num_lbls:(4) label1:(33) ttl1:(255), eos1:(0)
label2:(26) ttl2:(255), eos2:(0)
slot:(13), ltl_base:(502), mac:0015.2b19.a540
------------------------------------------ Tunnel State -same_slot(Yes) same_npu(Yes) prot_slot(Yes)
bkup_slot(Yes) backup_active(No) local(Yes)
ifnum(74) ppe(3) bkup_ifnum(37), bkup_ppe(3) prot_ifnum(74) prot_ppe(3)
-----------------------------Disposition MPLS Table at Label:(17):
vlan:(300) vc_type4:(0), control_word:(1), l2_fwd_permit(0)
imp_ltl_base:(0x75) imp_ltl_slot:(14) imp_ltl_off:(14)
routed_mode_iw:(0) dmac: 0000.0000.0000 fat_pw_enabled:(No)
tunnel_index:(2) stat_id:(647603) split_horizon:(0x1)
fat-pw:(0) fat-pw-internal:(0)
----------------------------------------Egress Vlan LTL Table vlan(300) ltl(0xE) ppe(3)
6-60
OL-16147-20
Chapter 6


label2:(26) ttl2:(255), eos2:(0)
label2:(26) ttl2:(255), eos2:(0)
label2:(26) ttl2:(255), eos2:(0)
OL-16147-20
6-61
Chapter 6

----------------------------------------VC Summary: vlan(300) VC count(1)
Router#show mls cef adjacency entry 213058 module 2
Index: 213058
smac: a100.0000.0006, dmac: 0003.6c41.d800

mtu: 1518, vlan: 1014, dindex: 0x0, l3rw_vld: 1
packets: 0, bytes: 0
You can use the following show command from a DFC card to see the TTFIB entry (if present).
Router-dfc2# show platform npc vpls disp-table np 0 label 18
Disposition MPLS Table at Label:(18):
----------------------------------------Router-dfc2#
6-62
OL-16147-20
Chapter 6

Troubleshooting
Troubleshooting
This section describes how to troubleshoot common EoMPLS and AToMPLS issues.
Scenarios/Problems
Solution
How do I display information

about AToM VCs and static
pseudowires that have been
enabled to route Layer 2
packets on a router?
Use the show mpls l2transport vc command. This example shows the information that is
provided when an AToM static pseudowire is provisioned and the show mpls l2transport vc
detail command is used to check the configuration. The Signaling protocol field specifies
Manual because a directed control protocol such as Label Distribution Protocol (LDP) cannot
be used to exchange parameters on static pseudowires. The remote interface description field
seen for nonstatic pseudowire configurations is not displayed because remote information is
exchanged using signaling between the PE routers and this is not done on static pseudowires:
Router# show mpls l2transport vc detail
Local interface: Et1/0 up, line protocol up, Ethernet up
Output interface: Et2/0, imposed label stack {10003 150}
Next hop: 10.0.0.2
Signaling protocol: Manual
VC statistics:
packet totals: receive 219, send 220
byte totals:
packet drops: receive 0, send 0
How do I display the contents Use the show mpls forwarding-table command. This is a sample output of the command:
of the MPLS LFIB?
Router# show mpls forwarding-table
Local
Label
26
28
29
30
34
35
36
[T]
Outgoing
Prefix
Bytes label Outgoing
Next Hop
Label or VC
or Tunnel Id
switched interface
No Label
10.253.0.0/16
0
Et4/0/0
10.27.32.4
1/33
10.15.0.0/16
0
AT0/0.1
point2point
Pop Label
10.91.0.0/16
0
Hs5/0
point2point
1/36
10.91.0.0/16
0
AT0/0.1
point2point
32
10.250.0.97/32
0
Et4/0/2
10.92.0.7
32
10.250.0.97/32
0
Hs5/0
point2point
26
10.77.0.0/24
0
Et4/0/2
10.92.0.7
26
10.77.0.0/24
0
Hs5/0
point2point
No Label[T]
10.100.100.101/32 0
Tu301
point2point
Pop Label
10.1.0.0/16
0
Hs5/0
point2point
1/37
10.1.0.0/16
0
AT0/0.1
point2point
Forwarding through a TSP tunnel.
View additional labeling info with the 'detail' option
OL-16147-20
6-63
Chapter 6
Troubleshooting
Scenarios/Problems
Solution
This is a sample output of the show mpls forwarding-table command when the IPv6 Provider
Edge Router over MPLS feature is configured to allow IPv6 traffic to be transported across an
IPv4 MPLS backbone. The labels are aggregated because there are several prefixes for one
local label, and the prefix column contains "IPv6" instead of a target prefix.
Router# show mpls forwarding-table
Local Outgoing
Prefix
Label Label or VC
or Tunnel Id
16
Aggregate
IPv6
17
Aggregate
IPv6
18
Aggregate
IPv6
19
Pop Label
192.168.99.64/30
20
Pop Label
192.168.99.70/32
21
Pop Label
192.168.99.200/32
22
Aggregate
IPv6
23
Aggregate
IPv6
24
Aggregate
IPv6

switched interface
0
0
0
0
Se0/0
0
Se0/0
0
Se0/0
5424
3576
Next Hop
point2point
point2point
point2point
6-64
OL-16147-20
Chapter 6

Troubleshooting
Scenarios/Problems
Solution
This is a sample output of the show mpls forwarding-table command when you specify the
detail keyword. If the MPLS EXP level is used as a selection criterion for packet forwarding,
a bundle adjacency exp (vcd) field is included in the display. This field includes the EXP value
and the corresponding virtual circuit descriptor (VCD) in parentheses. The line in the output
that reads "No output feature configured" indicates that the MPLS egress NetFlow accounting
feature is not enabled on the outgoing interface for this prefix.
Router# show mpls forwarding-table detail
Local Outgoing
Prefix
Next Hop
label
label or VC
or Tunnel Id
switched interface
16
Pop label
10.0.0.6/32
0
AT1/0.1
point2point
Bundle adjacency exp(vcd)
0(1) 1(1) 2(1) 3(1) 4(1) 5(1) 6(1) 7(1)
MAC/Encaps=12/12, MTU=4474, label Stack{}
00010000AAAA030000008847
17
18
10.0.0.9/32
0
AT1/0.1
point2point
0(1) 1(1) 2(1) 3(1) 4(1) 5(1) 6(1) 7(1)
MAC/Encaps=12/16, MTU=4470, label Stack{18}
00010000AAAA030000008847 00012000
18
19
10.0.0.10/32
0
AT1/0.1
point2point
0(1) 1(1) 2(1) 3(1) 4(1) 5(1) 6(1) 7(1)
00010000AAAA030000008847 00013000
19
17
10.0.0.0/8
0
AT1/0.1
point2point
0(1) 1(1) 2(1) 3(1) 4(1) 5(1) 6(1) 7(1)
00010000AAAA030000008847 00011000
20
20
10.0.0.0/8
0
AT1/0.1
point2point
0(1) 1(1) 2(1) 3(1) 4(1) 5(1) 6(1) 7(1)
00010000AAAA030000008847 00014000
21
Pop label
10.0.0.0/24
0
AT1/0.1
point2point
0(1) 1(1) 2(1) 3(1) 4(1) 5(1) 6(1) 7(1)
00010000AAAA030000008847
22
Pop label
10.0.0.4/32
0
Et2/3
10.0.0.4
000427AD10430005DDFE043B8847
Use the show mls cef mpls command. This is a sample output of the command when you
How do I check the MPLS
entries in the MLS-hardware specify the label keyword:
Layer 3 switching table for a PE1-sp#show mls cef mpls labels 60
specific label?
Codes: + - Push label, - - Pop Label
* - Swap Label, E - exp1
Index
224
Local
Label
60
Label
Op
20
Out i/f
PO9/2/0
, 0000.0950.ffff
OL-16147-20
6-65
Chapter 6
Troubleshooting
Scenarios/Problems
Solution
How do I know the

adjacency-entry information
for the specified index?
Use the show mls cef adjacency entry command. This is a sample output of the command:
How do I check the SSM

switch settings?
Use the show ssm switch command. This is a sample output of the command:
PE1-sp#show mls cef adjacency entry 458752 detail

Index: 458752 smac: 0013.1abf.3300, dmac: 0000.0950.ffff
mtu: 4488, vlan: 1041, dindex: 0x0, l3rw_vld: 1
format: MPLS, flags: 0x208408
label0: 0, exp: 0, ovr: 0
op: REPLACE_LABEL2
packets: 0, bytes: 0
PE1#show ssm switch id 45101

Switch-ID 45101 State: Open
Segment-ID: 294992 Type: AToM[17]
Switch-ID:
45101
Physical intf:
Remote
Allocated By:
This CPU
Locked By:
SIP
[1]
Class:
SSS
State:
Active
Class:
ADJ
State:
Active
Segment-ID: 45109 Type: Vlan[3]
Switch-ID:
45101
Physical intf:
Local
Allocated By:
This CPU
Locked By:
SIP
[1]
Class:
SSS
State:
Active
AC Switching Context:
Gi8/1/0.131
SSS Info : Switch Handle 0x86000024 Ckt 0x54BD7190
Interworking 1 Encap Len 4 Boardencap Len 0 MTU 0
AC Encap [4 bytes]
8100 0083
Class:
ADJ
State:
Active
AC Adjacency context:
adjacency = 0x52D0A8C0 [complete] RAW GigabitEthernet8/1/0.131:131
AC Encap [4 bytes]
8100 0083
How do I know information

about the xconnect
attachment circuits and
pseudowires?
Use the show xconnect interface command. This is a sample output of the command:
PE1#show xconnect interface GigabitEthernet8/1/0.131
Legend:
XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up
DN=Down
AD=Admin Down
IA=Inactive
SB=Standby RV=Recovering
NH=No Hardware
XC ST Segment 1
S1 Segment 2
------------------------{}-----------------------UP
ac
Gi8/1/0.131:131(Eth VLAN)
UP mpls 12.205.2.2:131
S2
UP
6-66
OL-16147-20
Chapter 6

Troubleshooting
Scenarios/Problems
Solution
How do I debug a problem

related to the xconnect
configuration?
Use the debug xconnect command. This example shows output from the debug xconnect
command for an xconnect session on an Ethernet interface:
Router# debug xconnect
00:01:16: XC AUTH [Et2/1, 5]: Event: start xconnect authorization, state changed
from IDLE
to AUTHORIZING
00:01:16: XC AUTH [Et2/1, 5]: Event: found xconnect authorization, state changed
from
AUTHORIZING to DONE
00:01:16: XC AUTH [Et2/1, 5]: Event: free xconnect authorization request, state
changed
from DONE to END
How do I debug the Segment Use the debug ssm cm command. This example shows the events that occur on the CM and
SM when an AToM VC is provisioned and then unprovisioned:
Switching Manager (SSM)
for switched Layer 2
Router# debug ssm cm events
segments?
SSM Connection Manager events debugging is on
Router# debug ssm sm events
SSM Segment Manager events debugging is on
Router(config)# interface ethernet1/0
Router(config-if)# xconnect 10.55.55.2 101 pw-class mpls
16:57:34: SSM CM: provision switch event, switch id 86040
16:57:34: SSM CM: [Ethernet] provision first segment, id 12313
16:57:34: SSM CM: CM FSM: state Idle - event Provision segment
16:57:34: SSM CM: [SSS:Ethernet:12313] provision segment 1
16:57:34: SSM SM: [SSS:Ethernet:12313] event Provison segment
16:57:34: SSM CM: [SSS:Ethernet] shQ request send ready event
16:57:34: SSM CM: SM msg event send ready event
16:57:34: SSM SM: [SSS:Ethernet:12313] segment ready
16:57:34: SSM SM: [SSS:Ethernet:12313] event Found segment data
16:57:34: SSM CM: Query AToM to Ethernet switching, enabled
16:57:34: SSM CM: [AToM] provision second segment, id 16410
16:57:34: SSM CM: CM FSM: state Down - event Provision segment
16:57:34: SSM CM: [SSS:AToM:16410] provision segment 2
16:57:34: SSM SM: [SSS:AToM:16410] event Provison segment
16:57:34: SSM CM: [AToM] send client event 6, id 16410
16:57:34: label_oce_get_label_bundle: flags 14 label 19
16:57:34: SSM CM: [SSS:AToM] shQ request send ready event
16:57:34: SSM CM: SM msg event send ready event
16:57:34: SSM SM: [SSS:AToM:16410] segment ready
16:57:34: SSM SM: [SSS:AToM:16410] event Found segment data
16:57:34: SSM SM: [SSS:AToM:16410] event Bind segment
16:57:34: SSM SM: [SSS:Ethernet:12313] event Bind segment
16:57:34: SSM CM: [AToM] send client event 3, id 16410
OL-16147-20
6-67
Chapter 6
Troubleshooting
Scenarios/Problems
Solution
Router(config)# interface e1/0
Router(config-if)# no xconnect
16:57:26: SSM CM: [Ethernet] unprovision segment, id 16387
16:57:26: SSM CM: CM FSM: state Open - event Free segment
16:57:26: SSM CM: [SSS:Ethernet:16387] unprovision segment 1
16:57:26: SSM SM: [SSS:Ethernet:16387] event Unprovison segment
16:57:26: SSM CM: [SSS:Ethernet] shQ request send unprovision complete event
16:57:26: SSM CM: [SSS:AToM:86036] unbind segment 2
16:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment
16:57:26: SSM CM: SM msg event send unprovision complete event
16:57:26: SSM SM: [SSS:Ethernet:16387] free segment class
16:57:26: SSM SM: [SSS:Ethernet:16387] free segment
16:57:26: SSM SM: [SSS:Ethernet:16387] event Free segment
16:57:26: SSM SM: last segment class freed
16:57:26: SSM CM: unprovision switch event, switch id 12290
16:57:26: SSM CM: [SSS:AToM] shQ request send unready event
16:57:26: SSM CM: SM msg event send unready event
16:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment
16:57:26: SSM CM: [AToM] unprovision segment, id 86036
16:57:26: SSM CM: CM FSM: state Down - event Free segment
16:57:26: SSM CM: [SSS:AToM:86036] unprovision segment 2
16:57:26: SSM SM: [SSS:AToM:86036] event Unprovison segment
16:57:26: SSM CM: [SSS:AToM] shQ request send unprovision complete event
16:57:26: SSM CM: SM msg event send unprovision complete event
16:57:26: SSM SM: [SSS:AToM:86036] free segment class
16:57:26: SSM SM: [SSS:AToM:86036] free segment
16:57:26: SSM SM: [SSS:AToM:86036] event Free segment
16:57:26: SSM SM: last segment class freed
6-68
OL-16147-20
Chapter 6

Troubleshooting
Scenarios/Problems
Solution
How do I display information Use the debug mpls l2transport command. This is a sample output of MPLS Pseudowire
about the status of the AToM Status Signaling messages from the debug mpls l2transport vc status event and debug mpls
virtual circuits (VCs)?
l2transport vc status fsm commands:
Router#
Router#
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
*Feb 26
LruRru
*Feb 26
LruRru
*Feb 26
LruRru
debug mpls l2transport

debug mpls l2transport
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
14:03:42.543: AToM MGR
vc status event
vc status fsm
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
[10.9.9.9, 100]:
Receive SSS STATUS(UP)

AC status UP
S:Evt local up, LndRru->LnuRru
S:Evt local ready, LnuRru->LruRru
S:Act send label(UP)
Send label(UP)
Local AC : UP
Dataplane: no fault
Overall : no fault
Remote label is ready
S:Evt remote ready in LruRru
S:Evt remote up in LruRru
S:Evt dataplane clear fault in
14:03:42.543: AToM MGR [10.9.9.9, 100]: S:Evt dataplane clear fault in

14:03:42.551: AToM MGR [10.9.9.9, 100]: S:Evt dataplane clear fault in
The status codes in the messages, such as S: and LruRru, indicate the status of the local and
remote routers. The following list translates the status codes:
Llocal router
Rremote router
r or nready (r) or not ready (n)
u or d up (u) or down (d) status
The output also includes these values:
DDataplane
SLocal shutdown
When I ping from CE1 to
CE2, it is failing with MTU
1200 or above.
To troubleshoot this issue, do the following:
Run show interface command in CE1, CE2, PE1, and PE2 to check where the packets are
dropping.
Run show mpls l2transport vc vcid detail command to check the imposition and
disposition packet count in PE1 and PE2.
Assuming packets are dropping in PE1 imposition direction, check the MTU negotiated
between the peers (PE1 and PE2) by running show mpls l2transport vc vcid detail
command.
If MTU negotiated is 1200, it is the problem. Otherwise, check the core-facing interface
MTU. If core-facing interface MTU is around 1200, the packets from CE cannot be sent
towards the core, and line card drops the packets.
OL-16147-20
6-69
Chapter 6
MPLS-TP Support for Ethernet Access Circuits

The Multiprotocol Label Switching-Transport Profile (MPLS-TP) support for Ethernet Access Circuits
feature enables a service provider to merge features and capabilities of Synchronous Optical Network
(SONET) and Synchronous Digital Hierarchy (SDH) networks and MPLS/Ethernet technologies.
MPLS-TP replaces the circuit switching with packet switching while retaining these characteristics of
SONET/SDH networks:
Support in-band Operation, Administration, and Maintenance (OAM).
Support fast failure detection using Bidirectional Forwarding Detection (BFD).
Static provisioning of circuits.
The MPLS-TP feature provides standards-based transport technologies. Service providers can use a
single unified interface for point-and-click provisioning of wavelengths and MPLS-TP label switch
paths.
Note
For more information about this feature, see

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_transport_profile.html.
Restrictions for MPLS-TP Support for Ethernet Access Circuits

The following restrictions apply to MPLS-TP support for Ethernet Access Circuits feature on ES+ line
card:
MPLS-TP interface on endpoints is supported only on ES+ Line card.
You can configure MPLS-TP mid-points interface on any line card.
Scalable Ethernet over MPLS (EoMPLS, xConnect under EVC) is supported.
Policy Feature Card (PFC) based EoMPLS and SVI based EoMPLS (xConnect under VLAN) are
not supported for MPLS-TP.
Virtual Private LAN Services (VPLS) over MPLS-TP is not supported.
MPLS-TP with dynamic pseudowire (PW) is not supported; only the static PWs are supported.
A maximum of 2000 PW OAM packets are supported at an instance of time for MPLS-TP feature.
Equal Cost Multi-Path (ECMP) is not supported for MPLS-TP.
Penultimate Hop Popping (PHP) is not supported for MPLS-TP.
Different BFD timers for active and standby Label Switched Paths (LSPs) is not supported.
Tunnel hierarchy (nested tunnels) is not supported.
Only the revertive mode is supported.
The maximum sessions supported with different timer profile combination is 255 per ES+ line card.
MPLS-TP is only supported with BFD Hardware Offload.
Asymmetric BFD slow timers are not supported.
BFD Timer profiles supported for MPLS-TP are 10 ms and 50 ms.
IP-less provisioning is not supported on MPLS-TP links.
QoS is not supported on MPLS-TP tunnel interface.
6-70
OL-16147-20
Chapter 6

BFD Over VCCV Control Channel, Support for Ethernet AC
The line cards supported for EVC based Xconnect are:

ES+
SIP400
SIP600
ESM20
Table 6-1 lists the MPLS-TP BFD Session profile per Network Processor.
Table 6-1
Note
MPLS-TP BFD Session profile per Network Processor
BFD Tx/Rx Timer (ms)
Number of BFD Sessions
Number of MPLS-TP Tunnels
10
100
50
50
250
125
For more restriction information, see BFD Restrictions.

Bidirectional Forwarding Detection (BFD) over Virtual Circuit Connectivity Verification (VCCV) is a
mechanism to operate and manage pseudowires for fault detection and diagnostics. BFD is a protocol
that detects faults in the bidirectional path between two forwarding engines. In pseudowires (PW), BFD
uses the VCCV for detecting data plane failures. VCCV provides a control channel that is associated
with a pseudowireand the corresponding operations and management functions.
MPLS pseudowires can dynamically signal or statically configure virtual circuit (VC) labels. VCCV
control channel (CC) types define possible control channels that VCCV can support and the connection
verification (CV) type indicates the types of CV packets and protocols that can be sent on the specified
control channel. In dynamically signalled pseudowires, the CC and CV types are also signalled. In
statically configured pseudowires, the CC and CV types must be configured on both the ends of the
pseudowire.
The BFD over VCCV modes are supported on the following pseudowires:
Static pseudowire with attachment circuit signaling
Static pseudowire without attachment circuit signaling
Dynamic pseudowire without attachment circuit signaling
Restrictions for BFD Over VCCV Control Channel on ES+ Line Card
Following restrictions apply for BFD over VCCV feature.
Only BFD over VCCV Type-1 without Internet Protocol (IP) / User Datagram Protocol (UDP) is
supported. In VCCV Type-1, traffic follows the same path as pseudowire data traffic and VCCV
Type-1 can be used only for MPLS pseudowires with the control word.
L2TPv3 is not supported.
BFD over VCCV feature should be configured only if the core facing interface is the ES+ line card.
OL-16147-20
6-71
Chapter 6
Pseudowire redundancy is not supported.
Up to 1200 pseudowires can be enabled for BFD over VCCV.
When BFD over VCCV is enabled on the pseudowire, switched virtual interface (SVI) based
ethernet over multi protocol label switching (EoMPLS) is not supported.
BFD over VCCV sessions are supported only on single-segment pseudowires between provider edge
routers (PEs).
BFD over VCCV sessions between terminating PE routers (T-PEs) and switching PE routers (S-PEs)
are not supported.
BFD over VCCV sessions are supported only on multi-segment pseudowires between terminating
PE routers (T-PEs).
Configuration Steps
Complete the follosing steps to configure BFD over VCCV for static and dynamic pseudowires.
SUMMARY STEPS
Step 1
enable
Step 2
configure terminal
Step 3
bfd-template single-hop bfd-template-name
Step 4
interval min-tx msec min-rx msec multiplier number
Step 5
exit
Step 6
pseudowire-class pseudowire-class-name
Step 7
encapsulation mpls
Step 8
protocol none
Step 9
preferred-path {interface tunnel tunnel-number | peer {ip-address | host-name}} [disable-fallback]
Step 10
exit
Step 11
Step 12
Step 13
Step 14
xconnect destination vc-id pseudowire-class pseudowire-class-name
Step 15
mpls control-word
Step 16
mpls label local-pseudowire-label remote-pseudowire-label
Step 17
exit
Step 18
pseudowire-class pseudowire-class-name
Step 19
vccv bfd template bfd-template-name
Step 20
vccv bfd status signaling
Step 21
exit
6-72
OL-16147-20
Chapter 6

DETAILED STEPS
Step 1
Command
Purpose
enable
Enter your password when prompted.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
bfd-template single-hop
bfd-template-name
Specifies the BFD template.
Example:
Router(config)#bfd-template
single-hop bfd_name
Step 4
interval min-tx msec min-rx msec

multiplier number
Specifies the following BFD VCCV parameters:
min-tx: Minimum transmission interval in

milliseconds, that the local system uses when
transmitting BFD control packets. The valid range is
50-999.
min-rx: Minimum receiving interval in milliseconds,

between received control packets that this system is
capable of supporting. The valid range is 50-999.
multiplier: The negotiated transmit interval,

multiplied by this value, provides the detection time
for the transmitting system in asynchronous mode.
Example:
Router(config-bfd)#interval min-tx 500
min-rx 500 multiplier 3
Step 5
exit
Exits the BFD template configuration mode.
Example:
Router(config-bfd)#exit
Step 6
pseudowire-class
pseudowire-class-name
Specifies the pseudowire class.
Example:
Router(config)#pseudowire-class BFD
Step 7
encapsulation mpls
Specifies the encapsulation method.
Example:
Router(config-pw-class)#encapsulation
mpls
Step 8
protocol none
Disables the configured protocol.
Example:
Router(config-pw-class)#protocol none
OL-16147-20
6-73
Chapter 6
Step 9
Command
Purpose
preferred-path {interface tunnel

tunnel-number | peer {ip-address |
host-name}} [disable-fallback]
Specifies the path that the traffic uses, either

Multiprotocol Label Switching (MPLS) Traffic
Engineering (TE) tunnel or destination IP address and
Domain Name Server (DNS) name.
Example:
Router(config-pw-class)#
preferred-path interface tunnel 1
disable-fallback
Step 10
exit
Exits the pseudowire class configuration mode.
Example:
Router(config-pw-class)#exit
Step 11

or
slot/port

Example:
Router(config)#interface
gigabitethernet 4/1
Step 12
Configures an ethernet service instance on an interface.
Example:
Router(config-if)#service instance 9
ethernet
Step 13
Enables IEEE 802.1Q encapsulation for the traffic on the

specified interface in the VLAN.
Example:
dot1q 9
Step 14
xconnect destination vc-id

pseudowire-class
Binds an Ethernet, 802.1q VLAN, or Frame Relay

attachment circuit to a Layer 2 Tunnel Protocol Version 3
(L2TPv3) pseudowire for xconnect service and enters the
xconnect configuration mode.
Example:
Router(config-if-srv)#xconnect
1.1.1.1 9 encapsulation mpls manual
pw-class tp-pw
Step 15
mpls control-word
Example:
Enables the Multiprotocol Label Switching (MPLS)

control word in an Any Transport over MPLS (AToM)
static pseudowire connection.
Router(config-if-srv)#mpls
control-word
Step 16
mpls label local-pseudowire-label

remote-pseudowire-label
Enables the MPLS label in an AToM static pseudowire

connection.
Example:
Router(config-if-srv)#mpls label 100
150
6-74
OL-16147-20
Chapter 6

Step 17
Command
Purpose
exit
Exits the service instance configuration mode.
Example:
Step 18
pseudowire-class
Specifies the pseudowire class.
Example:
Step 19
vccv bfd template bfd-template-name
Applies the configured BFD interval timers to BFD

VCCV pseudowire class.
Example:
Router(config-pw-class)#vccv bfd
template bfd_temp_name
Step 20
vccv bfd status signaling
Enables status signaling for BFD VCCV.
Example:
Router(config-pw-class)#vccv bfd
status signaling
Step 21
exit
Example:
Note
If you apply or remove a QoS service policy on the ATM PVC, the configured BFD VCCV sessions are
also renegotiated and a minimal drop in data traffic occurs.
Example
This example shows how to configure BFD over VCCV:
Router>enable
Router(config)#bfd-template single-hop bfd_name
Router(config-bfd)#interval min-tx 500 min-rx 500 multiplier 3
Router(config-bfd)#exit
Router(config-pw-class)#encapsulation mpls
Router(config-pw-class)#protocol none
Router(config-pw-class)#preferred-path interface tunnel 1 disable-fallback
Router(config)#interface gigabitethernet 4/1
Router(config-if-srv)#encapsulation dot1q 9
Router(config-if-srv)#xconnect 1.1.1.1 9 encapsulation mpls manual pw-class tp-pw
Router(config-if-srv)#mpls control-word
Router(config-if-srv)#mpls label 100 150
Router(config-pw-class)#vccv bfd template bfd_temp_name
Router(config-pw-class)#vccv bfd status signaling
OL-16147-20
6-75
Chapter 6
Verifying BFD VCCV Configuration

Use the show mpls l2 vc command to verify the BFD VCCV configuration.
RouterA# show mpls l2transport vc detail
Local interface: Gi7/4 up, line protocol up, Eth VLAN 2 up
Output interface: Tp1, imposed label stack {200 80001}
Preferred path: Tunnel-tp1, active
Default path:
Next hop: point2point
Signaling protocol: Manual
: enabled/N/A
LDP route watch
: enabled
Last BFD dataplane
Last local LDP TLV
status sent: None
Last remote LDP TLV
Last remote LDP ADJ
PWID: 4096
VCCV BFD protection active
BFD Template - BFD
CC Type - 1
CV Type - fault detection and status signaling without IP/UDP headers
VC statistics:
receive 0, send 0
Alternatively, you could also use the show bfd neighbors command from the destination router to verify
the configuration.
RouterB# show bfd neighbors
NeighAddr
22.1.1.1
:1
Session state is UP and not
OurAddr: 0.0.0.0
Local Diag: 0, Demand mode:
MinTxInt: 500000, MinRxInt:
mpls-pw 22.1.1.1 vcid 1 detail

LD/RD
RH/RS
State
1/1
Up
Up
using echo function.
Int
N/A
0, Poll bit: 0
500000, Multiplier: 3
Received MinRxInt: 500000, Received Multiplier: 3

Holddown (hits): 1372(2), Hello (hits): 500(4051)
Rx Count: 3200, Rx Interval (ms) min/max/avg: 1/488/91 last: 128 ms ago
Tx Count: 3203, Tx Interval (ms) min/max/avg: 40/472/91 last: 128 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: Xconnect
Uptime: 00:04:49
Last packet: Version: 1
- Diagnostic: 0
State bit: Up
- Demand bit: 0
6-76
OL-16147-20
Chapter 6

Poll bit: 0
Multiplier: 3
My Discr.: 1
Min tx interval: 500000
Min Echo interval: 0
Final bit: 1
Length: 24
Your Discr.: 1
Min rx interval: 500000
Debugging the BFD CCV

Use these debug commands to troubleshoot the BFD VCCV configuration.
Command
Purpose
debug condition xconnect peer ipaddress vcid

vcid
Allows conditional filtering of debug messages

based on VC ID.
debug mpls l2 vc vccv events
Debugs AToM VCCV events.
debug mpls l2 vc vccv bfd events
Enables the debug event messages during the

creation of a BFD session. This command enables
debug event messages when BFD sends the data
plane fault notification to L2VPN and also when
L2VPN sends the attachment circuit signaling
status to BFD.
OL-16147-20
6-77
Chapter 6
6-78
OL-16147-20
CH A P T E R
Configuring QoS
This chapter provides information about configuring Quality of Service (QoS) on the Cisco 7600 Series
router.
Note
QoS on the Cisco 7600 Series Ethernet Services Plus line cards uses Layer 2 frame size.
Note
With QoS enabled globally, cross bundling is not allowed between 6xxx cards and ES20 line cards,
between 6xxx cards and ES+ line cards, and between ES20 and ES+ line cards.
When mls qos channel-consistency command is disabled, you can configure ports from cards belonging
different family, as member-links of the same port-channel if QoS is not applied on service instances,
sub-interfaces, service-groups, sessions, and main-interfaces of the port-channel or the member-links of
the port-channel.
For more information about the commands in this chapter, see the Cisco IOS Release 12.2 SR Command
References at http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html.
Before referring to any other QoS documentation for the platform or in the Cisco IOS software, use this
chapter to determine Cisco 7600 Series ES+ line card specific QoS feature support and configuration
guidelines.
Note
For additional details about QoS concepts and features in Cisco IOS Release 12.2, you can refer to the
Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.2SR, at
https://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_2sr/qos_12_2sr_book.html.
This chapter includes the following sections:
Supported Interfaces, page 7-3
Mapping Between Bay and Ports, page 7-3
QoS Functions, page 7-4
Configuring QoS Features Using MQC, page 7-7
Configuring Classification, page 7-8
Configuring Policing, page 7-13
OL-16147-20
7-1
Chapter 7
Configuring QoS
Configuring Marking, page 7-22
Configuring Shaping, page 7-26
Configuring QoS: L2 Overhead Specification for Shaping Parameters for Ethernet, page 7-30
Configuring QoS Queue Scheduling, page 7-31
Configuring PFC QoS on a Cisco 7600 Series Ethernet Services Plus Line Card, page 7-47
Configuring Hierarchical QoS, page 7-48
EVCS QoS Support, page 7-52
QoS on Port-Channel Member-Link, page 7-55
IPv6 - Hop by Hop Rate Limiter, page 7-64
Service Group QoS Support on the Cisco 7600 Series Router, page 7-75
Configuring Flexible Service Mapping Based on CoS and Ethertype, page 7-82
Layer 2 and Layer 3 QoS ACL Classification for EVC
Deny ACL QoS Classification
Troubleshooting QoS on a ES+ Line Card, page 7-100
7-2
OL-16147-20
Chapter 7
Configuring QoS
The Cisco 7600 Series ES+ line cards support QoS on the following interfaces:
Note
Note
Main Layer 3 interface
Layer 3 subinterface
Switchport interfaces
SVI interfaces
Service instances
Port-channel service instances
Starting with Cisco IOS Release 12.2(33)SRD1, these interfaces support QoS:
Port-channel subinterface (supported in input direction only).
Port-channel Layer 3 member-link (supported in output direction only).
Starting with Cisco IOS Release 15.1 (01)S, these interfaces support QoS:
Port-channel Layer 2 main interface
Port-channel Layer 2 member link
Mapping Between Bay and Ports

The following table maps the bay and port information in a ES+ line card:
Table 7-1
Mapping between Bay and Ports
Specifications
Port/Bay Information
ES+, 1GIG, 10 GIG variant has 4 NPs
1-10 NP0
1 GIG: 40 Ports
11-20 NP1
21-30 NP2
31-40 NP3
10 GIG : 4 (10 gig) ports
1 mapped to NP0
2 mapped to NP1
3 mapped to NP2
4 mapped to NP3
There are other flavours with 20 Ports as well. In all these cases, least number of NP is mapped to the
least number ports. For example, 1gig or 10 gig with each NP is mapped to 10 - 1 GIG or 1 - 10 GIG
ports.
OL-16147-20
7-3
Chapter 7
Configuring QoS
QoS Functions
Table 7-2
Mapping between Bay and Ports in Combo Cards
Specifications
Port/Bay Information
40G combo card
1 - 10 G port mapped to NP 2
11- 20 G Port mapped to NP 1
21 TG port mapped to NP0
20G combo card
1 - 10G port mapped to NP1

QoS Functions
The following sections describe ingress and egress QoS functions.
Ingress QoS Functions

The following paragraphs describe ingress QoS support on the Cisco 7600 Series ES+ line card.
Ingress Trust
Trust is a port assignment instructing the port to trust (leave) existing priorities as they are on incoming
frames or to rewrite the priorities back to zero.
A packet can arrive at an interface with a priority value already present in the packets header. The router
needs to determine if the priority setting was set by a valid application or network device according to
pre defined rules or if it was set by a user hoping to get better service.
The router has to decide whether to honor the priority value or change it to another value. How the router
makes this determination is by using the port trust setting.
Note
Starting with Cisco IOS Release 12.2(33)SRE4, for switchport and SVI interfaces, the default port
behavior is trust dscp. The cos value is derived from the dscp value.
The main Layer 3 interface and the Layer 3 subinterface always trust Differentiated Services Code Point
(DSCP) by default.
To change the ingress type of service (ToS), use marking. For information on marking, see the
Configuring Marking section on page 7-22.
Note
The ES+ line card marks a packet as trust cos when ingress marking for CoS is configured for a routed
interface. Hence, the CoS value configured using the set cos value command is retained on the outgoing
packet. This cos value is not overwritten by earl or derived from dscp.
7-4
OL-16147-20
Chapter 7
Configuring QoS
QoS Functions
Ingress Queue Scheduling

The Cisco 7600 Series ES+ line card supports ingress queue scheduling. For information on configuring
ingress scheduling, see the Configuring QoS Queue Scheduling section on page 7-31.
Ingress Classification
Classification entails using a traffic descriptor to categorize a packet within a specific group to define
that packet and make it accessible for QoS handling on the network. Using packet classification, you can
partition network traffic into multiple priority levels or classes of service.
Traffic is classified to determine whether it should be:
Marked for further processing
Policed to rate limit specific traffic types
The Cisco 7600 Series ES+ line card supports ingress classification. For information on configuring
classification, see the Configuring Classification section on page 7-8.
Ingress Policing
Policing provides a means to limit the amount of bandwidth that traffic traveling through a given port,
or a collection of ports in a VLAN, can use. Policing works by defining an amount of data that the router
is willing to send or receive in kilobytes per second.
When policing is configured, it limits the flow of data through the router by dropping or marking down
the QoS value. Policing allows the router to limit the rate of specific types to a level lower than what
they might get otherwise based only the interface bandwidth.
The Cisco 7600 Series ES+ line card supports ingress policing. For information on configuring policing,
see the Configuring Policing section on page 7-13.
Ingress Marking
After it has been classified, traffic can be marked. Marking is a way to selectively modify the
classification bits in a packet to identify traffic within the network. Other interfaces can then match
traffic based on the markings.
The Cisco 7600 Series ES+ line card supports ingress marking. For information on configuring marking,
see the Configuring Marking section on page 7-22.
Ingress Bandwidth and Ingress Queueing

Ingress bandwidth allows you to specify or modify the bandwidth allocated for a class belonging to a
policy-map. Class-based weighted fair queueing (CBWFQ) extends the standard WFQ functionality to
provide support for user-defined traffic classes. Ingress bandwidth and CBWFQ are supported on on
main Layer 3 interface, Layer 3 subinterface, and service instances.
The Cisco 7600 Series ES+ line card supports ingress bandwidth, for more information, see the
Configuring QoS Queue Scheduling section on page 7-31.
OL-16147-20
7-5
Chapter 7
Configuring QoS
QoS Functions
LLQ (Ingress Priority)

Low-Latency Queuing (LLQ) allows you to allocate bandwidth to the class maps in the policy-map.
The Cisco 7600 Series ES+ line card supports LLQ. For information, see the Configuring LLQ section
on page 7-40.
Ingress Shaping
The Cisco 7600 Series ES+ line card supports ingress shaping. The shape average command is supported
in flat/H-QoS policy-maps in ingress on main Layer 3 interface, Layer 3 subinterface, and service
instances. For more information, see the Configuring Shaping section on page 7-26
Note
Ingress queueing commands are not supported on port channel service instances.
Egress QoS Functions

The following sections describe QoS functions on the Cisco 7600 Series ES+ line card egress ports.

Follow these restrictions and usage guidelines when configuring the Egress QoS functions:
Each port on an ES+ card has a special Tx queue where all traffic originating from RP or SP will be
sent, if the packets have DBUS CoS 6 or CoS 7 or BPDU bit set. Packets sent to this egress special
queue will not be subject to the interface egress QoS and egress ACL.
Egress Classification
Classification entails using a traffic descriptor to categorize a packet within a specific group to define
that packet and make it accessible for QoS handling on the network. Using packet classification, you can
partition network traffic into multiple priority levels or classes of service.
Traffic is classified to determine whether it should be:
Marked for further processing
Queued to rate limit specific traffic types
The Cisco 7600 Series ES+ line card supports egress classification. For information on configuring
classification, see the Configuring Classification section on page 7-8.
Egress Policing
The Cisco 7600 Series ES+ line card supports egress port policing.
Egress Marking
After traffic has been classified, the router can mark it. You use marking to selectively modify the
classification bits in the packet to differentiate packets based on the designated markings.
7-6
OL-16147-20
Chapter 7
Configuring QoS
The Cisco 7600 Series ES+ line card supports egress port marking. For information on configuring
marking, see the Configuring Marking section on page 7-22.
Egress Shaping
Traffic shaping allows you to control the traffic going out an interface in order to match its flow to the
speed of the remote target interface and to ensure that the traffic conforms to policies contracted for it.
You can use shaping to meet downstream requirements, thereby eliminating bottlenecks in topologies
with data-rate mismatches.
The Cisco 7600 Series ES+ line card supports shaping on egress port, subinterfaces, and service
instances. For information on configuring shaping, see the Configuring Shaping section on page 7-26.
Egress Queue Scheduling

The egress line card uses congestion avoidance to help prevent congestion and keep its buffers from
overflowing.
The Cisco 7600 Series ES+ line card supports Class-based Weighted Fair Queuing (CBWFQ), Low
Latency Queueing (LLQ), and Weighted Random Early Detection (WRED). For information on
configuring egress scheduling, see the Configuring Bandwidth and CBWFQ section on page 7-36.

The Modular QoS CLI (MQC) is a CLI structure that allows users to create traffic policies and attach
these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. A
traffic class is used to select traffic, while the QoS features in the traffic policy determine how to treat
the classified traffic.
To configure QoS features using the Modular QoS CLI on the Cisco 7600 Series ES+ line card, complete
the following basic steps:
Step 1
Define a traffic class using the class-map command.
Step 2
Create a traffic policy by associating the traffic class with one or more QoS features (using the
policy-map command).
Step 3
Attach the traffic policy to the interface using the service-policy command.
For a complete discussion about MQC, refer to the Modular Quality of Service Command-Line
Interface Overview section of the Cisco IOS Quality of Service Solutions Configuration Guide, Release
12.3 publication at:
http://www.cisco.com/en/US/docs/ios/12_3/featlist/qos_vcg.html
OL-16147-20
7-7
Chapter 7
Configuring QoS
Configuring Classification
Use the QoS classification features to select your network traffic and categorize it into classes for further
QoS processing based on matching certain criteria. The default class, named class-default, is the class
to which any traffic that does not match any of the selection criteria in the configured class maps is
directed.

Follow these restrictions and usage guidelines when configuring the QoS classification an ES40 line
card:
Only classified based on source MAC address using Layer 2 ACL is supported.
Cisco 7600 Series ES+ line cards support classification on SVI only for EoMPLS and VPLS.
The match not command is not supported.
Table 7-3 provides information about which QoS classification features are supported for the Cisco 7600
Series ES+ line card on the Cisco 7600 series router. For more information about most of the commands
documented in this table, refer to the Cisco IOS Quality of Service Solutions Command Reference.
Table 7-3
QoS Classification Feature Support
Feature (match command)
Match on access list (ACL) number (match

access-group command)
Input and output for the following interfaces:
Switchport interfaces1
Service instances1
Port-channel service instances1
Port-channel subinterface
Note
Deny ACL is not supported on ES+ line cards.
Match on Class of Service (CoS) (match cos command) Input and output for the following interfaces:
Main Layer 3 interface2
SVI interfaces3
Service instances
Port-channel member link
Port-channel layer 2 and layer 3 interface4
7-8
OL-16147-20
Chapter 7
Configuring QoS
Table 7-3
QoS Classification Feature Support (continued)
Match on inner CoS (match cos inner command)
Match on input VLAN (match input vlan command)
Service instances
Output for the following interfaces:
Note
Match on IP DSCP (match ip dscp command)
Match on IP precedence (match ip precedence

command)
Match on MPLS experimental (EXP) bit (match mpls

experimental command)
Main Layer 3
Used with non-intelligent line card in the input
side and a Cisco 7600 Series ES+ line card on the
output side. The service policy is applied on the
output side to match the VLAN from the input
side.
Service instances
Service instances
OL-16147-20
7-9
Chapter 7
Configuring QoS
Table 7-3
QoS Classification Feature Support (continued)
Match on VLAN
(match vlan commandMatches the outer VLAN of a

Layer 2 IEEE 802.1Q frame)
Match on VLAN Inner

(match vlan inner commandMatches the innermost
VLAN of the 802.1Q tag in the Layer 2 frame)
Match on source-address MAC

match source-address mac commandMatches the
source MAC address.
Service instances
Port-channel layer 2 and layer 3 interface
Port channel subinterface
Service instances
Port-channel subinterface (input only)
Service instances
Port-channel layer 2 interface
1. Only classified based on source MAC address using Layer 2 ACL.

2. To match subinterface/EVC traffic and policy-map applied on the main interface.
3. Cisco 7600 Series ES+ line cards support classification on SVI only for EoMPLS and VPLS.
4. The match not command is not supported.
Note
Note
1.
enable
2.
configure terminal
SUMMARY STEPS
7-10
OL-16147-20
Chapter 7
Configuring QoS
3.
class-map [match-all | match-any] class-map-name
4.
match type
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
class-map [match-all | match-any]

class-map-name
Example:
Creates a traffic class, where:
match-all(Optional) Specifies that all match

criteria in the class map must be matched, using a
logical AND of all matching statements defined
under the class. This is the default.
match-any(Optional) Specifies that one or more

match criteria must match, using a logical OR of all
matching statements defined under the class.
class-map-nameSpecifies the user-defined name of

the class.
Note
You can define up to 1000 unique class maps.
Router(config)# class-map match-all

acl9 (id 1049)
Step 4
match type
Example:
Router(config-cmap)# match ip
precedence 5
Specifies the matching criterion to be applied to the

traffic, where type represents one of the forms of the
match command supported by the Cisco 7600 Series ES+
line card as shown in Table 7-3.
Note
A single class map can contain up to 8 different

match command statements.
OL-16147-20
7-11
Chapter 7
Configuring QoS
Examples
This example shows how to configure a class map named ipp5, and enter a match statement for IP
precedence 5:
Router# enable
Router(config)# class-map ipp5
Router(config-cmap)# match ip precedence 5
Router(config-cmap)#
This is an example of configuring class matching on multiple match statements.

Router# enable
Router(config)# class-map match-any many (id 1047)
Router(config-cmap)# match access-group 100
Router(config-cmap)# match mpls experimental 5
This is an example of configuring class matching on named ACLS.

Router# enable
Router(config)# class-map match-all acl9 (id 1049)
Router(config-cmap)# match access-group name rock
This example shows a logical AND operation in a child policy with match vlan and class-default in a
parent.
Router# enable
Router(config)# class-map match-all childAND
Router(config-cmap)# match vlan inner 2-3
Router(config-cmap)# match cos inner 5 6
Router(config)# policy-map testchildAND
Router(config-pmap)# class childAND
Router(config-pmap-c)# shape average 100000000
Router(config)# policy-map parentAND
Router(config-pmap)# class vlan12
Router(config-pmap-c)# service-policy testchildAND
This example shows how to display class-map information for a specific class map using the show
class-map command:
Router# show class-map ipp5
Class Map match-all ipp5 (id 1)
Match ip precedence 5
This example shows how to display class map information matching on extended ACLs using the show
class-map command.
Router# show class-map acl5
Class Map match-all acl5 (id 1042)
Match access-group 102
This example shows how to verify classification on a VLAN in the parent class of a H-QoS policy.
head# show policy-map match
Policy Map match
Class vlan11
shape average 2000000 8000 8000
7-12
OL-16147-20
Chapter 7
Configuring QoS
Configuring Policing
service-policy match4
Class vlan12
shape average 2000000 8000 8000
Class vlans
shape average 500000000 2000000 2000000
The Cisco 7600 Series ES+ line cards support the following features:
Individual Actions
Multiple Actions
Single Rate, 2 Color Policer

Granularity
Accuracy (Rate and Bucket Depths)
Statistics
Percent based policer
Dual Rate, 3 color

Percent based policer
Color aware policer not supported
Single-rate 3-color not supported.
Color blind mode
Hierarchical Policies (up to two levels)
255 Profiles at different rates
Micro-flow policing
Policing is supported at the input and output for the following interfaces:
Service instances
Port-channel subinterface (input only) (aggregate per NPE)
Layer 3 port-channel member link
Micro-flow policing is supported at the input for the following interfaces:
Main Layer 3 interface (micro-flow policing)
Layer 3 subinterface (micro-flow policing)
Port-channel subinterface (micro-flow policing)
OL-16147-20
7-13
Chapter 7
Configuring QoS

When configuring policing, follow these restrictions and usage guidelines:
The Cisco 7600 Series ES+ line card supports maximum of 1k unique global policy-maps per line
card.
The Cisco 7600 Series ES+ line card supports 16K EVCs. 16K ingress service policies and 16K
egress service policies are supported per line card.
Maximum class maps per policy-map are 253.
Policer CIR and PIR can be any value between 64,000 bps to 10 Gb/s.
If a service policy configures both class-based marking and marking as part of a policing action,
then the marking using policing takes precedence over any class-based marking.
When configuring policing paired with priority actions:

If there are some other bandwidth classes configured in the policy-map, then either exceed or
violate action must be dropped. The conform action can be any action.
If no other bandwidth class is configured, then conform, exceed, and violate can be any action.
Up to 48,000 policers per NP are supported for one rate 2 color or two rate 3 color policers.
EVC micro-flow policer is not supported.
When configuring supported micro-flow policing:

A policy must only contain micro-flow policing commands. Micro-flow policing is not
supported with other QoS features (that is, with marking, policing, or queueing).
Micro-flow policing is PFC action. Other QoS features (that is, marking, policing, or queueing)
are implemented in the NPE.
Effective from Cisco IOS Release15.1(2)S, ISG Control Plane Policing(CoPP) is supported on
regular subinterfaces.
Any modification to the micro-flow policing policy that shifts the policy implementation from NPE to
the PFC or from the PFC to the NPE is not supported. All such modifications would require the policy
to be first removed from the attached ES40 interfaces, modified, and then reattached to ES40 interfaces.
Table 7-4 provides information about which policing features are supported for the Cisco 7600 Series
ES+ line card on the Cisco 7600 series routers.
7-14
OL-16147-20
Chapter 7
Configuring QoS
Table 7-4
QoS Policing Feature Support
Policing Command
police bps value conform-action action
exceed-action action
police cir percent % conform-action action

Policing Action (set command)
Transmit the packet (transmit action)
Drop the packet (drop command)
Set the IP precedence value (set ip precedence

command)
Set the IP DSCP value (set ip dscp command)
Set the MPLS EXP bit (07) on imposition

(set-mpls-experimental-imposition command)
Set the MPLS EXP bit in the topmost label

(set-mpls-experimental-topmost command)
Set the COS value (set cos command)
Set the COS-inner value (set cos-inner command)

command)


OL-16147-20
7-15
Chapter 7
Configuring QoS
Table 7-4
QoS Policing Feature Support (continued)
Policing Command
police cir bps value pir bps value conform-action
action exceed-action action violate-action action
police cir percent % pir percent % conform-action

Policing Action (set command)

command)



command)


SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
class {class-name | class-default}
5.
police bps value conform-action action exceed-action action

or
police cir percent % conform-action action exceed-action action
or
police cir bps value pir bps value conform-action action exceed-action action violate-action
action
or
police cir percent % pir percent % conform-action action exceed-action action violate-action
action
7-16
OL-16147-20
Chapter 7
Configuring QoS
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Creates or modifies a traffic policy and enters policy-map

configuration mode, where:
Router(config)# policy-map
policy-map-test
Step 4
Specifies the name of the traffic class to which this policy

applies and enters policy-map class configuration mode,
where:
class-nameSpecifies that the policy applies to a

user-defined class name previously configured.
class-defaultSpecifies that the policy applies to

the default traffic class.
Example:
Router (config-pmap)# class acgroup2
Step 5
police bps-value conform-action action

Example:
Router(config-pmap-c)# police 5000000
conform-action drop exceed-action
set-dscp-transmit
policy-map-nameSpecifies the name of the traffic

policy to configure. Names can be a maximum of 40
alphanumeric characters.
Specifies a maximum bandwidth usage by a traffic class

through the use of a token bucket algorithm, where:
bps valueSpecifies the average rate in bits per

second. Valid values are 16000 to 10Gb/s.
actionSpecifies the actions that are taken on a

packet when it conforms or exceeds. The possible
actions are shown in Table 7-4.
Or
police cir percent % conform-action
action exceed-action action
Example:
percent 20 conform-action transmit
exceed-action set-prec-transmit 1
Configures traffic policing on the basis of a percentage of

bandwidth available on an interface, where:
cirSpecifies the committed information rate.

