Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x

 

 


Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-26068-02
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.
Preface

The Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide preface contains these sections:

• Changes to This Document
• Obtaining Documentation and Submitting a Service Request

Changes to This Document

This table lists the technical changes made to this document since it was first printed.

Table 1: Changes to This Document

Revision       Date            Change Summary
OL-26068-02    June 2012       Republished with documentation updates for Cisco IOS XR Release 4.2.1.
OL-26068-01    December 2011   Initial release of this document.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application.
The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

CHAPTER 1

Implementing Access Lists and Prefix Lists

An access control list (ACL) consists of one or more access control entries (ACE) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR software features such as traffic filtering, route filtering, QoS classification, and access control. Each ACL includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.

Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many Border Gateway Protocol (BGP) route filtering commands. A prefix is a portion of an IP address, starting from the far left bit of the far left octet. By specifying exactly how many bits of an address belong to a prefix, you can then use prefixes to aggregate addresses and perform some function on them, such as redistribution (filter routing updates).

This module describes the new and revised tasks required to implement access lists and prefix lists on the Cisco ASR 9000 Series Router.

Note: For a complete description of the access list and prefix list commands listed in this module, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index, or search online.

Feature History for Implementing Access Lists and Prefix Lists

Release          Modification
Release 3.7.2    This feature was introduced.
Release 4.2.1    IPv6 ACL over BVI interface feature was added.
Release 4.2.1    ACL in Class map feature was added.

• Prerequisites for Implementing Access Lists and Prefix Lists
• Restrictions for Implementing Access Lists and Prefix Lists
• Hardware Limitations
• Information About Implementing Access Lists and Prefix Lists
• Information About Implementing ACL-based Forwarding
• How to Implement Access Lists and Prefix Lists
• How to Implement ACL-based Forwarding
• Configuring Pure ACL-Based Forwarding for IPv6 ACL
• Configuration Examples for Implementing Access Lists and Prefix Lists
• IPv6 ACL in Class Map
• IPv4/IPv6 ACL over BVI interface
• Additional References

Prerequisites for Implementing Access Lists and Prefix Lists

The following prerequisite applies to implementing access lists and prefix lists:

All command task IDs are listed in individual command references and in the Cisco IOS XR Task ID Reference Guide. If you need assistance with your task group assignment, contact your system administrator.

Restrictions for Implementing Access Lists and Prefix Lists

The following restrictions apply to implementing access lists and prefix lists:

• IPv4 ACLs are not supported for loopback and interflex interfaces.
• IPv6 ACLs are not supported for loopback, interflex and L2 Ethernet Flow Point (EFP) main or subinterfaces.

The following restrictions apply to implementing ACL-based forwarding (ABF):

• The following nexthop configurations are not supported: attaching ACL having a nexthop option in the egress direction, modifying an ACL attached in the egress direction having nexthop, deny ACE with nexthop.
• The A9K-SIP-700 LC and ASR 9000 Enhanced Ethernet LC support ABFv4 and ABFv6 in Release 4.2.0. ASR 9000 Ethernet LC does not support ABFv6 in Release 4.2.0; it only supports ABFv4.

  Note: There is one exception to this. In case of IP to TAG, the label is imposed by the ingress LC (based on ABF nexthop), and the packet crosses the fabric as a tag packet. These packets are handled by A9K-SIP-700 without any issue.

• Packets punted in the ingress direction from the NPU to the LC CPU are not subjected to ABF treatment due to lack of ABF support in the slow path.
• IP packet(s) needing fragmentation are not subjected to ABF. The packet is forwarded in the traditional way. Fragmented packets received are handled by ABF.

Hardware Limitations

• Support for ABF is only for IPv4 and Ethernet line cards. IPv6 and other interfaces are not supported.
• ABF is an ingress line card feature and the egress line card must be ABF aware.

Information About Implementing Access Lists and Prefix Lists

To implement access lists and prefix lists, you must understand the following concepts:

Access Lists and Prefix Lists Feature Highlights

This section lists the feature highlights for access lists and prefix lists.

• Cisco IOS XR software provides the ability to clear counters for an access list or prefix list using a specific sequence number.
• Cisco IOS XR software provides the ability to copy the contents of an existing access list or prefix list to another access list or prefix list.
• Cisco IOS XR software allows users to apply sequence numbers to permit or deny statements and to resequence, add, or remove such statements from a named access list or prefix list.

  Note: Resequencing is only for IPv4 prefix lists.

• Cisco IOS XR software does not differentiate between standard and extended access lists. Standard access list support is provided for backward compatibility.

Purpose of IP Access Lists

Access lists perform packet filtering to control which packets move through the network and where. Such controls help to limit network traffic and restrict the access of users and devices to the network. Access lists have many uses, and therefore many commands accept a reference to an access list in their command syntax. Access lists can be used to do the following:

• Filter incoming packets on an interface.
• Filter outgoing packets on an interface.
• Restrict the contents of routing updates.
• Limit debug output based on an address or protocol.
• Control vty access.
• Identify or classify traffic for advanced features, such as congestion avoidance, congestion management, and priority and custom queueing.

How an IP Access List Works

An access list is a sequential list consisting of permit and deny statements that apply to IP addresses and possibly upper-layer IP protocols. The access list has a name by which it is referenced. Many software commands accept an access list as part of their syntax.

An access list can be configured and named, but it is not in effect until the access list is referenced by a command that accepts an access list. Multiple commands can reference the same access list. An access list can control traffic arriving at the router or leaving the router, but not traffic originating at the router.

IP Access List Process and Rules

Use the following process and rules when configuring an IP access list:

• The software tests the source or destination address or the protocol of each packet being filtered against the conditions in the access list, one condition (permit or deny statement) at a time.
• If a packet does not match an access list statement, the packet is then tested against the next statement in the list.
• If a packet and an access list statement match, the remaining statements in the list are skipped and the packet is permitted or denied as specified in the matched statement. The first entry that the packet matches determines whether the software permits or denies the packet. That is, after the first match, no subsequent entries are considered.
• If the access list denies the address or protocol, the software discards the packet and returns an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP is configurable in the Cisco IOS XR software.
• If no conditions match, the software drops the packet because each access list ends with an unwritten or implicit deny statement. That is, if the packet has not been permitted or denied by the time it was tested against each statement, it is denied.
• The access list should contain at least one permit statement or else all packets are denied.
• Because the software stops testing conditions after the first match, the order of the conditions is critical. The same permit or deny statements specified in a different order could result in a packet being passed under one circumstance and denied in another circumstance.
• Only one access list per interface, per protocol, per direction is allowed.
• Inbound access lists process packets arriving at the router. Incoming packets are processed before being routed to an outbound interface. An inbound access list is efficient because it saves the overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit means continue to process the packet after receiving it on an inbound interface; deny means discard the packet.
• Outbound access lists process packets before they leave the router. Incoming packets are routed to the outbound interface and then processed through the outbound access list. For outbound lists, permit means send it to the output buffer; deny means discard the packet.
• An access list cannot be removed if that access list is being applied by an access group in use. To remove an access list, remove the access group that is referencing the access list and then remove the access list.
• An access list must exist before you can use the ipv4 access-group command.

Helpful Hints for Creating IP Access Lists

Consider the following when creating an IP access list:

• Create the access list before applying it to an interface.
• Organize your access list so that more specific references in a network or subnet appear before more general ones.
• To make the purpose of individual statements more easily understood at a glance, you can write a helpful remark before or after any statement.

Source and Destination Addresses

Source address and destination addresses are two of the most typical fields in an IP packet on which to base an access list. Specify source addresses to control packets from certain networking devices or hosts. Specify destination addresses to control packets being sent to certain networking devices or hosts.

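The first-match, implicit-deny, and ordering rules above can be checked offline with a small model. The following Python sketch is an added example, not Cisco code: it evaluates source addresses against sequence-numbered entries and reports entries that can never match because an earlier, more general entry already covers them. The class and function names are hypothetical, the sample entries are constructed, matching is on source address only, and the wildcard-mask convention (bit 0 = check, bit 1 = ignore) is the one this guide describes in its wildcard mask section.

```python
"""First-match ACL evaluation with wildcard masks (added illustration, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    """One access control entry matching on source address only (hypothetical model)."""
    seq: int
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # default mirrors the host keyword

    @property
    def care(self) -> int:
        # Wildcard bit 1 = ignore, bit 0 = check, so the checked bits are the inverse.
        return ~int(IPv4Address(self.wildcard)) & ALL_ONES

    def matches(self, src: str) -> bool:
        diff = int(IPv4Address(src)) ^ int(IPv4Address(self.address))
        return (diff & self.care) == 0


def evaluate(acl: List[Ace], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); None means the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(src):
            return ace.action, ace.seq      # first match wins, the rest are skipped
    return "deny", None                     # unwritten deny at the end of every list


def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (later_seq, earlier_seq) pairs where the later entry can never match.

    An earlier entry covers a later one when it checks only bits the later entry
    also checks, and the two addresses agree on every bit the earlier one checks.
    """
    ordered = sorted(acl, key=lambda a: a.seq)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            checks_subset = (earlier.care & ~later.care & ALL_ONES) == 0
            diff = int(IPv4Address(earlier.address)) ^ int(IPv4Address(later.address))
            if checks_subset and (diff & earlier.care) == 0:
                hits.append((later.seq, earlier.seq))
                break
    return hits


# Constructed sample lists: the same two statements in two different orders.
GENERAL_FIRST = [
    Ace(10, "permit", "10.1.0.0", "0.0.255.255"),
    Ace(20, "deny", "10.1.5.0", "0.0.0.255"),    # never reached
]
SPECIFIC_FIRST = [
    Ace(10, "deny", "10.1.5.0", "0.0.0.255"),
    Ace(20, "permit", "10.1.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    for name, acl in (("general first", GENERAL_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name)
        for src in ("10.1.5.9", "10.1.7.7", "192.0.2.1"):
            print("  ", src, evaluate(acl, src))
        print("   shadowed entries:", shadowed(acl))
```

Running a check like `shadowed` over a list before applying it catches the ordering mistake the rules warn about: in the first sample the deny at sequence 20 is dead, so 10.1.5.9 is permitted.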
Wildcard Mask and Implicit Wildcard Mask

Address filtering uses wildcard masking to indicate whether the software checks or ignores corresponding IP address bits when comparing the address bits in an access-list entry to a packet being submitted to the access list. By carefully setting wildcard masks, an administrator can select a single or several IP addresses for permit or deny tests.

Wildcard masking for IP address bits uses the number 1 and the number 0 to specify how the software treats the corresponding IP address bits. A wildcard mask is sometimes referred to as an inverted mask, because a 1 and 0 mean the opposite of what they mean in a subnet (network) mask.

• A wildcard mask bit 0 means check the corresponding bit value.
• A wildcard mask bit 1 means ignore that corresponding bit value.

You do not have to supply a wildcard mask with a source or destination address in an access list statement. If you use the host keyword, the software assumes a wildcard mask of 0.0.0.0.

Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks allow noncontiguous bits in the mask. For IPv6 access lists, only contiguous bits are supported.

You can also use CIDR format (/x) in place of wildcard bits. For example, the address 1.2.3.4 0.255.255.255 corresponds to 1.2.3.4/8.

Transport Layer Information

You can filter packets on the basis of transport layer information, such as whether the packet is a TCP, UDP, ICMP, or IGMP packet.

IP Access List Entry Sequence Numbering

The ability to apply sequence numbers to IP access-list entries simplifies access list changes. Prior to this feature, there was no way to specify the position of an entry within an access list.
If a user wanted to insert an entry (statement) in the middle of an existing list, all the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.

The IP Access List Entry Sequence Numbering feature allows users to add sequence numbers to access-list entries and resequence them. When you add a new entry, you choose the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.

Sequence Numbering Behavior

The following details the sequence numbering behavior:

• If entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483646. If the generated sequence number exceeds this maximum number, the following message displays:

  Exceeded maximum sequence number.

• If you provide an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.
• ACL entries can be added without affecting traffic flow and hardware performance.
• If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.
• Distributed support is provided so that the sequence numbers of entries in the route processor (RP) and line card (LC) are synchronized at all times.
• This feature works with named standard and extended IP access lists. Because the name of an access list can be designated as a number, numbers are acceptable.

IP Access List Logging Messages

Cisco IOS XR software can provide logging messages about packets permitted or denied by a standard IP access list.
That is, any packet that matches the access list causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console command in global configuration mode.

The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

However, you can use the { ipv4 | ipv6 } access-list log-update threshold command to set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. You might do this to receive log messages more frequently than at 5-minute intervals.

Caution: If you set the update-number argument to 1, a log message is sent right away, rather than caching it; every packet that matches an access list causes a log message. A setting of 1 is not recommended because the volume of log messages could overwhelm the system.

Even if you use the { ipv4 | ipv6 } access-list log-update threshold command, the 5-minute timer remains in effect, so each cache is emptied at the end of 5 minutes, regardless of the number of messages in each cache. Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a threshold is not specified.

Note: The logging facility might drop some logging message packets if there are too many to be handled or if more than one logging message is handled in 1 second. This behavior prevents the router from using excessive CPU cycles because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or as an accurate source of the number of matches to an access list.

Extended Access Lists with Fragment Control

In earlier releases, the non-fragmented packets and the initial fragments of a packet were processed by IP extended access lists (if you apply this access list), but non-initial fragments were permitted, by default. However, now, the IP Extended Access Lists with Fragment Control feature allows more granularity of control over non-initial fragments of a packet. Using this feature, you can specify whether the system examines non-initial IP fragments of packets when applying an IP extended access list.

Because non-initial fragments contain only Layer 3 information, access-list entries containing only Layer 3 information can now be applied to non-initial fragments also. The fragment has all the information the system requires to filter, so the access-list entry is applied to the fragments of a packet.

This feature adds the optional fragments keyword to the following IP access list commands: deny (IPv4), permit (IPv4), deny (IPv6), permit (IPv6). By specifying the fragments keyword in an access-list entry, that particular access-list entry applies only to non-initial fragments of packets; the fragment is either permitted or denied accordingly.

The behavior of access-list entries regarding the presence or absence of the fragments keyword can be summarized as follows:

If the Access-List Entry has... no fragments keyword and all of the access-list entry information matches

Then...
For an access-list entry containing only Layer 3 information:
• The entry is applied to non-fragmented packets, initial fragments, and non-initial fragments.
For an access-list entry containing Layer 3 and Layer 4 information:
• The entry is applied to non-fragmented packets and initial fragments.
  ◦ If the entry matches and is a permit statement, the packet or fragment is permitted.
  ◦ If the entry matches and is a deny statement, the packet or fragment is denied.
• The entry is also applied to non-initial fragments in the following manner. Because non-initial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
  ◦ If the entry is a permit statement, the non-initial fragment is permitted.
  ◦ If the entry is a deny statement, the next access-list entry is processed.
Note: The deny statements are handled differently for non-initial fragments versus non-fragmented or initial fragments.

If the Access-List Entry has... the fragments keyword and all of the access-list entry information matches

Then...
The access-list entry is applied only to non-initial fragments.
Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

You should not add the fragments keyword to every access-list entry, because the first fragment of the IP packet is considered a non-fragment and is treated independently of the subsequent fragments. Because an initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that has to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each fragment counts individually as a packet in access-list accounting and access-list violation counts.

Note: The fragments keyword cannot solve all cases involving access lists and IP fragments.

Note: Within the scope of ACL processing, Layer 3 information refers to fields located within the IPv4 header; for example, source, destination, protocol. Layer 4 information refers to other data contained beyond the IPv4 header; for example, source and destination ports for TCP or UDP, flags for TCP, type and code for ICMP.

Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through Layer 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access-list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
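The wildcard-mask rules and the fragment-handling table described above can be checked against a small model. The following Python is an added example, not Cisco code or output from a router: it is a simplified IPv4-only evaluator in which the destination port stands in for all Layer 4 information, and the addresses, sequence numbers and ACL contents are constructed for illustration.

```python
"""Model of the documented ACL matching rules (added example, IPv4 only)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")       # 'any': every address bit is ignored


def host(addr: str) -> Tuple[str, str]:
    """The host keyword implies a wildcard mask of 0.0.0.0."""
    return (addr, "0.0.0.0")


def to_u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = check the address bit, 1 = ignore it."""
    care = ~to_u32(wildcard) & 0xFFFFFFFF
    return (to_u32(addr) & care) == (to_u32(base) & care)


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """CIDR length for a contiguous wildcard, None for a noncontiguous one."""
    w = to_u32(wildcard)
    if w & (w + 1):                        # contiguous means 0...01...1
        return None
    return 32 - w.bit_length()


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                            # "permit" or "deny"
    src: Tuple[str, str]                   # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None         # Layer 4 match; None = Layer 3 only
    fragments: bool = False

    def __post_init__(self):
        if self.fragments and self.dst_port is not None:
            raise ValueError("fragments cannot be combined with Layer 4 information")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: Optional[int] = None         # absent on non-initial fragments
    non_initial: bool = False


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the deciding entry)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
            continue
        if ace.fragments:                  # applies only to non-initial fragments
            if pkt.non_initial:
                return ace.action, ace.seq
            continue
        if ace.dst_port is None:           # Layer 3 only: applies to everything
            return ace.action, ace.seq
        if pkt.non_initial:                # only the Layer 3 part can be applied
            if ace.action == "permit":
                return "permit", ace.seq
            continue                       # deny: the next entry is processed
        if pkt.dst_port == ace.dst_port:
            return ace.action, ace.seq
    return "deny", None                    # implicit deny at the end of the list


# Constructed sample policy: block Telnet to one server, allow the rest of its subnet.
SERVER = "192.0.2.10"
WEAK_ACL = [
    Ace(10, "deny", ANY, host(SERVER), dst_port=23),
    Ace(20, "permit", ANY, ("192.0.2.0", "0.0.0.255")),
]
# Pair the deny with a fragments entry for the same host, as the text recommends.
HARDENED_ACL = WEAK_ACL + [Ace(15, "deny", ANY, host(SERVER), fragments=True)]

if __name__ == "__main__":
    first = Packet("198.51.100.7", SERVER, dst_port=23)
    later = Packet("198.51.100.7", SERVER, non_initial=True)
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "initial:", evaluate(acl, first), "non-initial:", evaluate(acl, later))
```

In this model entry 15 also denies the non-initial fragments of traffic to other ports on the same host, which entry 20 permits for the initial fragment.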
Comments About Entries in Access Lists

You can include comments (remarks) about entries in any named IP access list using the remark access list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 255 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. Remarks can be sequenced.

Remember to apply the access list to an interface or terminal line after the access list is created. See the "Applying Access Lists, on page 15" section for more information.

Access Control List Counters

In Cisco IOS XR software, ACL counters are maintained both in hardware and software. Hardware counters are used for packet filtering applications such as when an access group is applied on an interface. Software counters are used by all the applications mainly involving software packet processing.

Packet filtering makes use of 64-bit hardware counters per ACE. If the same access group is applied on interfaces that are on the same line card in a given direction, the hardware counters for the ACL are shared between two interfaces.

To display the hardware counters for a given access group, use the show access-lists ipv4 [access-list-name hardware {ingress| egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.
To clear the hardware counters, use the clear access-list ipv4 access-list-name [hardware {ingress | egress} [interface type interface-path-id] {location node-id}] command in EXEC mode.

Hardware counting is not enabled by default for IPv4 ACLs because of a small performance penalty. To enable hardware counting, use the ipv4 access-group access-list-name {ingress | egress} [hardware-count] command in interface configuration mode. This command can be used as desired, and counting is enabled only on the specified interface.

Software counters are updated for the packets processed in software, for example, exception packets punted to the LC CPU for processing, or ACL used by routing protocols, and so on. The counters that are maintained are an aggregate of all the software applications using that ACL. To display software-only ACL counters, use the show access-lists ipv4 access-list-name [sequence number] command in EXEC mode.

All the above information is true for IPv6, except that hardware counting is always enabled; there is no hardware-count option in the IPv6 access-group command-line interface (CLI).

BGP Filtering Using Prefix Lists

Prefix lists can be used as an alternative to access lists in many BGP route filtering commands. The advantages of using prefix lists are as follows:

• Significant performance improvement in loading and route lookup of large lists.
• Incremental updates are supported.
• More user friendly CLI. The CLI for using access lists to filter BGP updates is difficult to understand and use because it uses the packet filtering format.
• Greater flexibility.

Before using a prefix list in a command, you must set up a prefix list, and you may want to assign sequence numbers to the entries in the prefix list.

How the System Filters Traffic by Prefix List

Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list. When there is a match, the route is used.
More specifically, whether a prefix is permitted or denied is based upon the following rules:

• An empty prefix list permits all prefixes.
• An implicit deny is assumed if a given prefix does not match any entries of a prefix list.
• When multiple entries of a prefix list match a given prefix, the longest, most specific match is chosen.

Sequence numbers are generated automatically unless you disable this automatic generation. If you disable the automatic generation of sequence numbers, you must specify the sequence number for each entry using the sequence-number argument of the permit and deny commands in either IPv4 or IPv6 prefix list configuration command. Use the no form of the permit or deny command with the sequence-number argument to remove a prefix-list entry.

The show commands include the sequence numbers in their output.

Information About Implementing ACL-based Forwarding

To implement access lists and prefix lists, you must understand the following concepts:

ACL-based Forwarding Overview

Converged networks carry voice, video and data. Users may need to route certain traffic through specific paths instead of using the paths computed by routing protocols. A simple way to achieve this is to specify the next-hop address in ACL configurations, so that the configured next-hop address from the ACL is used for forwarding the packet towards its destination instead of routing packet-based destination address lookup. This feature of using next-hop in ACL configurations for forwarding is called ACL Based Forwarding (ABF).

ACL-based forwarding enables you to choose service from multiple providers for broadcast TV over IP, IP telephony, data, and so on, which provides a cafeteria-like access to the Internet.
Service providers can divert user traffic to various content providers.

ABF-OT

To provide flexibility to the user to select the suitable nexthop, the ABF functionality is enhanced to interact with object-tracking (OT), which impacts:

• Tracking prefix in CEF
• Tracking the line-state protocol
• IPSLA (IP Service Level Agreement)

IPSLA support for Object tracking

The OT-module interacts with the IPSLA-module to get reachability information. With IPSLA, the routers perform periodic measurements.

How to Implement Access Lists and Prefix Lists

IPv6 ACL support is available on the Cisco ASR 9000 SIP 700 linecard and the ASR 9000 Ethernet linecards. The relevant scale is:

• ACL enabled interfaces - 1000 (500 in each direction); for ASR 9000 Ethernet linecards - 4000
• Unique ACLs - 512 (with 5 ACEs each); for ASR 9000 Ethernet linecards - 2000
• Maximum ACEs per ACL - 8000 (for ASR 9000 Ethernet linecards, ACEs could be 16000, 8000, 4000 - based on the LC model)
• IPv6 ACL log will also be supported.

This section contains the following procedures:

Configuring Extended Access Lists

This task configures an extended IPv4 or IPv6 access list.

SUMMARY STEPS

1. configure
2. {ipv4 | ipv6} access-list name
3. [ sequence-number ] remark remark
4. Do one of the following:
• [ sequence-number] {permit | deny} source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]
• [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen] [destopts] [fragments] [packet-length operator packet-length value] [log | log-input]
5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
6. Use one of these commands:
• end
• commit
7. show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]

DETAILED STEPS

Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: {ipv4 | ipv6} access-list name
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 access-list acl_1
or
RP/0/RSP0/CPU0:router(config)# ipv6 access-list acl_2
Purpose: Enters either IPv4 or IPv6 access list configuration mode and configures the named access list.

Step 3
Command or Action: [ sequence-number ] remark remark
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 remark Do not allow user1 to telnet out
Purpose: (Optional) Allows you to comment about a permit or deny statement in a named access list.
• The remark can be up to 255 characters; anything longer is truncated.
• Remarks can be configured before or after permit or deny statements, but their location should be consistent.

Step 4
Command or Action: Do one of the following:
• [ sequence-number] {permit | deny} source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]
• [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen] [destopts] [fragments] [packet-length operator packet-length value] [log | log-input]
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit 172.16.0.0 0.0.255.255
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 deny 192.168.34.0 0.0.0.255
or
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 20 permit icmp any any
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 30 deny tcp any any gt 5000
Purpose: Specifies one or more conditions allowed or denied in IPv4 access list acl_1.
• The optional log keyword causes an information logging message about the packet that matches the entry to be sent to the console.
• The optional log-input keyword provides the same function as the log keyword, except that the logging message also includes the input interface.
or
Specifies one or more conditions allowed or denied in IPv6 access list acl_2.
• Refer to the deny (IPv6) and permit (IPv6) commands for more information on filtering IPv6 traffic based on IPv6 option headers and optional, upper-layer protocol type information.
Note: Every IPv6 access list has two implicit permits used for neighbor advertisement and solicitation: Implicit Neighbor Discovery–Neighbor Advertisement (NDNA) permit, and Implicit Neighbor Discovery–Neighbor Solicitation (NDNS) permit.
Note: Every IPv6 access list has an implicit deny ipv6 any any statement as its last match condition. An IPv6 access list must contain at least one entry for the implicit deny ipv6 any any statement to take effect.

Step 5
Command or Action: Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise an access list.

Step 6
Command or Action: Use one of these commands:
• end
• commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7
Command or Action: show access-lists {ipv4 | ipv6} [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
Example:
RP/0/RSP0/CPU0:router# show access-lists ipv4 acl_1
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 access lists.
• Use the access-list-name argument to display the contents of a specific access list.
• Use the hardware, ingress or egress, and location or sequence keywords to display the access-list hardware contents and counters for all interfaces that use the specified access list in a given direction (ingress or egress). The access group for an interface must be configured using the ipv4 access-group command for access-list hardware counters to be enabled.
• Use the summary keyword to display a summary of all current IPv4 or IPv6 access-lists.
• Use the interface keyword to display interface statistics.

What to Do Next

After creating an access list, you must apply it to a line or interface. See the Applying Access Lists, on page 15 section for information about how to apply an access list.

ACL commit fails while adding and removing unique Access List Entries (ACE). This happens due to the absence of an assigned manager process. The user has to exit the config-ipv4-acl mode to configuration mode and re-enter the config-ipv4-acl mode before adding the first ACE.

Applying Access Lists

After you create an access list, you must reference the access list to make it work. Access lists can be applied on either outbound or inbound interfaces. This section describes guidelines on how to accomplish this task for both terminal lines and network interfaces.

Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.

For inbound access lists, after receiving a packet, Cisco IOS XR software checks the source address of the packet against the access list.
If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message. The ICMP message is configurable.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

When you apply an access list that has not yet been defined to an interface, the software acts as if the access list has not been applied to the interface and accepts all packets. Note this behavior if you use undefined access lists as a means of security in your network.

Controlling Access to an Interface

This task applies an access list to an interface to restrict access to that interface. Access lists can be applied on either outbound or inbound interfaces.

SUMMARY STEPS

1. configure
2. interface type interface-path-id
3. Do one of the following:
• ipv4 access-group access-list-name {ingress | egress} [hardware-count] [interface-statistics]
• ipv6 access-group access-list-name {ingress | egress} [interface-statistics]
4. Do one of the following:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface type interface-path-id
Example:
RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/2
Purpose: Configures an interface and enters interface configuration mode.
• The type argument specifies an interface type. For more information on interface types, use the question mark (?) online help function.
• The instance argument specifies either a physical interface instance or a virtual instance.
  ◦ The naming notation for a physical interface instance is rack/slot/module/port. The slash (/) between values is required as part of the notation.
  ◦ The number range for a virtual interface instance varies depending on the interface type.

Step 3
Command or Action: Do one of the following:
• ipv4 access-group access-list-name {ingress | egress} [hardware-count] [interface-statistics]
• ipv6 access-group access-list-name {ingress | egress} [interface-statistics]
Example:
RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group p-in-filter in
RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group p-out-filter out
Purpose: Controls access to an interface.
• Use the access-list-name argument to specify a particular IPv4 or IPv6 access list.
• Use the in keyword to filter on inbound packets or the out keyword to filter on outbound packets.
• Use the hardware-count keyword to enable hardware counters for the IPv4 access group.
  ◦ Hardware counters are automatically enabled for IPv6 access groups.
• Use the interface-statistics keyword to specify per-interface statistics in the hardware.
This example applies filters on packets inbound and outbound from GigabitEthernet interface 0/2/0/2.

Step 4
Command or Action: Do one of the following:
• end
• commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
  ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Controlling Access to a Line

This task applies an access list to a line to control access to that line.

SUMMARY STEPS

1. configure
2. line {aux | console | default | template template-name}
3. access-class list-name {ingress | egress}
4. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: line {aux | console | default | template template-name}
Example:
RP/0/RSP0/CPU0:router(config)# line default
Purpose: Specifies either the auxiliary, console, default, or a user-defined line template and enters line template configuration mode.
• Line templates are a collection of attributes used to configure and manage physical terminal line connections (the console and auxiliary ports) and vty connections. The following templates are available in Cisco IOS XR software:
  ◦ Aux line template—The line template that applies to the auxiliary line.
  ◦ Console line template—The line template that applies to the console line.
  ◦ Default line template—The default line template that applies to a physical and virtual terminal lines.
  ◦ User-defined line templates—User-defined line templates that can be applied to a range of virtual terminal lines.

Step 3
Command or Action: access-class list-name {ingress | egress}
Purpose: Restricts incoming and outgoing connections using an IPv4 or IPv6 access list.
Example:
RP/0/RSP0/CPU0:router(config-line)# access-class acl_2 out
• In the example, outgoing connections for the default line template are filtered using the IPv6 access list acl_2.

Step 4
Command or Action: Use one of these commands:
• end
• commit
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring Prefix Lists

This task configures an IPv4 or IPv6 prefix list.

SUMMARY STEPS

1. configure
2. {ipv4 | ipv6} prefix-list name
3. [ sequence-number ] remark remark
4. [ sequence-number] {permit | deny} network/length [ge value] [le value] [eq value]
5. Repeat Step 4 as necessary. Use the no sequence-number command to delete an entry.
6. Do one of the following:
• end
• commit
7. Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
8. clear {ipv4 | ipv6} prefix-list name [sequence-number]

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: {ipv4 | ipv6} prefix-list name
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 prefix-list pfx_1
or
RP/0/RSP0/CPU0:router(config)# ipv6 prefix-list pfx_2
Purpose: Enters either IPv4 or IPv6 prefix list configuration mode and configures the named prefix list.
• To create a prefix list, you must enter at least one permit or deny clause.
• Use the no {ipv4 | ipv6} prefix-list name command to remove all entries in a prefix list.

Step 3
Command or Action: [ sequence-number ] remark remark
Example:
RP/0/RSP0/CPU0:router(config-ipv4_pfx)# 10 remark Deny all routes with a prefix of 10/8
RP/0/RSP0/CPU0:router(config-ipv4_pfx)# 20 deny 10.0.0.0/8 le 32
Purpose: (Optional) Allows you to comment about the following permit or deny statement in a named prefix list.
• The remark can be up to 255 characters; anything longer is truncated.
• Remarks can be configured before or after permit or deny statements, but their location should be consistent.

Step 4
Command or Action: [sequence-number] {permit | deny} network/length [ge value] [le value] [eq value]
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# 20 deny 128.0.0.0/8 eq 24
Purpose: Specifies one or more conditions allowed or denied in the named prefix list.
• This example denies all prefixes matching /24 in 128.0.0.0/8 in prefix list pfx_2.

Step 5
Command or Action: Repeat Step 4 as necessary. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise a prefix list.

Step 6
Command or Action: Do one of the following:
• end
• commit
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# end
or
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
  ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7
Command or Action: Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
Example:
RP/0/RSP0/CPU0:router# show prefix-list ipv4 pfx_1
or
RP/0/RSP0/CPU0:router# show prefix-list ipv6 pfx_2 summary
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
• Use the name argument to display the contents of a specific prefix list.
• Use the sequence-number argument to specify the sequence number of the prefix-list entry.
• Use the summary keyword to display summary output of prefix-list contents.

Step 8
Command or Action: clear {ipv4 | ipv6} prefix-list name [sequence-number]
Example:
RP/0/RSP0/CPU0:router# clear prefix-list ipv4 pfx_1 30
Purpose: (Optional) Clears the hit count on an IPv4 or IPv6 prefix list.
Note: The hit count is a value indicating the number of matches to a specific prefix-list entry.

Configuring Standard Access Lists

This task configures a standard IPv4 access list. Standard access lists use source addresses for matching operations.

SUMMARY STEPS

1. configure
2. ipv4 access-list name
3. [ sequence-number ] remark remark
4. [ sequence-number ] {permit | deny} source [source-wildcard] [log | log-input]
5.
Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. 6. Do one of the following: • end • commit 7. show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] DETAILED STEPS Command or Action Purpose configure Enters global configuration mode. Example: RP/0/RSP0/CPU0:router# configure Step 1 Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x OL-26068-02 21 Implementing Access Lists and Prefix Lists Configuring Standard Access ListsCommand or Action Purpose Enters IPv4 access list configuration mode and configures access list acl_1. ipv4 access-list name Example: RP/0/RSP0/CPU0:router# ipv4 access-list acl_1 Step 2 (Optional) Allows you to comment about the following permit or deny statement in a named access list. [ sequence-number ] remark remark Example: RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 remark Do not allow user1 to telnet out Step 3 • The remark can be up to 255 characters; anything longer is truncated. • Remarks can be configured before or after permit or deny statements, but their location should be consistent. Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped. [ sequence-number ] {permit | deny} source [source-wildcard] [log | log-input] Step 4 Example: RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 permit 172.16.0.0 0.0.255.255 • Use the source argument to specify the number of network or host from which the packet is being sent. • Use the optional source-wildcard argument to specify the wildcard bits to be applied to the source. 
or RRP/0/RSP0/CPU0:routerrouter(config-ipv4-acl)# 30 deny 192.168.34.0 0.0.0.255 • The optional log keyword causes an information logging message about the packet that matches the entry to be sent to the console. • The optional log-input keyword providesthe same function as the log keyword, except that the logging message also includes the input interface. Repeat Step 4 as necessary, adding statements by Allows you to revise an access list. sequence number where you planned. Use the no sequence-number command to delete an entry. Step 5 Step 6 Do one of the following: Saves configuration changes. • end • When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before • commit Example: RP/0/RSP0/CPU0:router(config-ipv4-acl)# end exiting(yes/no/cancel)?[cancel]: or RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit ? Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. ? Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x 22 OL-26068-02 Implementing Access Lists and Prefix Lists Configuring Standard Access ListsCommand or Action Purpose ? Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. show access-lists [ipv4 | ipv6] [access-list-name (Optional) Displays the contents of the named IPv4 access list. hardware {ingress | egress} [interface type Step 7 • The contents of an IPv4 standard access list are displayed in extended access-list format. 
interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: RP/0/RSP0/CPU0:router# show access-lists ipv4 acl_1 What to Do Next After creating a standard access list, you must apply it to a line or interface. See the Applying Access Lists, on page 15” section for information about how to apply an access list. Copying Access Lists This task copies an IPv4 or IPv6 access list. SUMMARY STEPS 1. copy access-list {ipv4 | ipv6}source-acl destination-acl 2. show access-lists {ipv4 | ipv6}[access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] DETAILED STEPS Command or Action Purpose Step 1 copy access-list {ipv4 | ipv6}source-acl destination-acl Creates a copy of an existing IPv4 or IPv6 access list. Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x OL-26068-02 23 Implementing Access Lists and Prefix Lists Copying Access ListsCommand or Action Purpose Example: RP/0/RSP0/CPU0:router# copy ipv6 access-list list-1 list-2 • Use the source-acl argument to specify the name of the access list to be copied. • Use the destination-acl argument to specify where to copy the contents of the source access list. ? The destination-acl argument must be a unique name; if the destination-acl argument name exists for an access list, the access list is not copied. (Optional) Displays the contents of a named IPv4 or IPv6 access list. For example, you can verify the output to see that the show access-lists {ipv4 | ipv6}[access-list-name hardware {ingress | egress} [interface type Step 2 destination access list list-2 contains all the information from the source access list list-1. 
interface-path-id] {sequence number| location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: RP/0/RSP0/CPU0:router# show access-lists ipv4 list-2 Sequencing Access-List Entries and Revising the Access List This task shows how to assign sequence numbers to entries in a named access list and how to add or delete an entry to or from an access list. It is assumed that a user wants to revise an access list. Resequencing an access list is optional. Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x 24 OL-26068-02 Implementing Access Lists and Prefix Lists Sequencing Access-List Entries and Revising the Access ListSUMMARY STEPS 1. resequence access-list {ipv4 | ipv6} name [base [increment]] 2. configure 3. {ipv4 | ipv6} access-list name 4. Do one of the following: • [ sequence-number ] {permit | deny} source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] • [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator {port | protocol-port}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen] [destopts] [fragments] [packet-length operator packet-length value] [log | log-input] 5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. 6. Do one of the following: • end • commit 7. 
show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] DETAILED STEPS Command or Action Purpose (Optional) Resequences the specified IPv4 or IPv6 access list using the starting sequence number and the increment ofsequence numbers. resequence access-list {ipv4 | ipv6} name [base [increment]] Example: RP/0/RSP0/CPU0:router# resequence access-list ipv4 acl_3 20 15 Step 1 • This example resequences an IPv4 access list named acl_3. The starting sequence number is 20 and the increment is 15. If you do not select an increment, the default increment 10 is used. configure Enters global configuration mode. Example: RP/0/RSP0/CPU0:router# configure Step 2 Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x OL-26068-02 25 Implementing Access Lists and Prefix Lists Sequencing Access-List Entries and Revising the Access ListCommand or Action Purpose Enters either IPv4 or IPv6 access list configuration mode and configures the named access list. {ipv4 | ipv6} access-list name Example: RP/0/RSP0/CPU0:router(config)# ipv4 access-list acl_1 Step 3 or RP/0/RSP0/CPU0:router(config)# ipv6 access-list acl_2 Specifies one or more conditions allowed or denied in IPv4 access list acl_1. Step 4 Do one of the following: • [ sequence-number ] {permit | deny} source source-wildcard destination destination-wildcard • The optional log keyword causes an information logging message about the packet that matches the entry to be sent to the console. [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] • The optional log-input keyword providesthe same function as the log keyword, except that the logging message also includes the input interface. 
• [ sequence-number ] {permit | deny} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator {port | • This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need. protocol-port}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator {port | protocol-port}] [dscp value] [routing] [authen] or [destopts] [fragments] [packet-length operator packet-length value] [log | log-input] Specifies one or more conditions allowed or denied in IPv6 access list acl_2. Example: RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 • Refer to the permit (IPv6) and deny (IPv6) commands for more information on filtering IPv6 traffic based on IPv6 option headers and upper-layer protocols such as ICMP, permit 172.16.0.0 0.0.255.255 TCP, and UDP. RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 deny 192.168.34.0 0.0.0.255 Every IPv6 access list has an implicit deny ipv6 any any statement asitslast match condition. An IPv6 access list must contain at least one entry for the implicit deny ipv6 any any statement to take effect. Note or RP/0/RSP0/CPU0:router(config-ipv6-acl)# 20 permit icmp any any RP/0/RSP0/CPU0:router(config-ipv6-acl)# 30 deny tcp any any gt 5000 Repeat Step 4 as necessary, adding statements by Allows you to revise the access list. sequence number where you planned. Use the no sequence-number command to delete an entry. Step 5 Step 6 Do one of the following: Saves configuration changes. 
• end • When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before • commit Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x 26 OL-26068-02 Implementing Access Lists and Prefix Lists Sequencing Access-List Entries and Revising the Access ListCommand or Action Purpose Example: RP/0/RSP0/CPU0:router(config-ipv4-acl)# end exiting(yes/no/cancel)?[cancel]: or RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit ? Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. ? Entering no exitsthe configuration session and returns the router to EXEC mode without committing the configuration changes. ? Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. (Optional) Displays the contents of a named IPv4 or IPv6 access list. show access-lists [ipv4 | ipv6] [access-list-name hardware {ingress | egress} [interface type Step 7 interface-path-id] {sequence number| location node-id} • Review the output to see that the access list includes the updated information. | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]] Example: RP/0/RSP0/CPU0:router# show access-lists ipv4 acl_1 What to Do Next If your access list is not already applied to an interface or line or otherwise referenced, apply the access list. See the “Applying Access Lists, on page 15” section for information about how to apply an access list. Copying Prefix Lists This task copies an IPv4 or IPv6 prefix list. 
SUMMARY STEPS
1. copy prefix-list {ipv4 | ipv6} source-name destination-name
2. Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]

DETAILED STEPS

Step 1
Command or Action: copy prefix-list {ipv4 | ipv6} source-name destination-name
Purpose: Creates a copy of an existing IPv4 or IPv6 prefix list.
• Use the source-name argument to specify the name of the prefix list to be copied and the destination-name argument to specify where to copy the contents of the source prefix list.
• The destination-name argument must be a unique name; if the destination-name argument name exists for a prefix list, the prefix list is not copied.
Example:
RP/0/RSP0/CPU0:router# copy prefix-list ipv6 list_1 list_2

Step 2
Command or Action: Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
• Review the output to see that prefix list list_2 includes the entries from list_1.
Example:
RP/0/RSP0/CPU0:router# show prefix-list ipv6 list_2

Sequencing Prefix List Entries and Revising the Prefix List

This task shows how to assign sequence numbers to entries in a named prefix list and how to add or delete an entry to or from a prefix list. It is assumed a user wants to revise a prefix list. Resequencing a prefix list is optional.

Before You Begin

Note: Resequencing IPv6 prefix lists is not supported.

SUMMARY STEPS
1. resequence prefix-list ipv4 name [base [increment]]
2. configure
3. {ipv4 | ipv6} prefix-list name
4. [ sequence-number ] {permit | deny} network/length [ge value] [le value] [eq value]
5. Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
6. Do one of the following:
• end
• commit
7. Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]

DETAILED STEPS

Step 1
Command or Action: resequence prefix-list ipv4 name [base [increment]]
Purpose: (Optional) Resequences the named IPv4 prefix list using the starting sequence number and the increment of sequence numbers.
Example:
RP/0/RSP0/CPU0:router# resequence prefix-list ipv4 pfx_1 10 15
• This example resequences a prefix list named pfx_1. The starting sequence number is 10 and the increment is 15.

Step 2
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 3
Command or Action: {ipv4 | ipv6} prefix-list name
Purpose: Enters either IPv4 or IPv6 prefix list configuration mode and configures the named prefix list.
Example:
RP/0/RSP0/CPU0:router(config)# ipv6 prefix-list pfx_2

Step 4
Command or Action: [ sequence-number ] {permit | deny} network/length [ge value] [le value] [eq value]
Purpose: Specifies one or more conditions allowed or denied in the named prefix list.
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# 15 deny 128.0.0.0/8 eq 24

Step 5
Command or Action: Repeat Step 4 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
Purpose: Allows you to revise the prefix list.

Step 6
Command or Action: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# end
or
RP/0/RSP0/CPU0:router(config-ipv6_pfx)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 7
Command or Action: Do one of the following:
• show prefix-list ipv4 [name] [sequence-number]
• show prefix-list ipv6 [name] [sequence-number] [summary]
Purpose: (Optional) Displays the contents of current IPv4 or IPv6 prefix lists.
• Review the output to see that prefix list pfx_2 includes all new information.
Example:
RP/0/RSP0/CPU0:router# show prefix-list ipv6 pfx_2

How to Implement ACL-based Forwarding

This section contains the following procedures:

Configuring ACL-based Forwarding with Security ACL

Perform this task to configure ACL-based forwarding with security ACL.

SUMMARY STEPS
1. configure
2. ipv4 access-list name
3. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [[default] nexthop1 [ipv4 ipv4-address1] nexthop2[ipv4 ipv4-address2] nexthop3[ipv4 ipv4-address3]] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] [[track track-name] [ttl ttl [value1 ... value2]]
4. Do one of the following:
• end
• commit
5. show access-list ipv4 [[access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: ipv4 access-list name
Purpose: Enters IPv4 access list configuration mode and configures the specified access list.
Example:
RP/0/RSP0/CPU0:router(config)# ipv4 access-list security-abf-acl

Step 3
Command or Action: [ sequence-number ] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [[default] nexthop1 [ipv4 ipv4-address1] nexthop2[ipv4 ipv4-address2] nexthop3[ipv4 ipv4-address3]] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input] [[track track-name] [ttl ttl [value1 ... value2]]
Purpose: Sets the conditions for an IPv4 access list. The configuration example shows how to configure ACL-based forwarding with security ACL.
• The nexthop1, nexthop2, nexthop3 keywords forward the specified next hop for this entry.
• If the default keyword is configured, ACL-based forwarding action is taken only if the results of the PLU lookup for the destination of the packets determine a default route; that is, no specified route is determined to the destination of the packet.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 10.0.0.0 0.255.255.255 any nexthop 50.1.1.2
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 15 permit ipv4 30.2.1.0 0.0.0.255 any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 20 permit ipv4 30.2.0.0 0.0.255.255 any nexthop 40.1.1.2
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 25 permit ipv4 any any

Step 4
Command or Action: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config-ipv4-acl)# end
or
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 5
Command or Action: show access-list ipv4 [[access-list-name hardware {ingress | egress} [interface type interface-path-id] {sequence number | location node-id} | summary [access-list-name] | access-list-name [sequence-number] | maximum [detail] [usage {pfilter location node-id}]]
Purpose: Displays the information for ACL software.
Example:
RP/0/RSP0/CPU0:router# show access-lists ipv4 security-abf-acl

Implementing IPSLA-OT

In this section, the following procedures are discussed:
• Enabling track mode
• Configuring track type
• Configuring tracking type (line protocol)
• Configuring track type (list)
• Configuring tracking type (route)
• Configuring tracking type (rtr)

Enabling track mode

SUMMARY STEPS
1. configure
2. track track-name
3. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: track track-name
Purpose: Enters track configuration mode.
Example:
RP/0/RSP0/CPU0:router(config)# track t1

Step 3
Command or Action: Use one of these commands:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring track type

There are different mechanisms to track the availability of the next-hop device. The tracking type can be of four types, using:
• line protocol
• list
• route
• IPSLA

Configuring tracking type (line protocol)

Line protocol is one of the object types the object tracker component can track. This object type provides an option for tracking state change notification from an interface. Based on the interface state change notification, it decides whether the track state should be UP or DOWN.

SUMMARY STEPS
1. configure
2. track track-name
3. type line-protocol state interface type interface-path-id
4. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: track track-name
Purpose: Enters track configuration mode.
Example:
RP/0/RSP0/CPU0:router(config)# track t1

Step 3
Command or Action: type line-protocol state interface type interface-path-id
Purpose: Sets the interface which needs to be tracked for state change notifications.
Example:
RP/0/RSP0/CPU0:router(config-track)# type line-protocol state interface tengige 0/4/4/0

Step 4
Command or Action: Use one of these commands:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring track type (list)

List is a boolean object type. Boolean refers to the capability of performing a boolean AND or boolean OR operation on combinations of different object types supported by object tracker.

SUMMARY STEPS
1. configure
2. track track-name
3. type list boolean and
4. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: track track-name
Purpose: Enters track configuration mode.
Example:
RP/0/RSP0/CPU0:router(config)# track t1

Step 3
Command or Action: type list boolean and
Purpose: Sets the list of track objects on which boolean AND or boolean OR operations could be performed.
Example:
RP/0/RSP0/CPU0:router(config-track)# type list boolean and

Step 4
Command or Action: Use one of these commands:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring tracking type (route)

Route is a route object type. The object tracker tracks the fib notification to determine the route reachability and the track state.

SUMMARY STEPS
1. configure
2. track track-name
3. type route reachability
4. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: track track-name
Purpose: Enters track configuration mode.
Example:
RP/0/RSP0/CPU0:router(config)# track t1

Step 3
Command or Action: type route reachability
Purpose: Sets the route on which reachability state needs to be learnt dynamically.
Example:
RP/0/RSP0/CPU0:router(config-track)# type route reachability

Step 4
Command or Action: Use one of these commands:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring tracking type (rtr)

IPSLA is an ipsla object type. The object tracker tracks the return code of ipsla operation to determine the track state changes.

SUMMARY STEPS
1. configure
2. track track-name
3. type rtr ipsla operation id reachability
4. Use one of these commands:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: track track-name
Purpose: Enters track configuration mode.
Example:
RP/0/RSP0/CPU0:router(config)# track t1

Step 3
Command or Action: type rtr ipsla operation id reachability
Purpose: Sets the ipsla operation id which needs to be tracked for reachability.
Example:
RP/0/RSP0/CPU0:router(config-track)# type rtr 100 reachability

Step 4
Command or Action: Use one of these commands:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config)# end
or
RP/0/RSP0/CPU0:router(config)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring Pure ACL-Based Forwarding for IPv6 ACL

SUMMARY STEPS
1. configure
2. {ipv6 } access-list name
3. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]] [ttl ttl value [value1 ... value2]][default] nexthop1 [ vrf vrf-name1 ][ipv6 ipv6-address1] [ nexthop2 [ vrf vrf-name2 ] [ipv6 ipv6-address2 ] [nexthop3 [vrf vrf-name3 ] [ipv6 ipv6-address3 ]]]
4. Do one of the following:
• end
• commit

DETAILED STEPS

Step 1
Command or Action: configure
Purpose: Enters global configuration mode.
Example:
RP/0/RSP0/CPU0:router# configure

Step 2
Command or Action: {ipv6 } access-list name
Purpose: Enters IPv6 access list configuration mode and configures the specified access list.
Example:
RP/0/RSP0/CPU0:router(config)# ipv6 access-list security-abf-acl

Step 3
Command or Action: [ sequence-number ] permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [dscp dscp] [fragments] [packet-length operator packet-length value] [log | log-input]] [ttl ttl value [value1 ... value2]][default] nexthop1 [ vrf vrf-name1 ][ipv6 ipv6-address1] [ nexthop2 [ vrf vrf-name2 ] [ipv6 ipv6-address2 ] [nexthop3 [vrf vrf-name3 ] [ipv6 ipv6-address3 ]]]
Purpose: Sets the conditions for an IPv6 access list. The configuration example shows how to configure pure ACL-based forwarding for ACL.
• Forwards the specified next hop for this entry.
Example:
RP/0/RSP0/CPU0:router(config-ipv6-acl)# 10 permit ipv6 any any default nexthop1 vrf vrf_A ipv6 11::1 nexthop2 vrf vrf_B ipv6 nexthop3 vrf vrf_C ipv6 33::3

Step 4
Command or Action: Do one of the following:
• end
• commit
Purpose: Saves configuration changes.
Example:
RP/0/RSP0/CPU0:router(config-ipv6-acl)# end
or
RP/0/RSP0/CPU0:router(config-ipv6-acl)# commit
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuration Examples for Implementing Access Lists and Prefix Lists

This section provides the following configuration examples:

Resequencing Entries in an Access List: Example

The following example shows access-list resequencing. The starting value in the resequenced access list is 10, and increment value is 20. The subsequent entries are ordered based on the increment values that users provide, and the range is from 1 to 2147483646.
When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the last entry in the access list.

ipv4 access-list acl_1
 10 permit ip host 10.3.3.3 host 172.16.5.34
 20 permit icmp any any
 30 permit tcp any host 10.3.3.3
 40 permit ip host 10.4.4.4 any
 60 permit ip host 172.16.2.2 host 10.3.3.12
 70 permit ip host 10.3.3.3 any log
 80 permit tcp host 10.3.3.3 host 10.1.2.2
 100 permit ip any any

configure
ipv4 access-list acl_1
end
resequence ipv4 access-list acl_1 10 20

ipv4 access-list acl_1
 10 permit ip host 10.3.3.3 host 172.16.5.34
 30 permit icmp any any
 50 permit tcp any host 10.3.3.3
 70 permit ip host 10.4.4.4 any
 90 permit ip host 172.16.2.2 host 10.3.3.12
 110 permit ip host 10.3.3.3 any log
 130 permit tcp host 10.3.3.3 host 10.1.2.2
 150 permit ip any any

ipv4 access-list acl_1
 10 permit ip host 10.3.3.3 host 172.16.5.34
 20 permit icmp any any
 30 permit tcp any host 10.3.3.3
 40 permit ip host 10.4.4.4 any
 60 permit ip host 172.16.2.2 host 10.3.3.12
 70 permit ip host 10.3.3.3 any log
 80 permit tcp host 10.3.3.3 host 10.1.2.2
 100 permit ip any any

configure
ipv6 access-list acl_1
end
resequence ipv6 access-list acl_1 10 20

ipv4 access-list acl_1
 10 permit ip host 10.3.3.3 host 172.16.5.34
 30 permit icmp any any
 50 permit tcp any host 10.3.3.3
 70 permit ip host 10.4.4.4 any
 90 Dynamic test permit ip any any
 110 permit ip host 172.16.2.2 host 10.3.3.12
 130 permit ip host 10.3.3.3 any log
 150 permit tcp host 10.3.3.3 host 10.1.2.2
 170 permit ip host 10.3.3.3 any
 190 permit ip any any

Adding Entries with Sequence Numbers: Example

In the following example, a new entry is added to IPv4 access list acl_5.
ipv4 access-list acl_5
 2 permit ipv4 host 10.4.4.2 any
 5 permit ipv4 host 10.0.0.44 any
 10 permit ipv4 host 10.0.0.1 any
 20 permit ipv4 host 10.0.0.2 any

configure
ipv4 access-list acl_5
 15 permit 10.5.5.5 0.0.0.255
end

ipv4 access-list acl_5
 2 permit ipv4 host 10.4.4.2 any
 5 permit ipv4 host 10.0.0.44 any
 10 permit ipv4 host 10.0.0.1 any
 15 permit ipv4 10.5.5.5 0.0.0.255 any
 20 permit ipv4 host 10.0.0.2 any

Adding Entries Without Sequence Numbers: Example

The following example shows how an entry with no specified sequence number is added to the end of an access list. When an entry is added without a sequence number, it is automatically given a sequence number that puts it at the end of the access list. Because the default increment is 10, the entry will have a sequence number 10 higher than the last entry in the existing access list.

configure
ipv4 access-list acl_10
 permit 10.1.1.1 0.0.0.255
 permit 10.2.2.2 0.0.0.255
 permit 10.3.3.3 0.0.0.255
end

ipv4 access-list acl_10
 10 permit ip 10.1.1.0 0.0.0.255 any
 20 permit ip 10.2.2.0 0.0.0.255 any
 30 permit ip 10.3.3.0 0.0.0.255 any

configure
ipv4 access-list acl_10
 permit 10.4.4.4 0.0.0.255
end

ipv4 access-list acl_10
 10 permit ip 10.1.1.0 0.0.0.255 any
 20 permit ip 10.2.2.0 0.0.0.255 any
 30 permit ip 10.3.3.0 0.0.0.255 any
 40 permit ip 10.4.4.0 0.0.0.255 any

IPv6 ACL in Class Map

In Release 4.2.1, Quality of Service (QoS) features on ASR 9000 Ethernet line card and ASR 9000 Enhanced Ethernet line card are enhanced to support these:

• ASR 9000 Enhanced Ethernet LC:
  ◦ Support on L2 and L3 interface and sub-interface
  ◦ Support on bundle L2 and L3 interface and sub-interface
  ◦ Support for both ingress and egress directions
  ◦ ICMP code and type for IPv4/IPv6
• ASR 9000 Ethernet LC:
  ◦ Support on only L3 interface and sub-interface
  ◦ Support on L3 bundle interface and sub-interface
  ◦ Support for both ingress and egress directions
  ◦ ICMP code and type for IPv4/IPv6
• IPv6-supported match fields:
  ◦ IPv6 Source Address
  ◦ IPv6 Destination Address
  ◦ IPv6 Protocol
  ◦ Time to live (TTL) or hop limit
  ◦ Source Port
  ◦ Destination Port
  ◦ TCP Flags
  ◦ IPv6 Flags (Routing Header (RH), Authentication Header (AH) and Destination Option Header (DH))
• Class map with IPv6 ACL that also supports:
  ◦ IPv4 ACL
  ◦ Discard class
  ◦ QoS Group
  ◦ Outer CoS
  ◦ Inner CoS
  ◦ Outer VLAN (ASR 9000 Enhanced Ethernet LC only)
  ◦ Inner VLAN (ASR 9000 Enhanced Ethernet LC only)
  ◦ match-not option
  ◦ type of service (TOS) support
• Policy-map with IPv6 ACL supports:
  ◦ hierarchical class-map

Configuring IPv6 ACL QoS - An Example

This example shows how to configure IPv6 ACL QoS with IPv4 ACL and other fields:

ipv6 access-list aclv6
 10 permit ipv6 1111:6666::2/64 1111:7777::2/64 authen
 30 permit tcp host 1111:4444::2 eq 100 host 1111:5555::2 ttl eq 10
!
ipv4 access-list aclv4
 10 permit ipv4 host 10.6.10.2 host 10.7.10.2
!
class-map match-any c.aclv6
 match access-group ipv6 aclv6
 match access-group ipv4 aclv4
 match cos 1
 end-class-map
!
policy-map p.aclv6
 class c.aclv6
  set precedence 3
 !
 class class-default
 !
 end-policy-map
!
show qos-ea km policy p.aclv6 vmr interface tenGigE 0/1/0/6.10 hw
================================================================================
B : type & id E : ether type VO : vlan outer VI : vlan inner
Q : tos/exp/group X : Reserved DC : discard class Fl : flags
F2: L2 flags F4: L4 flags SP/DP: L4 ports
T : IP TTL D : DFS class# L : leaf class#
Pl: Protocol G : QoS Grp M : V6 hdr ext. C : VMR count
--------------------------------------------------------------------------------
policy name p.aclv6 and km format type 4
Total Egress TCAM entries: 5
|B F2 VO VI Q G DC T F4 Pl SP DP M IPv4/6 SA IPv4/6 DA
================================================================================
V|3019 00 0000 0000 00 00 00 00 00 00 0000 0000 80 11116666:00000000:00000000:00000000 11117777:00000000:00000000:00000000
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF 7F 00000000:00000000:FFFFFFFF:FFFFFFFF 00000000:00000000:FFFFFFFF:FFFFFFFF
R| C=0 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3019 00 0000 0000 00 00 00 0A 01 00 0064 0000 00 11114444:00000000:00000000:00000002 11115555:00000000:00000000:00000002
M|0000 FF FFFF FFFF FF FF FF 00 FE FF 0000 FFFF FF 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
R| C=1 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 0000 0000 00 00 00 00 00 00 0000 0000 00 0A060A02 -------- -------- -------- 0A070A02 -------- -------- --------
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00000000 -------- -------- -------- 00000000 -------- -------- --------
R| C=2 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 2000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
M|0003 FF 1FFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=3 03080200 000000A6 F06000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000
V|3018 00 0000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
M|0003 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=4 03000200 00010002 FF0000FF 0000FF00 0002FF00 00FF0000 FF000000 00000000

This example shows how to configure hierarchical policy map:

ipv6 access-list aclv6.p
 10 permit ipv6 1111:1111::/8 2222:2222::/8
ipv6 access-list aclv6.c
 10 permit ipv6 host 1111:1111::2 host 2222:2222::3
class-map match-any c.aclv6.c
 match not access-group ipv6 aclv6.c
 end-class-map
!
class-map match-any c.aclv6.p
 match access-group ipv6 aclv6.p
 end-class-map
!
policy-map child
 class c.aclv6.c
  set precedence 7
!
policy-map parent
 class c.aclv6.p
  service-policy child
  set precedence 1

(config)#do show qos-ea km policy parent vmr interface tenGigE 0/1/0/6 hw
================================================================================
B : type & id E : ether type VO : vlan outer VI : vlan inner
Q : tos/exp/group X : Reserved DC : discard class Fl : flags
F2: L2 flags F4: L4 flags SP/DP: L4 ports
T : IP TTL D : DFS class# L : leaf class#
Pl: Protocol G : QoS Grp M : V6 hdr ext.
C : VMR count
================================================================================
policy name parent and format type 4
Total Ingress TCAM entries: 3
|B F2 VO VI Q G DC T F4 Pl SP DP M IPv4/6 SA IPv4/6 DA
================================================================================
V|200D 00 0000 0000 00 00 00 00 00 00 0000 0000 00 11111111:00000000:00000000:00000002 22222222:00000000:00000000:00000003
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
R| C=0 11800200 00020000 29000000 80004100 00000000 00000000 00000000 00000000
V|200D 00 0000 0000 00 00 00 00 00 00 0000 0000 00 11000000:00000000:00000000:00000000 22000000:00000000:00000000:00000000
M|0000 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF 00FFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF 00FFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=1 11800200 00010000 29000000 80004700 00000000 00000000 00000000 00000000
V|200C 00 0000 0000 00 00 00 00 00 00 0000 0000 00 00000000:00000000:00000000:00000000 00000000:00000000:00000000:00000000
M|0003 FF FFFF FFFF FF FF FF FF FF FF FFFF FFFF FF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF FFFFFFFF:FFFFFFFF:FFFFFFFF:FFFFFFFF
R| C=2 11000200 00030000 00000000 00000000 00000000 00000000 00000000 00000000

IPv4/IPv6 ACL over BVI interface

In Release 4.2.1, IPv4/IPv6 ACL is enabled over BVI interfaces on the ASR 9000 Enhanced Ethernet Line Cards.

For ACL over BVI interfaces, the defined direction is:
• L2 interface - ingress direction
• L3 interface - egress direction

Note: On the A9K-SIP-700 and ASR 9000 Ethernet Line Cards, ACLs on BVI interfaces are not supported. For ASR 9000 Ethernet line cards, ACL can be applied on the EFP level (IPv4 L3 ACL can be applied on an L2 interface).

Configuring IPv4 ACL over BVI interface - An Example

This example shows how to configure IPv4 ACL over a BVI interface:

ipv4 access-list bvi-acl
 10 permit ipv4 any any ttl eq 70
 20 deny ipv4 any any ttl eq 60

Additional References

The following sections provide references related to implementing access lists and prefix lists.

Related Documents

Related Topic: Access list commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Access List Commands module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference

Related Topic: Prefix list commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Prefix List Commands module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference

Related Topic: Terminal services commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Terminal Services Commands module in Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference

Standards

Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —

MIBs

MIBs: —
MIBs Link: To locate and download MIBs, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —

Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport

CHAPTER 2

Configuring ARP

Address resolution is the process of mapping network addresses to Media Access Control (MAC) addresses. This process is accomplished using the Address Resolution Protocol (ARP). This module describes how to configure ARP processes on the Cisco ASR 9000 Series Aggregation Services Router.

Note: For a complete description of the ARP commands listed in this module, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference. To locate documentation of other commands that appear in this module, use the command reference master index, or search online.

Feature History for Configuring ARP

Release: Release 3.7.2
Modification: This feature was introduced.

• Prerequisites for Configuring ARP
• Restrictions for Configuring ARP
• Information About Configuring ARP
• How to Configure ARP

Prerequisites for Configuring ARP

• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Restrictions for Configuring ARP

The following restrictions apply to configuring ARP:
• Reverse Address Resolution Protocol (RARP) is not supported.
• ARP throttling is not supported.
  Note: ARP throttling is the rate limiting of ARP packets in Forwarding Information Base (FIB).

The following additional restrictions apply when configuring the Direct Attached Gateway Redundancy (DAGR) feature on Cisco ASR 9000 Series Routers:
• IPv6 is not supported.
• Ethernet bundles are not supported.
• Non-Ethernet interfaces are not supported.
• Hitless ARP Process Restart is not supported.
• Hitless RSP Failover is not supported.

Information About Configuring ARP

To configure ARP, you must understand the following concepts:

IP Addressing Overview

A device on an IP network can have both a local address (which uniquely identifies the device on its local segment or LAN) and a network address (which identifies the network to which the device belongs). The local address is more properly known as a data link address, because it is contained in the data link layer (Layer 2 of the OSI model) part of the packet header and is read by data-link devices (bridges and all device interfaces, for example). Local addresses are also referred to as MAC addresses, because the MAC sublayer within the data link layer processes addresses for the layer.
To communicate with a device on Ethernet, for example, Cisco IOS XR software first must determine the 48-bit MAC or local data-link address of that device. The process of determining the local data-link address from an IP address is called address resolution.

Address Resolution on a Single LAN

The following process describes address resolution when the source and destination devices are attached to the same LAN:

1. End System A broadcasts an ARP request onto the LAN, attempting to learn the MAC address of End System B.
2. The broadcast is received and processed by all devices on the LAN, including End System B.
3. Only End System B replies to the ARP request. It sends an ARP reply containing its MAC address to End System A.
4. End System A receives the reply and saves the MAC address of End System B in its ARP cache. (The ARP cache is where network addresses are associated with MAC addresses.)
5. Whenever End System A needs to communicate with End System B, it checks the ARP cache, finds the MAC address of System B, and sends the frame directly, without needing to first use an ARP request.

Address Resolution When Interconnected by a Router

The following process describes address resolution when the source and destination devices are attached to different LANs that are interconnected by a router (only if proxy-arp is turned on):

1. End System Y broadcasts an ARP request onto the LAN, attempting to learn the MAC address of End System Z.
2. The broadcast is received and processed by all devices on the LAN, including Router X.
3. Router X checks its routing table and finds that End System Z is located on a different LAN.
4. Router X therefore acts as a proxy for End System Z.
   It replies to the ARP request from End System Y, sending an ARP reply containing its own MAC address as if it belonged to End System Z.
5. End System Y receives the ARP reply and saves the MAC address of Router X in its ARP cache, in the entry for End System Z.
6. When End System Y needs to communicate with End System Z, it checks the ARP cache, finds the MAC address of Router X, and sends the frame directly, without using ARP requests.
7. Router X receives the traffic from End System Y and forwards it to End System Z on the other LAN.

ARP and Proxy ARP

Two forms of address resolution are supported by Cisco IOS XR software: Address Resolution Protocol (ARP) and proxy ARP, as defined in RFC 826 and RFC 1027, respectively.

ARP is used to associate IP addresses with media or MAC addresses. Taking an IP address as input, ARP determines the associated media address. After a media or MAC address is determined, the IP address or media address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.

When proxy ARP is disabled, the networking device responds to ARP requests received on an interface only if one of the following conditions is met:
• The target IP address in the ARP request is the same as the interface IP address on which the request is received.
• The target IP address in the ARP request has a statically configured ARP alias.

When proxy ARP is enabled, the networking device also responds to ARP requests that meet all the following conditions:
• The target IP address is not on the same physical network (LAN) on which the request is received.
• The networking device has one or more routes to the target IP address.
• All of the routes to the target IP address go through interfaces other than the one on which the request is received.

ARP Cache Entries

ARP establishes correspondences between network addresses (an IP address, for example) and Ethernet hardware addresses. A record of each correspondence is kept in a cache for a predetermined amount of time and then discarded.

You can also add a static (permanent) entry to the ARP cache that persists until expressly removed.

Direct Attached Gateway Redundancy

Direct Attached Gateway Redundancy (DAGR) allows third-party redundancy schemes on connected devices to use gratuitous ARP as a failover signal, enabling the ARP process to advertise a new type of route in the Routing Information Base (RIB). These routes are distributed by Open Shortest Path First (OSPF).

Sometimes part of an IP network requires redundancy without routing protocols. A prime example is in the mobile environment, where devices such as base station controllers and multimedia gateways are deployed in redundant pairs, with aggressive failover requirements (subsecond or less), but typically do not have the capability to use native Layer 3 protocols such as OSPF or Intermediate System-to-Intermediate System (IS-IS) protocol to manage this redundancy. Instead, these devices assume they are connected to adjacent IP devices over an Ethernet switch, and manage their redundancy at Layer 2, using proprietary mechanisms similar to Virtual Router Redundancy Protocol (VRRP). This requires a resilient Ethernet switching capability, and depends on mechanisms such as MAC learning and MAC flooding.

DAGR is a feature that enables many of these devices to connect directly to Cisco ASR 9000 Series Routers without an intervening Ethernet switch. DAGR enables the subsecond failover requirements to be met using a Layer 3 solution. No MAC learning, flooding, or switching is required.

Note: Since mobile devices' 1:1 Layer 2 redundancy mechanisms are proprietary, they do not necessarily conform to any standard. So although most IP mobile equipment is compatible with DAGR, interoperability does require qualification, due to the possibly proprietary nature of the Layer 2 mechanisms with which DAGR interfaces.

Additional Guidelines

The following are additional guidelines to consider when configuring DAGR:
• Up to 40 DAGR peers, which may be on the same or different interfaces, are supported per system.
• Failover is supported for DAGR routes within 500 ms of receipt of an ARP reply packet.
• On ARP process restart, DAGR groups are reinitialized.

How to Configure ARP

This section contains instructions for the following tasks:

Defining a Static ARP Cache Entry

ARP and other address resolution protocols provide a dynamic mapping between IP addresses and media addresses. Because most hosts support dynamic address resolution, you generally do not need to specify static ARP cache entries. If you must define them, you can do so globally. Performing this task installs a permanent entry in the ARP cache. Cisco IOS XR software uses this entry to translate 32-bit IP addresses into 48-bit hardware addresses.

Optionally, you can specify that the software responds to ARP requests as if it were the owner of the specified IP address by making an alias entry in the ARP cache.

SUMMARY STEPS
1. configure
2. Do one of the following:
   • arp [vrf vrf-name] ip-address hardware-address encapsulation-type
   • arp [vrf vrf-name] ip-address hardware-address encapsulation-type alias
3. Do one of the following:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  Do one of the following:
        • arp [vrf vrf-name] ip-address hardware-address encapsulation-type
        • arp [vrf vrf-name] ip-address hardware-address encapsulation-type alias
        Creates a static ARP cache entry associating the specified 32-bit IP address with the specified 48-bit hardware address.
        Note: If an alias entry is created, then any interface to which the entry is attached will act as if it is the owner of the specified addresses, that is, it will respond to ARP request packets for this network layer address with the data link layer address in the entry.
        Example:
        RP/0/RSP0/CPU0:router(config)# arp 192.168.7.19 0800.0900.1834 arpa
        or
        RP/0/RSP0/CPU0:router(config)# arp 192.168.7.19 0800.0900.1834 arpa alias

Step 3  Do one of the following:
        • end
        • commit
        Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config)# end
        or
        RP/0/RSP0/CPU0:router(config)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
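
The reply conditions listed under "ARP and Proxy ARP" and the alias entry created in this task determine which ARP requests an interface answers with the router's own MAC address, which is worth checking before enabling either. The following Python model is an added example, not Cisco code: the topology, the second interface name, and all class and function names are assumptions, and "routes to the target" is taken to mean the longest-prefix matches in the routing table.

```python
"""Added example: the ARP reply decision described in this module, as a model."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address

GI0 = "GigabitEthernet0/2/0/0"   # interface name used in the guide's DAGR task
GI1 = "GigabitEthernet0/2/0/1"   # constructed second interface (assumption)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    out_interface: str


@dataclass
class Interface:
    name: str
    address: IPv4Interface      # interface IP and prefix length, e.g. 10.1.1.1/24
    proxy_arp: bool = False     # the guide states proxy ARP is disabled by default


@dataclass
class Router:
    interfaces: dict            # interface name -> Interface
    routes: list                # list of Route
    alias_ips: set = field(default_factory=set)  # static ARP entries made with "alias"

    def best_routes(self, target):
        """Assumption: 'routes to the target' are the longest-prefix matches."""
        matches = [r for r in self.routes if target in r.prefix]
        if not matches:
            return []
        longest = max(r.prefix.prefixlen for r in matches)
        return [r for r in matches if r.prefix.prefixlen == longest]

    def arp_decision(self, in_interface, target_ip):
        """Return (replies, reason) for an ARP request received on in_interface."""
        iface = self.interfaces[in_interface]
        target = ip_address(target_ip)
        # Conditions that apply even when proxy ARP is disabled.
        if target == iface.address.ip:
            return True, "interface address"
        if target in self.alias_ips:     # simplification: alias entries are global
            return True, "static alias entry"
        if not iface.proxy_arp:
            return False, "proxy ARP disabled"
        # Proxy ARP: all three conditions from the guide must be met.
        if target in iface.address.network:
            return False, "target on receiving LAN"
        routes = self.best_routes(target)
        if not routes:
            return False, "no route to target"
        if any(r.out_interface == in_interface for r in routes):
            return False, "route via receiving interface"
        return True, "proxy ARP"


def replies_for_foreign_addresses(router, requests):
    """Audit helper: requests the router answers for addresses it does not own."""
    findings = []
    for in_interface, target_ip in requests:
        replies, reason = router.arp_decision(in_interface, target_ip)
        if replies and reason != "interface address":
            findings.append((in_interface, target_ip, reason))
    return findings


def build_sample_router():
    """Constructed topology; only 192.168.7.19 comes from the guide's alias example."""
    return Router(
        interfaces={
            GI0: Interface(GI0, IPv4Interface("10.1.1.1/24"), proxy_arp=True),
            GI1: Interface(GI1, IPv4Interface("10.2.2.1/24")),
        },
        routes=[
            Route(IPv4Network("10.1.1.0/24"), GI0),
            Route(IPv4Network("10.2.2.0/24"), GI1),
            Route(IPv4Network("172.16.0.0/16"), GI1),
            Route(IPv4Network("192.168.50.0/24"), GI0),   # equal-cost pair: one path
            Route(IPv4Network("192.168.50.0/24"), GI1),   # uses the receiving side
        ],
        alias_ips={IPv4Address("192.168.7.19")},
    )


# Constructed ARP requests: (receiving interface, target IP address).
SAMPLE_REQUESTS = [
    (GI0, "10.1.1.1"), (GI0, "10.1.1.50"), (GI0, "10.2.2.9"), (GI0, "172.16.5.34"),
    (GI0, "192.168.50.7"), (GI0, "203.0.113.5"), (GI1, "10.1.1.50"), (GI1, "192.168.7.19"),
]

if __name__ == "__main__":
    sample = build_sample_router()
    for in_if, ip in SAMPLE_REQUESTS:
        print(in_if, ip, sample.arp_decision(in_if, ip))
```

The audit helper lists only the replies given on behalf of other addresses (alias and proxy ARP), which are the entries that place the router's MAC address in a host's ARP cache for an IP address the router does not own.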
Enabling Proxy ARP Cisco IOS XR software uses proxy ARP (as defined in RFC 1027) to help hosts with no knowledge of routing determine the media addresses of hosts on other networks or subnets. For example, if the router receives an ARP request for a host that is not on the same interface as the ARP request sender, and if the router has all of its routes to that host through other interfaces, then it generates a proxy ARP reply packet giving its own local data-link address. The host that sent the ARP request then sends its packets to the router, which forwards them to the intended host. Proxy ARP is disabled by default; this task describes how to enable proxy ARP if it has been disabled. Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x 54 OL-26068-02 Configuring ARP Enabling Proxy ARPSUMMARY STEPS 1. configure 2. interface type number 3. proxy-arp 4. Do one of the following: • end • commit DETAILED STEPS Command or Action Purpose configure Enters global configuration mode. Example: RP/0/RSP0/CPU0:router# configure Step 1 interface type number Enters interface configuration mode. Example: RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0 Step 2 proxy-arp Enables proxy ARP on the interface. Example: RP/0/RSP0/CPU0:router(config-if)# proxy-arp Step 3 Step 4 Do one of the following: Saves configuration changes. • end • When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before • commit Example: RP/0/RSP0/CPU0:router(config-if)# end exiting(yes/no/cancel)?[cancel]: or RP/0/RSP0/CPU0:router(config-if)# commit ? Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. ? Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. 
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring DAGR

Follow these steps to create a DAGR group on the Cisco ASR 9000 Series Router.

SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. arp dagr
4. peer ipv4 address
5. route distance normal normal-distance priority priority-distance
6. route metric normal normal-metric priority priority-metric
7. timers query query-time standby standby-time
8. priority-timeout time
9. Do one of the following:
   • end
   • commit
10. show arp dagr [ interface [ IP-address ]]

DETAILED STEPS

Step 1  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  interface type interface-path-id
        Purpose: Enters interface configuration mode and configures an interface.
        Example:
        RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/2/0/0

Step 3  arp dagr
        Purpose: Enters DAGR configuration mode.
        Example:
        RP/0/RSP0/CPU0:router(config-if)# arp dagr

Step 4  peer ipv4 address
        Purpose: Creates a new DAGR group for the virtual IP address.
        Example:
        RP/0/RSP0/CPU0:router(config-if-dagr)# peer ipv4 10.0.0.100

Step 5  route distance normal normal-distance priority priority-distance
        Purpose: (Optional) Configures route distance for the DAGR group.
        Example:
        RP/0/RSP0/CPU0:router(config-if-dagr-peer)# route distance normal 140 priority 3

Step 6  route metric normal normal-metric priority priority-metric
        Purpose: (Optional) Configures the route metric for the DAGR group.
        Example:
        RP/0/RSP0/CPU0:router(config-if-dagr-peer)# route metric normal 84 priority 80

Step 7  timers query query-time standby standby-time
        Purpose: (Optional) Configures the time in seconds between successive ARP requests being sent out for the virtual IP address.
        Example:
        RP/0/RSP0/CPU0:router(config-if-dagr-peer)# timers query 2 standby 19

Step 8  priority-timeout time
        Purpose: (Optional) Configures a timer for the length of time in seconds to wait before reverting to normal priority from a high-priority DAGR route.
        Example:
        RP/0/RSP0/CPU0:router(config-if-dagr-peer)# priority-timeout 25

Step 9  Do one of the following:
        • end
        • commit
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config-if-dagr)# end
        or
        RP/0/RSP0/CPU0:router(config-if-dagr)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 10 show arp dagr [ interface [ IP-address ]]
        Purpose: (Optional) Displays the operational state of all DAGR groups. Using the optional interface and IP-address arguments restricts the output to a specific interface or virtual IP address.
        Example:
        RP/0/RSP0/CPU0:router# show arp dagr

CHAPTER 3

Implementing Cisco Express Forwarding

Cisco Express Forwarding (CEF) is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive web-based applications, or interactive sessions.

This module describes the tasks required to implement CEF on your Cisco ASR 9000 Series Aggregation Services Router.

Note: For complete descriptions of the CEF commands listed in this module, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference. To locate documentation for other commands that might appear in the course of executing a configuration task, search online in the master command index.

Feature History for Implementing CEF
Release          Modification
Release 3.7.2    This feature was introduced.

• Prerequisites for Implementing Cisco Express Forwarding
• Information About Implementing Cisco Express Forwarding Software
• How to Implement CEF
• Configuration Examples for Implementing CEF on Routers Software
• Additional References

Prerequisites for Implementing Cisco Express Forwarding

The following prerequisites are required to implement Cisco Express Forwarding:
• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
  If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Information About Implementing Cisco Express Forwarding Software

To implement Cisco Express Forwarding features in this document you must understand the following concepts:

Key Features Supported in the Cisco Express Forwarding Implementation

The following features are supported for CEF on Cisco IOS XR software:
• Border Gateway Protocol (BGP) policy accounting
• Reverse path forwarding (RPF)
• Virtual interface support
• Multipath support
• Route consistency
• High availability features such as packaging, restartability, and Out of Resource (OOR) handling
• OSPFv2 SPF prefix prioritization
• BGP attributes download

Benefits of CEF

CEF offers the following benefits:
• Improved performance—CEF is less CPU-intensive than fast-switching route caching. More CPU processing power can be dedicated to Layer 3 services such as quality of service (QoS) and encryption.
• Scalability—CEF offers full switching capacity at each modular services card (MSC).
• Resilience—CEF offers an unprecedented level of switching consistency and stability in large dynamic networks. In dynamic networks, fast-switched cache entries are frequently invalidated due to routing changes. These changes can cause traffic to be process switched using the routing table, rather than fast switched using the route cache. Because the Forwarding Information Base (FIB) lookup table contains all known routes that exist in the routing table, it eliminates route cache maintenance and the fast-switch or process-switch forwarding scenario. CEF can switch traffic more efficiently than typical demand caching schemes.

CEF Components

Cisco IOS XR software CEF always operates in CEF mode with two distinct components: a Forwarding Information Base (FIB) database and adjacency table—a protocol-independent adjacency information base (AIB).

CEF is a primary IP packet-forwarding database for Cisco IOS XR software. CEF is responsible for the following functions:
• Software switching path
• Maintaining forwarding table and adjacency tables (which are maintained by the AIB) for software and hardware forwarding engines

The following CEF forwarding tables are maintained in Cisco IOS XR software:
• IPv4 CEF database
• IPv6 CEF database
• MPLS LFD database
• Multicast Forwarding Table (MFD)

The protocol-dependent FIB process maintains the forwarding tables for IPv4 and IPv6 unicast in the Route Switch Processor (RSP) and each MSC.

The FIB on each node processes Routing Information Base (RIB) updates, performing route resolution and maintaining FIB tables independently in the RSP and each MSC. FIB tables on each node can be slightly different. Adjacency FIB entries are maintained only on a local node, and adjacency entries linked to FIB entries could be different.

Border Gateway Protocol Policy Accounting

Border Gateway Protocol (BGP) policy accounting measures and classifies IP traffic that is sent to, or received from, different peers. Policy accounting is enabled on an individual input or output interface basis, and counters based on parameters such as community list, autonomous system number, or autonomous system path are assigned to identify the IP traffic.

Note: There are two types of route policies. The first type (regular BGP route policies) is used to filter the BGP routes advertised into or out from the BGP links. This type of route policy is applied to the specific BGP neighbor. The second type (specific route policy) is used to set up a traffic index for the BGP prefixes. This route policy is applied to the global BGP IPv4 address family to set up the traffic index when the BGP routes are inserted into the RIB table. BGP policy accounting uses the second type of route policy.

Using BGP policy accounting, you can account for traffic according to the route it traverses. Service providers can identify and account for all traffic by customer and bill accordingly. In Figure 1: Sample Topology for BGP Policy Accounting, BGP policy accounting can be implemented in Router A to measure packet and byte volumes in autonomous system buckets. Customers are billed appropriately for traffic that is routed from a domestic, international, or satellite source.

Note: BGP policy accounting measures and classifies IP traffic for BGP prefixes only.

Figure 1: Sample Topology for BGP Policy Accounting

Based on the specified routing policy, BGP policy accounting assigns each prefix a traffic index (bucket) associated with an interface. BGP prefixes are downloaded from the RIB to the FIB along with the traffic index.

There are a total of 63 (1 to 63) traffic indexes (bucket numbers) that can be assigned for BGP prefixes. Internally, there is an accounting table associated with the traffic indexes to be created for each input (ingress) and output (egress) interface. The traffic indexes allow you to account for the IP traffic, where the source IP address, the destination IP address, or both are BGP prefixes.

Note: Traffic index 0 contains the packet count using Interior Gateway Protocol (IGP) routes.

Reverse Path Forwarding (Strict and Loose)

Unicast IPv4 and IPv6 Reverse Path Forwarding (uRPF), both strict and loose modes, help mitigate problems caused by the introduction of malformed or spoofed IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. Unicast RPF does this by doing a reverse lookup in the CEF table. Therefore, Unicast Reverse Path Forwarding is possible only if CEF is enabled on the router.

IPv6 uRPF is supported with ASR 9000-SIP-700 LC, ASR 9000 Ethernet LC and ASR 9000 Enhanced Ethernet LC.

Note: Unicast RPF allows packets with 0.0.0.0 source addresses and 255.255.255.255 destination addresses to pass so that Bootstrap Protocol and Dynamic Host Configuration Protocol (DHCP) will function properly.

When strict uRPF is enabled, the source address of the packet is checked in the FIB. If the packet is received on the same interface that would be used to forward the traffic to the source of the packet, the packet passes the check and is further processed; otherwise, it is dropped. Strict uRPF should only be applied where there is natural or configured symmetry. Because internal interfaces are likely to have routing asymmetry, that is, multiple routes to the source of a packet, strict uRPF should not be implemented on interfaces that are internal to the network.

Note: The behavior of strict RPF varies slightly by platform, number of recursion levels, and number of paths in Equal-Cost Multipath (ECMP) scenarios. A platform may switch to loose RPF check for some or all prefixes, even though strict RPF is configured.

When loose uRPF is enabled, the source address of the packet is checked in the FIB. If it exists and matches a valid forwarding entry, the packet passes the check and is further processed; otherwise, it is dropped.

Strict mode uRPF requires maintenance of a uRPF interface list for the prefixes. The list contains only the interfaces configured for strict mode uRPF that the prefix path points to. The uRPF interface list is shared among the prefixes wherever possible. The size of this list is 12 for ASR 9000 Ethernet Line Cards and 64 for integrated 20G SIP cards. Strict to loose mode uRPF fallback happens when the list goes beyond the maximum supported value.

Loose and strict uRPF support two options: allow self-ping and allow default. The self-ping option allows the source of the packet to ping itself. The allow default option allows the lookup result to match a default routing entry. When the allow default option is enabled with the strict mode of the uRPF, the packet is processed further only if it arrived through the default interface.

BGP Attributes Download

The BGP Attributes Download feature enables you to display the installed BGP attributes in CEF. Use the show cef bgp-attribute command to display the installed BGP attributes in CEF. You can use the show cef bgp-attribute attribute-id command and the show cef bgp-attribute local-attribute-id command to look at specific BGP attributes by attribute ID and local attribute ID.

How to Implement CEF

This section contains instructions for the following tasks:

Verifying CEF

This task allows you to verify CEF.

SUMMARY STEPS
1. show cef {ipv4 | ipv6}
2. show cef {ipv4 | ipv6} summary
3. show cef {ipv4 | ipv6} detail
4. show adjacency detail

DETAILED STEPS

Step 1  show cef {ipv4 | ipv6}
        Purpose: Displays the IPv4 or IPv6 CEF table. The next hop and forwarding interface are displayed for each prefix.
        Note: The output of the show cef command varies by location.
        Example:
        RP/0/RSP0/CPU0:router# show cef ipv4

Step 2  show cef {ipv4 | ipv6} summary
        Purpose: Displays a summary of the IPv4 or IPv6 CEF table.
        Example:
        RP/0/RSP0/CPU0:router# show cef ipv4 summary

Step 3  show cef {ipv4 | ipv6} detail
        Purpose: Displays detailed IPv4 or IPv6 CEF table information.
        Example:
        RP/0/RSP0/CPU0:router# show cef ipv4 detail

Step 4  show adjacency detail
        Purpose: Displays detailed adjacency information, including Layer 2 information for each interface.
        Note: The output of the show adjacency command varies by location.
        Example:
        RP/0/RSP0/CPU0:router# show adjacency detail

Configuring BGP Policy Accounting

This task allows you to configure BGP policy accounting.

Note: There are two types of route policies. BGP policy accounting uses the type that is used to set up a traffic index for the BGP prefixes. The route policy is applied to the global BGP IPv4 address family to set up the traffic index when the BGP routes are inserted into the RIB table.

BGP policy accounting enables per interface accounting for ingress and egress IP traffic based on the traffic index assigned to the source IP address (BGP prefix) and destination IP address (BGP prefix). The traffic index of BGP prefixes can be assigned according to the following parameters using Routing Policy Language (RPL):
• prefix-set
• AS-path-set
• community-set

Note: BGP policy accounting is supported on IPv4 prefixes only.

Two configuration tasks provide the ability to classify BGP prefixes that are in the RIB according to the prefix-set, AS-path-set, or the community-set parameters:
1. Use the route-policy command to define the policy for traffic index setup based on the prefix-set, AS-path-set, or community-set.
2. Use the BGP table-policy command to apply the defined route policy to the global BGP IPv4 unicast address family.

See the Cisco ASR 9000 Series Aggregation Services Router Routing Command Reference for information on the route-policy and table-policy commands.

BGP policy accounting can be enabled on each interface with the following options:
• Use the ipv4 bgp policy accounting command with one of the following keyword options:
  ◦ input source-accounting
  ◦ input destination-accounting
  ◦ input source-accounting destination-accounting
• Use the ipv4 bgp policy accounting command with one of the following keyword options:
  ◦ output source-accounting
  ◦ output destination-accounting
  ◦ output source-accounting destination-accounting
• Use any combination of the keywords provided for the ipv4 bgp policy accounting command.

Before You Begin

Before using the BGP policy accounting feature, you must enable BGP on the router (CEF is enabled by default). See the Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide for information on enabling BGP.

SUMMARY STEPS
1. configure
2. as-path-set
3. exit
4. prefix-set name
5. exit
6. route-policy policy-name
7. end
8. configure
9. router bgp autonomous-system-number
10. address-family ipv4 {unicast | multicast }
11. table-policy policy-name
12. end
13. configure
14. interface type interface-path-id
15. ipv4 bgp policy accounting {input | output {destination-accounting [source-accounting] | source-accounting [destination-accounting]}}
16. Do one of the following:
    • end
    • commit

DETAILED STEPS

Step 1  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  as-path-set
        Purpose: Enters policy configuration mode.
        Example:
        RP/0/RSP0/CPU0:router(config)# as-path-set as107
        RP/0/RSP0/CPU0:router(config-as)# ios-regex '107$'
        RP/0/RSP0/CPU0:router(config-as)# end-set
        RP/0/RSP0/CPU0:router(config)# as-path-set as108
        RP/0/RSP0/CPU0:router(config-as)# ios-regex '108$'
        RP/0/RSP0/CPU0:router(config-as)# end-set

Step 3  exit
        Purpose: Returns to global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router(config-as)# exit

Step 4  prefix-set name
        Purpose: Defines the prefix list.
        Example:
        RP/0/RSP0/CPU0:router(config)# prefix-set RT-65

Step 5  exit
        Purpose: Returns to global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router(config-pfx)# exit

Step 6  route-policy policy-name
        Purpose: Specifies the route-policy name.
        Example:
        RP/0/RSP0/CPU0:router(config)# route-policy rp501b

Step 7  end
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config-rpl)# end
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Step 8  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 9  router bgp autonomous-system-number
        Purpose: Allows you to configure the BGP routing process.
        Example:
        RP/0/RSP0/CPU0:router(config)# router bgp 1

Step 10 address-family ipv4 {unicast | multicast }
        Purpose: Allows you to enter the address family configuration mode while configuring a BGP routing session.
        Example:
        RP/0/RSP0/CPU0:router(config-bgp)# address-family ipv4 unicast

Step 11 table-policy policy-name
        Purpose: Applies a routing policy to routes being installed into the routing table.
        Example:
        RP/0/RSP0/CPU0:router(config-bgp-af)# table-policy set-traffic-index

Step 12 end
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config-bgp-af)# end
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Step 13 configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 14 interface type interface-path-id
        Purpose: Enters interface configuration mode.
        Example:
        RP/0/RSP0/CPU0:router(config)# interface TenGigE0/1/0/2

Step 15 ipv4 bgp policy accounting {input | output {destination-accounting [source-accounting] | source-accounting [destination-accounting]}}
        Purpose: Enables BGP policy accounting.
        Example:
        RP/0/RSP0/CPU0:router(config-if)# ipv4 bgp policy accounting output destination-accounting

Step 16 Do one of the following:
        • end
        • commit
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config-if)# end
        or
        RP/0/RSP0/CPU0:router(config-if)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Verifying BGP Policy Accounting

This task allows you to verify BGP policy accounting.

Note: BGP policy accounting is supported on IPv4 prefixes.

Before You Begin

BGP policy accounting must be configured. See Configuring BGP Policy Accounting.

SUMMARY STEPS
1. show route bgp
2. show bgp summary
3. show bgp ip-address
4. show route ipv4 ip-address
5. show cef ipv4 prefix
6. show cef ipv4 prefix detail
7. show cef ipv4 interface type interface-path-id bgp-policy-statistics

DETAILED STEPS

Step 1  show route bgp
        Purpose: Displays all BGP routes with traffic indexes.
        Example:
        RP/0/RSP0/CPU0:router# show route bgp

Step 2  show bgp summary
        Purpose: Displays the status of all BGP neighbors.
        Example:
        RP/0/RSP0/CPU0:router# show bgp summary

Step 3  show bgp ip-address
        Purpose: Displays BGP prefixes with BGP attributes.
        Example:
        RP/0/RSP0/CPU0:router# show bgp 40.1.1.1

Step 4  show route ipv4 ip-address
        Purpose: Displays the specific BGP route with the traffic index in the RIB.
        Example:
        RP/0/RSP0/CPU0:router# show route ipv4 40.1.1.1

Step 5  show cef ipv4 prefix
        Purpose: Displays the specific BGP prefix with the traffic index in the RP FIB.
        Example:
        RP/0/RSP0/CPU0:router# show cef ipv4 40.1.1.1

Step 6  show cef ipv4 prefix detail
        Purpose: Displays the specific BGP prefix with detailed information in the RP FIB.
        Example:
        RP/0/RSP0/CPU0:router# show cef ipv4 40.1.1.1 detail

Step 7  show cef ipv4 interface type interface-path-id bgp-policy-statistics
        Purpose: Displays the BGP Policy Accounting statistics for the specific interface.
        Example:
        RP/0/RSP0/CPU0:router# show cef ipv4 interface TenGigE 0/2/0/4 bgp-policy-statistics

Configuring a Route Purge Delay

This task allows you to configure a route purge delay. A purge delay purges routes when the RIB or other related process experiences a failure.

SUMMARY STEPS
1. configure
2. cef purge-delay seconds
3. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  cef purge-delay seconds
        Purpose: Configures a delay in purging routes when the Routing Information Base (RIB) or other related processes experience a failure.
        Example:
        RP/0/RSP0/CPU0:router(config)# cef purge-delay 180

Step 3  Use one of these commands:
        • end
        • commit
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config)# end
        or
        RP/0/RSP0/CPU0:router(config)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring Unicast RPF Checking

This task allows you to configure unicast Reverse Path Forwarding (uRPF) checking. Unicast RPF checking allows you to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing.

SUMMARY STEPS
1. configure
2. interface type interface-path-id
3. {ipv4 | ipv6} verify unicast source reachable-via {any | rx} [allow-default] [allow-self-ping]
4. Do one of the following:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  interface type interface-path-id
        Purpose: Enters interface configuration mode.
        Example:
        RP/0/RSP0/CPU0:router(config)# interface gigabitethernet 0/1/0/0

Step 3  {ipv4 | ipv6} verify unicast source reachable-via {any | rx} [allow-default] [allow-self-ping]
        Purpose: Enables IPv4 or IPv6 uRPF checking.
        • The rx keyword enables strict unicast RPF checking. If strict unicast RPF is enabled, a packet is not forwarded unless its source prefix exists in the routing table and the output interface matches the interface on which the packet was received.
        • The allow-default keyword enables the matching of default routes. This option applies to both loose and strict RPF.
        • The allow-self-ping keyword enables the router to ping out an interface. This option applies to both loose and strict RPF.
        Example:
        RP/0/RSP0/CPU0:router(config-if)# ipv4 verify unicast source reachable-via rx

Step 4  Do one of the following:
        • end
        • commit
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config-if)# end
        or
        RP/0/RSP0/CPU0:router(config-if)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)?[cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring Modular Services Card-to-Route Processor Management Ethernet Interface Switching

This task allows you to enable MSC-to-RP management Ethernet interface switching.
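
Returning to unicast RPF checking (the verify unicast source reachable-via command configured in the preceding task): the following Python model is an added example, not Cisco code, that walks the strict (rx) and loose (any) decisions together with the allow-default and allow-self-ping options and the 0.0.0.0 to 255.255.255.255 exemption. The FIB contents, interface names and addresses are constructed; treating any ECMP path's interface as valid in strict mode and denying router-owned sources unless allow-self-ping is set are simplifying assumptions, and the platform fallback from strict to loose mode is not modelled.

```python
"""Simplified model of the strict (rx) and loose (any) uRPF checks."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interfaces: frozenset  # egress interfaces; more than one means ECMP


class Fib:
    """Longest-prefix-match table standing in for the CEF FIB."""

    def __init__(self, entries):
        routes = [Route(ipaddress.ip_network(p), frozenset(i)) for p, i in entries]
        # Most specific prefixes first, so the first hit is the longest match.
        self._routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        for route in self._routes:
            if addr in route.prefix:
                return route
        return None


def urpf_check(fib, src, dst, in_if, mode, allow_default=False,
               allow_self_ping=False, local_addrs=()):
    """Return (passed, reason) for one packet received on in_if.

    mode is the reachable-via keyword: "rx" (strict) or "any" (loose).
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # BOOTP/DHCP exemption: 0.0.0.0 -> 255.255.255.255 always passes.
    if str(src_ip) == "0.0.0.0" and str(dst_ip) == "255.255.255.255":
        return True, "bootp-dhcp-exempt"

    # Model assumption: a source address owned by the router itself is
    # accepted only when allow-self-ping is configured.
    if src_ip in {ipaddress.ip_address(a) for a in local_addrs}:
        if allow_self_ping:
            return True, "self-ping-allowed"
        return False, "self-ping-denied"

    route = fib.lookup(src_ip)
    if route is None:
        return False, "no-route-to-source"
    # A match on the default route counts only with allow-default.
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "default-route-only"
    if mode == "any":
        return True, "loose-match"
    # Strict: the receiving interface must be one used to reach the source.
    # With allow-default this means the packet arrived on the default interface.
    if in_if in route.interfaces:
        return True, "strict-match"
    return False, "strict-wrong-interface"


# Constructed sample data (documentation address ranges, made-up interfaces).
SAMPLE_FIB = Fib([
    ("198.51.100.0/24", ["Gi0/1/0/0"]),               # customer-facing
    ("203.0.113.0/24", ["Gi0/1/0/1", "Gi0/1/0/2"]),   # ECMP pair
    ("0.0.0.0/0", ["Gi0/1/0/3"]),                     # upstream default
])
ROUTER_ADDRS = ("198.51.100.1",)


def demo():
    """Run a few constructed packets through both modes and return the verdicts."""
    cases = [
        ("198.51.100.7", "203.0.113.5", "Gi0/1/0/0", "rx", {}),
        ("198.51.100.7", "203.0.113.5", "Gi0/1/0/3", "rx", {}),   # asymmetric or spoofed
        ("198.51.100.7", "203.0.113.5", "Gi0/1/0/3", "any", {}),
        ("192.0.2.9", "198.51.100.7", "Gi0/1/0/3", "rx", {}),
        ("192.0.2.9", "198.51.100.7", "Gi0/1/0/3", "rx", {"allow_default": True}),
        ("192.0.2.9", "198.51.100.7", "Gi0/1/0/0", "rx", {"allow_default": True}),
        ("0.0.0.0", "255.255.255.255", "Gi0/1/0/0", "rx", {}),
    ]
    results = []
    for src, dst, in_if, mode, opts in cases:
        verdict = urpf_check(SAMPLE_FIB, src, dst, in_if, mode,
                             local_addrs=ROUTER_ADDRS, **opts)
        results.append(verdict)
        print(f"{mode:>3} {in_if} {src:>13} -> {dst:<15} {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

The second and third cases show why strict mode belongs only where routing is symmetric: the same packet that loose mode accepts is dropped once it arrives on an interface other than the one the FIB uses to reach its source.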

SUMMARY STEPS
1. configure
2. rp mgmtethernet forwarding
3. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  rp mgmtethernet forwarding
        Purpose: Enables switching from the MSC to the route processor Management Ethernet interfaces.
        Example:
        RP/0/RSP0/CPU0:router(config)# rp mgmtethernet forwarding

Step 3  Use one of these commands:
        • end
        • commit
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config)# end
        or
        RP/0/RSP0/CPU0:router(config)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring BGP Attributes Download

This task allows you to configure the BGP Attributes Download feature.

SUMMARY STEPS
1. configure
2. cef bgp attribute {attribute-id | local-attribute-id }
3. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Purpose: Enters global configuration mode.
        Example:
        RP/0/RSP0/CPU0:router# configure

Step 2  cef bgp attribute {attribute-id | local-attribute-id }
        Purpose: Configures a CEF BGP attribute.
        Example:
        RP/0/RSP0/CPU0:router(config)# cef bgp attribute 508

Step 3  Use one of these commands:
        • end
        • commit
        Purpose: Saves configuration changes.
        Example:
        RP/0/RSP0/CPU0:router(config)# end
        or
        RP/0/RSP0/CPU0:router(config)# commit
        • When you issue the end command, the system prompts you to commit changes:
          Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuration Examples for Implementing CEF on Routers Software

This section provides the following configuration examples:

Configuring BGP Policy Accounting: Example

The following example shows how to configure BGP policy accounting.
Configure loopback interfaces for BGP router-id:

    interface Loopback1
     ipv4 address 10.1.1.1 255.255.255.255

Configure interfaces with the BGP policy accounting options:

    interface TenGigE0/2/0/2
     mtu 1514
     ipv4 address 10.1.0.1 255.255.255.0
     proxy-arp
     ipv4 directed-broadcast
     ipv4 bgp policy accounting input source-accounting destination-accounting
     ipv4 bgp policy accounting output source-accounting destination-accounting
    !
    interface TenGigE0/2/0/2.1
     ipv4 address 10.1.1.1 255.255.255.0
     ipv4 bgp policy accounting input source-accounting destination-accounting
     ipv4 bgp policy accounting output source-accounting destination-accounting
     dot1q vlan 1
    !
    interface TenGigE0/2/0/4
     mtu 1514
     ipv4 address 10.1.0.1 255.255.255.0
     proxy-arp
     ipv4 directed-broadcast
     ipv4 bgp policy accounting input source-accounting destination-accounting
     ipv4 bgp policy accounting output source-accounting destination-accounting
    !
    interface TenGigE0/2/0/4.1
     ipv4 address 10.1.2.1 255.255.255.0
     ipv4 bgp policy accounting input source-accounting destination-accounting
     ipv4 bgp policy accounting output source-accounting destination-accounting
     dot1q vlan 1
    !
    interface gigabitethernet 0/0/0/4
     mtu 4474
     ipv4 address 10.1.0.40 255.255.0.0
     ipv4 directed-broadcast
     ipv4 bgp policy accounting input source-accounting destination-accounting
     ipv4 bgp policy accounting output source-accounting destination-accounting
     encapsulation ppp
     gigabitethernet
      crc 32
     !
     keepalive disable
    !
    interface gigabitethernet0/0/0/8
     mtu 4474
     ipv4 address 18.8.0.1 255.255.0.0
     ipv4 directed-broadcast
     ipv4 bgp policy accounting input source-accounting destination-accounting
     ipv4 bgp policy accounting output source-accounting destination-accounting
     gigabitethernet
      crc 32
     !
     keepalive disable
    !
Configure controller:

    controller gigabitethernet0/0/0/4
     ais-shut
     path
      ais-shut
     !
     threshold sf-ber 5
    !
    controller SONET0/0/0/8
     ais-shut
     path
      ais-shut
     !
     threshold sf-ber 5
    !

Configure AS-path-set and prefix-set:

    as-path-set as107
     ios-regex '107$'
    end-set
    as-path-set as108
     ios-regex '108$'
    end-set
    prefix-set RT-65.0
     65.0.0.0/16 ge 16 le 32
    end-set
    prefix-set RT-66.0
     66.0.0.0/16 ge 16 le 32
    end-set

Configure the route-policy (table-policy) to set up the traffic indexes based on each prefix, AS-path-set, and prefix-set:

    route-policy bpa1
     if destination in (10.1.1.0/24) then
      set traffic-index 1
     elseif destination in (10.1.2.0/24) then
      set traffic-index 2
     elseif destination in (10.1.3.0/24) then
      set traffic-index 3
     elseif destination in (10.1.4.0/24) then
      set traffic-index 4
     elseif destination in (10.1.5.0/24) then
      set traffic-index 5
     endif
     if destination in (10.1.1.0/24) then
      set traffic-index 6
     elseif destination in (10.1.2.0/24) then
      set traffic-index 7
     elseif destination in (10.1.3.0/24) then
      set traffic-index 8
     elseif destination in (10.1.4.0/24) then
      set traffic-index 9
     elseif destination in (10.1.5.0/24) then
      set traffic-index 10
     endif
     if as-path in as107 then
      set traffic-index 7
     elseif as-path in as108 then
      set traffic-index 8
     endif
     if destination in RT-65.0 then
      set traffic-index 15
     elseif destination in RT-66.0 then
      set traffic-index 16
     endif
    end-policy

Configure the regular BGP route-policy to pass or drop all the BGP routes:

    route-policy drop-all
     drop
    end-policy
    !
    route-policy pass-all
     pass
    end-policy
    !

Configure the BGP router and apply the table-policy to the global ipv4 address family:

    router bgp 100
     bgp router-id Loopback1
     bgp graceful-restart
     bgp as-path-loopcheck
     address-family ipv4 unicast
      table-policy bpa1
      maximum-paths 8
      bgp dampening
     !
Configure the BGP neighbor-group:

     neighbor-group ebgp-peer-using-int-addr
      address-family ipv4 unicast
       policy pass-all in
       policy drop-all out
      !
     !
     neighbor-group ebgp-peer-using-int-addr-121
      remote-as 121
      address-family ipv4 unicast
       policy pass-all in
       policy drop-all out
      !
     !
     neighbor-group ebgp-peer-using-int-addr-pass-out
      address-family ipv4 unicast
       policy pass-all in
       policy pass-all out
      !
     !

Configure BGP neighbors:

     neighbor 10.4.0.2
      remote-as 107
      use neighbor-group ebgp-peer-using-int-addr
     !
     neighbor 10.8.0.2
      remote-as 108
      use neighbor-group ebgp-peer-using-int-addr
     !
     neighbor 10.7.0.2
      use neighbor-group ebgp-peer-using-int-addr-121
     !
     neighbor 10.1.7.2
      use neighbor-group ebgp-peer-using-int-addr-121
     !
     neighbor 10.18.0.2
      remote-as 122
      use neighbor-group ebgp-peer-using-int-addr
     !
     neighbor 10.18.1.2
      remote-as 1221
      use neighbor-group ebgp-peer-using-int-addr
     !
    end

Verifying BGP Policy Statistics: Example

The following example shows how to verify the traffic index setup for each BGP prefix and BGP Policy Accounting statistics on ingress and egress interfaces.
The following traffic stream is configured for this example:

• Traffic comes in from TenGigE0/2/0/4 and goes out to 5 VLAN subinterfaces under TenGigE0/2/0/2
• Traffic comes in from GigabitEthernet 0/0/0/8 and goes out to GigabitEthernet 0/0/0/4

    show cef ipv4 interface gigabitethernet 0/0/0/8 bgp-policy-statistics

    gigabitethernet0/0/0/8 is up
    Input BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
            7     5001160    500116000
           15    10002320   1000232000
    Input BGP policy accounting on src IP address enabled
      buckets     packets        bytes
            8     5001160    500116000
           16    10002320   1000232000
    Output BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
            0          15          790
    Output BGP policy accounting on src IP address enabled
      buckets     packets        bytes
            0          15          790

    show cef ipv4 interface gigabitethernet 0/0/0/4 bgp-policy-statistics

    gigabitethernet0/0/0/4 is up
    Input BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
    Input BGP policy accounting on src IP address enabled
      buckets     packets        bytes
    Output BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
            0          13          653
            7     5001160    500116000
           15    10002320   1000232000
    Output BGP policy accounting on src IP address enabled
      buckets     packets        bytes
            0          13          653
            8     5001160    500116000
           16    10002320   1000232000

    show cef ipv4 interface TenGigE0/2/0/4 bgp-policy-statistics

    TenGigE0/2/0/4 is up
    Input BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
            1     3297102    329710200
            2     3297102    329710200
            3     3297102    329710200
            4     3297101    329710100
            5     3297101    329710100
    Input BGP policy accounting on src IP address enabled
      buckets     packets        bytes
            6     3297102    329710200
            7     3297102    329710200
            8     3297102    329710200
            9     3297101    329710100
           10     3297101    329710100
    Output BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
            0          15          733
    Output BGP policy accounting on src IP address enabled
      buckets     packets        bytes
            0          15          733

    show cef ipv4 interface TenGigE0/2/0/2.1 bgp-policy-statistics

    TenGigE0/2/0/2.1 is up
    Input BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
    Input BGP policy accounting on src IP address enabled
      buckets     packets        bytes
    Output BGP policy accounting on dst IP address enabled
      buckets     packets        bytes
            0          15          752
            1     3297102    329710200
            2     3297102    329710200
            3     3297102    329710200
            4     3297101    329710100
            5     3297101    329710100
    Output BGP policy accounting on src IP address enabled
      buckets     packets        bytes
            0          15          752
            6     3297102    329710200
            7     3297102    329710200
            8     3297102    329710200
            9     3297101    329710100
           10     3297101    329710100

The following example shows how to verify BGP routes and traffic indexes:

    show route bgp

    B 10.1.1.0/24 [20/0] via 10.17.1.2, 00:07:09 Traffic Index 1
    B 10.1.2.0/24 [20/0] via 10.17.1.2, 00:07:09 Traffic Index 2
    B 10.1.3.0/24 [20/0] via 10.17.1.2, 00:07:09 Traffic Index 3
    B 10.1.4.0/24 [20/0] via 10.17.1.2, 00:07:09 Traffic Index 4
    B 10.1.5.0/24 [20/0] via 10.17.1.2, 00:07:09 Traffic Index 5
    B 10.18.1.0/24 [20/0] via 10.18.1.2, 00:07:09 Traffic Index 6
    B 10.18.2.0/24 [20/0] via 10.18.1.2, 00:07:09 Traffic Index 7
    B 10.18.3.0/24 [20/0] via 10.18.1.2, 00:07:09 Traffic Index 8
    B 10.28.4.0/24 [20/0] via 10.18.1.2, 00:07:09 Traffic Index 9
    B 10.28.5.0/24 [20/0] via 10.18.1.2, 00:07:09 Traffic Index 10
    B 10.65.1.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.2.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.3.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.65.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.5.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.6.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.7.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.8.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.9.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.65.10.0/24 [20/0] via 10.45.0.2, 00:07:09 Traffic Index 15
    B 10.66.1.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.2.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.3.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.4.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.5.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.6.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.7.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.8.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.9.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.66.10.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 16
    B 10.67.1.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.2.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.3.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.4.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.5.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.6.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.7.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.8.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.9.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.67.10.0/24 [20/0] via 10.32.0.2, 00:07:09 Traffic Index 7
    B 10.68.1.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.2.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.3.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.4.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.5.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.6.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.7.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.8.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.9.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8
    B 10.68.10.0/24 [20/0] via 10.8.0.2, 00:07:09 Traffic Index 8

    show bgp summary

    BGP router identifier 192.0.2.0, local AS number 100
    BGP generic scan interval 60 secs
    BGP main routing table version 151
    Dampening enabled
    BGP scan interval 60 secs
    BGP is operating in STANDALONE mode.
    Process   RecvTblVer   bRIB/RIB   SendTblVer
    Speaker          151        151          151

    Neighbor    Spk    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   St/PfxRcd
    10.4.0.2      0   107       54       53     151    0     0  00:25:26         20
    10.1.0.2      0   108       54       53     151    0     0  00:25:28         20
    10.1.0.2      0   121       53       54     151    0     0  00:25:42          0
    10.1.1.2      0   121       53       53     151    0     0  00:25:06          5
    10.1.2.2      0   121       52       54     151    0     0  00:25:04          0
    10.1.3.2      0   121       52       53     151    0     0  00:25:26          0
    10.1.4.2      0   121       53       54     151    0     0  00:25:41          0
    10.1.5.2      0   121       53       54     151    0     0  00:25:43          0
    10.1.6.2      0   121       51       53     151    0     0  00:24:59          0
    10.1.7.2      0   121       51       52     151    0     0  00:24:44          0
    10.1.8.2      0   121       51       52     151    0     0  00:24:49          0
    10.2.0.2      0   122       52       54     151    0     0  00:25:21          0
    10.2.1.2      0  1221       54       54     151    0     0  00:25:43          5
    10.2.2.2      0  1222       53       54     151    0     0  00:25:38          0
    10.2.3.2      0  1223       52       53     151    0     0  00:25:17          0
    10.2.4.2      0  1224       51       52     151    0     0  00:24:57          0
    10.2.5.2      0  1225       52       53     151    0     0  00:25:14          0
    10.2.6.2      0  1226       52       54     151    0     0  00:25:04          0
    10.2.7.2      0  1227       52       54     151    0     0  00:25:13          0
    10.2.8.2      0  1228       53       54     151    0     0  00:25:36          0

    show bgp 27.1.1.1

    BGP routing table entry for 27.1.1.0/24
    Versions:
      Process   bRIB/RIB   SendTblVer
      Speaker        102          102
    Paths: (1 available, best #1)
      Not advertised to any peer
      Received by speaker 0
      121
        10.1.1.2 from 10.1.1.2 (10.1.1.2)
          Origin incomplete, localpref 100, valid, external, best
          Community: 27:1 121:1

    show bgp 10.1.1.1

    BGP routing table entry for 10.1.1.0/24
    Versions:
      Process   bRIB/RIB   SendTblVer
      Speaker        107          107
    Paths: (1 available, best #1)
      Not advertised to any peer
      Received by speaker 0
      1221
        10.2.1.2 from 10.2.1.2 (18.1.1.2)
          Origin incomplete, localpref 100, valid, external, best
          Community: 28:1 1221:1

    show bgp 10.0.1.1

    BGP routing table entry for 10.0.1.0/24
    Versions:
      Process   bRIB/RIB   SendTblVer
      Speaker        112          112
    Paths: (1 available, best #1)
      Not advertised to any peer
      Received by speaker 0
      107
        10.1.0.2 from 10.1.0.2 (10.1.0.2)
          Origin incomplete, localpref 100, valid, external, best
          Community: 107:65

    show bgp 10.2.1.1

    BGP routing table entry for 10.2.1.0/24
    Versions:
      Process   bRIB/RIB   SendTblVer
      Speaker        122          122
    Paths: (1 available, best #1)
      Not advertised to any peer
      Received by speaker 0
      108
        8.1.0.2 from 8.1.0.2 (8.1.0.2)
          Origin incomplete, localpref 100, valid, external, best
          Community: 108:66

    show bgp 67.0.1.1

    BGP routing table entry for 67.0.1.0/24
    Versions:
      Process   bRIB/RIB   SendTblVer
      Speaker        132          132
    Paths: (1 available, best #1)
      Not advertised to any peer
      Received by speaker 0
      107
        4.1.0.2 from 4.1.0.2 (4.1.0.2)
          Origin incomplete, localpref 100, valid, external, best
          Community: 107:67

    show bgp 68.0.1.1

    BGP routing table entry for 68.0.1.0/24
    Versions:
      Process   bRIB/RIB   SendTblVer
      Speaker        142          142
    Paths: (1 available, best #1)
      Not advertised to any peer
      Received by speaker 0
      108
        8.1.0.2 from 8.1.0.2 (8.1.0.2)
          Origin incomplete, localpref 100, valid, external, best
          Community: 108:68

    show route ipv4 27.1.1.1

    Routing entry for 27.1.1.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 121, type external, Traffic Index 1
      Installed Nov 11 21:14:05.462
      Routing Descriptor Blocks
        17.1.1.2, from 17.1.1.2
          Route metric is 0
      No advertising protos.

    show route ipv4 28.1.1.1

    Routing entry for 28.1.1.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 1221, type external, Traffic Index 6
      Installed Nov 11 21:14:05.462
      Routing Descriptor Blocks
        18.1.1.2, from 18.1.1.2
          Route metric is 0
      No advertising protos.

    show route ipv4 65.0.1.1

    Routing entry for 65.0.1.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 107, type external, Traffic Index 15
      Installed Nov 11 21:14:05.462
      Routing Descriptor Blocks
        4.1.0.2, from 4.1.0.2
          Route metric is 0
      No advertising protos.
    show route ipv4 66.0.1.1

    Routing entry for 66.0.1.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 108, type external, Traffic Index 16
      Installed Nov 11 21:14:05.462
      Routing Descriptor Blocks
        8.1.0.2, from 8.1.0.2
          Route metric is 0
      No advertising protos.

    show route ipv4 67.0.1.1

    Routing entry for 67.0.1.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 107, type external, Traffic Index 7
      Installed Nov 11 21:14:05.462
      Routing Descriptor Blocks
        4.1.0.2, from 4.1.0.2
          Route metric is 0
      No advertising protos.

    show route ipv4 68.0.1.1

    Routing entry for 68.0.1.0/24
      Known via "bgp 100", distance 20, metric 0
      Tag 108, type external, Traffic Index 8
      Installed Nov 11 21:14:05.462
      Routing Descriptor Blocks
        8.1.0.2, from 8.1.0.2
          Route metric is 0
      No advertising protos.

    show cef ipv4 27.1.1.1

    27.1.1.0/24, version 263, source-destination sharing
      Prefix Len 24, Traffic Index 1, precedence routine (0)
      via 17.1.1.2, 0 dependencies, recursive
        next hop 17.1.1.2/24, TenGigE0/2/0/2.1 via 17.1.1.0/24
        valid remote adjacency
        Recursive load sharing using 17.1.1.0/24

    show cef ipv4 28.1.1.1

    28.1.1.0/24, version 218, source-destination sharing
      Prefix Len 24, Traffic Index 6, precedence routine (0)
      via 18.1.1.2, 0 dependencies, recursive
        next hop 18.1.1.2/24, TenGigE0/2/0/4.1 via 18.1.1.0/24
        valid remote adjacency
        Recursive load sharing using 18.1.1.0/24

    show cef ipv4 65.0.1.1

    65.0.1.0/24, version 253, source-destination sharing
      Prefix Len 24, Traffic Index 15, precedence routine (0)
      via 4.1.0.2, 0 dependencies, recursive
        next hop 4.1.0.2/16, gigabitethernet0/0/0/4 via 4.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 4.1.0.0/16

    show cef ipv4 66.0.1.1

    66.0.1.0/24, version 233, source-destination sharing
      Prefix Len 24, Traffic Index 16, precedence routine (0)
      via 8.1.0.2, 0 dependencies, recursive
        next hop 8.1.0.2/16, gigabitethernet 0/0/0/8 via 8.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 8.1.0.0/16

    show cef ipv4 67.0.1.1

    67.0.1.0/24, version 243, source-destination sharing
      Prefix Len 24, Traffic Index 7, precedence routine (0)
      via 4.1.0.2, 0 dependencies, recursive
        next hop 4.1.0.2/16, gigabitethernet 0/0/0/4 via 4.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 4.1.0.0/16

    show cef ipv4 68.0.1.1

    68.0.1.0/24, version 223, source-destination sharing
      Prefix Len 24, Traffic Index 8, precedence routine (0)
      via 8.1.0.2, 0 dependencies, recursive
        next hop 8.1.0.2/16, gigabitethernet0/0/0/8 via 8.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 8.1.0.0/16

    show cef ipv4 27.1.1.1 detail

    27.1.1.0/24, version 263, source-destination sharing
      Prefix Len 24, Traffic Index 1, precedence routine (0)
      via 17.1.1.2, 0 dependencies, recursive
        next hop 17.1.1.2/24, TenGigE0/2/0/2.1 via 17.1.1.0/24
        valid remote adjacency
        Recursive load sharing using 17.1.1.0/24
      Load distribution: 0 (refcount 6)
      Hash  OK  Interface           Address    Packets
      1     Y   TenGigE0/2/0/2.1    (remote)   0

    show cef ipv4 28.1.1.1 detail

    28.1.1.0/24, version 218, source-destination sharing
      Prefix Len 24, Traffic Index 6, precedence routine (0)
      via 18.1.1.2, 0 dependencies, recursive
        next hop 18.1.1.2/24, TenGigE0/2/0/4.1 via 18.1.1.0/24
        valid remote adjacency
        Recursive load sharing using 18.1.1.0/24
      Load distribution: 0 (refcount 6)
      Hash  OK  Interface           Address    Packets
      1     Y   TenGigE0/2/0/4.1    (remote)   0

    show cef ipv4 65.0.1.1 detail

    65.0.1.0/24, version 253, source-destination sharing
      Prefix Len 24, Traffic Index 15, precedence routine (0)
      via 4.1.0.2, 0 dependencies, recursive
        next hop 4.1.0.2/16, gigabitethernet0/0/0/4 via 4.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 4.1.0.0/16
      Load distribution: 0 (refcount 21)
      Hash  OK  Interface                 Address    Packets
      1     Y   gigabitethernet0/0/0/4    (remote)   0

    show cef ipv4 66.0.1.1 detail

    66.0.1.0/24, version 233, source-destination sharing
      Prefix Len 24, Traffic Index 16, precedence routine (0)
      via 8.1.0.2, 0 dependencies, recursive
        next hop 8.1.0.2/16, gigabitethernet0/0/0/8 via 8.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 8.1.0.0/16
      Load distribution: 0 (refcount 21)
      Hash  OK  Interface                  Address    Packets
      1     Y   gigabitethernet 0/0/0/8    (remote)   0

    show cef ipv4 67.0.1.1 detail

    67.0.1.0/24, version 243, source-destination sharing
      Prefix Len 24, Traffic Index 7, precedence routine (0)
      via 4.1.0.2, 0 dependencies, recursive
        next hop 4.1.0.2/16, gigabitethernet 0/0/0/4 via 4.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 4.1.0.0/16
      Load distribution: 0 (refcount 21)
      Hash  OK  Interface                  Address    Packets
      1     Y   gigabitethernet 0/0/0/4    (remote)   0

    show cef ipv4 68.0.1.1 detail

    68.0.1.0/24, version 223, source-destination sharing
      Prefix Len 24, Traffic Index 8, precedence routine (0)
      via 8.1.0.2, 0 dependencies, recursive
        next hop 8.1.0.2/16, gigabitethernet 0/0/0/8 via 8.1.0.0/16
        valid remote adjacency
        Recursive load sharing using 8.1.0.0/16
      Load distribution: 0 (refcount 21)
      Hash  OK  Interface                  Address    Packets
      1     Y   gigabitethernet 0/0/0/8    (remote)   0

Configuring Unicast RPF Checking: Example

The following example shows how to configure unicast RPF checking:

    configure
    interface gigabitethernet 0/0/0/1
    ipv4 verify unicast source reachable-via rx
    end

Configuring the Switching of Modular Services Card to Management Ethernet Interfaces on the Route Processor: Example

The following example shows how to configure the switching of the MSC to Management Ethernet interfaces on the route processor:

    configure
    rp mgmtethernet forwarding
    end

Configuring BGP Attributes Download: Example

The following example shows how to configure the BGP Attributes Download feature:

    router configure
    show cef bgp attribute {attribute-id | local-attribute-id}

Additional References

The following sections provide references related to implementing CEF.

Related Documents

  Related Topic:  CEF commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
  Document Title: Cisco Express Forwarding Commands module in Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference

  Related Topic:  BGP commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
  Document Title: BGP Commands module in the Cisco ASR 9000 Series Aggregation Services Router Routing Command Reference

  Related Topic:  Link Bundling Commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
  Document Title: Link Bundling Commands module in the Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference

Standards

  No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

  To locate and download MIBs, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

  No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance

  Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
  Link: http://www.cisco.com/techsupport

CHAPTER 4

Implementing the Dynamic Host Configuration Protocol

This module describes the concepts and tasks you will use to configure Dynamic Host Configuration Protocol (DHCP).

Note: For a complete description of the DHCP commands listed in this module, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference publication. To locate documentation of other commands that appear in this chapter, use the command reference master index, or search online.

Feature History for Implementing the Dynamic Host Configuration Protocol

  Release         Modification
  Release 3.7.2   This feature was introduced.
• Prerequisites for Configuring DHCP Relay Agent
• Information About DHCP Relay Agent
• How to Configure and Enable DHCP Relay Agent
• DHCPv6 Relay Agent Notification for Prefix Delegation
• Configuration Examples for the DHCP Relay Agent
• Implementing DHCP Snooping
• Additional References

Prerequisites for Configuring DHCP Relay Agent

The following prerequisites are required to configure a DHCP relay agent:

• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
• A configured and running DHCP client and DHCP server
• Connectivity between the relay agent and DHCP server

Information About DHCP Relay Agent

A DHCP relay agent is a host that forwards DHCP packets between clients and servers that do not reside on a shared physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks transparently.

DHCP clients use User Datagram Protocol (UDP) broadcasts to send DHCPDISCOVER messages when they lack information about the network to which they belong.

If a client is on a network segment that does not include a server, a relay agent is needed on that network segment to ensure that DHCP packets reach the servers on another network segment. UDP broadcast packets are not forwarded, because most routers are not configured to forward broadcast traffic. You can configure a DHCP relay agent to forward DHCP packets to a remote server by configuring a DHCP relay profile and configuring one or more helper addresses in it. You can assign the profile to an interface or a VRF.
Figure 2: Forwarding UDP Broadcasts to a DHCP Server Using a Helper Address demonstrates the process. The DHCP client broadcasts a request for an IP address and additional configuration parameters on its local LAN. Acting as a DHCP relay agent, Router B picks up the broadcast, changes the destination address to the DHCP server's address, and sends the message out on another interface. The relay agent inserts the IP address of the interface on which the DHCP client's packets are received into the gateway address (giaddr) field of the DHCP packet, which enables the DHCP server to determine which subnet should receive the offer and identify the appropriate IP address range. The relay agent unicasts the messages to the server address, in this case 172.16.1.2 (which is specified by the helper address in the relay profile).

Figure 2: Forwarding UDP Broadcasts to a DHCP Server Using a Helper Address

How to Configure and Enable DHCP Relay Agent

This section contains the following tasks:

Configuring and Enabling the DHCP Relay Agent

This task describes how to configure and enable DHCP relay agent.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Enters global configuration mode.
        Example:
            RP/0/RSP0/CPU0:router# configure

Step 2  dhcp ipv4
        Enters DHCP IPv4 configuration submode.
        Example:
            RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3  Use one of these commands:
          • end
          • commit
        Saves configuration changes.
        • When you issue the end command, the system prompts you to commit changes:
              Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
        Example:
            RP/0/RSP0/CPU0:router(config)# end
        or
            RP/0/RSP0/CPU0:router(config)# commit

Configuring a DHCP Relay Profile

This task describes how to configure and enable the DHCP relay agent.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. profile profile-name relay
4. helper-address [vrf vrf-name] address
5. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Enters global configuration mode.
        Example:
            RP/0/RSP0/CPU0:router# configure

Step 2  dhcp ipv4
        Enters DHCP IPv4 configuration submode.
        Example:
            RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3  profile profile-name relay
        Enters DHCP IPv4 profile relay submode.
        Example:
            RP/0/RSP0/CPU0:router(config-dhcpv4)# profile client relay

Step 4  helper-address [vrf vrf-name] address
        Forwards UDP broadcasts, including BOOTP and DHCP.
        • The value of the address argument can be a specific DHCP server address or a network address (if other DHCP servers are on the destination network segment). Using the network address enables other servers to respond to DHCP requests.
        • For multiple servers, configure one helper address for each server.
        Example:
            RP/0/RSP0/CPU0:router(config-dhcpv4-relay-profile)# helper-address vrf vrf1 10.10.1.1

Step 5  Use one of these commands:
          • end
          • commit
        Saves configuration changes.
        • When you issue the end command, the system prompts you to commit changes:
              Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
        Example:
            RP/0/RSP0/CPU0:router(config)# end
        or
            RP/0/RSP0/CPU0:router(config)# commit

Configuring the DHCPv6 (Stateless) Relay Agent

Perform this task to specify a destination address to which client messages are forwarded and to enable Dynamic Host Configuration Protocol (DHCP) for IPv6 relay service on the interface.

SUMMARY STEPS

1. configure
2. dhcp ipv6
3. interface type interface-path-id relay
4. destination ipv6-address
5. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Enters global configuration mode.
        Example:
            RP/0/RSP0/CPU0:router# configure

Step 2  dhcp ipv6
        Enables DHCP for IPv6 and enters the DHCP IPv6 configuration mode.
        Example:
            RP/0/RSP0/CPU0:router(config)# dhcp ipv6
            RP/0/RSP0/CPU0:router(config-dhcpv6)#

Step 3  interface type interface-path-id relay
        Specifies an interface type and interface-path-id, places the router in interface configuration mode, and enables DHCPv6 relay service on the interface.
        Example:
            RP/0/RSP0/CPU0:router(config-dhcpv6)# interface tenGigE 0/5/0/0 relay

Step 4  destination ipv6-address
        Specifies a destination address to which client packets are forwarded.
        When relay service is enabled on an interface, a DHCP for IPv6 message received on that interface is forwarded to all configured relay destinations. The incoming DHCP for IPv6 message may have come from a client on that interface, or it may have been relayed by another relay agent.
        Example:
            RP/0/RSP0/CPU0:router(config-dhcpv6-if)# destination 10:10::10

Step 5  Use one of these commands:
          • end
          • commit
        Saves configuration changes.
        • When you issue the end command, the system prompts you to commit changes:
              Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
        Example:
            RP/0/RSP0/CPU0:router(config)# end
        or
            RP/0/RSP0/CPU0:router(config)# commit

Enabling DHCP Relay Agent on an Interface

This task describes how to enable the Cisco IOS XR DHCP relay agent on an interface.

Note: On Cisco IOS XR software, the DHCP relay agent is disabled by default.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. interface type name relay profile profile-name
4. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1  configure
        Enters global configuration mode.
        Example:
            RP/0/RSP0/CPU0:router# configure

Step 2  dhcp ipv4
        Enters DHCP IPv4 configuration submode.
        Example:
            RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3  interface type name relay profile profile-name
        Attaches a relay profile to an interface.
        Example:
            RP/0/RSP0/CPU0:router(config-dhcpv4)# interface gigabitethernet 0/0/0/0 relay profile client

Step 4  Use one of these commands:
          • end
          • commit
        Saves configuration changes.
        • When you issue the end command, the system prompts you to commit changes:
              Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
          - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
        Example:
            RP/0/RSP0/CPU0:router(config)# end
        or
            RP/0/RSP0/CPU0:router(config)# commit

Disabling DHCP Relay on an Interface

This task describes how to disable the DHCP relay on an interface by assigning the none profile to the interface.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. interface type name none
4. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. dhcp ipv4
  Purpose: Enters DHCP IPv4 configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3. interface type name none
  Purpose: Disables the DHCP relay on the interface.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4-relay-profile)# interface gigabitethernet 0/1/4/1 none

Step 4. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Enabling DHCP Relay on a VRF

This task describes how to enable DHCP relay on a VRF.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. vrf vrf-name relay profile profile-name
4. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. dhcp ipv4
  Purpose: Enters DHCP IPv4 configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3. vrf vrf-name relay profile profile-name
  Purpose: Enables DHCP relay on a VRF.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# vrf default relay profile client

Step 4. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Configuring the Relay Agent Information Feature

This task describes how to configure the DHCP relay agent information option processing capabilities.

A DHCP relay agent may receive a message from another DHCP relay agent that already contains relay information.
By default, the relay information from the previous relay agent is replaced (using the replace option).

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. profile profile-name relay
4. relay information option
5. relay information check
6. relay information policy {drop | keep}
7. relay information option allow-untrusted
8. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. dhcp ipv4
  Purpose: Enters DHCP IPv4 configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3. profile profile-name relay
  Purpose: Enters DHCP IPv4 profile relay submode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# profile client relay

Step 4. relay information option
  Purpose: Enables the system to insert the DHCP relay agent information option (option-82 field) in forwarded BOOTREQUEST messages to a DHCP server.
  • This option is injected by the relay agent while forwarding client-originated DHCP packets to the server. Servers recognizing this option can use the information to implement IP address or other parameter assignment policies. When replying, the DHCP server echoes the option back to the relay agent. The relay agent removes the option before forwarding the reply to the client.
  • The relay agent information is organized as a single DHCP option that contains one or more suboptions. These options contain the information known by the relay agent. The supported suboptions are:
    - Remote ID
    - Circuit ID
  Note: This function is disabled by default. The port field of the default circuit-ID denotes the configured bundle-ID of the bundle. If circuit IDs require that bundles be unique, and because the port field is 8 bits, the low-order 8 bits of configured bundle IDs must be unique. To achieve this, configure bundle-IDs within the range from 0 to 255.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4-relay-profile)# relay information option

Step 5. relay information check
  Purpose: (Optional) Configures DHCP to check the validity of the relay agent information option in forwarded BOOTREPLY messages. If an invalid message is received, the relay agent drops the message. If a valid message is received, the relay agent removes the relay agent information option field and forwards the packet.
  • By default, DHCP does not check the validity of the relay agent information option field in DHCP reply packets received from the DHCP server.
  Note: Use the relay information check command to reenable this functionality if the functionality has been disabled.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4-relay-profile)# relay information check

Step 6. relay information policy {drop | keep}
  Purpose: (Optional) Configures the reforwarding policy for a DHCP relay agent; that is, whether the relay agent will drop or keep the relay information. By default, the DHCP relay agent replaces the relay information option.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp relay information policy drop

Step 7. relay information option allow-untrusted
  Purpose: (Optional) Configures the DHCP IPv4 Relay not to discard BOOTREQUEST packets that have an existing relay information option and the giaddr set to zero.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4-relay-profile)# relay information option allow-untrusted

Step 8. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Configuring Relay Agent Giaddr Policy

This task describes how to configure the DHCP relay agent’s processing capabilities for received BOOTREQUEST packets that already contain a nonzero giaddr attribute.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. profile relay
4. giaddr policy {replace | drop}
5. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. dhcp ipv4
  Purpose: Enables the DHCP IPv4 configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3. profile relay
  Purpose: Enables profile relay submode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# profile client relay

Step 4. giaddr policy {replace | drop}
  Purpose: Specifies the giaddr policy.
  • replace—Replaces the existing giaddr value with a value that it generates.
  • drop—Drops the packet that has an existing nonzero giaddr value.
  • By default, the DHCP relay agent keeps the existing giaddr value.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4-relay-profile)# giaddr policy drop

Step 5. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

DHCPv6 Relay Agent Notification for Prefix Delegation

DHCPv6 relay agent notification for prefix delegation allows the router working as a DHCPv6 relay agent to find prefix delegation options by reviewing the contents of a DHCPv6 RELAY-REPLY packet that is being relayed by the relay agent to the client.
When the relay agent finds the prefix delegation option, the relay agent extracts the information about the prefix being delegated and inserts an IPv6 subscriber route matching the prefix delegation information onto the relay agent. Future packets destined to that prefix via relay are forwarded based on the information contained in the prefix delegation. The IPv6 subscriber route remains in the routing table until the prefix delegation lease time expires or the relay agent receives a release packet from the client releasing the prefix delegation.

The relay agent automatically does the subscriber route management. The IPv6 routes are added when the relay agent relays a RELAY-REPLY packet, and the IPv6 routes are deleted when the prefix delegation lease time expires or the relay agent receives a release message. An IPv6 subscriber route in the routing table of the relay agent can be updated when the prefix delegation lease time is extended.

This feature leaves an IPv6 route on the routing table of the relay agent. This registered IPv6 address allows unicast reverse packet forwarding (uRPF) to work by allowing the router doing the reverse lookup to confirm that the IPv6 address on the relay agent is not malformed or spoofed. The IPv6 route in the routing table of the relay agent can be redistributed to other routing protocols to advertise the subnets to other nodes. When the client sends a DHCP_DECLINE message, the routes are removed.

Configuring DHCPv6 Stateful Relay Agent for Prefix Delegation

Perform this task to configure Dynamic Host Configuration Protocol (DHCP) IPv6 relay agent notification for prefix delegation.

SUMMARY STEPS

1. configure
2. dhcp ipv6
3. profile profile-name proxy
4. helper-address ipv6-address interface type interface-path-id
5. exit
6. interface type interface-path-id proxy
7. profile profile-name
8. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. dhcp ipv6
  Purpose: Enables DHCP for IPv6 and enters DHCP IPv6 configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv6
    RP/0/RSP0/CPU0:router(config-dhcpv6)#

Step 3. profile profile-name proxy
  Purpose: Enters the proxy profile configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv6)# profile downstream proxy
    RP/0/RSP0/CPU0:router(config-dhcpv6-profile)#

Step 4. helper-address ipv6-address interface type interface-path-id
  Purpose: Configure the DHCP IPv6 relay agent.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv6-profile)# helper-address 2001:db8::1 GigabitEthernet 0/1/0/1
    RP/0/RSP0/CPU0:router(config-dhcpv6-profile)#

Step 5. exit
  Purpose: Exits from the profile configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv6-profile)# exit
    RP/0/RSP0/CPU0:router(config-dhcpv6)#

Step 6. interface type interface-path-id proxy
  Purpose: Enables IPv6 DHCP on an interface and acts as an IPv6 DHCP stateful relay agent.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv6)# interface GigabitEthernet 0/1/0/0 proxy
    RP/0/RSP0/CPU0:router(config-dhcpv6-if)#

Step 7. profile profile-name
  Purpose: Enters the profile configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv6-if)# profile downstream
    RP/0/RSP0/CPU0:router(config-dhcpv6-if)#

Step 8. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Configuration Examples for the DHCP Relay Agent

This section provides the following configuration examples:

DHCP Relay Profile: Example

The following example shows how to configure the Cisco IOS XR relay profile:

    dhcp ipv4
     profile client relay
      helper-address vrf foo 10.10.1.1
     !
    !
    ...

DHCP Relay on an Interface: Example

The following example shows how to enable the DHCP relay agent on an interface:

    dhcp ipv4
     interface gigabitethernet 0/1/1/0 relay profile client
    !

DHCP Relay on a VRF: Example

The following example shows how to enable the DHCP relay agent on a VRF:

    dhcp ipv4
     vrf default relay profile client
    !

Relay Agent Information Option Support: Example

The following example shows how to enable the relay agent and the insertion and removal of the DHCP relay information option:

    dhcp ipv4
     profile client relay
      relay information option
     !
    !
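
The relay information option enabled above is DHCP option 82: one option that carries Circuit ID (suboption 1) and Remote ID (suboption 2) entries. The following Python example is added here and is not Cisco code. It parses option 82 out of a raw DHCP packet and models two behaviours this chapter describes: discarding a BOOTREQUEST that arrives with option 82 and a zero giaddr unless allow-untrusted is set, and the relay information check on BOOTREPLY. Assumptions: the packets are constructed in the code, all function names are hypothetical, and "valid" is taken to mean well-formed and identical to what the relay inserted, which the guide does not define.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie after the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2         # BOOTP op field values
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # codes of the two suboptions the guide lists
ZERO_ADDR = b"\x00" * 4


def encode_tlvs(items):
    """Encode (code, value) pairs as code/length/value bytes."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items)


def parse_tlvs(data, pad=None, end=None):
    """Decode code/length/value bytes; raise ValueError if a length overruns the data."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV")
        items.append((code, data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return items


def build_packet(op, giaddr, options):
    """Build a DHCP packet for the demo (constructed data: fixed xid and client MAC)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234ABCD, 0, 0,
                         ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, giaddr, b"\xaa" * 6, b"", b"")
    return header + MAGIC + encode_tlvs(options) + bytes([OPT_END])


def parse_packet(pkt):
    """Return (op, giaddr, options, relay_info); relay_info is None without option 82."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    options = parse_tlvs(pkt[240:], pad=OPT_PAD, end=OPT_END)
    relay_info = None
    for code, value in options:
        if code == OPT_RELAY_INFO:
            relay_info = dict(parse_tlvs(value))  # suboptions have no pad or end codes
    return pkt[0], pkt[24:28], options, relay_info


def handle_request(pkt, allow_untrusted=False):
    """Decision for a BOOTREQUEST received from the client side."""
    try:
        op, giaddr, _, relay_info = parse_packet(pkt)
    except ValueError:
        return "discard"
    if op != BOOTREQUEST:
        return "discard"
    # Option 82 present while giaddr is zero: no relay agent claims to have added it,
    # so the subscriber-line identity it carries cannot be trusted.
    if relay_info is not None and giaddr == ZERO_ADDR and not allow_untrusted:
        return "discard"
    return "forward"


def check_reply(pkt, inserted):
    """Model of 'relay information check'; returns (action, packet_for_client)."""
    try:
        op, _, options, relay_info = parse_packet(pkt)
    except ValueError:
        return "drop", None
    if op != BOOTREPLY or relay_info != inserted:
        return "drop", None
    # Valid reply: remove option 82 before the packet goes back to the client.
    kept = [(c, v) for c, v in options if c != OPT_RELAY_INFO]
    return "forward", pkt[:240] + encode_tlvs(kept) + bytes([OPT_END])


def demo():
    """Run the constructed cases and return their outcomes."""
    info = {SUB_CIRCUIT_ID: b"Gi0/0/0/0", SUB_REMOTE_ID: b"relay-1"}
    opt82 = (OPT_RELAY_INFO, encode_tlvs(info.items()))
    from_client = build_packet(BOOTREQUEST, ZERO_ADDR, [(53, b"\x01"), opt82])
    from_server = build_packet(BOOTREPLY, bytes([10, 10, 1, 254]), [(53, b"\x02"), opt82])
    return {
        "request, default": handle_request(from_client),
        "request, allow-untrusted": handle_request(from_client, allow_untrusted=True),
        "reply, matching option 82": check_reply(from_server, info)[0],
        "reply, unexpected option 82": check_reply(from_server, {SUB_CIRCUIT_ID: b"other"})[0],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

A BOOTREQUEST that already carries option 82 and a nonzero giaddr came through another relay agent; the replace, drop and keep policies of the relay information policy command apply to that case and are not modelled here.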

Relay Agent Giaddr Policy: Example

The following example shows how to configure relay agent giaddr policy:

    dhcp ipv4
     profile client relay
      giaddr policy drop
     !
    !

Implementing DHCP Snooping

Prerequisites for Configuring DHCP Snooping

The following prerequisites are required:

• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
• A Cisco ASR 9000 Series Router running Cisco IOS XR software.
• A configured and running DHCP client and DHCP server.

Information about DHCP Snooping

DHCP Snooping features are focused on the edge of the aggregation network. Security features are applied at the first point of entry for subscribers. Relay agent information option information is used to identify the subscriber’s line, which is either the DSL line to the subscriber’s home or the first port in the aggregation network.

The central concept for DHCP snooping is that of trusted and untrusted links. A trusted link is one providing secure access for traffic on that link. On an untrusted link, subscriber identity and subscriber traffic cannot be determined. DHCP snooping runs on untrusted links to provide subscriber identity.

Figure 3: DHCP Snooping in an Aggregation Network shows an aggregation network. The link from the DSLAM to the aggregation network is untrusted and is the point of presence for DHCP snooping.
The links connecting the switches in the aggregation network and the link from the aggregation network to the intelligent edge are considered trusted.

Figure 3: DHCP Snooping in an Aggregation Network

Trusted and Untrusted Ports

On trusted ports, DHCP BOOTREQUEST packets are forwarded by DHCP snooping. The client’s address lease is not tracked and the client is not bound to the port. DHCP BOOTREPLY packets are forwarded.

When the first DHCP BOOTREQUEST packet from a client is received on an untrusted port, DHCP snooping binds the client to the bridge port and tracks the client’s address lease. When that address lease expires, the client is deleted from the database and is unbound from the bridge port. Packets from this client received on this bridge port are processed and forwarded as long as the binding exists. Packets that are received on another bridge port from this client are dropped while the binding exists. DHCP snooping only forwards DHCP BOOTREPLY packets for this client on the bridge port that the client is bound to. DHCP BOOTREPLY packets that are received on untrusted ports are not forwarded.

DHCP Snooping in a Bridge Domain

To enable DHCP snooping in a bridge domain, there must be at least two profiles, a trusted profile and an untrusted profile. The untrusted profile is assigned to the client-facing ports, and the trusted profile is assigned to the server-facing ports. In most cases, there are many client-facing ports and few server-facing ports. The simplest example is two ports, a client-facing port and a server-facing port, with an untrusted profile explicitly assigned to the client-facing port and a trusted profile assigned to the server-facing port.
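
The port rules above, written out as a Python model of the snooping binding table. This is an added example and not Cisco code. Assumptions: the class and method names are hypothetical, the port names and MAC address are constructed, a binding has no expiry until a BOOTREPLY carrying the lease is seen, and a reply for a client with no binding is bridged normally.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    port: str                              # untrusted bridge port the client is bound to
    lease_expires: Optional[float] = None  # set once a BOOTREPLY with the lease is seen


class SnoopingBridgeDomain:
    """DHCP snooping decisions for one bridge domain (hypothetical model)."""

    def __init__(self, trusted_ports, untrusted_ports):
        self.trusted = {p: True for p in trusted_ports}
        self.trusted.update({p: False for p in untrusted_ports})
        self.bindings = {}                 # client MAC -> Binding

    def _expire(self, now):
        """Unbind every client whose address lease has run out."""
        expired = [mac for mac, b in self.bindings.items()
                   if b.lease_expires is not None and b.lease_expires <= now]
        for mac in expired:
            del self.bindings[mac]

    def bootrequest(self, port, mac, now):
        """Return 'forward' or 'drop' for a BOOTREQUEST from `mac` seen on `port`."""
        self._expire(now)
        if self.trusted[port]:
            return "forward"               # trusted port: forwarded, not tracked, not bound
        binding = self.bindings.get(mac)
        if binding is None:
            self.bindings[mac] = Binding(port)   # first request binds the client here
            return "forward"
        # While the binding exists, the same client on another port is dropped.
        return "forward" if binding.port == port else "drop"

    def bootreply(self, port, mac, lease_seconds, now):
        """Return (action, egress_port) for a BOOTREPLY addressed to `mac`."""
        self._expire(now)
        if not self.trusted[port]:
            return "drop", None            # replies arriving on untrusted ports stop here
        binding = self.bindings.get(mac)
        if binding is None:
            return "forward", None         # untracked client: normal bridging (assumption)
        binding.lease_expires = now + lease_seconds
        return "forward", binding.port     # only the bound port receives the reply


def run_scenario():
    """Constructed sequence: one server-facing port, two client-facing ports."""
    bd = SnoopingBridgeDomain(trusted_ports=["Gi0/1/0/1"],
                              untrusted_ports=["Gi0/1/0/0", "Gi0/1/0/2"])
    mac = "02:00:00:00:00:01"
    return [
        bd.bootrequest("Gi0/1/0/0", mac, now=0),         # client binds to Gi0/1/0/0
        bd.bootreply("Gi0/1/0/2", mac, 3600, now=1),     # reply from a client-facing port
        bd.bootreply("Gi0/1/0/1", mac, 3600, now=1),     # reply from the server-facing port
        bd.bootrequest("Gi0/1/0/2", mac, now=10),        # same MAC on a different port
        bd.bootrequest("Gi0/1/0/2", mac, now=3602),      # lease expired, client may rebind
    ]


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```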

Assigning Profiles to a Bridge Domain

Because there are normally many client-facing ports and a small number of server-facing ports, the operator assigns the untrusted profile to the bridge domain. This configuration effectively assigns an untrusted profile to every port in the bridge domain. This action saves the operator from explicitly assigning the untrusted profile to all of the client-facing ports. Because DHCP snooping also needs server-facing ports with trusted DHCP snooping profiles in order to function properly, the bridge-domain-wide untrusted profile is overridden on the server-facing ports by explicitly configuring trusted DHCP snooping profiles on those ports. Ports in the bridge domain that do not require DHCP snooping should all have the none profile assigned to them to disable DHCP snooping on those ports.

Relay Information Options

You can configure a DHCP snooping profile to insert the relay information option (option 82) into DHCP client packets only when it is assigned to a client port. The relay information option allow-untrusted command addresses what to do with DHCP client packets when there is a null giaddr and a relay-information option already in the client packet when it is received. This is a different condition than a DHCP snooping trusted/untrusted port. The relay information option allow-untrusted command determines how the DHCP snooping application handles untrusted relay information options.

How to Configure DHCP Snooping

This section contains the following tasks:

Enabling DHCP Snooping in a Bridge Domain

The following configuration creates two ports, a client-facing port and a server-facing port.
In Step 1 through Step 8, an untrusted DHCP snooping profile is assigned to the client bridge port and trusted DHCP snooping profile is assigned to the server bridge port. In Step 9 through Step 18, an untrusted DHCP snooping profile is assigned to the bridge domain and trusted DHCP snooping profiles are assigned to server bridge ports.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. profile untrusted-profile-name snoop
4. exit
5. dhcp ipv4
6. profile profile-name snoop
7. trusted
8. exit
9. l2vpn
10. bridge group group-name
11. bridge-domain bridge-domain-name
12. interface type interface-path-id
13. dhcp ipv4 snoop profile untrusted-profile-name
14. interface type interface-path-id
15. dhcp ipv4 snoop profile trusted-profile-name
16. exit
17. exit
18. Use one of these commands:
    • end
    • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. dhcp ipv4
  Purpose: Enters DHCP IPv4 profile configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 3. profile untrusted-profile-name snoop
  Purpose: Configures an untrusted DHCP snooping profile for the client port.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# profile untrustedClientProfile snoop

Step 4. exit
  Purpose: Exits DHCP IPv4 profile configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# exit

Step 5. dhcp ipv4
  Purpose: Enables DHCP for IPv4 and enters DHCP IPv4 profile configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config)# dhcp ipv4

Step 6. profile profile-name snoop
  Purpose: Configures a trusted DHCP snooping profile for the server port.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# profile trustedServerProfile snoop

Step 7. trusted
  Purpose: Configures a DHCP snoop profile to be trusted.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# trusted

Step 8. exit
  Purpose: Exits DHCP IPv4 profile configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config-dhcpv4)# exit

Step 9. l2vpn
  Purpose: Enters l2vpn configuration mode.
  Example:
    RP/0/RSP0/CPU0:router(config)# l2vpn

Step 10. bridge group group-name
  Purpose: Creates a bridge group to contain bridge domains and enters l2vpn bridge group configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group ccc

Step 11. bridge-domain bridge-domain-name
  Purpose: Establishes a bridge domain.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain ddd

Step 12. interface type interface-path-id
  Purpose: Identifies an interface.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface gigabitethernet 0/1/0/0

Step 13. dhcp ipv4 snoop profile untrusted-profile-name
  Purpose: Attaches an untrusted DHCP snoop profile to the bridge port.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# dhcp ipv4 snoop profile untrustedClientProfile

Step 14. interface type interface-path-id
  Purpose: Identifies an interface.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# interface gigabitethernet 0/1/0/1

Step 15. dhcp ipv4 snoop profile trusted-profile-name
  Purpose: Attaches a trusted DHCP snoop profile to the bridge port.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# dhcp ipv4 snoop profile trustedServerProfile

Step 16. exit
  Purpose: Exits the l2vpn bridge group bridge-domain interface configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-ac)# exit

Step 17. exit
  Purpose: Exits the l2vpn bridge group bridge-domain configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# exit

Step 18. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Disabling DHCP Snooping on a Specific Bridge Port

The following configuration enables DHCP to snoop packets on all bridge ports in the bridge domain ISP1 except for bridge port GigabitEthernet 0/1/0/1 and GigabitEthernet 0/1/0/2. DHCP snooping is disabled on bridge port GigabitEthernet 0/1/0/1. Bridge port GigabitEthernet 0/1/0/2 is the trusted port that connects to the server. In this example, no additional features are enabled, so only DHCP snooping is running.

SUMMARY STEPS

1. configure
2. l2vpn
3. bridge group group-name
4. bridge-domain bridge-domain-name
5. dhcp ipv4 snoop profile profile-name
6. interface type interface-path-id
7. dhcp ipv4 none
8. interface type interface-path-id
9. dhcp ipv4 snoop profile profile-name
10. exit
11. exit
12. Use one of these commands:
    • end
    • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
  Example:
    RP/0/RSP0/CPU0:router# configure

Step 2. l2vpn
  Purpose: Enters l2vpn configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config)# l2vpn

Step 3. bridge group group-name
  Purpose: Creates a bridge group to contain bridge domains and enters l2vpn bridge group configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn)# bridge group GRP1

Step 4. bridge-domain bridge-domain-name
  Purpose: Establishes a bridge domain and enters l2vpn bridge group bridge-domain configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg)# bridge-domain ISP1

Step 5. dhcp ipv4 snoop profile profile-name
  Purpose: Attaches the untrusted DHCP snooping profile to the bridge domain.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# dhcp ipv4 snoop profile untrustedClientProfile

Step 6. interface type interface-path-id
  Purpose: Identifies an interface and enters l2vpn bridge group bridge-domain interface configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface gigabitethernet 0/1/0/1

Step 7. dhcp ipv4 none
  Purpose: Disables DHCP snooping on the port.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd-if)# dhcp ipv4 none

Step 8. interface type interface-path-id
  Purpose: Identifies an interface and enters l2vpn bridge group bridge-domain interface configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# interface gigabitethernet 0/1/0/2

Step 9. dhcp ipv4 snoop profile profile-name
  Purpose: Attaches the trusted DHCP snooping profile to a port.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg-bd)# dhcp ipv4 snoop profile trustedServerProfile

Step 10. exit
  Purpose: Exits l2vpn bridge-domain bridge group interface configuration submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bd-bg)# exit

Step 11. exit
  Purpose: Exits l2vpn bridge-domain submode.
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-bg)# exit

Step 12. Use one of these commands:
  • end
  • commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
      Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
    - Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    - Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    - Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
  Example:
    RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Using the Relay Information Option

This task shows how to use the relay information commands to insert the relay information option (option 82) into DHCP client packets and forward DHCP packets with untrusted relay information options.

SUMMARY STEPS

1. configure
2. dhcp ipv4
3. profile profile-name snoop
4. relay information option
5. relay information option allow-untrusted
6. Use one of these commands:
   • end
   • commit

DETAILED STEPS

Step 1. configure
  Purpose: Enters global configuration mode.
Example: RP/0/RSP0/CPU0:router# configure Step 1 Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide, Release 4.2.x 120 OL-26068-02 Implementing the Dynamic Host Configuration Protocol How to Configure DHCP SnoopingCommand or Action Purpose dhcp ipv4 Enters DHCP IPv4 profile configuration submode. Example: RP/0/RSP0/CPU0:router(config)# dhcp ipv4 Step 2 Configures an untrusted DHCP snooping profile for the client port. profile profile-name snoop Example: RP/0/RSP0/CPU0:router(config-dhcpv4)# profile untrustedClientProfile snoop Step 3 Enables the system to insert the DHCP relay information option field in forwarded BOOTREQUEST messages to a DHCP server. relay information option Example: RP/0/RSP0/CPU0:router(config-dhcpv4-snoop-profile)# relay information option Step 4 Configures DHCP IPv4 relay not to discard BOOTREQUEST packets that have an existing relay information option and the giaddr set to zero. relay information option allow-untrusted Example: RP/0/RSP0/CPU0:router(config-dhcpv4-snoop-profile)# relay information option allow-untrusted Step 5 Step 6 Use one of these commands: Saves configuration changes. • end • When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]: • commit Example: RP/0/RSP0/CPU0:router(config)# end ? Entering yes saves configuration changes to the running configuration file, exitsthe configuration session, and returns the router to EXEC mode. or RP/0/RSP0/CPU0:router(config)# commit ? Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. ? Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. 
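The packet checks that the relay information option steps above describe, as an added Python example that is not Cisco code: it parses a DHCP packet, applies the stated discard rule for a BOOTREQUEST that already carries option 82 with giaddr set to zero, and inserts option 82 into a request that has none. The sample packets, sub-option values and function names are constructed for illustration; the sub-option codes 1 and 2 are the RFC 3046 circuit ID and remote ID, which this guide does not list.

```python
import struct

BOOTREQUEST = 1
FIXED_LEN = 236                       # BOOTP fixed header length (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # precedes the options field
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes
ZERO_ADDR = b"\x00\x00\x00\x00"


def parse_dhcp(packet):
    """Return (op, giaddr, [(code, value), ...], offset_of_end_option)."""
    start = FIXED_LEN + len(MAGIC_COOKIE)
    if len(packet) < start or packet[FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("short packet or missing DHCP magic cookie")
    options, i = [], start
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:      # one-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("option at offset %d overruns the packet" % i)
        length = packet[i + 1]
        options.append((packet[i], packet[i + 2:i + 2 + length]))
        i += 2 + length
    return packet[0], packet[24:28], options, i


def parse_relay_info(value):
    """Split an option 82 value into {sub_option_code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("malformed option 82 sub-option")
        subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
        i += 2 + value[i + 1]
    return subs


def snoop_action(packet, allow_untrusted=False):
    """Model of the stated rule: 'drop' or 'forward' for a received packet."""
    op, giaddr, options, _ = parse_dhcp(packet)
    preset = any(code == OPT_RELAY_INFO for code, _ in options)
    if op == BOOTREQUEST and preset and giaddr == ZERO_ADDR and not allow_untrusted:
        return "drop"
    return "forward"


def insert_relay_info(packet, circuit_id, remote_id):
    """Return a copy of the packet with option 82 added before the END option."""
    _, _, options, end = parse_dhcp(packet)
    if any(code == OPT_RELAY_INFO for code, _ in options):
        raise ValueError("packet already carries option 82")
    value = b"".join(bytes([code, len(data)]) + data
                     for code, data in ((SUB_CIRCUIT_ID, circuit_id),
                                        (SUB_REMOTE_ID, remote_id)))
    if len(value) > 255:
        raise ValueError("option 82 value exceeds 255 bytes")
    tail = packet[end:] or bytes([OPT_END])
    return packet[:end] + bytes([OPT_RELAY_INFO, len(value)]) + value + tail


def build_request(giaddr, options):
    """Constructed sample input: a minimal BOOTREQUEST with the given options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0,      # op, htype, hlen, hops
                         0x1234ABCD, 0, 0,          # xid, secs, flags
                         ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, giaddr,
                         bytes.fromhex("020000000001"), b"", b"")
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample packets (not captured traffic).
DISCOVER = (53, b"\x01")                                  # message type DISCOVER
OPT82 = (OPT_RELAY_INFO, b"\x01\x04port\x02\x03cpe")
PLAIN = build_request(ZERO_ADDR, [DISCOVER])              # no option 82
PRESET = build_request(ZERO_ADDR, [DISCOVER, OPT82])      # option 82, giaddr 0
RELAYED = build_request(bytes([192, 0, 2, 1]), [DISCOVER, OPT82])  # giaddr set

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("preset", PRESET), ("relayed", RELAYED)):
        print(name, snoop_action(pkt), snoop_action(pkt, allow_untrusted=True))
    stamped = insert_relay_info(PLAIN, b"Gi0/1/0/0", b"router1")
    print(parse_relay_info(dict(parse_dhcp(stamped)[2])[OPT_RELAY_INFO]))
```

A request stamped by insert_relay_info still has giaddr zero, so a second snooping device further along the path forwards it only when its own profile has allow-untrusted set.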
Configuration Examples for DHCP Snooping

This section provides the following configuration examples:

Assigning a DHCP Profile to a Bridge Domain: Example

The following example shows how to enable DHCP snooping in a bridge domain:

  l2vpn
   bridge group GRP1
    bridge-domain ISP1
     dhcp ipv4 profile untrustedClientProfile snoop

Disabling DHCP Snooping on a Specific Bridge Port: Example

The following example shows how to disable DHCP snooping on a specific bridge port:

  interface gigabitethernet 0/1/0/1
   dhcp ipv4 none

Configuring a DHCP Profile for Trusted Bridge Ports: Example

The following example shows how to configure a DHCP profile for trusted bridge ports:

  dhcp ipv4
   profile trustedServerProfile snoop
    trusted

Configuring an Untrusted Profile on a Bridge Domain: Example

The following example shows how to attach a profile to a bridge domain and disable snooping on a bridge port:

  l2vpn
   bridge group GRP1
    bridge-domain ISP1
     dhcp ipv4 profile untrustedClientProfile snoop
     interface gigabitethernet 0/1/0/1
      dhcp ipv4 none

Configuring a Trusted Bridge Port: Example

The following example shows how to assign a trusted DHCP snooping profile to a bridge port:

  l2vpn
   bridge group GRP1
    bridge-domain ISP1
     interface gigabitethernet 0/1/0/2
      dhcp ipv4 profile trustedServerProfile snoop

Additional References

The following sections provide references related to implementing the Cisco IOS XR DHCP relay agent and DHCP snooping features.

Related Documents

  Related Topic: Cisco IOS XR DHCP commands
  Document Title: DHCP Commands module in the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference

  Related Topic: Getting started material
  Document Title: Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide

  Related Topic: Information about user groups and task IDs
  Document Title: Configuring AAA Services module in the Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide

Standards

  Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
  Title: -

MIBs

  MIBs: -
  MIBs Link: To locate and download MIBs, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

  RFC: RFC 2131
  Title: Dynamic Host Configuration Protocol

Technical Assistance

  Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
  Link: http://www.cisco.com/techsupport
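The DHCP snooping tasks and configuration examples in this chapter combine a bridge-domain profile with per-port overrides (dhcp ipv4 none, or a trusted profile on the server-facing port). This added Python example, which is not Cisco code, computes the effective state of every bridge port from a saved configuration so that trusted and exempted ports can be confirmed against the intended design. The configuration text is constructed from the commands on this page, and its layout (one space of indentation per level, "!" terminators, interface names written without a space) is an assumption about the saved format.

```python
import re

# Constructed sample configuration, built from the commands shown in this chapter.
SAMPLE_CONFIG = """\
dhcp ipv4
 profile untrustedClientProfile snoop
 !
 profile trustedServerProfile snoop
  trusted
 !
!
l2vpn
 bridge group GRP1
  bridge-domain ISP1
   dhcp ipv4 snoop profile untrustedClientProfile
   interface GigabitEthernet0/1/0/0
   !
   interface GigabitEthernet0/1/0/1
    dhcp ipv4 none
   !
   interface GigabitEthernet0/1/0/2
    dhcp ipv4 snoop profile trustedServerProfile
   !
  !
 !
!
"""

DISABLED = object()   # marks a port configured with 'dhcp ipv4 none'


def config_paths(text):
    """Yield each config line as the list of its parent lines plus itself."""
    stack = []  # (indent, line) for every block that is still open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, line))
        yield [entry for _, entry in stack]


def snooping_state(text):
    """Map (bridge_domain, interface) to (state, profile_name_or_None)."""
    trusted = {}         # profile name -> True when the profile contains 'trusted'
    domain_profile = {}  # bridge domain -> profile attached at domain level
    ports = {}           # (domain, interface) -> None, DISABLED or profile name
    for path in config_paths(text):
        if path[0] == "dhcp ipv4" and len(path) >= 2:
            m = re.fullmatch(r"profile (\S+) snoop", path[1])
            if m:
                trusted.setdefault(m.group(1), False)
                if len(path) == 3 and path[2] == "trusted":
                    trusted[m.group(1)] = True
        elif (path[0] == "l2vpn" and len(path) >= 4
              and path[1].startswith("bridge group ")
              and path[2].startswith("bridge-domain ")):
            domain = path[2].split()[1]
            attach = re.fullmatch(r"dhcp ipv4 snoop profile (\S+)", path[-1])
            if path[3].startswith("interface "):
                key = (domain, path[3].split(None, 1)[1])
                ports.setdefault(key, None)
                if len(path) == 5 and path[4] == "dhcp ipv4 none":
                    ports[key] = DISABLED
                elif len(path) == 5 and attach:
                    ports[key] = attach.group(1)
            elif len(path) == 4 and attach:
                domain_profile[domain] = attach.group(1)
    result = {}
    for (domain, port), override in ports.items():
        if override is DISABLED:
            result[(domain, port)] = ("disabled", None)
            continue
        profile = override or domain_profile.get(domain)  # port overrides domain
        if profile is None:
            result[(domain, port)] = ("not configured", None)
        elif profile not in trusted:
            result[(domain, port)] = ("undefined profile", profile)
        else:
            state = "trusted" if trusted[profile] else "untrusted"
            result[(domain, port)] = (state, profile)
    return result


def ports_to_review(text):
    """Ports that are not plain untrusted client ports, for manual confirmation."""
    return sorted((d, p, s) for (d, p), (s, _) in snooping_state(text).items()
                  if s != "untrusted")


if __name__ == "__main__":
    for (domain, port), (state, profile) in sorted(snooping_state(SAMPLE_CONFIG).items()):
        print(domain, port, state, profile or "-")
```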
CHAPTER 5

Implementing Host Services and Applications

Cisco IOS XR software Host Services and Applications features on the router are used primarily for checking network connectivity and the route a packet follows to reach a destination, mapping a hostname to an IP address or an IP address to a hostname, and transferring files between routers and UNIX workstations.

Note: For a complete description of host services and applications commands listed in this module, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference publication. To locate documentation of other commands that appear in this module, use the command reference master index, or search online.

Feature History for Implementing Host Services and Applications

  Release: Release 3.7.2
  Modification: This feature was introduced.

• Prerequisites for Implementing Host Services and Applications
• Information About Implementing Host Services and Applications
• How to Implement Host Services and Applications
• Configuration Examples for Implementing Host Services and Applications
• Additional References

Prerequisites for Implementing Host Services and Applications

The following prerequisites are required to implement Cisco IOS XR software Host Services and applications:

• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Information About Implementing Host Services and Applications

To implement Cisco IOS XR software Host Services and applications features discussed in this document, you should understand the following concepts:

Network Connectivity Tools

Network connectivity tools enable you to check device connectivity by running traceroutes and pinging devices on the network.

Ping

The ping command is a common method for troubleshooting the accessibility of devices. It uses two Internet Control Message Protocol (ICMP) query messages, ICMP echo requests and ICMP echo replies, to determine whether a remote host is active. The ping command also measures the amount of time it takes to receive the echo reply.

The ping command first sends an echo request packet to an address, and then it waits for a reply. The ping is successful only if the echo request gets to the destination, and the destination is able to get an echo reply (hostname is alive) back to the source of the ping within a predefined time interval.

The bulk option has been introduced to check reachability to multiple destinations. The destinations are directly input through the CLI. This option is supported for IPv4 destinations only.

Traceroute

Where the ping command can be used to verify connectivity between devices, the traceroute command can be used to discover the paths packets take to a remote destination and where routing breaks down.

The traceroute command records the source of each ICMP "time-exceeded" message to provide a trace of the path that the packet took to reach the destination. You can use the IP traceroute command to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
The traceroute command uses the Time To Live (TTL) field in the IP header to cause routers and servers to generate specific return messages. The traceroute command sends a User Datagram Protocol (UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP time-exceeded message to the sender. The traceroute facility determines the address of the first hop by examining the source address field of the ICMP time-exceeded message.

To identify the next hop, the traceroute command sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the time-exceeded message to the source. This process continues until the TTL increments to a value large enough for the datagram to reach the destination host (or until the maximum TTL is reached).

To determine when a datagram reaches its destination, the traceroute command sets the UDP destination port in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP port unreachable error to the source. This message indicates to the traceroute facility that it has reached the destination.

Domain Services

Cisco IOS XR software domain services acts as a Berkeley Standard Distribution (BSD) domain resolver. The domain services maintains a local cache of hostname-to-address mappings for use by applications, such as Telnet, and commands, such as ping and traceroute. The local cache speeds the conversion of hostnames to addresses.
Two types of entries exist in the local cache: static and dynamic. Entries configured using the domain ipv4 host or domain ipv6 host command are added as static entries, while entries received from the name server are added as dynamic entries.

The name server is used by the World Wide Web (WWW) for translating names of network nodes into addresses. The name server maintains a distributed database that maps hostnames to IP addresses through the DNS protocol from a DNS server. One or more name servers can be specified using the domain name-server command.

When an application needs the IP address of a host or the hostname of an IP address, a remote-procedure call (RPC) is made to the domain services. The domain service looks up the IP address or hostname in the cache, and if the entry is not found, the domain service sends a DNS query to the name server.

You can specify a default domain name that Cisco IOS XR software uses to complete domain name requests. You can also specify either a single domain or a list of domain names. Any IP hostname that does not contain a domain name has the domain name you specify appended to it before being added to the host table. To specify a domain name or names, use either the domain name or domain list command.

TFTP Server

It is too costly and inefficient to have a machine that acts only as a server on every network segment. However, when you do not have a server on every segment, your network operations can incur substantial time delays across network segments. You can configure a router to serve as a TFTP server to reduce costs and time delays in your network while allowing you to use your router for its regular functions.

Typically, a router that is configured as a TFTP server provides other routers with system image or router configuration files from its flash memory. You can also configure the router to respond to other types of services requests.
File Transfer Services

File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), and remote copy protocol (rcp) clients are implemented as file systems or resource managers. For example, pathnames beginning with tftp:// are handled by the TFTP resource manager.

The file system interface uses URLs to specify the location of a file. URLs commonly specify files or locations on the WWW. However, on Cisco routers, URLs also specify the location of files on the router or remote file servers.

When a router crashes, it can be useful to obtain a copy of the entire memory contents of the router (called a core dump) for your technical support representative to use to identify the cause of the crash. FTP, TFTP, or rcp can be used to save the core dump to a remote server. See the Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide for information on executing a core dump.

RCP

The remote copy protocol (RCP) commands rely on the remote shell (rsh) server (or daemon) on the remote system. To copy files using rcp, you do not need to create a server for file distribution, as you do with TFTP. You need only to have access to a server that supports the rsh. Because you are copying a file from one place to another, you must have read permissions for the source file and write permission in the destination directory. If the destination file does not exist, rcp creates it for you.

Although the Cisco rcp implementation emulates the functions of the UNIX rcp implementation (copying files among systems on the network), Cisco command syntax differs from the UNIX rcp command syntax. Cisco IOS XR software offers a set of copy commands that use rcp as the transport mechanism.
These rcp copy commands are similar in style to the Cisco IOS XR software TFTP copy commands, but they offer an alternative that provides faster performance and reliable delivery of data. These improvements are possible because the rcp transport mechanism is built on and uses the TCP/IP stack, which is connection-oriented. You can use rcp commands to copy system images and configuration files from the router to a network server and so forth.

FTP

File Transfer Protocol (FTP) is part of the TCP/IP protocol stack, which is used for transferring files between network nodes. FTP is defined in RFC 959.

TFTP

Trivial File Transfer Protocol (TFTP) is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

Cisco inetd

Cisco Internet services process daemon (Cinetd) is a multithreaded server process that is started by the system manager after the system has booted. Cinetd listens for Internet services such as Telnet service, TFTP service, and so on. Whether Cinetd listens for a specific service depends on the router configuration. For example, when the tftp server command is entered, Cinetd starts listening for the TFTP service. When a request arrives, Cinetd runs the server program associated with the service.

Telnet

Enabling Telnet allows inbound Telnet connections into a networking device.

How to Implement Host Services and Applications

This section contains the following procedures:

Checking Network Connectivity

As an aid to diagnosing basic network connectivity, many network protocols support an echo protocol. The protocol involves sending a special datagram to the destination host, then waiting for a reply datagram from that host.
Results from this echo protocol can help in evaluating the path-to-host reliability, delays over the path, and whether the host can be reached or is functioning.

SUMMARY STEPS

1. ping [ipv4 | ipv6 | vrf vrf-name] [host-name | ip-address]

DETAILED STEPS

Step 1. ping [ipv4 | ipv6 | vrf vrf-name] [host-name | ip-address]
    Starts the ping tool that is used for testing connectivity.
    Note: If you do not enter a hostname or an IP address on the same line as the ping command, the system prompts you to specify the target IP address and several other command parameters. After specifying the target IP address, you can specify alternate values for the remaining parameters or accept the displayed default for each parameter.
    Example: RP/0/RSP0/CPU0:router# ping

Checking Network Connectivity for Multiple Destinations

The bulk option enables you to check reachability to multiple destinations. The destinations are directly input through the CLI. This option is supported for IPv4 destinations only.

SUMMARY STEPS

1. ping bulk ipv4 [input cli {batch | inline}]
2. [vrf vrf-name] [host-name | ip-address]

DETAILED STEPS

Step 1. ping bulk ipv4 [input cli {batch | inline}]
    Starts the ping tool that is used for testing connectivity.
    Example: RP/0/RSP0/CPU0:router# ping bulk ipv4 input cli

Step 2. [vrf vrf-name] [host-name | ip-address]
    You must hit the Enter button and then specify one destination address per line.
    Example:
      Please enter input via CLI with one destination per line:
      vrf myvrf1 1.1.1.1
      vrf myvrf2 2.2.2.2
      vrf myvrf1 myvrf1.cisco.com
      vrf myvrf2 myvrf2.cisco.com
      Starting pings...
      Type escape sequence to abort.
      Sending 1, 100-byte ICMP Echos to 1.1.1.1, vrf is myvrf1:
      !
      Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
      Sending 2, 100-byte ICMP Echos to 2.2.2.2, vrf is myvrf2:
      !!
      Success rate is 100 percent (2/2), round-trip min/avg/max = 1/1/1 ms
      Sending 1, 100-byte ICMP Echos to 1.1.1.1, vrf is myvrf1:
      !
      Success rate is 100 percent (1/1), round-trip min/avg/max = 1/4/1 ms
      Sending 2, 100-byte ICMP Echos to 2.2.2.2, vrf is myvrf2:
      !!
      Success rate is 100 percent (2/2), round-trip min/avg/max = 1/3/1 ms

Checking Packet Routes

The traceroute command allows you to trace the routes that packets actually take when traveling to their destinations.

SUMMARY STEPS

1. traceroute [ipv4 | ipv6 | vrf vrf-name] [host-name | ip-address]

DETAILED STEPS

Step 1. traceroute [ipv4 | ipv6 | vrf vrf-name] [host-name | ip-address]
    Traces packet routes through the network.
    Note: If you do not enter a hostname or an IP address on the same line as the traceroute command, the system prompts you to specify the target IP address and several other command parameters. After specifying the target IP address, you can specify alternate values for the remaining parameters or accept the displayed default for each parameter.
    Example: RP/0/RSP0/CPU0:router# traceroute

Configuring Domain Services

This task allows you to configure domain services.

Before You Begin

DNS-based hostname-to-address translation is enabled by default. If hostname-to-address translation has been disabled using the domain lookup disable command, re-enable the translation using the no domain lookup disable command. See the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference for more information on the domain lookup disable command.

SUMMARY STEPS

1. configure
2. Do one of the following:
    • domain name domain-name
    • or
    • domain list domain-name
3. domain name-server server-address
4. domain {ipv4 | ipv6} host host-name {ipv4address | ipv6address}
5. Use one of these commands:
    • end
    • commit

DETAILED STEPS

Step 1. configure
    Enters global configuration mode.
    Example: RP/0/RSP0/CPU0:router# configure

Step 2. Do one of the following:
    • domain name domain-name
    • or
    • domain list domain-name
    Defines a default domain name used to complete unqualified hostnames.
    Example: RP/0/RSP0/CPU0:router(config)# domain name cisco.com
    or
    RP/0/RSP0/CPU0:router(config)# domain list domain1.com

Step 3. domain name-server server-address
    Specifies the address of a name server to use for name and address resolution (hosts that supply name information).
    Note: You can enter up to six addresses, but only one for each command.
    Example: RP/0/RSP0/CPU0:router(config)# domain name-server 192.168.1.111

Step 4. domain {ipv4 | ipv6} host host-name {ipv4address | ipv6address}
    (Optional) Defines a static hostname-to-address mapping in the host cache using IPv4 or IPv6.
    Note: You can bind up to eight additional associated addresses to a hostname.
    Example: RP/0/RSP0/CPU0:router(config)# domain ipv4 host host1 192.168.7.18

Step 5. Use one of these commands:
    • end
    • commit
    Saves configuration changes.
    • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
      ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
      ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
      ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
    • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
    Example: RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Configuring a Router as a TFTP Server

This task allows you to configure the router as a TFTP server so other devices acting as TFTP clients are able to read and write files from and to the router under a specific directory, such as slot0:, /tmp, and so on (TFTP home directory).

Note: For security reasons, the TFTP server requires that a file must already exist for a write request to succeed.

Before You Begin

The server and client router must be able to reach each other before the TFTP function can be implemented. Verify this connection by testing the connection between the server and client router (in either direction) using the ping command.

SUMMARY STEPS

1. configure
2. tftp {ipv4 | ipv6} server {homedir tftp-home-directory} {max-servers number} [access-list name]
3. Use one of these commands:
    • end
    • commit
4. show cinetd services

DETAILED STEPS

Step 1. configure
    Enters global configuration mode.
    Example: RP/0/RSP0/CPU0:router# configure

Step 2. tftp {ipv4 | ipv6} server {homedir tftp-home-directory} {max-servers number} [access-list name]
    Specifies:
    • IPv4 or IPv6 address prefixes (required)
    • Home directory (required)
    • Maximum number of concurrent TFTP servers (required)
    • Name of the associated access list (optional)
    Example: RP/0/RSP0/CPU0:router(config)# tftp ipv4 server access-list listA homedir disk0

Step 3. Use one of these commands:
    • end
    • commit
    Saves configuration changes.
    • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
      ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
      ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
      ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
    • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
    Example: RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Step 4. show cinetd services
    Displays the network service for each process. The service column shows TFTP if the TFTP server is configured.
    Example: RP/0/RSP0/CPU0:router# show cinetd services

Configuring a Router to Use rcp Connections

This task allows you to configure a router to use rcp.

Before You Begin

For the rcp copy request to execute successfully, an account must be defined on the network server for the remote username.
If you are reading or writing to the server, the rcp server must be properly configured to accept the rcp read/write request from the user on the router. For UNIX systems, you must add an entry to the hosts file for the remote user on the rcp server.

SUMMARY STEPS

1. configure
2. rcp client username username
3. rcp client source-interface type interface-path-id
4. Use one of these commands:
    • end
    • commit

DETAILED STEPS

Step 1. configure
    Enters global configuration mode.
    Example: RP/0/RSP0/CPU0:router# configure

Step 2. rcp client username username
    Specifies the name of the remote user on the rcp server. This name is used when a remote copy using rcp is requested. If the rcp server has a directory structure, all files and images to be copied are searched for or written relative to the directory in the remote user account.
    Example: RP/0/RSP0/CPU0:router(config)# rcp client username netadmin1

Step 3. rcp client source-interface type interface-path-id
    Sets the IP address of an interface as the source for all rcp connections.
    Example: RP/0/RSP0/CPU0:router(config)# rcp client source-interface gigabitethernet 1/0/2/1

Step 4. Use one of these commands:
    • end
    • commit
    Saves configuration changes.
    • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
      ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
      ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
      ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
    • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
    Example: RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Troubleshooting Tips

When using rcp to copy any file from a source to a destination, use the following path format:

  copy rcp://username@{hostname | ipaddress}/directory-path/pie-name target-device

When using an IPv6 rcp server, use the following path format:

  copy rcp://username@[ipv6-address]/directory-path/pie-name

See the copy command in the Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference for detailed information on using rcp protocol with the copy command.

Configuring a Router to Use FTP Connections

This task allows you to configure the router to use FTP connections for transferring files between systems on the network. With the Cisco ASR 9000 Series Router implementation of FTP, you can set the following FTP characteristics:

• Passive-mode FTP
• Password
• IP address

SUMMARY STEPS

1. configure
2. ftp client passive
3. ftp client anonymous-password password
4. ftp client source-interface type interface-path-id
5. Use one of these commands:
    • end
    • commit

DETAILED STEPS

Step 1. configure
    Enters global configuration mode.
    Example: RP/0/RSP0/CPU0:router# configure

Step 2. ftp client passive
    Allows the software to use only passive FTP connections.
    Example: RP/0/RSP0/CPU0:router(config)# ftp client passive

Step 3. ftp client anonymous-password password
    Specifies the password for anonymous users.
    Example: RP/0/RSP0/CPU0:router(config)# ftp client anonymous-password xxxx

Step 4. ftp client source-interface type interface-path-id
    Specifies the source IP address for FTP connections.
    Example: RP/0/RSP0/CPU0:router(config)# ftp client source-interface gigabitethernet 0/1/2/1

Step 5. Use one of these commands:
    • end
    • commit
    Saves configuration changes.
    • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
      ◦ Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
      ◦ Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
      ◦ Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
    • Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
    Example: RP/0/RSP0/CPU0:router(config)# end
    or
    RP/0/RSP0/CPU0:router(config)# commit

Troubleshooting Tips

When using FTP to copy any file from a source to a destination, use the following path format:

  copy ftp://username:password@{hostname | ipaddress}/directory-path/pie-name target-device

When using an IPv6 FTP server, use the following path format:

  copy ftp://username:password@[ipv6-address]/directory-path/pie-name

If unsafe or reserved characters appear in the username, password, hostname, and so on, they have to be encoded (RFC 1738).
The following characters are unsafe:

  “<”, “>”, “#”, “%”, “{”, “}”, “|”, “”, “~”, “[”, “]”, and “‘”

The following characters are reserved:

  “:”, “/”, “?”, “:”, “@”, and “&”

The directory-path is a relative path to the home directory of the user. The slash (/) has to be encoded as %2f to specify the absolute path. For example:

  ftp://user:password@hostname/%2fTFTPboot/directory/pie-name

See the copy command in the Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference for detailed information on using FTP protocol with the copy command.

Configuring a Router to Use TFTP Connections

This task allows you to configure a router to use TFTP connections. You must specify the source IP address for a TFTP connection.
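Returning to the FTP path format in the FTP Troubleshooting Tips above, the following added example (not from the Cisco guide) builds the copy ftp source URL with the username, password and path percent-encoded, the IPv6 address bracketed, and %2f prefixed for an absolute path. The function names are hypothetical, and the encoder is an assumption that escapes more than the guide requires (every character other than ASCII letters, digits, "-", "_" and "."); because the password is part of the URL, a helper that masks it before the URL is logged is included.

```python
import ipaddress

# Assumption of this example: escape everything except ASCII letters, digits,
# "-", "_" and ".". That covers every unsafe and reserved character the guide
# lists, including "~", which common URL libraries leave unescaped.
_KEEP = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")


def pct_encode(text):
    """Percent-encode text using lowercase hex, as in the guide's %2f example."""
    out = []
    for ch in text:
        if ch in _KEEP:
            out.append(ch)
        else:
            out.extend("%{:02x}".format(b) for b in ch.encode("utf-8"))
    return "".join(out)


def format_host(host):
    """Return the host part: IPv6 literals in brackets, IPv4 and names as-is."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat it as a hostname and refuse anything that
        # would need encoding rather than silently rewriting it.
        if not host or any(ch not in _KEEP for ch in host):
            raise ValueError("hostname contains unsafe characters: %r" % host)
        return host
    return "[{}]".format(addr) if addr.version == 6 else str(addr)


def build_copy_ftp_url(username, password, host, directory_path, pie_name,
                       absolute=False):
    """Build ftp://username:password@host/directory-path/pie-name.

    directory_path is relative to the user's home directory unless
    absolute=True, in which case the leading slash is sent as %2f.
    """
    segments = [pct_encode(s) for s in directory_path.split("/") if s]
    path = "/".join(segments + [pct_encode(pie_name)])
    if absolute:
        path = "%2f" + path
    return "ftp://{}:{}@{}/{}".format(
        pct_encode(username), pct_encode(password), format_host(host), path)


def redact_password(url):
    """Mask the password of a URL built above before it is written to a log."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    authority, slash, path = rest.partition("/")
    if "@" not in authority:
        return url
    userinfo, host = authority.rsplit("@", 1)
    if ":" not in userinfo:
        return url
    user = userinfo.split(":", 1)[0]
    return "{}://{}:***@{}{}{}".format(scheme, user, host, slash, path)


if __name__ == "__main__":
    # Constructed sample values; 2001:db8::/32 is the IPv6 documentation prefix.
    url = build_copy_ftp_url("netadmin1", "p@ss:w/rd#1", "2001:db8::1",
                             "/TFTPboot/directory", "pie-name", absolute=True)
    print("copy", url, "target-device")
    print("log :", redact_password(url))
```
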
Cisco ASR 9000 Aggregation Services Router Interfaces and Hardware Component Configuration Guide, Cisco IOS XR Software Release 4.2.x. Text Part Number: OL-26061-02. © 2010-2011 Cisco Systems, Inc.
Summary HC-583 IPHC Over MLPPP HC-583 ICSSO for PPP and MLPPP HC-584 Multi-Router Automatic Protection Switching (MR-APS) HC-584 Session State Redundancy Protocol (SSRP) HC-584 Redundancy Group Manager (RG-MGR) HC-585 IP Fast Reroute (IP-FRR) HC-585 VPN Routing And Forwarding (VRF) HC-585 Open Shortest Path First (OSPF) HC-586 ICSSO Configuration Overview HC-586 Multiclass MLPPP with QoS HC-586 T3 SONET Channels HC-587 How to Configure PPP HC-588 Modifying the Default PPP Configuration HC-588 Prerequisites HC-588 Configuring PPP Authentication HC-591 Enabling PAP, CHAP, and MS-CHAP Authentication HC-591 Prerequisites HC-591 Where To Go Next HC-593 Configuring a PAP Authentication Password HC-594 Configuring a CHAP Authentication Password HC-596 Configuring an MS-CHAP Authentication Password HC-598 Disabling an Authentication Protocol HC-599 Disabling PAP Authentication on an Interface HC-599 Disabling CHAP Authentication on an Interface HC-601 Disabling MS-CHAP Authentication on an Interface HC-602 Configuring Multilink PPP HC-604 Prerequisites HC-604 Restrictions HC-604 Configuring the Controller HC-604 Configuring the Interfaces HC-607 Configuring MLPPP Optional Features HC-610 Configuring ICSSO for PPP and MLPPP HC-612 Prerequisites HC-612 Restrictions HC-613 Configuring a Basic ICSSO Implementation HC-613Contents HC-xxiii Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide OL-26061-02 Configuring MR-APS HC-614 Configuring SSRP on Serial and Multilink Interfaces HC-616 Configuration Examples for PPP HC-621 Configuring a POS Interface with PPP Encapsulation: Example HC-621 Configuring a Serial Interface with PPP Encapsulation: Example HC-621 Configuring MLPPP: Example HC-622 ICSSO for PPP and MLPPP Configuration: Examples HC-622 ICSSO Configuration: Example HC-623 Channelized SONET Controller Configuration for Use with ICSSO: Example HC-623 MR-APS Configuration: Example HC-623 SSRP on Serial and Multilink 
Interfaces Configuration: Example HC-624 VRF on Multilink Configuration for Use with ICSSO: Example HC-625 VRF on Ethernet Configuration for Use with ICSSO: Example HC-625 OSPF Configuration for Use with ICSSO: Example HC-626 Verifying ICSSO Configuration: Examples HC-626 Verifying SSRP Groups: Example HC-626 Verifying ICSSO Status: Example HC-627 Verifying MR-APS Configuration: Example HC-627 Verifying OSPF Configuration: Example HC-628 Verifying Multilink PPP Configurations HC-629 show multilink interfaces: Examples HC-629 show ppp interfaces multilink: Example HC-631 show ppp interface serial: Example HC-632 show imds interface multilink: Example HC-632 Additional References HC-633 Related Documents HC-633 Standards HC-633 MIBs HC-633 RFCs HC-633 Technical Assistance HC-634 Configuring 802.1Q VLAN Interfaces on the Cisco ASR 9000 Series Router HC-635 Contents HC-635 Prerequisites for Configuring 802.1Q VLAN Interfaces HC-635 Information About Configuring 802.1Q VLAN Interfaces HC-636 802.1Q VLAN Overview HC-636 802.1Q Tagged Frames HC-636 CFM on 802.1Q VLAN Interfaces HC-637 Subinterfaces HC-637Contents HC-xxiv Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide OL-26061-02 Subinterface MTU HC-637 Native VLAN HC-637 EFPs HC-637 Layer 2 VPN on VLANs HC-638 Other Layer 2 VPN Features HC-639 How to Configure 802.1Q VLAN Interfaces HC-639 Configuring 802.1Q VLAN Subinterfaces HC-639 Configuring an Attachment Circuit on a VLAN HC-641 What to Do Next HC-643 Removing an 802.1Q VLAN Subinterface HC-643 Configuration Examples for VLAN Interfaces HC-645 VLAN Subinterfaces: Example HC-645 Additional References HC-647 Related Documents HC-647 Standards HC-647 MIBs HC-647 Technical Assistance HC-648 Configuring Bidirectional Forwarding Detection on the Cisco ASR 9000 Series Router HC-649 Contents HC-650 Prerequisites for Configuring BFD HC-650 Restrictions for Configuring BFD HC-651 Information About BFD HC-652 Differences 
in BFD in Cisco IOS XR Software and Cisco IOS Software HC-652 BFD Modes of Operation HC-653 BFD Packet Information HC-653 BFD Source and Destination Ports HC-654 BFD Packet Intervals and Failure Detection HC-654 Priority Settings for BFD Packets HC-658 BFD for IPv4 HC-658 BFD for IPv6 HC-660 BFD on Bundled VLANs HC-660 BFD Over Member Links on Link Bundles HC-660 Overview of BFD State Change Behavior on Member Links and Bundle Status HC-661 BFD Multipath Sessions HC-663 BFD for MultiHop Paths HC-663 Setting up BFD Multihop HC-663 How to Configure BFD HC-663 BFD Configuration Guidelines HC-664Contents HC-xxv Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide OL-26061-02 Configuring BFD Under a Dynamic Routing Protocol or Using a Static Route HC-664 Enabling BFD on a BGP Neighbor HC-665 Enabling BFD for OSPF on an Interface HC-667 Enabling BFD for OSPFv3 on an Interface HC-669 Enabling BFD on a Static Route HC-671 Configuring BFD on Bundle Member Links HC-673 Prerequisites HC-673 Specifying the BFD Destination Address on a Bundle HC-673 Enabling BFD Sessions on Bundle Members HC-674 Configuring the Minimum Thresholds for Maintaining an Active Bundle HC-675 Configuring BFD Packet Transmission Intervals and Failure Detection Times on a Bundle HC-677 Configuring Allowable Delays for BFD State Change Notifications Using Timers on a Bundle HC-679 Enabling Echo Mode to Test the Forwarding Path to a BFD Peer HC-681 Overriding the Default Echo Packet Source Address HC-681 Specifying the Echo Packet Source Address Globally for BFD HC-682 Specifying the Echo Packet Source Address on an Individual Interface or Bundle HC-683 Configuring BFD Session Teardown Based on Echo Latency Detection HC-685 Prerequisites HC-685 Restrictions HC-685 Delaying BFD Session Startup Until Verification of Echo Path and Latency HC-686 Prerequisites HC-686 Restrictions HC-686 Disabling Echo Mode HC-689 Disabling Echo Mode on a Router HC-689 
Disabling Echo Mode on an Individual Interface or Bundle HC-690 Minimizing BFD Session Flapping Using BFD Dampening HC-692 Enabling and Disabling IPv6 Checksum Support HC-693 Enabling and Disabling IPv6 Checksum Calculations for BFD on a Router HC-694 Enabling and Disabling IPv6 Checksum Calculations for BFD on an Individual Interface or Bundle HC-695 Clearing and Displaying BFD Counters HC-696 Configuration Examples for Configuring BFD HC-697 BFD Over BGP: Example HC-698 BFD Over OSPF: Examples HC-698 BFD Over Static Routes: Examples HC-699 BFD on Bundled VLANs: Example HC-699 Echo Packet Source Address: Examples HC-701 Echo Latency Detection: Examples HC-701Contents HC-xxvi Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide OL-26061-02 Echo Startup Validation: Examples HC-702 BFD Echo Mode Disable: Examples HC-702 BFD Dampening: Examples HC-702 BFD IPv6 Checksum: Examples HC-703 BFD Peers on Routers Running Cisco IOS and Cisco IOS XR Software: Example HC-703 Where to Go Next HC-704 Additional References HC-704 Related Documents HC-704 Standards HC-704 RFCs HC-705 MIBs HC-705 Technical Assistance HC-705 Configuring the Satellite Network Virtualization (nV) System on the Cisco ASR 9000 Series Router HC-707 Contents HC-707 Prerequisites for Configuration HC-708 Overview of Satellite nV Switching System HC-708 Benefits of Satellite nV System HC-709 Overview of Port Extender Model HC-710 Features Supported in the Satellite nV System HC-711 Satellite System Physical Topology HC-711 Inter-Chassis Link Redundancy Modes and Load Balancing HC-711 Satellite Discovery and Control Protocols HC-712 Satellite Discovery and Control Protocol IP Connectivity HC-712 Layer-2 and L2VPN Features HC-712 Layer-3 and L3VPN Features HC-712 Layer-2 and Layer-3 Multicast Features HC-712 Quality of Service HC-713 Cluster Support HC-713 Time of Day Synchronization HC-713 Satellite Chassis Management HC-713 Restrictions of the Satellite nV 
System HC-714 Implementing a Satellite nV System HC-714 Defining the Satellite nV System HC-714 Configuring the host IP address HC-717 Configuring the Inter-Chassis Links and IP Connectivity HC-718 Configuring the Satellite nV Access Interfaces HC-720 Plug and Play Satellite nV Switch Turn up: (Rack, Plug, and Go installation) HC-721Contents HC-xxvii Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide OL-26061-02 Upgrading and Managing Satellite nV Software HC-722 Prerequisites HC-722 Installing a Satellite HC-722 Monitoring the Satellite Software HC-723 Monitoring the Satellite Protocol Status HC-724 Monitoring the Satellite Inventory HC-725 Reloading the Satellite Device HC-727 Port Level Parameters Configured on a Satellite HC-727 Configuration Examples for Satellite nV System HC-728 Satellite System Configuration: Example HC-728 Satellite Global Configuration HC-728 ICL (satellite-fabric-link) Interface Configuration HC-728 Satellite Interface Configuration HC-729 Satellite Management using private VRF HC-729 Additional References HC-730 Related Documents HC-730 Standards HC-730 MIBs HC-730 RFCs HC-731 Technical Assistance HC-731 Configuring the nV Edge System on the Cisco ASR 9000 Series Router HC-733 Contents HC-733 Prerequisites for Configuration HC-734 Overview of Cisco ASR 9000 nV Edge Architecture HC-734 Inter Rack Links on Cisco ASR 9000 Series nV Edge System HC-735 Failure Detection in Cisco ASR 9000 Series nV Edge System HC-736 Scenarios for High Availability HC-736 Benefits of Cisco ASR 9000 Series nV Edge System HC-737 Restrictions of the Cisco ASR 9000 Series nV Edge System HC-738 Implementing a Cisco ASR 9000 Series nV Edge System HC-738 Configuring Cisco ASR 9000 nV Edge System HC-738 Single Chassis to Cluster Migration HC-738 Configuration Examples for nV Edge System HC-739 nV Edge System Configuration: Example HC-739 IRL (inter-rack-link) Interface Configuration HC-739 Cisco nV Edge IRL link 
Preface

The Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Configuration Guide provides information and procedures related to router interface and hardware configuration.

The preface contains the following sections:
• Changes to This Document
• Obtaining Documentation and Submitting a Service Request

Changes to This Document

Table 1 lists the technical changes made to this document since it was first printed.

Table 1  Changes to This Document

Revision       Date            Change Summary
OL-26061-02    June 2012       Republished with documentation updates for Cisco IOS XR Release 4.2.1 features.
OL-26061-01    December 2011   Initial release of this document.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

Preconfiguring Physical Interfaces on the Cisco ASR 9000 Series Router

This module describes the preconfiguration of physical interfaces on the Cisco ASR 9000 Series Aggregation Services Routers.

Preconfiguration is supported for the following types of interfaces and controllers:
• Gigabit Ethernet
• 10-Gigabit Ethernet
• Management Ethernet
• Packet-over-SONET/SDH (POS)
• Serial
• SONET controllers and channelized SONET controllers

Preconfiguration allows you to configure modular services cards before they are inserted into the router. When the cards are inserted, they are instantly configured. The preconfiguration information is created in a different system database tree (known as the preconfiguration directory on the route switch processor [RSP]), rather than with the regularly configured interfaces.

There may be some preconfiguration data that cannot be verified unless the modular services card is present, because the verifiers themselves run only on the modular services card. Such preconfiguration data is verified when the modular services card is inserted and the verifiers are initiated. A configuration is rejected if errors are found when the configuration is copied from the preconfiguration area to the active area.

Note: Only physical interfaces can be preconfigured.

Feature History for Preconfiguring Physical Interfaces

Release          Modification
Release 3.7.2    Ethernet interface preconfiguration was introduced.
Release 4.0.0    POS interface preconfiguration was introduced.

Contents
• Prerequisites for Preconfiguring Physical Interfaces
• Information About Preconfiguring Physical Interfaces
• How to Preconfigure Physical Interfaces
• Configuration Examples for Preconfiguring Physical Interfaces
• Additional References

Prerequisites for Preconfiguring Physical Interfaces

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Before preconfiguring physical interfaces, be sure that the following conditions are met:
• Preconfiguration drivers and files are installed. Although it may be possible to preconfigure physical interfaces without a preconfiguration driver installed, the preconfiguration files are required to set the interface definition file on the router that supplies the strings for valid interface names.

Information About Preconfiguring Physical Interfaces

To preconfigure interfaces, you must understand the following concepts:
• Physical Interface Preconfiguration Overview
• Benefits of Interface Preconfiguration
• Use of the Interface Preconfigure Command
• Active and Standby RSPs and Virtual Interface Configuration

Physical Interface Preconfiguration Overview

Preconfiguration is the process of configuring interfaces before they are present in the system. Preconfigured interfaces are not verified or applied until the actual interface with the matching location (rack/slot/module) is inserted into the router.
When the anticipated modular services card is inserted and the interfaces are created, the precreated configuration information is verified and, if successful, immediately applied to the router’s running configuration.

Note: When you plug the anticipated modular services card in, make sure to verify any preconfiguration with the appropriate show commands.

Use the show run command to see interfaces that are in the preconfigured state.

Note: We recommend filling out preconfiguration information in your site planning guide, so that you can compare that anticipated configuration with the actual preconfigured interfaces when that card is installed and the interfaces are up.

Tip: Use the commit best-effort command to save the preconfiguration to the running configuration file. The commit best-effort command merges the target configuration with the running configuration and commits only valid configuration (best effort). Some configuration might fail due to semantic errors, but the valid configuration still comes up.

Benefits of Interface Preconfiguration

Preconfigurations reduce downtime when you add new cards to the system. With preconfiguration, the new modular services card can be instantly configured and actively running during modular services card bootup.

Another advantage of performing a preconfiguration is that during a card replacement, when the modular services card is removed, you can still see the previous configuration and make modifications.

Use of the Interface Preconfigure Command

Interfaces that are not yet present in the system can be preconfigured with the interface preconfigure command in global configuration mode. The interface preconfigure command places the router in interface configuration mode.
Users should be able to add any possible interface commands. The verifiers registered for the preconfigured interfaces verify the configuration. The preconfiguration is complete when the user enters the end command, or any matching exit or global configuration mode command.

Note: It is possible that some configurations cannot be verified until the modular services card is inserted.

Note: Do not enter the no shutdown command for new preconfigured interfaces, because the no form of this command removes the existing configuration, and there is no existing configuration.

Users are expected to provide names during preconfiguration that will match the name of the interface that will be created. If the interface names do not match, the preconfiguration cannot be applied when the interface is created. The interface names must begin with the interface type that is supported by the router and for which drivers have been installed. However, the slot, port, subinterface number, and channel interface number information cannot be validated.

Note: Specifying an interface name that already exists and is configured (or an abbreviated name like e0/3/0/0) is not permitted.

Active and Standby RSPs and Virtual Interface Configuration

The standby RSP is available and in a state in which it can take over the work from the active RSP should that prove necessary. Conditions that necessitate the standby RSP to become the active RSP and assume the active RSP’s duties include:
• Failure detection by a watchdog
• Standby RSP is administratively commanded to take over
• Removal of the active RSP from the chassis

If a second RSP is not present in the chassis while the first is in operation, a second RSP may be inserted and will automatically become the standby RSP.
The standby RSP may also be removed from the chassis with no effect on the system other than loss of RSP redundancy.

After failover, the virtual interfaces will all be present on the standby (now active) RSP. Their state and configuration will be unchanged, and there will have been no loss of forwarding (in the case of tunnels) over the interfaces during the failover. The Cisco ASR 9000 Series Router uses nonstop forwarding (NSF) over tunnels through the failover of the host RSP.

Note: The user does not need to configure anything to guarantee that the standby interface configurations are maintained.

How to Preconfigure Physical Interfaces

This task describes only the most basic preconfiguration of an interface.

SUMMARY STEPS

1. configure
2. interface preconfigure type interface-path-id
3. ipv4 address ip-address subnet-mask
4. Configure additional interface parameters.
5. end or commit
6. exit
7. exit
8. show running-config

DETAILED STEPS

Step 1  configure
        Example:
          RP/0/RSP0/CPU0:router# configure
        Purpose: Enters global configuration mode.

Step 2  interface preconfigure type interface-path-id
        Example:
          RP/0/RSP0/CPU0:router(config)# interface preconfigure GigabitEthernet 0/1/0/0
        Purpose: Enters interface preconfiguration mode for an interface, where type specifies the supported interface type that you want to configure and interface-path-id specifies the location where the interface will be located in rack/slot/module/port notation.

Step 3  ipv4 address ip-address subnet-mask
        or
        ipv4 address ip-address/prefix
        Example:
          RP/0/RSP0/CPU0:router(config-if-pre)# ipv4 address 192.168.1.2/32
        Purpose: Assigns an IP address and mask to the interface.

Step 4  Configure additional interface parameters, as described in this manual in the configuration chapter that applies to the type of interface that you are configuring.

Step 5  end
        or
        commit best-effort
        Example:
          RP/0/RSP0/CPU0:router(config-if-pre)# end
        or
          RP/0/RSP0/CPU0:router(config-if-pre)# commit
        Purpose: Saves configuration changes.
        • When you issue the end command, the system prompts you to commit changes:
            Uncommitted changes found, commit them before exiting (yes/no/cancel)?
          – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
          – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
          – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
        • Use the commit best-effort command to save the configuration changes to the running configuration file and remain within the configuration session. The commit best-effort command merges the target configuration with the running configuration and commits only valid changes (best effort). Some configuration changes might fail due to semantic errors.

Step 6  show running-config
        Example:
          RP/0/RSP0/CPU0:router# show running-config
        Purpose: (Optional) Displays the configuration information currently running on the router.

Configuration Examples for Preconfiguring Physical Interfaces

This section contains the following example:

Preconfiguring an Interface: Example

Preconfiguring an Interface: Example

The following example shows how to preconfigure a basic Ethernet interface:

  RP/0/RSP0/CPU0:router# configure
  RP/0/RSP0/CPU0:router(config)# interface preconfigure GigabitEthernet 0/1/0/0
  RP/0/RSP0/CPU0:router(config-if)# ipv4 address 192.168.1.2/32
  RP/0/RSP0/CPU0:router(config-if)# commit

Additional References

The sections that follow provide references related to the preconfiguration of physical interfaces.

Related Documents

Related Topic                                         Document Title
Master command reference                              Cisco ASR 9000 Series Aggregation Services Routers Master Command Listing
Interface configuration commands                      Cisco ASR 9000 Series Aggregation Services Routers Interface and Hardware Component Command Reference
Initial system bootup and configuration information   Cisco ASR 9000 Series Router Getting Started Guide
Information about user groups and task IDs            Cisco IOS XR Task ID Reference Guide

Standards

Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —

MIBs

MIBs: There are no applicable MIBs for this module.
MIBs Link: To locate and download MIBs for selected platforms using Cisco IOS XR Software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —

Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport

Advanced Configuration and Modification of the Management Ethernet Interface on the Cisco ASR 9000 Series Router

This module describes the configuration of Management Ethernet interfaces on the Cisco ASR 9000 Series Aggregation Services Routers.

Before you can use Telnet to access the router through the LAN IP address, you must set up a Management Ethernet interface and enable Telnet servers, as described in the Configuring General Router Features module of the Cisco ASR 9000 Series Router Getting Started Guide. This module describes how to modify the default configuration of the Management Ethernet interface after it has been configured, as described in the Cisco ASR 9000 Series Router Getting Started Guide.

Note: Forwarding between physical layer interface modules (PLIM) ports and Management Ethernet interface ports is disabled by default. To enable forwarding between PLIM ports and Management Ethernet interface ports, use the rp mgmtethernet forwarding command.

Note: Although the Management Ethernet interfaces on the system are present by default, the user must configure these interfaces to use them for accessing the router, using protocols and applications such as Simple Network Management Protocol (SNMP), Common Object Request Broker Architecture (CORBA), HTTP, extensible markup language (XML), TFTP, Telnet, and command-line interface (CLI).
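The check below is an added example, not part of the Cisco guide. It reads configuration text in IOS XR syntax and flags the conditions called out in the preconfiguration module and in the notes above: preconfigured interfaces that differ from the site plan, no shutdown entered under interface preconfigure, abbreviated interface names, and rp mgmtethernet forwarding being enabled. The sample configuration, the site plan, the finding codes, and the list of interface-type keywords are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_interface

# Full interface-type keywords accepted by this check (an assumed list for
# the example; adjust it to the drivers installed on your router).
KNOWN_TYPES = ("GigabitEthernet", "TenGigE", "MgmtEth", "POS", "Serial")

# Constructed change file in IOS XR configuration syntax (not from the guide).
SAMPLE_CONFIG = """\
rp mgmtethernet forwarding
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 172.18.189.38 255.255.255.224
!
interface preconfigure GigabitEthernet 0/1/0/0
 ipv4 address 192.168.1.2/32
!
interface preconfigure GigabitEthernet0/1/0/1
 ipv4 address 10.0.0.1 255.255.255.252
 no shutdown
!
interface preconfigure POS0/2/0/0
 ipv4 address 10.0.1.1 255.255.255.252
!
interface preconfigure Gi0/1/0/2
 ipv4 address 10.0.2.1/30
!
"""

# Constructed site-plan entries: interface name -> planned address/prefix.
SITE_PLAN = {
    "GigabitEthernet0/1/0/0": "192.168.1.2/32",
    "GigabitEthernet0/1/0/1": "10.0.0.2/30",
    "POS0/2/0/1": "10.0.1.1/30",
}


def parse_stanzas(text):
    """Return [(header, [child lines])]; indented lines belong to the header above."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no configuration
        if line[0].isspace():
            if stanzas:
                stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line, []))
    return stanzas


def normalize_address(args):
    """Turn 'A.B.C.D MASK' or 'A.B.C.D/LEN' into 'A.B.C.D/LEN'."""
    return ip_interface("/".join(args.split())).with_prefixlen


def preconfigured(stanzas):
    """Map each preconfigured interface name (spaces removed) to its child lines."""
    found = {}
    for header, children in stanzas:
        m = re.match(r"interface\s+preconfigure\s+(.+)$", header)
        if m:
            found["".join(m.group(1).split())] = children
    return found


def audit(text, plan):
    """Return a sorted list of (scope, finding_code) tuples."""
    findings = []
    stanzas = parse_stanzas(text)
    # Forwarding between PLIM and Management Ethernet ports is off by default.
    if any(h.split() == ["rp", "mgmtethernet", "forwarding"] for h, _ in stanzas):
        findings.append(("global", "MGMT_FORWARDING"))
    actual = preconfigured(stanzas)
    type_re = re.compile(r"(?:%s)\d" % "|".join(KNOWN_TYPES))
    for name, children in actual.items():
        if not type_re.match(name):
            findings.append((name, "BAD_TYPE"))       # abbreviated or unknown type
        if "no shutdown" in children:
            findings.append((name, "NO_SHUTDOWN"))    # the guide says not to enter it
        if name not in plan:
            findings.append((name, "UNPLANNED"))
            continue
        prefix = "ipv4 address "
        addrs = [normalize_address(c[len(prefix):])
                 for c in children if c.startswith(prefix)]
        if plan[name] not in addrs:
            findings.append((name, "ADDR_MISMATCH"))
    for name in plan:
        if name not in actual:
            findings.append((name, "MISSING"))        # planned, never preconfigured
    return sorted(findings)


if __name__ == "__main__":
    for scope, code in audit(SAMPLE_CONFIG, SITE_PLAN):
        print("%-26s %s" % (scope, code))
```
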
Feature History for Configuring Management Ethernet Interfaces

Release          Modification
Release 3.7.2    This feature was introduced on the Cisco ASR 9000 Series Router.

Contents
• Prerequisites for Configuring Management Ethernet Interfaces
• Information About Configuring Management Ethernet Interfaces
• How to Perform Advanced Management Ethernet Interface Configuration
• Configuration Examples for Management Ethernet Interfaces
• Additional References

Prerequisites for Configuring Management Ethernet Interfaces

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Before performing the Management Ethernet interface configuration procedures that are described in this chapter, be sure that the following tasks and conditions are met:
• You have performed the initial configuration of the Management Ethernet interface, as described in the Configuring General Router Features module of the Cisco ASR 9000 Series Router Getting Started Guide.
• You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command.
• You know how to apply the generalized interface name specification rack/slot/module/port. For further information on interface naming conventions, refer to the Cisco ASR 9000 Series Router Getting Started Guide.
Note: For transparent switchover, both active and standby Management Ethernet interfaces are expected to be physically connected to the same LAN or switch.

Information About Configuring Management Ethernet Interfaces

To configure Management Ethernet interfaces, you must understand the following concept:
• Default Interface Settings

Default Interface Settings

Table 2 describes the default Management Ethernet interface settings that can be changed by manual configuration. Default settings are not displayed in the show running-config command output.

Table 2 Management Ethernet Interface Default Settings

Parameter: Speed in Mbps
Default Value: Speed is autonegotiated.
Configuration File Entry: speed [10 | 100 | 1000]
To return the system to autonegotiate speed, use the no speed [10 | 100 | 1000] command.

Parameter: Duplex mode
Default Value: Duplex mode is autonegotiated.
Configuration File Entry: duplex {full | half}
To return the system to autonegotiated duplex operation, use the no duplex {full | half} command, as appropriate.

Parameter: MAC address
Default Value: MAC address is read from the hardware burned-in address (BIA).
Configuration File Entry: mac-address address
To return the device to its default MAC address, use the no mac-address address command.

How to Perform Advanced Management Ethernet Interface Configuration

This section contains the following procedures:
• Configuring a Management Ethernet Interface (required)
• Configuring the Duplex Mode for a Management Ethernet Interface (optional)
• Configuring the Speed for a Management Ethernet Interface (optional)
• Modifying the MAC Address for a Management Ethernet Interface (optional)
• Verifying Management Ethernet Interface Configuration (optional)

Configuring a Management Ethernet Interface

Perform this task to configure a Management Ethernet interface. This procedure provides the minimal configuration required for the Management Ethernet interface. The MTU is not configurable for the Management Ethernet Interface. The default value is 1514 bytes.

Note: You do not need to perform this task if you have already set up the Management Ethernet interface to enable telnet servers, as described in the “Configuring General Router Features” module of the Cisco ASR 9000 Series Router Getting Started Guide.

SUMMARY STEPS

1. configure
2. interface MgmtEth interface-path-id
3. ipv4 address ip-address mask
4. no shutdown
5. end or commit
6. show interfaces MgmtEth interface-path-id

DETAILED STEPS

Step 1
Command or Action: configure
Example: RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0
Purpose: Enters interface configuration mode and specifies the Ethernet interface name and notation rack/slot/module/port. The example indicates port 0 on the RSP card that is installed in slot 0.

Step 3
Command or Action: ipv4 address ip-address mask
Example: RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.18.189.38 255.255.255.224
Purpose: Assigns an IP address and subnet mask to the interface.
• Replace ip-address with the primary IPv4 address for the interface.
• Replace mask with the mask for the associated IP subnet. The network mask can be specified in either of two ways:
  – The network mask can be a four-part dotted decimal address. For example, 255.0.0.0 indicates that each bit equal to 1 means that the corresponding address bit belongs to the network address.
  – The network mask can be indicated as a slash (/) and number. For example, /8 indicates that the first 8 bits of the mask are ones, and the corresponding bits of the address are network address.

Step 4
Command or Action: no shutdown
Example: RP/0/RSP0/CPU0:router(config-if)# no shutdown
Purpose: Removes the shutdown configuration, which removes the forced administrative down on the interface, enabling it to move to an up or down state.

Step 5
Command or Action: end or commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
  Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 6
Command or Action: show interfaces MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router# show interfaces MgmtEth 0/RSP0/CPU0/0
Purpose: (Optional) Displays statistics for interfaces on the router.

Configuring the Duplex Mode for a Management Ethernet Interface

Perform this task to configure the duplex mode of the Management Ethernet interfaces for the RPs.

SUMMARY STEPS

1. configure
2. interface MgmtEth interface-path-id
3. duplex [full | half]
4. end or commit

DETAILED STEPS

Step 1
Command or Action: configure
Example: RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0
Purpose: Enters interface configuration mode and specifies the Management Ethernet interface name and instance.

Step 3
Command or Action: duplex [full | half]
Example: RP/0/RSP0/CPU0:router(config-if)# duplex full
Purpose: Configures the interface duplex mode. Valid options are full or half.
Note: To return the system to autonegotiated duplex operation, use the no duplex command.

Step 4
Command or Action: end or commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
  Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring the Speed for a Management Ethernet Interface

Perform this task to configure the speed of the Management Ethernet interfaces for the RPs.

SUMMARY STEPS

1. configure
2. interface MgmtEth interface-path-id
3. speed {10 | 100 | 1000}
4. end or commit

DETAILED STEPS

Step 1
Command or Action: configure
Example: RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0
Purpose: Enters interface configuration mode and specifies the Management Ethernet interface name and instance.

Step 3
Command or Action: speed {10 | 100 | 1000}
Example: RP/0/RSP0/CPU0:router(config-if)# speed 100
Purpose: Configures the interface speed parameter. On a Cisco ASR 9000 Series Router, valid speed options are 10 or 100 Mbps.
Note: The default Management Ethernet interface speed is autonegotiated.
Note: To return the system to the default autonegotiated speed, use the no speed command.

Step 4
Command or Action: end or commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
  Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Modifying the MAC Address for a Management Ethernet Interface

Perform this task to configure the MAC layer address of the Management Ethernet interfaces for the RPs.

SUMMARY STEPS

1. configure
2. interface MgmtEth interface-path-id
3. mac-address address
4. end or commit

DETAILED STEPS

Step 1
Command or Action: configure
Example: RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.

Step 2
Command or Action: interface MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0
Purpose: Enters interface configuration mode and specifies the Management Ethernet interface name and instance.

Step 3
Command or Action: mac-address address
Example: RP/0/RSP0/CPU0:router(config-if)# mac-address 0001.2468.ABCD
Purpose: Configures the MAC layer address of the Management Ethernet interface.
Note: To return the device to its default MAC address, use the no mac-address address command.

Step 4
Command or Action: end or commit
Example:
RP/0/RSP0/CPU0:router(config-if)# end
or
RP/0/RSP0/CPU0:router(config-if)# commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
  Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:
  – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
  – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
  – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
• Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Verifying Management Ethernet Interface Configuration

Perform this task to verify configuration modifications on the Management Ethernet interfaces for the RPs.

SUMMARY STEPS

1. show interfaces MgmtEth interface-path-id
2. show running-config

DETAILED STEPS

Step 1
Command or Action: show interfaces MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router# show interfaces MgmtEth 0/RSP0/CPU0/0
Purpose: Displays the Management Ethernet interface configuration.
Step 2
Command or Action: show running-config interface MgmtEth interface-path-id
Example: RP/0/RSP0/CPU0:router# show running-config interface MgmtEth 0/RSP0/CPU0/0
Purpose: Displays the running configuration.

Configuration Examples for Management Ethernet Interfaces

This section provides the following configuration examples:
• Configuring a Management Ethernet Interface: Example

Configuring a Management Ethernet Interface: Example

This example displays advanced configuration and verification of the Management Ethernet interface on the RP:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface MgmtEth 0/RSP0/CPU0/0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 172.29.52.70 255.255.255.0
RP/0/RSP0/CPU0:router(config-if)# speed 100
RP/0/RSP0/CPU0:router(config-if)# duplex full
RP/0/RSP0/CPU0:router(config-if)# no shutdown
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:Mar 26 01:09:28.685 :ifmgr[190]:%LINK-3-UPDOWN :Interface MgmtEth0/RSP0/CPU0/0, changed state to Up
RP/0/RSP0/CPU0:router(config-if)# end

RP/0/RSP0/CPU0:router# show interfaces MgmtEth 0/RSP0/CPU0/0

MgmtEth0/RSP0/CPU0/0 is up, line protocol is up
  Hardware is Management Ethernet, address is 0011.93ef.e8ea (bia 0011.93ef.e8ea)
  Description: Connected to Lab LAN
  Internet address is 172.29.52.70/24
  MTU 1514 bytes, BW 100000 Kbit
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set,
    ARP type ARPA, ARP timeout 04:00:00
  Last clearing of "show interface" counters never
  5 minute input rate 3000 bits/sec, 7 packets/sec
  5 minute output rate 0 bits/sec, 1 packets/sec
     30445 packets input, 1839328 bytes, 64 total input drops
     0 drops for unrecognized upper-level protocol
     Received 23564 broadcast packets, 0 multicast packets
              0 runts, 0 giants, 0 throttles, 0 parity
     57 input errors, 40 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     171672 packets output, 8029024 bytes, 0 total output drops
     Output 16 broadcast packets, 0 multicast packets
     0 output errors, 0 underruns, 0 applique, 0 resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions

RP/0/RSP0/CPU0:router# show running-config interface MgmtEth 0/RSP0/CPU0/0

interface MgmtEth0/RSP0/CPU0/0
 description Connected to Lab LAN
 ipv4 address 172.29.52.70 255.255.255.0
!

Additional References

The following sections provide references related to Management Ethernet interface configuration.

Related Documents

Related Topic: Cisco ASR 9000 Series Router master command reference
Document Title: Cisco ASR 9000 Series Router Master Commands List

Related Topic: Cisco ASR 9000 Series Router interface configuration commands
Document Title: Cisco ASR 9000 Series Router Interface and Hardware Component Command Reference

Related Topic: Initial system bootup and configuration information for a Cisco ASR 9000 Series Router using the Cisco IOS XR Software.
Document Title: Cisco ASR 9000 Series Router Getting Started Guide

Related Topic: Information about user groups and task IDs
Document Title: Cisco ASR 9000 Series Router Interface and Hardware Component Command Reference

Standards

Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by the feature.
Title: —

MIBs

MIBs: There are no applicable MIBs for this module.
MIBs Link: To locate and download MIBs for selected platforms using Cisco IOS XR Software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —

Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport

Configuring Ethernet Interfaces on the Cisco ASR 9000 Series Router

This module describes the configuration of Ethernet interfaces on the Cisco ASR 9000 Series Aggregation Services Routers.

The distributed Gigabit Ethernet and 10-Gigabit Ethernet architecture and features deliver network scalability and performance, while enabling service providers to offer high-density, high-bandwidth networking solutions designed to interconnect the router with other systems in POPs, including core and edge routers and Layer 2 and Layer 3 switches.
Feature History for Configuring Ethernet Interfaces on the Cisco ASR 9000 Series Router

Release / Modification

Release 3.7.2: Support was added on the Cisco ASR 9000 Series Router for the following line cards:
• 40-Port Gigabit Ethernet Medium Queue and High Queue Line Cards (A9K-40GE-B and A9K-40GE-E)
• 4-Port 10-Gigabit Ethernet Medium Queue and High Queue Line Cards (A9K-4T-B and A9K-4T-E)
• 8-Port 10-Gigabit Ethernet Medium Queue and High Queue DX Line Cards (A9K-8T/4-B and A9K-8T/4-E) (2:1 oversubscribed)

Release 3.9.0: Support was added on the Cisco ASR 9000 Series Router for the following line cards:
• 40-Port Gigabit Ethernet Low Queue Line Card (A9K-40GE-L)
• 4-Port 10-Gigabit Ethernet Low Queue Line Card (A9K-4T-L)
• 8-Port 10-Gigabit Ethernet Low Queue DX Line Card (A9K-8T/4-L) (2:1 oversubscribed)
• 8-Port 10-Gigabit Ethernet Low and High Queue Line Card (A9K-8T-L and A9K-8T-E)
• 2-Port 10-Gigabit Ethernet, 20-Port Gigabit Ethernet Medium Queue and High Queue Combination Line Cards (A9K-2T20GE-B and A9K-2T20GE-L)
Support for the following features was added:
• Frequency Synchronization
• SyncE

Release 3.9.1: Support was added on the Cisco ASR 9000 Series Router for the following line cards:
• 8-Port 10-Gigabit Ethernet Medium Queue Line Card (A9K-8T-B)
• 16-Port 10-Gigabit Ethernet SFP+ Line Card (A9K-16T/8-B and A9K-16T/8-B+AIP)

Release 4.0.1: Support for Layer 2 statistics collection for performance monitoring on Layer 2 subinterfaces (EFPs) is added.
Release 4.1.1: Support was added for the MAC address accounting feature.

Contents

• Prerequisites for Configuring Ethernet Interfaces
• Information About Configuring Ethernet
• Configuring Ethernet Interfaces
• Configuration Examples for Ethernet
• Where to Go Next
• Additional References

Prerequisites for Configuring Ethernet Interfaces

You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Before configuring Ethernet interfaces, be sure that the following tasks and conditions are met:

• Confirm that at least one of the following line cards supported on the router is installed:
  – 2-Port 10-Gigabit Ethernet, 20-Port Gigabit Ethernet Combination line card (A9K-2T20GE-B and A9K-2T20GE-L)
  – 4-Port 10-Gigabit Ethernet line card (A9K-4T-L, -B, or -E)
  – 8-Port 10-Gigabit Ethernet DX line card (A9K-8T/4-L, -B, or -E)
  – 8-Port 10-Gigabit Ethernet line card (A9K-8T-L, -B, or -E)
  – 16-Port 10-Gigabit Ethernet SFP+ line card (A9K-16T/8-B and A9K-16T/8-B+AIP)
  – 40-Port Gigabit Ethernet line card (A9K-40GE-L, -B, or -E)
• Know the interface IP address.
• You know how to specify the generalized interface name with the generalized notation rack/slot/module/port.

Information About Configuring Ethernet

Ethernet is defined by the IEEE 802.3 international standard.
It enables the connection of up to 1024 nodes over coaxial, twisted-pair, or fiber-optic cable. The Cisco ASR 9000 Series Router supports Gigabit Ethernet (1000 Mbps) and 10-Gigabit Ethernet (10 Gbps) interfaces.

This section provides the following information sections:
• 16-Port 10-Gigabit Ethernet SFP+ Line Card
• Default Configuration Values for Gigabit Ethernet and 10-Gigabit Ethernet
• Layer 2 VPN on Ethernet Interfaces
• Gigabit Ethernet Protocol Standards Overview
• MAC Address
• MAC Accounting
• Ethernet MTU
• Flow Control on Ethernet Interfaces
• 802.1Q VLAN
• VRRP
• HSRP
• Link Autonegotiation on Ethernet Interfaces
• Subinterfaces on the Cisco ASR 9000 Series Router
• Frequency Synchronization and SyncE

16-Port 10-Gigabit Ethernet SFP+ Line Card

The 16-Port 10-Gigabit Ethernet SFP+ line card is a Small Form Factor (SFP transceiver) optical line card introduced in Cisco IOS XR Release 3.9.1 on the Cisco ASR 9000 Series Router. The 16-Port 10-Gigabit Ethernet SFP+ line card supports all of the Gigabit Ethernet commands and configurations currently supported on the router.

The 16-Port 10-Gigabit Ethernet SFP+ line card is compatible with all existing Cisco ASR 9000 Series Router line cards, route/switch processors (RSPs), and chassis.
Features

The 16-Port 10-Gigabit Ethernet SFP+ line card supports the following features:
• 16 10-Gigabit Ethernet ports
• 128 10-Gigabit Ethernet ports per system
• 1.28 Tbps per system
• 160 Gbps forwarding
• 120 Gbps bidirectional performance
• SR/LR/ER SFP+ optics
• Feature parity with existing line cards
• Unicast and multicast forwarding at 160 Gbps, with zero packet loss during RSP switchover

Restrictions

The following features are not supported on the 16-Port 10-Gigabit Ethernet SFP+ line card:
• DWDM (G.709)

Default Configuration Values for Gigabit Ethernet and 10-Gigabit Ethernet

Table 3 describes the default interface configuration parameters that are present when an interface is enabled on a Gigabit Ethernet or 10-Gigabit Ethernet modular services card and its associated PLIM.

Note: You must use the shutdown command to bring an interface administratively down. The interface default is no shutdown. When a modular services card is first inserted into the router, if there is no established preconfiguration for it, the configuration manager adds a shutdown item to its configuration. This shutdown can be removed only by entering the no shutdown command.

Table 3 Gigabit Ethernet and 10-Gigabit Ethernet Modular Services Card Default Configuration Values

Parameter        Configuration File Entry   Default Value
MAC accounting   mac-accounting             off
Flow control     flow-control               egress on, ingress off
MTU              mtu                        • 1514 bytes for normal frames
                                            • 1518 bytes for 802.1Q tagged frames
                                            • 1522 bytes for Q-in-Q frames
MAC address      mac address                Hardware burned-in address (BIA)

Table 4 Fast Ethernet Default Configuration Values

Parameter          Configuration File Entry   Default Value
MAC accounting     mac-accounting             off
Duplex operation   duplex full, duplex half   Auto-negotiates duplex operation
MTU                mtu                        1500 bytes
Interface speed    speed                      100 Mbps
Auto-negotiation   negotiation auto           disable

Layer 2 VPN on Ethernet Interfaces

Layer 2 Virtual Private Network (L2VPN) connections emulate the behavior of a LAN across an L2 switched, IP or MPLS-enabled IP network, allowing Ethernet devices to communicate with each other as if they were connected to a common LAN segment.

The L2VPN feature enables service providers (SPs) to provide Layer 2 services to geographically disparate customer sites. Typically, an SP uses an access network to connect the customer to the core network. On the Cisco ASR 9000 Series Router, this access network is typically Ethernet.

Traffic from the customer travels over this link to the edge of the SP core network. The traffic then tunnels through an L2VPN over the SP core network to another edge router. The edge router sends the traffic down another attachment circuit (AC) to the customer's remote site.

On the Cisco ASR 9000 Series Router, an AC is an interface that is attached to an L2VPN component, such as a bridge domain, pseudowire, or local connect.

The L2VPN feature enables users to implement different types of end-to-end services. Cisco IOS XR software supports a point-to-point end-to-end service, where two Ethernet circuits are connected together. An L2VPN Ethernet port can operate in one of two modes:
• Port Mode—In this mode, all packets reaching the port are sent over the PW (pseudowire), regardless of any VLAN tags that are present on the packets. In VLAN mode, the configuration is performed under the l2transport configuration mode.
• VLAN Mode—Each VLAN on a CE (customer edge) or access network to PE (provider edge) link can be configured as a separate L2VPN connection (using either VC type 4 or VC type 5). In VLAN mode, the configuration is performed under the individual subinterface.

Switching can take place in three ways:
• AC-to-PW—Traffic reaching the PE is tunneled over a PW (and conversely, traffic arriving over the PW is sent out over the AC). This is the most common scenario.
• Local switching—Traffic arriving on one AC is immediately sent out of another AC without passing through a pseudowire.
• PW stitching—Traffic arriving on a PW is not sent to an AC, but is sent back into the core over another PW.

Keep the following in mind when configuring L2VPN on an Ethernet interface:
• L2VPN links support QoS (Quality of Service) and MTU (maximum transmission unit) configuration.
• If your network requires that packets are transported transparently, you may need to modify the packet’s destination MAC (Media Access Control) address at the edge of the Service Provider (SP) network. This prevents the packet from being consumed by the devices in the SP network.

Use the show interfaces command to display AC and PW information.
To configure a point-to-point pseudowire xconnect on an AC, refer to these documents:
• Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide
• Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference

To attach Layer 2 service policies, such as QoS, to the Ethernet interface, refer to the appropriate Cisco IOS XR software configuration guide.

Gigabit Ethernet Protocol Standards Overview

The Gigabit Ethernet interfaces support the following protocol standards:
• IEEE 802.3 Physical Ethernet Infrastructure
• IEEE 802.3ab 1000BASE-T Gigabit Ethernet
• IEEE 802.3z 1000 Mbps Gigabit Ethernet
• IEEE 802.3ae 10 Gbps Ethernet

These standards are further described in the sections that follow.

IEEE 802.3 Physical Ethernet Infrastructure

The IEEE 802.3 protocol standards define the physical layer and MAC sublayer of the data link layer of wired Ethernet. IEEE 802.3 uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access at a variety of speeds over a variety of physical media. The IEEE 802.3 standard covers 10 Mbps Ethernet. Extensions to the IEEE 802.3 standard specify implementations for Gigabit Ethernet, 10-Gigabit Ethernet, and Fast Ethernet.

IEEE 802.3ab 1000BASE-T Gigabit Ethernet

The IEEE 802.3ab protocol standard, or Gigabit Ethernet over copper (also known as 1000BaseT), is an extension of the existing Fast Ethernet standard. It specifies Gigabit Ethernet operation over the Category 5e/6 cabling systems already installed, making it a highly cost-effective solution.
As a result, most copper-based environments that run Fast Ethernet can also run Gigabit Ethernet over the existing network infrastructure to dramatically boost network performance for demanding applications.

IEEE 802.3z 1000 Mbps Gigabit Ethernet

Gigabit Ethernet builds on top of the Ethernet protocol, but increases speed tenfold over Fast Ethernet to 1000 Mbps, or 1 Gbps. Gigabit Ethernet allows Ethernet to scale from 10 or 100 Mbps at the desktop to 100 Mbps up to 1000 Mbps in the data center. Gigabit Ethernet conforms to the IEEE 802.3z protocol standard.

By leveraging the current Ethernet standard and the installed base of Ethernet and Fast Ethernet switches and routers, network managers do not need to retrain and relearn a new technology in order to provide support for Gigabit Ethernet.

IEEE 802.3ae 10 Gbps Ethernet

Under the International Standards Organization’s Open Systems Interconnection (OSI) model, Ethernet is fundamentally a Layer 2 protocol. 10-Gigabit Ethernet uses the IEEE 802.3 Ethernet MAC protocol, the IEEE 802.3 Ethernet frame format, and the minimum and maximum IEEE 802.3 frame size. 10 Gbps Ethernet conforms to the IEEE 802.3ae protocol standards.

Just as 1000BASE-X and 1000BASE-T (Gigabit Ethernet) remained true to the Ethernet model, 10-Gigabit Ethernet continues the natural evolution of Ethernet in speed and distance. Because it is a full-duplex only and fiber-only technology, it does not need the carrier-sense multiple access with collision detection (CSMA/CD) protocol that defines slower, half-duplex Ethernet technologies.
In every other respect, 10-Gigabit Ethernet remains true to the original Ethernet model.

IEEE 802.3ba 100 Gbps Ethernet

IEEE 802.3ba is supported on the Cisco 1-Port 100-Gigabit Ethernet PLIM beginning in Cisco IOS XR 4.0.1.

MAC Address

A MAC address is a unique 6-byte address that identifies the interface at Layer 2.

MAC Accounting

The MAC address accounting feature provides accounting information for IP traffic based on the source and destination MAC addresses on LAN interfaces. This feature calculates the total packet and byte counts for a LAN interface that receives or sends IP packets to or from a unique MAC address. It also records a time stamp for the last packet received or sent.

These statistics are used for traffic monitoring, debugging and billing. For example, with this feature you can determine the volume of traffic that is being sent to and/or received from various peers at NAPS/peering points. This feature is currently supported on Ethernet, FastEthernet, and bundle interfaces and supports Cisco Express Forwarding (CEF), distributed CEF (dCEF), flow, and optimum switching.

Note: A maximum of 512 MAC addresses per trunk interface are supported for MAC address accounting.

Ethernet MTU

The Ethernet maximum transmission unit (MTU) is the size of the largest frame, minus the 4-byte frame check sequence (FCS), that can be transmitted on the Ethernet network. Every physical network along the path to the destination of a packet can have a different MTU.

Cisco IOS XR software supports two types of frame forwarding processes:
• Fragmentation for IPv4 packets–In this process, IPv4 packets are fragmented as necessary to fit within the MTU of the next-hop physical network.
  Note: IPv6 does not support fragmentation.
• MTU discovery process determines largest packet size: This process is available for all IPv6 devices, and for originating IPv4 devices. In this process, the originating IP device determines the size of the largest IPv6 or IPv4 packet that can be sent without being fragmented. The largest packet is equal to the smallest MTU of any network between the IP source and the IP destination devices. If a packet is larger than the smallest MTU of all the networks in its path, that packet will be fragmented as necessary. This process ensures that the originating device does not send an IP packet that is too large.

Jumbo frame support is automatically enabled for frames that exceed the standard frame size. The default value is 1514 for standard frames and 1518 for 802.1Q tagged frames. These numbers exclude the 4-byte frame check sequence (FCS).

Flow Control on Ethernet Interfaces

The flow control used on 10-Gigabit Ethernet interfaces consists of periodically sending flow control pause frames. It is fundamentally different from the usual full- and half-duplex flow control used on standard management interfaces. Flow control can be activated or deactivated for ingress traffic only. It is automatically implemented for egress traffic.

802.1Q VLAN

A VLAN is a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are very flexible for user and host management, bandwidth allocation, and resource optimization.
The IEEE's 802.1Q protocol standard addresses the problem of breaking large networks into smaller parts so broadcast and multicast traffic does not consume more bandwidth than necessary. The standard also helps provide a higher level of security between segments of internal networks.

The 802.1Q specification establishes a standard method for inserting VLAN membership information into Ethernet frames.

VRRP

The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VPN concentrators on a LAN. The VRRP VPN concentrator controlling the IP addresses associated with a virtual router is called the master, and forwards packets sent to those IP addresses. When the master becomes unavailable, a backup VPN concentrator takes the place of the master.

For more information on VRRP, see the Implementing VRRP module of Cisco ASR 9000 Series Router IP Addresses and Services Configuration Guide.

HSRP

Hot Standby Routing Protocol (HSRP) is a proprietary protocol from Cisco. HSRP is a routing protocol that provides backup to a router in the event of failure. Several routers are connected to the same segment of an Ethernet, FDDI, or token-ring network and work together to present the appearance of a single virtual router on the LAN. The routers share the same IP and MAC addresses and therefore, in the event of failure of one router, the hosts on the LAN are able to continue forwarding packets to a consistent IP and MAC address. The transfer of routing responsibilities from one device to another is transparent to the user.

HSRP is designed to support nondisruptive switchover of IP traffic in certain circumstances and to allow hosts to appear to use a single router and to maintain connectivity even if the actual first hop router they are using fails.
In other words, HSRP protects against the failure of the first hop router when the source host cannot learn the IP address of the first hop router dynamically. Multiple routers participate in HSRP and in concert create the illusion of a single virtual router. HSRP ensures that one and only one of the routers is forwarding packets on behalf of the virtual router. End hosts forward their packets to the virtual router.

The router forwarding packets is known as the active router. A standby router is selected to replace the active router should it fail. HSRP provides a mechanism for determining active and standby routers, using the IP addresses on the participating routers. If an active router fails, a standby router can take over without a major interruption in the host's connectivity.

HSRP runs on top of User Datagram Protocol (UDP), and uses port number 1985. Routers use their actual IP address as the source address for protocol packets, not the virtual IP address, so that the HSRP routers can identify each other.

For more information on HSRP, see the Implementing HSRP module of Cisco ASR 9000 Series Router IP Addresses and Services Configuration Guide.

Link Autonegotiation on Ethernet Interfaces

Link autonegotiation ensures that devices that share a link segment are automatically configured with the highest performance mode of interoperation. Use the negotiation auto command in interface configuration mode to enable link autonegotiation on an Ethernet interface. On line card Ethernet interfaces, link autonegotiation is disabled by default.

Note: The negotiation auto command is available on Gigabit Ethernet interfaces only.

Subinterfaces on the Cisco ASR 9000 Series Router

In Cisco IOS XR, interfaces are, by default, main interfaces.
A main interface is also called a trunk interface, which is not to be confused with the usage of the word trunk in the context of VLAN trunking.

There are three types of trunk interfaces:

• Physical
• Bundle

On the Cisco ASR 9000 Series Router, physical interfaces are automatically created when the router recognizes a card and its physical interfaces. However, bundle interfaces are not automatically created. They are created when they are configured by the user.

The following configuration samples are examples of trunk interfaces being created:

• interface gigabitethernet 0/5/0/0
• interface bundle-ether 1

A subinterface is a logical interface that is created under a trunk interface.

To create a subinterface, the user must first identify a trunk interface under which to place it. In the case of bundle interfaces, if one does not already exist, a bundle interface must be created before any subinterfaces can be created under it.

The user then assigns a subinterface number to the subinterface to be created. The subinterface number must be a positive integer from zero to some high value. For a given trunk interface, each subinterface under it must have a unique value.

Subinterface numbers do not need to be contiguous or in numeric order. For example, the following subinterface numbers would be valid under one trunk interface:

1001, 0, 97, 96, 100000

Subinterfaces can never have the same subinterface number under one trunk.

In the following example, the card in slot 5 has a trunk interface, GigabitEthernet 0/5/0/0. A subinterface, GigabitEthernet 0/5/0/0.0, is created under it.
RP/0/RSP0/CPU0:router# conf
Mon Sep 21 11:12:11.722 EDT
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/5/0/0.0
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 100
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:Sep 21 11:12:34.819 : config[65794]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000152' to view the changes.
RP/0/RSP0/CPU0:router(config-subif)# end
RP/0/RSP0/CPU0:Sep 21 11:12:35.633 : config[65794]: %MGBL-SYS-5-CONFIG_I : Configured from console by root
RP/0/RSP0/CPU0:router#

The show run command displays the trunk interface first, then the subinterfaces in ascending numerical order.

RP/0/RSP0/CPU0:router# show run | begin GigabitEthernet0/5/0/0
Mon Sep 21 11:15:42.654 EDT
Building configuration...
interface GigabitEthernet0/5/0/0
 shutdown
!
interface GigabitEthernet0/5/0/0.0
 encapsulation dot1q 100
!
interface GigabitEthernet0/5/0/1
 shutdown
!

When a subinterface is first created, the Cisco ASR 9000 Series Router recognizes it as an interface that, with few exceptions, is interchangeable with a trunk interface. After the new subinterface is configured further, the show interface command can display it along with its unique counters.

The following example shows the display output for the trunk interface, GigabitEthernet 0/5/0/0, followed by the display output for the subinterface GigabitEthernet 0/5/0/0.0.
RP/0/RSP0/CPU0:router# show interface gigabitEthernet 0/5/0/0
Mon Sep 21 11:12:51.068 EDT
GigabitEthernet0/5/0/0 is administratively down, line protocol is administratively down
  Interface state transitions: 0
  Hardware is GigabitEthernet, address is 0024.f71b.0ca8 (bia 0024.f71b.0ca8)
  Internet address is Unknown
  MTU 1514 bytes, BW 1000000 Kbit
    reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation 802.1Q Virtual LAN,
  Full-duplex, 1000Mb/s, SXFD, link type is force-up
  output flow control is off, input flow control is off
  loopback not set,
  ARP type ARPA, ARP timeout 04:00:00
  Last input never, output never
  Last clearing of "show interface" counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 total input drops
    0 drops for unrecognized upper-level protocol
    Received 0 broadcast packets, 0 multicast packets
    0 runts, 0 giants, 0 throttles, 0 parity
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 total output drops
    Output 0 broadcast packets, 0 multicast packets
    0 output errors, 0 underruns, 0 applique, 0 resets
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions

RP/0/RSP0/CPU0:router# show interface gigabitEthernet0/5/0/0.0
Mon Sep 21 11:12:55.657 EDT
GigabitEthernet0/5/0/0.0 is administratively down, line protocol is administratively down
  Interface state transitions: 0
  Hardware is VLAN sub-interface(s), address is 0024.f71b.0ca8
  Internet address is Unknown
  MTU 1518 bytes, BW 1000000 Kbit
    reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation 802.1Q Virtual LAN, VLAN Id 100, loopback not set,
  ARP type ARPA, ARP timeout 04:00:00
  Last input never, output never
  Last clearing of "show interface" counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 total input drops
    0 drops for unrecognized upper-level protocol
    Received 0 broadcast packets, 0 multicast packets
    0 packets output, 0 bytes, 0 total output drops
    Output 0 broadcast packets, 0 multicast packets

The following example shows two interfaces being created at the same time: first, the bundle trunk interface, then a subinterface attached to the trunk:

RP/0/RSP0/CPU0:router# conf
Mon Sep 21 10:57:31.736 EDT
RP/0/RSP0/CPU0:router(config)# interface Bundle-Ether1
RP/0/RSP0/CPU0:router(config-if)# no shut
RP/0/RSP0/CPU0:router(config-if)# interface bundle-Ether1.0
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 100
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:Sep 21 10:58:15.305 : config[65794]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000149' to view the changes.
RP/0/RSP0/CPU0:router# show run | begin Bundle-Ether1
Mon Sep 21 10:59:31.317 EDT
Building configuration...
interface Bundle-Ether1
!
interface Bundle-Ether1.0
 encapsulation dot1q 100
!

You delete a subinterface using the no interface command.

RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router# show run | begin GigabitEthernet0/5/0/0
Mon Sep 21 11:42:27.100 EDT
Building configuration...
interface GigabitEthernet0/5/0/0
 negotiation auto
!
interface GigabitEthernet0/5/0/0.0
 encapsulation dot1q 100
!
interface GigabitEthernet0/5/0/1
 shutdown
!
RP/0/RSP0/CPU0:router# conf
Mon Sep 21 11:42:32.374 EDT
RP/0/RSP0/CPU0:router(config)# no interface GigabitEthernet0/5/0/0.0
RP/0/RSP0/CPU0:router(config)# commit
RP/0/RSP0/CPU0:Sep 21 11:42:47.237 : config[65794]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000159' to view the changes.
RP/0/RSP0/CPU0:router(config)# end
RP/0/RSP0/CPU0:Sep 21 11:42:50.278 : config[65794]: %MGBL-SYS-5-CONFIG_I : Configured from console by root
RP/0/RSP0/CPU0:router# show run | begin GigabitEthernet0/5/0/0
Mon Sep 21 11:42:57.262 EDT
Building configuration...
interface GigabitEthernet0/5/0/0
 negotiation auto
!
interface GigabitEthernet0/5/0/1
 shutdown
!

Layer 2, Layer 3, and EFPs

On the Cisco ASR 9000 Series Router, a trunk interface can be either a Layer 2 or Layer 3 interface. A Layer 2 interface is configured using the interface command with the l2transport keyword. When the l2transport keyword is not used, the interface is a Layer 3 interface. Subinterfaces are configured as Layer 2 or Layer 3 subinterfaces in the same way.

A Layer 3 trunk interface or subinterface is a routed interface and can be assigned an IP address. Traffic sent on that interface is routed.

A Layer 2 trunk interface or subinterface is a switched interface and cannot be assigned an IP address. A Layer 2 interface must be connected to an L2VPN component. Once it is connected, it is called an access connection.

Subinterfaces can only be created under a Layer 3 trunk interface. Subinterfaces cannot be created under a Layer 2 trunk interface.

A Layer 3 trunk interface can have any combination of Layer 2 and Layer 3 interfaces.

The following example shows an attempt to configure a subinterface under a Layer 2 trunk and the commit errors that occur. It also shows an attempt to change the Layer 2 trunk interface to a Layer 3 interface and the errors that occur because the interface already had an IP address assigned to it.
RP/0/RSP0/CPU0:router# config
Mon Sep 21 12:05:33.142 EDT
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/5/0/0
RP/0/RSP0/CPU0:router(config-if)# ipv4 address 10.0.0.1/24
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:Sep 21 12:05:57.824 : config[65794]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000160' to view the changes.
RP/0/RSP0/CPU0:router(config-if)# end
RP/0/RSP0/CPU0:Sep 21 12:06:01.890 : config[65794]: %MGBL-SYS-5-CONFIG_I : Configured from console by root
RP/0/RSP0/CPU0:router# show run | begin GigabitEthernet0/5/0/0
Mon Sep 21 12:06:19.535 EDT
Building configuration...
interface GigabitEthernet0/5/0/0
 ipv4 address 10.0.0.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/5/0/1
 shutdown
!
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router# conf
Mon Sep 21 12:08:07.426 EDT
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/5/0/0 l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP0/CPU0:router(config-if-l2)# no ipv4 address
RP/0/RSP0/CPU0:router(config-if)# commit
RP/0/RSP0/CPU0:Sep 21 12:08:33.686 : config[65794]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000161' to view the changes.
RP/0/RSP0/CPU0:router(config-if)# end
RP/0/RSP0/CPU0:Sep 21 12:08:38.726 : config[65794]: %MGBL-SYS-5-CONFIG_I : Configured from console by root
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router# show run interface GigabitEthernet0/5/0/0
Mon Sep 21 12:09:02.471 EDT
interface GigabitEthernet0/5/0/0
 negotiation auto
 l2transport
 !
!
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router# conf
Mon Sep 21 12:09:08.658 EDT
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/5/0/0.0
^
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/5/0/0.0
RP/0/RSP0/CPU0:router(config-subif)# commit
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP0/CPU0:router(config-subif)#
RP/0/RSP0/CPU0:router(config-subif)# interface GigabitEthernet0/5/0/0
RP/0/RSP0/CPU0:router(config-if)# no l2transport
RP/0/RSP0/CPU0:router(config-if)# interface GigabitEthernet0/5/0/0.0
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 99
RP/0/RSP0/CPU0:router(config-subif)# ipv4 address 11.0.0.1/24
RP/0/RSP0/CPU0:router(config-subif)# interface GigabitEthernet0/5/0/0.1 l2transport
RP/0/RSP0/CPU0:router(config-subif)# encapsulation dot1q 700
RP/0/RSP0/CPU0:router(config-subif)# commit
RP/0/RSP0/CPU0:Sep 21 12:11:45.896 : config[65794]: %MGBL-CONFIG-6-DB_COMMIT : Configuration committed by user 'root'. Use 'show configuration commit changes 1000000162' to view the changes.
RP/0/RSP0/CPU0:router(config-subif)# end
RP/0/RSP0/CPU0:Sep 21 12:11:50.133 : config[65794]: %MGBL-SYS-5-CONFIG_I : Configured from console by root
RP/0/RSP0/CPU0:router#
RP/0/RSP0/CPU0:router# show run | b GigabitEthernet0/5/0/0
Mon Sep 21 12:12:00.248 EDT
Building configuration...
interface GigabitEthernet0/5/0/0
 negotiation auto
!
interface GigabitEthernet0/5/0/0.0
 ipv4 address 11.0.0.1 255.255.255.0
 encapsulation dot1q 99
!
interface GigabitEthernet0/5/0/0.1 l2transport
 encapsulation dot1q 700
!
interface GigabitEthernet0/5/0/1
 shutdown
!

All subinterfaces must have unique encapsulation statements, so that the router can send incoming packets and frames to the correct subinterface. If a subinterface does not have an encapsulation statement, the router will not send any traffic to it.

In Cisco IOS XR, an Ethernet Flow Point (EFP) is implemented as a Layer 2 subinterface, and consequently, a Layer 2 subinterface is often called an EFP. For more information about EFPs, see the Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide.

A Layer 2 trunk interface can be used as an access connection. However, a Layer 2 trunk interface is not an EFP because an EFP, by definition, is a substream of an overall stream of traffic.

Cisco IOS XR also has other restrictions on what can be configured as a Layer 2 or Layer 3 interface. Certain configuration blocks only accept Layer 3 and not Layer 2. For example, OSPF only accepts Layer 3 trunks and subinterfaces. Refer to the appropriate Cisco IOS XR configuration guide for other restrictions.

Enhanced Performance Monitoring for Layer 2 Subinterfaces (EFPs)

Beginning in Cisco IOS XR Release 4.0.1, the Cisco ASR 9000 Series Router adds support for basic counters for performance monitoring on Layer 2 subinterfaces. This section provides a summary of the new support for Layer 2 interface counters.
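
The Layer 2 and Layer 3 subinterface rules stated earlier (unique encapsulation statements per trunk, no traffic to a subinterface that lacks an encapsulation statement, no subinterfaces under a Layer 2 trunk, no IP address on a Layer 2 interface) can be checked offline against a saved running configuration before it is committed. The following Python script is an added example, not Cisco code; the sample configuration, the function names and the finding labels are constructed for illustration, and it assumes the stanza layout printed by show run.

```python
import re
from collections import defaultdict

# Constructed sample in "show run" layout (not captured from a real router).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/5/0/0
 negotiation auto
!
interface GigabitEthernet0/5/0/0.0
 ipv4 address 11.0.0.1 255.255.255.0
 encapsulation dot1q 99
!
interface GigabitEthernet0/5/0/0.1 l2transport
 encapsulation dot1q 99
!
interface GigabitEthernet0/5/0/0.2
 ipv4 address 12.0.0.1 255.255.255.0
!
interface GigabitEthernet0/5/0/1
 ipv4 address 10.0.0.1 255.255.255.0
 l2transport
 !
!
interface GigabitEthernet0/5/0/1.7
 encapsulation dot1q 7
!
"""

# "interface <trunk>[.<number>] [l2transport]" as printed by show run.
HEADER = re.compile(r"^interface\s+(\S+?)(?:\.(\d+))?(\s+l2transport)?\s*$")


def parse_interfaces(text):
    """Map interface name -> trunk name, subinterface number, L2 flag, commands."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        match = HEADER.match(raw)
        if match:
            trunk, sub, l2 = match.groups()
            name = trunk if sub is None else f"{trunk}.{sub}"
            current = {"trunk": trunk, "sub": sub, "l2": bool(l2), "lines": []}
            interfaces[name] = current
        elif raw.startswith(" ") and current is not None:
            command = raw.strip()
            if command == "l2transport":      # trunk-level Layer 2 marker
                current["l2"] = True
            elif command != "!":
                current["lines"].append(command)
        else:
            current = None                    # top-level "!" closes the stanza
    return interfaces


def audit(text):
    """Return (interface, finding) pairs for violations of the stated rules."""
    interfaces = parse_interfaces(text)
    findings = []
    seen = defaultdict(dict)                  # trunk -> {encapsulation: first user}
    for name, intf in interfaces.items():
        has_ip = any(c.startswith(("ipv4 address", "ipv6 address"))
                     for c in intf["lines"])
        if intf["l2"] and has_ip:
            findings.append((name, "l2-with-ip"))
        if intf["sub"] is None:
            continue
        parent = interfaces.get(intf["trunk"])
        if parent is not None and parent["l2"]:
            findings.append((name, "sub-under-l2-trunk"))
        encaps = [c for c in intf["lines"] if c.startswith("encapsulation ")]
        if not encaps:
            findings.append((name, "no-encapsulation"))
        for encap in encaps:                  # compared as literal text
            first = seen[intf["trunk"]].setdefault(encap, name)
            if first != name:
                findings.append((name, f"duplicate-encapsulation:{first}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

The two commit-time failures shown in the router sessions above correspond to the l2-with-ip and sub-under-l2-trunk findings; the missing and duplicate encapsulation findings cover the cases where traffic would not reach the intended subinterface.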
For information about how to configure Performance Monitoring, see the “Implementing Performance Management” chapter of the Cisco ASR 9000 Series Aggregation Services Router System Monitoring Configuration Guide.

The interface basic-counters keyword has been added to support a new entity for performance statistics collection and display on Layer 2 interfaces in the following commands:

• performance-mgmt statistics interface basic-counters
• performance-mgmt threshold interface basic-counters
• performance-mgmt apply statistics interface basic-counters
• performance-mgmt apply threshold interface basic-counters
• performance-mgmt apply monitor interface basic-counters
• show performance-mgmt monitor interface basic-counters
• show performance-mgmt statistics interface basic-counters

The performance-mgmt threshold interface basic-counters command supports the following attribute values for Layer 2 statistics, which also appear in the show performance-mgmt statistics interface basic-counters and show performance-mgmt monitor interface basic-counters command:

Other Performance Management Enhancements

The following additional performance management enhancements are included in Cisco IOS XR Release 4.0.1:

• You can retain performance management history statistics across a process restart or route processor (RP) failover using the new history-persistent keyword option for the performance-mgmt statistics interface command.

• You can save performance management statistics to a local file using the performance-mgmt resources dump local command.
• You can filter performance management instances by defining a regular expression group (performance-mgmt regular-expression command), which includes multiple regular expression indices that specify strings to match. You apply a defined regular expression group to one or more statistics or threshold templates in the performance-mgmt statistics interface or performance-mgmt thresholds interface commands.

Frequency Synchronization and SyncE

Cisco IOS XR Release 3.9 introduces support for SyncE-capable Ethernet on the Cisco ASR 9000 Series Router. Frequency Synchronization provides the ability to distribute precision clock signals around the network. Highly accurate timing signals are initially injected into the Cisco ASR 9000 router in the network from an external timing technology (such as Cesium atomic clocks, or GPS), and used to clock the router's physical interfaces. Peer routers can then recover this precision frequency from the line, and also transfer it around the network. This feature is traditionally applicable to SONET/SDH networks, but with Cisco IOS XR Release 3.9, is now provided over Ethernet for Cisco ASR 9000 Series Aggregation Services Routers with Synchronous Ethernet capability.
interface controller

Attribute            Description
InOctets             Bytes received (64-bit)
InPackets            Packets received (64-bit)
InputQueueDrops      Input queue drops (64-bit)
InputTotalDrops      Inbound correct packets discarded (64-bit)
InputTotalErrors     Inbound incorrect packets discarded (64-bit)
OutOctets            Bytes sent (64-bit)
OutPackets           Packets sent (64-bit)
OutputQueueDrops     Output queue drops (64-bit)
OutputTotalDrops     Outband correct packets discarded (64-bit)
OutputTotalErrors    Outband incorrect packets discarded (64-bit)

clock-interface sync location Where expands to: frequency synchronization selection input ssm disable priority quality transmit { lowest [ highest ] | highest | exact } quality receive { lowest [ highest ] | highest | exact } wait-to-restore