
Cisco Support Community


ASR9000/XR: Migrating from IOS to IOS-XR a starting guide


Thu, 10/01/2015 - 01:52

Alexander Thuijs Feb 21st, 2012


Introduction
This document aims to assist in a smooth migration from IOS to IOS-XR. Because the IOS-XR
operating system is fundamentally different in nature, and because of the way things have
been implemented specifically on the ASR9000 platform, this article collects a few key
items to think about and provides some pointers that prevent issues down the road and
help with proper planning for the move to the great ASR9000.

In this article the items are grouped per main topic:

Operating System
Monolithic vs Microkernel
Understanding the IOS-XR prompt and privilege levels/taskgroups
Memory architecture
NETIO and "slow switching"
Using show commands and the location keyword
RIB, FIB and adjacencies
Committing configurations and rollback points
Commit options
Rollback options
OSPF
Processes and Using OSPF as a PE-CE protocol
BGP
Capability advertisement
Using neighbor, peer and session groups
RPL
RPL and changes to the policy
InterAS
L2VPN
Matching configuration from 7600 to ASR9K for L2 Services
Spanning Tree
SVI and BVI
EFP
Converting IOS trunks into XR
SNMP

This is a "living document": we'll add more items as we see questions coming in that
have not been covered before, so watch the revision of the document to see if new items have
been added. I realize that this document is not complete; more will be added as we go.

Operating System
Monolithic vs Microkernel

One of the key differences between IOS and IOS-XR is the base operating system. Legacy IOS
is known to be a "monolithic" operating system. Effectively it is a run-to-completion model in
which some timesharing is done between processes. This model has worked out very well for
over 25 years, given the success of Cisco IOS based routers and switches. IOS also uses a
completely shared memory space.

Of course there are also drawbacks, which IOS-XR focuses on addressing.

One of these enhancements is that XR runs on a microkernel (QNX based), and the IOS-XR
processes run on top of that.

These processes run much like processes on a Linux based operating system. Effectively,
QNX gives us a K-Shell from which we can do similar things as on a Unix based OS.

At the IOS-XR prompt, typing "run" gives you access to the K-Shell. Although it is not
officially supported, it is sometimes handy to access the kshell to get hardware level
counters, or to access the file system to copy things around, etc.

The flexibility that IOS-XR gives with these processes is:

- ability to restart a process
- ability to patch a process (via a SMU, the software maintenance update)
- complete control plane and data plane separation (if e.g. OSPF crashes it doesn't affect the forwarding)
- control plane distribution (some functionality can be offloaded to the linecards, like netflow or BFD, for scale increase)

Understanding the IOS-XR prompt and privilege levels/taskgroups

IOS has a very simple prompt with a host name followed by a sign that identifies the "mode"
that you are in, whether that is privileged exec or regular exec etc.

For instance:
CPE#

or

CPE>

IOS-XR prompt looks like this:

RP/0/RSP0/CPU0:A9K-BNG#

The way to interpret it is as follows:

RP: We are looking at a route processor.

0: Currently we are attached to shelf 0. In the case of multichassis (CRS) or clustering
(ASR9000) we can link multiple chassis together to function as a single entity; this number
identifies which shelf of that logical node we are looking at.

RSP0: Which RSP we are connected to. In the case of dual RSPs the lower slot ID is RSP0 and
the higher slot ID is RSP1. Generally you always log on to the active RSP via telnet, which can
then be either RSP1 or RSP0.

CPU0: Today we only have a single (multicore) CPU on the RSP and linecards. This would
identify the CPU we are working with in case CPU's are added to the system.

:hostname: This is the well-known part, the hostname.

Note that the complete prompt always ends with a hash '#' sign, which suggests
that you are in privilege 15 mode.

IOS-XR does NOT have the concept of privilege levels but instead uses task group
authorization.

To learn more about using task groups in IOS-XR, see this picture.

Some key differences and highlights between 7600/IOS and ASR9000/XR

Common part
- Both share the same EVC SW infrastructure
- Feature parity for the flexible VLAN tag classification, VLAN tag rewrite and service mapping

7600 IOS
- VLAN tag classification, rewrite and service mapping are all done at the port level (with some exceptions), which is classic IOS CLI
- Introduced service instance configuration mode for better L2VPN scale
- Legacy switchport feature support in parallel (but can't co-exist with EVC on the same port)

ASR 9000 IOS-XR
- De-coupled port level and service configuration. VLAN tag classification and rewrite are done at port level. L2VPN services are configured in the l2vpn module
- Uniform sub-interface CLI for both L2 and L3 service, no additional service instance structure
- Common infrastructure for native L2 and MPLS based L2VPN service

Matching configuration from 7600 to ASR9K for L2 Services

A very comprehensive overview of the EVC model is found on this link.

Spanning Tree

The ASR9000 only supports full MSTP and no other spanning tree protocol.

It is possible to use PVST in PVST-AG (Access Gateway) mode.

The "AG" version of MST or PVST gives you the ability to run these protocols in a P2MP
VPLS deployment without the need to run the full protocol set. It is basically designed around
the 9K PE's being the root, advertising pre-canned BPDU's and receiving the TCN's from the
access switches to trigger MAC withdrawal.

More info on VPLS and ASR9000 is here.

Running spanning tree (not the AG version) together with IOS requires you to be aware of
the concept of VLAN pruning, which IOS does and XR is not aware of.

Migrating spanning tree from 7600 to ASR9000 can be a complex task. IOS switches run STP
by default, and you need to disable it explicitly if you don't want to run it. The ASR9000 does
not run any spanning tree protocol by default, and you need to enable it explicitly.

Also, the way that BPDU's are handled in XR/ASR9000 depends on your configuration.

The following scenarios cover a few of the design migrations you need to be aware of.

This section tries to cover both MSTP and PVST. The key difference between these 2 protocols
is that MSTP sends BPDU's untagged and PVST sends tagged BPDU's on the vlans that are PVST
enabled.

One of the first decisions you need to make is whether you want the A9K's to be part of the
spanning tree design or to be transparent to it.

There are pros and cons to each option.

The first picture below shows a design whereby the ASR9000's are NOT part of the spanning
tree topology.

If you have defined an untagged EFP like this:

interface GigabitEthernet0/0/0/P.1 l2transport
 encapsulation untagged

you will capture the MSTP BPDU's and make them subject to the service that is attached to
this untagged EFP.

This can either be a cross connect (p2p) or a bridge domain (p2mp). The difference between
XCON and BD is that an XCON transparently takes whatever comes in on the Attachment Circuit
(AC) and sends it to the other side (whether that is a physical interface again or a
PseudoWire). An XCON can only have 2 interfaces.

A bridge domain can have multiple EFP's and also employs MAC learning. If the destination
MAC is not known, or is a broadcast/multicast MAC address, the frame gets "flooded" to all
EFP's in the bridge domain except for the originating EFP (split horizon).

OK, so in this design, with the knowledge from above, the BPDU's from switch X are sent via
interfaces X and Y to PE1 and PE2.

PE1 takes the BPDU's from the untagged EFP and sends them transparently to PE2 over
interface M to Switch B's interface U.
In other words, Switch A and B see each other as directly connected neighbors. The A9K's are
completely transparent, acting as a transparent L2 wire.

This STP design will block one of the 4 (X, Y, U or V) interfaces to break the loop.

Design 1

If you were to have a bridge domain on PE1 and a pseudowire between PE1 and PE4, the
BPDU *also* gets sent to PE4, arriving on interface V.
This model, whereby the 9k's are transparent to STP, cannot be used with a full mesh of
PseudoWires.

The design that you see above is generally seen by "accident", when it is forgotten that the
switches run STP by default and the 9k transparently passes everything on.

"Solutions" are to break the loop manually and to use an L2ACL to block the MSTP BPDU's from
traversing your 9K's.

In the scenario where you do want the 9k's to participate in spanning tree, you basically
create two STP "islands" on the left and right side.
The 9k's now terminate the spanning tree coming from the switches. A full PW mesh is
possible, and this is also one of the designs where the AG version of the STP protocol becomes
very useful.

Switch A sees PE1 and PE2 as neighbors.

Design it such that PE1 and PE2 are root and backup root.

The configuration for this design is to put interface P into the STP configuration so that
BPDU's are sent and received.

Design 2

The effects of the design scenarios and the relation to the spanning-tree protocol in use are
pretty much the same for both MSTP and PVST.

What happens when you follow design 1 or 2 in relation to the EFP configuration associated
with it is discussed below, separated out between the two key STP's.

More detailed configurations and VPLS designs are discussed in this article.

Let us evaluate the various configuration options that you have when defining your EFP's with
and without spanning tree.

MSTP

Scenario 1 in this picture above is the model that you want to use in the design option "2".
There is no untagged EFP necessary in this case, and BPDU's received are punted and locally
generated BPDU's are injected directly into the port to the switch.

Scenario 2 describes a situation whereby people sometimes want to peel out their untagged
traffic and transport it while still running MSTP on the 9k as in design "2". This is problematic
today for a few reasons:

1) Received BPDU's are subject to the untagged EFP service definition and will get
forwarded. The local MSTP configuration injects BPDU's.

2) This causes the locally connected switch to see BPDU's from the VPLS remote side
(switch B) as well as from PE1.

3) It will cause MSTi mismatches and unexpected blocked ports.

Scenario 3 can be used for "design option 1". We don't have any local configuration for STP,
so we're not injecting anything, we are sending the BPDU's across as per the EFP service
definition.

Note:
Scenario 2 is, however, recognized as a design we need to support. Starting with
XR421, scenario 2 will work as follows:

If there is an untagged EFP *and* local STP config on the PE, THEN we will NOT forward the
BPDU's, but punt them for local STP handling.

We will continue to inject local BPDU's towards the locally connected switch.

In other words, if you have untagged traffic that you want to transport, but not the BPDU's,
this will work in XR421. Today, you will get the behavior described above in scenario 2.

If your intent is to use design option 1 and you want to forward untagged traffic (config
scenario 3), but you don't want to forward the BPDU's, then you must apply an L2 ACL to the
untagged EFP to deny the DMAC used for (MSTP) BPDU's.

The ACL definition is discussed in this article in the related information section.

PVST

The story above doesn't change that much when we are considering PVST.

However there are some minor tweaks caused by the fact that PVST BPDU's are vlan tagged.

Scenario 1 is used in design option "2", whereby you want your A9K's to participate in PVST.
Note that we don't do full PVST, but PVST-AG (access gateway), which means that we send
the BPDU's on the EFP's for the respective vlans, take the BPDU's received on these vlans,
and react to them with MAC withdrawal. The configuration scenario looks like this:

!EFP's
interface GigabitEthernet0/0/0/P.10 l2transport
 encapsulation dot1q 10
...etc

!service definitions
l2vpn
 bridge group VLANS
  bridge-domain vlan-10
   interface GigabitEthernet0/0/0/P.10
  bridge-domain vlan-20
   interface GigabitEthernet0/0/0/P.20
...etc

!spanning-tree config
spanning-tree pvst-ag
 interface GigabitEthernet0/0/0/P.10
 interface GigabitEthernet0/0/0/P.20
 interface GigabitEthernet0/0/0/P.30

HOT HOT HOT HOT

Scenario 2 is a common issue that we see causing a lot of trouble. This config scenario
does NOT have any local PVST configuration, but if the adjacent switches have PVST enabled
(and that can be the default!!) then we transparently pass on the BPDU's on those vlans as
part of the EFP's service definition! The PVST BPDU's arrive at the remote side, and what can
be worse is that if we are doing vlan manipulation in terms of tag rewriting with pop or push
operations, the remote side receives BPDU's meant to describe vlan 10, but received as
VLAN X after the rewrite!

This scenario can be the intended design as described in design option "1" above.

Scenario 3 is a remedy for scenario 2. Basically we use an L2ACL that blocks any BPDU's
received on the EFP's so that we are not confusing the switches on either end. Alternatively
you can also disable STP on the switches connected to the 9k PE's. We apply L2 ACL's that
block a particular DMAC that is used for the PVST BPDU's (see

This issue described here above is something you MUST be aware of.

The ACL definition is discussed in this article in the related information section.
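
The MSTP and PVST scenarios above can be checked mechanically before a cutover. The following Python audit is an added example, not code from the original article or from Cisco: it classifies each EFP by what happens to the BPDU's a peer switch sends into it. The sample configuration and the verdict names are constructed for this example, interface names are assumed to be written the same way everywhere, and the two BPDU destination MACs are the well-known IEEE and PVST+ addresses rather than values taken from this page.

```python
import re

# Well-known BPDU destination MACs (general knowledge, not taken from the page).
BPDU_DMAC = {"untagged": "0180.c200.0000",  # IEEE STP/RSTP/MSTP, sent untagged
             "dot1q": "0100.0ccc.cccd"}     # Cisco PVST+, sent VLAN-tagged

# Constructed sample configuration; ACL, region and port names are hypothetical.
SAMPLE = """\
ethernet-services access-list BLOCK-PVST
 10 deny any host 0100.0ccc.cccd
 20 permit any any
!
interface GigabitEthernet0/0/0/1.1 l2transport
 encapsulation untagged
!
interface GigabitEthernet0/0/0/1.10 l2transport
 encapsulation dot1q 10
 rewrite ingress tag pop 1 symmetric
!
interface GigabitEthernet0/0/0/1.20 l2transport
 encapsulation dot1q 20
 ethernet-services access-group BLOCK-PVST ingress
!
interface GigabitEthernet0/0/0/2.30 l2transport
 encapsulation dot1q 30
!
interface GigabitEthernet0/0/0/3.1 l2transport
 encapsulation untagged
!
spanning-tree mst REGION1
 interface GigabitEthernet0/0/0/1
!
spanning-tree pvst-ag
 interface GigabitEthernet0/0/0/2.30
!
"""

def stanzas(text):
    """Yield (header, body_lines) for every top-level configuration stanza."""
    header, body = None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            if header:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header:
        yield header, body

def audit(text):
    """Map each l2transport EFP to a verdict on what happens to peer BPDUs."""
    acls, efps, stp = {}, {}, {"mst": set(), "pvst": set()}
    for header, body in stanzas(text):
        words = header.split()
        if words[:2] == ["ethernet-services", "access-list"]:
            # DMACs this L2 ACL drops via "deny any host <mac>".
            acls[words[2]] = {m.group(1).lower() for l in body
                              if (m := re.search(r"deny any host (\S+)", l))}
        elif words[0] == "interface" and words[-1].startswith("l2trans"):
            efp = {"encap": None, "rewrite": False, "acl": None}
            for l in body:
                if l.startswith("encap"):
                    efp["encap"] = l.split()[1]
                elif l.startswith("rewrite ingress tag"):
                    efp["rewrite"] = True
                elif l.startswith("ethernet-services access-group") and l.endswith("ingress"):
                    efp["acl"] = l.split()[2]
            efps[words[1]] = efp
        elif words[0] == "spanning-tree" and len(words) > 1:
            kind = "pvst" if words[1].startswith("pvst") else "mst"
            stp[kind] |= {l.split()[1] for l in body if l.startswith("interface ")}
    report = {}
    for name, efp in efps.items():
        port, kind = name.split(".")[0], efp["encap"]
        if BPDU_DMAC.get(kind) in acls.get(efp["acl"], set()):
            verdict = "filtered"             # L2 ACL drops the BPDU DMAC on ingress
        elif kind == "untagged" and port in stp["mst"]:
            verdict = "mst-conflict"         # MSTP scenario 2 (forwarded and injected before XR 4.2.1)
        elif kind == "dot1q" and name in stp["pvst"]:
            verdict = "pvst-ag"              # PVST scenario 1: EFP listed under PVST-AG
        elif efp["rewrite"]:
            verdict = "transparent+rewrite"  # BPDU's cross the service and the tag is rewritten
        else:
            verdict = "transparent"          # BPDU's cross the service unchanged (design 1)
        report[name] = verdict
    return report

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:32} {verdict}")
```

Any EFP reported as transparent should be either an intentional design option "1" or given an L2 ACL or local STP configuration before switches with STP enabled are connected to it.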

SVI and BVI

The concept of a Switch Virtual Interface and a Bridge Virtual Interface is the same: an
L3 endpoint in an L2 environment.

The SVI is a switch concept and the BVI is an L3 concept generally seen on routers.

The BVI interface in IOS-XR/ASR9000 has some restrictions well documented in the CCO
documentation for BVI.

Use this reference to setup IRB (Integrated Route Bridging) using the BVI.

EFP

When you set up your Ethernet Flow Point (EFP), especially the untagged one, you can
run into unexpected scenarios.

For instance, when you have an untagged EFP and you are running full MSTP, the 9K will be
able to inject BPDU's towards the peer, but the peer's BPDU's are subject to the service of the
untagged EFP and may get forwarded. This results in MSTP conflicts on your peer device.

With XR 4.2.1 we'll have the ability to automatically peel out the BPDU's from the untagged
EFP when MSTP configuration is present.

More info here.

Also the forwarding of vlan traffic out of an EFP and vlans has a few things that you need to
be aware of, documented in this article.

Converting IOS trunks into XR

Because the IOS-XR EVC model is not aware of trunks the way IOS devices are, the conversion
from an IOS trunk to an XR EVC based config can be a bit confusing at first. This configuration
example documents how to convert an IOS trunk to an XR EVC model:

IOS:

interface TenGigabitEthernet13/3
 description my-trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4,130,133
 switchport mode trunk
 no ip address

interface Vlan4
 ip address 10.11.2.1 255.255.255.0

XR:

The translation will be:

interface TenGigE0/0/0/0
 description my-trunk-like-xr-interface

Define the EFP's with their respective vlan tags. Because a BVI is used we need to pop the tag
so that "inside" the bridge-domain we see untagged packets. On egress, the vlan tag will be
slapped on as per the EFP definition. Effectively, we create a bridge-domain per vlan.

interface TenGigE0/0/0/0.4 l2transport
 encapsulation dot1q 4
 rewrite ingress tag pop 1 symmetric

interface TenGigE0/0/0/0.130 l2transport
 encapsulation dot1q 130
 rewrite ingress tag pop 1 symmetric

interface TenGigE0/0/0/0.133 l2transport
 encapsulation dot1q 133
 rewrite ingress tag pop 1 symmetric


The l2transport keyword makes these subinterfaces switchports for L2 services.

For the switchport trunk allowed vlans, and the interface vlan X, you need to do the following:

First create the BVI interfaces:

interface BVI4
 ipv4 address 10.4.1.10 255.255.0.0

interface BVI130
 ipv4 address 10.130.1.1 255.255.0.0

interface BVI133
 ipv4 address 10.133.1.1 255.255.0.0

Note that the BVI interface number doesn't necessarily need to be the same as the VLAN
identifier; the same goes for the subinterface number of the l2transport interface. For this
example, though, the practice is followed of making the BVI number the same as the dot1q tag
value and the same as the EFP subinterface number, for clarity.

Then you need to create the bridge group to tie it all together.

l2vpn
 bridge group MyTrunks
  bridge-domain VLAN4
   interface TenGigE0/0/0/0.4
   routed-interface BVI4
  bridge-domain VLAN130
   interface TenGigE0/0/0/0.130
   routed-interface BVI130
  bridge-domain VLAN133
   interface TenGigE0/0/0/0.133
   routed-interface BVI133

The bridge group is just a non-functional configuration hierarchy to tie several
bridge-domains together as part of the same functional group. Functionally it is no
different from creating multiple individual groups with their domains, as opposed to
one group with multiple domains.
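
The conversion steps above can be automated for trunks with an explicit allowed-VLAN list. The following Python sketch is an added example, not a Cisco tool or code from the original article: it parses an IOS trunk and its SVIs and renders the XR EFP, BVI and bridge-domain configuration in the layout shown above. The target port name, the bridge group name and the helper names are assumptions chosen for illustration, and the sample input is constructed from the page's IOS example.

```python
import re

# Constructed IOS input, modelled on the trunk example in this section.
IOS_SAMPLE = """\
interface TenGigabitEthernet13/3
 description my-trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4,130,133
 switchport mode trunk
 no ip address
!
interface Vlan4
 ip address 10.11.2.1 255.255.255.0
!
"""

def expand_vlans(spec):
    """'4,130-132' -> [4, 130, 131, 132]; rejects IDs outside 1-4094."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.extend(range(lo, hi + 1))
    return sorted(set(vlans))

def parse_ios(text):
    """Return (trunk ports, {vlan: (ip, mask)}) found in IOS configuration text."""
    ports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = {"name": line.split(None, 1)[1].replace(" ", ""), "desc": None,
                   "allowed": None, "trunk": False, "ip": None}
            ports.append(cur)
        elif cur is not None:
            if m := re.match(r"description (.+)", line):
                cur["desc"] = m.group(1)
            elif m := re.match(r"switchport trunk allowed vlan ([\d,\- ]+)$", line):
                cur["allowed"] = expand_vlans(m.group(1))
            elif line == "switchport mode trunk":
                cur["trunk"] = True
            elif m := re.match(r"ip add(?:ress)? (\S+) (\S+)$", line):
                cur["ip"] = (m.group(1), m.group(2))
    # A trunk without an explicit allowed list carries every VLAN on IOS; XR has
    # no equivalent, so such ports are skipped and must be reviewed by hand.
    trunks = [p for p in ports if p["trunk"] and p["allowed"]]
    svis = {int(m.group(1)): p["ip"] for p in ports
            if p["ip"] and (m := re.fullmatch(r"Vlan(\d+)", p["name"], re.I))}
    return trunks, svis

def to_xr(trunk, svis, xr_port, group="MyTrunks"):
    """Render the XR EVC equivalent of one IOS trunk as configuration text."""
    out = [f"interface {xr_port}"]
    if trunk["desc"]:
        out.append(f" description {trunk['desc']}")
    out.append("!")
    for v in trunk["allowed"]:          # one EFP per allowed VLAN, tag popped
        out += [f"interface {xr_port}.{v} l2transport",
                f" encapsulation dot1q {v}",
                " rewrite ingress tag pop 1 symmetric", "!"]
    for v in trunk["allowed"]:          # a BVI only where IOS had an SVI
        if v in svis:
            ip, mask = svis[v]
            out += [f"interface BVI{v}", f" ipv4 address {ip} {mask}", "!"]
    out += ["l2vpn", f" bridge group {group}"]
    for v in trunk["allowed"]:          # one bridge-domain per VLAN
        out += [f"  bridge-domain VLAN{v}", f"   interface {xr_port}.{v}"]
        if v in svis:
            out.append(f"   routed-interface BVI{v}")
        out.append("  !")
    out += [" !", "!"]
    return "\n".join(out)

if __name__ == "__main__":
    trunks, svis = parse_ios(IOS_SAMPLE)
    print(to_xr(trunks[0], svis, "TenGigE0/0/0/0"))
```

VLANs without an SVI get a bridge-domain with no routed-interface, which preserves the VLAN isolation of the EVC model instead of silently creating L3 endpoints.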

SNMP
Because XR, as you've seen throughout this document, is heavily distributed, SNMP, being a
component that potentially requests data from every feature or functionality, relies very
heavily on IPC's to get its info. Sometimes it feels as if show commands or SNMP perform
slower in a next generation OS like XR, but this is because of these IPC's.

Also, because IOS-XR employs the concept of "SDR" or Secure Domain Routers (CRS specific),
some restrictions apply to the way that SNMP operates.

Significant performance options have been put in place. For instance, when you get the stats
for an interface, rather than sending an IPC for one interface, we collect a "bulk" of info for
the next X interfaces as well, since you might do a getnext for the next interface in line.

Some "standard" data like the Entity info depends on loading the MGBL pie, which gives
access to these MIBs, and special config is needed to expose this info to the SNMP
agent. See here for more detail on that.

Related Information
More ASR9000 and XR related documents

Xander Thuijs, CCIE #6775

Sr Tech Lead ASR9000



Comments

ahmed zaidi Tue, 09/29/2015 - 00:17

Hello Xander,

I have one question please about configuration mapping from IOS to XR.

I need to translate this configuration:

route-map TOTO permit 1
 match ip address 1
 set ip next-hop X.X.X.X

Could you please help me ?

Many Thanks

Ahmed

Eddie Chami Tue, 09/29/2015 - 00:30

Ahmed,

It's done in a single-line ABF statement that is then attached ingress to an interface.

https://supportforums.cisco.com/document/145271/abf-acl-based-forwarding-asr9k

Eddie.


ahmed zaidi Tue, 09/29/2015 - 00:38

Hi Eddie,

Many thanks. Can I also attach it to a BVI interface?

Many Thanks,

Ahmed

Eddie Chami Tue, 09/29/2015 - 00:42
Yes, in most instances one can; just check the ABF support matrix in the link I sent you.

Eddie.


ahmed zaidi Tue, 09/29/2015 - 03:12

Hi Eddie,

OK thanks, but I have a problem with the BVI interface when I attach it to a BVI interface

RP/0/RSP0/CPU0:R1(config)#show configuration failed


Tue Sep 29 11:00:45.832 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.

interface BVI600
ipv4 access-group TOTO
!!% 'pfilter-ea' detected the 'resource not available' condition 'Failed on applying ACL based
forwarding rule to non-ingress interface'
!
end

Eddie Chami Tue, 09/29/2015 - 04:08

What sort of line cards do you have? Do a show platform; this isn't supported on the Gen1
(trident) line cards. Please check the matrix and confirm you have the supported hardware.

Eddie.

ahmed zaidi Thu, 10/01/2015 - 00:35

Hello Eddie,

Now it's OK, many thanks for your help :). I have a last question.

Could you please tell me what location means in this case?

RP/0/RSP0/CPU0:C1#sh access-lists Toto hardware ingress location ?


0/0/0 Fully qualified location specification
0/0/1 Fully qualified location specification
0/0/CPU0 Fully qualified location specification
0/1/0 Fully qualified location specification
0/1/1 Fully qualified location specification
0/1/CPU0 Fully qualified location specification
0/2/0 Fully qualified location specification
0/2/1 Fully qualified location specification
0/2/CPU0 Fully qualified location specification
0/3/0 Fully qualified location specification
0/3/1 Fully qualified location specification
0/3/CPU0 Fully qualified location specification
0/4/0 Fully qualified location specification
0/4/CPU0 Fully qualified location specification
0/RSP0/CPU0 Fully qualified location specification
0/RSP1/CPU0 Fully qualified location specification
WORD Fully qualified location specification

Br,
Ahmed

Eddie Chami Thu, 10/01/2015 - 01:09

In XR, location is a linecard slot. In your case above 0/0/CPU0 is the linecard in slot 0. 0/0/0 is
the MPA in slot 0. It's CPU-less, whereas 0/0/cpu0 is the LC and has a CPU. In distributed
systems information is at times kept locally on the LC, so the location xyx/cpu0 is used to fetch
information kept on that LC.

Eddie.


ahmed zaidi Thu, 10/01/2015 - 01:52

OK, many thanks :)

Ahmed

Munkhbat Tseren... Sun, 07/05/2015 - 22:55

Hello Xander!

Your posts helped me a lot through my studies and research. I also have
other questions; the first one I'm going to ask you is: can you tell me about the
sysdb architecture? The sysdb directories (namespace)? How are the planes
separated, and how is that managed by sysdb, or to sysdb?

Regards,

Munkh


Alexander Thuijs Mon, 07/06/2015 - 08:30

hi Munkh,

I think I may have something, it may benefit others also I think, would you mind raising the
question on the discussions piece of the xr os and platforms forum then I'll pull something
together for you so that when people search for sysdb they find our discussion and everyone
can benefit from it?

sounds good?

xander

Munkhbat Tseren... Mon, 07/06/2015 - 16:13

Hi Xander,

Sounds very good, and I have started the discussion -

https://supportforums.cisco.com/discussion/12550556/ios-xr-system-databasesysdb


Pedro Morais Tue, 06/25/2013 - 04:06

Hi Xander,

Very nice reading. Two questions:

1. How to troubleshoot high memory utilization in XR?

2. As far as I know, in XR it is not possible to have an ipsla responder inside a VRF? Is this
correct? Any idea if this is in roadmap?

Thanks.

Regards,

PM

Alexander Thuijs Tue, 06/25/2013 - 05:38

Hi Pedro, thank you!

Mind you that memory utilization is different in XR than it is for IOS.

If a process reports 80% utilization it is just saying it uses 80% of its allocated block.

Block allocation growth can be normal, for instance for BGP when you load more paths.

You can locate the memory utilization per process function if that is of interest, but that
will probably result in a PC that you need symbol files for to correlate to an allocating function.

If you suspect a mem leak (which is rather rare in XR) then best to open a TAC case.

VRF aware IPSLA is on the planning, we're trying to get that in XR432, but this is not yet set in
stone.

regards

xander

Pedro Morais Tue, 06/25/2013 - 06:51

Hi Xander,

Thanks for your prompt reply.

About the high memory utilization, I have a single PE (A9K) in a bunch of 100, with around
30% of physical memory free (1205M available in a RSP2). Strangely, or not, this is one of the
less loaded devices. All the other PEs have around 50% of physical memory free (2188M
available). Does this look normal?

About 432, do you have an ETA for it?


Regards,

Pedro

Alexander Thuijs Tue, 06/25/2013 - 09:21

That shouldn't be a worry directly Pedro.

Some processes may have allocated the memory, released it in terms of no longer in use but
not returned to the system.

It is like what MAC OSX calls inactive, which can be retrieved if necessary.

It is the way that Linux/QNX manages memory.

You could look at a process memory individually to check out what the precise utilization is.

If it is allocating and keeps on allocating it may be a problem obviously.

But free phy mem is not necessarily a sign of an issue like it was in IOS.

If you'd like to triage this further I would recommend opening a new discussion on that, or
alternatively open a TAC case if it is a concern.

XR4.3.2 is end of august/early september target.

cheers

xander

Pedro Morais Tue, 06/25/2013 - 10:09

Hi Xander,

Thank you very much for all your help. I'll open a TAC case since the client is slightly worried about
this.

Cheers,

Pedro

rakeshsekhar Tue, 05/21/2013 - 16:50

Hi Xander,

I understood what you said. But one thing I need to know: if a customer has 8
vlans in a single site, should the provider create 8 bridge domains in the PE routers for
handling the single customer site?

Alexander Thuijs Wed, 05/22/2013 - 08:03

Rakesh: that is correct. This is the positive and negative of the EVC model.

In the EVC model the 9k has, by default one interface vlan 10 is not necessarily connected to
another interface vlan 10, UNLESS you put them in the same bridge domain.

So there is vlan isolation by nature.

The other side of this is that you need to define a bridge domain for every vlan you want to
transport.

regards

xander


rakeshsekhar Tue, 05/21/2013 - 07:33

Hi Xander,

Thanks for your valid response. May I clarify one more thing? I know that in tagged mode
of VPLS (packet encapsulation on a PW), any packet to the PW must carry a P-TAG. That means
the service provider adds a service vlan-id (Q-in-Q encaps) for identifying each customer
service. My doubt is this: for example, does the service provider allocate (represent) only one
service id for each customer even if a customer has 6 vlans in the site (LAN)? I already posted
this question in the community, but I didn't get any valid response. Please share the knowledge.

Alexander Thuijs Tue, 05/21/2013 - 10:55

That is not correct Rakesh, there is no mandatory need for a provider tag or any tag on the
PW.

The tag requirement is what we call a type-4 PW and there is really no need to have that.

(In fact BGP autodiscovery only does type 5 PW's anyway.) You can perfectly well use plain
ethernet over your PW's (so tags popped on ingress on your EFP), since your bridge domain is
the equivalent of a vlan anyway (generally speaking, that is).

xander


manuv1984 Thu, 03/07/2013 - 06:00

Hi Xander,

May I know how I can configure option-A inter-AS on the ASR9k? Please guide me to
configure it.

manuv1984 Fri, 03/08/2013 - 08:35

Hi Xander,
Thank you very much for your explanation I want to generate the MED in BGP for
the corresponding value of hop count (metric) in RIP. Please give me a reply.


manuv1984 Mon, 03/11/2013 - 07:49

Hi Xander,

Thanks for your reply.

manuv1984 Sun, 03/10/2013 - 10:23

Hi Xander,

Can I create for any lookup miss in the vrf table to be resolved in the Global
routing table, if available.

Thanks,

Alexander Thuijs Mon, 03/11/2013 - 08:48

Here is an example to import routes from the global table into the vrf:

route-policy dyna-route-leak-8-x
  if destination in (8.0.0.0/24) then
    pass
  endif
end-policy

vrf vrf1
 address-family ipv4 unicast
  import from default-vrf route-policy dyna-route-leak-8-x
  import route-target
   1:1
  !

manuv1984 Thu, 04/18/2013 - 10:49

Hi Xander,

Thanks for your reply. Along with this, may I know how I can configure the lookup to be done
in the GRT (if prefixes are available) if there is any lookup miss in the vrf table, i.e.
destination prefixes must be leaked from the vrf to the GRT.


Alexander Thuijs Thu, 04/18/2013 - 10:52

That would defeat the purpose of RPF; it would only look in the routing table where the
interface resides, as it is supposed to. We can't do any configuration to make the RPF check
other tables.

we can make it more flexible (that is LOOSE mode, with a reachable via ANY, as opposed to
RX).

xander

rakeshsekhar Tue, 04/23/2013 - 07:24

Hi Xander,

Which types (versions) of STP are supported by the ASR 9k in the L2VPN domain? Does it
support only MSTP? Please give me your reply.



Alexander Thuijs Tue, 04/23/2013 - 07:29

We support MSTP, which is compatible with RSTP (802.1d-2004), but not legacy STP. The
AG side (that is, paying attention to TCN only) works with PVST and MSTP.

In XR, I want to say 5.1 (but it may be 5.2 also), we will support full PV(R)ST.

One thing that I want to make sure is the following: when you say L2VPN, that sounds like a
VPLS design.

In VPLS, you can use MST-AG, REP-AG and PVST-AG.

When we're talking spanning tree outside the scope of VPLS, we only do MSTP right now, and
PV(R)ST in 51/52.

regards!

xander

rakeshsekhar Tue, 04/23/2013 - 08:15

Hi Xander,

Thanks for your reply. Yaah, exactly I meant vpls. If we want, can we disable the
learning of new MAC addresses into the VPLS FIB for each service(vpls) instance ??

Alexander Thuijs Tue, 04/23/2013 - 08:47

Rakesh, if you stop learning new mac addresses we have to define an action also.

That is stop the forwarding, or flooding. We can also limit the number of mac addresses that
can be learnt in a BD.

RP/0/RSP0/CPU0:A9K-BNG(config-l2vpn-bg-bd)#mac limit action ?

flood Stop learning but continue flooding

no-flood Stop learning and stop flooding

shutdown Stop forwarding

You can also associate an action to the mac learning limit defined:

RP/0/RSP0/CPU0:A9K-BNG(config-l2vpn-bg-bd)#mac limit notification ?

both Generate syslog message and SNMP trap

none No notification

trap Generate SNMP trap

Not to be nit picky about terminology but FIB pertains to L3 routing and forwarding. FIB is the
forwarding information base that gets compiled out of the RIB (routing information base) and
that is used in L3 scenarios.
In L2 environments we use the Mac table (or what catalyst called CAM tables for the longest
time) that defines where the mac address that we want to switch to is found.

regards!

xander

manuv1984 Mon, 04/29/2013 - 08:39

Hi,

Please let me know how L2VPN forwards frames. I know L3VPN a little bit. In
L3VPN, the RD is added to the IPv4 prefix to get vpnv4 (96 bits), and the vpnv4 packets are sent
to the destination, which is identified by the RT, and there is a vrf for each customer as well.
Can we make an L2VPN (VPLS) connection between the sites via MPLS if one customer site uses
ethernet and the other end site uses ATM/frame relay technologies? Are the vc label (inside
label) and vfi concept in VPLS equivalent to the RT and vrf in L3VPN respectively? How does a PE
router differentiate its different customers and their different services in VPLS? According to
my knowledge the vc label is used for identifying the PWs as ingress and egress (just like the
RT in L3VPN; I don't know if we can compare like this, please accept my apologies if it is not
correct). If anyone knows, please share the knowledge.

Alexander Thuijs Mon, 04/29/2013 - 09:43

L2VPN is no different then a regular L2 switch: we forward based on the knowledge where the
DMAC is.

We learn the macs based on where the source mac was seen.

If we dont know the DMAC we flood the packet, which also occurs for broadcast and multicast.

When a packet is to be forwarded out a pseudowire we prepend the packet with the rewrite
string belonging to that

PW, this includes the following frame:

L2 header according to the destination mac of the next hop, source mac of the egress
interface connecting to that next hop. MPLS header according to the next hop information.
Next MPLS header indicating the pseudowire information.

What follows next is the original L2 packet in EoMPLS, with the smac/dmac of the originally
received packet.

VLAN information is dependent on the Type of the PW 4 or 5 and what the rewrite of the vlans
was set for on the EFP access side.
xander
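
The forwarding behaviour described in the reply above (learn on source MAC, flood unknown, broadcast and multicast destinations, prepend the rewrite string on a pseudowire), as an added example that is not part of the original thread. Port names, MAC addresses and label values are constructed; it assumes no control word, no VLAN rewrite and a single PW, so split horizon is not modelled.

```python
import struct

MPLS_ETHERTYPE = 0x8847  # Ethernet type for MPLS unicast

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def mpls_entry(label, bottom, tc=0, ttl=255):
    # One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

class BridgeDomain:
    def __init__(self, ports):
        self.ports = ports      # port name -> None for an AC, rewrite dict for a PW
        self.mac_table = {}     # learned source MAC -> port it was seen on

    def forward(self, in_port, frame):
        # 'frame' is the customer L2 frame (already decapsulated if it came from a PW)
        dmac, smac = frame[0:6], frame[6:12]
        self.mac_table[smac] = in_port                 # learn from the source MAC
        known = not (dmac[0] & 1) and dmac in self.mac_table
        if known:
            out_ports = [self.mac_table[dmac]]         # known unicast: one port
        else:
            out_ports = list(self.ports)               # unknown/bcast/mcast: flood
        return {p: self.rewrite(p, frame) for p in out_ports if p != in_port}

    def rewrite(self, port, frame):
        pw = self.ports[port]
        if pw is None:
            return frame                               # attachment circuit: unchanged
        outer_l2 = pw["next_hop_mac"] + pw["egress_if_mac"] + struct.pack("!H", MPLS_ETHERTYPE)
        labels = mpls_entry(pw["transport_label"], False) + mpls_entry(pw["pw_label"], True)
        return outer_l2 + labels + frame               # original frame rides inside

def demo():
    # Constructed sample values: MACs, labels and port names are made up.
    bd = BridgeDomain({"ac1": None, "ac2": None, "pw1": {
        "next_hop_mac": mac("00:00:5e:00:53:01"), "egress_if_mac": mac("00:00:5e:00:53:02"),
        "transport_label": 24001, "pw_label": 16010}})
    host_a, host_b = mac("00:00:5e:00:53:0a"), mac("00:00:5e:00:53:0b")
    a_to_b = host_b + host_a + b"\x08\x00" + b"payload-a"
    b_to_a = host_a + host_b + b"\x08\x00" + b"payload-b"
    first = bd.forward("ac1", a_to_b)     # B unknown: flooded to ac2 and pw1
    reply = bd.forward("pw1", b_to_a)     # B learned behind pw1, A known on ac1
    second = bd.forward("ac1", a_to_b)    # B now known: only pw1, encapsulated
    return a_to_b, b_to_a, first, reply, second
```
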

manuv1984 Mon, 04/29/2013 - 10:42

Hi Xander,

Thanks for your precious response. Could you please tell me how the PE router
identifies its different client sites and their different services. Can we do vpls between two
sites even if they use different technologies (eg: ethernet and frame relay or ATM) on either
sides? May I know the use of VFI also. I am expecting your response.

Alexander Thuijs Mon, 04/29/2013 - 10:51

PWs are built either statically from one device to the MPLS RID of another device and an
assigned PW-ID. This id is unique between the 2 endpoints and must match between the two.

Theoretically we don't care what the AC is on the other side, bundle, subif, main if etc, but
when we do protocol conversion like ATM or FR then it is important to understand that we
have to do IP interworking. The 9K won't support the xlate so that has to be done on the remote
PE. FR doesn't have mac addresses, or PPP for that matter neither, so that is where a difficulty
comes in when doing protocol conversion. I would try to prevent that as much as possible due
to the complexities associated with that.

In terms of the VFI, check this reference:

https://supportforums.cisco.com/docs/DOC-15963

section SPLIT HORIZON

regards

xander


manuv1984 Tue, 04/30/2013 - 09:41

Hi,

Thanks for the reply.

muhammad.shiras Thu, 04/25/2013 - 17:15

Hi Alexander,

In ASR 9 k, which feature is using for multichassis end point pseudowires in
case of Inter-AS PEs or Metro networks? Is it LACP? To mitigate MAC duplication and loop,
can I categorise the MAC as protected and non-protected?


Alexander Thuijs Fri, 04/26/2013 - 06:43

If there are 2 separate nodes then the access side can use MC-LAG and on the core side you
can use (backup) Pseudo wires.

You can also choose to have a link between the 2 nodes and active active PW so that if the
traffic arrives on the PW that terminates on the node that does not have the active member
for the mclag, it can switch it down to the adj node.

Or you can consider using cluster. Single PW, regular LAG and no difficult tricks needed.

regards

xander

rakeshsekhar Mon, 04/29/2013 - 07:21
Hi Xander,

Can I enable and configure proxy server in DHCP of L2vpn ??


Alexander Thuijs Mon, 04/29/2013 - 07:27

Native L2VPN has no L3 component, but we can do snooping for some additional security.

the other (trusted) port is where the dhcp server will be found, but there is no proxy
configuration to that extent in that mode.

What you can do is enable a BVI interface in the l2vpn bridge domain and configure dhcp
proxy on that bvi.

that means that the BVI will pick up the dhcp broadcast and relay that to the dhcp server as
part of the configuration and the BVI interface is then the proxy between the clients and the
dhcp server.

You can still use snooping in this case also to limit where the dhcp messages will go to.

regards

xander

rakeshsekhar Mon, 04/29/2013 - 07:55
Hi Xander,

Thanks for your reply. I would like to clarify one more thing, Does L2vpn support
"IGMP host tracking", because as my knowledge it will run only under IGMP VRF & IGMP
interface configuration modes. Is there any possibility to track and to find (eg: using expiry
time) inactive hosts under igmp of L2vpn?


Alexander Thuijs Mon, 04/29/2013 - 07:59

For that Rakesh, you want to look into the feature called IGMP snooping.

similar as dhcp snooping but then for mcast related traffic.

(mcast like bcast is flooded if not implemented smoothly)

regards!

xander

rakeshsekhar Mon, 04/29/2013 - 12:01

Hi Xander,

Thanks a lot. I would like to clarify one more thing. Can we apply "eth-cfm" in
l2vpn ? Does asr9k support General Switch Management Protocol in vpls ?

Alexander Thuijs Mon, 04/29/2013 - 12:54

Rakesh,

some protocols are dependent on whether they are locally configured, eg BPDU's and CFM.

If we don't have the service locally configured, they are subject to the EFP defined service.

Some other protocols need to be explicitly configured via L2TP service definitions, eg in the
case of LACP.

regards

xander

muhammad.shiras Tue, 04/30/2013 - 07:17

Hi Alexander,

Is Multicast Listener Discovery (MLD) used only by ipv6? Can I get a confirmation
that asr 9k doesn't support mld snooping in vpls (l2vpn) because someone told me it doesn't
support mld snooping or mld in case of vpls.

I am expecting your response.


Alexander Thuijs Tue, 04/30/2013 - 07:33

Hi Shiras,

MLD snooping is an XR4.3.0 feature.

And correct the MLD is something specific to the ip v6 stack.

MLD is used by IPv6 routers for discovering multicast listeners on a directly attached link,
much like IGMP is used in IPv4. The protocol is embedded in ICMPv6 instead of using a separate
protocol.

xander

muhammad.shiras Tue, 04/30/2013 - 09:36

Hi Alexander,
But when I read XR 4.3 config document also, they mention IPv6 Multicast Listener
Discovery (MLD) snooping is not supported. Will it support under VPLS ?


Alexander Thuijs Tue, 04/30/2013 - 11:00

Hi Shiras, That is a misnomer in the documentation... MLD snooping is in XR4.3 and snooping
applies to the L2VPN configuration.

xander


rakeshsekhar Sat, 05/04/2013 - 11:24

Hi Xander,

May I know how to create pseudowire redundancy in case of vpls in asr 9k.
Can I get any documents which include the commands of vpls PWs? I am expecting your
precious response.


https://supportforums.cisco.com/document/92621/asr9000xr-migrating-ios-ios-xr-starting-guide