Indicates that the committed information rate (CIR)
will be used for policing traffic.
percentSpecifies that a percentage of bandwidth

will be used for calculating the CIR.
%Specifies the CIR bandwidth percentage. Valid

values are 1 to 100.
actionSpecifies the he actions that are taken on a

Or
OL-16147-20
7-17
Chapter 7
Configuring QoS
Command
Purpose
police cir bps-value pir bps-value

conform-action action exceed-action
action violate-action action
Configures traffic policing using two rates, the CIR and

the peak information rate (PIR), where:

Indicates that the CIR will be used for policing
traffic.
pirSpecifies the peak information rate. Indicates

that the PIR will be used for policing traffic.
bps-valueSpecifies the average rate in bits per

second. Valid values are 64000 to 200000000.

Example:
1000000 pir 2000000 conform-action
set-cos-transmit 3 exceed-action
set-cos-transmit 1 violate-action drop
Or
police cir percent % pir percent %
conform-action action exceed-action
action violate-action action
Example:
percent 20 pir percent 40 conform-action
transmit exceed-action set-prec-transmit
1 violate-action drop
Configures traffic policing using two rates, the CIR and

the PIR, where:

traffic.
percentSpecifies that a percentage of bandwidth

will be used for calculating the CIR.
%Specifies the CIR or PIR bandwidth percentage.

Valid values are 1 to 100.
pirSpecifies the peak information rate. Indicates

that the PIR will be used for policing traffic.

Examples
In the following example, all actions are configured in separate lines.
Router# (config)# policy-map ABC
Router(config-pmap)# class class-default
Router(config-pmap-c)# police 10000000 8000 8000
Router(config-pmap-c-police)# conform-action set-cos-transmit 2
Router(config-pmap-c-police)# exceed-action set-cos-transmit 1
Router(config-pmap-c-police)# end
Router#
Router# show policy-map ABC
Policy Map ABC
Class class-default
police cir 10000000 bc 8000 be 8000
conform-action set-cos-transmit 2
exceed-action set-cos-transmit 1
7-18
OL-16147-20
Chapter 7
Configuring QoS
Router#
This example configures a 1 rate 2-color policer:

Router(config)# policy-map 1r2c
Router(config-pmap-c-police)# conform-action transmit
Router(config-pmap-c-police)# exceed-action drop
Router# show policy-map 1r2c
Policy Map 1r2c
Class class-default
police cir 2000000 bc 62500
conform-action transmit
exceed-action drop
Router#
This example configures a 1 rate 2-color policer with percent:

Router(config)# policy-map 1r2c_percent
Router(config-pmap-c)# police cir percent 20
Router(config-pmap-c-police)# conform-action set-cos-transmit 0
Router(config-pmap-c-police)# exceed-action drop
Router#
Router# show policy-map 1r2c_percent
Policy Map 1r2c_percent
Class class-default
police cir percent 20
conform-action set-cos-transmit 0
exceed-action drop
Router#
This example configures a 2 rate 3-color policer:

Router(config)# policy-map 2r3c
Router(config-pmap-c)# police cir 2000000 pir 3000000
Router(config-pmap-c-police)# conform-action set-prec-transmit 3
Router(config-pmap-c-police)# exceed-action set-prec-transmit 2
Router(config-pmap-c-police)# violate-action set-prec-transmit 1
Router#
Router# show policy-map 2r3c
Policy Map 2r3c
Class class-default
police cir 2000000 bc 62500 pir 3000000 be 93750
conform-action set-prec-transmit 3
exceed-action set-prec-transmit 2
violate-action set-prec-transmit 1
Router#
This example configures a 2 rate 3-color policer with percent:

Router(config)# policy-map 2r3c_percent
Router(config-pmap-c)# police cir percent 10 pir percent 20
Router(config-pmap-c-police)# conform-action transmit
Router(config-pmap-c-police)# exceed-action set-cos-transmit 0
Router(config-pmap-c-police)# violate-action drop
Router#
Router# show policy-map 2r3c_percent
OL-16147-20
7-19
Chapter 7
Configuring QoS
Policy Map 2r3c_percent

Class class-default
police cir percent 10 pir percent 20
conform-action transmit
exceed-action set-cos-transmit 0
violate-action drop
Router#
This example configures a single rate two color policer in class-default with a CIR of 64 Kbps, a conform
action of transmit and an exceed action of drop with as small a Bc as possible:
Router# enable
Router(config)# policy-map police
Router(config-pmap)# class test8
Router(config-pmap-c)# police 64000 2000
This example configures a single rate two color policer in class-default and a child policy with policing:
Router# enable
Router(config)# policy-map police5
Router(config-pmap)# class test18
Router(config-pmap-c)# service policy child-level
Router(config-pmap-c)# police cir 64000 50
The following example shows a 2R3C configuration in a class and policy-map:

Router# enable
Router(config)# policy-map test
Router(config-pmap)# class cos2
Router(config-pmap-c)# police 1000000 pir 2000000 conform-action set-cos-transmit 3
exceed-action set-cos-transmit 1 violate-action drop
The following example configures a dual rate three color policer in class-default with a CIR of 64 Kbps,
and PIR doubled the CIR rate, a conform action of transmit, and an exceed action mark dscp af11 and
violate mark dscp cs1 with default setting on Bc.
Router# enable
Router(config)# policy-Map qos_test
Router(config-pmap-c)# police cir 64000 bc 2000 pir 128000 be 2000 conform-action transmit
exceed-action set-dscp-transmit af11 violate-action set-dscp-transmit cs1
The following example configures a dual rate three color policer in class-default.
Router# enable
Router(config-pmap-c)# police cir percent 20 pir percent 40 conform-action transmit
exceed-action set-prec-transmit 1 violate-action drop
7-20
OL-16147-20
Chapter 7
Configuring QoS
Verification
Use the following commands to verify policing:
Command
Purpose
Router# show policy-map
Displays all configured policy-maps.
Router# show policy-map policy-map-name
Displays the user-specified policy-map.
Router# show policy-map interface
Displays statistics and configurations of all

input and output policies that are attached to
an interface.
This example shows how to display policing statistics using the show policy-map interface command
in the EXEC mode.
service-policy output: x
class-map: a (match-all)
0 packets, 0 bytes
5 minute rate 0 bps
match: ip precedence 0
police:
1000000 bps, 10000 limit, 10000 extended limit
conformed 0 packets, 0 bytes; action: transmit
exceeded 0 packets, 0 bytes; action: drop
conformed 0 bps, exceed 0 bps, violate 0 bps
This is another example of displaying policing statistics using the show policy-map interface
command; in this case the statistics are for a one rate 2 color per EVC policer.
Router# show policy-map interface ten 4/1 service instance 1
TenGigabitEthernet4/1: EFP 1
Service-policy input: evc_ingress
Counters last updated 00:00:00 ago
Class-map: class-default (match-any)
72077 packets, 36903424 bytes
5 minute offered rate 981000 bps, drop rate 440000 bps
Match: any
police:
cir 10000000 bps, bc 8000 bytes
conformed 87426 packets, 44762112 bytes; actions:
transmit
exceeded 85974 packets, 44018688 bytes; actions:
drop
conformed 556000 bps, exceed 448000 bps
Attaching a QoS Traffic Policy to an Interface

Before a traffic policy can be enabled for a class of traffic, it must be configured on an interface. A traffic
policy also can be attached to Ethernet subinterfaces, main interfaces, and service instances.
OL-16147-20
7-21
Chapter 7
Configuring QoS
Configuring Marking
Traffic policies can be applied for traffic coming into an interface (input), and for traffic leaving that
interface (output).
Attaching a QoS Traffic Policy for an Input Interface

When you attach a traffic policy to an input interface, the policy is applied to traffic coming into that
interface. To attach a traffic policy for an input interface, use the following command beginning in
interface configuration mode:
Command
Purpose
Router(config-if)# service-policy input

policy-map-name
Attaches a traffic policy to the input direction of an

interface, where:

policy to configure.
Attaching a QoS Traffic Policy to an Output Interface

When you attach a traffic policy to an output interface, the policy is applied to traffic leaving that
interface. To attach a traffic policy to an output interface, use the following command beginning in
interface configuration mode:
Command
Purpose

policy-map-name
Attaches a traffic policy to the output direction of an

interface, where:

Configuring Marking
After you have created your traffic classes, you can configure traffic policies to configure marking
features to apply certain actions to the selected traffic in those classes.
In most cases, the purpose of a packet mark is identification. After a packet is marked, downstream
devices identify traffic based on the marking and categorize the traffic according to network needs. This
categorization occurs when the match commands in the traffic class are configured to identify the
packets by the mark (for example, match ip precedence, match ip dscp, match cos, and so on). The
traffic policy using this traffic class can then set the appropriate QoS features for the marked traffic.
In some cases, the markings can be used for purposes besides identification. Distributed WRED, for
instance, can use the IP precedence, IP DSCP, or MPLS EXP values to detect and drop packets.

When configuring class-based marking on an Cisco 7600 Series ES+ line card, follow these restrictions
There is no limit on the number of marking statements per class map.
7-22
OL-16147-20
Chapter 7
Configuring QoS
Configuring Marking
Marking can be configured at parent and leaf.
EARL marking is not used.
Marking can be combined with queueing policies.
Marking statistics are not provided in show policy-map interface command output. You can refer
to classification statistics in place of marking statistics.
Table 7-5 provides information about which QoS class-based marking features are supported for the
Cisco 7600 Series ES+ line card on the Cisco 7600 series router.
Table 7-5
QoS Class-Based Marking Feature Support
Marking Feature (set command)
Set IP DSCP
(set ip dscp commandMarks the IP differentiated

services code point (DSCP) in the type of service (ToS)
byte with a value from 0 to 63.)
Set IP precedence
(set ip precedence commandMarks the precedence
value in the IP header with a value from 0 to 7.)
Set Layer 2 IEEE 802.1Q CoS

(set cos commandMarks the CoS value from 0 to 7 in
an 802.1Q tagged frame.)
Service instances
Service instances
Service instances (excluding EoMPLS on input)
Port-channel layer 2 and 3 interface
OL-16147-20
7-23
Chapter 7
Configuring QoS
Configuring Marking
Table 7-5
QoS Class-Based Marking Feature Support (continued)
Marking Feature (set command)
Set Layer 2 802.1Q CoS
(set cos-inner commandMarks the inner CoS field

from 0 to 7 in a bridged frame.)

(set cos-inner cos commandCopies out CoS to inner
CoS.)

(set cos cos-inner command)
Set MPLS experimental (EXP) bit on label imposition

(set mpls experimental imposition command)
Set MPLS EXP topmost

(set mpls experimental topmost command)
Service instances
Service instances
Service instances
Input for the following interfaces:
SVI interfaces (for EoMPLS and VPLS)
Service instances (EVC-based EoMPLS)
Port-channel service instances (Not supported on

switchport)
1. To match subinterface/EVC traffic and policy-map applied on the main interface.
Note
Note
7-24
OL-16147-20
Chapter 7
Configuring QoS
Configuring Marking
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
set type
DETAILED STEPS:
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

Example:
Router(config)# policy-map policymap3
Step 4

where:


Example:
Router(config-pmap)# class class1
Step 5
set type
Example:
Router(config-pmap-c)# set ip
precedence2

Specifies the marking action to be applied to the traffic,

where type represents one of the forms of the set
command supported by the Cisco 7600 Series ES+ line
card as shown in Table 7-5.
Examples
This example shows the creation of a service policy called policy1. This service policy is associated to
a previously defined classification policy through the use of the class command. This example assumes
that a classification policy called class1 was previously configured.
Router# enable
Router(config)# policy-map policy1
OL-16147-20
7-25
Chapter 7
Configuring QoS
Configuring Shaping
Router(config-pmap-c)# set ip precedence 1
This example configures marking to set the imposed MPLS EXP bits to 1:
Router# enable
Router(config-pmap)# class test
Router(config-pmap-c)# set mpls experimental imposition 1
This example configures marking to set the inner cos value:

Router# enable
Router(config-pmap-c)# set cos inner 1
This example configures marking to set the imposed MPLS EXP bits to 1:
Router# enable
Router(config-pmap-c)# set mpls experimental topmost 1
Verification
Use the following commands to verify marking:
Command
Purpose
Displays all configured policy-maps.
Router# show policy-map policy-map-name
Displays statistics and configurations of all

input and output policies that are attached to
an interface.
For more detailed information about configuring class-based marking features, refer to the Class-Based
Marking document located at the following URL:
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/cbpmark2.html
Configuring Shaping
This section describes information for configuring QoS traffic policies for shaping traffic. Shaping is the
process of delaying packets in queues to make them conform to a specified profile.

When configuring shaping on an Cisco 7600 Series ES+ line card, follow these restrictions and usage
guidelines:
7-26
OL-16147-20
Chapter 7
Configuring QoS
Configuring Shaping
Up to 256 shaping profiles are supported at the parent level and 64 at the child level and flat policy.
Shaping can be performed at all levels of the hierarchy.
Shaping rates range from 64 Kbps to link rate.
Dual shapers are not supported.
Service instance, port channel service instance, and Layer 3 subinterface support two-level
policy-map: parent class-default and child policy.
Main interface supports three-level policy-map: grand-parent class-default, parent user defined
classes, and child user defined classes.
Shaper CIR granularity for child level shaper:

64,000 bps to 32,768,000 bps: granularity of 16,000 bps
32,768,000 bps to 131,008,000 bps: granularity of 64,000 bps
Shaper CIR granularity for parent level shaper:

Can be any value between 64,000 bps to 10 Gb/s.
Shaper CIR granularity for grand parent level shaper:

160,000bps to 40,960,000 bps: granularity of 160,000 bps.
40,960,000 bps to 163,840,000 bps: granularity of 640,000 bps.
163,840,000 bps to 655,360,000 bps: granularity of 2,560,000 bps.
655,360,000 bps to 10G: granularity of 40,960,000 bps.
Maximum shaper rate in the leaf policy-map is 130 Mb/s.
The shape average percent command is not supported.
For more detailed information about configuring congestion management features, refer to the Cisco IOS
Quality of Service Solutions Configuration Guide document corresponding to your Cisco IOS software
release.
Table 7-6 provides information about which QoS traffic shaping features are supported for the Cisco
7600 Series ES+ line card on the Cisco 7600 series router.
Table 7-6
QoS Traffic Shaping Feature Support
Traffic Shaping Feature (command)
Cisco 7600 Series ES+ Line Card
Class-based shaping
(shape average commands)
Port-channel service instances (output only)
Port-channel Layer 3 member link (output

only)
Shaper Tc Granularity for ES+ Line Card

The lowest supported Tc on the hardware is 50 micro sec. The value of Tc is derived as:
Tc = BC/CIR
where:
OL-16147-20
7-27
Chapter 7
Configuring QoS
Configuring Shaping
Tc - Time interval over which the committed burst (Bc) can be sent
Bc - Committed burst size, represents the amount of traffic that can be sent over Tc interval.
CIR - Committed Information Rate (in bits per second).
1.
enable
2.
configure terminal
3.
class-map [match-all | match-any] class-map-name
4.
match [ip dscp ip-dscp-value | ip precedence ip-precedence-value | mpls experimental

mpls-exp-value]
5.
policy-map policy-name
6.
class class-name
7.
shape average cir [bc] [be]
SUMMARY STEPS
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
class-map [match-all | match-any]

class-map-name
Creates a class map to be used for matching packets to a

class.
Example:
Router(config)# class-map
class-interface-all
Step 4
match [ip dscp ip-dscp-value | ip

precedence ip-precedence-value | mpls
experimental mpls-exp-value]
Specifies a specific IP DSCP, IP precedence, or MPLS

EXP value as a match criterion.
Example:
Router(config-cmap)# match ip
precedence 2
Step 5
Specifies the name of the policy-map to configure.
Example:
Router(config)# policy-map test2
7-28
OL-16147-20
Chapter 7
Configuring QoS
Configuring Shaping
Step 6
Command
Purpose
class class-name
Specifies the name of a predefined class included in the

service policy.
Example:
Router(config-pmap)# class classtest
Step 7
Specifies the average rate traffic shaping.
Example:
Router(config-pmap-c)# shape average
10000000
Examples
This example shows traffic shaping on a main interface; traffic leaving interface gi1/1 is shaped at the
rate of 10 Mb/s:
Router# enable
Router(config)# class-map class-interface-all
Router(config-cmap)# exit
Router(config)# policy-map dts-interface-all-action
Router(config-pmap)# class class-interface-all
Router(config-pmap-c)# exit
Router(config-if)# service-policy output dts-interface-all-action
This is an example of an output shaping policy on a switchport interface that matches on a CoS value
queuing defined in the classes.
Router# enable
Router(config)# policy-map switchport-cos-policy
Router(config-pmap-c)# shape ave 100000000
Now the policy is applied in the egress direction on the main switchport.
Router# enable
Router(config)# interface TenGigabitEthernet9/1
Router(config-if)# service-policy output switchport-cos-policy
In this example, shape is applied at the parent level of an HQoS policy-map.

Router# enable
Router(config)# policy-map child2
Router(config-pmap)# class prec5
Router(config)# policy-map pcd
Router(config-if)# service-policy child2
OL-16147-20
7-29
Chapter 7
Configuring QoS
Configuring QoS: L2 Overhead Specification for Shaping Parameters for Ethernet
This example configures a shaping policy in default-class with WRED:

Router# enable
Router(config)# policy Map qos_test
Router(config-pmap-c)# shape ave 100Mbps
Router(config-pmap-c)# random-detect dscp-based aggregate
Verification
Use the following commands to verify traffic shaping:
Command
Purpose
Router# show interface [interface-name]
Displays detail status of the traffic

shaping.
Router# show policy policy-name
Displays the configuration of all classes

composing the specified traffic policy.
Router# show policy policy-name

class class-name
Displays the configuration of the

specified class of the specified traffic
policy.
Configuring QoS: L2 Overhead Specification for Shaping

Parameters for Ethernet
This feature helps you to configure shaping QoS features with Layer 2 encapsulation overhead.
Previously, outbound shaping algorithm was based only on the Layer 3 packet length.
Use the hw-module slot slot-number account np np-index out length command in the global
configuration mode, to enable this feature.
Complete the following steps to configure shaping and policing QoS.
Restrictions
This command is not applicable for the policing QOS feature and also for the LLQ classes.
SUMMARY STEPS
Step 1
enable
Step 2
configure terminal
Step 3
hw-module slot slot-number account np np-index out length
Step 4
exit
7-30
OL-16147-20
Chapter 7
Configuring QoS
Configuring QoS Queue Scheduling
DETAILED STEPS
Step 1
Command or Action
Purpose
enable

Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
hw-module slot slot-number

account np np-index out
length
Enables Layer 2 overhead encapsulation for calculating shaped bit rates.
Note
Example:
This command is applicable to all the ports in the specific

NP on the ES40 linecard.
Router(config)# hw-module
slot 1 account np 0 out 4
Step 4
end
Returns the command-line interface (CLI) to privileged EXEC mode.
Example:
This example describes how to configure shaping and policing QoS features:
Router> enable
Router(config)# hw-module slot 1 account np 0 out 4

This section describes Cisco 7600 Series ES+ line card-specific information for configuring QoS queue
scheduling.

When configuring queueing features on an Cisco 7600 Series ES+ line card, follow these restrictions and
usage guidelines:
The number of data queues configurable per policy-map at child level depends on the priority queue
configuration:
If there are no priority queue configured, each subscriber can have up to 8 normal queues.
OL-16147-20
7-31
Chapter 7
Configuring QoS
If there is any priority queue of any priority level configured, each subscriber can have 2 priority
queues and up to 6 normal queues.

If there is only 1 priority queue configured, the other priority queue is reserved and cannot be
used as a normal queue.
4k parent queues for ingress and 8k parent queues for egress per NPE (nonconfigurable).
32K child queues on ingress and 64k child queues for egress per NPE (nonconfigurable).
Parent class-default on sub-interface/EVCs scales more.
Parent user-defined classmap is supported on main Layer 3 interface, and port-channel Layer 3
member link (output only).
QoS queue scheduling supports the following commands:

bandwidth x kbps
bandwidth percent x%
bandwidth remaining percent x %
bandwidth remaining ratio
priority
priority level level
queue-limit queue-size
queue-limit queue-size packets
random-detect
random-detect min-threshold max-threshold mark-prob
random-detect dscp-based aggregate
random-detect dscp 0-63 min-threshold max-threshold mark-prob
random-detect prec-based
random-detect precedence 0-7 min-threshold max-threshold mark-prob
For more detailed information about configuring congestion management features, refer to the Cisco IOS
Quality of Service Solutions Configuration Guide document corresponding to your Cisco IOS software
release.
Configuring WRED
Weighted RED (WRED) generally drops packets selectively based on IP precedence. Packets with a
higher IP precedence are less likely to be dropped than packets with a lower precedence. WRED is
supported on the output of the following interfaces:
Service instances
7-32
OL-16147-20
Chapter 7
Configuring QoS
WRED Aggregate and Non-Aggregate Mode

WRED Aggregate mode and Non-Aggregate modes define how the hardware resources are internally
used to provide the WRED behavior. On an ES+linecard, there are 8 WRED curves. In a WRED
Non-Aggregate mode, a single or Prec value maps to one WRED curve and in a WRED Aggregate mode,
multiple dscp values are mapped to one WRED curve.
For more information on this, see
https://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_q1.html#wp1053666
The set of subclass (DSCP precedence) values defined on a random-detect dscp (aggregate) CLI is
aggregated into a single hardware WRED resource. The statistics for these subclasses are also
aggregated.

When configuring WRED on Cisco 7600 Series ES+ line cards, follow these restrictions and usage
guidelines:
WRED support is precedence-based, dscp-based, and cos-based. The default with the
random-detect command is precedence-based WRED.
dscp-based is supported only in aggregate mode, as dscp takes 64 possible values, and maps
multiple DSCP values to each of the 8 WRED curves. Example: DSCP 30, 50, 60 takes WRED
Curve1, DSCP 10, 40 takes WRED Curve2.
CoS is supported only in non-aggregate mode, as CoS takes eight possible values, and maps
single value to each of the 8 WRED curves.

IP-prec is supported in both aggregate and non-aggregate mode.
The support per interface is as follows:

For switchport, only cos-based is supported.
For EVC and Layer 3 main interface the WRED support is dscp-based, precedence-based, and
cos-based.
For subinterfaces, WRED supports dscp and prec based only.
Queue limit is not supported with WRED command.
Not supported in input direction and parent classes.
Not supported for priority queues of all priority levels.
Random Detect in class queue needs a queueing feature.
Random Detect in default class does not need a queueing feature.
Cisco 7600 Series ES+ line cards do not support discard-class-based WRED and ECN with WRED.
The ES+ line card does not modify ECN bits for traffic passing through it.
Cisco 7600 Series ES+ line cards support aggregate WRED.
Supports 8 curves per queue
The show policymap interface command for WRED does not display transmitted packet and tail
drop counts. Only random drops are displayed.
The maximum threshold value must be between 16 and 1000000.
EXP-based WRED for MPLS packets is supported.
OL-16147-20
7-33
Chapter 7
Configuring QoS
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
class class-name
5.
6.
random-detect
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Router(config)# policy-map wred
Step 4
class class-name

service policy.
Example:
Router(config-pmap)# class IPP1
Step 5
Shapes traffic to the indicated bit rate for the specified

class.
Example:
200000000
Step 6
random-detect
Enables WRED.
Example:
Router(config-pmap-c)# random-detect
dscp-based aggregate
Examples
This is an example of a WRED configuration.
Router# enable
Router(config)# policy-map wredtest
7-34
OL-16147-20
Chapter 7
Configuring QoS
Router(config-pmap-c)#
shape average
random-detect
random-detect
random-detect
random-detect
200000000
dscp-based aggregate
dscp values 0 min 100 max 200 mark-prob 1
The following example configures a class-map which matches IPP=1, 3, 5 and 7, and configures a
WRED policy that is applied to the egress interface:
Router# enable
Router(config)# policy-map wred
Router(config-pmap-c)# random-detect precedence-based
The following example show the output of the show policy-map interface command (transmit packets
are not displayed).
Router# enable
Router# show policy-map int gig 11/1 service instance 1
GigabitEthernet11/1: EFP 1
Service-policy output: temp_parent
Match: any
Queueing
queue limit 2048 packets
(queue depth/total drops/no-buffer drops) 0/104062/0
(pkts output/bytes output) 35296/18071552
shape (average) cir 10000000, bc 40000, be 40000
target shape rate 10000000
Service-policy : temp
Match: any
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class Random drop Tail drop Minimum Maximum Mark
OL-16147-20
7-35
Chapter 7
Configuring QoS
pkts/bytes pkts/bytes thresh thresh prob
Configuring Bandwidth and CBWFQ

Class-based weighted fair queueing (CBWFQ) extends the standard WFQ functionality to provide
support for user-defined traffic classes. For CBWFQ, you define traffic classes based on match criteria
and access control lists (ACLs).
Bandwidth is supported on the output of the following interfaces:
Service instances
WFQ is a method to determine bandwidth or allocating remaining bandwidth to queueing entities at a

specific level in the hierarchical QoS. You can distribute bandwidth or remaining bandwidth to each
entity based on the commit and excess weights set on the WFQ configuration attached to the entity. The
commit and excess WFQ weights are initially programmed into WFQ profile registers, where later the
WFQ profiles are attached to one or more queuing entities based on whether or not they share the same
or similar bandwidth configuration.
Effective from Cisco IOS Release15.1(1)S, the layer 3 and layer 4 level WFQ profiles belong to one
hardware pool and can be commonly used among the layers.
Calculating commit-weight and excess-weight

Use the following formula to calculate weight for bandwidth:
Commit weight = (Bandwidth of the class) x (Maximum weight allowed at the level) / (Parent
bandwidth).
Commit weight is then rounded to integer value based on optimizations allowed by hardware.
Excess weight = Commit weight (at layer 4 level).
Note
At layer 4 level, if no truncation error appears for (Bandwidth of class) x 100 / (Parent bandwidth), for
all child-classes, then the maximum weight used for calculation would be 100 instead of 1020.
Use the following formula to calculate weight for bandwidth percent:
Commit weight = (Bandwidth percent of class) x (Maximum weight allowed at the level).
Commit weight is then rounded to integer value based on optimizations as allowed by hardware.
Excess weight = Commit weight (at layer 4 level).
Note
Use the following formula to calculate weight for remaining bandwidth percent:
7-36
OL-16147-20
Chapter 7
Configuring QoS
Calculate weights for the remaining bandwidth percent by first calculating the remaining bandwidth
under a policy-map and then allotting this bandwidth for each class based on its remaining bandwidth
percent. Once this remaining bandwidth for a class is known, the excess weight is calculated as:
Excess weight = (Bandwidth remaining allotted to the class) x (Maximum weight allowed at the level) /
(Parent bandwidth).
Excess weight is then rounded to integer value based on optimizations as allowed by hardware.
Commit weight = Excess weight (at layer 4 level).
Note
Use the following formula to calculate weight for Bandwidth Remaining Ratio(BRR):
Excess weight = (BRR of class) subject to maximum weight at the level.
Excess weight is then rounded to integer value based as allowed by hardware.
Commit weight = Excess weight (at layer 4 level).
Table 7-7 lists the maximum and allowed weights at various levels:
Table 7-7
Maximum and Allowed weights at various levels
TM Entity Level
Maximum Weight
Allowed Weights
L4
1020
1.. 255, 256, 260,

264.. 1020
L3
1020
1.. 255, 256, 260,

264.. 1020
L2
255
1.. 255
L1
255
1.. 255

When configuring Bandwidth and CBWFQ on Cisco 7600 Series ES+ line cards, follow these
The bandwidth kbps and bandwidth percent x% commands are supported.
On ingress, the bandwidth kbps, bandwidth remaining ratio, bandwidth remaining percent, and
bandwidth percent x% commands are supported on the main Layer 3 interface, the Layer 3
subinterface, and on service instances.
The bandwidth remaining percent command is supported at the child level. The bandwidth
remaining ratio command is supported at the parent and child level.
Excluding port channel service instances, bandwidth is supported on the input for H-QoS only.
Ingress queueing is not supported for port channel service instances.
The bandwidth command used within a QoS policy-map must be consistent across classes.For
example, class1 with bandwidth kbps and class2 with bandwidth remaining ratio in the same
policy-map is not supported.
The total unique bandwidth profiles used across layer 3 and layer 4 cannot exceed 64.
OL-16147-20
7-37
Chapter 7
Configuring QoS
Note
The consistency need not be maintained between parent and child policy-maps. For
example, parent with bandwidth remaining ratio and child with bandwidth kbps is
supported.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
bandwidth {bandwidth-kbps | percent percent | remaining {ratio ratio | percent percent}}
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

Example:
Step 4

where:


Example:
Router(config)# class c3
Step 5
bandwidth {bandwidth-kbps | percent

percent | remaining {ratio
ratio|percent percent}}

Specifies the amount of bandwidth, in kbps, or percentage

of available bandwidth, to be assigned to the class. The
amount of bandwidth configured should be large enough
to also accommodate Layer 2 overhead.
Example:
Router(config-pmap-c)# bandwidth
20000
7-38
OL-16147-20
Chapter 7
Configuring QoS
Examples
This example shows a service policy called policy1 that specifies the amount of bandwidth to allocate
for traffic classes 1 and 2:
Router# enable
Router(config)# class-map class1
Router(config-cmap)# match ip dscp 30
Router(config)# class-map class2
Router(config-cmap)# match ip dscp 10
Router(config-pmap-c)# bandwidth 30000
Router(config-pmap)# exit
Router(config)#
Router(config)# interface gigabit ethernet 2/1
Router(config-if)# service-policy output policy1
The following example configures a QoS policy with multiple user class with rate guarantee setting
using the bandwidth command.
Router(config)# Class c1
Router(config-pmap-c)# Bandwidth percent 1%
Router(config-pmap)# Class c2
Router(config-pmap)# Class class-default
Router(config-pmap-c)# Bandwidth 1%
The following example configures a QoS policy with multiple user class with rate guarantee setting:
Router# enable
Router(config)# Policy Map parent_policy
Router(config-pmap)# class-default
Router(config-pmap-c)# bandwidth remaining ratio 5
Router(config-pmap-c)# service-policy child_policy
Router(config)# policy-map child_policy
Router(config-pmap)# class video
Router(config-pmap-c)# priority
Router(config-pmap)# class critical
Router(config-pmap-c)# bandwidth remaining percent 80
Router(config-pmap-c)# bandwidth remaining percent 20
OL-16147-20
7-39
Chapter 7
Configuring QoS
Use the following commands to verify CBWFQ:

Command
Purpose
Router# show policy-map policy-map
Displays the configuration of all classes that

make up the specified policy-map.
Router# show policy-map policy-map

class class-name
Displays the configuration of the specified class

of the specified policy-map.

interface interface-name

configured for all policy-maps on the specified
interface.
Router# show queue interface-type

interface-number
Displays queueing configuration and statistics

for a particular interface.
Configuring LLQ
Low-Latency Queuing (LLQ) uses the priority command to allocate bandwidth to the class maps in the
policy-map.
LLQ is supported on the output of the following interfaces:
Service instances

When configuring LLQ on Cisco 7600 Series ES+ line cards, follow these restrictions and usage
guidelines:
Ingress LLQ
Dual Priority Queues (High, Medium and Data)
LLQ configuration is allowed at the child policy.
The priority and priority level commands are supported but you cannot use both in the same
policy-map.
Basic Priority/Low Latency Queue with bit rates is not supported.
Basic Low Latency Queue with percent is not supported.
Priority queue with bit rates is not supported.
Flat policy map with LLQ is not supported.
Egress LLQ
Dual Priority Queues
LLQ configuration is allowed at the child policy.
7-40
OL-16147-20
Chapter 7
Configuring QoS
policy-map.
Egress LLQ
Dual Priority Queues (High, Medium and Data)
LLQ configuration is allowed only at the leaf policy-map.
policy-map.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
5.
police bps-value conform-action action exceed-action action

or
police cir percent % conform-action action exceed-action action
or
police cir bps-value pir bps-value conform-action action exceed-action action violate-action
action
or
police cir percent % pir percent % conform-action action exceed-action action violate-action
action
6.
priority
or
priority level
OL-16147-20
7-41
Chapter 7
Configuring QoS
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Router(config)# policy-map silver
Step 4
Specifies the name of a predefined class included in

the service policy.
Example:
Router(config-pmap)# class classcos0
Step 5
police bps-value conform-action action exceed-action

action
Specifies a maximum bandwidth usage by a traffic

class through the use of a token bucket algorithm,
where:

actionSpecifies the he actions that are taken

on a packet when it conforms or exceeds. The
possible actions are shown in Table 7-4.
Example:
Router(config-pmap-c)# police 5000000 conform-action
set-dscp-transmit 0 exceed-action drop
Or
Configures traffic policing on the basis of a
percentage of bandwidth available on an interface,
where:
police cir percent % conform-action action

Example:
conform-action transmit exceed-action
set-prec-transmit 1

traffic.
percentSpecifies that a percentage of

bandwidth will be used for calculating the CIR.
%Specifies the CIR bandwidth percentage.

Valid values are 1 to 100.

Or
7-42
OL-16147-20
Chapter 7
Configuring QoS
Command
Purpose
police cir bps-value pir bps-value conform-action

Configures traffic policing using two rates, the CIR

and the PIR, where:

traffic.
pirSpecifies the peak information rate.

Indicates that the PIR will be used for policing
traffic.


Example:
Router(config-pmap-c)# police cir 1000000 pir
2000000 conform-action set-cos-transmit 3
exceed-action set-cos-transmit 1 violate-action drop
Or
police cir percent % pir percent % conform-action
Configures traffic policing using two rates, the CIR

and the PIR, where:

traffic.
percentSpecifies that a percentage of

bandwidth will be used for calculating the CIR.
%Specifies the CIR or PIR bandwidth

percentage. Valid values are 1 to 100.
pirSpecifies the peak information rate.

Indicates that the PIR will be used for policing
traffic.

Example:
Router(config-pmap-c)# police cir percent 20 pir
percent 40 conform-action transmit exceed-action
set-prec-transmit 1 violate-action drop
Step 6
Gives strict priority to a class of traffic belonging to

the policy-map.
priority
Example:
Or
priority level
Gives priority level to a class of traffic belonging to

the policy-map.
Example:
Router(config-pmap-c)# priority level 1
Examples
The following example configures an output LLQ policy on a switchport interface that matches on a CoS
value queuing defined in the classes.
Router# enable
OL-16147-20
7-43
Chapter 7
Configuring QoS

Router(config)# policy map switchport-llq-policy
Now the policy is applied to the interface.

Router# enable
Router(config-if)# service-policy output switchport-llq-policy
The following example configures a simple LLQ QoS policy on a class c1 with strict priority setting.
Router# enable
Router(config)# Policy Map qos_llq
The following example configures an LLQ policy with multiple priority classes with a smallest percent
value and default burst value for testing:
Router# enable
Router(config-pmap)# Class-map Voice
Router(config-pmap-c)# Priority
Router(config-pmap)# Class-map Video
Router(config-pmap-c)# Police cir percent 20
Router(config-pmap-c)# Priority
Router(config-pmap)# Class-default
Configuring DBUS CoS Queuing

This feature allows you to configure which DBUS CoS values are mapped to the high-priority queue.
The hw-module slot slot queue priority switch-fpga output cos values|none command is used on the
Routing Processor (RP) to configure the priority values. You can change the priority by changing the
CoS values. The system allows you to configure eight class-of-service values. The default CoS values
are 5,6, and 7.
Configuring Bandwidth Remaining Ratio (BRR)

Bandwidth Remaining Ratio (BRR) specifies the ratio that bandwidth is split between users when the
link is congested (oversubscribed). This feature allows the link rate to be prorated out to logical
interfaces such as EVCs and L3 subinterfaces. This feature is needed by the user since it provides the
ability to oversubscribe the shape rate so logical interfaces can utilize unused bandwidth of other logical
interfaces.
BRR is implemented on logical interfaces using hierarchical policy-maps.
7-44
OL-16147-20
Chapter 7
Configuring QoS

When configuring BRR on the Cisco 7600 Series ES+ line card, follow these restrictions and usage
guidelines:
You can configure Bandwidth Remaining Ratio as an action in the policy-map of a parent or a child
class. BRR can be configured to a minimum ratio of 1 and maximum of 1000 on a logical interface.
Because there is no support for an implicit BRR of 1, you must explicitly configure a BRR of 1 on
policies. This does not mean that a BRR of 1 is required in an LLQ class (LLQ and CBWFQ
configurations in the same class will be rejected by the CLI). A child level BRR automatically
excludes LLQ classes from participating in bandwidth sharing because LLQ classes have bandwidth
guarantees.
Use the bandwidth remaining ratio number command to configure BRR. The larger the number,
the more bandwidth the logical interface that the QoS policy-map is applied to receives when the
link is congested.
BRR at the parent level of an HQoS policy-map will functions if the port is congested with traffic.
If the total traffic on the port is lower than the link bandwidth, then all the traffic that comes in has
sufficient bandwidth to go out, and there is no necessity for BRR.
For BRR on the ES+ line cards, the bandwidth sharing calculation is dynamic. BRR calculations are
updated regularly so that as the traffic profile changes, the bandwidth sharing changes.
BRR between flat and H-QoS policy-maps is not supported.
BRR configurations for a child policy-map and a parent polysemy are similar. However, at the child
level the congestion level that initiates BRR calculations are shifted from the physical port level to
the parent shaper level.
At parent level, you must configure the shaper along with BRR for BRR to work.
BRR is supported on port channel service instances and port-channel member links ( Layer 3). The
ratios are maintained between all service instances load balanced on a member link. For example, if
service instances 1, 2, and 3 were load balanced to link Gi1/1 and service instances 4 and 5 to link
Gi1/2, then BRR ratios would be maintained between service instances 1, 2, and 3 on Gi1/1 and
between 4 and 5 on link Gi1/2.
The ES+ line card supports service propagation. When a port is congested in egress, service
propagation splits the bandwidth remaining on the link between users in the configured ratio after
all LLQ traffic has been serviced.
Service propagation is always on.
Service propagation is turned on automatically when there is no bandwidth guarantee in the
parent.
In order to avoid running out of buffer space on an ES+ line card, it is strongly recommended that
the queue-limit num of pkts command is configured for each child class queue, where num of pkts
is a number reasonable for the queue. Failure to configure the queue-limit command can result in
distorted BRR ratios on sending traffic.
1.
enable
2.
configure terminal
3.
4.
SUMMARY STEPS
OL-16147-20
7-45
Chapter 7
Configuring QoS
5.
6.
bandwidth remaining ratio ratio
7.
service-policy policy-map
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
Router(config)# policy-map silver
Step 4
Specifies the name of a predefined class included in

the service policy.
Example:
Router(config-pmap)# class classcos0
Step 5
Specifies average or peak rate traffic shaping.
Example:
Step 6
bandwidth remaining ratio ratio
Example:
Specifies a bandwidth-remaining ratio for

class-level or subinterface-level queues to be used
during congestion to determine the amount of excess
bandwidth (unused by priority traffic) to allocate to
non priority queues.
Note
Step 7
service-policy policy-map
The value of ratio is between 1 to 1000.
Attaches a policy-map to a class.
Example:
Router(config-pmap-c)# service-policy cust2-classes
Examples
In the following configuration, three policy-maps are applied in egress on three service instances. If
gold, silver, and bronze service instances send their full quota of 300, 300, and 100 Mb/s of priority
traffic, then because PRP/service propagation is ON, the remaining (1 Gb/s - 700 Mb/s) 300 Mb/s of link
bandwidth is shared between users in the ratio 1 : 2 : 3 where:
User A gets : 1 / (1+2+3) * 300 Mb/s = 50 Mb/s of non-LLQ traffic
7-46
OL-16147-20
Chapter 7
Configuring QoS
Configuring PFC QoS on a Cisco 7600 Series Ethernet Services Plus Line Card
User B gets : 2 / (1+2+3) * 300 Mb/s = 100 Mb/s of non-LLQ traffic

User C gets : 3 / (1+2+3) * 300 Mb/s = 150 Mb/s of non-LLQ traffic
Router# enable
Router(config)# policy-map data_gold_child_out
Router(config-pmap-c)# set cos 4
Router(config)# policy-map data_gold_parent_out
Router(config-pmap-c)# service-policy data_gold_child_out
Router(config)# policy-map data_silver_child_out
Router(config)# policy-map data_silver_parent_out
Router(config-pmap-c)# service-policy data_silver_child_out
Router(config)# policy-map data_bronze_child_out
Router(config)# policy-map data_bronze_parent_out
Router(config-pmap-c)# service-policy data_bronze_child_out
Configuring PFC QoS on a Cisco 7600 Series Ethernet Services

Plus Line Card
The Cisco 7600 Series ES+ line card supports most of the same QoS features as those supported by the
Policy Feature Card (PFC) on the Cisco 7600 series routers.
This section describes those QoS features that have Cisco 7600 Series ES+ line card-specific
configuration guidelines. After you review the Cisco 7600 Series ES+ line card-specific guidelines
described in this document, then refer to the Cisco 7600 Series Router Cisco IOS Software Configuration
Guide, Release 15.0SR located at the following URL:
OL-16147-20
7-47
Chapter 7
Configuring QoS
http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/qos.html
PFC QoS on a Cisco 7600 Series Ethernet Services Plus Line Card Configuration
Guidelines
The Cisco 7600 Series ES+ line card supports Policy Feature Card (PFC) QoS for SVI interfaces only
in the case of ingress cos-to-exp marking and micro flow policing. For supported interfaces, see
Supported Interfaces section on page 7-3.

The Cisco 7600 Series ES+ line cards support hierarchical QoS (H-QoS) that you configure using Cisco
Modular QoS CLI (MQC). The following H-QoS capabilities are supported:
Four-level H-QoS (A policy-map with two levels has three levels of hierarchy when attached on the
main interface, and four levels of hierarchy when attached on a subinterface.)
Granular QoSPolicing and shaping, down to 64 Kbps data rate
Color blind policing 2-rate, 3-color policers and 1-rate, 2-color policers
Note
Color aware policing not supported
Ingress and egress classification
Subinterface/Switch port QoS for Ethernet
Egress Class-based Weighted Fair Queuing (CBWFQ)
Low Latency Queuing (LLQ) (Ingress and Egress)
Egress H-QoS on IP/MPLS and Layer 2 CoS classification
AToM QoS features
Hierarchical policing
Input shaping
Scaling for ES+ line cards

128,000 queues
16,000 traffic shapers
48,000 policers per NPE
8,000 H-QoS policy-maps per NPE in egress. (On the 20xGE and 40xGE port line cards, the
first five ports on the NPE support a maximum of 4,000 H-QoS policy-map applications.
Similarly, the next 5 ports on the NPE also support a maximum of 4000 H-QoS policy-map
applications, giving a total of 4000 + 4000 = 8000 H-QoS policy-maps per NPE in egress). In
ingress, a maximum of 3904 HQoS policy-maps can be applied across the 10 ports of the NPE.
Note that unlike egress, there is no limit in ingress on a per-5-port basis.
Scaling for ES+T line cards

16 Child Queues for each port only for lowq cards.
24000 policers per ES+T-20G/ES+T-2TG.
7-48
OL-16147-20
Chapter 7
Configuring QoS
Follow these restrictions while configuring Hierarchical QoS for the Cisco 7600 series ES+ line cards:
The Cisco 7600 series ES+ line cards support up to128,000 queues.
Support up to 16,000 traffic shapers.
Support up to 48,000 policers per NP.
Support up to 8,000 H-QoS policy-maps per NP in egress and 3904 policy-maps per NP in ingress.
Follow these restrictions and usage guidelines while configuring Hierarchical QoS for the Cisco 7600
series ES+T line cards:
The Cisco 7600 series ES+ T line cards support up to 16 queues for each port.
The Cisco 7600 series ES+ T line cards support up to 16 queues per port channel.
Cisco 76-ES+T-2TG3CXL and Cisco76-ES+T-20G3CXL line cards support up to 24000 policers

per line card.
Cisco 76-ES+T-4TG3CXL and Cisco 76-ES+T-40G3CXL line cards support up to 48000 policers
per line card.
Supports up to 8,000 H-QoS policy maps per NP in egress and 3904 H-QoS policy-maps per NP in
ingress.
If QoS is configured on a port channel and also on the member links of the port channel, then the
sum of queues on the port channel and the largest value of queues among all member links of that
port channel should not exceed 16.
If a child policy is applied with a QoS queuing feature, only the child classes with queuing feature
is considered for the queue restriction per port. The parent class is not considered.
If a child policy is not applied with a QoS queuing feature, then parent class is considered for queue
restriction per port.
In IOS hierarchical levels are represented as follows and current support is up to five levels:
Physical or main interface
Subinterface or logical layer
Grandparent class
Parent class
Child class
A policy-map with two levels has three levels of hierarchy when attached on the main interface, and four
levels of hierarchy when attached on a subinterface.
A policy-map with three levels has four levels of hierarchy when attached on the main interface, and five
levels of hierarchy when attached on a subinterface.
OL-16147-20
7-49
Chapter 7
Configuring QoS
On the ingress, three level H-QOS is supported (port, parent, child).

Table 7-8 provides information about supported H-QoS features.
Table 7-8
Hierarchical QoS Feature Support
Policing
Shaping
Bandwidth
Priority and
Priority
Percent
Main Layer 3 CoS,

interface
prec/dscp,
EXP
Yes
Yes
Yes
No
Yes
Yes
Layer 3
subinterface
CoS,
prec/dscp,
EXP
Yes
Yes
Yes
No
Yes
Yes
Service
instances
outer CoS,
prec/dscp,
inner CoS
Yes
Yes
Yes
No
Yes
Yes
SVI interface Yes
No1
No
No
No
No
No
Switchport
interfaces
Outer CoS
Yes
Yes
Yes
No
Yes
Yes
Port-channel
service
instances
outer CoS,
inner CoS
Yes
Yes
Yes
No
Yes
Yes
Port-channel
Layer 3
member link
CoS,
prec/dscp,
EXP
Yes
Yes
Yes
No
Yes
Yes
Interface
Type
Marking
Priority and
Policing
WRED
1. Earl Policing is not supported post 12.2(33)SRE release.
Examples
This example configures the child policy to allocate different percentages of bandwidth by class:
!
Router# enable
Router(config)# policy-map child
Router(config-pmap)# class User-A
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap)# class User-B
!
This example applies the parent service policy to an output subinterface:

!
Router# enable
Router(config)# interface TenGigabitEthernet 2/1.1
Router(config-if)# service-policy output parent
7-50
OL-16147-20
Chapter 7
Configuring QoS
This example shows how to configure a 2 level H-QoS policy on a main interface:
Router(config)# policy-map child_1
Router(config-pmap-c)# Police 100kbps
!
Router(config)# policy-map HQoS_parent
Router(config-pmap-c)# service-policy child_1
This example shows how to configure a 2 level H-QoS policy on an EVC interface:

Router(config-pmap)# class cos 2
Router(config-pmap-c)# priority 2
!
Router(config-pmap-c)# service-policy child_1
This example configures an ingress 3-level H-QOS policy on a main-interface:

Router(config-pmap-c)# random-detect precedence based
Router(config-pmap-c)# shape average 10M
!
Router(config-pmap)# class ACL_c1
Router(config-pmap-c)# priority 1
Router(config-pmap-c)# service policy child_1
!
Router(config)# policy-map HQos_grandparent
Router(config-pmap-c)# shape 100000000
Router(config-pmap-c)# service-policy HQoS_parent
This example configures an egress 3 level H-QOS policy on a main-interface:

1.
OL-16147-20
7-51
Chapter 7
Configuring QoS
EVCS QoS Support

Router(config-pmap-c)# random-detect precedence based
Router(config-pmap-c)# shape average 10M
!
!
Router(config)# policy-map HQos_grandparent
Router(config-pmap-c)# shape 100000000
Router(config-pmap-c)# service-policy HQoS_parent
!
EVCS QoS Support

Ethernet Virtual Connection Services (EVCS) uses the concepts of service instances and EVCs (Ethernet
virtual circuits). A service instance is the instantiation of an EVC on a given port on a given router. An
EVC is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider
to a customer. It embodies the different parameters on which the service is being offered.
EVC QoS works with the following EVC combinations:
One TAG case
Two TAG case
One TAG to one TAG
One TAG to two TAG
Two TAG to one TAG
Two TAG to two TAG
One TAG termination
Two TAG termination
Tag to Tag Translation
For information on how to configure EVC QoS, refer to the following sections to see how service
instances and port channel service instances are handled:
Configuring Classification, page 7-8
Configuring Policing, page 7-13
Configuring Marking, page 7-22
Configuring Shaping, page 7-26
Configuring QoS Queue Scheduling, page 7-31
7-52
OL-16147-20
Chapter 7
Configuring QoS
EVCS QoS Support
Configuring Hierarchical QoS, page 7-48

When configuring QoS with EVCS on the Cisco 7600 Series ES+ line card, follow these restrictions and
usage guidelines:
Service instances use MQC.
QoS supports 16,000 service instances.
H-QoS supports up to 2000 policies.
Ingress QoS supports H-QoS and flat policy-maps.
Ingress shaping is supported.
For egress QoS, both hierarchical and flat policy-maps are supported.
Before creating a service instance, remove any policy-maps on the main interface.
Any policy-map can exist in a parent policy.
When QoS is applied on a port channel service instances with member links, the router verifies QoS
compatibility with the ES+ line card. However, if the QoS policy-map is applied when the port
channel service instances does not have member links, the router assumes ES+ line card capability
and allows the policy-map to be attached.
For service instances configured on port channels:

Member links of the port channel can span multiple line cards, but the line cards must be of the
same type. For example, you cannot have an ESM20 and an ES+ member link in the same port
channel.
Ingress QoS is limited to marking and policing.
Ingress queuing is not supported.
The bandwidth percent and police percent commands are not supported in flat policy-maps
or parents of H-QoS policy-maps. Both commands are supported in child policy-maps.

Five-minute load intervals are recommended (30 second load intervals cause higher fluctuations
in rates).
BRR is supported on port-channel service instances.
Bandwidth (kbps, percent) in parent and flat on EVCs is not supported.
EVC Configuration Examples

This example shows ingress QOS on scalable EoMPLS.
Router# enable
Router(config)# interface GE 1/2
Router(config-if)# xconnect 2.2.2.2 100 pw-class vlan-xconnect
Router(config-pmap-c)# service-policy input mark-it-in
Router(config)# policy-map mark-it-in
Router(config-pmap-c)# police
OL-16147-20
7-53
Chapter 7
Configuring QoS
EVCS QoS Support
Router(config-pmap-c)# set mpls exp imposition 5
In this example of a single tag VLAN configuration, because the encapsulation dot1q 10 is already
classified, only the inner VLAN and CoS values are configured.
Router# enable
Router(config)# interface GE 1/2
Router(config-if-srv)# bridge domain 200
Router(config-pmap-c)# service-policy input mark-it-in
Router(config-pmap)# class innervlan20
Router(config-pmap-c)# set cos-inner 0
This is an example of a single tag VLAN connect ingress policy.

Router# enable
Router(config-pmap-c)# service-policy in mark-it-in
Router(config-pmap-c)# service-policy in mark-it-in
Router(config-if-srv)# connect EVC1 GigabitEthernet 1/1 100 GigabitEthernet 1/2 101
Router(config-pmap)# class vlaninner20cosinner5
This is an example of an egress double tag VLAN connect hierarchical configuration.

Router# enable
Router(config-pmap-c)# service-policy out parent-out-100
Router(config-pmap-c)# service-policy out parent-out-101
Router(config-if-srv)# connect EVC1 GigabitEthernet 1/1 100 GigabitEthernet 1/2 101
Router(config)# policy-map child-out-100
Router(config)# policy-map parent-out-100
Router(config-pmap-c)# service-policy child-out-100
Router(config)# policy-map child-out-101
7-54
OL-16147-20
Chapter 7
Configuring QoS

Router(config)# policy-map parent-out-101
Router(config-pmap-c)# service-policy child-out-101
This is an example of an egress double tag VLAN connect flat configuration.

Router# enable
Router(config)# policy-map flat-100
Router(config-pmap)# class class-default <-Router(config-pmap-c)# shape average 10000000
Router(config)# policy-map flat-101
Router(config-pmap)# class class-default <-Router(config-pmap-c)# shape average 10000000
required class
<-- required queuing action
required class
<-- required queuing action

The QoS on Port-Channel Member-Link feature provides support to apply QoS service-policies in
ingress and egress traffic on the following interfaces:
Layer 3 Port-channel main interface
Layer 3 Port-channel subinterface
Port-channel member links with per port queueing
Layer 2 Port-channel interface
For a policy-map attached to a port-channel main interface, ingress or egress traffic coming from any
member link is subjected to policy-map configured on port-channel main interface. If no policy-map is
configured on port-channel main interface, ingress or egress traffic from member-link is subject to the::
Policy-map attached to the EVC or subinterface through which the traffic is flowing.
Policy-map attached to member link in the absence of above case.
For more information, see Table 7-9.

QoS policy-maps cannot co-exist on a port-channel main interface, subinterface, and EVC. However,
member-link policy-map can co-exist with policy-map on L3 port-channel main interface, subinterface,
or EVC. In case of L2 port-channels, you can configure QoS on either port-channel main-interface or on
the member-link. QoS on both the L2 port-channel main-interface and member-link is not supported.
Note
OL-16147-20
7-55
Chapter 7
Configuring QoS
Note
Supported Egress QoS Configurations

Table 7-9 lists the QoS configurations supported on ingress and egress.
Table 7-9
Supported QoS Configurations
QoS Configurations
Policy-map attached to layer 3 port-channel interface (input
and output)
Policy-map attached to layer 3 port-channel subinterface

(input and output)
Policy-map attached on the member-link with no policy-map

configured on port-channel interface, port-channel
subinterface, and portchannel EVC.
Policy-map attached to port-channel member link and

policy-map configured on port-channel interface.
Comments
Traffic ingress from any member link and egress to any

member link will be subject to policy-map attached to
port-channel main interface.
Classification1 is supported on port-channel interface
Policing 2 is supported on port-channel interface

(aggregated policing for each Network Process [NP]).
Policing-microflow (EARL Policing) is not supported.
Marking3 is supported on port-channel interface.
Queueing is not supported on port-channel interface.
Marking is supported on port-channel subinterface.
Policing is supported on port-channel subinterface

(aggregated policing for each NP).
Queueing is not supported on port-channel subinterface.
Policing-microflow (EARL Policing) is supported for

ingress only.
Classification is supported .
All traffic flowing through port-channel Layer 3 member

is subject to policy-map attached to port-channel Layer 3
member link.
Policing-microflow (EARL Policing) is not supported.
Marking is supported on member-link.
Queueing is supported on member-link.
Policy-map on port-channel main interface will take

precedence over policy-map configured on member links.
7-56
OL-16147-20
Chapter 7
Configuring QoS
Table 7-9
Supported QoS Configurations
QoS Configurations
Comments

policy-map configured on port-channel subinterface.
Policy-map on port-channel subinterface will take

precedence over policy-map configured on port-channel
member link for that subinterface traffic.

policy-map configured on port-channel EVC service instance.
Policy-map on port-channel EVC will take precedence

over the policy-map configured on the member-link.
All the traffic flowing through port-channel service

instance is subject to policy-map attached to port-channel
service instance.
Traffic flowing through the member link configured with

QoS policy-map but not through port-channel EVC is
subject to the policy-map attached to member link.
1. For more information on classification, see Table 7-3

2. For more information on policing, see Table 7-4
3. For more information on marking, see Table 7-5
Note
If a policy-map is not applied on an EVC or subinterface, the trafffic from such subinterfaces and EVCs
is subjected to the member QoS policy. For the traffic flowing through a subinterface or EVC with
policy-map, corresponding policy-map is applied on the traffic.

When configuring the QoS on Port-Channel Member-Link feature on the Cisco 7600 Series ES+ line
card, follow these restrictions and usage guidelines:
Any traffic that belongs to a port-channel subinterface or port-channel service instance will go
through the member link policy only if there is no policy directly attached on that port-channel
subinterface or port-channel service instance.
If the port-channel subinterface or port-channel service instance has its own policy, traffic is
subjected to the policy applied on that port-channel subinterface or port-channel service instance.
It is not recommended to configure member link policy on the ingress if there is a micro-flow
policing policy configured on the port-channel main interface or port-channel subinterface. If a
member link policy and a micro-flow policing policy exist together, traffic is subjected to both
policies, first by the member link policy on the NP and then the micro-flow policing policy on the
PFC.
Having Layer 3 port-channel member links with user defined classes in the parent introduces an
additional queuing hierarchy. The interface bandwidth is shared equally between all the user defined
classes.
To protect and guarantee the port channel service instance bandwidth, the member link policy should
have a grand-parent class-default with shape configured to restrict the maximum interface
bandwidth given to non port-channel service instance traffic (if there is more than one class at the
parent level in the member link policy).
Queuing features on Port-Channel main and subinterface are not supported.
Police percent on flat policy-map is not supported on port-channel main and subinterfaces.
OL-16147-20
7-57
Chapter 7
Configuring QoS
Egress microflow policing is not supported on member links, port-channel, and port-channel
subinterface.
If there is a policy-map attached to the main interface, you cannot attach a policy-map the EVC or
sub-interface of the main interface.
QoS on Port-Channel Member-Link Configuration Examples

The following example shows a sample policy-map configuration:
Router# enable
Router(config)# policy-map port-channel-egress_qos
Router(config-pmap)# set ip precedence 3
Router# enable
Router(config)# policy-map subint_egress
Router(config-pmap)#class prec1 <<<< match on precedence 1
Router(config-pmap-c)# police 200000 conform-action set-prec-transmit 3 exceed-action drop
Router(config-pmap)#class class-default
Router(config-pmap-c)#police 400000
Router#
Router(config)# policy-map memlink_child
Router(config-pmap)# class cos0 >>>match on cos 0
Router(config)# policy-map memlink_parent_ingress
Router(config-if)# service-policy child
The following example illustrates how to configure the service-policy under a router port-channel Layer
3 member link.
Router# enable
Router(config-if)# channel-group 1
Router(config-if)# service-policy output port-qos
The following example includes a bandwidth remaining ratio:
7-58
OL-16147-20
Chapter 7
Configuring QoS
Router# enable
Router(config)# policy-map port-qos
The following are four examples of Layer 3 service policies:

Router# enable
Router(config-pmap)# class prec1 >>>match on ip
Router(config-pmap-c)# random-detect aggregate
Router(config-pmap-c)# random-detect precedence
60 mark-prob 1
90 mark-prob 1
120 mark-prob 1
prec 1
values 3 minimum-thresh 40 maximum-thresh

:
Router# enable
Router(config-pmap)# class exp1 >>>match on exp 1
Router(config-pmap)# class exp2
Router# enable
Router(config-pmap)# class ip-exp1 >>>match on ip prec1, or exp 1
Router(config-pmap)# class ip-exp22
Router# enable
Router(config-pmap)# class exp1 >>>match on exp 1
Router(config-pmap)# class exp2
OL-16147-20
7-59
Chapter 7
Configuring QoS

The following example shows the flat service-policies that can be configured under member-links:
Router# enable
Router(config-pmap)# class vlan11 >>>match on vlan 11
.
The following examples shows the H-QoS policy that can be configured under member-links:
Router# enable
Router(config-pmap)# class prec0 >>>match on prec 0
Router(config)# policy-map parent

Router# enable
Router(config)# policy-map parent
The following example shows how to configure QoS on port-channel subinterface in egress:
Router# enable
Router(config)# interface Port-channel 1.1
Router(config-if)# service-policy input subint-engress
7-60
OL-16147-20
Chapter 7
Configuring QoS
The following examples show service-policy combination on various interfaces.

The first example shows an egress service-policy attached to a port-channel member-link. There is no
service-policy on the port-channel service instance.
Router# enable
interface gi1/0
In the next example, an egress service-policy is attached to a port-channel member-link. An egress and
an ingress service-policy are applied on the port-channel service instance.
Router# enable
Router(config-if)# service-policy output evc-egress
Router(config-if)# service-policy input evc-ingress
In the following example, an egress service-policy is attached to a port-channel member-link. An egress

and an ingress service-policy are applied on the port-channel service instance. An ingress service-policy
is applied on the port-channel subinterface.
Router# enable
OL-16147-20
7-61
Chapter 7
Configuring QoS


Router(config-if)# service-policy input subint-ingress
Router(config-if)# service-policy output subint-egress

The following example shows how to configure QoS on member-link for Ingress
Router# enable
Router(config-if)# service-policy input memlink-Parent_ingress
The following examples shows the policy that can be configured under Port channel main interface:
Router# enable
Router(config)# policy-map port-channel-egress_qos
Router(config-pmap)# class dscp0
Router(config-pmap)# set ip precedece 3
Router# enable
Router(config)# policy-map port-channel-ingress_qos
Router(config-pmap-c)# class cos1
Router(config-pmap-c)#police cir 80000 pir 160000 conform-action set-dscp-transmit 5
exceed-action set-dscp-transmit 6 violate-action drop
Router#enable
Router(config-if)# service-policy output port-channel-egress-qos
Router(config-if)# service-policy input port-channel-ingress-qos
The following examples shows how to confiure QoS on port-channel main interface:
Router# enable
Router(config)# policy-map port-channel-ingress_qos
Router(config-pmap-c)# class cos1 >>>match on cos 1
Router(config-pmap-c)#police cir 80000 pir 160000 conform-action set-dscp-transmit 5
exceed-action set-dscp-transmit 6 violate-action drop
Router#enable
Router(config-if)# service-policy output port-channel-egress-qos
Router(config-if)# service-policy input port-channel-ingress-qos
7-62
OL-16147-20
Chapter 7
Configuring QoS
Troubleshooting QoS on Port-Channel Member-Link

This section describes how to troubleshoot QoS on a Port-Channel Member-Link.
The show policy-map interface intf-name command shows service policy in suspended mode.
An example output:
PE2#sh policy-map int port-ch 51
Port-channel51
Service-policy output: abc
Service policy abc is in suspended mode
A policy is suspended when there are no member-links attached to it. Use the show etherchannel
summary command to check the member-links attached to a policy and the corresponding status.
The following example shows the output of the show etherchannel summary command:
PE2#show etherchannel summary
Flags: D - down
R - Layer3
S - Layer2
U - in use
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
4
Ports
------+-------------+-----------+----------------------------------------------1
Po1(RU)
Gi2/12(P)
2
Po2(SD)
3
Po3(SD)
4
Po4(RU)
Gi2/1(P)
Gi2/2(P)
Gi2/22(P)
The QoS policy-map configured on a port-channel or member-links is not working.

Run the following commands on the route processor:
show interface interface-type slot/port command to check the interface statistics and ensure
that the traffic is flowing.

run policy-map policy-map-name command to verify the policy-map definitions.
show run class-map class-map-name command to verify the class-map definitions.
show run interface port-channel pc-num to check the interface configurations.
show etherchannel summary command to check member-link bundling information.
Verify the support matrix available at:
Run the following commands on the line card:

show platform npc qos sp pc all command to check the number of policies applied on
port-channel main interface, subinterface, and EVC interfaces. The following example shows
an output of the show platform command:
PE2-dfc2#
Port-Channel 3 : No policies attached
Port-Channel 4 :
np port
dir
pc-type
count
--------------------------------------0
0
Input
PC-L3
2
0
0
Output
PC-L3
2
0
0
Input
PC-EVC
1
OL-16147-20
7-63
Chapter 7
Configuring QoS
0
1
Input
PC-L3
0
1
Output
PC-L3
0
1
Input
PC-EVC
0
1
Output
PC-EVC
2
1
Input
PC-L3
2
1
Output
PC-L3
2
1
Input
PC-EVC
--------------------------------
2
2
1
1
2
2
1
show platform npc qos sp np all count command to check the number of policies applied on
all the targets.

PE2-dfc2#sh platform npc qos sp np all count
np
dir
count
---------------------------0
Input
3
0
Output
3
1
Input
0
1
Output
0
2
Input
3
2
Output
2
3
Input
0
3
Output
0
show platform npc xlif interface interface efp evc-id command to verify whether a QoS policy
is configured on QoS or not. If QoS policy-id is zero, the policy is not configured on the
interface.
show platform np qos action np np_number interface if_number classmap command to view
the interface classmap related programming information.

show platform np qos classification policy all-involved-policymap_names command to view
the policy-map related information.
Note
To check the policy-map statistics on EVC and SG targets under a port-channel, run these commands:
show policy-map interface intf service instance efp
show policy-map interface intf service group group.

The IPv6 Hop-by-Hop (HBH) extension header is part of the original specification of the IPv6 protocol
(RFC 2460). It is identified by header type 0 and when present, this extension header must always be the
first extension header (EH) to follow the main header. Because a node must process any received packet
that has an HBH extension header, forwarding of packets containing the HBH header can represent or
be used as a security threat.
The IPv6 - Hop by Hop Rate Limiter feature provides protection from Denial of Service (DoS) attacks
by allowing you to rate limit IPv6 HBH packets.

When rate limiting IPv6 HBH packets on the Cisco 7600 Series ES+ line card, follow these restrictions
Supported with the following supervisor engines:
7-64
OL-16147-20
Chapter 7
Configuring QoS
Route Switching Processor 720-1GE

Route Switching Processor 720-10GE
Setting the police rate to 0 drops all the IPv6 HBH packets.
After setting the police rate, the setting will remain on the line card even if the line card is moved
to another chassis running Cisco IOS Release 12.2(33)SRD1 or later.
IPv6 packets with HBH and EH will bypass other QoS configured on the Cisco 7600 Series ES+ line
card.
Configuring IPv6 - Hop by Hop Rate Limiter

To connect to a specific line card for the purpose of executing the test platform police ipv6 set
command, test platform police ipv6 get command or the test platform police ipv6 disable command,
use the attach command in privileged EXEC mode.
You can then set the IPv6 internal police rate by using the test platform police ipv6 set command in
privileged EXEC mode from the line card console:
SUMMARY STEPS
1.
attach module-number
2.
enable
3.
test platform police ipv6 set rate
4.
test platform police ipv6 get
5.
test platform police ipv6 disable
DETAILED STEPS
Step 1
Command
Purpose
attach module-number
Connects to the line card.
Example:
Router# attach 9
Step 1
enable
Example:
Router-dfc3# enable
Step 2
test platform police ipv6 set rate
Sets the IPv6 internal police rate.
Example:
Router-dfc3# test platform police ipv6 set 1234
OL-16147-20
7-65
Chapter 7
Configuring QoS
Port Level Shaping Concurrent with 4HQoS on ES+
Step 3
Command
Purpose
test platform police ipv6 get
Gets the IPv6 internal police rate.
Example:
Router-dfc3# test platform police ipv6 get
Step 4
test platform police ipv6 disable
Disables the IPv6 internal policer.

Note
Example:
On an ES+ line card, rate=65535 indicates

that the policer is disabled.
Router-dfc3# test platform police ipv6 disable
Example
This example shows how to set the rate.
Console# attach 3
Trying Switch ...
Entering CONSOLE for Switch
Type "^C^C^C" to end this session
osr3-dfc3#
Router-dfc3# enable
Router-dfc3# test platform police ipv6 set 1234
You can obtain IPv6 internal police rate by using the test platform police get command in privileged
EXEC mode from the line card console:
IPv6 with HBH header is policed at 100000 kbps
You can disable the IPv6 internal police rate by using the test platform police ipv6 get command in
privileged EXEC mode from the line card console:
Router-dfc3# test platform police ipv6 disable
IPv6 with HBH header is not policed.

In a network having a PE router connected to a low level device with lesser line rate capability, you can
configure the traffic shaping QoS on the output direction of the PE port. Until Cisco IOS release 15.0(1),
QoS on main interface is not supported to co-exist with the QoS policy on any other target on the same
physical port. This feature allows class-default shaping only QoS policy on a main interface to co-exist
with QoS policy on the sub targets. You can also use this feature to apply a shaping policy on the main
interface and a HQoS policy on the sub targets such as sub-interfaces, EVCs, sessions, and service
groups.
Furthermore, this feature also enables you to control the bandwidth assigned to a node directly connected
to a port as per the service agreement.
7-66
OL-16147-20
Chapter 7
Configuring QoS

Follow these restrictions and usage guidelines while configuring port level shaping concurrent with
4HQoS on an ES+ line card:
To allow coexistence, apply policy-map on the main interface before applying the policy-map on the
sub targets.
You can remove the policy-map on the main interface only after removing policy-maps from all the
corresponding sub targets.
You can configure port level shaping with these policy-maps:

Flat policy-map or HQoS policy-map on a service group
Flat policy-map or HQoS policy-map on an EFP
Flat policy-map or HQoS policy-map on a subinterface
Flat policy-map or HQoS policy-map on an Intelligent services Gateway (ISG) session
Flat policy-map on service group with HQoS on the member EFP, subinterface, or session
Port channel Member link HQoS
Note
For co-existence with sub target QoS, only a flat policy-map with no user defined classes is allowed
and only the shape action is allowed.
Sub target QoS is not allowed for user defined classes on the main interface policy-map, or if there
is a HQoS policy-map on the main interface.
A change in the installed policy-map on the main interface resulting in unsupported configuration
is rejected.
Port level shaping is supported in the egress direction on the main interface and the port-channel
main interface.
The coexistence of port level shaping with sub target QoS is not supported in ingress direction.
On ES+ LowQ interfaces, co-existence of port-shaper with queuing on subtargets like subinterface,
EVC, and service-groups are not supported.
Use the hw-module slot slotnum allow-coexist np npnum command to configure port level shaping on
a 10G interface, else the port level shaper installation fails on the line card.
Configuring Port Level Shaping Concurrent with 4HQoS on ES+

Complete these steps to configure port level shaping concurent with 4HQoS on an ES+ line card:
Attach the default-class to a policy-map
Configure shape rate for the class
Attach the configured policy-map on egress of an interface.
1.
enable
2.
configure terminal
3.
Summary Steps
OL-16147-20
7-67
Chapter 7
Configuring QoS
4.
5.
6.

port-channel number
7.
service-policy output policy-map-name
8.
end
DETAILED STEPS
Step 1
Command
Purpose
enable
Enables the privileged EXEC mode.
Enter the password if prompted.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Policy-map policy-map-name
Specifies the name of the policy-map.
Example:
Router(config)# Policy-map subrate
Step 4

service policy.
Example:
Router(config-pmap)# Class
class-default
Step 5
Specifies the average or peak rate traffic shaping.
Example:
Router(config-pmap-c)# Shape average
100000000
Step 6

or
Specifies the gigabit ethernet or the tengigabit ethernet

interface, where:
or
Example:
Router(config-pmap-c)# interface
gigabitethernet 1/1
7-68
OL-16147-20
Chapter 7
Configuring QoS
Step 7
Command
Purpose
service-policy [{input | output}

policy-map-name]

interface, where:
Example:

Router(config-if)# service-policy
output subrate
Step 8
Closes the configuration session.
end
Example:
Example
This example displays port level shaping configuration on ES+ line card.
Router# enable
Router# conf t
Router(config)# policy-map subrate
Router(config-pmap-c)# Shape average 1000000
Router(config-pmap-c)# interface gigabitethernet 3/1
Router(config-if)# Service-policy out subrate
Verification
Use these commands to verify port level shaping configuration on ES+ line card:
Command
Purpose
Displays all the configured policy-maps.

policy-map-name
OL-16147-20
7-69
Chapter 7
Configuring QoS
Minimum Bandwidth Guarantee Plus Multiple Policy
Command
Purpose

interface
Displays the statistics and configurations of all the input and

output policies that are attached to all the interfaces.

interface interface-name
Displays the configuration of all the classes corresponding to all

policy-maps on the specified interface.
Sample Out:
Router#sh policy-map interface teng2/2
Service-policy output: shaper
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000
bps
Match: any
Queueing
shape (average) cir 2000000000, bc 8000000, be
8000000
Router#sh run policy-map shaper
!
policy-map shaper
class class-default
shape average 2000000000
!
end
Troubleshooting the Port Level Shaping Configuration

For information on troubleshooting, see Troubleshooting QoS on a ES+ Line Card.

The minimum bandwidth guarantee on the service groups plus multiple policy feature enables a user to
configure a guaranteed minimum bandwidth at the service group level. This feature allows you to
explicitly guarantee a minimum bandwidth for the subscribers in the service groups and implicitly for
the subscribers without any service group on the same interface. Until release 15.0(1), absolute
bandwidth is not supported for the policies applied on the service groups. Using this feature a user can
configure a minimum bandwidth on a policy-map applied on the service groups. The remaining
bandwidth is computed on each physical port by subtracting the sum of guaranteed bandwidths from the
link rate. This remaining bandwidth is then allocated to the port-default entity that manages those service
groups with no Quality of Service (QoS), and all the members that do not belong to any service group.
Thus, providing a way to configure minimum bandwidth on the default node.
7-70
OL-16147-20
Chapter 7
Configuring QoS
Note
You can configure the minimum bandwidth guarantee feature in terms of: bandwidth rate (Kb/s) or
bandwidth percent. You can configure this feature on the class-default in the flat policy-map or the
class-default in the parent of a Hierarchical QoS (HQoS) policy-map and apply it to a service group.
Furthermore, this feature allows you to allocate a bandwidth share for these targets:
Note
Targets without any service group configuration.
Targets with service groups where the service group is not configured explicitly for the bandwidth.
A target can be an EVC, subinterface, or a session.
Port Channel QoS Considerations

The QoS configuration is based on the load balancing mechanism configured on the port channel. If a
port-channel is configured with non flow-based load-balancing, the sum of bandwidth of all the active
links is considered as the total available bandwidth on the port-channel. In non flow-based load
balancing, the service group QoS is installed on the link where the group is load balanced. When a
port-channel is configured with flow-based load balancing, the service group QoS is replicated on all the
active member links and the maximum bandwidth that can be guaranteed on a port channel is equal to
the single link bandwidth.

Follow these restrictions and usage guidelines when configuring minimum bandwidth guarantee on ES+
line cards:
You can configure bandwidth as bandwidth kbps or bandwidth percent on the class-default of flat
policy-map or HQoS parent policy-map.
Minimum bandwidth guarantee feature is not supported on user defined classes at any level.
Minimum bandwidth guarantee feature is supported only on an egress interface.
For a service group on a port-channel, the service group bandwidth is replicated to all the active
member links if the port-channel is configured with flow-based load balancing. Else, the specified
service group is installed on one of the active member links and the QoS is configured on the same
member link.
If the port-channel has flow-based load balancing mechanism, limit the interface bandwidth on the
port-channel equivalent to the bandwidth of a single member link using the bandwidth command.
If Bandwidth Remaining Ratio (BRR) is configured on HQoS service groups, the sum of excess
weights of all the HQoS service groups is computed and allocated to the new default service group
HQoS node. However, the maximum weight that can be configured at the Layer 2 level is 255.
Bandwidth Remaining Percent (BRP) is not supported on the service groups.
You can configure each HQoS service group with a maximum weight of 255. The sum of all the
HQoS service groups is applied on the Layer 2 node. If the sum is greater than 255, it is rounded off
to 255 and applied on the Layer 2 node and the bandwidth allocated is shared between all the HQoS
service groups on the port.
OL-16147-20
7-71
Chapter 7
Configuring QoS
Configuring Bandwidth Guarantee on a Service Group

You can configure minimum bandwidth guarantee on a service group on an ES+ line card in two ways:
Configuring minimum bandwidth guarantee by Rate (Kb/s)
Configuring minimum bandwidth guarantee by Percentage
1.
enable
2.
configure terminal
3.
4.
5.
bandwidth {kbps | percent percent_value}
6.
exit
7.
exit
8.
service-group id_number
9.
service-policy [{input | output} policy-map-name]
Summary Steps
10. interface gigabitethernet slot/port or interface tengigabitethernet slot/port or interface
port-channel number
11. service instance id {Ethernet [service-name]}
12. encapsulation dot1q id
13. group id_number
14. end
DETAILED STEPS
Step 1
Command
Purpose
enable
Enables the privileged EXEC mode.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Example:
Router(config)# Policy-map subrate
7-72
OL-16147-20
Chapter 7
Configuring QoS
Step 4
Command
Purpose

service policy.
Example:
Router(config-pmap)# class
class-default
Step 5
bandwidth {kbps | percent

percent_value}
Note
Use only the class-default keyord while

configuring minimum bandwidth guarantee on
service goups.
Configures the minimum bandwidth guarantee.

In the first example, bandwidth is configured in Kb/s.
Example:
Step 6
exit
In the second example, bandwidth is configured in

percent value.
Exits the class bandwidth configuration session.
Example:
Step 7
exit
Exits the policy-map configuration session.
Example:
Step 8
service-group id-number
Assigns a service group identification number. The

acceptable range is between 1 and 32768.
Example:
Router(config)# service group 1
Step 9

policy-map-name]
Attaches a traffic policy to the egress interface, where:

Example:
Router(config-service-group)#
service-policy output flat-sg-policy
Step 10

or
Specifies the gigabit Ethernet or the tengigabit Ethernet

or
Example:
Router(config-service-group)# interface
gigabitethernet 1/1
OL-16147-20
7-73
Chapter 7
Configuring QoS
Step 11
Command
Purpose
service instance instance_id

{Ethernet [service-name }
Creates a service instance on the selected ethernet

interface.
Example:
ethernet
Step 12
ecapsulation dot1q id
Defines the encapsulation format as IEEE 802.1Q.
Example:
dot 200
Step 13
group id_number
Adds the created group to the service instance.
Example:
Step 14
end
Example:
Example
This example displays minimum bandwidth guarantee configuration by bandwidth rate:
Router> enable
Router# conf t
Router(config)# policy-map 4g-bandwidth-policy
Router(config)# service-group 100
Router(config-service-group)# service-policy output 4g-bandwidth-policy
Router(config-service-group)# int teng2/1
This example displays the minimum bandwidth guarantee configuration by percentage:

Router> enable
Router# conf t
Router(config)# policy-map 4g-bandwidth-policy
Router(config-pmap-c)# bandwidth precent 20
7-74
OL-16147-20
Chapter 7
Configuring QoS

Router(config-service-group)# service-policy output 4g-bandwidth-policy
Router(config-service-group)# int teng2/1
Verification
Use these commands to verify minimum bandwidth guarantee on service groups configuration:
Command
Purpose
show policy-map
Displays all the configured policy-maps.
show policy-map policy-map-name
show policy-map interface

interface_Id service group
group_Id
Displays statistics and configurations of all input and output

policies that are attached to the corresponding service group.
Sample output:
Router#show policy-map interface teng2/1 service group
100
TenGigabitEthernet2/1: Service Group 100
Service-policy output: 4g-bandwidth-policy
0 packets, 0 bytes
Match: any
Queueing
bandwidth 4000000 kbps
Troubleshooting the Minimum Bandwidth Guarantee Configuration


A service group is a logical entity that allows you to group different interface types and apply features
as a whole to the group. The interface types can be grouped under a service group and you can apply
QoS policies on an aggregate basis for a number of interface types grouped under the service group.
In Cisco releases prior to 15.1(1)S, only Ethernet Virtual Circuits (EVCs) were supported as members
of service groups. Effective from Cisco IOS release 15.1(1)S, sub interfaces and sessions on those sub
interfaces are supported as members of a service group and you can group all these under the same
service group. Service groups also support port channels with EVCs, sub interfaces or sessions.
OL-16147-20
7-75
Chapter 7
Configuring QoS

Follow these restrictions and guidelines while configuring a QoS service group on the Cisco 7600 series :
An interface type can have a hierarchical policy, but the corresponding group can have only a policy
with class-default.
A service group with HQoS policy can have a hierarchical policy, but the members of the service
group cannot have any QoS policies.
In a service group only shape, BRR, bandwidth, and policing features are supported at the parent
level.
On service groups with HQoS policy, WRED and queue limit features are also supported on child
classes.
On service groups with flat policy, WRED and queue limit features are not supported.
A service group number is global and you cannot assign a service group number that is already
assigned to an interface to another interface.
An interface can only belong to one service group at a time.
QoS on a service group or member and QoS on main interface cannot co-exist except for the
port-level shaper.
QoS on both sessions and sub interfaces of those sessions is not supported.
Service groups only support sessions on sub-interfaces, and not sessions on the main interfaces.
Grouping of main interfaces is not supported. Only grouping of sub interfaces or EVCs on a main
interface is supported.
Queuing features on non-access subinterfaces of port-channel interfaces are not supported.
In ingress direction, HQoS queuing policies on service groups, EVCs, sub interfaces or sessions are
not supported on a port channel.
In ingress direction, flat queuing policy on service group and HQoS policy on EVC, sub interface
or session is not supported on a port channel.
When multiple interface types are part of a service group on a port-channel interface, all interface
types of that group on the port channel should be configured for a common load balancing scheme.
If sub interfaces and EVCs are part of the same service group, then the port channel should have
only flow based load balancing scheme. Only a single type of load balancing scheme is supported
at a time for flow based load balancing.
An access sub interface or sessions supports only 1:1 active or standby redundancy load balancing
scheme. Normal subinterfaces (non-access) support only flow based or 1:1 active or standby
redundancy load balancing schemes.
When a load balancing scheme on a port channel is flow based, QoS on the service groups as well
as QoS on members is replicated on all the member links of the port channel.
When a load balancing scheme on a port channel is service based (manual, automatic, weighted or
1:1 model), QoS on the service group as well as member link is configured only on one member link
based on the specific load balancing scheme.
On a port channel when access subinterface or sessions are part of a service group, flow based,
manual, weighted, or automatic load balancing schemes are not supported.
On a port channel when normal subinterfaces are part of a service group, manual, weighted, or
automatic load balancing schemes are not supported.
7-76
OL-16147-20
Chapter 7
Configuring QoS
For ES+T (76-ES+T-40G3CXL and 76-ES+T-20G3CXL) 10GE line cards:

In ingress direction, support for six service groups with flat policy for a group of 10 ports (the
ports should be grouped as 1-10, 11-20 and so on).

In egress direction, support for 11 service groups with flat policy for a group of 5 ports (the ports
should be grouped as 1-5, 6-10 and so on).

In ingress direction, support for 246 service groups with HQoS policy for a group of 10 ports
(the ports should be grouped as 1-10, 11-20 and so on).

In egress direction, support for 251 groups with HQoS policy for a group of 5 ports (the ports
should be grouped as 1-5, 6-10 and so on).
For ES+T (76-ES+T-2TG3CXL and 76-ES+T-4TG3CXL) 1GE line cards:

In ingress and egress direction, support for 15 service groups with flat policy per port.
In egress direction, support for 255 service groups with HQoS policy per port.
For ES+ line cards with 10 GE ports:

In ingress direction, support for 239 service groups with flat policy per port.
In egress direction, support for 510 service groups with flat policy per port.
In ingress direction, support for 4000 service groups with HQoS policy per port.
In egress direction, support for 8000 service groups with HQoS policy per port.
For ES+ line cards with a single gigabit ethernet port :

In ingress direction, support up to 15 service groups with flat policy per port.
In egress direction, support up to 31 service groups with flat policy per port.
In ingress direction, support up to 3856 service groups with HQoS policy for a group of 10 ports

In egress direction, support up to 4000 service groups with HQoS policy for a group of 5 ports
Note
If you receive an error message while configuring QoS or QoS service groups on an interface, sub
interface, service instance, or session on an ES+ line card, use the show platform npc qos sp np al
hw_qos command to troubleshoot.
Configuring Service Group QoS

Perform these steps to configure service group QoS.
Summary Steps
1.
enable
2.
configure terminal
3.
policy map policy-map-name
4.
5.
6.
service-group id
OL-16147-20
7-77
Chapter 7
Configuring QoS
7.
service-policy [{input | output} policy-map-name]
8.
interface gigabitethernet slot/port [.subinterface] [access] or interface tengigabitethernet

slot/port [.subinterface] [access] or interface port-channel number [.subinterface] [access]
9.
service-instance id {ethernet [service-name]}
10. group id
11. end
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Specifies the name of the policy map to configure.
Example:
Router(config)# policy-map qos-service
group-in
Step 4

service policy.
Example:
Router(config-pmap)# class cos
Step 5
Example:
10000000
Step 6
service-group id number
Assigns a service group ID. The acceptable range is 1 to

32768.
Example:
Step 7

policy-map-name]
Creates a service policy within the service group and

attaches it to the ingress or egress of a service group.
Example:
Router(config-service-group)#
service-policy in qos-group-in
7-78
OL-16147-20
Chapter 7
Configuring QoS
Step 8
Command
Purpose
slot/port[.subinterface]
[access]
Specifies the interface to configure service group:
slot/port[.subinterface] Specifies the location of

the interface. If you are configuring a sub interface,
you should also specify the sub interface.
number[.subinterface] Specifies the port-channel

interface.
access - Specifies the keyword if the interface is an

access sub interface.
or
slot/port[.subinterface]
[access]
or
number[.subinterface]
[access]
Example:
Router(config)#
gigabitethernet
or
Router(config)#
gigabitethernet
Step 9
interface
4/1
interface
4/1.1 access
service instance id {ethernet

[service-name ]}

interface.
Note
Example:
Perform this step only if the targeted interface

type is EVC.

ethernet
Step 10
group id
Adds the interface type to the service group.
Example:
Router(config-if-subif)# group 1000
or
Step 11
end
Exits the interface configuration mode and returns to the

Example:
Router(config-if-subif)# end
Examples
This example shows how to configure a service group with output service policy and attach a service
instance to the service group.
Router# enable
Router# policy-map p1
Router(config-service-group)# service-policy output p1
OL-16147-20
7-79
Chapter 7
Configuring QoS
This example shows how to configure a service policy in egress direction and attach the access sub
interface to the service group.
Router# enable
Router(config)# interface gigabitethernet 1/1.1 access
Router(config-subif)# group 2
Router(config-subif)# exit
This example shows how to apply a QoS policy to sessions and attach the service group to a sub interface
where sessions are brought up.
Router# enable
Router(config)# policy-map p3
Router(config)# policy-map type service hqos_dynamic
Router(config-service-policy-map)# service-policy output p4
Router(config)# policy-map type control hqos_dynamic_control
Router(config-control-policy-map)# class type control always event session-start
Router(config-control-policy-map-class-control)# 1 service-policy type service name
hqos_dynamic
Router(config)# interface gigabit ethernet 1/1.1 access
Router(config-subif)# service-policy type control hqos_dynamic_control
Router(config-subif)# ip subscriber routed
Router(config-subscriber)# initiator unclassified ip-address
This example shows how to configures a service group with an output service policy and attaches the
service group to a port-channel EVC interface:
Router# enable
Router(config)#service-group 5
This example shows how to apply a QoS policy to sessions and attach the service group to a port-channel
access sub interface where sessions are brought up.
Router# enable
7-80
OL-16147-20
Chapter 7
Configuring QoS

Router(config)# poliy-map type service hqos_dynamic
Router(config-service-policy-map)# service-policy output p4
Router(config)# poliy-map type control hqos_dynamic_control
Router(config-control-policy-map)# class type control always event session-start
Router(config-control-policy-map-class-control)# 1 service-policy type service name
hqos_dynamic
Router(config)# interface port-channel 1.1 access
Router(config-subif)# service-policy type control hqos_dynamic_control
Router(config-subif)# ip subscriber routed
Router(config-subscriber)# initiator unclassified ip-address
Router(config-if-srv)#end
Verification
Use these commands to verify the configuration.
Command
Purpose
Router# Show class-map
Displays class maps and their matching

criteria.
Router# Show policy-map
Displays the configuration of all classes for

all existing policy maps.
Router# Show policy-map interface
Displays the statistics and the configuration

of the input and output policies attached to
an interface.
Router# Show policy-map interface service

instance
Displays the policy-map information for a

given service instance on a port channel.
Router# Show policy-map target service-group

group-id
Displays policy-map information about a

service group with members that are
attached to an interface or port-channel.
Router# Show service-group group-id
Displays service-group information for a

specific service group or for all service
groups.
Router# Show policy-map session
Displays the policy-map information for the

subscriber service switch (SSS) session.
OL-16147-20
7-81
Chapter 7
Configuring QoS
Configuring Flexible Service Mapping Based on CoS and

Ethertype
The Flexible Service Mapping based on CoS and Etherytpe feature enhances the current capability of
mapping packets to service instance by allowing you to use CoS and Ethertypes to classify traffic into
different service instances, thereby consuming a lesser number of VLANs on the module.
This feature adds the following capabilities for mapping to service instances:
For QinQ, match on a single CoS value (either inner CoS or outer CoS, but not both simultaneously)
Match on a range or list of CoS values when a single VLAN or QinQ is specified in the match criteria
Match support for a single CoS value for a range or list of VLANs
Match on the following supported payload ether types

IPv4 (etype 0x0800)
IPv6 (etype 0x086dd)
pppoe-all (0x8863 and 0x8864)
In the case of QinQ, inner VLAN can have a range when the outer VLAN is a single VLAN.
Match on range or list of CoS values when both outer and inner VLANs are single.
Match on etype is supported both in the case of a single VLAN or in QinQ.
The pppoe-all CLI option is supported (matches both 0x8863 and 0x8864). The pppoe-session CLI
option is not supported.

When configuring Flexible Service Mapping based on CoS and Ethertype, follow these restrictions and
guidelines:
This feature supports both Dot1Q and QinQ.
Egress behavior implemented for mismatched CoS and Ethertype forwards the packet without
re-write and there is no filtering on egress based on the CoS or Layer 3 Ethertype. (Even if CoS or
Ethertype mismatches, if egress VLAN information matches, then the frames are forwarded.)
Neither pppoe-discovery or pppoe-session are supported individually as ethertypes. Cisco IOS

release 12.2(33)SRD3 only supports pppoe-all.
Service instances on port-channels are supported.
Matching on both Ethertype and CoS for the same service instance is not allowed.
OuterCoS or inner CoS can be specified under the same service instance, but not at the same time.
Specifying a range or list of outer VLANs in double tag cases is not supported.
MAC learning occurs with bridge-domain, but does not occur with xconnect and connect.
Egress checking of VLAN matching does not occur with xconnect and local connect.
Rewrites are supported.
1.
enable
Summary Steps
7-82
OL-16147-20
Chapter 7
Configuring QoS
2.
configure terminal
3.

port-channel number
4.
[no] shut
5.
6.
encapsulation dot1q vlan-id {cos | comma| hyphen| etype} or encapsulation dot1q vlan-id
second-dot1q {any | vlan-id[,vlan-id[-vlan-id]]} or encapsulation dot1q vlan-id cos [0-7] or
encapsulation dot1q vlan-id etype [IPv4|IPv6|pppoe-all]
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3

or

or
Example:
gigabitethernet 4/1
Step 4
[no] shut
Initiates the selected interface.
Example:
Router(config-if)# no shut
Step 5
service instance id {Ethernet

[service-name }

interface.
Example:
ethernet
Note
The commands that follow are used for Dot1q or QinQ configurations. Read the purpose of each command
to determine which to use.
OL-16147-20
7-83
Chapter 7
Configuring QoS
Step 6
Command
Purpose


Example:
dot1q 100?
or
second-dot1q {any |
vlan-id[,vlan-id[-vlan-id]]}
Defines the matching criteria to map Q-in-Q ingress

Example:
dot1q second-dot1q 20
or
encapsulation dot1q vlan-id cos [0-7 ]
Specifies the CoS value in the match criteria for the

ingress frames on the service instance.
Example:
dot1q 100 cos 5-6
or
encapsulation dot1q vlan-id etype
[IPv4|IPv6|pppoe-all]
Specifies the payload ethertype value in the match criteria

for the ingress frames on the service instance.
Example:
dot1q 100 etype ipv4
Example:
encapsulation dot1q 100 cos 5-7
second-dot1q 500
Specifies cos value in the match criteria based on the

outer tag
Supported Configurations
The following are the supported Ethertype and CoS configurations:
Supported payload ether type configurations for a single tag:

Router(config-if-srv)# encapsulation dot1q vlan_id etype etype string
Supported payload Ethertype configurations for a double tag:

Router(config-if-srv)# encapsulation dot1q vlan id second-dot1q vlan id etype etype
string
7-84
OL-16147-20
Chapter 7
Configuring QoS
Supported payload Ethertype configurations for single tag with single VLAN:
Router(config-if-srv)# encapsulation dot1q 10 etype ipv4
Router(config-if-srv)# encapsulation dot1q 10 etype pppoe-all
Supported payload Ethertype configurations for single tag with range of VLANs:
Router(config-if-srv)# encapsulation dot1q 11-15 etype ipv4
Router(config-if-srv)# encapsulation dot1q 11-15 etype ipv6
Router(config-if-srv)# encapsulation dot1q 11-15 etype pppoe-all
Supported payload Ethertype configurations for double tag with no range:

Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 1001 etype ipv4
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 1001 etype ipv6
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 1001 etype pppoe-all
Supported payload Ethertype configurations for double tag with range on inner VLANs:
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 11-15 etype ipv4
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 11-15 etype ipv6
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 11-15 etype pppoe-all
Supported CoS configurations for a single tag:

Router(config-if-srv)# encapsulation dot1q single vlan_id cos single cos value
Router(config-if-srv)# encapsulation dot1q single vlan_id cos list/range of cos values
Router(config-if-srv)# encapsulation dot1q list/range of vlan ids cos single cos value
Supported CoS configurations for a double tag:

Router(config-if-srv)# encapsulation dot1q single vlan _id second-dot1q single vlan id
cos single cos value
OL-16147-20
7-85
Chapter 7
Configuring QoS

Router(config-if-srv)# encapsulation dot1q single
cos list/range of cos_values
vlan_ids cos single cos_value
second-dot1q single vlan_id
second-dot1q single vlan id
second-dot1q list/range of vlan_ids
vlan_id second-dot1q single vlan_id
vlan_id second-dot1q list/range of
vlan_id cos single cos_value
vlan_id cos list/range of cos_values
vlan_id cos single cos_value
Examples
The following example displays EVCs with encap dot1q and CoS under bridge-domain.
Router# conf t
Router(config-if-srv)# encapsulation dot1q 100 cos 5
Router(config-if-srv)# interface gigabitethernet 3/2
Router(config-if-srv)# encapsulation dot1q 100 cos 5
Router#
Router#
Router# show bridge-domain 202
Bridge-domain 202 (2 ports in all)
State: UP
Mac learning: Enabled
GigabitEthernet3/1 service instance 1
The following example shows EVC with encap dot1q and ethertype ipv4 with bridge-domain.
Router(config-if-srv)# interface gigabitethernet 3/2
Router#
Router#
Router# show bridge-domain 202
Bridge-domain 202 (2 ports in all)
State: UP
Mac learning: Enabled
7-86
OL-16147-20
Chapter 7
Configuring QoS

The following is an example of local connect.

Router(config-if-srv)# encapsulation dot1q 2 second-dot1q 2-3 cos 5

Router(config-if-srv)# connect local1 te2/3 1 te2/4 1
The following is an example of xconnect.

!
The peer side router configuration is below:

Router(config)# interface GigabitEthernet3/0/14
!
Verification
Command
Purpose
Router# show ethernet service instance [detail

| id id interface type number [detail | mac
security [address | last violation |
statistics] | platform | stats] | interface
type number [detail | platform | stats |
summary] | mac security [address | last
violation | statistics] | platform |
policy-map | stats | summary]
Displays information about Ethernet service

instances.
Router# show bridge-domain [bridge-id [mac

security [address | last violation |
statistics] | split-horizon [group
{group-number | all | none}]] | stats]
Displays bridge-domain information.
OL-16147-20
7-87
Chapter 7
Configuring QoS
Egress QoS Scheduling on Port Channel Interfaces

A port channel is an aggregation of individual ethernet links to form a single logical link. Queuing and
scheduling is used as a congestion management technique to prioritize selected data traffic while
implementing QoS. In Cisco IOS releases prior to 15.1(2)S, queuing and scheduling in egress on a port
channel interface or subinterface was not supported, and port channel QoS was implemented using
port-channel member link QoS. Effective from Cisco IOS release 15.1(2)S, egress queuing on port
channel interfaces or subinterfaces is supported on the Cisco 7600 ES+ line cards.

Follow these restrictions and guidelines while configuring Egress QoS scheduling on port channel
interfaces:
These queuing functions are supported:

Traffic Shaping
Priority Queuing
Bandwidth Remaining Ratio (BRR)
Weighted Random Early Detection (WRED)
Queue limit
Minimum bandwidth guarantee is not supported for EVCs and sessions at the parent level of an
HQoS policy map.
If the port channel subinterface is a member of a service group, the minimum bandwidth guarantee
can be configured at the service group level, even though the port channel subinterface does not
support absolute bandwidth at the parent level.
WRED and queue limit are supported only at the child level in a policy map.
QoS service policy cannot be simultaneously configured on a port channel main interface and
subinterface except for the port sub-rate shaper.
QoS service policy can be configured simultaneously on port channel main interface and member
link or port channel subinterface and member link. But, port channel member link QoS will be
effective only when main interface or sub interface QoS is removed.
By default a port channel main interface or subinterface follows the flow based load balancing
model .
A 3-level HQoS policy with queuing can be applied only on the port channel interface and not on
the subinterface.When a port channel is configured as a layer 2 interface, the 2-level or 3-level
queuing policies can be applied in the same way as on a normal layer 3 port-channel main interface.
Load balancing on a port channel with an access subinterface or sessions is limited to the1:1 active
standby redundancy model. This applies to the QoS on this port channel as well.
7-88
OL-16147-20
Chapter 7
Configuring QoS
Configuring Egress QoS Scheduling on Port Channel Interfaces

Complete these steps to configure Egress QoS scheduling.
Summary Steps
1.
enable
2.
configure terminal
3.
policy map policy-map-name
4.
5.
6.
interface port-channel number [subinterface] [access]
7.
8.
9.
10. end
OL-16147-20
7-89
Chapter 7
Configuring QoS
Detailed Steps
Step 1
Command
Purpose
enable
Enables the privileged EXEC mode. If prompted, enter

the password.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Specifies the name of the policy map.
Example:
Step 4

service policy.
Example:
class-default
Step 5
Example:
100000000
Step 6

[.subinterface] [access]
Example:
1
Step 7

Router(config-if)# encapsulation dot1q
200
Specifies the port channel interface.
number - port channel number assigned to an

interface.
subinterface - Specifies the port channel

subinterface.

frames on a sub interface to the appropriate service
instance.
vlan-id - This is an integer in the range of 1 to 4094.
Note
Perform this step only if you configure egress

QoS scheduling on a port-channel sub interface
or access sub interface.
7-90
OL-16147-20
Chapter 7
Configuring QoS
Step 8
Command
Purpose
Adds an IP address to the interface.
Example:
100.1.1.1 255.0.0.0
Step 9
Example:
output p1
Step 10
end

interface.

Example:
Examples
This example shows how to configure egress QoS scheduling on a port channel main interface.
Router# enable
Router(config-if)# service-policy output p1
This example shows how to configure egress QoS scheduling on a port channel subinterface.
Router# enable
Router(config-subif)# ip address 100.1.1.1 255.0.0.0
This example shows how to configure egress QoS scheduling on a port channel access subinterface.
Router# enable
Router(config)# interface Port-channel 200.1 access
OL-16147-20
7-91
Chapter 7
Configuring QoS
This example shows how to configure egress QoS scheduling on a port channel subinterface with service
group.
Router# enable
Verification
Use these commands to verify the egress QoS scheduling on a port channel interface.
Command
Purpose
Displays the configuration of all classes for all

policy maps attached to all interfaces.
show policy-map interface port-channel

number
Displays the configuration of all classes for all

inbound or outbound policy maps attached to the
specified interface.
show policy-map target service-group
Displays policy map information for service

groups.
Troubleshooting Egress QoS Scheduling on a Port Channel Interface

7-92
OL-16147-20
Chapter 7
Configuring QoS

Classification is the separation of packets into traffic classes. Using classification, you can partition
network traffic into multiple priority levels or classes of service. Once the classification criteria is
defined, the traffic that matches the classification criteria is then subjected to the QoS service policy you
apply to the interface. The QoS policy specifies the actions and rules to apply to packets belonging to a
particular traffic class.
Ethernet Virtual Connection (EVC) is the primary component used in the deployment of the carrier
ethernet technology. Before Cisco IOS release 15.1(2)S, service policies configured under EVCs were
classified only using layer 2 MAC access control lists (ACL). Effective from Cisco IOS release 15.1(2)S,
applying service policies with layer 2, layer 3 or layer 4 ACLs to EVCs are supported.

Follow these restrictions and guidelines while configuring layer 2 and layer 3 QoS ACL classification:
Layer 2 ACL QoS classification is supported in both input and output direction on the switchport
and EVCs of the main and port channel interfaces that include
ACL matching destination MAC address with address mask.
ACL matching source or destination MAC address and COS value.
ACL matching source or destination MAC address and VLAN ID.
If both source and destination MAC addresses are configured in an ACE, the destination address is
ignored.
Neither source nor destination MAC ACL classification is not supported in the same policy.
COS inner and VLAN inner ACL classifications are not supported.
Numbered MAC ACL is not supported.
Deny ACLs are not supported.
Layer 3 QoS ACL classification support under EVCs on physical and port channel interface
includes:
ACL matching an IP source address and an IP protocol
ACL matching an IP source and destination address with wild cards
ACL matching an IP source address and an IP protocol
ACL matching an IP source address and a TCP source port
ACL matching an IP source address and a TCP destination port
ACL matching an IP source address and the TCP FIN bit
ACL matching an IP source address and the TCP SYN bit
ACL matching an IP source address and the TCP URG bit
ACL matching an IP source address and a UDP source port
ACL options such as time range, dynamic range and log is not supported.
IP standard ACL classification is supported.
Both named and numbered IP ACL classification are supported.
IPV6 ACL classification is supported.
OL-16147-20
7-93
Chapter 7
Configuring QoS
Configuring Layer 2 and Layer 3 QoS ACL Classification

Complete these steps to configure the layer 2 and layer 3 QoS ACL classification feature.
Summary Steps
1.
enable
2.
configure terminal
3.
class-map class-map-name
4.
match access-group access-list-name
5.
6.
class class-name
7.
8.
no ip address
9.
service instance identifier ethernet
10. service-policy {input | output} policy-map-name

11. end
Detailed Steps
Step 1
Command
Purpose
enable

the password.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
Router# class-map l3_l4acl
Specifies the class map name.
Step 4
match access-group access-list-name
Configure the match criteria for a class map based on the

specified ACL name.
Router# match access-group l3_l4acl
Step 5
Example:
7-94
OL-16147-20
Chapter 7
Configuring QoS
Step 6
Command
Purpose

service policy.
Example:
class-default
Step 7

or
or
Specifies the interface.
Example:
1
Step 8
no ip address
Removes an IP address from the interface.
Example:
Step 9

ethernet
Specifies the ethernet service instance.
Step 10
service-policy {input|output}
policy-map-name
Attaches a traffic policy to the interface.

Example:
output p1
Step 11
end
Example:
Examples
This example shows how to configure the layer 2 and layer 3 QoS ACL classification on a gigabit
ethernet interface using a named layer 3 or 4 access control list.
Router# enable
Router(config)# ip access-list extended l3_l4acl
Router(config-ext-nl3-l4acl)# 10 permit ip 0.0.0.1 255.255.0.0 any dscp 32
Router# class-map l3_l4acl
Router(config-cmap)# match access-group name l3_l4acl
Router(config-if)# service-instance 1 ethernet
Router(config-if-srv)# service-policy output p1
OL-16147-20
7-95
Chapter 7
Configuring QoS
This example shows how to configure layer 2 and layer 3 QoS ACL classification using a numbered layer
3 or 4 access control list.
Router# enable
Router(config)# ip access-list extended 121
Router(config-ext-nacl)# 10 permit ip 0.0.0.1 255.255.0.0 any dscp 32
Router# class-map 121
Routeer(config-cmap)# match access-group 121
This example shows how to configure layer 2 and layer 3 QoS ACL classification using a named layer
2 access control list.
Router# enable
Router(config)# MAC access-list extended l2acl
Router(config-ext-nacl)# permit 2222.33ef.0000.0000.ffff any cos 2
Router# class-map l2acl
Router(config-cmap)# match access-group l2acl
Verification
Use these commands to verify the layer 2 and layer 3 QoS ACL classification feature.
Command
Purpose

configured for all policy maps attached to all the
interfaces.
show access-list [access-list-number |

access-list-name]
Displays the configured ACLs.
Troubleshooting Layer 2 and Layer 3 QoS ACL Classification

For troubleshooting information, see Troubleshooting QoS on a ES+ Line Card.
7-96
OL-16147-20
Chapter 7
Configuring QoS

Access Control Lists (ACL) are used to filter data traffic based on a filtering criteria configured on the
router interface. Data packets are matched to the criteria specified in the ACLs and traffic is either
allowed or denied. When deny ACLs are configured under a class map, the packets that match the ACLs
are not classified under that class but classified in the remaining classes depending on the class-map
configuration.
Effective from Cisco IOS release 15.1(3)S, deny ACL QoS classification is supported on the Cisco 7600
ES+ line cards, and Access Control Entries (ACEs) configured with a deny action are considered for
traffic classification.

Follow these restrictions and guidelines while configuring deny ACL QoS classification:
You can configure a QoS policy map with deny ACLs for classification on ES+ main interface, subinterfaces, EVCs, service groups, and sessions.
The following ACL options are not supported:

Time range
Dynamic range
ACL log
Deny ACL configuration in the parent policy is supported only on the main interface.
The number of ACEs per ACL is limited to 8000.
The maximum number of unique ACLs is 8000.
Configuring Deny ACL QoS Classification

Complete these steps to configure the deny ACL QoS classification feature.
Summary Steps
1.
enable
2.
configure terminal
3.
ip access-list extended {acl-name | acl-num}
4.
{deny | permit} protocol {source source-wildcard} {destination destination-wildcard | any}
5.
6.
match access-group acl-name
7.
8.
class class-name
9.
10. no ip address
11. service instance id ethernet
OL-16147-20
7-97
Chapter 7
Configuring QoS
12. service-policy {input| output} policy-map-name

13. encapsulation dot1q vlan-id
14. bridge-domain bridge-id
15. end
Detailed Steps
Step 1
Command
Purpose
enable

the password.
Example:
Router> enable
Step 2
configure terminal
Example:
Step 3
ip access-list extended {acl-name |

acl-num}
Specifies the extended ACL list and enters the extended

ACL configuration mode.
Example:
Router(config)# ip access-list
extended 101
Step 4
{deny | permit} protocol {source

source-wildcard} {destination
destination-wildcard | any}
Configures the extended ACL list.
Example:
Router(config-ext-nacl)# deny ip
200.1.1.0 0.0.0.255 any
Step 5
Specifies the class map name.
Example:
Router(config)# class-map c1
Step 6
match access-group {acl-name |

acl-num}
Configures the match criteria for a class map based on

the specified ACL.
Example:
Router(config-cmap)# match
access-group 101
Step 7
Example:
7-98
OL-16147-20
Chapter 7
Configuring QoS
Step 8
Command
Purpose

service policy.
Example:
Router(config-pmap)# class c1
Step 9

or
or
Specifies the interface.
Example:
gigabitethernet 1/2
Step 10
no ip address
Removes an IP address from the interface.
Example:
Step 11
Specifies the ethernet service instance.
Example:
ethernet
Step 12
service-policy {input|output}
policy-map-name
Attaches a traffic policy to the interface.

policy-map-name - Specifies the name of the traffic
Example:
Router(config-if-srv)# service-policy
output p1
Step 13
Example:
dot1q 100

frames on a sub interface to the appropriate service
instance.
vlan-id - This is an integer in the range of 1 to 4094.
Note
Step 14
Specifies the bridge domain instance.
Example:
bridge-id - The number of the VLAN to be used in this

bridging configuration. The valid range is from 2 to
4094.
Router(config-if-srv)# bridge-domain
10
Step 15
Complete this step only if you configure deny

ACL on an EVC or a sub interface.
end
Example:
OL-16147-20
7-99
Chapter 7
Configuring QoS
Examples
This example shows how to configure deny ACL QoS classification on an EVC interface using a
numbered access control list.
Router# enable
Router(config)# ip access-list extended 102
Router(config-ext-nacl)# deny ip 200.1.1.0 0.0.0.255 any
Router(config)# class-map c1
Router(config-cmap)# match access-group 102
Router(config-pmap)# class c1
Verification
Use these commands to verify the deny ACL QoS classification feature.
Command
Purpose
show running-config class-map class-map
Displays the configuration of a specified class

map.
show running-config policy-map policy-map
Displays the configuration of a specified policy

map.
show ip access-list [access-list-number |

access-list-name]
Displays the configured ACLs.
show policy-map interface [interface-type |

interface-number]
Displays statistics and configurations of all input

and output policies attached to an interface.
Troubleshooting Deny ACL QoS Classification

For troubleshooting information, see Troubleshooting QoS on a ES+ Line Card.

Table 7-10 lists some of the troubleshooting scenarios for a ES+ line card.
7-100
OL-16147-20
Chapter 7
Configuring QoS
Table 7-10
Troubleshooting Scenarios for QoS in a ES+ Line Card
Problem
Solution
Non-functional classification and

marking on an ES+ interface.
Use the show tcam interface interface qos type1/type2 ip detail

(type1 is for input policy, type2 for output policy) command to
verify that the classification hardware parameters are configured
correctly and packets are relayed to the right class as shown in
this example:
Router#sh tcam interface gig10/1 qos type1 ip detail
* Global Defaults not shared
DPort - Destination Port SPort - Source Port
- U -URG
I
Pro
- Inverted LOU
A -ACK
TOS
rtr
MRFM - M -MPLS Packet

P -PSH
COD
- TOS Value
- Router
TN
- T -Tcp Control
- C -Bank Care Flag
- R -Recirc. Flag
- N -Non-cachable
- R -RST
- I -OrdIndep. Flag
- F -Fragment Flag
S -SYN
CAP
- Capture Flag
- D -Dynamic Flag
- M -More Fragments F-P

F -FIN
X
TCP-F
- Protocol
- FlowMask-Prior.
- V(Value)/M(Mask)/R(Result)
- XTAG
(*)
- Bank Priority
----------------------------------------Interface: 1104
protocol: IP
label: 1537
lookup_type: 1
packet-type: 0
+-+-----+---------------+---------------+
|T|Index| Dest Ip Addr | Source Ip Addr|
SPort
DPort
| TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+ V 36828
0.0.0.0
-----M 36836
0
0.0.0.0
0 ---- 0
0.0.0.0
------
P=0
0 -- --- 0-0
0 X--- 0
P=0
<-
0.0.0.0
0
0
<-
OL-16147-20
7-101
Chapter 7
Configuring QoS
Problem
Solution
R rslt: 1D29C700
<-
{ in the abouve output, "<-" indicates which class the packets

being classified to. }
2) Do do an elam capture and check the the QoS values received
and re-written to.
Elam can capture data coming from the Constellation Data Bus
interface (DBUS), partial results coming from the L3 Forwarding
Engine (Tycho), and final results transmitted on the Constellation
Result Bus (RBUS).
Following are the commands to use the elam.

1. Select slot on which to run elam: show platform capture elam
asic <sup/tyco> slot <slot no>
2. Set the trigger for packets of interest:show platform capture
elam trigger <intersted fields of the packets such as vlan id,
source and destination IP, source index, etc>
3. Start the Elam capture: show platform capture elam start
4. Show the status of Elam: show platform capture elam status
5. Show the captured Elam data: show platform capture elam data
Weneed to repeat the above steps for both dbus as well as rbus
captures .
show platform capture elam help

* Return a brief help that reminds how to use the ELAM
commands
7-102
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
Note
"<-" indicates the class where the packets are being

classified.
Perform an ELAM (Embedded Logic Analyzer Module)

capture and check the QoS values received and re-written.
ELAM can capture data from the Constellation Data Bus
interface (DBUS), partial results coming from the L3
Forwarding Engine, and final results transmitted on the
Constellation Result Bus (RBUS).
Use these commands to capture ELAM data on Dbus and

Rbus:
Use the show platform capture elam help to use the
ELAM commands.
Select the slot to use the ELAM show platform capture
elam asic sup/tyco slot slot no command.

Use the show platform capture elam trigger command
to trigger the packets.

Use the show platform capture elam start command to
start the Elam capture.

Use the show platform capture elam status command
to show the status of Elam.

Use the show the captured Elam data command to
show the platform capture elam data.

If the issue persists, contact TAC.
Service group issues
Use the show run service-group, show service group details,

show service group statistics command to display the
policy-map applied to service-group, policy-map applied on
service-group along with the members of the service-group, and
the output of the number of service-groups configured. Share the
output with TAC for troubleshooting.
QoS policy map configured on

port-channel interface is nonfunctional
Check the following commands on the route processor:
Use the show interface interface-type slot/port command

check the interface statistics to confirm the traffic flow.
Verify the policy-map and the class map definitions:

show run policy-map <policy-map name>
show run class-map <class-map name>
show run interface <interface>
Check the support matrix for supported configurations. See

the Cisco 7600 Series Ethernet Services Plus (ES+) and
Ethernet Services Plus T (ES+T) Line Card Configuration
Guide at
http://www.cisco.com/en/US/docs/routers/7600/install_conf
ig/ES40_config_guide/es40_chap7.html
OL-16147-20
7-103
Chapter 7
Configuring QoS
Problem
Solution
Traffic statistic issues in service

instances and service groups
Use the show ethernet service instance stat and show

service-group traffic-stats commands to troubleshoot traffic
issues in service instances and groups. If the issue persists,
contact TAC.
Service-group traffic statistics

issue
Use the clear service-group traffic-stats command to clear

redundant traffic statistics. If the issue persists, contact TAC.
Incorrect QoS rates on EVCs and

service group issues
QoS service policy on a suspend

mode
Use the show policy-map interface <intf> service instance

efp# and show policy-map interface intf service group
group# commands to confirm the policy map information. If
the issue persists, contact TAC.
Use the clear counters command from the route processor

and derive the output of show policy-map interface intf
service instance efp and show policy-map interface intf
service group group statistics and study the conformed and
drop rates. If the issue persists, contact TAC.
The policy moves to a suspension mode when there are no

member links attached to it. Use the show etherchannel
summary command to check member links attached to it and
their status. If the issue persists, contact TAC.
Flags:
D - down
R - Layer3
S - Layer2
U - in use

d - default port
Group
Ports
Port-channel
Protocol
------+-------------+-----------+---------------------------------------------1
Po1(RU)
Po2(SD)
Po3(SD)
4
Po4(RU)
Gi2/22(P)
Troubleshooting policing issues

on the port-channel for member
links across a network processor
Gi2/12(P)
Gi2/1(P)
Gi2/2(P)
On the ES+ line card, policing is performed per NP (Network

Processor) aggregate basis. For example, if 100M policer is
configured on PC sub-targets and if there are 2 member-links
spread across 2 different Network Processors (NPs), traffic from
both the member-links are policed to 200M and not 100M. If the
issue persists, contact TAC.
7-104
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
Queuing issues
Use the show policy map interface command to view the

queuing details, shaping, bandwidth, queue limit and WRED
values, that has all these and highlight the queuing, bandwidth
parameters.
Rate counters are not accurate
Rate counters are updated in fixed intervals. Use the

load-interval seconds command to increase the load interval
for accurate rate counter values.
Traffic classified incorrectly
Use the show run class-map command to check the

class-map definition.
Use the show policy-map interface interface command to

check the classification statistics.
Use the show tcam interface interface qos type1/type2 ip

detail (type1 is for input policy, type2 for output policy)
command to verify that the classification hardware
parameters are configured correctly and packets are relayed
to the right class as shown in the example:
Router#sh tcam interface

* Global Defaults shared
DPort - Destination Port
-URG
Pro
I
- Inverted LOU
- A -ACK
rtr
- P -PSH
COD
- R -Recirc. Flag
- R -RST
- F -Fragment Flag
- S -SYN
- M -More Fragments
- F -FIN
T
X
- XTAG
gig10/1 qos type1 ip detail

SPort - Source Port TCP-F - U
Protocol
TOS
- TOS Value
- Router
TN
- T -Tcp Control
- C -Bank Care Flag
- N -Non-cachable
- I -OrdIndep. Flag
CAP
- Capture Flag
- D -Dynamic Flag
F-P
- FlowMask-Prior.
(*)
- Bank Priority
Interface: 1018
label: 513
lookup_type: 1
protocol: IP
packet-type: 0
DPort
|
SPort
V 36828
0.0.0.0
0.0.0.0
P=0
P=0
-----0 ---- 0
0 -- --- 0-0 <M 36836
0.0.0.0
0.0.0.0
0
0
-----0 X--- 0
0
<-
R rslt: 142811A8
V 36829
P=0
M 36836
0
<-
0.0.0.0
0.0.0.0
P=0
-----0 M--- 0
0 -- --- 0-0
0.0.0.0
-----0 X--- 0
0.0.0.0
0
R rslt: 142811A8
Note
<- indicates the class where the packets are classified.
OL-16147-20
7-105
Chapter 7
Configuring QoS
Problem
Excessive drops in packets
Solution
Use the show policy map interface command to check if the

offered rate exceeds the configured policer shape rate.
Queuing on ES20/SIP-600 is performed on the L1 frame with

an overhead of 24 bytes. The ES20 supports user-defined
overhead accounting for shape/wfq classes.
Drops also occur due to low queue-limit configured. Increase

the queue-limits value if unaccounted drops are seen.
In case of excessive drops, check if WRED can be used as,

illustrated in this example.
Router#sh run policy-map queuing


!
policy-map queuing
class prec1
bandwidth 200000
class prec2
random-detect
random-detect precedence 1 100 1000
class class-default
!
end
Router#
Router#sh pol
Router#sh policy-map int gig10/6
GigabitEthernet10/6
Service-policy output: queuing
Class-map: prec1 (match-all)

0 packets, 0 bytes
Match: ip precedence 1
Queueing
7-106
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
<<< drops due to bandwidth over subscription
configured in the policy-map
<<<< bandwidth

0 packets, 0 bytes
Match:
precedence 2
Queueing
<<< drops due to shaper
<<<
shaper
configured in the policy-map by the user

Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class
Maximum
Random drop
Mark
pkts/bytes
prob
thresh
Tail drop
Minimum
pkts/bytes
thresh
0
3457/5687000
0/0
8192
16384 1/10
<<< wred packet/bytes counts
and threshold values
1
1/10
0/0
0/0
100
1000
2
1/10
0/0
0/0
150
1500
3
200
4
16384
0/0
0/0
0/0
12288
0/0
0/0
13312
0/0
0/0
14336
0/0
0/0
15360
1/10
5
16384
1/10
6
16384
1/10
7
16384
1408/4508780
800 1/10
1/10
OL-16147-20
7-107
Chapter 7
Configuring QoS
Problem
Solution
0 packets, 0 bytes
Match: any
Queueing
target shape rate 100000000 <<<
in the policy-map by the user
shaper configured
7-108
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
Bandwidth not met
Check if the queue limits are configured right.

Based on this example, check if the bandwidth and priority class
has been configured correctly.
Router#sh run policy-map queuing

!
policy-map queuing
class prec1
bandwidth 200000
class prec2
random-detect
class class-default
!
end
Router#
Router#sh pol
Router#sh policy-map int gig10/6
GigabitEthernet10/6
Service-policy output: queuing

0 packets, 0 bytes
Queueing
<<< drops due to bandwidth over subscription
<<<< bandwidth
configured in the policy-map
OL-16147-20
7-109
Chapter 7
Configuring QoS
Problem
Debug QoS policing traffic issues
in EARL
Solution
Check the policer configured on the hardware. For aggregate

policer and microflow policer, check the aggregate Id value
using the sh mls qos [ip|mpls|ipv6|arp] command. If the
value is 0 or n/a, it indicates a failure.
Use the show tcam interface command to check whether or

not the TCAM is programmed correctly for the interface. The
result from the output can be used to find different fields in
the QoS hardware on that interface.
Warning
Microflow policing issues
Use the show tcam interface command with the

module option to view the tcam programming on the
DFCs.
Check the rate and burst configured on the policer.
Use Elam (Embedded Logical Analyzer Module) Capture

tool (captures the packets routed internally) to view the
packet details. Share the output information with TAC for
further troubleshooting.
Use the sh fm int xxx and sh mls netflow ip detail

commands to view the output. Share the information with
TAC for troubleshooting.
Validation of microflow policing: Use the show mls netflow

ip qos module module command to validate the microflow
policing. In this output, Pkts/Bytes indicates total forwarded
packets/bytes, and the police count column indicates the drop
count.
Router#sh mls netflow ip qos module 10

Displaying Netflow entries in module 10
DstIP
i/f
SrcIP
:AdjPtr
Prot:SrcPort:DstPort Src
------------------------------------------------------------------------------Pkts
Threshold
Bytes
Leak
LastSeen
QoS
PoliceCount
------------------------------------------------------------------------------Drop
Bucket
--------------20.1.1.2
0x0
10.1.1.2
12857116
0
591427336
0
NO
Policer not receiving the packets
255 :0
17:35:40
:0
0x80
-5117484352
3145792
Use the sh mls qos [ip|mpls|ipv6|arp] and sh policy-map

interface commands to confirm if the policer receives the
packets. If not, share the output information with TAC to
troubleshoot line card issues.
7-110
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
Incorrect QoS ACLs in TCAM
Use the sh qm int xxx and sh tcam int xx qos [type1|type2]

[ip|mpls|ipv6|other|arp] det commands to verify if the
correct QoS ACLs are displayed in the TCAM. If not, Share
the output information with TAC for further troubleshooting.
Expected CIR/PIR rate not

reached
1.
TCP traffic displays rates below the CIR due to the slow-start
algorithms and retransmissions.
2.
To increase the CIR/PIR rates, use a traffic generator or UDP

traffic .
3.
Use large burst values to police TCP traffic.
Check the traffic type.
Raise the bandwidth. Eg: old 10M users gig link in a 10 gig
backbone network.
Modify the queue limit or introduce WRED.
Egress packet drop issues
OL-16147-20
7-111
Chapter 7
Configuring QoS
Problem
Solution
Non-functional classification and

marking on an ES+ interface.
Use the show tcam interface interface qos type1/type2 ip detail

(type1 is for input policy, type2 for output policy) command to
verify that the classification hardware parameters are configured
correctly and packets are relayed to the right class as shown in
this example:
Router#sh tcam interface gig10/1 qos type1 ip detail
* Global Defaults not shared
DPort - Destination Port SPort - Source Port
- U -URG
I
Pro
- Inverted LOU
A -ACK
TOS
rtr

P -PSH
COD
- TOS Value
- Router
TN
- T -Tcp Control
- C -Bank Care Flag
- R -Recirc. Flag
- N -Non-cachable
- R -RST
- I -OrdIndep. Flag
- F -Fragment Flag
S -SYN
CAP
- Capture Flag
- D -Dynamic Flag
- M -More Fragments F-P

F -FIN
X
TCP-F
- Protocol
- FlowMask-Prior.
- XTAG
(*)
- Bank Priority
----------------------------------------Interface: 1104
protocol: IP
label: 1537
lookup_type: 1
packet-type: 0
+-+-----+---------------+---------------+
SPort
DPort
+-+-----+---------------+---------------+ V 36828
0.0.0.0
-----M 36836
0
0.0.0.0
0 ---- 0
0.0.0.0
------
R rslt: 1D29C700
P=0
0 -- --- 0-0
0 X--- 0
P=0
<-
0.0.0.0
0
0
<-
<-
{ in the abouve output, "<-" indicates which class the packets

being classified to. }
2) Do do an elam capture and check the the QoS values received
and re-written to.
Elam can capture data coming from the Constellation Data Bus
interface (DBUS), partial results coming from the L3 Forwarding
Engine (Tycho), and final results transmitted on the Constellation
Result Bus (RBUS).
7-112
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
Following are the commands to use the elam.
1. Select slot on which to run elam: show platform capture elam
asic <sup/tyco> slot <slot no>
2. Set the trigger for packets of interest:show platform capture
elam trigger <intersted fields of the packets such as vlan id,
source and destination IP, source index, etc>
3. Start the Elam capture: show platform capture elam start
4. Show the status of Elam: show platform capture elam status
5. Show the captured Elam data: show platform capture elam data
Weneed to repeat the above steps for both dbus as well as rbus
captures .
show platform capture elam help
* Return a brief help that reminds how to use the ELAM
commands
Note
"<-" indicates the class where the packets are being

classified.
Perform an ELAM (Embedded Logic Analyzer Module)

capture and check the QoS values received and re-written.
ELAM can capture data from the Constellation Data Bus
interface (DBUS), partial results coming from the L3
Forwarding Engine, and final results transmitted on the
Constellation Result Bus (RBUS).
Use these commands to capture ELAM data on Dbus and

Rbus:
Use the show platform capture elam help to use the
ELAM commands.
Select the slot to use the ELAM show platform capture
elam asic sup/tyco slot slot no command.

Use the show platform capture elam trigger command
to trigger the packets.

Use the show platform capture elam start command to
start the Elam capture.

Use the show platform capture elam status command
to show the status of Elam.

Use the show the captured Elam data command to
show the platform capture elam data.

OL-16147-20
7-113
Chapter 7
Configuring QoS
Problem
Solution
Service group issues
Use the show run service-group, show service group details,

show service group statistics command to display the
policy-map applied to service-group, policy-map applied on
service-group along with the members of the service-group, and
the output of the number of service-groups configured. Share the
output with TAC for troubleshooting.
QoS policy map configured on

port-channel interface is nonfunctional
Check the following commands on the route processor:
Use the show interface interface-type slot/port command

check the interface statistics to confirm the traffic flow.
Verify the policy-map and the class map definitions:

show run policy-map <polic-map name>
show run class-map <class-map name>
show run interface <interface>
Check the support matrix for supported configurations. See

the Cisco 7600 Series Ethernet Services Plus (ES+) and
Ethernet Services Plus T (ES+T) Line Card Configuration
Guide at
http://www.cisco.com/en/US/docs/routers/7600/install_conf
ig/ES40_config_guide/es40_chap7.html
Traffic statistic issues in service

instances and service groups
Use the show ethernet service instance stat and show

service-group traffic-stats commands to troubleshoot traffic
issues in service instances and groups. If the issue persists,
contact TAC.
Service-group traffic statistics

issue
Use the clear service-group traffic-stats command to clear

redundant traffic statistics. If the issue persists, contact TAC.
Incorrect QoS rates on EVCs and

service group issues
Use the show policy-map interface <intf> service instance

efp# and show policy-map interface intf service group
group# commands to confirm the policy map information. If
the issue persists, contact TAC.
Use the clear counters command from the route processor

and derive the output of show policy-map interface intf
service instance efp and show policy-map interface intf
service group group statistics and study the conformed and
drop rates. If the issue persists, contact TAC.
7-114
OL-16147-20
Chapter 7
Configuring QoS
Problem
Solution
QoS service policy on a suspend

mode
The policy moves to a suspension mode when there are no

member links attached to it. Use the show etherchannel
summary command to check member links attached to it and
their status. If the issue persists, contact TAC.
Flags:
D - down
R - Layer3
S - Layer2
U - in use

d - default port
Group
Ports
Port-channel
Protocol
------+-------------+-----------+---------------------------------------------1
Po1(RU)
Po2(SD)
Po3(SD)
4
Po4(RU)
Gi2/22(P)
Gi2/12(P)
Gi2/1(P)
Gi2/2(P)
Troubleshooting policing issues

on the port-channel for member
links across a network processor
On the ES+ line card, policing is performed per NP (Network

Processor) aggregate basis. For example, if 100M policer is
configured on PC sub-targets and if there are two member-links
spread across two different NPs, traffic from both the
member-links are policed to 200M and not 100M. If the issue
persists, contact TAC.
Queuing issues
Use the show policy map interface command to view the

queuing details, shaping, bandwidth, queue limit and WRED
values that has all these and highlight the queuing, bandwidth
parameters.
OL-16147-20
7-115
Chapter 7
Configuring QoS
7-116
OL-16147-20
CH A P T E R
Troubleshooting
This chapter describes techniques that you can use to troubleshoot the operation of your Cisco 7600
Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) line cards.
It includes the following sections:
General Troubleshooting Information, page 8-1
Using the Cisco IOS Event Tracer to Troubleshoot Problems, page 8-2
Troubleshooting SFP/XFP Issues, page 8-3
Preparing for Online Insertion and Removal of Cisco 7600 Series ES+ Line Card, page 8-3
Line Card Online Diagnostics, page 8-7
Onboard Failure Logging, page 8-7
Troubleshooting ES+ Transport Low Queue, page 8-7
The first section provides information about basic interface troubleshooting. If you are having a problem
with your Small Form-factor Pluggable (SFP) and small form factor pluggable (XFP) modules, use the
steps in the Using the Cisco IOS Event Tracer to Troubleshoot Problems section to begin your
investigation of a possible interface configuration problem.
Note
General Troubleshooting Information

This section describes general information for troubleshooting the ES+ line card. It includes the
following sections:
Interpreting Console Error Messages, page 8-2
Using debug Commands, page 8-2
Using show Commands, page 8-2
OL-16147-20
8-1
Chapter 8
Troubleshooting
Interpreting Console Error Messages

To view the explanations and recommended actions for Cisco 7600 series router error messages,
including messages related to Cisco 7600 series router ES+ line cards, refer to the Cisco 7600 Series
Cisco IOS System Message Guide, 12.2SR at
http://www.cisco.com/en/US/docs/ios/system/messages/guide/consol_smg.html
Using debug Commands

Along with the other debug commands supported on the Cisco 7600 series router, you can obtain
specific debug information for the ES+ line card on the Cisco 7600 series router using the debug
hw-module privileged EXEC command.
The debug hw-module command is intended for use by Cisco technical support personnel.
Caution
Because debugging output is assigned high priority in the CPU process, it can render the system
unusable. For this reason, use debug commands only to troubleshoot specific problems or during
troubleshooting sessions with Cisco technical support staff. Moreover, it is best to use debug commands
during periods of lower network traffic and fewer users. Debugging during these periods decreases the
likelihood that increased debug command processing overhead will affect system use.
For information about other debug commands supported on the Cisco 7600 series routers, refer to the
Cisco IOS Debug Command Reference, Release 12.2 SR at
http://www.cisco.com/en/US/docs/ios/12_2/debug/command/reference/122debug.html.
Using show Commands

There are several show commands that you can use to monitor and troubleshoot the ES+ line card on the
Cisco 7600 series routers. For more information about show commands, see the Cisco IOS Release 12.2
SR Command References at

Note
The Event Tracer feature is intended for use as a software diagnostic tool and should be configured only
under the direction of a Cisco Technical Assistance Center (TAC) representative.
The Event Tracer feature provides a binary trace facility for troubleshooting Cisco IOS software. This
feature gives Cisco service representatives additional insight into the operation of the Cisco IOS
software and can be useful in helping to diagnose problems in the unlikely event of an operating system
malfunction or, in the case of redundant systems, Route Processor switch over.
Event tracing works by reading informational messages from specific Cisco IOS software subsystem
components that have been pre-programmed to work with event tracing, and by logging messages from
those components into system memory. Trace messages stored in memory can be displayed on the screen
or saved to a file for later analysis.
8-2
OL-16147-20
Chapter 8
Troubleshooting
For more information about using the Event Tracer feature, refer to the following URL:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/evnttrcr.html

Note
The Cisco 7600-ES+ line card uses a slot, port numbering scheme. The slot refers to whichever slot the
line card occupies in the router. The port numbering begins at 1 on all versions of the Cisco 7600-ES+
line card. The upper limit depends on the card type. This physical port numbering is reflected in CLI
messages and all references to port numbers that are visible to the user.
Use the following commands when troubleshooting small form-factor pluggable (SFP) issues from the
route processor (RP) side:
Command
Purpose
Router# show interfaces [interface

interface-number] capabilities [module
number]
Displays the interface capabilities for a module, an

interface, or all interfaces.

interface-number] status [err-disabled
| module number]
Displays the interface status.

interface-number] transceiver
[threshold violations] [detail |
{module number}]
Displays information about the optical transceivers that

have digital optical monitoring (DOM) enabled
Router# show idprom interface
Displays IDPROMs for the line cards.
Use the following commands when troubleshooting small form-factor pluggable (SFP) issues from the
ES+ line card side:
Command
Purpose
Router# remote command module num
Display the details of transceiver configuration and

operation status directly from the line card side.
Preparing for Online Insertion and Removal of Cisco 7600 Series

ES+ Line Card
The Cisco 7600 series router supports online insertion and removal (OIR) of the ES+ line card, in
addition to each of the small form-factor pluggable (SFP or XFP) optical transceivers.
Therefore, you can remove a ES+ line card with its optical transceivers still intact, or you can remove
an optical transceiver independently from the ES+ line card, leaving the ES+ line card installed in the
router.
This section includes the following topics on OIR support:
Preparing for Online Removal of a Cisco 7600 Series ES+ Line Card, page 8-4
OL-16147-20
8-3
Chapter 8
Troubleshooting
Preparing for Online Insertion and Removal of Cisco 7600 Series ES+ Line Card
Verifying Deactivation and Activation of a Cisco 7600 Series ES+ Line Card, page 8-5
Deactivation and Activation Configuration Examples, page 8-6
Preparing for Online Removal of a Cisco 7600 Series ES+ Line Card
The Cisco 7600 series router supports OIR of the ES+ line card. To do this, you can power down an ES+
line card (which automatically deactivates any installed optical transceivers) and remove the ES+ line
card still intact.
Although graceful deactivation of an ES+ line card is preferred using the no power enable module
command, the Cisco 7600 series router does support removal of the ES+ line card without deactivating
it first. If you plan to remove an ES+ line card, you can deactivate the ES+ line card first, using the
no power enable module global configuration command. When you deactivate an ES+ line card using
this command, it automatically deactivates each of the optical transceivers that are installed in that ES+
line card. Therefore, it is not necessary to deactivate each of the optical transceivers prior to deactivating
the ES+ line card.
Either a blank filler plate or a functional optical transceiver should reside in every subslot of an ES+ line
card during normal operation.
For more information about the recommended procedures for physical removal of the ES+ line card,
refer to the Cisco 7600 Series Ethernet Services Plus Line Card Hardware Installation Guide.
Deactivating a Cisco 7600 Series ES+ Line Card

To deactivate an ES+ line card and its installed optical transceivers prior to removal of the line card, use
the following command in global configuration mode:
Command
Purpose
Router(config)# no power enable module

slot
Shuts down any installed interfaces, and deactivates the

ES+ line card in the specified slot, where:
slotSpecifies the chassis slot number where the

line card is installed.
For information on how to specify the physical locations of a ES+ line card on the Cisco 7600 series
routers, see the Specifying the Slot Location for a Cisco 7600 Cisco 7600 Series ES+ Line Cards section
in the Cisco 7600 Series Ethernet Services Plus Line Card Hardware Installation Guide.
Reactivating a Cisco 7600 Series ES+ Line Card

Once you deactivate a ES+ line card, whether or not you have performed an OIR, you must use the power
enable module global configuration command to reactivate the ES+ line card.
If you did not issue a command to deactivate the optical transceivers installed in an ES+ line card, but
you did deactivate the ES+ line card using the no power enable module command, then you do not need
to reactivate the optical transceivers after an OIR of the ES+ line card. The installed optical transceivers
automatically reactivate upon reactivation of the ES+ line card in the router.
8-4
OL-16147-20
Chapter 8
Troubleshooting
For example, consider the case in which you remove an ES+ line card from the router to replace it with
another ES+ line card. You reinstall the same optical transceivers into the new ES+ line card. When you
enter the power enable module command on the router, the optical transceivers will automatically
reactivate with the new ES+ line card.
To activate a ES+ line card and its installed optical transceivers after the ES+ line card has been
deactivated, use the following command in global configuration mode:
Command
Purpose
Router(config)# power enable module slot
Activates the ES+ line card in the specified slot and its
installed optical transceivers, where:
slotSpecifies the chassis slot number where the

ES+ line card is installed.
Verifying Deactivation and Activation of a Cisco 7600 Series ES+ Line Card
To verify the deactivation of an ES+ line card, enter the show module command in privileged EXEC
configuration mode. Observe the Status field associated with the ES+ line card that you want to verify.
The following example shows that the ES+ line card located in slot 10 is deactivated. This is indicated
by its PwrDown status.
Router# show module 10
Mod Ports Card Type
Model
Serial No.
--- ----- -------------------------------------- ------------------ ----------10
20 7600 ES+
7600-ES+20G3CXL
JAE1151865I
Mod MAC addresses
Hw
Fw
Sw
Status
--- ---------------------------------- ------ ------------ ------------ ------10 001d.e5e8.2a00 to 001d.e5e8.2a3f
0.301 12.2(33r)SRD 12.2(nightly PwrDown
Mod
---10
10
Sub-Module
--------------------------7600 ES+ DFC XL
7600 ES+ 20xGE SFP
Model
-----------------7600-ES+3CXL
7600-ES+20G
Serial
Hw
Status
----------- ------- ------JAE115188YM 0.200 PwrDown
JAE1151860R 0.301 PwrDown

---- ------------------10 Not Applicable
Router#
To verify activation and proper operation of an ES+ line card, enter the show module command and
observe Ok in the Status field as shown in the following example:
Router# show module 10
Mod Ports Card Type
Model
Serial No.
--- ----- -------------------------------------- ------------------ ----------10
20 7600 ES+
7600-ES+20G3CXL
JAE1151865I
Mod MAC addresses
Hw
Fw
Sw
Status
--- ---------------------------------- ------ ------------ ------------ ------10 001d.e5e8.2a00 to 001d.e5e8.2a3f
0.301 12.2(33r)SRD 12.2(nightly Ok
OL-16147-20
8-5
Chapter 8
Troubleshooting
Mod
---10
10
Sub-Module
--------------------------7600 ES+ DFC XL
7600 ES+ 20xGE SFP
Model
-----------------7600-ES+3CXL
7600-ES+20G
Serial
Hw
Status
----------- ------- ------JAE115188YM 0.200 Ok
JAE1151860R 0.301 Ok

---- ------------------10 Pass
Router#
Deactivation and Activation Configuration Examples

This section provides the following examples of deactivating and activating an ES+ line card and optical
transceivers:
Deactivation of a Cisco 7600 Series ES+ Line Card Configuration Example, page 8-6
Activation of a Cisco 7600 Series ES+ Line Card Configuration Example, page 8-6
Deactivation of a Cisco 7600 Series ES+ Line Card Configuration Example

Deactivate an ES+ line card when you want to perform OIR of the ES+ line card. The following example
deactivates the ES+ line card that is installed in slot 5 of the router, its optical transceivers, and all of the
interfaces. The corresponding console messages are shown:
Router(config)# no power enable module 5
1w4d: %OIR-6-REMCARD: Card removed from slot 5, interfaces disabled
1w4d: %C6KPWR-SP-4-DISABLED: power to module in slot 5 set off (admin request)
Activation of a Cisco 7600 Series ES+ Line Card Configuration Example

Activate an ES+ line card if you have previously deactivated it. If you did not deactivate the optical
transceivers, the optical transceivers automatically reactivate with reactivation of the ES+ line card.
The following example activates the ES+ line card that is installed in slot 5 of the router, its optical
transceivers, and all of the interfaces (as long as the hw-module subslot shutdown command was not
issued to also deactivate the optical transceivers):
Router(config)# power enable module 5
Notice that there are no corresponding console messages shown with activation. If you re-enter the
power enable module command, a message is displayed indicating that the module is already
enabled:
Router(config)# power enable module 5
% module is already enabled
8-6
OL-16147-20
Chapter 8
Troubleshooting

Note
Output from this procedure will vary slightly depending on which line card you are using, but the basic
information will be the same.
Line card field diagnostic software is bundled with the main Cisco IOS software to enable you to test
whether a suspect line card is faulty. For information on running online diagnostics, see the Configuring
Online Diagnostics chapter in the Cisco 7600 Series Cisco IOS Software Configuration Guide, 15.0 SR
at http://www.cisco.com/en/US/docs/routers/7600/ios/15S/configuration/guide/diags.html.
Onboard Failure Logging

The onboard failure logging (OBFL) feature gathers boot, environmental, and critical hardware failure
data for field-replaceable units (FRUs), and stores the information in the nonvolatile memory of the
FRU. This information is used for troubleshooting, testing, and diagnosis if a failure or other error
occurs.
Because OBFL is on by default, data is collected and stored as soon as the card is installed. If a problem
occurs, the data can provide information about historical environmental conditions, uptime, downtime,
errors, and other operating conditions.
To use the OBFL feature, execute the attach command on the supervisor to enable OBFL on a ES+ line
card.
Caution
OBFL is activated by default in all cards and should not be deactivated. OBFL is used to diagnose
problems in FRUs and to display a history of FRU data.
For information on configuring OBFL, see Onboard Failure Logging at
http://www.cisco.com/en/US/docs/ios/12_2sx/12_2sxh/feature/guide/sxhobfl.html.

On ES+T line cards, you can only configure up to 16 queues per port. An error message is displayed if
the queue length exceeds the limit. This section explains how to use the show platform lowq command
to check the number of queues per port for ES+ T line cards.
Scenario: Queue length exceeded the maximum queue limit for the specified interface and an error
message is displayed.
Identifying the issue: Use the show platform lowq command to check the number of queues per port.
In the following example, service policy installation on the specified interface is failed because the
number of queues exceeded the maximum queue limit of 16 per interface. Then show platform lowq
command is used to check the number of queues per port.
Router(config-subif)# interface ten10/1.5
Router(config-subif)# service-policy input new1
Router(config-subif)#
%X40G_LOWQ-5-MAX_QUEUE_LIMIT_EXCEEDED: The maximum queue limit for interface 10/1 has been
exceeded. Please check the configuration.
Router# show platform lowq
OL-16147-20
8-7
Chapter 8
Troubleshooting
Input Queue count:8
Output Queue count:8
Total Queue count:16
The output of the show platform lowq command indicates that the number of queues created on the
interface is already equal to the maximum number of queues allowed. So, you cannot create more queues
on that interface. To resolve the issue, reduce the number of queues and then try the service policy
installation again.
8-8
OL-16147-20
CH A P T E R

In general terms, field-programmable devices (FPDs) are hardware devices implemented on router cards
that support separate upgrades. The term FPD has been introduced to collectively and generically
describe any type of programmable hardware device on the Cisco 7600 Series Ethernet Services Plus
(ES+) and Ethernet Services Plus T (ES+T) line card.
This chapter describes the information that you need to know to verify image versions and to perform
Cisco 7600 Series ES+ and ES+T line card FPD upgrades.
Note
This chapter includes the following sections:
FPD Quick Upgrade, page 9-1
Overview of FPD Images and Packages, page 9-2
Upgrading FPD Images, page 9-3
Optional FPD Procedures, page 9-6
FPD Image Upgrade Examples, page 9-12
FPD Quick Upgrade

This section provides information if you simply want to upgrade FPDs for Cisco 7600 Series ES+ line
cards as quickly as possible. These instructions are not always feasible for operating network
environments and are not the only methods available for upgrading FPDs. If these methods of upgrade
are not suitable for your situation, see the various other sections of this document for other methods of
upgrading FPDs.
This section addresses the following topics:
FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended), page 9-2
FPD Quick Upgrade After Upgrading your Cisco IOS Release, page 9-2
OL-16147-20
9-1
Chapter 9
FPD Quick Upgrade
FPD Quick Upgrade Before Upgrading your Cisco IOS Release (Recommended)
Step 1
When getting your Cisco IOS image, download the FPD image package for the Cisco IOS release that
you are upgrading to any Flash disk on your router before booting the new version of Cisco IOS. The
FPD image package can be retrieved from the same site where you went to get your Cisco IOS image.
Do not change the name of the FPD image package.
Step 2
Boot using the new version of Cisco IOS. When the new Cisco IOS boots, it by default searches for the
FPD image package in the router flash file systems and the FPD images will be updated automatically
as part of the IOS boot process.
FPD Quick Upgrade After Upgrading your Cisco IOS Release

Step 1
An FPD upgrade is not always necessary after Cisco IOS is reloaded. If you have already reloaded your
Cisco IOS, enter the show hw-module all fpd command to see if all system FPDs are compatible. If the
FPDs are compatible, no further action is necessary. If at least one FPD needs an upgrade, proceed to
Step 2.
Step 2
Go to the cisco.com site where you downloaded your specific Cisco IOS software and locate the FPD
image package.
Step 3
Download this FPD image package to a Flash disk on your router. Do not change the name of the FPD
image package.
Do not change any FPD-related settings on your system (if upgrade fpd auto or upgrade fpd path has
been changed, change the settings back to the default settings using the no form of the command).
Reboot your Cisco IOS release software. When the new Cisco IOS boots, it by default searches for the
FPD image package in the Flash file systems and the FPD images will be updated automatically as part
of the IOS boot process.
Overview of FPD Images and Packages

An FPD image package is used to upgrade FPD images. Whenever a Cisco IOS image is released that
supports the Cisco 7600 Series ES+ line cards, a companion FPD image package is also released for that
Cisco IOS software release. The FPD image package is available from Cisco.com and is accessible from
the Cisco Software Center page where you also go to download your Cisco IOS software image.
If you are running Cisco 7600 Series ES+ line cards on your router and are upgrading your Cisco IOS
image, you should download the FPD image package file before booting the router using the new Cisco
IOS release. If the Cisco 7600 Series ES+ line card requires an FPD upgrade and the Cisco IOS image
is unable to locate an FPD image package, the system messages will indicate that the FPD image is
incompatible and you will need to go to the Cisco Software Center on Cisco.com to download the FPD
image package for your Cisco IOS software release. An FPD incompatibility on a Cisco 7600 Series ES+
line card disables all interfaces on that Cisco 7600 Series ES+ line card until the incompatibility is
addressed.
9-2
OL-16147-20
Chapter 9

Upgrading FPD Images
Note
The FPD automatic upgrade feature only searches for the FPD image package file that is the same
version number as the Cisco IOS release being used by the system. For example, if the Cisco IOS
release being used is Cisco IOS Release 12.2(33)SRD, then the system will search for the FPD image
package file that supports the specific Cisco IOS release (c7600-fpd-pkg.122-33.SRD.pkg).
Therefore, ensure the FPD image package file on your system is compatible with your Cisco IOS
release and do not change the name of the FPD image package file.

This section documents some of the common scenarios where FPD image updates are necessary. It
discusses the following scenarios:
Migrating to a Newer Cisco IOS Release, page 9-3
Upgrading FPD Images in a Production System, page 9-5
Migrating to a Newer Cisco IOS Release

This section discusses the following topics:
Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended), page 9-3
Upgrade FPD Images after Upgrading the New Cisco IOS Release, page 9-4
Upgrading FPD Images Using Fast Software Upgrade, page 9-6
Upgrading FPD Images Before Upgrading Cisco IOS Release (Recommended)

If you are still running your old Cisco IOS Release but are preparing to load a newer version of Cisco
IOS, you can upgrade FPD for the new Cisco IOS Release using the following method:
Placing FPD Image Package on Flash Disk Before Upgrading IOS (Recommended), page 9-3
Placing FPD Image Package on Flash Disk Before Upgrading IOS (Recommended)
Placing the FPD image package for the IOS release that you are upgrading to before upgrading IOS is
the recommended method for upgrading FPD because it is simple in addition to being fast. To perform
this type of FPD upgrade, follow these steps:
Step 1
While still running the Cisco IOS release that will be upgraded, place the FPD image package for the
new version of Cisco IOS onto one of your routers Flash file systems. For instance, if you are running
Cisco IOS Release 12.2(33)SRD and are upgrading to a newer release, place the FPD image package for
the newer release onto a Flash file system while still running Cisco IOS Release 12.2(33)SRD. You can
locate the FPD image package for a specific IOS release on cisco.com from the same area where you
download that Cisco IOS software image. Your router and Cisco 7600 Series ES+ line cards should
continue to operate normally since this action will have no impact on the current FPDs.
OL-16147-20
9-3
Chapter 9
Caution
Do not change the filename of the FPD image package file. The Cisco IOS searches for the FPD
image package file by filename, so the FPD image package file cannot be found if it has been
renamed.
Step 2
Reboot your router using the new upgraded Cisco IOS image. As part of the bootup process, the router
will search for the FPD image package. Since the default settings for the FPD image package search are
to check for the FPD image package for the specific Cisco IOS Release in a Flash file system, the FPD
image package will be located during the bootup procedure and all FPDs that required upgrades will be
upgraded.
Step 3
When the router has booted, verify the upgrade was successful by entering the show hw-module all fpd
command.
Upgrade FPD Images after Upgrading the New Cisco IOS Release
The following steps explain how to upgrade FPD images if you have already upgraded your Cisco IOS
release but still need to upgrade your FPD images.
To perform an FPD upgrade after the new Cisco release has been booted, follow these steps:
Step 1
If you are unsure if your FPD images for your Cisco 7600 Series ES+ line cards are compatible, enter
the show hw-module all fpd command to verify compatibility of all Cisco 7600 Series ES+ line cards.
If all of your Cisco 7600 Series ES+ line cards are compatible, there is no reason to perform this upgrade.
Step 2
If an FPD upgrade is necessary, place the FPD image package for the new version of Cisco IOS onto the
routers Flash Disk or on an accessible FTP or TFTP server. You can locate the FPD image package on
cisco.com from the same area where you downloaded your Cisco IOS software image.
Step 3
Enter the upgrade hw-module [slot slot-number] file-url command. The file-url command should direct
users to the location of the FPD image package. For instance, if you had placed the FPD image package
for Release 12.2(33)SRD on the TFTP server abrick/muck/myfolder, you would enter upgrade
hw-module [slot slot-number] tftp://abrick/muck/myfolder/c7600-fpd-pkg.122-33.SRD.pkg to
complete this step.
If multiple Cisco 7600 Series ES+ line cards require upgrades, the different pieces of hardware will have
to be updated individually.
Note
Step 4
With the new Cisco IOS release running, if the ES+ cards are disabled or powered down due to
any FPD upgrade errors, the only way to do an FPD upgrade is by reloading the line card using
hw-module reset command (assuming that you have already copied the necessary FPD bundle
file in to the file system).The upgrade hw-module command works only when the line card is
in the UP state.
Verify the upgrade was successful by entering the show hw-module all fpd command.
9-4
OL-16147-20
Chapter 9

Upgrading FPD Images in a Production System

Adding a Cisco 7600 Series ES+ line card to a production system presents the possibility that the Cisco
7600 Series ES+ line card may contain versions of FPD images that are incompatible with the Cisco IOS
release currently running the router. In addition, the FPD upgrade operation can be a very CPU-intensive
operation and therefore the upgrade operation may take more time when it is performed on a production
system. The performance impact will vary depending on various factors, including network traffic load,
the type of processing engine used, type of Cisco 7600 Series ES+ line card, and the type of service
configured.
For these reasons, we recommend that one of the following alternatives be used to perform the FPD
upgrade on a production system if possible:
Using a Non-Production System to Upgrade the Cisco 7600 Series ES+ Line Card FPD Image,
page 9-5
Upgrading FPD Images Using Fast Software Upgrade, page 9-6
Using a Non-Production System to Upgrade the Cisco 7600 Series ES+ Line Card FPD Image
Before beginning the upgrade, ensure:
The spare system is running the same version of the Cisco IOS software release that the target
production system is running.
The automatic upgrade feature is enabled on the spare system (the automatic upgrade feature is
enabled by default. It can also be enabled using the upgrade fpd auto command).
Use the following procedure to perform an upgrade on a spare system:

Step 1
Download the FPD image package file to the routers flash file system or TFTP or FTP server accessible
by the spare system. In most cases, it is preferable to place the file in a Flash file system since the router,
by default, searches for the FPD image package in the Flash file systems. If the Flash file systems are
full, use the upgrade fpd path command to direct the router to search for the FPD image package in the
proper location.
Step 2
Insert the ES+ line card into the spare system.

If an upgrade is required, the system will perform the necessary FPD image updates so that when this
ES+ line card is inserted to the target production system it will not trigger an FPD upgrade operation
there.
Step 3
Verify the upgrade was successful by entering the show hw-module all fpd command.
Step 4
Remove the ES+ line card from the spare system after the upgrade.
Step 5
Insert the ES+ line card into the target production system.
Verifying System Compatibility First

If a spare system is not available to perform an upgrade, you can check for system compatibility by
disabling the automatic upgrade feature before inserting the ES+ line card (the automatic upgrade feature
is enabled by default. It can be disabled using the no upgrade fpd auto command).
If the FPD images on the ES+ line card are compatible with the system, you will only need to
re-enable the automatic upgrade feature (the automatic upgrade feature can be re-enabled using the
upgrade fpd auto command).
OL-16147-20
9-5
Chapter 9
If the FPD images on the ES+ line card are not compatible with the system, the ES+ line card is
disabled but will not impact system performance by attempting to perform an automatic upgrade.
Use the following procedure to check the FPD images on the ES+ line card for system compatibility:
Step 1
Disable the automatic upgrade feature using the no upgrade fpd auto global configuration command.
Step 2
Insert the ES+ line card into the system.

If the FPD images are compatible, the ES+ line card will operate successfully after bootup.
If the FPD images are not compatible, the ES+ line card is disabled. At this point we recommend that
you wait for a scheduled maintenance when the system is offline to manually perform the FPD upgrade
using one of the procedures outlined in the Upgrading FPD Images section on page 9-3.
Step 3
Re-enable the automatic upgrade feature using the upgrade fpd auto global configuration command.
Upgrading FPD Images Using Fast Software Upgrade

The fast software upgrade (FSU) procedure supported by Route Processor Redundancy (RPR) allows
you to upgrade the Cisco IOS image on supervisor engines without reloading the system.
When using FSU to upgrade the Cisco IOS image, remember that Cisco IOS software is configured, by
default, to automatically load the new FPD images from a flash file system on the router. Therefore, if
the FPD image package for the new Cisco IOS has not been downloaded to the router flash file system,
the FPD image that needs to be upgraded will not get upgraded if the new supervisor engine with the
upgraded Cisco IOS becomes the primary supervisor engine. To ensure FPD is upgraded at the time of
the FSU, place the FPD image package for the new version of Cisco IOS onto the flash file system before
upgrading the Cisco IOS and follow the instructions in the Upgrading FPD Images Before Upgrading
Cisco IOS Release (Recommended) section on page 9-3.
If a ES+ line card is disabled after FSU is used to upgrade Cisco IOS and the supervisor engine with the
upgraded Cisco IOS has become the primary supervisor engine, follow the instructions in the Upgrade
FPD Images after Upgrading the New Cisco IOS Release section on page 9-4 to verify and, if necessary,
upgrade FPD.

This section provides information for optional FPD-related functions. None of the topics discussed in
this section are necessary for completing FPD upgrades, but may be useful in some FPD-related
scenarios. It covers the following topics:
Manually Upgrading ES+ Line Card FPD Images, page 9-6
Upgrading FPD from an FTP or TFTP Server, page 9-7
Modifying the Default Path for the FPD Image Package File Location, page 9-8
Displaying Current and Minimum Required FPD Image Versions, page 9-9
Displaying Information About the Default FPD Image Package, page 9-10
Manually Upgrading ES+ Line Card FPD Images

To manually upgrade the current FPD version on a ES+ line card, use the following command:
9-6
OL-16147-20
Chapter 9

Router# upgrade hw-module [slot slot-number] file file-url
In this example, slot-number is the slot where the ES+ line card is installed, file-url is the location and
name of the FPD image package file.
Caution
An image upgrade can require a long period of time to complete depending on the ES+ line card.
Upgrading FPD from an FTP or TFTP Server

The generally recommended method to perform an FPD image upgrade is to download the FPD image
package to a Flash file system and use the FPD automatic upgrade. By default, the system searches the
Flash file system for the FPD image package file when an FPD incompatibility is detected.
This default behavior of loading an FPD image from Flash can be changed using the upgrade fpd path
global configuration command, which sets the path to search for the FPD image package file to a location
other than the routers Flash file systems.
For large deployments where all the systems are being upgraded to a specific Cisco IOS software release,
we recommend that the FPD image package file be placed on an FTP or TFTP server that is accessible
to all the affected systems, and then use the upgrade fpd path global configuration command to
configure the routers to look for the FPD image package file from the FTP or TFTP server prior to the
reloading of the system with the new Cisco IOS release.
Note
This approach can also be used if there is not enough disk space on the system Flash card to hold the
FPD image package file.
To download an FPD image package file to an FTP or TFTP server, use the following procedure:
Step 1
Copy the FPD image package file to the FTP or TFTP server.
Step 2
From global configuration mode, use the upgrade fpd path command to instruct the router to locate the
FPD image package file from the FTP or TFTP server location.
For example, enter one of the following global configuration commands from the target systems
console:
Router(config)# upgrade fpd path tftp://my_tftpserver/fpd_pkg_dir/
or
Router(config)# upgrade fpd path ftp://login:password@my_ftpserver/fpd_pkg_dir/
Note
The final / at the end of each of the above examples is required. If the path is specified without the
trailing / character, the command will not work properly.
In these examples, my_tftpserver or my_ftpserver is the path to server name, fpd_pkg_dir is the directory
on the TFTP server where the FPD image package is located, and login:password is your FTP login name
and password.
Step 3
Make sure that the FPD automatic upgrade feature is enabled by examining the output of the show
running-config command. (Look for the upgrade fpd auto configuration line in the output. If there are
no upgrade commands in the output, then upgrade fpd auto is enabled because it is the default setting.)
If automatic upgrades are disabled, use the upgrade fpd auto global configuration command to enable
automatic FPD upgrades.
OL-16147-20
9-7
Chapter 9
Step 4
Enter the show upgrade fpd file command to ensure your router is connecting properly to the default
FPD image package. If you are able to generate output related to the FPD image package using this
command, the upgrade should work properly.
Step 5
Save the configuration and reload the system with the new Cisco IOS release.
During the system startup after the reload, the necessary FPD image version check for all the ES+ line
cards will be performed and any upgrade operation will occur automatically if an upgrade is required.
In each upgrade operation, the system extracts the necessary FPD images to the ES+ line card from the
FPD image package file located on the FTP or TFTP server.
Modifying the Default Path for the FPD Image Package File Location
By default, the Cisco IOS software looks for the FPD image package file on a Flash file system when
performing an automatic FPD image upgrade.
Note
Be sure there is enough space on one of your Flash file systems to accommodate the FPD image
package file.
Alternatively, you can store an FPD image package file elsewhere. However, because the system looks
on the Flash file systems by default, you need to change the FPD image package file location so that the
system is directed to search an alternate location (such an FTP or TFTP server) that is accessible by the
Cisco IOS software. Enter the upgrade fpd path fpd-pkg-dir-url global configuration command, where
fpd-pkg-dir-url is the alternate location, to instruct the router to search for the FPD image package
elsewhere.
When specifying the fpd-pkg-dir-url, be aware of the following:
The fpd-pkg-dir-url is the path to the FPD image package, but the FPD image package should not
be specified as part of the fpd-pkg-dir-url. For instance, if the c7600-fpd-pkg.122-33.SRD.pkg file
can be found on the TFTP server using the path
mytftpserver/myname/myfpdpkg/c7600-fpd-pkg.122-33.SRD.pkg and you wanted the router to
utilize this FPD image package for FPD upgrades, the upgrade fpd path
tftp://mytftpserver/myname/myfpdpkg/ command should be entered so the router knows where
to find the file. The actual filename should not be specified.
The final / character in the fpd-pkg-dir-url is required. In the preceding example, note that the
fpd-pkg-dir-url is tftp://mytftpserver/myname/myfpdpkg/. Entering
tftp://mytftpserver/myname/myfpdpkg (note: the final / character is missing) as the
fpd-pkg-dir-url in that scenario would not work.
If the upgrade fpd path global configuration command has not been entered to direct the router to locate
an FPD image package file in an alternate location, the system searches the Flash file systems on the
Cisco 7600 series router for the FPD image package file.
Failure to locate an FPD image package file when an upgrade is required will disable the ES+ line card.
Because ES+ line cards will not come online until FPD is compatible, the ES+ line card will also be
disabled if it requires an FPD upgrade and the automatic upgrade feature is disabled.
9-8
OL-16147-20
Chapter 9

Displaying Current and Minimum Required FPD Image Versions

To display the current version of FPD images on the ES+ line cards installed on your router, use the show
hw-module [slot-number | all] fpd command, where slot-number is the slot number where the ES+ line
card is installed. Entering the all keyword shows information for hardware in all router slots.
The following examples show the output when using this show command.
The output display in this example shows that FPD versions on the ES+ line cards in the system meet
the minimum requirements:
Router# show hw-module all fpd
==== ====================== ======
H/W
Slot Card Type
Ver.
==== ====================== ======
1 7600-ES20-GE3CXL
1.0
---- ---------------------- -----4 7600-SIP-400

2.4
---4/0
---4/1
---4/2
---7
---------------------SPA-2X1GE
---------------------SPA-2X1GE
---------------------SPA-2X1GE
---------------------7600-ES20-GE3CXL
-----2.2
-----2.2
-----2.2
-----1.0
---- ---------------------- -----8 7600-ES20-10G3CXL

1.1
---- ---------------------- -----9 7600-ES+40G3CXL

0.303
---------------------- -----7600-ES+3CXL
0.400
---------------------- -----7600-ES+40G
0.401
==== ====================== ======
=============================================
Field Programmable
Current
Min. Required
Device: "ID-Name"
Version
Version
================== =========== ==============
1-ROMMON
1.4
1.4
2-I/O FPGA
0.21
0.21
3-PKT ENG FPGA
0.5
0.5
5-20x1GE LINK FPGA
0.7
0.7
------------------ ----------- -------------1-ROMMON
1.3
1.3
2-I/O FPGA
0.82
0.82
3-SWITCH FPGA
0.39
0.39
------------------ ----------- -------------1-GE I/O FPGA
1.10
1.10
------------------ ----------- -------------1-GE I/O FPGA
1.10
1.10
------------------ ----------- -------------1-GE I/O FPGA
1.10
1.10
------------------ ----------- -------------1-ROMMON
1.4
1.4
2-I/O FPGA
0.21
0.21
3-PKT ENG FPGA
0.5
0.5
5-20x1GE LINK FPGA
0.7
0.7
------------------ ----------- -------------1-ROMMON
1.4
1.4
2-I/O FPGA
0.21
0.21
3-PKT ENG FPGA
0.5
0.5
4-2x10GE LINK FPGA
0.9
0.9
------------------ ----------- -------------1-ROMMON
1.1
1.1
2-I/O FPGA
0.17
0.17
3-SELENE
0.15
0.15
------------------ ----------- -------------4-PKT EN FPGA XL
0.8
0.8
11-Kp FPGA XL
1.1
1.1
------------------ ----------- -------------6-40x1G LinkFPGA
0.15
0.15
10-40x1G LedFPGA
0.2
0.2
=============================================
This example shows the output when verifying the FPD for the ES+ card in a specific slot:
Router# show hw-module slot 9 fpd
==== ====================== ======
H/W
Slot Card Type
Ver.
==== ====================== ======
9 7600-ES+40G3CXL
0.303
=============================================
Field Programmable
Current
Min. Required
Device: "ID-Name"
Version
Version
================== =========== ==============
1-ROMMON
1.1
1.1
2-I/O FPGA
0.17
0.17
3-SELENE
0.15
0.15
OL-16147-20
9-9
Chapter 9
---------------------- ------ ------------------ ----------- -------------7600-ES+3CXL

0.400 4-PKT EN FPGA XL
0.8
0.8
11-Kp FPGA XL
1.1
1.1
---------------------- ------ ------------------ ----------- -------------7600-ES+40G
0.401 6-40x1G LinkFPGA
0.15
0.15
10-40x1G LedFPGA
0.2
0.2
==== ====================== ====== =============================================
Router#
Displaying Information About the Default FPD Image Package

You can use the show upgrade fpd package default command to find out which ES+ line cards are
supported with your current Cisco IOS release and which FPD image package you need for an upgrade.
Router# show upgrade fpd package default
****************************************************************************
This Cisco IOS software image requires the following default FPD Image
Package for the automatic upgrade of FPD images (the package is available
from Cisco.com and is accessible from the Cisco Software Center page where
this IOS software image can be downloaded):
****************************************************************************
Version: 12.2(nightly.SR080616)
Package Filename: c7600-fpd-pkg.122-nightly.SR.pkg
List of card type supported in this package:
No.
---1)
2)
3)
4)
5)
6)
7)
8)
9)
10)
11)
12)
13)
14)
15)
16)
17)
18)
19)
20)
21)
22)
23)
24)
25)
26)
Minimal
Card Type
HW Ver.
---------------------------------------- ------2 port adapter Enhanced FlexRouterN
1.0
2 port adapter Enhanced FlexRouterN
2.0
24xT1E1 CE/ATM SPA
1.0
1xOC3STM1 CE/ATM SPA
1.0
1xOC3STM1 CE/ATM SPA
2.0
2xT3E3 CE/ATM SPA
1.0
1xCHSTM1 SPA
0.0
2xCT3 SPA
0.100
2xCT3 SPA
0.200
4xCT3 SPA
0.100
4xCT3 SPA
0.200
10xGE SPA
0.0
8xGE SPA
0.0
8xFE TX SPA
0.0
4xFE TX SPA
0.0
5xGE SPA
0.0
2xGE SPA
0.0
1x10GE XFP SPA
0.0
10xGE SPA
0.0
8xGE SPA
0.0
8xFE TX SPA
0.0
4xFE TX SPA
0.0
5xGE SPA
0.0
1x10GE XFP SPA
0.0
1x10GE DWDM SPA
0.0
2xGE V2 SPA
0.0
9-10
OL-16147-20
Chapter 9

27)
28)
29)
30)
31)
32)
33)
34)
35)
36)
37)
38)
39)
40)
41)
42)
43)
44)
45)
46)
47)
48)
49)
50)
51)
52)
53)
54)
55)
56)
57)
58)
59)
60)
61)
62)
63)
64)
65)
66)
67)
68)
69)
70)
71)
72)
73)
74)
75)
76)
77)
78)
79)
80)
81)
----
8xCHT1/E1 SPA
0.140
8xCHT1/E1 SPA
0.0
4xT SERIAL SPA
0.0
4xT SERIAL SPA
2.0
2xOC3 POS SPA
0.0
2xOC3 POS SPA
0.200
4xOC3 POS SPA
0.0
4xOC3 POS SPA
0.200
1xOC12 POS SPA
0.0
1xOC12 POS SPA
0.200
1xOC192 POS/RPR XFP SPA
0.0
1xOC192 POS/RPR SPA
0.0
1xOC48 POS/RPR SPA
0.0
2xOC48 POS/RPR SPA
0.0
4xOC48 POS/RPR SPA
0.0
4-subslot SPA Interface Processor-200
0.100
0.450
0.500
0.550
0.600
2.0
0.1
0.1
ESM20G
0.1
2-subslot Services SPA Carrier-400
0.3
0.4
0.5
0.1
7600 ES+
0.100
7600 ES+
0.300
7600 ES+
0.400
7600 ES+ DFC XL
0.100
7600 ES+ DFC XL
0.300
7600 ES+ DFC LITE
0.100
7600 ES+ DFC LITE
0.300
7600 ES+ 40xGE SFP
0.100
7600 ES+ 40xGE SFP
0.200
7600 ES+ 40xGE SFP
0.400
7600 ES+ 20xGE SFP
0.100
7600 ES+ 20xGE SFP
0.200
7600 ES+ 20xGE SFP
0.400
7600 ES+ 4x10GE XFP
0.100
7600 ES+ 4x10GE XFP
0.200
7600 ES+ 4x10GE XFP
0.150
7600 ES+ 2x10GE XFP
0.100
7600 ES+ 2x10GE XFP
0.200
7600 ES+ 2x10GE XFP
0.150
2xT3E3 SPA
0.0
4xT3E3 SPA
0.0
2 Gbps IPSec SPA
0.1
2 Gbps C12000 IPSec SPA
0.1
2xOC3 ATM SPA
0.0
4xOC3 ATM SPA
0.0
1xOC12 ATM SPA
0.0
1xOC48 ATM SPA
0.0
---------------------------------------- -------
OL-16147-20
9-11
Chapter 9

This section provides examples of automatic and manual FPD image upgrades. It includes the following
examples:
Automatic FPD Image Upgrade Example, page 9-12
Manual FPD Image Upgrade Example, page 9-12
Automatic FPD Image Upgrade Example

The following example uses the upgrade fpd auto to do an automatic upgrade.
Router# conf t
Router(config)# upgrade fpd ?
auto Auto upgrade all FPD images
path Set path to locate the FPD image package file for auto upgrade
Router(config)#
Router(config)# upgrade fpd auto ?
<cr>
Router(config)# upgrade fpd auto
Router(config)#
Router(config)#^Z
Router# show version
*Jun 18 10:27:00.078 sum08: %SYS-5-CONFIG_I: Configured from console by consoh ver
Cisco IOS Software, rsp72043_rp Software (rsp72043_rp-ADVENTERPRISEK9_DBG-M), Version
12.2(nightly.SR080616) NIGHTLY BUILD, synced to rainier
RAINIER_BASE_FOR_V122_33_SRA_THROTTLE
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Tue 17-Jun-08 00:10 by cuotran
ROM: System Bootstrap, Version 12.2(33r)SRB3, RELEASE SOFTRouterRE (fc1)
Router uptime is 22 hours, 29 minutes
Uptime for this control processor is 22 hours, 29 minutes
System returned to ROM by reload (SP by reload)
System image file is "disk0:rsp72043-adventerprisek9_dbg-mz.autobahn76_061608"
Last reload type: Normal Reload
Manual FPD Image Upgrade Example

In the following example, FPD for the ES+ line card in slot 8 is upgraded manually:
Router#
Router# upgrade hw-module slot 8 ?
fpd Field programmable device upgrade option
Router# upgrade hw-module slot 8 fpd ?
file Upgrade with field programmable device package/bundle file
Router# upgrade hw-module slot 8 fpd fi
Router# upgrade hw-module slot 8 fpd file c
Router# upgrade hw-module slot 8 fpd file d
*Jun 17 13:24:12.531 sum08: %FPD_MGMT-3-INCOMP_IMG_VER: Incompatible I/O FPGA (FPD ID=2)
image version detected for 7600-ES+40G3CXL card in slot 8. Detected version = 0.16,
minimum required version = 0.17. Current HW version = 0.118.
9-12
OL-16147-20
Chapter 9

*Jun 17 13:24:12.531 sum08: %FPD_MGMT-3-INCOMP_IMG_VER: Incompatible 40x1G LinkFPGA (FPD

ID=6) image version detected for 7600-ES+40G card in slot-dc 8-2. Detected version = 0.14,
minimum required version = 0.15. Current HW version = 0.106.
*Jun 17 13:24:12.531 sum08: %FPD_MGMT-5-UPGRADE_ATTEMPT: Attempting to automatically
upgrade the FPD image(s) for 7600-ES+40G3CXL card in slot 8. Use 'show upgrade fpd
progress' command to view the upgrade progress ...
*Jun 17 13:24:12.547 sum08: %FPD_MGMT-6-BUNDLE_DOWNLOAD: Downloading FPD image bundle for
7600-ES+40G3CXL card in slot 8 ...i
Router#upgrade hw-module slot 8 fpd file disk
*Jun 17 16:24:12.551: %FABRIC_INTF_ASIC-DFC8-5-FABRICSYNC_DONE: Fabric ASIC 0 Channel 1:
Fabric sync done.
*Jun 17 16:24:12.575: %FABRIC_INTF_ASIC-DFC8-5-FABRICSYNC_DONE: Fabric ASIC 1 Channel 1:
Fabric sync done.
OL-16147-20
9-13
Chapter 9
9-14
OL-16147-20
CH A P T E R
10
Configuring IPoDWDM
This chapter provides information about configuring IP over dense wavelength-division multiplexing
(IPoDWDM) on the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T
(ES+T) line cards on the Cisco 7600 series router.
IP over DWDM can be configured on the following Cisco 7600 Series ES+ Extended Transport (ES+XT)
line cards:
76-ES+XT-2TG3CXL
76-ES+XT-4TG3CXL
76-ES+T-2TG
76-ES+T-4TG
76-ES+XC-20G3C
76-ES+XC-20G3CXL
76-ES+XC-40G3C
76-ES+XC-40G3CXL
Note
Unless specified otherwise, the information provided in this chapter is applicable to ES+XT, ES+T and
ES+XC line cards. IPoDWDM is supported on ES+XC line cards from SRE1 and later releases.

The 10GE ports on the ES+ and ES+T line cards are hardware, which are capable of supporting the Optical
Transport Network (OTN) and Wide Area Network (WAN) PHY. This feature provides the software
functionality to support OTN and WAN PHY on ES+ and ES+T line cards on Cisco 7600 series router
platforms. WAN PHY leverages 10 Gig SONET infrastructure and accesses WAN facilities using:
Dark Fiber
Dark Wavelengths
SONET TDM Networks
This feature provides low cost optic solutions required for short distances networks that implement store
and forward network design requiring no optical amplifiers.
OL-16147-20
10-1
Chapter 10
Configuring IPoDWDM
The OTN is based on the Optical Transport Hierarchy (OTH) developed by ITU. The OTN is based on
the network architecture defined in ITU G.872 "Architecture for the Optical Transport Network (OTN)".
The G.872 standard defines an architecture composed of the Optical Channel (OCh), Optical Multiplex
Section (OMS), and Optical Transmission Section (OTS). The use of digitally framed signal with digital
overhead for optical channel enables you to implement the management requirements of OCh. It also
allows the use of Forward Error Correction (FEC) system to improve the system performance. The two
new digital layer networks introduced to implement this feature are ODU and OTU.
OTN architecture (ITU-T G.872 standard) defines two interface classes:
Inter-domain interface (IrDI): The OTN IrDI interface class defines the interface (with the 3Rs
[Reamplification, Reshaping and Retiming] processing) at each end of the operator interface. the
operator interface can also be the interface between different vendors within the same operator
Intra-domain interface (IaDI): The IaDI interface class defines the interface within an operator or a
vendor domain.
OTN has the following advantages:
Stronger forward error correction
More levels of Tandem Connection Monitoring (TCM)
Transparent transport of client signals
Switching scalability

When configuring the WAN PHY / OTN support on ES+ and ES+T line cards, follow these restrictions
The distances between the two switching equipments using the WAN PHY and the DWDM facility
depends on the XFP used. Refer the data sheets of relevant XFP.
The MAC address is common for WAN PHY and LAN PHY. The WAN PHY operates at a rate
compatible with the payload rate of OC-192c/VC-464c.
Configuring ITU-T G.709 Transport Modes

Use the transport-mode command in interface configuration mode to configure LAN, WAN, and OTN
transport modes. The transport-mode command otn option has the bit-transparent sub-option, using
which bit transparent mapping into OPU1e or OPU2e can be configured.
Note
The hardware combination of Cisco-INTEL OC192 + 10GBASE-L XFP is not supported because of bit
rate incompatibility between INTEL XFP and OTN for the following transport mode configurations:
opu1e - 10GBASE-R over OPU1e without fixed stuffing (11.0491Gb/s)
opu2e - 10GBASE-R over OPU2e with fixed stuffing (11.0957Gb/s)
1.
enable
2.
configure terminal
3.
SUMMARY STEPS
10-2
OL-16147-20
Chapter 10
Configuring IPoDWDM
4.
transport-mode {lan | wan | otn bit-transparent {opu1e | opu2e}}
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Specifies the Ten Gigabit Ethernet interface to configure,

where:
Example:
Router(config)# interface tengigabitethernet

4/1
Step 4
transport-mode {lan | wan | otn bit-transparent

{opu1e | opu2e}}
Configures the transport mode.
Example:
Router(config-if)# transport-mode otn
bit-transparent opu2e
DWDM Provisioning
All DWDM provisioning configurations take place on the controller. To configure a DWDM controller,
use the controller dwdm command in global configuration mode.
Prerequisites
The g709 configuration commands can be used only when the controller is in the shutdown state. Use
the no shutdown command after configuring the parameters, to remove the controller from shutdown
state and to enable the controller to move to up state.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
controller dwdm slot/port
OL-16147-20
10-3
Chapter 10
Configuring IPoDWDM
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Configures the DWDM controller.
Example:
Router(config)# controller dwdm 1/3
Examples
The following are examples of IP over DWDM commands:
Router# show run int te2/3
!
ip address 11.11.11.2 255.255.255.0
transport-mode otn bit-transparent opu2e
end
Router# show controller dwdm 2/3
G709 Information:
Controller dwdm 3/1, is down (shutdown)
Transport mode LAN (10GBASE-R, 10.3125Gb/s)
TAS state is : OOS
Description: connected to a ginsu LC
G709 status : Disabled
OTU
LOS = 18
AIS = 0
TIM = 0
LOF = 0
BDI = 1
IAE = 0
LOM = 0
BIP = 14504
BEI = 2289
ODU
AIS = 0
OCI = 0
BIP = 14500
BDI = 0
LCK = 0
BEI = 2266
TIM = 0
PTIM = 0
FEC Mode: FEC

EC(current second) = 0
EC = 31361
UC = 56318597
10-4
OL-16147-20
Chapter 10
Configuring IPoDWDM
pre-FEC BER < 9.00E-11

Q > 6.45
Q Margin > 7.52 DBQ
Detected Alarms: NONE
Asserted Alarms: NONE
Detected Alerts: NONE
Asserted Alerts: NONE
Alarm reporting enabled for: LOS LOF LOM OTU-AIS OTU-IAE OTU-BDI OTU-TIM ODU-AIS ODU-OCI
ODU-LCK ODU-BDI ODU-PTIM ODU-TIM ODU-BIP Alert reporting enabled for: OTU-SM-TCA
ODU-SD-BER ODU-SF-BER ODU-PM-TCA BER thresholds: ODU-SF = 10e-3 ODU-SD = 10e-6 TCA
thresholds: SM = 10e-3 PM = 10e-3
OTU TTI Sent
String ASCII: This_is_a_static_string
OTU TTI Received String ASCII:
OTU TTI Received String HEX : 0000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000
000000000000000000000000000000 OTU TTI Expected String
ASCII: This_is_a_static_string
ODU TTI Sent
String ASCII: This_is_a_static_string
ODU TTI Received String ASCII:
ODU TTI Received String HEX : 0000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000
000000000000000000000000000000 ODU TTI Expected String
ASCII: This_is_a_static_string
Optics Information:
optics type: DWDM XFP Tunable
Wavelength: C-band, channel 10, 1558.17 nm, 192.40 THz Transceiver Rx optical power
-40.0 dBm
Transceiver Tx power
= 1.5 dBm
TX Laser current bias
= 20988 uAmps
Virtual Link Info:

Adjacency info: This_is_a_static_string
C7600 Node ID :
0 :26:B :28:68:80
Connectivity Info:
Network Connection ID : This_is_a_static_string
Network SRLG values:
Set
Set
Set
Set
Set
Set
Set
Set
Set
Set
Set
Set
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
6142
19113
14477
26689
4989
31230
14967
7234
29164
19852
15452
17460
14852
28561
6364
12832
21486
14312
30337
19184
28532
15403
21048
27105
18102
24607
16426
14253
21500
21952
13523
17545
7863
538
5251
18205
22331
27781
17862
26935
10028
16539
865
29015
7144
20299
27504
2190
13470
7222
8500
6988
18852
20882
21512
702
14117
1870
19304
13075
11919
26281
1898
18454
9948
15302
24263
24747
5275
29138
17325
19226
OL-16147-20
10-5
Chapter 10
Configuring IPoDWDM
Set
Set
Set
Set
13:
14:
15:
16:
10917
1126
20342
3366
18739
24967
29828
27109
16263
26662
7591
22805
20739
13147
18471
16266
32124
32739
18968
2421
24934
3591
7227
9339
Router#
Router# conf t
Router(config)# int tenGigabitEthernet 2/3
Router(config-if)# transport
Router(config-if)# transport-mode ?
lan 10GBASE-R LAN pass-through (10.3125Gb/s)
otn 10GE over Optical Transport Network (G.709)
wan 10GBASE-W WAN SONET/SDH (9.95328Gb/s)
Router(config-if)# transport-mode otn ?
bit-transparent 10GBASE-R transparently mapped into OTU-2
Router(config-if)# transport-mode otn bit-transparent ?
opu1e 10GBASE-R over OPU1e without fixed stuffing (11.0491Gb/s)
opu2e 10GBASE-R over OPU2e with fixed stuffing (11.0957Gb/s)
Router(config-if)# transport-mode otn bit-transparent opu2e

Router#
Router#
Router#
Router# show int tenGigabitEthernet2/3
TenGigabitEthernet2/3 is up, line protocol is up (connected)
Hardware is X40G 10Gb 802.3, address is 00d0.03e2.1c00 (bia 00d0.03e2.1c00)
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 10Gb/s, clock source internal
Transport mode OTN (10GBASE-R over OPU2e with fixed stuffing, 11.0957Gb/s)
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 2360 pkt, 221372 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
2392 packets input, 223718 bytes, 0 no buffer
Received 2477 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2477 packets output, 229905 bytes, 0 underruns
0 output errors, 0 collisions, 13 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Router#
10-6
OL-16147-20
Chapter 10
Configuring IPoDWDM
Router# conf t
Router(config-controller)#?
Controller configuration commands:
Network
Configure Vtxp Netwrok parameters
Virtual-Link
Configure Virtual Link (PPC)
admin-state
Configure the transport admin state of the controller
default
Set a command to its defaults
description
Controller specific description
exit
Exit from controller configuration mode
g709
Configure G709 parameters
help
Description of the interactive help system
no
Negate a command or set its defaults
shutdown
Configure dwdm controller processing
transport-mode Configure 10GE PHY transport mode
wavelength
Configure transponder wavelength
Router(config-controller)# g709 ?
fec Configure FEC mode
odu Configure odu parameters
otu Configure otu parameters
tti-processing Configure Trail Trace Identifier
processing
Router(config-controller)# g709 fec ?

disable
Disable FEC
enhanced Enhanced FEC mode
standard Standard FEC mode
Router(config-controller)# g709 odu ?
overhead
Configure ODU overhead
report
Configure odu alarm reporting
threshold Configure odu threshold
Router(config-controller)#g709 odu overhead ?
tti Configure ODU Trail Trace Identifier buffer
Router(config-controller)#g709 odu overhead tti ?
expected
Set expected TTI
sent
Set transmit TTI
Router(config-controller)#g709 odu overhead tti expected ?
ascii Enter ASCII string
hex
Enter hex string- Length should be even number
Router(config-controller)#g709 odu overhead tti expected ascii ?
WORD LINE ASCII text (Max 64 characters)
Router(config-controller)#g709 odu overhead tti expected hex ?
Hex-data LINE Hex nibbles (Max 128- The string length should
be an even number)
Router(config-controller)#g709 odu overhead tti sent ?
hex
Router(config-controller)#g709 odu overhead tti sent ascii ?
Router(config-controller)#g709 odu overhead tti sent hex ?
Hex-data LINE Hex nibbles (Max 128- The string length should
be an even number)
Router(config-controller)# g709 odu report ?
ais
Set Alarm Indication Signal reporting status
bdi
Set Backward Defect Indication reporting status
OL-16147-20
10-7
Chapter 10
Configuring IPoDWDM
lck
oci
pm-tca
ptim
sd-ber
sf-ber
tim
Set
Set
Set
Set
Set
Set
Set
Upstream Connection Locked reporting status

Open Connection Indication reporting status
Path Monitoring BER TCA reporting status
Payload Type Identifier Mismatch reporting status
SM BER in excess of SD threshold reporting status
SM BER in excess of SF threshold reporting status
Trace Identifier Mismatch reporting status
Router(config-controller)# g709 odu threshold ?

pm-tca Set Path Monitoring Threshold Crossing Alert threshold
sd-ber Set Signal Degrade BER threshold
sf-ber Set Signal Failure BER threshold
Router(config-controller)# g709 odu threshold pm-tca ?
<3-9> Bit Error Rate (10 to the minus n) (default 3)
<cr>
Router(config-controller)# g709 odu threshold sd-ber ?
<cr>
Router(config-controller)# g709 odu threshold sf-ber ?
<cr>
Router(config-controller)# g709 otu ?
overhead
Configure OTU overhead
report
Configure otu alarm reporting
threshold Configure otu threshold
Router(config-controller)#g709 otu overhead ?
tti Configure OTU Trail Trace Identifier buffer
Router(config-controller)#g709 otu overhead tti ?
expected
Set expected TTI
sent
Set transmit TTI
Router(config-controller)#g709 otu overhead tti expected ?
hex
Router(config-controller)#g709 otu overhead tti expected ascii ?
Router(config-controller)#g709 otu overhead tti expected hex ?
Hex-data LINE Hex nibbles (Max 128- The string length should be an
even number)
Router(config-controller)#g709 otu overhead tti sent ?
hex
Router(config-controller)#g709 otu overhead tti sent ascii ?
Router(config-controller)#g709 otu overhead tti sent hex ?
Hex-data LINE Hex nibbles (Max 128- The string length should be an
even number)
Router(config-controller)# g709 otu report ?
ais
Set Alarm Indication Signal reporting status
bdi
Set Backward Defect Indication reporting status
fecmismatch Set FEC Mismatch reporting status
iae
Set Incoming Alignment Error reporting status
lof
Set OTU Loss of Frame reporting status
10-8
OL-16147-20
Chapter 10
Configuring IPoDWDM
lom
los
sm-tca
tim
sd-ber
sf-ber
Set
Set
Set
Set
Set
Set
Loss of Multiple Frame reporting status

Loss of Signal reporting status
Section Monitoring BER TCA reporting status
Trace Identifier Mismatch reporting status
SM BER in excess of SD threshold reporting status
SM BER in excess of SF threshold reporting status
Router(config-controller)# g709 otu threshold ?

sd-ber Set Signal Degrade BER threshold
sf-ber Set Signal Failure BER threshold
sm-tca Set Section Monitoring Threshold Crossing Alert threshold
Router(config-controller)# g709 otu threshold sd-ber ?
<cr>
Router(config-controller)# g709 otu threshold sf-ber ?
<cr>
Router(config-controller)# g709 otu threshold sm-tca ?
<cr>
Enabling OTN Mode Alarms Assertion

By default, all the OTN mode alarms are enabled. To control OTN alarms, disable all the alarms and
enable the specific alarms by performing the following steps. Standard FEC is the default FEC mode.
Use the show controller command to verify the alarm status and FEC mode. Perform the steps detailed
in the section to enable OTN mode alarm assertion. Configure same transport mode or FEC mode on
both the routers. The FEC modes, standard and disable, are compatible with each other.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
shut
5.
{g709 | no g709 } fec { disable | standard | enhanced }
6.
{ g709 | no g709 } otu report { ais | bdi | fecmismatch | iae | lof | lom | los | sm-tca | tim | sd-ber
| sf-ber}
7.
{ g709 | no g709 } odu report { ais | bdi | lck | oci | pm-tca | ptim | sd-ber | sf-ber | tim }
8.
{ g709 | no g709 } otu threshold {sd-ber | sf-ber | sm-tca} value
9.
{ g709 | no g709 } odu threshold { pm-tca | sd-ber | sf-ber } value
10. { g709 | no g709 } otu overhead tti{ expected | sent } { ascii | hex } tti-string
11. { g709 | no g709 } odu overhead tti{ expected | sent } { ascii | hex } tti-string
12. no shut
13. end
OL-16147-20
10-9
Chapter 10
Configuring IPoDWDM
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Configures the DWDM controller.
Example:
Step 4
shut
Shuts down the DWDM controller.
Example:
Router(config-controller)# shut
Step 5
{g709 | no g709 } fec { disable | standard |

enhanced}
Configures the FEC modes
Example:
Router(config-controller)# g709 fec enhanced
Step 6
{ g709 | no g709 } otu report { ais | bdi |

fecmismatch | iae | lof | lom | los | sm-tca |
tim | sd-ber | sf-ber}
Specifies the supported otu alarms and configures the otu

threshold. By default, all alarms are reported.
Example:
Router(config-controller)# no g709 otu report
lof
Step 7
{ g709 | no g709 } odu report { ais | bdi | lck

| oci | pm-tca | ptim | sd-ber | sf-ber | tim }
Specifies the supported odu alarms and configures the odu

threshold. By default, all the alarms are reported.
Example:
Router(config-controller)# no g709 otu
threshold sm-tca
Step 8
{ g709 | no g709 } otu threshold {sd-ber |

sf-ber | sm-tca} value
Set the threshold value to detect section monitoring signal

degrade or signal failure alerts.
Example:
Router(config-controller)# g709 odu threshold
sd-ber 3
10-10
OL-16147-20
Chapter 10
Configuring IPoDWDM
Step 9
Command or Action
Purpose
{ g709 | no g709 } odu threshold { pm-tca |

sd-ber | sf-ber } value
Sets the ber threshold limit to t_value power of ten.
Example:
Router(config-controller)# g709 odu threshold
sd-ber 3
Step 10
{ g709 | no g709 } otu overhead tti{ expected |

sent } { ascii | hex } tti-string
Specifies the trail trace identifier for otu level.
Example:
Router(config-controller)# g709 otu overhead
tti expected ascii tti_new
Step 11
{ g709 | no g709 } odu overhead tti{ expected |

sent } { ascii | hex } tti-string
Specifies the trail trace identifier for odu level.
Example:
Router(config-controller)# g709 odu overhead
tti expected ascii tti_new
Step 12
Sets the controller to no shutdown mode.
no shut
Example:
Router(config-controller)# no shut
Step 13
Ends the session.
end
Example:
Router(config-controller)# end
Note
You need to shutdown the interface using shut command before changing the FEC mode to EFEC.
Router(config)#controller dwdm 4/21
Router(config-controller)#shut
Router(config-controller)#g709 fec enhanced
Router(config-controller)#g709 otu report los
Router(config-controller)#no g709 otu report lof
Router(config-controller)#no g709 otu threshold sm-tca
Router(config-controller)#g709 odu threshold sd-ber 3
Router(config-controller)#no shut
Router(config-controller)#end
Verification
Use the show controllers command to verify the configuration for alarm assertion.
Router#show controllers dwdm 4/21
Controller dwdm 4/2, is up (no shutdown)
TAS state is : IS
OL-16147-20
10-11
Chapter 10
Configuring IPoDWDM
G709 status : Enabled

OTU
LOS = 1
AIS = 0
TIM = 0
LOF = 0
BDI = 1
IAE = 0
LOM = 0
BIP = 0
BEI = 0
AIS = 0
OCI = 0
BIP = 0
BDI = 0
LCK = 0
BEI = 0
TIM = 0
PTIM = 0
ODU
FEC Mode: FEC

EC(current second) = 0
EC = 0
UC = 0
pre-FEC BER < 9.00E-11
Q > 6.45
Q Margin > 7.52 DBQ
Detected Alarms: NONE
Asserted Alarms: NONE
Detected Alerts: NONE
Asserted Alerts: NONE
Alarm reporting enabled for: LOS LOF LOM OTU-AIS OTU-IAE OTU-BDI ODU-AIS ODU-OCI ODU-LCK
ODU-BDI ODU-PTIM ODU-BIP Alert reporting enabled for: OTU-SM-TCA ODU-SD-BER ODU-SF-BER
ODU-PM-TCA BER thresholds: ODU-SF = 10e-3 ODU-SD = 10e-6 TCA thresholds: SM = 10e-3 PM =
10e-3
OTU TTI Sent
String ASCII: Tx TTI Not Configured
OTU TTI Received String ASCII:
OTU TTI Received String HEX : 0000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000
000000000000000000000000000000O OTU TTI Expected String
ASCII: Exp TTI Not Configured
ODU TTI Sent
String ASCII: Tx TTI Not Configured
ODU TTI Received String ASCII:
ODU TTI Received String HEX : 0000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000
000000000000000000000000000000 ODU TTI Expected String
ASCII: Exp TTI Not Configured
Configuring Tunable DWDM

The DWDM wavelengths of DWDM-XFP-C (DWDM XFP tunable) module on the Cisco 7600-ES+ line
card is tunable. You can configure the DWDM ITU wavelengths using the itu channel command in the
The following table contains the wavelength mapping information for DWDM-XFP-C.
Table 10-1
DWDM-XFP-C Wavelength Mapping
Channel
Frequency (THz)
Wavelength (nm)
191.95
1561.83
192.00
1561.42
192.05
1561.01
192.10
1560.61
192.15
1560.20
10-12
OL-16147-20
Chapter 10
Configuring IPoDWDM
Channel
Frequency (THz)
Wavelength (nm)
192.20
1559.79
192.25
1559.39
192.30
1558.98
192.35
1558.58
10
192.40
1558.17
11
192.45
1557.77
12
192.50
1557.36
13
192.55
1556.96
14
192.60
1556.55
15
192.65
1556.15]
16
192.70
1555.75
17
192.75
1555.34
18
192.80
1554.94
19
192.85
1554.54
20
192.90
1554.13
21
192.95
1553.73
22
193.00
1553.33
23
193.05
1552.93
24
193.10
1552.52
25
193.15
1552.12
26
193.20
1551.72
27
193.25
1551.32
28
193.30
1550.92
29
193.35
1550.52
30
193.40
1550.12
31
193.45
1549.72
32
193.50
1549.32
33
193.55
1548.91
34
193.60
1548.51
35
193.65
1548.11
36
193.70
1547.72
37
193.75
1547.32
38
193.80
1546.92
39
193.85
1546.52
40
193.90
1546.12
41
193.95
1545.72
42
194.00
1545.32
OL-16147-20
10-13
Chapter 10
Configuring IPoDWDM
Channel
Frequency (THz)
Wavelength (nm)
43
194.05
1544.92
44
194.10
1544.53
45
194.15
1544.13
46
194.20
1543.73
47
194.25
1543.33
48
194.30
1542.94
49
194.35
1542.54
50
194.40
1542.14
51
194.45
1541.75
52
194.50
1541.35
53
194.55
1540.95
54
194.60
1540.56
55
194.65
1540.16
56
194.70
1539.77
57
194.75
1539.37
58
194.80
1538.98
59
194.85
1538.58
60
194.90
1538.19
61
194.95
1537.79
62
195.00
1537.40
63
195.05
1537.00
64
195.10
1536.61
65
195.15
1536.22
66
195.20
1535.82
67
195.25
1535.43
68
195.30
1535.04
69
195.35
1534.64
70
195.40
1534.25
71
195.45
1533.86
72
195.50
1533.47
73
195.55
1533.07
74
195.60
1532.68
75
195.65
1532.29
76
195.70
1531.90
77
195.75
1531.51
78
195.80
1531.12
79
195.85
1530.72
10-14
OL-16147-20
Chapter 10
Configuring IPoDWDM
Channel
Frequency (THz)
Wavelength (nm)
80
195.90
1530.33
81
195.95
1529.94
82
196.00
1529.55
Summary Steps
1.
enable
2.
configure terminal
3.
4.
itu channel number
Detailed Steps.
Step 1
Command or Action
Purpose
enable

password.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3

4/11

where:
Step 4
itu channel number
Sets the ITU channel.
Example:
number- Specifies the ITU channel number. The acceptable

values are from 1 to 82.
Router(config-if)# itu channel 28
Verification
In this example show idprom interface command checks the ITU configuration:
Router # enable
Router # configure terminal
Router(config-if)#itu channel 28
Router#end
Router# show running-config interface TenGigabitEthernet 4/11
!
ip address 5.5.5.5 255.255.255.0
itu channel 28
transport-mode otn bit-transparent opu1e
OL-16147-20
10-15
Chapter 10
Configuring IPoDWDM
Performance Monitoring on DWDM Controllers
end
Router# show idprom interface TenGigabitEthernet 4/11 detail
Hexadecimal dump of TRANSCEIVER SEPROM :
XFP IDPROM Page 0x0:
000:
0C 00 49 00 F8 00 46 00 FB 00
010:
00 00 00 00 00 00 00 00 A6 04
020:
09 C4 8C A0 13 88 9B 83 0F 8D
030:
62 1F 18 A6 13 94 00 0A 0C 5A
040:
00 10 00 18 FF E8 00 0C FF F4
050:
00 00 00 00 00 00 00 00 00 00
060:
00 BF 25 1C 00 C4 00 00 01 F4
070:
00 00 00 00 00 00 00 00 00 00
080:
00 00 00 00 BE 20 00 00 00 00
090:
00 00 00 00 00 00 20 F3 00 00
100:
00 00 00 00 00 00 00 00 00 00
110:
A2 B8 00 15 00 00 00 00 00 00 <<See byte 113, the hexa decimal
equivalent for ITU channel 21>>
120:
00 00 00 00 00 00 00 01

Performance monitoring (PM) on DWDM controllers allows you to gather, store, set thresholds for, and
report performance data for early detection of problems. Thresholds are used to set error levels for each
performance monitoring parameter. During the accumulation cycle, if the current value of a performance
monitoring parameter reaches or exceeds its corresponding threshold value, a threshold crossing alert
(TCA) is generated. The TCAs provide early detection of performance degradation.
Performance monitoring statistics are accumulated on a 15-minute basis, synchronized to the start of
each quarter-hour. They are also accumulated on a daily basis starting at midnight. Historical counts are
maintained for thirty-three 15-minute intervals and two daily intervals.
The Cisco 7600 DWDM controller performs the following monitoring tasks:
Retrieves performance monitoring transmission degradation counts and statistics defined in

Table 10-2.
Maintains performance monitoring parameter counts and checks against configured threshold
values.
Generates performance monitoring related threshold crossing alerts (TCA).
Provides performance monitoring numbers to network engineering managers.
Table 10-2 lists the performance monitoring parameters.

Table 10-2
Cisco 7600 DWDM Performance Monitoring Parameters
Parameter
Definition
BBE-PM
Path monitoring background block error (BBE-PM) indicates the number of

background block errors recorded in the optical transport network (OTN) path during
the PM time interval.
BBE-SM
Section monitoring background block error (BBE-SM) indicates the number of

background block errors recorded in the OTN section during the PM time interval.
BBER-PM
Path monitoring background block errors ratio (BBER-PM) indicates the background
block errors ratio recorded in the OTN path during the PM time interval.
10-16
OL-16147-20
Chapter 10
Configuring IPoDWDM
Parameter
Definition
BBER-SM
Section monitoring background block errors ratio (BBER-SM) indicates the

background block errors ratio recorded in the OTN section during the PM time interval.
BIEC
Bit errors corrected (BIEC) indicates the number of bit errors corrected in the DWDM
trunk line during the PM time interval.
ES-PM
Path monitoring errored seconds (ES-PM) indicates the errored seconds recorded in the
OTN path during the PM time interval.
ESR-PM
Path monitoring errored seconds ratio (ESR-PM) indicates the errored seconds ratio
recorded in the OTN path during the PM time interval.
ESR-SM
Section monitoring errored seconds ratio (ESR-SM) indicates the errored seconds ratio
recorded in the OTN section during the SM time interval.
ES-SM
Section monitoring errored seconds (ES-SM) indicates the errored seconds recorded in
the OTN section during the PM time interval.
FC-PM
Path monitoring failure counts (FC-PM) indicates the failure counts recorded in the
OTN path during the PM time interval.
FC-SM
Section monitoring failure counts (FC-SM) indicates the failure counts recorded in the
OTN section during the PM time interval.
LBC-MIN
Laser bias current minimum (LBC-MIN) is the minimum laser bias current.
LBC-AVG
Laser bias current average (LBC-AVG) is the average laser bias current.
LBC-MAX
Laser bias current maximum (LBC-MAX) is the maximum laser bias current.
OPT-AVG
Average transmit optical power (dBm).
OPT-MAX
Maximum transmit optical power (dBm).
OPT-MIN
Minimum transmit optical power (dBm).
OPR-AVG
Optical power average (OPR-AVG) is the measure of average optical power on the
unidirectional port.
OPR-MAX
Optical power maximum (OPR-MAX) is the measure of maximum value of optical

power on the unidirectional port.
OPR-MIN
Optical power minimum (OPR-MIN) is the measure of minimum value of optical power
on the unidirectional port.
SES-PM
Path monitoring severely errored seconds (SES-PM) indicates the severely errored
seconds recorded in the OTN path during the PM time interval.
SES-SM
Section monitoring severely errored seconds (SES-SM) indicates the severely errored
seconds recorded in the OTN section during the PM time interval.
Configuring Performance Monitoring on DWDM Controllers

This section describes how to configure and verify performance monitoring on DWDM controllers.
The controller dwdm command is supported only on the following cards:
76-ES+XT-2TG3CXL
76-ES+XT-4TG3CXL
76-ES+T-2TG
76-ES+T-4TG
OL-16147-20
10-17
Chapter 10
Configuring IPoDWDM
Note
76-ES+XC-20G3C
76-ES+XC-20G3CXL
76-ES+XC-40G3C
76-ES+XC-40G3CXL
Before you configure performance monitoring using the pm command, you should change the transport
mode to transport-mode otn.
SUMMARY STEPS
1.
configure terminal
2.
controller dwdm instance
3.
pm {15-min | 24-hour} fec threshold {ec-bits | uc-words} threshold
4.
pm {15-min | 24-hour} optics threshold {lbc | opr | opt} {max | min} threshold
5.
pm {15-min | 24-hour} otn threshold otn-parameter threshold
6.
pm {15-min | 24-hour} fec report {ec-bits | uc-words} enable
7.
pm {15-min | 24-hour} optics report {lbc | opr | opt} {max-tca | min-tca} enable
8.
pm {15-min | 24-hour} otn report otn-parameter enable
9.
end
10. show controllers dwdm instance pm history [15-min | 24-hour | fec | optics | otn]
11. show controllers dwdm instance pm interval {15-min | 24-hour} [fec | optics | otn]
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Example:
router# configure terminal
Step 2
controller dwdm instance
Specifies the DWDM controller name in the notation

module/port and enters the DWDM configuration mode.
Example:
router(config)# controller dwdm 4/1
Step 3
pm {15-min | 24-hour} fec threshold {ec-bits |

uc-words} threshold
Configures a performance monitoring threshold for specific

parameters on the FEC layer.
Example:
router(config-controller)# pm 15-min fec
threshold ec-bits 900
router(config-controller)# pm 15-min fec
threshold uc-words 800
10-18
OL-16147-20
Chapter 10
Configuring IPoDWDM
Step 4
Command or Action
Purpose
pm {15-min | 24-hour} optics threshold {lbc |

opr | opt} {max | min} threshold

parameters on the optics layer.
Example:
router(config-controller)# pm 15-min optics
threshold opt max 900
threshold lbc min 700
OL-16147-20
10-19
Chapter 10
Configuring IPoDWDM
Step 5
Command or Action
Purpose
pm {15-min | 24-hour} otn threshold

otn-parameter threshold

parameters on the optical transport network (OTN) layer.
OTN parameters are as follows:
Example:
router(config-controller)# pm 15-min otn
threshold bbe-pm-ne 800
router(config-controller)# pm 15-min otn
threshold es-sm-fe 900
bbe-pm-feFar-end path monitoring background

block errors (BBE-PM)
bbe-pm-neNear-end path monitoring background

block errors (BBE-PM)
bbe-sm-feFar-end section monitoring background

block errors (BBE-SM)
bbe-sm-neNear-end section monitoring background

block errors (BBE-SM)
bber-pm-feFar-end path monitoring background

block errors ratio (BBER-PM)
bber-pm-neNear-end path monitoring background

block errors ratio (BBER-PM)
bber-sm-feFar-end section monitoring background

block errors ratio (BBER-SM)
bber-sm-neNear-end section monitoring

background block errors ratio (BBER-SM)
es-pm-feFar-end path monitoring errored seconds

(ES-PM)
es-pm-neNear-end path monitoring errored seconds

(ES-PM)
es-sm-feFar-end section monitoring errored seconds

(ES-SM)
es-sm-neNear-end section monitoring errored

seconds (ES-SM)
esr-pm-feFar-end path monitoring errored seconds

ratio (ESR-PM)
esr-pm-neNear-end path monitoring errored seconds

ratio (ESR-PM)
esr-sm-feFar-end section monitoring errored

seconds ratio (ESR-SM)
esr-sm-neNear-end section monitoring errored

seconds ratio (ESR-SM)
fc-pm-feFar-end path monitoring failure counts

(FC-PM)
fc-pm-neNear-end path monitoring failure counts

(FC-PM)
fc-sm-feFar-end section monitoring failure counts

(FC-SM)
fc-sm-neNear-end section monitoring failure counts

(FC-SM)
10-20
OL-16147-20
Chapter 10
Configuring IPoDWDM
Command or Action
Step 6
pm {15-min | 24-hour} fec report {ec-bits |

uc-words} enable
Purpose
ses-pm-feFar-end path monitoring severely errored

seconds (SES-PM)
ses-pm-neNear-end path monitoring severely

errored seconds (SES-PM)
ses-sm-feFar-end section monitoring severely

errored seconds (SES-SM)
ses-sm-neNear-end section monitoring severely

errored seconds (SES-SM)
sesr-pm-feFar-end path monitoring severely errored

seconds ratio (SESR-PM)
sesr-pm-neNear-end path monitoring severely

errored seconds ratio (SESR-PM)
sesr-sm-feFar-end section monitoring severely

errored seconds ratio (SESR-SM)
sesr-sm-neNear-end section monitoring severely

errored seconds ratio (SESR-SM)
uas-pm-feFar-end path monitoring unavailable

seconds (UAS-PM)
uas-pm-neNear-end path monitoring unavailable

seconds (UAS-PM)
uas-sm-feFar-end section monitoring unavailable

seconds (UAS-SM)
uas-sm-neNear-end section monitoring unavailable

seconds (UAS-SM)
Configures threshold crossing alert (TCA) generation for

specific parameters on the FEC layer.
Example:
router(config-controller)# pm 15-min fec report
ec-bits enable
router(config-controller)# pm 15-min fec report
uc-words enable
Step 7
pm {15-min | 24-hour} optics report {lbc | opr

| opt} {max-tca | min-tca} enable
Configures TCA generation for specific parameters on the

optics layer.
Example:
report opt enable
report lbc enable
OL-16147-20
10-21
Chapter 10
Configuring IPoDWDM
Step 8
Command or Action
Purpose
pm {15-min | 24-hour} otn report otn-parameter

enable
Configures TCA generation for specific parameters on the

optical transport network (OTN) layer. OTN parameters are
as shown in Step 5.
Example:
router(config-controller)# pm 15-min otn report
bbe-pm-ne enable
router(config-controller)# pm 15-min otn report
es-sm-fe enable
Step 9
Saves configuration changes.
end
Example:
router(config-controller)# end
Step 10
show controllers dwdm instance pm history

[15-min | 24-hour | fec | optics | otn]
Displays all of the performance measurement and TCA

generation information for the DWDM controller.
Example:
router# show controllers dwdm 4/1 pm history
24-hour fec
router# show controllers dwdm 4/1 pm history
Step 11
show controllers dwdm instance pm interval

{15-min | 24-hour} [fec | optics | otn]
Displays performance measurement and TCA generation

information for a specific interval.
Example:
router# show controllers dwdm 4/1 pm interval
24-hour 0
router# show controllers dwdm 4/1 pm interval
15-min optics 1
This example shows how to configure performance monitoring for the optics parameters:
router# config terminal
router(config)# controller
router(config-controller)#
router(config)# exit
dwdm 4/21
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
pm 15-min
exit
optics
optics
optics
optics
optics
optics
optics
optics
optics
optics
optics
optics
threshold opt max 2000000

threshold opt min 200
threshold lbc max 3000000
threshold lbc min 300
threshold opr max 4000000
threshold opr min 400
report opt max-tca enable
report opt min-tca enable
report opr max-tca enable
report opr min-tca enable
report lbc max-tca enable
report lbc min-tca enable
Verification
Verify the configuration by using the show controllers dwdm command.
10-22
OL-16147-20
Chapter 10
Configuring IPoDWDM
This example displays the performance measurement and TCA generation information for a specific
interval:
router# show controllers dwdm 4/21 pm interval 24-hour 1
g709 OTN in interval 1 [HH:MM:SS Month Date Year Month Date Year]
ES-SM
: 0
Threshold : 0
TCA(enable) : NO
ESR-SM
: 0
Threshold : 0
TCA(enable) : NO
SES-SM
: 0
Threshold : 0
TCA(enable) : NO
SESR-SM : 0
Threshold : 0
TCA(enable) : NO
UAS-SM
: 0
Threshold : 0
TCA(enable) : NO
BBE-SM
: 0
Threshold : 0
TCA(enable) : NO
BBER-SM : 0
Threshold : 0
TCA(enable) : NO
FC-SM
: 0
Threshold : 0
TCA(enable) : NO
ES-PM
: 0
Threshold : 0
TCA(enable) : NO
ESR-PM
: 0
Threshold : 0
TCA(enable) : NO
SES-PM
: 0
Threshold : 0
TCA(enable) : NO
SESR-PM : 0
Threshold : 0
TCA(enable) : NO
UAS-PM
: 0
Threshold : 0
TCA(enable) : NO
BBE-PM
: 0
Threshold : 0
TCA(enable) : NO
BBER-PM : 0
Threshold : 0
TCA(enable) : NO
FC-PM
: 0
Threshold : 0
TCA(enable) : NO
g709 FEC in the current interval []
EC-BITS
: 0
Threshold : 0
UC-WORDS : 0
Threshold : 0
TCA(enable)
TCA(enable)
: NO
: NO
Optics in the current interval []

MIN
AVG
MAX Threshold TCA Threshold TCA
(min) (enable) (max) (enable)
LBC[mA ] :0
0
0
0
NO
0
NO
OPT[dBm] :0
0
0
0
NO
0
NO
OPR[dBm] :0
0
0
0
NO
0
NO
Table 10-3
Troubleshooting Solutions for the Performance Monitoring Feature
Problem
Solution
Not able to disable the logging of ODU alarms on the

console.
Use the no g709 odu report command in DWDM

configuration mode to disable the logging.
Router(config-controller)# no g709 odu report
For disabling the logging of OTU alarms, use the no g709 otu
report command in DWDM configuration mode.
OL-16147-20
10-23
Chapter 10
Configuring IPoDWDM
IPoDWDM Proactive Protection

Proactive Protection (PP) is a mechanism that uses Bit Error Rate (BER) from the optical drivers to
detect the failure of signal transmission before it actually occurs. It also corrects the errors introduced
during the transmission, or due to a degrading signal.
In IPoDWDM, the Forward Error Correction (FEC) circuitry resides on a router line card. Therefore, the
router has the visibility into the BER statistics before the FEC mechanism corrects these errors. This
allows the router to realize that the working path is degrading beyond a reasonable point (a threshold you
can configure). At this point, the router starts its protection logic and establishes a protection path while
the traffic continues to flow on the degrading working path. Depending on the failure mode, the router
may have ten or even hundreds of milliseconds to move away from the working path before the FEC
mechanism fails.
Proactive Protection is required because the prevailing video encoding is based on MPEG-2 and
MPEG-4 standards, which uses differential coding of the frame with reference to a full frame that is only
sent infrequently. When this frame (called the I-frame) is lost, a large number of users may experience
a visible outage on their screens, lasting up to several seconds. High resolution encoding schemes, such
as MPEG-4, are actually more prone to longer outages because I-frames are less common in the data
stream. For this reason, it is important to minimize the packet loss even below the SONET or SDH
benchmark, ideally aiming for zero packet loss.
Restrictions
Following restrictions apply for proactive protection:
Only the following line cards support this feature:

76-ES+XT-2TG3CXL
76-ES+XT-4TG3CXL
76-ES+T-2TG
76-ES+T-4TG
76-ES+XC-20G3C
76-ES+XC-20G3CXL
76-ES+XC-40G3C
76-ES+XC-40G3CXL
The polling interval of 10ms is not guaranteed in IOS. The actual polling intervals vary depending
on the load on CPU.
You can expect a time lag while triggering or reverting the proactive protection.
Even though the configuration range offered for the thresholds is from 9E-3 to 1E-9, the working
range is only from 9E-4 to 1E-7. Since the values below this range are negligible, it is rounded off
to 0. The values above this range are too high, and can cause the interface to be unstable.
If you enable proactive protection, and shut down the primary interface, the Loss of Signal
Reporting (LOS) will be sent to the other end. Because of this, the PP FSM goes to local state. But
on the local end, where an OTU-BDI is declared, the FSM does not go to remote failed state.
Because of this, the FSM states will not be in sync on both sides.
10-24
OL-16147-20
Chapter 10
Configuring IPoDWDM
Configuring Proactive Protection

Proactive protection involves enabling the protection mechanism, configuring the threshold, polling of
the fast re-route (FRR) pointers, and triggering the FRR.
Complete the following steps:
SUMMARY STEPS
1.
configure terminal
2.
controller dwdm slot port
3.
proactive enable
4.
proactive trig-threshold x-coeff y-power
5.
proactive trig-window window
6.
proactive rvrt-threshold x-coeff y-power
7.
proactive rvrt-window window
8.
end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Example:
Router# config terminal
Step 2
controller dwdm slot port
Specifies the DWDM controller and enters DWDM

controller mode.
Example:
Step 3
proactive enable
Enables automatic triggering of FEC-FRR.
Example:
Router(config-controller)# proactive enable
Step 4
proactive trig-threshold x-coeff y-power
Configures the trigger threshold of FEC-FRR in the form of

xE-y.
Example:
Router(config-controller)# proactive
trig-threshold 1 5
Step 5
proactive trig-window window
Configures the trigger window (in milliseconds) in which

FRR may be triggered.
Example:
trig-window 2045
OL-16147-20
10-25
Chapter 10
Configuring IPoDWDM
Step 6
Command or Action
Purpose
proactive rvrt-threshold x-coeff y-power
Configures the revert threshold (in the form of xE-y) to

trigger reverting from the FEC-FRR route back to the
original route.
Example:
rvrt-threshold 1 6
Step 7
Configures the revert window in which reverting from the

FEC-FRR route back to the original route is triggered.
proactive rvrt-window window
Example:
rvrt-window 20345
Step 8
Saves configuration changes.
end
Example:
Router(config-controller)# end
This example shows how to configure automatic triggering of FEC-FRR:
Router(config)# controller
Router(config-controller)#
dwdm 0/1
proactive
proactive
proactive
proactive
proactive
end
enable
trig-threshold 1 5
trig-window 2045
rvrt-threshold 1 6
rvrt-window 20345
Verification
Verify the configuration by using the show controllers dwdm proactive status command.
router#show controllers dwdm 3/1 proactive status
Proactive Protection Status: ON
Transport admin-state: IS
Trigger threshold: 6E-4
Revert threshold: 5E-6
Trigger integration window: 2000
Revert integration window: 3000
Received APS: 0x0F
Transmitted APS: 0x0F
10-26
OL-16147-20
Chapter 10
Configuring IPoDWDM
Table 10-4
Troubleshooting Solutions for the Proactive Protection Feature.
Problem
Solution
How do I verify whether or not the proactive protection is

triggered?
Use the show controller dwdm 3/1 proactive status

command. In the command output, check if the APS bytes on
the local side is 0xAF (sent), and the remote end APS received
is 0xAF. Also, use the show proactive infrastructure fsm
command to check whether or not the FSM state is in local or
remote failed state.
For further debugging, run the debug proactive
infrastructure fsm command. You should run the debug
command from the line card. In the debug output, the Tx APS
bytes show the various state of FSM:
How do I verify whether or not the FRR is triggered

correctly?
0x0F --> FSM is in Normal state.
0xAF --> FRR is triggered by PP. FSM is in Local Failed

state.
0xEF --> FSM is in Local Maintenance state.
Check the output of the show mpls traffic-eng fast-reroute

database command. This example displays the output:
router#show mpls traffic-eng fast-reroute database
P2P Headend FRR information:
Protected tunnel
In-label Out
intf/label
FRR intf/label
Status
----------------------------------------------------------------Tunnel1
Tun hd
Te3/1:implicit-n Tu2:implicit-nul Ready
P2P LSP midpoint frr information:
LSP identifier
In-label Out
intf/label
FRR intf/label
Status
----------------------------------------------------------------P2MP Sub-LSP FRR information:
*Sub-LSP identifier
src_lspid[subid]->dst_tunid
In-label Out
intf/label
FRR intf/label
Status
----------------------------------------------------------------* Sub-LSP identifier format:
<TunSrc>_<LSP_ID>[SubgroupID]-><TunDst>_<Tun_ID>
Note: Sub-LSP identifier may be truncated.
Use 'detail' display for the complete key.
Please check the state of the backup tunnel. The backup tunnel
in READY state indicates that the FE FRR is not triggered.
The backup tunnel in ACTIVE state indicates that the FE TRR
is triggered.
OL-16147-20
10-27
Chapter 10
Configuring IPoDWDM

Virtual transponder feature allows you to configure the L1 parameters of a Cisco 7600 IPoDWDM line
card from an ONS 15454 MSTP Network Craft Terminal (CTC). Using this feature, you can monitor
port status, and retrieve monitoring points such as Optical Power, Q Factor, BER, Alarm Status, and so
on.
These cards support virtual transponder on the Cisco 7600:
76-ES+XT-2TG3CXL
76-ES+XT-4TG3CXL
76-ES+T-2TG
76-ES+T-4TG
76-ES+XC-20G3C
76-ES+XC-20G3CXL
76-ES+XC-40G3C
76-ES+XC-40G3CXL
Configuring Virtual Transponder

Configuring virtual transponder involves provisioning a control channel and data link on both
ONS15454 and Cisco 7600. Configuration involves these steps:
Node authentication
SSH server configuration
Provisional Patch Code (PPC) local and remote node configuration
You need to configure PPC through Cisco Transport Controller (CTC) on the ONS15454 because Cisco
7600 does not support PPC. For detailed configuration information, see the ONS documentation at the
following URL:
http://www.cisco.com/en/US/docs/optical/15000r9_2/dwdm/reference/guide/454d92_optcircuitref.htm
l#wp373015
http://www.cisco.com/en/US/docs/optical/15000r9_2/dwdm/procedure/guide/454d92_opticalchannelci
rc.html#wp656975
10-28
OL-16147-20
CH A P T E R
11
Configuring Automatic Laser Shutdown

This chapter provides information about configuring Automatic Laser Shutdown (ALS) on the Cisco
7600 Series Ethernet Services Plus (ES+) and Ethernet Services PlusT (ES+T) line cards on the
Cisco 7600 series router.
ALS can be configured on the following Cisco 7600 Series ES+ Extended Transport (ES+XT) line cards
and Cisco 7600 Series ES+ Transport (ES+T) line cards:
76-ES+XT-2TG3CXL
76-ES+XT-4TG3CXL
76-ES+T-2TG
76-ES+T-4TG
76-ES+XC-20G3C
76-ES+XC-20G3CXL
76-ES+XC-40G3C
76-ES+XC-40G3CXL
Note
Unless otherwise specified, the information provided in this chapter is applicable to ES+XT, ES+T and
ES+XC line cards. ALS is supported on ES+XC line cards from SRE1 release.

Automatic Laser Shutdown (ALS) is a technique used to automatically shut down the output power of
the transmitter in case of fiber break according to ITU-T G.664. This is a safety feature that prevents
dangerous levers of laser light from leaking out of a broken fiber, provided ALS is provisioned on both
ends of the fiber pair.
The sequence of events is as follows. If a fiber is cut, the receiver will detect a Loss Of Signal (LOS).
The ALS agent will turn off the transmitter. The receiver at the far end will then detect an LOS and its
ALS agent will turn off the transmitter. In this way the entire fiber will go dark.
After the fiber is believed to have been repaired, the transmitters can be restarted. To restart, one of the
transmitter lasers is turned on (pulsed) for a provisionable amount of time. If the LOS clears at the
far-end receiver, the far-end transmitter will be restarted. The near-end will clear its LOS and at this point
both transmitters will be on and both LOS alarms will be cleared.
OL-16147-20
11-1
Chapter 11
If a break remains in the fiber, one or both LOS alarms will remain and the transmitters will be disabled.
The near-end transmitter will turn off at the end of its pulse.
There are two types of restart: manual and automatic. In manual restart, you can request a single restart
pulse from the ALS agent. In automatic restart, the ALS agent sends a periodic restart pulse; the period
is configurable.

ALS functions in the following modes:
Disabled modeIf mode is disabled, ALS is disabled. LOS will not cause laser shutdown.
Manual restart modeThe laser is turned off when the ALS agent detects an LOS for 500 ms. After
ALS is engaged, a manual command is issued that turns on the laser for the time period of the pulse
width. The laser is turned on when the LOS has been cleared for 100 ms.
Automatic restart modeThe laser is shut down for the time period of pulse spacing when the ALS
agent detects a LOS for 500 ms. Then, the laser automatically turns on for the time period of the
selected pulse width. If an LOS still exists at that time, the laser is shut down again. This pattern
continues until the LOS is cleared for 100 ms; then, the laser will stay on.
1.
enable
2.
configure terminal
3.
4.
als
5.
als restart {mode | pulse}
6.
als restart mode {automatic | manual}
7.
als restart pulse {interval 100-20000 | width 2-200}
SUMMARY STEPS
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Enters interface mode.
Example:
2/1
11-2
OL-16147-20
Chapter 11
Step 4
Command or Action
Purpose
als
Enables ALS.
Example:
Router(config-if)# als
Step 5
als restart {mode | pulse}
Request an ALS restart mode.
Example:
Router(config-if)# als restart
Step 6
als restart mode {automatic | manual}
Selects the ALS restart mode.
Example:
Router(config-if)# als restart mode automatic
Step 7
als restart pulse {interval 100-20000 | width

2-200}
Selects the ALS pulse mode.
Example:
Router(config-if)# als restart pulse interval
2000
Verification
Command
Purpose
Router# show als {all | interface}
Displays ALS shutdown status for all or selected

interfaces.
Examples
The following are examples of ALS configuration commands:
Router(config)# interface t2/1
Router(config-if)# als ?
<cr>
Router(config-if)# als
Router(config-if)# do show running inter t2/1
!
no ip address
als
end
Router(config-if)# als ?
restart Specify ALS parameters
<cr>
OL-16147-20
11-3
Chapter 11
Router(config-if)# als restart ?

mode
Specify ALS mode
pulse Specify the ALS PULSE
Router(config-if)# als restart mode ?
automatic Select automatic mode
manual
Select manual mode
Router(config-if)# als restart mode manual ?
<cr>
Router(config-if)# als restart mode manual
Router(config-if)# als restart pulse ?
interval Specify the width of the ALS PULSE
width
Specify the width of the ALS PULSE
Router(config-if)# als restart pulse interv ?
<100-20000> ALS pulse interval in seconds
Router(config-if)# als restart pulse interv 150
Router(config-if)# als restart pulse width ?
<2-200> ALS pulse width in seconds
Router(config-if)# als restart pulse width 100
Router(config-if)# do show runn inter t2/1
!
no ip address
als
als restart mode manual
als restart pulse interval 150
end
Router# show als ?
all
ALS information for all interfaces
interface Interface
Router# show als interface t2/1 ?
| Output modifiers
<cr>
Router# show als interface t2/1
Mode ALS_MODE_MANUAL
Pulse Width 100 sec
Pulse Interval 150 sec
Current state ALS_STATE_NORMAL
Router# show als all
Mode ALS_MODE_MANUAL
Pulse Width 100 sec
Mode ALS_MODE_AUTOMATIC
Pulse Width 100 sec
11-4
OL-16147-20
Chapter 11
Router#
Router# hw-module ?
interface Interface
module
Apply command to a module component
subslot
Control a component in a subslot
Router# hw-module inter t2/1 ?
als
Automatic Laser Shutdown
Router# hw-module inter t2/1 als ?
restart restart ALS for the given inteface
Router# hw-module inter t2/1 als restart ?
<cr>
Router# hw-module inter t2/1 als restart
Router#
OL-16147-20
11-5
Chapter 11
11-6
OL-16147-20
CH A P T E R
12
Network Clocking on Cisco 7600 Series Ethernet

Services Plus Line Cards
This chapter provides information about configuring network clocking on the following Cisco 7600
Series ES+ Extended Transport (ES+XT) line cards:
76-ES+XT-2TG3CXL
76-ES+XT-4TG3CXL
Note
Contents
This chapter contains the following sections:
Information About Network Clocking, page 12-1
How to Configure Network Clocking, page 12-2
Information About Network Clocking

The network clocking support for 76-ES+XT-2TG3CXL and 76-ES+XT-4TG3CXL line cards is built on
top of the existing network clocking feature with SIP-200 and SIP-400 line cards. All the original
network clock sources provided by SPA interfaces on SIP-200 and SIP-400 line cards operate the same
way as before. Additionally, you can use network clocking support for the 76-ES+XT-2TG3CXL and
76-ES+XT-4TG3CXL to configure:
BITS clock source
10GE interface clock source
These enhancements provide Synchronous Ethernet (SyncE) feature support for service provider
applications making the 76-ES+XT-2TG3CXL and 76-ES+XT-4TG3CXL line cards the preferred
choices for carrier Ethernet environments.
OL-16147-20
12-1
Chapter 12
How to Configure Network Clocking
The 76-ES+XT-2TG3CXL or 76-ES+XT-4TG3CXL line cards operate in three different modes for clock
synchronization depending on the configuration and the current source state.
Free-runningA line card that is not participating in network clocking or a line card that is actively
sourcing the clock operates in free-running mode. In this mode, the line card internal oscillator
generates the reference clock to the backplane.
Note
In a nonpartcipating mode or a disabled mode, the line card distributes a Stratum 3-quality
timing signal to an external reference clock. Other interfaces on different line cards receive
either the backplane reference clock or the external reference clock depending on their
configurations.
Note
Line card operation is in free-running mode only if it is not participating in the system
clocking, is configured as the active source using on-board oscillator, or does not currently
have a valid clock source before the first clock synchronization; otherwise the line cards
operate in normal mode.
NormalIn normal mode, the module synchronizes with an externally supplied network timing
reference, sourced from one of the chassis BITS inputs or recovered from a network interface. In
this mode, the accuracy and stability of the output signal is determined by the accuracy and stability
of the input reference.
HoldoverIn holdover mode, the network timing module generates a timing signal based on the
stored timing reference used when operating in normal mode. Holdover mode is automatically
selected when the recovered reference is lost or has drifted excessively.
Note
Note
You cannot configure the drift range; it is set internally on the line card to +/9.2~12 ppm
(parts per million) by default. This ppm setting is typical for applications that requires a
clock quality level of Stratum 3/3E, ITU-T G.813 option 1.
All line cards operate in the free-running mode until the network clock is configured.

The following sections provide information on configuring network clocking:
Configuring BITS Clock Support, page 12-3
Configuring 10GE Interface as Clock Source, page 12-5
Verifying the Clock Source, page 12-6
Clock Source Recovery, page 12-8
12-2
OL-16147-20
Chapter 12
Configuring BITS Clock Support

You can select and configure the BITS port on the 76-ES+XT-2TG3CXL or 76-ES+XT-4TG3CXL line
card as the system clock source. This will synchronize the system backplane clock with the
corresponding BITS port input clock and distribute the BITS port input clock across the chassis as the
transmit clock reference for all other interfaces that support network clocking.
Usage Guidelines
Use the following guidelines:
When the network clocking configuration is present in the startup configuration, the clocking
configuration is not applied until five minutes after the configuration has been parsed. This prevents
clocking instability on the backplane when the interfaces and controllers come up out of order.
Network clocking is enabled by default for the 76-ES+XT-2TG3CXL and 76-ES+XT-4TG3CXL.
Cisco IOS Release 12.2(33)SRD1 does not support synchronization status messaging (SSM)
through BITS input.
If there is a BITS clock source flap because of Loss of Signal (LOS), Loss of Frame (LOF), T1 Blue
Alarm, or E1 Alarm Indication Signal (AIS), there is an interval of 150 seconds before the source
becomes valid and active.
In the event of an Out-of-Range (OOR) switchover (revertive mode), the source switchover occurs
when the clock offset crosses the +/12 ppm threshold. If this occurs, you must reconfigure the
source.
1.
enable
2.
configure terminal
3.
network-clock slot slot bits number {2m | e1 [crc4] | j1 [esf]| t1 [d4 | esf [133ft | 266ft | 399ft |
533ft | 655ft]}
4.
network-clock select priority slot slot bits number
5.
exit
SUMMARY STEPS
Detailed Steps
To configure BITS clock support for the Cisco 76-ES+XT-2TG3CXL and 76-ES+XT-4TG3CXL, use the
following commands.
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
OL-16147-20
12-3
Chapter 12
Step 3
Command
Purpose
network-clock slot slot bits number {2m

| e1 [crc4] | j1 [esf]| t1 [d4 | esf
[133ft | 266ft | 399ft | 533ft |
655ft]}
(Optional) Configure BITS port signaling types.

The default signal type is T1 with ESF framing and a Line
Build-Out Select value of 133 feet.
Example:
Router(config)# network-clock slot 1
bits 0
Step 4
network-clock select priority slot slot

bits number
Names a source to provide timing for the network clock

and specifies the selection priority for this clock source.
Example:
Router(config)# network-clock select 1
slot 1 bits 0
Step 5
exit
Exits global configuration mode and returns to privileged

EXEC mode.
Example:
Example
The following example shows how to configure BITS clock support for the Cisco 76-ES+XT-2TG3CXL
and 76-ES+XT-4TG3CXL.
Router# enable
Router(config)# network-clock slot 1 bits 0 ?
2m 2.048MHz square wave signal type
e1 E1 signal type
j1 Japan J1 signal type
t1 T1 signal type
Router(config)# network-clock slot 1 bits 0 t1 ?
d4 T1 D4 framing mode
esf T1 ESF framing mode
Router(config)# network-clock slot 1 bits 0 t1 d4 ?
133ft Line Build-Out Select 0 to 133 feet
Router(config)# network-clock slot 1 bits 0 t1 d4 266ft
Router(config)# network-clock select 1 slot 1 bits 0
12-4
OL-16147-20
Chapter 12
Configuring 10GE Interface as Clock Source

This will set up the line card to extract the received clock from the 10GE interface, either the LAN PHY
or the WANPHY, and have the system backplane clock synchronized to it. Then the system will use it as
the transmission clock reference for all other interfaces in the chassis that support the network clocking
feature.
Usage Guidelines
Use the following guidelines:
When the network clocking configuration is present in the startup configuration, the clocking
configuration is not applied until five minutes after the configuration has been parsed. This prevents
clocking instability on the backplane when the interfaces/controllers come up out of order.
Network clocking is enabled by default for the 76-ES+XT-2TG3CXL and 76-ES+XT-4TG3CXL.
Cisco IOS Release 12.2(33)SRD1 does not support Ethernet Synchronization Message Channel
(ESMC) on LAN PHY and SSM received from SONET/SDH frames for WANPHY.
If there is a clock source flap because of interface up and down events, there is an interval of 150
seconds before the source becomes valid and active.
In the event of an Out-of-Range (OOR) switchover (revertive mode), but the interface stays up, the
source switchover occurs when the clock offset crosses the +/12 ppm threshold. If this occurs, you
must reconfigure the source.
1.
enable
2.
configure terminal
3.
interface TenGigabitEthernet slot/port
4.
5.
exit
6.
network-clock select priority interface TenGigabitEthernet slot/port
7.
exit
SUMMARY STEPS
Detailed Steps
To configure 10GE interface as the clock source, use the following commands.
OL-16147-20
12-5
Chapter 12
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
interface TenGigabitEthernet slot/port
Example:

where:
tengigabitethernet 1/1
Step 4
Example:
Select interface clock source type to ''Recover clock from

line.'' This will make this interface eligible for system
clock source selection.
Step 5
exit
Exits interface configuration mode and returns to global

configuration mode.
Example:
Step 6
network-clock select priority interface

TenGigabitEthernet slot/port
Names a source to provide timing for the network clock

and specifies the selection priority for this clock source.
Example:
Router(config)# network-clock select 1
interface TenGigabitEthernet 1/1
Example
The following example shows how to configure 10GE interface as the clock source.
Router# enable
Router(config)# interface tengigabitethernet 1/1
Router(config)# network-clock select 1 interface TenGigabitEthernet 1/1
Verifying the Clock Source

Use the show network-clocks command to verify network clocking on the route processor (RP) side.
Router# show network-clocks
Active source = Slot 1 BITS 0
Active source backplane reference line = Secondary Backplane Clock
Standby source = TenGigabitEthernet1/1
12-6
OL-16147-20
Chapter 12
Standby source backplane reference line = Primary Backplane Clock

(Standby source not driving backplane clock currently)
All Network Clock Configuration

--------------------------------Priority Clock Source
1
POS3/0/1
2
Slot 1 BITS 0
3
State
Hardware not present
Valid
Valid
Reason
Current operating mode is Revertive

Current OOR Switchover mode is Switchover
There are no slots disabled from participating in network clocking

BITS Port Configuration
------------------------Slot
Port
Signal Type/Mode
1
0
T1 D4
Line Build-Out Select

DSX-1 (133 to 266 feet)
Use the show platform hardware network-clocks command to verify output on the line card side.
Router-dfc# show platform hardware network-clocks
Local Loop Timing:
Port 1: N
Port 2: N
Port 3: N
Port 4: N
Backplane Bus Status and Source:

Primary
: Disabled, Port 0 RX_DEMAP Clock
Secondary : Enabled, BITS Rx Clock
BITS
: Disabled, Port 0 RX_DEMAP Clock
ZL30138 Configuration and Status:
DPLL1: Lock (2)
Mode of Operation : Automatic
Selected Reference : 4
Ref0 Priority : 15
Ref1
Ref2 Priority : 15
Ref3
Ref4 Priority : 00
Ref5
Ref6 Priority : 15
Ref7
Normal
Priority
Priority
Priority
Priority
:
:
:
:
15
15
15
15
Reference Monitoring: Custom A frequency 25000 kHz

Ref#
SCM
CFM
GST
PFM
Mode
Detected
---------------------------------------------------------0
0
0
0
0
CustA
38.88 MHz
1
1
1
1
1
CustA
not detected
2
0
0
0
1
CustA
38.88 MHz
3
1
1
1
1
CustA
not detected
4
0
0
0
0
Auto
1.544 MHz
5
1
1
1
1
Auto
not detected
6
1
1
1
1
Auto
not detected
7
0
0
0
0
Auto
8 kHz
BITS Configuration and Status:
Signal Type
: T1 D4 Framing
Clock Divider : 1.544 MHz
OL-16147-20
12-7
Chapter 12
Status
: Good
Clock Source Recovery

For clock source recovery on the 76-ES+XT-2TG3CXL and 76-ES+XT-4TG3CXL, consider the
following guidelines:
With BITS port as the clock source:
Clock state shows Hardware not present if the line card is removed.
Clock becomes Validate but not present if BITS Rx reports LOS, LOF, Blue Alarm (T1), or AIS
(E1)
If there are no BITS RX alarms, the clock state is "Valid.
With 10GE ports as the clock source:
Clock state shows Hardware not present if the line card is removed.
Clock becomes Validate but not present if the interface is down.
If interface goes back up, the clock state is "Valid".
For both 10GE port clock recovery and BITS port clock recovery, when the clock source is recovered,
the line card will send notification to the RP. Then after a 150-second debounce period, the RP sends a
control message to every participant to synchronize with the valid clock source again.

Synchronous Ethernet (SyncE) defined by the ITU-T standards such as G.8261 and G.8262 leverages the
PHY layer of Ethernet to transmit clock information to the remote sites. SyncE over Ethernet provides
a cost-effective alternative to the SONET networks. For SyncE to work, each network element along the
synchronization path must support SyncE. To implement SyncE, the Bit clock of the Ethernet is aligned
to a reliable clock traceable to Primary Reference Clock (PRC).
For more information on SyncE, Synchronization Status Message (SSM),Ethernet Synchronization
Messaging Channel (ESMC) and their configurations, please see: Cisco 7600 Synchronous Ethernet
Support section on page 4-2.
12-8
OL-16147-20
CH A P T E R
13

This chapter provides information about configuring Layer 3 and Layer 4 features on the Cisco 7600
Series Ethernet Services Plus (ES+) line card family (ES+, ES+T, ES+XT, ES+XC). It includes the
following topics:
Layer 3 and Layer 4 Security ACL on Service Instance, page 13-1
Inline Video Monitoring on the Cisco 7600 Router, page 13-5
IP Tunneling - IPv6 Rapid Deployment, page 13-31
VRF aware IPv6 Tunnels over IPv4 Transport, page 13-38
IPv6 over IPv4-GRE Tunnels, page 13-54
IPv6 Policy Based Routing, page 13-68
Note
The information provided in this chapter is applicable to all the ES+ line card family unless specified
otherwise.

An ACL consists of a series of statements called ACL entries that define the network traffic profile. Each
entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in
the entry. Each entry also contains a filter element that is based on criteria such as the source address,
the destination address, the protocol, and protocol-specific parameters such as ports and so on.
The Layer 3 and Layer 4 ACLs on Service Instance feature permits you to configure ACLs under an
Ethernet Virtual Circuit (EVC) on the Cisco 7600 Series ES+ line cards. Cisco IOS Release 15.1(1)S
supports EVC port-channels.

When configuring the Layer 3 and Layer 4 Security ACL on Service Instance feature on Cisco 7600
Series ES+ line cards, follow these restrictions and usage guidelines:
8000 unique ACLs are supported per NP
OL-16147-20
13-1
Chapter 13
8000 ACEs are supported per ACL with only single ACL present
8000 EVCs are supported per NP
If TCAM is full, filtering is not supported
IPv6 ACLs are not supported
Operators for Layer 4 attributes are not supported
time-range, dynamic range, and acl log are not supported
Layer 2 and Layer 3 ACLs cannot coexist on the same service instance
8000 access control entries (ACEs) per ACL on EVC
The number of uniquely defined ACLs on the chassis is not affected by support on service instances
ACL configuration with ACEs that contain type of service (ToS) configuration is not supported, but
differentiated services code point (DSCP) is supported
IP options are not supported.
Configuring on a Service Instance

SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
[no] ip address
5.
6.
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
or

Example:
gigabitethernet 4/1
13-2
OL-16147-20
Chapter 13

Step 4
Command
Purpose
[no] ip address

EtherChannel.
Example:
Step 5

[service-name]

submode.
Example:
ethernet
Step 6
Applies an IP access list to an interface.
Example:
Router(config-if-srv)# ip access-group
101 out
Configuring on a Port-Channel
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
4.
[no] ip address
5.
6.
DETAILED STEPS
Step 1
Command
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
12
OL-16147-20
13-3
Chapter 13
Step 4
Command
Purpose
[no] ip address

EtherChannel.
Example:
Step 5

[service-name]

submode.
Example:
ethernet
Step 6
Applies an IP access list to an interface.
Example:
Router(config-if)# ip access-group 101
out
Examples
In this example, the Layer 3 access control list below is applied under the EVC and a port-channel on a
Cisco ES+ line card.
ip access-list extended l3acl
permit ip 1.1.1.1 255.255.255.255 any
permit ip 2.2.2.2 255.255.255.255 any
Router# enable
Router(config-if-srv)# ip access-group l3acl in/out
Router# enable
Router(config)# interface port-channel 3/1
In this example, the Layer 4 access control list below is applied under the EVC and a port-channel on a
Cisco ES+ line card.
ip access-list extended l4acl
permit tcp host 1.1.1.1 eq 30 any
Router# enable
Router# enable
Router(config)# interface port-channel 3/1
13-4
OL-16147-20
Chapter 13

Inline Video Monitoring on the Cisco 7600 Router
Verification
Command
Purpose
Router# show ethernet service evc [id evc-id |

interface interface-id] [detail]
Displays information pertaining to a specific

EVC if an EVC ID is specified, or pertaining to
all EVCs on an interface if an interface is
specified. The detail option provides additional
Router# show ethernet service instance [id

instance-id interface interface-id | interface
Displays information about one or more service

instances: If a service instance ID and interface
are specified, only data pertaining to that
particular service instance is displayed. If only an
interface ID is specified, displays data for all
service instances on the given interface.

IP video is highly sensitive to delay and packet loss. It is estimated that nearly twenty percent of the
access lines are of marginal quality, and a three millisecond (ms) packet loss results in a 500-1000 ms
video degradation visible to the subscriber. A data loss in a multicast video stream in the core network
affects multiple access and aggregation networks, and thousands of subscribers viewing the stream.
This feature provides the funtionality for inline video monitoring. Using the inline video monitoring, you
can monitor the video inline in the router without using a video probe. A Video probe is an external
device used for video monitoring. Video Monitoring feature enables you to monitor the video data flow
in a network. These features are included in Inline Video Monitoring:
Media Delivery Index
Internet Protocol-Constant Bit Rate (IP-CBR)
Support MPLS Encapsulation for 7600 Inline Video Monitoring
Configurable MPEG Video PIDs for Inline Video Monitoring
RTP Metrics support for 7600 Inline Video Monitoring
Support Switch-Port Interfaces for 7600 Inline Video Monitoring
Support PPPoE Encapsulation for 7600 Inline Video Monitoring
OL-16147-20
13-5
Chapter 13

The Media Delivery Index (MDI) metric provides a relative indicator of the required buffer depths at the
consumer node due to packet jitter. It also gives an indication of the lost packets. MDI provides the Delay
Factor (DF) and the Media Loss Rate (MLR) for the video flow. DF is the maximum difference between
the arrival of a packet and the drain of the packet. MLR is the number of media packets lost over a certain
time interval. Media Discontinuity Count (MDC) is a measure of the number of times discontinuity
events occurred resulting in MLR. MDC metric is a Cisco proprietary standard.
Note
In case of major data loss, the reported MDC & MLR values are capped to 65535 for an interval and
reset to zero from the next interval.
Note
The maximum value for DF is capped to 1000 ms.

Previously, for inline video monitoring, the jitter buffer required by the end devices was calculated using
the delay factor (DF) algorithm defined in RFC 4445. This algorithm was effective for constant bit rate
(CBR) flows where the flow rate was consistent and helped calculate the DF accurately. However, in a
variable bit rate (VBR) flow or inconsistent flow rate, the calculated DF was inaccurate, hence not very
helpful to the service provider.
Effective from release 15.1(1)S, video monitoring on the Cisco 7600 Series Routers supports DF
computation as IP Delay Variation (IPDV). The IPDV algorithm is independent of configured packet rate
and is useful for a service provider to calculate accurate jitter buffer for VBR flows. You can configure
either RFC 4445 or IPDV algorithm on a flow to calculate the DF. To configure the delay factor using
either of these algorithms, use df algo_type command.
Note
DF computed using RFC4445 algorithm includes the inter-packet gap and hence it is never zero. But
IPDV does not include the inter-packet gap and the computed DF can be zero.
These are the characteristics of IPDV configuration:
IPDV or MDI-DF on a per class basis with-in a policy-map is supported.
IPDV and MDI-DF can coexist within the same policy-map.
IPDV cannot co-exist with MDI-DF under the same class-map.
IPDV and MDI-DF can be configured under different class-maps under the same policy-map.
Advantages of using IPDV to calculate DF:
IPDV algorithm works with both CBR and VBR flows and reports only the network introduced
delay. The DF calculation does not include the inter packet delay.
IPDV algorithm is independent of packet rate.
13-6
OL-16147-20
Chapter 13

Internet Protocol-Constant Bit Rate (IP-CBR)

The Internet Protocol-Constant Bit Rate (IP-CBR) metric provides the Media Rate Variation (MRV) and
Delay Factor (DF). MRV is used on CBR flows to isolate the variations in the data transport due to packet
loss. The MRV metric indicates the percentage rate of variation of media from the expected metrics
calculated rate. MRV is calculated based on the expected bit rate provided by the user and the actual bit
rate. Delay factor is the measured difference between the arrival of a packet and the drain of the packet.
Note
The maximum value for DF is restricted to 1000 milliseconds.
Support MPLS Encapsulation for 7600 Inline Video Monitoring

Inline video monitoring feature monitors MPLS encapsulated video packets on MPLS enabled
interfaces. Effective from Cisco IOS release 15.1(1)S, inline video monitoring is also supported for these
MPLS scenarios:
Tag to Tag: 7600 router configured as Label Switch Router (LSR) to switch MPLS packets.
Tag to IP: 7600 router configured as Label Edge Router (LER) to remove the last MPLS tag.
IP to Tag: 7600 router configured as LER to add the first MPLS tag.
The following MPLS packet formats are supported for inline video monitoring:
L3VPN packet formats: 0x8847, MPLS Labels, IP header, UDP header, and MPEG. (ignore
acronyms)
L2VPN and VPLS packet formats: Router MAC, 0x8847, MPLS Labels, control word, VLAN Tags,
CE MAC, IP, UDP, and MPEG.
Configurable MPEG Video PIDs for Inline Video Monitoring

Until Cisco IOS release15.0(1)S, inline video monitoring learned the first five unique Program
Identifiers (PIDs) in an MPEG flow for video, audio, or caption data PIDs. However, monitoring PIDs
for audio or caption data is not a priority for a customer implementing inline video monitoring. Effective
from Cisco IOS release15.1(1)S, video monitoring provides support to configure the PIDs to monitor.
This enables a user to configure only the video PIDs in an MPEG flow on priority. The PIDs to monitor
are configured within the monitor metric mdi command mode using the monitor pids pid_value
command. You can configure a maximum of five PIDs using this command. The PID value can range
from hexadecimal value 2 to 1FFF.
Note
This feature is supported on flows monitored for MDI metrics.
RTP Metrics support for 7600 Inline Video Monitoring

Real-time Transport Protocol (RTP) provides protocol level support for detecting packet loss and jitter
in a network. Packet loss is detected using the 16 bit sequence numbers in the packet header. These
numbers provide an accurate measurement of number of packets lost and delayed during transmission.
OL-16147-20
13-7
Chapter 13
The timestamp information in the RTP packet header is used for calculating jitter in a network data
stream. Effective from Release 15.1(2)S, inline video monitoring supports monitoring packet loss and
jitter metrics for RTP flows in addition to IP-CBR and MPEG flow.
RTP metrics is enabled on a per class-map basis on the Cisco 7600 series routers. A new RTP flow is
created for each RTP Synchronization Source (SSRC) detected in the RTP session matching the
class-map classification criteria. Since RTP sessions are dynamically negotiated, they must be validated
before learning the RTP flow for monitoring. A RTP header does not contain protocol specific
information to identify it as an RTP packets. Currently, these checks are performed to ensure that a
particular RTP packet is valid:
Note
The RTP version number should be two.
The payload type should be known and not equal to SR (Sender Report 200) or RR (Receiver Report
201).
When the SSRC identifier is received for the first time, the data packets carrying the identifier are
considered invalid until a number of data packets with consecutive sequence numbers are received.
The SSRC value should not be zero.
RTP SSRC is a part of flow key along with existing five flow tuples.
RTP Metrics
Apart from the packet loss and jitter metrics, an RTP flow contains additional metrics that provide
information about the RTP traffic. Table 13-1 lists the metrics exported and displayed for an RTP flow.
Table 13-1
RTP Reported Metrics
Metric Name
Description
Cumulative/ Interval
total_pkts
Total number of packets monitored for the

interval.
Interval + Cumulative
expected_pkts
Total number of packets expected in an interval Interval + Cumulative

based on the minimum and maximum sequence
numbers.
lost_pkts
Total number of packets lost in an interval. It is Interval + Cumulative

the difference between the expected
(expected_pkts) and the actual packets
(actual_pkts).
jitter
Jitter reported for an interval
Interval
max_jitter
Maximum jitter observed in the interval.
Interval
loss_intervals
Number of loss intervals . A loss interval is an Interval

interval when the consecutive RTP packets
were lost.
num_resync
Total number of sequence number

re-synchronizations performed in an interval.
Interval + Cumulative
late_pkts
Total number of packets received outside the

sliding window defined by maximum reoder
(max_reorder) and dropout (max_dropout)
parameters.
Interval
13-8
OL-16147-20
Chapter 13

Metric Name
Description
Cumulative/ Interval
reord_pkts
Total number of reordered packets received in a Interval

interval.
lost_fraction
The number of packets lost divided by the

number of packets expected. Displayed in
percent.
avg loss
duration
The number of packets lost (lost_pkts) divided Interval

by the number of loss intervals (loss_intervals).
valid packets
Difference between the number of packets

received and the number of reordered and late
packets.
Interval
Interval
1. For loss interval calculations any late or reordered packets should also be treated as lost.
Support Switch-Port Interfaces for 7600 Inline Video Monitoring

Effective from Release 15.1(2)S, inline video monitoring feature supports video traffic monitoring on
layer 2 and layer 3 interfaces. These layer 2 switch-port interfaces are supported:
Note
Trunk interface: When you configure a switch-port mode as trunk, multiple VLANs can be switched
on the interface.
Access interface: When you configure a switch-port mode as access, a single VLAN can be switched
on the interface.
Dot1q tunnel: When you configure a switch-port mode on the router as trunk and on the peer as
non-trunk or vice-versa.
Apart from the five tuple keys, inner and outer VLAN ids can be used as a key to differentiate flows.
Support PPPoE Encapsulation for 7600 Inline Video Monitoring

Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating Point-to-Point
Protocol (PPP) frames inside the ethernet frames. This protocol is used for Digital Subscriber Line
(DSL) services where a user in a metro ethernet network, connects to the DSL modem. Effective from
Release 15.1(2)S, inline video monitoring supports to monitor video traffic from a PPPoE network.
Packets with ether type as 0x8864 are considered as the PPPoE packets and included for video
monitoring.
These PPPoE encapsulated packet formats arte supported:
PPPoE packets
Eth + VLAN + PPPoE + IP
L2VPN
Eth + MPLS + Eth + VLAN + PPPoE + IP
Eth + VLAN + MPLS + Eth + VLAN + PPPoE + IP
OL-16147-20
13-9
Chapter 13
Note
Video monitoring for PPPoE encapsulated packets is not supported on a node where the session
terminates.
Inline Video Monitoring Support of MDI Metrics for RTP Encapsulated Flows
Effective with Release 15.1(3)S, inline video monitoring supports MDI metrics calculation for
MPEG2-Transport Stream (TS) flows encapsulated in RTP (RFC3550) headers. The MDI metric
(RFC4445) provides information about the buffer required at the consumer node for packet jitter (DF)
and an estimate of the packet loss during the data transmission (MLR/MDC).
Note
Currently, you can monitor either the MDI or RTP at a time for data flow, not both together.
Inline Video Monitoring Support for Availability Metrics

Effective with Release 15.1(3), inline video monitoring provides an availability metrics named
transport-availability, which indicates the availability of a transport stream for a specific period of time.
Inline video monitoring computes transport-availability and error-seconds based on either MDI (RFC
4445) or RTP (RFC 3550) metrics. These metrics provide network operators additional troubleshooting
information and the option to measure per video flow performance against the defined Service Level
Agreements (SLA).
Note
Before Cisco IOS Release 15.1(3), inline video monitoring provided metrics such as MLR and DF for
MDI traffic, and jitter and loss-fraction for RTP traffic. To understand these metrics, a user should have
an understanding of technology and standards.
Transport-availability is calculated as the percentage of time a transport stream is available over a
measured time interval, and the error-seconds (downtime) is the time interval for which the transport
stream in not available for data transmission. The transport-availability is calculated as:
Transport-availability = (Interval duration Error-seconds) / Interval duration
Note
Two new react-types, transport-availability and error-seconds, are introduced in the react command to
help configure alarms based on the keyword values.
Note
Packet drop occurs during the error-seconds interval.
Note
Only the packet loss is considered for calculating error-seconds; jitter is not considered for error-seconds
calculation.
13-10
OL-16147-20
Chapter 13

Inline Video Monitoring Support for Uncompressed Video

Effective with Release 15.1(3)S, inline video monitoring supports monitoring of uncompressed video,
such as Serial Data Interface (SDI) and High Definition- SDI (HD-SDI). RTP loss metrics are not
frequency dependent, and jitter calculation involves frequency. Hence, with the existing default 90kHz
frequency, jitter calculation for higher frequencies might display incorrect results. To monitor
uncompressed videos, three new RTP clock frequencies: 148.5MHz, 148.5/100, and 27MHz are
supported apart from existing support for 90kHz. You can configure the RTP clock frequency using the
clock-rate command. This command allows you to map a dynamic Payload Type (PT) value to the
corresponding frequency for each class-map in the RTP header. Based on the PT value in the RTP header
for a flow, a corresponding frequency is mapped for jitter calculations. For the un-mapped PTs, default
frequency of 90kHz is used.
Note
You can disable jitter calculation for unsupported frequencies. The jitter value for unsupported
frequencies is reported as 0.
Restrictions for Inline Video Monitoring

The following restrictions apply to the inline Video Monitoring feature:
Video Monitoring is supported only on ES+ line cards.
The supported supervisor engines are Sup720 and RSP720 (1 gigabits and 10 gigabits).
Up to 1000 video monitoring flows per Line Card and up to 8000 flows per router are supported for
inline video monitoring.
Only IPv4 ACLs are supported.
The video traffic is not monitored up to first two intervals after the flow is learnt.
After the LC flow traffic stops and is timed out using the configured timeout value under class-map,
some of the system resources are released only after 25 minutes. The learn-delete process may result
in delay in monitoring the flows because the system resources are not released immediately.
In case of video monitoring on EVC, monitoring is performed for learnt unicast and multicast traffic
only. Traffic with unknown unicast destination MAC is not monitored.
MDI:DF, MDI:MLR, MDI:MDC, IP-CBR:DF, and IP-CBR:MRV metrics are supported for CBR
flows. For VBR flows, only MDI:MLR and MDI:MDC are supported.
MDI:DF, MDI:MLR, and MDI:MDC are supported only for MPEG-2 and MPEG-4 transport
streams. Both the single program transport streams (SPTS) and multi-program transport streams
(MPTS) are supported.
Only a flat performance-traffic policy type can be configured in each direction. Hierarchical policies
are not supported for Video Monitoring in the performance-traffic typed policy.
Video Monitoring is an independent feature and can co-exist with QoS. Though QoS and
performance-traffic are policy-map based, both can be applied to the same interface in the same
direction to function independently.
A maximum of five PIDs can be configured for monitoring.
Only the configured PIDs are monitored. For example, if only one PID is configured, no other new
PIDs are monitored.
These reserved PIDs are not monitored:
OL-16147-20
13-11
Chapter 13
0x0000: Reserved for Program Association Table (PAT).

0x0001: Reserved for Conditional Access Table (CAT).
0x0010: Reserved for Network Information Table (NIT).
0x1FFF: Reserved for Null Packets.
Duplicate PID values cannot be configured.
Layer 3 VPN (L3VPN) and Layer 2 VPN (L2VPN)/Virtual Private LAN Services (VPLS) MPLS
encapsulated packet format are supported.
Flow from a CE MAC and IP HDR magic pattern is not supported.
MPLS labels and EXP values are not supported as part of the flow key. If two different customers
using different MPLS labels but same IP address and UDP ports are on the same target, both are
mapped to the same video monitoring flow.
MDI-DF and IPDV cannot be configured on the same class-map.
RTP metric cannot co-exist with MDI or IP-CBR in the same class-map.
Clock rate support is limited to 90Khz. Jitter metric computation accuracy is not guaranteed if the
clock rate for packets is not 90Khz.
Performance-type policy-map is supported on switch-port trunk mode, access mode, and Dot1q
tunnel mode.
PPPoE control packets are not monitored.
These flows are not supported:

Fragmented IPv4 packets
Tunneled GRE, mGRE, L2TPv3, or multicast VPN
IPv6 and tunneled IPv6
MPEG transport streams where TS header is encrypted
The value of error-seconds metrics ranges from 0 to 1000.
Transport-availability and error-seconds metrics are not calculated for IP-CBR flows.
Static payload types 1 to 95 can only be mapped to the frequency option disable.
Video Monitoring is supported on the routed main interface, subinterfaces, switchports, and EVCs in
release 15.0(01)S.
Table 13-2 lists the inline video monitoring interface support for each release:
Table 13-2
Inline Video Monitoring Interface Support Per Release
Cisco IOS Release
Interfaces Supported
12.2(33) ZI
Main-interface, Sub-interface.
15.0(1)
Main-interface, Sub-interface, EVCs.
15.1(1)
Main-interface, Sub-interface, EVCs.
15.1(2)
Main-interface, Sub-interface, EVCs, L2

switch-port interface.
13-12
OL-16147-20
Chapter 13

Note
Video monitoring on EVC enables you to monitor video traffic on layer 2 networks.
Ingress and Egress Interfaces

Video Monitoring can be configured on both ingress and egress interfaces. The following types of
monitoring is allowed on these interfaces:
Ingress only monitoring
Egress only monitoring
Ingress and egress for the different flows on different ports.
Ingress and egress for the same flow
Monitored Video Flows

Video Monitoring feature supports only UDP traffic in release 15.0(01)S. The following flows are
monitored:
IP+UDP
Single program transport streams (SPTS) and multi-program transport streams (MPTS)
MPEG-2 and MPEG-4
MPLS+IP+UDP
IP+UDP+RTP
Alerts and Event Notifications

Alerts and notifications enable you to track the performance in a system. The flow of video can be
tracked and managed using alerts and event notification. Computed metric values are used to generate
alerts and event notifications.
Media Stop Events

Media Stop Event is triggered when no packets are received for at least eight seconds on a valid flow for
a configured interval. The reason for MSE can be:
Media Server failure
Upstream network failure
Genuine flow ending.
MSE interval causes invalidation of metrics data for up to two subsequent intervals. Metrics from these
invalidated intervals do not trigger any traps or reacts.
Threshold Crossing Alerts

Router reports the metric values at the end of the monitoring interval. The computed values are compared
with the configured threshold react range and an alarm is triggered if the computed value is not within
the configured range. The router relays the alerts to the management station through a SNMP trap
OL-16147-20
13-13
Chapter 13
notification. The alerts can be immediate or average. An immediate alert is triggered at the end of
monitoring interval if the metric value crosses the configured range. An average alert is sent based on
the average value, which is computed based on the last n monitored intervals.
Note
If two alerts are asserted for a same interval, the alert with lower profile-id is asserted. The alert profiles
with lower profile-id have higher priority.
Flow Monitoring and Metric Computation

This section describes how to configure the Video Monitoring feature and report the metrics.
Provisioning the Metric

Provisioning the metric involves creating a policy map, defining the filtering criteria, and applying the
policy map on an interface. A new policy map type performance-traffic is used for Video Monitoring.
The policy map contains a list of actions for the flow monitoring.
Note
The maximum number of class maps supported in a performance-traffic policy map is 50. The maximum
number of policy maps (including QoS and typed policy maps) supported on a router is 1023.
Follow these steps to configure video monitoring on an interface:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
access-list access-list-number permit ip {host} source destination
4.
class-map [match-any] class-map-name
5.
match access-group access-group-name | access-group-number
6.
exit
7.
policy-map type performance-traffic policy-map-name
8.
class class-map-name
9.
monitor parameters
10. df rfc4445 | ipdv

11. interval duration n-secs
12. timeout n-interval
13. history n-interval
14. exit
15. monitor metric {mdi | ip-cbr|rtp}
16. (optional) clock-rate dynamic-pt frequency
17. (optional) monitor pids pid1 [pid2] [pid3] [pid4] [pid5]
18. rate {media | layer3} {packet n-pps [pps] | n {bps | kbps | mbps | gbps}}
13-14
OL-16147-20
Chapter 13

19. packet {size media n-bytes | media in-layer3 n-packets}

20. react profile id-value {mdi-df | mdi-mdc | mdi-mlr | ip-cbr-mrv | ip-cbr-df | media-stop |
rtp-lost-fraction | rtp-jitter | rtp-max-jitter | rtp-lost-pkts | transport-availability |

error-seconds}
21. threshold {range range-value1 range-value2} | {[gt|ge|lt|le] value3} | {type [immediate | average
value4]}
22. action {syslog | snmp}
23. alarm severity {none | informational | notification | warning | error | critical | alert | emergency}
24. alarm type discrete
25. description character string
26. interface type number
27. (optional) service instance instance-number ethernet
28. service-policy type performance-traffic {input | output} {policy-map name}
29. exit
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
router> enable
Step 2
configure terminal
Example:
Step 3
access-list-number
source destination
access-list
permit ip [host]
Example:
router(config)# access-list 101 permit ip host
10.10.2.20 any
Identifies the flow to be monitored.

In this example, the traffic from the host 10.10.2.20 is
monitored. Video Monitoring feature supports both
standard and extended access-list.
Note
Classification based on IP address, precedence, and

DSCP values is supported for extended access list.
Note
The deny option for access-list command is not

supported. If deny option is configured under the
access-list command and the class-map configured
with the deny condition is part of the
performance-traffic policy map, the video traffic is
not monitored.
OL-16147-20
13-15
Chapter 13
Command or Action
Step 4
Step 5
Purpose
class-map match-any
class-map-name
Defines a class map.
Example:
router(config)# class-map match-any video-class
In this example, a class-map named video class is defined

with match criteria match any. The packets must meet any
of the match criteria in the class map video- class.
access-group-name
|access-group-number
Defines the access-group. Only IPv4 acls are supported for

Video Monitoring.
match access-group
Example:
router(config-cmap)# match access-group 101
Step 6
Exits class-map configuration mode.
exit
Example:
router(config-cmap)# exit
Step 7
Step 8
policy-map
name
Creates a performance-traffic type policy map and enters

the policy map configuration mode.
Example:
router(config)# policy-map type
performance-traffic video-monitor
In this example, the type of the policy-map is

performance-traffic and the policy-map name is
video-monitor.
policy-map type performance-traffic
class
class-map-name
Example:
router(config-pmap)# class video-class
Step 9
monitor parameters
Example:
router(config-pmap-c)# monitor parameters
Step 10
interval duration
n-secs
Example:
router(config-pmap-c-monitor)# interval
duration 30
Step 12
timeout
n-inteval
Example:
router(config-pmap-c-monitor)# timeout 200
Step 13
Step 14
In this example, the class map is video-class.

Enters the monitor parameters submode where you can
configure the flow related parameters.
Specifies the jitter buffer calculation mechanism.
df rfc4445 | ipdv
Example:
router(config-pmap-c-monitor)# df ipdv
Step 11
Specifies the traffic (class map) on which an action is to be

performed.
n-inteval
Note
By default, rfc4445 algorithm is selected.
Specifies the monitoring interval. The loss or jitter of

packets is calculated at the end of this interval. The
configurable range is 30 to 900 seconds. The default value
is 30 seconds. The interval value should be a multiple of 5.
Specifies the timeout for a flow. If no traffic is transmitted
within this interval, the monitoring is stopped. When the
flow times out, the resources linked with that flow are
released. The default value is 100 intervals.
Example:
router(config-pmap-c-monitor)# history 20
Specifies the last n-interval number of intervals that should

be maintained in the history table. The range is 1 to 180
intervals. The default value is 10 intervals.
exit
Exits the monitor parameter mode.
history
Example:
router(config-pmap-c-monitor)# exit
Step 15
monitor metric {mdi|ip-cbr|rtp}

Example:
router(config-pmap-c)# monitor metric mdi
Enters the monitor metric submode where you can

configure the metric related parameters.
In this example, the MDI metric is selected.
13-16
OL-16147-20
Chapter 13

Command or Action
Step 16
clock-rate
Purpose
dynamic_pt frequency
Example:
router(config-pmap-c-metric)# clock-rate 1 96
Step 17
(optional) monitor
pids pid1 [pid2] [pid3] [pid4]
Maps a dynamic PT value to the corresponding frequency

for each class-map. The available frequency options are:
148.5/1.001Mhz
148.5Mhz
27Mhz
Disable
Specifies the PIDs to monitor.
[pid5]
Example:
router(config-pmap-c-metric)# monitor pids
0x0011
Step 18
rate media
n (bps
| kbps | mbps | gbps)
Example:
router(config-pmap-c-metric)# rate media
2500031 bps
Specifies the expected media transfer rate. For the media

transfer rate, you have to specify the transfer rate unit. The
following units are available:
bps: Number of bits per second
kbps: Number of kilobits per second
mbps: Number of megabits per second
gbps: Number of gigabits per second
Note
Step 19
packet {size media n-bytes | count media

in-layer3 n-packets}
Example:
router(config-pmap-c-metric)# packet size media
188
Example:
router(config-pmap-c-metric)# packet count
media in-layer3 7
Step 20
For metric monitoring, you should configure

mdi-metric as rate media or ip-cbr metric as rate
layer3.
Specifies the layer 2 or layer 3 packet behavior. In general,

the keyword media refers to layer 2 video or audio frame
whereas layer 3 refers to network layer packet such as IP
layer packet.
The keyword size media specifies the encoding video or
audio frame size in bytes. The valid value is 188.
The keyword count media in-layer3 specifies the number
of MPEG frames within a single IP packet. The default
value is 7 and valid range is 1 - 7.
Exits the monitor metric mode.
exit
Example:
router(config-pmap-c-metric)# exit
Step 21
monitor metric {mdi|ip-cbr|rtp}

Example:
router(config-pmap-c)# monitor metric ip-cbr
Enters the monitor metric submode for IP-CBR where you

can configure the metric related parameters.
OL-16147-20
13-17
Chapter 13
Command or Action
Step 22
rate layer3 packet
Purpose
n [pps]
Example:
router(config-pmap-c-metric)# rate layer3
packet 300
Specifies the expected layer 3 transfer rate. The transfer rate

is configured in packets per second(pps).
For accurate metric computations, recommended pps
configuration should be three precision digits.
Note
Step 23
exit
For metric monitoring, you should configure

mdi-metric as rate media or ip-cbr metric as rate
layer3. If both the options are configured, ip-cbr
metric configuration takes precedence.
Exits the monitor metric mode.
Example:
router(config-pmap-c-metric)# exit
13-18
OL-16147-20
Chapter 13

Step 24
Command or Action
Purpose
react profile-id {mdi-df | mdi-mdc | mdi-mlr |

ip-cbr:mrv | ip-cbr:df | media-stop | rtp |
transport-availability | error-seconds}
Configures the react metrics. At the end of the interval,

values are compared with the configured threshold values.
If the systems exceeds these configured values, an alarm is
triggered.
This command enters the react submode where you can
configure the alarms and threshold values.
When the monitored interval for a flow expires, the
corresponding metric values are generated. These values are
compared to the threshold values you set here, and if the
threshold is crossed, an alarm is exported to the
management system.
You can specify multiple react commands. Each command
is differentiated by the argument operation-id value. The
react argument operation-id value should be unique within
a policy-map. The range of the argument operational
id-value is 1 to 65535. The react types are:
MDI Example:
router(config-pmap-c)# react 100 mdi-df
IP-CBR Example:
router(config-pmap-c)# react 200 ip-cbr-df
mdi-df
mdi-mdc
mdi-mlr
ip-cbr-mrv
ip-cbr-df
media-stop
rtp
transport-availability
error-seconds
Note
If you selected the media-stop option, you cannot

configure more than one react profile for a
class-map for react type media-stop.
A profile-id once used for a react type can not be reused for
any other react type until it is removed using the no react
profile-id react-type command.
OL-16147-20
13-19
Chapter 13
Step 25
Command or Action
Purpose
threshold {range range-value1 range-value2 } |

{[gt|ge|lt|le] value3 | {type [immediate |
average value4]}
Specifies the threshold related parameters.
range: Specifies the threshold range. The unit for this

boundary depends on react type in the react command.
If the react type is MDI:DF, the unit is msec. If the react
type is MDI:MLR, the unit is number of packets lost.
gt|ge|lt|le: Specifies the threshold range where gt

stands for greater than, ge stands for greater than or
equal to, lt stands for less than, and le stands for less
than or equal to.
You need to specify one value and threshold parameter.
In the following example, the threshold is between 100
and infinity:
threshold range gt 100
Example:
router(config-pmap-c-react)# threshold gt 4
router(config-pmap-c-react)# threshold type
average 5
Step 26
action {syslog | snmp}

Example:
router(config-pmap-c-react)# action syslog
Step 27
alarm severity {none | informational |

notification | warning | error | critical |
alert | emergency}
Example:
router(config-pmap-c-react)# alarm severity
none
Step 28
Step 29
The default type is immediate.

Enables the management system to log the
threshold-crossing events.
Specifies the alarm severity associated with a particular
react command.
The default value is none. The router does not generate
syslog message if alarm severity is set to none.
alarm type discrete
Specifies that discrete alarms are supported.
Example:
router(config-pmap-c-react)# alarm type
discrete
Note
description
character-string
Example:
router(config-pmap-c-react)# description
critical TCA
Step 30
type: Specifies the criteria for alarm assertion. If you

select the keyword immediate, an alert is triggered at
the end of monitoring interval if the metric value
crosses the configured range. If you select the keyword
average, the alarm is generated based on the average
value which is computed based on the value4 you set.
The range of the value4 is between 2 and the number
defined in the flow history.
Alarm groups are not supported for Video

Monitoring feature release 15.0(01)S.
Adds the comments for the submodes. Available for all the
submodes. The character-string cannot exceed 200
characters.
end
Example:
router(config-pmap-c-react)#end
Step 31
configure terminal
Example:
Enters the configuration mode.
13-20
OL-16147-20
Chapter 13

Command or Action
Step 32
interface
type number
Purpose
Configures the interface type and number.
Example:
router(config)# interface gig 1/2
Step 33
(optional) service instance instance-number

Ethernet
Example:
router(config)# service instance 1 Ethernet
Step 34
(optional) service-policy type

performance-traffic (input|output)
Configures the service instance for EVC.
Note
Applicable while configuring EVC.
Attaches the specified policy-map to the target EVC.
policy-map-name
Example:
router(config-if-srv)# service-policy type
performance-traffic input video-monitor
Step 35
Note
Applicable while configuring EVC.
exit
Example:
router(config-if)# exit
Example
The following example shows how to configure video monitoring feature on an interface:
Router(config)#policy-map type performance-traffic video-monitor
Router(config-pmap)#class video-class
Router(config-pmap-c)# monitor parameters
Router(config-pmap-c-monitor)# df ipdv
Router(config-pmap-c-monitor)#description mon
Router(config-pmap-c-monitor)#interval duration 30
Router(config-pmap-c-monitor)#history 30
Router(config-pmap-c-monitor)#timeout 10
Router(config-pmap-c-monitor)#exit
Router(config-pmap-c)#monitor metric ip-cbr
Router(config-pmap-c-metric)#rate layer3 packet 237.465 pps
Router(config-pmap-c-metric)#exit
Router(config-pmap-c)#monitor metric mdi
Router(config-pmap-c-metric)# monitor pids 0x0011
Router(config-pmap-c-metric)#rate media 2500031 bps
Router(config-pmap-c-metric)#packet count media in-layer3 7
Router(config-pmap-c-metric)#packet size media 188
Router(config-pmap-c)#react 1 ip-cbr-df
Router(config-pmap-c-react)#alarm severity critical
Router(config-pmap-c-react)#threshold type immediate
Router(config-pmap-c-react)#threshold ge 30.000
Router(config-pmap-c-react)#react 2 ip-cbr-mrv
Router(config-pmap-c-react)#alarm severity informational
Router(config-pmap-c-react)#threshold le -1.00000
Router(config-pmap-c-react)#react 3 mdi-df
Router(config-pmap-c-react)#threshold range 20.000 50.000
Router(config-pmap-c-react)#react 4 mdi-mlr
Router(config-pmap-c-react)#threshold gt 0
OL-16147-20
13-21
Chapter 13
Router(config-pmap-c-react)#react 5 media-stop
Router(config-pmap-c-react)#description for me
Router(config-pmap-c-react)#react 15 mdi-mdc
Router(config-pmap-c-react)#alarm severity notification
Router(config-pmap-c-react)#threshold gt 0
Router(config-pmap-c-react)#react 10 ip-cbr-mrv
Router(config-pmap-c-react)#exit
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface TenGigabitEthernet3/1
Router(config-if)#service-policy type performance-traffic input video-monitor
Router(config-if)#end
This example shows how to configure RTP metrics for video monitoring:
Router(config)#policy-map type performance-traffic video-monitor
Router(config-pmap)#class video-class
Router(config-pmap-c)# monitor parameters
Router(config-pmap-c-monitor)#description mon
Router(config-pmap-c-monitor)#interval duration 30
Router(config-pmap-c-monitor)#history 30
Router(config-pmap-c-monitor)#timeout 10
Router(config-pmap-c-monitor)#exit
Router(config-pmap-c)#monitor metric rtp
Router(config-pmap-c)#react 1 rtp-jitter
Router(config-pmap-c-react)#react 2 rtp-loss-rate
Router(config-pmap-c-react)#threshold le 50.00
Router(config-pmap-c-react)#react 3 rtp-max-jitter
Router(config-pmap-c-react)#threshold range 20.000 50.000
Router(config-pmap-c-react)#react 4 rtp-lost-pkts
Router(config-pmap-c-react)#threshold ge 10
Router(config-pmap-c-react)#react 5 media-stop
Router(config-pmap-c-react)#description for me
outer(config-pmap-c-react)#exit
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#interface TenGigabitEthernet3/1
Router(config-if)#service-policy type performance-traffic input video-monitor
Router(config-if)#end
Verifying the Configuration

Use the show policy-map type performance-traffic interface interface-name command to display all
the flows learnt on the specified interface.
Output for IPCBR/MDI:
13-22
OL-16147-20
Chapter 13

Router#show policy-map type performance-traffic interface gig 8/11

GigabitEthernet8/11
Service-policy input: video-swport
class-map: sw-vlan3
-----------------------------------------------------------------------------------------Mon-Interval(sec): 30, History(intvls): 5, Timeout(sec): 60, DF: rfc4445, Total Flows: 1
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2
Agg Value(Per Flow)
MDC
: 25200
MLR
: 25200
Port: 6300;
Src: 11.0.0.2
Avail(%)
: 100.000
Error_secs : 0.000
Port: 63
Pkt_cnt
MRV(%)
: 126002
: 0.00000
Error
Transport
Intvl Updated at Type
Pkt_cnt
MRV(%)/MLR
DF(msec)
MDC
Seconds Avail (%)
-----+----------+----+--------------+------------+----------+---------+--------+---------+
43
21:21:36 cbr
3000
0.00000
10.075
NA
NA
NA
43
21:21:36 mdi
3000
600
10.075
600
0.000
100.000
42
21:21:06 cbr
3000
0.00000
10.075
NA
NA
NA
42
21:21:06 mdi
3000
600
10.075
600
0.000
100.000
41
21:20:36 cbr
3000
0.00000
10.075
NA
NA
NA
41
21:20:36 mdi
3000
600
10.075
600
0.000
100.000
40
21:20:06 cbr
3000
0.00000
10.075
NA
NA
NA
40
21:20:06 mdi
3000
600
10.075
600
0.000
100.000
39
21:19:36 cbr
3001
0.03300
10.075
NA
NA
NA
39
21:19:36 mdi
3001
600
10.075
600
0.000
100.000
Output for RTP:
Router#show policy-map type performance-traffic interface gig 8/11 in class sw$

GigabitEthernet8/11
class-map: sw-rtp-vlan3
-----------------------------------------------------------------------------------------Mon-Interval(sec): 30, History(intvls): 5, Timeout(sec): 60, Total Flows: 1
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2 Port: 50000;
Src: 11.0.0.12 Port: 5000; rtp-ssrc:
3735927471
Agg Value(Per Flow)
Avail(%)
: 99.978
Loss_Intvls : 22
Resyncs
: 22
Pkt_cnt
: 1470026
Error_secs : 0.176
Pkt_exp
: 1481818
Pkt_lost : 11792
Intvl
Loss Err Trnsprt

Intvls Sec Avail
(%)
-----+----------+----+----------+----------+----------+---------+--------+--------+------50
21:25:01 rtp 30001 30001 0
0.00000 0.007 0.048
0.00
0
0.000 100.00
49
21:24:31 rtp 30000 30536 536 1.75530 0.007 0.048
536.00
1
0.008 99.973
48
21:24:01 rtp 30001 30001 0
0.00000 0.005 0.037
0.00
0
0.000 100.00
47
21:23:31 rtp 30000 30536 536 1.75530 0.008 0.048
536.00
1
0.008 99.973
46
21:23:01 rtp 30001 30001 0
0.00000 0.005 0.024
0.00
0
0.000 100.00
Note
Upd at
Type
Pkt
count
Exp Lost
pkts pkts
Loss
Jitter MaxJitter Avg.Loss
Rate(%) (msec) (msec)
Duration
Video-monitoring on ethernet service instance is supported on ScEompls, SVI based Eompls, VPLS,
EVC BD, and EVC local connect services.
OL-16147-20
13-23
Chapter 13
Use the show policy-map type performance-traffic interface interface_name aggregate command to
display the total number of flows on an interface:
Router#show policy-map type performance-traffic interface gig 8/11 aggregate
GigabitEthernet8/11
Total Number of flows
: 6
Use the show policy-map type performance-traffic interface interface_name brief command to
display brief description of all the metrics for all the flows on an interface.
Router#show policy-map type performance-traffic interface gig 8/11 brief
GigabitEthernet8/11
class-map: sw-vlan1
-----------------------------------------------------------------------------------------MRV(%)
Error Transport
FlowID Flow Key
Type Pkt_cnt /MLR
DF(msec) MDC Secs
Avail(%)
------------------ ------- ------ ------- --------1 21.0.1.2:63->32.0.1.2:5000,10:0
cbr 3000
0.00000 10.135
NA
NA
NA
1 21.0.1.2:63->32.0.1.2:5000,10:0
mdi 3000
600
10.135
600
0.000
100.000
-----------------------------------------------------------------------------------------Expected Lost Loss
Jitter
Lost
Err Transport
FlowID Flow Key
Pkts
Pkts Rate(%) (msec) Intvls Secs Avail
------ -------------- ------- ----- ----- -------1 21.0.1.3:63->32.0.1.2:50000,10:0, 30536
536
1.75530 0.000
1
0.008 99.973
3735927471
Use the show policy-map type performance-traffic interface interface_name cumulative command
to display cumulative metrics for the flows on a specified interface.
Router#show policy-map type performance-traffic interface gig 8/11 cumulative
GigabitEthernet8/11
class-map: sw-vlan1
-----------------------------------------------------------------------------------------Mon-Interval(sec): 30, History(intvls): 2, Timeout(sec): 60, DF: rfc4445, Total Flows:
1
-----------------------------------------------------------------------------------------FlowID Flow Key
MRV(%)
MDC
MLR
Error Secs
Avail (%)
------ ---------------------------------1 21.0.1.2:63-> 32.0.1.2:5000, 10:0
0.00000 32400 32400
0.000
100.000
-----------------------------------------------------------------------------------------FlowID FlowKey
Exp
Lost
Lost
Resyncs
Err
Avail
Pkts
Pkts
Intvls
Secs
------ ----------- ----------- ---------- ----1 21.0.1.3:63->32.0.1.2:50000,10:0,
1633428 13400
25
25
0.200 99.975
3735927471
13-24
OL-16147-20
Chapter 13

Use the show policy-map type performance-traffic interface interface_name input|output command
to display the data flow on an interface in a specified direction.
Router#show policy-map type performance-traffic interface gig 8/11 input
GigabitEthernet8/11
class-map: sw-vlan3
1
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2
Agg Value(Per Flow)
MDC
: 37200
MLR
: 37200
Port: 6300;
Src: 11.0.0.2
Avail(%)
: 100.000
Error_secs : 0.000
Port: 63
Pkt_cnt
MRV(%)
: 186003
: 0.00000
Error
Transport
Pkt_cnt
MRV(%)/MLR
DF(msec)
MDC
Seconds Avail (%)
-----+----------+----+--------------+------------+----------+---------+--------+---------+
65
21:32:36
cbr
3000
0.00000
10.075
NA
NA
NA
65
21:32:36
mdi
3000
600
10.075
600
0.000
100.000
64
21:32:06
cbr
3000
0.00000
10.075
NA
NA
NA
64
21:32:06
mdi
3000
600
10.075
600
0.000
100.000
63
21:31:36
cbr
3000
0.00000
10.075
NA
NA
NA
63
21:31:36
mdi
3000
600
10.075
600
0.000
100.000
62
21:31:06
cbr
3000
0.00000
10.075
NA
NA
NA
62
21:31:06
mdi
3000
600
10.075
600
0.000
100.000
61
21:30:36
cbr
3000
0.00000
10.075
NA
NA
NA
61
21:30:36
mdi
3000
600
10.075
600
0.000
100.000
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2 Port: 50000;
Src: 11.0.0.12 Port: 5000; rtp-ssrc:
3735927471
Agg Value(Per Flow)
Avail(%)
: 99.973
Loss_Intvls : 29
Resyncs
: 29
Pkt_cnt
: 1920034
Error_secs : 0.232
Pkt_exp
: 1935578
Pkt_lost : 15544
Pkt
Exp Lost Loss Jitter MaxJitter Avg. Loss Loss Err Transport
Intvl Updated Type count pkts pkts Rate(%) (msec) (msec) Dur.
Intvls Sec Avail(%)
-----+----------+----+----------+----------+----------+---------+--------+--------+------66
21:33:01 rtp 30000 30536 536 1.75530 0.005 0.048
536.00
1
0.008
99.973
65
21:32:31 rtp 30001 30001 0
0.00000 0.005 0.024
0.00
0
0.000 100.000
64
21:32:01 rtp 30000 30536 536 1.75530 0.006 0.048
536.00
1
0.008
99.973
63
21:31:31 rtp 30001 30001 0
0.00000 0.005 0.048
0.00
0
0.000 100.000
62
21:31:01 rtp 30000 30536 536 1.75530 0.005 0.024
536.00
1
0.008
99.973
Use the show policy-map type performance-traffic interface interface_name detail command to
display the detailed information for the latest interval of each flow.
Router#show policy-map type performance-traffic interface gig 8/11 detail
GigabitEthernet8/11
OL-16147-20
13-25
Chapter 13
class-map: sw-vlan3
1
-----------------------------------------------------------------------------------------Flow: 0001 Key: 11.0.0.2:63 -> 12.0.0.2:6300 Intervals : 1
Intvl# 68, Updated at 21:34:06.775 PDT Fri Jun 10 2011
Metric Type
: IP-CBR
MRV
: 0.00000%
DF(ms)
: 10.075
Packets
: 3000
Bytes
: 4296000
Metric Type
: MDI
MLR
: 600
MDC
: 600
Packets
: 3000
Bytes
: 4296000
DF(ms)
: 10.075
Error seconds
: 0.000
Transport Availability (%) : 100.000
-------------------------------------------------------------------------------------------Mon-Interval(sec): 30, History(intvls): 5, Timeout(sec): 60, Total Flows: 1
-------------------------------------------------------------------------------------------Flow: 0001 Key: 11.0.0.12:5000 -> 12.0.0.2:50000, 3735927471 Intervals : 1
Pkts Recieved : 30000
Pkts Exp
: 30536
Pkts Valid
:
Pkts Lost
: 536
Pkts Late
: 0
Pkts reord
:
Loss Rate (%) : 1.75530
Loss Intvls : 1
Avg Loss duration:
Jitter(msec) : 0.006
Max Jitter : 0.024
Resyncs
:
Error seconds : 0.008
Transport Availability (%) : 99.973
30000
0
536.00
1
Use the show policy-map type performance-traffic interface interface_name last n command to
display the last n number of intervals for each flow on an interface:
Router#show policy-map type performance-traffic interface gig 8/11 last 2
GigabitEthernet8/11
class-map: sw-vlan3
1
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2
Agg Value(Per Flow)
MDC
: 39600
MLR
: 39600
Port: 6300;
Src: 11.0.0.2
Avail(%)
: 100.000
Error_secs : 0.000
Port: 63
Pkt_cnt
MRV(%)
: 198003
: 0.00000
Error
Transport
Intvl Updated at
Type
Pkt_cnt
MRV(%)/MLR
DF(msec)
MDC
Seconds Avail (%)
-----+----------+----+--------------+------------+----------+---------+--------+---------+
69
21:34:36
cbr
3000
0.00000
10.075
NA
NA
NA
69
21:34:36
mdi
3000
600
10.075
600
0.000
100.000
68
21:34:06
cbr
3000
0.00000
10.075
NA
NA
NA
68
21:34:06
mdi
3000
600
10.075
600
0.000
100.000
13-26
OL-16147-20
Chapter 13


-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2 Port: 50000;
Src: 11.0.0.12 Port: 5000; rtp-ssrc:
3735927471
Agg Value(Per Flow)
Avail(%)
: 99.973
Loss_Intvls : 31
Resyncs
: 31
Pkt_cnt
: 2040036
Error_secs : 0.248
Pkt_exp
: 2056652
Pkt_lost : 16616
Intvl Updated
---- -----70 21:35:01
69 21:34:31
Pkt
Exp Lost Loss Jitter MaxJitter Avg. Loss Loss Err Transport
Type count pkts pkts Rate(%) (msec) (msec)
Dur.
Intvls Sec Avail(%)
--- ---- --- ----- -------- ----------------- ---- --rtp 30000 30536 536 1.75530 0.007 0.048
536.00
1
0.008 99.973
rtp 30001 30001 0
0.00000 0.007 0.048
0.00
0
0.000 100.000
Use the show policy-map type performance-traffic interface interface-name service instance
instance-number command to display all the flows learnt on the specified EVC:
Router#show policy-map type performance-traffic interface gig 8/11 ser in 1
GigabitEthernet8/11: EFP 1
Service-policy input: video-monitor
class-map: mpls
-----------------------------------------------------------------------------------------Mon-Interval(sec): 30, History(intvls): 5, Timeout(sec): 420, DF: rfc4445, Total
Flows: 1
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.1.2
Agg Value(Per Flow)
MDC
: 7803
MLR
: 7803
Port: 6300;
Src: 11.0.1.2
Avail(%)
: 100.000
Error_secs : 0.000
Port: 63
Pkt_cnt
MRV(%)
: 39001
: 0.00000
Error
Transport
Pkt_cnt
MRV(%)/MLR
DF(msec)
MDC
Seconds Avail (%)
-----+----------+----+--------------+------------+----------+---------+--------+---------+
21
22:20:04
cbr
3000
0.00000
10.135
NA
NA
NA
21
22:20:04
mdi
3000
600
10.135
600
0.000
100.000
20
22:19:34
cbr
3000
0.00000
10.248
NA
NA
NA
20
22:19:34
mdi
3000
600
10.248
600
0.000
100.000
19
22:19:04
cbr
3000
0.00000
10.134
NA
NA
NA
19
22:19:04
mdi
3000
600
10.134
600
0.000
100.000
18
22:18:34
cbr
3000
0.00000
10.135
NA
NA
NA
18
22:18:34
mdi
3000
600
10.135
600
0.000
100.000
17
22:18:04
cbr
3000
0.00000
10.229
NA
NA
NA
17
22:18:04
mdi
3000
600
10.229
600
0.000
100.000
class-map: rtp-mpls
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.1.2 Port: 50000;
Src: 11.0.0.13 Port: 63; rtp-ssrc:
3735927471
Agg Value(Per Flow)
Avail(%)
: 99.973
Loss_Intvls : 7
Resyncs
: 7
Pkt_cnt
: 420008
Error_secs : 0.056
Pkt_exp
: 423760
Pkt_lost : 3752
OL-16147-20
13-27
Chapter 13
Intvl Updated
---- -----21 22:20:09
20 22:19:39
19 22:19:09
18 22:18:39
17 22:18:09
Type
--rtp
rtp
rtp
rtp
rtp
Pkt
count
---30000
30001
30000
30001
30000
Exp Lost
pkts pkts
--- ----30000 0
30537 536
30000 0
30537 536
30000 0
Loss Jitter MaxJitter Avg. Loss Loss Err Transport

Rate(%) (msec) (msec)
Dur.
Intvls Sec Avail(%)
-------- ----------------- ---- --0.00000 0.006 0.048
0.00
0
0.000 100.000
1.75524 0.005 0.036
536.00
1
0.008
99.973
0.00000 0.008 0.048
0.00
0
0.000 100.000
1.75524 0.009 0.048
536.00
1
0.008
99.973
0.00000 0.006 0.048
0.00
0
0.000 100.000
************************************************************************
Use show running-config interface interface-name command to display detailed information about
interface:
router#sh running-config interface tenGigabitEthernet 7/21
no ip address
ip rsvp bandwidth
service-policy type performance-traffic input video_monitor_1
service-policy type performance-traffic output video_monitor_2
bridge-domain 101
service-policy type performance-traffic input video_monitor_1
service-policy type performance-traffic output video_monitor_2
bridge-domain 102
end
Use the show policy-map type performance-traffic interface interface_name match ipv4 source
ip-address mask destination ip-address mask command to display the flow matching the specified IPV4
source or destination IP.
Router#show policy-map type performance-traffic interface gig 8/11 match ipv4 source
11.0.0.12 255.255.255.255 destination 12.0.0.2 255.255.255.255
GigabitEthernet8/11
class-map: sw-vlan3
------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------Flow: 0001, IPV4;
Dest: 12.0.0.2 Port: 50000;
Src: 11.0.0.12 Port: 5000; rtp-ssrc:
3735927471
Agg Value(Per Flow)
Avail(%)
: 99.973
Loss_Intvls : 32
Resyncs
: 32
Pkt_cnt
: 2130038
Error_secs : 0.256
Pkt_exp
: 2147190
Pkt_lost : 17152
Pkt
Exp
Lost
Loss
Jitter
MaxJitter Avg. Loss
Loss
Err Transport
13-28
OL-16147-20
Chapter 13

Intvl Updated
---- -----73 21:36:31
72 21:36:01
71 21:35:31
70 21:35:01
69 21:34:31
Type count pkts pkts Rate (msec) (msec)

Dur.
Intvls Sec Avail(%)
--- ---- ------- -------- ----------------- ---- --rtp 30001 30537 536 1.75524 0.006 0.040 536.00
1
0.008
99.973
rtp 30000 30000
0
0.00000 0.009 0.048 0.00
0
0.000 100.000
rtp 30001 30001
0
0.00000 0.006 0.024 0.00
0
0.000 100.000
rtp 30000 30536 536 1.75530 0.007 0.048 536.00
1
0.008
99.973
rtp 30001 30001
0
0.00000 0.007 0.048 0.00
0
0.000 100.000
Note
The match option can be used with brief, cumulative, or detail options in the show command.
Note
The last option can be used with brief or detail options in the show command.
Troubleshooting the Inline Video Monitoring Implementation

The following section describes how to troubleshoot Video Monitoring.
Flow is not displayed in the show command

A flow is defined as unique traffic identified by the source and destination IP and port information.
When the flow path is not displayed by the show command, perform the following steps to identify
the problem:
1.
Check the interface statistics using the show interface interface-type slot/port command to
ensure that the traffic is flowing.
2.
Check the configuration of class-map and the ACL configured under the class-map to ensure
that the ACL is classifying the flows. The following example shows how to check the
configuration of a class-map:
ROUTER#show running-config class-map video-class
!
class-map match-any video-class
match access-group 102
!
end
ROUTER#
outer#sh access-lists 102
Extended IP access list 102
10 permit ip any host 200.0.0.2
3.
Note
Check whether the rate layer3 packet command or rate media command is configured under
the class using show policy-map type performance-traffic policy-map-name command.
The data flow path is not learnt for fragmented packets, MPLS packets, non-UDP protocols, and
tunneled packets.
The change in media rate does not affects the DF metrics.
Use the show policy-map type performance-traffic policy-map-name command to check if the
rate layer3 packet command is configured for the class. If the rate layer3 packet command is
configured for the class, the IP-CBR packet rate configuration is used for both the IP-CBR and MDI
metric calculations.
OL-16147-20
13-29
Chapter 13
DF value is returned even though the data flow stream is stable.

DF is used to determine the jitter buffer required to ensure effective utilization of buffer while
handling a stream. The minimum jitter buffer size is sufficient to receive a single packet. Therefore,
even when there is no impairment or delay in the stream, the DF is equal to an inter-packet-gap. This
DF value reported by the router when there is no impairment, is approximately equal to
1/packet-rate.
When packets are dropped, no message is triggered for MDI:DF even if the TCAs (reacts) are
configured for MDI:DF.
When there are drops seen in the stream, DF computed is incorrect. In such a case, where packets
are dropped in a stream(MLR), the computed DF is not used for triggering the message.
Show command output returns a dash (-).

Indicates that the metrics computed for that interval are invalid. This condition occurs during the
initial flow learn, when a policy-map is updated dynamically or when the next intervals on the MSE
are reported for the current interval.
Metrics cannot be configured under the default class (class-default).

Performance traffic functionality is not supported in the default class. The default class includes the
traffic that is not classified under any other class-maps and has no defined rate. It is not possible to
configure metric parameters for the default class.
TCA threshold messages are not triggered even when the metric value crosses the configured range.
Use the show policy-map type performance-traffic policy-map-name command to verify that the
alarm severity is not configured to none.
Uncertainty over the choice of right debug logs.

Complete the following steps to collect the output for the line card:
1.
Run the attach module-number command to connect to the line card.
2.
Run the show platform npc performance-traffic action np number interface classmap
command to display the class-map configuration on the line card.
3.
Run the show platform npc performance-traffic action np number interface result command
to display the class-map structure used by the microcode.
4.
Run the show platform npc performance-traffic action np number interface stats command
to print per flow statistics for the network processor.
5.
Run the show platform npc performance-traffic action np number stats command to print the
aggregate flow count in the network processor.
6.
Run the show platform npc performance-traffic classification all to print the classification
details for each class.
Supported MIBs
Video Monitoring supports the following MIBs. These MIBs are used for retrieving the data collected
by flow monitors.
CISCO-FLOW-MONITOR-TC-MIB: This MIB module defines the text conventions common to

the rest of the MIB modules.
CISCO-FLOW-MONITOR-MIB: This MIB module defines a framework that describes the flow
monitors supported by the system, the flows that are learned, and the flow metrics collected for those
flows.
13-30
OL-16147-20
Chapter 13

IP Tunneling - IPv6 Rapid Deployment
CISCO-MDI-METRICS-MIB: This MIB module defines objects describing quality metrics

collected for streams that comply to the Media Delivery Index (MDI).
CISCO-IP-CBR-METRICS-MIB: This MIB module defines objects describing quality metrics

collected for IP streams that have a Constant Bit Rate (CBR).
CISCO-RTP-METRICS-MIB: This MIB module defines objects that describe the quality metrics
of RTP streams.

The following sections describe the IPv6 Rapid Deployment (6RD) function.
Understanding IPv6 Rapid Deployment, page 13-31
Restriction for IPv6 Rapid Deployment., page 13-33
Configuring IPv6 Rapid Deployment on the Cisco 7600 series router Platform, page 13-34
Troubleshooting Tips, page 13-37
Understanding IPv6 Rapid Deployment

The 6RD deployment is an variant of the 6to4 feature, and allows a service provider to provide a unicast
IPv6 service to customers over its IPv4 network (using IPv6 encapsulation in IPv4).
For more information on 6to4 feature, see Cisco IOS IPv6 Configuration Guide, Release 12.2SR at:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel_ps6922_TSD_Products_Co
nfiguration_Guide_Chapter.html.
The differences between 6RD and 6to4 tunneling are:
6RD does not require IP addresses to have a 2002::/16 prefix. Therefore, the prefix can be from the
service provider's own address block. This function allows the 6RD operational domain to be within
the service provider network. From the perspective of customer sites and the general IPv6 internet
connected to a 6RD-enabled service provider network, the IPv6 service provided is equivalent to
native IPv6.
Not all the 32 bits from the IPv4 destination address are carried to the IPv6 payload header. The IPv4
destination is obtained from a combination of bits in the payload header and information on the
router. The IPv4 address is not at a fixed location in the IPv6 header as in the case with 6to4
tunneling.
Figure 13-1 shows a high-level view of the 6RD deployment.
OL-16147-20
13-31
Chapter 13
Figure 13-1
6RD Deployment
The service provider delegates a 6RD service provider prefix for the IPv6 deployment, using the IPv4
address bits.
Figure 13-2 shows how 6RD prefix delegation works.
Figure 13-2
6RD Prefix Delegation
13-32
OL-16147-20
Chapter 13

Figure 13-3 shows the 6RD prefix delegation topology.

Figure 13-3
6RD Prefix Delegation Topology
Restriction for IPv6 Rapid Deployment.

The IPv4 network facing the interface must be on the ES40 linecard.
Supported Features
Table 13-3 shows the list of supported and unsupported features for 6RD functionality.
Table 13-3
Supported and Unsupported Features
Feature
Supported
6RD BR mode
Yes
6RD CE mode
Yes
6RD tunnel
Yes
Scale
512
OL-16147-20
13-33
Chapter 13
Feature
Supported
MIBs
No
Linecards
ES40
VRF awareness
No
ISG Co-existence
No
Qos on Tunnels
No
Configuring IPv6 Rapid Deployment on the Cisco 7600 series router Platform
The following sections describe how to configure 6RD on the c7600 platform:
Configuring 6RD, page 13-34
Verifying the Configuration, page 13-37
Configuring 6RD
Complete the following steps to configure 6RD.
SUMMARY STEPS
Step 1
enable
Step 2
configure terminal
Step 3
Step 4
ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
Step 5
tunnel source {ip-address | interface-type interface-number}
Step 6
tunnel mode ipv6ip [6rd | 6to4 | auto-tunnel | isatap]
Step 7
mls 6rd reserve interface gigabitethernet/ tengigabitethernet
Step 8
tunnel 6rd prefix ipv6-prefix/prefix-length
Step 9
tunnel 6rd ipv4 {prefix-length length} {suffix-length length}
Step 10
exit
Step 11
interface type instance
Step 12
Step 13
ipv6 route { ipv6-prefix | prefix-length } tunnel tunnel-number
Step 14
exit
13-34
OL-16147-20
Chapter 13

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
interface tunnel
tunnel-number
Specifies a tunnel interface and enters the interface configuration mode.
Example:
tunnel 1
Step 4
ipv6 address
{ipv6-address/prefix-length |
prefix-name
sub-bits/prefix-length}
Specifies the IPv6 address assigned to the interface and enables IPv6 processing
on the interface.
Example:
Router(config-if)# ipv6
address
2001:B000:400::1/124
Step 5
tunnel source {ip-address |

interface-type
interface-number}
Specifies the source interface type and number for the tunnel interface.
Example:
Router(config-if)# tunnel
source loopback 0
Step 6
tunnel mode ipv6ip [6rd |

6to4 | auto-tunnel | isatap]
Configures a static IPv6 tunnel interface.
Example:
mode ipv6ip 6rd
Step 7
mls 6rd reserve interface

gigabitethernet/
tengigabitethernet
Redirects the IPv6 traffic to IPv4 core facing interface on the ES40 line card.
Example:
Router(config-if)# mls 6rd
reserve interface gig 9/5
OL-16147-20
13-35
Chapter 13
Step 8
Command or Action
Purpose
tunnel 6rd prefix

ipv6-prefix/prefix-length
Specifies the common IPv6 prefix on IPv6 rapid 6RD tunnels.
Example:
6rd prefix 2001:B000::/32
Step 9
tunnel 6rd ipv4

{prefix-length length}
{suffix-length length}
Specifies the prefix and suffix length of the IPv4 transport address common to all
the 6RD routers in a domain.
Example:
6rd ipv4 prefix-len 16
suffix-len 8
Step 10
exit
Exits configuration mode, and returns the CLI to privileged EXEC mode.
Example:
Step 11
interface
type instance
Enters interface configuration mode and names the new loopback interface.
Example:
loopback 0
Step 12
ip address
ip-address
Assigns an IP address and subnet mask to the loopback interface.
Example:
Router(config-if)# ip
address 10.1.4.1
255.255.255.255
Step 13
ipv6 route
ipv6-prefix/prefix-length
tunnel tunnel-number
Redirects 6RD specific traffic to the 6RD tunnel.
Example:
route 2001:b000::/32
tunnel 1
Step 14
end
Example:
This example shows how to configure 6RD.
Router# enable
13-36
OL-16147-20
Chapter 13

Router(config-if)# ipv6 address 2001:B000:400::1/124

Router(config-if)# tunnel source loopback 0
Router(config-if)# tunnel mode ipv6ip 6rd
Router(config-if)# mls 6rd reserve interface gig 9/5
Router(config-if)# tunnel 6rd prefix 2001:B000::/3
Router(config-if)# tunnel 6rd ipv4 prefix-len 16 suffix-len 8
Router(config-if)# ipv6 route 2001:b000::/32 tunnel 1

Use these commands to verify the configuration of 6RD on the Cisco 7600 series router:
Router# show tunnel 6rd tunnel 10
Interface Tunnel10:
Tunnel Source: 10.1.4.1
6RD: Operational, V6 Prefix: 2001:B000::/32
V4 Prefix, Length: 16, Value: 10.1.0.0
V4 Suffix, Length: 8, Value: 0.0.0.1
General Prefix: 2001:B000:400::/40
Router# show tunnel 6rd destination 2001:b000:800::12 tunnel 10
Interface: Tunnel10
6RD Prefix: 2001:B000:800::12
Router# show tunnel 6rd prefix 10.1.8.1 tunnel 10
Interface: Tunnel10
6RD Prefix: 2001:B000:800::
For troubleshooting information, contact Cisco Technical Assistance Center (TAC) at:
OL-16147-20
13-37
Chapter 13
VRF aware IPv6 Tunnels over IPv4 Transport

The current IPv6 tunneling feature on c7600 does not support Virtual Routing and Forwarding (VRF)
awareness. The forwarding table lookups for IPv6 overlay addresses and IPv4 transport addresses are
performed in the global routing tables. This feature extends the tunneling support for IPv6 overlay
addresses in VRF.
These scenarios explain the VRF aware IPv6 tunnel function:
IPv6 overlay address in VRF and IPv4 transport address in Global routing table (RT).
IPv6 overlay address in VRF and IPv4 transport address in VRF.
Figure 13-4 illustrates the topology for the IPv6 overlay address in VRF, and the IPv4 transport address
in VRF.
Figure 13-4
Topology for VRF aware IPv6 Tunnel
The VRF Aware IPv6 over IPv4 Tunnel can have any line card towards the core facing side.
.
Restrictions for VRF aware IPv6 tunnels

Following restrictions apply to the VRF aware IPv6 tunnels feature:
13-38
OL-16147-20
Chapter 13

This feature supports the IPv6IP and 6to4 tunnels mode.
Due to EARL limitation, the same source tunnels across VRFs are not supported.
The tunnel source and the tunnel destination should be in the same VRF instance.
The tunnel IPv4 transport addresses and the physical interface where the tunnel traffic exits, should be
in the same VRF instance.
The incoming IPv6 interface and the tunnel should be in the same VRF instance.
This feature does not support IPv6IP auto-tunnels and ISATAP.
Configuring VRF aware IPv6 tunnel

The following sections describe how to configure VRF aware IPv6 tunnel on c7600:
Configure IPv6 overlay addresses in VRF and IPv4 transport addresses in Global RT, page 13-39
Configure IPv6 overlay addresses in VRF and IPv4 transport addresses in VRF, page 13-45
Configure IPv6 overlay addresses in VRF and IPv4 transport addresses in Global RT
Complete the following steps to configure IPv6 overlay addresses in VRF and IPv4 transport addresses in
Global RT:
SUMMARY STEPS
Step 1
enable
Step 2
configure terminal
Step 3
ipv6 unicast-routing
Step 4
mls ipv6 vrf
Step 5
vrf definition vrf name
Step 6
rd {ASN:nn | IP address: nn}
Step 7
route-target [import | export | both]{ASN:nn | IP address: nn}
Step 8
address-family ipv6
Step 9
exit
Step 10
address-family ipv4
Step 11
exit
Step 12
exit
Step 13
Step 14
vrf forwarding vrf name
Step 15
Step 16
exit
Step 17
Step 18
Step 19
exit
OL-16147-20
13-39
Chapter 13
Step 20
interface loopback interface-number
Step 21
Step 22
exit
Step 23
Step 24
Step 25
Step 26
Step 27
tunnel destination {hostname | ip-address | ipv6-address}
Step 28
tunnel mode ipv6ip
Step 29
end
13-40
OL-16147-20
Chapter 13

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Enables the forwarding of IPv6 unicast datagrams.
Example:
Router(config)# ipv6
unicast-routing
Step 4
Enables IPv6 globally in a VRF instance.
mls ipv6 vrf
Example:
Router(config)# mls ipv6
vrf
Step 5
vrf definition vrf name
Configures a VRF instance and enters the VRF configuration mode.
Example:
Router(config)# vrf
definition VRF_RED
Step 6
rd {ASN:nn | IP address:
nn}
Example:
Specifies a route distinguisher (RD).
ASN:nn: Specifies an autonomous system number and an arbitrary number.
IP address: nn: Specifies an IP address and an arbitrary number.
Router(config-vrf)# rd 1:1
Step 7
route-target [import |
export | both]{ASN:nn | IP
address: nn}
Example:
Router(config-vrf)#route-ta
rget export 1:1
Router(config-vrf)#route-ta
rget import 1:1
Step 8
address-family ipv6
Example:
Creates a route-target extended community for a VRF instance. Route target

extended community attributes are used to identify a set of sites and VRF
instances that can receive routes with a configured route target.
import: Imports routing information from the target VPN extended

community.
export: Exports routing information to the target VPN extended community.
both: Imports both import and export routing information to the target VPN
extended community.
Selects an address family type for a VRF table and enters VRF address family
configuration mode. This command configures the separate route-target policies
for IPv6.
Router#(config-vrf)#address
-family ipv6
OL-16147-20
13-41
Chapter 13
Step 9
Command or Action
Purpose
exit
Exits the address family configuration mode.
Example:
Router#(config-vrf-af)#exit
Step 10
address-family ipv4
Example:
for IPv4.
Router#(config-vrf)#address
-family ipv4
Step 11
exit
Example:
Router#
(config-vrf-af)#exit
Step 12
exit
Exits the VRF configuration mode.
Example:
Router#(config-vrf)#exit
Step 13
slot/port
Enters the interface configuration mode and specifies the Gigabit interface to
configure.
Example:
Note

This command configures the interface towards the IPv6 network.
gigabitethernet 3/1
Step 14
Associates a VRF instance with an interface or a subinterface.
Example:
Router(config-if)#vrf
forwarding VRF_RED
Step 15
ipv6 address
{ipv6-address|prefix-length
| prefix-name sub-bits
|prefix-length}
on the interface.
Example:
Router (config-if)# ipv6
address 1::2/64
Step 16
exit
Example:
Router (config-if)#exit
13-42
OL-16147-20
Chapter 13

Step 17
Command or Action
Purpose
slot/port
configure.
Example:
Step 18
gigabitethernet 4/1
Note
Assigns an IP address and subnet mask to the interface.
Example:
Router(config-if)#ip
address 10.1.1.1
255.255.255.0
Step 19
exit
Example:
Step 20
interface loopback
interface-number
Note
This command configures a loopback interface for the tunnel source
Example:
Loopback 666
Step 21
Example:
address 66.66.66.66
255.255.255.255
Step 22
exit
Example:
Step 23
interface tunnel
tunnel-number

Note
This command configures the IPv6 tunneling over IPv4 Transport.
Example:
tunnel 666
Step 24

Note
Example:
This command specifies the VRF instance to which the tunnel belongs,
that is, the VRF instance used for IPv6 overlay address lookup.
Router# (config-if)#vrf
forwarding VRF_RED
OL-16147-20
13-43
Chapter 13
Command or Action
Step 25
ipv6 address
{ipv6-address/prefix-length
Purpose
|
prefix-name
on the interface.
Example:
address 3::1/120
Step 26
tunnel source {ip-address |

interface-type
interface-number}
Example:
source loopback 666
Step 27
tunnel destination
{host-name | ip-address |
ipv6-address}
Specifies the destination address for a tunnel interface.
Example:
destination 10.66.66.1
Step 28
tunnel mode ipv6ip [6rd |

6to4 | auto-tunnel |
isatap]
Example:
mode ipv6ip
Step 29
end
Example:
This example shows how to configure the IPv6 overlay addresses in VRF, and the IPv4 transport
addresses in the Global Routing Table:
Router# enable
Router(config)# ipv6 unicast-routing
Router(config)# mls ipv6 vrf
Router(config)# vrf definition VRF_RED
Router(config-vrf)# route-target export 1:1
Router(config-vrf)# route-target import 1:1
Router(config-vrf)# address-family ipv6
Router(config-vrf-af)# exit
Router(config-vrf)# (config-vrf-af)# exit
Router(config-vrf)# exit
13-44
OL-16147-20
Chapter 13

Router(config-if)# vrf forwarding VRF_RED

Router(config-if)# ipv6 address 1::2/64
Router(config)# interface Loopback 666
Router(config-if)# tunnel mode ipv6ip
Configure IPv6 overlay addresses in VRF and IPv4 transport addresses in VRF
Complete the following steps to configure IPv6 overlay addresses in VRF, and IPv4 transport addresses
in VRF:
SUMMARY STEPS
Step 1
enable
Step 2
configure terminal
Step 3
Step 4
mls ipv6 vrf
Step 5
vrf definition vrf name 1
Step 6
Step 7
route-target [import | export | both] {ASN:nn | IP address: nn}
Step 8
address-family ipv6
Step 9
exit
Step 10
address-family ipv4
Step 11
exit
Step 12
exit
Step 13
Step 14
Step 15
Step 16
address-family ipv4
Step 17
exit
Step 18
exit
Step 19
Step 20
vrf forwarding vrf name 1
Step 21
Step 22
exit
OL-16147-20
13-45
Chapter 13
Step 23
Step 24
Step 25
Step 26
exit
Step 27
Step 28
Step 29
Step 30
exit
Step 31
Step 32
Step 33
Step 34
Step 35
Step 36
tunnel mode ipv6ip
Step 37
tunnel vrf vrf name 2
Step 38
end
13-46
OL-16147-20
Chapter 13

DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
unicast-routing
Step 4
mls ipv6 vrf
Example:
vrf
Step 5
Example:
Router(config)# vrf
definition VRF_RED
Step 6
nn}
Example:
Step 7
address: nn}
Example:
Router(config-vrf)#route-t
arget export 1:1
arget import 1:1
Step 8
address-family ipv6
Example:

extended community attributes are used to identify a set of sites and VRF instances
that can receive routes with a configured route target.

community.
extended community.
Select san address family type for a VRF table and enters VRF address family
for IPv6.
Router(config-vrf)#address
-family ipv6
OL-16147-20
13-47
Chapter 13
Step 9
Command or Action
Purpose
exit
Example:
Router(config-vrf-af)#exit
Step 10
address-family ipv4
Example:
for IPv4.
-family ipv4
Step 11
exit
Example:
Router
Step 12
exit
Example:
Router(config-vrf)#exit
Step 13
Example:
Router(config)# vrf
definition VRF_GREEN
Step 14
nn}
Example:
Step 15
address: nn}
Example:
arget export 1:1
arget import 1:1
Step 16
address-family ipv4
Example:


community.
extended community.
for IPv4.
-family ipv4
13-48
OL-16147-20
Chapter 13

Step 17
Command or Action
Purpose
exit
Example:
Router
Step 18
exit
Example:
Step 19
slot/port
configure.
Example:
gigabitethernet 3/1
Step 20
Note

Example:
forwarding VRF_RED
Step 21
ipv6 address
{ipv6-address|prefix-lengt
h | prefix-name sub-bits
|prefix-length}
on the interface.
Example:
address 1::2/64
Step 22
exit
Example:
Router# (config-if)# exit
Step 23
slot/port
configure.
Example:
gigabitethernet 4/1
Step 24
Note

Example:
forwarding VRF_GREEN
OL-16147-20
13-49
Chapter 13
Step 25
Command or Action
Purpose
Example:
address 10.1.1.1
255.255.255.0
Step 26
exit
Example:
Step 27
interface loopback
interface-number
Note
Example:
Loopback 666
Step 28
Example:
Step 29
Example:
address 66.66.66.66
255.255.255.255
Step 30
exit
Example:
Step 31
interface tunnel
tunnel-number

Note
Example:
tunnel 666
Step 32

Note
Example:
This command specifies the VRF instance to which the tunnel belongs, that
is, the VRF instance used for IPv6 overlay address lookup.
forwarding VRF_RED
13-50
OL-16147-20
Chapter 13

Command or Action
Step 33
ipv6 address
Purpose
|
prefix-name
on the interface.
Example:
address 3::1/120
Step 34
tunnel source {ip-address

| interface-type
interface-number}
Example:
source loopback 666
Step 35
tunnel destination
ipv6-address}
Example:
Step 36
tunnel mode ipv6ip
Example:
mode ipv6ip
Step 37
Configures a VRF instance with a specific tunnel destination, interface or a

subinterface.
Example:
Note
vrf VRF_GREEN
Step 38
end
This command specifies the VRF instance used for tunnel IPv4 transport
address lookup, that is, the tunnel source and the tunnel destination.
Example:
This example shows how to configure the IPv6 overlay addresses in VRF, and the IPv4 transport
addresses in VRF:
Router# enable
OL-16147-20
13-51
Chapter 13

Router(config)# vrf definition VRF_GREEN
Router(config-if)# vrf forwarding VRF_GREEN
Router(config-if)# tunnel mode ipv6ip
Router(config-if)# tunnel vrf VRF_GREEN

Use these commands to verify the configuration of VRF aware IPv6 tunnel on c7600:
Router# show vrf vrf-red
Name
vrf-red
Default RD
100:1
Protocols
ipv4,ipv6
Interfaces
Tu666
Router# show interface tunnel 666

Tunnel666 is up, line protocol is up
Hardware is Tunnel
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 66.66.66.66 (Loopback666), destination 66.66.66.65
Tunnel Subblocks:
src-track:
Tunnel666 source tracking subblock associated with Loopback666
Set of tunnels with source Loopback666, 1 member (includes iterators), on
interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:07:00, output 00:02:39, output hang never
Last clearing of "show interface" counters 00:07:19
13-52
OL-16147-20
Chapter 13

Queueing strategy: fifo

Output queue: 0/0 (size/max)
L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 unknown protocol drops
OL-16147-20
13-53
Chapter 13
IPv6 over IPv4-GRE Tunnels

IPv6 traffic is carried over IPv4 generic routing encapsulation (GRE) tunnels using the standard GRE
tunneling technique. As in the manually configured IPv6 tunnels, GRE tunnels are links between two
points, with a separate tunnel for each link. The GRE tunnels provide stable connections that require
regular secure communication between two edge routers or between an edge router and an end system.
This feature supports VRF Aware IPv6 over IPv4-GRE Tunnel on the c7600.
Figure 13-5
Topology for VRF Aware IPv6 over IPv4-GRE
The VRF Aware IPv6 over IPv4 GRE tunnel must have ES+ line card towards the core facing side.
Restrictions for IPv6 over IPv4-GRE tunnel

Following restrictions apply to the IPv6 over IPv4-GRE tunnel:
The IPv4 tunnel facing interface must be on the ES+ line card.
The GRE tunnel key is not supported in the hardware.
13-54
OL-16147-20
Chapter 13

The IPv4 fragmentation after tunnel encapcapsulation is not supported in the hardware.
The fragmented IPv4 packets for tunnel decapsulation is not supported in the hardware.
The IPv4 GRE keepalives are supported, but the IPv6 GRE keepalives are not supported.
The keepalives are not supported when the VRF instances configured using the vrf forwarding and
tunnel vrf commands are different.
Due to EARL limitation, same source tunnels across VRFs are not supported.
This feature is not SSO compliant.
With scaled configurations, when changing the tunnel mode from IPv6 over GRE to IPv6IP and on
enabling the mls mpls tunnel-recirc command, the system didplays an error message with a
traceback.
Configuring IPv6 over IPv4-GRE tunnel

The following sections describe how to configure IPv6 over IPv4-GRE tunnel on the c7600 platform:
Configure IPv6 traffic over IPv4-GRE, page 13-55
Configure VRF Aware IPv6 over IPv4-GRE Tunnel, page 13-58
Configure IPv6 traffic over IPv4-GRE

Complete the following steps to configure IPv6 traffic over IPv4-GRE tunnel:
Step 1
enable
Step 2
configure terminal
Step 3
Step 4
Step 5
Step 6
exit
Step 7
Step 8
Step 9
exit
Step 10
Step 11
Step 12
exit
Step 13
Step 14
ipv6 enable
Step 15
Step 16
Step 17
Step 18
tunnel mode gre ip
Step 19
exit
OL-16147-20
13-55
Chapter 13
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
unicast-routing
Step 4
slot/port
configure.
Example:
gigabitethernet 3/1
Step 5
ipv6 address
|prefix-length}
Note

Specifies the IPv6 address assigned to the interface, and enables IPv6 processing
on the interface.
Example:
address 1::2/64
Step 6
exit
Example:
Step 7
slot/port
configure.
Example:
gigabitethernet 4/1
Step 8
Note

Example:
address 10.1.1.1
255.255.255.0
13-56
OL-16147-20
Chapter 13

Step 9
Command or Action
Purpose
exit
Example:
Step 10
interface loopback
interface-number
Note
Example:
Loopback 666
Step 11
Example:
address 66.66.66.66
255.255.255.255
Step 12
exit
Example:
Step 13
interface tunnel
tunnel-number
Note
Example:
tunnel 666
Step 14
Enables IPv6 processing on an interface not configured with an explicit IPv6

address.
ipv6 enable
Example:
enable
Step 15
ipv6 address
prefix-name
Specifies the IPv6 address assigned to the interface, and enables IPv6 processing
on the interface.
Example:
address 3::1/120
Step 16

| interface-type
interface-number}
Example:
source loopback 666
OL-16147-20
13-57
Chapter 13
Step 17
Command or Action
Purpose
tunnel destination
ipv6-address}
Example:
Step 18
tunnel mode gre ip
Sets the encapsulation mode for the tunnel interface to GRE.
Example:
mode gre ip
Step 19
end
Example:
This example shows how to configure IPv6 traffic over IPv4-GRE tunnel:
Router# enable
Router(config-if)# ipv6 enable
Router(config-if)# tunnel mode gre ip
Configure VRF Aware IPv6 over IPv4-GRE Tunnel

Complete the following steps to configure VRF Aware IPv6 over IPv4-GRE Tunnel:
Step 1
enable
Step 2
configure terminal
Step 3
Step 4
mls ipv6 vrf
Step 5
13-58
OL-16147-20
Chapter 13

Step 6
Step 7
Step 8
address-family ipv6
Step 9
exit
Step 10
address-family ipv4
Step 11
exit
Step 12
exit
Step 13
Step 14
Step 15
Step 16
address-family ipv4
Step 17
exit
Step 18
exit
Step 19
Step 20
Step 21
Step 22
exit
Step 23
Step 24
Step 25
Step 26
exit
Step 27
Step 28
Step 29
Step 30
exit
Step 31
Step 32
Step 33
Step 34
Step 35
Step 36
tunnel mode gre ip
Step 37
Step 38
end
OL-16147-20
13-59
Chapter 13
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Example:
Router# enable
Step 2
configure terminal
Example:
Step 3
Example:
unicast-routing
Step 4
mls ipv6 vrf
Example:
vrf
Step 5
Example:
Router(config)# vrf
definition VRF_RED
Step 6
nn}
Example:
Specifies an RD.
Step 7
address: nn}
Example:
arget export 1:1
arget import 1:1
Step 8
address-family ipv6
Example:


community.
extended community.
Select san address family type for a VRF table and enters VRF address family
for IPv6.
-family ipv6
13-60
OL-16147-20
Chapter 13

Step 9
Command or Action
Purpose
exit
Example:
Router(config-vrf-af)#exit
Step 10
address-family ipv4
Example:
for IPv4.
-family ipv4
Step 11
exit
Example:
Router
Step 12
exit
Example:
Step 13
Example:
Router(config)# vrf
definition VRF_GREEN
Step 14
nn}
Example:
Specifies an RD.
Step 15
address: nn}
Example:
arget export 1:1
arget import 1:1
Step 16
address-family ipv4
Example:


community.
extended community.
for IPv4.
-family ipv4
OL-16147-20
13-61
Chapter 13
Step 17
Command or Action
Purpose
exit
Example:
Router
Step 18
exit
Example:
Step 19
slot/port
configure.
Example:
gigabitethernet 3/1
Step 20
Note

Example:
forwarding VRF_RED
Step 21
ipv6 address
|prefix-length}
on the interface.
Example:
address 1::2/64
Step 22
exit
Example:
Step 23
slot/port
configure.
Example:
gigabitethernet 4/1
Step 24
Note

Example:
13-62
OL-16147-20
Chapter 13

Step 25
Command or Action
Purpose
Example:
address 10.1.1.1
255.255.255.0
Step 26
exit
Example:
Step 27
interface loopback
interface-number
Note
Example:
Loopback 666
Step 28
Example:
Step 29
Example:
address 66.66.66.66
255.255.255.255
Step 30
exit
Example:
Step 31
interface tunnel
tunnel-number

Note
Example:
tunnel 666
Step 32

Note
Example:
This command specifies the VRF instance to which the tunnel belongs ,
that is, the VRF instance used for IPv6 overlay address lookup.
forwarding VRF_RED
OL-16147-20
13-63
Chapter 13
Step 33
Command or Action
Purpose
ipv6 address
|prefix-length}
on the interface.
Example:
address 3::1/120
Step 34

| interface-type
interface-number}
Example:
source loopback 666
Step 35
tunnel destination
ipv6-address}
Example:
Step 36
tunnel mode gre ip
Sets the encapsulation mode for the tunnel interface to GRE.
Example:
mode gre ip
Step 37
Configures a VRF instance with a specific tunnel destination, interface or a

subinterface.
Example:
Note
vrf VRF_GREEN
Step 38
end
This command specifies the VRF instance used for tunnel IPv4 transport
address lookup, that is, the tunnel source and the tunnel destination.
Example:
This example shows how to configure VRF Aware IPv6 over IPv4-GRE Tunnel:
Router# enable
13-64
OL-16147-20
Chapter 13

Router(config)# vrf definition VRF_GREEN
Router(config-if)# tunnel mode gre ip
Router(config-if)# tunnel vrf VRF_GREEN

Use these commands to verify the configuration of IPv6 over IPv4-GRE tunnel on the c7600:
Router# show platform npc ipv6ogre interface tunnel 666
Tunnel666 is up, line protocol is up
Hardware is Tunnel
MTU 0 bytes, BW 10000000 Kbit/sec, DLY 0 usec,
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec)
Tunnel source 66.66.66.66 (Loopback666), destination 66.66.66.65
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Checksumming of packets disabled, vip tunneling enabled
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:08:54
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 unknown protocol drops
Platform information
Tunnel vlan
: 1026
Tun rsvd vlan : 1025
Phy vlan
: 1017
Tunnel id
: 0
HPLA addr
: 0x23AF10A0
OL-16147-20
13-65
Chapter 13
Router# show platform npc ipv6ogre egress-table 1026

IPV6OGRE egress table entry
eg_entry->match_cond
= 1
eg_entry->ent_valid
= 1
eg_entry->phy_vlan
= 1017
eg_entry->src_ip
= 66.66.66.66
eg_entry->dst_ip
= 66.66.66.65
eg_entry->smac
= 0012.44dc.9000
eg_entry->dmac
= 0018.7468.0000
eg_entry->eg_stats_id
= 639626 0x0009C28A
Raw dump
value: 00 00 3f 93 68 74 18 00 12 00 00 00 00 90 dc 44
value: aa 45 00 08 42 42 42 42 41 42 42 42 00 09 c2 8a
Router# show platform npc ipv6ogre tcam 1026
Dumping tcam for 1026 on NP 0
Key Decode :
Source
IP : 66.66.66.65 Mask : 00000000
Destination IP : 66.66.66.66 Mask : 00000000
Feature id
: 3 Mask : 00
Result Decode :
Vlan
: 1025
Statistics ID
: 0x9C287
..?.ht........\D
*E..BBBBABBB..B.
Raw output :
g_vmr.value : 42 42 42 42 42 42 42 41 03 00 00 00 00 00 00 00 00 00 E8 80
g_vmr.mask : 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF 64 A0
g_vmr.result: 04 01 01 03 00 09 C2 87
Dumping tcam for 1026 on NP 1
Key Decode :
Source
IP : 66.66.66.65 Mask : 00000000
Destination IP : 66.66.66.66 Mask : 00000000
Feature id
: 3 Mask : 00
Result Decode :
Vlan
: 1025
Statistics ID
: 0x9C28B
Raw output :
g_vmr.value : 42 42 42 42 42 42 42 41 03 00 00 00 00 00 00 00 00 00 E8 80
g_vmr.mask : 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF 64 A0
g_vmr.result: 04 01 01 03 00 09 C2 8B
Router# show platform npc ipv6ogre xlif 1026
Feature enable:
Feature bits:
Port:
Match cond
Entry valid:
Optimal Path en :
Dbus VLAN:
QoS policy ID:
ACL ID:
Statistics ID:
Inner rewrite VLAN:
Outer rewrite VLAN:
QoS flow ID:
IP Session en :
0x1
0x1
0x04
0x00
0x00
0x00
0x4
0x1
0x1
0x0
1017
0
0
0
0
0
0
0
13-66
OL-16147-20
Chapter 13

Feature data 0
Intf etype:
Multicast enable:
Post Filter Opcode
Pre Filter Opcode
Pre Tag Outer
Pre Tag Inner
Post Filter Vlan outer
EVC - MST:
EVC etype
CFM MEP Level
CFM MIP Level
CFM disable
MIP filtering
block_data: 0x0
block_l2bpdu: 0x1
sacl:
sacl index:
sacl statid:
Span Enable:
0x40C40010
0x00004242
0x00000001
0x00000004
0x00000000
0x00000010
0x000000C4
0x00000414
0x00000242
0x00000242
0x0
0x03F9
0x00000004
0x00000002
0x0
0x1
0x0
0x0000
0x00100
0x0

Feature enable:
Feature bits:
Port:
Match cond
Entry valid:
Optimal Path en :
Dbus VLAN:
QoS policy ID:
ACL ID:
Statistics ID:
Inner rewrite VLAN:
Outer rewrite VLAN:
QoS flow ID:
IP Session en :
Feature data 0
Intf etype:
Multicast enable:
Post Filter Opcode
Pre Filter Opcode
Pre Tag Outer
Pre Tag Inner
Post Filter Vlan outer
EVC - MST:
EVC etype
CFM MEP Level
CFM MIP Level
CFM disable
MIP filtering
block_data: 0x0
block_l2bpdu: 0x0
sacl:
sacl index:
sacl statid:
0x1
0x1
0x01
0x00
0x00
0x00
0x4
0x1
0x1
0x1
1017
0
0
0
0
0
0
0
0x00C40010
0x00008100
0x00000000
0x00000008
0x00000000
0x00000010
0x000000C4
0x00000000
0x00000100
0x00000000
0x0
0x0000
0x00000000
0x00000000
0x0
0x0
0x0
0x0000
0x00000
OL-16147-20
13-67
Chapter 13
IPv6 Policy Based Routing
Span Enable:
0x0

IPv6 policy-based routing (PBR) provides a flexible mechanism to route packets and define policy for
the traffic flows. It extends and complements the existing mechanisms provided by routing protocols.
PBR also provides a basic packet-marking capability.
PBR performs the following tasks:
Classifies traffic based on extended access list criteria. It provides access to lists and then establishes
the match criteria.
Sets IPv6 precedence bits and enables the network to differentiate classes of service.
Routes packets to specific traffic-engineered paths. You can route the packets to allow a specific
quality of service (QoS) through the network.
The Cisco 7600 Series Router implements this feature using the Earl7 forwarding engines capability to
classify traffic through an Access Control List (ACL) Ternary Content Addressable Memory (TCAM)
lookup. The ACL TCAM lookup classifies traffic based on the combination of a variety of Layer 3 and
Layer 4 traffic parameters. Once classified, the ACL TCAM drives results for matching flows. The
Feature Manager (FM) component converts the route map policy configured on an interface into a series
of values, masks and results (VMRs) and programs these in the ACL TCAM.
Policy Based Routing

All packets received on a PBR-enabled interface are passed through enhanced packet filters known as
route maps. Route maps are composed of statements that are marked as permit or deny, and they are
interpreted in these ways:
If a packet matches all match statements for a route map that is marked as permit, the router subjects
the packet to PBR using the set statements.
If the packet matches any match statements for a route map that is marked as deny, the router does
not subject the packet to PBR and forwards it normally.
If the statement is marked as permit and the packets do not match any route map statements, the
router sends the packets back through the normal forwarding channels and performs
destination-based routing.
Packet Matching
The IPv6 PBR match criterion for a sequence is specified through a combination of IPv6 access-lists and
packet length operations. Match statements are evaluated first by the criteria specified in the match ipv6
address command and then by criteria specified in the match length command. Therefore, if both an
13-68
OL-16147-20
Chapter 13

ACL and a length statement are used, a packet is first subjected to an ACL match. Only packets that pass
the ACL match are subjected to the length match. Finally, only packets that pass both the ACL and the
length statement are policy routed.
Packet Forwarding Using Set Statements

PBR for IPv6 packet forwarding is controlled using a number of set statements in the PBR route map.
Listed below are the forwarding actions in order of decreasing priority, and the manner in which these
options are reflected in the result from the VMRs programmed in the ACL TCAM. When more than one
kind of packet forwarding action is specified in a sequence, the one with the highest priority is chosen.
Table 13-4
Packet Forwarding Set Statements
Set Statement
Notes
set vrf vrf name
Specifies the VPN Routing and Forwarding (VRF) instance to

which the packet should be sent, based on packet attributes. By
default the VRF that a packet is forwarded on is the same as the
VRF that receives the packet.
set ipv6 next-hop next-hop ipv6

address
Specifies the next hop for the packet. The next hop must be present
in the Routing Information Base (RIB); it must be directly
connected, and it must be a global IPv6 address. If the next hop is
invalid, the set statement is ignored.
set interface next-hop interface
Specifies the next hop interface for the packet. A packet is

forwarded out of a specified interface. An entry for the packet
destination address must exist in the IPv6 RIB, and the specified
output interface must be in the path set. If the interface is invalid,
the set statement is ignored.
set ipv6 default next-hop

default next-hop ipv6 address
Specifies the connected next hop for the packet if the usual
forwarding method fails to produce the default result. It must be a
global IPv6 address. This set statement is used only when there is
no explicit entry for the packet destination in the IPv6 RIB.
set default interface default

next-hop interface
Specifies the default next-hop interface, from which the matching

packets are forwarded if the usual forwarding method fails to
produce a result. This set statement is used only when there is no
explicit entry for the packet destination in the IPv6 RIB.
Restrictions for IPv6 PBR

Following restrictions apply to the IPv6 PBR:
Match length is not supported in the hardware, and the PBR is applied to the software.
Packet marking actions are not supported in the hardware, and packets requiring marking due to
PBR are punted to the software.
Set interface is supported in the hardware only for the serial interface. Other interfaces are supported
on the software.
Packets containing an IPv6 hop-by-hop header need to be examined by the router and are punted to
the software. Such packets are subjected to PBR in the software.
OL-16147-20
13-69
Chapter 13
PBR policies using access-lists matching on IPv6 flow label, DSCP value and extension headers
such as, routing, mobility, destination headers cannot be fully classified in the hardware, and are
punted to the software after partial classification.
It is not possible to completely classify traffic in hardware, when access-lists matching on non
compressible addresses are used. In such cases, the PBR is applied to the software.
On Tycho based systems, fragment packets that require matching on layer 4 protocol are punted to
the software .
IPv6 PBR on SVI interfaces is applied to the software, and hardware provides only partial
classification.
IPv6 PBR when applied to hardware will also be applied on packets destined to a router address.
A set next-hop action where the next-hop is at the other end of a tunnel is not supported in the
hardware.
For set interface and set default interface, the interface should be a point-to-point one.
PBR is not applied to multicast traffic and the traffic destined to link local addresses.
When there is no traffic flow, the TCAM entry does not change from punt to policy-route.
Configuring IPv6 PBR

To configure, verify and troubleshoot the IPv6 PBR, see: : Configuring IPv6 PBR.
13-70
OL-16147-20
I N D EX
VPLS, using QinQ to place all VLANs into a single

VPLS 6-38
automatic FPD image upgrade
VPLS, VFI in the PE
(example)
disabling
configure terminal command
9-12
8-6
Configuring Bandwidth Guarantee on a Service

Group 7-72
9-6
re-enabling
6-44
9-6
Configuring Port Level Shaping Concurrent with 4HQoS

on ES+ 7-67
Configuring Private Host on Pseudoport on CWAN
Cards 4-365
B
Backup
Configuring Storm Control on Port Channels
4-39
backup interface for flexible UNI feature
4-127
Configuring UniDirectional Link Detection (UDLD)
4-39
BFD Over VCCV Control Channel, Support for Ethernet

AC 6-71
Detailed Steps
Disable UDLD on ports with configured EVC
4-368
BFD Sessions Supported on RSP720 Versions
Enable UDLD on Ports with configured EVC
4-367
4-381
bridge-domain command
4-35, 4-51, 4-58, 4-67, 4-77, 4-83,

4-92, 4-95, 4-99, 4-104, 4-126, 4-133, 4-202, 4-215, 4-220, 4-221, 4-225,
4-231, 4-233, 4-256
4-367
Reset the disabled UDLD on ports with configured

EVC. 4-368
Summary
4-366
UDLD Aggressive Mode

Create L2 Access List
4-366
4-61
Custom Ethertype
cautions, usage in text
i-xxiv
Examples
command syntax
conventions
4-115
Rewrite Rules
i-xxiii
4-112
Supported Rewrites
Configurable MPEG Video PIDs for Inline Video

Monitoring 13-7
4-113
Custom Ethertype, supported rewrites
4-113
Custom Ethetype on EVC interfaces
configuration example
VPLS, 802.1Q access port for untagged traffic from

CE 6-36
VPLS, 802.1Q Trunk for tagged traffic from the CE
device 6-35
VPLS, associating the attachment circuit with the VSI

at the PE 6-46, 6-50
deactivation, verifying for ES+ line
VPLS, L2 VLAN instance on the PE

VPLS, MPLS in the PE
6-40
6-41
8-5
8-2
debug hw-module command
6-43
VPLS, MPLS WAN interface on the PE
debug commands
4-114
8-2
DHCP snooping option-82 feature
4-64
OL-16147-20
IN-1
Index

drop command
FPDs (field-programmable devices), description
4-69
FTP server, downloading FPD images to
7-15, 7-16
9-1
9-7 to 9-8
encapsulation dot1q command
4-63, 5-6, 5-7, 7-84
encapsulation frame-relay ietf command 4-28, 4-50, 4-54,

4-58, 4-66, 4-76, 4-97, 4-99, 4-102, 4-104, 4-126, 4-133, 4-151, 4-170
error messages
8-2
ES+ line card

activation (example)
deactivating
8-6
restrictions
7-50
hierarchical virtual private LAN services (H-VPLS)
deactivation (example)
reactivating
hierarchical QoS
8-4
ISSU support
GE LAG with LACP on UNI with Advanced Load

Balancing 4-118
8-6
http
3-1
//www.cisco.com/en/US/docs/ios/ipv6/configuration/
guide/ip6-tunnel_ps6922_TSD_Products_Configurati
on_Guide_Chapter.html 13-31
8-4
1-2
//www.cisco.com/en/US/support/tsd_cisco_worldwid
e_contacts.html 4-55, 4-181, 13-37
Ethertypes
0x8100 802.1q
4-112
0x88a8 802.1ad
hw-module subslot shutdown command
8-6
4-112
0x9100 Q-in-Q
4-112
0x9200 Q-in-Q
4-112
4-49
IGMP/PIM snooping for VPLS pseudowire
EVC on port-channel
event tracer feature
8-2
Internet Protocol-Constant Bit Rate
IP-CBR
flexible QinQ mapping and service awareness
4-24
FPD image packages
4-35, 4-63, 6-3

13-7
5-3
4-75
5-3
9-10
9-7 to 9-8
modifying the default path

overview
ip igmp snooping command

ipv6 mld snooping command
displaying default information
13-5
13-7
IP source guard for service instance
9-4, 9-8
downloading
5-1

interface gigabitethernet command
caution
6-26
9-8
9-2
LACP over EVC Port Channel
version number requirements
9-3
configuration commands, configuration steps
4-83,
4-92, 4-202, 4-214, 4-230, 4-232, 4-245, 4-255
FPD images
displaying minimum and current versions
manually upgrading
upgrade scenarios
9-9
Verification
4-60, 4-252
LACP over EVC port channel
9-6
9-3
upgrading in production
9-5 to 9-6
IN-2
OL-16147-20
Index
configuration commands, configuration steps 4-8,

4-10, 4-11, 4-13, 4-57, 4-93, 4-95, 4-96, 4-98, 4-101, 4-103, 4-104,
4-106, 4-109, 4-110, 4-111, 4-204, 4-207, 4-218, 4-223, 4-257,
4-259, 4-261, 4-263, 4-265, 4-269, 4-279
Examples
4-58, 4-152, 4-172
LACP support for EVC port channel

LLQ
no upgrade fpd auto command
O
OIR
4-56
9-6
8-3, 8-4
onboard failure logging (OBFL)
7-40
load balancing
online diagnostics
6-57
8-7
8-7
online insertion and removal
8-3
M
MAC address security for EVC bridge-domain
marking
4-90
PFC QoS
7-22
match access-group command

match cos command
power enable module command

7-9
7-9
match mpls experimental command

match vlan inner command
MIBs, supported
Q
7-9
QoS
7-10
ingress trust
7-10
13-6
13-13
1-2
VPLS
policing
7-13
shaping
7-26
queue scheduling
6-1
6-23
7-31
MST on EVC bridge-domain
6-70
REP
4-79
4-210
Resilient Ethernet Protocol
4-33
multipoint bridging over Ethernet (MPBE)
4-33
4-210
Restrictions for MPLS-TP Support for Ethernet Access

Circuits 6-70
rewrite ingress tag command
4-35
RTP Metrics support for 7600 Inline Video

Monitoring 13-7
no power enable module command

notes, usage in text
7-55
6-14

MultiPoint
7-22
QoS on Port-Channel Member-Link Configuration

Examples 7-58
MPLS
traffic engineering
marking
7-4
Minimum Bandwidth Guarantee Plus Multiple

Policy 7-70
scalable EoMPLS
8-5, 8-6
7-9
match ip precedence command

match vlan command
7-66
Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping

State Synchronization 4-71
7-9
match input vlan command

match ip dscp command
7-47
7-8
7-8
match inner-cos command
Media Stop Event
8-4, 8-6
i-xxiv
OL-16147-20
IN-3
Index
Support for IP Delay Variation for 7600 Inline Video

Monitoring 13-6
S
service instance command
set cos command
4-35, 4-63, 4-120, 4-140, 6-3, 7-83
7-23
Support MPLS Encapsulation for 7600 Inline Video

Monitoring 13-7
7-24
Support PPPoE Encapsulation for 7600 Inline Video

Monitoring 13-9
set cos-inner cos command
7-24
Support Switch-Port Interfaces for 7600 Inline Video

Monitoring 13-9
set-dscp-transmit command
7-15, 7-16
Synchronous Ethernet Support
set cos cos-inner command

set cos-inner command
set ip dscp command
7-24
7-23
set ip precedence command
7-23
set mpls experimental imposition command
T
7-24
TE-FRR Support on VPLS LAG NNI
set-mpls-experimental-imposition-transmit
command 7-15, 7-16
set mpls experimental topmost command
Threshold Crossing Alerts

7-15,
7-16
set-prec-transmit command
SFPs, troubleshooting
shape peak command
9-7 to 9-8
13-13
i-xxiv
8-1, 8-3
Troubleshooting the Minimum Bandwidth Guarantee

Configuration 7-75
7-27
Troubleshooting the Port Level Shaping

Configuration 7-70, 7-92
7-27
7-26
show hw-module subslot command

show module command
9-9
show policy-map command
UDE on ES-20 Line cards
7-40
restrictions
7-40
show policy-map interface command

show queue command
8-5
show policy-map class command
7-40, 7-70
7-40
show running-config command

Spanning Tree Protocol
4-87, 4-346
upgrade fpd auto command
9-6, 9-7, 9-12
upgrade fpd path command
9-7, 9-8
upgrade hw-module subslot command
9-7
show upgrade package default command
9-7
9-10
4-210
storm control on switchports and ports having EVC

4-123
4-122,
V
Video Monitoring
Storm Control on Switchports and Ports Having

EVCs 4-123
STP
tips, usage in text

troubleshooting
7-15, 7-16
8-3
shape adaptive command
6-32
TFTP server, downloading FPD images to

7-24
set-mpls-experimental-topmost-transmit command
shaping
4-2
13-5
virtual private LAN services (VPLS)

associating attachment circuit with the VSI at the
PE 6-45
4-210
Supported Egress QoS Configurations

Supported Rewrites
basic configuration
6-34
configuration example
Range on C-Tag with a NNI

7-56
4-287
4-113
6-52
configuring MPLS in the PE
6-42
configuring MPLS WAN interface on the PE

configuring PE layer 2 interface to the CE
6-41
6-34
IN-4
OL-16147-20
Index
configuring the VFI in the PE

overview
6-24
restrictions
services
6-24
6-32
supported features
VPLS
6-43
6-31
6-23
VPLS (virtural private LAN service)
6-23
W
WAN PHY and OTN Support on ES+XC Combination
Line Cards 10-1
X
xconnect vfi command
5-3
OL-16147-20
IN-5
Index
IN-6
OL-16147-20

Mplsconfig Guide

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Mplsconfig Guide

Hochgeladen von

Copyright:

Verfügbare Formate

Cisco 7600 Series Ethernet Services Plus

(ES+) and Ethernet Services Plus T (ES+T)

Document Revision History

Related Documentation xxii

Obtaining Documentation and Submitting a Service Request

Whats Covered in This Document

Finding Platform-Independent Feature Information

Configuring High Availability Features

Configuring Layer 1 and Layer 2 Features

Cisco 7600 Synchronous Ethernet Support 4-2

Flexible QinQ Mapping and Service Awareness

Backup Interface for Flexible UNI 4-39

LACP Support for EVC Port Channel 4-56

DHCP Snooping Over p-mLACP 4-69

Pseudo-Multichassis LACP (p-mLACP) IGMP Snooping State Synchronization

Configuring MST on EVC Bridge Domain 4-79

CFM and PVST Co-Existence 4-107

Storm Control on Switchports and Ports Having EVCs 4-123

Asymmetric Carrier-Delay 4-135

Multichassis Support for LACP 4-147

Configuring Reverse L2GP for 7600

Configuring Static MAC Binding to EVCs and Psuedowires

Configuring Resilient Ethernet Protocol 4-210

802.1ah: Configuring the MAC Tunneling Protocol 4-274

Support for IEEE 802.1ad 4-287

Configuring Two-Way Delay Measurement 4-330

IP and PPPoE Session Support 4-344

Configuring Unidirectional Link Detection (UDLD) on Ports with EVCs

Dynamic Ethernet Service Activation 4-370

Control Plane Protection on Non Access Subinterfaces 4-377

Configuring Multicast Features

Multicast VLAN Registration 5-10

Configuring MPLS Features

Configuring Any Transport over MPLS

MPLS VPNL3VPN over GRE 6-6

Configuring MPLS Traffic Engineering Class-Based Tunnel Selection

Configuring H-VPLS with Port-Channel Core Interface 6-28

MPLS-TP Support for Ethernet Access Circuits 6-70

BFD Over VCCV Control Channel, Support for Ethernet AC 6-71

Debugging the BFD CCV

Supported Interfaces 7-3

QoS Functions 7-4

Configuring Policing 7-13

Configuring Shaping 7-26

Configuring QoS: L2 Overhead Specification for Shaping Parameters for Ethernet

EVCS QoS Support 7-52

IPv6 - Hop by Hop Rate Limiter 7-64

Port Level Shaping Concurrent with 4HQoS on ES+ 7-66

Minimum Bandwidth Guarantee Plus Multiple Policy 7-70

Configuring Flexible Service Mapping Based on CoS and Ethertype

Troubleshooting Layer 2 and Layer 3 QoS ACL Classification

Deny ACL QoS Classification 7-97

General Troubleshooting Information 8-1

Troubleshooting ES+ Transport Low Queue

Upgrading Field-Programmable Devices

FPD Quick Upgrade 9-1

FPD Image Upgrade Examples

WAN PHY and OTN Support on ES+XC Combination Line Cards

Configuring ITU-T G.709 Transport Modes 10-2

IPoDWDM Proactive Protection 10-24

Configuring Automatic Laser Shutdown 11-1

Information About Network Clocking

How to Configure Network Clocking 12-2

Configuring Layer 3 and Layer 4 Features